ACME: check that the account status is valid.

Author: bavshin-f5

src/acme.rs

@@ -18,7 +18,7 @@ use ngx::collections::Vec;
 use ngx::ngx_log_debug;
 use openssl::pkey::{PKey, PKeyRef, Private};
 use openssl::x509::{self, extension as x509_ext, X509Req};
-use types::ProblemCategory;
+use types::{AccountStatus, ProblemCategory};
 
 use self::account_key::{AccountKey, AccountKeyError};
 use self::types::{AuthorizationStatus, ChallengeKind, ChallengeStatus, OrderStatus};
@@ -287,6 +287,11 @@ where
 
         let res = self.post(&self.directory.new_account, payload).await?;
 
+        let account: types::Account = deserialize_body(res.body())?;
+        if !matches!(account.status, AccountStatus::Valid) {
+            return Err(NewAccountError::Status(account.status));
+        }
+
         let key_id: &str =
             try_get_header(res.headers(), http::header::LOCATION).ok_or(NewAccountError::Url)?;
 

src/acme/error.rs

@@ -9,7 +9,7 @@ use ngx::allocator::{unsize_box, Box};
 use thiserror::Error;
 
 use super::solvers::SolverError;
-use super::types::{Problem, ProblemCategory};
+use super::types::{AccountStatus, Problem, ProblemCategory};
 use crate::net::http::HttpClientError;
 
 #[derive(Debug, Error)]
@@ -26,6 +26,9 @@ pub enum NewAccountError {
     #[error("account request failed ({0})")]
     Request(RequestError),
 
+    #[error("unexpected account status {0:?}")]
+    Status(AccountStatus),
+
     #[error("no account URL in response")]
     Url,
 }
@@ -47,6 +50,7 @@ impl NewAccountError {
                 err.category(),
                 ProblemCategory::Account | ProblemCategory::Malformed
             ),
+            Self::Status(_) => true,
             _ => false,
         }
     }