WFE: return unauthorized prob from NewAccount for deactivated accounts.
Returns a specific unauthorized problem when `newAccount` is called with a public key matching a deactivated account. This is a compromise on contradicting conditions in [7.3.6](https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3.6) (*"Once an account is deactivated, the server MUST NOT accept further requests authorized by that account's key."*) and [7.3.1](https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3.1) (*"If the server receives a newAccount request signed with a key for which it already has an account registered with the provided account key, then it MUST return a response with a 200 (OK) status code and provide the URL of that account in the Location header field. The body of this response represents the account object as it existed on the server before this request."*) of [draft-16](https://tools.ietf.org/html/draft-ietf-acme-acme-16).

Fixes letsencrypt#179.
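The resolution described above, as an added example in Go that is not code from this commit or from Pebble: a self-contained sketch of the newAccount lookup with the deactivation check placed ahead of the 7.3.1 existing-account shortcut, alongside the onlyReturnExisting and fresh-creation outcomes so all four results of one request can be compared. The Server, NewAccount, Deactivate and Result names, the thumbprint-keyed store and the /my-account/ URL path are assumptions; JWS verification is taken to have happened upstream.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Account status strings as listed for the account object in draft-16, 7.1.2.
const (
	StatusValid       = "valid"
	StatusDeactivated = "deactivated"
)

// Account stands in for the server's account object (assumption: not Pebble's type).
type Account struct {
	ID     string `json:"-"`
	Status string `json:"status"`
}

// Problem is the ACME problem document returned on error.
type Problem struct {
	Type   string `json:"type"`
	Detail string `json:"detail"`
}

// NewAccountRequest keeps only the field that drives the lookup-only branch.
type NewAccountRequest struct {
	OnlyReturnExisting bool `json:"onlyReturnExisting"`
}

// Result is the HTTP-level outcome: status, Location (empty if withheld), body.
type Result struct {
	Status   int
	Location string
	Body     interface{}
}

// Server maps a key thumbprint to its account. JWS verification is assumed to
// happen upstream, so callers pass the signing key's thumbprint directly.
type Server struct {
	byKey  map[string]*Account
	nextID int
}

func NewServer() *Server { return &Server{byKey: map[string]*Account{}, nextID: 1} }

// Deactivate marks the account for thumb as deactivated (7.3.6); false if none.
func (s *Server) Deactivate(thumb string) bool {
	acct, ok := s.byKey[thumb]
	if ok {
		acct.Status = StatusDeactivated
	}
	return ok
}

// NewAccount resolves a newAccount request signed by key thumb. Case order is
// the point: the deactivation check runs before the 7.3.1 "account exists"
// shortcut, so 7.3.6 wins and the account URL is never handed back.
func (s *Server) NewAccount(thumb string, req NewAccountRequest) Result {
	acct, exists := s.byKey[thumb]
	switch {
	case exists && acct.Status == StatusDeactivated:
		return Result{http.StatusUnauthorized, "", Problem{
			Type:   "urn:ietf:params:acme:error:unauthorized",
			Detail: "An account with the provided public key exists but is deactivated",
		}}
	case exists:
		// 7.3.1: 200 OK, Location points at the account, body is the account
		// as it was before this request.
		return Result{http.StatusOK, "/my-account/" + acct.ID, acct}
	case req.OnlyReturnExisting:
		// 7.3.1: lookup-only request for an unknown key must not create one.
		return Result{http.StatusBadRequest, "", Problem{
			Type:   "urn:ietf:params:acme:error:accountDoesNotExist",
			Detail: "No account exists with the provided key",
		}}
	}
	acct = &Account{ID: fmt.Sprint(s.nextID), Status: StatusValid}
	s.nextID++
	s.byKey[thumb] = acct
	return Result{http.StatusCreated, "/my-account/" + acct.ID, acct}
}

func main() {
	// Constructed walk-through for one key: create, re-register, then re-register after deactivation.
	s := NewServer()
	for i, req := range []NewAccountRequest{{}, {OnlyReturnExisting: true}, {}} {
		if i == 2 {
			s.Deactivate("thumb-A")
		}
		r := s.NewAccount("thumb-A", req)
		body, _ := json.Marshal(r.Body)
		fmt.Printf("%d Location=%q %s\n", r.Status, r.Location, body)
	}
}
```

The third request in main is the case this commit settles: the key still resolves to a stored account, but because its status is checked first the client gets the unauthorized problem and no Location header, instead of the 200 OK that a plain "does an account exist" test would produce.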
felixfontein authored and cpu committed Dec 6, 2018
1 parent 87f0b12 commit f07faa4
Showing 1 changed file with 12 additions and 5 deletions.
17 changes: 12 additions & 5 deletions wfe/wfe.go
Expand Up @@ -941,11 +941,18 @@ func (wfe *WebFrontEndImpl) NewAccount(
// Lookup existing account to exit early if it exists
existingAcct, _ := wfe.db.GetAccountByKey(postData.jwk)
if existingAcct != nil {
// If there is an existing account then return a Location header pointing to
// the account and a 200 OK response
acctURL := wfe.relativeEndpoint(request, fmt.Sprintf("%s%s", acctPath, existingAcct.ID))
response.Header().Set("Location", acctURL)
_ = wfe.writeJsonResponse(response, http.StatusOK, existingAcct)
if existingAcct.Status == acme.StatusDeactivated {
// If there is an existing, but deactivated account, then return an unauthorized
// problem informing the user that this account was deactivated
wfe.sendError(acme.UnauthorizedProblem(
"An account with the provided public key exists but is deactivated"), response)
} else {
// If there is an existing account then return a Location header pointing to
// the account and a 200 OK response
acctURL := wfe.relativeEndpoint(request, fmt.Sprintf("%s%s", acctPath, existingAcct.ID))
response.Header().Set("Location", acctURL)
_ = wfe.writeJsonResponse(response, http.StatusOK, existingAcct)
}
return
} else if existingAcct == nil && newAcctReq.OnlyReturnExisting {
// If there *isn't* an existing account and the created account request
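Review bot: the new test `if existingAcct.Status == acme.StatusDeactivated` only catches client-initiated deactivation; draft-16 also lists "revoked" as an account status for server-initiated deactivation, and an account in that state still falls into the `else` branch and is handed back with 200 OK and a Location header. Consider inverting the condition to refuse anything that is not valid, e.g. `if existingAcct.Status != acme.StatusValid {`, so every non-valid account hits the unauthorized path. Returning straight from that branch instead of nesting the `else` would also flatten the block and make the `existingAcct == nil &&` in the following `else if` visibly redundant, since the `if existingAcct != nil` arm already returns. Separately, the discarded error in the context line `existingAcct, _ := wfe.db.GetAccountByKey(postData.jwk)` means a failed lookup is indistinguishable from "no account" and falls through to creating a new one; worth handling while this path is being touched.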