Skip to main content

seer_core/
caa.rs

1//! CAA (Certification Authority Authorization) lookup and policy comparison.
2//!
3//! CAA records (RFC 8659) let domain owners declare which Certificate
4//! Authorities may issue certificates for the domain. They are consulted
5//! by CAs at issuance time only; they are *not* part of certificate
6//! validation. A presented certificate whose issuer is not in the current
7//! CAA policy is therefore not necessarily invalid — it may have been
8//! issued before the policy was updated, or via a parent zone. See
9//! [`ISSUANCE_TIME_NOTE`].
10
11use serde::{Deserialize, Serialize};
12
13use crate::dns::{DnsResolver, RecordData, RecordType};
14
15/// Informational note surfaced alongside every CAA report.
16///
17/// Explains why an issuer/CAA mismatch is not the same as an invalid cert.
18pub const ISSUANCE_TIME_NOTE: &str = "CAA is checked by CAs at issuance time, not by \
19clients at validation time. A cert whose issuer is not in the current CAA policy is \
20not invalid — it may have been issued before the policy was set, or under a parent \
21zone. Treat mismatches as informational.";
22
23/// A single CAA resource record.
24#[derive(Debug, Clone, Serialize, Deserialize)]
25pub struct CaaRecord {
26    /// CAA flags (only `issuer_critical` = 128 is defined).
27    pub flags: u8,
28    /// Property tag (e.g., `issue`, `issuewild`, `iodef`).
29    pub tag: String,
30    /// Property value (e.g., `letsencrypt.org` or a URI for `iodef`).
31    pub value: String,
32}
33
34/// Result of how a presented cert's issuer relates to the CAA policy.
35#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
36#[serde(rename_all = "lowercase")]
37pub enum IssuerCaaMatch {
38    /// No CAA records exist (any CA may issue per default).
39    NoPolicy,
40    /// CAA records exist and at least one `issue`/`issuewild` value plausibly
41    /// matches the presented issuer.
42    Permitted,
43    /// CAA records exist but none of the allowed CAs appear to match the
44    /// presented issuer. Informational, not a validation failure.
45    Mismatch,
46    /// CAA records exist but only contain `iodef` / unknown tags — no
47    /// authoritative answer about issuance.
48    Indeterminate,
49}
50
51/// CAA policy collected for a domain, plus the informational note that
52/// callers should surface to users.
53#[derive(Debug, Clone, Serialize, Deserialize)]
54pub struct CaaPolicy {
55    /// Records discovered (may be empty if no policy is set).
56    pub records: Vec<CaaRecord>,
57    /// Domain at which the records were found. Per RFC 8659 the resolver
58    /// climbs the tree until a CAA RRset is encountered, so this may be a
59    /// parent of the queried name.
60    pub effective_domain: Option<String>,
61    /// True iff at least one CAA record was found in the tree-walk.
62    pub has_policy: bool,
63    /// Result of comparing a presented cert's issuer against the policy.
64    /// `None` if no cert was supplied for comparison.
65    #[serde(skip_serializing_if = "Option::is_none")]
66    pub issuer_match: Option<IssuerCaaMatch>,
67    /// `iodef` incident-reporting contacts declared in the policy (RFC 8659
68    /// §4.4) — a takedown/abuse channel available nowhere else in seer.
69    #[serde(default, skip_serializing_if = "Vec::is_empty")]
70    pub iodef: Vec<String>,
71    /// A note when the wildcard issuance policy (`issuewild`) is *broader* than
72    /// the base (`issue`) policy — i.e. a CA may issue wildcard certs it is not
73    /// permitted to issue named certs for. `None` when the policies are
74    /// consistent, or `issuewild`/`issue` is absent (RFC 8659 §4.3: absent
75    /// `issuewild` inherits `issue`, which is NOT a gap).
76    #[serde(default, skip_serializing_if = "Option::is_none")]
77    pub wildcard_note: Option<String>,
78    /// Informational note about CAA semantics. Always populated.
79    pub note: String,
80}
81
82impl CaaPolicy {
83    /// Empty policy — used when no CAA records were found anywhere in the tree.
84    pub fn empty() -> Self {
85        Self {
86            records: Vec::new(),
87            effective_domain: None,
88            has_policy: false,
89            issuer_match: None,
90            iodef: Vec::new(),
91            wildcard_note: None,
92            note: ISSUANCE_TIME_NOTE.to_string(),
93        }
94    }
95
96    /// Builds a populated policy from discovered records, deriving the `iodef`
97    /// contacts and the wildcard-vs-base consistency note.
98    fn from_records(records: Vec<CaaRecord>, effective_domain: String) -> Self {
99        let iodef = records
100            .iter()
101            .filter(|r| r.tag == "iodef")
102            .map(|r| r.value.clone())
103            .filter(|v| !v.is_empty())
104            .collect();
105        let wildcard_note = analyze_wildcard(&records);
106        Self {
107            has_policy: true,
108            records,
109            effective_domain: Some(effective_domain),
110            issuer_match: None,
111            iodef,
112            wildcard_note,
113            note: ISSUANCE_TIME_NOTE.to_string(),
114        }
115    }
116}
117
118/// The non-empty CA-domain values permitted by a given tag (`issue` /
119/// `issuewild`). An empty value (from a bare `";"`) means "forbid all" and is
120/// filtered out here so callers reason only about explicitly-permitted CAs.
121fn permitted_cas(records: &[CaaRecord], tag: &str) -> Vec<String> {
122    records
123        .iter()
124        .filter(|r| r.tag == tag)
125        .map(|r| {
126            r.value
127                .split(';')
128                .next()
129                .unwrap_or(&r.value)
130                .trim()
131                .to_ascii_lowercase()
132        })
133        .filter(|v| !v.is_empty())
134        .collect()
135}
136
137/// Detects the genuine wildcard-policy asymmetry: when both `issue` and
138/// `issuewild` are present and `issuewild` permits a CA that `issue` does not,
139/// wildcard issuance is broader than named issuance. Returns a describing note,
140/// or `None` when the policies are consistent.
141///
142/// Note the RFC 8659 §4.3 subtlety: an *absent* `issuewild` inherits the
143/// `issue` policy, so absence is NOT a gap and is deliberately not flagged.
144fn analyze_wildcard(records: &[CaaRecord]) -> Option<String> {
145    let has_issue = records.iter().any(|r| r.tag == "issue");
146    let has_issuewild = records.iter().any(|r| r.tag == "issuewild");
147    if !has_issue || !has_issuewild {
148        return None;
149    }
150    let issue = permitted_cas(records, "issue");
151    let issuewild = permitted_cas(records, "issuewild");
152    let looser: Vec<String> = issuewild
153        .iter()
154        .filter(|w| !issue.iter().any(|i| i == *w))
155        .cloned()
156        .collect();
157    if looser.is_empty() {
158        None
159    } else {
160        Some(format!(
161            "issuewild permits CA(s) not allowed by issue ({}) — wildcard issuance is broader than named issuance",
162            looser.join(", ")
163        ))
164    }
165}
166
167/// Looks up CAA records for `domain`, climbing the DNS tree per RFC 8659
168/// section 3 until a record set is found or only a TLD remains.
169///
170/// Returns an [`CaaPolicy::empty`] on resolver errors — CAA is advisory,
171/// so we never want to fail a higher-level check just because a CAA query
172/// did not return.
173pub async fn lookup_caa(resolver: &DnsResolver, domain: &str) -> CaaPolicy {
174    let mut current = domain.trim_end_matches('.').to_ascii_lowercase();
175
176    loop {
177        match resolver.resolve(&current, RecordType::CAA, None).await {
178            Ok(records) if !records.is_empty() => {
179                let caa: Vec<CaaRecord> = records
180                    .into_iter()
181                    .filter_map(|r| match r.data {
182                        RecordData::CAA { flags, tag, value } => Some(CaaRecord {
183                            flags,
184                            tag: tag.to_ascii_lowercase(),
185                            value,
186                        }),
187                        _ => None,
188                    })
189                    .collect();
190
191                if !caa.is_empty() {
192                    return CaaPolicy::from_records(caa, current);
193                }
194            }
195            Ok(_) | Err(_) => {}
196        }
197
198        // Strip the leftmost label. Stop when only one label (TLD) remains.
199        match current.split_once('.') {
200            Some((_, rest)) if rest.contains('.') => current = rest.to_string(),
201            _ => return CaaPolicy::empty(),
202        }
203    }
204}
205
206/// Compares a presented certificate's issuer string against a CAA policy
207/// and returns a classification. Pure function — no I/O.
208pub fn classify_issuer(issuer: &str, policy: &CaaPolicy) -> IssuerCaaMatch {
209    if !policy.has_policy {
210        return IssuerCaaMatch::NoPolicy;
211    }
212
213    // RFC 8659 §4.1: if any CAA record has the Issuer Critical flag (bit 7,
214    // 0x80) set AND its tag is unknown to us, the spec mandates that
215    // issuance be treated as forbidden — we cannot honor a critical
216    // property we don't understand. Surface that as `Mismatch` so callers
217    // see a non-permitted verdict.
218    const KNOWN_TAGS: &[&str] = &["issue", "issuewild", "iodef"];
219    let critical_unknown = policy
220        .records
221        .iter()
222        .any(|r| (r.flags & 0x80) != 0 && !KNOWN_TAGS.contains(&r.tag.as_str()));
223    if critical_unknown {
224        return IssuerCaaMatch::Mismatch;
225    }
226
227    let issue_values: Vec<String> = policy
228        .records
229        .iter()
230        .filter(|r| r.tag == "issue" || r.tag == "issuewild")
231        .map(|r| {
232            // RFC 8659 §4.2: value is "<CA domain> [; <parameters>]". We
233            // only need the domain portion for matching.
234            r.value
235                .split(';')
236                .next()
237                .unwrap_or(&r.value)
238                .trim()
239                .to_ascii_lowercase()
240        })
241        .collect();
242
243    if issue_values.is_empty() {
244        return IssuerCaaMatch::Indeterminate;
245    }
246
247    let issuer_lc = issuer.to_ascii_lowercase();
248    let allowed_any = issue_values.iter().any(|v| !v.is_empty());
249
250    let matched = issue_values
251        .iter()
252        .any(|v| !v.is_empty() && ca_value_matches_issuer(v, &issuer_lc));
253
254    if matched {
255        IssuerCaaMatch::Permitted
256    } else if allowed_any {
257        IssuerCaaMatch::Mismatch
258    } else {
259        // Only entries are empty-value (";") — issuance is explicitly forbidden,
260        // yet a cert exists. Report as mismatch with the informational note.
261        IssuerCaaMatch::Mismatch
262    }
263}
264
265/// Best-effort comparison between a CAA `issue` value (a CA's domain) and a
266/// certificate issuer string (typically a CN/O like "Let's Encrypt").
267///
268/// CAA values are short reverse-DNS-ish labels; issuer strings vary by CA.
269/// We use a small alias table for the common public CAs and fall back to a
270/// direct substring check.
271fn ca_value_matches_issuer(caa_value: &str, issuer_lc: &str) -> bool {
272    // 1. The CAA value appears verbatim in the issuer (e.g. "ssl.com"), but
273    //    only when it is long enough AND lands on a word boundary. A
274    //    pathologically short value ("ca", "ssl") would otherwise blanket-match
275    //    any issuer that merely contains those letters — the same over-match the
276    //    base-label fallback guards against (issue #56). Length is gated by
277    //    MIN_FALLBACK_BASE_LEN so the verbatim and base paths share one bar.
278    if caa_value.len() >= MIN_FALLBACK_BASE_LEN && contains_word(issuer_lc, caa_value) {
279        return true;
280    }
281    // 2. Curated aliases for well-known CAs — preferred over the generic base
282    //    fallback so a precise mapping wins (e.g. "ssl.com" -> "ssl.com",
283    //    never bare "ssl").
284    for (cv, aliases) in CA_ALIASES {
285        if caa_value == *cv && aliases.iter().any(|a| issuer_lc.contains(a)) {
286            return true;
287        }
288    }
289    // 3. Generic fallback for CAs not in the alias table: the base label (the
290    //    CAA value minus its trailing TLD) appears in the issuer AS A WHOLE
291    //    WORD. Guarded by a minimum length so a short, ambiguous base — "ssl"
292    //    from "ssl.com" — can't collide with unrelated issuer text like
293    //    "...SSL CA..." and report a genuine mismatch as Permitted (issue #56).
294    let base = caa_value
295        .rsplit_once('.')
296        .map(|(b, _)| b)
297        .unwrap_or(caa_value);
298    base.len() >= MIN_FALLBACK_BASE_LEN && contains_word(issuer_lc, base)
299}
300
301/// Minimum base-label length for the generic substring fallback in
302/// [`ca_value_matches_issuer`]. Shorter bases (e.g. "ssl", "ca", "pki") are too
303/// ambiguous to match by substring and must go through the curated alias table
304/// or a verbatim value match instead.
305const MIN_FALLBACK_BASE_LEN: usize = 6;
306
307/// Returns true if `needle` occurs in `haystack` as a whole word — i.e. bounded
308/// by string start/end or a non-alphanumeric character on each side — so a base
309/// like "examplecorp" matches "ExampleCorp Root" but not "NotExamplecorporated".
310/// Both arguments are expected lowercase.
311fn contains_word(haystack: &str, needle: &str) -> bool {
312    if needle.is_empty() {
313        return false;
314    }
315    let bytes = haystack.as_bytes();
316    let mut from = 0;
317    while let Some(rel) = haystack[from..].find(needle) {
318        let start = from + rel;
319        let end = start + needle.len();
320        let before_ok = start == 0 || !bytes[start - 1].is_ascii_alphanumeric();
321        let after_ok = end == bytes.len() || !bytes[end].is_ascii_alphanumeric();
322        if before_ok && after_ok {
323            return true;
324        }
325        from = start + 1;
326    }
327    false
328}
329
330/// Hand-maintained map from common CAA `issue` values to substrings that
331/// frequently appear in the issuer CN/O of certs from that CA.
332const CA_ALIASES: &[(&str, &[&str])] = &[
333    ("letsencrypt.org", &["let's encrypt", "letsencrypt"]),
334    ("pki.goog", &["google trust services", "gts "]),
335    ("digicert.com", &["digicert"]),
336    ("sectigo.com", &["sectigo", "comodo"]),
337    ("globalsign.com", &["globalsign"]),
338    ("amazon.com", &["amazon"]),
339    ("amazontrust.com", &["amazon"]),
340    ("zerossl.com", &["zerossl"]),
341    ("buypass.com", &["buypass"]),
342    ("entrust.net", &["entrust"]),
343    ("ssl.com", &["ssl.com"]),
344    ("certum.pl", &["certum"]),
345    ("identrust.com", &["identrust"]),
346];
347
348#[cfg(test)]
349mod tests {
350    use super::*;
351
352    fn policy_with(records: Vec<(&str, &str)>) -> CaaPolicy {
353        // Route through the real constructor so tests also exercise iodef +
354        // wildcard-note derivation.
355        let records = records
356            .into_iter()
357            .map(|(tag, value)| CaaRecord {
358                flags: 0,
359                tag: tag.to_string(),
360                value: value.to_string(),
361            })
362            .collect();
363        CaaPolicy::from_records(records, "example.com".to_string())
364    }
365
366    #[test]
367    fn iodef_contacts_are_extracted() {
368        let policy = policy_with(vec![
369            ("issue", "letsencrypt.org"),
370            ("iodef", "mailto:security@example.com"),
371        ]);
372        assert_eq!(policy.iodef, vec!["mailto:security@example.com"]);
373    }
374
375    #[test]
376    fn wildcard_note_flags_broader_wildcard_policy() {
377        // issue locks named issuance to Let's Encrypt, but issuewild also
378        // permits DigiCert for wildcards — genuinely broader.
379        let policy = policy_with(vec![
380            ("issue", "letsencrypt.org"),
381            ("issuewild", "digicert.com"),
382        ]);
383        let note = policy
384            .wildcard_note
385            .expect("looser wildcard policy flagged");
386        assert!(
387            note.contains("digicert.com"),
388            "note names the extra CA: {note}"
389        );
390    }
391
392    #[test]
393    fn wildcard_note_absent_when_issuewild_missing() {
394        // RFC 8659 §4.3: absent issuewild inherits issue — NOT a gap.
395        let policy = policy_with(vec![("issue", "letsencrypt.org")]);
396        assert!(policy.wildcard_note.is_none());
397    }
398
399    #[test]
400    fn wildcard_note_absent_when_policies_consistent() {
401        let policy = policy_with(vec![
402            ("issue", "letsencrypt.org"),
403            ("issuewild", "letsencrypt.org"),
404        ]);
405        assert!(policy.wildcard_note.is_none());
406    }
407
408    #[test]
409    fn classify_no_policy() {
410        assert_eq!(
411            classify_issuer("Let's Encrypt R3", &CaaPolicy::empty()),
412            IssuerCaaMatch::NoPolicy
413        );
414    }
415
416    #[test]
417    fn classify_indeterminate_when_only_iodef() {
418        let policy = policy_with(vec![("iodef", "mailto:sec@example.com")]);
419        assert_eq!(
420            classify_issuer("Let's Encrypt R3", &policy),
421            IssuerCaaMatch::Indeterminate
422        );
423    }
424
425    #[test]
426    fn classify_permitted_letsencrypt() {
427        let policy = policy_with(vec![("issue", "letsencrypt.org")]);
428        assert_eq!(
429            classify_issuer("CN=R3, O=Let's Encrypt", &policy),
430            IssuerCaaMatch::Permitted
431        );
432    }
433
434    #[test]
435    fn classify_permitted_via_alias() {
436        // Issuer CN/O does not literally contain "pki.goog"; alias table
437        // maps it to "Google Trust Services".
438        let policy = policy_with(vec![("issue", "pki.goog")]);
439        assert_eq!(
440            classify_issuer("CN=GTS CA 1C3, O=Google Trust Services LLC", &policy),
441            IssuerCaaMatch::Permitted
442        );
443    }
444
445    #[test]
446    fn classify_mismatch_when_only_other_ca_allowed() {
447        let policy = policy_with(vec![("issue", "digicert.com")]);
448        assert_eq!(
449            classify_issuer("CN=R3, O=Let's Encrypt", &policy),
450            IssuerCaaMatch::Mismatch
451        );
452    }
453
454    #[test]
455    fn classify_verbatim_match_is_length_guarded() {
456        // A pathologically short CAA `issue` value (here "ca") must not
457        // blanket-match an unrelated issuer just because the two letters appear
458        // verbatim somewhere in the issuer string. The verbatim path is now
459        // length-guarded just like the base-label fallback (issue #56 follow-up).
460        let policy = policy_with(vec![("issue", "ca")]);
461        assert_eq!(
462            classify_issuer("CN=Verisign Class 3 CA, O=Symantec", &policy),
463            IssuerCaaMatch::Mismatch,
464            "two-letter verbatim CAA value must not over-match unrelated issuers"
465        );
466    }
467
468    #[test]
469    fn classify_full_domain_verbatim_still_matches() {
470        // A real, full-domain CAA value that appears verbatim in the issuer is
471        // still Permitted — the length guard must not break the common case.
472        let policy = policy_with(vec![("issue", "letsencrypt.org")]);
473        assert_eq!(
474            classify_issuer("CN=R3, O=letsencrypt.org", &policy),
475            IssuerCaaMatch::Permitted,
476            "full-domain verbatim value must still match"
477        );
478    }
479
480    #[test]
481    fn classify_does_not_overmatch_short_base_substring() {
482        // CAA `issue "ssl.com"` must NOT mark an unrelated issuer that merely
483        // contains the substring "ssl" as permitted — the base "ssl" is too
484        // short/ambiguous for the generic fallback (issue #56).
485        let policy = policy_with(vec![("issue", "ssl.com")]);
486        assert_eq!(
487            classify_issuer("CN=WoanWolf SSL Root CA, O=Other", &policy),
488            IssuerCaaMatch::Mismatch,
489            "bare 'ssl' substring must not over-match"
490        );
491        // The genuine SSL.com issuer (value appears verbatim) is still permitted.
492        assert_eq!(
493            classify_issuer("CN=SSL.com RSA SSL subCA, O=SSL Corp", &policy),
494            IssuerCaaMatch::Permitted
495        );
496    }
497
498    #[test]
499    fn classify_unknown_ca_base_matches_only_on_word_boundary() {
500        // A long, distinctive base still matches via the guarded fallback — but
501        // only as a whole word, never buried inside a larger token (issue #56).
502        let policy = policy_with(vec![("issue", "examplecorp.test")]);
503        assert_eq!(
504            classify_issuer("CN=ExampleCorp Root, O=ExampleCorp", &policy),
505            IssuerCaaMatch::Permitted
506        );
507        assert_eq!(
508            classify_issuer("CN=NotExamplecorporated CA", &policy),
509            IssuerCaaMatch::Mismatch,
510            "base inside a larger word must not match"
511        );
512    }
513
514    #[test]
515    fn classify_mismatch_when_issuance_forbidden() {
516        // A bare `issue ";"` forbids all issuance, yet a cert exists.
517        let policy = policy_with(vec![("issue", ";")]);
518        assert_eq!(
519            classify_issuer("CN=R3, O=Let's Encrypt", &policy),
520            IssuerCaaMatch::Mismatch
521        );
522    }
523
524    #[test]
525    fn classify_issuewild_treated_like_issue() {
526        let policy = policy_with(vec![("issuewild", "letsencrypt.org")]);
527        assert_eq!(
528            classify_issuer("CN=R3, O=Let's Encrypt", &policy),
529            IssuerCaaMatch::Permitted
530        );
531    }
532
533    #[test]
534    fn empty_policy_has_no_issuer_match_set() {
535        let p = CaaPolicy::empty();
536        assert!(p.records.is_empty());
537        assert!(!p.has_policy);
538        assert!(p.issuer_match.is_none());
539        assert_eq!(p.note, ISSUANCE_TIME_NOTE);
540    }
541
542    /// RFC 8659 §4.1: a CAA record carrying an unknown tag with the Issuer
543    /// Critical flag (bit 7 of `flags`) set MUST be treated as forbidding
544    /// issuance — we cannot honor a critical property we don't understand.
545    #[test]
546    fn classify_unknown_critical_tag_forces_mismatch() {
547        let policy = CaaPolicy {
548            records: vec![
549                // Valid issue that would otherwise match Let's Encrypt.
550                CaaRecord {
551                    flags: 0,
552                    tag: "issue".to_string(),
553                    value: "letsencrypt.org".to_string(),
554                },
555                // Unknown tag with critical flag — must veto issuance.
556                CaaRecord {
557                    flags: 0x80,
558                    tag: "auth".to_string(),
559                    value: "future-extension".to_string(),
560                },
561            ],
562            effective_domain: Some("example.com".to_string()),
563            has_policy: true,
564            issuer_match: None,
565            iodef: Vec::new(),
566            wildcard_note: None,
567            note: ISSUANCE_TIME_NOTE.to_string(),
568        };
569        assert_eq!(
570            classify_issuer("CN=R3, O=Let's Encrypt", &policy),
571            IssuerCaaMatch::Mismatch,
572            "critical unknown tag must veto otherwise-matching issue"
573        );
574    }
575
576    #[test]
577    fn classify_unknown_non_critical_tag_does_not_veto() {
578        // Same shape but flags = 0 (non-critical). Per RFC the unknown tag
579        // is ignored; the matching `issue` carries through.
580        let policy = CaaPolicy {
581            records: vec![
582                CaaRecord {
583                    flags: 0,
584                    tag: "issue".to_string(),
585                    value: "letsencrypt.org".to_string(),
586                },
587                CaaRecord {
588                    flags: 0,
589                    tag: "auth".to_string(),
590                    value: "future-extension".to_string(),
591                },
592            ],
593            effective_domain: Some("example.com".to_string()),
594            has_policy: true,
595            issuer_match: None,
596            iodef: Vec::new(),
597            wildcard_note: None,
598            note: ISSUANCE_TIME_NOTE.to_string(),
599        };
600        assert_eq!(
601            classify_issuer("CN=R3, O=Let's Encrypt", &policy),
602            IssuerCaaMatch::Permitted
603        );
604    }
605
606    #[test]
607    fn classify_critical_known_tag_does_not_veto() {
608        // A critical `issue` (a known tag) is just a normal critical-issue.
609        // It must NOT trip the unknown-critical veto.
610        let policy = CaaPolicy {
611            records: vec![CaaRecord {
612                flags: 0x80,
613                tag: "issue".to_string(),
614                value: "letsencrypt.org".to_string(),
615            }],
616            effective_domain: Some("example.com".to_string()),
617            has_policy: true,
618            issuer_match: None,
619            iodef: Vec::new(),
620            wildcard_note: None,
621            note: ISSUANCE_TIME_NOTE.to_string(),
622        };
623        assert_eq!(
624            classify_issuer("CN=R3, O=Let's Encrypt", &policy),
625            IssuerCaaMatch::Permitted
626        );
627    }
628}