Merge pull request #1689 from smallstep/beltram/wire-acme-extensions

Use two separate Wire identifier types
4 months ago · 502334fd82
parent 7e6356ece2 a38132aa58
commit 502334fd82
9 changed files with 266 additions and 81 deletions
--- a/acme/api/order.go
+++ b/acme/api/order.go
@ -49,8 +49,13 @@ func (n *NewOrderRequest) Validate() error {
 			if id.Value == "" {
 				return acme.NewError(acme.ErrorMalformedType, "permanent identifier cannot be empty")
 			}
-		case acme.WireID:
-			wireID, err := wire.ParseID([]byte(id.Value))
+		case acme.WireUser:
+			_, err := wire.ParseUserID([]byte(id.Value))
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing Wire ID")
+			}
+		case acme.WireDevice:
+			wireID, err := wire.ParseDeviceID([]byte(id.Value))
 			if err != nil {
 				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing Wire ID")
 			}
@ -273,10 +278,28 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 		}

 		var target string
-		if az.Identifier.Type == acme.WireID {
-			wireID, err := wire.ParseID([]byte(az.Identifier.Value))
+		switch az.Identifier.Type {
+		case acme.WireUser:
+			wireOptions, err := prov.GetOptions().GetWireOptions()
+			if err != nil {
+				return acme.WrapErrorISE(err, "failed getting Wire options")
+			}
+			var targetProvider interface{ EvaluateTarget(string) (string, error) }
+			switch typ {
+			case acme.WIREOIDC01:
+				targetProvider = wireOptions.GetOIDCOptions()
+			default:
+				return acme.NewError(acme.ErrorMalformedType, "unsupported type %q", typ)
+			}
+
+			target, err = targetProvider.EvaluateTarget("")
 			if err != nil {
-				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing WireID")
+				return acme.WrapError(acme.ErrorMalformedType, err, "invalid Go template registered for 'target'")
+			}
+		case acme.WireDevice:
+			wireID, err := wire.ParseDeviceID([]byte(az.Identifier.Value))
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing WireUser")
 			}
 			clientID, err := wire.ParseClientID(wireID.ClientID)
 			if err != nil {
@ -288,8 +311,6 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 			}
 			var targetProvider interface{ EvaluateTarget(string) (string, error) }
 			switch typ {
-			case acme.WIREOIDC01:
-				targetProvider = wireOptions.GetOIDCOptions()
 			case acme.WIREDPOP01:
 				targetProvider = wireOptions.GetDPOPOptions()
 			default:
@ -440,8 +461,10 @@ func challengeTypes(az *acme.Authorization) []acme.ChallengeType {
 		}
 	case acme.PermanentIdentifier:
 		chTypes = []acme.ChallengeType{acme.DEVICEATTEST01}
-	case acme.WireID:
-		chTypes = []acme.ChallengeType{acme.WIREOIDC01, acme.WIREDPOP01}
+	case acme.WireUser:
+		chTypes = []acme.ChallengeType{acme.WIREOIDC01}
+	case acme.WireDevice:
+		chTypes = []acme.ChallengeType{acme.WIREDPOP01}
 	default:
 		chTypes = []acme.ChallengeType{}
 	}
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@ -101,7 +101,7 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 			return test{
 				nor: &NewOrderRequest{
 					Identifiers: []acme.Identifier{
-						{Type: "wireapp-id", Value: "{}"},
+						{Type: "wireapp-device", Value: "{}"},
 					},
 				},
 				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "": invalid Wire client ID URI "": error parsing : scheme is missing`),
@ -111,7 +111,7 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 			return test{
 				nor: &NewOrderRequest{
 					Identifiers: []acme.Identifier{
-						{Type: "wireapp-id", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "nowireapp://example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "nowireapp://example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
 					},
 				},
 				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "nowireapp://example.com": invalid Wire client ID scheme "nowireapp"; expected "wireapp"`),
@ -121,7 +121,7 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 			return test{
 				nor: &NewOrderRequest{
 					Identifiers: []acme.Identifier{
-						{Type: "wireapp-id", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://user-device@example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://user-device@example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
 					},
 				},
 				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "wireapp://user-device@example.com": invalid Wire client ID username "user-device"`),
@ -205,13 +205,28 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 				naf: naf,
 			}
 		},
-		"ok/wireapp-idd": func(t *testing.T) test {
+		"ok/wireapp-user": func(t *testing.T) test {
 			nbf := time.Now().UTC().Add(time.Minute)
 			naf := time.Now().UTC().Add(5 * time.Minute)
 			return test{
 				nor: &NewOrderRequest{
 					Identifiers: []acme.Identifier{
-						{Type: "wireapp-id", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+						{Type: "wireapp-user", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
+					},
+					NotAfter:  naf,
+					NotBefore: nbf,
+				},
+				nbf: nbf,
+				naf: naf,
+			}
+		},
+		"ok/wireapp-device": func(t *testing.T) test {
+			nbf := time.Now().UTC().Add(time.Minute)
+			naf := time.Now().UTC().Add(5 * time.Minute)
+			return test{
+				nor: &NewOrderRequest{
+					Identifiers: []acme.Identifier{
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
 					},
 					NotAfter:  naf,
 					NotBefore: nbf,
@ -1719,7 +1734,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				},
 			}
 		},
-		"ok/default-naf-nbf-wireapp": func(t *testing.T) test {
+		"ok/default-naf-nbf-wireapp-user": func(t *testing.T) test {
 			acmeWireProv := newWireProvisionerWithOptions(t, &provisioner.Options{
 				Wire: &wire.Options{
 					OIDC: &wire.OIDCOptions{
@ -1749,7 +1764,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 			acc := &acme.Account{ID: "accID"}
 			nor := &NewOrderRequest{
 				Identifiers: []acme.Identifier{
-					{Type: "wireapp-id", Value: `{"client-id": "wireapp://user!client@domain"}`},
+					{Type: "wireapp-user", Value: `{"name": "Alice Smith", "handle": "wireapp://%40alice.smith.qa@example.com"}`},
 				},
 			}
 			b, err := json.Marshal(nor)
@ -1758,9 +1773,8 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 			ctx = context.WithValue(ctx, accContextKey, acc)
 			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: b})
 			var (
-				ch1, ch2 **acme.Challenge
-				az1ID    *string
-				count    = 0
+				ch1   **acme.Challenge
+				az1ID *string
 			)
 			return test{
 				ctx:        ctx,
@ -1769,20 +1783,113 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
-						switch count {
-						case 0:
-							ch.ID = "wireapp-oidc"
-							assert.Equals(t, ch.Type, acme.WIREOIDC01)
-							ch1 = &ch
-						case 1:
-							ch.ID = "wireapp-dpop"
-							assert.Equals(t, ch.Type, acme.WIREDPOP01)
-							ch2 = &ch
-						default:
-							assert.FatalError(t, errors.New("test logic error"))
-							return errors.New("force")
-						}
-						count++
+						ch.ID = "wireapp-oidc"
+						assert.Equals(t, ch.Type, acme.WIREOIDC01)
+						ch1 = &ch
+						assert.Equals(t, ch.AccountID, "accID")
+						assert.NotEquals(t, ch.Token, "")
+						assert.Equals(t, ch.Status, acme.StatusPending)
+						assert.Equals(t, ch.Value, `{"name": "Alice Smith", "handle": "wireapp://%40alice.smith.qa@example.com"}`)
+						return nil
+					},
+					MockCreateAuthorization: func(ctx context.Context, az *acme.Authorization) error {
+						az.ID = "az1ID"
+						az1ID = &az.ID
+						assert.Equals(t, az.AccountID, "accID")
+						assert.NotEquals(t, az.Token, "")
+						assert.Equals(t, az.Status, acme.StatusPending)
+						assert.Equals(t, az.Identifier, nor.Identifiers[0])
+						assert.Equals(t, az.Challenges, []*acme.Challenge{*ch1})
+						assert.Equals(t, az.Wildcard, false)
+						return nil
+					},
+					MockCreateOrder: func(ctx context.Context, o *acme.Order) error {
+						o.ID = "ordID"
+						assert.Equals(t, o.AccountID, "accID")
+						assert.Equals(t, o.ProvisionerID, prov.GetID())
+						assert.Equals(t, o.Status, acme.StatusPending)
+						assert.Equals(t, o.Identifiers, nor.Identifiers)
+						assert.Equals(t, o.AuthorizationIDs, []string{*az1ID})
+						return nil
+					},
+					MockGetExternalAccountKeyByAccountID: func(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
+						assert.Equals(t, prov.GetID(), provisionerID)
+						assert.Equals(t, "accID", accountID)
+						return nil, nil
+					},
+				},
+				vr: func(t *testing.T, o *acme.Order) {
+					now := clock.Now()
+					testBufferDur := 5 * time.Second
+					orderExpiry := now.Add(defaultOrderExpiry)
+					expNbf := now.Add(-defaultOrderBackdate)
+					expNaf := now.Add(prov.DefaultTLSCertDuration())
+
+					assert.Equals(t, o.ID, "ordID")
+					assert.Equals(t, o.Status, acme.StatusPending)
+					assert.Equals(t, o.Identifiers, nor.Identifiers)
+					assert.Equals(t, o.AuthorizationURLs, []string{fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName)})
+					assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf))
+					assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf))
+					assert.True(t, o.NotAfter.Add(-testBufferDur).Before(expNaf))
+					assert.True(t, o.NotAfter.Add(testBufferDur).After(expNaf))
+					assert.True(t, o.ExpiresAt.Add(-testBufferDur).Before(orderExpiry))
+					assert.True(t, o.ExpiresAt.Add(testBufferDur).After(orderExpiry))
+				},
+			}
+		},
+		"ok/default-naf-nbf-wireapp-device": func(t *testing.T) test {
+			acmeWireProv := newWireProvisionerWithOptions(t, &provisioner.Options{
+				Wire: &wire.Options{
+					OIDC: &wire.OIDCOptions{
+						Provider: &wire.Provider{
+							IssuerURL:   "https://issuer.example.com",
+							AuthURL:     "",
+							TokenURL:    "",
+							JWKSURL:     "",
+							UserInfoURL: "",
+							Algorithms:  []string{"ES256"},
+						},
+						Config: &wire.Config{
+							ClientID:                   "integration test",
+							SignatureAlgorithms:        []string{"ES256"},
+							SkipClientIDCheck:          true,
+							SkipExpiryCheck:            true,
+							SkipIssuerCheck:            true,
+							InsecureSkipSignatureCheck: true,
+							Now:                        time.Now,
+						},
+					},
+					DPOP: &wire.DPOPOptions{
+						SigningKey: []byte(fakeWireSigningKey),
+					},
+				},
+			})
+			acc := &acme.Account{ID: "accID"}
+			nor := &NewOrderRequest{
+				Identifiers: []acme.Identifier{
+					{Type: "wireapp-device", Value: `{"client-id": "wireapp://user!client@domain"}`},
+				},
+			}
+			b, err := json.Marshal(nor)
+			assert.FatalError(t, err)
+			ctx := acme.NewProvisionerContext(context.Background(), acmeWireProv)
+			ctx = context.WithValue(ctx, accContextKey, acc)
+			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: b})
+			var (
+				ch1   **acme.Challenge
+				az1ID *string
+			)
+			return test{
+				ctx:        ctx,
+				statusCode: 201,
+				nor:        nor,
+				ca:         &mockCA{},
+				db: &acme.MockDB{
+					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
+						ch.ID = "wireapp-dpop"
+						assert.Equals(t, ch.Type, acme.WIREDPOP01)
+						ch1 = &ch
 						assert.Equals(t, ch.AccountID, "accID")
 						assert.NotEquals(t, ch.Token, "")
 						assert.Equals(t, ch.Status, acme.StatusPending)
@ -1796,7 +1903,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 						assert.NotEquals(t, az.Token, "")
 						assert.Equals(t, az.Status, acme.StatusPending)
 						assert.Equals(t, az.Identifier, nor.Identifiers[0])
-						assert.Equals(t, az.Challenges, []*acme.Challenge{*ch1, *ch2})
+						assert.Equals(t, az.Challenges, []*acme.Challenge{*ch1})
 						assert.Equals(t, az.Wildcard, false)
 						return nil
 					},
--- a/acme/api/wire_integration_test.go
+++ b/acme/api/wire_integration_test.go
@ -234,7 +234,11 @@ func TestWireIntegration(t *testing.T) {
 		nor := &NewOrderRequest{
 			Identifiers: []acme.Identifier{
 				{
-					Type:  "wireapp-id",
+					Type:  "wireapp-user",
+					Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`,
+				},
+				{
+					Type:  "wireapp-device",
 					Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://lJGYPz0ZRq2kvc_XpdaDlA!ed416ce8ecdd9fad@example.com", "handle": "wireapp://%40alice.smith.qa@example.com"}`,
 				},
 			},
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -373,7 +373,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 		return WrapError(ErrorMalformedType, err, "error unmarshalling Wire OIDC challenge payload")
 	}

-	wireID, err := wire.ParseID([]byte(ch.Value))
+	wireID, err := wire.ParseUserID([]byte(ch.Value))
 	if err != nil {
 		return WrapErrorISE(err, "error unmarshalling challenge data")
 	}
@ -451,7 +451,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 	return nil
 }

-func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.ID) (map[string]any, error) {
+func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.UserID) (map[string]any, error) {
 	var m map[string]any
 	if err := token.Claims(&m); err != nil {
 		return nil, fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
@ -500,7 +500,7 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, accountJWK *j
 		return WrapError(ErrorMalformedType, err, "error unmarshalling Wire DPoP challenge payload")
 	}

-	wireID, err := wire.ParseID([]byte(ch.Value))
+	wireID, err := wire.ParseDeviceID([]byte(ch.Value))
 	if err != nil {
 		return WrapErrorISE(err, "error unmarshalling challenge data")
 	}
@ -598,7 +598,7 @@ type wireVerifyParams struct {
 	dpopKeyID string
 	issuer    string
 	audience  string
-	wireID    wire.ID
+	wireID    wire.DeviceID
 	chToken   string
 	t         time.Time
 }
--- a/acme/challenge_wire_test.go
+++ b/acme/challenge_wire_test.go
@ -100,7 +100,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 					Type:   "urn:ietf:params:acme:error:serverInternal",
 					Detail: "The server experienced an internal error",
 					Status: 500,
-					Err:    errors.New(`error unmarshalling challenge data: json: cannot unmarshal number into Go value of type wire.ID`),
+					Err:    errors.New(`error unmarshalling challenge data: json: cannot unmarshal number into Go value of type wire.DeviceID`),
 				},
 			}
 		},
@ -1096,7 +1096,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 					Type:   "urn:ietf:params:acme:error:serverInternal",
 					Detail: "The server experienced an internal error",
 					Status: 500,
-					Err:    errors.New(`error unmarshalling challenge data: json: cannot unmarshal number into Go value of type wire.ID`),
+					Err:    errors.New(`error unmarshalling challenge data: json: cannot unmarshal number into Go value of type wire.UserID`),
 				},
 			}
 		},
@ -2030,7 +2030,7 @@ MCowBQYDK2VwAyEAB2IYqBWXAouDt3WcCZgCM3t9gumMEKMlgMsGenSu+fA=
 	require.True(t, ok)

 	issuer := "http://wire.com:19983/clients/7a41cf5b79683410/access-token"
-	wireID := wire.ID{
+	wireID := wire.DeviceID{
 		ClientID: "wireapp://guVX5xeFS3eTatmXBIyA4A!7a41cf5b79683410@wire.com",
 		Handle:   "wireapp://%40alice_wire@wire.com",
 	}
@ -2127,7 +2127,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 	idToken, err := verifier.Verify(ctx, idTokenString)
 	require.NoError(t, err)

-	wireID := wire.ID{
+	wireID := wire.UserID{
 		Name:   "Alice Smith",
 		Handle: "wireapp://%40alice_wire@wire.com",
 	}
--- a/acme/order.go
+++ b/acme/order.go
@ -31,8 +31,10 @@ const (
 	// PermanentIdentifier is the ACME permanent-identifier identifier type
 	// defined in https://datatracker.ietf.org/doc/html/draft-bweeks-acme-device-attest-00
 	PermanentIdentifier IdentifierType = "permanent-identifier"
-	// WireID is the Wire user identifier type
-	WireID IdentifierType = "wireapp-id"
+	// WireUser is the Wire user identifier type
+	WireUser IdentifierType = "wireapp-user"
+	// WireDevice is the Wire device identifier type
+	WireDevice IdentifierType = "wireapp-device"
 )

 // Identifier encodes the type that an order pertains to.
@ -322,23 +324,23 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 }

 // containsWireIdentifiers checks if [Order] contains ACME
-// identifiers for the WireID type.
+// identifiers for the WireUser or WireDevice types.
 func (o *Order) containsWireIdentifiers() bool {
 	for _, i := range o.Identifiers {
-		if i.Type == WireID {
+		if i.Type == WireUser || i.Type == WireDevice {
 			return true
 		}
 	}
 	return false
 }

-// createWireSubject creates the subject for an [Order] with WireID identifiers.
+// createWireSubject creates the subject for an [Order] with WireUser identifiers.
 func createWireSubject(o *Order, csr *x509.CertificateRequest) (subject x509util.Subject, err error) {
-	wireIDs, otherIDs := 0, 0
+	wireUserIDs, wireDeviceIDs, otherIDs := 0, 0, 0
 	for _, identifier := range o.Identifiers {
 		switch identifier.Type {
-		case WireID:
-			wireID, err := wire.ParseID([]byte(identifier.Value))
+		case WireUser:
+			wireID, err := wire.ParseUserID([]byte(identifier.Value))
 			if err != nil {
 				return subject, NewErrorISE("unmarshal wireID: %s", err)
 			}
@ -357,7 +359,7 @@ func createWireSubject(o *Order, csr *x509.CertificateRequest) (subject x509util
 				}
 			}
 			if !foundDisplayName {
-				return subject, NewErrorISE("CSR must contain the display name in 2.16.840.1.113730.3.1.241 OID")
+				return subject, NewErrorISE("CSR must contain the display name in '2.16.840.1.113730.3.1.241' OID")
 			}

 			if len(csr.Subject.Organization) == 0 || !strings.EqualFold(csr.Subject.Organization[0], wireID.Domain) {
@ -365,14 +367,16 @@ func createWireSubject(o *Order, csr *x509.CertificateRequest) (subject x509util
 			}
 			subject.CommonName = wireID.Name
 			subject.Organization = []string{wireID.Domain}
-			wireIDs++
+			wireUserIDs++
+		case WireDevice:
+			wireDeviceIDs++
 		default:
 			otherIDs++
 		}
 	}

-	if wireIDs > 0 && otherIDs > 0 || wireIDs > 1 {
-		return subject, NewErrorISE("at most one WireID can be signed along with no other ID, found %d WireIDs and %d other IDs", wireIDs, otherIDs)
+	if otherIDs > 0 || wireUserIDs != 1 && wireDeviceIDs != 1 {
+		return subject, NewErrorISE("order must have exactly one WireUser and WireDevice identifier")
 	}

 	return
@ -385,10 +389,10 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 	}

 	// order the DNS names and IP addresses, so that they can be compared against the canonicalized CSR
-	orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers)+2*numberOfIdentifierType(WireID, o.Identifiers))
+	orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers))
 	orderIPs := make([]net.IP, numberOfIdentifierType(IP, o.Identifiers))
 	orderPIDs := make([]string, numberOfIdentifierType(PermanentIdentifier, o.Identifiers))
-	tmpOrderURIs := make([]*url.URL, 2*numberOfIdentifierType(WireID, o.Identifiers))
+	tmpOrderURIs := make([]*url.URL, numberOfIdentifierType(WireUser, o.Identifiers)+numberOfIdentifierType(WireDevice, o.Identifiers))
 	indexDNS, indexIP, indexPID, indexURI := 0, 0, 0, 0
 	for _, n := range o.Identifiers {
 		switch n.Type {
@ -401,23 +405,28 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 		case PermanentIdentifier:
 			orderPIDs[indexPID] = n.Value
 			indexPID++
-		case WireID:
-			wireID, err := wire.ParseID([]byte(n.Value))
+		case WireUser:
+			wireID, err := wire.ParseUserID([]byte(n.Value))
 			if err != nil {
 				return sans, NewErrorISE("unsupported identifier value in order: %s", n.Value)
 			}
-			clientID, err := url.Parse(wireID.ClientID)
-			if err != nil {
-				return sans, NewErrorISE("clientId must be a URI: %s", wireID.ClientID)
-			}
-			tmpOrderURIs[indexURI] = clientID
-			indexURI++
 			handle, err := url.Parse(wireID.Handle)
 			if err != nil {
 				return sans, NewErrorISE("handle must be a URI: %s", wireID.Handle)
 			}
 			tmpOrderURIs[indexURI] = handle
 			indexURI++
+		case WireDevice:
+			wireID, err := wire.ParseDeviceID([]byte(n.Value))
+			if err != nil {
+				return sans, NewErrorISE("unsupported identifier value in order: %s", n.Value)
+			}
+			clientID, err := url.Parse(wireID.ClientID)
+			if err != nil {
+				return sans, NewErrorISE("clientId must be a URI: %s", wireID.ClientID)
+			}
+			tmpOrderURIs[indexURI] = clientID
+			indexURI++
 		default:
 			return sans, NewErrorISE("unsupported identifier type in order: %s", n.Type)
 		}
--- a/acme/wire/id.go
+++ b/acme/wire/id.go
@ -8,15 +8,26 @@ import (
 	"go.step.sm/crypto/kms/uri"
 )

-type ID struct {
+type UserID struct {
+	Name   string `json:"name,omitempty"`
+	Domain string `json:"domain,omitempty"`
+	Handle string `json:"handle,omitempty"`
+}
+
+type DeviceID struct {
 	Name     string `json:"name,omitempty"`
 	Domain   string `json:"domain,omitempty"`
 	ClientID string `json:"client-id,omitempty"`
 	Handle   string `json:"handle,omitempty"`
 }

-func ParseID(data []byte) (wireID ID, err error) {
-	err = json.Unmarshal(data, &wireID)
+func ParseUserID(data []byte) (id UserID, err error) {
+	err = json.Unmarshal(data, &id)
+	return
+}
+
+func ParseDeviceID(data []byte) (id DeviceID, err error) {
+	err = json.Unmarshal(data, &id)
 	return
 }

--- a/acme/wire/id_test.go
+++ b/acme/wire/id_test.go
@ -7,19 +7,43 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-func TestParseID(t *testing.T) {
-	ok := `{"name": "Alice Smith", "domain": "wire.com", "client-id": "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com", "handle": "wireapp://%40alice_wire@wire.com"}`
+func TestParseUserID(t *testing.T) {
+	ok := `{"name": "Alice Smith", "domain": "wire.com", "handle": "wireapp://%40alice_wire@wire.com"}`
 	tests := []struct {
 		name        string
 		data        []byte
-		wantWireID  ID
+		wantWireID  UserID
 		expectedErr error
 	}{
-		{name: "ok", data: []byte(ok), wantWireID: ID{Name: "Alice Smith", Domain: "wire.com", ClientID: "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com", Handle: "wireapp://%40alice_wire@wire.com"}},
+		{name: "ok", data: []byte(ok), wantWireID: UserID{Name: "Alice Smith", Domain: "wire.com", Handle: "wireapp://%40alice_wire@wire.com"}},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			gotWireID, err := ParseID(tt.data)
+			gotWireID, err := ParseUserID(tt.data)
+			if tt.expectedErr != nil {
+				assert.EqualError(t, err, tt.expectedErr.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tt.wantWireID, gotWireID)
+		})
+	}
+}
+
+func TestParseDeviceID(t *testing.T) {
+	ok := `{"name": "device", "domain": "wire.com", "client-id": "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com", "handle": "wireapp://%40alice_wire@wire.com"}`
+	tests := []struct {
+		name        string
+		data        []byte
+		wantWireID  DeviceID
+		expectedErr error
+	}{
+		{name: "ok", data: []byte(ok), wantWireID: DeviceID{Name: "device", Domain: "wire.com", ClientID: "wireapp://CzbfFjDOQrenCbDxVmgnFw!594930e9d50bb175@wire.com", Handle: "wireapp://%40alice_wire@wire.com"}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotWireID, err := ParseDeviceID(tt.data)
 			if tt.expectedErr != nil {
 				assert.EqualError(t, err, tt.expectedErr.Error())
 				return
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@ -10,9 +10,8 @@ import (
 	"time"

 	"github.com/pkg/errors"
-	"go.step.sm/linkedca"
-
 	"github.com/smallstep/certificates/acme/wire"
+	"go.step.sm/linkedca"
 )

 // ACMEChallenge represents the supported acme challenges.
@ -224,8 +223,10 @@ const (
 	IP ACMEIdentifierType = "ip"
 	// DNS is the ACME dns identifier type
 	DNS ACMEIdentifierType = "dns"
-	// WireID is the Wire user identifier type
-	WireID ACMEIdentifierType = "wireapp-id"
+	// WireUser is the Wire user identifier type
+	WireUser ACMEIdentifierType = "wireapp-user"
+	// WireDevice is the Wire device identifier type
+	WireDevice ACMEIdentifierType = "wireapp-device"
 )

 // ACMEIdentifier encodes ACME Order Identifiers
@ -251,12 +252,18 @@ func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdenti
 		err = x509Policy.IsIPAllowed(net.ParseIP(identifier.Value))
 	case DNS:
 		err = x509Policy.IsDNSAllowed(identifier.Value)
-	case WireID:
-		var wireID wire.ID
-		if wireID, err = wire.ParseID([]byte(identifier.Value)); err != nil {
+	case WireUser:
+		var wireID wire.UserID
+		if wireID, err = wire.ParseUserID([]byte(identifier.Value)); err != nil {
+			return fmt.Errorf("failed parsing Wire SANs: %w", err)
+		}
+		err = x509Policy.AreSANsAllowed([]string{wireID.Handle})
+	case WireDevice:
+		var wireID wire.DeviceID
+		if wireID, err = wire.ParseDeviceID([]byte(identifier.Value)); err != nil {
 			return fmt.Errorf("failed parsing Wire SANs: %w", err)
 		}
-		err = x509Policy.AreSANsAllowed([]string{wireID.ClientID, wireID.Handle})
+		err = x509Policy.AreSANsAllowed([]string{wireID.ClientID})
 	default:
 		err = fmt.Errorf("invalid ACME identifier type '%s' provided", identifier.Type)
 	}