WFE: Return errors from JWS-verification functions (#8077)

Change all of the helper methods and functions in verify.go to return an
`error` instead of a `probs.ProblemDetails`. Add a few new types to our
errors package, and support for those types in ProblemDetailsForError,
to maintain the same public-facing error types. Update the tests to
check for specific errors instead of specific problems.

This is a building block towards making the probs.ProblemDetails type
not implement the Error interface, and only be used when rendering
errors to the user (i.e. not within Boulder logic itself).

Part of #4980

Author: aarongable

errors/errors.go

@@ -31,7 +31,7 @@ const (
 	// InternalServer is deprecated. Instead, pass a plain Go error. That will get
 	// turned into a probs.InternalServerError by the WFE.
 	InternalServer ErrorType = iota
-	_
+	_                        // Reserved, previously NotSupported
 	Malformed
 	Unauthorized
 	NotFound
@@ -58,6 +58,9 @@ const (
 	// The certificate being indicated for replacement already has a replacement
 	// order.
 	AlreadyReplaced
+	BadSignatureAlgorithm
+	AccountDoesNotExist
+	BadNonce
 )
 
 func (ErrorType) Error() string {
@@ -303,3 +306,15 @@ func UnknownSerialError() error {
 func InvalidProfileError(msg string, args ...interface{}) error {
 	return newf(InvalidProfile, msg, args...)
 }
+
+func BadSignatureAlgorithmError(msg string, args ...interface{}) error {
+	return newf(BadSignatureAlgorithm, msg, args...)
+}
+
+func AccountDoesNotExistError(msg string, args ...interface{}) error {
+	return newf(AccountDoesNotExist, msg, args...)
+}
+
+func BadNonceError(msg string, args ...interface{}) error {
+	return newf(BadNonce, msg, args...)
+}

test/integration/revocation_test.go

@@ -536,7 +536,7 @@ func TestRevokeWithKeyCompromiseBlocksKey(t *testing.T) {
 			test.AssertNotError(t, err, "NewAccount failed with a non-blocklisted key")
 		case byKey:
 			test.AssertError(t, err, "NewAccount didn't fail with a blocklisted key")
-			test.AssertEquals(t, err.Error(), `acme: error code 400 "urn:ietf:params:acme:error:badPublicKey": public key is forbidden`)
+			test.AssertEquals(t, err.Error(), `acme: error code 400 "urn:ietf:params:acme:error:badPublicKey": Unable to validate JWS :: invalid request signing key: public key is forbidden`)
 		}
 	}
 }

web/probs.go

@@ -52,6 +52,12 @@ func problemDetailsForBoulderError(err *berrors.BoulderError, msg string) *probs
 		outProb = probs.Conflict(fmt.Sprintf("%s :: %s", msg, err))
 	case berrors.InvalidProfile:
 		outProb = probs.InvalidProfile(fmt.Sprintf("%s :: %s", msg, err))
+	case berrors.BadSignatureAlgorithm:
+		outProb = probs.BadSignatureAlgorithm(fmt.Sprintf("%s :: %s", msg, err))
+	case berrors.AccountDoesNotExist:
+		outProb = probs.AccountDoesNotExist(fmt.Sprintf("%s :: %s", msg, err))
+	case berrors.BadNonce:
+		outProb = probs.BadNonce(fmt.Sprintf("%s :: %s", msg, err))
 	default:
 		// Internal server error messages may include sensitive data, so we do
 		// not include it.