From: Fiona Ebner
To: LoveSy, pmg-devel@lists.proxmox.com
Date: Thu, 18 Jan 2024 10:31:00 +0100
Subject: Re: [pmg-devel] [PATCH acme 1/1] Fix EBA MAC key decoding
In-Reply-To: <20240116174328.75567-2-shana@zju.edu.cn>
References: <20240116174328.75567-1-shana@zju.edu.cn> <20240116174328.75567-2-shana@zju.edu.cn>

On 16.01.24 at 18:43, LoveSy wrote:
> From: YU Jincheng
>

Thank you for the contribution!

> According to RFC 8555:
>> The MAC key SHOULD be provided in base64url-encoded form...
>
> However, currently we are only decoding the MAC key as base64.
> This patch uses the correct function to decode the user provided
> MAC key as base64url format.
>

The encoding is already done with encode_base64url(). Your change is for the MAC provided via the Proxmox API, so it doesn't necessarily need to adhere to the RFC. If it's a backwards-compatible change, it can still be worth it of course.

> Signed-off-by: YU Jincheng > --- > src/PVE/ACME.pm | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > If I'm not missing something, PMG doesn't use this implementation but a Rust-based one, see: https://git.proxmox.com/?p=pmg-api.git;a=blob;f=src/PMG/API2/ACME.pm;h=1eab74da209f97460b3ef584b2bb8eba7b19e6ec;hb=HEAD#l153 https://git.proxmox.com/?p=proxmox-perl-rs.git;a=blob;f=pmg-rs/src/acme.rs;h=06281da6f2955475f2e85023e3241e496c4c7eba;hb=27a7f2e2529770de8802ce92bc096a67c18b9fa6 https://git.proxmox.com/?p=proxmox-acme.git;a=summary Did you intend to send this patch to pve-devel instead, which does use this Perl module? If you haven't done already, you need to agree to the Harmony CLA before we can accept your contribution: https://pve.proxmox.com/wiki/Developer_Documentation#Software_License_and_Copyright > diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm > index bf5410d..428cdda 100644 > --- a/src/PVE/ACME.pm > +++ b/src/PVE/ACME.pm > @@ -7,7 +7,7 @@ use POSIX; > > use Data::Dumper; > use Date::Parse; > -use MIME::Base64 qw(encode_base64url decode_base64); > +use MIME::Base64 qw(encode_base64url decode_base64url); > use File::Path qw(make_path); > use JSON; > use Digest::SHA qw(sha256 sha256_hex hmac_sha256); > @@ -365,7 +365,7 @@ sub new_account { > my %payload = ( contact => $info{contact} ); > > if (defined($info{eab})) { > - my $eab_hmac_key = decode_base64($info{eab}->{hmac_key}); > + my $eab_hmac_key = decode_base64url($info{eab}->{hmac_key}); > $payload{externalAccountBinding} = external_account_binding_jws( > $info{eab}->{kid}, > $eab_hmac_key,
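
Review bot: in the `use MIME::Base64` hunk, `decode_base64` is dropped from the import list, but the diff shows only one caller being converted. Confirm that nothing else in src/PVE/ACME.pm still calls `decode_base64`, otherwise that call fails with an undefined subroutine error; if any caller remains, keep both names in the `qw(...)` list.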
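
Review bot: in the `new_account` hunk, the result of `decode_base64url($info{eab}->{hmac_key})` goes straight into `external_account_binding_jws` with no check. The MIME::Base64 decoders skip characters they do not recognise instead of failing, so a mistyped key silently becomes a different HMAC key and the problem only surfaces later as a rejection from the CA. Consider validating the string against the base64/base64url alphabet and dying with a clear message when it does not match or decodes to an empty value. The commit message should also state whether keys previously supplied in standard base64 still decode, since that is the backwards-compatibility question for existing users.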
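
The decoding difference this thread discusses, as an added Perl example (not code from the patch or from the Proxmox repositories): it compares `decode_base64` and `decode_base64url` on the same key in both encodings and shows one way to reject malformed input. The key is a constructed sample and `decode_eab_hmac_key` is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 encode_base64url decode_base64 decode_base64url);
use Digest::SHA qw(hmac_sha256_hex);

# Constructed 32-byte sample key (not a real credential). The repeated bytes
# 0xfb 0xff force '+' and '/' in base64, i.e. '-' and '_' in base64url.
my $key = pack('H*', 'fbff' x 16);
my $std = encode_base64($key, '');   # standard alphabet, '=' padded
my $url = encode_base64url($key);    # URL-safe alphabet, unpadded

# Hypothetical helper: accept either alphabet, but reject anything else
# instead of letting the decoder skip characters silently.
sub decode_eab_hmac_key {
    my ($raw) = @_;
    die "EAB HMAC key is missing\n" if !defined($raw) || $raw eq '';
    die "EAB HMAC key is not valid base64/base64url\n"
        if $raw !~ m{^[A-Za-z0-9+/_-]+={0,2}$};
    die "EAB HMAC key mixes base64 and base64url alphabets\n"
        if $raw =~ m{[+/]} && $raw =~ m{[-_]};
    return decode_base64url($raw);   # maps '-_' to '+/' and restores padding
}

# decode_base64() ignores characters outside its alphabet, so a base64url
# key loses every '-' and '_' and decodes to different bytes without error.
my $lossy = decode_base64($url);
my $msg   = 'constructed JWS signing input';

printf "decode_base64(url)       matches key: %s\n", $lossy eq $key ? 'yes' : 'no';
printf "decode_base64url(url)    matches key: %s\n", decode_base64url($url) eq $key ? 'yes' : 'no';
printf "decode_base64url(std)    matches key: %s\n", decode_base64url($std) eq $key ? 'yes' : 'no';
printf "decode_eab_hmac_key(std) matches key: %s\n", decode_eab_hmac_key($std) eq $key ? 'yes' : 'no';
printf "HMAC with lossy key equals real HMAC: %s\n",
    hmac_sha256_hex($msg, $lossy) eq hmac_sha256_hex($msg, $key) ? 'yes' : 'no';

# Input with a stray character is rejected rather than decoded.
my $ok = eval { decode_eab_hmac_key("$url!"); 1 };
print "stray character rejected: ", ($ok ? 'no' : 'yes'), "\n";
```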