From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gleumes@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 8D7CBC1C1D
 for <pve-devel@lists.proxmox.com>; Thu, 18 Jan 2024 15:28:39 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 6729516652
 for <pve-devel@lists.proxmox.com>; Thu, 18 Jan 2024 15:28:09 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Thu, 18 Jan 2024 15:28:08 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 6D85C491CE
 for <pve-devel@lists.proxmox.com>; Thu, 18 Jan 2024 15:28:08 +0100 (CET)
Message-ID: <1fc22f503128b9043613c4f6571232189857ebe3.camel@proxmox.com>
From: Folke Gleumes <f.gleumes@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Thu, 18 Jan 2024 15:28:07 +0100
In-Reply-To: <20240118104013.91132-1-shana@zju.edu.cn>
References: <20240118104013.91132-1-shana@zju.edu.cn>
Organization: Proxmox Server Solutions GmbH
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4-2 
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.015 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [acme.pm]
Subject: Re: [pve-devel] [PATCH acme] Fix EBA MAC key decoding
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 14:28:39 -0000

Hey,

thanks for contributing!

Your right, the RFC suggests that the key the user supplies should be
interpreted as base64url and not base64. Since I'm not the first and
probably won't be the last to run into this mistake, I wonder if it
might be worth to be a bit more lenient and implement a simple check on
the '/' and '+' characters, to check if base64 or base64url has been
used to encode the key.

Tested-By: Folke Gleumes <f.gleumes@proxmox.com>

On Thu, 2024-01-18 at 18:40 +0800, YU Jincheng wrote:
> Accroding to RFC 8555:
> > The MAC key SHOULD be provided in base64url-encoded form...
>=20
> However, currently we are only decoding the MAC key as base64.
> This patch uses the correct function to decode the user provided
> MAC key as base64url format. This can fix authentication error
> when a user uses command `pvenode acme account register` and paste
> the EBA MAC key as prompted.
>=20
> Signed-off-by: YU Jincheng <shana@zju.edu.cn>
> ---
> =C2=A0src/PVE/ACME.pm | 4 ++--
> =C2=A01 file changed, 2 insertions(+), 2 deletions(-)
>=20
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index bf5410d..428cdda 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -7,7 +7,7 @@ use POSIX;
> =C2=A0
> =C2=A0use Data::Dumper;
> =C2=A0use Date::Parse;
> -use MIME::Base64 qw(encode_base64url decode_base64);
> +use MIME::Base64 qw(encode_base64url decode_base64url);
> =C2=A0use File::Path qw(make_path);
> =C2=A0use JSON;
> =C2=A0use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
> @@ -365,7 +365,7 @@ sub new_account {
> =C2=A0=C2=A0=C2=A0=C2=A0 my %payload =3D ( contact =3D> $info{contact} );
> =C2=A0
> =C2=A0=C2=A0=C2=A0=C2=A0 if (defined($info{eab})) {
> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0my $eab_hmac_key =3D decode_ba=
se64($info{eab}->{hmac_key});
> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0my $eab_hmac_key =3D decode_ba=
se64url($info{eab}->{hmac_key});
> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0$payload{externalAccountB=
inding} =3D
> external_account_binding_jws(
> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 $info{=
eab}->{kid},
> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 $eab_h=
mac_key,