From: Folke Gleumes <f.gleumes@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH acme v3 1/5] fix #4497: add support for external account bindings
Date: Tue, 31 Oct 2023 10:05:10 +0100 [thread overview]
Message-ID: <20231031090514.23629-2-f.gleumes@proxmox.com> (raw)
In-Reply-To: <20231031090514.23629-1-f.gleumes@proxmox.com>
implementation acording to rfc8555 section 7.3.4
Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
---
Changes since v2:
Transport eab credentials in the info hash, but don't reuse it as
payload. Instead, needed values are extracted and, if needed, transformed
into a new hash.
While this limits how the info hash can be used, AFAIK there are no
fields that could be set when creating a new account [0], that can't be
produced with this abi.
[0] https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.2
src/PVE/ACME.pm | 48 ++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 42 insertions(+), 6 deletions(-)
diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index 3f66182..bf5410d 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -7,10 +7,10 @@ use POSIX;
use Data::Dumper;
use Date::Parse;
-use MIME::Base64 qw(encode_base64url);
+use MIME::Base64 qw(encode_base64url decode_base64);
use File::Path qw(make_path);
use JSON;
-use Digest::SHA qw(sha256 sha256_hex);
+use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
use HTTP::Request;
use LWP::UserAgent;
@@ -251,6 +251,28 @@ sub jws {
};
}
+# EAB signing using the HS256 alg (HMAC/SHA256).
+my sub external_account_binding_jws {
+ my ($eab_kid, $eab_hmac_key, $jwk, $url) = @_;
+
+ my $protected = {
+ alg => 'HS256',
+ kid => $eab_kid,
+ url => $url,
+ };
+ $protected = encode(tojs($protected));
+
+ my $payload = encode(tojs($jwk));
+ my $signdata = "$protected.$payload";
+ my $signature = encode(hmac_sha256($signdata, $eab_hmac_key));
+
+ return {
+ protected => $protected,
+ payload => $payload,
+ signature => $signature,
+ };
+}
+
sub __get_result {
my ($resp, $code, $plain) = @_;
@@ -300,8 +322,8 @@ sub list_methods {
}
# return (optional) meta directory entry.
-# this is public because it might contain the ToS, which should be displayed
-# and agreed to before creating an account
+# this is public because it might contain the ToS and EAB requirements,
+# which have to be considered before creating an account
sub get_meta {
my ($self) = @_;
my $methods = $self->__get_methods();
@@ -331,6 +353,8 @@ sub __new_account {
# Create a new account using data in %info.
# Optionally pass $tos_url to agree to the given Terms of Service
+# %info must have at least a 'contact' field and may have a 'eab' field
+# containing a hash with 'kid' and 'hmac_key' set.
# POST to newAccount endpoint
# Expects a '201 Created' reply
# Saves and returns the account data
@@ -338,12 +362,24 @@ sub new_account {
my ($self, $tos_url, %info) = @_;
my $url = $self->_method('newAccount');
+ my %payload = ( contact => $info{contact} );
+
+ if (defined($info{eab})) {
+ my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
+ $payload{externalAccountBinding} = external_account_binding_jws(
+ $info{eab}->{kid},
+ $eab_hmac_key,
+ $self->jwk(),
+ $url
+ );
+ }
+
if ($tos_url) {
$self->{tos} = $tos_url;
- $info{termsOfServiceAgreed} = JSON::true;
+ $payload{termsOfServiceAgreed} = JSON::true;
}
- return $self->__new_account(201, $url, 1, %info);
+ return $self->__new_account(201, $url, 1, %payload);
}
# Update existing account with new %info
--
2.39.2
next prev parent reply other threads:[~2023-10-31 9:05 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-31 9:05 [pve-devel] [PATCH acme v3 0/5] " Folke Gleumes
2023-10-31 9:05 ` Folke Gleumes [this message]
2023-10-31 9:05 ` [pve-devel] [PATCH manager v3 2/5] fix #4497: acme: " Folke Gleumes
2023-10-31 9:05 ` [pve-devel] [PATCH manager v3 3/5] api/acme: deprecate tos endpoint in favor of meta Folke Gleumes
2023-11-13 11:24 ` Thomas Lamprecht
2023-10-31 9:05 ` [pve-devel] [PATCH manager v3 4/5] fix #4497: cli/acme: detect eab and ask for credentials Folke Gleumes
2023-10-31 9:05 ` [pve-devel] [PATCH manager v3 5/5] ui/acme: switch to new meta endpoint Folke Gleumes
2023-11-10 11:18 ` [pve-devel] [PATCH acme v3 0/5] fix #4497: add support for external account bindings Fabian Grünbichler
2023-11-13 11:26 ` [pve-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231031090514.23629-2-f.gleumes@proxmox.com \
--to=f.gleumes@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox