From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by lists.proxmox.com (Postfix) with ESMTPS id A3ABA90915
	for ; Thu, 25 Jan 2024 09:32:13 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 856AB156F7
	for ; Thu, 25 Jan 2024 09:31:43 +0100 (CET)
Received: from zg8tmtyylji0my4xnjqumte4.icoremail.net (zg8tmtyylji0my4xnjqumte4.icoremail.net [162.243.164.118])
	by firstgate.proxmox.com (Proxmox) with ESMTP
	for ; Thu, 25 Jan 2024 09:31:40 +0100 (CET)
Received: from localhost.localdomain (unknown [113.93.28.4])
	by mail-app4 (Coremail) with SMTP id cS_KCgAnRIO8G7JljlOaAA--.42887S2;
	Thu, 25 Jan 2024 16:28:45 +0800 (CST)
From: YU Jincheng
To: pve-devel@lists.proxmox.com
Date: Thu, 25 Jan 2024 16:28:01 +0800
Message-Id: <20240125082800.11857-1-shana@zju.edu.cn>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <1fc22f503128b9043613c4f6571232189857ebe3.camel@proxmox.com>
References: <1fc22f503128b9043613c4f6571232189857ebe3.camel@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [pve-devel] [PATCH v2 acme] Fix EBA MAC key decoding
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion
X-List-Received-Date: Thu, 25 Jan 2024 08:32:13 -0000

According to RFC 8555:

> The MAC key SHOULD be provided in base64url-encoded form...

However, currently we are only decoding the MAC key as base64. This patch
chooses the correct function to decode the user-provided MAC key. This can fix
the authentication error when a user uses the command
`pvenode acme account register` and pastes the EBA MAC key as prompted.

Signed-off-by: YU Jincheng
---
 src/PVE/ACME.pm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm index bf5410d..65094c2 100644 --- a/src/PVE/ACME.pm +++ b/src/PVE/ACME.pm @@ -7,7 +7,7 @@ use POSIX; use Data::Dumper; use Date::Parse; -use MIME::Base64 qw(encode_base64url decode_base64); +use MIME::Base64 qw(encode_base64url decode_base64 decode_base64url); use File::Path qw(make_path); use JSON; use Digest::SHA qw(sha256 sha256_hex hmac_sha256); 
@@ -365,7 +365,12 @@ sub new_account { my %payload = ( contact => $info{contact} ); if (defined($info{eab})) { - my $eab_hmac_key = decode_base64($info{eab}->{hmac_key}); + my $eab_hmac_key; + if ($info{eab}->{hmac_key} =~ m/[+\/]/) { + $eab_hmac_key = decode_base64($info{eab}->{hmac_key}); + } else { + $eab_hmac_key = decode_base64url($info{eab}->{hmac_key}); + } $payload{externalAccountBinding} = external_account_binding_jws( $info{eab}->{kid}, $eab_hmac_key, -- 2.34.1
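
Review bot: In the `new_account` hunk, the `m/[+\/]/` test picks the decoder only from the presence of `+` or `/`, and neither branch validates the input or checks the decoded result before it is passed to `external_account_binding_jws`. A pasted key that mixes alphabets (for example one containing both `/` and `-`) takes the `decode_base64` branch, and MIME::Base64 silently skips characters outside the alphabet it expects, so a malformed key yields a wrong or empty HMAC key without any local error. Consider rejecting input that does not match a single alphabet (for instance `m/^[A-Za-z0-9_-]+=*$/` for base64url) and dying with a clear message when the decoded key is empty. A short code comment saying why plain base64 is still accepted as a fallback would also help, since the commit message only cites the base64url wording from RFC 8555.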