public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH acme] Fix EBA MAC key decoding
@ 2024-01-18 10:40 YU Jincheng
  2024-01-18 14:28 ` Folke Gleumes
  0 siblings, 1 reply; 5+ messages in thread
From: YU Jincheng @ 2024-01-18 10:40 UTC (permalink / raw)
  To: pve-devel

Accroding to RFC 8555:
> The MAC key SHOULD be provided in base64url-encoded form...

However, currently we are only decoding the MAC key as base64.
This patch uses the correct function to decode the user provided
MAC key as base64url format. This can fix authentication error
when a user uses command `pvenode acme account register` and paste
the EBA MAC key as prompted.

Signed-off-by: YU Jincheng <shana@zju.edu.cn>
---
 src/PVE/ACME.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index bf5410d..428cdda 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -7,7 +7,7 @@ use POSIX;
 
 use Data::Dumper;
 use Date::Parse;
-use MIME::Base64 qw(encode_base64url decode_base64);
+use MIME::Base64 qw(encode_base64url decode_base64url);
 use File::Path qw(make_path);
 use JSON;
 use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
@@ -365,7 +365,7 @@ sub new_account {
     my %payload = ( contact => $info{contact} );
 
     if (defined($info{eab})) {
-	my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
+	my $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
 	$payload{externalAccountBinding} = external_account_binding_jws(
 	    $info{eab}->{kid},
 	    $eab_hmac_key,
-- 
2.39.3 (Apple Git-145)




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [pve-devel] [PATCH acme] Fix EBA MAC key decoding
  2024-01-18 10:40 [pve-devel] [PATCH acme] Fix EBA MAC key decoding YU Jincheng
@ 2024-01-18 14:28 ` Folke Gleumes
  2024-01-25  8:28   ` [pve-devel] [PATCH v2 " YU Jincheng
  0 siblings, 1 reply; 5+ messages in thread
From: Folke Gleumes @ 2024-01-18 14:28 UTC (permalink / raw)
  To: pve-devel

Hey,

thanks for contributing!

Your right, the RFC suggests that the key the user supplies should be
interpreted as base64url and not base64. Since I'm not the first and
probably won't be the last to run into this mistake, I wonder if it
might be worth to be a bit more lenient and implement a simple check on
the '/' and '+' characters, to check if base64 or base64url has been
used to encode the key.

Tested-By: Folke Gleumes <f.gleumes@proxmox.com>

On Thu, 2024-01-18 at 18:40 +0800, YU Jincheng wrote:
> Accroding to RFC 8555:
> > The MAC key SHOULD be provided in base64url-encoded form...
> 
> However, currently we are only decoding the MAC key as base64.
> This patch uses the correct function to decode the user provided
> MAC key as base64url format. This can fix authentication error
> when a user uses command `pvenode acme account register` and paste
> the EBA MAC key as prompted.
> 
> Signed-off-by: YU Jincheng <shana@zju.edu.cn>
> ---
>  src/PVE/ACME.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index bf5410d..428cdda 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -7,7 +7,7 @@ use POSIX;
>  
>  use Data::Dumper;
>  use Date::Parse;
> -use MIME::Base64 qw(encode_base64url decode_base64);
> +use MIME::Base64 qw(encode_base64url decode_base64url);
>  use File::Path qw(make_path);
>  use JSON;
>  use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
> @@ -365,7 +365,7 @@ sub new_account {
>      my %payload = ( contact => $info{contact} );
>  
>      if (defined($info{eab})) {
> -       my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
> +       my $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
>         $payload{externalAccountBinding} =
> external_account_binding_jws(
>             $info{eab}->{kid},
>             $eab_hmac_key,





^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH v2 acme] Fix EBA MAC key decoding
  2024-01-18 14:28 ` Folke Gleumes
@ 2024-01-25  8:28   ` YU Jincheng
  2024-01-29 13:15     ` Folke Gleumes
  2024-02-12  8:54     ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 2 replies; 5+ messages in thread
From: YU Jincheng @ 2024-01-25  8:28 UTC (permalink / raw)
  To: pve-devel

Accroding to RFC 8555:

> The MAC key SHOULD be provided in base64url-encoded form...

However, currently we are only decoding the MAC key as base64.
This patch chooses the correct function to decode the user provided
MAC key. This can fix authentication error when a user uses command
`pvenode acme account register` and paste the EBA MAC key as prompted.

Signed-off-by: YU Jincheng <shana@zju.edu.cn>
---
 src/PVE/ACME.pm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index bf5410d..65094c2 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -7,7 +7,7 @@ use POSIX;
 
 use Data::Dumper;
 use Date::Parse;
-use MIME::Base64 qw(encode_base64url decode_base64);
+use MIME::Base64 qw(encode_base64url decode_base64 decode_base64url);
 use File::Path qw(make_path);
 use JSON;
 use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
@@ -365,7 +365,12 @@ sub new_account {
     my %payload = ( contact => $info{contact} );
 
     if (defined($info{eab})) {
-	my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
+	my $eab_hmac_key;
+	if ($info{eab}->{hmac_key} =~ m/[+\/]/) {
+	    $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
+	} else {
+	    $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
+	}
 	$payload{externalAccountBinding} = external_account_binding_jws(
 	    $info{eab}->{kid},
 	    $eab_hmac_key,
-- 
2.34.1




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [pve-devel] [PATCH v2 acme] Fix EBA MAC key decoding
  2024-01-25  8:28   ` [pve-devel] [PATCH v2 " YU Jincheng
@ 2024-01-29 13:15     ` Folke Gleumes
  2024-02-12  8:54     ` [pve-devel] applied: " Thomas Lamprecht
  1 sibling, 0 replies; 5+ messages in thread
From: Folke Gleumes @ 2024-01-29 13:15 UTC (permalink / raw)
  To: Proxmox VE development discussion

On Thu, 2024-01-25 at 16:28 +0800, YU Jincheng wrote:
> Accroding to RFC 8555:
> 
> > The MAC key SHOULD be provided in base64url-encoded form...
> 
> However, currently we are only decoding the MAC key as base64.
> This patch chooses the correct function to decode the user provided
> MAC key. This can fix authentication error when a user uses command
> `pvenode acme account register` and paste the EBA MAC key as
> prompted.
> 
> Signed-off-by: YU Jincheng <shana@zju.edu.cn>
> ---
>  src/PVE/ACME.pm | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index bf5410d..65094c2 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -7,7 +7,7 @@ use POSIX;
>  
>  use Data::Dumper;
>  use Date::Parse;
> -use MIME::Base64 qw(encode_base64url decode_base64);
> +use MIME::Base64 qw(encode_base64url decode_base64
> decode_base64url);
>  use File::Path qw(make_path);
>  use JSON;
>  use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
> @@ -365,7 +365,12 @@ sub new_account {
>      my %payload = ( contact => $info{contact} );
>  
>      if (defined($info{eab})) {
> -       my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
> +       my $eab_hmac_key;
> +       if ($info{eab}->{hmac_key} =~ m/[+\/]/) {
> +           $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
> +       } else {
> +           $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
> +       }
>         $payload{externalAccountBinding} =
> external_account_binding_jws(
>             $info{eab}->{kid},
>             $eab_hmac_key,

Thanks!

Works as intended, tested with base64, base64url and strings that would
be valid for both.

Tested-by: Folke Gleumes <f.gleumes@proxmox.com>





^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] applied:  [PATCH v2 acme] Fix EBA MAC key decoding
  2024-01-25  8:28   ` [pve-devel] [PATCH v2 " YU Jincheng
  2024-01-29 13:15     ` Folke Gleumes
@ 2024-02-12  8:54     ` Thomas Lamprecht
  1 sibling, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2024-02-12  8:54 UTC (permalink / raw)
  To: Proxmox VE development discussion, YU Jincheng

Am 25/01/2024 um 09:28 schrieb YU Jincheng:
> Accroding to RFC 8555:
> 
>> The MAC key SHOULD be provided in base64url-encoded form...
> 
> However, currently we are only decoding the MAC key as base64.
> This patch chooses the correct function to decode the user provided
> MAC key. This can fix authentication error when a user uses command
> `pvenode acme account register` and paste the EBA MAC key as prompted.
> 
> Signed-off-by: YU Jincheng <shana@zju.edu.cn>
> ---
>  src/PVE/ACME.pm | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
>

applied, with Folke's T-b, thanks!

I fixed a small typo in the commit message and while at it I
reworded the commit subject to better fit our style (and to make
it easier to write a debian/changelog entry from this).




^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-02-12  8:54 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-18 10:40 [pve-devel] [PATCH acme] Fix EBA MAC key decoding YU Jincheng
2024-01-18 14:28 ` Folke Gleumes
2024-01-25  8:28   ` [pve-devel] [PATCH v2 " YU Jincheng
2024-01-29 13:15     ` Folke Gleumes
2024-02-12  8:54     ` [pve-devel] applied: " Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal