proxmox-mirrors/proxmox-acme
1
0
Fork 0
mirror of https://git.proxmox.com/git/proxmox-acme synced 2025-04-28 12:16:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix #4497: add support for external account bindings

Browse Source 
implementation according to RFC 8555, section 7.3.4

Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
Reviewed-by: Fabian.Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Folke Gleumes 2023-10-31 10:05:10 +01:00 committed by Thomas Lamprecht
parent c0e3e6c415
commit c0e1079c87
1 changed files with 44 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
src/PVE/ACME.pm
View File

@ -7,10 +7,10 @@ use POSIX;
use Data::Dumper;
use Date::Parse;
use MIME::Base64 qw(encode_base64url);
use MIME::Base64 qw(encode_base64url decode_base64);
use File::Path qw(make_path);
use JSON;
use Digest::SHA qw(sha256 sha256_hex);
use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
use HTTP::Request;
use LWP::UserAgent;
@ -251,6 +251,28 @@ sub jws {
};
}
# EAB signing using the HS256 alg (HMAC/SHA256).
my sub external_account_binding_jws {
my ($eab_kid, $eab_hmac_key, $jwk, $url) = @_;
my $protected = {
alg => 'HS256',
kid => $eab_kid,
url => $url,
};
$protected = encode(tojs($protected));
my $payload = encode(tojs($jwk));
my $signdata = "$protected.$payload";
my $signature = encode(hmac_sha256($signdata, $eab_hmac_key));
return {
protected => $protected,
payload => $payload,
signature => $signature,
};
}
sub __get_result {
my ($resp, $code, $plain) = @_;
@ -300,8 +322,8 @@ sub list_methods {
}
# return (optional) meta directory entry.
# this is public because it might contain the ToS, which should be displayed
# and agreed to before creating an account
# this is public because it might contain the ToS and EAB requirements,
# which have to be considered before creating an account
sub get_meta {
my ($self) = @_;
my $methods = $self->__get_methods();
@ -331,6 +353,8 @@ sub __new_account {
# Create a new account using data in %info.
# Optionally pass $tos_url to agree to the given Terms of Service
# %info must have at least a 'contact' field and may have a 'eab' field
# containing a hash with 'kid' and 'hmac_key' set.
# POST to newAccount endpoint
# Expects a '201 Created' reply
# Saves and returns the account data
@ -338,12 +362,24 @@ sub new_account {
my ($self, $tos_url, %info) = @_;
my $url = $self->_method('newAccount');
if ($tos_url) {
$self->{tos} = $tos_url;
$info{termsOfServiceAgreed} = JSON::true;
my %payload = ( contact => $info{contact} );
if (defined($info{eab})) {
my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
$payload{externalAccountBinding} = external_account_binding_jws(
$info{eab}->{kid},
$eab_hmac_key,
$self->jwk(),
$url
);
}
return $self->__new_account(201, $url, 1, %info);
if ($tos_url) {
$self->{tos} = $tos_url;
$payload{termsOfServiceAgreed} = JSON::true;
}
return $self->__new_account(201, $url, 1, %payload);
}
# Update existing account with new %info