[pve-devel] [PATCH acme v2 1/5] fix #4497: add support for external account bindings
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Oct 27 08:58:31 CEST 2023
On 25/10/2023 at 15:07, Folke Gleumes wrote:
> Changes v1 -> v2:
> Switched from including the eab credentials in the info hash,
> to passing them in their own variable. This unfortunately still
> breaks the api, but doesn't potentially expose secrets and is
> cleaner than purging the values from the hash afterwards.
yeah, IMO the signature of that method is still not really ideal, i.e.,
adding that as explicit param is a lateral move and still breaks ABI, so
meh, and I'd prefer
> src/PVE/ACME.pm | 42 +++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 37 insertions(+), 5 deletions(-)
>
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index 3f66182..7b3840b 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -251,6 +251,28 @@ sub jws {
> };
> }
>
> +# EAB signing using the HS256 alg (HMAC/SHA256).
> +sub external_account_binding_jws {
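Review bot: the comment above `external_account_binding_jws` names only the algorithm (HS256) and says nothing about what the sub takes or returns. Since v2 passes the EAB credentials in their own variable, document here which arguments are expected (the key identifier and the HMAC key, and whether the key is expected raw or still encoded) and what structure is returned, so callers do not have to read the body to avoid double-decoding the key or passing it on into the info hash.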
should this be actually a private method? I.e., some
    my sub external_account_binding_jws { }
or as code ref in a variable:
    my $external_account_binding_jws = sub { }
FYI: For above examples you'd need to pass $self then explicitly
either way though.
As this is probably not intended to be called from the "outside"?
Albeit, that would be yet another way to avoid API breakage: let the
caller call this first and place the result into the %info hash, but
that would still keep that unchecked passing along of the %info hash.