[pve-devel] [PATCH acme v3 1/5] fix #4497: add support for external account bindings

Folke Gleumes f.gleumes at proxmox.com
Tue Oct 31 10:05:10 CET 2023 

implementation acording to rfc8555 section 7.3.4

Signed-off-by: Folke Gleumes <f.gleumes at proxmox.com>
---

Changes since v2:
Transport eab credentials in the info hash, but don't reuse it as
payload. Instead, needed values are extracted and, if needed, transformed
into a new hash.
While this limits how the info hash can be used, AFAIK there are no
fields that could be set when creating a new account [0], that can't be
produced with this abi.

[0] https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.2

 src/PVE/ACME.pm | 48 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 6 deletions(-)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index 3f66182..bf5410d 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -7,10 +7,10 @@ use POSIX;
 
 use Data::Dumper;
 use Date::Parse;
-use MIME::Base64 qw(encode_base64url);
+use MIME::Base64 qw(encode_base64url decode_base64);
 use File::Path qw(make_path);
 use JSON;
-use Digest::SHA qw(sha256 sha256_hex);
+use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
 
 use HTTP::Request;
 use LWP::UserAgent;
@@ -251,6 +251,28 @@ sub jws {
     };
 }
 
+# EAB signing using the HS256 alg (HMAC/SHA256).
+my sub external_account_binding_jws {
+    my ($eab_kid, $eab_hmac_key, $jwk, $url) = @_;
+
+    my $protected = {
+	alg => 'HS256',
+	kid => $eab_kid,
+	url => $url,
+    };
+    $protected = encode(tojs($protected));
+
+    my $payload = encode(tojs($jwk));
+    my $signdata = "$protected.$payload";
+    my $signature = encode(hmac_sha256($signdata, $eab_hmac_key));
+
+    return {
+	protected => $protected,
+	payload => $payload,
+	signature => $signature,
+    };
+}
+
 sub __get_result {
     my ($resp, $code, $plain) = @_;
 
@@ -300,8 +322,8 @@ sub list_methods {
 }
 
 # return (optional) meta directory entry.
-# this is public because it might contain the ToS, which should be displayed
-# and agreed to before creating an account
+# this is public because it might contain the ToS and EAB requirements,
+# which have to be considered before creating an account
 sub get_meta {
     my ($self) = @_;
     my $methods = $self->__get_methods();
@@ -331,6 +353,8 @@ sub __new_account {
 
 # Create a new account using data in %info.
 # Optionally pass $tos_url to agree to the given Terms of Service
+# %info must have at least a 'contact' field and may have a 'eab' field
+# containing a hash with 'kid' and 'hmac_key' set.
 # POST to newAccount endpoint
 # Expects a '201 Created' reply
 # Saves and returns the account data
@@ -338,12 +362,24 @@ sub new_account {
     my ($self, $tos_url, %info) = @_;
     my $url = $self->_method('newAccount');
 
+    my %payload = ( contact => $info{contact} );
+
+    if (defined($info{eab})) {
+	my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
+	$payload{externalAccountBinding} = external_account_binding_jws(
+	    $info{eab}->{kid},
+	    $eab_hmac_key,
+	    $self->jwk(),
+	    $url
+	);
+    }
+
     if ($tos_url) {
 	$self->{tos} = $tos_url;
-	$info{termsOfServiceAgreed} = JSON::true;
+	$payload{termsOfServiceAgreed} = JSON::true;
     }
 
-    return $self->__new_account(201, $url, 1, %info);
+    return $self->__new_account(201, $url, 1, %payload);
 }
 
 # Update existing account with new %info
-- 
2.39.2

More information about the pve-devel mailing list