[pve-devel] [PATCH acme] Fix EBA MAC key decoding

Folke Gleumes f.gleumes at proxmox.com
Thu Jan 18 15:28:07 CET 2024


Hey,

thanks for contributing!

Your right, the RFC suggests that the key the user supplies should be
interpreted as base64url and not base64. Since I'm not the first and
probably won't be the last to run into this mistake, I wonder if it
might be worth to be a bit more lenient and implement a simple check on
the '/' and '+' characters, to check if base64 or base64url has been
used to encode the key.

Tested-By: Folke Gleumes <f.gleumes at proxmox.com>

On Thu, 2024-01-18 at 18:40 +0800, YU Jincheng wrote:
> Accroding to RFC 8555:
> > The MAC key SHOULD be provided in base64url-encoded form...
> 
> However, currently we are only decoding the MAC key as base64.
> This patch uses the correct function to decode the user provided
> MAC key as base64url format. This can fix authentication error
> when a user uses command `pvenode acme account register` and paste
> the EBA MAC key as prompted.
> 
> Signed-off-by: YU Jincheng <shana at zju.edu.cn>
> ---
>  src/PVE/ACME.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index bf5410d..428cdda 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -7,7 +7,7 @@ use POSIX;
>  
>  use Data::Dumper;
>  use Date::Parse;
> -use MIME::Base64 qw(encode_base64url decode_base64);
> +use MIME::Base64 qw(encode_base64url decode_base64url);
>  use File::Path qw(make_path);
>  use JSON;
>  use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
> @@ -365,7 +365,7 @@ sub new_account {
>      my %payload = ( contact => $info{contact} );
>  
>      if (defined($info{eab})) {
> -       my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
> +       my $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
>         $payload{externalAccountBinding} =
> external_account_binding_jws(
>             $info{eab}->{kid},
>             $eab_hmac_key,





More information about the pve-devel mailing list