[pve-devel] [PATCH v2 acme] Fix EBA MAC key decoding
Folke Gleumes
f.gleumes at proxmox.com
Mon Jan 29 14:15:20 CET 2024
On Thu, 2024-01-25 at 16:28 +0800, YU Jincheng wrote:
> Accroding to RFC 8555:
>
> > The MAC key SHOULD be provided in base64url-encoded form...
>
> However, currently we are only decoding the MAC key as base64.
> This patch chooses the correct function to decode the user provided
> MAC key. This can fix authentication error when a user uses command
> `pvenode acme account register` and paste the EBA MAC key as
> prompted.
>
> Signed-off-by: YU Jincheng <shana at zju.edu.cn>
> ---
> src/PVE/ACME.pm | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index bf5410d..65094c2 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -7,7 +7,7 @@ use POSIX;
>
> use Data::Dumper;
> use Date::Parse;
> -use MIME::Base64 qw(encode_base64url decode_base64);
> +use MIME::Base64 qw(encode_base64url decode_base64
> decode_base64url);
> use File::Path qw(make_path);
> use JSON;
> use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
> @@ -365,7 +365,12 @@ sub new_account {
> my %payload = ( contact => $info{contact} );
>
> if (defined($info{eab})) {
> - my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
> + my $eab_hmac_key;
> + if ($info{eab}->{hmac_key} =~ m/[+\/]/) {
> + $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
> + } else {
> + $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
> + }
> $payload{externalAccountBinding} =
> external_account_binding_jws(
> $info{eab}->{kid},
> $eab_hmac_key,
Thanks!
Works as intended, tested with base64, base64url and strings that would
be valid for both.
Tested-by: Folke Gleumes <f.gleumes at proxmox.com>
More information about the pve-devel
mailing list