[pve-devel] [PATCH v2 acme] Fix EBA MAC key decoding

Folke Gleumes f.gleumes at proxmox.com
Mon Jan 29 14:15:20 CET 2024


On Thu, 2024-01-25 at 16:28 +0800, YU Jincheng wrote:
> Accroding to RFC 8555:
> 
> > The MAC key SHOULD be provided in base64url-encoded form...
> 
> However, currently we are only decoding the MAC key as base64.
> This patch chooses the correct function to decode the user provided
> MAC key. This can fix authentication error when a user uses command
> `pvenode acme account register` and paste the EBA MAC key as
> prompted.
> 
> Signed-off-by: YU Jincheng <shana at zju.edu.cn>
> ---
>  src/PVE/ACME.pm | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index bf5410d..65094c2 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -7,7 +7,7 @@ use POSIX;
>  
>  use Data::Dumper;
>  use Date::Parse;
> -use MIME::Base64 qw(encode_base64url decode_base64);
> +use MIME::Base64 qw(encode_base64url decode_base64
> decode_base64url);
>  use File::Path qw(make_path);
>  use JSON;
>  use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
> @@ -365,7 +365,12 @@ sub new_account {
>      my %payload = ( contact => $info{contact} );
>  
>      if (defined($info{eab})) {
> -       my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
> +       my $eab_hmac_key;
> +       if ($info{eab}->{hmac_key} =~ m/[+\/]/) {
> +           $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
> +       } else {
> +           $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
> +       }
>         $payload{externalAccountBinding} =
> external_account_binding_jws(
>             $info{eab}->{kid},
>             $eab_hmac_key,

Thanks!

Works as intended, tested with base64, base64url and strings that would
be valid for both.

Tested-by: Folke Gleumes <f.gleumes at proxmox.com>





More information about the pve-devel mailing list