EAB with pebble 2.5.x #455

Closed
icing opened this issue Apr 8, 2024 · 12 comments · Fixed by #459
Comments

@icing
Contributor

icing commented Apr 8, 2024

Pebble before 2.5 used to support HS256 with EAB. Now, only RS256 and EC seem supported. Is there any description how to use an RSA key for EAB with pebble?

I'd prefer to continue using HS256 in my test suite for Apache since that seems to be in use at several CAs still. I appreciate that you want to be on the bleeding edge here, but for testing purposes this seems to be a step back.

@pgporada
Member

pgporada commented Apr 8, 2024

When testing with certbot main and latest pebble running in docker with the EAB config, I get the reported failure. (Technically you'll need to volume mount - ./test/config:/test/config to work around the container not having the EAB config inside it.)

$ certbot_test certonly --standalone -d test.example.com --eab-kid zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W --eab-hmac-key phil

https://localhost:14000 "POST /sign-me-up HTTP/1.1" 400 240
Received response:
HTTP 400
Cache-Control: public, max-age=0, no-cache
Content-Type: application/problem+json; charset=utf-8
Link: <https://localhost:14000/dir>;rel="index"
Replay-Nonce: V-GoNIeXrRUXYE7jD52Fhw
Date: Mon, 08 Apr 2024 16:54:33 GMT
Content-Length: 240

{
   "type": "urn:ietf:params:acme:error:malformed",
   "detail": "failed to decode external account binding: go-jose/go-jose: unexpected signature algorithm \"HS256\"; expected [\"RS256\" \"ES256\" \"ES384\" \"ES512\"]",
   "status": 400
}

@mcpherrinm
Contributor

That seems like my fault during the go-jose v4 upgrade with supported algorithms. It should be straightforward to fix. I’m out today but I can do that this week.

@mcpherrinm
Contributor

mcpherrinm commented Apr 9, 2024

RFC 8555 says about EAB in 7.3.4: "The 'alg' field MUST indicate a MAC-based algorithm", so the current set of algorithms in Pebble (ES*, RS*) is straightforwardly incorrect.
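For readers who want to see what the RFC 8555 section 7.3.4 requirement looks like in practice, the following is an added example (not Pebble's or go-jose's code, and not from this thread) that builds an EAB JWS on the client side with HS256 and verifies it on the server side with a MAC-only algorithm check, a kid lookup, a url check and a constant-time HMAC comparison. The kid, the newAccount URL and the account JWK are constructed placeholders; the MAC key string is reused from the certbot invocation above purely as a well-formed base64url value of the kind a CA hands out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ExternalAccountBinding is the flattened JWS JSON serialization an ACME client
// embeds as "externalAccountBinding" in its newAccount request (RFC 8555 7.3.4).
type ExternalAccountBinding struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// eabHeader is the protected header: "alg" MUST be MAC-based, "kid" is the
// CA-issued key identifier, "url" must match the newAccount URL.
type eabHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	URL string `json:"url"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// DecodeMACKey accepts the base64url form CAs hand out (padded or not).
func DecodeMACKey(encoded string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(encoded, "="))
}

// BuildEAB is the client side: the JWS payload is the account public key (JWK),
// signed with HMAC-SHA256 under the CA-issued key.
func BuildEAB(kid, macKeyB64, newAccountURL string, accountJWK map[string]string) (*ExternalAccountBinding, error) {
	key, err := DecodeMACKey(macKeyB64)
	if err != nil {
		return nil, fmt.Errorf("decode MAC key: %w", err)
	}
	hb, err := json.Marshal(eabHeader{Alg: "HS256", Kid: kid, URL: newAccountURL})
	if err != nil {
		return nil, err
	}
	pb, err := json.Marshal(accountJWK)
	if err != nil {
		return nil, err
	}
	protected, payload := b64url(hb), b64url(pb)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(protected + "." + payload))
	return &ExternalAccountBinding{Protected: protected, Payload: payload, Signature: b64url(mac.Sum(nil))}, nil
}

// VerifyEAB is the server side. The alg check comes first: an allow-list of
// RS256/ES* (what the 400 above shows) is exactly backwards for EAB, which
// must be MAC-based. On success the bound account JWK is returned.
func VerifyEAB(eab *ExternalAccountBinding, macKeys map[string][]byte, newAccountURL string) (map[string]string, error) {
	hb, err := base64.RawURLEncoding.DecodeString(eab.Protected)
	if err != nil {
		return nil, fmt.Errorf("decode protected header: %w", err)
	}
	var hdr eabHeader
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, fmt.Errorf("parse protected header: %w", err)
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected signature algorithm %q; EAB requires a MAC-based alg", hdr.Alg)
	}
	key, ok := macKeys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown EAB kid %q", hdr.Kid)
	}
	if hdr.URL != newAccountURL {
		return nil, fmt.Errorf("EAB url %q does not match newAccount URL", hdr.URL)
	}
	sig, err := base64.RawURLEncoding.DecodeString(eab.Signature)
	if err != nil {
		return nil, fmt.Errorf("decode signature: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(eab.Protected + "." + eab.Payload))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time compare
		return nil, errors.New("EAB MAC does not verify")
	}
	pb, err := base64.RawURLEncoding.DecodeString(eab.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var jwk map[string]string
	if err := json.Unmarshal(pb, &jwk); err != nil {
		return nil, fmt.Errorf("parse JWK payload: %w", err)
	}
	return jwk, nil
}

// Constructed sample values for the demo; kid and URL are placeholders, the
// JWK coordinates are not a real key.
const (
	sampleKid    = "kid-1"
	sampleMACKey = "zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W"
	sampleURL    = "https://localhost:14000/sign-me-up"
)

var sampleJWK = map[string]string{"kty": "EC", "crv": "P-256", "x": "x-coordinate", "y": "y-coordinate"}

func main() {
	eab, err := BuildEAB(sampleKid, sampleMACKey, sampleURL, sampleJWK)
	if err != nil {
		panic(err)
	}
	rawKey, _ := DecodeMACKey(sampleMACKey)
	if _, err := VerifyEAB(eab, map[string][]byte{sampleKid: rawKey}, sampleURL); err != nil {
		panic(err)
	}
	fmt.Println("EAB verified for kid", sampleKid)
}
```

The header and payload are MACed as `base64url(header) "." base64url(payload)`, the standard JWS signing input, so a client library that already does JWS for ACME requests only needs to swap the signer for an HMAC and the header for `alg`/`kid`/`url`. Note the verifier looks the key up by `kid` before checking the MAC, so a wrong `--eab-kid` fails as "unknown kid" rather than as a MAC mismatch.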

@buchdag
Contributor

buchdag commented May 1, 2024

Hi.

Is there a planned fix for this, or instructions on how to generate and use suitable keys?

@mcpherrinm
Contributor

Yes, but there are several other higher priority things we're working on elsewhere. It'll get fixed soon.

@buchdag
Contributor

buchdag commented May 1, 2024

I guess that means the fix is a bit more involved than adding jose.HS256 to goodJWSSignatureAlgorithms then (i.e. not fixable by someone with limited knowledge about JWS like me).

Would you happen to know of resources that explain how to generate a new kid with a supported algorithm?

@mcpherrinm
Contributor

It's not quite that simple, but not much more complicated either.

Fix PR opened - #459

The big thing I need is a test still, as this functionality was clearly broken.

@mcpherrinm
Contributor

OK, writing an integration test was actually not that bad, so it's done now :)

We'll tag a new release with this fix, too.

@buchdag
Contributor

buchdag commented May 1, 2024

Thanks for the fast fix @mcpherrinm 🙏

@buchdag
Contributor

buchdag commented May 14, 2024

@mcpherrinm do you think a new tagged release that includes the fix could be possible?

@mcpherrinm
Contributor

Yes, we will tag a new release soon. There’s a few other changes in progress I’d like to get in, such as the ARI PR, and a few docker container changes. That should all be done in the next week or two.

@mcpherrinm
Contributor

I pushed a v2.5.2 tag now. We will do another release with ARI etc later.
