
Require HS256, HS384, or HS512 for EAB #459

Merged (7 commits), May 1, 2024

Conversation

@mcpherrinm (Contributor) commented May 1, 2024

During the go-jose/v4 upgrade, I accidentally required the same signature sets for EAB as for the account keys, which is incorrect. This allows the correct MAC-based algorithms. It drops the custom algorithm checks, which are now unreachable as go-jose will enforce the algorithms.

Fixes #455

During the jose.v4 upgrade, I accidentally required the same signature sets for
EAB as for the account keys, which is incorrect. This allows the correct
MAC-based algorithms. It drops the custom algorithm checks, which are now
unreachable as go-jose will enforce the algorithms.
@mcpherrinm mentioned this pull request May 1, 2024
@mcpherrinm marked this pull request as draft May 1, 2024 16:24
@mcpherrinm force-pushed the mattm-fix-455-eab-mac branch 2 times, most recently from d539c67 to 680d520, May 1, 2024 16:47
@mcpherrinm force-pushed the mattm-fix-455-eab-mac branch from 680d520 to c8c1f39, May 1, 2024 16:51
With PEBBLE_VA_ALWAYS_VALID, we don't need to complete a challenge, but have
lego listen on a high port to avoid permission problems.
@mcpherrinm force-pushed the mattm-fix-455-eab-mac branch from e8b1500 to 4f618d0, May 1, 2024 16:57
@mcpherrinm marked this pull request as ready for review May 1, 2024 17:05
@mcpherrinm (Contributor, Author) commented:

Running this same integration test against the current main branch has lego return the expected error from #455:

acme: error: 400 :: POST :: https://localhost:14000/sign-me-up :: urn:ietf:params:acme:error:malformed :: failed to decode external account binding: go-jose/go-jose: unexpected signature algorithm "HS256"; expected ["RS256" "ES256" "ES384" "ES512"]

mcpherrinm and others added 3 commits May 1, 2024 13:10
The acme rfc states that clients should interpret supplied eab keys as
base64url. To encourage that behaviour, this commit adds a key to the
example configuration that is only decodable by base64url.
@mcpherrinm (Contributor, Author) commented:

I've cherry-picked the command and switched to the key from #428 to make the EAB integration test hit the "base64url" edge case.
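As an added illustration of the two points this PR turns on (the EAB JWS is MAC-based, so only HS256/HS384/HS512 belong in its allowlist, and the MAC key is decoded as base64url), here is a stdlib-only Go sketch of the server-side check. It is not Pebble's own code, which delegates this to go-jose; the function names, the error texts and the sample key and JWK used in testing are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"hash"
	"strings"
)
// MAC algorithms RFC 8555 section 7.3.4 allows for EAB; the account-key set (RS256, ES256, ...) is deliberately absent.
var eabAlgs = map[string]func() hash.Hash{"HS256": sha256.New, "HS384": sha512.New384, "HS512": sha512.New}
// eabMAC computes the HMAC over the JWS signing input "protected.payload" with the MAC key,
// decoded as unpadded base64url as the ACME RFC prescribes, refusing any alg outside the HS* set.
func eabMAC(alg, macKeyB64url, signingInput string) ([]byte, error) {
	newHash, ok := eabAlgs[alg]
	if !ok {
		return nil, fmt.Errorf("unexpected signature algorithm %q; expected HS256, HS384 or HS512", alg)
	}
	key, err := base64.RawURLEncoding.DecodeString(macKeyB64url)
	if err != nil {
		return nil, fmt.Errorf("EAB MAC key is not base64url: %w", err)
	}
	mac := hmac.New(newHash, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil), nil
}

// verifyEAB is the server-side check of a newAccount externalAccountBinding JWS (compact form):
// enforce the allowlist, recompute the MAC, compare in constant time and return the kid on success.
func verifyEAB(compact, macKeyB64url string) (string, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed EAB JWS: want 3 segments, got %d", len(parts))
	}
	var hdr struct{ Alg, Kid string } // json.Unmarshal matches "alg"/"kid" case-insensitively
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", fmt.Errorf("malformed EAB protected header")
	}
	want, err := eabMAC(hdr.Alg, macKeyB64url, parts[0]+"."+parts[1])
	if err != nil {
		return "", err
	}
	if got, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(got, want) {
		return "", fmt.Errorf("EAB MAC does not verify for kid %q", hdr.Kid)
	}
	return hdr.Kid, nil
}
```

A key supplied as padded standard base64 fails at the decode step, which is the edge case the base64url-only example key in the config exercises.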

@mcpherrinm merged commit e87ace7 into main May 1, 2024
14 checks passed
@mcpherrinm deleted the mattm-fix-455-eab-mac branch May 1, 2024 19:52
Linked issue (closed by this pull request): EAB with pebble 2.5.x