fix #4497: add support for external account bindings

implementation according to RFC 8555, section 7.3.4

Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
Reviewed-by: Fabian.Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index 3f66182c7b4c75c121586fdadb259a0e6fbbcbbe..bf5410d551ecb1a305d5a20ffc459ecd94499778 100644 (file)
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -7,10 +7,10 @@ use POSIX;
 
 use Data::Dumper;
 use Date::Parse;
-use MIME::Base64 qw(encode_base64url);
+use MIME::Base64 qw(encode_base64url decode_base64);
 use File::Path qw(make_path);
 use JSON;
-use Digest::SHA qw(sha256 sha256_hex);
+use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
 
 use HTTP::Request;
 use LWP::UserAgent;
@@ -251,6 +251,28 @@ sub jws {
     };
 }
 
+# EAB signing using the HS256 alg (HMAC/SHA256).
+my sub external_account_binding_jws {
+    my ($eab_kid, $eab_hmac_key, $jwk, $url) = @_;
+
+    my $protected = {
+       alg => 'HS256',
+       kid => $eab_kid,
+       url => $url,
+    };
+    $protected = encode(tojs($protected));
+
+    my $payload = encode(tojs($jwk));
+    my $signdata = "$protected.$payload";
+    my $signature = encode(hmac_sha256($signdata, $eab_hmac_key));
+
+    return {
+       protected => $protected,
+       payload => $payload,
+       signature => $signature,
+    };
+}
+
 sub __get_result {
     my ($resp, $code, $plain) = @_;
 
@@ -300,8 +322,8 @@ sub list_methods {
 }
 
 # return (optional) meta directory entry.
-# this is public because it might contain the ToS, which should be displayed
-# and agreed to before creating an account
+# this is public because it might contain the ToS and EAB requirements,
+# which have to be considered before creating an account
 sub get_meta {
     my ($self) = @_;
     my $methods = $self->__get_methods();
@@ -331,6 +353,8 @@ sub __new_account {
 
 # Create a new account using data in %info.
 # Optionally pass $tos_url to agree to the given Terms of Service
+# %info must have at least a 'contact' field and may have a 'eab' field
+# containing a hash with 'kid' and 'hmac_key' set.
 # POST to newAccount endpoint
 # Expects a '201 Created' reply
 # Saves and returns the account data
@@ -338,12 +362,24 @@ sub new_account {
     my ($self, $tos_url, %info) = @_;
     my $url = $self->_method('newAccount');
 
+    my %payload = ( contact => $info{contact} );
+
+    if (defined($info{eab})) {
+       my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
+       $payload{externalAccountBinding} = external_account_binding_jws(
+           $info{eab}->{kid},
+           $eab_hmac_key,
+           $self->jwk(),
+           $url
+       );
+    }
+
     if ($tos_url) {
        $self->{tos} = $tos_url;
-       $info{termsOfServiceAgreed} = JSON::true;
+       $payload{termsOfServiceAgreed} = JSON::true;
     }
 
-    return $self->__new_account(201, $url, 1, %info);
+    return $self->__new_account(201, $url, 1, %payload);
 }
 
 # Update existing account with new %info