Accroding to RFC 8555:
> The MAC key SHOULD be provided in base64url-encoded form...
However, currently we are only decoding the MAC key as base64.
This patch chooses the correct function to decode the user provided
MAC key. This can fix authentication error when a user uses command
`pvenode acme account register` and paste the EBA MAC key as prompted.
Signed-off-by: YU Jincheng <sh...@zju.edu.cn>
---
src/PVE/ACME.pm | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index bf5410d..65094c2 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -7,7 +7,7 @@ use POSIX;
use Data::Dumper;
use Date::Parse;
-use MIME::Base64 qw(encode_base64url decode_base64);
+use MIME::Base64 qw(encode_base64url decode_base64 decode_base64url);
use File::Path qw(make_path);
use JSON;
use Digest::SHA qw(sha256 sha256_hex hmac_sha256);
@@ -365,7 +365,12 @@ sub new_account {
my %payload = ( contact => $info{contact} );
if (defined($info{eab})) {
- my $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
+ my $eab_hmac_key;
+ if ($info{eab}->{hmac_key} =~ m/[+\/]/) {
+ $eab_hmac_key = decode_base64($info{eab}->{hmac_key});
+ } else {
+ $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
+ }
$payload{externalAccountBinding} = external_account_binding_jws(
$info{eab}->{kid},
$eab_hmac_key,
--
2.34.1
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
