| author | Guilhem Moulin <guilhem@fripost.org> | 2021-02-21 18:49:14 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2021-02-22 00:14:51 +0100 | 
| commit | 9898b1877ce2973bbc336921969bd7f16d3698fa (patch) | |
| tree | 286901349d8345e204c21bce2b49737cbd72e286 /lacme-accountd | |
| parent | 1bdaeae835b5c9914f9c2107efda150d643cda12 (diff) | |
lacme-accountd(1): new setting 'keyid'.
This saves a round trip and provides a safeguard against malicious
clients.
Diffstat (limited to 'lacme-accountd')
| -rwxr-xr-x | lacme-accountd | 7 | 
1 files changed, 6 insertions, 1 deletions
diff --git a/lacme-accountd b/lacme-accountd
index d8c96b0..a842bce 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -125,7 +125,7 @@ do {
             open $LOG, ">>", $1 or die "Can't open $1: $!";
         }
         error("Invalid section(s): ".join(', ', keys %$h)) if %$h;
-        my %h = map { $_ => delete $h2->{$_} } qw/privkey gpg socket logfile quiet/;
+        my %h = map { $_ => delete $h2->{$_} } qw/privkey gpg socket logfile keyid quiet/;
         error("Unknown option(s): ".join(', ', keys %$h2)) if %$h2;
         $h{quiet} = lc $h{quiet} eq 'yes' ? 1 : 0 if defined $h{quiet};
         $OPTS{$_} //= $h{$_} foreach grep {defined $h{$_}} keys %h;
@@ -183,6 +183,11 @@ if ($OPTS{privkey} =~ /\A(file|gpg):(\p{Print}+)\z/) {
     # use of SHA-256 digest in the thumbprint is hardcoded, see RFC 8555 sec. 8.1
     $JWK_STR = JSON::->new->utf8->canonical->encode(\%jwk);
     $extra_greeting{"jwk-thumbprint"} = encode_base64url(sha256($JWK_STR));
+
+    if ((my $kid = $OPTS{keyid} // "") ne "") {
+        $extra_greeting{kid} = $kid;
+        $JWK_STR = "{}";
+    }
     $EXTRA_GREETING_STR = JSON::->new->encode(\%extra_greeting);
 }
 else {
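Review bot: In the second hunk `$OPTS{keyid}` is forwarded to clients verbatim after only an empty-string test, whereas `privkey` on the hunk's header line is validated against `/\A(file|gpg):(\p{Print}+)\z/`; a stray control character or whitespace in the configured value could silently yield an unusable `kid` in the greeting that only surfaces on the client side. A check in the same spirit, `error("Invalid keyid: $kid") unless $kid =~ /\A\p{Print}+\z/;` as the first statement of the new `if` block, would reject such a misconfiguration where it originates, using the `error()` helper the first hunk already relies on. The `$JWK_STR = "{}"` assignment also depends on the thumbprint having been computed from the real JWK on the preceding line, which clients still need for ACME key authorizations even when they sign with a `kid`; a comment such as `# thumbprint above must be derived from the real JWK: clients still need it for key authorizations, only the key material sent to them is replaced` would protect that ordering from a future reorder. The enclosing `if ($OPTS{privkey} =~ ...)` block begins before the hunk.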
