authorGuilhem Moulin <guilhem@fripost.org>2021-02-21 18:49:14 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-22 00:14:51 +0100
commit9898b1877ce2973bbc336921969bd7f16d3698fa (patch)
tree286901349d8345e204c21bce2b49737cbd72e286 /tests/accountd-kid
parent1bdaeae835b5c9914f9c2107efda150d643cda12 (diff)
lacme-accountd(1): new setting 'keyid'.
This saves a round trip and provides a safeguard against malicious clients.
Diffstat (limited to 'tests/accountd-kid')
-rw-r--r--tests/accountd-kid59
1 files changed, 59 insertions, 0 deletions
diff --git a/tests/accountd-kid b/tests/accountd-kid
new file mode 100644
index 0000000..e1bd63d
--- /dev/null
+++ b/tests/accountd-kid
@@ -0,0 +1,59 @@
+# Hide JWK from ACME client and pass KID instead
+
+# get the key ID
+lacme account 2>"$STDERR" || fail
+keyid="$(sed -n "/^Key ID: / {s///p;q}" <"$STDERR")"
+
+# prepare accountd
+adduser --disabled-password \
+ --home /home/lacme-account \
+ --gecos "lacme account user" \
+ --quiet lacme-account
+
+install -olacme-account -glacme-account -Ddm0700 -- \
+ ~lacme-account/.config/lacme ~lacme-account/.local/share/lacme
+mv -t ~lacme-account/.config/lacme /etc/lacme/account.key
+chown lacme-account: ~lacme-account/.config/lacme/account.key
+
+cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
+ privkey = file:%E/lacme/account.key
+ logfile = %h/.local/share/lacme/accountd.log
+ keyid = $keyid
+EOF
+
+SOCKET=~lacme-account/S.lacme
+runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!
+
+# newAccount resource fails as per RFC 8555 sec. 6.2 it requires a JWK
+! lacme --socket="$SOCKET" account 2>"$STDERR" || fail
+grepstderr -Fxq "WARNING: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails."
+grepstderr -Fxq "400 Bad Request (Parse error reading JWS)"
+! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \
+ grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"jwk\":{}," || exit 1
+
+# rotate log and restart accountd
+kill $PID
+wait
+
+rm ~lacme-account/.local/share/lacme/accountd.log
+runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!
+
+# newOrder works fine without JWK
+lacme --socket="$SOCKET" newOrder
+test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
+
+# and so does revokeCert (for requests authenticated with the account key)
+lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt
+! lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail
+grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt"
+grepstderr -Fxq "400 Bad Request (Certificate already revoked)"
+grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt"
+
+kill $PID
+wait
+
+# make sure all signing requests have a KID
+! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \
+ grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"kid\":\"$keyid\"," || exit 1
+
+# vim: set filetype=sh :
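Review bot: The final "make sure all signing requests have a KID" check (the negated `grep -F … | grep -vF …` pipeline just above) passes vacuously when the log contains no signing-request line at all, so a regression that stops accountd from logging, or the log removal after the first run, would not be caught; the same applies to the earlier empty-JWK check after the newAccount attempt. A positive assertion before it closes that gap: `grep -qF ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log || exit 1`. Likewise `keyid` is captured with `sed -n` and interpolated straight into lacme-accountd.conf without confirming the extraction matched; adding `[ -n "$keyid" ] || fail` right after the assignment makes a failed parse fail early instead of producing a config with an empty `keyid =` line. Whether the bare `lacme … newOrder` and `revokeCert` invocations are checked by the harness via `set -e` is not visible here, so the `|| fail` they lack may be intentional.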