From 9898b1877ce2973bbc336921969bd7f16d3698fa Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 21 Feb 2021 18:49:14 +0100
Subject: lacme-accountd(1): new setting 'keyid'.

This saves a round trip and provides a safeguard against malicious
clients.
---
 lacme-accountd | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'lacme-accountd')

diff --git a/lacme-accountd b/lacme-accountd
index d8c96b0..a842bce 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -125,7 +125,7 @@ do {
             open $LOG, ">>", $1 or die "Can't open $1: $!";
         }
         error("Invalid section(s): ".join(', ', keys %$h)) if %$h;
-        my %h = map { $_ => delete $h2->{$_} } qw/privkey gpg socket logfile quiet/;
+        my %h = map { $_ => delete $h2->{$_} } qw/privkey gpg socket logfile keyid quiet/;
         error("Unknown option(s): ".join(', ', keys %$h2)) if %$h2;
         $h{quiet} = lc $h{quiet} eq 'yes' ? 1 : 0 if defined $h{quiet};
         $OPTS{$_} //= $h{$_} foreach grep {defined $h{$_}} keys %h;
@@ -183,6 +183,11 @@ if ($OPTS{privkey} =~ /\A(file|gpg):(\p{Print}+)\z/) {
     # use of SHA-256 digest in the thumbprint is hardcoded, see RFC 8555 sec. 8.1
     $JWK_STR = JSON::->new->utf8->canonical->encode(\%jwk);
     $extra_greeting{"jwk-thumbprint"} = encode_base64url(sha256($JWK_STR));
+
+    if ((my $kid = $OPTS{keyid} // "") ne "") {
+        $extra_greeting{kid} = $kid;
+        $JWK_STR = "{}";
+    }
     $EXTRA_GREETING_STR = JSON::->new->encode(\%extra_greeting);
 }
 else {
-- 
cgit v1.2.3