From 9898b1877ce2973bbc336921969bd7f16d3698fa Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 21 Feb 2021 18:49:14 +0100
Subject: lacme-accountd(1): new setting 'keyid'.

This saves a round trip and provides a safeguard against malicious
clients.
---
 tests/accountd-kid | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 tests/accountd-kid

(limited to 'tests')

diff --git a/tests/accountd-kid b/tests/accountd-kid
new file mode 100644
index 0000000..e1bd63d
--- /dev/null
+++ b/tests/accountd-kid
@@ -0,0 +1,59 @@
+# Hide JWK from ACME client and pass KID instead
+
+# get the key ID
+lacme account 2>"$STDERR" || fail
+keyid="$(sed -n "/^Key ID: / {s///p;q}" <"$STDERR")"
+
+# prepare accountd
+adduser --disabled-password \
+       --home /home/lacme-account \
+       --gecos "lacme account user" \
+       --quiet lacme-account
+
+install -olacme-account -glacme-account -Ddm0700 -- \
+    ~lacme-account/.config/lacme ~lacme-account/.local/share/lacme
+mv -t ~lacme-account/.config/lacme /etc/lacme/account.key
+chown lacme-account: ~lacme-account/.config/lacme/account.key
+
+cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
+	privkey = file:%E/lacme/account.key
+	logfile = %h/.local/share/lacme/accountd.log
+	keyid = $keyid
+EOF
+
+SOCKET=~lacme-account/S.lacme
+runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!
+
+# newAccount resource fails as per RFC 8555 sec. 6.2 it requires a JWK
+! lacme --socket="$SOCKET" account 2>"$STDERR" || fail
+grepstderr -Fxq "WARNING: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails."
+grepstderr -Fxq "400 Bad Request (Parse error reading JWS)"
+! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \
+    grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"jwk\":{}," || exit 1
+
+# rotate log and restart accountd
+kill $PID
+wait
+
+rm ~lacme-account/.local/share/lacme/accountd.log
+runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!
+
+# newOrder works fine without JWK
+lacme --socket="$SOCKET" newOrder
+test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
+
+# and so does revokeCert (for requests authenticated with the account key)
+lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt
+! lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail
+grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt"
+grepstderr -Fxq "400 Bad Request (Certificate already revoked)"
+grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt"
+
+kill $PID
+wait
+
+# make sure all signing requests have a KID
+! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \
+    grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"kid\":\"$keyid\"," || exit 1
+
+# vim: set filetype=sh :
-- 
cgit v1.2.3