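# Hide JWK from ACME client and pass KID instead
#
# Scenario: the account key is moved out of /etc/lacme to a dedicated,
# unprivileged user and is only reachable by lacme(1) through
# lacme-accountd's UNIX socket.  With 'keyid' set, accountd puts a KID in
# the protected header instead of the public JWK, so newAccount (which per
# RFC 8555 sec. 6.2 needs the JWK) must fail while newOrder/revokeCert keep
# working.  fail(), grepstderr() and $STDERR come from the test harness,
# which presumably also runs with errexit (the unguarded commands below
# would otherwise not stop the run).

# get the key ID
lacme account 2>"$STDERR" || fail
keyid="$(sed -n "/^Key ID: / {s///p;q}" <"$STDERR")"
# an empty match would write 'keyid = ' into the config and make the KID
# assertions at the end meaningless, so stop here with a clear failure
[ -n "$keyid" ] || fail

# prepare accountd
adduser --disabled-password \
    --home /home/lacme-account \
    --gecos "lacme account user" \
    --quiet lacme-account
# 0700 directories owned by the new user: the private key is meant to be
# readable by lacme-account only, never by whoever runs lacme(1)
install -olacme-account -glacme-account -Ddm0700 -- \
    ~lacme-account/.config/lacme ~lacme-account/.local/share/lacme
mv -t ~lacme-account/.config/lacme /etc/lacme/account.key
# chown only: the key file keeps whatever mode it had in /etc/lacme; the
# 0700 parent directory is what restricts access
chown lacme-account: ~lacme-account/.config/lacme/account.key
# %E and %h are expanded by lacme-accountd itself (presumably its config
# and home directories -- see lacme-accountd's documentation)
cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
privkey = file:%E/lacme/account.key
logfile = %h/.local/share/lacme/accountd.log
keyid = $keyid
EOF
SOCKET=~lacme-account/S.lacme
# NOTE(review): nothing waits for the socket to appear before the first
# client call below -- relies on accountd binding quickly; confirm the
# harness tolerates this
runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!

# newAccount resource fails as per RFC 8555 sec. 6.2 it requires a JWK
! lacme --socket="$SOCKET" account 2>"$STDERR" || fail
grepstderr -Fxq "WARNING: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails."
grepstderr -Fxq "400 Bad Request (Parse error reading JWS)"
# every signed request logged so far must carry an empty JWK in its
# protected header rather than the account's public key
! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \
    grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"jwk\":{}," || exit 1

# rotate log and restart accountd
kill $PID
wait
rm ~lacme-account/.local/share/lacme/accountd.log
runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!

# newOrder works fine without JWK
lacme --socket="$SOCKET" newOrder
# the freshly issued certificate must be newer than its key
test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key

# and so does revokeCert (for requests authenticated with the account key)
lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt
# a second revocation is rejected by the server and surfaces as a warning
! lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail
grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt"
grepstderr -Fxq "400 Bad Request (Certificate already revoked)"
grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt"
kill $PID
wait

# make sure all signing requests have a KID
! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \
    grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"kid\":\"$keyid\"," || exit 1
# vim: set filetype=sh :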