blob: 8a4b53c69ce9f03c055f5896c3fd67195fed7a02 (
plain)
| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
 | # Hide JWK from ACME client and pass KID instead
# get the key ID
lacme account 2>"$STDERR" || fail
keyid="$(sed -n "/^Key ID: / {s///p;q}" <"$STDERR")"
# prepare accountd
adduser --disabled-password \
       --home /home/lacme-account \
       --gecos "lacme account user" \
       --quiet lacme-account
install -olacme-account -glacme-account -Ddm0700 -- \
    ~lacme-account/.config/lacme ~lacme-account/.local/share/lacme
mv -t ~lacme-account/.config/lacme /etc/lacme/account.key
chown lacme-account: ~lacme-account/.config/lacme/account.key
cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
	privkey = file:%E/lacme/account.key
	logfile = %h/.local/share/lacme/accountd.log
	keyid = $keyid
EOF
SOCKET=~lacme-account/S.lacme
runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!
sleep 1
# newAccount resource fails as per RFC 8555 sec. 6.2 it requires a JWK
! lacme --socket="$SOCKET" account 2>"$STDERR" || fail
grepstderr -Fxq "Warning: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails."
grepstderr -Fxq "400 Bad Request (Parse error reading JWS)"
grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log >/tmp/signed
! grep -vF "] SIGNED header=base64url({\"alg\":\"RS256\",\"jwk\":{}," </tmp/signed
# rotate log and restart accountd
kill $PID
wait
rm ~lacme-account/.local/share/lacme/accountd.log
runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!
sleep 1
# newOrder works fine without JWK
lacme --socket="$SOCKET" newOrder
test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
# and so does revokeCert (for requests authenticated with the account key)
lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt
! lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail
grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt"
grepstderr -Fq "400 Bad Request (unable to revoke"
grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt"
kill $PID
wait
# make sure all signing requests have a KID
grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log >/tmp/signed
! grep -vF "] SIGNED header=base64url({\"alg\":\"RS256\",\"kid\":\"$keyid\"," </tmp/signed
# vim: set filetype=sh :
 |