add EAB functions #704
Conversation
Hi @lodott72 Thanks for contributing this change, I need to read up on EAB as I've not heard of that and then see if
Just to help you out there - RFC 8555 Section 7.3.4. An example of a CA which expects EAB is:
% curl https://acme.sectigo.com/v2/OV
{
To obtain the binding you need to send an additional field externalAccountBinding with the newAccount request, see spec. The value is the EAB_JSON generated by the function added in my pull request. The parameters KID, HMAC-KEY are obtained from the CA and, at least in the case of Sectigo, are used up once successfully bound. It took a while to find out that the approach with hexkey is the correct one, matching certbot - Sectigo recommends using certbot to do this but I wanted it to work with getssl as well.
I will test this out and try to provide feedback.
This is the script I have been (successfully) using with the Sectigo CA. It is a reduced version of the main getssl script, sourcing its functions, with the main code block reduced to the parts needed for the EAB process. I tried to attach this as a file but failed both with .txt and .gz for some reason - I left out the details of the get_eab_json function, which are in the commit, to keep it a little shorter.
@lodott72 code looks good, I'll see if I can merge it into the main getssl script over the next day or two. I'll also have a look and see if Sectigo provides developer accounts so I can test!
Hi @lodott72 I never did find the time to look at the EAB functions, apart from discovering that they are needed for one of the other ACME providers. I'll merge this so I can use your functions to add the support for them when I get time to make enhancements.
I am looking for an idea on how to use the EAB key ID and HMAC key with getssl. I think it's already implemented but I'm not sure how to pass those values to getssl. Do I need to add these values to the config file?
No, this is used once only, to bind your ACME key to your external account at the CA. Once bound, the CA will detect the ACME key as authorized. I have used the script I pasted above a few times for Sectigo; you should get by with only minor changes:
Put the script into the same dir as getssl, then run it; use -i, -k, -a to set ID, HMAC and ACCOUNT_KEY. The first two options basically replicate the certbot options --eab-kid and --eab-hmac-key.
I don't have experience with shell scripting and have limited knowledge (currently learning) of Linux-based systems. I am using Ansible to automate issuing of certificates using this script. My OS is a customized appliance from VMware, so not all things are supported. However, I am tweaking things to get it to work.
You need all three parameters for EAB: a CA uses EAB to give you a chance to register a key pair as authorized with the ACME server of the CA. It works basically like this (AFAIK): the CA gives you a one-time key (ID+HMAC) while you are authorized to the external account you want the key pair (ACCOUNT_KEY) bound to. I figure that the key ID is reserved in the ACME server of the CA and the HMAC stored there until you complete the binding. Once you have the ID+HMAC, you need to sign it with the key pair you want to put into the reserved key ID. The script above sends such a signature during the ACME registration step. The ACME server validates the signature and on success stores your public key in the reserved slot. From then on you can simply use the key pair normally during registration, as it will now be found among the authorized keys. As you have an internal ACME server, maybe there is a simpler solution for you than EAB - depends on your setup, I guess.
Shell function get_eab_json() that generates the EAB field required in register requests when EAB is required.
Based on the array EAB_PARAMS it generates the json string EAB_JSON.
If the array has a single entry, it is treated as file path and keyid and hmac-key are read from it.
If it has two entries, they are treated as a keyid string and an hmac-key as a base64url-encoded binary key (64 bytes).
That's how certbot, for example, treats its --eab-hmac-key argument.
It also requires base64url_decode which was added as well - it uses awk and might need some OS related tweaking.
For now I am using these functions in a separate script that sources getssl (--source), so it would be helpful to have them in getssl already.
I can make that separate script available as well, if it is of interest.
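The binding step explained in the thread above (sign the account public key with the one-time ID+HMAC and send it as externalAccountBinding in the newAccount request) and the get_eab_json / base64url_decode functions this PR describes, as an added example that is not the PR's, getssl's or certbot's code. It assumes bash, an OpenSSL whose `dgst` accepts `-mac HMAC -macopt hexkey:`, coreutils `od`/`tr`/`sed`, an RSA account key in PEM form, and, for the one-argument form of the parameter dispatch, a file holding the key ID and the HMAC key as two whitespace-separated tokens (the PR does not specify its file format; that layout is an assumption here). The key ID, HMAC key and newAccount URL in the demo at the bottom are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not getssl's, certbot's or the PR's code. Builds the
# "externalAccountBinding" JWS of RFC 8555 section 7.3.4 with bash, openssl
# and coreutils. Assumed: OpenSSL supporting "dgst -mac HMAC -macopt hexkey:",
# an RSA account key in PEM form, and (one-argument form) a parameter file
# holding key ID and HMAC key as two whitespace-separated tokens.
# Every key ID, key and URL below is a constructed placeholder.
set -eu

# base64url (RFC 7515 section 2): URL-safe alphabet, no '=' padding.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Decode a base64url string ($1) to raw bytes on stdout. CAs hand out the
# HMAC key unpadded, so restore the '=' characters before openssl sees it.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

# Raw bytes on stdin -> lowercase hex on stdout.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# HMAC-SHA256 of stdin under the hex-encoded key $1, raw bytes out. Passing
# the key as hex (the "hexkey" approach from the thread) avoids having to
# quote arbitrary key bytes on the command line.
hmac_sha256() { openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -binary; }

# RFC 7517 JWK of the RSA public key in PEM file $1, members in lexicographic
# order. openssl genrsa uses e=65537 ("AQAB"); other exponents are not handled.
rsa_jwk() {
  local modhex n
  modhex=$(openssl rsa -in "$1" -noout -modulus | sed 's/^Modulus=//')
  # hex -> "\xNN" escapes -> bytes (bash printf) -> base64url
  n=$(printf "$(printf '%s' "$modhex" | sed 's/../\\x&/g')" | b64url)
  printf '{"e":"AQAB","kty":"RSA","n":"%s"}' "$n"
}

# $1 EAB key ID, $2 base64url HMAC key from the CA, $3 account key PEM,
# $4 the CA's newAccount URL. Unlike the outer ACME JWS, this protected
# header carries no nonce, and the signature uses the HMAC key, not the
# account key; the payload is the account public key being bound.
get_eab_json() {
  local kid="$1" hmac_b64url="$2" keyfile="$3" url="$4"
  local keyhex protected payload sig
  keyhex=$(b64url_decode "$hmac_b64url" | to_hex)
  protected=$(printf '{"alg":"HS256","kid":"%s","url":"%s"}' "$kid" "$url" | b64url)
  payload=$(rsa_jwk "$keyfile" | b64url)
  sig=$(printf '%s.%s' "$protected" "$payload" | hmac_sha256 "$keyhex" | b64url)
  printf '{"protected":"%s","payload":"%s","signature":"%s"}' \
    "$protected" "$payload" "$sig"
}

# The one-or-two-entry dispatch the PR describes: either "file" or "kid hmac",
# followed by the account key PEM and the newAccount URL. The two-token file
# layout is an assumption of this example, not the PR's format.
eab_json_from_params() {
  local kid hmac
  if [ "$#" -eq 3 ]; then
    read -r kid hmac < "$1" || true   # a missing trailing newline is fine
    if [ -z "$kid" ] || [ -z "$hmac" ]; then
      echo "bad EAB parameter file: $1" >&2
      return 1
    fi
    get_eab_json "$kid" "$hmac" "$2" "$3"
  else
    get_eab_json "$1" "$2" "$3" "$4"
  fi
}

# Demo with constructed values. The CA-issued ID and key are one-shot
# secrets: keep real ones out of shell history and logs.
tmpdir=$(mktemp -d)
openssl genrsa -out "$tmpdir/account.key" 2048 2>/dev/null
eab_json_from_params "eab-kid-example" "a2V5" "$tmpdir/account.key" \
  "https://acme.example/newAccount"
echo
rm -rf "$tmpdir"
```

The printed object is what goes into the `externalAccountBinding` field of the newAccount request body; the outer request is still signed with the account key as usual. Because the CA consumes the ID and HMAC on the first successful binding, a failed run can be retried with the same values, but a second run after success will be rejected.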