forked from TrueCloudLab/certificates
Fix JWK payload key equality check
parent
2eb69636ea
commit
2110c7722f
1 changed files with 16 additions and 4 deletions
|
@ -1,7 +1,6 @@
|
|||
package api
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
|
@ -281,14 +280,27 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
|
|||
return nil, err
|
||||
}
|
||||
|
||||
jwkJSONBytes, err := jwk.MarshalJSON()
|
||||
var payloadJWK *squarejose.JSONWebKey
|
||||
err = json.Unmarshal(payload, &payloadJWK)
|
||||
if err != nil {
|
||||
return nil, acme.WrapErrorISE(err, "error marshaling jwk")
|
||||
return nil, acme.WrapError(acme.ErrorMalformedType, err, "error unmarshaling payload into jwk")
|
||||
}
|
||||
|
||||
if bytes.Equal(payload, jwkJSONBytes) {
|
||||
if !keysAreEqual(jwk, payloadJWK) {
|
||||
return nil, acme.NewError(acme.ErrorMalformedType, "keys in jws and eab payload do not match") // TODO: decide ACME error type to use
|
||||
}
|
||||
|
||||
return externalAccountKey, nil
|
||||
}
|
||||
|
||||
func keysAreEqual(x, y *squarejose.JSONWebKey) bool {
|
||||
if x == nil || y == nil {
|
||||
return false
|
||||
}
|
||||
digestX, errX := acme.KeyToID(x)
|
||||
digestY, errY := acme.KeyToID(y)
|
||||
if errX != nil || errY != nil {
|
||||
return false
|
||||
}
|
||||
return digestX == digestY
|
||||
}
|
||||
|
|
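Review bot: keysAreEqual, added at the end of this hunk, discards the errors from acme.KeyToID, so an EAB payload whose key cannot be digested is reported to the client as "keys in jws and eab payload do not match" and the caller loses the underlying cause for logging or error classification. Consider returning the error, e.g. `func keysAreEqual(x, y *squarejose.JSONWebKey) (bool, error)` with `return false, errX` / `return false, errY` branches, and wrapping it at the call site with acme.WrapError(acme.ErrorMalformedType, ...) the way the unmarshal error a few lines above already is. The helper also lacks a doc comment; I would add `// keysAreEqual reports whether x and y yield the same acme.KeyToID; nil keys, or keys KeyToID rejects, never compare equal.` If KeyToID is a thumbprint-style digest of the key material (not visible in this hunk), comparing it rather than the raw JSON rightly ignores non-key fields such as alg or use, which matches the RFC 8555 §7.3.4 requirement that the EAB payload be the same account key as the outer JWS; the TODO on the error type could then be resolved by documenting that choice. validateExternalAccountBinding starts outside the hunk.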