alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Fix JWK payload key equality check

Browse source
This commit is contained in:
Herman Slatman 2021-07-17 20:29:12 +02:00
parent 2eb69636ea
commit 2110c7722f
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
1 changed files with 16 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
acme/api/account.go
View file

@ -1,7 +1,6 @@
package api package api
import ( import (
"bytes"
"context" "context"
"encoding/json" "encoding/json"
"net/http" "net/http"
@ -281,14 +280,27 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
return nil, err return nil, err
} }
jwkJSONBytes, err := jwk.MarshalJSON() var payloadJWK *squarejose.JSONWebKey
err = json.Unmarshal(payload, &payloadJWK)
if err != nil { if err != nil {
return nil, acme.WrapErrorISE(err, "error marshaling jwk") return nil, acme.WrapError(acme.ErrorMalformedType, err, "error unmarshaling payload into jwk")
} }
if bytes.Equal(payload, jwkJSONBytes) { if !keysAreEqual(jwk, payloadJWK) {
return nil, acme.NewError(acme.ErrorMalformedType, "keys in jws and eab payload do not match") // TODO: decide ACME error type to use return nil, acme.NewError(acme.ErrorMalformedType, "keys in jws and eab payload do not match") // TODO: decide ACME error type to use
} }
return externalAccountKey, nil return externalAccountKey, nil
} }
func keysAreEqual(x, y *squarejose.JSONWebKey) bool {
if x == nil || y == nil {
return false
}
digestX, errX := acme.KeyToID(x)
digestY, errY := acme.KeyToID(y)
if errX != nil || errY != nil {
return false
}
return digestX == digestY
}