From c2a6af783e3aac4912f96b56d8575e7627b54c3b Mon Sep 17 00:00:00 2001
From: Florian Ritterhoff
Date: Thu, 21 Nov 2024 10:31:25 +0100
Subject: [PATCH] handle eab kid and hmac

---
 backend/pki-service/cmd/run.go | 4 ++--
 backend/pki-service/pkg/cfg/sectigo.go | 4 ++--
 backend/pki-service/pkg/grpc/ssl.go | 2 +-
 backend/pki-service/pkg/helper/acme.go | 10 ++++++++--
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/backend/pki-service/cmd/run.go b/backend/pki-service/cmd/run.go
index 967692b6..f97de3f2 100644
--- a/backend/pki-service/cmd/run.go
+++ b/backend/pki-service/cmd/run.go
@@ -121,7 +121,7 @@ func init() {
 	runCmd.Flags().String("mail_from", "", "The mail from")
 	runCmd.Flags().String("acme_storage", "", "Storage for the internal acme client")
 	runCmd.Flags().String("acme_email", "", "Email for the acme client")
-	runCmd.Flags().String("acme_eab", "", "EAB for the acme client")
-	runCmd.Flags().String("acme_key", "", "Key for the acme client")
+	runCmd.Flags().String("acme_hmac", "", "EAB HMAC for the acme client")
+	runCmd.Flags().String("acme_kid", "", "Key ID for the acme client")
 	runCmd.Flags().String("dns_configs", "", "Config file for the dns provider")
 }
diff --git a/backend/pki-service/pkg/cfg/sectigo.go b/backend/pki-service/pkg/cfg/sectigo.go
index d1aa9b05..ec4705cf 100644
--- a/backend/pki-service/pkg/cfg/sectigo.go
+++ b/backend/pki-service/pkg/cfg/sectigo.go
@@ -26,8 +26,8 @@ type PKIConfiguration struct {
 	SmimeKeyType string `mapstructure:"smime_key_type"`
 	AcmeStorage string `mapstructure:"acme_storage"`
 	AcmeEmail string `mapstructure:"acme_email"`
-	AcmeEab string `mapstructure:"acme_eab"`
-	AcmeKey string `mapstructure:"acme_key"`
+	AcmeKid string `mapstructure:"acme_kid"`
+	AcmeHmac string `mapstructure:"acme_hmac"`
 	DnsConfigs string `mapstructure:"dns_configs"`
 }
diff --git a/backend/pki-service/pkg/grpc/ssl.go b/backend/pki-service/pkg/grpc/ssl.go
index 00181f01..ff525024 100644
--- a/backend/pki-service/pkg/grpc/ssl.go
+++ b/backend/pki-service/pkg/grpc/ssl.go
@@ -176,7 +176,7 @@ func registerAcme(cfg *cfg.PKIConfiguration) *lego.Client {
 	if err != nil {
 		return nil
 	}
-	err = pkiHelper.RegisterAcme(legoClient, account, accountFile, keyFile)
+	err = pkiHelper.RegisterAcme(legoClient, cfg, account, accountFile, keyFile)
 	if err != nil {
 		return nil
 	}
diff --git a/backend/pki-service/pkg/helper/acme.go b/backend/pki-service/pkg/helper/acme.go
index 45461890..bd734629 100644
--- a/backend/pki-service/pkg/helper/acme.go
+++ b/backend/pki-service/pkg/helper/acme.go
@@ -11,6 +11,7 @@ import (
 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
+	"github.com/hm-edu/pki-service/pkg/cfg"
 )
 
 // User represents an ACME user.
@@ -36,8 +37,13 @@ func (u *User) GetPrivateKey() crypto.PrivateKey {
 }
 
 // RegisterAcme performs a new registration and stores the registration in the given file.
-func RegisterAcme(client *lego.Client, account User, accountFile string, keyFile string) error {
-	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+func RegisterAcme(client *lego.Client, config *cfg.PKIConfiguration, account User, accountFile string, keyFile string) error {
+	reg, err := client.Registration.RegisterWithExternalAccountBinding(
+		registration.RegisterEABOptions{
+			TermsOfServiceAgreed: true,
+			Kid: config.AcmeKid,
+			HmacEncoded: config.AcmeHmac,
+		})
 	if err != nil {
 		return err
 	}
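Review bot: `acme_hmac` is the EAB MAC key, a shared secret with the CA, and the new flag in `init()` takes it as a plain string on the command line, where it is readable in process listings and shell history; the rename does not change that. The `mapstructure` tags in sectigo.go suggest these flags are also bound to a config or environment source — if so, the help text should steer operators there, e.g. `runCmd.Flags().String("acme_hmac", "", "EAB HMAC key for the acme client (base64url, as lego expects it); supply via config or environment rather than the command line")`. The `acme_kid` help text should also name it as the EAB key ID, `"EAB key ID for the acme client"`, so its pairing with `acme_hmac` is visible to whoever configures it. The sectigo.go hunk on the same line is a plain field rename and needs nothing further.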
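Review bot: With EAB in play, a key ID or MAC key the CA rejects now surfaces as an error from `pkiHelper.RegisterAcme`, and the `if err != nil { return nil }` directly after the changed call still discards it, so a misconfigured `acme_kid`/`acme_hmac` makes `registerAcme` silently hand back a nil client. At minimum log the error with whatever logger this package already uses before `return nil`; better, change `registerAcme` to return `(*lego.Client, error)` so startup fails loudly on a bad binding. `registerAcme` begins before and continues after this hunk, so its other error branches and its caller are not visible here.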
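Review bot: The new `RegisterWithExternalAccountBinding` call in `RegisterAcme` is unconditional, so an empty `config.AcmeKid` or `config.AcmeHmac` is sent to the CA as a blank binding instead of being caught locally, and any deployment that relied on the previous plain `Register` path (a CA without EAB) now breaks. Validate the pair before the call: keep the plain `Register` when both are empty, return an explicit error when only one is set, and only then build `RegisterEABOptions`; the error value needs `errors` (or `fmt`), which this hunk does not show as imported. The doc comment above the function should also mention the binding, e.g. `// RegisterAcme registers the account, using external account binding when an EAB key ID and HMAC key are configured, and stores the registration in the given file.` `RegisterAcme` continues past the end of the hunk (the part that persists the registration), which is unchanged.
```go
func RegisterAcme(client *lego.Client, config *cfg.PKIConfiguration, account User, accountFile string, keyFile string) error {
	var (
		reg *registration.Resource
		err error
	)
	switch {
	case config == nil || (config.AcmeKid == "" && config.AcmeHmac == ""):
		// No EAB configured: keep the pre-change plain registration.
		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
	case config.AcmeKid == "" || config.AcmeHmac == "":
		return errors.New("acme: external account binding needs both acme_kid and acme_hmac")
	default:
		reg, err = client.Registration.RegisterWithExternalAccountBinding(
			registration.RegisterEABOptions{
				TermsOfServiceAgreed: true,
				Kid:                  config.AcmeKid,
				HmacEncoded:          config.AcmeHmac,
			})
	}
	if err != nil {
		return err
	}
	// … unchanged: persist reg to accountFile / keyFile …
```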