Use the email configuration in the ACME issuer to "pin" an account …

…to a key When the issuer is configured with both an email and key material, these should match -- but that also means we can use the email information to predict the key-key, skipping the potentially expensive storage.List operation.
caddyserver · Apr 18, 2024 · c6e664b · c6e664b
1 parent f64401c
commit c6e664b
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/account.go b/account.go
@@ -88,11 +88,19 @@ func (*ACMEIssuer) newAccount(email string) (acme.Account, error) {
 // If it does not exist in storage, it will be retrieved from the ACME server and added to storage.
 // The account must already exist; it does not create a new account.
 func (am *ACMEIssuer) GetAccount(ctx context.Context, privateKeyPEM []byte) (acme.Account, error) {
-	account, err := am.loadAccountByKey(ctx, privateKeyPEM)
-	if errors.Is(err, fs.ErrNotExist) {
-		account, err = am.lookUpAccount(ctx, privateKeyPEM)
+	email := am.getEmail()
+	if email == "" {
+		account, err := am.loadAccountByKey(ctx, privateKeyPEM)
+		if err == nil || !errors.Is(err, fs.ErrNotExist) {
+			return account, err
+		}
+	} else {
+		keyBytes, err := am.config.Storage.Load(ctx, am.storageKeyUserPrivateKey(am.CA, email))
+		if err == nil && bytes.Equal(bytes.TrimSpace(keyBytes), bytes.TrimSpace(privateKeyPEM)) {
+			return am.loadAccount(ctx, am.CA, email)
+		}
 	}
-	return account, err
+	return am.lookUpAccount(ctx, privateKeyPEM)
 }
 
 // loadAccountByKey loads the account with the given private key from storage, if it exists.