Remove KeyAuthorization from challenge updates. #96

Merged Mar 6, 2018 (2 commits)

@cpu cpu commented Mar 6, 2018

Per ACME draft-10 challenge update POST bodies should no longer include
the `KeyAuthorization` field, the server can calculate this on its own.
Similarly, it shouldn't be returned in challenge bodies sent to the
client because the client can calculate it themselves.

This commit updates Pebble to reject challenge updates with
a KeyAuthorization field. This is fairly aggressive: We could simply
ignore this field, but Pebble is meant to encourage good client
behaviour so we'll be more aggressive than Boulder will.

@cpu cpu self-assigned this Mar 6, 2018
@cpu cpu requested a review from jsha March 6, 2018 15:38

cpu commented Mar 6, 2018

This breaks in CI because Chisel2 sends the legacy field:

```json
{
   "type": "urn:ietf:params:acme:error:malformedRequest",
   "detail": "Challenge response body contained legacy KeyAuthorzation field, POST body should be `{}`",
   "status": 400
}
```

Fixing that is likely blocked on letsencrypt/boulder#3514 in Boulder.

wfe/wfe.go Outdated
// sent (and that's what Boulder will do) but for Pebble we'd like to be more
// aggressive about pushing clients implementations in the right direction, so
// we treat this as a malformed request.
if chalResp.KeyAuthorization != "" {
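
Review bot: on the `if chalResp.KeyAuthorization != "" {` line, a string comparison cannot tell an absent field from one that was sent with an empty value, so a body that still carries the legacy field with an empty string would be accepted as if it were `{}`. Check for presence rather than for a non-empty value. Separately, the comment above the check reads "pushing clients implementations"; that should be "client implementations".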

Let's make this field a pointer so we can check if it's present at all. Otherwise we'll accept its presence with an empty string.

Good idea, thanks!

Resolved in ee20d06
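
The presence check discussed in the review thread above, as an added example that is not Pebble's code: it contrasts a plain string field with a pointer field when decoding a challenge update body. The type and function names and the `keyAuthorization` JSON key are assumptions made for illustration, and the request bodies are constructed samples.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// legacyUpdate (hypothetical) decodes the field as a plain string.
type legacyUpdate struct {
	KeyAuthorization string `json:"keyAuthorization"`
}

// strictUpdate (hypothetical) uses a pointer: nil means the field was absent.
type strictUpdate struct {
	KeyAuthorization *string `json:"keyAuthorization"`
}

var errLegacyField = errors.New("challenge update contained legacy keyAuthorization field")

// checkLegacy rejects only a non-empty value, like the string comparison.
func checkLegacy(body []byte) error {
	var u legacyUpdate
	if err := json.Unmarshal(body, &u); err != nil {
		return err
	}
	if u.KeyAuthorization != "" {
		return errLegacyField
	}
	return nil
}

// checkStrict rejects the field whenever it is present with a string value,
// including "". A JSON null leaves the pointer nil and is not caught here.
func checkStrict(body []byte) error {
	var u strictUpdate
	if err := json.Unmarshal(body, &u); err != nil {
		return err
	}
	if u.KeyAuthorization != nil {
		return errLegacyField
	}
	return nil
}

func main() {
	// Constructed sample bodies, not captured traffic.
	for _, b := range []string{`{}`, `{"keyAuthorization":""}`, `{"keyAuthorization":"tok.thumb"}`} {
		fmt.Printf("%-34s legacy=%v strict=%v\n", b, checkLegacy([]byte(b)), checkStrict([]byte(b)))
	}
}
```

Only the pointer version rejects the empty-string body; both accept `{}` and both reject a non-empty value.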

@jsha jsha merged commit 65f0647 into master Mar 6, 2018
@jsha jsha deleted the cpu-acme-keyauthz-chall-updates branch March 6, 2018 15:47
milux commented Mar 14, 2018

#100
