ACME: external account binding support. #22
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bavshin-f5
force-pushed
the
main
branch
2 times, most recently
from
30a0562 to
fda230c
Compare
bavshin-f5
force-pushed
the
bavshin/external-account
branch
from
9bb8643 to
9cd7190
Compare
bavshin-f5
force-pushed
the
bavshin/external-account
branch
from
9cd7190 to
52646d0
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR implements external account binding (EAB) support for the ACME client module as specified in RFC8555 § 7.3.4. External account binding allows ACME clients to associate their account with an external account managed by the CA.
- Added support for HMAC-based signing for external account binding
- Introduced configuration directive
external_account_keyto specify EAB credentials - Enhanced test infrastructure with feature detection and version checking
Reviewed Changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| t/lib/Test/Nginx/ACME.pm | Enhanced test daemon with configuration merging, feature detection, and version checking |
| t/acme_external_account.t | New test case for external account binding functionality |
| t/acme_*.t | Removed unused imports and simplified configuration |
| src/util.rs | Added utility functions for file reading and string manipulation |
| src/jws.rs | Added HMAC key support and made nonce optional for EAB signing |
| src/conf/issuer.rs | Added external account key configuration structure |
| src/conf.rs | Added configuration parser for external_account_key directive |
| src/acme/types.rs | Added external_account_binding field to AccountRequest |
| src/acme.rs | Implemented EAB signature generation in account creation |
| README.md | Updated documentation to reflect EAB support |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
bavshin-f5
force-pushed
the
bavshin/external-account
branch
from
52646d0 to
c9bfd5d
Compare
Do not set certificate validity unless necessary.
Allow passing extra configuration.
bavshin-f5
force-pushed
the
bavshin/external-account
branch
from
c9bfd5d to
9cf9c9e
Compare
bavshin-f5
force-pushed
the
bavshin/external-account
branch
from
d19c6a7 to
68754de
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
RFC8555 § 7.3.4 implementation.
The keys are
base64urlencoded because that's how most of the issuers provide the keys.Tested with:
Fixes #6