
svn commit: r1895285 - in /httpd/httpd/trunk: changes-entries/md_2.4.9.txt docs/manual/mod/mod_md.xml modules/md/md_version.h modules/md/mod_md_config.c
Author: icing
Date: Wed Nov 24 10:13:42 2021
New Revision: 1895285

URL: http://svn.apache.org/viewvc?rev=1895285&view=rev
Log:
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows keeping server configuration permissions
world readable without exposing secrets.


Added:
httpd/httpd/trunk/changes-entries/md_2.4.9.txt
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_md.xml
httpd/httpd/trunk/modules/md/md_version.h
httpd/httpd/trunk/modules/md/mod_md_config.c

Added: httpd/httpd/trunk/changes-entries/md_2.4.9.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/md_2.4.9.txt?rev=1895285&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/md_2.4.9.txt (added)
+++ httpd/httpd/trunk/changes-entries/md_2.4.9.txt Wed Nov 24 10:13:42 2021
@@ -0,0 +1,6 @@
+ *) mod_md: values for External Account Binding (EAB) can
+ now also be configured to be read from a separate JSON
+ file. This allows to keep server configuration permissions
+ world readable without exposing secrets.
+ [Stefan Eissing]
+

Modified: httpd/httpd/trunk/docs/manual/mod/mod_md.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_md.xml?rev=1895285&r1=1895284&r2=1895285&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_md.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_md.xml Wed Nov 24 10:13:42 2021
@@ -1295,7 +1295,7 @@ MDMessageCmd /etc/apache/md-message
<directivesynopsis>
<name>MDExternalAccountBinding</name>
<description></description>
- <syntax>MDExternalAccountBinding <var>key-id</var> <var>hmac-64</var></syntax>
+ <syntax>MDExternalAccountBinding <var>key-id</var> <var>hmac-64</var> | none | <var>file</var></syntax>
<default>MDExternalAccountBinding none</default>
<contextlist>
<context>server config</context>
@@ -1319,7 +1319,17 @@ MDMessageCmd /etc/apache/md-message
e.g. root only.
</p>
<p>
- If you change these values, the new ones will be used when the next
+ The value can also be taken from a JSON file, to keep more open
+ permissions on the server configuration and restrict the ones on that
+ file. The JSON itself is:
+ </p>
+ <example><title>EAB JSON Example file</title>
+ <highlight language="config">
+{"kid": "kid-1", "hmac": "zWND..."}
+ </highlight>
+ </example>
+ <p>
+ If you change EAB values, the new ones will be used when the next
certificate renewal is due.
</p>
</usage>

Modified: httpd/httpd/trunk/modules/md/md_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_version.h?rev=1895285&r1=1895284&r2=1895285&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_version.h (original)
+++ httpd/httpd/trunk/modules/md/md_version.h Wed Nov 24 10:13:42 2021
@@ -27,7 +27,7 @@
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "2.4.8"
+#define MOD_MD_VERSION "2.4.9"

/**
* @macro
@@ -35,7 +35,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x020408
+#define MOD_MD_VERSION_NUM 0x020409

#define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"


Modified: httpd/httpd/trunk/modules/md/mod_md_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/mod_md_config.c?rev=1895285&r1=1895284&r2=1895285&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/mod_md_config.c (original)
+++ httpd/httpd/trunk/modules/md/mod_md_config.c Wed Nov 24 10:13:42 2021
@@ -28,6 +28,7 @@
#include "md.h"
#include "md_crypt.h"
#include "md_log.h"
+#include "md_json.h"
#include "md_util.h"
#include "mod_md_private.h"
#include "mod_md_config.h"
@@ -1038,11 +1039,50 @@ static const char *md_config_set_eab(cmd
return err;
}
if (!hmac) {
- if (apr_strnatcasecmp("None", keyid)) {
- return "only 'None' or a KEYID and HMAC string are allowed.";
+ if (!apr_strnatcasecmp("None", keyid)) {
+ keyid = "none";
+ }
+ else {
+ /* a JSON file keeping keyid and hmac */
+ const char *fpath;
+ apr_status_t rv;
+ md_json_t *json;
+
+ /* If only dumping the config, don't verify the file */
+ if (ap_state_query(AP_SQ_RUN_MODE) == AP_SQ_RM_CONFIG_DUMP) {
+ goto leave;
+ }
+
+ fpath = ap_server_root_relative(cmd->pool, keyid);
+ if (!fpath) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ ": Invalid file path ", keyid, NULL);
+ }
+ if (!md_file_exists(fpath, cmd->pool)) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ ": file not found: ", fpath, NULL);
+ }
+
+ rv = md_json_readf(&json, cmd->pool, fpath);
+ if (APR_SUCCESS != rv) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ ": error reading JSON file ", fpath, NULL);
+ }
+ keyid = md_json_gets(json, MD_KEY_KID, NULL);
+ if (!keyid || !*keyid) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ ": JSON does not contain '", MD_KEY_KID,
+ "' element in file ", fpath, NULL);
+ }
+ hmac = md_json_gets(json, MD_KEY_HMAC, NULL);
+ if (!hmac || !*hmac) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ ": JSON does not contain '", MD_KEY_HMAC,
+ "' element in file ", fpath, NULL);
+ }
}
- keyid = "none";
}
+leave:
sc->ca_eab_kid = keyid;
sc->ca_eab_hmac = hmac;
return NULL;
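Review bot: The error returned after the `md_json_readf` call (`": error reading JSON file "`) discards the `apr_status_t` in `rv`, so a file that exists but cannot be opened (for example one whose permissions were tightened as the changelog recommends) and a file with a malformed JSON body yield the same opaque startup error. Appending the status text makes the two cases distinguishable, e.g. `char ebuf[128];` declared before the `return` and `": error reading JSON file ", fpath, ": ", apr_strerror(rv, ebuf, sizeof ebuf), NULL);` as the tail of that `apr_pstrcat` call. With the status text in place the preceding `md_file_exists` check looks redundant, since `md_json_readf` presumably fails on a missing file through the same open path. The directive documentation could also state that the file is read once while the configuration is processed, so edits to it take effect only on the next restart or reload — inferred from the handler copying the parsed values into `sc` rather than keeping the path. The start and end of `md_config_set_eab` lie outside the hunk.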