regress tests for acme-client eab
This adds regress tests for the external account binding feature in
acme-client. pebble can't selectively require binding, so we need
a separate pebble config to test it, which complicates things a bit.
Input from regress test knowers is welcome. I'm a little concerned that
this leaves things in a state that requires manual cleanup if things don't
go perfectly.
ok?
Index: Makefile
===================================================================
RCS file: /cvs/src/regress/usr.sbin/acme-client/Makefile,v
diff -u -p -u -p -r1.6 Makefile
--- Makefile 23 Feb 2026 10:28:23 -0000 1.6
+++ Makefile 24 Jun 2026 06:53:48 -0000
@@ -25,8 +25,8 @@ regress:
.endif
clean: _SUBDIRUSE
- rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out pebble-config.json
- rm -f pebble.out
+ rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out
+ rm -f pebble.out pebble-config.json pebble-config-eab.json
rm -rf etc www
etc/acme-client.conf: acme-client.conf
@@ -46,6 +46,11 @@ etc/acme-client-ipaddress.conf: acme-cli
${.CURDIR}/acme-client-ipaddress.conf \
> etc/acme-client-ipaddress.conf
+etc/acme-client-eab.conf: acme-client-eab.conf
+ mkdir -p etc
+ sed 's,$${.OBJDIR},${.OBJDIR},'\
+ ${.CURDIR}/acme-client-eab.conf > etc/acme-client-eab.conf
+
etc/httpd.conf: httpd.conf
mkdir -p etc
sed 's,$${.OBJDIR},${.OBJDIR},'\
@@ -64,15 +69,28 @@ pebble-config.json:
sed 's,$${.CURDIR},${.CURDIR},'\
${.CURDIR}/pebble-config.json > pebble-config.json
+pebble-config-eab.json:
+ sed 's,$${.CURDIR},${.CURDIR},'\
+ ${.CURDIR}/pebble-config-eab.json > pebble-config-eab.json
+
pebble-start: pebble-config.json
/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json > \
${.OBJDIR}/pebble.out &
while ! $$(fgrep -q 'Root CA certificate available' \
${.OBJDIR}/pebble.out); do sleep .1; done
+pebble-eab-start: pebble-config-eab.json
+ /usr/local/bin/pebble -config ${.OBJDIR}/pebble-config-eab.json > \
+ ${.OBJDIR}/pebble.out &
+ while ! $$(fgrep -q 'Root CA certificate available' \
+ ${.OBJDIR}/pebble.out); do sleep .1; done
+
pebble-stop:
pkill -xf "/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json"
+pebble-eab-stop:
+ pkill -xf "/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config-eab.json"
+
REGRESS_TARGETS += run-regress-acme
run-regress-acme: etc/acme-client.conf httpd-start pebble-start
${SUDO} /usr/sbin/acme-client \
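Review bot: pebble-eab-start redirects to the same `${.OBJDIR}/pebble.out` that pebble-start uses, and the only stop calls visible are in run-regress-cleanup, so the first pebble is presumably still running and still holding that file open when the EAB instance truncates it. The readiness loop then polls a log that two processes write to, and if the EAB instance fails to start the loop spins with little usable output to diagnose it. A separate log avoids this: `${.OBJDIR}/pebble-eab.out &` in the start rule, the same file in the `fgrep -q` wait, and `pebble-eab.out` added to the `rm -f` line in clean.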
@@ -109,11 +127,20 @@ run-regress-acme-ipaddress2: etc/acme-cl
-f ${.OBJDIR}/etc/acme-client-ipaddress.conf \
-r -v ::1
+REGRESS_TARGETS += run-regress-acme-eab
+run-regress-acme-eab: etc/acme-client-eab.conf pebble-eab-start
+ ${SUDO} /usr/sbin/acme-client \
+ -f ${.OBJDIR}/etc/acme-client-eab.conf \
+ -e kid-1:zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W \
+ -v localhost
+
REGRESS_TARGETS += run-regress-cleanup
run-regress-cleanup:
${.MAKE} -C ${.CURDIR} httpd-stop
${.MAKE} -C ${.CURDIR} pebble-stop
+ ${.MAKE} -C ${.CURDIR} pebble-eab-stop
-.PHONY: ${REGRESS_TARGETS} httpd-start httpd-stop pebble-start pebble-stop
+.PHONY: ${REGRESS_TARGETS} httpd-start httpd-stop pebble-start pebble-eab-start \
+ pebble-stop pebble-eab-stop
.include <bsd.regress.mk>
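Review bot: In run-regress-cleanup the new `pebble-eab-stop` line runs only if the two lines before it succeed; pkill exits non-zero when nothing matches, so if the plain pebble is not running (for example when only run-regress-acme-eab was invoked) the recipe stops there and the EAB instance stays up. Prefixing the stop lines with `-`, e.g. `-${.MAKE} -C ${.CURDIR} pebble-eab-stop`, lets each stop run independently and speaks to the manual-cleanup concern in the description. Separately, run-regress-acme-eab lists `pebble-eab-start` but not `httpd-start`, unlike run-regress-acme, so it appears to rely on httpd left running by an earlier target. Adding `httpd-start` as a prerequisite would make it runnable on its own, provided httpd-start tolerates an already running daemon (not visible here).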
Index: acme-client-eab.conf
===================================================================
RCS file: acme-client-eab.conf
diff -N acme-client-eab.conf
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ acme-client-eab.conf 24 Jun 2026 06:53:48 -0000
@@ -0,0 +1,11 @@
+authority pebble-eab {
+ account key "${.OBJDIR}/etc/acme/privkey-eab.pem"
+ api url https://127.0.0.1:14001/dir
+ insecure
+}
+domain localhost {
+ domain key "${.OBJDIR}/etc/ssl/acme/private/privkey.pem"
+ domain certificate "${.OBJDIR}/etc/ssl/acme/cert.pem"
+ sign with "pebble-eab"
+ challengedir "${.OBJDIR}/www/acme"
+}
Index: pebble-config-eab.json
===================================================================
RCS file: pebble-config-eab.json
diff -N pebble-config-eab.json
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ pebble-config-eab.json 24 Jun 2026 06:53:48 -0000
@@ -0,0 +1,32 @@
+{
+ "pebble": {
+ "listenAddress": "0.0.0.0:14001",
+ "managementListenAddress": "0.0.0.0:15001",
+ "certificate": "${.CURDIR}/localhost_cert.pem",
+ "privateKey": "${.CURDIR}/localhost_key.pem",
+ "httpPort": 80,
+ "tlsPort": 5001,
+ "ocspResponderURL": "",
+ "externalAccountBindingRequired": true,
+ "externalAccountMACKeys": {
+ "kid-1": "zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W",
+ "kid-2": "b10lLJs8l1GPIzsLP0s6pMt8O0XVGnfTaCeROxQM0BIt2XrJMDHJZBM5NuQmQJQH",
+ "kid-3": "HjudV5qnbreN-n9WyFSH-t4HXuEx_XFen45zuxY-G1h6fr74V3cUM_dVlwQZBWmc"
+ },
+ "domainBlocklist": ["blocked-domain.example"],
+ "retryAfter": {
+ "authz": 3,
+ "order": 5
+ },
+ "profiles": {
+ "default": {
+ "description": "The profile you know and love",
+ "validityPeriod": 7776000
+ },
+ "shortlived": {
+ "description": "A short-lived cert profile, without actual enforcement",
+ "validityPeriod": 518400
+ }
+ }
+ }
+}
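Review bot: `listenAddress` and `managementListenAddress` bind to `0.0.0.0`, which exposes the test CA and its management interface on every interface of the regress host while the suite runs, and for longer if cleanup never reaches pebble-eab-stop. The client config in this patch only talks to `https://127.0.0.1:14001/dir`, so `"127.0.0.1:14001"` and `"127.0.0.1:15001"` look sufficient, assuming nothing else needs these ports off-host. The MAC keys in this file are published fixtures, so anyone who can reach the port can bind accounts against this instance. `kid-2` and `kid-3` are not used by the new target and could be dropped.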