From: Theo Buehler
Subject: Re: acme-client: support for external account binding
To: Jonathan Matthew, tech@openbsd.org, sthen@openbsd.org
Date: Sat, 2 May 2026 19:53:50 +0200

On Sat, May 02, 2026 at 07:09:37PM +0200, Florian Obser wrote:
> On 2026-05-01 14:09 +10, Jonathan Matthew wrote:
> > The ACME protocol includes a scheme allowing a client to bind an ACME
> > account key with an account in some non-ACME ("external") system run by
> > the CA. This is described in section 7.3.4 of RFC 8555. In short, the
> > CA gives you a key out-of-band and your ACME client HMACs your account
> > details with that key and sends that to the ACME server.
>
> I know some of these words! My Joo Janta 200 conveniently turned black
> when looking at the acctproc changes. That stuff is certainly over my
> head. In the past tb@ pointed out the errors of my ways, maybe we can
> trick him into reviewing those bits.

I haven't checked against the spec, but it looks fine to me, just two
things:

> > + /* sign with the EAB key */
> > + dig = malloc(eab_key_len);
> > + HMAC(EVP_sha256(), eab_key, eab_key_len, sign, sign_len, dig, &digsz);

Both malloc and HMAC should be error checked (against NULL).

> > @@ -630,6 +630,14 @@ json_fmt_newacc(const char *contact)
> > return NULL;
> > }
> > }
> > + if (eab != NULL) {
> > + char *ecnt = NULL;
> > + c = asprintf(&ecnt, "%s\"externalAccountBinding\": %s, ",
> > + cnt == NULL ? "" : cnt, eab);

Pretty sure this should return NULL if c == -1.
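Review bot: in the first quoted hunk, `dig = malloc(eab_key_len);` sizes the digest buffer by the length of the EAB key, but HMAC() with EVP_sha256() always writes a 32-byte MAC regardless of key length, so a CA-issued key shorter than 32 bytes would make the HMAC() call write past the end of dig. Allocate EVP_MD_size(EVP_sha256()) (or EVP_MAX_MD_SIZE) bytes instead, keep taking the actual length from digsz as the hunk already does, and, as tb@ says, check both the malloc() and the HMAC() return values for NULL before touching dig.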
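Review bot: in the json_fmt_newacc hunk, `c = asprintf(&ecnt, "%s\"externalAccountBinding\": %s, ", ...)` must be followed by a `c == -1` check that returns NULL, matching the `return NULL;` the surrounding code already uses for its earlier allocation failures. Two follow-ups to confirm in the rest of the function: the new ecnt string copies the contents of cnt, so the old cnt buffer has to be freed once ecnt takes its place or the contact string leaks on the EAB path; and because eab is substituted into the format string unquoted, the caller must pass an already-serialized JSON object (the JWS built in the account process), not a bare string, or the resulting newAccount body is not valid JSON.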
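Added example, not acme-client code and not posted by anyone in this thread: the external account binding that Jonathan describes, built the way RFC 8555 section 7.3.4 lays it out, in Python rather than acme-client's C so it runs without libcrypto. The CA-issued key identifier, the MAC key, the account JWK coordinates and the newAccount URL are all constructed placeholders; the point is which bytes get HMAC'd (the base64url protected header and payload joined by a dot), that the MAC output is 32 bytes whatever the key length, and how the server side verifies it.

```python
"""External account binding (EAB) as described in RFC 8555 section 7.3.4.

Added illustration, not acme-client code: the CA hands the client a key
identifier and a base64url-encoded MAC key out of band; the client wraps its
ACME account public key (as a JWK) in a JWS signed with HMAC-SHA256 under that
key and sends it in the newAccount request. All sample values below are
constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    # No whitespace; the JWS signs the encoded bytes, so the serialization
    # produced here is exactly what the server will verify against.
    return json.dumps(obj, separators=(",", ":")).encode("ascii")


def external_account_binding(kid: str, eab_key_b64: str,
                             account_jwk: Dict[str, str],
                             new_account_url: str) -> Dict[str, str]:
    """Build the externalAccountBinding JWS for a newAccount request.

    The protected header carries alg HS256, the CA-issued kid and the
    newAccount URL; the payload is the account public key JWK; the MAC is
    computed over base64url(header) '.' base64url(payload).
    """
    eab_key = b64url_decode(eab_key_b64)
    protected_b64 = b64url(compact_json({"alg": "HS256", "kid": kid,
                                         "url": new_account_url}))
    payload_b64 = b64url(compact_json(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    # HMAC-SHA256 output is always 32 bytes, whatever the length of eab_key.
    mac = hmac.new(eab_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64,
            "signature": b64url(mac)}


def eab_protected_header(eab: Dict[str, str]) -> Dict[str, str]:
    """Decode the protected header back into a dict (for inspection)."""
    return json.loads(b64url_decode(eab["protected"]))


def verify_external_account_binding(eab: Dict[str, str], eab_key_b64: str) -> bool:
    """What the CA does: recompute the MAC and compare in constant time."""
    eab_key = b64url_decode(eab_key_b64)
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(eab_key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def new_account_payload(contacts: List[str], eab: Optional[Dict[str, str]]) -> str:
    """Serialize the newAccount body; the EAB object is embedded as JSON,
    not spliced in as text, so it cannot break the surrounding document."""
    body = {"termsOfServiceAgreed": True, "contact": contacts}
    if eab is not None:
        body["externalAccountBinding"] = eab
    return compact_json(body).decode("ascii")


# Constructed sample inputs (placeholders, not real CA or key material).
SAMPLE_KID = "kid-1"
SAMPLE_EAB_KEY_B64 = b64url(b"constructed-eab-mac-key-32bytes!")
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "CONSTRUCTED_X_COORDINATE", "y": "CONSTRUCTED_Y_COORDINATE"}
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-acct"

if __name__ == "__main__":
    eab = external_account_binding(SAMPLE_KID, SAMPLE_EAB_KEY_B64,
                                   SAMPLE_JWK, NEW_ACCOUNT_URL)
    print(new_account_payload(["mailto:hostmaster@example.test"], eab))
    print("verifies:", verify_external_account_binding(eab, SAMPLE_EAB_KEY_B64))
```

The digest buffer question raised in the thread shows up here as `hashlib.sha256` always producing 32 bytes: the MAC key the CA hands out can be any length, and the output size never follows it. Embedding the EAB object through the JSON serializer rather than string concatenation also makes the "eab must already be JSON" requirement explicit.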