From: Jonathan Matthew
Subject: regress tests for acme-client eab
To: tech@openbsd.org
Cc: florian@openbsd.org, bluhm@openbsd.org
Date: Wed, 24 Jun 2026 17:19:30 +1000
This adds regress tests for the external account binding feature in acme-client. pebble can't selectively require binding, so we need a separate pebble config to test it, which complicates things a bit. Input from regress test knowers is welcome. I'm a little concerned that this leaves things in a state that requires manual cleanup if things don't go perfectly. ok?
Index: Makefile
===================================================================
RCS file: /cvs/src/regress/usr.sbin/acme-client/Makefile,v
diff -u -p -u -p -r1.6 Makefile
--- Makefile 23 Feb 2026 10:28:23 -0000 1.6
+++ Makefile 24 Jun 2026 06:53:48 -0000
@@ -25,8 +25,8 @@ regress:
 .endif
 
 clean: _SUBDIRUSE
-	rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out pebble-config.json
-	rm -f pebble.out
+	rm -f a.out [Ee]rrs mklog *.core y.tab.h ktrace.out
+	rm -f pebble.out pebble-config.json pebble-config-eab.json
 	rm -rf etc www
 
 etc/acme-client.conf: acme-client.conf
@@ -46,6 +46,11 @@ etc/acme-client-ipaddress.conf: acme-cli
 	${.CURDIR}/acme-client-ipaddress.conf \
 	> etc/acme-client-ipaddress.conf
 
+etc/acme-client-eab.conf: acme-client-eab.conf
+	mkdir -p etc
+	sed 's,$${.OBJDIR},${.OBJDIR},'\
+	${.CURDIR}/acme-client-eab.conf > etc/acme-client-eab.conf
+
 etc/httpd.conf: httpd.conf
 	mkdir -p etc
 	sed 's,$${.OBJDIR},${.OBJDIR},'\
@@ -64,15 +69,28 @@ pebble-config.json:
 	sed 's,$${.CURDIR},${.CURDIR},'\
 	${.CURDIR}/pebble-config.json > pebble-config.json
 
+pebble-config-eab.json:
+	sed 's,$${.CURDIR},${.CURDIR},'\
+	${.CURDIR}/pebble-config-eab.json > pebble-config-eab.json
+
 pebble-start: pebble-config.json
 	/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json > \
 	${.OBJDIR}/pebble.out &
 	while ! $$(fgrep -q 'Root CA certificate available' \
 	${.OBJDIR}/pebble.out); do sleep .1; done
 
+pebble-eab-start: pebble-config-eab.json
+	/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config-eab.json > \
+	${.OBJDIR}/pebble.out &
+	while ! $$(fgrep -q 'Root CA certificate available' \
+	${.OBJDIR}/pebble.out); do sleep .1; done
+
 pebble-stop:
 	pkill -xf "/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config.json"
 
+pebble-eab-stop:
+	pkill -xf "/usr/local/bin/pebble -config ${.OBJDIR}/pebble-config-eab.json"
+
 REGRESS_TARGETS += run-regress-acme
 run-regress-acme: etc/acme-client.conf httpd-start pebble-start
 	${SUDO} /usr/sbin/acme-client \
@@ -109,11 +127,20 @@ run-regress-acme-ipaddress2: etc/acme-cl
 	-f ${.OBJDIR}/etc/acme-client-ipaddress.conf \
 	-r -v ::1
 
+REGRESS_TARGETS += run-regress-acme-eab
+run-regress-acme-eab: etc/acme-client-eab.conf pebble-eab-start
+	${SUDO} /usr/sbin/acme-client \
+	-f ${.OBJDIR}/etc/acme-client-eab.conf \
+	-e kid-1:zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W \
+	-v localhost
+
 REGRESS_TARGETS += run-regress-cleanup
 run-regress-cleanup:
 	${.MAKE} -C ${.CURDIR} httpd-stop
 	${.MAKE} -C ${.CURDIR} pebble-stop
+	${.MAKE} -C ${.CURDIR} pebble-eab-stop
 
-.PHONY: ${REGRESS_TARGETS} httpd-start httpd-stop pebble-start pebble-stop
+.PHONY: ${REGRESS_TARGETS} httpd-start httpd-stop pebble-start pebble-eab-start \
+	pebble-stop pebble-eab-stop
 
 .include
Index: acme-client-eab.conf
===================================================================
RCS file: acme-client-eab.conf
diff -N acme-client-eab.conf
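Review bot: The readiness loop in `pebble-eab-start` has no upper bound, so if the EAB pebble exits before it logs 'Root CA certificate available' (bad config path, port already taken, missing binary) the recipe spins forever and `make regress` has to be killed by hand, which is exactly the manual-cleanup situation the cover letter worries about. It also redirects into the same `${.OBJDIR}/pebble.out` that the instance from `pebble-start` is still writing, truncating that log and leaving it unclear which instance produced a given line. Giving the EAB instance its own `pebble-eab.out` (and adding it to `clean`) and replacing the wait with a bounded loop, e.g. `for i in $$(jot 100); do fgrep -q 'Root CA certificate available' ${.OBJDIR}/pebble-eab.out && exit 0; sleep .1; done; exit 1`, turns a hang into a failed target (each recipe line is its own shell, so the `exit` only ends that line). The `! $$(fgrep -q ...)` form copied from `pebble-start` executes the empty output of fgrep rather than fgrep itself and only works because `-q` prints nothing; the bounded form drops it.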
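Review bot: `run-regress-acme-eab` lists only `etc/acme-client-eab.conf pebble-eab-start` as prerequisites, yet the http-01 challenge is answered from `challengedir "${.OBJDIR}/www/acme"`, which, going by `run-regress-acme`, is served by the httpd brought up with `httpd-start`; run on its own (`make run-regress-acme-eab`) the target has no httpd, and in a full `make regress` it only works because an earlier target left one running. Adding the prerequisite, `run-regress-acme-eab: etc/acme-client-eab.conf httpd-start pebble-eab-start`, makes that explicit, and since make builds a target at most once per invocation it does not restart httpd during `regress`. In `run-regress-cleanup` the new `pebble-eab-stop` line runs pkill unconditionally; pkill exits 1 when nothing matched, so cleanup after a run in which the EAB pebble never started or already died reports a failure, and a `-` prefix on that line (with a comment saying why) is the usual escape. The recipe of `run-regress-acme-ipaddress2` starts outside this hunk.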
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ acme-client-eab.conf 24 Jun 2026 06:53:48 -0000
@@ -0,0 +1,11 @@
+authority pebble-eab {
+account key "${.OBJDIR}/etc/acme/privkey-eab.pem"
+api url https://127.0.0.1:14001/dir
+insecure
+}
+domain localhost {
+domain key "${.OBJDIR}/etc/ssl/acme/private/privkey.pem"
+domain certificate "${.OBJDIR}/etc/ssl/acme/cert.pem"
+sign with "pebble-eab"
+challengedir "${.OBJDIR}/www/acme"
+}
Index: pebble-config-eab.json
===================================================================
RCS file: pebble-config-eab.json
diff -N pebble-config-eab.json
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ pebble-config-eab.json 24 Jun 2026 06:53:48 -0000
@@ -0,0 +1,32 @@
+{
+"pebble": {
+"listenAddress": "0.0.0.0:14001",
+"managementListenAddress": "0.0.0.0:15001",
+"certificate": "${.CURDIR}/localhost_cert.pem",
+"privateKey": "${.CURDIR}/localhost_key.pem",
+"httpPort": 80,
+"tlsPort": 5001,
+"ocspResponderURL": "",
+"externalAccountBindingRequired": true,
+"externalAccountMACKeys": {
+"kid-1": "zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W",
+"kid-2": "b10lLJs8l1GPIzsLP0s6pMt8O0XVGnfTaCeROxQM0BIt2XrJMDHJZBM5NuQmQJQH",
+"kid-3": "HjudV5qnbreN-n9WyFSH-t4HXuEx_XFen45zuxY-G1h6fr74V3cUM_dVlwQZBWmc"
+},
+"domainBlocklist": ["blocked-domain.example"],
+"retryAfter": {
+"authz": 3,
+"order": 5
+},
+"profiles": {
+"default": {
+"description": "The profile you know and love",
+"validityPeriod": 7776000
+},
+"shortlived": {
+"description": "A short-lived cert profile, without actual enforcement",
+"validityPeriod": 518400
+}
+}
+}
+}
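Review bot: `acme-client-eab.conf` gets its own account key (`privkey-eab.pem`) but, going by the paths, shares `domain key` and `domain certificate` (`${.OBJDIR}/etc/ssl/acme/...`) with the other configs; if the earlier targets leave a valid `cert.pem` there, acme-client, as far as I recall, treats the certificate as current and exits before talking to the CA unless run with `-F`, so the EAB account registration this test exists to exercise may never be sent while the target still passes. Pointing this config at its own `domain certificate "${.OBJDIR}/etc/ssl/acme/cert-eab.pem"`, or passing `-F` in `run-regress-acme-eab`, guarantees a fresh order against the EAB-required pebble. acme-client.conf is not in this diff, so confirm whether the paths really are shared.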
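Review bot: `listenAddress` and `managementListenAddress` bind `0.0.0.0`, so for the duration of the test the EAB-required ACME endpoint and pebble's management listener are reachable from every interface of the host, although the only client is acme-client at `https://127.0.0.1:14001/dir`; `"listenAddress": "127.0.0.1:14001"` and `"managementListenAddress": "127.0.0.1:15001"` keep a throwaway CA whose MAC keys are checked into the tree off the network (if pebble-config.json does the same, both should change). The file also looks like a copy of pebble-config.json with `externalAccountBindingRequired` and the port numbers changed; if that is the whole difference, the `pebble-config-eab.json` rule in the Makefile could derive it from pebble-config.json with an extra sed expression instead of keeping a second copy in sync by hand. JSON has no comment syntax, so the reason a separate config is needed (pebble cannot require binding per account) belongs in a comment on that Makefile rule.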