diff --git a/getssl b/getssl
index 3bb6272..057fba1 100755
--- a/getssl
+++ b/getssl
@@ -396,6 +396,10 @@ cert_archive() { # Archive certificate file by copying files to dated archive d
   purge_archive "$DOMAIN_DIR"
 }
 
+base64url_decode() {
+  awk '{ if (length($0) % 4 == 3) print $0"="; else if (length($0) % 4 == 2) print $0"=="; else print $0; }' | tr -- '-_' '+/' | base64 -d
+}
+
 cert_install() { # copy certs to the correct location (creating concatenated files as required)
   umask 077
 
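Review bot: base64url_decode pads only inputs whose length is 2 or 3 mod 4, so an input of length 1 mod 4 (never valid base64url, and the likeliest symptom of a truncated or mispasted key) reaches `base64 -d` unpadded, and the function's exit status is then whatever `base64 -d` returns, which a caller that wraps it in `$(...)` and pipes further will not see. A comment on the function stating the contract would help: `# stdin: one unpadded base64url line; stdout: raw bytes; exit status is base64 -d's, so callers must check it (or rely on pipefail)`. The awk also pads each input line independently, which is only correct for single-line input; that matches the `printf '%s'` caller but is worth saying in the same comment. Whether `base64 -d` is accepted on every platform getssl targets I cannot tell from this hunk; the script has a get_os helper, which suggests portability is a concern worth checking here.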
@@ -1731,6 +1735,36 @@ get_cr() { # get curl response
   return $ret
 }
 
+get_eab_json() { # calculate json block for external account bindings, v2 only
+  if [ ${#EAB_PARAMS[@]} -eq 1 ]; then
+    # single param, assume file path and read into array
+    debug "Using EAB FILE ${EAB_PARAMS[0]}"
+    [[ -s "${EAB_PARAMS[0]}" ]] || error_exit "missing path ${EAB_PARAMS[0]} for eab file"
+    EAB_PARAMS=( $(cat "${EAB_PARAMS[0]}") )
+  fi
+  if [ ${#EAB_PARAMS[@]} -eq 2 ]; then
+    # two params - kid and mac key from CA
+    debug "Using EAB KID ${EAB_PARAMS[0]}"
+    debug "Using EAB HMAC ${EAB_PARAMS[1]}"
+    eab_protected="{\"alg\": \"HS256\", \"kid\": \"${EAB_PARAMS[0]}\", \"url\": \"${URL_newAccount}\"}"
+    eab_protected64=$(printf '%s' "${eab_protected}" | urlbase64)
+    eab_payload="${jwk}"
+    eab_payload64=$(printf '%s' "${eab_payload}" | urlbase64)
+    signing_input=$(printf '%s' "${eab_protected64}.${eab_payload64}")
+    keyhex=$(printf '%s' "${EAB_PARAMS[1]}" | base64url_decode | xxd -p | tr -d '\n')
+    debug "SIGN INPUT $signing_input"
+    debug "HMAC-SHA256 HEXKEY $keyhex"
+    eab_signature=$(printf '%s' "$signing_input" | openssl dgst -sha256 -mac hmac -macopt "hexkey:${keyhex}" -binary | urlbase64)
+    EAB_JSON="{"
+    EAB_JSON="${EAB_JSON}\"protected\": \"${eab_protected64}\","
+    EAB_JSON="${EAB_JSON}\"payload\": \"${eab_payload64}\","
+    EAB_JSON="${EAB_JSON}\"signature\": \"${eab_signature}\"}"
+    debug "EAB_JSON ${EAB_JSON}"
+  else
+    EAB_JSON=""
+  fi
+}
+
 get_os() { # function to get the current Operating System
   uname_res=$(uname -s)
   if [[ $(date -h 2>&1 | grep -ic busybox) -gt 0 ]]; then
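Review bot: The lines `debug "Using EAB HMAC ${EAB_PARAMS[1]}"` and `debug "HMAC-SHA256 HEXKEY $keyhex"` write the external-account MAC secret to debug output, which is exactly what users paste into bug reports and CI logs; log only its length, e.g. `debug "Using EAB HMAC key (${#EAB_PARAMS[1]} chars)"`, and drop the HEXKEY line entirely. Separately, `keyhex` is taken from a command substitution whose status is that of the final `tr`, so a malformed key yields an empty string and the signature is silently computed with an empty HMAC key; add `[[ -n "$keyhex" ]] || error_exit "EAB HMAC key is not valid base64url"` before the openssl call. The key is also handed to openssl on its command line (`-macopt "hexkey:${keyhex}"`), which other local users can read from the process table for the duration of the call; I see no way around that with `openssl dgst`, so at minimum a comment should record the exposure. `EAB_PARAMS=( $(cat ...) )` depends on unquoted word splitting and is subject to glob expansion; reading the file with `read -r` (or `mapfile` if kid and key are on separate lines, which the hunk does not show) avoids that, though the base64url alphabet makes the practical risk small.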