fszlin / certes

A client implementation for the Automated Certificate Management Environment (ACME) protocol
MIT License

Support the external account binding feature #231

Closed lennybacon closed 3 years ago

lennybacon commented 3 years ago
   ACME can also be used to automate some aspects of certificate
   management even where non-automated processes are still needed.  For
   example, the external account binding feature (see Section 7.3.4) can
   allow an ACME account to use authorizations that have been granted to
   an external, non-ACME account.  This allows ACME to address issuance
   scenarios that cannot yet be fully automated, such as the issuance of
   "Extended Validation" certificates.

More details in the spec: https://tools.ietf.org/html/rfc8555#section-7.3.4

webprofusion-chrisc commented 3 years ago

Hi, I'm preparing a PR for this already. So far I have it working with pebble, do you have any other suggested ACME CAs I can try it against?

lennybacon commented 3 years ago

Sorry no. But I'm working on an internal implementation and could offer to provide feedback.

webprofusion-chrisc commented 3 years ago

Cool, my EAB branch is here: https://github.com/webprofusion-chrisc/certes/tree/external-account-binding

webprofusion-chrisc commented 3 years ago

When you call NewAccount you can optionally pass in an EAB Key Id and EAB Key (EAB Algorithm will default to HS256 if you don't specify one).

lennybacon commented 3 years ago

Thanks, I'll try to check things this week.

lennybacon commented 3 years ago

I started to look at the branch.

The AccountContext.cs instantiates HMAC instances to compute the hashes but does not dispose the instances afterwards.
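As an added illustration (not code from certes or from the EAB branch linked above) of what the NewAccount EAB parameters feed into, and of the disposal point raised here, the block below builds the RFC 8555 section 7.3.4 `externalAccountBinding` JWS the way a client would and checks it the way a CA would. The key id, MAC key, account JWK and newAccount URL are constructed placeholder values; the HMAC objects are created in `using` declarations so the key material is released deterministically rather than left to the finalizer.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example, not certes code: client-side construction and CA-side
// verification of the RFC 8555 section 7.3.4 externalAccountBinding JWS.
public static class EabExample
{
    // base64url per RFC 7515: URL-safe alphabet, no '=' padding.
    public static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] Base64UrlDecode(string text)
    {
        string s = text.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Convert.FromBase64String(s);
    }

    // Only MAC-based algorithms are valid for EAB; HS256 is the usual default.
    private static HMAC CreateMac(string alg, byte[] key) => alg switch
    {
        "HS256" => (HMAC)new HMACSHA256(key),
        "HS384" => new HMACSHA384(key),
        "HS512" => new HMACSHA512(key),
        _ => throw new ArgumentException($"Unsupported EAB algorithm: {alg}", nameof(alg)),
    };

    // Client side: the JWS placed in the newAccount payload's
    // "externalAccountBinding" field. The protected header carries alg, the
    // CA-issued key id and the newAccount URL (and no nonce); the payload is
    // the account public key as a JWK; the MAC covers header "." payload.
    public static string Build(string eabKeyId, string eabKeyBase64Url, string accountJwkJson,
                               string newAccountUrl, string eabKeyAlg = "HS256")
    {
        string header = JsonSerializer.Serialize(new { alg = eabKeyAlg, kid = eabKeyId, url = newAccountUrl });
        string protectedB64 = Base64UrlEncode(Encoding.UTF8.GetBytes(header));
        string payloadB64 = Base64UrlEncode(Encoding.UTF8.GetBytes(accountJwkJson));
        byte[] signingInput = Encoding.ASCII.GetBytes(protectedB64 + "." + payloadB64);

        // HMAC holds the MAC key and is IDisposable: dispose it deterministically.
        using HMAC mac = CreateMac(eabKeyAlg, Base64UrlDecode(eabKeyBase64Url));
        string signatureB64 = Base64UrlEncode(mac.ComputeHash(signingInput));

        return JsonSerializer.Serialize(new { @protected = protectedB64, payload = payloadB64, signature = signatureB64 });
    }

    // CA side: accept the binding only if key id, URL and alg are the ones the
    // CA provisioned, the payload equals the JWK from the outer JWS "jwk"
    // header (so the external credential is bound to exactly this account key),
    // and the MAC verifies. JWK comparison here is byte-exact for brevity; a
    // real CA would compare RFC 7638 thumbprints.
    public static bool Verify(string eabJson, string eabKeyId, string eabKeyBase64Url,
                              string expectedAccountJwkJson, string newAccountUrl)
    {
        using JsonDocument doc = JsonDocument.Parse(eabJson);
        string protectedB64 = doc.RootElement.GetProperty("protected").GetString()!;
        string payloadB64 = doc.RootElement.GetProperty("payload").GetString()!;
        byte[] signature = Base64UrlDecode(doc.RootElement.GetProperty("signature").GetString()!);

        using JsonDocument header = JsonDocument.Parse(Base64UrlDecode(protectedB64));
        string alg = header.RootElement.GetProperty("alg").GetString()!;
        if (alg != "HS256" && alg != "HS384" && alg != "HS512") return false;
        if (header.RootElement.GetProperty("kid").GetString() != eabKeyId) return false;
        if (header.RootElement.GetProperty("url").GetString() != newAccountUrl) return false;
        if (header.RootElement.TryGetProperty("nonce", out _)) return false; // forbidden in EAB JWS
        if (Encoding.UTF8.GetString(Base64UrlDecode(payloadB64)) != expectedAccountJwkJson) return false;

        byte[] signingInput = Encoding.ASCII.GetBytes(protectedB64 + "." + payloadB64);
        using HMAC mac = CreateMac(alg, Base64UrlDecode(eabKeyBase64Url));
        byte[] expected = mac.ComputeHash(signingInput);
        return CryptographicOperations.FixedTimeEquals(expected, signature);
    }

    public static void Main()
    {
        // Constructed demo values; a real CA hands key id and MAC key out of band.
        const string keyId = "demo-eab-kid";
        string key = Base64UrlEncode(RandomNumberGenerator.GetBytes(32));
        const string url = "https://acme.example/acme/new-account";
        const string jwk = "{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"example-x\",\"y\":\"example-y\"}";

        string eab = Build(keyId, key, jwk, url);
        Console.WriteLine(eab);
        Console.WriteLine("valid:     " + Verify(eab, keyId, key, jwk, url));
        // Same EAB presented with a different account key: payload mismatch, rejected.
        Console.WriteLine("rebound:   " + Verify(eab, keyId, key, jwk.Replace("example-x", "other-x"), url));
        // MAC key the CA does not recognise (revoked or mistyped): HMAC mismatch, rejected.
        Console.WriteLine("wrong key: " + Verify(eab, keyId, Base64UrlEncode(new byte[32]), jwk, url));
    }
}
```

The two negative cases at the end are the checks worth keeping in mind on the CA side: the binding is only meaningful if the payload JWK is compared against the key that actually signs the outer newAccount JWS, and the MAC is verified in constant time against the key provisioned for that `kid`.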

webprofusion-chrisc commented 3 years ago

Thanks, I've updated that now :)