*) mod_md: values for External Account Binding (EAB) can

     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895285 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/changes-entries/md_2.4.9.txt b/changes-entries/md_2.4.9.txt
new file mode 100644 (file)
index 0000000..27cc5c9
--- /dev/null
+++ b/changes-entries/md_2.4.9.txt
@@ -0,0 +1,6 @@
+  *) mod_md: values for External Account Binding (EAB) can
+     now also be configured to be read from a separate JSON
+     file. This allows to keep server configuration permissions
+     world readable without exposing secrets.
+     [Stefan Eissing]
+

diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml
index 15ad758338a950c2599ac29b491f3756da5bce3b..15430327958f8716349e04a338692c42a504c0f3 100644 (file)
--- a/docs/manual/mod/mod_md.xml
+++ b/docs/manual/mod/mod_md.xml
@@ -1295,7 +1295,7 @@ MDMessageCmd /etc/apache/md-message
     <directivesynopsis>
         <name>MDExternalAccountBinding</name>
         <description></description>
-        <syntax>MDExternalAccountBinding <var>key-id</var> <var>hmac-64</var></syntax>
+        <syntax>MDExternalAccountBinding <var>key-id</var> <var>hmac-64</var> | none | <var>file</var></syntax>
         <default>MDExternalAccountBinding none</default>
         <contextlist>
             <context>server config</context>
@@ -1319,7 +1319,17 @@ MDMessageCmd /etc/apache/md-message
                 e.g. root only.
             </p>
             <p>
-                If you change these values, the new ones will be used when the next
+                The value can also be taken from a JSON file, to keep more open
+                permissions on the server configuration and restrict the ones on that
+                file. The JSON itself is:
+            </p>
+            <example><title>EAB JSON Example file</title>
+                <highlight language="config">
+{"kid": "kid-1", "hmac": "zWND..."}
+                </highlight>
+            </example>
+            <p>
+                If you change EAB values, the new ones will be used when the next
                 certificate renewal is due.
             </p>
         </usage>

diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index 72c14983226e6c121e550d81aa109c1761fc4ee3..27a20fd25e9fd5d4ed98332cd240ab3b96616a6f 100644 (file)
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -27,7 +27,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.4.8"
+#define MOD_MD_VERSION "2.4.9"
 
 /**
  * @macro
@@ -35,7 +35,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020408
+#define MOD_MD_VERSION_NUM 0x020409
 
 #define MD_ACME_DEF_URL    "https://acme-v02.api.letsencrypt.org/directory"
 

diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c
index cda11a00267e5e32a688f024db611a3a904e1f58..8d3260634ecb72bd6eeb95b114151902caa0d0c6 100644 (file)
--- a/modules/md/mod_md_config.c
+++ b/modules/md/mod_md_config.c
@@ -28,6 +28,7 @@
 #include "md.h"
 #include "md_crypt.h"
 #include "md_log.h"
+#include "md_json.h"
 #include "md_util.h"
 #include "mod_md_private.h"
 #include "mod_md_config.h"
@@ -1038,11 +1039,50 @@ static const char *md_config_set_eab(cmd_parms *cmd, void *dc,
         return err;
     }
     if (!hmac) {
-        if (apr_strnatcasecmp("None", keyid)) {
-            return "only 'None' or a KEYID and HMAC string are allowed.";
+        if (!apr_strnatcasecmp("None", keyid)) {
+            keyid = "none";
+        }
+        else {
+            /* a JSON file keeping keyid and hmac */
+            const char *fpath;
+            apr_status_t rv;
+            md_json_t *json;
+
+            /* If only dumping the config, don't verify the file */
+            if (ap_state_query(AP_SQ_RUN_MODE) == AP_SQ_RM_CONFIG_DUMP) {
+                goto leave;
+            }
+
+            fpath = ap_server_root_relative(cmd->pool, keyid);
+            if (!fpath) {
+                return apr_pstrcat(cmd->pool, cmd->cmd->name,
+                                   ": Invalid file path ", keyid, NULL);
+            }
+            if (!md_file_exists(fpath, cmd->pool)) {
+                return apr_pstrcat(cmd->pool, cmd->cmd->name,
+                                   ": file not found: ", fpath, NULL);
+            }
+
+            rv = md_json_readf(&json, cmd->pool, fpath);
+            if (APR_SUCCESS != rv) {
+                return apr_pstrcat(cmd->pool, cmd->cmd->name,
+                                   ": error reading JSON file ", fpath, NULL);
+            }
+            keyid = md_json_gets(json, MD_KEY_KID, NULL);
+            if (!keyid || !*keyid) {
+                return apr_pstrcat(cmd->pool, cmd->cmd->name,
+                                   ": JSON does not contain '", MD_KEY_KID,
+                                   "' element in file ", fpath, NULL);
+            }
+            hmac = md_json_gets(json, MD_KEY_HMAC, NULL);
+            if (!hmac || !*hmac) {
+                return apr_pstrcat(cmd->pool, cmd->cmd->name,
+                                   ": JSON does not contain '", MD_KEY_HMAC,
+                                   "' element in file ", fpath, NULL);
+            }
         }
-        keyid = "none";
     }
+leave:
     sc->ca_eab_kid = keyid;
     sc->ca_eab_hmac = hmac;
     return NULL;