From: Joe Orton
Date: Wed, 3 Mar 2021 14:53:12 +0000 (+0000)
Subject: Synch from mod_md github:
X-Git-Tag: 2.5.0-alpha2-ci-test-only~1012
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33af74c29fbd85890f1f6e6454a81bab7a01de41;p=thirdparty%2Fapache%2Fhttpd.git

Synch from mod_md github:

mod_md: tolerate missing revokeCert or keyChange resource

RFC 8555 §7.1 states:

    The server MUST provide "directory" and "newNonce" resources.

But RFC 8555 makes no explicit statement anywhere whether other resources are, or are not, required (with the exception of "newAuthz" which is optional). Therefore it is possible that some ACME server implementations may omit some resources; in particular those that are not an essential part of the "order" workflow.

Indeed, I am working with one such server implementation, which does not at this time implement "keyChange". mod_md refuses to interact with this server because it is checking that a certain set of resources are defined in the directory object - despite some of those resources not currently being used.

Update the check to require only "newNonce", "newAccount" and "newOrder". Omit from the check and therefore tolerate the absence of resources which are not always required: "revokeCert" and "keyChange". If mod_md implements revocation and/or key rollover in the future, the availability of those features should be predicated on the server's advertised capabilities.

https://github.com/icing/mod_md/commit/38ff597f3ccb3c942e68701fb185c6a68f0708e4

Submitted by: Fraser Tweedale
Github: closes #122

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887148 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/mod_md-missing-resources.txt b/changes-entries/mod_md-missing-resources.txt
new file mode 100644
index 00000000000..301d64f9575
--- /dev/null
+++ b/changes-entries/mod_md-missing-resources.txt
@@ -0,0 +1,2 @@ + *) mod_md: Tolerate a missing "revokeCert" or "keyChange" resource. + [Fraser Tweedale ] diff --git a/modules/md/md_acme.c b/modules/md/md_acme.c index c085ba35184..e3702eb0ad4 100644 --- a/modules/md/md_acme.c +++ b/modules/md/md_acme.c @@ -726,8 +726,12 @@ static apr_status_t update_directory(const md_http_response_t *res, void *data) acme->api.v2.revoke_cert = md_json_dups(acme->p, json, "revokeCert", NULL); acme->api.v2.key_change = md_json_dups(acme->p, json, "keyChange", NULL); acme->api.v2.new_nonce = md_json_dups(acme->p, json, "newNonce", NULL); - if (acme->api.v2.new_account && acme->api.v2.new_order - && acme->api.v2.revoke_cert && acme->api.v2.key_change + /* RFC 8555 only requires "directory" and "newNonce" resources. + * mod_md uses "newAccount" and "newOrder" so check for them. + * But mod_md does not use the "revokeCert" or "keyChange" + * resources, so tolerate the absense of those keys. */ + if (acme->api.v2.new_account + && acme->api.v2.new_order && acme->api.v2.new_nonce) { acme->version = MD_ACME_VERSION_2; }
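Review bot: the new comment in the md_acme.c hunk misspells "absence" as "absense" ("so tolerate the absense of those keys"); fix the spelling before this lands. A second point on the same hunk: `acme->api.v2.revoke_cert` and `acme->api.v2.key_change` are still filled from the directory JSON but are no longer part of the condition, so either field can be NULL once `acme->version` is set to MD_ACME_VERSION_2. Any later use of those fields (revocation or key rollover, as the commit message anticipates) must test them for NULL, or gate the feature on the server advertising the resource, rather than assume they were validated here; a short note to that effect next to the assignments would make the relaxed contract visible to the next reader.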