[Acme] RFC 8823 email-reply-00: How to concatenate the tokens?

Richard Körber <acme2@ml.shredzone.de> Sat, 05 June 2021 14:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mOtPJpJHmmJeuzGBIaHuDcX8LBI>

Hi!

I have a question regarding RFC 8823 and the calculation of the ACME 
response. The RFC says:

"[...] followed by [...] the key authorization, calculated from 
concatenated token-part1 (received over email) and token-part2 (received 
over HTTPS) [...]"

The RFC also gives two example tokens:

   token-part1 = "LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME="
   token-part2 = "DGyRejmCefe7v4NfDGDKfA"

There are now two ways to concatenate them.

The simple way would be a plain string concatenation, giving:

   LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME=DGyRejmCefe7v4NfDGDKfA

As token-part1 has a trailing padding character '=', the concatenation 
has a padding character within the string. This is not a valid base64url 
encoded value according to RFC 4648, but since the token does not need 
to be decoded for the key authorization computation, it would be 
technically possible to use it like that.

The clean way would be to base64url-decode both parts first, concatenate 
the decoded byte arrays, and then base64url-encode the concatenated 
array. This would give an entirely different result though:

   LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sMEMbJF6OYJ597u_g18MYMp8

Since both ways are giving different results, only one of them can be 
the correct one. :)

Question 1: Which concatenation is meant to be used in RFC 8823?

Question 2: Should RFC 8823 explicitly specify how the concatenation 
should be done?

Thank you for your help!

Best,
Richard Körber
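An added example, not part of the message above nor of any ACME implementation, that works through both concatenation variants on the two tokens quoted in the message; the helper names (`concat_as_strings`, `concat_as_bytes`, `is_valid_base64url`) are my own and are not names from RFC 8823:

```python
import base64
import binascii
import re

# The two example tokens quoted in the message (from RFC 8823).
TOKEN_PART1 = "LgYemJLy3F1LDkiJrdIGbEzyFJyOyf6vBdyZ1TG3sME="
TOKEN_PART2 = "DGyRejmCefe7v4NfDGDKfA"

# RFC 4648 section 5 alphabet, with '=' padding permitted only at the very end.
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]*={0,2}")


def b64url_decode(s: str) -> bytes:
    """Decode base64url whether or not the trailing '=' padding is present."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """Encode as unpadded base64url, the form ACME uses for tokens."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def concat_as_strings(part1: str, part2: str) -> str:
    """Variant 1 from the message: plain string concatenation, padding left in place."""
    return part1 + part2


def concat_as_bytes(part1: str, part2: str) -> str:
    """Variant 2 from the message: decode both parts, join the bytes, re-encode."""
    return b64url_encode(b64url_decode(part1) + b64url_decode(part2))


def is_valid_base64url(s: str) -> bool:
    """True if s is well-formed base64url: alphabet only, '=' only at the end, decodable."""
    if not _B64URL_RE.fullmatch(s):
        return False
    try:
        b64url_decode(s)
    except (binascii.Error, ValueError):
        return False
    return True


def compare(part1: str = TOKEN_PART1, part2: str = TOKEN_PART2) -> dict:
    """Compute both variants and report whether each is valid base64url."""
    as_str = concat_as_strings(part1, part2)
    as_bytes = concat_as_bytes(part1, part2)
    return {
        "string_concat": as_str,
        "string_concat_is_base64url": is_valid_base64url(as_str),
        "byte_concat": as_bytes,
        "byte_concat_is_base64url": is_valid_base64url(as_bytes),
        "results_differ": as_str != as_bytes,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it reproduces both values given in the message: the string form carries the interior '=' and is rejected as base64url, while the byte form is the 64-character encoding of the 48 joined bytes (32 from token-part1, 16 from token-part2).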