Fix JWK payload key equality check

2024-11-17 15:29:21 +00:00 · 2021-07-17 20:29:12 +02:00 · 2021-07-17 20:29:12 +02:00 · 2110c7722f
commit 2110c7722f
parent 2eb69636ea
1 changed files with 16 additions and 4 deletions
--- a/acme/api/account.go
+++ b/acme/api/account.go
@ -1,7 +1,6 @@
 package api

 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
@ -281,14 +280,27 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
 		return nil, err
 	}

-	jwkJSONBytes, err := jwk.MarshalJSON()
+	var payloadJWK *squarejose.JSONWebKey
+	err = json.Unmarshal(payload, &payloadJWK)
 	if err != nil {
-		return nil, acme.WrapErrorISE(err, "error marshaling jwk")
+		return nil, acme.WrapError(acme.ErrorMalformedType, err, "error unmarshaling payload into jwk")
 	}

-	if bytes.Equal(payload, jwkJSONBytes) {
+	if !keysAreEqual(jwk, payloadJWK) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "keys in jws and eab payload do not match") // TODO: decide ACME error type to use
 	}

 	return externalAccountKey, nil
 }
+
+func keysAreEqual(x, y *squarejose.JSONWebKey) bool {
+	if x == nil || y == nil {
+		return false
+	}
+	digestX, errX := acme.KeyToID(x)
+	digestY, errY := acme.KeyToID(y)
+	if errX != nil || errY != nil {
+		return false
+	}
+	return digestX == digestY
+}