x/crypto/acme/autocert: support External Account Binding (EAB) tokens

[benburkert]

What version of Go are you using (go version)?

$ go version
go version go1.17.1 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/benburkert/Library/Caches/go-build"
GOENV="/Users/benburkert/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/benburkert/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/benburkert"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.17.1/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.17.1/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.1"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/benburkert/gohack/golang.org/x/crypto/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/3q/b_j95bxn6_n4z99hyl_8r41r0000gn/T/go-build1720885754=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.1 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.1
uname -v: Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21 PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64
ProductName:	macOS
ProductVersion:	11.6
BuildVersion:	20G165
lldb --version: lldb-1205.0.27.3
Apple Swift version 5.4 (swiftlang-1205.0.26.9 clang-1205.0.19.55)

What did you do?

I tried to use the golang.org/x/crypto/acme/autocert package to provision an X.509 certificate from an ACME server that requires an EAB token on account registration.

What did you expect to see?

A certificate provisioned by an autocert.Manager with an acme.ExternalAccountBinding token specified.

What did you see instead?

An urn:ietf:params:acme:error:externalAccountRequired error.

[gopherbot]

Change https://golang.org/cl/354189 mentions this issue: acme/autocert: support External Account Binding (EAB) tokens

[mknyszek]

CC @FiloSottile @rolandshoemaker

[ktheindifferent]

I have been trying to use autocert with EAB keys from ZeroSSL for days now with no luck.

Code Sample:
`
eab := &acme.ExternalAccountBinding{
KID: "QXXXXXXXX",
Key: []byte("6XXXXXXXXX"),
}

a := &acme.Account{Contact: contact, ExternalAccountBinding: eab}

`

I keep getting this response:
urn:ietf:params:acme:error:malformed: [External Account Binding] Invalid MAC on JWS request

[benburkert]

@PixelCoda looks like the key needs to be hex or base64 decoded.

[ktheindifferent]

Thanks! I just tested that and it worked perfectly!

Here is a code snippet for anyone who stumbles onto this thread.

b64DecodedKey, b64err := base64.RawURLEncoding.DecodeString("6XXXXX")
if b64err != nil {
	fmt.Println(b64err)
}
eab := &acme.ExternalAccountBinding{
	KID: "QXXXXX",
	Key: []byte(b64DecodedKey),
}
a := &acme.Account{Contact: contact, ExternalAccountBinding: eab}