Use the base64-encoded account name for file names

The account public and private keys are stored in files with names derives from the account name itself. Because the account name may contain characters incompatible with a file name, it needs to be sanitized. Additionally, the account files does not need to be publicly accessed, therefore their name should only be deterministic. This last property allows to use a simple solution for sanitation: encode the name in base64. This way, it is deterministic, unique for each account and only contains safe characters. Note the base64 variant used is, as for the ACME protocol, the one with the URL and filename safe alphabet https://tools.ietf.org/html/rfc4648#section-5
5 years ago · 84d2c94bad
1 changed files with 2 additions and 1 deletions
--- a/acmed/src/storage.rs
+++ b/acmed/src/storage.rs
@ -1,3 +1,4 @@
+use crate::acme_proto::b64_encode;
 use crate::certificate::Certificate;
 use crate::error::Error;
 use crate::hooks::{self, FileStorageHookData};
@ -44,7 +45,7 @@ fn get_file_full_path(
    let file_name = match file_type {
        FileType::AccountPrivateKey | FileType::AccountPublicKey => format!(
            "{account}.{file_type}.{ext}",
-            account = cert.account.name,
+            account = b64_encode(&cert.account.name),
            file_type = file_type.to_string(),
            ext = "pem"
        ),