From 84d2c94badb728e82d13f4dbdb5a0c20adee5370 Mon Sep 17 00:00:00 2001 From: Rodolphe Breard Date: Wed, 24 Apr 2019 19:42:52 +0200 Subject: [PATCH] Use the base64-encoded account name for file names The account public and private keys are stored in files with names derives from the account name itself. Because the account name may contain characters incompatible with a file name, it needs to be sanitized. Additionally, the account files does not need to be publicly accessed, therefore their name should only be deterministic. This last property allows to use a simple solution for sanitation: encode the name in base64. This way, it is deterministic, unique for each account and only contains safe characters. Note the base64 variant used is, as for the ACME protocol, the one with the URL and filename safe alphabet https://tools.ietf.org/html/rfc4648#section-5 --- acmed/src/storage.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acmed/src/storage.rs b/acmed/src/storage.rs index 8b2cb59..20fea3f 100644 --- a/acmed/src/storage.rs +++ b/acmed/src/storage.rs @@ -1,3 +1,4 @@ +use crate::acme_proto::b64_encode; use crate::certificate::Certificate; use crate::error::Error; use crate::hooks::{self, FileStorageHookData}; @@ -44,7 +45,7 @@ fn get_file_full_path( let file_name = match file_type { FileType::AccountPrivateKey | FileType::AccountPublicKey => format!( "{account}.{file_type}.{ext}", - account = cert.account.name, + account = b64_encode(&cert.account.name), file_type = file_type.to_string(), ext = "pem" ),