Browse Source

Use the base64-encoded account name for file names

The account public and private keys are stored in files with names
derives from the account name itself. Because the account name may
contain characters incompatible with a file name, it needs to be
sanitized. Additionally, the account files does not need to be publicly
accessed, therefore their name should only be deterministic. This last
property allows to use a simple solution for sanitation: encode the name
in base64. This way, it is deterministic, unique for each account and
only contains safe characters.
Note the base64 variant used is, as for the ACME protocol, the one with
the URL and filename safe alphabet

https://tools.ietf.org/html/rfc4648#section-5
pull/5/head
Rodolphe Breard 6 years ago
parent
commit
84d2c94bad
  1. 3
      acmed/src/storage.rs

3
acmed/src/storage.rs

@ -1,3 +1,4 @@
use crate::acme_proto::b64_encode;
use crate::certificate::Certificate; use crate::certificate::Certificate;
use crate::error::Error; use crate::error::Error;
use crate::hooks::{self, FileStorageHookData}; use crate::hooks::{self, FileStorageHookData};
@ -44,7 +45,7 @@ fn get_file_full_path(
let file_name = match file_type { let file_name = match file_type {
FileType::AccountPrivateKey | FileType::AccountPublicKey => format!( FileType::AccountPrivateKey | FileType::AccountPublicKey => format!(
"{account}.{file_type}.{ext}", "{account}.{file_type}.{ext}",
account = cert.account.name,
account = b64_encode(&cert.account.name),
file_type = file_type.to_string(), file_type = file_type.to_string(),
ext = "pem" ext = "pem"
), ),

Loading…
Cancel
Save