feat(EAB): fallback to base64.URLEncoding (#2635)

acme/api/account.go

@@ -29,9 +29,9 @@ func (a *AccountService) New(req acme.Account) (acme.ExtendedAccount, error) {
 
 // NewEAB Creates a new account with an External Account Binding.
 func (a *AccountService) NewEAB(accMsg acme.Account, kid, hmacEncoded string) (acme.ExtendedAccount, error) {
-	hmac, err := base64.RawURLEncoding.DecodeString(hmacEncoded)
+	hmac, err := decodeEABHmac(hmacEncoded)
 	if err != nil {
-		return acme.ExtendedAccount{}, fmt.Errorf("acme: could not decode hmac key: %w", err)
+		return acme.ExtendedAccount{}, err
 	}
 
 	eabJWS, err := a.core.signEABContent(a.core.GetDirectory().NewAccountURL, kid, hmac)
@@ -83,3 +83,17 @@ func (a *AccountService) Deactivate(accountURL string) error {
 	_, err := a.core.post(accountURL, req, nil)
 	return err
 }
+
+func decodeEABHmac(hmacEncoded string) ([]byte, error) {
+	hmac, errRaw := base64.RawURLEncoding.DecodeString(hmacEncoded)
+	if errRaw == nil {
+		return hmac, nil
+	}
+
+	hmac, err := base64.URLEncoding.DecodeString(hmacEncoded)
+	if err == nil {
+		return hmac, nil
+	}
+
+	return nil, fmt.Errorf("acme: could not decode hmac key: %w", errors.Join(errRaw, err))
+}

acme/api/account_test.go

@@ -0,0 +1,35 @@
+package api
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_decodeEABHmac(t *testing.T) {
+	testCases := []struct {
+		desc string
+		hmac string
+	}{
+		{
+			desc: "RawURLEncoding",
+			hmac: "BAEDAgQCBQcGCAUDDDMBAAIRAwQhEjEFQVFhEyJxgTIGFJGhsUIjJBVSwWIzNHKC0UMHJZJT8OHx",
+		},
+		{
+			desc: "URLEncoding",
+			hmac: "nKTo9Hu8fpCqWPXx-25LVbZrJWxcHISsr4qHrRR0j5U=",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			v, err := decodeEABHmac(test.hmac)
+			require.NoError(t, err)
+
+			assert.NotEmpty(t, v)
+		})
+	}
+}