Link Target parsing in ACME clients

Hello,

I'm a maintainer of lego.

A user has opened an issue that concerns Link parsing.
This issue makes me wonder about the implementation by the ACME clients of the RFC8288 concerning the parsing of these links.

I'm curious to know the opinion of the maintainers of the other ACME clients and the Let's Encrypt team on this point.

Thanks in advance.

4 Likes

Interesting, thanks for the heads up. I've been using a similar regex to parse the link relation and haven't come across an issue with boulder or pebble.

Your regex change makes sense, but I guess this is just an example of where we should be properly parsing the url instead of using a regex to extract what we need. That is, use go's url parser and extract the relations from the url fragment. EDIT: Thinking about this, it looks like go won't parse these urls properly anyway, so short of rolling your own or using an external url parser which supports these relations, the modified regex might be the easiest solution.

It would be interesting to see what acme server implementation is being used here and how.

5 Likes

Hello Fernandez :slightly_smiling_face:

I noticed that jillian liked your original post, eggsampler responded to you, and _az liked that response, so it appears that you've already gotten the attention of Let's Encrypt and Certbot. I know that @jsha has been around today and might have something to say here. I'll try to ping some of the ACME client developers that frequent our community to respond if they wish.

@certbot-devs, @rmbolger, @webprofusion

Any thoughts here to add?

2 Likes

For what it's worth, the only time my client currently tries to parse Link headers in a response is when downloading the finalized cert and looking for alternate chains. So my (PowerShell/.NET based) regex is tailored for that scenario rather than more generic Link header parsing.

$reAltLink = '<(?<uri>\S+)>;rel="alternate"'

So it basically captures any non-whitespace characters between the <> characters. But the <> are definitely assumed to be there and wouldn't match if they were missing.

5 Likes

The client I'm maintaining uses a similar regex:
<?(\S+?)>?(?:;[^;]+)*?;\s*rel="(.+?)"

1 Like

Thanks felixf. I'll try to keep you in mind for future questions to ACME client developers.

1 Like