acme: update TLS-ALPN identifier to the latest IANA assignment
It looks like the source code has fallen out of date with the draft spec.
The latest version https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05 has a different OID 1.3.6.1.5.5.7.1.31 assigned.
You can test that you're using the correct OID by performing a TLS-ALPN-01 challenge against a Pebble (https://github.com/letsencrypt/pebble) ACME server running with the -strict argument. This implementation will reject the obsolete OID.
Change-Id: I58c52eaed487949e9071d3b9772f7acfdcc91201
GitHub-Last-Rev: 4cacc0723c431a29aec77d4fb3320d91c66c1ff5
GitHub-Pull-Request: golang/crypto#91
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/204177
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Vaghin <alex@cloudware.io>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
diff --git a/acme/acme.go b/acme/acme.go
index 02fde12..6e6c9d1 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -55,8 +55,9 @@
ALPNProto = "acme-tls/1"
)
-// idPeACMEIdentifierV1 is the OID for the ACME extension for the TLS-ALPN challenge.
-var idPeACMEIdentifierV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1}
+// idPeACMEIdentifier is the OID for the ACME extension for the TLS-ALPN challenge.
+// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1
+var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
const (
maxChainLen = 5 // max depth and breadth of a certificate chain
@@ -778,7 +779,7 @@
return tls.Certificate{}, err
}
acmeExtension := pkix.Extension{
- Id: idPeACMEIdentifierV1,
+ Id: idPeACMEIdentifier,
Critical: true,
Value: extValue,
}
diff --git a/acme/acme_test.go b/acme/acme_test.go
index 8d94dd6..e2f446f 100644
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@@ -1317,7 +1317,7 @@
}
acmeExts := []pkix.Extension{}
for _, ext := range cert.Extensions {
- if idPeACMEIdentifierV1.Equal(ext.Id) {
+ if idPeACMEIdentifier.Equal(ext.Id) {
acmeExts = append(acmeExts, ext)
}
}
