acme: fix encoding of the TLS-ALPN challenge extension

To comply with the specification, the value of the extension should be an ASN.1
OCTET STRING rather than a raw SHA-256 hash. This change uses asn1.Marshal to
wrap the hash before putting it in the extension.

Change-Id: I4ebe88a00238c6f928555d605e4b5dd98aad8128
Reviewed-on: https://go-review.googlesource.com/118696
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
diff --git a/acme/acme.go b/acme/acme.go
index 9fbe72c..8257ffb 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -598,10 +598,14 @@
 		return tls.Certificate{}, err
 	}
 	shasum := sha256.Sum256([]byte(ka))
+	extValue, err := asn1.Marshal(shasum[:])
+	if err != nil {
+		return tls.Certificate{}, err
+	}
 	acmeExtension := pkix.Extension{
 		Id:       idPeACMEIdentifierV1,
 		Critical: true,
-		Value:    shasum[:],
+		Value:    extValue,
 	}
 
 	tmpl := defaultTLSChallengeCertTemplate()
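Review bot: The new `asn1.Marshal` step has no comment explaining why the digest is wrapped, and a later reader could easily "simplify" it back to `shasum[:]`. Because the extension is marked `Critical: true`, its encoding must be exactly what a validating peer expects. I would add a comment above `extValue`, such as `// The extension value must be the DER encoding of an OCTET STRING containing the SHA-256 digest of the key authorization, not the raw digest.` The marshal error is also returned bare; wrapping it in the style the file already uses would tell callers which step failed. The enclosing function starts and ends outside this hunk.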
diff --git a/acme/acme_test.go b/acme/acme_test.go
index aa6ecaf..ef1fe47 100644
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@@ -1166,7 +1166,7 @@
 		token   = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
 		keyAuth = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA." + testKeyECThumbprint
 		// echo -n <token.testKeyECThumbprint> | shasum -a 256
-		h      = "dbbd5eefe7b4d06eb9d1d9f5acb4c7cda27d320e4b30332f0b6cb441734ad7b0"
+		h      = "0420dbbd5eefe7b4d06eb9d1d9f5acb4c7cda27d320e4b30332f0b6cb441734ad7b0"
 		domain = "example.com"
 	)
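Review bot: The comment above `h` still says the constant is the output of `shasum -a 256`, but the new value carries a leading `0420`, so the comment is now stale. Those two bytes are the DER header, tag 0x04 (OCTET STRING) and length 0x20 (32 bytes), added by `asn1.Marshal`. Anyone regenerating the fixture from the comment would get a value that no longer matches. I would update it to something like `// 0x04 0x20 (DER OCTET STRING header, 32 bytes) followed by: echo -n <token.testKeyECThumbprint> | shasum -a 256`. The const block and the test that consumes `h` lie outside this hunk.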