acme: fix encoding of the TLS-ALPN challenge extension
To comply with the specification, the value of the extension should be an ASN.1
OCTET STRING rather than the raw SHA-256 hash. This change uses asn1.Marshal to
wrap the hash before putting it in the extension.
Change-Id: I4ebe88a00238c6f928555d605e4b5dd98aad8128
Reviewed-on: https://go-review.googlesource.com/118696
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
diff --git a/acme/acme.go b/acme/acme.go
index 9fbe72c..8257ffb 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -598,10 +598,14 @@
return tls.Certificate{}, err
}
shasum := sha256.Sum256([]byte(ka))
+ extValue, err := asn1.Marshal(shasum[:])
+ if err != nil {
+ return tls.Certificate{}, err
+ }
acmeExtension := pkix.Extension{
Id: idPeACMEIdentifierV1,
Critical: true,
- Value: shasum[:],
+ Value: extValue,
}
tmpl := defaultTLSChallengeCertTemplate()
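Review bot: The new asn1.Marshal call at the top of the hunk has no comment explaining why the digest is wrapped, so a later reader may "simplify" it back to the raw hash and silently break interoperability with validators that expect the DER OCTET STRING. I would add, above the `extValue, err := asn1.Marshal(shasum[:])` line, `// The extension value must be the DER-encoded OCTET STRING of the key authorization digest (tag 0x04, length 0x20), not the raw digest bytes.` The enclosing function starts before this hunk, so its doc comment is not visible here; if it describes the extension contents it should be updated to the same effect. Any code elsewhere in the package that compares this extension value against a computed digest would need the same wrapping, which I cannot confirm from this hunk.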
diff --git a/acme/acme_test.go b/acme/acme_test.go
index aa6ecaf..ef1fe47 100644
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@@ -1166,7 +1166,7 @@
token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
keyAuth = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA." + testKeyECThumbprint
// echo -n <token.testKeyECThumbprint> | shasum -a 256
- h = "dbbd5eefe7b4d06eb9d1d9f5acb4c7cda27d320e4b30332f0b6cb441734ad7b0"
+ h = "0420dbbd5eefe7b4d06eb9d1d9f5acb4c7cda27d320e4b30332f0b6cb441734ad7b0"
domain = "example.com"
)
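Review bot: The comment `// echo -n <token.testKeyECThumbprint> | shasum -a 256` above the changed `h` constant is now stale, because the new hex string is the DER OCTET STRING encoding of that digest, not the shasum output itself. I would change it to `// DER OCTET STRING (0x04, len 0x20) of: echo -n <token.testKeyECThumbprint> | shasum -a 256`, so the leading `0420` in the expected value is explained and the fixture is not "corrected" back to the bare hash. The surrounding test function starts before this hunk.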