Cherry-pick acme.go from acdfdf3

authority/provisioner/acme.go

@@ -3,6 +3,7 @@ package provisioner
 import (
 	"context"
 	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"net"
 	"strings"
@@ -98,6 +99,10 @@ type ACME struct {
 	Claims             *Claims                 `json:"claims,omitempty"`
 	Options            *Options                `json:"options,omitempty"`
 
+	// TODO(hs): WIP configuration for ACME Device Attestation
+	AttestationRoots    []byte `json:"attestationRoots"`
+	attestationRootPool *x509.CertPool
+
 	ctl *Controller
 }
 
@@ -155,6 +160,7 @@ func (p *ACME) Init(config Config) (err error) {
 		return errors.New("provisioner name cannot be empty")
 	}
 
+<<<<<<< HEAD
 	for _, c := range p.Challenges {
 		if err := c.Validate(); err != nil {
 			return err
@@ -166,6 +172,29 @@ func (p *ACME) Init(config Config) (err error) {
 		}
 	}
 
+=======
+	// TODO(hs): WIP configuration for ACME Device Attestation
+	p.attestationRootPool = x509.NewCertPool()
+
+	var (
+		block *pem.Block
+		rest  = p.AttestationRoots
+	)
+	for rest != nil {
+		block, rest = pem.Decode(rest)
+		if block == nil {
+			break
+		}
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return errors.Wrap(err, "error parsing x509 certificate from PEM block")
+		}
+		p.attestationRootPool.AddCert(cert)
+	}
+
+	// TODO(hs): need validation for number of certs? The current ones are only for the `tpm` type; not for Apple or Yubico.
+
+>>>>>>> acdfdf34 (Add `tpm` attestation with configurable roots)
 	p.ctl, err = NewController(p, p.Claims, config, p.Options)
 	return
 }
@@ -282,3 +311,9 @@ func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttest
 	}
 	return false
 }
+
+// TODO(hs): we may not want to expose the root pool like this;
+// call into an interface function instead to authorize?
+func (p *ACME) GetAttestationRoots() (*x509.CertPool, error) {
+	return p.attestationRootPool, nil
+}