lego/challenge/tlsalpn01/tls_alpn_challenge.go

package tlsalpn01

import (
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"

	"github.com/xenolf/lego/acme"
	"github.com/xenolf/lego/acme/api"
	"github.com/xenolf/lego/certcrypto"
	"github.com/xenolf/lego/challenge"
	"github.com/xenolf/lego/log"
)

// idPeAcmeIdentifierV1 is the SMI Security for PKIX Certification Extension OID referencing the ACME extension.
// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1
var idPeAcmeIdentifierV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error

type Challenge struct {
	core     *api.Core
	validate ValidateFunc
	provider challenge.Provider
}

func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider) *Challenge {
	return &Challenge{
		core:     core,
		validate: validate,
		provider: provider,
	}
}

func (c *Challenge) SetProvider(provider challenge.Provider) {
	c.provider = provider
}

// Solve manages the provider to validate and solve the challenge.
func (c *Challenge) Solve(authz acme.Authorization) error {
	domain := authz.Identifier.Value
	log.Infof("[%s] acme: Trying to solve TLS-ALPN-01", challenge.GetTargetedDomain(authz))

	chlng, err := challenge.FindChallenge(challenge.TLSALPN01, authz)
	if err != nil {
		return err
	}

	// Generate the Key Authorization for the challenge
	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
	if err != nil {
		return err
	}

	err = c.provider.Present(domain, chlng.Token, keyAuth)
	if err != nil {
		return fmt.Errorf("[%s] acme: error presenting token: %v", challenge.GetTargetedDomain(authz), err)
	}
	defer func() {
		err := c.provider.CleanUp(domain, chlng.Token, keyAuth)
		if err != nil {
			log.Warnf("[%s] acme: error cleaning up: %v", challenge.GetTargetedDomain(authz), err)
		}
	}()

	chlng.KeyAuthorization = keyAuth
	return c.validate(c.core, domain, chlng)
}

// ChallengeBlocks returns PEM blocks (certPEMBlock, keyPEMBlock) with the acmeValidation-v1 extension
// and domain name for the `tls-alpn-01` challenge.
func ChallengeBlocks(domain, keyAuth string) ([]byte, []byte, error) {
	// Compute the SHA-256 digest of the key authorization.
	zBytes := sha256.Sum256([]byte(keyAuth))

	value, err := asn1.Marshal(zBytes[:sha256.Size])
	if err != nil {
		return nil, nil, err
	}

	// Add the keyAuth digest as the acmeValidation-v1 extension
	// (marked as critical such that it won't be used by non-ACME software).
	// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3
	extensions := []pkix.Extension{
		{
			Id:       idPeAcmeIdentifierV1,
			Critical: true,
			Value:    value,
		},
	}

	// Generate a new RSA key for the certificates.
	tempPrivateKey, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)
	if err != nil {
		return nil, nil, err
	}

	rsaPrivateKey := tempPrivateKey.(*rsa.PrivateKey)

	// Generate the PEM certificate using the provided private key, domain, and extra extensions.
	tempCertPEM, err := certcrypto.GeneratePemCert(rsaPrivateKey, domain, extensions)
	if err != nil {
		return nil, nil, err
	}

	// Encode the private key into a PEM format. We'll need to use it to generate the x509 keypair.
	rsaPrivatePEM := certcrypto.PEMEncode(rsaPrivateKey)

	return tempCertPEM, rsaPrivatePEM, nil
}

// ChallengeCert returns a certificate with the acmeValidation-v1 extension
// and domain name for the `tls-alpn-01` challenge.
func ChallengeCert(domain, keyAuth string) (*tls.Certificate, error) {
	tempCertPEM, rsaPrivatePEM, err := ChallengeBlocks(domain, keyAuth)
	if err != nil {
		return nil, err
	}

	cert, err := tls.X509KeyPair(tempCertPEM, rsaPrivatePEM)
	if err != nil {
		return nil, err
	}

	return &cert, nil
}
Refactor the core of the lib (#700) - Packages - Isolate code used by the CLI into the package `cmd` - (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) - Support non-ascii domain name (punnycode) - Check all challenges in a predictable order - No more global exported variables - Archive revoked certificates - Fixes revocation for subdomains and non-ascii domains - Disable pending authorizations - use pointer for RemoteError/ProblemDetails - Poll authz URL instead of challenge URL - The ability for a DNS provider to solve the challenge sequentially - Check all nameservers in a predictable order - Option to disable the complete propagation Requirement - CLI, support for renew with CSR - CLI, add SAN on renew - Add command to list certificates. - Logs every iteration of waiting for the propagation - update DNSimple client - update github.com/miekg/dns 2018-12-06 21:50:17 +00:00			`package tlsalpn01`

			`import (`
			`"crypto/rsa"`
			`"crypto/sha256"`
			`"crypto/tls"`
			`"crypto/x509/pkix"`
			`"encoding/asn1"`
			`"fmt"`

			`"github.com/xenolf/lego/acme"`
			`"github.com/xenolf/lego/acme/api"`
			`"github.com/xenolf/lego/certcrypto"`
			`"github.com/xenolf/lego/challenge"`
			`"github.com/xenolf/lego/log"`
			`)`

			`// idPeAcmeIdentifierV1 is the SMI Security for PKIX Certification Extension OID referencing the ACME extension.`
			`// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1`
			`var idPeAcmeIdentifierV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}`

			`type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error`

			`type Challenge struct {`
			`core *api.Core`
			`validate ValidateFunc`
			`provider challenge.Provider`
			`}`

			`func NewChallenge(core api.Core, validate ValidateFunc, provider challenge.Provider) Challenge {`
			`return &Challenge{`
			`core: core,`
			`validate: validate,`
			`provider: provider,`
			`}`
			`}`

			`func (c *Challenge) SetProvider(provider challenge.Provider) {`
			`c.provider = provider`
			`}`

			`// Solve manages the provider to validate and solve the challenge.`
			`func (c *Challenge) Solve(authz acme.Authorization) error {`
			`domain := authz.Identifier.Value`
			`log.Infof("[%s] acme: Trying to solve TLS-ALPN-01", challenge.GetTargetedDomain(authz))`

			`chlng, err := challenge.FindChallenge(challenge.TLSALPN01, authz)`
			`if err != nil {`
			`return err`
			`}`

			`// Generate the Key Authorization for the challenge`
			`keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)`
			`if err != nil {`
			`return err`
			`}`

			`err = c.provider.Present(domain, chlng.Token, keyAuth)`
			`if err != nil {`
			`return fmt.Errorf("[%s] acme: error presenting token: %v", challenge.GetTargetedDomain(authz), err)`
			`}`
			`defer func() {`
			`err := c.provider.CleanUp(domain, chlng.Token, keyAuth)`
			`if err != nil {`
			`log.Warnf("[%s] acme: error cleaning up: %v", challenge.GetTargetedDomain(authz), err)`
			`}`
			`}()`

			`chlng.KeyAuthorization = keyAuth`
			`return c.validate(c.core, domain, chlng)`
			`}`

			`// ChallengeBlocks returns PEM blocks (certPEMBlock, keyPEMBlock) with the acmeValidation-v1 extension`
			// and domain name for the `tls-alpn-01` challenge.
			`func ChallengeBlocks(domain, keyAuth string) ([]byte, []byte, error) {`
			`// Compute the SHA-256 digest of the key authorization.`
			`zBytes := sha256.Sum256([]byte(keyAuth))`

			`value, err := asn1.Marshal(zBytes[:sha256.Size])`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`// Add the keyAuth digest as the acmeValidation-v1 extension`
			`// (marked as critical such that it won't be used by non-ACME software).`
			`// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-3`
			`extensions := []pkix.Extension{`
			`{`
			`Id: idPeAcmeIdentifierV1,`
			`Critical: true,`
			`Value: value,`
			`},`
			`}`

			`// Generate a new RSA key for the certificates.`
			`tempPrivateKey, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`rsaPrivateKey := tempPrivateKey.(*rsa.PrivateKey)`

			`// Generate the PEM certificate using the provided private key, domain, and extra extensions.`
			`tempCertPEM, err := certcrypto.GeneratePemCert(rsaPrivateKey, domain, extensions)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`// Encode the private key into a PEM format. We'll need to use it to generate the x509 keypair.`
			`rsaPrivatePEM := certcrypto.PEMEncode(rsaPrivateKey)`

			`return tempCertPEM, rsaPrivatePEM, nil`
			`}`

			`// ChallengeCert returns a certificate with the acmeValidation-v1 extension`
			// and domain name for the `tls-alpn-01` challenge.
			`func ChallengeCert(domain, keyAuth string) (*tls.Certificate, error) {`
			`tempCertPEM, rsaPrivatePEM, err := ChallengeBlocks(domain, keyAuth)`
			`if err != nil {`
			`return nil, err`
			`}`

			`cert, err := tls.X509KeyPair(tempCertPEM, rsaPrivatePEM)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &cert, nil`
			`}`