|
|
|
@ -1,7 +1,6 @@
|
|
|
|
|
package acme
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"context"
|
|
|
|
|
"crypto"
|
|
|
|
|
"crypto/ecdsa"
|
|
|
|
@ -16,13 +15,11 @@ import (
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"encoding/hex"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"encoding/pem"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io"
|
|
|
|
|
"net"
|
|
|
|
|
"net/url"
|
|
|
|
|
"os"
|
|
|
|
|
"reflect"
|
|
|
|
|
"strconv"
|
|
|
|
|
"strings"
|
|
|
|
@ -45,7 +42,6 @@ const (
|
|
|
|
|
TLSALPN01 ChallengeType = "tls-alpn-01"
|
|
|
|
|
// DEVICEATTEST01 is the device-attest-01 ACME challenge type
|
|
|
|
|
DEVICEATTEST01 ChallengeType = "device-attest-01"
|
|
|
|
|
APPLEATTEST01 ChallengeType = "client-01"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Challenge represents an ACME response Challenge type.
|
|
|
|
@ -89,8 +85,6 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey,
|
|
|
|
|
return tlsalpn01Validate(ctx, ch, db, jwk)
|
|
|
|
|
case DEVICEATTEST01:
|
|
|
|
|
return deviceAttest01Validate(ctx, ch, db, jwk, payload)
|
|
|
|
|
case APPLEATTEST01:
|
|
|
|
|
return appleAttest01Validate(ctx, ch, db, jwk, payload)
|
|
|
|
|
default:
|
|
|
|
|
return NewErrorISE("unexpected challenge type '%s'", ch.Type)
|
|
|
|
|
}
|
|
|
|
@ -168,7 +162,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
|
|
|
|
|
// [RFC5246] or higher when connecting to clients for validation.
|
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
|
ServerName: serverName(ch),
|
|
|
|
|
InsecureSkipVerify: true, //nolint:gosec // we expect a self-signed challenge certificate
|
|
|
|
|
InsecureSkipVerify: true, // nolint:gosec // we expect a self-signed challenge certificate
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hostPort := net.JoinHostPort(ch.Value, "443")
|
|
|
|
@ -418,7 +412,6 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<<<<<<< HEAD
|
|
|
|
|
// Apple Enterprise Attestation Root CA from
|
|
|
|
|
// https://www.apple.com/certificateauthority/private/
|
|
|
|
|
const appleEnterpriseAttestationRootCA = `-----BEGIN CERTIFICATE-----
|
|
|
|
@ -659,68 +652,6 @@ func doStepAttestationFormat(ctx context.Context, prov Provisioner, ch *Challeng
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return data, nil
|
|
|
|
|
=======
|
|
|
|
|
type ApplePayload struct {
|
|
|
|
|
AttObj string `json:"attObj"`
|
|
|
|
|
Error string `json:"error"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func appleAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
|
|
|
|
|
var p ApplePayload
|
|
|
|
|
if err := json.Unmarshal(payload, &p); err != nil {
|
|
|
|
|
return WrapErrorISE(err, "error unmarshalling JSON")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fmt.Fprintf(os.Stderr, "p.AttObj: %v\n", p.AttObj)
|
|
|
|
|
|
|
|
|
|
attObj, err := base64.RawURLEncoding.DecodeString(p.AttObj)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return WrapErrorISE(err, "error base64 decoding attObj")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
att := AttestationObject{}
|
|
|
|
|
if err := cbor.Unmarshal(attObj, &att); err != nil {
|
|
|
|
|
return WrapErrorISE(err, "error unmarshalling CBOR")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if att.Format != "apple" {
|
|
|
|
|
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement,
|
|
|
|
|
"unexpected attestation object format"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
x5c, x509present := att.AttStatement["x5c"].([]interface{})
|
|
|
|
|
if !x509present {
|
|
|
|
|
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement,
|
|
|
|
|
"x5c not present"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
attCertBytes, valid := x5c[0].([]byte)
|
|
|
|
|
if !valid {
|
|
|
|
|
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
|
|
|
|
|
"error getting certificate from x5c cert chain"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
attCert, err := x509.ParseCertificate(attCertBytes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return WrapErrorISE(err, "error parsing AK certificate")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b := &pem.Block{
|
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
|
Bytes: attCert.Raw,
|
|
|
|
|
}
|
|
|
|
|
pem.Encode(os.Stderr, b)
|
|
|
|
|
|
|
|
|
|
// Update and store the challenge.
|
|
|
|
|
ch.Status = StatusValid
|
|
|
|
|
ch.Error = nil
|
|
|
|
|
ch.ValidatedAt = clock.Now().Format(time.RFC3339)
|
|
|
|
|
|
|
|
|
|
if err := db.UpdateChallenge(ctx, ch); err != nil {
|
|
|
|
|
return WrapErrorISE(err, "error updating challenge")
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
>>>>>>> 26e1b4ba (iOS 16 beta 1 support)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// serverName determines the SNI HostName to set based on an acme.Challenge
|
|
|
|
|