Reject obsolete id-pe-acmeIdentifier.

4 years ago · 6843408d42
parent 6b5a2b17b5
commit 6843408d42
2 changed files with 38 additions and 33 deletions
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -439,6 +439,7 @@ func (tc *tlsALPN01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo val

 	idPeAcmeIdentifier := asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
 	idPeAcmeIdentifierV1Obsolete := asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1}
+	foundIDPeAcmeIdentifierV1Obsolete := false

 	keyAuth, err := KeyAuthorization(tc.Token, jwk)
 	if err != nil {
@ -447,8 +448,7 @@ func (tc *tlsALPN01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo val
 	hashedKeyAuth := sha256.Sum256([]byte(keyAuth))

 	for _, ext := range leafCert.Extensions {
-		if idPeAcmeIdentifier.Equal(ext.Id) || idPeAcmeIdentifierV1Obsolete.Equal(ext.Id) {
-
+		if idPeAcmeIdentifier.Equal(ext.Id) {
 			if !ext.Critical {
 				if err = tc.storeError(db,
 					RejectedIdentifierErr(errors.Errorf("incorrect certificate for tls-alpn-01 challenge: "+
@ -490,6 +490,19 @@ func (tc *tlsALPN01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo val
 			}
 			return upd, nil
 		}
+
+		if idPeAcmeIdentifierV1Obsolete.Equal(ext.Id) {
+			foundIDPeAcmeIdentifierV1Obsolete = true
+		}
+	}
+
+	if foundIDPeAcmeIdentifierV1Obsolete {
+		if err = tc.storeError(db,
+			RejectedIdentifierErr(errors.Errorf("incorrect certificate for tls-alpn-01 challenge: "+
+				"obsolete id-pe-acmeIdentifier in acmeValidationV1 extension"))); err != nil {
+			return nil, err
+		}
+		return tc, nil
 	}

 	if err = tc.storeError(db,
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@ -1463,28 +1463,28 @@ func TestTLSALPN01Validate(t *testing.T) {
 				res: ch,
 			}
 		},
-		"ok/with-new-oid": func(t *testing.T) test {
+		"ok/obsolete-oid": func(t *testing.T) test {
 			ch, err := newTLSALPNCh()
 			assert.FatalError(t, err)
-			_ch, ok := ch.(*tlsALPN01Challenge)
-			assert.Fatal(t, ok)
-			_ch.baseChallenge.Error = MalformedErr(nil).ToACME()
 			oldb, err := json.Marshal(ch)
 			assert.FatalError(t, err)

+			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+			assert.FatalError(t, err)
+
+			expErr := RejectedIdentifierErr(errors.New("incorrect certificate for tls-alpn-01 challenge: " +
+				"obsolete id-pe-acmeIdentifier in acmeValidationV1 extension"))
 			baseClone := ch.clone()
-			baseClone.Status = StatusValid
-			baseClone.Error = nil
+			baseClone.Error = expErr.ToACME()
 			newCh := &tlsALPN01Challenge{baseClone}
-
-			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+			newb, err := json.Marshal(newCh)
 			assert.FatalError(t, err)

 			expKeyAuth, err := KeyAuthorization(ch.getToken(), jwk)
 			assert.FatalError(t, err)
 			expKeyAuthHash := sha256.Sum256([]byte(expKeyAuth))

-			cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], false, true, ch.getValue())
+			cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], true, true, ch.getValue())
 			assert.FatalError(t, err)

 			srv, tlsDial := newTestTLSALPNServer(cert)
@ -1494,15 +1494,7 @@ func TestTLSALPN01Validate(t *testing.T) {
 				srv: srv,
 				ch:  ch,
 				vo: validateOptions{
-					tlsDial: func(network, addr string, config *tls.Config) (conn *tls.Conn, err error) {
-						assert.Equals(t, network, "tcp")
-						assert.Equals(t, addr, net.JoinHostPort(newCh.getValue(), "443"))
-						assert.Equals(t, config.NextProtos, []string{"acme-tls/1"})
-						assert.Equals(t, config.ServerName, newCh.getValue())
-						assert.True(t, config.InsecureSkipVerify)
-
-						return tlsDial(network, addr, config)
-					},
+					tlsDial: tlsDial,
 				},
 				jwk: jwk,
 				db: &db.MockNoSQLDB{
@ -1510,22 +1502,14 @@ func TestTLSALPN01Validate(t *testing.T) {
 						assert.Equals(t, bucket, challengeTable)
 						assert.Equals(t, key, []byte(ch.getID()))
 						assert.Equals(t, old, oldb)
-
-						alpnCh, err := unmarshalChallenge(newval)
-						assert.FatalError(t, err)
-						assert.Equals(t, alpnCh.getStatus(), StatusValid)
-						assert.True(t, alpnCh.getValidated().Before(time.Now().UTC().Add(time.Minute)))
-						assert.True(t, alpnCh.getValidated().After(time.Now().UTC().Add(-1*time.Second)))
-
-						baseClone.Validated = alpnCh.getValidated()
-
+						assert.Equals(t, string(newval), string(newb))
 						return nil, true, nil
 					},
 				},
-				res: newCh,
+				res: ch,
 			}
 		},
-		"ok/with-obsolete-oid": func(t *testing.T) test {
+		"ok/with-new-oid": func(t *testing.T) test {
 			ch, err := newTLSALPNCh()
 			assert.FatalError(t, err)
 			_ch, ok := ch.(*tlsALPN01Challenge)
@ -1546,7 +1530,7 @@ func TestTLSALPN01Validate(t *testing.T) {
 			assert.FatalError(t, err)
 			expKeyAuthHash := sha256.Sum256([]byte(expKeyAuth))

-			cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], true, true, ch.getValue())
+			cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], false, true, ch.getValue())
 			assert.FatalError(t, err)

 			srv, tlsDial := newTestTLSALPNServer(cert)
@ -1556,7 +1540,15 @@ func TestTLSALPN01Validate(t *testing.T) {
 				srv: srv,
 				ch:  ch,
 				vo: validateOptions{
-					tlsDial: tlsDial,
+					tlsDial: func(network, addr string, config *tls.Config) (conn *tls.Conn, err error) {
+						assert.Equals(t, network, "tcp")
+						assert.Equals(t, addr, net.JoinHostPort(newCh.getValue(), "443"))
+						assert.Equals(t, config.NextProtos, []string{"acme-tls/1"})
+						assert.Equals(t, config.ServerName, newCh.getValue())
+						assert.True(t, config.InsecureSkipVerify)
+
+						return tlsDial(network, addr, config)
+					},
 				},
 				jwk: jwk,
 				db: &db.MockNoSQLDB{