Fix tls-alpn-01 certificate generation

pull/66/head
Richard Körber 2018-06-24 19:04:53 +02:00
parent 8358c1513a
commit 3b7aa20759
No known key found for this signature in database
GPG Key ID: AAB9FD19C78AA3E0
3 changed files with 11 additions and 3 deletions


@ -32,6 +32,7 @@ import javax.annotation.ParametersAreNonnullByDefault;
import javax.annotation.WillClose;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
@ -120,7 +121,7 @@ public final class CertificateUtils {
gns[0] = new GeneralName(GeneralName.dNSName, subject);
certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(gns));
certBuilder.addExtension(ACME_VALIDATION_V1, true, acmeValidationV1);
certBuilder.addExtension(ACME_VALIDATION_V1, true, new DEROctetString(acmeValidationV1));
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlg);
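Review bot: The new `certBuilder.addExtension(ACME_VALIDATION_V1, true, new DEROctetString(acmeValidationV1));` line has no comment saying why the value is wrapped, so the fix is easy to undo in a later clean-up. As far as I know the `byte[]` overload stores the bytes as the raw extension value, while the `ASN1Encodable` overload DER-encodes the object first, so the value becomes an OCTET STRING nested inside the extension's own OCTET STRING. I would add `// extension value must itself be a DER OCTET STRING; do not pass the raw byte[]` above the call. The enclosing method starts and ends outside the hunk, so I cannot see whether `acmeValidationV1` is length-checked. If it is not, and assuming the tls-alpn-01 value is always a 32-byte SHA-256 digest, a guard such as `if (acmeValidationV1.length != 32) throw new IllegalArgumentException("Bad acmeValidationV1 parameter");` would reject a malformed value before a certificate is built.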


@ -33,6 +33,7 @@ import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.BERTags;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
@ -111,7 +112,13 @@ public class CertificateUtilsTest {
try (ASN1InputStream asn = new ASN1InputStream(new ByteArrayInputStream(encodedExtensionValue))) {
DEROctetString derOctetString = (DEROctetString) asn.readObject();
assertThat(derOctetString.getOctets(), is(acmeValidationV1));
byte[] test = new byte[acmeValidationV1.length + 2];
test[0] = BERTags.OCTET_STRING;
test[1] = (byte) acmeValidationV1.length;
System.arraycopy(acmeValidationV1, 0, test, 2, acmeValidationV1.length);
assertThat(derOctetString.getOctets(), is(test));
}
}
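Review bot: The expected value built around `test[1] = (byte) acmeValidationV1.length;` is a hand-rolled DER header that is only correct while the payload is shorter than 128 bytes (short-form length), and nothing in the test states that assumption. A comment such as `// inner DER OCTET STRING: tag, short-form length (< 128 bytes), content` would make it explicit, and renaming `test` to `expectedDer` would say what the array holds. The local is still called `derOctetString` although `getOctets()` now yields the encoding of a second, inner octet string, which is exactly what the assertion checks; a short comment on that nesting would help the next reader. The test method begins outside the hunk.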


@ -15,7 +15,7 @@ TlsAlpn01Challenge challenge = auth.findChallenge(TlsAlpn01Challenge.TYPE);
byte[] acmeValidationV1 = challenge.getAcmeValidationV1();
```
You need to create a self-signed certificate with the domain to be validated set as the only _Subject Alternative Name_. The `acmeValidationV1` must be set as octet string extension with the object id `1.3.6.1.5.5.7.1.30.1`. It is required to set this extension as critical.
You need to create a self-signed certificate with the domain to be validated set as the only _Subject Alternative Name_. The `acmeValidationV1` must be set as DER encoded `OCTET STRING` extension with the object id `1.3.6.1.5.5.7.1.30.1`. It is required to set this extension as critical.
After that, configure your web server so it will use this certificate on an incoming TLS request having the SNI `subject` and the ALPN protocol `acme-tls/1`.