From 3b7aa2075967eb512f0bb9fa4440df72dc46380a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Richard=20K=C3=B6rber?=
Date: Sun, 24 Jun 2018 19:04:53 +0200
Subject: [PATCH] Fix tls-alpn-01 certificate generation
---
 .../java/org/shredzone/acme4j/util/CertificateUtils.java | 3 ++-
 .../org/shredzone/acme4j/util/CertificateUtilsTest.java | 9 ++++++++-
 src/site/markdown/challenge/tls-alpn-01.md | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/acme4j-utils/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java b/acme4j-utils/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java
index cd65bc56..4536db70 100644
--- a/acme4j-utils/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java
+++ b/acme4j-utils/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java
@@ -32,6 +32,7 @@ import javax.annotation.ParametersAreNonnullByDefault;
 import javax.annotation.WillClose;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.GeneralName;
@@ -120,7 +121,7 @@ public final class CertificateUtils {
 gns[0] = new GeneralName(GeneralName.dNSName, subject);
 certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(gns));
- certBuilder.addExtension(ACME_VALIDATION_V1, true, acmeValidationV1);
+ certBuilder.addExtension(ACME_VALIDATION_V1, true, new DEROctetString(acmeValidationV1));
 JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlg);
diff --git a/acme4j-utils/src/test/java/org/shredzone/acme4j/util/CertificateUtilsTest.java b/acme4j-utils/src/test/java/org/shredzone/acme4j/util/CertificateUtilsTest.java
index 33cd7e16..a74c6daf 100644
--- a/acme4j-utils/src/test/java/org/shredzone/acme4j/util/CertificateUtilsTest.java
+++ b/acme4j-utils/src/test/java/org/shredzone/acme4j/util/CertificateUtilsTest.java
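Review bot: The new `certBuilder.addExtension(ACME_VALIDATION_V1, true, new DEROctetString(acmeValidationV1))` line deserves a comment explaining the wrapping, because the byte[] overload it replaces treats its argument as an already encoded extension value, so the raw digest was presumably written unwrapped into extnValue and the resulting certificate would not have matched what the tls-alpn-01 specification describes. Suggested: `// The byte[] overload of addExtension() expects an already DER-encoded value; the spec requires the digest itself to be wrapped as an OCTET STRING.` Since the specification fixes acmeValidation-v1 at 32 octets (a SHA-256 digest), it would also be worth failing fast on a wrong-sized input with `if (acmeValidationV1.length != 32) { throw new IllegalArgumentException("acmeValidationV1 must be a 32 byte SHA-256 digest"); }` rather than signing a certificate that only fails later at the CA. The enclosing method begins and ends outside the hunk, so check that its Javadoc states that callers pass the raw digest bytes, not a pre-encoded value.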
@@ -33,6 +33,7 @@ import java.util.List;
 import java.util.Set;
 import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.BERTags;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
@@ -111,7 +112,13 @@ public class CertificateUtilsTest {
 try (ASN1InputStream asn = new ASN1InputStream(new ByteArrayInputStream(encodedExtensionValue))) {
 DEROctetString derOctetString = (DEROctetString) asn.readObject();
- assertThat(derOctetString.getOctets(), is(acmeValidationV1));
+
+ byte[] test = new byte[acmeValidationV1.length + 2];
+ test[0] = BERTags.OCTET_STRING;
+ test[1] = (byte) acmeValidationV1.length;
+ System.arraycopy(acmeValidationV1, 0, test, 2, acmeValidationV1.length);
+
+ assertThat(derOctetString.getOctets(), is(test));
 }
 }
diff --git a/src/site/markdown/challenge/tls-alpn-01.md b/src/site/markdown/challenge/tls-alpn-01.md
index 3f087f6e..77e38e0b 100644
--- a/src/site/markdown/challenge/tls-alpn-01.md
+++ b/src/site/markdown/challenge/tls-alpn-01.md
@@ -15,7 +15,7 @@ TlsAlpn01Challenge challenge = auth.findChallenge(TlsAlpn01Challenge.TYPE);
 byte[] acmeValidationV1 = challenge.getAcmeValidationV1();
 ```
-You need to create a self-signed certificate with the domain to be validated set as the only _Subject Alternative Name_. The `acmeValidationV1` must be set as octet string extension with the object id `1.3.6.1.5.5.7.1.30.1`. It is required to set this extension as critical.
+You need to create a self-signed certificate with the domain to be validated set as the only _Subject Alternative Name_. The `acmeValidationV1` must be set as DER encoded `OCTET STRING` extension with the object id `1.3.6.1.5.5.7.1.30.1`. It is required to set this extension as critical.
 After that, configure your web server so it will use this certificate on an incoming TLS request having the SNI `subject` and the ALPN protocol `acme-tls/1`.
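Review bot: The hand-rolled DER in the new assertion only holds for payloads shorter than 128 bytes, because `test[1] = (byte) acmeValidationV1.length` writes a short-form length octet; for a longer value the expected bytes would be wrong rather than the encoding being checked. DEROctetString is already imported in this test, so comparing against the library's own encoding is both shorter and exact: `assertThat(derOctetString.getOctets(), is(new DEROctetString(acmeValidationV1).getEncoded()));` (getEncoded() throws IOException, which the enclosing method must already tolerate since asn.readObject() does too), and the new BERTags import then becomes unnecessary. If the fixed 32-byte size of the validation value is part of the contract being tested, pin it explicitly with `assertThat(acmeValidationV1.length, is(32));` before the comparison. The local name `test` says nothing about its role; `expectedDer` would read better. The enclosing test method starts outside the hunk.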