acme: update TLS-ALPN identifier to the latest IANA assignment

It looks like the source code has fallen out of date with the draft spec.
The latest version https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05 has a different OID 1.3.6.1.5.5.7.1.31 assigned.

You can test that you're using the correct OID by performing a TLS-ALPN-01 challenge against a Pebble (https://github.com/letsencrypt/pebble) ACME server running with the -strict argument. This implementation will reject the obsolete OID.

Change-Id: I58c52eaed487949e9071d3b9772f7acfdcc91201
GitHub-Last-Rev: 4cacc07
GitHub-Pull-Request: golang#91
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/204177
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Alex Vaghin <alex@cloudware.io>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

acme/acme.go

@@ -55,8 +55,9 @@ const (
 	ALPNProto = "acme-tls/1"
 )
 
-// idPeACMEIdentifierV1 is the OID for the ACME extension for the TLS-ALPN challenge.
-var idPeACMEIdentifierV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1}
+// idPeACMEIdentifier is the OID for the ACME extension for the TLS-ALPN challenge.
+// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1
+var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
 
 const (
 	maxChainLen = 5       // max depth and breadth of a certificate chain
@@ -778,7 +779,7 @@ func (c *Client) TLSALPN01ChallengeCert(token, domain string, opt ...CertOption)
 		return tls.Certificate{}, err
 	}
 	acmeExtension := pkix.Extension{
-		Id:       idPeACMEIdentifierV1,
+		Id:       idPeACMEIdentifier,
 		Critical: true,
 		Value:    extValue,
 	}

acme/acme_test.go

@@ -1317,7 +1317,7 @@ func TestTLSALPN01ChallengeCert(t *testing.T) {
 	}
 	acmeExts := []pkix.Extension{}
 	for _, ext := range cert.Extensions {
-		if idPeACMEIdentifierV1.Equal(ext.Id) {
+		if idPeACMEIdentifier.Equal(ext.Id) {
 			acmeExts = append(acmeExts, ext)
 		}
 	}