From 6ca56c2f2e2b26dc733347707d0e75d8eb050ee1 Mon Sep 17 00:00:00 2001
From: Jason Baker
Date: Mon, 10 Feb 2020 19:01:28 +0000
Subject: [PATCH] acme: update TLS-ALPN identifier to the latest IANA assignment

It looks like the source code has fallen out of date with the draft spec. The latest version https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05 has a different OID 1.3.6.1.5.5.7.1.31 assigned. You can test that you're using the correct OID by performing a TLS-ALPN-01 challenge against a Pebble (https://github.com/letsencrypt/pebble) ACME server running with the -strict argument. This implementation will reject the obsolete OID.

Change-Id: I58c52eaed487949e9071d3b9772f7acfdcc91201
GitHub-Last-Rev: 4cacc0723c431a29aec77d4fb3320d91c66c1ff5
GitHub-Pull-Request: golang/crypto#91
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/204177
Run-TryBot: Filippo Valsorda
Reviewed-by: Alex Vaghin
Reviewed-by: Filippo Valsorda
---
 acme/acme.go | 7 ++++---
 acme/acme_test.go | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/acme/acme.go b/acme/acme.go
index 02fde12db5..6e6c9d1319 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -55,8 +55,9 @@ const (
 	ALPNProto = "acme-tls/1"
 )
-// idPeACMEIdentifierV1 is the OID for the ACME extension for the TLS-ALPN challenge.
-var idPeACMEIdentifierV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 30, 1}
+// idPeACMEIdentifier is the OID for the ACME extension for the TLS-ALPN challenge.
+// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1
+var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
 const (
 	maxChainLen = 5 // max depth and breadth of a certificate chain
@@ -778,7 +779,7 @@ func (c *Client) TLSALPN01ChallengeCert(token, domain string, opt ...CertOption)
 		return tls.Certificate{}, err
 	}
 	acmeExtension := pkix.Extension{
-		Id: idPeACMEIdentifierV1,
+		Id: idPeACMEIdentifier,
 		Critical: true,
 		Value: extValue,
 	}
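Review bot: The new doc comment on `idPeACMEIdentifier` points at a draft URL that will go stale, while the commit message says this is the IANA-assigned value; the comment should name the registered arc and note the interop consequence, since an ACME server that still validates against the pre-05 arc will now reject every challenge certificate this client produces (the old value `1.3.6.1.5.5.7.1.30.1` is no longer emitted anywhere). Something like `// idPeACMEIdentifier is the IANA-assigned id-pe-acmeIdentifier OID (1.3.6.1.5.5.7.1.31) carried as a critical extension in TLS-ALPN-01 challenge certificates; earlier drafts used 1.3.6.1.5.5.7.1.30.1, which validators following the current draft (e.g. Pebble -strict) reject.` Validators match this OID exactly and treat a mismatch as a hard failure rather than a fallback, so the value is security-relevant and deserves that precision. If the draft is later published as an RFC, the reference should be updated to the RFC section.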
diff --git a/acme/acme_test.go b/acme/acme_test.go
index 8d94dd67e1..e2f446f3d8 100644
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@@ -1317,7 +1317,7 @@ func TestTLSALPN01ChallengeCert(t *testing.T) {
 	}
 	acmeExts := []pkix.Extension{}
 	for _, ext := range cert.Extensions {
-		if idPeACMEIdentifierV1.Equal(ext.Id) {
+		if idPeACMEIdentifier.Equal(ext.Id) {
 			acmeExts = append(acmeExts, ext)
 		}
 	}
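Review bot: The updated check compares against the same package variable the commit edits, so this test passes for any value of `idPeACMEIdentifier` and would not catch a regression back to the obsolete `1.3.6.1.5.5.7.1.30.1` arc, which is exactly the bug this commit fixes. Pin the expected value in the test instead: `wantOID := asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}` above the loop and `if wantOID.Equal(ext.Id) {` here (the test file may need an `encoding/asn1` import). Since the production code in acme.go marks the extension `Critical: true` and the ALPN draft requires that, it would also be worth asserting `ext.Critical` on the matched extension. `TestTLSALPN01ChallengeCert` starts and ends outside this hunk.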