acme: fix encoding of the TLS-ALPN challenge extension

To comply with the specification the value of the extension should be a ASN.1
OCTET STRING rather than a raw SHA 256 hash. This change uses asn1.Marshal to
wrap the hash before putting it in the extension.

Change-Id: I4ebe88a00238c6f928555d605e4b5dd98aad8128
Reviewed-on: https://go-review.googlesource.com/118696
Reviewed-by: Brad Fitzpatrick <[email protected]>
Run-TryBot: Brad Fitzpatrick <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>

Author: rolandshoemaker

acme/acme.go

@@ -598,10 +598,14 @@ func (c *Client) TLSALPN01ChallengeCert(token, domain string, opt ...CertOption)
 		return tls.Certificate{}, err
 	}
 	shasum := sha256.Sum256([]byte(ka))
+	extValue, err := asn1.Marshal(shasum[:])
+	if err != nil {
+		return tls.Certificate{}, err
+	}
 	acmeExtension := pkix.Extension{
 		Id:       idPeACMEIdentifierV1,
 		Critical: true,
-		Value:    shasum[:],
+		Value:    extValue,
 	}
 
 	tmpl := defaultTLSChallengeCertTemplate()

acme/acme_test.go

@@ -1166,7 +1166,7 @@ func TestTLSALPN01ChallengeCert(t *testing.T) {
 		token   = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
 		keyAuth = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA." + testKeyECThumbprint
 		// echo -n <token.testKeyECThumbprint> | shasum -a 256
-		h      = "dbbd5eefe7b4d06eb9d1d9f5acb4c7cda27d320e4b30332f0b6cb441734ad7b0"
+		h      = "0420dbbd5eefe7b4d06eb9d1d9f5acb4c7cda27d320e4b30332f0b6cb441734ad7b0"
 		domain = "example.com"
 	)