From 71d3a4cfdb0360795ce5f2d7041e01823fd22eb6 Mon Sep 17 00:00:00 2001
From: Evgeny Shatokhin
Date: Wed, 28 Aug 2024 15:03:34 +1000
Subject: acme: support challenges that require the ACME client to send a non-empty JSON body in a response to the challenge.

A new extension to the ACME protocol is proposed to support device attestation: https://datatracker.ietf.org/doc/draft-acme-device-attest/
Based on the recent IETF meetings, the proposal is likely to be accepted. To support the new extension, the ACME client will need to send a non-empty JSON body in the response to a "device-attest-01" challenge.

Fixes golang/go#68674
Change-Id: I29b420ec837f682e3d59071a4a82af56dc319134
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/608975
Reviewed-by: Roland Shoemaker
Reviewed-by: Michael Knyszek
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Roland Shoemaker
---
 acme/acme.go | 6 +++++-
 acme/types.go | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/acme/acme.go b/acme/acme.go
index aaafea2..a43c62f 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -514,7 +514,11 @@ func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error
 		return nil, err
 	}
-	res, err := c.post(ctx, nil, chal.URI, json.RawMessage("{}"), wantStatus(
+	payload := json.RawMessage("{}")
+	if len(chal.Payload) != 0 {
+		payload = chal.Payload
+	}
+	res, err := c.post(ctx, nil, chal.URI, payload, wantStatus(
 		http.StatusOK, // according to the spec
 		http.StatusAccepted, // Let's Encrypt: see https://goo.gl/WsJ7VT (acme-divergences.md)
 	))
diff --git a/acme/types.go b/acme/types.go
index 23a4d65..45492ad 100644
--- a/acme/types.go
+++ b/acme/types.go
@@ -7,6 +7,7 @@ package acme
 import (
 	"crypto"
 	"crypto/x509"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
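Review bot: In the acme.go hunk, `chal.Payload` is forwarded to c.post without any check that it is JSON at all, let alone the JSON object that the challenge response is defined to be (RFC 8555 §7.5.1), so a caller who passes garbage or a bare array only finds out from whatever error the encoding layer emits — presumably c.post marshals the RawMessage into the signed request and would reject malformed bytes, but that is inferred, and it would still happily sign and send `[]`. Because this is the body the account key signs and the CA validates, a cheap guard next to the fallback makes misuse obvious at the call site: `if len(chal.Payload) != 0 && !json.Valid(chal.Payload) { return nil, errors.New("acme: challenge Payload is not valid JSON") }` (json is already in scope here; use whichever of errors or fmt acme.go imports). Accept's doc comment, which lies outside the hunk, should also say that a non-empty Payload is sent verbatim and that an unset one falls back to `{}`, so the two documented behaviors line up. Accept's body starts and ends outside this hunk.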
@@ -527,6 +528,16 @@ type Challenge struct {
 	// when this challenge was used.
 	// The type of a non-nil value is *Error.
 	Error error
+
+	// Payload is the JSON-formatted payload that the client sends
+	// to the server to indicate it is ready to respond to the challenge.
+	// When unset, it defaults to an empty JSON object: {}.
+	// For most challenges, the client must not set Payload,
+	// see https://tools.ietf.org/html/rfc8555#section-7.5.1.
+	// Payload is used only for newer challenges (such as "device-attest-01")
+	// where the client must send additional data for the server to validate
+	// the challenge.
+	Payload json.RawMessage
 }
 // wireChallenge is ACME JSON challenge representation.
--
cgit v1.3
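Review bot: The new doc comment on Payload explains what the field is for but not the contract a caller setting it actually needs: that the bytes are sent as-is with no validation, and that they must form a JSON object, since RFC 8555 §7.5.1 defines the challenge response as a JSON object and the `{}` default this comment promises is one too. Suggest adding `// Payload must be a JSON object; the client sends it verbatim and does not validate it.` after the default sentence. The context line at the end of the hunk shows Challenge is distinct from the wire representation (wireChallenge), which suggests Payload is only ever set by the caller and never filled in from a server response — if that holds, it is worth one more line saying so, because a field on a struct that otherwise mirrors server data reads as if the CA could populate it. Minor: `https://tools.ietf.org/html/rfc8555#section-7.5.1` is a legacy alias; the canonical form is `https://www.rfc-editor.org/rfc/rfc8555#section-7.5.1`.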