RootShell-coder
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎acme/authority.go
Lines changed: 7 additions & 0 deletions b/‎acme/authority.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎acme/authority_test.go
Lines changed: 21 additions & 5 deletions b/‎acme/authority_test.go
Lines changed: 21 additions & 5 deletions
diff --git a/‎acme/authz.go
Lines changed: 13 additions & 3 deletions b/‎acme/authz.go
Lines changed: 13 additions & 3 deletions
diff --git a/‎acme/authz_test.go
Lines changed: 30 additions & 7 deletions b/‎acme/authz_test.go
Lines changed: 30 additions & 7 deletions
@@ -18,3 +18,4 @@
 coverage.txt
 vendor
 output
+.idea
@@ -50,7 +50,7 @@ It's super easy to get started and to operate `step-ca` thanks to [streamlined i
 ### [Your own private ACME Server](https://smallstep.com/blog/private-acme-server/)
 - Issue certificates using ACMEv2 ([RFC8555](https://tools.ietf.org/html/rfc8555)), **the protocol used by Let's Encrypt**
 - Great for [using ACME in development & pre-production](https://smallstep.com/blog/private-acme-server/#local-development-pre-production)
-- Supports the `http-01` and `dns-01` ACME challenge types
+- Supports the `http-01`, `tls-alpn-01`, and `dns-01` ACME challenge types
 - Works with any compliant ACME client including [certbot](https://smallstep.com/blog/private-acme-server/#certbot-uploads-acme-certbot-png-certbot-example), [acme.sh](https://smallstep.com/blog/private-acme-server/#acme-sh-uploads-acme-acme-sh-png-acme-sh-example), [Caddy](https://smallstep.com/blog/private-acme-server/#caddy-uploads-acme-caddy-png-caddy-example), and [traefik](https://smallstep.com/blog/private-acme-server/#traefik-uploads-acme-traefik-png-traefik-example)
 - Get certificates programmatically (e.g., in [Go](https://smallstep.com/blog/private-acme-server/#golang-uploads-acme-golang-png-go-example), [Python](https://smallstep.com/blog/private-acme-server/#python-uploads-acme-python-png-python-example), [Node.js](https://smallstep.com/blog/private-acme-server/#node-js-uploads-acme-node-js-png-node-js-example))
 
 
@@ -2,6 +2,7 @@ package acme
 
 import (
 	"crypto"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"net"
@@ -265,9 +266,15 @@ func (a *Authority) ValidateChallenge(p provisioner.Interface, accID, chID strin
 	client := http.Client{
 		Timeout: time.Duration(30 * time.Second),
 	}
+	dialer := &net.Dialer{
+		Timeout: 30 * time.Second,
+	}
 	ch, err = ch.validate(a.db, jwk, validateOptions{
 		httpGet:   client.Get,
 		lookupTxt: net.LookupTXT,
+		tlsDial: func(network, addr string, config *tls.Config) (*tls.Conn, error) {
+			return tls.DialWithDialer(dialer, network, addr, config)
+		},
 	})
 	if err != nil {
 		return nil, Wrap(err, "error attempting challenge validation")
 
@@ -730,7 +730,7 @@ func TestAuthorityGetAuthz(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) test {
-			var ch1B, ch2B = &[]byte{}, &[]byte{}
+			var ch1B, ch2B, ch3B = &[]byte{}, &[]byte{}, &[]byte{}
 			count := 0
 			mockdb := &db.MockNoSQLDB{
 				MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
@@ -739,6 +739,8 @@ func TestAuthorityGetAuthz(t *testing.T) {
 						*ch1B = newval
 					case 1:
 						*ch2B = newval
+					case 2:
+						*ch3B = newval
 					}
 					count++
 					return nil, true, nil
@@ -758,6 +760,8 @@ func TestAuthorityGetAuthz(t *testing.T) {
 			assert.FatalError(t, err)
 			ch2, err := unmarshalChallenge(*ch2B)
 			assert.FatalError(t, err)
+			ch3, err := unmarshalChallenge(*ch3B)
+			assert.FatalError(t, err)
 			count = 0
 			mockdb = &db.MockNoSQLDB{
 				MGet: func(bucket, key []byte) ([]byte, error) {
@@ -771,6 +775,10 @@ func TestAuthorityGetAuthz(t *testing.T) {
 						assert.Equals(t, bucket, challengeTable)
 						assert.Equals(t, key, []byte(ch2.getID()))
 						ret = *ch2B
+					case 2:
+						assert.Equals(t, bucket, challengeTable)
+						assert.Equals(t, key, []byte(ch3.getID()))
+						ret = *ch3B
 					}
 					count++
 					return ret, nil
@@ -796,6 +804,10 @@ func TestAuthorityGetAuthz(t *testing.T) {
 						assert.Equals(t, bucket, challengeTable)
 						assert.Equals(t, key, []byte(ch2.getID()))
 						ret = *ch2B
+					case 3:
+						assert.Equals(t, bucket, challengeTable)
+						assert.Equals(t, key, []byte(ch3.getID()))
+						ret = *ch3B
 					}
 					count++
 					return ret, nil
@@ -876,21 +888,25 @@ func TestAuthorityNewOrder(t *testing.T) {
 					case 1:
 						assert.Equals(t, bucket, challengeTable)
 					case 2:
-						assert.Equals(t, bucket, authzTable)
-					case 3:
 						assert.Equals(t, bucket, challengeTable)
+					case 3:
+						assert.Equals(t, bucket, authzTable)
 					case 4:
 						assert.Equals(t, bucket, challengeTable)
 					case 5:
-						assert.Equals(t, bucket, authzTable)
+						assert.Equals(t, bucket, challengeTable)
 					case 6:
+						assert.Equals(t, bucket, challengeTable)
+					case 7:
+						assert.Equals(t, bucket, authzTable)
+					case 8:
 						assert.Equals(t, bucket, orderTable)
 						var o order
 						assert.FatalError(t, json.Unmarshal(newval, &o))
 						*acmeO, err = o.toACME(nil, dir, prov)
 						assert.FatalError(t, err)
 						*accID = o.AccountID
-					case 7:
+					case 9:
 						assert.Equals(t, bucket, ordersByAccountIDTable)
 						assert.Equals(t, string(key), *accID)
 					}
 
@@ -294,7 +294,7 @@ func newDNSAuthz(db nosql.DB, accID string, identifier Identifier) (authz, error
 
 	ba.Challenges = []string{}
 	if !ba.Wildcard {
-		// http challenges are only permitted if the DNS is not a wildcard dns.
+		// http and alpn challenges are only permitted if the DNS is not a wildcard dns.
 		ch1, err := newHTTP01Challenge(db, ChallengeOptions{
 			AccountID:  accID,
 			AuthzID:    ba.ID,
@@ -303,15 +303,25 @@ func newDNSAuthz(db nosql.DB, accID string, identifier Identifier) (authz, error
 			return nil, Wrap(err, "error creating http challenge")
 		}
 		ba.Challenges = append(ba.Challenges, ch1.getID())
+
+		ch2, err := newTLSALPN01Challenge(db, ChallengeOptions{
+			AccountID:  accID,
+			AuthzID:    ba.ID,
+			Identifier: ba.Identifier,
+		})
+		if err != nil {
+			return nil, Wrap(err, "error creating alpn challenge")
+		}
+		ba.Challenges = append(ba.Challenges, ch2.getID())
 	}
-	ch2, err := newDNS01Challenge(db, ChallengeOptions{
+	ch3, err := newDNS01Challenge(db, ChallengeOptions{
 		AccountID:  accID,
 		AuthzID:    ba.ID,
 		Identifier: identifier})
 	if err != nil {
 		return nil, Wrap(err, "error creating dns challenge")
 	}
-	ba.Challenges = append(ba.Challenges, ch2.getID())
+	ba.Challenges = append(ba.Challenges, ch3.getID())
 
 	da := &dnsAuthz{ba}
 	if err := da.save(db, nil); err != nil {
 
@@ -173,7 +173,7 @@ func TestNewAuthz(t *testing.T) {
 				err: ServerInternalErr(errors.New("error creating http challenge: error saving acme challenge: force")),
 			}
 		},
-		"fail/new-dns-chall-error": func(t *testing.T) test {
+		"fail/new-tls-alpn-chall-error": func(t *testing.T) test {
 			count := 0
 			return test{
 				iden: iden,
@@ -186,6 +186,22 @@ func TestNewAuthz(t *testing.T) {
 						return nil, true, nil
 					},
 				},
+				err: ServerInternalErr(errors.New("error creating alpn challenge: error saving acme challenge: force")),
+			}
+		},
+		"fail/new-dns-chall-error": func(t *testing.T) test {
+			count := 0
+			return test{
+				iden: iden,
+				db: &db.MockNoSQLDB{
+					MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+						if count == 2 {
+							return nil, false, errors.New("force")
+						}
+						count++
+						return nil, true, nil
+					},
+				},
 				err: ServerInternalErr(errors.New("error creating dns challenge: error saving acme challenge: force")),
 			}
 		},
@@ -195,7 +211,7 @@ func TestNewAuthz(t *testing.T) {
 				iden: iden,
 				db: &db.MockNoSQLDB{
 					MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
-						if count == 2 {
+						if count == 3 {
 							return nil, false, errors.New("force")
 						}
 						count++
@@ -212,7 +228,7 @@ func TestNewAuthz(t *testing.T) {
 				iden: iden,
 				db: &db.MockNoSQLDB{
 					MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
-						if count == 2 {
+						if count == 3 {
 							assert.Equals(t, bucket, authzTable)
 							assert.Equals(t, old, nil)
 
@@ -690,7 +706,8 @@ func TestAuthzUpdateStatus(t *testing.T) {
 		},
 		"ok/valid": func(t *testing.T) test {
 			var (
-				ch2      challenge
+				ch3      challenge
+				ch2Bytes = &([]byte{})
 				ch1Bytes = &([]byte{})
 				err      error
 			)
@@ -701,7 +718,9 @@ func TestAuthzUpdateStatus(t *testing.T) {
 					if count == 0 {
 						*ch1Bytes = newval
 					} else if count == 1 {
-						ch2, err = unmarshalChallenge(newval)
+						*ch2Bytes = newval
+					} else if count == 2 {
+						ch3, err = unmarshalChallenge(newval)
 						assert.FatalError(t, err)
 					}
 					count++
@@ -717,10 +736,10 @@ func TestAuthzUpdateStatus(t *testing.T) {
 			assert.Fatal(t, ok)
 			_az.baseAuthz.Error = MalformedErr(nil)
 
-			_ch, ok := ch2.(*dns01Challenge)
+			_ch, ok := ch3.(*dns01Challenge)
 			assert.Fatal(t, ok)
 			_ch.baseChallenge.Status = StatusValid
-			chb, err := json.Marshal(ch2)
+			chb, err := json.Marshal(ch3)
 
 			clone := az.clone()
 			clone.Status = StatusValid
@@ -736,6 +755,10 @@ func TestAuthzUpdateStatus(t *testing.T) {
 							count++
 							return *ch1Bytes, nil
 						}
+						if count == 1 {
+							count++
+							return *ch2Bytes, nil
+						}
 						count++
 						return chb, nil
 					},
-Original file line number
+Diff line change
 coverage.txt
 vendor
 output
 +.idea