ACME: tls-alpn-01 challenge solver implementation.

Author: bavshin-f5

README.md

@@ -11,11 +11,14 @@ certificate management (ACMEv2) protocol.
 
 The module implements following specifications:
 
- * [RFC8555] (Automatic Certificate Management Environment) with limitations:
-     * Only HTTP-01 challenge type is supported
+- [RFC8555] (Automatic Certificate Management Environment) with limitations:
+    - Only HTTP-01 challenge type is supported
+- [RFC8737] (ACME TLS Application-Layer Protocol Negotiation (ALPN) Challenge
+  Extension)
 
 [NGINX]: https://nginx.org/
 [RFC8555]: https://www.rfc-editor.org/rfc/rfc8555.html
+[RFC8737]: https://www.rfc-editor.org/rfc/rfc8737.html
 
 ## Getting Started
 
@@ -188,6 +191,19 @@ Accepted values:
 The generated account keys are preserved across reloads, but will be lost on
 restart unless [state_path](#state_path) is configured.
 
+### challenge
+
+**Syntax:** challenge `type`
+
+**Default:** http-01
+
+**Context:** acme_issuer
+
+Sets challenge type used for this issuer. Allowed values:
+
+- `http-01`
+- `tls-alpn-01`
+
 ### contact
 
 **Syntax:** contact `url`

build.rs

@@ -54,13 +54,18 @@ fn detect_nginx_features() {
     // Generate cfg values for version checks
 
     println!("cargo::rustc-check-cfg=cfg(ngx_ssl_cache)");
+    println!("cargo::rustc-check-cfg=cfg(ngx_ssl_client_hello_cb)");
     println!("cargo::rerun-if-env-changed=DEP_NGINX_VERSION_NUMBER");
     if let Ok(version) = env::var("DEP_NGINX_VERSION_NUMBER") {
         let version: u64 = version.parse().unwrap();
 
         if version >= 1_027_002 {
             println!("cargo::rustc-cfg=ngx_ssl_cache");
         }
+
+        if version >= 1_029_002 {
+            println!("cargo::rustc-cfg=ngx_ssl_client_hello_cb");
+        }
     }
 }
 

src/acme.rs

@@ -41,7 +41,13 @@ pub struct NewCertificateOutput {
 }
 
 pub struct AuthorizationContext<'a> {
+    /// Account key thumbprint.
     pub thumbprint: &'a [u8],
+    /// A private key generated for the new certificate request.
+    ///
+    /// This is used in tls-alpn-01 challenge to avoid generating a new key on each verification
+    /// attempt.
+    pub pkey: &'a PKeyRef<Private>,
 }
 
 pub struct AcmeClient<'a, Http>
@@ -357,6 +363,7 @@ where
 
         let order = AuthorizationContext {
             thumbprint: self.key.thumbprint(),
+            pkey: &pkey,
         };
 
         for (url, authorization) in authorizations {

src/acme/solvers.rs

@@ -10,6 +10,7 @@ use super::AuthorizationContext;
 use crate::conf::identifier::Identifier;
 
 pub mod http;
+pub mod tls_alpn;
 
 #[derive(Debug, Error)]
 #[error("challenge registration failed: {0}")]