🔱: [acme] sync upgrade with 7 commits [trident-sync]

CHANGELOG Fix tls-alpn-01 pebble test on Node v18+ Return correct tls-alpn-01 key authorization, tests Support tls-alpn-01 internal challenge verification Add tls-alpn-01 challenge test server support Add ALPN crypto utility methods
2026-04-24 12:27:25 +08:00 · 2024-01-30 19:24:20 +00:00
parent 08c1f338d5
commit fc9e71bed2
14 changed files with 389 additions and 42 deletions
@@ -2,6 +2,7 @@
 * Utility methods
 */

+const tls = require('tls');
 const dns = require('dns').promises;
 const { readCertificateInfo, splitPemChain } = require('./crypto');
 const { log } = require('./logger');
@@ -245,6 +246,60 @@ async function getAuthoritativeDnsResolver(recordName) {
 }


+/**
+ * Attempt to retrieve TLS ALPN certificate from peer
+ *
+ * https://nodejs.org/api/tls.html#tlsconnectoptions-callback
+ *
+ * @param {string} host Host the TLS client should connect to
+ * @param {number} port Port the client should connect to
+ * @param {string} servername Server name for the SNI (Server Name Indication)
+ * @returns {Promise<string>} PEM encoded certificate
+ */
+
+async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
+    return new Promise((resolve, reject) => {
+        let result;
+
+        /* TLS connection */
+        const socket = tls.connect({
+            host,
+            port,
+            servername: host,
+            rejectUnauthorized: false,
+            ALPNProtocols: ['acme-tls/1']
+        });
+
+        socket.setTimeout(timeout);
+        socket.setEncoding('utf-8');
+
+        /* Grab certificate once connected and close */
+        socket.on('secureConnect', () => {
+            result = socket.getPeerX509Certificate();
+            socket.end();
+        });
+
+        /* Errors */
+        socket.on('error', (err) => {
+            reject(err);
+        });
+
+        socket.on('timeout', () => {
+            socket.destroy(new Error('TLS ALPN certificate lookup request timed out'));
+        });
+
+        /* Done, return cert as PEM if found */
+        socket.on('end', () => {
+            if (result) {
+                return resolve(result.toString());
+            }
+
+            return reject(new Error('TLS ALPN lookup failed to retrieve certificate'));
+        });
+    });
+}
+
+
 /**
 * Export utils
 */
@@ -254,5 +309,6 @@ module.exports = {
    parseLinkHeader,
    findCertificateChainForIssuer,
    formatResponseError,
-    getAuthoritativeDnsResolver
+    getAuthoritativeDnsResolver,
+    retrieveTlsAlpnCertificate
 };