From da028ca9c27acf31a6266ae5c0abe53922da86b4 Mon Sep 17 00:00:00 2001
From: Roland Bracewell Shoemaker <roland@bracewel.net>
Date: Mon, 11 Jun 2018 11:59:57 -0700
Subject: [PATCH] Wrap TLS-ALPN extension with ASN.1 (#6089)

* Wrap TLS-ALPN extension with ASN.1

* Fix test
---
 acme/acme/challenges.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/acme/acme/challenges.py b/acme/acme/challenges.py
index ce788e2cc..30983e28f 100644
--- a/acme/acme/challenges.py
+++ b/acme/acme/challenges.py
@@ -546,7 +546,9 @@ class TLSALPN01Response(KeyAuthorizationChallengeResponse):
             key.generate_key(crypto.TYPE_RSA, bits)
 
 
-        der_value = b"DER:" + codecs.encode(self.h, 'hex')
+        # Instead of using a ASN.1 encoding library just append the OCTET STRING tag (0x04)
+        # and the length of the SHA256 hash (0x20) since both of these should never change
+        der_value = b"DER:0420" + codecs.encode(self.h, 'hex')
         acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1,
                 critical=True, value=der_value)
 
@@ -592,7 +594,8 @@ class TLSALPN01Response(KeyAuthorizationChallengeResponse):
             # way to get full OID of an unknown extension from pyopenssl.
             if ext.get_short_name() == b'UNDEF':
                 data = ext.get_data()
-                return data == self.h
+                # Add the ASN.1 tag/length prefix to the hash before comparison
+                return data == b'\x04\x20' + self.h
 
         return False