From ba9e08243ab2c40083ee763fbb463344a5084d65 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 30 Dec 2024 12:55:32 -0800
Subject: [PATCH] Add attestation format to challenge

This commit adds the format of the payload to the challenge object.
---
 acme/challenge.go | 2 ++
 acme/challenge_test.go | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/acme/challenge.go b/acme/challenge.go
index 1dc39bf27..7ebb19748 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -89,6 +89,7 @@ type Challenge struct {
 	Target string `json:"target,omitempty"`
 	Error *Error `json:"error,omitempty"`
 	Payload []byte `json:"-"`
+	PayloadFormat string `json:"-"`
 }
 
 // ToLog enables response logging.
@@ -944,6 +945,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 	ch.Error = nil
 	ch.ValidatedAt = clock.Now().Format(time.RFC3339)
 	ch.Payload = payload
+	ch.PayloadFormat = format
 
 	// Store the fingerprint in the authorization.
 	//
diff --git a/acme/challenge_test.go b/acme/challenge_test.go
index d17bcb216..f0c7ae28f 100644
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@@ -151,6 +151,8 @@ func mustAttestApple(t *testing.T, nonce string) ([]byte, *x509.Certificate, *x5
 }
 
 func mustAttestYubikey(t *testing.T, _, keyAuthorization string, serial int) ([]byte, *x509.Certificate, *x509.Certificate) {
+	t.Helper()
+
 	ca, err := minica.New()
 	fatalError(t, err)
 
@@ -821,6 +823,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewError(ErrorRejectedIdentifierType, "payload contained error: an error")
 
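Review bot: The new PayloadFormat field in the Challenge struct carries no doc comment, and nothing in the hunk says which values it can take or that, like Payload, it is deliberately kept out of the JSON response by `json:"-"`. A comment such as `// PayloadFormat is the attestation statement format (for example "step") that produced Payload. It is set only after the attestation has been validated and, like Payload, is never serialized to clients.` would make both points explicit. Whether the field is also persisted by the DB layer cannot be told from this diff; if the stored challenge type has its own field mapping, it may need the same addition.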
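Review bot: The `ch.PayloadFormat = format` assignment in deviceAttest01Validate has no comment, and because `format` originates in the client-supplied attestation object (the tests on this page reject it with "unsupported attestation object format" and "attestation format %q is not enabled"), a reader should be told it is already constrained to an enabled format by the time it is stored next to ValidatedAt. Suggested comment above the line: `// format was checked against the enabled attestation formats before this point; keep it with the payload it describes.` deviceAttest01Validate starts and ends outside this hunk, so the location of that check is inferred from the test error messages rather than visible here.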
@@ -873,6 +876,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "1234", updch.Value)
 				assert.Equal(t, payload, updch.Payload)
+				assert.Equal(t, "step", updch.PayloadFormat)
 
 				return nil
 			},
@@ -4007,6 +4011,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewError(ErrorRejectedIdentifierType, "payload contained error: an error")
 
@@ -4046,6 +4051,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "failed base64 decoding attObj %q", "?!")
 
@@ -4085,6 +4091,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "attObj must not be empty")
 
@@ -4124,6 +4131,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "attObj must not be empty")
 
@@ -4163,6 +4171,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "attObj is not well formed CBOR: unexpected EOF")
 
@@ -4204,6 +4213,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "unsupported attestation object format %q", "unsupported-format")
 
@@ -4250,6 +4260,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewError(ErrorBadAttestationStatementType, "attestation format %q is not enabled", "step")
 
@@ -4306,6 +4317,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")
 
@@ -4354,6 +4366,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "serial-number", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "challenge token does not match")
 
@@ -4401,6 +4414,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "non-matching-value", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				subproblem := NewSubproblemWithIdentifier(
 					ErrorRejectedIdentifierType,
@@ -4480,6 +4494,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")
 
@@ -4535,6 +4550,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, "permanent identifier does not match").
 					AddSubproblems(NewSubproblemWithIdentifier(
@@ -4631,6 +4647,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Nil(t, updch.Payload)
+				assert.Empty(t, updch.PayloadFormat)
 
 				err := NewDetailedError(ErrorBadAttestationStatementType, `unsupported attestation object format "bogus-format"`)
 
@@ -4724,6 +4741,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Equal(t, payload, updch.Payload)
+				assert.Equal(t, "step", updch.PayloadFormat)
 
 				return errors.New("force")
 			},
@@ -4771,6 +4789,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 				assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 				assert.Equal(t, "12345678", updch.Value)
 				assert.Equal(t, payload, updch.Payload)
+				assert.Equal(t, "step", updch.PayloadFormat)
 
 				return nil
 			},