introduce send_device_attestation() for device-attest-01

Author: christianhoelzl

src/order.rs

@@ -12,7 +12,7 @@ use tokio::time::sleep;
 use crate::account::AccountInner;
 use crate::types::{
     Authorization, AuthorizationState, AuthorizationStatus, AuthorizedIdentifier, Challenge,
-    ChallengeType, Empty, FinalizeRequest, OrderState, OrderStatus, Problem,
+    ChallengeType, DeviceAttestation, Empty, FinalizeRequest, OrderState, OrderStatus, Problem,
 };
 use crate::{Error, Key, crypto, nonce_from_response, retry_after};
 
@@ -453,6 +453,44 @@ impl ChallengeHandle<'_> {
         }
     }
 
+    /// Notify the server that the challenge is ready and send device attestation
+    ///
+    /// This function is for the ACME challenge device-attest-01.
+    /// See <https://datatracker.ietf.org/doc/draft-acme-device-attest/> for details.
+    ///
+    /// Note: Do not use this function for http-01, tls-alpn-01 or dns-01 challenges.
+    ///
+    /// `payload` is the device attestation object as defined in link. Provide the attestation
+    /// object as a raw blob. Base64 encoding of the attestation object `payload.att_obj`
+    /// is done by this function.
+    pub async fn send_device_attestation(
+        &mut self,
+        payload: &DeviceAttestation,
+    ) -> Result<(), Error> {
+        if self.challenge.r#type != ChallengeType::DeviceAttest01 {
+            return Err(Error::Str("challenge type should be device-attest-01"));
+        }
+
+        // The DeviceAttestation struct can be used for base64 encoding.
+        let payload = DeviceAttestation {
+            att_obj: BASE64_URL_SAFE_NO_PAD
+                .encode(payload.att_obj.as_slice())
+                .into_bytes(),
+        };
+
+        let rsp = self
+            .account
+            .post(Some(&payload), self.nonce.take(), &self.challenge.url)
+            .await?;
+
+        *self.nonce = nonce_from_response(&rsp);
+        let response = Problem::check::<Challenge>(rsp).await?;
+        match response.error {
+            Some(details) => Err(Error::Api(details)),
+            None => Ok(()),
+        }
+    }
+
     /// Create a [`KeyAuthorization`] for this challenge
     ///
     /// Combines a challenge's token with the thumbprint of the account's public key to compute

src/types.rs

@@ -714,6 +714,8 @@ pub enum ChallengeType {
     Dns01,
     #[serde(rename = "tls-alpn-01")]
     TlsAlpn01,
+    #[serde(rename = "device-attest-01")]
+    DeviceAttest01,
     #[serde(untagged)]
     Unknown(String),
 }
@@ -943,6 +945,14 @@ pub(crate) enum SigningAlgorithm {
 #[derive(Debug, Serialize)]
 pub(crate) struct Empty {}
 
+/// Attestation payload used for device-attest-01
+#[derive(Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct DeviceAttestation {
+    /// attestation payload
+    pub att_obj: Vec<u8>,
+}
+
 #[cfg(test)]
 mod tests {
     #[cfg(feature = "x509-parser")]