introduce send_device_attestation() for device-attest-01

christianhoelzl · christianhoelzl · commit 0acd83fee25f · 2025-07-07T11:03:30.000+02:00
diff --git a/src/order.rs b/src/order.rs
@@ -1,3 +1,4 @@
+use std::borrow::Cow;
 use std::ops::{ControlFlow, Deref};
 use std::sync::Arc;
 use std::time::{Duration, Instant, SystemTime};
@@ -12,7 +13,7 @@ use tokio::time::sleep;
 use crate::account::AccountInner;
 use crate::types::{
     Authorization, AuthorizationState, AuthorizationStatus, AuthorizedIdentifier, Challenge,
-    ChallengeType, Empty, FinalizeRequest, OrderState, OrderStatus, Problem,
+    ChallengeType, DeviceAttestation, Empty, FinalizeRequest, OrderState, OrderStatus, Problem,
 };
 use crate::{Error, Key, crypto, nonce_from_response, retry_after};
 
@@ -453,6 +454,42 @@ impl ChallengeHandle<'_> {
         }
     }
 
+    /// Notify the server that the challenge is ready and send device attestation
+    ///
+    /// This function is for the ACME challenge device-attest-01.
+    /// See <https://datatracker.ietf.org/doc/draft-acme-device-attest/> for details.
+    ///
+    /// Note: Do not use this function for http-01, tls-alpn-01 or dns-01 challenges.
+    ///
+    /// `payload` is the device attestation object as defined in link. Provide the attestation
+    /// object as a raw blob. Base64 encoding of the attestation object `payload.att_obj`
+    /// is done by this function.
+    pub async fn send_device_attestation(
+        &mut self,
+        payload: &DeviceAttestation<'_>,
+    ) -> Result<(), Error> {
+        if self.challenge.r#type != ChallengeType::DeviceAttest01 {
+            return Err(Error::Str("challenge type should be device-attest-01"));
+        }
+
+        // The DeviceAttestation struct can be used for base64 encoding.
+        let payload = DeviceAttestation {
+            att_obj: Cow::Owned(BASE64_URL_SAFE_NO_PAD.encode(&payload.att_obj).into()),
+        };
+
+        let rsp = self
+            .account
+            .post(Some(&payload), self.nonce.take(), &self.challenge.url)
+            .await?;
+
+        *self.nonce = nonce_from_response(&rsp);
+        let response = Problem::check::<Challenge>(rsp).await?;
+        match response.error {
+            Some(details) => Err(Error::Api(details)),
+            None => Ok(()),
+        }
+    }
+
     /// Create a [`KeyAuthorization`] for this challenge
     ///
     /// Combines a challenge's token with the thumbprint of the account's public key to compute
diff --git a/src/types.rs b/src/types.rs
@@ -704,6 +704,8 @@ pub enum ChallengeType {
     Dns01,
     #[serde(rename = "tls-alpn-01")]
     TlsAlpn01,
+    #[serde(rename = "device-attest-01")]
+    DeviceAttest01,
     #[serde(untagged)]
     Unknown(String),
 }
@@ -930,6 +932,14 @@ pub(crate) enum SigningAlgorithm {
     Hs256,
 }
 
+/// Attestation payload used for device-attest-01
+#[derive(Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct DeviceAttestation<'a> {
+    /// attestation payload
+    pub att_obj: Cow<'a, [u8]>,
+}
+
 #[derive(Debug, Serialize)]
 pub(crate) struct Empty {}
 
