From a08a66d7ee07a2fc27cbe17c85e78c7e34076131 Mon Sep 17 00:00:00 2001
From: Lexi Winter
Date: Wed, 4 Jun 2025 12:46:22 +0100
Subject: add a challenge handler for ualpn(1)

---
 Makefile | 6 ++++--
 lfacme-ualpn.7.in | 41 +++++++++++++++++++++++++++++++++++++++++
 ualpn.sh.in | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+), 2 deletions(-)
 create mode 100644 lfacme-ualpn.7.in
 create mode 100644 ualpn.sh.in

diff --git a/Makefile b/Makefile
index 8aef3e8..bcf080d 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,8 @@ LIB= init.sh dnsutils.sh
 CHALLENGEMODE?= 0755
 CHALLENGE= dns.sh \
 	http.sh \
-	kerberos.sh
+	kerberos.sh \
+	ualpn.sh
 
 BINMODE?= 0755
 BIN= lfacme-renew.sh \
@@ -44,7 +45,8 @@ MAN5= acme.conf.5 \
 MAN7= lfacme.7 \
 	lfacme-dns.7 \
 	lfacme-http.7 \
-	lfacme-kerberos.7
+	lfacme-kerberos.7 \
+	lfacme-ualpn.7
 
 MAN8= lfacme-renew.8 \
 	lfacme-setup.8
diff --git a/lfacme-ualpn.7.in b/lfacme-ualpn.7.in
new file mode 100644
index 0000000..dceaa8d
--- /dev/null
+++ b/lfacme-ualpn.7.in
@@ -0,0 +1,41 @@
+.\" This source code is released into the public domain.
+.Dd June 4, 2025
+.Dt LFACME-UALPN 7
+.Os
+.Sh NAME
+.Nm lfacme-ualpn
+.Nd validate an ACME challenge via TLS using ualpn
+.Sh SYNOPSIS
+In
+.Xr domains.conf 5 :
+.Bd -ragged -offset indent
+.Ar domain
+challenge=ualpn
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+challenge hook will respond to an ACME domain validation using a TLS-based
+.Dq tls-alpn-01
+authorization.
+To use this challenge hook, configure one or more domains with
+.Dq challenge=ualpn
+in
+.Xr domains.conf 5 .
+.Pp
+The
+.Dq tls-alpn-01
+challenge expects the authorization token to be provided in response to a
+TLS connection to port 443 on the domain to be valided.
+This functionality is provided by the
+.Xr ualpn 1
+daemon, which is part of uacme.
+The
+.Xr ualpn 1
+daemon must be configured and running for this challenge handler to work.
+.Sh SEE ALSO
+.Xr acme.conf 5 ,
+.Xr domains.conf 5 ,
+.Xr lfacme 7 ,
+.Xr lfacme-renew 8 ,
+.Xr ualpn 1
diff --git a/ualpn.sh.in b/ualpn.sh.in
new file mode 100644
index 0000000..372ed27
--- /dev/null
+++ b/ualpn.sh.in
@@ -0,0 +1,55 @@
+#! /bin/sh
+# This source code is released into the public domain.
+
+. __LIBDIR__/init.sh
+
+# begin, done or failed
+ACTION=$1
+# ACME method, must be http-01.
+METHOD=$2
+# The full domain name we're authorising.
+DOMAIN=$3
+# Token name.
+TOKEN=$4
+# The token value we need to create.
+AUTH=$5
+
+if [ "$#" -ne 5 ]; then
+	_fatal "missing arguments"
+fi
+
+if [ "$METHOD" != "tls-alpn-01" ]; then
+	exit 1
+fi
+
+case "$ACTION" in
+	begin)
+		_verbose "creating validation token %s" "$_file"
+		status="$(ualpn <