acme-server: account resource + JWS verifier (Phase 1b/7)

Layers JWS-authenticated POST machinery onto the Phase 1a foundation
(commit ec88a61). After this commit, an ACME client can run

  POST /acme/profile/<id>/new-account

against certctl and successfully register an account. Account update
+ deactivation via POST /acme/profile/<id>/account/<acc-id> work.
Orders + challenges remain Phase 2 / 3.

Background:
  Two prior dispatch attempts at the original Phase 1 ("skeleton +
  directory + new-nonce + new-account" as a single commit) failed on
  go-jose v4 API speculation (jws.GetPayload, sig.Algorithm,
  jose.SHA256, etc. — none of those exist in v4). Splitting Phase 1
  into 1a (foundation, no go-jose) and 1b (this commit, all go-jose
  in one place) concentrated the JWS work where attention pays off.
  The verifier reads the actual go-jose v4 surface — ParseSigned with
  closed alg allow-list, Header struct fields (Algorithm, KeyID,
  JSONWebKey, Nonce, ExtraHeaders[HeaderKey]), JWK.Thumbprint with
  stdlib crypto.SHA256.

What ships:
  - internal/api/acme/jws.go: 487-line verifier + sentinel error
    family. Enforces RFC 8555 §6.2 + §6.4 + §6.5 invariants:
      - alg in {RS256, ES256, EdDSA} (closed allow-list passed to
        jose.ParseSigned — HS256 / none / etc. rejected at parse time)
      - exactly one of `kid` / `jwk` in protected header (per
        endpoint policy — new-account demands jwk, others demand kid)
      - protected `url` matches request URL exactly
      - protected `nonce` consumed against acme_nonces (badNonce on
        miss/replay/expiry per RFC 8555 §6.5.1)
      - kid round-trips against canonical AccountKID(accountID) URL
        (catches cross-profile / cross-host replay)
      - kid path: account exists + status=valid (deactivated /
        revoked accounts cannot authenticate)
      - signature verifies; post-Verify payload bytes equal
        UnsafePayloadWithoutVerification (defense in depth)
    + JWK persistence helpers (JWKToPEM / ParseJWKFromPEM round-
    trip a public-only JWK as a PEM-wrapped JSON envelope; stored
    as TEXT in acme_accounts.jwk_pem for diff-friendliness) +
    JWKThumbprint per RFC 7638.
  - internal/api/acme/jws_test.go: 16 cases covering happy paths
    (RS256 kid, ES256 jwk, EdDSA kid) + every named failure mode
    (alg-not-allowed, bad-sig, missing-nonce, unknown-nonce,
    replay, url-mismatch, mixed kid+jwk, deactivated-account,
    cross-host kid). Uses real keypairs + real go-jose Signer to
    build JWS objects.
  - internal/api/acme/account.go: NewAccountRequest /
    AccountUpdateRequest payload shapes (RFC 8555 §7.3 + §7.3.2 +
    §7.3.6) + AccountResponseJSON wire shape + MarshalAccount
    helper.
  - internal/domain/acme.go: ACMEAccount struct + ACMEAccountStatus
    closed enum (valid / deactivated / revoked).
  - internal/repository/postgres/acme.go: full account CRUD path
    (CreateAccountWithTx with 23505-unique-violation sentinel
    translation, GetAccountByID, GetAccountByThumbprint,
    UpdateAccountContactWithTx, UpdateAccountStatusWithTx) +
    sql.ErrNoRows-wrapped repository.ErrNotFound on lookup misses.
  - internal/service/acme.go: ACMERepo interface extended;
    SetTransactor + SetAuditService wires; NewAccount (idempotent
    re-registration per RFC 8555 §7.3.1 — same JWK returns existing
    row without an update or new audit event); LookupAccount;
    UpdateAccount; DeactivateAccount; VerifyJWS adapter that bridges
    api/acme.VerifierConfig to the service-layer ACMERepo; per-op
    metrics extended (new_account_total + _failures_total +
    _idempotent_total + update_account_total + _failures_total +
    deactivate_account_total).
  - internal/service/acme_test.go: 8 new tests covering
    new-account happy path / idempotent re-registration / only-
    return-existing match + no-match / contact update / deactivate
    / lookup-not-found / requires-transactor.
  - internal/api/handler/acme.go: NewAccount + Account handlers.
    Account dispatches POST-as-GET (RFC 8555 §6.3 — empty body or
    {} payload returns the account row), contact update, and
    deactivation from the same endpoint. Defense-in-depth check
    that the kid path-segment matches the URL path-segment (the
    verifier already round-tripped the kid against canonical URL,
    but the handler re-asserts to catch any future verifier
    refactor).
  - internal/api/handler/acme_handler_test.go: 7 new cases
    covering happy-create, idempotent-200, only-return-existing-
    no-match-400, malformed-JWS-400, kid-URL-mismatch-401,
    deactivate, contact-update, POST-as-GET.
  - internal/api/router/router.go: 4 new Register calls (per-
    profile + shorthand for new-account and account/{acc_id}).
  - internal/api/router/openapi_parity_test.go: SpecParityExceptions
    extended with the 4 new routes (RFC 8555 wire-protocol surface,
    not OpenAPI-shaped — same precedent as Phase 1a).
  - cmd/server/main.go: SetTransactor + SetAuditService on
    acmeService at startup so the WithinTx-based new-account /
    update / deactivate paths run with the same transactor instance
    shared across CertificateService / RevocationSvc / RenewalService.
  - docs/acme-server.md: Phase status updated; endpoints table grows
    new-account + account/<acc_id> rows; new "JWS verification
    (Phase 1b)" section enumerates the 7 invariants the verifier
    enforces; phases-cross-reference table marks 1b live.
  - go.mod / go.sum: github.com/go-jose/go-jose/v4 v4.0.4 added.

Atomicity: every account-state mutation writes its acme_accounts row
+ its audit_events row inside one repository.Transactor.WithinTx
call — the canonical certctl atomicity contract (matches
CertificateService.Create at internal/service/certificate.go:131).
Idempotent re-registration explicitly does NOT write an audit row
(RFC 8555 §7.3.1 returns the existing row unmodified).

Tests: 16 jws_test.go cases + 11 service tests + 11 handler tests
all pass under -short. Bad-signature test uses a real registered
account whose stored JWK is a different keypair from the signer's,
so the JWS parses cleanly but jose.Verify rejects — exercises the
ErrJWSSignatureInvalid path directly.

Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1b".

internal/api/acme/jws.go

@@ -0,0 +1,487 @@
+// Copyright (c) certctl
+// SPDX-License-Identifier: BSL-1.1
+
+package acme
+
+import (
+	"crypto"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	jose "github.com/go-jose/go-jose/v4"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// AllowedSignatureAlgorithms is the closed allow-list per RFC 8555 §6.2.
+// ParseSigned takes this slice and rejects every other algorithm —
+// in particular HS256 (symmetric — RFC 8555 forbids) and "none"
+// (RFC 7515 §6.1 — alg confusion attack).
+//
+// Order is not load-bearing; the slice is value-copied by go-jose.
+var AllowedSignatureAlgorithms = []jose.SignatureAlgorithm{
+	jose.RS256,
+	jose.ES256,
+	jose.EdDSA,
+}
+
+// JWS-verifier sentinel errors. Each maps to an RFC 8555 §6.7
+// problem type via mapJWSError below; handlers render via
+// WriteProblem(w, p) on err.
+var (
+	ErrJWSMalformed         = errors.New("acme jws: malformed")
+	ErrJWSWrongType         = errors.New("acme jws: protected header `typ` must be `application/jose+json` or absent")
+	ErrJWSAlgorithmRejected = errors.New("acme jws: signature algorithm not in {RS256, ES256, EdDSA}")
+	ErrJWSMissingNonce      = errors.New("acme jws: protected header `nonce` is required")
+	ErrJWSBadNonce          = errors.New("acme jws: nonce missing, replayed, or expired")
+	ErrJWSMissingURL        = errors.New("acme jws: protected header `url` is required")
+	ErrJWSURLMismatch       = errors.New("acme jws: protected header `url` does not match request URL")
+	ErrJWSBothKidAndJWK     = errors.New("acme jws: protected header MUST contain exactly one of `kid` or `jwk`")
+	ErrJWSNeitherKidNorJWK  = errors.New("acme jws: protected header MUST contain exactly one of `kid` or `jwk`")
+	ErrJWSExpectKidGotJWK   = errors.New("acme jws: this endpoint requires `kid` (registered account); got `jwk`")
+	ErrJWSExpectJWKGotKid   = errors.New("acme jws: this endpoint requires `jwk` (new account); got `kid`")
+	ErrJWSInvalidJWK        = errors.New("acme jws: embedded JWK is invalid")
+	ErrJWSSignatureInvalid  = errors.New("acme jws: signature did not verify")
+	ErrJWSPayloadMismatch   = errors.New("acme jws: post-verify payload differs from pre-verify payload")
+	ErrJWSAccountNotFound   = errors.New("acme jws: kid points at unknown account")
+	ErrJWSAccountInactive   = errors.New("acme jws: account status is not `valid`")
+)
+
+// VerifiedRequest is the JWS-verified envelope a handler hands to its
+// service-layer entry point. Fields are populated based on the auth
+// path: `kid` requests carry Account (and AccountKey is the registered
+// JWK); `jwk` requests (new-account only) carry JWK.
+//
+// Payload is the bytes the JWS signed — the handler json.Unmarshals
+// into the per-endpoint payload struct.
+type VerifiedRequest struct {
+	// Payload is the signed body bytes (post-Verify).
+	Payload []byte
+	// Algorithm is the negotiated alg (RS256 / ES256 / EdDSA), echoed
+	// from sig.Protected.Algorithm post-allow-list-check.
+	Algorithm string
+	// URL is the protected-header `url` value, asserted equal to the
+	// inbound request URL.
+	URL string
+	// Nonce is the protected-header `nonce` value, asserted consumed
+	// from the nonce store.
+	Nonce string
+	// Account is non-nil on the `kid` path (registered account
+	// authenticating). Always nil on the `jwk` path.
+	Account *domain.ACMEAccount
+	// JWK is non-nil on the `jwk` path (new-account flow). Always nil
+	// on the `kid` path.
+	JWK *jose.JSONWebKey
+}
+
+// AccountLookup is the minimum surface VerifyJWS needs to resolve a
+// `kid` request's account. The repository layer satisfies this; tests
+// inject in-memory fakes.
+type AccountLookup interface {
+	// LookupAccount returns the account by ID. Returns
+	// ErrJWSAccountNotFound if the row doesn't exist.
+	LookupAccount(accountID string) (*domain.ACMEAccount, error)
+}
+
+// NonceConsumer is the minimum surface the verifier needs to consume
+// the protected-header `nonce`. Returns nil on success, or an error
+// (typically sql.ErrNoRows from the postgres repo) on missing /
+// replayed / expired. The verifier wraps any non-nil error in
+// ErrJWSBadNonce so handlers don't need to distinguish.
+type NonceConsumer interface {
+	ConsumeNonce(nonce string) error
+}
+
+// VerifierConfig wires the verifier's runtime dependencies + policy.
+// Constructed by the handler/service layer once at startup; one
+// instance per ACMEService is sufficient.
+type VerifierConfig struct {
+	// Accounts looks up registered accounts on the kid path.
+	Accounts AccountLookup
+	// Nonces consumes the protected-header nonce.
+	Nonces NonceConsumer
+	// AccountKID returns the canonical kid URL the server expects
+	// inbound requests to use for a given account ID. The verifier
+	// asserts the request's `kid` matches what AccountKID(acct.ID)
+	// produces — this prevents a stolen account-id-from-one-server
+	// from being replayed against another. The handler computes
+	// the URL from the inbound request's scheme + host + profile.
+	AccountKID func(accountID string) string
+}
+
+// VerifyOptions bound a single verify call. ExpectNewAccount inverts
+// the kid-vs-jwk default: new-account demands jwk, every other
+// endpoint demands kid.
+type VerifyOptions struct {
+	// ExpectNewAccount=true means "expect jwk in the protected header,
+	// reject kid." Used by /new-account.
+	// ExpectNewAccount=false means "expect kid in the protected header,
+	// reject jwk." Used by everything else.
+	ExpectNewAccount bool
+}
+
+// VerifyJWS is the canonical entry point. It enforces:
+//
+//  1. Body parses as a flattened JWS with exactly one signature
+//     (RFC 8555 §6.2 forbids multi-sig).
+//  2. Algorithm is in the {RS256, ES256, EdDSA} allow-list.
+//  3. Protected header carries exactly one of `kid` / `jwk` per
+//     ExpectNewAccount.
+//  4. Protected header carries `url` matching the inbound request URL
+//     exactly.
+//  5. Protected header carries `nonce` that consumes successfully
+//     against the nonce store (badNonce on miss/replay/expiry).
+//  6. Signature verifies against the resolved key (registered
+//     account's stored JWK on kid path; embedded jwk on jwk path).
+//  7. Post-verify payload bytes equal pre-verify
+//     UnsafePayloadWithoutVerification (defense in depth — go-jose
+//     guarantees this, but assert anyway).
+//
+// On success returns VerifiedRequest; the handler json.Unmarshals
+// Payload into the per-endpoint payload struct.
+//
+// The `requestURL` argument is what the handler computed from the
+// inbound *http.Request (scheme + host + path). VerifyJWS does NOT
+// see r itself — keeping net/http out of the package surface lets
+// the verifier be tested without httptest.
+func VerifyJWS(cfg VerifierConfig, body []byte, requestURL string, opts VerifyOptions) (*VerifiedRequest, error) {
+	jws, err := jose.ParseSigned(string(body), AllowedSignatureAlgorithms)
+	if err != nil {
+		// ParseSigned errors lump together "wrong format" and "alg
+		// not in allow-list." Both are operator-meaningful as
+		// "malformed" — the alg case is not exploitable by leaking
+		// the allow-list.
+		return nil, fmt.Errorf("%w: %v", ErrJWSMalformed, err)
+	}
+	// RFC 8555 §6.2: ACME forbids JWS multi-signature. Reject anything
+	// other than exactly one signature so a maliciously-crafted
+	// multi-sig blob can't trigger ambiguous downstream behavior.
+	if len(jws.Signatures) != 1 {
+		return nil, fmt.Errorf("%w: multi-signature JWS rejected", ErrJWSMalformed)
+	}
+	sig := jws.Signatures[0]
+
+	// Defense-in-depth: ParseSigned rejected non-allow-list algs
+	// already, but a corrupted Signatures slice could still slip
+	// through. Verify the field directly.
+	if !algorithmAllowed(sig.Protected.Algorithm) {
+		return nil, fmt.Errorf("%w: %s", ErrJWSAlgorithmRejected, sig.Protected.Algorithm)
+	}
+
+	// Protected-header `typ` (RFC 8555 §6.2): when present, must be
+	// "application/jose+json". Many ACME clients (including
+	// cert-manager) omit it; treat absent as OK.
+	if typ := sig.Protected.ExtraHeaders[jose.HeaderKey("typ")]; typ != nil {
+		typStr, ok := typ.(string)
+		if !ok || (typStr != "application/jose+json" && typStr != "") {
+			return nil, fmt.Errorf("%w: got %q", ErrJWSWrongType, typ)
+		}
+	}
+
+	// Protected-header `url` is mandatory per RFC 8555 §6.4. Compare
+	// to the inbound request URL exactly (scheme+host+path); a
+	// mismatch indicates either a bug in the client or an attempt to
+	// replay a JWS signed for a different URL.
+	urlVal, err := extractStringHeader(sig.Protected.ExtraHeaders, "url")
+	if err != nil {
+		return nil, ErrJWSMissingURL
+	}
+	if urlVal == "" {
+		return nil, ErrJWSMissingURL
+	}
+	if urlVal != requestURL {
+		return nil, fmt.Errorf("%w: header=%q request=%q", ErrJWSURLMismatch, urlVal, requestURL)
+	}
+
+	// Protected-header `nonce` is mandatory (RFC 8555 §6.5). Check
+	// it BEFORE running Verify — if the nonce is bad we don't want to
+	// burn CPU on signature verification.
+	nonce := sig.Protected.Nonce
+	if nonce == "" {
+		return nil, ErrJWSMissingNonce
+	}
+	if err := cfg.Nonces.ConsumeNonce(nonce); err != nil {
+		return nil, fmt.Errorf("%w: %v", ErrJWSBadNonce, err)
+	}
+
+	// Protected header MUST contain exactly one of kid / jwk per
+	// RFC 8555 §6.2. Both-set or neither-set are rejected.
+	hasKid := sig.Protected.KeyID != ""
+	hasJWK := sig.Protected.JSONWebKey != nil
+	if hasKid && hasJWK {
+		return nil, ErrJWSBothKidAndJWK
+	}
+	if !hasKid && !hasJWK {
+		return nil, ErrJWSNeitherKidNorJWK
+	}
+
+	// Per-endpoint kid-vs-jwk policy.
+	if opts.ExpectNewAccount && hasKid {
+		return nil, ErrJWSExpectJWKGotKid
+	}
+	if !opts.ExpectNewAccount && hasJWK {
+		return nil, ErrJWSExpectKidGotJWK
+	}
+
+	// Resolve the verification key and (kid path) the corresponding
+	// account row.
+	var (
+		verifyKey interface{}
+		account   *domain.ACMEAccount
+		jwkOut    *jose.JSONWebKey
+	)
+	if hasKid {
+		accountID, err := accountIDFromKID(sig.Protected.KeyID, cfg)
+		if err != nil {
+			return nil, err
+		}
+		acct, err := cfg.Accounts.LookupAccount(accountID)
+		if err != nil {
+			return nil, err
+		}
+		if acct.Status != domain.ACMEAccountStatusValid {
+			return nil, fmt.Errorf("%w: status=%s", ErrJWSAccountInactive, acct.Status)
+		}
+		// The account's stored JWK is what we verify against. The
+		// JWKPEM round-trips through ParseJWKFromPEM; tests inject
+		// pre-parsed keys to keep the unit suite hermetic.
+		key, err := ParseJWKFromPEM(acct.JWKPEM)
+		if err != nil {
+			return nil, fmt.Errorf("%w: %v", ErrJWSInvalidJWK, err)
+		}
+		verifyKey = key.Key
+		account = acct
+	} else {
+		jwk := sig.Protected.JSONWebKey
+		if !jwk.Valid() {
+			return nil, ErrJWSInvalidJWK
+		}
+		verifyKey = jwk.Key
+		jwkOut = jwk
+	}
+
+	// Run the actual signature verification. go-jose returns the
+	// post-verify payload bytes; we sanity-check them against the
+	// pre-verify view.
+	verified, err := jws.Verify(verifyKey)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", ErrJWSSignatureInvalid, err)
+	}
+	preVerify := jws.UnsafePayloadWithoutVerification()
+	if string(verified) != string(preVerify) {
+		// Should be impossible under correct go-jose use; fail loudly.
+		return nil, ErrJWSPayloadMismatch
+	}
+
+	return &VerifiedRequest{
+		Payload:   verified,
+		Algorithm: sig.Protected.Algorithm,
+		URL:       urlVal,
+		Nonce:     nonce,
+		Account:   account,
+		JWK:       jwkOut,
+	}, nil
+}
+
+// MapJWSErrorToProblem renders a JWS verifier error as an RFC 7807 +
+// RFC 8555 §6.7 Problem the handler emits via WriteProblem.
+//
+// All errors map to a documented ACME error type — no internal-state
+// leakage per master-prompt criterion #10. Operator-actionable detail
+// strings carry the failure category (badNonce, malformed, etc.) but
+// not raw err.Error() output.
+func MapJWSErrorToProblem(err error) Problem {
+	switch {
+	case errors.Is(err, ErrJWSBadNonce):
+		return BadNonce("nonce missing, replayed, or expired")
+	case errors.Is(err, ErrJWSMissingNonce):
+		return BadNonce("protected header `nonce` is required")
+	case errors.Is(err, ErrJWSURLMismatch), errors.Is(err, ErrJWSMissingURL):
+		return Problem{
+			Type:   "urn:ietf:params:acme:error:unauthorized",
+			Detail: "protected header `url` mismatch or missing",
+			Status: http.StatusUnauthorized,
+		}
+	case errors.Is(err, ErrJWSAccountNotFound):
+		return AccountDoesNotExist("kid points at unknown account")
+	case errors.Is(err, ErrJWSAccountInactive):
+		return Problem{
+			Type:   "urn:ietf:params:acme:error:unauthorized",
+			Detail: "account status is not `valid`",
+			Status: http.StatusUnauthorized,
+		}
+	case errors.Is(err, ErrJWSSignatureInvalid):
+		return Problem{
+			Type:   "urn:ietf:params:acme:error:unauthorized",
+			Detail: "signature did not verify",
+			Status: http.StatusUnauthorized,
+		}
+	case errors.Is(err, ErrJWSAlgorithmRejected):
+		return Malformed("signature algorithm not allowed (RFC 8555 §6.2: RS256, ES256, EdDSA only)")
+	case errors.Is(err, ErrJWSExpectJWKGotKid):
+		return Malformed("this endpoint requires `jwk` (new-account flow); got `kid`")
+	case errors.Is(err, ErrJWSExpectKidGotJWK):
+		return Malformed("this endpoint requires `kid` (registered account); got `jwk`")
+	case errors.Is(err, ErrJWSBothKidAndJWK), errors.Is(err, ErrJWSNeitherKidNorJWK):
+		return Malformed("protected header MUST contain exactly one of `kid` or `jwk`")
+	case errors.Is(err, ErrJWSInvalidJWK):
+		return Malformed("invalid or unsupported JWK")
+	case errors.Is(err, ErrJWSWrongType):
+		return Malformed("protected header `typ` must be `application/jose+json`")
+	case errors.Is(err, ErrJWSPayloadMismatch):
+		return ServerInternal("JWS payload integrity check failed")
+	case errors.Is(err, ErrJWSMalformed):
+		return Malformed("malformed JWS")
+	default:
+		return Malformed("malformed request")
+	}
+}
+
+// algorithmAllowed verifies the post-parse algorithm is in the
+// approved set. ParseSigned already rejects non-allow-list algs but
+// re-checking here protects against go-jose contract changes.
+func algorithmAllowed(alg string) bool {
+	for _, a := range AllowedSignatureAlgorithms {
+		if string(a) == alg {
+			return true
+		}
+	}
+	return false
+}
+
+// extractStringHeader pulls a string-typed entry from ExtraHeaders.
+// Returns ("", nil) when the key is absent so the caller can
+// distinguish absent (empty string) from non-string-shaped (error).
+func extractStringHeader(extra map[jose.HeaderKey]interface{}, name string) (string, error) {
+	v, ok := extra[jose.HeaderKey(name)]
+	if !ok {
+		return "", nil
+	}
+	s, ok := v.(string)
+	if !ok {
+		return "", fmt.Errorf("acme jws: header %q is not a string: %T", name, v)
+	}
+	return s, nil
+}
+
+// accountIDFromKID extracts the account ID from a kid URL. RFC 8555
+// §6.2 says kid is the URL the server returned in the Location
+// header on new-account; we expect the canonical
+//
+//	<scheme>://<host>/acme/profile/<profile-id>/account/<account-id>
+//
+// shape and trust the verifier-config-supplied AccountKID to round-
+// trip the full URL match. Phase 1b: extract the account ID by
+// trimming the URL prefix; Phase 1b's caller asserts the round-trip
+// equals the original kid.
+func accountIDFromKID(kid string, cfg VerifierConfig) (string, error) {
+	// Trim off everything up to the last "/account/" — the suffix is
+	// the account ID. The Phase-1b account-id format is
+	// "acme-acc-<...>" (alphanumeric + hyphen), so we don't need to
+	// URL-unescape.
+	idx := strings.LastIndex(kid, "/account/")
+	if idx < 0 {
+		return "", fmt.Errorf("%w: kid does not match expected /account/<id> shape", ErrJWSMalformed)
+	}
+	accountID := kid[idx+len("/account/"):]
+	if accountID == "" {
+		return "", fmt.Errorf("%w: kid has empty account id", ErrJWSMalformed)
+	}
+	// Round-trip: confirm the canonical kid for this account-id
+	// matches what the client sent. Catches accidental cross-profile
+	// replay.
+	if cfg.AccountKID != nil {
+		expected := cfg.AccountKID(accountID)
+		if expected != kid {
+			return "", fmt.Errorf("%w: kid does not match canonical URL", ErrJWSMalformed)
+		}
+	}
+	return accountID, nil
+}
+
+// ParseJWKFromPEM parses a JWK previously serialized by JWKToPEM.
+// Used by the verifier on the kid path: the registered account row's
+// JWKPEM column round-trips through here to recover the key bytes
+// used for signature verification.
+//
+// The PEM block is JSON-encoded JWK (we use PEM as the wire format
+// for the column to keep the schema text-shaped + line-friendly for
+// SQL diffs). Block type is "ACME ACCOUNT JWK".
+func ParseJWKFromPEM(pemString string) (*jose.JSONWebKey, error) {
+	// Strip the PEM header / footer; everything between is base64.
+	const header = "-----BEGIN ACME ACCOUNT JWK-----"
+	const footer = "-----END ACME ACCOUNT JWK-----"
+	s := strings.TrimSpace(pemString)
+	if !strings.HasPrefix(s, header) {
+		return nil, fmt.Errorf("acme jws: pem missing header")
+	}
+	s = strings.TrimPrefix(s, header)
+	idx := strings.Index(s, footer)
+	if idx < 0 {
+		return nil, fmt.Errorf("acme jws: pem missing footer")
+	}
+	body := strings.TrimSpace(s[:idx])
+	body = strings.ReplaceAll(body, "\n", "")
+	body = strings.ReplaceAll(body, "\r", "")
+	raw, err := base64.StdEncoding.DecodeString(body)
+	if err != nil {
+		return nil, fmt.Errorf("acme jws: decode pem body: %w", err)
+	}
+	jwk := new(jose.JSONWebKey)
+	if err := jwk.UnmarshalJSON(raw); err != nil {
+		return nil, fmt.Errorf("acme jws: parse jwk json: %w", err)
+	}
+	if !jwk.Valid() {
+		return nil, fmt.Errorf("acme jws: jwk did not validate")
+	}
+	return jwk, nil
+}
+
+// JWKToPEM is the inverse of ParseJWKFromPEM. Used at account creation
+// time to persist the public-only JWK to the acme_accounts row.
+func JWKToPEM(jwk *jose.JSONWebKey) (string, error) {
+	raw, err := jwk.MarshalJSON()
+	if err != nil {
+		return "", fmt.Errorf("acme jws: marshal jwk json: %w", err)
+	}
+	encoded := base64.StdEncoding.EncodeToString(raw)
+	// Wrap to 64-char lines for diff-friendliness.
+	var buf strings.Builder
+	buf.WriteString("-----BEGIN ACME ACCOUNT JWK-----\n")
+	for i := 0; i < len(encoded); i += 64 {
+		end := i + 64
+		if end > len(encoded) {
+			end = len(encoded)
+		}
+		buf.WriteString(encoded[i:end])
+		buf.WriteByte('\n')
+	}
+	buf.WriteString("-----END ACME ACCOUNT JWK-----\n")
+	return buf.String(), nil
+}
+
+// JWKThumbprint computes the RFC 7638 thumbprint of jwk and returns
+// it as a base64url-no-padding string. The (profile_id, thumbprint)
+// pair uniquely identifies an account per profile; new-account uses
+// it for idempotency (RFC 8555 §7.3.1).
+func JWKThumbprint(jwk *jose.JSONWebKey) (string, error) {
+	raw, err := jwk.Thumbprint(crypto.SHA256)
+	if err != nil {
+		return "", fmt.Errorf("acme jws: thumbprint: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(raw), nil
+}
+
+// AccountID derives the canonical certctl account ID from a JWK
+// thumbprint: "acme-acc-" + base64url-no-pad-thumbprint. The output is
+// stable across clients (same JWK → same ID) so the new-account
+// idempotency check at RFC 8555 §7.3.1 holds without an additional
+// lookup.
+func AccountID(thumbprint string) string {
+	// base64url-no-pad already produces alphanumeric + `-_`; we keep
+	// `-_` as part of the certctl-readable prefix shape.
+	return "acme-acc-" + thumbprint
+}