acme-server: account resource + JWS verifier (Phase 1b/7)

Layers JWS-authenticated POST machinery onto the Phase 1a foundation (commit ec88a61). After this commit, an ACME client can run POST /acme/profile/<id>/new-account against certctl and successfully register an account. Account update + deactivation via POST /acme/profile/<id>/account/<acc-id> work. Orders + challenges remain Phase 2 / 3. Background: Two prior dispatch attempts at the original Phase 1 ("skeleton + directory + new-nonce + new-account" as a single commit) failed on go-jose v4 API speculation (jws.GetPayload, sig.Algorithm, jose.SHA256, etc. — none of those exist in v4). Splitting Phase 1 into 1a (foundation, no go-jose) and 1b (this commit, all go-jose in one place) concentrated the JWS work where attention pays off. The verifier reads the actual go-jose v4 surface — ParseSigned with closed alg allow-list, Header struct fields (Algorithm, KeyID, JSONWebKey, Nonce, ExtraHeaders[HeaderKey]), JWK.Thumbprint with stdlib crypto.SHA256. What ships: - internal/api/acme/jws.go: 487-line verifier + sentinel error family. Enforces RFC 8555 §6.2 + §6.4 + §6.5 invariants: - alg in {RS256, ES256, EdDSA} (closed allow-list passed to jose.ParseSigned — HS256 / none / etc. rejected at parse time) - exactly one of `kid` / `jwk` in protected header (per endpoint policy — new-account demands jwk, others demand kid) - protected `url` matches request URL exactly - protected `nonce` consumed against acme_nonces (badNonce on miss/replay/expiry per RFC 8555 §6.5.1) - kid round-trips against canonical AccountKID(accountID) URL (catches cross-profile / cross-host replay) - kid path: account exists + status=valid (deactivated / revoked accounts cannot authenticate) - signature verifies; post-Verify payload bytes equal UnsafePayloadWithoutVerification (defense in depth) + JWK persistence helpers (JWKToPEM / ParseJWKFromPEM round- trip a public-only JWK as a PEM-wrapped JSON envelope; stored as TEXT in acme_accounts.jwk_pem for diff-friendliness) + JWKThumbprint per RFC 7638. - internal/api/acme/jws_test.go: 16 cases covering happy paths (RS256 kid, ES256 jwk, EdDSA kid) + every named failure mode (alg-not-allowed, bad-sig, missing-nonce, unknown-nonce, replay, url-mismatch, mixed kid+jwk, deactivated-account, cross-host kid). Uses real keypairs + real go-jose Signer to build JWS objects. - internal/api/acme/account.go: NewAccountRequest / AccountUpdateRequest payload shapes (RFC 8555 §7.3 + §7.3.2 + §7.3.6) + AccountResponseJSON wire shape + MarshalAccount helper. - internal/domain/acme.go: ACMEAccount struct + ACMEAccountStatus closed enum (valid / deactivated / revoked). - internal/repository/postgres/acme.go: full account CRUD path (CreateAccountWithTx with 23505-unique-violation sentinel translation, GetAccountByID, GetAccountByThumbprint, UpdateAccountContactWithTx, UpdateAccountStatusWithTx) + sql.ErrNoRows-wrapped repository.ErrNotFound on lookup misses. - internal/service/acme.go: ACMERepo interface extended; SetTransactor + SetAuditService wires; NewAccount (idempotent re-registration per RFC 8555 §7.3.1 — same JWK returns existing row without an update or new audit event); LookupAccount; UpdateAccount; DeactivateAccount; VerifyJWS adapter that bridges api/acme.VerifierConfig to the service-layer ACMERepo; per-op metrics extended (new_account_total + _failures_total + _idempotent_total + update_account_total + _failures_total + deactivate_account_total). - internal/service/acme_test.go: 8 new tests covering new-account happy path / idempotent re-registration / only- return-existing match + no-match / contact update / deactivate / lookup-not-found / requires-transactor. - internal/api/handler/acme.go: NewAccount + Account handlers. Account dispatches POST-as-GET (RFC 8555 §6.3 — empty body or {} payload returns the account row), contact update, and deactivation from the same endpoint. Defense-in-depth check that the kid path-segment matches the URL path-segment (the verifier already round-tripped the kid against canonical URL, but the handler re-asserts to catch any future verifier refactor). - internal/api/handler/acme_handler_test.go: 7 new cases covering happy-create, idempotent-200, only-return-existing- no-match-400, malformed-JWS-400, kid-URL-mismatch-401, deactivate, contact-update, POST-as-GET. - internal/api/router/router.go: 4 new Register calls (per- profile + shorthand for new-account and account/{acc_id}). - internal/api/router/openapi_parity_test.go: SpecParityExceptions extended with the 4 new routes (RFC 8555 wire-protocol surface, not OpenAPI-shaped — same precedent as Phase 1a). - cmd/server/main.go: SetTransactor + SetAuditService on acmeService at startup so the WithinTx-based new-account / update / deactivate paths run with the same transactor instance shared across CertificateService / RevocationSvc / RenewalService. - docs/acme-server.md: Phase status updated; endpoints table grows new-account + account/<acc_id> rows; new "JWS verification (Phase 1b)" section enumerates the 7 invariants the verifier enforces; phases-cross-reference table marks 1b live. - go.mod / go.sum: github.com/go-jose/go-jose/v4 v4.0.4 added. Atomicity: every account-state mutation writes its acme_accounts row + its audit_events row inside one repository.Transactor.WithinTx call — the canonical certctl atomicity contract (matches CertificateService.Create at internal/service/certificate.go:131). Idempotent re-registration explicitly does NOT write an audit row (RFC 8555 §7.3.1 returns the existing row unmodified). Tests: 16 jws_test.go cases + 11 service tests + 11 handler tests all pass under -short. Bad-signature test uses a real registered account whose stored JWK is a different keypair from the signer's, so the JWS parses cleanly but jose.Verify rejects — exercises the ErrJWSSignatureInvalid path directly. Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1b".
2026-06-07 15:32:02 +00:00 · 2026-05-03 13:21:56 +00:00
parent ec88a61274
commit 44a85d6f85
15 changed files with 2621 additions and 72 deletions
@@ -7,21 +7,37 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"io"
 	"net/http"

+	jose "github.com/go-jose/go-jose/v4"
+
 	"github.com/shankar0123/certctl/internal/api/acme"
+	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/service"
 )

+// MaxJWSBodyBytes caps the per-request JWS payload at 64 KiB. RFC 8555
+// payloads are tiny (a JWK is < 1 KiB; a CSR < 4 KiB), so anything
+// larger is either malformed or hostile. The router-level body-limit
+// middleware already caps requests at the server-wide
+// CERTCTL_MAX_BODY_SIZE (default 1 MiB), but ACME-specifically we
+// tighten further.
+const MaxJWSBodyBytes = 64 * 1024
+
 // ACMEService is the handler-facing surface for the ACME server. The
 // service-layer concrete type is *service.ACMEService; the interface
 // definition lives here to keep the handler import-direction
-// canonical (handler imports service, not the reverse). Phase 1a
-// pins two methods; Phase 1b extends with VerifyJWS, NewAccount,
-// LookupAccount, UpdateAccount, DeactivateAccount.
+// canonical (handler imports service, not the reverse).
 type ACMEService interface {
 	BuildDirectory(ctx context.Context, profileID, baseURL string) (*acme.Directory, error)
 	IssueNonce(ctx context.Context) (string, error)
+	// Phase 1b — JWS verification + account resource.
+	VerifyJWS(ctx context.Context, body []byte, requestURL string, expectNewAccount bool, accountKID func(accountID string) string) (*acme.VerifiedRequest, error)
+	NewAccount(ctx context.Context, profileID string, jwk *jose.JSONWebKey, contact []string, onlyReturnExisting bool, tosAgreed bool) (*domain.ACMEAccount, bool, error)
+	LookupAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error)
+	UpdateAccount(ctx context.Context, accountID string, contact []string) (*domain.ACMEAccount, error)
+	DeactivateAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error)
 }

 // ACMEHandler exposes the ACME server's RFC 8555 endpoints under the
@@ -147,8 +163,8 @@ func (h ACMEHandler) directoryBaseURL(r *http.Request, profileID string) string

 // writeServiceError maps service-layer sentinels to RFC 7807 + RFC
 // 8555 §6.7 problem responses. Centralized so every handler method
-// gets identical mapping; future Phase 1b/2/3/4 sentinels extend
-// the switch.
+// gets identical mapping; new sentinels extend the switch as later
+// phases land.
 func writeServiceError(w http.ResponseWriter, err error) {
 	switch {
 	case errors.Is(err, service.ErrACMEUserActionRequired):
@@ -161,6 +177,11 @@ func writeServiceError(w http.ResponseWriter, err error) {
 			Detail: "profile not found",
 			Status: http.StatusNotFound,
 		})
+	case errors.Is(err, service.ErrACMEAccountNotFound):
+		acme.WriteProblem(w, acme.AccountDoesNotExist("account not found"))
+	case errors.Is(err, service.ErrACMEAccountDoesNotExist):
+		acme.WriteProblem(w, acme.AccountDoesNotExist(
+			"no account exists for this JWK; submit a new-account request without onlyReturnExisting"))
 	default:
 		// Avoid leaking internal error text per master-prompt
 		// criterion #10 (operator-actionable errors with no info
@@ -168,3 +189,224 @@ func writeServiceError(w http.ResponseWriter, err error) {
 		acme.WriteProblem(w, acme.ServerInternal("ACME server error"))
 	}
 }
+
+// NewAccount handles POST /acme/profile/{id}/new-account (RFC 8555
+// §7.3). The request body is a JWS with `jwk` (NOT `kid`) in the
+// protected header — the verifier enforces this via
+// ExpectNewAccount=true.
+//
+// Behavior matrix:
+//   - JWK already registered + payload.OnlyReturnExisting=false →
+//     200 + existing account row (idempotent re-registration per
+//     RFC 8555 §7.3.1).
+//   - JWK already registered + payload.OnlyReturnExisting=true →
+//     same 200 + existing row.
+//   - JWK new + OnlyReturnExisting=false → 201 + newly-created row.
+//   - JWK new + OnlyReturnExisting=true → 400 + accountDoesNotExist.
+func (h ACMEHandler) NewAccount(w http.ResponseWriter, r *http.Request) {
+	profileID := r.PathValue("id")
+	requestURL := h.requestURL(r)
+
+	body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1))
+	if err != nil {
+		acme.WriteProblem(w, acme.Malformed("could not read request body"))
+		return
+	}
+	if len(body) > MaxJWSBodyBytes {
+		acme.WriteProblem(w, acme.Malformed("request body too large"))
+		return
+	}
+
+	verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, true /*expectNewAccount*/, h.accountKID(r, profileID))
+	if err != nil {
+		acme.WriteProblem(w, acme.MapJWSErrorToProblem(err))
+		return
+	}
+
+	var req acme.NewAccountRequest
+	if err := json.Unmarshal(verified.Payload, &req); err != nil {
+		acme.WriteProblem(w, acme.Malformed("could not parse new-account payload"))
+		return
+	}
+
+	acct, isNew, err := h.svc.NewAccount(
+		r.Context(), profileID, verified.JWK, req.Contact,
+		req.OnlyReturnExisting, req.TermsOfServiceAgreed,
+	)
+	if err != nil {
+		writeServiceError(w, err)
+		return
+	}
+
+	if nonce, err := h.svc.IssueNonce(r.Context()); err == nil {
+		w.Header().Set("Replay-Nonce", nonce)
+	}
+	w.Header().Set("Location", h.accountKID(r, profileID)(acct.AccountID))
+	w.Header().Set("Content-Type", "application/json")
+	if isNew {
+		w.WriteHeader(http.StatusCreated)
+	} else {
+		w.WriteHeader(http.StatusOK)
+	}
+	_ = json.NewEncoder(w).Encode(
+		acme.MarshalAccount(acct, h.accountOrdersURL(r, profileID, acct.AccountID)),
+	)
+}
+
+// Account handles POST /acme/profile/{id}/account/{acc-id} (RFC 8555
+// §7.3.2 + §7.3.6 + POST-as-GET per §6.3). The verifier requires
+// `kid` (NOT `jwk`); the kid path-segment must match the URL
+// path-segment.
+//
+// Payload variants:
+//   - empty body or empty JSON {}: POST-as-GET; returns the account.
+//   - {"contact": [...]}: contact update (RFC 8555 §7.3.2).
+//   - {"status": "deactivated"}: deactivation (RFC 8555 §7.3.6).
+//
+// Mixing contact + status in one request is permitted; we apply
+// status first (deactivation is the more conservative action).
+func (h ACMEHandler) Account(w http.ResponseWriter, r *http.Request) {
+	profileID := r.PathValue("id")
+	urlAccountID := r.PathValue("acc_id")
+	requestURL := h.requestURL(r)
+
+	body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1))
+	if err != nil {
+		acme.WriteProblem(w, acme.Malformed("could not read request body"))
+		return
+	}
+	if len(body) > MaxJWSBodyBytes {
+		acme.WriteProblem(w, acme.Malformed("request body too large"))
+		return
+	}
+
+	verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, false /*expectNewAccount*/, h.accountKID(r, profileID))
+	if err != nil {
+		acme.WriteProblem(w, acme.MapJWSErrorToProblem(err))
+		return
+	}
+
+	// kid path-segment must equal URL path-segment (defense in depth —
+	// the verifier already round-tripped the kid against the canonical
+	// URL).
+	if verified.Account == nil || verified.Account.AccountID != urlAccountID {
+		acme.WriteProblem(w, acme.Problem{
+			Type:   "urn:ietf:params:acme:error:unauthorized",
+			Detail: "kid does not match URL account id",
+			Status: http.StatusUnauthorized,
+		})
+		return
+	}
+
+	var (
+		updated  *domain.ACMEAccount
+		readOnly bool
+	)
+	// Empty body or empty JSON object → POST-as-GET (§6.3).
+	trimmed := trimBody(verified.Payload)
+	if len(trimmed) == 0 || string(trimmed) == "{}" {
+		readOnly = true
+		updated = verified.Account
+	} else {
+		var req acme.AccountUpdateRequest
+		if err := json.Unmarshal(verified.Payload, &req); err != nil {
+			acme.WriteProblem(w, acme.Malformed("could not parse account update payload"))
+			return
+		}
+		// Status transition first (the more conservative action).
+		switch req.Status {
+		case "":
+			// no-op
+		case "deactivated":
+			acct, err := h.svc.DeactivateAccount(r.Context(), urlAccountID)
+			if err != nil {
+				writeServiceError(w, err)
+				return
+			}
+			updated = acct
+		default:
+			acme.WriteProblem(w, acme.Malformed(
+				"only `deactivated` is a valid status for account update; got "+req.Status))
+			return
+		}
+		// Contact update.
+		if req.Contact != nil {
+			acct, err := h.svc.UpdateAccount(r.Context(), urlAccountID, req.Contact)
+			if err != nil {
+				writeServiceError(w, err)
+				return
+			}
+			updated = acct
+		}
+		if updated == nil {
+			// Empty status + nil contact → no-op; treat as POST-as-GET.
+			updated = verified.Account
+			readOnly = true
+		}
+	}
+
+	if nonce, err := h.svc.IssueNonce(r.Context()); err == nil {
+		w.Header().Set("Replay-Nonce", nonce)
+	}
+	if readOnly {
+		w.Header().Set("Content-Type", "application/json")
+	} else {
+		w.Header().Set("Content-Type", "application/json")
+	}
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(
+		acme.MarshalAccount(updated, h.accountOrdersURL(r, profileID, updated.AccountID)),
+	)
+}
+
+// requestURL composes the full URL the JWS protected-header `url`
+// MUST equal. Equivalent to scheme://host + r.URL.Path.
+func (h ACMEHandler) requestURL(r *http.Request) string {
+	scheme := "https"
+	if r.TLS == nil {
+		scheme = "http"
+	}
+	return scheme + "://" + r.Host + r.URL.Path
+}
+
+// accountKID returns the closure VerifyJWS uses to round-trip-check
+// inbound `kid` headers. Centralized so both NewAccount + Account
+// build the same URL shape.
+func (h ACMEHandler) accountKID(r *http.Request, profileID string) func(accountID string) string {
+	scheme := "https"
+	if r.TLS == nil {
+		scheme = "http"
+	}
+	prefix := scheme + "://" + r.Host
+	if profileID != "" {
+		prefix += "/acme/profile/" + profileID
+	} else {
+		prefix += "/acme"
+	}
+	return func(accountID string) string { return prefix + "/account/" + accountID }
+}
+
+// accountOrdersURL is the URL Phase 2 will serve account orders at.
+// Phase 1b emits it in the account JSON for RFC 8555 §7.1.2.1
+// compliance even though hitting it returns 404 until Phase 2.
+func (h ACMEHandler) accountOrdersURL(r *http.Request, profileID, accountID string) string {
+	return h.accountKID(r, profileID)(accountID) + "/orders"
+}
+
+// trimBody is a minimal JSON-aware trim that returns a copy with
+// outer whitespace removed. We don't need full JSON parsing here —
+// just enough to detect empty body / empty object for POST-as-GET
+// routing.
+func trimBody(b []byte) []byte {
+	for len(b) > 0 && (b[0] == ' ' || b[0] == '\t' || b[0] == '\n' || b[0] == '\r') {
+		b = b[1:]
+	}
+	for len(b) > 0 {
+		c := b[len(b)-1]
+		if c != ' ' && c != '\t' && c != '\n' && c != '\r' {
+			break
+		}
+		b = b[:len(b)-1]
+	}
+	return b
+}
@@ -4,6 +4,7 @@
 package handler

 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -12,7 +13,10 @@ import (
 	"strings"
 	"testing"

+	jose "github.com/go-jose/go-jose/v4"
+
 	"github.com/shankar0123/certctl/internal/api/acme"
+	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/service"
 )

@@ -20,8 +24,13 @@ import (
 // Mirrors the mockSCEPService pattern at scep_handler_test.go (struct
 // holding canned responses + an err field per method).
 type mockACMEService struct {
-	BuildDirectoryFn func(ctx context.Context, profileID, baseURL string) (*acme.Directory, error)
-	IssueNonceFn     func(ctx context.Context) (string, error)
+	BuildDirectoryFn    func(ctx context.Context, profileID, baseURL string) (*acme.Directory, error)
+	IssueNonceFn        func(ctx context.Context) (string, error)
+	VerifyJWSFn         func(ctx context.Context, body []byte, requestURL string, expectNewAccount bool, accountKID func(string) string) (*acme.VerifiedRequest, error)
+	NewAccountFn        func(ctx context.Context, profileID string, jwk *jose.JSONWebKey, contact []string, onlyReturnExisting bool, tosAgreed bool) (*domain.ACMEAccount, bool, error)
+	LookupAccountFn     func(ctx context.Context, accountID string) (*domain.ACMEAccount, error)
+	UpdateAccountFn     func(ctx context.Context, accountID string, contact []string) (*domain.ACMEAccount, error)
+	DeactivateAccountFn func(ctx context.Context, accountID string) (*domain.ACMEAccount, error)
 }

 func (m *mockACMEService) BuildDirectory(ctx context.Context, profileID, baseURL string) (*acme.Directory, error) {
@@ -38,6 +47,41 @@ func (m *mockACMEService) IssueNonce(ctx context.Context) (string, error) {
 	return "test-nonce-12345", nil
 }

+func (m *mockACMEService) VerifyJWS(ctx context.Context, body []byte, requestURL string, expectNewAccount bool, accountKID func(string) string) (*acme.VerifiedRequest, error) {
+	if m.VerifyJWSFn != nil {
+		return m.VerifyJWSFn(ctx, body, requestURL, expectNewAccount, accountKID)
+	}
+	return nil, errors.New("VerifyJWS not stubbed")
+}
+
+func (m *mockACMEService) NewAccount(ctx context.Context, profileID string, jwk *jose.JSONWebKey, contact []string, onlyReturnExisting bool, tosAgreed bool) (*domain.ACMEAccount, bool, error) {
+	if m.NewAccountFn != nil {
+		return m.NewAccountFn(ctx, profileID, jwk, contact, onlyReturnExisting, tosAgreed)
+	}
+	return nil, false, errors.New("NewAccount not stubbed")
+}
+
+func (m *mockACMEService) LookupAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error) {
+	if m.LookupAccountFn != nil {
+		return m.LookupAccountFn(ctx, accountID)
+	}
+	return nil, errors.New("LookupAccount not stubbed")
+}
+
+func (m *mockACMEService) UpdateAccount(ctx context.Context, accountID string, contact []string) (*domain.ACMEAccount, error) {
+	if m.UpdateAccountFn != nil {
+		return m.UpdateAccountFn(ctx, accountID, contact)
+	}
+	return nil, errors.New("UpdateAccount not stubbed")
+}
+
+func (m *mockACMEService) DeactivateAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error) {
+	if m.DeactivateAccountFn != nil {
+		return m.DeactivateAccountFn(ctx, accountID)
+	}
+	return nil, errors.New("DeactivateAccount not stubbed")
+}
+
 // newACMETestServer wires the ACMEHandler against the mock + a stdlib
 // ServeMux configured exactly the way internal/api/router/router.go
 // does it in production. Routes:
@@ -55,9 +99,13 @@ func newACMETestServer(t *testing.T, mock *mockACMEService) *httptest.Server {
 	mux.HandleFunc("GET /acme/profile/{id}/directory", h.Directory)
 	mux.HandleFunc("HEAD /acme/profile/{id}/new-nonce", h.NewNonce)
 	mux.HandleFunc("GET /acme/profile/{id}/new-nonce", h.NewNonce)
+	mux.HandleFunc("POST /acme/profile/{id}/new-account", h.NewAccount)
+	mux.HandleFunc("POST /acme/profile/{id}/account/{acc_id}", h.Account)
 	mux.HandleFunc("GET /acme/directory", h.Directory)
 	mux.HandleFunc("HEAD /acme/new-nonce", h.NewNonce)
 	mux.HandleFunc("GET /acme/new-nonce", h.NewNonce)
+	mux.HandleFunc("POST /acme/new-account", h.NewAccount)
+	mux.HandleFunc("POST /acme/account/{acc_id}", h.Account)
 	return httptest.NewServer(mux)
 }

@@ -240,3 +288,254 @@ func TestACMEHandler_NewNonce_ServiceError(t *testing.T) {
 		t.Errorf("content-type = %q", got)
 	}
 }
+
+// --- Phase 1b — new-account + account update ---------------------------
+
+// stubVerifiedReq returns a VerifiedRequest pre-baked with payload +
+// the supplied Account / JWK for handler-level tests that don't go
+// through the actual JWS verifier.
+func stubVerifiedReq(payload interface{}, account *domain.ACMEAccount, jwk *jose.JSONWebKey) func(ctx context.Context, body []byte, requestURL string, expectNewAccount bool, accountKID func(string) string) (*acme.VerifiedRequest, error) {
+	return func(ctx context.Context, body []byte, requestURL string, expectNewAccount bool, accountKID func(string) string) (*acme.VerifiedRequest, error) {
+		raw, _ := json.Marshal(payload)
+		return &acme.VerifiedRequest{
+			Payload:   raw,
+			Algorithm: "RS256",
+			URL:       requestURL,
+			Nonce:     "test-nonce",
+			Account:   account,
+			JWK:       jwk,
+		}, nil
+	}
+}
+
+func TestACMEHandler_NewAccount_HappyPath_New(t *testing.T) {
+	mock := &mockACMEService{
+		VerifyJWSFn: stubVerifiedReq(
+			acme.NewAccountRequest{Contact: []string{"mailto:a@example.com"}, TermsOfServiceAgreed: true},
+			nil, // jwk path → no Account
+			&jose.JSONWebKey{},
+		),
+		NewAccountFn: func(ctx context.Context, profileID string, jwk *jose.JSONWebKey, contact []string, onlyReturnExisting bool, tosAgreed bool) (*domain.ACMEAccount, bool, error) {
+			return &domain.ACMEAccount{
+				AccountID: "acme-acc-fresh", JWKThumbprint: "thumb-x",
+				Contact: contact, Status: domain.ACMEAccountStatusValid, ProfileID: profileID,
+			}, true, nil
+		},
+	}
+	srv := newACMETestServer(t, mock)
+	defer srv.Close()
+
+	resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/new-account", "application/jose+json", bytes.NewReader([]byte("ignored-by-mock")))
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusCreated {
+		t.Errorf("status = %d, want 201", resp.StatusCode)
+	}
+	if got := resp.Header.Get("Replay-Nonce"); got == "" {
+		t.Error("Replay-Nonce header missing")
+	}
+	if got := resp.Header.Get("Location"); !strings.Contains(got, "/account/acme-acc-fresh") {
+		t.Errorf("Location = %q (want suffix /account/acme-acc-fresh)", got)
+	}
+	var body acme.AccountResponseJSON
+	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
+		t.Fatalf("decode: %v", err)
+	}
+	if body.Status != "valid" {
+		t.Errorf("status = %q", body.Status)
+	}
+	if !strings.HasSuffix(body.Orders, "/account/acme-acc-fresh/orders") {
+		t.Errorf("orders URL = %q", body.Orders)
+	}
+}
+
+func TestACMEHandler_NewAccount_Idempotent_ExistingReturns200(t *testing.T) {
+	mock := &mockACMEService{
+		VerifyJWSFn: stubVerifiedReq(acme.NewAccountRequest{}, nil, &jose.JSONWebKey{}),
+		NewAccountFn: func(ctx context.Context, profileID string, jwk *jose.JSONWebKey, contact []string, onlyReturnExisting bool, tosAgreed bool) (*domain.ACMEAccount, bool, error) {
+			return &domain.ACMEAccount{
+				AccountID: "acme-acc-existing", Status: domain.ACMEAccountStatusValid, ProfileID: profileID,
+			}, false /*isNew=false*/, nil
+		},
+	}
+	srv := newACMETestServer(t, mock)
+	defer srv.Close()
+
+	resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/new-account", "application/jose+json", bytes.NewReader([]byte("x")))
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("status = %d, want 200 (idempotent re-registration)", resp.StatusCode)
+	}
+}
+
+func TestACMEHandler_NewAccount_OnlyReturnExisting_NoMatch(t *testing.T) {
+	mock := &mockACMEService{
+		VerifyJWSFn: stubVerifiedReq(acme.NewAccountRequest{OnlyReturnExisting: true}, nil, &jose.JSONWebKey{}),
+		NewAccountFn: func(ctx context.Context, profileID string, jwk *jose.JSONWebKey, contact []string, onlyReturnExisting bool, tosAgreed bool) (*domain.ACMEAccount, bool, error) {
+			return nil, false, service.ErrACMEAccountDoesNotExist
+		},
+	}
+	srv := newACMETestServer(t, mock)
+	defer srv.Close()
+
+	resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/new-account", "application/jose+json", bytes.NewReader([]byte("x")))
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", resp.StatusCode)
+	}
+	var p acme.Problem
+	_ = json.NewDecoder(resp.Body).Decode(&p)
+	if p.Type != "urn:ietf:params:acme:error:accountDoesNotExist" {
+		t.Errorf("Problem.Type = %q", p.Type)
+	}
+}
+
+func TestACMEHandler_NewAccount_JWSMalformed(t *testing.T) {
+	mock := &mockACMEService{
+		VerifyJWSFn: func(ctx context.Context, body []byte, requestURL string, expectNewAccount bool, accountKID func(string) string) (*acme.VerifiedRequest, error) {
+			return nil, acme.ErrJWSMalformed
+		},
+	}
+	srv := newACMETestServer(t, mock)
+	defer srv.Close()
+
+	resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/new-account", "application/jose+json", bytes.NewReader([]byte("garbage")))
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusBadRequest {
+		t.Errorf("status = %d, want 400", resp.StatusCode)
+	}
+	var p acme.Problem
+	_ = json.NewDecoder(resp.Body).Decode(&p)
+	if p.Type != "urn:ietf:params:acme:error:malformed" {
+		t.Errorf("Problem.Type = %q", p.Type)
+	}
+}
+
+func TestACMEHandler_Account_KIDMismatch(t *testing.T) {
+	mock := &mockACMEService{
+		VerifyJWSFn: stubVerifiedReq(
+			acme.AccountUpdateRequest{},
+			&domain.ACMEAccount{
+				AccountID: "acme-acc-A", Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp",
+			},
+			nil,
+		),
+	}
+	srv := newACMETestServer(t, mock)
+	defer srv.Close()
+
+	// URL claims account B, JWS-verified account is A.
+	resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/account/acme-acc-B", "application/jose+json", bytes.NewReader([]byte("x")))
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("status = %d, want 401", resp.StatusCode)
+	}
+}
+
+func TestACMEHandler_Account_Deactivate(t *testing.T) {
+	called := false
+	mock := &mockACMEService{
+		VerifyJWSFn: stubVerifiedReq(
+			acme.AccountUpdateRequest{Status: "deactivated"},
+			&domain.ACMEAccount{AccountID: "acme-acc-D", Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp"},
+			nil,
+		),
+		DeactivateAccountFn: func(ctx context.Context, accountID string) (*domain.ACMEAccount, error) {
+			called = true
+			return &domain.ACMEAccount{AccountID: accountID, Status: domain.ACMEAccountStatusDeactivated, ProfileID: "prof-corp"}, nil
+		},
+	}
+	srv := newACMETestServer(t, mock)
+	defer srv.Close()
+
+	resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/account/acme-acc-D", "application/jose+json", bytes.NewReader([]byte("x")))
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("status = %d, want 200", resp.StatusCode)
+	}
+	if !called {
+		t.Error("DeactivateAccount was not invoked")
+	}
+	var body acme.AccountResponseJSON
+	_ = json.NewDecoder(resp.Body).Decode(&body)
+	if body.Status != "deactivated" {
+		t.Errorf("status = %q", body.Status)
+	}
+}
+
+func TestACMEHandler_Account_UpdateContact(t *testing.T) {
+	mock := &mockACMEService{
+		VerifyJWSFn: stubVerifiedReq(
+			acme.AccountUpdateRequest{Contact: []string{"mailto:new@example.com"}},
+			&domain.ACMEAccount{AccountID: "acme-acc-U", Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp"},
+			nil,
+		),
+		UpdateAccountFn: func(ctx context.Context, accountID string, contact []string) (*domain.ACMEAccount, error) {
+			return &domain.ACMEAccount{AccountID: accountID, Status: domain.ACMEAccountStatusValid, Contact: contact, ProfileID: "prof-corp"}, nil
+		},
+	}
+	srv := newACMETestServer(t, mock)
+	defer srv.Close()
+
+	resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/account/acme-acc-U", "application/jose+json", bytes.NewReader([]byte("x")))
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("status = %d, want 200", resp.StatusCode)
+	}
+	var body acme.AccountResponseJSON
+	_ = json.NewDecoder(resp.Body).Decode(&body)
+	if len(body.Contact) != 1 || body.Contact[0] != "mailto:new@example.com" {
+		t.Errorf("contact = %v", body.Contact)
+	}
+}
+
+func TestACMEHandler_Account_PostAsGet(t *testing.T) {
+	// Empty payload → POST-as-GET (RFC 8555 §6.3): handler returns
+	// the unmodified account row.
+	mock := &mockACMEService{
+		VerifyJWSFn: stubVerifiedReq(
+			struct{}{}, // empty payload
+			&domain.ACMEAccount{AccountID: "acme-acc-G", Status: domain.ACMEAccountStatusValid, Contact: []string{"mailto:o@example.com"}, ProfileID: "prof-corp"},
+			nil,
+		),
+	}
+	srv := newACMETestServer(t, mock)
+	defer srv.Close()
+
+	resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/account/acme-acc-G", "application/jose+json", bytes.NewReader([]byte("x")))
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("status = %d, want 200 (POST-as-GET)", resp.StatusCode)
+	}
+}