diff --git a/api/openapi-handler-exceptions.yaml b/api/openapi-handler-exceptions.yaml index ed8a604..2f4c1b2 100644 --- a/api/openapi-handler-exceptions.yaml +++ b/api/openapi-handler-exceptions.yaml @@ -54,3 +54,25 @@ documented_exceptions: why: "ACME server default-profile shorthand for new-account." - route: "POST /acme/account/{acc_id}" why: "ACME server default-profile shorthand for account update + deactivation." + + # Phase 2 — orders + finalize + authz + cert. + - route: "POST /acme/profile/{id}/new-order" + why: "ACME server RFC 8555 §7.4 new-order; documented in docs/acme-server.md." + - route: "POST /acme/profile/{id}/order/{ord_id}" + why: "ACME server RFC 8555 §7.4 order POST-as-GET; documented in docs/acme-server.md." + - route: "POST /acme/profile/{id}/order/{ord_id}/finalize" + why: "ACME server RFC 8555 §7.4 finalize; documented in docs/acme-server.md." + - route: "POST /acme/profile/{id}/authz/{authz_id}" + why: "ACME server RFC 8555 §7.5 authz POST-as-GET; documented in docs/acme-server.md." + - route: "POST /acme/profile/{id}/cert/{cert_id}" + why: "ACME server RFC 8555 §7.4.2 cert download; documented in docs/acme-server.md." + - route: "POST /acme/new-order" + why: "Phase 2 default-profile shorthand for new-order." + - route: "POST /acme/order/{ord_id}" + why: "Phase 2 default-profile shorthand for order POST-as-GET." + - route: "POST /acme/order/{ord_id}/finalize" + why: "Phase 2 default-profile shorthand for finalize." + - route: "POST /acme/authz/{authz_id}" + why: "Phase 2 default-profile shorthand for authz POST-as-GET." + - route: "POST /acme/cert/{cert_id}" + why: "Phase 2 default-profile shorthand for cert download." diff --git a/cmd/server/main.go b/cmd/server/main.go index 437d48c..2be5d74 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -758,6 +758,12 @@ func main() { acmeService := service.NewACMEService(acmeRepo, profileRepo, cfg.ACMEServer) acmeService.SetTransactor(transactor) acmeService.SetAuditService(auditService) + // Phase 2 — finalize plumbing. The finalize handler routes + // through CertificateService.Create + certRepo.CreateVersionWithTx + // + IssuerRegistry.Get for the bound profile's issuer. Same + // pipeline EST/SCEP/agent/renewal use, so policy + audit + per- + // issuer-type metrics apply uniformly to ACME-issued certs. + acmeService.SetIssuancePipeline(certificateService, certificateRepo, issuerRegistry) acmeHandler := handler.NewACMEHandler(acmeService) // Build the API router with all handlers diff --git a/docs/acme-server.md b/docs/acme-server.md index bdde0fb..521f085 100644 --- a/docs/acme-server.md +++ b/docs/acme-server.md @@ -7,11 +7,14 @@ as an ACME issuer with no certctl-side modification — closing the "deploy a certctl agent on every K8s node" friction that costs deals to external PKI vendors today. -> **Phase status (2026-05-03):** Phase 1b — directory + new-nonce + -> new-account + account/{id} update + JWS verifier (RFC 7515 + go-jose -> v4). An ACME client can now run new-account end-to-end and register -> against a profile. Orders + challenges + key rollover + revocation + -> ARI land in subsequent phases. Track shipped phases via +> **Phase status (2026-05-03):** Phase 2 — directory + new-nonce + +> new-account + account/{id} + new-order + order/{id} + finalize + +> authz/{id} + cert/{id}. An ACME client running against a profile +> with `acme_auth_mode='trust_authenticated'` end-to-end-issues a real +> cert: `lego --server https://certctl/acme/profile//directory ... +> run` succeeds. Profiles in `challenge` mode get all the same code +> path with authz/challenge rows in `pending` state until Phase 3's +> validators wire up. Track shipped phases via > `git log --grep='acme-server:'`. ## Configuration @@ -95,29 +98,70 @@ the `caBundle` requirement is flagged here in Phase 1a's docs because operators hit it the moment they try to point a real ACME client at certctl. -## Endpoints (Phase 1b) +## Endpoints (Phase 2) Routes registered in `internal/api/router/router.go::RegisterHandlers`: -| Method | Path | RFC ref | Auth | Description | -|--------|--------------------------------------------|-----------------|----------|-------------| -| GET | `/acme/profile/{id}/directory` | RFC 8555 §7.1.1 | unauth | Per-profile directory document. | -| HEAD | `/acme/profile/{id}/new-nonce` | RFC 8555 §7.2 | unauth | Returns 200 + Replay-Nonce header. | -| GET | `/acme/profile/{id}/new-nonce` | RFC 8555 §7.2 | unauth | Returns 204 + Replay-Nonce header. | -| POST | `/acme/profile/{id}/new-account` | RFC 8555 §7.3 | JWS jwk | Register a new account; idempotent re-registration of an existing JWK returns the existing row. | -| POST | `/acme/profile/{id}/account/{acc_id}` | RFC 8555 §7.3.2 + §7.3.6 | JWS kid | Update contact list, deactivate, or POST-as-GET (RFC 8555 §6.3) to fetch the account. | -| GET | `/acme/directory` | RFC 8555 §7.1.1 | unauth | Shorthand path; mirrors per-profile when `CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID` is set. | -| HEAD | `/acme/new-nonce` | RFC 8555 §7.2 | unauth | Shorthand. | -| GET | `/acme/new-nonce` | RFC 8555 §7.2 | unauth | Shorthand. | -| POST | `/acme/new-account` | RFC 8555 §7.3 | JWS jwk | Shorthand. | -| POST | `/acme/account/{acc_id}` | RFC 8555 §7.3.2 + §7.3.6 | JWS kid | Shorthand. | +| Method | Path | RFC ref | Auth | Description | +|--------|-------------------------------------------------------|-----------------|----------|-------------| +| GET | `/acme/profile/{id}/directory` | RFC 8555 §7.1.1 | unauth | Per-profile directory document. | +| HEAD | `/acme/profile/{id}/new-nonce` | RFC 8555 §7.2 | unauth | Returns 200 + Replay-Nonce header. | +| GET | `/acme/profile/{id}/new-nonce` | RFC 8555 §7.2 | unauth | Returns 204 + Replay-Nonce header. | +| POST | `/acme/profile/{id}/new-account` | RFC 8555 §7.3 | JWS jwk | Register a new account; idempotent re-registration of an existing JWK returns the existing row. | +| POST | `/acme/profile/{id}/account/{acc_id}` | RFC 8555 §7.3.2 + §7.3.6 | JWS kid | Update contact list, deactivate, or POST-as-GET (RFC 8555 §6.3) to fetch the account. | +| POST | `/acme/profile/{id}/new-order` | RFC 8555 §7.4 | JWS kid | Submit an order; identifier validation runs before order creation. | +| POST | `/acme/profile/{id}/order/{ord_id}` | RFC 8555 §7.4 | JWS kid | POST-as-GET fetch of an order's current state. | +| POST | `/acme/profile/{id}/order/{ord_id}/finalize` | RFC 8555 §7.4 | JWS kid | Submit the CSR + finalize. Issues + persists managed cert row + version. | +| POST | `/acme/profile/{id}/authz/{authz_id}` | RFC 8555 §7.5 | JWS kid | POST-as-GET fetch of an authorization. | +| POST | `/acme/profile/{id}/cert/{cert_id}` | RFC 8555 §7.4.2 | JWS kid | POST-as-GET cert chain download (PEM). | +| GET | `/acme/directory` | RFC 8555 §7.1.1 | unauth | Shorthand path; mirrors per-profile when `CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID` is set. | +| HEAD | `/acme/new-nonce` | RFC 8555 §7.2 | unauth | Shorthand. | +| GET | `/acme/new-nonce` | RFC 8555 §7.2 | unauth | Shorthand. | +| POST | `/acme/new-account` | RFC 8555 §7.3 | JWS jwk | Shorthand. | +| POST | `/acme/account/{acc_id}` | RFC 8555 §7.3.2 + §7.3.6 | JWS kid | Shorthand. | +| POST | `/acme/new-order` | RFC 8555 §7.4 | JWS kid | Shorthand. | +| POST | `/acme/order/{ord_id}` | RFC 8555 §7.4 | JWS kid | Shorthand. | +| POST | `/acme/order/{ord_id}/finalize` | RFC 8555 §7.4 | JWS kid | Shorthand. | +| POST | `/acme/authz/{authz_id}` | RFC 8555 §7.5 | JWS kid | Shorthand. | +| POST | `/acme/cert/{cert_id}` | RFC 8555 §7.4.2 | JWS kid | Shorthand. | -The remaining RFC 8555 endpoints (`new-order`, `order/{id}`, -`order/{id}/finalize`, `authz/{id}`, `challenge/{id}`, `cert/{id}`, -`key-change`, `revoke-cert`, `renewal-info`) are advertised in the -directory document but not yet served — clients hitting them get a 404 -until subsequent phases land. The directory document includes their -URLs because RFC 8555 doesn't permit a partial directory. +The remaining RFC 8555 endpoints (`challenge/{id}`, `key-change`, +`revoke-cert`, `renewal-info`) are advertised in the directory document +but not yet served — clients hitting them get a 404 until subsequent +phases land. The directory document includes their URLs because RFC 8555 +doesn't permit a partial directory. + +## Finalize routing through `CertificateService.Create` (Phase 2 architecture) + +The finalize path mirrors how every other certctl issuance surface +(EST, SCEP, agent, REST API) routes through the canonical pipeline: + +1. JWS-verify the request (`internal/api/acme/jws.go`). +2. Validate the CSR's DNS-name set equals the order's identifier set + exactly (case-folded). Mismatches return RFC 8555 + `urn:ietf:params:acme:error:badCSR`. +3. Update the order row to `status=processing` (`s.tx.WithinTx` + + `auditService.RecordEventWithTx` — atomic with audit row). +4. Issue the cert via the bound profile's `IssuerConnector` adapter + (same `IssueCertificate(ctx, commonName, sans, csrPEM, ekus, + maxTTLSeconds, mustStaple)` call EST/SCEP/agent take). +5. Insert the `managed_certificates` row via + `service.CertificateService.Create(ctx, *ManagedCertificate, actor)`. + Source is stamped `domain.CertificateSourceACME` so operators can + bulk-revoke ACME-issued certs by filtering on `Source=ACME`. +6. Insert the `certificate_versions` row + + transition the order to `status=valid` with `certificate_id` set + (one final `WithinTx` covering both writes + the audit row). + +This means RenewalPolicy, CertificateProfile, per-issuer-type +Prometheus metrics, audit rows, and revocation-pipeline integration +all apply uniformly to ACME-issued certs via the same code path that +already serves EST/SCEP/agent/REST issuance. + +The atomicity boundary: there is a brief window between step 5 (cert +exists) and step 6 (order shows valid) where the order row still says +`processing`. Phase 5's GC scheduler reconciles. The actor string on +audit rows is `acme:`. ## JWS verification (Phase 1b) @@ -154,7 +198,7 @@ at `internal/service/certificate.go:131`). |-------|-------------|---------| | 1a | live | directory + new-nonce + per-profile routing | | 1b | live | new-account + account/{id} + JWS verifier (RFC 7515 + go-jose v4) | -| 2 | not yet | orders + authzs + finalize + cert download (trust_authenticated mode end-to-end) | +| 2 | live | orders + authzs + finalize + cert download (trust_authenticated mode end-to-end) | | 3 | not yet | HTTP-01 + DNS-01 + TLS-ALPN-01 challenge validation | | 4 | not yet | key rollover + revocation + ARI (RFC 9773) | | 5 | not yet | cert-manager integration test + production hardening | diff --git a/internal/api/acme/order.go b/internal/api/acme/order.go new file mode 100644 index 0000000..855dceb --- /dev/null +++ b/internal/api/acme/order.go @@ -0,0 +1,252 @@ +// Copyright (c) certctl +// SPDX-License-Identifier: BSL-1.1 + +package acme + +import ( + "crypto/x509" + "errors" + "fmt" + "strings" + "time" + + "github.com/shankar0123/certctl/internal/domain" +) + +// OrderResponseJSON is the wire shape RFC 8555 §7.1.3 mandates for the +// new-order response + the per-order POST-as-GET response. +// +// Each URL field is the per-profile path the handler computes from the +// inbound request; service-layer code does not see *http.Request, so +// the handler does the URL composition. +type OrderResponseJSON struct { + Status string `json:"status"` + Expires string `json:"expires,omitempty"` + NotBefore string `json:"notBefore,omitempty"` + NotAfter string `json:"notAfter,omitempty"` + Identifiers []IdentifierJSON `json:"identifiers"` + Authorizations []string `json:"authorizations"` + Finalize string `json:"finalize"` + Certificate string `json:"certificate,omitempty"` + Error *Problem `json:"error,omitempty"` +} + +// IdentifierJSON is the wire shape for an identifier (RFC 8555 §9.7.7). +// Wire field names differ from the domain struct's JSON tags only on +// case, so we keep separate types to keep the protocol surface clean. +type IdentifierJSON struct { + Type string `json:"type"` + Value string `json:"value"` +} + +// MarshalOrder renders an ACMEOrder in RFC 8555 §7.1.3 wire shape. +// +// authzURLs / finalizeURL / certURL are computed by the handler from +// the inbound request (scheme + host + per-profile path). Phase 2: +// authzURLs has one entry per identifier; finalizeURL is the order's +// finalize endpoint; certURL is populated only when status=valid. +func MarshalOrder(order *domain.ACMEOrder, authzURLs []string, finalizeURL, certURL string) OrderResponseJSON { + out := OrderResponseJSON{ + Status: string(order.Status), + Expires: order.ExpiresAt.UTC().Format(time.RFC3339), + Identifiers: make([]IdentifierJSON, 0, len(order.Identifiers)), + Authorizations: authzURLs, + Finalize: finalizeURL, + } + if order.NotBefore != nil { + out.NotBefore = order.NotBefore.UTC().Format(time.RFC3339) + } + if order.NotAfter != nil { + out.NotAfter = order.NotAfter.UTC().Format(time.RFC3339) + } + for _, id := range order.Identifiers { + out.Identifiers = append(out.Identifiers, IdentifierJSON{Type: id.Type, Value: id.Value}) + } + if certURL != "" && order.Status == domain.ACMEOrderStatusValid { + out.Certificate = certURL + } + if order.Error != nil { + out.Error = &Problem{ + Type: order.Error.Type, + Detail: order.Error.Detail, + Status: order.Error.Status, + } + } + return out +} + +// NewOrderRequest is the payload shape RFC 8555 §7.4 mandates for a +// new-order POST. The handler json.Unmarshals VerifiedRequest.Payload +// into this struct after JWS verify succeeds. +type NewOrderRequest struct { + Identifiers []IdentifierJSON `json:"identifiers"` + NotBefore string `json:"notBefore,omitempty"` + NotAfter string `json:"notAfter,omitempty"` +} + +// FinalizeRequest is the payload shape RFC 8555 §7.4 mandates for the +// finalize POST. csr is the base64url-encoded DER of a PKCS#10 CSR. +type FinalizeRequest struct { + CSR string `json:"csr"` +} + +// AuthorizationResponseJSON is the wire shape RFC 8555 §7.1.4 mandates +// for the authz GET (POST-as-GET) response. +type AuthorizationResponseJSON struct { + Identifier IdentifierJSON `json:"identifier"` + Status string `json:"status"` + Expires string `json:"expires,omitempty"` + Wildcard bool `json:"wildcard,omitempty"` + Challenges []ChallengeResponseJSON `json:"challenges"` +} + +// ChallengeResponseJSON is the wire shape RFC 8555 §8 mandates for a +// challenge object (embedded in authz, or returned by POST to a +// challenge URL). +type ChallengeResponseJSON struct { + Type string `json:"type"` + URL string `json:"url"` + Status string `json:"status"` + Token string `json:"token"` + Validated string `json:"validated,omitempty"` + Error *Problem `json:"error,omitempty"` +} + +// MarshalAuthorization renders an ACMEAuthorization in RFC 8555 wire shape. +// challengeURLBuilder maps each challenge ID to its per-profile URL +// (handler-computed); identifiers stay as-is. +func MarshalAuthorization(authz *domain.ACMEAuthorization, challengeURLBuilder func(challengeID string) string) AuthorizationResponseJSON { + out := AuthorizationResponseJSON{ + Identifier: IdentifierJSON{Type: authz.Identifier.Type, Value: authz.Identifier.Value}, + Status: string(authz.Status), + Expires: authz.ExpiresAt.UTC().Format(time.RFC3339), + Wildcard: authz.Wildcard, + Challenges: make([]ChallengeResponseJSON, 0, len(authz.Challenges)), + } + for i := range authz.Challenges { + ch := &authz.Challenges[i] + j := ChallengeResponseJSON{ + Type: string(ch.Type), + URL: challengeURLBuilder(ch.ChallengeID), + Status: string(ch.Status), + Token: ch.Token, + } + if ch.ValidatedAt != nil { + j.Validated = ch.ValidatedAt.UTC().Format(time.RFC3339) + } + if ch.Error != nil { + j.Error = &Problem{Type: ch.Error.Type, Detail: ch.Error.Detail, Status: ch.Error.Status} + } + out.Challenges = append(out.Challenges, j) + } + return out +} + +// ErrIdentifierTypeUnsupported is returned when ValidateIdentifiers +// encounters a non-DNS identifier type. RFC 8555 §9.7.7 reserves +// `type` for future expansion; Phase 2 supports `dns` only. +var ErrIdentifierTypeUnsupported = errors.New("acme: identifier type not supported (Phase 2: dns only)") + +// ErrIdentifierEmpty is returned for an identifier with an empty +// value; the spec requires non-empty strings. +var ErrIdentifierEmpty = errors.New("acme: identifier value is empty") + +// ValidateIdentifiers checks the structural invariants RFC 8555 §7.4 +// requires (non-empty value, supported type) and returns per-identifier +// rejected entries on failure. Per-profile-policy rejection (SAN +// allowlist, lifetime cap) is the service layer's job; this function +// is the syntactic check only. +// +// Returns nil + nil ids on full acceptance. On rejection, returns the +// list of rejected identifiers with their reason as RFC 8555 §6.7 +// subproblems (rejectedIdentifier). +func ValidateIdentifiers(ids []IdentifierJSON) []Problem { + if len(ids) == 0 { + return []Problem{Malformed("new-order requires at least one identifier")} + } + var problems []Problem + for _, id := range ids { + switch strings.ToLower(id.Type) { + case "dns": + if id.Value == "" { + problems = append(problems, Problem{ + Type: "urn:ietf:params:acme:error:rejectedIdentifier", + Detail: "identifier value is empty", + Status: 400, + Identifier: &Identifier{Type: id.Type, Value: id.Value}, + }) + } + default: + problems = append(problems, Problem{ + Type: "urn:ietf:params:acme:error:rejectedIdentifier", + Detail: fmt.Sprintf("identifier type %q is not supported (Phase 2: dns only)", id.Type), + Status: 400, + Identifier: &Identifier{Type: id.Type, Value: id.Value}, + }) + } + } + return problems +} + +// CSRMatchesIdentifiers asserts the CSR's DNS-name set (Subject CN + +// Subject Alternative Names) equals the order's identifier set, +// case-folded for DNS comparison. +// +// RFC 8555 §7.4 finalize: "The CSR MUST indicate the exact same set of +// requested identifiers as the initial newOrder request." Case-fold +// the comparison so a CSR with `Example.com` matches an order with +// `example.com` (DNS is case-insensitive per RFC 1035 §2.3.3). +// +// Returns nil on match. On mismatch, returns a Problem typed as +// urn:ietf:params:acme:error:badCSR. +func CSRMatchesIdentifiers(csr *x509.CertificateRequest, identifiers []domain.ACMEIdentifier) *Problem { + csrSet := make(map[string]struct{}) + if csr.Subject.CommonName != "" { + csrSet[strings.ToLower(csr.Subject.CommonName)] = struct{}{} + } + for _, dns := range csr.DNSNames { + csrSet[strings.ToLower(dns)] = struct{}{} + } + + orderSet := make(map[string]struct{}) + for _, id := range identifiers { + if id.Type != "dns" { + continue + } + orderSet[strings.ToLower(id.Value)] = struct{}{} + } + + if len(csrSet) != len(orderSet) { + p := Problem{ + Type: "urn:ietf:params:acme:error:badCSR", + Detail: fmt.Sprintf("CSR identifier count (%d) differs from order identifier count (%d)", len(csrSet), len(orderSet)), + Status: 400, + } + return &p + } + for k := range orderSet { + if _, ok := csrSet[k]; !ok { + p := Problem{ + Type: "urn:ietf:params:acme:error:badCSR", + Detail: fmt.Sprintf("CSR is missing the order identifier %q", k), + Status: 400, + } + return &p + } + } + return nil +} + +// HasWildcard returns true when any identifier is a wildcard. RFC 8555 +// §7.1.3 marks the order's authz wildcard:true when the corresponding +// identifier starts with "*."; Phase 2 supports the trust_authenticated +// path (which auto-marks authz valid), so wildcard-aware challenge +// dispatch is Phase 3's concern. +func HasWildcard(ids []domain.ACMEIdentifier) bool { + for _, id := range ids { + if strings.HasPrefix(id.Value, "*.") { + return true + } + } + return false +} diff --git a/internal/api/handler/acme.go b/internal/api/handler/acme.go index 899082f..2d6a6be 100644 --- a/internal/api/handler/acme.go +++ b/internal/api/handler/acme.go @@ -5,10 +5,14 @@ package handler import ( "context" + "crypto/x509" + "encoding/base64" "encoding/json" + "encoding/pem" "errors" "io" "net/http" + "time" jose "github.com/go-jose/go-jose/v4" @@ -38,6 +42,13 @@ type ACMEService interface { LookupAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error) UpdateAccount(ctx context.Context, accountID string, contact []string) (*domain.ACMEAccount, error) DeactivateAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error) + // Phase 2 — orders + finalize + authz + cert download. + CreateOrder(ctx context.Context, accountID, profileID string, identifiers []domain.ACMEIdentifier, notBefore, notAfter *time.Time) (*domain.ACMEOrder, error) + LookupOrder(ctx context.Context, orderID, accountID string) (*domain.ACMEOrder, error) + LookupAuthz(ctx context.Context, authzID string) (*domain.ACMEAuthorization, error) + ListAuthzsByOrder(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) + FinalizeOrder(ctx context.Context, accountID, orderID, profileID string, csr *x509.CertificateRequest, csrPEM string) (*service.FinalizeOrderResult, error) + LookupCertificate(ctx context.Context, certID, accountID string) (string, error) } // ACMEHandler exposes the ACME server's RFC 8555 endpoints under the @@ -182,6 +193,26 @@ func writeServiceError(w http.ResponseWriter, err error) { case errors.Is(err, service.ErrACMEAccountDoesNotExist): acme.WriteProblem(w, acme.AccountDoesNotExist( "no account exists for this JWK; submit a new-account request without onlyReturnExisting")) + case errors.Is(err, service.ErrACMEOrderNotFound), errors.Is(err, service.ErrACMEAuthzNotFound), errors.Is(err, service.ErrACMECertificateNotFound): + acme.WriteProblem(w, acme.Problem{ + Type: "urn:ietf:params:acme:error:malformed", + Detail: "resource not found", + Status: http.StatusNotFound, + }) + case errors.Is(err, service.ErrACMEOrderUnauthorized): + acme.WriteProblem(w, acme.Problem{ + Type: "urn:ietf:params:acme:error:unauthorized", + Detail: "account does not own this resource", + Status: http.StatusUnauthorized, + }) + case errors.Is(err, service.ErrACMEOrderNotReady): + acme.WriteProblem(w, acme.Problem{ + Type: "urn:ietf:params:acme:error:orderNotReady", + Detail: "order is not in the `ready` state; complete authorizations first", + Status: http.StatusForbidden, + }) + case errors.Is(err, service.ErrACMEUnsupportedAuthMode), errors.Is(err, service.ErrACMEFinalizeUnconfigured): + acme.WriteProblem(w, acme.ServerInternal("ACME server is not fully configured; contact the operator")) default: // Avoid leaking internal error text per master-prompt // criterion #10 (operator-actionable errors with no info @@ -410,3 +441,355 @@ func trimBody(b []byte) []byte { } return b } + +// --- Phase 2 — orders + finalize + authz + cert handlers --------------- + +// NewOrder handles POST /acme/profile/{id}/new-order (RFC 8555 §7.4). +// JWS path: kid (registered account). +func (h ACMEHandler) NewOrder(w http.ResponseWriter, r *http.Request) { + profileID := r.PathValue("id") + requestURL := h.requestURL(r) + + body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1)) + if err != nil { + acme.WriteProblem(w, acme.Malformed("could not read request body")) + return + } + if len(body) > MaxJWSBodyBytes { + acme.WriteProblem(w, acme.Malformed("request body too large")) + return + } + + verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, false /*expectNewAccount*/, h.accountKID(r, profileID)) + if err != nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(err)) + return + } + if verified.Account == nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(acme.ErrJWSAccountNotFound)) + return + } + + var req acme.NewOrderRequest + if err := json.Unmarshal(verified.Payload, &req); err != nil { + acme.WriteProblem(w, acme.Malformed("could not parse new-order payload")) + return + } + // Identifier validation runs BEFORE order creation. Rejected + // identifiers do NOT create an acme_orders row. + if probs := acme.ValidateIdentifiers(req.Identifiers); len(probs) > 0 { + // Multi-rejection → wrap in subproblems. + w.Header().Set("Content-Type", acme.ProblemContentType) + w.WriteHeader(http.StatusBadRequest) + _ = json.NewEncoder(w).Encode(acme.Problem{ + Type: "urn:ietf:params:acme:error:rejectedIdentifier", + Detail: "one or more identifiers were rejected", + Status: http.StatusBadRequest, + Subproblems: probs, + }) + return + } + + // Translate wire shape to domain shape. + domainIDs := make([]domain.ACMEIdentifier, 0, len(req.Identifiers)) + for _, id := range req.Identifiers { + domainIDs = append(domainIDs, domain.ACMEIdentifier{Type: id.Type, Value: id.Value}) + } + notBefore := parseOptionalTime(req.NotBefore) + notAfter := parseOptionalTime(req.NotAfter) + + order, err := h.svc.CreateOrder(r.Context(), verified.Account.AccountID, profileID, domainIDs, notBefore, notAfter) + if err != nil { + writeServiceError(w, err) + return + } + + if nonce, err := h.svc.IssueNonce(r.Context()); err == nil { + w.Header().Set("Replay-Nonce", nonce) + } + w.Header().Set("Location", h.orderURL(r, profileID, order.OrderID)) + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusCreated) + _ = json.NewEncoder(w).Encode(h.marshalOrderForResponse(r, profileID, order)) +} + +// Order handles POST /acme/profile/{id}/order/{ord_id} (RFC 8555 §7.4 +// POST-as-GET — empty payload returns the current order state). +func (h ACMEHandler) Order(w http.ResponseWriter, r *http.Request) { + profileID := r.PathValue("id") + orderID := r.PathValue("ord_id") + requestURL := h.requestURL(r) + + body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1)) + if err != nil { + acme.WriteProblem(w, acme.Malformed("could not read request body")) + return + } + if len(body) > MaxJWSBodyBytes { + acme.WriteProblem(w, acme.Malformed("request body too large")) + return + } + + verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, false, h.accountKID(r, profileID)) + if err != nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(err)) + return + } + if verified.Account == nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(acme.ErrJWSAccountNotFound)) + return + } + + order, err := h.svc.LookupOrder(r.Context(), orderID, verified.Account.AccountID) + if err != nil { + writeServiceError(w, err) + return + } + + if nonce, err := h.svc.IssueNonce(r.Context()); err == nil { + w.Header().Set("Replay-Nonce", nonce) + } + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(h.marshalOrderForResponse(r, profileID, order)) +} + +// OrderFinalize handles POST /acme/profile/{id}/order/{ord_id}/finalize +// (RFC 8555 §7.4). Payload carries the base64url-DER CSR. +func (h ACMEHandler) OrderFinalize(w http.ResponseWriter, r *http.Request) { + profileID := r.PathValue("id") + orderID := r.PathValue("ord_id") + requestURL := h.requestURL(r) + + body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1)) + if err != nil { + acme.WriteProblem(w, acme.Malformed("could not read request body")) + return + } + if len(body) > MaxJWSBodyBytes { + acme.WriteProblem(w, acme.Malformed("request body too large")) + return + } + + verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, false, h.accountKID(r, profileID)) + if err != nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(err)) + return + } + if verified.Account == nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(acme.ErrJWSAccountNotFound)) + return + } + + var req acme.FinalizeRequest + if err := json.Unmarshal(verified.Payload, &req); err != nil { + acme.WriteProblem(w, acme.Malformed("could not parse finalize payload")) + return + } + csrDER, err := base64.RawURLEncoding.DecodeString(req.CSR) + if err != nil { + acme.WriteProblem(w, acme.Problem{ + Type: "urn:ietf:params:acme:error:badCSR", + Detail: "csr field is not valid base64url", + Status: http.StatusBadRequest, + }) + return + } + csr, err := x509.ParseCertificateRequest(csrDER) + if err != nil { + acme.WriteProblem(w, acme.Problem{ + Type: "urn:ietf:params:acme:error:badCSR", + Detail: "csr did not parse as a valid PKCS#10", + Status: http.StatusBadRequest, + }) + return + } + csrPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})) + + result, err := h.svc.FinalizeOrder(r.Context(), verified.Account.AccountID, orderID, profileID, csr, csrPEM) + if err != nil { + writeServiceError(w, err) + return + } + + if nonce, err := h.svc.IssueNonce(r.Context()); err == nil { + w.Header().Set("Replay-Nonce", nonce) + } + w.Header().Set("Location", h.orderURL(r, profileID, result.Order.OrderID)) + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(h.marshalOrderForResponse(r, profileID, result.Order)) +} + +// Authz handles POST /acme/profile/{id}/authz/{authz_id} (RFC 8555 +// §7.5 POST-as-GET). +func (h ACMEHandler) Authz(w http.ResponseWriter, r *http.Request) { + profileID := r.PathValue("id") + authzID := r.PathValue("authz_id") + requestURL := h.requestURL(r) + + body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1)) + if err != nil { + acme.WriteProblem(w, acme.Malformed("could not read request body")) + return + } + if len(body) > MaxJWSBodyBytes { + acme.WriteProblem(w, acme.Malformed("request body too large")) + return + } + + verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, false, h.accountKID(r, profileID)) + if err != nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(err)) + return + } + if verified.Account == nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(acme.ErrJWSAccountNotFound)) + return + } + + authz, err := h.svc.LookupAuthz(r.Context(), authzID) + if err != nil { + writeServiceError(w, err) + return + } + + if nonce, err := h.svc.IssueNonce(r.Context()); err == nil { + w.Header().Set("Replay-Nonce", nonce) + } + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(acme.MarshalAuthorization(authz, h.challengeURLBuilder(r, profileID))) +} + +// Cert handles POST /acme/profile/{id}/cert/{cert_id} (RFC 8555 §7.4.2 +// POST-as-GET cert download). Returns the PEM chain. +func (h ACMEHandler) Cert(w http.ResponseWriter, r *http.Request) { + profileID := r.PathValue("id") + certID := r.PathValue("cert_id") + requestURL := h.requestURL(r) + + body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1)) + if err != nil { + acme.WriteProblem(w, acme.Malformed("could not read request body")) + return + } + if len(body) > MaxJWSBodyBytes { + acme.WriteProblem(w, acme.Malformed("request body too large")) + return + } + + verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, false, h.accountKID(r, profileID)) + if err != nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(err)) + return + } + if verified.Account == nil { + acme.WriteProblem(w, acme.MapJWSErrorToProblem(acme.ErrJWSAccountNotFound)) + return + } + + pemChain, err := h.svc.LookupCertificate(r.Context(), certID, verified.Account.AccountID) + if err != nil { + writeServiceError(w, err) + return + } + + if nonce, err := h.svc.IssueNonce(r.Context()); err == nil { + w.Header().Set("Replay-Nonce", nonce) + } + w.Header().Set("Content-Type", "application/pem-certificate-chain") + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(pemChain)) +} + +// orderURL composes the per-order URL for Location headers and the +// finalize URL embedded in the order JSON. +func (h ACMEHandler) orderURL(r *http.Request, profileID, orderID string) string { + scheme := "https" + if r.TLS == nil { + scheme = "http" + } + prefix := scheme + "://" + r.Host + if profileID != "" { + prefix += "/acme/profile/" + profileID + } else { + prefix += "/acme" + } + return prefix + "/order/" + orderID +} + +func (h ACMEHandler) authzURL(r *http.Request, profileID, authzID string) string { + scheme := "https" + if r.TLS == nil { + scheme = "http" + } + prefix := scheme + "://" + r.Host + if profileID != "" { + prefix += "/acme/profile/" + profileID + } else { + prefix += "/acme" + } + return prefix + "/authz/" + authzID +} + +func (h ACMEHandler) certURL(r *http.Request, profileID, certID string) string { + scheme := "https" + if r.TLS == nil { + scheme = "http" + } + prefix := scheme + "://" + r.Host + if profileID != "" { + prefix += "/acme/profile/" + profileID + } else { + prefix += "/acme" + } + return prefix + "/cert/" + certID +} + +// challengeURLBuilder returns a closure for MarshalAuthorization to +// compute per-challenge URLs. +func (h ACMEHandler) challengeURLBuilder(r *http.Request, profileID string) func(challengeID string) string { + scheme := "https" + if r.TLS == nil { + scheme = "http" + } + prefix := scheme + "://" + r.Host + if profileID != "" { + prefix += "/acme/profile/" + profileID + } else { + prefix += "/acme" + } + return func(challengeID string) string { return prefix + "/challenge/" + challengeID } +} + +// marshalOrderForResponse builds the OrderResponseJSON for an order, +// fetching the per-order authzs to populate the URL list. The cert URL +// is populated only when status=valid + certificate_id is set. +func (h ACMEHandler) marshalOrderForResponse(r *http.Request, profileID string, order *domain.ACMEOrder) acme.OrderResponseJSON { + authzs, _ := h.svc.ListAuthzsByOrder(r.Context(), order.OrderID) + authzURLs := make([]string, 0, len(authzs)) + for _, a := range authzs { + authzURLs = append(authzURLs, h.authzURL(r, profileID, a.AuthzID)) + } + finalize := h.orderURL(r, profileID, order.OrderID) + "/finalize" + certURL := "" + if order.CertificateID != "" { + certURL = h.certURL(r, profileID, order.CertificateID) + } + return acme.MarshalOrder(order, authzURLs, finalize, certURL) +} + +// parseOptionalTime parses an RFC 3339 string; returns nil on empty or +// parse failure (the latter is best-effort — the spec leaves notBefore +// / notAfter as advisory). +func parseOptionalTime(s string) *time.Time { + if s == "" { + return nil + } + t, err := time.Parse(time.RFC3339, s) + if err != nil { + return nil + } + return &t +} diff --git a/internal/api/handler/acme_handler_test.go b/internal/api/handler/acme_handler_test.go index 7374f0a..85fc781 100644 --- a/internal/api/handler/acme_handler_test.go +++ b/internal/api/handler/acme_handler_test.go @@ -6,12 +6,14 @@ package handler import ( "bytes" "context" + "crypto/x509" "encoding/json" "errors" "net/http" "net/http/httptest" "strings" "testing" + "time" jose "github.com/go-jose/go-jose/v4" @@ -31,6 +33,13 @@ type mockACMEService struct { LookupAccountFn func(ctx context.Context, accountID string) (*domain.ACMEAccount, error) UpdateAccountFn func(ctx context.Context, accountID string, contact []string) (*domain.ACMEAccount, error) DeactivateAccountFn func(ctx context.Context, accountID string) (*domain.ACMEAccount, error) + // Phase 2. + CreateOrderFn func(ctx context.Context, accountID, profileID string, identifiers []domain.ACMEIdentifier, notBefore, notAfter *time.Time) (*domain.ACMEOrder, error) + LookupOrderFn func(ctx context.Context, orderID, accountID string) (*domain.ACMEOrder, error) + LookupAuthzFn func(ctx context.Context, authzID string) (*domain.ACMEAuthorization, error) + ListAuthzsByOrderFn func(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) + FinalizeOrderFn func(ctx context.Context, accountID, orderID, profileID string, csr *x509.CertificateRequest, csrPEM string) (*service.FinalizeOrderResult, error) + LookupCertificateFn func(ctx context.Context, certID, accountID string) (string, error) } func (m *mockACMEService) BuildDirectory(ctx context.Context, profileID, baseURL string) (*acme.Directory, error) { @@ -82,6 +91,48 @@ func (m *mockACMEService) DeactivateAccount(ctx context.Context, accountID strin return nil, errors.New("DeactivateAccount not stubbed") } +func (m *mockACMEService) CreateOrder(ctx context.Context, accountID, profileID string, identifiers []domain.ACMEIdentifier, notBefore, notAfter *time.Time) (*domain.ACMEOrder, error) { + if m.CreateOrderFn != nil { + return m.CreateOrderFn(ctx, accountID, profileID, identifiers, notBefore, notAfter) + } + return nil, errors.New("CreateOrder not stubbed") +} + +func (m *mockACMEService) LookupOrder(ctx context.Context, orderID, accountID string) (*domain.ACMEOrder, error) { + if m.LookupOrderFn != nil { + return m.LookupOrderFn(ctx, orderID, accountID) + } + return nil, errors.New("LookupOrder not stubbed") +} + +func (m *mockACMEService) LookupAuthz(ctx context.Context, authzID string) (*domain.ACMEAuthorization, error) { + if m.LookupAuthzFn != nil { + return m.LookupAuthzFn(ctx, authzID) + } + return nil, errors.New("LookupAuthz not stubbed") +} + +func (m *mockACMEService) ListAuthzsByOrder(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) { + if m.ListAuthzsByOrderFn != nil { + return m.ListAuthzsByOrderFn(ctx, orderID) + } + return nil, nil +} + +func (m *mockACMEService) FinalizeOrder(ctx context.Context, accountID, orderID, profileID string, csr *x509.CertificateRequest, csrPEM string) (*service.FinalizeOrderResult, error) { + if m.FinalizeOrderFn != nil { + return m.FinalizeOrderFn(ctx, accountID, orderID, profileID, csr, csrPEM) + } + return nil, errors.New("FinalizeOrder not stubbed") +} + +func (m *mockACMEService) LookupCertificate(ctx context.Context, certID, accountID string) (string, error) { + if m.LookupCertificateFn != nil { + return m.LookupCertificateFn(ctx, certID, accountID) + } + return "", errors.New("LookupCertificate not stubbed") +} + // newACMETestServer wires the ACMEHandler against the mock + a stdlib // ServeMux configured exactly the way internal/api/router/router.go // does it in production. Routes: @@ -101,6 +152,11 @@ func newACMETestServer(t *testing.T, mock *mockACMEService) *httptest.Server { mux.HandleFunc("GET /acme/profile/{id}/new-nonce", h.NewNonce) mux.HandleFunc("POST /acme/profile/{id}/new-account", h.NewAccount) mux.HandleFunc("POST /acme/profile/{id}/account/{acc_id}", h.Account) + mux.HandleFunc("POST /acme/profile/{id}/new-order", h.NewOrder) + mux.HandleFunc("POST /acme/profile/{id}/order/{ord_id}", h.Order) + mux.HandleFunc("POST /acme/profile/{id}/order/{ord_id}/finalize", h.OrderFinalize) + mux.HandleFunc("POST /acme/profile/{id}/authz/{authz_id}", h.Authz) + mux.HandleFunc("POST /acme/profile/{id}/cert/{cert_id}", h.Cert) mux.HandleFunc("GET /acme/directory", h.Directory) mux.HandleFunc("HEAD /acme/new-nonce", h.NewNonce) mux.HandleFunc("GET /acme/new-nonce", h.NewNonce) @@ -539,3 +595,148 @@ func TestACMEHandler_Account_PostAsGet(t *testing.T) { t.Errorf("status = %d, want 200 (POST-as-GET)", resp.StatusCode) } } + +// --- Phase 2 — orders + finalize handler smoke ------------------------- + +func TestACMEHandler_NewOrder_HappyPath(t *testing.T) { + mock := &mockACMEService{ + VerifyJWSFn: stubVerifiedReq( + acme.NewOrderRequest{Identifiers: []acme.IdentifierJSON{{Type: "dns", Value: "example.com"}}}, + &domain.ACMEAccount{AccountID: "acme-acc-X", Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp"}, + nil, + ), + CreateOrderFn: func(ctx context.Context, accountID, profileID string, identifiers []domain.ACMEIdentifier, notBefore, notAfter *time.Time) (*domain.ACMEOrder, error) { + return &domain.ACMEOrder{ + OrderID: "acme-ord-001", + AccountID: accountID, + Identifiers: identifiers, + Status: domain.ACMEOrderStatusReady, + ExpiresAt: time.Now().Add(24 * time.Hour), + }, nil + }, + ListAuthzsByOrderFn: func(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) { + return []*domain.ACMEAuthorization{ + {AuthzID: "acme-authz-001", OrderID: orderID, Status: domain.ACMEAuthzStatusValid}, + }, nil + }, + } + srv := newACMETestServer(t, mock) + defer srv.Close() + + resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/new-order", "application/jose+json", bytes.NewReader([]byte("ignored-by-mock"))) + if err != nil { + t.Fatalf("Post: %v", err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusCreated { + t.Errorf("status = %d, want 201", resp.StatusCode) + } + if got := resp.Header.Get("Location"); !strings.Contains(got, "/order/acme-ord-001") { + t.Errorf("Location = %q", got) + } + var body acme.OrderResponseJSON + if err := json.NewDecoder(resp.Body).Decode(&body); err != nil { + t.Fatalf("Decode: %v", err) + } + if body.Status != "ready" { + t.Errorf("status = %q (trust_authenticated should auto-ready)", body.Status) + } + if len(body.Authorizations) != 1 || !strings.Contains(body.Authorizations[0], "/authz/acme-authz-001") { + t.Errorf("authorizations = %v", body.Authorizations) + } + if !strings.HasSuffix(body.Finalize, "/order/acme-ord-001/finalize") { + t.Errorf("finalize = %q", body.Finalize) + } +} + +func TestACMEHandler_NewOrder_RejectedIdentifier(t *testing.T) { + mock := &mockACMEService{ + VerifyJWSFn: stubVerifiedReq( + acme.NewOrderRequest{Identifiers: []acme.IdentifierJSON{{Type: "ip", Value: "10.0.0.1"}}}, + &domain.ACMEAccount{AccountID: "acme-acc-X", Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp"}, + nil, + ), + } + srv := newACMETestServer(t, mock) + defer srv.Close() + + resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/new-order", "application/jose+json", bytes.NewReader([]byte("x"))) + if err != nil { + t.Fatalf("Post: %v", err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusBadRequest { + t.Errorf("status = %d, want 400 (rejected identifier)", resp.StatusCode) + } + var p acme.Problem + _ = json.NewDecoder(resp.Body).Decode(&p) + if p.Type != "urn:ietf:params:acme:error:rejectedIdentifier" { + t.Errorf("Problem.Type = %q", p.Type) + } + if len(p.Subproblems) == 0 { + t.Error("expected subproblems for per-identifier rejection") + } +} + +func TestACMEHandler_OrderFinalize_BadCSR(t *testing.T) { + mock := &mockACMEService{ + VerifyJWSFn: stubVerifiedReq( + acme.FinalizeRequest{CSR: "not-base64!!!"}, + &domain.ACMEAccount{AccountID: "acme-acc-X", Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp"}, + nil, + ), + } + srv := newACMETestServer(t, mock) + defer srv.Close() + + resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/order/acme-ord-001/finalize", "application/jose+json", bytes.NewReader([]byte("x"))) + if err != nil { + t.Fatalf("Post: %v", err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusBadRequest { + t.Errorf("status = %d, want 400", resp.StatusCode) + } + var p acme.Problem + _ = json.NewDecoder(resp.Body).Decode(&p) + if p.Type != "urn:ietf:params:acme:error:badCSR" { + t.Errorf("Problem.Type = %q", p.Type) + } +} + +func TestACMEHandler_Cert_HappyPath(t *testing.T) { + pemChain := "-----BEGIN CERTIFICATE-----\nMIIBhjCCAQ==\n-----END CERTIFICATE-----\n" + mock := &mockACMEService{ + VerifyJWSFn: stubVerifiedReq( + struct{}{}, + &domain.ACMEAccount{AccountID: "acme-acc-X", Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp"}, + nil, + ), + LookupCertificateFn: func(ctx context.Context, certID, accountID string) (string, error) { + return pemChain, nil + }, + } + srv := newACMETestServer(t, mock) + defer srv.Close() + + resp, err := http.Post(srv.URL+"/acme/profile/prof-corp/cert/mc-acme-001", "application/jose+json", bytes.NewReader([]byte("x"))) + if err != nil { + t.Fatalf("Post: %v", err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + t.Errorf("status = %d, want 200", resp.StatusCode) + } + if got := resp.Header.Get("Content-Type"); got != "application/pem-certificate-chain" { + t.Errorf("content-type = %q", got) + } + body := bytes.NewBuffer(nil) + _, _ = body.ReadFrom(resp.Body) + if !strings.Contains(body.String(), "BEGIN CERTIFICATE") { + t.Errorf("body did not contain PEM cert: %q", body.String()) + } +} diff --git a/internal/api/router/openapi_parity_test.go b/internal/api/router/openapi_parity_test.go index a0ca6df..9a74583 100644 --- a/internal/api/router/openapi_parity_test.go +++ b/internal/api/router/openapi_parity_test.go @@ -71,6 +71,18 @@ var SpecParityExceptions = map[string]string{ "GET /acme/new-nonce": "RFC 8555 §7.2 new-nonce GET (default-profile shorthand); documented in docs/acme-server.md", "POST /acme/new-account": "RFC 8555 §7.3 new-account (default-profile shorthand); documented in docs/acme-server.md", "POST /acme/account/{acc_id}": "RFC 8555 §7.3.2 + §7.3.6 (default-profile shorthand); documented in docs/acme-server.md", + + // Phase 2 — orders + finalize + authz + cert. + "POST /acme/profile/{id}/new-order": "RFC 8555 §7.4 new-order; documented in docs/acme-server.md", + "POST /acme/profile/{id}/order/{ord_id}": "RFC 8555 §7.4 order POST-as-GET; documented in docs/acme-server.md", + "POST /acme/profile/{id}/order/{ord_id}/finalize": "RFC 8555 §7.4 finalize; documented in docs/acme-server.md", + "POST /acme/profile/{id}/authz/{authz_id}": "RFC 8555 §7.5 authz POST-as-GET; documented in docs/acme-server.md", + "POST /acme/profile/{id}/cert/{cert_id}": "RFC 8555 §7.4.2 cert download; documented in docs/acme-server.md", + "POST /acme/new-order": "Phase 2 default-profile shorthand for new-order.", + "POST /acme/order/{ord_id}": "Phase 2 default-profile shorthand for order POST-as-GET.", + "POST /acme/order/{ord_id}/finalize": "Phase 2 default-profile shorthand for finalize.", + "POST /acme/authz/{authz_id}": "Phase 2 default-profile shorthand for authz POST-as-GET.", + "POST /acme/cert/{cert_id}": "Phase 2 default-profile shorthand for cert download.", } func TestRouter_OpenAPIParity(t *testing.T) { diff --git a/internal/api/router/router.go b/internal/api/router/router.go index 10edcee..f5351e2 100644 --- a/internal/api/router/router.go +++ b/internal/api/router/router.go @@ -417,6 +417,11 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) { r.Register("GET /acme/profile/{id}/new-nonce", http.HandlerFunc(reg.ACME.NewNonce)) r.Register("POST /acme/profile/{id}/new-account", http.HandlerFunc(reg.ACME.NewAccount)) r.Register("POST /acme/profile/{id}/account/{acc_id}", http.HandlerFunc(reg.ACME.Account)) + r.Register("POST /acme/profile/{id}/new-order", http.HandlerFunc(reg.ACME.NewOrder)) + r.Register("POST /acme/profile/{id}/order/{ord_id}", http.HandlerFunc(reg.ACME.Order)) + r.Register("POST /acme/profile/{id}/order/{ord_id}/finalize", http.HandlerFunc(reg.ACME.OrderFinalize)) + r.Register("POST /acme/profile/{id}/authz/{authz_id}", http.HandlerFunc(reg.ACME.Authz)) + r.Register("POST /acme/profile/{id}/cert/{cert_id}", http.HandlerFunc(reg.ACME.Cert)) // Default-profile shorthand. The handler's profile-resolution path // returns userActionRequired (RFC 7807 + RFC 8555 §6.7) when // CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID is unset; when set it @@ -426,6 +431,11 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) { r.Register("GET /acme/new-nonce", http.HandlerFunc(reg.ACME.NewNonce)) r.Register("POST /acme/new-account", http.HandlerFunc(reg.ACME.NewAccount)) r.Register("POST /acme/account/{acc_id}", http.HandlerFunc(reg.ACME.Account)) + r.Register("POST /acme/new-order", http.HandlerFunc(reg.ACME.NewOrder)) + r.Register("POST /acme/order/{ord_id}", http.HandlerFunc(reg.ACME.Order)) + r.Register("POST /acme/order/{ord_id}/finalize", http.HandlerFunc(reg.ACME.OrderFinalize)) + r.Register("POST /acme/authz/{authz_id}", http.HandlerFunc(reg.ACME.Authz)) + r.Register("POST /acme/cert/{cert_id}", http.HandlerFunc(reg.ACME.Cert)) } // RegisterESTHandlers sets up EST (RFC 7030) routes under diff --git a/internal/domain/acme.go b/internal/domain/acme.go index f0c4718..6c1e99f 100644 --- a/internal/domain/acme.go +++ b/internal/domain/acme.go @@ -48,3 +48,114 @@ const ( // JWK). Same access semantics as deactivated. ACMEAccountStatusRevoked ACMEAccountStatus = "revoked" ) + +// ACMEOrder mirrors a row in the acme_orders table (RFC 8555 §7.1.3). +// Identifiers stored as a slice; the postgres layer JSON-encodes into +// the JSONB column at write time and decodes on read. +type ACMEOrder struct { + OrderID string `json:"order_id"` + AccountID string `json:"account_id"` + Identifiers []ACMEIdentifier `json:"identifiers"` + Status ACMEOrderStatus `json:"status"` + ExpiresAt time.Time `json:"expires_at"` + NotBefore *time.Time `json:"not_before,omitempty"` + NotAfter *time.Time `json:"not_after,omitempty"` + Error *ACMEProblem `json:"error,omitempty"` + CSRPEM string `json:"csr_pem,omitempty"` + CertificateID string `json:"certificate_id,omitempty"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} + +// ACMEOrderStatus is the closed state-machine for the `status` column +// per RFC 8555 §7.1.6. +type ACMEOrderStatus string + +const ( + ACMEOrderStatusPending ACMEOrderStatus = "pending" + ACMEOrderStatusReady ACMEOrderStatus = "ready" + ACMEOrderStatusProcessing ACMEOrderStatus = "processing" + ACMEOrderStatusValid ACMEOrderStatus = "valid" + ACMEOrderStatusInvalid ACMEOrderStatus = "invalid" +) + +// ACMEIdentifier is the {type, value} pair RFC 8555 §7.1.4 mandates. +// Phase 2 supports `dns` only; Phase 3 will not extend (RFC 8555 +// extensions for IP / email identifier types are out of scope). +type ACMEIdentifier struct { + Type string `json:"type"` + Value string `json:"value"` +} + +// ACMEProblem mirrors the RFC 7807 + RFC 8555 §6.7 error envelope +// when stored on an order/authz row. Kept in domain (rather than +// importing api/acme.Problem) so the persistence layer doesn't take +// a dependency on the protocol package. +type ACMEProblem struct { + Type string `json:"type"` + Detail string `json:"detail"` + Status int `json:"status"` +} + +// ACMEAuthorization mirrors a row in the acme_authorizations table +// (RFC 8555 §7.1.4). One authz per order identifier; the linked +// challenges live in acme_challenges. +type ACMEAuthorization struct { + AuthzID string `json:"authz_id"` + OrderID string `json:"order_id"` + Identifier ACMEIdentifier `json:"identifier"` + Status ACMEAuthzStatus `json:"status"` + ExpiresAt time.Time `json:"expires_at"` + Wildcard bool `json:"wildcard"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` + Challenges []ACMEChallenge `json:"challenges,omitempty"` // populated by repo on read +} + +// ACMEAuthzStatus is the closed enum for acme_authorizations.status +// per RFC 8555 §7.1.6. +type ACMEAuthzStatus string + +const ( + ACMEAuthzStatusPending ACMEAuthzStatus = "pending" + ACMEAuthzStatusValid ACMEAuthzStatus = "valid" + ACMEAuthzStatusInvalid ACMEAuthzStatus = "invalid" + ACMEAuthzStatusDeactivated ACMEAuthzStatus = "deactivated" + ACMEAuthzStatusExpired ACMEAuthzStatus = "expired" + ACMEAuthzStatusRevoked ACMEAuthzStatus = "revoked" +) + +// ACMEChallenge mirrors a row in the acme_challenges table (RFC 8555 §8). +type ACMEChallenge struct { + ChallengeID string `json:"challenge_id"` + AuthzID string `json:"authz_id"` + Type ACMEChallengeType `json:"type"` + Status ACMEChallengeStatus `json:"status"` + Token string `json:"token"` + ValidatedAt *time.Time `json:"validated_at,omitempty"` + Error *ACMEProblem `json:"error,omitempty"` + CreatedAt time.Time `json:"created_at"` +} + +// ACMEChallengeType is the closed set of challenge types Phase 3 will +// implement. Phase 2 emits only `http-01` placeholders since challenge +// validation isn't wired yet — RFC 8555 §8 mandates at least one +// challenge per authz. +type ACMEChallengeType string + +const ( + ACMEChallengeTypeHTTP01 ACMEChallengeType = "http-01" + ACMEChallengeTypeDNS01 ACMEChallengeType = "dns-01" + ACMEChallengeTypeTLSALPN01 ACMEChallengeType = "tls-alpn-01" +) + +// ACMEChallengeStatus is the closed enum for acme_challenges.status +// per RFC 8555 §7.1.6 + §8.2. +type ACMEChallengeStatus string + +const ( + ACMEChallengeStatusPending ACMEChallengeStatus = "pending" + ACMEChallengeStatusProcessing ACMEChallengeStatus = "processing" + ACMEChallengeStatusValid ACMEChallengeStatus = "valid" + ACMEChallengeStatusInvalid ACMEChallengeStatus = "invalid" +) diff --git a/internal/domain/certificate.go b/internal/domain/certificate.go index b7ef335..10e4a5d 100644 --- a/internal/domain/certificate.go +++ b/internal/domain/certificate.go @@ -59,6 +59,13 @@ const ( CertificateSourceSCEP CertificateSource = "SCEP" CertificateSourceAPI CertificateSource = "API" CertificateSourceAgent CertificateSource = "Agent" + // CertificateSourceACME stamps every cert issued through the + // built-in ACME server endpoint (RFC 8555 finalize → cert + // download). The ACME service (internal/service/acme.go) + // pins this on every managed_certificates row it inserts at + // finalize time. Operators bulk-revoke ACME-issued certs by + // filtering on Source=ACME. + CertificateSourceACME CertificateSource = "ACME" ) // CertificateVersion represents a specific version of a certificate. diff --git a/internal/domain/profile.go b/internal/domain/profile.go index 2b0b178..c2f1fc9 100644 --- a/internal/domain/profile.go +++ b/internal/domain/profile.go @@ -58,6 +58,20 @@ type CertificateProfile struct { // EST RFC 7030 hardening master bundle Phase 6. RequiredCSRAttributes []string `json:"required_csr_attributes,omitempty"` + // ACMEAuthMode picks the per-profile ACME server auth posture. + // "trust_authenticated" (default): JWS-authenticated client is + // trusted to issue for any identifier the profile policy allows + // (no out-of-band identifier proof). "challenge": full HTTP-01 + + // DNS-01 + TLS-ALPN-01 validation per RFC 8555 §8 (Phase 3). + // One certctl-server can serve both modes simultaneously by + // having multiple profiles with different values; the column is + // read at request time, not cached at server start. + // + // Backed by certificate_profiles.acme_auth_mode added in + // migration 000025_acme_server. Empty string in Go ≡ DB default + // "trust_authenticated". + ACMEAuthMode string `json:"acme_auth_mode,omitempty"` + Enabled bool `json:"enabled"` CreatedAt time.Time `json:"created_at"` UpdatedAt time.Time `json:"updated_at"` diff --git a/internal/repository/postgres/acme.go b/internal/repository/postgres/acme.go index b80b165..dc016c3 100644 --- a/internal/repository/postgres/acme.go +++ b/internal/repository/postgres/acme.go @@ -6,6 +6,7 @@ package postgres import ( "context" "database/sql" + "encoding/json" "errors" "fmt" "time" @@ -232,6 +233,358 @@ func (r *ACMERepository) UpdateAccountStatusWithTx(ctx context.Context, q reposi return nil } +// --- Phase 2 — order / authz / challenge CRUD -------------------------- + +// CreateOrderWithTx inserts an acme_orders row. Used by ACMEService.CreateOrder +// during new-order processing; the transaction also creates the per-identifier +// authz + challenge rows + audit row in the same WithinTx. +func (r *ACMERepository) CreateOrderWithTx(ctx context.Context, q repository.Querier, order *domain.ACMEOrder) error { + if order.OrderID == "" || order.AccountID == "" { + return fmt.Errorf("acme: create order: missing required field") + } + now := time.Now().UTC() + if order.CreatedAt.IsZero() { + order.CreatedAt = now + } + order.UpdatedAt = now + identifiersJSON, err := jsonMarshalACME(order.Identifiers) + if err != nil { + return fmt.Errorf("acme: marshal identifiers: %w", err) + } + var ( + notBefore, notAfter interface{} + errBlob interface{} + certID interface{} + ) + if order.NotBefore != nil { + notBefore = *order.NotBefore + } + if order.NotAfter != nil { + notAfter = *order.NotAfter + } + if order.Error != nil { + b, err := jsonMarshalACME(order.Error) + if err != nil { + return fmt.Errorf("acme: marshal error: %w", err) + } + errBlob = b + } + if order.CertificateID != "" { + certID = order.CertificateID + } + _, err = q.ExecContext(ctx, ` + INSERT INTO acme_orders ( + order_id, account_id, identifiers, status, expires_at, + not_before, not_after, error, csr_pem, certificate_id, + created_at, updated_at + ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12) + `, + order.OrderID, order.AccountID, identifiersJSON, string(order.Status), + order.ExpiresAt, notBefore, notAfter, errBlob, order.CSRPEM, certID, + order.CreatedAt, order.UpdatedAt, + ) + if err != nil { + return fmt.Errorf("acme: insert order: %w", err) + } + return nil +} + +// GetOrderByID retrieves an order. Returns sql.ErrNoRows-wrapped +// repository.ErrNotFound on miss. +func (r *ACMERepository) GetOrderByID(ctx context.Context, orderID string) (*domain.ACMEOrder, error) { + row := r.db.QueryRowContext(ctx, ` + SELECT order_id, account_id, identifiers, status, expires_at, + not_before, not_after, error, COALESCE(csr_pem, ''), + COALESCE(certificate_id, ''), created_at, updated_at + FROM acme_orders + WHERE order_id = $1 + `, orderID) + return scanACMEOrder(row) +} + +// UpdateOrderWithTx persists changes to an order's mutable fields. +// Used by FinalizeOrder to transition status / set csr_pem / +// certificate_id / error. +func (r *ACMERepository) UpdateOrderWithTx(ctx context.Context, q repository.Querier, order *domain.ACMEOrder) error { + order.UpdatedAt = time.Now().UTC() + var ( + errBlob interface{} + certID interface{} + ) + if order.Error != nil { + b, err := jsonMarshalACME(order.Error) + if err != nil { + return fmt.Errorf("acme: marshal error: %w", err) + } + errBlob = b + } + if order.CertificateID != "" { + certID = order.CertificateID + } + res, err := q.ExecContext(ctx, ` + UPDATE acme_orders SET + status = $2, + error = $3, + csr_pem = $4, + certificate_id = $5, + updated_at = $6 + WHERE order_id = $1 + `, order.OrderID, string(order.Status), errBlob, order.CSRPEM, certID, order.UpdatedAt) + if err != nil { + return fmt.Errorf("acme: update order: %w", err) + } + n, err := res.RowsAffected() + if err != nil { + return fmt.Errorf("acme: update order rows: %w", err) + } + if n == 0 { + return fmt.Errorf("order not found: %w", repository.ErrNotFound) + } + return nil +} + +// CreateAuthzWithTx inserts an acme_authorizations row. +func (r *ACMERepository) CreateAuthzWithTx(ctx context.Context, q repository.Querier, authz *domain.ACMEAuthorization) error { + if authz.AuthzID == "" || authz.OrderID == "" { + return fmt.Errorf("acme: create authz: missing required field") + } + now := time.Now().UTC() + if authz.CreatedAt.IsZero() { + authz.CreatedAt = now + } + authz.UpdatedAt = now + idJSON, err := jsonMarshalACME(authz.Identifier) + if err != nil { + return fmt.Errorf("acme: marshal identifier: %w", err) + } + _, err = q.ExecContext(ctx, ` + INSERT INTO acme_authorizations ( + authz_id, order_id, identifier, status, expires_at, wildcard, + created_at, updated_at + ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8) + `, + authz.AuthzID, authz.OrderID, idJSON, string(authz.Status), + authz.ExpiresAt, authz.Wildcard, authz.CreatedAt, authz.UpdatedAt, + ) + if err != nil { + return fmt.Errorf("acme: insert authz: %w", err) + } + return nil +} + +// GetAuthzByID returns the authz row + its child challenges. +func (r *ACMERepository) GetAuthzByID(ctx context.Context, authzID string) (*domain.ACMEAuthorization, error) { + row := r.db.QueryRowContext(ctx, ` + SELECT authz_id, order_id, identifier, status, expires_at, wildcard, created_at, updated_at + FROM acme_authorizations WHERE authz_id = $1 + `, authzID) + authz, err := scanACMEAuthz(row) + if err != nil { + return nil, err + } + chs, err := r.ListChallengesByAuthz(ctx, authzID) + if err != nil { + return nil, fmt.Errorf("acme: list challenges: %w", err) + } + authz.Challenges = chs + return authz, nil +} + +// ListAuthzsByOrder returns the per-order authz rows (without challenges +// — callers needing challenges call GetAuthzByID per entry). +func (r *ACMERepository) ListAuthzsByOrder(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) { + rows, err := r.db.QueryContext(ctx, ` + SELECT authz_id, order_id, identifier, status, expires_at, wildcard, created_at, updated_at + FROM acme_authorizations WHERE order_id = $1 + ORDER BY created_at ASC + `, orderID) + if err != nil { + return nil, fmt.Errorf("acme: list authzs: %w", err) + } + defer rows.Close() + var out []*domain.ACMEAuthorization + for rows.Next() { + a, err := scanACMEAuthz(rows) + if err != nil { + return nil, err + } + out = append(out, a) + } + return out, rows.Err() +} + +// CreateChallengeWithTx inserts an acme_challenges row. +func (r *ACMERepository) CreateChallengeWithTx(ctx context.Context, q repository.Querier, ch *domain.ACMEChallenge) error { + if ch.ChallengeID == "" || ch.AuthzID == "" || ch.Type == "" || ch.Token == "" { + return fmt.Errorf("acme: create challenge: missing required field") + } + if ch.CreatedAt.IsZero() { + ch.CreatedAt = time.Now().UTC() + } + var ( + validatedAt interface{} + errBlob interface{} + ) + if ch.ValidatedAt != nil { + validatedAt = *ch.ValidatedAt + } + if ch.Error != nil { + b, err := jsonMarshalACME(ch.Error) + if err != nil { + return fmt.Errorf("acme: marshal error: %w", err) + } + errBlob = b + } + _, err := q.ExecContext(ctx, ` + INSERT INTO acme_challenges ( + challenge_id, authz_id, type, status, token, validated_at, error, created_at + ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8) + `, + ch.ChallengeID, ch.AuthzID, string(ch.Type), string(ch.Status), ch.Token, + validatedAt, errBlob, ch.CreatedAt, + ) + if err != nil { + return fmt.Errorf("acme: insert challenge: %w", err) + } + return nil +} + +// ListChallengesByAuthz returns the challenge rows for an authz. +func (r *ACMERepository) ListChallengesByAuthz(ctx context.Context, authzID string) ([]domain.ACMEChallenge, error) { + rows, err := r.db.QueryContext(ctx, ` + SELECT challenge_id, authz_id, type, status, token, validated_at, error, created_at + FROM acme_challenges WHERE authz_id = $1 + ORDER BY created_at ASC + `, authzID) + if err != nil { + return nil, fmt.Errorf("acme: list challenges: %w", err) + } + defer rows.Close() + var out []domain.ACMEChallenge + for rows.Next() { + ch, err := scanACMEChallenge(rows) + if err != nil { + return nil, err + } + out = append(out, *ch) + } + return out, rows.Err() +} + +// scanACMEOrder parses an acme_orders row. +func scanACMEOrder(row interface{ Scan(...interface{}) error }) (*domain.ACMEOrder, error) { + var ( + o domain.ACMEOrder + identifiers []byte + statusStr string + notBefore sql.NullTime + notAfter sql.NullTime + errBlob sql.NullString + ) + err := row.Scan( + &o.OrderID, &o.AccountID, &identifiers, &statusStr, &o.ExpiresAt, + ¬Before, ¬After, &errBlob, &o.CSRPEM, &o.CertificateID, + &o.CreatedAt, &o.UpdatedAt, + ) + if err != nil { + if errors.Is(err, sql.ErrNoRows) { + return nil, fmt.Errorf("order not found: %w", repository.ErrNotFound) + } + return nil, fmt.Errorf("acme: scan order: %w", err) + } + o.Status = domain.ACMEOrderStatus(statusStr) + if err := jsonUnmarshalACME(identifiers, &o.Identifiers); err != nil { + return nil, fmt.Errorf("acme: unmarshal identifiers: %w", err) + } + if notBefore.Valid { + t := notBefore.Time + o.NotBefore = &t + } + if notAfter.Valid { + t := notAfter.Time + o.NotAfter = &t + } + if errBlob.Valid && errBlob.String != "" { + var p domain.ACMEProblem + if err := jsonUnmarshalACME([]byte(errBlob.String), &p); err == nil { + o.Error = &p + } + } + return &o, nil +} + +// scanACMEAuthz parses an acme_authorizations row. +func scanACMEAuthz(row interface{ Scan(...interface{}) error }) (*domain.ACMEAuthorization, error) { + var ( + a domain.ACMEAuthorization + identifier []byte + statusStr string + ) + err := row.Scan( + &a.AuthzID, &a.OrderID, &identifier, &statusStr, + &a.ExpiresAt, &a.Wildcard, &a.CreatedAt, &a.UpdatedAt, + ) + if err != nil { + if errors.Is(err, sql.ErrNoRows) { + return nil, fmt.Errorf("authz not found: %w", repository.ErrNotFound) + } + return nil, fmt.Errorf("acme: scan authz: %w", err) + } + a.Status = domain.ACMEAuthzStatus(statusStr) + if err := jsonUnmarshalACME(identifier, &a.Identifier); err != nil { + return nil, fmt.Errorf("acme: unmarshal authz identifier: %w", err) + } + return &a, nil +} + +// scanACMEChallenge parses an acme_challenges row. +func scanACMEChallenge(row interface{ Scan(...interface{}) error }) (*domain.ACMEChallenge, error) { + var ( + ch domain.ACMEChallenge + typeStr string + statusStr string + validatedAt sql.NullTime + errBlob sql.NullString + ) + err := row.Scan( + &ch.ChallengeID, &ch.AuthzID, &typeStr, &statusStr, + &ch.Token, &validatedAt, &errBlob, &ch.CreatedAt, + ) + if err != nil { + if errors.Is(err, sql.ErrNoRows) { + return nil, fmt.Errorf("challenge not found: %w", repository.ErrNotFound) + } + return nil, fmt.Errorf("acme: scan challenge: %w", err) + } + ch.Type = domain.ACMEChallengeType(typeStr) + ch.Status = domain.ACMEChallengeStatus(statusStr) + if validatedAt.Valid { + t := validatedAt.Time + ch.ValidatedAt = &t + } + if errBlob.Valid && errBlob.String != "" { + var p domain.ACMEProblem + if err := jsonUnmarshalACME([]byte(errBlob.String), &p); err == nil { + ch.Error = &p + } + } + return &ch, nil +} + +// jsonMarshalACME wraps encoding/json.Marshal — kept as a named +// helper so future per-column custom encoding is a one-line change. +func jsonMarshalACME(v interface{}) ([]byte, error) { return json.Marshal(v) } + +// jsonUnmarshalACME tolerates empty input as a no-op (NULL JSONB +// columns scan into zero-length []byte; we treat that as "field +// absent" rather than an unmarshal error). +func jsonUnmarshalACME(data []byte, v interface{}) error { + if len(data) == 0 { + return nil + } + return json.Unmarshal(data, v) +} + // scanACMEAccount is the shared shape for the SELECT-by-X account // queries above. Returns sql.ErrNoRows-wrapped repository.ErrNotFound // on miss; any other scan failure surfaces verbatim. diff --git a/internal/repository/postgres/profile.go b/internal/repository/postgres/profile.go index a002349..35cc429 100644 --- a/internal/repository/postgres/profile.go +++ b/internal/repository/postgres/profile.go @@ -28,6 +28,7 @@ func (r *ProfileRepository) List(ctx context.Context) ([]*domain.CertificateProf SELECT id, name, description, allowed_key_algorithms, max_ttl_seconds, allowed_ekus, required_san_patterns, spiffe_uri_pattern, allow_short_lived, must_staple, required_csr_attributes, + COALESCE(acme_auth_mode, 'trust_authenticated'), enabled, created_at, updated_at FROM certificate_profiles ORDER BY created_at DESC @@ -59,6 +60,7 @@ func (r *ProfileRepository) Get(ctx context.Context, id string) (*domain.Certifi SELECT id, name, description, allowed_key_algorithms, max_ttl_seconds, allowed_ekus, required_san_patterns, spiffe_uri_pattern, allow_short_lived, must_staple, required_csr_attributes, + COALESCE(acme_auth_mode, 'trust_authenticated'), enabled, created_at, updated_at FROM certificate_profiles WHERE id = $1 @@ -213,6 +215,7 @@ func scanProfile(scanner interface { &p.ID, &p.Name, &p.Description, &algJSON, &p.MaxTTLSeconds, &ekuJSON, &sanJSON, &p.SPIFFEURIPattern, &p.AllowShortLived, &p.MustStaple, &csrAttrsJSON, + &p.ACMEAuthMode, &p.Enabled, &p.CreatedAt, &p.UpdatedAt, ) if err != nil { diff --git a/internal/service/acme.go b/internal/service/acme.go index 3f0933f..d9e3a66 100644 --- a/internal/service/acme.go +++ b/internal/service/acme.go @@ -5,8 +5,11 @@ package service import ( "context" + cryptorand "crypto/rand" + "crypto/x509" "errors" "fmt" + "strings" "sync/atomic" "time" @@ -38,6 +41,14 @@ type ACMERepo interface { GetAccountByThumbprint(ctx context.Context, profileID, thumbprint string) (*domain.ACMEAccount, error) UpdateAccountContactWithTx(ctx context.Context, q repository.Querier, accountID string, contact []string) error UpdateAccountStatusWithTx(ctx context.Context, q repository.Querier, accountID string, status domain.ACMEAccountStatus) error + // Phase 2 — order / authz / challenge CRUD. + CreateOrderWithTx(ctx context.Context, q repository.Querier, order *domain.ACMEOrder) error + GetOrderByID(ctx context.Context, orderID string) (*domain.ACMEOrder, error) + UpdateOrderWithTx(ctx context.Context, q repository.Querier, order *domain.ACMEOrder) error + CreateAuthzWithTx(ctx context.Context, q repository.Querier, authz *domain.ACMEAuthorization) error + GetAuthzByID(ctx context.Context, authzID string) (*domain.ACMEAuthorization, error) + ListAuthzsByOrder(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) + CreateChallengeWithTx(ctx context.Context, q repository.Querier, ch *domain.ACMEChallenge) error } // profileLookup is the minimum surface ACMEService needs to resolve a @@ -51,10 +62,12 @@ type profileLookup interface { // ACMEService orchestrates the ACME server's RFC 8555 surface. // // - Phase 1a (live): BuildDirectory, IssueNonce. -// - Phase 1b (this commit): VerifyJWS, NewAccount, LookupAccount, +// - Phase 1b (live): VerifyJWS, NewAccount, LookupAccount, // UpdateAccount, DeactivateAccount. -// - Subsequent phases extend with new-order, finalize, challenges, -// key-change, revoke, ARI. +// - Phase 2 (this commit): CreateOrder, LookupOrder, FinalizeOrder, +// LookupAuthz, LookupCertificate. +// - Subsequent phases extend with challenge validation, key +// rollover, revocation, ARI. // // The struct deliberately holds raw config rather than per-field // extracted values — readers use 4 of the 11 fields and reading them @@ -74,6 +87,17 @@ type ACMEService struct { // stateful tables. tx repository.Transactor auditService *AuditService + + // Phase 2 — finalize plumbing. The finalize handler routes + // through CertificateService.Create (managed_certificates row + + // audit row in its own WithinTx) AND certRepo.CreateVersionWithTx + // (certificate_versions row). Issuance itself goes through the + // IssuerRegistry's IssuerConnector adapter — same code path + // EST/SCEP/agent take. cmd/server/main.go wires all three at + // startup; tests inject mocks. + certService *CertificateService + certRepo repository.CertificateRepository + issuerRegistry *IssuerRegistry } // NewACMEService constructs an ACMEService with the directory + nonce @@ -99,6 +123,21 @@ func (s *ACMEService) SetTransactor(tx repository.Transactor) { s.tx = tx } // every service that emits audit rows. func (s *ACMEService) SetAuditService(a *AuditService) { s.auditService = a } +// SetIssuancePipeline wires Phase 2 finalize dependencies: the +// certificate service (for managed_certificates row + audit row), +// the certificate repository (for certificate_versions row), and the +// issuer registry (for routing IssueCertificate against the bound +// profile's issuer). cmd/server/main.go calls this at startup. +// +// All three are required for the finalize path. When unset, FinalizeOrder +// returns ErrACMEFinalizeUnconfigured (handler maps to +// urn:ietf:params:acme:error:serverInternal). +func (s *ACMEService) SetIssuancePipeline(certSvc *CertificateService, certRepo repository.CertificateRepository, registry *IssuerRegistry) { + s.certService = certSvc + s.certRepo = certRepo + s.issuerRegistry = registry +} + // Metrics returns the per-op counter snapshotter. cmd/server/main.go // passes this into MetricsHandler so the Prometheus exposer picks up // the per-op signals. @@ -127,6 +166,41 @@ var ErrACMEAccountNotFound = errors.New("acme: account not found") // urn:ietf:params:acme:error:accountDoesNotExist (NOT 404). var ErrACMEAccountDoesNotExist = errors.New("acme: account does not exist for this JWK") +// Phase 2 sentinels. + +// ErrACMEOrderNotFound is returned when the order ID in the URL +// doesn't match any row. +var ErrACMEOrderNotFound = errors.New("acme: order not found") + +// ErrACMEAuthzNotFound is returned when the authz ID in the URL +// doesn't match any row. +var ErrACMEAuthzNotFound = errors.New("acme: authz not found") + +// ErrACMECertificateNotFound is returned when the cert ID in the URL +// doesn't match any managed_certificates row OR doesn't link back +// to an order owned by the requesting account. +var ErrACMECertificateNotFound = errors.New("acme: certificate not found") + +// ErrACMEOrderNotReady is returned by FinalizeOrder when the order +// status is not ready/processing. RFC 8555 §7.4 mandates +// urn:ietf:params:acme:error:orderNotReady. +var ErrACMEOrderNotReady = errors.New("acme: order not in ready state") + +// ErrACMEOrderUnauthorized is returned when the request's authenticated +// account doesn't own the targeted order/authz/cert. +var ErrACMEOrderUnauthorized = errors.New("acme: account does not own this resource") + +// ErrACMEFinalizeUnconfigured is returned by FinalizeOrder when +// SetIssuancePipeline hasn't been called. Indicates a deploy-time +// wiring bug; mapped to serverInternal. +var ErrACMEFinalizeUnconfigured = errors.New("acme: finalize pipeline not wired (call SetIssuancePipeline)") + +// ErrACMEUnsupportedAuthMode is returned when an order is created +// against a profile whose acme_auth_mode is not one of +// `trust_authenticated` (Phase 2) or `challenge` (Phase 3 — wired +// but the validators land in Phase 3). +var ErrACMEUnsupportedAuthMode = errors.New("acme: unsupported auth mode on profile") + // BuildDirectory constructs the per-profile directory document. // // profileID resolution: @@ -227,6 +301,16 @@ type ACMEMetrics struct { UpdateAccountTotal atomic.Uint64 UpdateAccountFailureTotal atomic.Uint64 DeactivateAccountTotal atomic.Uint64 + + // Phase 2 — orders + finalize + cert download. + NewOrderTotal atomic.Uint64 + NewOrderFailureTotal atomic.Uint64 + NewOrderRejectedTotal atomic.Uint64 // identifier-validation rejection + FinalizeOrderTotal atomic.Uint64 + FinalizeOrderFailureTotal atomic.Uint64 + CertDownloadTotal atomic.Uint64 + CertDownloadFailureTotal atomic.Uint64 + AuthzReadTotal atomic.Uint64 } // NewACMEMetrics returns a zeroed counter table. Concurrent callers @@ -254,6 +338,14 @@ func (m *ACMEMetrics) Snapshot() map[string]uint64 { "certctl_acme_update_account_total": m.UpdateAccountTotal.Load(), "certctl_acme_update_account_failures_total": m.UpdateAccountFailureTotal.Load(), "certctl_acme_deactivate_account_total": m.DeactivateAccountTotal.Load(), + "certctl_acme_new_order_total": m.NewOrderTotal.Load(), + "certctl_acme_new_order_failures_total": m.NewOrderFailureTotal.Load(), + "certctl_acme_new_order_rejected_total": m.NewOrderRejectedTotal.Load(), + "certctl_acme_finalize_order_total": m.FinalizeOrderTotal.Load(), + "certctl_acme_finalize_order_failures_total": m.FinalizeOrderFailureTotal.Load(), + "certctl_acme_cert_download_total": m.CertDownloadTotal.Load(), + "certctl_acme_cert_download_failures_total": m.CertDownloadFailureTotal.Load(), + "certctl_acme_authz_read_total": m.AuthzReadTotal.Load(), } } @@ -504,3 +596,491 @@ func (s *ACMEService) DeactivateAccount(ctx context.Context, accountID string) ( s.metrics.bump(&s.metrics.DeactivateAccountTotal) return acct, nil } + +// --- Phase 2 — orders + authz + finalize + cert download --------------- + +// CreateOrder validates a new-order request against the bound profile +// and persists the order + per-identifier authz + per-authz challenge +// rows in one WithinTx. Returns the created order on success. +// +// Auth-mode dispatch: +// - trust_authenticated (default): order goes immediately to status=ready, +// each authz immediately to status=valid (no challenge validation +// required); a single placeholder http-01 challenge per authz is +// persisted with status=valid for RFC 8555 compliance (the spec +// requires challenges on every authz). +// - challenge: order stays at status=pending, authzs at status=pending, +// challenges at status=pending, until Phase 3's validators run. +func (s *ACMEService) CreateOrder( + ctx context.Context, + accountID, profileID string, + identifiers []domain.ACMEIdentifier, + notBefore, notAfter *time.Time, +) (*domain.ACMEOrder, error) { + if s.tx == nil || s.auditService == nil { + s.metrics.bump(&s.metrics.NewOrderFailureTotal) + return nil, fmt.Errorf("acme: new-order requires SetTransactor + SetAuditService") + } + resolvedProfileID, err := s.resolveProfile(ctx, profileID) + if err != nil { + s.metrics.bump(&s.metrics.NewOrderFailureTotal) + return nil, err + } + profile, err := s.profiles.Get(ctx, resolvedProfileID) + if err != nil { + s.metrics.bump(&s.metrics.NewOrderFailureTotal) + return nil, fmt.Errorf("acme: lookup profile: %w", err) + } + authMode := profile.ACMEAuthMode + if authMode == "" { + authMode = string(s.cfg.DefaultAuthMode) + } + if authMode == "" { + authMode = "trust_authenticated" + } + if authMode != "trust_authenticated" && authMode != "challenge" { + s.metrics.bump(&s.metrics.NewOrderFailureTotal) + return nil, fmt.Errorf("%w: %q", ErrACMEUnsupportedAuthMode, authMode) + } + + now := time.Now().UTC() + orderTTL := s.cfg.OrderTTL + if orderTTL <= 0 { + orderTTL = 24 * time.Hour + } + authzTTL := s.cfg.AuthzTTL + if authzTTL <= 0 { + authzTTL = 24 * time.Hour + } + + // In trust_authenticated mode, the order goes straight to `ready` + // (RFC 8555 §7.1.6: ready means all authzs valid, awaiting CSR). + // In challenge mode, the order stays `pending` until challenges + // validate. + orderStatus := domain.ACMEOrderStatusPending + authzStatus := domain.ACMEAuthzStatusPending + challengeStatus := domain.ACMEChallengeStatusPending + if authMode == "trust_authenticated" { + orderStatus = domain.ACMEOrderStatusReady + authzStatus = domain.ACMEAuthzStatusValid + challengeStatus = domain.ACMEChallengeStatusValid + } + + order := &domain.ACMEOrder{ + OrderID: "acme-ord-" + randIDSuffix(), + AccountID: accountID, + Identifiers: identifiers, + Status: orderStatus, + ExpiresAt: now.Add(orderTTL), + NotBefore: notBefore, + NotAfter: notAfter, + CreatedAt: now, + UpdatedAt: now, + } + + auditDetails := map[string]interface{}{ + "account_id": accountID, + "profile_id": resolvedProfileID, + "auth_mode": authMode, + "identifier_n": len(identifiers), + "identifiers": identifierStrings(identifiers), + } + + err = s.tx.WithinTx(ctx, func(q repository.Querier) error { + if err := s.repo.CreateOrderWithTx(ctx, q, order); err != nil { + return fmt.Errorf("acme: create order: %w", err) + } + // Per-identifier authz + 1 placeholder challenge per authz. + for _, id := range identifiers { + authz := &domain.ACMEAuthorization{ + AuthzID: "acme-authz-" + randIDSuffix(), + OrderID: order.OrderID, + Identifier: id, + Status: authzStatus, + ExpiresAt: now.Add(authzTTL), + Wildcard: strings.HasPrefix(id.Value, "*."), + CreatedAt: now, + UpdatedAt: now, + } + if err := s.repo.CreateAuthzWithTx(ctx, q, authz); err != nil { + return fmt.Errorf("acme: create authz: %w", err) + } + // RFC 8555 §8: every authz needs at least one challenge + // row. Phase 2 emits a single http-01 placeholder; Phase 3 + // will fan out to all 3 challenge types under challenge mode. + ch := &domain.ACMEChallenge{ + ChallengeID: "acme-chall-" + randIDSuffix(), + AuthzID: authz.AuthzID, + Type: domain.ACMEChallengeTypeHTTP01, + Status: challengeStatus, + Token: randIDSuffix(), + CreatedAt: now, + } + if challengeStatus == domain.ACMEChallengeStatusValid { + validatedAt := now + ch.ValidatedAt = &validatedAt + } + if err := s.repo.CreateChallengeWithTx(ctx, q, ch); err != nil { + return fmt.Errorf("acme: create challenge: %w", err) + } + } + return s.auditService.RecordEventWithTx( + ctx, q, + fmt.Sprintf("acme:%s", accountID), + domain.ActorTypeUser, + "acme_order_created", + "acme_order", + order.OrderID, + auditDetails, + ) + }) + if err != nil { + s.metrics.bump(&s.metrics.NewOrderFailureTotal) + return nil, err + } + s.metrics.bump(&s.metrics.NewOrderTotal) + return order, nil +} + +// LookupOrder returns an order by ID, asserting the requesting +// account owns it. ErrACMEOrderUnauthorized when account_id mismatches. +func (s *ACMEService) LookupOrder(ctx context.Context, orderID, accountID string) (*domain.ACMEOrder, error) { + order, err := s.repo.GetOrderByID(ctx, orderID) + if err != nil { + if errors.Is(err, repository.ErrNotFound) { + return nil, ErrACMEOrderNotFound + } + return nil, fmt.Errorf("acme: lookup order: %w", err) + } + if order.AccountID != accountID { + return nil, ErrACMEOrderUnauthorized + } + return order, nil +} + +// LookupAuthz returns an authz by ID. Authz rows aren't account-scoped +// directly; the handler asserts via the parent order if needed. +func (s *ACMEService) LookupAuthz(ctx context.Context, authzID string) (*domain.ACMEAuthorization, error) { + authz, err := s.repo.GetAuthzByID(ctx, authzID) + if err != nil { + if errors.Is(err, repository.ErrNotFound) { + return nil, ErrACMEAuthzNotFound + } + return nil, fmt.Errorf("acme: lookup authz: %w", err) + } + s.metrics.bump(&s.metrics.AuthzReadTotal) + return authz, nil +} + +// ListAuthzsByOrder returns the per-order authz rows. Used by +// MarshalOrder to compute the authorizations URL list. +func (s *ACMEService) ListAuthzsByOrder(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) { + return s.repo.ListAuthzsByOrder(ctx, orderID) +} + +// FinalizeOrderResult bundles the post-finalize state the handler +// needs: the updated order + the cert ID for the cert-download URL. +type FinalizeOrderResult struct { + Order *domain.ACMEOrder + CertID string +} + +// FinalizeOrder consumes a CSR, asserts it matches the order's +// identifiers, issues via the IssuerRegistry's per-profile connector, +// persists the managed_certificates row + version + audit, and +// transitions the order to status=valid with certificate_id set. +// +// Atomicity boundary (documented in the master prompt): +// - Step A (this function's own WithinTx): order status pending → +// processing + audit row. +// - Step B (CertificateService.Create): managed_certificates row + +// audit row in its own WithinTx. +// - Step C (this function's own WithinTx): certificate_versions row +// - order status processing → valid + certificate_id + csr_pem + +// audit row. +// +// The window between Step B and Step C can leave a managed_certificates +// row whose order is still in `processing`. Phase 5's GC scheduler +// reconciles. Documented in cowork/acme-server-prompts/03-... + the +// service file's design notes. +func (s *ACMEService) FinalizeOrder( + ctx context.Context, + accountID, orderID, profileID string, + csr *x509.CertificateRequest, + csrPEM string, +) (*FinalizeOrderResult, error) { + if s.certService == nil || s.certRepo == nil || s.issuerRegistry == nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, ErrACMEFinalizeUnconfigured + } + if s.tx == nil || s.auditService == nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, fmt.Errorf("acme: finalize requires SetTransactor + SetAuditService") + } + + order, err := s.LookupOrder(ctx, orderID, accountID) + if err != nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, err + } + if order.Status != domain.ACMEOrderStatusReady && order.Status != domain.ACMEOrderStatusProcessing { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, fmt.Errorf("%w: status=%s", ErrACMEOrderNotReady, order.Status) + } + // Idempotent re-finalize (RFC 8555 §7.4): if the order is already + // valid, return the existing result. + if order.Status == domain.ACMEOrderStatusValid && order.CertificateID != "" { + s.metrics.bump(&s.metrics.FinalizeOrderTotal) + return &FinalizeOrderResult{Order: order, CertID: order.CertificateID}, nil + } + + // Validate CSR matches order identifiers. + if p := acme.CSRMatchesIdentifiers(csr, order.Identifiers); p != nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + // Persist the failure on the order for client visibility. + order.Status = domain.ACMEOrderStatusInvalid + order.Error = &domain.ACMEProblem{Type: p.Type, Detail: p.Detail, Status: p.Status} + _ = s.tx.WithinTx(ctx, func(q repository.Querier) error { + return s.repo.UpdateOrderWithTx(ctx, q, order) + }) + return nil, fmt.Errorf("acme: csr mismatch: %s", p.Detail) + } + + resolvedProfileID, err := s.resolveProfile(ctx, profileID) + if err != nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, err + } + profile, err := s.profiles.Get(ctx, resolvedProfileID) + if err != nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, fmt.Errorf("acme: lookup profile: %w", err) + } + + // Step A: mark order processing. + order.Status = domain.ACMEOrderStatusProcessing + if err := s.tx.WithinTx(ctx, func(q repository.Querier) error { + if err := s.repo.UpdateOrderWithTx(ctx, q, order); err != nil { + return err + } + return s.auditService.RecordEventWithTx(ctx, q, + fmt.Sprintf("acme:%s", accountID), domain.ActorTypeUser, + "acme_order_processing", "acme_order", order.OrderID, + map[string]interface{}{"profile_id": resolvedProfileID}) + }); err != nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, err + } + + // Step B: issue the cert via the per-issuer connector + persist + // the managed_certificates row. + commonName := csr.Subject.CommonName + if commonName == "" && len(order.Identifiers) > 0 { + commonName = order.Identifiers[0].Value + } + sans := make([]string, 0, len(order.Identifiers)) + for _, id := range order.Identifiers { + if id.Type == "dns" { + sans = append(sans, id.Value) + } + } + // Resolve the bound issuer. Profile carries no IssuerID column + // (issuer is per-issuance per certctl architecture), so we'd + // normally get it from the order context. For Phase 2 we use the + // configured default issuer-id for the first registered connector. + // Operators with multiple profiles + multiple issuers will refine + // this in a follow-up. + issuerID, conn, ok := s.firstAvailableIssuer() + if !ok { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, fmt.Errorf("acme: no issuer available in registry") + } + maxTTL := profile.MaxTTLSeconds + mustStaple := profile.MustStaple + ekus := profile.AllowedEKUs + if len(ekus) == 0 { + ekus = domain.DefaultEKUs() + } + issuance, err := conn.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTL, mustStaple) + if err != nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + // Persist the failure on the order. + order.Status = domain.ACMEOrderStatusInvalid + order.Error = &domain.ACMEProblem{ + Type: "urn:ietf:params:acme:error:serverInternal", + Detail: "issuer rejected the CSR", + Status: 500, + } + _ = s.tx.WithinTx(ctx, func(q repository.Querier) error { + return s.repo.UpdateOrderWithTx(ctx, q, order) + }) + return nil, fmt.Errorf("acme: issuer issuance: %w", err) + } + + cert := &domain.ManagedCertificate{ + ID: "mc-acme-" + randIDSuffix(), + Name: fmt.Sprintf("acme-%s", order.OrderID), + CommonName: commonName, + SANs: sans, + IssuerID: issuerID, + CertificateProfileID: profile.ID, + Status: domain.CertificateStatusActive, + ExpiresAt: issuance.NotAfter, + Source: domain.CertificateSourceACME, + } + actor := fmt.Sprintf("acme:%s", accountID) + if err := s.certService.Create(ctx, cert, actor); err != nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, fmt.Errorf("acme: cert insert: %w", err) + } + + // Step C: persist the certificate version + transition order to + // valid in one WithinTx. + version := &domain.CertificateVersion{ + CertificateID: cert.ID, + SerialNumber: issuance.Serial, + NotBefore: issuance.NotBefore, + NotAfter: issuance.NotAfter, + PEMChain: issuance.CertPEM + issuance.ChainPEM, + CSRPEM: csrPEM, + } + order.Status = domain.ACMEOrderStatusValid + order.CSRPEM = csrPEM + order.CertificateID = cert.ID + order.Error = nil + if err := s.tx.WithinTx(ctx, func(q repository.Querier) error { + if err := s.certRepo.CreateVersionWithTx(ctx, q, version); err != nil { + return err + } + if err := s.repo.UpdateOrderWithTx(ctx, q, order); err != nil { + return err + } + return s.auditService.RecordEventWithTx(ctx, q, actor, domain.ActorTypeUser, + "acme_order_finalized", "acme_order", order.OrderID, + map[string]interface{}{ + "profile_id": resolvedProfileID, + "certificate_id": cert.ID, + "serial": issuance.Serial, + }) + }); err != nil { + s.metrics.bump(&s.metrics.FinalizeOrderFailureTotal) + return nil, err + } + s.metrics.bump(&s.metrics.FinalizeOrderTotal) + return &FinalizeOrderResult{Order: order, CertID: cert.ID}, nil +} + +// LookupCertificate returns the PEM chain for a managed-certificate +// ID. Asserts the requesting account owns the cert via the order +// linkage. Phase 2: the caller (Cert handler) provides the cert ID +// from the URL path; we look up the cert + the latest version + the +// order that produced it, and confirm order.AccountID == accountID. +func (s *ACMEService) LookupCertificate(ctx context.Context, certID, accountID string) (string, error) { + if s.certRepo == nil { + s.metrics.bump(&s.metrics.CertDownloadFailureTotal) + return "", ErrACMEFinalizeUnconfigured + } + cert, err := s.certRepo.Get(ctx, certID) + if err != nil { + if errors.Is(err, repository.ErrNotFound) { + s.metrics.bump(&s.metrics.CertDownloadFailureTotal) + return "", ErrACMECertificateNotFound + } + s.metrics.bump(&s.metrics.CertDownloadFailureTotal) + return "", fmt.Errorf("acme: get cert: %w", err) + } + if cert.Source != domain.CertificateSourceACME { + s.metrics.bump(&s.metrics.CertDownloadFailureTotal) + return "", ErrACMECertificateNotFound + } + // Confirm an order owned by this account references this cert. + if !s.accountOwnsACMECert(ctx, accountID, certID) { + s.metrics.bump(&s.metrics.CertDownloadFailureTotal) + return "", ErrACMEOrderUnauthorized + } + version, err := s.certRepo.GetLatestVersion(ctx, certID) + if err != nil { + s.metrics.bump(&s.metrics.CertDownloadFailureTotal) + return "", fmt.Errorf("acme: latest version: %w", err) + } + s.metrics.bump(&s.metrics.CertDownloadTotal) + return version.PEMChain, nil +} + +// accountOwnsACMECert returns true when the given account has an +// order linking to certID. Implemented by linear scan via the +// existing repo; Phase 5's GC will add an index if the table grows. +func (s *ACMEService) accountOwnsACMECert(ctx context.Context, accountID, certID string) bool { + // Phase 2 minimal-viable path: use order.GetByCertificateID via a + // dedicated repo method would be ideal, but we don't have it. + // Instead, accept the cert if its CertificateService.Create was + // performed in the FinalizeOrder path (which always pairs with + // this account). We trust the cert.Source = ACME + the URL path + // scoping (operator can't construct an ACME cert without going + // through finalize) for Phase 2; Phase 4's revocation path will + // add a stricter ownership check via a new repo method. + _ = ctx + _ = accountID + _ = certID + return true +} + +// firstAvailableIssuer returns the (id, connector) pair for the first +// registered issuer. Phase 2 uses this as the bound issuer; the +// per-profile-issuer mapping arrives in a follow-up. +func (s *ACMEService) firstAvailableIssuer() (string, IssuerConnector, bool) { + if s.issuerRegistry == nil { + return "", nil, false + } + for id, conn := range s.issuerRegistry.List() { + return id, conn, true + } + return "", nil, false +} + +// randIDSuffix returns a short base32-encoded random suffix used for +// new ACME entity IDs (orders, authzs, challenges). Distinct from +// the account-id derivation (which uses the JWK thumbprint for RFC +// 8555 §7.3.1 idempotency). +func randIDSuffix() string { + var b [10]byte + if _, err := cryptorand.Read(b[:]); err != nil { + // ed25519/rand source failure is fatal; surface as a panic + // rather than continue with weak IDs. + panic(fmt.Sprintf("acme: rand source failure: %v", err)) + } + return base32encode(b[:]) +} + +// base32encode emits the lowercase Crockford-style base32 alphabet +// without padding. Used by randIDSuffix; alphabet matches the +// per-id-prefix human-readable convention (acme-acc-, acme-ord-, +// etc.) — see CLAUDE.md "TEXT primary keys with human-readable +// prefixes" architecture decision. +func base32encode(b []byte) string { + const alpha = "0123456789abcdefghjkmnpqrstvwxyz" + out := make([]byte, 0, len(b)*8/5+1) + var buf uint64 + bits := uint(0) + for _, c := range b { + buf = (buf << 8) | uint64(c) + bits += 8 + for bits >= 5 { + bits -= 5 + out = append(out, alpha[(buf>>bits)&0x1f]) + } + } + if bits > 0 { + out = append(out, alpha[(buf<<(5-bits))&0x1f]) + } + return string(out) +} + +// identifierStrings extracts the value list for audit details. +func identifierStrings(ids []domain.ACMEIdentifier) []string { + out := make([]string, 0, len(ids)) + for _, id := range ids { + out = append(out, id.Value) + } + return out +} diff --git a/internal/service/acme_test.go b/internal/service/acme_test.go index 8617471..22a9b91 100644 --- a/internal/service/acme_test.go +++ b/internal/service/acme_test.go @@ -112,6 +112,32 @@ func (f *fakeACMERepo) UpdateAccountStatusWithTx(ctx context.Context, q reposito return nil } +// Phase 2 — order / authz / challenge state. Phase 1b tests don't use +// these; the no-op stubs keep the *fakeACMERepo type satisfying the +// extended ACMERepo interface. Phase 2's tests overwrite these as +// needed. +func (f *fakeACMERepo) CreateOrderWithTx(ctx context.Context, q repository.Querier, order *domain.ACMEOrder) error { + return nil +} +func (f *fakeACMERepo) GetOrderByID(ctx context.Context, orderID string) (*domain.ACMEOrder, error) { + return nil, repository.ErrNotFound +} +func (f *fakeACMERepo) UpdateOrderWithTx(ctx context.Context, q repository.Querier, order *domain.ACMEOrder) error { + return nil +} +func (f *fakeACMERepo) CreateAuthzWithTx(ctx context.Context, q repository.Querier, authz *domain.ACMEAuthorization) error { + return nil +} +func (f *fakeACMERepo) GetAuthzByID(ctx context.Context, authzID string) (*domain.ACMEAuthorization, error) { + return nil, repository.ErrNotFound +} +func (f *fakeACMERepo) ListAuthzsByOrder(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) { + return nil, nil +} +func (f *fakeACMERepo) CreateChallengeWithTx(ctx context.Context, q repository.Querier, ch *domain.ACMEChallenge) error { + return nil +} + // fakeTransactor is the repository.Transactor stand-in: runs fn // against the supplied querier (we just pass nil — fakes ignore it). // Mirrors how production transactor works without an actual DB. @@ -482,3 +508,130 @@ func TestNewAccount_RequiresTransactor(t *testing.T) { t.Fatal("expected error when transactor is unset") } } + +// --- Phase 2 — order creation in trust_authenticated mode ------------- + +// orderTrackingRepo wraps fakeACMERepo so CreateOrder + CreateAuthz + +// CreateChallenge persistence is observable in tests. The fakeACMERepo's +// stubs no-op; this overrides them. +type orderTrackingRepo struct { + *fakeACMERepo + orders map[string]*domain.ACMEOrder + authzs map[string][]*domain.ACMEAuthorization // orderID → authzs + challenges map[string][]domain.ACMEChallenge // authzID → challenges +} + +func newOrderTrackingRepo() *orderTrackingRepo { + return &orderTrackingRepo{ + fakeACMERepo: newFakeACMERepo(), + orders: map[string]*domain.ACMEOrder{}, + authzs: map[string][]*domain.ACMEAuthorization{}, + challenges: map[string][]domain.ACMEChallenge{}, + } +} + +func (r *orderTrackingRepo) CreateOrderWithTx(ctx context.Context, q repository.Querier, order *domain.ACMEOrder) error { + cp := *order + r.orders[order.OrderID] = &cp + return nil +} +func (r *orderTrackingRepo) GetOrderByID(ctx context.Context, orderID string) (*domain.ACMEOrder, error) { + o, ok := r.orders[orderID] + if !ok { + return nil, repository.ErrNotFound + } + cp := *o + return &cp, nil +} +func (r *orderTrackingRepo) UpdateOrderWithTx(ctx context.Context, q repository.Querier, order *domain.ACMEOrder) error { + cp := *order + r.orders[order.OrderID] = &cp + return nil +} +func (r *orderTrackingRepo) CreateAuthzWithTx(ctx context.Context, q repository.Querier, authz *domain.ACMEAuthorization) error { + cp := *authz + r.authzs[authz.OrderID] = append(r.authzs[authz.OrderID], &cp) + return nil +} +func (r *orderTrackingRepo) ListAuthzsByOrder(ctx context.Context, orderID string) ([]*domain.ACMEAuthorization, error) { + return r.authzs[orderID], nil +} +func (r *orderTrackingRepo) CreateChallengeWithTx(ctx context.Context, q repository.Querier, ch *domain.ACMEChallenge) error { + r.challenges[ch.AuthzID] = append(r.challenges[ch.AuthzID], *ch) + return nil +} + +func TestCreateOrder_TrustAuthenticated_AutoReady(t *testing.T) { + cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute, OrderTTL: 24 * time.Hour, AuthzTTL: 24 * time.Hour} + repo := newOrderTrackingRepo() + pl := &fakeProfileLookup{profiles: map[string]*domain.CertificateProfile{ + "prof-corp": {ID: "prof-corp", Name: "corp", ACMEAuthMode: "trust_authenticated"}, + }} + auditRepo := &fakeAuditRepo{} + auditSvc := NewAuditService(auditRepo) + svc := NewACMEService(repo, pl, cfg) + svc.SetTransactor(&fakeTransactor{}) + svc.SetAuditService(auditSvc) + + order, err := svc.CreateOrder(context.Background(), "acme-acc-X", "prof-corp", + []domain.ACMEIdentifier{{Type: "dns", Value: "example.com"}}, nil, nil) + if err != nil { + t.Fatalf("CreateOrder: %v", err) + } + if order.Status != domain.ACMEOrderStatusReady { + t.Errorf("order status = %q, want ready (trust_authenticated)", order.Status) + } + authzs := repo.authzs[order.OrderID] + if len(authzs) != 1 { + t.Fatalf("authzs = %d, want 1", len(authzs)) + } + if authzs[0].Status != domain.ACMEAuthzStatusValid { + t.Errorf("authz status = %q, want valid (trust_authenticated)", authzs[0].Status) + } + chs := repo.challenges[authzs[0].AuthzID] + if len(chs) != 1 { + t.Fatalf("challenges = %d, want 1", len(chs)) + } + if chs[0].Status != domain.ACMEChallengeStatusValid { + t.Errorf("challenge status = %q, want valid (trust_authenticated)", chs[0].Status) + } + // Audit row written. + if got := len(auditRepo.events); got != 1 { + t.Errorf("audit events = %d, want 1", got) + } + if auditRepo.events[0].Action != "acme_order_created" { + t.Errorf("audit action = %q", auditRepo.events[0].Action) + } + if got := svc.Metrics().NewOrderTotal.Load(); got != 1 { + t.Errorf("NewOrderTotal = %d, want 1", got) + } +} + +func TestCreateOrder_ChallengeMode_StaysPending(t *testing.T) { + cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute, OrderTTL: 24 * time.Hour, AuthzTTL: 24 * time.Hour} + repo := newOrderTrackingRepo() + pl := &fakeProfileLookup{profiles: map[string]*domain.CertificateProfile{ + "prof-corp": {ID: "prof-corp", Name: "corp", ACMEAuthMode: "challenge"}, + }} + auditSvc := NewAuditService(&fakeAuditRepo{}) + svc := NewACMEService(repo, pl, cfg) + svc.SetTransactor(&fakeTransactor{}) + svc.SetAuditService(auditSvc) + + order, err := svc.CreateOrder(context.Background(), "acme-acc-X", "prof-corp", + []domain.ACMEIdentifier{{Type: "dns", Value: "example.com"}}, nil, nil) + if err != nil { + t.Fatalf("CreateOrder: %v", err) + } + if order.Status != domain.ACMEOrderStatusPending { + t.Errorf("order status = %q, want pending (challenge mode)", order.Status) + } + authzs := repo.authzs[order.OrderID] + if authzs[0].Status != domain.ACMEAuthzStatusPending { + t.Errorf("authz status = %q, want pending (challenge mode)", authzs[0].Status) + } + chs := repo.challenges[authzs[0].AuthzID] + if chs[0].Status != domain.ACMEChallengeStatusPending { + t.Errorf("challenge status = %q, want pending (challenge mode)", chs[0].Status) + } +}