feat: add EST server (RFC 7030) for device certificate enrollment (M23)

Implement Enrollment over Secure Transport protocol with 4 endpoints under
/.well-known/est/ — cacerts (CA chain distribution), simpleenroll (initial
enrollment), simplereenroll (certificate renewal), and csrattrs (CSR
attributes). PKCS#7 certs-only wire format with hand-rolled ASN.1, accepts
both PEM and base64-encoded DER CSRs, configurable issuer and profile
binding, full audit trail. 28 new tests (18 handler + 10 service).

Also includes:
- GetCACertPEM added to issuer connector interface (all 4 issuers updated)
- EST integration tests wired into e2e test suite (13 test cases)
- QA testing guide Part 26 (15 manual EST test cases)
- All docs updated: README, features, architecture, concepts, connectors,
  quickstart, demo-advanced (endpoint counts, MCP wording, agent IDs,
  issuer interface, resource lists, OpenSSL status)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/api/handler/est.go

@@ -0,0 +1,404 @@
+package handler
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// ESTService defines the service interface for EST enrollment operations.
+// EST (RFC 7030) is a protocol for certificate enrollment over HTTPS.
+type ESTService interface {
+	// GetCACerts returns the PEM-encoded CA certificate chain for the EST issuer.
+	GetCACerts(ctx context.Context) (string, error)
+
+	// SimpleEnroll processes a PKCS#10 CSR and returns a signed certificate.
+	SimpleEnroll(ctx context.Context, csrPEM string) (*domain.ESTEnrollResult, error)
+
+	// SimpleReEnroll processes a re-enrollment CSR (same as enroll for our purposes).
+	SimpleReEnroll(ctx context.Context, csrPEM string) (*domain.ESTEnrollResult, error)
+
+	// GetCSRAttrs returns the CSR attributes the server wants clients to include.
+	GetCSRAttrs(ctx context.Context) ([]byte, error)
+}
+
+// ESTHandler handles HTTP requests for the EST protocol (RFC 7030).
+//
+// EST endpoints are served under /.well-known/est/ per the RFC.
+// Wire format: base64-encoded DER (PKCS#7 for certs, PKCS#10 for CSRs).
+//
+// Supported operations:
+//   - GET  /.well-known/est/cacerts       — CA certificate distribution
+//   - POST /.well-known/est/simpleenroll  — initial enrollment
+//   - POST /.well-known/est/simplereenroll — re-enrollment
+//   - GET  /.well-known/est/csrattrs      — CSR attributes
+type ESTHandler struct {
+	svc ESTService
+}
+
+// NewESTHandler creates a new ESTHandler.
+func NewESTHandler(svc ESTService) ESTHandler {
+	return ESTHandler{svc: svc}
+}
+
+// CACerts handles GET /.well-known/est/cacerts
+// Returns the CA certificate chain as base64-encoded PKCS#7 (certs-only).
+// Per RFC 7030 Section 4.1, this is a "certs-only" CMC Simple PKI Response.
+// For simplicity and broad client compatibility, we return base64-encoded DER certificates.
+func (h ESTHandler) CACerts(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	caCertPEM, err := h.svc.GetCACerts(r.Context())
+	if err != nil {
+		requestID := middleware.GetRequestID(r.Context())
+		ErrorWithRequestID(w, http.StatusInternalServerError, fmt.Sprintf("Failed to get CA certificates: %v", err), requestID)
+		return
+	}
+
+	// Parse PEM to DER for PKCS#7 encoding
+	derCerts, err := pemToDERChain(caCertPEM)
+	if err != nil {
+		requestID := middleware.GetRequestID(r.Context())
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to encode CA certificates", requestID)
+		return
+	}
+
+	// Build a simple PKCS#7 SignedData (certs-only, degenerate) structure
+	pkcs7Data, err := buildCertsOnlyPKCS7(derCerts)
+	if err != nil {
+		requestID := middleware.GetRequestID(r.Context())
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to build PKCS#7 response", requestID)
+		return
+	}
+
+	// RFC 7030 Section 4.1.3: response is base64-encoded application/pkcs7-mime
+	w.Header().Set("Content-Type", "application/pkcs7-mime; smime-type=certs-only")
+	w.Header().Set("Content-Transfer-Encoding", "base64")
+	w.WriteHeader(http.StatusOK)
+	encoded := base64.StdEncoding.EncodeToString(pkcs7Data)
+	// Write base64 with line breaks at 76 chars per RFC 2045
+	for i := 0; i < len(encoded); i += 76 {
+		end := i + 76
+		if end > len(encoded) {
+			end = len(encoded)
+		}
+		w.Write([]byte(encoded[i:end]))
+		w.Write([]byte("\r\n"))
+	}
+}
+
+// SimpleEnroll handles POST /.well-known/est/simpleenroll
+// Accepts a base64-encoded PKCS#10 CSR and returns a base64-encoded PKCS#7 certificate.
+func (h ESTHandler) SimpleEnroll(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	csrPEM, err := h.readCSRFromRequest(r)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("Invalid CSR: %v", err), requestID)
+		return
+	}
+
+	result, err := h.svc.SimpleEnroll(r.Context(), csrPEM)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusInternalServerError, fmt.Sprintf("Enrollment failed: %v", err), requestID)
+		return
+	}
+
+	h.writeCertResponse(w, result)
+}
+
+// SimpleReEnroll handles POST /.well-known/est/simplereenroll
+// Same as SimpleEnroll but for re-enrollment (certificate renewal).
+func (h ESTHandler) SimpleReEnroll(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	csrPEM, err := h.readCSRFromRequest(r)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("Invalid CSR: %v", err), requestID)
+		return
+	}
+
+	result, err := h.svc.SimpleReEnroll(r.Context(), csrPEM)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusInternalServerError, fmt.Sprintf("Re-enrollment failed: %v", err), requestID)
+		return
+	}
+
+	h.writeCertResponse(w, result)
+}
+
+// CSRAttrs handles GET /.well-known/est/csrattrs
+// Returns the CSR attributes the server wants the client to include in enrollment requests.
+func (h ESTHandler) CSRAttrs(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	attrs, err := h.svc.GetCSRAttrs(r.Context())
+	if err != nil {
+		requestID := middleware.GetRequestID(r.Context())
+		ErrorWithRequestID(w, http.StatusInternalServerError, fmt.Sprintf("Failed to get CSR attributes: %v", err), requestID)
+		return
+	}
+
+	if len(attrs) == 0 {
+		// No specific attributes required — return 204
+		w.WriteHeader(http.StatusNoContent)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/csrattrs")
+	w.Header().Set("Content-Transfer-Encoding", "base64")
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte(base64.StdEncoding.EncodeToString(attrs)))
+}
+
+// readCSRFromRequest reads and decodes the CSR from an EST enrollment request.
+// EST sends CSRs as base64-encoded PKCS#10 DER with Content-Type application/pkcs10.
+func (h ESTHandler) readCSRFromRequest(r *http.Request) (string, error) {
+	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1MB limit
+	if err != nil {
+		return "", fmt.Errorf("failed to read request body: %w", err)
+	}
+	defer r.Body.Close()
+
+	if len(body) == 0 {
+		return "", fmt.Errorf("empty request body")
+	}
+
+	// Check if it's already PEM-encoded (some clients send PEM directly)
+	bodyStr := strings.TrimSpace(string(body))
+	if strings.HasPrefix(bodyStr, "-----BEGIN CERTIFICATE REQUEST-----") {
+		// Validate it parses
+		block, _ := pem.Decode([]byte(bodyStr))
+		if block == nil {
+			return "", fmt.Errorf("invalid PEM-encoded CSR")
+		}
+		if _, err := x509.ParseCertificateRequest(block.Bytes); err != nil {
+			return "", fmt.Errorf("invalid CSR: %w", err)
+		}
+		return bodyStr, nil
+	}
+
+	// EST standard: base64-encoded DER PKCS#10
+	derBytes, err := base64.StdEncoding.DecodeString(bodyStr)
+	if err != nil {
+		// Try with padding/whitespace stripped
+		cleaned := strings.Map(func(r rune) rune {
+			if r == '\r' || r == '\n' || r == ' ' || r == '\t' {
+				return -1
+			}
+			return r
+		}, bodyStr)
+		derBytes, err = base64.StdEncoding.DecodeString(cleaned)
+		if err != nil {
+			return "", fmt.Errorf("failed to decode base64 CSR: %w", err)
+		}
+	}
+
+	// Validate it's a valid PKCS#10 CSR
+	if _, err := x509.ParseCertificateRequest(derBytes); err != nil {
+		return "", fmt.Errorf("invalid PKCS#10 CSR: %w", err)
+	}
+
+	// Convert DER to PEM for internal use (certctl services expect PEM)
+	csrPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: derBytes,
+	})
+	return string(csrPEM), nil
+}
+
+// writeCertResponse writes an EST enrollment response as base64-encoded PKCS#7.
+func (h ESTHandler) writeCertResponse(w http.ResponseWriter, result *domain.ESTEnrollResult) {
+	// Parse cert and chain PEM to DER
+	var derCerts [][]byte
+
+	// Add the issued certificate
+	certDER, err := pemToDERChain(result.CertPEM)
+	if err != nil || len(certDER) == 0 {
+		http.Error(w, "Failed to encode certificate", http.StatusInternalServerError)
+		return
+	}
+	derCerts = append(derCerts, certDER...)
+
+	// Add the CA chain if present
+	if result.ChainPEM != "" {
+		chainDER, err := pemToDERChain(result.ChainPEM)
+		if err == nil {
+			derCerts = append(derCerts, chainDER...)
+		}
+	}
+
+	// Build PKCS#7 certs-only
+	pkcs7Data, err := buildCertsOnlyPKCS7(derCerts)
+	if err != nil {
+		http.Error(w, "Failed to build PKCS#7 response", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/pkcs7-mime; smime-type=certs-only")
+	w.Header().Set("Content-Transfer-Encoding", "base64")
+	w.WriteHeader(http.StatusOK)
+	encoded := base64.StdEncoding.EncodeToString(pkcs7Data)
+	for i := 0; i < len(encoded); i += 76 {
+		end := i + 76
+		if end > len(encoded) {
+			end = len(encoded)
+		}
+		w.Write([]byte(encoded[i:end]))
+		w.Write([]byte("\r\n"))
+	}
+}
+
+// pemToDERChain converts PEM-encoded certificates to a slice of DER-encoded certificates.
+func pemToDERChain(pemData string) ([][]byte, error) {
+	var derCerts [][]byte
+	rest := []byte(pemData)
+	for {
+		var block *pem.Block
+		block, rest = pem.Decode(rest)
+		if block == nil {
+			break
+		}
+		if block.Type == "CERTIFICATE" {
+			derCerts = append(derCerts, block.Bytes)
+		}
+	}
+	if len(derCerts) == 0 {
+		return nil, fmt.Errorf("no certificates found in PEM data")
+	}
+	return derCerts, nil
+}
+
+// buildCertsOnlyPKCS7 creates a degenerate PKCS#7 SignedData structure containing only certificates.
+// This is the "certs-only" format specified in RFC 7030 Section 4.1.3 for /cacerts responses
+// and enrollment responses.
+//
+// ASN.1 structure (simplified):
+//
+//	ContentInfo {
+//	  contentType: signedData (1.2.840.113549.1.7.2)
+//	  content: SignedData {
+//	    version: 1
+//	    digestAlgorithms: {} (empty)
+//	    encapContentInfo: { contentType: data (1.2.840.113549.1.7.1) }
+//	    certificates: [cert1, cert2, ...]
+//	    signerInfos: {} (empty)
+//	  }
+//	}
+func buildCertsOnlyPKCS7(derCerts [][]byte) ([]byte, error) {
+	// We build the ASN.1 manually to avoid pulling in a PKCS#7 library.
+	// This is a well-defined, static structure — no signing needed.
+
+	// OID for signedData: 1.2.840.113549.1.7.2
+	oidSignedData := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}
+	// OID for data: 1.2.840.113549.1.7.1
+	oidData := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}
+
+	// Build certificates [0] IMPLICIT SET OF Certificate
+	var certsContent []byte
+	for _, cert := range derCerts {
+		certsContent = append(certsContent, cert...)
+	}
+	certsField := asn1WrapImplicit(0, certsContent)
+
+	// Build encapContentInfo: SEQUENCE { OID data }
+	encapContentInfo := asn1WrapSequence(oidData)
+
+	// Build digestAlgorithms: SET {} (empty)
+	digestAlgorithms := asn1WrapSet(nil)
+
+	// Build signerInfos: SET {} (empty)
+	signerInfos := asn1WrapSet(nil)
+
+	// Version: INTEGER 1
+	version := []byte{0x02, 0x01, 0x01}
+
+	// Build SignedData SEQUENCE
+	var signedDataContent []byte
+	signedDataContent = append(signedDataContent, version...)
+	signedDataContent = append(signedDataContent, digestAlgorithms...)
+	signedDataContent = append(signedDataContent, encapContentInfo...)
+	signedDataContent = append(signedDataContent, certsField...)
+	signedDataContent = append(signedDataContent, signerInfos...)
+	signedData := asn1WrapSequence(signedDataContent)
+
+	// Wrap in [0] EXPLICIT for ContentInfo.content
+	contentField := asn1WrapExplicit(0, signedData)
+
+	// Build ContentInfo SEQUENCE
+	var contentInfoContent []byte
+	contentInfoContent = append(contentInfoContent, oidSignedData...)
+	contentInfoContent = append(contentInfoContent, contentField...)
+	contentInfo := asn1WrapSequence(contentInfoContent)
+
+	return contentInfo, nil
+}
+
+// asn1WrapSequence wraps content in an ASN.1 SEQUENCE tag (0x30).
+func asn1WrapSequence(content []byte) []byte {
+	return asn1Wrap(0x30, content)
+}
+
+// asn1WrapSet wraps content in an ASN.1 SET tag (0x31).
+func asn1WrapSet(content []byte) []byte {
+	return asn1Wrap(0x31, content)
+}
+
+// asn1WrapExplicit wraps content in an ASN.1 context-specific EXPLICIT tag.
+func asn1WrapExplicit(tag int, content []byte) []byte {
+	return asn1Wrap(byte(0xa0|tag), content)
+}
+
+// asn1WrapImplicit wraps content in an ASN.1 context-specific IMPLICIT CONSTRUCTED tag.
+func asn1WrapImplicit(tag int, content []byte) []byte {
+	return asn1Wrap(byte(0xa0|tag), content)
+}
+
+// asn1Wrap wraps content with an ASN.1 tag and length.
+func asn1Wrap(tag byte, content []byte) []byte {
+	length := len(content)
+	var result []byte
+	result = append(result, tag)
+	result = append(result, asn1EncodeLength(length)...)
+	result = append(result, content...)
+	return result
+}
+
+// asn1EncodeLength encodes a length in ASN.1 DER format.
+func asn1EncodeLength(length int) []byte {
+	if length < 0x80 {
+		return []byte{byte(length)}
+	}
+	// Long form
+	var lengthBytes []byte
+	l := length
+	for l > 0 {
+		lengthBytes = append([]byte{byte(l & 0xff)}, lengthBytes...)
+		l >>= 8
+	}
+	return append([]byte{byte(0x80 | len(lengthBytes))}, lengthBytes...)
+}

internal/api/handler/est_handler_test.go

@@ -0,0 +1,369 @@
+package handler
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// mockESTService implements ESTService for testing.
+type mockESTService struct {
+	CACertPEM    string
+	CACertErr    error
+	EnrollResult *domain.ESTEnrollResult
+	EnrollErr    error
+	CSRAttrs     []byte
+	CSRAttrsErr  error
+}
+
+func (m *mockESTService) GetCACerts(ctx context.Context) (string, error) {
+	return m.CACertPEM, m.CACertErr
+}
+
+func (m *mockESTService) SimpleEnroll(ctx context.Context, csrPEM string) (*domain.ESTEnrollResult, error) {
+	return m.EnrollResult, m.EnrollErr
+}
+
+func (m *mockESTService) SimpleReEnroll(ctx context.Context, csrPEM string) (*domain.ESTEnrollResult, error) {
+	return m.EnrollResult, m.EnrollErr
+}
+
+func (m *mockESTService) GetCSRAttrs(ctx context.Context) ([]byte, error) {
+	return m.CSRAttrs, m.CSRAttrsErr
+}
+
+// generateTestCSRPEM creates a valid ECDSA P-256 CSR for testing.
+func generateTestCSRPEM(t *testing.T) string {
+	t.Helper()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("failed to generate key: %v", err)
+	}
+	template := &x509.CertificateRequest{
+		Subject:  pkix.Name{CommonName: "test.example.com"},
+		DNSNames: []string{"test.example.com", "www.example.com"},
+	}
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, template, key)
+	if err != nil {
+		t.Fatalf("failed to create CSR: %v", err)
+	}
+	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}))
+}
+
+// generateTestCSRBase64DER creates a valid base64-encoded DER CSR for EST wire format.
+func generateTestCSRBase64DER(t *testing.T) string {
+	t.Helper()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("failed to generate key: %v", err)
+	}
+	template := &x509.CertificateRequest{
+		Subject:  pkix.Name{CommonName: "test.example.com"},
+		DNSNames: []string{"test.example.com"},
+	}
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, template, key)
+	if err != nil {
+		t.Fatalf("failed to create CSR: %v", err)
+	}
+	return base64.StdEncoding.EncodeToString(csrDER)
+}
+
+func TestESTCACerts_Success(t *testing.T) {
+	svc := &mockESTService{
+		CACertPEM: "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIRATest\n-----END CERTIFICATE-----\n",
+	}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/est/cacerts", nil)
+	w := httptest.NewRecorder()
+	h.CACerts(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	ct := w.Header().Get("Content-Type")
+	if !strings.Contains(ct, "application/pkcs7-mime") {
+		t.Errorf("expected application/pkcs7-mime content type, got %s", ct)
+	}
+	cte := w.Header().Get("Content-Transfer-Encoding")
+	if cte != "base64" {
+		t.Errorf("expected base64 content-transfer-encoding, got %s", cte)
+	}
+}
+
+func TestESTCACerts_MethodNotAllowed(t *testing.T) {
+	svc := &mockESTService{}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/est/cacerts", nil)
+	w := httptest.NewRecorder()
+	h.CACerts(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestESTCACerts_ServiceError(t *testing.T) {
+	svc := &mockESTService{
+		CACertErr: errors.New("issuer unavailable"),
+	}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/est/cacerts", nil)
+	w := httptest.NewRecorder()
+	h.CACerts(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d", w.Code)
+	}
+}
+
+func TestESTSimpleEnroll_Success_PEM(t *testing.T) {
+	csrPEM := generateTestCSRPEM(t)
+	svc := &mockESTService{
+		EnrollResult: &domain.ESTEnrollResult{
+			CertPEM:  "-----BEGIN CERTIFICATE-----\nMIIBtest\n-----END CERTIFICATE-----\n",
+			ChainPEM: "-----BEGIN CERTIFICATE-----\nMIIBchain\n-----END CERTIFICATE-----\n",
+		},
+	}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/est/simpleenroll", strings.NewReader(csrPEM))
+	req.Header.Set("Content-Type", "application/pkcs10")
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	ct := w.Header().Get("Content-Type")
+	if !strings.Contains(ct, "application/pkcs7-mime") {
+		t.Errorf("expected application/pkcs7-mime, got %s", ct)
+	}
+}
+
+func TestESTSimpleEnroll_Success_Base64DER(t *testing.T) {
+	csrB64 := generateTestCSRBase64DER(t)
+	svc := &mockESTService{
+		EnrollResult: &domain.ESTEnrollResult{
+			CertPEM:  "-----BEGIN CERTIFICATE-----\nMIIBtest\n-----END CERTIFICATE-----\n",
+			ChainPEM: "",
+		},
+	}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/est/simpleenroll", strings.NewReader(csrB64))
+	req.Header.Set("Content-Type", "application/pkcs10")
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestESTSimpleEnroll_MethodNotAllowed(t *testing.T) {
+	svc := &mockESTService{}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/est/simpleenroll", nil)
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestESTSimpleEnroll_EmptyBody(t *testing.T) {
+	svc := &mockESTService{}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/est/simpleenroll", strings.NewReader(""))
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestESTSimpleEnroll_InvalidCSR(t *testing.T) {
+	svc := &mockESTService{}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/est/simpleenroll", strings.NewReader("not-a-valid-csr"))
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestESTSimpleEnroll_ServiceError(t *testing.T) {
+	csrPEM := generateTestCSRPEM(t)
+	svc := &mockESTService{
+		EnrollErr: errors.New("issuance failed"),
+	}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/est/simpleenroll", strings.NewReader(csrPEM))
+	w := httptest.NewRecorder()
+	h.SimpleEnroll(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d", w.Code)
+	}
+}
+
+func TestESTSimpleReEnroll_Success(t *testing.T) {
+	csrPEM := generateTestCSRPEM(t)
+	svc := &mockESTService{
+		EnrollResult: &domain.ESTEnrollResult{
+			CertPEM:  "-----BEGIN CERTIFICATE-----\nMIIBtest\n-----END CERTIFICATE-----\n",
+			ChainPEM: "-----BEGIN CERTIFICATE-----\nMIIBchain\n-----END CERTIFICATE-----\n",
+		},
+	}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/est/simplereenroll", strings.NewReader(csrPEM))
+	w := httptest.NewRecorder()
+	h.SimpleReEnroll(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestESTSimpleReEnroll_MethodNotAllowed(t *testing.T) {
+	svc := &mockESTService{}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/est/simplereenroll", nil)
+	w := httptest.NewRecorder()
+	h.SimpleReEnroll(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestESTCSRAttrs_NoContent(t *testing.T) {
+	svc := &mockESTService{
+		CSRAttrs: nil,
+	}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
+	w := httptest.NewRecorder()
+	h.CSRAttrs(w, req)
+
+	if w.Code != http.StatusNoContent {
+		t.Errorf("expected 204, got %d", w.Code)
+	}
+}
+
+func TestESTCSRAttrs_WithData(t *testing.T) {
+	svc := &mockESTService{
+		CSRAttrs: []byte{0x30, 0x00}, // empty SEQUENCE
+	}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil)
+	w := httptest.NewRecorder()
+	h.CSRAttrs(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	ct := w.Header().Get("Content-Type")
+	if ct != "application/csrattrs" {
+		t.Errorf("expected application/csrattrs, got %s", ct)
+	}
+}
+
+func TestESTCSRAttrs_MethodNotAllowed(t *testing.T) {
+	svc := &mockESTService{}
+	h := NewESTHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/est/csrattrs", nil)
+	w := httptest.NewRecorder()
+	h.CSRAttrs(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestBuildCertsOnlyPKCS7(t *testing.T) {
+	// Test with a dummy DER certificate
+	dummyCert := []byte{0x30, 0x82, 0x01, 0x00} // minimal ASN.1 SEQUENCE
+	result, err := buildCertsOnlyPKCS7([][]byte{dummyCert})
+	if err != nil {
+		t.Fatalf("buildCertsOnlyPKCS7 failed: %v", err)
+	}
+	if len(result) == 0 {
+		t.Error("expected non-empty PKCS#7 output")
+	}
+	// Verify it starts with SEQUENCE tag
+	if result[0] != 0x30 {
+		t.Errorf("expected PKCS#7 to start with SEQUENCE tag (0x30), got 0x%02x", result[0])
+	}
+}
+
+func TestPemToDERChain(t *testing.T) {
+	pemData := "-----BEGIN CERTIFICATE-----\nMIIBmjCCAUCgAwIBAgIRATest\n-----END CERTIFICATE-----\n"
+	certs, err := pemToDERChain(pemData)
+	if err != nil {
+		t.Fatalf("pemToDERChain failed: %v", err)
+	}
+	if len(certs) != 1 {
+		t.Errorf("expected 1 cert, got %d", len(certs))
+	}
+}
+
+func TestPemToDERChain_NoCerts(t *testing.T) {
+	_, err := pemToDERChain("not a PEM")
+	if err == nil {
+		t.Error("expected error for invalid PEM")
+	}
+}
+
+func TestASN1EncodeLength(t *testing.T) {
+	tests := []struct {
+		length   int
+		expected []byte
+	}{
+		{0, []byte{0x00}},
+		{1, []byte{0x01}},
+		{127, []byte{0x7f}},
+		{128, []byte{0x81, 0x80}},
+		{256, []byte{0x82, 0x01, 0x00}},
+	}
+	for _, tt := range tests {
+		result := asn1EncodeLength(tt.length)
+		if len(result) != len(tt.expected) {
+			t.Errorf("asn1EncodeLength(%d): expected %d bytes, got %d", tt.length, len(tt.expected), len(result))
+			continue
+		}
+		for i := range result {
+			if result[i] != tt.expected[i] {
+				t.Errorf("asn1EncodeLength(%d): byte %d: expected 0x%02x, got 0x%02x", tt.length, i, tt.expected[i], result[i])
+			}
+		}
+	}
+}