feat: M12 — sub-CA mode, ACME DNS-01 challenges, step-ca issuer connector

Sub-CA mode: Local CA loads CA cert+key from disk (CERTCTL_CA_CERT_PATH + CERTCTL_CA_KEY_PATH) to operate as subordinate CA under enterprise root (e.g., ADCS). Supports RSA, ECDSA, PKCS#8 keys. Validates IsCA and KeyUsageCertSign. Falls back to self-signed when paths unset. DNS-01 challenges: Pluggable DNSSolver interface with script-based hook implementation. User-provided scripts create/cleanup _acme-challenge TXT records for any DNS provider. Configurable propagation wait. Enables wildcard certs and non-HTTP-accessible hosts. step-ca connector: Smallstep private CA via native /sign API with JWK provisioner auth. Issuance, renewal, revocation. Registered as iss-stepca. 23 new tests across 3 files. CI test path widened to ./internal/connector/issuer/... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-14 22:58:52 +00:00 · 2026-03-21 22:55:50 -04:00
parent d7a4d40d47
commit f5fed74d6f
14 changed files with 1827 additions and 45 deletions
@@ -0,0 +1,110 @@
+package acme
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os/exec"
+	"time"
+)
+
+// DNSSolver defines the interface for DNS-01 challenge provisioning.
+// Implementations create and clean up DNS TXT records for ACME validation.
+type DNSSolver interface {
+	// Present creates a DNS TXT record for the given domain with the given value.
+	// The FQDN will be _acme-challenge.<domain>.
+	Present(ctx context.Context, domain, token, keyAuth string) error
+
+	// CleanUp removes the DNS TXT record created by Present.
+	CleanUp(ctx context.Context, domain, token, keyAuth string) error
+}
+
+// ScriptDNSSolver implements DNSSolver by executing external scripts.
+// This provides maximum flexibility: users supply their own scripts for
+// whatever DNS provider they use (Cloudflare, Route53, Azure DNS, etc.).
+//
+// The scripts receive these environment variables:
+//
+//	CERTCTL_DNS_DOMAIN   — the domain being validated (e.g., "example.com")
+//	CERTCTL_DNS_FQDN     — the full record name (e.g., "_acme-challenge.example.com")
+//	CERTCTL_DNS_VALUE    — the TXT record value (key authorization digest)
+//	CERTCTL_DNS_TOKEN    — the ACME challenge token
+//
+// The present script must create the TXT record and exit 0.
+// The cleanup script must remove the TXT record and exit 0.
+type ScriptDNSSolver struct {
+	PresentScript string // Path to script that creates the TXT record
+	CleanUpScript string // Path to script that removes the TXT record
+	Timeout       time.Duration
+	Logger        *slog.Logger
+}
+
+// NewScriptDNSSolver creates a script-based DNS solver.
+func NewScriptDNSSolver(presentScript, cleanUpScript string, logger *slog.Logger) *ScriptDNSSolver {
+	return &ScriptDNSSolver{
+		PresentScript: presentScript,
+		CleanUpScript: cleanUpScript,
+		Timeout:       120 * time.Second,
+		Logger:        logger,
+	}
+}
+
+// Present executes the present script to create a DNS TXT record.
+func (s *ScriptDNSSolver) Present(ctx context.Context, domain, token, keyAuth string) error {
+	if s.PresentScript == "" {
+		return fmt.Errorf("DNS present script not configured")
+	}
+
+	fqdn := "_acme-challenge." + domain
+
+	s.Logger.Info("creating DNS TXT record via script",
+		"domain", domain,
+		"fqdn", fqdn,
+		"script", s.PresentScript)
+
+	return s.runScript(ctx, s.PresentScript, domain, fqdn, token, keyAuth)
+}
+
+// CleanUp executes the cleanup script to remove a DNS TXT record.
+func (s *ScriptDNSSolver) CleanUp(ctx context.Context, domain, token, keyAuth string) error {
+	if s.CleanUpScript == "" {
+		s.Logger.Warn("DNS cleanup script not configured, skipping cleanup", "domain", domain)
+		return nil
+	}
+
+	fqdn := "_acme-challenge." + domain
+
+	s.Logger.Info("removing DNS TXT record via script",
+		"domain", domain,
+		"fqdn", fqdn,
+		"script", s.CleanUpScript)
+
+	return s.runScript(ctx, s.CleanUpScript, domain, fqdn, token, keyAuth)
+}
+
+// runScript executes a DNS hook script with the appropriate environment variables.
+func (s *ScriptDNSSolver) runScript(ctx context.Context, script, domain, fqdn, token, keyAuth string) error {
+	timeout := s.Timeout
+	if timeout == 0 {
+		timeout = 120 * time.Second
+	}
+
+	execCtx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	cmd := exec.CommandContext(execCtx, script)
+	cmd.Env = append(cmd.Environ(),
+		"CERTCTL_DNS_DOMAIN="+domain,
+		"CERTCTL_DNS_FQDN="+fqdn,
+		"CERTCTL_DNS_VALUE="+keyAuth,
+		"CERTCTL_DNS_TOKEN="+token,
+	)
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("DNS script %s failed: %w (output: %s)", script, err, string(output))
+	}
+
+	s.Logger.Debug("DNS script completed", "script", script, "output", string(output))
+	return nil
+}