gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 18:51:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0729ee46e01f5da97d78ec24627ab4e6e0a8c71e
certctl/internal/api/acme/phase4_test.go
T
shankar0123 4dc8d3fa5b acme-server: key rollover + revocation + ARI (Phase 4/7) 
Closes the RFC 8555 + RFC 9773 surface beyond the issuance happy-path:
  - POST /acme/profile/<id>/key-change   (RFC 8555 §7.3.5)
  - POST /acme/profile/<id>/revoke-cert  (RFC 8555 §7.6)
  - GET  /acme/profile/<id>/renewal-info/<cert-id>  (RFC 9773 ARI)

After this commit, ACME clients can rotate account keys, revoke certs
through the ACME surface (rather than only via the certctl GUI/API),
and fetch ARI for proactive renewal scheduling.

Architecture:
  - Key rollover: outer JWS verified against the registered account key
    (existing kid path); the inner JWS — embedded as the outer's payload
    — verified against the embedded NEW jwk in a new dedicated routine
    (ParseAndVerifyKeyChangeInner) that enforces RFC 8555 §7.3.5
    inner-only invariants: MUST use jwk + MUST NOT use kid, payload
    .account == outer.kid, payload.oldKey thumbprint-equals registered.
    A single WithinTx swaps the stored thumbprint+pem and writes the
    audit row. Concurrent-rollover safety via SELECT…FOR UPDATE on the
    conflicting account row in UpdateAccountJWKWithTx; the loser
    observes the winner's new thumbprint and is told to retry (409).
  - Revocation: two auth paths. kid → AccountOwnsCertificate single-
    indexed COUNT lookup over acme_orders. jwk → constant-time RFC 7638
    thumbprint compare against the cert's pubkey. Both paths route
    through service.RevocationSvc.RevokeCertificateWithActor so the
    existing CRL/OCSP refresh + audit + metrics pipeline applies. RFC
    5280 §5.3.1 numeric reason codes clamp to certctl's
    domain.ValidRevocationReasons; codes 8 (removeFromCRL) + 10
    (aACompromise) clamp to 'unspecified' since they aren't in the set.
  - ARI is GET-only and unauth per RFC 9773 §4. Cert-id wire shape is
    base64url(AKI).base64url(serial); ParseARICertID strict-decodes,
    SerialHex emits the canonical certctl-shape lowercase-no-leading-
    zeros hex used in certificate_versions.serial_number.
    ComputeRenewalWindow has 3 branches: bound RenewalPolicy →
    [notAfter - days, notAfter - days/2]; no policy → last 33% of
    validity; past expiry → [now, now + 1d] (renew immediately).
    Retry-After honors CERTCTL_ACME_SERVER_ARI_POLL_INTERVAL.

What ships:
  - internal/api/acme/{keychange,ari}.go (+ phase4_test.go: 15 tests).
  - internal/api/acme/order.go: RevokeCertRequest wire shape.
  - internal/api/handler/acme.go: KeyChange, RevokeCert, RenewalInfo
    + 11 new writeServiceError mappings.
  - internal/repository/postgres/acme.go: UpdateAccountJWKWithTx (FOR
    UPDATE + expectedOldThumbprint precondition; ErrACMEAccountKey-
    ConcurrentUpdate sentinel) + AccountOwnsCertificate.
  - internal/service/acme.go: RotateAccountKey + RevokeCert +
    RenewalInfo; CertificateRevoker + RenewalPolicyLookup interfaces;
    SetRevocationDelegate + SetRenewalPolicyLookup wiring; 11 new
    sentinels; 6 new metrics.
  - internal/service/acme_phase4_test.go: service-layer tests for
    RotateAccountKey (happy + duplicate-key) + RevokeCert (kid mismatch
    + jwk mismatch + jwk happy + already-revoked + reason-clamping) +
    RenewalInfo (disabled + bad cert-id).
  - internal/api/router/router.go: 6 new register calls (3 per-profile
    + 3 shorthand). Router parity exceptions extended in lockstep
    (in-tree SpecParityExceptions + CI-only openapi-handler-exceptions
    .yaml).
  - cmd/server/main.go: SetRevocationDelegate(revocationSvc) +
    SetRenewalPolicyLookup(renewalPolicyRepo) at startup.
  - internal/config/config.go: CERTCTL_ACME_SERVER_ARI_ENABLED (default
    true) + CERTCTL_ACME_SERVER_ARI_POLL_INTERVAL (default 6h);
    BuildDirectory's ariEnabled flag now flips on under
    cfg.ARIEnabled.
  - docs/acme-server.md: phase status flipped to Phase 4; endpoints
    table grows 6 rows (3 per-profile + 3 shorthand); FAQ section
    appended explaining how to rotate keys, revoke certs, and consume
    ARI.

Tests:
  - 'go vet ./...' clean across the repo.
  - 'go test -short -count=1 ./...' green across every package.
  - phase4_test.go covers: keychange happy-path + 5 negatives +
    MapKeyChangeErrorToProblem coverage; ARI cert-id round-trip + 6
    malformed cases + BuildARICertID from a generated cert; window-
    math 3 branches.
  - service-layer tests confirm: RotateAccountKey atomically swaps the
    thumbprint (verifies persisted state) and rejects duplicate keys;
    RevokeCert routes through the stub RevocationSvc with the right
    actor string + reason on the jwk path, rejects mismatched keys,
    rejects already-revoked certs, clamps reason codes correctly;
    RenewalInfo respects ARIEnabled + cert-id format.

Engineering history: cowork/WORKSPACE-CHANGELOG.md 'ACME-Server-4'.
2026-05-03 16:51:06 +00:00

363 lines
13 KiB
Go
Raw Blame History

// Copyright (c) certctl
// SPDX-License-Identifier: BSL-1.1
package acme
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/json"
"encoding/pem"
"errors"
"math/big"
"strings"
"testing"
"time"
jose "github.com/go-jose/go-jose/v4"
"github.com/shankar0123/certctl/internal/domain"
)
// --- Test fixtures + helpers -------------------------------------------
func newTestRSAJWK(t *testing.T) (*rsa.PrivateKey, *jose.JSONWebKey) {
t.Helper()
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("rsa.GenerateKey: %v", err)
}
jwk := &jose.JSONWebKey{Key: priv.Public(), Algorithm: string(jose.RS256), Use: "sig"}
return priv, jwk
}
func newTestECDSAJWK(t *testing.T) (*ecdsa.PrivateKey, *jose.JSONWebKey) {
t.Helper()
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("ecdsa.GenerateKey: %v", err)
}
jwk := &jose.JSONWebKey{Key: priv.Public(), Algorithm: string(jose.ES256), Use: "sig"}
return priv, jwk
}
// signWithEmbeddedJWK builds an RFC-7515-compatible compact-serialized JWS with
// the given protected header + payload, signed by signer. Used for
// constructing inner-key-change blobs in tests.
func signWithEmbeddedJWK(t *testing.T, signer interface{}, alg jose.SignatureAlgorithm, payload []byte, headers map[jose.HeaderKey]interface{}, embedJWK *jose.JSONWebKey) string {
t.Helper()
opts := &jose.SignerOptions{ExtraHeaders: headers}
if embedJWK != nil {
opts = opts.WithHeader("jwk", embedJWK)
}
sigSigner, err := jose.NewSigner(jose.SigningKey{Algorithm: alg, Key: signer}, opts)
if err != nil {
t.Fatalf("NewSigner: %v", err)
}
obj, err := sigSigner.Sign(payload)
if err != nil {
t.Fatalf("Sign: %v", err)
}
out, err := obj.CompactSerialize()
if err != nil {
t.Fatalf("CompactSerialize: %v", err)
}
return out
}
// --- KeyChange tests ----------------------------------------------------
func TestParseAndVerifyKeyChangeInner_HappyPath(t *testing.T) {
_, oldJWK := newTestRSAJWK(t)
newPriv, newJWK := newTestECDSAJWK(t)
url := "https://example.com/acme/profile/p1/key-change"
kid := "https://example.com/acme/profile/p1/account/acme-acc-abc"
payloadJSON, err := json.Marshal(KeyChangeInnerPayload{
Account: kid,
OldKey: oldJWK,
})
if err != nil {
t.Fatalf("marshal payload: %v", err)
}
headers := map[jose.HeaderKey]interface{}{"url": url}
innerBytes := signWithEmbeddedJWK(t, newPriv, jose.ES256, payloadJSON, headers, newJWK)
got, err := ParseAndVerifyKeyChangeInner([]byte(innerBytes), kid, url, oldJWK)
if err != nil {
t.Fatalf("ParseAndVerifyKeyChangeInner: %v", err)
}
if got.Payload.Account != kid {
t.Errorf("payload.Account = %q, want %q", got.Payload.Account, kid)
}
if got.URL != url {
t.Errorf("URL = %q, want %q", got.URL, url)
}
if got.NewJWK == nil {
t.Errorf("NewJWK is nil")
}
}
func TestParseAndVerifyKeyChangeInner_OldKeyMismatch(t *testing.T) {
_, oldJWK := newTestRSAJWK(t)
_, otherJWK := newTestRSAJWK(t)
newPriv, newJWK := newTestECDSAJWK(t)
url := "https://example.com/acme/profile/p1/key-change"
kid := "https://example.com/acme/profile/p1/account/acme-acc-abc"
// payload claims an oldKey that doesn't match what's registered.
payloadJSON, _ := json.Marshal(KeyChangeInnerPayload{Account: kid, OldKey: otherJWK})
headers := map[jose.HeaderKey]interface{}{"url": url}
innerBytes := signWithEmbeddedJWK(t, newPriv, jose.ES256, payloadJSON, headers, newJWK)
_, err := ParseAndVerifyKeyChangeInner([]byte(innerBytes), kid, url, oldJWK)
if !errors.Is(err, ErrKeyChangeInnerOldKeyMismatch) {
t.Errorf("got err=%v, want ErrKeyChangeInnerOldKeyMismatch", err)
}
}
func TestParseAndVerifyKeyChangeInner_AccountMismatch(t *testing.T) {
_, oldJWK := newTestRSAJWK(t)
newPriv, newJWK := newTestECDSAJWK(t)
url := "https://example.com/acme/profile/p1/key-change"
outerKID := "https://example.com/acme/profile/p1/account/acme-acc-abc"
// payload.Account does NOT equal outer.kid.
payloadJSON, _ := json.Marshal(KeyChangeInnerPayload{
Account: "https://example.com/acme/profile/p1/account/acme-acc-DIFFERENT",
OldKey: oldJWK,
})
headers := map[jose.HeaderKey]interface{}{"url": url}
innerBytes := signWithEmbeddedJWK(t, newPriv, jose.ES256, payloadJSON, headers, newJWK)
_, err := ParseAndVerifyKeyChangeInner([]byte(innerBytes), outerKID, url, oldJWK)
if !errors.Is(err, ErrKeyChangeInnerAccountMismatch) {
t.Errorf("got err=%v, want ErrKeyChangeInnerAccountMismatch", err)
}
}
func TestParseAndVerifyKeyChangeInner_URLMismatch(t *testing.T) {
_, oldJWK := newTestRSAJWK(t)
newPriv, newJWK := newTestECDSAJWK(t)
innerURL := "https://example.com/acme/profile/p1/key-change"
outerURL := "https://example.com/acme/profile/p1/key-change-different"
kid := "https://example.com/acme/profile/p1/account/acme-acc-abc"
payloadJSON, _ := json.Marshal(KeyChangeInnerPayload{Account: kid, OldKey: oldJWK})
headers := map[jose.HeaderKey]interface{}{"url": innerURL}
innerBytes := signWithEmbeddedJWK(t, newPriv, jose.ES256, payloadJSON, headers, newJWK)
_, err := ParseAndVerifyKeyChangeInner([]byte(innerBytes), kid, outerURL, oldJWK)
if !errors.Is(err, ErrKeyChangeInnerURLMismatch) {
t.Errorf("got err=%v, want ErrKeyChangeInnerURLMismatch", err)
}
}
func TestParseAndVerifyKeyChangeInner_BadSignature(t *testing.T) {
_, oldJWK := newTestRSAJWK(t)
newPriv, newJWK := newTestECDSAJWK(t)
_, otherJWK := newTestECDSAJWK(t) // different key embedded vs. signer
url := "https://example.com/acme/profile/p1/key-change"
kid := "https://example.com/acme/profile/p1/account/acme-acc-abc"
payloadJSON, _ := json.Marshal(KeyChangeInnerPayload{Account: kid, OldKey: oldJWK})
headers := map[jose.HeaderKey]interface{}{"url": url}
// Sign with newPriv but embed otherJWK — verification against the
// embedded jwk will fail since the signer didn't possess otherJWK's
// private key.
innerBytes := signWithEmbeddedJWK(t, newPriv, jose.ES256, payloadJSON, headers, otherJWK)
_, err := ParseAndVerifyKeyChangeInner([]byte(innerBytes), kid, url, oldJWK)
if !errors.Is(err, ErrKeyChangeInnerSignatureBad) {
t.Errorf("got err=%v, want ErrKeyChangeInnerSignatureBad", err)
}
_ = newJWK
}
func TestParseAndVerifyKeyChangeInner_MalformedJWS(t *testing.T) {
_, oldJWK := newTestRSAJWK(t)
_, err := ParseAndVerifyKeyChangeInner([]byte("not-a-jws"), "kid", "url", oldJWK)
if !errors.Is(err, ErrKeyChangeInnerMalformed) {
t.Errorf("got err=%v, want ErrKeyChangeInnerMalformed", err)
}
}
func TestParseAndVerifyKeyChangeInner_MissingURL(t *testing.T) {
_, oldJWK := newTestRSAJWK(t)
newPriv, newJWK := newTestECDSAJWK(t)
url := "https://example.com/acme/profile/p1/key-change"
kid := "https://example.com/acme/profile/p1/account/acme-acc-abc"
payloadJSON, _ := json.Marshal(KeyChangeInnerPayload{Account: kid, OldKey: oldJWK})
// No `url` header.
innerBytes := signWithEmbeddedJWK(t, newPriv, jose.ES256, payloadJSON, nil, newJWK)
_, err := ParseAndVerifyKeyChangeInner([]byte(innerBytes), kid, url, oldJWK)
if !errors.Is(err, ErrKeyChangeInnerURLMissing) {
t.Errorf("got err=%v, want ErrKeyChangeInnerURLMissing", err)
}
}
func TestMapKeyChangeErrorToProblem_Coverage(t *testing.T) {
cases := []struct {
err error
wantType string
}{
{ErrKeyChangeInnerSignatureBad, "urn:ietf:params:acme:error:unauthorized"},
{ErrKeyChangeInnerOldKeyMismatch, "urn:ietf:params:acme:error:unauthorized"},
{ErrKeyChangeInnerAccountMismatch, "urn:ietf:params:acme:error:malformed"},
{ErrKeyChangeInnerForbidsKID, "urn:ietf:params:acme:error:malformed"},
{ErrKeyChangeInnerMissingJWK, "urn:ietf:params:acme:error:malformed"},
{ErrKeyChangeInnerOldKeyMissing, "urn:ietf:params:acme:error:malformed"},
{ErrKeyChangeInnerURLMismatch, "urn:ietf:params:acme:error:unauthorized"},
{ErrKeyChangeInnerMalformed, "urn:ietf:params:acme:error:malformed"},
}
for _, c := range cases {
got := MapKeyChangeErrorToProblem(c.err)
if got.Type != c.wantType {
t.Errorf("err=%v: got type %q, want %q", c.err, got.Type, c.wantType)
}
}
}
// --- ARI tests ----------------------------------------------------------
func TestParseARICertID_Roundtrip(t *testing.T) {
aki := []byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02}
serial := []byte{0x12, 0x34, 0x56, 0x78}
certID := base64.RawURLEncoding.EncodeToString(aki) + "." + base64.RawURLEncoding.EncodeToString(serial)
got, err := ParseARICertID(certID)
if err != nil {
t.Fatalf("ParseARICertID: %v", err)
}
if string(got.AKI) != string(aki) {
t.Errorf("AKI: got %x, want %x", got.AKI, aki)
}
if string(got.Serial) != string(serial) {
t.Errorf("Serial: got %x, want %x", got.Serial, serial)
}
// SerialHex must match canonical certctl shape.
wantSerialHex := "12345678"
if got.SerialHex() != wantSerialHex {
t.Errorf("SerialHex: got %q, want %q", got.SerialHex(), wantSerialHex)
}
}
func TestParseARICertID_Malformed(t *testing.T) {
cases := []struct {
name string
certID string
wantErr error
}{
{"missing dot", "abc123nodot", ErrARICertIDMalformed},
{"too many dots", "a.b.c", ErrARICertIDMalformed},
{"empty aki", ".YWJj", ErrARICertIDEmpty},
{"empty serial", "YWJj.", ErrARICertIDEmpty},
{"non-base64 aki", "!!!!.YWJj", ErrARICertIDDecodeAKI},
{"non-base64 serial", "YWJj.!!!!", ErrARICertIDDecodeSeria},
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
_, err := ParseARICertID(c.certID)
if !errors.Is(err, c.wantErr) {
t.Errorf("got err=%v, want %v", err, c.wantErr)
}
})
}
}
func TestBuildARICertID_FromGeneratedCert(t *testing.T) {
// Build a self-signed cert with an explicit AKI and serial.
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("genkey: %v", err)
}
template := &x509.Certificate{
SerialNumber: big.NewInt(0x12345678),
Subject: pkix.Name{CommonName: "test"},
NotBefore: time.Now(),
NotAfter: time.Now().Add(24 * time.Hour),
AuthorityKeyId: []byte{0xde, 0xad, 0xbe, 0xef},
BasicConstraintsValid: true,
IsCA: true,
}
der, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
if err != nil {
t.Fatalf("CreateCertificate: %v", err)
}
certPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
certID, err := BuildARICertID(certPEM)
if err != nil {
t.Fatalf("BuildARICertID: %v", err)
}
parts := strings.Split(certID, ".")
if len(parts) != 2 {
t.Fatalf("got %d parts, want 2", len(parts))
}
wantAKI := base64.RawURLEncoding.EncodeToString([]byte{0xde, 0xad, 0xbe, 0xef})
if parts[0] != wantAKI {
t.Errorf("AKI part: got %q, want %q", parts[0], wantAKI)
}
}
func TestComputeRenewalWindow_WithPolicy(t *testing.T) {
now := time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)
notAfter := time.Date(2026, 7, 1, 0, 0, 0, 0, time.UTC) // 61 days out
cert := &domain.ManagedCertificate{ExpiresAt: notAfter}
version := &domain.CertificateVersion{
NotBefore: time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC),
NotAfter: notAfter,
}
policy := &domain.RenewalPolicy{RenewalWindowDays: 30}
start, end := ComputeRenewalWindow(cert, version, policy, now)
wantStart := notAfter.Add(-30 * 24 * time.Hour) // 2026-06-01
wantEnd := wantStart.Add(15 * 24 * time.Hour) // 2026-06-16
if !start.Equal(wantStart) {
t.Errorf("start: got %v, want %v", start, wantStart)
}
if !end.Equal(wantEnd) {
t.Errorf("end: got %v, want %v", end, wantEnd)
}
}
func TestComputeRenewalWindow_NoPolicy_LastThird(t *testing.T) {
now := time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)
notBefore := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC)
notAfter := time.Date(2026, 7, 1, 0, 0, 0, 0, time.UTC) // 91-day validity
cert := &domain.ManagedCertificate{ExpiresAt: notAfter}
version := &domain.CertificateVersion{NotBefore: notBefore, NotAfter: notAfter}
start, end := ComputeRenewalWindow(cert, version, nil, now)
// Validity = 91 days; thirty3 ~30d, end_offset = 10d. Start is in
// the future from `now` (Jun 2026), so no clamp.
if start.Before(now) {
t.Errorf("start before now: got %v", start)
}
if !end.After(start) && !end.Equal(start) {
t.Errorf("end before start: start=%v end=%v", start, end)
}
}
func TestComputeRenewalWindow_PastExpiry_RenewNow(t *testing.T) {
now := time.Date(2026, 8, 1, 0, 0, 0, 0, time.UTC)
notAfter := time.Date(2026, 7, 1, 0, 0, 0, 0, time.UTC) // 1 month ago
cert := &domain.ManagedCertificate{ExpiresAt: notAfter}
start, end := ComputeRenewalWindow(cert, nil, nil, now)
// Expect a "renew now" 1-day window starting at now.
if !start.Equal(now) {
t.Errorf("start: got %v, want %v", start, now)
}
if want := now.Add(24 * time.Hour); !end.Equal(want) {
t.Errorf("end: got %v, want %v", end, want)
}
}
Reference in New Issue View Git Blame Copy Permalink