mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:31:36 +00:00
shankar0123
44a85d6f85
Layers JWS-authenticated POST machinery onto the Phase 1a foundation
(commit ec88a61). After this commit, an ACME client can run
POST /acme/profile/<id>/new-account
against certctl and successfully register an account. Account update
+ deactivation via POST /acme/profile/<id>/account/<acc-id> work.
Orders + challenges remain Phase 2 / 3.
Background:
Two prior dispatch attempts at the original Phase 1 ("skeleton +
directory + new-nonce + new-account" as a single commit) failed on
go-jose v4 API speculation (jws.GetPayload, sig.Algorithm,
jose.SHA256, etc. — none of those exist in v4). Splitting Phase 1
into 1a (foundation, no go-jose) and 1b (this commit, all go-jose
in one place) concentrated the JWS work where attention pays off.
The verifier reads the actual go-jose v4 surface — ParseSigned with
closed alg allow-list, Header struct fields (Algorithm, KeyID,
JSONWebKey, Nonce, ExtraHeaders[HeaderKey]), JWK.Thumbprint with
stdlib crypto.SHA256.
What ships:
- internal/api/acme/jws.go: 487-line verifier + sentinel error
family. Enforces RFC 8555 §6.2 + §6.4 + §6.5 invariants:
- alg in {RS256, ES256, EdDSA} (closed allow-list passed to
jose.ParseSigned — HS256 / none / etc. rejected at parse time)
- exactly one of `kid` / `jwk` in protected header (per
endpoint policy — new-account demands jwk, others demand kid)
- protected `url` matches request URL exactly
- protected `nonce` consumed against acme_nonces (badNonce on
miss/replay/expiry per RFC 8555 §6.5.1)
- kid round-trips against canonical AccountKID(accountID) URL
(catches cross-profile / cross-host replay)
- kid path: account exists + status=valid (deactivated /
revoked accounts cannot authenticate)
- signature verifies; post-Verify payload bytes equal
UnsafePayloadWithoutVerification (defense in depth)
+ JWK persistence helpers (JWKToPEM / ParseJWKFromPEM round-
trip a public-only JWK as a PEM-wrapped JSON envelope; stored
as TEXT in acme_accounts.jwk_pem for diff-friendliness) +
JWKThumbprint per RFC 7638.
- internal/api/acme/jws_test.go: 16 cases covering happy paths
(RS256 kid, ES256 jwk, EdDSA kid) + every named failure mode
(alg-not-allowed, bad-sig, missing-nonce, unknown-nonce,
replay, url-mismatch, mixed kid+jwk, deactivated-account,
cross-host kid). Uses real keypairs + real go-jose Signer to
build JWS objects.
- internal/api/acme/account.go: NewAccountRequest /
AccountUpdateRequest payload shapes (RFC 8555 §7.3 + §7.3.2 +
§7.3.6) + AccountResponseJSON wire shape + MarshalAccount
helper.
- internal/domain/acme.go: ACMEAccount struct + ACMEAccountStatus
closed enum (valid / deactivated / revoked).
- internal/repository/postgres/acme.go: full account CRUD path
(CreateAccountWithTx with 23505-unique-violation sentinel
translation, GetAccountByID, GetAccountByThumbprint,
UpdateAccountContactWithTx, UpdateAccountStatusWithTx) +
sql.ErrNoRows-wrapped repository.ErrNotFound on lookup misses.
- internal/service/acme.go: ACMERepo interface extended;
SetTransactor + SetAuditService wires; NewAccount (idempotent
re-registration per RFC 8555 §7.3.1 — same JWK returns existing
row without an update or new audit event); LookupAccount;
UpdateAccount; DeactivateAccount; VerifyJWS adapter that bridges
api/acme.VerifierConfig to the service-layer ACMERepo; per-op
metrics extended (new_account_total + _failures_total +
_idempotent_total + update_account_total + _failures_total +
deactivate_account_total).
- internal/service/acme_test.go: 8 new tests covering
new-account happy path / idempotent re-registration / only-
return-existing match + no-match / contact update / deactivate
/ lookup-not-found / requires-transactor.
- internal/api/handler/acme.go: NewAccount + Account handlers.
Account dispatches POST-as-GET (RFC 8555 §6.3 — empty body or
{} payload returns the account row), contact update, and
deactivation from the same endpoint. Defense-in-depth check
that the kid path-segment matches the URL path-segment (the
verifier already round-tripped the kid against canonical URL,
but the handler re-asserts to catch any future verifier
refactor).
- internal/api/handler/acme_handler_test.go: 7 new cases
covering happy-create, idempotent-200, only-return-existing-
no-match-400, malformed-JWS-400, kid-URL-mismatch-401,
deactivate, contact-update, POST-as-GET.
- internal/api/router/router.go: 4 new Register calls (per-
profile + shorthand for new-account and account/{acc_id}).
- internal/api/router/openapi_parity_test.go: SpecParityExceptions
extended with the 4 new routes (RFC 8555 wire-protocol surface,
not OpenAPI-shaped — same precedent as Phase 1a).
- cmd/server/main.go: SetTransactor + SetAuditService on
acmeService at startup so the WithinTx-based new-account /
update / deactivate paths run with the same transactor instance
shared across CertificateService / RevocationSvc / RenewalService.
- docs/acme-server.md: Phase status updated; endpoints table grows
new-account + account/<acc_id> rows; new "JWS verification
(Phase 1b)" section enumerates the 7 invariants the verifier
enforces; phases-cross-reference table marks 1b live.
- go.mod / go.sum: github.com/go-jose/go-jose/v4 v4.0.4 added.
Atomicity: every account-state mutation writes its acme_accounts row
+ its audit_events row inside one repository.Transactor.WithinTx
call — the canonical certctl atomicity contract (matches
CertificateService.Create at internal/service/certificate.go:131).
Idempotent re-registration explicitly does NOT write an audit row
(RFC 8555 §7.3.1 returns the existing row unmodified).
Tests: 16 jws_test.go cases + 11 service tests + 11 handler tests
all pass under -short. Bad-signature test uses a real registered
account whose stored JWK is a different keypair from the signer's,
so the JWS parses cleanly but jose.Verify rejects — exercises the
ErrJWSSignatureInvalid path directly.
Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1b".
571 lines
18 KiB
Go
571 lines
18 KiB
Go
// Copyright (c) certctl
|
|
// SPDX-License-Identifier: BSL-1.1
|
|
|
|
package acme
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/ed25519"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"encoding/json"
|
|
"errors"
|
|
"strings"
|
|
"testing"
|
|
|
|
jose "github.com/go-jose/go-jose/v4"
|
|
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
)
|
|
|
|
// --- test fixtures + helpers --------------------------------------------
|
|
|
|
// stubAccounts implements AccountLookup with a static map.
|
|
type stubAccounts struct {
|
|
byID map[string]*domain.ACMEAccount
|
|
}
|
|
|
|
func (s *stubAccounts) LookupAccount(accountID string) (*domain.ACMEAccount, error) {
|
|
acct, ok := s.byID[accountID]
|
|
if !ok {
|
|
return nil, ErrJWSAccountNotFound
|
|
}
|
|
return acct, nil
|
|
}
|
|
|
|
// stubNonces implements NonceConsumer with a one-shot map. Used == true
|
|
// after first Consume.
|
|
type stubNonces struct {
|
|
known map[string]bool // nonce → consumed?
|
|
}
|
|
|
|
func newStubNonces(nonces ...string) *stubNonces {
|
|
s := &stubNonces{known: make(map[string]bool, len(nonces))}
|
|
for _, n := range nonces {
|
|
s.known[n] = false
|
|
}
|
|
return s
|
|
}
|
|
|
|
func (s *stubNonces) ConsumeNonce(nonce string) error {
|
|
used, ok := s.known[nonce]
|
|
if !ok {
|
|
return errors.New("not found")
|
|
}
|
|
if used {
|
|
return errors.New("already used")
|
|
}
|
|
s.known[nonce] = true
|
|
return nil
|
|
}
|
|
|
|
const testKID = "https://server/acme/profile/prof-corp/account/acme-acc-test123"
|
|
const testURL = "https://server/acme/profile/prof-corp/new-account"
|
|
|
|
func testAccountKID(accountID string) string {
|
|
return "https://server/acme/profile/prof-corp/account/" + accountID
|
|
}
|
|
|
|
// genRSAKey, genECKey, genEdKey return a freshly-generated keypair
|
|
// suitable for signing JWS objects. Tests share the same key per-case
|
|
// to keep failures localized to the verifier rather than cross-test
|
|
// state.
|
|
func genRSAKey(t *testing.T) *rsa.PrivateKey {
|
|
t.Helper()
|
|
k, err := rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
t.Fatalf("rsa keygen: %v", err)
|
|
}
|
|
return k
|
|
}
|
|
|
|
func genECKey(t *testing.T) *ecdsa.PrivateKey {
|
|
t.Helper()
|
|
k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("ecdsa keygen: %v", err)
|
|
}
|
|
return k
|
|
}
|
|
|
|
func genEdKey(t *testing.T) (ed25519.PublicKey, ed25519.PrivateKey) {
|
|
t.Helper()
|
|
pub, priv, err := ed25519.GenerateKey(rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("ed25519 keygen: %v", err)
|
|
}
|
|
return pub, priv
|
|
}
|
|
|
|
// signWithKID builds a flattened JWS using kid (registered-account flow).
|
|
func signWithKID(t *testing.T, key interface{}, alg jose.SignatureAlgorithm, kid, url, nonce string, payload interface{}) string {
|
|
t.Helper()
|
|
body, err := json.Marshal(payload)
|
|
if err != nil {
|
|
t.Fatalf("marshal payload: %v", err)
|
|
}
|
|
signer, err := jose.NewSigner(
|
|
jose.SigningKey{Algorithm: alg, Key: key},
|
|
(&jose.SignerOptions{}).
|
|
WithHeader(jose.HeaderKey("url"), url).
|
|
WithHeader("kid", kid).
|
|
WithHeader("nonce", nonce),
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("new signer: %v", err)
|
|
}
|
|
jws, err := signer.Sign(body)
|
|
if err != nil {
|
|
t.Fatalf("sign: %v", err)
|
|
}
|
|
out := jws.FullSerialize()
|
|
return out
|
|
}
|
|
|
|
// signWithJWK builds a flattened JWS embedding the public JWK
|
|
// (new-account flow). The Signer with EmbedJWK=true attaches the
|
|
// JSONWebKey to the protected header.
|
|
func signWithJWK(t *testing.T, key interface{}, alg jose.SignatureAlgorithm, url, nonce string, payload interface{}) string {
|
|
t.Helper()
|
|
body, err := json.Marshal(payload)
|
|
if err != nil {
|
|
t.Fatalf("marshal payload: %v", err)
|
|
}
|
|
signer, err := jose.NewSigner(
|
|
jose.SigningKey{Algorithm: alg, Key: key},
|
|
(&jose.SignerOptions{EmbedJWK: true}).
|
|
WithHeader(jose.HeaderKey("url"), url).
|
|
WithHeader("nonce", nonce),
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("new signer (embed jwk): %v", err)
|
|
}
|
|
jws, err := signer.Sign(body)
|
|
if err != nil {
|
|
t.Fatalf("sign: %v", err)
|
|
}
|
|
return jws.FullSerialize()
|
|
}
|
|
|
|
// --- JWK round-trip helpers --------------------------------------------
|
|
|
|
func TestJWKRoundTrip_RSA(t *testing.T) {
|
|
k := genRSAKey(t)
|
|
jwk := &jose.JSONWebKey{Key: &k.PublicKey}
|
|
pem, err := JWKToPEM(jwk)
|
|
if err != nil {
|
|
t.Fatalf("JWKToPEM: %v", err)
|
|
}
|
|
if !strings.Contains(pem, "BEGIN ACME ACCOUNT JWK") {
|
|
t.Fatalf("PEM missing header: %s", pem)
|
|
}
|
|
parsed, err := ParseJWKFromPEM(pem)
|
|
if err != nil {
|
|
t.Fatalf("ParseJWKFromPEM: %v", err)
|
|
}
|
|
if !parsed.Valid() {
|
|
t.Fatal("parsed jwk is not valid")
|
|
}
|
|
}
|
|
|
|
func TestJWKThumbprint_StableAcrossKeyTypes(t *testing.T) {
|
|
rsaJWK := &jose.JSONWebKey{Key: &genRSAKey(t).PublicKey}
|
|
rsaThumb1, err := JWKThumbprint(rsaJWK)
|
|
if err != nil {
|
|
t.Fatalf("rsa thumb: %v", err)
|
|
}
|
|
rsaThumb2, err := JWKThumbprint(rsaJWK)
|
|
if err != nil {
|
|
t.Fatalf("rsa thumb 2: %v", err)
|
|
}
|
|
if rsaThumb1 != rsaThumb2 {
|
|
t.Errorf("thumbprint not stable: %q vs %q", rsaThumb1, rsaThumb2)
|
|
}
|
|
// Different keys produce different thumbprints.
|
|
otherJWK := &jose.JSONWebKey{Key: &genRSAKey(t).PublicKey}
|
|
otherThumb, err := JWKThumbprint(otherJWK)
|
|
if err != nil {
|
|
t.Fatalf("other thumb: %v", err)
|
|
}
|
|
if rsaThumb1 == otherThumb {
|
|
t.Error("two distinct keys collided on thumbprint")
|
|
}
|
|
}
|
|
|
|
// --- VerifyJWS happy paths ---------------------------------------------
|
|
|
|
func TestVerifyJWS_Happy_RS256_KID(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
jwk := &jose.JSONWebKey{Key: &key.PublicKey}
|
|
pem, _ := JWKToPEM(jwk)
|
|
thumb, _ := JWKThumbprint(jwk)
|
|
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{byID: map[string]*domain.ACMEAccount{
|
|
"acme-acc-test123": {
|
|
AccountID: "acme-acc-test123", JWKPEM: pem, JWKThumbprint: thumb,
|
|
Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp",
|
|
},
|
|
}},
|
|
Nonces: newStubNonces("nonce-001"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithKID(t, key, jose.RS256, testKID, testURL, "nonce-001", map[string]any{"hello": "world"})
|
|
|
|
v, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: false})
|
|
if err != nil {
|
|
t.Fatalf("VerifyJWS: %v", err)
|
|
}
|
|
if v.Account == nil || v.Account.AccountID != "acme-acc-test123" {
|
|
t.Errorf("account = %+v, want acme-acc-test123", v.Account)
|
|
}
|
|
if v.JWK != nil {
|
|
t.Errorf("JWK should be nil on kid path; got %+v", v.JWK)
|
|
}
|
|
if v.Nonce != "nonce-001" {
|
|
t.Errorf("nonce = %q", v.Nonce)
|
|
}
|
|
if v.URL != testURL {
|
|
t.Errorf("url = %q", v.URL)
|
|
}
|
|
if v.Algorithm != "RS256" {
|
|
t.Errorf("algorithm = %q", v.Algorithm)
|
|
}
|
|
var payload map[string]any
|
|
if err := json.Unmarshal(v.Payload, &payload); err != nil {
|
|
t.Fatalf("payload not json: %v", err)
|
|
}
|
|
if payload["hello"] != "world" {
|
|
t.Errorf("payload = %+v", payload)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Happy_ES256_JWK(t *testing.T) {
|
|
key := genECKey(t)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{},
|
|
Nonces: newStubNonces("nonce-002"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithJWK(t, key, jose.ES256, testURL, "nonce-002", map[string]any{"new": "account"})
|
|
v, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: true})
|
|
if err != nil {
|
|
t.Fatalf("VerifyJWS: %v", err)
|
|
}
|
|
if v.JWK == nil {
|
|
t.Fatal("JWK should be populated on jwk path")
|
|
}
|
|
if v.Account != nil {
|
|
t.Errorf("Account should be nil on jwk path; got %+v", v.Account)
|
|
}
|
|
if v.Algorithm != "ES256" {
|
|
t.Errorf("algorithm = %q", v.Algorithm)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Happy_EdDSA_KID(t *testing.T) {
|
|
pub, priv := genEdKey(t)
|
|
jwk := &jose.JSONWebKey{Key: pub}
|
|
pem, _ := JWKToPEM(jwk)
|
|
thumb, _ := JWKThumbprint(jwk)
|
|
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{byID: map[string]*domain.ACMEAccount{
|
|
"acme-acc-ed1": {
|
|
AccountID: "acme-acc-ed1", JWKPEM: pem, JWKThumbprint: thumb,
|
|
Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp",
|
|
},
|
|
}},
|
|
Nonces: newStubNonces("nonce-003"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
kid := testAccountKID("acme-acc-ed1")
|
|
body := signWithKID(t, priv, jose.EdDSA, kid, testURL, "nonce-003", struct{}{})
|
|
|
|
v, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: false})
|
|
if err != nil {
|
|
t.Fatalf("VerifyJWS: %v", err)
|
|
}
|
|
if v.Algorithm != "EdDSA" {
|
|
t.Errorf("algorithm = %q, want EdDSA", v.Algorithm)
|
|
}
|
|
}
|
|
|
|
// --- VerifyJWS rejection paths -----------------------------------------
|
|
|
|
func TestVerifyJWS_Reject_AlgNotInAllowList(t *testing.T) {
|
|
// HS256 (HMAC-SHA256, symmetric) is forbidden by RFC 8555 §6.2.
|
|
key := []byte("supersecretkey32byteslongforhmac")
|
|
signer, err := jose.NewSigner(
|
|
jose.SigningKey{Algorithm: jose.HS256, Key: key},
|
|
(&jose.SignerOptions{}).
|
|
WithHeader(jose.HeaderKey("url"), testURL).
|
|
WithHeader("kid", testKID).
|
|
WithHeader("nonce", "n"),
|
|
)
|
|
if err != nil {
|
|
t.Fatalf("hs256 signer: %v", err)
|
|
}
|
|
jws, _ := signer.Sign([]byte("{}"))
|
|
body := jws.FullSerialize()
|
|
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{},
|
|
Nonces: newStubNonces("n"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
_, err = VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{})
|
|
if err == nil {
|
|
t.Fatal("expected algorithm-rejected error; got nil")
|
|
}
|
|
// ParseSigned filters the alg before we ever see the JWS, so the
|
|
// error wraps ErrJWSMalformed (the verifier can't distinguish
|
|
// "wrong format" from "bad alg" at this layer — both manifest as
|
|
// malformed).
|
|
if !errors.Is(err, ErrJWSMalformed) && !errors.Is(err, ErrJWSAlgorithmRejected) {
|
|
t.Errorf("err = %v; want ErrJWSMalformed or ErrJWSAlgorithmRejected", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_BadSignature(t *testing.T) {
|
|
signingKey := genRSAKey(t)
|
|
// The verifier resolves the account row's stored JWK and uses its
|
|
// public component as the verify key. Register an account whose
|
|
// stored JWK is a DIFFERENT key — same shape, different material.
|
|
// The JWS parses cleanly but Verify returns "verification failed".
|
|
storedKey := genRSAKey(t)
|
|
storedJWK := &jose.JSONWebKey{Key: &storedKey.PublicKey}
|
|
storedPEM, _ := JWKToPEM(storedJWK)
|
|
storedThumb, _ := JWKThumbprint(storedJWK)
|
|
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{byID: map[string]*domain.ACMEAccount{
|
|
"acme-acc-test123": {
|
|
AccountID: "acme-acc-test123", JWKPEM: storedPEM, JWKThumbprint: storedThumb,
|
|
Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp",
|
|
},
|
|
}},
|
|
Nonces: newStubNonces("n1"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithKID(t, signingKey, jose.RS256, testKID, testURL, "n1", map[string]any{"x": 1})
|
|
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{})
|
|
if err == nil {
|
|
t.Fatal("expected signature-invalid error; got nil")
|
|
}
|
|
if !errors.Is(err, ErrJWSSignatureInvalid) {
|
|
t.Errorf("err = %v; want ErrJWSSignatureInvalid wrapper", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_NonceMissingFromHeader(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{},
|
|
Nonces: newStubNonces(),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
signer, _ := jose.NewSigner(
|
|
jose.SigningKey{Algorithm: jose.RS256, Key: key},
|
|
(&jose.SignerOptions{EmbedJWK: true}).
|
|
WithHeader(jose.HeaderKey("url"), testURL),
|
|
// nonce omitted intentionally
|
|
)
|
|
jws, _ := signer.Sign([]byte("{}"))
|
|
body := jws.FullSerialize()
|
|
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: true})
|
|
if !errors.Is(err, ErrJWSMissingNonce) {
|
|
t.Errorf("err = %v; want ErrJWSMissingNonce", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_NonceUnknown(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{},
|
|
Nonces: newStubNonces(), // no nonces issued
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithJWK(t, key, jose.RS256, testURL, "ghost-nonce", map[string]any{})
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: true})
|
|
if !errors.Is(err, ErrJWSBadNonce) {
|
|
t.Errorf("err = %v; want ErrJWSBadNonce", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_NonceReplay(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{},
|
|
Nonces: newStubNonces("n-replay"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithJWK(t, key, jose.RS256, testURL, "n-replay", map[string]any{})
|
|
if _, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: true}); err != nil {
|
|
t.Fatalf("first verify: %v", err)
|
|
}
|
|
// Replay — same JWS, second time.
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: true})
|
|
if !errors.Is(err, ErrJWSBadNonce) {
|
|
t.Errorf("err = %v; want ErrJWSBadNonce on replay", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_URLMismatch(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{},
|
|
Nonces: newStubNonces("n-url"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithJWK(t, key, jose.RS256, testURL, "n-url", map[string]any{})
|
|
// Hand the verifier a different URL than the one signed.
|
|
_, err := VerifyJWS(cfg, []byte(body), "https://server/acme/different", VerifyOptions{ExpectNewAccount: true})
|
|
if !errors.Is(err, ErrJWSURLMismatch) {
|
|
t.Errorf("err = %v; want ErrJWSURLMismatch", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_ExpectKidGotJWK(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{},
|
|
Nonces: newStubNonces("n-mix1"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithJWK(t, key, jose.RS256, testURL, "n-mix1", map[string]any{})
|
|
// New-account expects jwk; we set ExpectNewAccount=false so this
|
|
// flow demands kid.
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: false})
|
|
if !errors.Is(err, ErrJWSExpectKidGotJWK) {
|
|
t.Errorf("err = %v; want ErrJWSExpectKidGotJWK", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_ExpectJWKGotKid(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
jwk := &jose.JSONWebKey{Key: &key.PublicKey}
|
|
pem, _ := JWKToPEM(jwk)
|
|
thumb, _ := JWKThumbprint(jwk)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{byID: map[string]*domain.ACMEAccount{
|
|
"acme-acc-test123": {
|
|
AccountID: "acme-acc-test123", JWKPEM: pem, JWKThumbprint: thumb,
|
|
Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp",
|
|
},
|
|
}},
|
|
Nonces: newStubNonces("n-mix2"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithKID(t, key, jose.RS256, testKID, testURL, "n-mix2", map[string]any{})
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{ExpectNewAccount: true})
|
|
if !errors.Is(err, ErrJWSExpectJWKGotKid) {
|
|
t.Errorf("err = %v; want ErrJWSExpectJWKGotKid", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_AccountUnknown(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{},
|
|
Nonces: newStubNonces("n-acct"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithKID(t, key, jose.RS256, testKID, testURL, "n-acct", map[string]any{})
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{})
|
|
if !errors.Is(err, ErrJWSAccountNotFound) {
|
|
t.Errorf("err = %v; want ErrJWSAccountNotFound", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_AccountDeactivated(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
jwk := &jose.JSONWebKey{Key: &key.PublicKey}
|
|
pem, _ := JWKToPEM(jwk)
|
|
thumb, _ := JWKThumbprint(jwk)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{byID: map[string]*domain.ACMEAccount{
|
|
"acme-acc-test123": {
|
|
AccountID: "acme-acc-test123", JWKPEM: pem, JWKThumbprint: thumb,
|
|
Status: domain.ACMEAccountStatusDeactivated, // ← deactivated
|
|
ProfileID: "prof-corp",
|
|
},
|
|
}},
|
|
Nonces: newStubNonces("n-deact"),
|
|
AccountKID: testAccountKID,
|
|
}
|
|
body := signWithKID(t, key, jose.RS256, testKID, testURL, "n-deact", map[string]any{})
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{})
|
|
if !errors.Is(err, ErrJWSAccountInactive) {
|
|
t.Errorf("err = %v; want ErrJWSAccountInactive", err)
|
|
}
|
|
}
|
|
|
|
func TestVerifyJWS_Reject_KIDMismatchesProfile(t *testing.T) {
|
|
key := genRSAKey(t)
|
|
jwk := &jose.JSONWebKey{Key: &key.PublicKey}
|
|
pem, _ := JWKToPEM(jwk)
|
|
thumb, _ := JWKThumbprint(jwk)
|
|
cfg := VerifierConfig{
|
|
Accounts: &stubAccounts{byID: map[string]*domain.ACMEAccount{
|
|
"acme-acc-test123": {
|
|
AccountID: "acme-acc-test123", JWKPEM: pem, JWKThumbprint: thumb,
|
|
Status: domain.ACMEAccountStatusValid, ProfileID: "prof-corp",
|
|
},
|
|
}},
|
|
Nonces: newStubNonces("n-cross"),
|
|
// AccountKID expects prof-corp; the test JWS uses a kid that
|
|
// claims prof-corp BUT we're going to feed an off-canonical
|
|
// kid that doesn't match.
|
|
AccountKID: testAccountKID,
|
|
}
|
|
// Sign with a kid that points at a different host. The verifier's
|
|
// AccountKID round-trip-check should reject it.
|
|
wrongKID := "https://different-host/acme/profile/prof-corp/account/acme-acc-test123"
|
|
body := signWithKID(t, key, jose.RS256, wrongKID, testURL, "n-cross", map[string]any{})
|
|
_, err := VerifyJWS(cfg, []byte(body), testURL, VerifyOptions{})
|
|
if err == nil {
|
|
t.Fatal("expected error from kid round-trip mismatch")
|
|
}
|
|
if !errors.Is(err, ErrJWSMalformed) {
|
|
t.Errorf("err = %v; want ErrJWSMalformed (round-trip mismatch)", err)
|
|
}
|
|
}
|
|
|
|
// MapJWSErrorToProblem coverage check: every exported sentinel maps
|
|
// to a typed Problem (not the default malformed catch-all).
|
|
func TestMapJWSErrorToProblem_KnownSentinels(t *testing.T) {
|
|
cases := []struct {
|
|
err error
|
|
wantTyp string
|
|
}{
|
|
{ErrJWSBadNonce, "urn:ietf:params:acme:error:badNonce"},
|
|
{ErrJWSMissingNonce, "urn:ietf:params:acme:error:badNonce"},
|
|
{ErrJWSAccountNotFound, "urn:ietf:params:acme:error:accountDoesNotExist"},
|
|
{ErrJWSAccountInactive, "urn:ietf:params:acme:error:unauthorized"},
|
|
{ErrJWSURLMismatch, "urn:ietf:params:acme:error:unauthorized"},
|
|
{ErrJWSSignatureInvalid, "urn:ietf:params:acme:error:unauthorized"},
|
|
{ErrJWSAlgorithmRejected, "urn:ietf:params:acme:error:malformed"},
|
|
{ErrJWSExpectJWKGotKid, "urn:ietf:params:acme:error:malformed"},
|
|
{ErrJWSExpectKidGotJWK, "urn:ietf:params:acme:error:malformed"},
|
|
{ErrJWSBothKidAndJWK, "urn:ietf:params:acme:error:malformed"},
|
|
{ErrJWSNeitherKidNorJWK, "urn:ietf:params:acme:error:malformed"},
|
|
{ErrJWSInvalidJWK, "urn:ietf:params:acme:error:malformed"},
|
|
{ErrJWSWrongType, "urn:ietf:params:acme:error:malformed"},
|
|
{ErrJWSPayloadMismatch, "urn:ietf:params:acme:error:serverInternal"},
|
|
{ErrJWSMalformed, "urn:ietf:params:acme:error:malformed"},
|
|
}
|
|
for _, tc := range cases {
|
|
p := MapJWSErrorToProblem(tc.err)
|
|
if p.Type != tc.wantTyp {
|
|
t.Errorf("err=%v: type = %q, want %q", tc.err, p.Type, tc.wantTyp)
|
|
}
|
|
if p.Status == 0 {
|
|
t.Errorf("err=%v: status was 0", tc.err)
|
|
}
|
|
}
|
|
}
|