mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:31:36 +00:00
shankar0123
44a85d6f85
Layers JWS-authenticated POST machinery onto the Phase 1a foundation
(commit ec88a61). After this commit, an ACME client can run
POST /acme/profile/<id>/new-account
against certctl and successfully register an account. Account update
+ deactivation via POST /acme/profile/<id>/account/<acc-id> work.
Orders + challenges remain Phase 2 / 3.
Background:
Two prior dispatch attempts at the original Phase 1 ("skeleton +
directory + new-nonce + new-account" as a single commit) failed on
go-jose v4 API speculation (jws.GetPayload, sig.Algorithm,
jose.SHA256, etc. — none of those exist in v4). Splitting Phase 1
into 1a (foundation, no go-jose) and 1b (this commit, all go-jose
in one place) concentrated the JWS work where attention pays off.
The verifier reads the actual go-jose v4 surface — ParseSigned with
closed alg allow-list, Header struct fields (Algorithm, KeyID,
JSONWebKey, Nonce, ExtraHeaders[HeaderKey]), JWK.Thumbprint with
stdlib crypto.SHA256.
What ships:
- internal/api/acme/jws.go: 487-line verifier + sentinel error
family. Enforces RFC 8555 §6.2 + §6.4 + §6.5 invariants:
- alg in {RS256, ES256, EdDSA} (closed allow-list passed to
jose.ParseSigned — HS256 / none / etc. rejected at parse time)
- exactly one of `kid` / `jwk` in protected header (per
endpoint policy — new-account demands jwk, others demand kid)
- protected `url` matches request URL exactly
- protected `nonce` consumed against acme_nonces (badNonce on
miss/replay/expiry per RFC 8555 §6.5.1)
- kid round-trips against canonical AccountKID(accountID) URL
(catches cross-profile / cross-host replay)
- kid path: account exists + status=valid (deactivated /
revoked accounts cannot authenticate)
- signature verifies; post-Verify payload bytes equal
UnsafePayloadWithoutVerification (defense in depth)
+ JWK persistence helpers (JWKToPEM / ParseJWKFromPEM round-
trip a public-only JWK as a PEM-wrapped JSON envelope; stored
as TEXT in acme_accounts.jwk_pem for diff-friendliness) +
JWKThumbprint per RFC 7638.
- internal/api/acme/jws_test.go: 16 cases covering happy paths
(RS256 kid, ES256 jwk, EdDSA kid) + every named failure mode
(alg-not-allowed, bad-sig, missing-nonce, unknown-nonce,
replay, url-mismatch, mixed kid+jwk, deactivated-account,
cross-host kid). Uses real keypairs + real go-jose Signer to
build JWS objects.
- internal/api/acme/account.go: NewAccountRequest /
AccountUpdateRequest payload shapes (RFC 8555 §7.3 + §7.3.2 +
§7.3.6) + AccountResponseJSON wire shape + MarshalAccount
helper.
- internal/domain/acme.go: ACMEAccount struct + ACMEAccountStatus
closed enum (valid / deactivated / revoked).
- internal/repository/postgres/acme.go: full account CRUD path
(CreateAccountWithTx with 23505-unique-violation sentinel
translation, GetAccountByID, GetAccountByThumbprint,
UpdateAccountContactWithTx, UpdateAccountStatusWithTx) +
sql.ErrNoRows-wrapped repository.ErrNotFound on lookup misses.
- internal/service/acme.go: ACMERepo interface extended;
SetTransactor + SetAuditService wires; NewAccount (idempotent
re-registration per RFC 8555 §7.3.1 — same JWK returns existing
row without an update or new audit event); LookupAccount;
UpdateAccount; DeactivateAccount; VerifyJWS adapter that bridges
api/acme.VerifierConfig to the service-layer ACMERepo; per-op
metrics extended (new_account_total + _failures_total +
_idempotent_total + update_account_total + _failures_total +
deactivate_account_total).
- internal/service/acme_test.go: 8 new tests covering
new-account happy path / idempotent re-registration / only-
return-existing match + no-match / contact update / deactivate
/ lookup-not-found / requires-transactor.
- internal/api/handler/acme.go: NewAccount + Account handlers.
Account dispatches POST-as-GET (RFC 8555 §6.3 — empty body or
{} payload returns the account row), contact update, and
deactivation from the same endpoint. Defense-in-depth check
that the kid path-segment matches the URL path-segment (the
verifier already round-tripped the kid against canonical URL,
but the handler re-asserts to catch any future verifier
refactor).
- internal/api/handler/acme_handler_test.go: 7 new cases
covering happy-create, idempotent-200, only-return-existing-
no-match-400, malformed-JWS-400, kid-URL-mismatch-401,
deactivate, contact-update, POST-as-GET.
- internal/api/router/router.go: 4 new Register calls (per-
profile + shorthand for new-account and account/{acc_id}).
- internal/api/router/openapi_parity_test.go: SpecParityExceptions
extended with the 4 new routes (RFC 8555 wire-protocol surface,
not OpenAPI-shaped — same precedent as Phase 1a).
- cmd/server/main.go: SetTransactor + SetAuditService on
acmeService at startup so the WithinTx-based new-account /
update / deactivate paths run with the same transactor instance
shared across CertificateService / RevocationSvc / RenewalService.
- docs/acme-server.md: Phase status updated; endpoints table grows
new-account + account/<acc_id> rows; new "JWS verification
(Phase 1b)" section enumerates the 7 invariants the verifier
enforces; phases-cross-reference table marks 1b live.
- go.mod / go.sum: github.com/go-jose/go-jose/v4 v4.0.4 added.
Atomicity: every account-state mutation writes its acme_accounts row
+ its audit_events row inside one repository.Transactor.WithinTx
call — the canonical certctl atomicity contract (matches
CertificateService.Create at internal/service/certificate.go:131).
Idempotent re-registration explicitly does NOT write an audit row
(RFC 8555 §7.3.1 returns the existing row unmodified).
Tests: 16 jws_test.go cases + 11 service tests + 11 handler tests
all pass under -short. Bad-signature test uses a real registered
account whose stored JWK is a different keypair from the signer's,
so the JWS parses cleanly but jose.Verify rejects — exercises the
ErrJWSSignatureInvalid path directly.
Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1b".
413 lines
15 KiB
Go
413 lines
15 KiB
Go
// Copyright (c) certctl
|
|
// SPDX-License-Identifier: BSL-1.1
|
|
|
|
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"io"
|
|
"net/http"
|
|
|
|
jose "github.com/go-jose/go-jose/v4"
|
|
|
|
"github.com/shankar0123/certctl/internal/api/acme"
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
"github.com/shankar0123/certctl/internal/service"
|
|
)
|
|
|
|
// MaxJWSBodyBytes caps the per-request JWS payload at 64 KiB. RFC 8555
|
|
// payloads are tiny (a JWK is < 1 KiB; a CSR < 4 KiB), so anything
|
|
// larger is either malformed or hostile. The router-level body-limit
|
|
// middleware already caps requests at the server-wide
|
|
// CERTCTL_MAX_BODY_SIZE (default 1 MiB), but ACME-specifically we
|
|
// tighten further.
|
|
const MaxJWSBodyBytes = 64 * 1024
|
|
|
|
// ACMEService is the handler-facing surface for the ACME server. The
|
|
// service-layer concrete type is *service.ACMEService; the interface
|
|
// definition lives here to keep the handler import-direction
|
|
// canonical (handler imports service, not the reverse).
|
|
type ACMEService interface {
|
|
BuildDirectory(ctx context.Context, profileID, baseURL string) (*acme.Directory, error)
|
|
IssueNonce(ctx context.Context) (string, error)
|
|
// Phase 1b — JWS verification + account resource.
|
|
VerifyJWS(ctx context.Context, body []byte, requestURL string, expectNewAccount bool, accountKID func(accountID string) string) (*acme.VerifiedRequest, error)
|
|
NewAccount(ctx context.Context, profileID string, jwk *jose.JSONWebKey, contact []string, onlyReturnExisting bool, tosAgreed bool) (*domain.ACMEAccount, bool, error)
|
|
LookupAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error)
|
|
UpdateAccount(ctx context.Context, accountID string, contact []string) (*domain.ACMEAccount, error)
|
|
DeactivateAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error)
|
|
}
|
|
|
|
// ACMEHandler exposes the ACME server's RFC 8555 endpoints under the
|
|
// per-profile path /acme/profile/<id>/* and (optionally) the
|
|
// /acme/* shorthand when CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID is
|
|
// set. Phase 1a wires:
|
|
//
|
|
// - GET /acme/profile/{id}/directory
|
|
// - HEAD /acme/profile/{id}/new-nonce
|
|
// - GET /acme/profile/{id}/new-nonce
|
|
// - GET /acme/directory (shorthand)
|
|
// - HEAD /acme/new-nonce (shorthand)
|
|
// - GET /acme/new-nonce (shorthand)
|
|
//
|
|
// Phase 1b adds new-account + account/<id>; Phase 2 adds new-order +
|
|
// order/<id>(/finalize) + authz/<id> + cert/<id>; Phase 3 adds
|
|
// challenge/<id>; Phase 4 adds key-change + revoke-cert + renewal-info.
|
|
//
|
|
// Handler shape mirrors internal/api/handler/scep.go:73-91 (struct
|
|
// holding the service interface, factory function returning the
|
|
// struct value).
|
|
type ACMEHandler struct {
|
|
svc ACMEService
|
|
}
|
|
|
|
// NewACMEHandler constructs an ACMEHandler. Returns the value (not a
|
|
// pointer) — same convention as NewSCEPHandler at scep.go:89.
|
|
func NewACMEHandler(svc ACMEService) ACMEHandler {
|
|
return ACMEHandler{svc: svc}
|
|
}
|
|
|
|
// Directory handles GET requests to the directory URL. The Go 1.22+
|
|
// stdlib router parses the {id} path parameter via r.PathValue("id").
|
|
// When the path is /acme/directory (no profile in URL), PathValue
|
|
// returns ""; the service layer applies the
|
|
// CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID fallback (or returns
|
|
// userActionRequired if unset).
|
|
func (h ACMEHandler) Directory(w http.ResponseWriter, r *http.Request) {
|
|
profileID := r.PathValue("id")
|
|
baseURL := h.directoryBaseURL(r, profileID)
|
|
|
|
dir, err := h.svc.BuildDirectory(r.Context(), profileID, baseURL)
|
|
if err != nil {
|
|
writeServiceError(w, err)
|
|
return
|
|
}
|
|
|
|
// RFC 8555 §6.5: every successful response carries Replay-Nonce.
|
|
// The directory endpoint is not JWS-authenticated but ACME clients
|
|
// expect the header so they can use it on the very next POST.
|
|
if nonce, err := h.svc.IssueNonce(r.Context()); err == nil {
|
|
w.Header().Set("Replay-Nonce", nonce)
|
|
}
|
|
w.Header().Set("Cache-Control", "public, max-age=0, no-cache")
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(dir)
|
|
}
|
|
|
|
// NewNonce handles HEAD and GET on the new-nonce URL.
|
|
//
|
|
// RFC 8555 §7.2:
|
|
// - HEAD MUST return 200 with Replay-Nonce + zero-length body.
|
|
// - GET MUST return 204 No Content with Replay-Nonce + zero-length body.
|
|
//
|
|
// Both verbs MUST set Cache-Control: no-store so middleboxes don't
|
|
// inadvertently re-serve a stale nonce.
|
|
//
|
|
// We resolve the profile here (rather than passing it through the
|
|
// service) only to validate it exists — the nonce itself is global
|
|
// to the server (one acme_nonces table), but if the operator hits
|
|
// /acme/profile/<bogus>/new-nonce we return 404 so the path-shape
|
|
// failure is operator-visible.
|
|
func (h ACMEHandler) NewNonce(w http.ResponseWriter, r *http.Request) {
|
|
profileID := r.PathValue("id")
|
|
// Same profile-resolution path as Directory — go through
|
|
// BuildDirectory only to leverage its profile-not-found / user-
|
|
// action-required mapping. The directory document is not used.
|
|
baseURL := h.directoryBaseURL(r, profileID)
|
|
if _, err := h.svc.BuildDirectory(r.Context(), profileID, baseURL); err != nil {
|
|
writeServiceError(w, err)
|
|
return
|
|
}
|
|
|
|
nonce, err := h.svc.IssueNonce(r.Context())
|
|
if err != nil {
|
|
acme.WriteProblem(w, acme.ServerInternal("nonce issuance failed"))
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Replay-Nonce", nonce)
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
if r.Method == http.MethodHead {
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
// directoryBaseURL composes the per-profile base URL the directory's
|
|
// inner URLs are built against. The composition lives in the handler
|
|
// (NOT the service) because it depends on the inbound request's
|
|
// scheme + host + observed path; the service layer would need to
|
|
// import net/http to do this.
|
|
//
|
|
// For requests on /acme/profile/<id>/* we strip the trailing path
|
|
// element to produce the base. For shorthand /acme/* requests we
|
|
// strip the trailing element from /acme — the result is just the
|
|
// scheme://host/acme prefix, which the service then uses to build
|
|
// /acme/new-nonce, /acme/new-account, etc.
|
|
func (h ACMEHandler) directoryBaseURL(r *http.Request, profileID string) string {
|
|
scheme := "https"
|
|
if r.TLS == nil {
|
|
// HTTPS-only architecture decision (CLAUDE.md): the listener
|
|
// is TLS 1.3 pinned. r.TLS == nil only happens in tests with
|
|
// httptest.NewServer (non-TLS); honor http: for those.
|
|
scheme = "http"
|
|
}
|
|
if profileID != "" {
|
|
return scheme + "://" + r.Host + "/acme/profile/" + profileID
|
|
}
|
|
return scheme + "://" + r.Host + "/acme"
|
|
}
|
|
|
|
// writeServiceError maps service-layer sentinels to RFC 7807 + RFC
|
|
// 8555 §6.7 problem responses. Centralized so every handler method
|
|
// gets identical mapping; new sentinels extend the switch as later
|
|
// phases land.
|
|
func writeServiceError(w http.ResponseWriter, err error) {
|
|
switch {
|
|
case errors.Is(err, service.ErrACMEUserActionRequired):
|
|
acme.WriteProblem(w, acme.UserActionRequired(
|
|
"this server requires the per-profile path /acme/profile/<id>/* — "+
|
|
"set CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID for /acme/* shorthand"))
|
|
case errors.Is(err, service.ErrACMEProfileNotFound):
|
|
acme.WriteProblem(w, acme.Problem{
|
|
Type: "urn:ietf:params:acme:error:userActionRequired",
|
|
Detail: "profile not found",
|
|
Status: http.StatusNotFound,
|
|
})
|
|
case errors.Is(err, service.ErrACMEAccountNotFound):
|
|
acme.WriteProblem(w, acme.AccountDoesNotExist("account not found"))
|
|
case errors.Is(err, service.ErrACMEAccountDoesNotExist):
|
|
acme.WriteProblem(w, acme.AccountDoesNotExist(
|
|
"no account exists for this JWK; submit a new-account request without onlyReturnExisting"))
|
|
default:
|
|
// Avoid leaking internal error text per master-prompt
|
|
// criterion #10 (operator-actionable errors with no info
|
|
// leak). The detail is operator-facing but generic.
|
|
acme.WriteProblem(w, acme.ServerInternal("ACME server error"))
|
|
}
|
|
}
|
|
|
|
// NewAccount handles POST /acme/profile/{id}/new-account (RFC 8555
|
|
// §7.3). The request body is a JWS with `jwk` (NOT `kid`) in the
|
|
// protected header — the verifier enforces this via
|
|
// ExpectNewAccount=true.
|
|
//
|
|
// Behavior matrix:
|
|
// - JWK already registered + payload.OnlyReturnExisting=false →
|
|
// 200 + existing account row (idempotent re-registration per
|
|
// RFC 8555 §7.3.1).
|
|
// - JWK already registered + payload.OnlyReturnExisting=true →
|
|
// same 200 + existing row.
|
|
// - JWK new + OnlyReturnExisting=false → 201 + newly-created row.
|
|
// - JWK new + OnlyReturnExisting=true → 400 + accountDoesNotExist.
|
|
func (h ACMEHandler) NewAccount(w http.ResponseWriter, r *http.Request) {
|
|
profileID := r.PathValue("id")
|
|
requestURL := h.requestURL(r)
|
|
|
|
body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1))
|
|
if err != nil {
|
|
acme.WriteProblem(w, acme.Malformed("could not read request body"))
|
|
return
|
|
}
|
|
if len(body) > MaxJWSBodyBytes {
|
|
acme.WriteProblem(w, acme.Malformed("request body too large"))
|
|
return
|
|
}
|
|
|
|
verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, true /*expectNewAccount*/, h.accountKID(r, profileID))
|
|
if err != nil {
|
|
acme.WriteProblem(w, acme.MapJWSErrorToProblem(err))
|
|
return
|
|
}
|
|
|
|
var req acme.NewAccountRequest
|
|
if err := json.Unmarshal(verified.Payload, &req); err != nil {
|
|
acme.WriteProblem(w, acme.Malformed("could not parse new-account payload"))
|
|
return
|
|
}
|
|
|
|
acct, isNew, err := h.svc.NewAccount(
|
|
r.Context(), profileID, verified.JWK, req.Contact,
|
|
req.OnlyReturnExisting, req.TermsOfServiceAgreed,
|
|
)
|
|
if err != nil {
|
|
writeServiceError(w, err)
|
|
return
|
|
}
|
|
|
|
if nonce, err := h.svc.IssueNonce(r.Context()); err == nil {
|
|
w.Header().Set("Replay-Nonce", nonce)
|
|
}
|
|
w.Header().Set("Location", h.accountKID(r, profileID)(acct.AccountID))
|
|
w.Header().Set("Content-Type", "application/json")
|
|
if isNew {
|
|
w.WriteHeader(http.StatusCreated)
|
|
} else {
|
|
w.WriteHeader(http.StatusOK)
|
|
}
|
|
_ = json.NewEncoder(w).Encode(
|
|
acme.MarshalAccount(acct, h.accountOrdersURL(r, profileID, acct.AccountID)),
|
|
)
|
|
}
|
|
|
|
// Account handles POST /acme/profile/{id}/account/{acc-id} (RFC 8555
|
|
// §7.3.2 + §7.3.6 + POST-as-GET per §6.3). The verifier requires
|
|
// `kid` (NOT `jwk`); the kid path-segment must match the URL
|
|
// path-segment.
|
|
//
|
|
// Payload variants:
|
|
// - empty body or empty JSON {}: POST-as-GET; returns the account.
|
|
// - {"contact": [...]}: contact update (RFC 8555 §7.3.2).
|
|
// - {"status": "deactivated"}: deactivation (RFC 8555 §7.3.6).
|
|
//
|
|
// Mixing contact + status in one request is permitted; we apply
|
|
// status first (deactivation is the more conservative action).
|
|
func (h ACMEHandler) Account(w http.ResponseWriter, r *http.Request) {
|
|
profileID := r.PathValue("id")
|
|
urlAccountID := r.PathValue("acc_id")
|
|
requestURL := h.requestURL(r)
|
|
|
|
body, err := io.ReadAll(io.LimitReader(r.Body, MaxJWSBodyBytes+1))
|
|
if err != nil {
|
|
acme.WriteProblem(w, acme.Malformed("could not read request body"))
|
|
return
|
|
}
|
|
if len(body) > MaxJWSBodyBytes {
|
|
acme.WriteProblem(w, acme.Malformed("request body too large"))
|
|
return
|
|
}
|
|
|
|
verified, err := h.svc.VerifyJWS(r.Context(), body, requestURL, false /*expectNewAccount*/, h.accountKID(r, profileID))
|
|
if err != nil {
|
|
acme.WriteProblem(w, acme.MapJWSErrorToProblem(err))
|
|
return
|
|
}
|
|
|
|
// kid path-segment must equal URL path-segment (defense in depth —
|
|
// the verifier already round-tripped the kid against the canonical
|
|
// URL).
|
|
if verified.Account == nil || verified.Account.AccountID != urlAccountID {
|
|
acme.WriteProblem(w, acme.Problem{
|
|
Type: "urn:ietf:params:acme:error:unauthorized",
|
|
Detail: "kid does not match URL account id",
|
|
Status: http.StatusUnauthorized,
|
|
})
|
|
return
|
|
}
|
|
|
|
var (
|
|
updated *domain.ACMEAccount
|
|
readOnly bool
|
|
)
|
|
// Empty body or empty JSON object → POST-as-GET (§6.3).
|
|
trimmed := trimBody(verified.Payload)
|
|
if len(trimmed) == 0 || string(trimmed) == "{}" {
|
|
readOnly = true
|
|
updated = verified.Account
|
|
} else {
|
|
var req acme.AccountUpdateRequest
|
|
if err := json.Unmarshal(verified.Payload, &req); err != nil {
|
|
acme.WriteProblem(w, acme.Malformed("could not parse account update payload"))
|
|
return
|
|
}
|
|
// Status transition first (the more conservative action).
|
|
switch req.Status {
|
|
case "":
|
|
// no-op
|
|
case "deactivated":
|
|
acct, err := h.svc.DeactivateAccount(r.Context(), urlAccountID)
|
|
if err != nil {
|
|
writeServiceError(w, err)
|
|
return
|
|
}
|
|
updated = acct
|
|
default:
|
|
acme.WriteProblem(w, acme.Malformed(
|
|
"only `deactivated` is a valid status for account update; got "+req.Status))
|
|
return
|
|
}
|
|
// Contact update.
|
|
if req.Contact != nil {
|
|
acct, err := h.svc.UpdateAccount(r.Context(), urlAccountID, req.Contact)
|
|
if err != nil {
|
|
writeServiceError(w, err)
|
|
return
|
|
}
|
|
updated = acct
|
|
}
|
|
if updated == nil {
|
|
// Empty status + nil contact → no-op; treat as POST-as-GET.
|
|
updated = verified.Account
|
|
readOnly = true
|
|
}
|
|
}
|
|
|
|
if nonce, err := h.svc.IssueNonce(r.Context()); err == nil {
|
|
w.Header().Set("Replay-Nonce", nonce)
|
|
}
|
|
if readOnly {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
} else {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
_ = json.NewEncoder(w).Encode(
|
|
acme.MarshalAccount(updated, h.accountOrdersURL(r, profileID, updated.AccountID)),
|
|
)
|
|
}
|
|
|
|
// requestURL composes the full URL the JWS protected-header `url`
|
|
// MUST equal. Equivalent to scheme://host + r.URL.Path.
|
|
func (h ACMEHandler) requestURL(r *http.Request) string {
|
|
scheme := "https"
|
|
if r.TLS == nil {
|
|
scheme = "http"
|
|
}
|
|
return scheme + "://" + r.Host + r.URL.Path
|
|
}
|
|
|
|
// accountKID returns the closure VerifyJWS uses to round-trip-check
|
|
// inbound `kid` headers. Centralized so both NewAccount + Account
|
|
// build the same URL shape.
|
|
func (h ACMEHandler) accountKID(r *http.Request, profileID string) func(accountID string) string {
|
|
scheme := "https"
|
|
if r.TLS == nil {
|
|
scheme = "http"
|
|
}
|
|
prefix := scheme + "://" + r.Host
|
|
if profileID != "" {
|
|
prefix += "/acme/profile/" + profileID
|
|
} else {
|
|
prefix += "/acme"
|
|
}
|
|
return func(accountID string) string { return prefix + "/account/" + accountID }
|
|
}
|
|
|
|
// accountOrdersURL is the URL Phase 2 will serve account orders at.
|
|
// Phase 1b emits it in the account JSON for RFC 8555 §7.1.2.1
|
|
// compliance even though hitting it returns 404 until Phase 2.
|
|
func (h ACMEHandler) accountOrdersURL(r *http.Request, profileID, accountID string) string {
|
|
return h.accountKID(r, profileID)(accountID) + "/orders"
|
|
}
|
|
|
|
// trimBody is a minimal JSON-aware trim that returns a copy with
|
|
// outer whitespace removed. We don't need full JSON parsing here —
|
|
// just enough to detect empty body / empty object for POST-as-GET
|
|
// routing.
|
|
func trimBody(b []byte) []byte {
|
|
for len(b) > 0 && (b[0] == ' ' || b[0] == '\t' || b[0] == '\n' || b[0] == '\r') {
|
|
b = b[1:]
|
|
}
|
|
for len(b) > 0 {
|
|
c := b[len(b)-1]
|
|
if c != ' ' && c != '\t' && c != '\n' && c != '\r' {
|
|
break
|
|
}
|
|
b = b[:len(b)-1]
|
|
}
|
|
return b
|
|
}
|