mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:01:30 +00:00
shankar0123
c351bba41a
Closes the issuance loop in trust_authenticated mode (commitsec88a61+44a85d6wired the foundation + JWS-verified account resource). After this commit, an ACME client running against a profile with acme_auth_mode='trust_authenticated' end-to-end-issues a real cert: POST /acme/profile/<id>/new-order → 201 + order URL (status=ready) POST /acme/profile/<id>/order/<oid> → POST-as-GET fetch POST /acme/profile/<id>/order/<oid>/finalize → 200 + status=valid + cert URL POST /acme/profile/<id>/cert/<cid> → 200 + PEM chain Profiles with acme_auth_mode='challenge' get the same code path with authz/challenge rows in `pending` state until Phase 3's validators wire up. The mode is read from the bound profile's column at request time, NOT cached at server start — operators flipping the column via SQL take effect on the next order without restart. Architecture (the load-bearing part): - Finalize routes through service.CertificateService.Create — the canonical certctl issuance entry point that wraps the managed_certificates row insert + audit row in s.tx.WithinTx. RenewalPolicy / CertificateProfile / per-issuer-type Prometheus metrics / audit rows all apply uniformly to ACME-issued certs via the same code path that already serves EST/SCEP/agent/REST issuance. - Identifier validation runs BEFORE order creation. Rejected identifiers return RFC 7807 with per-identifier subproblems and create no order row. - Source stamp on managed_certificates: domain.CertificateSourceACME. Operators bulk-revoke ACME-issued certs by filtering on Source=ACME. - 3-step atomicity boundary documented in code + this commit msg: (A) WithinTx-A marks order processing + audit row. (B) IssuerConnector.IssueCertificate + CertificateService.Create (each in its own WithinTx — Create wraps cert row + audit atomically). (C) WithinTx-C creates certificate_versions row + transitions order to valid + sets certificate_id + audit row. The brief window between B and C can leave a managed_certificates row whose order is still in `processing`. Phase 5's GC scheduler reconciles. Documented inline. What ships: - internal/api/acme/order.go: OrderResponseJSON + AuthorizationResponseJSON + ChallengeResponseJSON + NewOrderRequest + FinalizeRequest wire shapes; ValidateIdentifiers (Phase 2 syntactic checks, dns-only); CSRMatchesIdentifiers (RFC 8555 §7.4 strict equality, case-folded). - internal/domain/acme.go: ACMEOrder + ACMEAuthorization + ACMEChallenge + ACMEIdentifier + ACMEProblem domain types + closed status enums for each (order: pending|ready|processing|valid|invalid; authz: pending|valid|invalid|deactivated|expired|revoked; challenge: pending|processing|valid|invalid; challenge type: http-01|dns-01| tls-alpn-01). - internal/domain/profile.go: new ACMEAuthMode field reading from certificate_profiles.acme_auth_mode (added in migration 25). - internal/domain/certificate.go: new CertificateSourceACME enum value. - internal/repository/postgres/profile.go: extended SELECT/scanProfile to read the per-profile acme_auth_mode column with a COALESCE default of trust_authenticated. - internal/repository/postgres/acme.go: full order/authz/challenge CRUD (CreateOrderWithTx + GetOrderByID + UpdateOrderWithTx + CreateAuthzWithTx + GetAuthzByID + ListAuthzsByOrder + ListChallengesByAuthz + CreateChallengeWithTx) with proper sql.NullTime + JSONB handling. scanACMEOrder / scanACMEAuthz / scanACMEChallenge helpers. - internal/service/acme.go: extended ACMERepo interface; new SetIssuancePipeline wires certificateService + certificateRepo + issuerRegistry. CreateOrder (auth-mode-dispatched: trust_authenticated auto-marks order ready + authz valid + 1 placeholder http-01 challenge valid; challenge mode keeps everything pending). LookupOrder (with account-ownership assertion). LookupAuthz. ListAuthzsByOrder. FinalizeOrder (3-step atomicity boundary as above; CSR-vs-order SAN strict-equality check before issuance; persists FinalizeOrderResult {Order, CertID}). LookupCertificate. randIDSuffix + base32encode helpers for the human-readable acme-ord-* / acme-authz-* / acme-chall-* prefixes (CLAUDE.md "TEXT primary keys with human- readable prefixes" architecture decision). 8 new per-op metrics. - internal/service/acme_test.go: extended fakeACMERepo with Phase 2 interface stubs; new orderTrackingRepo for observable persistence; 2 new tests asserting trust_authenticated → auto-ready/valid and challenge → stays-pending. - internal/api/handler/acme.go: NewOrder + Order + OrderFinalize + Authz + Cert handler methods. orderURL / authzURL / certURL / challengeURLBuilder helpers; marshalOrderForResponse fetches per-order authzs to populate the URL list. parseOptionalTime for notBefore / notAfter. - internal/api/handler/acme_handler_test.go: extended mockACMEService with Phase 2 method stubs; 4 new handler tests (NewOrder happy + rejected-identifier + OrderFinalize bad-CSR + Cert happy). - internal/api/router/router.go: 10 new Register calls (5 per-profile + 5 shorthand) for new-order, order/{ord_id}, order/{ord_id}/finalize, authz/{authz_id}, cert/{cert_id}. - internal/api/router/openapi_parity_test.go + api/openapi-handler-exceptions.yaml: 10 new exception entries. - cmd/server/main.go: SetIssuancePipeline at startup, threading certificateService + certificateRepo + issuerRegistry into ACMEService. - docs/acme-server.md: phase status updated; endpoints table grows 5 rows for new-order/order/finalize/authz/cert (per-profile + shorthand variants); new section "Finalize routing through CertificateService.Create" documenting the 3-step atomicity boundary + the actor-string convention `acme:<account-id>`. Tests: ACME package + service + handler + router + config + domain all green under -short. New cases: - TestCreateOrder_TrustAuthenticated_AutoReady (asserts auto-ready transition + valid-status authz/challenge + audit row + metric bump). - TestCreateOrder_ChallengeMode_StaysPending (asserts pending-status cascading authz/challenge for challenge mode). - TestACMEHandler_NewOrder_HappyPath (asserts 201 + Location + finalize URL shape). - TestACMEHandler_NewOrder_RejectedIdentifier (asserts 400 + RFC 7807 rejectedIdentifier + per-identifier subproblems for type=ip). - TestACMEHandler_OrderFinalize_BadCSR (asserts 400 + badCSR for non-base64 CSR field). - TestACMEHandler_Cert_HappyPath (asserts 200 + PEM content-type + PEM chain in body). Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-2".
253 lines
8.9 KiB
Go
253 lines
8.9 KiB
Go
// Copyright (c) certctl
|
|
// SPDX-License-Identifier: BSL-1.1
|
|
|
|
package acme
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"errors"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
)
|
|
|
|
// OrderResponseJSON is the wire shape RFC 8555 §7.1.3 mandates for the
|
|
// new-order response + the per-order POST-as-GET response.
|
|
//
|
|
// Each URL field is the per-profile path the handler computes from the
|
|
// inbound request; service-layer code does not see *http.Request, so
|
|
// the handler does the URL composition.
|
|
type OrderResponseJSON struct {
|
|
Status string `json:"status"`
|
|
Expires string `json:"expires,omitempty"`
|
|
NotBefore string `json:"notBefore,omitempty"`
|
|
NotAfter string `json:"notAfter,omitempty"`
|
|
Identifiers []IdentifierJSON `json:"identifiers"`
|
|
Authorizations []string `json:"authorizations"`
|
|
Finalize string `json:"finalize"`
|
|
Certificate string `json:"certificate,omitempty"`
|
|
Error *Problem `json:"error,omitempty"`
|
|
}
|
|
|
|
// IdentifierJSON is the wire shape for an identifier (RFC 8555 §9.7.7).
|
|
// Wire field names differ from the domain struct's JSON tags only on
|
|
// case, so we keep separate types to keep the protocol surface clean.
|
|
type IdentifierJSON struct {
|
|
Type string `json:"type"`
|
|
Value string `json:"value"`
|
|
}
|
|
|
|
// MarshalOrder renders an ACMEOrder in RFC 8555 §7.1.3 wire shape.
|
|
//
|
|
// authzURLs / finalizeURL / certURL are computed by the handler from
|
|
// the inbound request (scheme + host + per-profile path). Phase 2:
|
|
// authzURLs has one entry per identifier; finalizeURL is the order's
|
|
// finalize endpoint; certURL is populated only when status=valid.
|
|
func MarshalOrder(order *domain.ACMEOrder, authzURLs []string, finalizeURL, certURL string) OrderResponseJSON {
|
|
out := OrderResponseJSON{
|
|
Status: string(order.Status),
|
|
Expires: order.ExpiresAt.UTC().Format(time.RFC3339),
|
|
Identifiers: make([]IdentifierJSON, 0, len(order.Identifiers)),
|
|
Authorizations: authzURLs,
|
|
Finalize: finalizeURL,
|
|
}
|
|
if order.NotBefore != nil {
|
|
out.NotBefore = order.NotBefore.UTC().Format(time.RFC3339)
|
|
}
|
|
if order.NotAfter != nil {
|
|
out.NotAfter = order.NotAfter.UTC().Format(time.RFC3339)
|
|
}
|
|
for _, id := range order.Identifiers {
|
|
out.Identifiers = append(out.Identifiers, IdentifierJSON{Type: id.Type, Value: id.Value})
|
|
}
|
|
if certURL != "" && order.Status == domain.ACMEOrderStatusValid {
|
|
out.Certificate = certURL
|
|
}
|
|
if order.Error != nil {
|
|
out.Error = &Problem{
|
|
Type: order.Error.Type,
|
|
Detail: order.Error.Detail,
|
|
Status: order.Error.Status,
|
|
}
|
|
}
|
|
return out
|
|
}
|
|
|
|
// NewOrderRequest is the payload shape RFC 8555 §7.4 mandates for a
|
|
// new-order POST. The handler json.Unmarshals VerifiedRequest.Payload
|
|
// into this struct after JWS verify succeeds.
|
|
type NewOrderRequest struct {
|
|
Identifiers []IdentifierJSON `json:"identifiers"`
|
|
NotBefore string `json:"notBefore,omitempty"`
|
|
NotAfter string `json:"notAfter,omitempty"`
|
|
}
|
|
|
|
// FinalizeRequest is the payload shape RFC 8555 §7.4 mandates for the
|
|
// finalize POST. csr is the base64url-encoded DER of a PKCS#10 CSR.
|
|
type FinalizeRequest struct {
|
|
CSR string `json:"csr"`
|
|
}
|
|
|
|
// AuthorizationResponseJSON is the wire shape RFC 8555 §7.1.4 mandates
|
|
// for the authz GET (POST-as-GET) response.
|
|
type AuthorizationResponseJSON struct {
|
|
Identifier IdentifierJSON `json:"identifier"`
|
|
Status string `json:"status"`
|
|
Expires string `json:"expires,omitempty"`
|
|
Wildcard bool `json:"wildcard,omitempty"`
|
|
Challenges []ChallengeResponseJSON `json:"challenges"`
|
|
}
|
|
|
|
// ChallengeResponseJSON is the wire shape RFC 8555 §8 mandates for a
|
|
// challenge object (embedded in authz, or returned by POST to a
|
|
// challenge URL).
|
|
type ChallengeResponseJSON struct {
|
|
Type string `json:"type"`
|
|
URL string `json:"url"`
|
|
Status string `json:"status"`
|
|
Token string `json:"token"`
|
|
Validated string `json:"validated,omitempty"`
|
|
Error *Problem `json:"error,omitempty"`
|
|
}
|
|
|
|
// MarshalAuthorization renders an ACMEAuthorization in RFC 8555 wire shape.
|
|
// challengeURLBuilder maps each challenge ID to its per-profile URL
|
|
// (handler-computed); identifiers stay as-is.
|
|
func MarshalAuthorization(authz *domain.ACMEAuthorization, challengeURLBuilder func(challengeID string) string) AuthorizationResponseJSON {
|
|
out := AuthorizationResponseJSON{
|
|
Identifier: IdentifierJSON{Type: authz.Identifier.Type, Value: authz.Identifier.Value},
|
|
Status: string(authz.Status),
|
|
Expires: authz.ExpiresAt.UTC().Format(time.RFC3339),
|
|
Wildcard: authz.Wildcard,
|
|
Challenges: make([]ChallengeResponseJSON, 0, len(authz.Challenges)),
|
|
}
|
|
for i := range authz.Challenges {
|
|
ch := &authz.Challenges[i]
|
|
j := ChallengeResponseJSON{
|
|
Type: string(ch.Type),
|
|
URL: challengeURLBuilder(ch.ChallengeID),
|
|
Status: string(ch.Status),
|
|
Token: ch.Token,
|
|
}
|
|
if ch.ValidatedAt != nil {
|
|
j.Validated = ch.ValidatedAt.UTC().Format(time.RFC3339)
|
|
}
|
|
if ch.Error != nil {
|
|
j.Error = &Problem{Type: ch.Error.Type, Detail: ch.Error.Detail, Status: ch.Error.Status}
|
|
}
|
|
out.Challenges = append(out.Challenges, j)
|
|
}
|
|
return out
|
|
}
|
|
|
|
// ErrIdentifierTypeUnsupported is returned when ValidateIdentifiers
|
|
// encounters a non-DNS identifier type. RFC 8555 §9.7.7 reserves
|
|
// `type` for future expansion; Phase 2 supports `dns` only.
|
|
var ErrIdentifierTypeUnsupported = errors.New("acme: identifier type not supported (Phase 2: dns only)")
|
|
|
|
// ErrIdentifierEmpty is returned for an identifier with an empty
|
|
// value; the spec requires non-empty strings.
|
|
var ErrIdentifierEmpty = errors.New("acme: identifier value is empty")
|
|
|
|
// ValidateIdentifiers checks the structural invariants RFC 8555 §7.4
|
|
// requires (non-empty value, supported type) and returns per-identifier
|
|
// rejected entries on failure. Per-profile-policy rejection (SAN
|
|
// allowlist, lifetime cap) is the service layer's job; this function
|
|
// is the syntactic check only.
|
|
//
|
|
// Returns nil + nil ids on full acceptance. On rejection, returns the
|
|
// list of rejected identifiers with their reason as RFC 8555 §6.7
|
|
// subproblems (rejectedIdentifier).
|
|
func ValidateIdentifiers(ids []IdentifierJSON) []Problem {
|
|
if len(ids) == 0 {
|
|
return []Problem{Malformed("new-order requires at least one identifier")}
|
|
}
|
|
var problems []Problem
|
|
for _, id := range ids {
|
|
switch strings.ToLower(id.Type) {
|
|
case "dns":
|
|
if id.Value == "" {
|
|
problems = append(problems, Problem{
|
|
Type: "urn:ietf:params:acme:error:rejectedIdentifier",
|
|
Detail: "identifier value is empty",
|
|
Status: 400,
|
|
Identifier: &Identifier{Type: id.Type, Value: id.Value},
|
|
})
|
|
}
|
|
default:
|
|
problems = append(problems, Problem{
|
|
Type: "urn:ietf:params:acme:error:rejectedIdentifier",
|
|
Detail: fmt.Sprintf("identifier type %q is not supported (Phase 2: dns only)", id.Type),
|
|
Status: 400,
|
|
Identifier: &Identifier{Type: id.Type, Value: id.Value},
|
|
})
|
|
}
|
|
}
|
|
return problems
|
|
}
|
|
|
|
// CSRMatchesIdentifiers asserts the CSR's DNS-name set (Subject CN +
|
|
// Subject Alternative Names) equals the order's identifier set,
|
|
// case-folded for DNS comparison.
|
|
//
|
|
// RFC 8555 §7.4 finalize: "The CSR MUST indicate the exact same set of
|
|
// requested identifiers as the initial newOrder request." Case-fold
|
|
// the comparison so a CSR with `Example.com` matches an order with
|
|
// `example.com` (DNS is case-insensitive per RFC 1035 §2.3.3).
|
|
//
|
|
// Returns nil on match. On mismatch, returns a Problem typed as
|
|
// urn:ietf:params:acme:error:badCSR.
|
|
func CSRMatchesIdentifiers(csr *x509.CertificateRequest, identifiers []domain.ACMEIdentifier) *Problem {
|
|
csrSet := make(map[string]struct{})
|
|
if csr.Subject.CommonName != "" {
|
|
csrSet[strings.ToLower(csr.Subject.CommonName)] = struct{}{}
|
|
}
|
|
for _, dns := range csr.DNSNames {
|
|
csrSet[strings.ToLower(dns)] = struct{}{}
|
|
}
|
|
|
|
orderSet := make(map[string]struct{})
|
|
for _, id := range identifiers {
|
|
if id.Type != "dns" {
|
|
continue
|
|
}
|
|
orderSet[strings.ToLower(id.Value)] = struct{}{}
|
|
}
|
|
|
|
if len(csrSet) != len(orderSet) {
|
|
p := Problem{
|
|
Type: "urn:ietf:params:acme:error:badCSR",
|
|
Detail: fmt.Sprintf("CSR identifier count (%d) differs from order identifier count (%d)", len(csrSet), len(orderSet)),
|
|
Status: 400,
|
|
}
|
|
return &p
|
|
}
|
|
for k := range orderSet {
|
|
if _, ok := csrSet[k]; !ok {
|
|
p := Problem{
|
|
Type: "urn:ietf:params:acme:error:badCSR",
|
|
Detail: fmt.Sprintf("CSR is missing the order identifier %q", k),
|
|
Status: 400,
|
|
}
|
|
return &p
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// HasWildcard returns true when any identifier is a wildcard. RFC 8555
|
|
// §7.1.3 marks the order's authz wildcard:true when the corresponding
|
|
// identifier starts with "*."; Phase 2 supports the trust_authenticated
|
|
// path (which auto-marks authz valid), so wildcard-aware challenge
|
|
// dispatch is Phase 3's concern.
|
|
func HasWildcard(ids []domain.ACMEIdentifier) bool {
|
|
for _, id := range ids {
|
|
if strings.HasPrefix(id.Value, "*.") {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|