metacrypt

mc/metacrypt

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Isom	7749c035ae	Add comprehensive ACME test suite (60 tests, 2100 lines) Test coverage for the entire ACME server implementation: - helpers_test.go: memBarrier, key generation, JWS/EAB signing, test fixtures - nonce_test.go: issue/consume lifecycle, reuse rejection, concurrency - jws_test.go: JWS parsing/verification (ES256, ES384, RS256), JWK parsing, RFC 7638 thumbprints, EAB HMAC verification, key authorization - eab_test.go: EAB credential CRUD, account/order listing - validate_test.go: HTTP-01 challenge validation with httptest servers, authorization/order state machine transitions - handlers_test.go: full ACME protocol flow via chi router — directory, nonce, account creation with EAB, order creation, authorization retrieval, challenge triggering, finalize (order-not-ready), cert retrieval/revocation, CSR identifier validation One production change: extract dnsResolver variable in validate.go for DNS-01 test injection (no behavior change). All 60 tests pass with -race. Full project vet and test clean. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-25 21:01:23 -07:00
Kyle Isom	d0b1875dbb	Fix all errcheck linter issues Co-authored-by: Junie <junie@jetbrains.com>	2026-03-15 10:36:35 -07:00
Kyle Isom	167db48eb4	Add ACME (RFC 8555) server and Go client library Implements full ACME protocol support in Metacrypt: - internal/acme: core types, JWS verification (ES256/384/512 + RS256), nonce store, per-mount handler, all RFC 8555 protocol endpoints, HTTP-01 and DNS-01 challenge validation, EAB management - internal/server/acme.go: management REST routes (EAB create, config, list accounts/orders) + ACME protocol route dispatch - proto/metacrypt/v1/acme.proto: ACMEService (CreateEAB, SetConfig, ListAccounts, ListOrders) — protocol endpoints are HTTP-only per RFC - clients/go: new Go module with MCIAS-auth bootstrap, ACME account registration, certificate issuance/renewal, HTTP-01 and DNS-01 challenge providers - .claude/launch.json: dev server configuration EAB is required for all account creation; MCIAS-authenticated users obtain a single-use KID + HMAC-SHA256 key via POST /v1/acme/{mount}/eab.	2026-03-15 08:09:12 -07:00

Author

SHA1

Message

Date

Kyle Isom

7749c035ae

Add comprehensive ACME test suite (60 tests, 2100 lines)

Test coverage for the entire ACME server implementation:

- helpers_test.go: memBarrier, key generation, JWS/EAB signing, test fixtures
- nonce_test.go: issue/consume lifecycle, reuse rejection, concurrency
- jws_test.go: JWS parsing/verification (ES256, ES384, RS256), JWK parsing,
  RFC 7638 thumbprints, EAB HMAC verification, key authorization
- eab_test.go: EAB credential CRUD, account/order listing
- validate_test.go: HTTP-01 challenge validation with httptest servers,
  authorization/order state machine transitions
- handlers_test.go: full ACME protocol flow via chi router — directory,
  nonce, account creation with EAB, order creation, authorization retrieval,
  challenge triggering, finalize (order-not-ready), cert retrieval/revocation,
  CSR identifier validation

One production change: extract dnsResolver variable in validate.go for
DNS-01 test injection (no behavior change).

All 60 tests pass with -race. Full project vet and test clean.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-25 21:01:23 -07:00

Kyle Isom

d0b1875dbb

Fix all errcheck linter issues

Co-authored-by: Junie <junie@jetbrains.com>

2026-03-15 10:36:35 -07:00

Kyle Isom

167db48eb4

Add ACME (RFC 8555) server and Go client library

Implements full ACME protocol support in Metacrypt:

- internal/acme: core types, JWS verification (ES256/384/512 + RS256),
  nonce store, per-mount handler, all RFC 8555 protocol endpoints,
  HTTP-01 and DNS-01 challenge validation, EAB management
- internal/server/acme.go: management REST routes (EAB create, config,
  list accounts/orders) + ACME protocol route dispatch
- proto/metacrypt/v1/acme.proto: ACMEService (CreateEAB, SetConfig,
  ListAccounts, ListOrders) — protocol endpoints are HTTP-only per RFC
- clients/go: new Go module with MCIAS-auth bootstrap, ACME account
  registration, certificate issuance/renewal, HTTP-01 and DNS-01
  challenge providers
- .claude/launch.json: dev server configuration

EAB is required for all account creation; MCIAS-authenticated users
obtain a single-use KID + HMAC-SHA256 key via POST /v1/acme/{mount}/eab.

2026-03-15 08:09:12 -07:00

3 Commits