BREAKING CHANGE(acme): Replace external acme-client with a built-in RFC8555-compliant ACME implementation and update public APIs accordingly

test/test.acme-challenge.ts

@@ -0,0 +1,64 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as crypto from 'node:crypto';
+import { AcmeCrypto } from '../ts/acme/acme.classes.crypto.js';
+import { AcmeChallengeManager } from '../ts/acme/acme.classes.challenge.js';
+
+// Create a shared key and fake httpClient for all tests
+let accountKeyPem: string;
+let challengeManager: AcmeChallengeManager;
+
+tap.test('setup: create key and challenge manager', async () => {
+  accountKeyPem = AcmeCrypto.createRsaPrivateKey();
+  // AcmeChallengeManager only needs httpClient for complete(), not for getKeyAuthorization()
+  // Pass null since we only test the sync crypto method
+  challengeManager = new AcmeChallengeManager(null as any, accountKeyPem);
+});
+
+// --- http-01 ---
+
+tap.test('http-01 returns token.thumbprint', async () => {
+  const challenge = { type: 'http-01', url: 'https://acme.example/chall/1', status: 'pending', token: 'test-token-abc' };
+  const result = challengeManager.getKeyAuthorization(challenge);
+
+  const jwk = AcmeCrypto.getJwk(accountKeyPem);
+  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+  expect(result).toEqual(`test-token-abc.${thumbprint}`);
+});
+
+// --- dns-01 ---
+
+tap.test('dns-01 returns base64url(sha256(token.thumbprint))', async () => {
+  const challenge = { type: 'dns-01', url: 'https://acme.example/chall/2', status: 'pending', token: 'dns-token-xyz' };
+  const result = challengeManager.getKeyAuthorization(challenge);
+
+  // Manual computation
+  const jwk = AcmeCrypto.getJwk(accountKeyPem);
+  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+  const keyAuth = `dns-token-xyz.${thumbprint}`;
+  const expected = crypto.createHash('sha256').update(keyAuth).digest().toString('base64url');
+  expect(result).toEqual(expected);
+});
+
+tap.test('dns-01 output is base64url (no +, /, =)', async () => {
+  const challenge = { type: 'dns-01', url: 'https://acme.example/chall/3', status: 'pending', token: 'another-token' };
+  const result = challengeManager.getKeyAuthorization(challenge);
+  expect(result).not.toInclude('+');
+  expect(result).not.toInclude('/');
+  expect(result).not.toInclude('=');
+});
+
+tap.test('http-01 and dns-01 differ for same token', async () => {
+  const token = 'shared-token-123';
+  const httpResult = challengeManager.getKeyAuthorization({ type: 'http-01', url: 'https://acme.example/c/1', status: 'pending', token });
+  const dnsResult = challengeManager.getKeyAuthorization({ type: 'dns-01', url: 'https://acme.example/c/2', status: 'pending', token });
+  expect(httpResult).not.toEqual(dnsResult);
+});
+
+tap.test('deterministic across calls', async () => {
+  const challenge = { type: 'http-01', url: 'https://acme.example/c/x', status: 'pending', token: 'stable-token' };
+  const r1 = challengeManager.getKeyAuthorization(challenge);
+  const r2 = challengeManager.getKeyAuthorization(challenge);
+  expect(r1).toEqual(r2);
+});
+
+export default tap.start();

test/test.acme-crypto.ts

@@ -0,0 +1,161 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import * as crypto from 'node:crypto';
+import { AcmeCrypto } from '../ts/acme/acme.classes.crypto.js';
+
+// --- createRsaPrivateKey ---
+
+tap.test('createRsaPrivateKey returns valid PEM', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  expect(pem).toStartWith('-----BEGIN PRIVATE KEY-----');
+  expect(pem).toInclude('-----END PRIVATE KEY-----');
+});
+
+tap.test('createRsaPrivateKey creates RSA key type', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const keyObj = crypto.createPrivateKey(pem);
+  expect(keyObj.asymmetricKeyType).toEqual('rsa');
+});
+
+tap.test('createRsaPrivateKey respects modulusLength', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey(4096);
+  const keyObj = crypto.createPrivateKey(pem);
+  expect(keyObj.asymmetricKeyDetails!.modulusLength).toEqual(4096);
+});
+
+// --- getJwk ---
+
+tap.test('getJwk returns sorted keys {e, kty, n}', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const keys = Object.keys(jwk);
+  expect(keys).toEqual(['e', 'kty', 'n']);
+  expect(jwk.kty).toEqual('RSA');
+  expect(typeof jwk.e).toEqual('string');
+  expect(typeof jwk.n).toEqual('string');
+});
+
+tap.test('getJwk is deterministic for same key', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk1 = AcmeCrypto.getJwk(pem);
+  const jwk2 = AcmeCrypto.getJwk(pem);
+  expect(JSON.stringify(jwk1)).toEqual(JSON.stringify(jwk2));
+});
+
+// --- getJwkThumbprint ---
+
+tap.test('getJwkThumbprint matches manual SHA-256 computation', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+
+  // Manual computation
+  const canonical = JSON.stringify({ e: jwk.e, kty: jwk.kty, n: jwk.n });
+  const expected = crypto.createHash('sha256').update(canonical).digest().toString('base64url');
+  expect(thumbprint).toEqual(expected);
+});
+
+tap.test('getJwkThumbprint is base64url format (no +, /, =)', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
+  expect(thumbprint).not.toInclude('+');
+  expect(thumbprint).not.toInclude('/');
+  expect(thumbprint).not.toInclude('=');
+});
+
+// --- createJws ---
+
+tap.test('createJws returns correct structure', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/new-acct', { foo: 'bar' }, {
+    nonce: 'test-nonce',
+    jwk,
+  });
+  expect(typeof jws.protected).toEqual('string');
+  expect(typeof jws.payload).toEqual('string');
+  expect(typeof jws.signature).toEqual('string');
+});
+
+tap.test('createJws protected header contains alg, nonce, url, jwk', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/new-acct', { foo: 'bar' }, {
+    nonce: 'test-nonce',
+    jwk,
+  });
+  const header = JSON.parse(Buffer.from(jws.protected, 'base64url').toString());
+  expect(header.alg).toEqual('RS256');
+  expect(header.nonce).toEqual('test-nonce');
+  expect(header.url).toEqual('https://acme.example/new-acct');
+  expect(header.jwk).toBeTruthy();
+  expect(header.kid).toBeFalsy();
+});
+
+tap.test('createJws uses kid when provided instead of jwk', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/order', { test: 1 }, {
+    nonce: 'nonce-2',
+    kid: 'https://acme.example/acct/1',
+  });
+  const header = JSON.parse(Buffer.from(jws.protected, 'base64url').toString());
+  expect(header.kid).toEqual('https://acme.example/acct/1');
+  expect(header.jwk).toBeFalsy();
+});
+
+tap.test('createJws POST-as-GET produces empty payload', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/order/1', null, {
+    nonce: 'nonce-3',
+    kid: 'https://acme.example/acct/1',
+  });
+  expect(jws.payload).toEqual('');
+});
+
+tap.test('createJws signature is verifiable', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const jwk = AcmeCrypto.getJwk(pem);
+  const jws = AcmeCrypto.createJws(pem, 'https://acme.example/test', { val: 1 }, {
+    nonce: 'nonce-v',
+    jwk,
+  });
+
+  const sigInput = `${jws.protected}.${jws.payload}`;
+  const pubKey = crypto.createPublicKey(pem);
+  const verified = crypto.verify(
+    'sha256',
+    Buffer.from(sigInput),
+    pubKey,
+    Buffer.from(jws.signature, 'base64url'),
+  );
+  expect(verified).toBeTrue();
+});
+
+// --- createCsr ---
+
+tap.test('createCsr returns [keyPem, csrPem] with valid PEM formats', async () => {
+  const [keyPem, csrPem] = await AcmeCrypto.createCsr({ commonName: 'example.com' });
+  expect(keyPem).toStartWith('-----BEGIN PRIVATE KEY-----');
+  expect(csrPem).toInclude('CERTIFICATE REQUEST');
+});
+
+tap.test('createCsr uses existing key when provided', async () => {
+  const existingKey = AcmeCrypto.createRsaPrivateKey();
+  const [keyPem, csrPem] = await AcmeCrypto.createCsr({ commonName: 'example.com' }, existingKey);
+  expect(keyPem).toEqual(existingKey);
+  expect(csrPem).toInclude('CERTIFICATE REQUEST');
+});
+
+// --- pemToBuffer ---
+
+tap.test('pemToBuffer strips headers and returns Buffer', async () => {
+  const pem = AcmeCrypto.createRsaPrivateKey();
+  const buf = AcmeCrypto.pemToBuffer(pem);
+  expect(buf).toBeInstanceOf(Buffer);
+  expect(buf.length).toBeGreaterThan(0);
+  // Verify it doesn't contain PEM header text
+  const str = buf.toString('utf-8');
+  expect(str).not.toInclude('-----BEGIN');
+});
+
+export default tap.start();

test/test.acme-error.ts

@@ -0,0 +1,103 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+import { AcmeError } from '../ts/acme/acme.classes.error.js';
+
+// --- Basic error properties ---
+
+tap.test('AcmeError extends Error', async () => {
+  const err = new AcmeError({ status: 400 });
+  expect(err).toBeInstanceOf(Error);
+  expect(err).toBeInstanceOf(AcmeError);
+});
+
+tap.test('AcmeError has correct name', async () => {
+  const err = new AcmeError({ status: 400 });
+  expect(err.name).toEqual('AcmeError');
+});
+
+tap.test('message includes type, status, url, and detail', async () => {
+  const err = new AcmeError({
+    status: 403,
+    type: 'urn:ietf:params:acme:error:unauthorized',
+    detail: 'Account is deactivated',
+    url: 'https://acme.example/order/1',
+  });
+  expect(err.message).toInclude('403');
+  expect(err.message).toInclude('urn:ietf:params:acme:error:unauthorized');
+  expect(err.message).toInclude('https://acme.example/order/1');
+  expect(err.message).toInclude('Account is deactivated');
+});
+
+tap.test('preserves all properties including subproblems', async () => {
+  const subproblems = [
+    { type: 'urn:ietf:params:acme:error:caa', detail: 'CAA record prevents issuance', identifier: { type: 'dns', value: 'example.com' } },
+  ];
+  const err = new AcmeError({
+    status: 403,
+    type: 'urn:ietf:params:acme:error:unauthorized',
+    detail: 'Forbidden',
+    subproblems,
+    url: 'https://acme.example/chall/1',
+    retryAfter: 30,
+  });
+  expect(err.status).toEqual(403);
+  expect(err.type).toEqual('urn:ietf:params:acme:error:unauthorized');
+  expect(err.detail).toEqual('Forbidden');
+  expect(err.subproblems.length).toEqual(1);
+  expect(err.subproblems[0].type).toEqual('urn:ietf:params:acme:error:caa');
+  expect(err.url).toEqual('https://acme.example/chall/1');
+  expect(err.retryAfter).toEqual(30);
+});
+
+tap.test('default values for optional fields', async () => {
+  const err = new AcmeError({ status: 500 });
+  expect(err.type).toEqual('');
+  expect(err.detail).toEqual('');
+  expect(err.subproblems).toEqual([]);
+  expect(err.url).toEqual('');
+  expect(err.retryAfter).toEqual(0);
+});
+
+// --- isRateLimited ---
+
+tap.test('isRateLimited is true for status 429', async () => {
+  const err = new AcmeError({ status: 429 });
+  expect(err.isRateLimited).toBeTrue();
+});
+
+tap.test('isRateLimited is true for rateLimited type URN', async () => {
+  const err = new AcmeError({
+    status: 403,
+    type: 'urn:ietf:params:acme:error:rateLimited',
+  });
+  expect(err.isRateLimited).toBeTrue();
+});
+
+tap.test('isRateLimited is false for regular 400', async () => {
+  const err = new AcmeError({ status: 400, type: 'urn:ietf:params:acme:error:malformed' });
+  expect(err.isRateLimited).toBeFalse();
+});
+
+// --- isRetryable ---
+
+tap.test('isRetryable is true for 429', async () => {
+  const err = new AcmeError({ status: 429 });
+  expect(err.isRetryable).toBeTrue();
+});
+
+tap.test('isRetryable is true for 503 and 500', async () => {
+  expect(new AcmeError({ status: 503 }).isRetryable).toBeTrue();
+  expect(new AcmeError({ status: 500 }).isRetryable).toBeTrue();
+});
+
+tap.test('isRetryable is true for badNonce type', async () => {
+  const err = new AcmeError({ status: 400, type: 'urn:ietf:params:acme:error:badNonce' });
+  expect(err.isRetryable).toBeTrue();
+});
+
+tap.test('isRetryable is false for 403, 404, 409', async () => {
+  expect(new AcmeError({ status: 403 }).isRetryable).toBeFalse();
+  expect(new AcmeError({ status: 404 }).isRetryable).toBeFalse();
+  expect(new AcmeError({ status: 409 }).isRetryable).toBeFalse();
+});
+
+export default tap.start();

test/test.certmatcher.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartacmeCertMatcher } from '../ts/smartacme.classes.certmatcher.js';
 
 tap.test('should match 2-level domain', async () => {

test/test.handlers-dns01.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { Dns01Handler } from '../ts/handlers/Dns01Handler.js';
 
 tap.test('Dns01Handler prepare and cleanup calls Cloudflare and DNS functions', async () => {

test/test.handlers-http01-memory.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { Http01MemoryHandler } from '../ts/handlers/Http01MemoryHandler.js';
 
 tap.test('Http01MemoryHandler serves in-memory challenges and cleans up', async () => {

test/test.handlers-http01.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { Http01Webroot } from '../ts/handlers/Http01Handler.js';
 import { promises as fs } from 'fs';
 import * as path from 'path';

test/test.http01-only.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartAcme, certmanagers } from '../ts/index.js';
 import { Http01MemoryHandler } from '../ts/handlers/Http01MemoryHandler.js';
 
@@ -9,23 +9,25 @@ tap.test('HTTP-01 only configuration should work for regular domains', async ()
   // Stub the domain support check to always return true for testing
   memHandler.checkWetherDomainIsSupported = async () => true;
   
+  const certManager = new certmanagers.MemoryCertManager();
   const smartAcmeInstance = new SmartAcme({
     accountEmail: 'test@example.com',
-    certManager: new certmanagers.MemoryCertManager(),
+    certManager,
     environment: 'integration',
     retryOptions: {},
     challengeHandlers: [memHandler],
     challengePriority: ['http-01'],
   });
-  
+
   // Stub the start method to avoid actual ACME connections
   smartAcmeInstance.start = async () => {
+    smartAcmeInstance.certmanager = certManager;
     smartAcmeInstance.certmatcher = {
       getCertificateDomainNameByDomainName: (domain: string) => domain.replace('*.', '')
     } as any;
     smartAcmeInstance.interestMap = {
       checkInterest: async () => false,
-      addInterest: async () => ({ interestFullfilled: new Promise(() => {}) } as any)
+      addInterest: async () => ({ interestFullfilled: new Promise(() => {}), fullfillInterest: () => {}, destroy: () => {} } as any)
     } as any;
     await smartAcmeInstance.certmanager.init();
   };
@@ -65,23 +67,25 @@ tap.test('should only include wildcard when explicitly requested with DNS-01', a
     checkWetherDomainIsSupported: async () => true,
   };
   
+  const certManager2 = new certmanagers.MemoryCertManager();
   const smartAcmeInstance = new SmartAcme({
     accountEmail: 'test@example.com',
-    certManager: new certmanagers.MemoryCertManager(),
+    certManager: certManager2,
     environment: 'integration',
     retryOptions: {},
     challengeHandlers: [dnsHandler],
     challengePriority: ['dns-01'],
   });
-  
+
   // Stub the start method to avoid actual ACME connections
   smartAcmeInstance.start = async () => {
+    smartAcmeInstance.certmanager = certManager2;
     smartAcmeInstance.certmatcher = {
       getCertificateDomainNameByDomainName: (domain: string) => domain.replace('*.', '')
     } as any;
     smartAcmeInstance.interestMap = {
       checkInterest: async () => false,
-      addInterest: async () => ({ interestFullfilled: new Promise(() => {}) } as any)
+      addInterest: async () => ({ interestFullfilled: new Promise(() => {}), fullfillInterest: () => {}, destroy: () => {} } as any)
     } as any;
     await smartAcmeInstance.certmanager.init();
   };
@@ -116,23 +120,25 @@ tap.test('should skip wildcard if requested but no DNS-01 handler available', as
   const httpHandler = new Http01MemoryHandler();
   httpHandler.checkWetherDomainIsSupported = async () => true;
   
+  const certManager3 = new certmanagers.MemoryCertManager();
   const smartAcmeInstance = new SmartAcme({
     accountEmail: 'test@example.com',
-    certManager: new certmanagers.MemoryCertManager(),
+    certManager: certManager3,
     environment: 'integration',
     retryOptions: {},
     challengeHandlers: [httpHandler],
     challengePriority: ['http-01'],
   });
-  
+
   // Stub the start method to avoid actual ACME connections
   smartAcmeInstance.start = async () => {
+    smartAcmeInstance.certmanager = certManager3;
     smartAcmeInstance.certmatcher = {
       getCertificateDomainNameByDomainName: (domain: string) => domain.replace('*.', '')
     } as any;
     smartAcmeInstance.interestMap = {
       checkInterest: async () => false,
-      addInterest: async () => ({ interestFullfilled: new Promise(() => {}) } as any)
+      addInterest: async () => ({ interestFullfilled: new Promise(() => {}), fullfillInterest: () => {}, destroy: () => {} } as any)
     } as any;
     await smartAcmeInstance.certmanager.init();
   };

test/test.smartacme.integration.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { Qenv } from '@push.rocks/qenv';
 import * as cloudflare from '@apiclient.xyz/cloudflare';
 import { SmartAcme, certmanagers } from '../ts/index.js';
@@ -35,10 +35,9 @@ tap.test('should wipe the certmanager for this test', async () => {
   await smartAcmeInstance.certmanager.wipe();
 });
 
-tap.test('get a domain certificate via DNS-01 challenge', async () => {
-  // Replace 'bleu.de' with your test domain if different
+tap.test('get a domain certificate covering bleu.de and *.bleu.de via DNS-01 challenge', async () => {
   const domain = 'bleu.de';
-  const cert = await smartAcmeInstance.getCertificateForDomain(domain);
+  const cert = await smartAcmeInstance.getCertificateForDomain(domain, { includeWildcard: true });
   expect(cert).toHaveProperty('domainName');
   expect(cert.domainName).toEqual(domain);
   expect(cert).toHaveProperty('publicKey');

test/test.smartacme.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartAcme, certmanagers } from '../ts/index.js';
 import { Cert } from '../ts/index.js';
 import type { IChallengeHandler } from '../ts/handlers/IChallengeHandler.js';

test/test.wildcard-options.ts

@@ -1,4 +1,4 @@
-import { tap, expect } from '@push.rocks/tapbundle';
+import { tap, expect } from '@git.zone/tstest/tapbundle';
 import { SmartAcme, certmanagers } from '../ts/index.js';
 import { SmartacmeCert as Cert } from '../ts/smartacme.classes.cert.js';