push.rocks/smartacme
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BREAKING CHANGE(acme): Replace external acme-client with a built-in RFC8555-compliant ACME implementation and update public APIs accordingly

Browse Source
This commit is contained in:
Jürgen Kunz
2026-02-15 20:20:46 +00:00
parent 3fa34fa373
commit cf4b758800
31 changed files with 4717 additions and 3530 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
test/test.acme-challenge.ts Normal file
View File

@@ -0,0 +1,64 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as crypto from 'node:crypto';
import { AcmeCrypto } from '../ts/acme/acme.classes.crypto.js';
import { AcmeChallengeManager } from '../ts/acme/acme.classes.challenge.js';
// Create a shared key and fake httpClient for all tests
let accountKeyPem: string;
let challengeManager: AcmeChallengeManager;
tap.test('setup: create key and challenge manager', async () => {
accountKeyPem = AcmeCrypto.createRsaPrivateKey();
// AcmeChallengeManager only needs httpClient for complete(), not for getKeyAuthorization()
// Pass null since we only test the sync crypto method
challengeManager = new AcmeChallengeManager(null as any, accountKeyPem);
});
// --- http-01 ---
tap.test('http-01 returns token.thumbprint', async () => {
const challenge = { type: 'http-01', url: 'https://acme.example/chall/1', status: 'pending', token: 'test-token-abc' };
const result = challengeManager.getKeyAuthorization(challenge);
const jwk = AcmeCrypto.getJwk(accountKeyPem);
const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
expect(result).toEqual(`test-token-abc.${thumbprint}`);
});
// --- dns-01 ---
tap.test('dns-01 returns base64url(sha256(token.thumbprint))', async () => {
const challenge = { type: 'dns-01', url: 'https://acme.example/chall/2', status: 'pending', token: 'dns-token-xyz' };
const result = challengeManager.getKeyAuthorization(challenge);
// Manual computation
const jwk = AcmeCrypto.getJwk(accountKeyPem);
const thumbprint = AcmeCrypto.getJwkThumbprint(jwk);
const keyAuth = `dns-token-xyz.${thumbprint}`;
const expected = crypto.createHash('sha256').update(keyAuth).digest().toString('base64url');
expect(result).toEqual(expected);
});
tap.test('dns-01 output is base64url (no +, /, =)', async () => {
const challenge = { type: 'dns-01', url: 'https://acme.example/chall/3', status: 'pending', token: 'another-token' };
const result = challengeManager.getKeyAuthorization(challenge);
expect(result).not.toInclude('+');
expect(result).not.toInclude('/');
expect(result).not.toInclude('=');
});
tap.test('http-01 and dns-01 differ for same token', async () => {
const token = 'shared-token-123';
const httpResult = challengeManager.getKeyAuthorization({ type: 'http-01', url: 'https://acme.example/c/1', status: 'pending', token });
const dnsResult = challengeManager.getKeyAuthorization({ type: 'dns-01', url: 'https://acme.example/c/2', status: 'pending', token });
expect(httpResult).not.toEqual(dnsResult);
});
tap.test('deterministic across calls', async () => {
const challenge = { type: 'http-01', url: 'https://acme.example/c/x', status: 'pending', token: 'stable-token' };
const r1 = challengeManager.getKeyAuthorization(challenge);
const r2 = challengeManager.getKeyAuthorization(challenge);
expect(r1).toEqual(r2);
});
export default tap.start();