feat: new ca provider: custom acme ca

2025-05-16 21:40:40 +08:00
parent 980d1ee0b9
commit 122d766cab
16 changed files with 206 additions and 40 deletions
--- a/internal/applicant/acme_ca.go
+++ b/internal/applicant/acme_ca.go
@@ -3,25 +3,26 @@ package applicant
 import "github.com/usual2970/certimate/internal/domain"

 const (
-	sslProviderLetsEncrypt         = string(domain.CAProviderTypeLetsEncrypt)
-	sslProviderLetsEncryptStaging  = string(domain.CAProviderTypeLetsEncryptStaging)
-	sslProviderBuypass             = string(domain.CAProviderTypeBuypass)
-	sslProviderGoogleTrustServices = string(domain.CAProviderTypeGoogleTrustServices)
-	sslProviderSSLCom              = string(domain.CAProviderTypeSSLCom)
-	sslProviderZeroSSL             = string(domain.CAProviderTypeZeroSSL)
+	caLetsEncrypt         = string(domain.CAProviderTypeLetsEncrypt)
+	caLetsEncryptStaging  = string(domain.CAProviderTypeLetsEncryptStaging)
+	caBuypass             = string(domain.CAProviderTypeBuypass)
+	caGoogleTrustServices = string(domain.CAProviderTypeGoogleTrustServices)
+	caSSLCom              = string(domain.CAProviderTypeSSLCom)
+	caZeroSSL             = string(domain.CAProviderTypeZeroSSL)
+	caCustom              = string(domain.CAProviderTypeACMECA)

-	sslProviderDefault = sslProviderLetsEncrypt
+	caDefault = caLetsEncrypt
 )

-var sslProviderUrls = map[string]string{
-	sslProviderLetsEncrypt:         "https://acme-v02.api.letsencrypt.org/directory",
-	sslProviderLetsEncryptStaging:  "https://acme-staging-v02.api.letsencrypt.org/directory",
-	sslProviderBuypass:             "https://api.buypass.com/acme/directory",
-	sslProviderGoogleTrustServices: "https://dv.acme-v02.api.pki.goog/directory",
-	sslProviderSSLCom:              "https://acme.ssl.com/sslcom-dv-rsa",
-	sslProviderSSLCom + "RSA":      "https://acme.ssl.com/sslcom-dv-rsa",
-	sslProviderSSLCom + "ECC":      "https://acme.ssl.com/sslcom-dv-ecc",
-	sslProviderZeroSSL:             "https://acme.zerossl.com/v2/DV90",
+var caDirUrls = map[string]string{
+	caLetsEncrypt:         "https://acme-v02.api.letsencrypt.org/directory",
+	caLetsEncryptStaging:  "https://acme-staging-v02.api.letsencrypt.org/directory",
+	caBuypass:             "https://api.buypass.com/acme/directory",
+	caGoogleTrustServices: "https://dv.acme-v02.api.pki.goog/directory",
+	caSSLCom:              "https://acme.ssl.com/sslcom-dv-rsa",
+	caSSLCom + "RSA":      "https://acme.ssl.com/sslcom-dv-rsa",
+	caSSLCom + "ECC":      "https://acme.ssl.com/sslcom-dv-ecc",
+	caZeroSSL:             "https://acme.zerossl.com/v2/DV90",
 }

 type acmeSSLProviderConfig struct {
--- a/internal/applicant/acme_user.go
+++ b/internal/applicant/acme_user.go
@@ -7,6 +7,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"fmt"
+	"strings"

 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
@@ -19,22 +20,31 @@ import (
 )

 type acmeUser struct {
-	CA           string
-	Email        string
+	// 证书颁发机构标识。
+	// 通常等同于 [CAProviderType] 的值。
+	// 对于自定义 ACME CA，值为 "custom#{access_id}"。
+	CA string
+	// 邮箱。
+	Email string
+	// 注册信息。
 	Registration *registration.Resource

+	// CSR 私钥。
 	privkey string
 }

-func newAcmeUser(ca, email string) (*acmeUser, error) {
+func newAcmeUser(ca, caAccessId, email string) (*acmeUser, error) {
 	repo := repository.NewAcmeAccountRepository()

 	applyUser := &acmeUser{
 		CA:    ca,
 		Email: email,
 	}
+	if ca == caCustom {
+		applyUser.CA = fmt.Sprintf("%s#%s", ca, caAccessId)
+	}

-	acmeAccount, err := repo.GetByCAAndEmail(ca, email)
+	acmeAccount, err := repo.GetByCAAndEmail(applyUser.CA, applyUser.Email)
 	if err != nil {
 		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		if err != nil {
@@ -73,6 +83,10 @@ func (u *acmeUser) hasRegistration() bool {
 	return u.Registration != nil
 }

+func (u *acmeUser) getCAProvider() string {
+	return strings.Split(u.CA, "#")[0]
+}
+
 func (u *acmeUser) getPrivateKeyPEM() string {
 	return u.privkey
 }
@@ -94,16 +108,16 @@ func registerAcmeUserWithSingleFlight(client *lego.Client, user *acmeUser, userR
 func registerAcmeUser(client *lego.Client, user *acmeUser, userRegisterOptions map[string]any) (*registration.Resource, error) {
 	var reg *registration.Resource
 	var err error
-	switch user.CA {
-	case sslProviderLetsEncrypt, sslProviderLetsEncryptStaging:
+	switch user.getCAProvider() {
+	case caLetsEncrypt, caLetsEncryptStaging:
 		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})

-	case sslProviderBuypass:
+	case caBuypass:
 		{
 			reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
 		}

-	case sslProviderGoogleTrustServices:
+	case caGoogleTrustServices:
 		{
 			access := domain.AccessConfigForGoogleTrustServices{}
 			if err := maputil.Populate(userRegisterOptions, &access); err != nil {
@@ -117,7 +131,7 @@ func registerAcmeUser(client *lego.Client, user *acmeUser, userRegisterOptions m
 			})
 		}

-	case sslProviderSSLCom:
+	case caSSLCom:
 		{
 			access := domain.AccessConfigForSSLCom{}
 			if err := maputil.Populate(userRegisterOptions, &access); err != nil {
@@ -131,7 +145,7 @@ func registerAcmeUser(client *lego.Client, user *acmeUser, userRegisterOptions m
 			})
 		}

-	case sslProviderZeroSSL:
+	case caZeroSSL:
 		{
 			access := domain.AccessConfigForZeroSSL{}
 			if err := maputil.Populate(userRegisterOptions, &access); err != nil {
@@ -145,6 +159,26 @@ func registerAcmeUser(client *lego.Client, user *acmeUser, userRegisterOptions m
 			})
 		}

+	case caCustom:
+		{
+			access := domain.AccessConfigForACMECA{}
+			if err := maputil.Populate(userRegisterOptions, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			if access.EabKid == "" && access.EabHmacKey == "" {
+				reg, err = client.Registration.Register(registration.RegisterOptions{
+					TermsOfServiceAgreed: true,
+				})
+			} else {
+				reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+					TermsOfServiceAgreed: true,
+					Kid:                  access.EabKid,
+					HmacEncoded:          access.EabHmacKey,
+				})
+			}
+		}
+
 	default:
 		err = fmt.Errorf("unsupported ca provider '%s'", user.CA)
 	}
--- a/internal/applicant/applicant.go
+++ b/internal/applicant/applicant.go
@@ -20,12 +20,13 @@ import (
 	"golang.org/x/time/rate"

 	"github.com/usual2970/certimate/internal/domain"
+	maputil "github.com/usual2970/certimate/internal/pkg/utils/map"
 	sliceutil "github.com/usual2970/certimate/internal/pkg/utils/slice"
 	"github.com/usual2970/certimate/internal/repository"
 )

 type ApplyResult struct {
-	CertificateFullChain string
+	FullChainCertificate string
 	IssuerCertificate    string
 	PrivateKey           string
 	ACMEAccountUrl       string
@@ -81,6 +82,7 @@ func NewWithWorkflowNode(config ApplicantWithWorkflowNodeConfig) (Applicant, err
 		if access, err := accessRepo.GetById(context.Background(), nodeConfig.CAProviderAccessId); err != nil {
 			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.CAProviderAccessId, err)
 		} else {
+			options.CAProviderAccessId = access.Id
 			options.CAProviderAccessConfig = access.Config
 		}
 	}
@@ -91,13 +93,13 @@ func NewWithWorkflowNode(config ApplicantWithWorkflowNodeConfig) (Applicant, err

 		sslProviderConfig := &acmeSSLProviderConfig{
 			Config:   make(map[domain.CAProviderType]map[string]any),
-			Provider: sslProviderDefault,
+			Provider: caDefault,
 		}
 		if settings != nil {
 			if err := json.Unmarshal([]byte(settings.Content), sslProviderConfig); err != nil {
 				return nil, err
 			} else if sslProviderConfig.Provider == "" {
-				sslProviderConfig.Provider = sslProviderDefault
+				sslProviderConfig.Provider = caDefault
 			}
 		}

@@ -163,7 +165,7 @@ func getLimiter(key string) *rate.Limiter {
 }

 func applyUseLego(legoProvider challenge.Provider, options *applicantProviderOptions) (*ApplyResult, error) {
-	user, err := newAcmeUser(string(options.CAProvider), options.ContactEmail)
+	user, err := newAcmeUser(string(options.CAProvider), options.CAProviderAccessId, options.ContactEmail)
 	if err != nil {
 		return nil, err
 	}
@@ -175,13 +177,26 @@ func applyUseLego(legoProvider challenge.Provider, options *applicantProviderOpt
 	// Create an ACME client config
 	config := lego.NewConfig(user)
 	config.Certificate.KeyType = parseLegoKeyAlgorithm(domain.CertificateKeyAlgorithmType(options.KeyAlgorithm))
-	config.CADirURL = sslProviderUrls[user.CA]
-	if user.CA == sslProviderSSLCom {
+	switch user.getCAProvider() {
+	case caSSLCom:
 		if strings.HasPrefix(options.KeyAlgorithm, "RSA") {
-			config.CADirURL = sslProviderUrls[sslProviderSSLCom+"RSA"]
+			config.CADirURL = caDirUrls[caSSLCom+"RSA"]
 		} else if strings.HasPrefix(options.KeyAlgorithm, "EC") {
-			config.CADirURL = sslProviderUrls[sslProviderSSLCom+"ECC"]
+			config.CADirURL = caDirUrls[caSSLCom+"ECC"]
+		} else {
+			config.CADirURL = caDirUrls[caSSLCom]
 		}
+
+	case caCustom:
+		caDirURL := maputil.GetString(options.CAProviderAccessConfig, "endpoint")
+		if caDirURL != "" {
+			config.CADirURL = caDirURL
+		} else {
+			return nil, fmt.Errorf("invalid ca provider endpoint")
+		}
+
+	default:
+		config.CADirURL = caDirUrls[user.CA]
 	}

 	// Create an ACME client
@@ -229,7 +244,7 @@ func applyUseLego(legoProvider challenge.Provider, options *applicantProviderOpt
 	}

 	return &ApplyResult{
-		CertificateFullChain: strings.TrimSpace(string(certResource.Certificate)),
+		FullChainCertificate: strings.TrimSpace(string(certResource.Certificate)),
 		IssuerCertificate:    strings.TrimSpace(string(certResource.IssuerCertificate)),
 		PrivateKey:           strings.TrimSpace(string(certResource.PrivateKey)),
 		ACMEAccountUrl:       user.Registration.URI,
--- a/internal/applicant/providers.go
+++ b/internal/applicant/providers.go
@@ -48,6 +48,7 @@ type applicantProviderOptions struct {
 	ProviderAccessConfig     map[string]any
 	ProviderExtendedConfig   map[string]any
 	CAProvider               domain.CAProviderType
+	CAProviderAccessId       string
 	CAProviderAccessConfig   map[string]any
 	CAProviderExtendedConfig map[string]any
 	KeyAlgorithm             string
--- a/internal/domain/access.go
+++ b/internal/domain/access.go
@@ -22,6 +22,12 @@ type AccessConfigFor1Panel struct {
 	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }

+type AccessConfigForACMECA struct {
+	Endpoint   string `json:"endpoint"`
+	EabKid     string `json:"eabKid,omitempty"`
+	EabHmacKey string `json:"eabHmacKey,omitempty"`
+}
+
 type AccessConfigForACMEHttpReq struct {
 	Endpoint string `json:"endpoint"`
 	Mode     string `json:"mode,omitempty"`
--- a/internal/domain/provider.go
+++ b/internal/domain/provider.go
@@ -10,7 +10,7 @@ type AccessProviderType string
 */
 const (
 	AccessProviderType1Panel              = AccessProviderType("1panel")
-	AccessProviderTypeACMECA              = AccessProviderType("acmeca") // ACME CA（预留）
+	AccessProviderTypeACMECA              = AccessProviderType("acmeca")
 	AccessProviderTypeACMEHttpReq         = AccessProviderType("acmehttpreq")
 	AccessProviderTypeAkamai              = AccessProviderType("akamai") // Akamai（预留）
 	AccessProviderTypeAliyun              = AccessProviderType("aliyun")
@@ -91,6 +91,7 @@ type CAProviderType string
 	NOTICE: If you add new constant, please keep ASCII order.
 */
 const (
+	CAProviderTypeACMECA              = CAProviderType(AccessProviderTypeACMECA)
 	CAProviderTypeBuypass             = CAProviderType(AccessProviderTypeBuypass)
 	CAProviderTypeGoogleTrustServices = CAProviderType(AccessProviderTypeGoogleTrustServices)
 	CAProviderTypeLetsEncrypt         = CAProviderType(AccessProviderTypeLetsEncrypt)
--- a/internal/workflow/node-processor/apply_node.go
+++ b/internal/workflow/node-processor/apply_node.go
@@ -66,14 +66,14 @@ func (n *applyNode) Process(ctx context.Context) error {
 	}

 	// 解析证书并生成实体
-	certX509, err := certutil.ParseCertificateFromPEM(applyResult.CertificateFullChain)
+	certX509, err := certutil.ParseCertificateFromPEM(applyResult.FullChainCertificate)
 	if err != nil {
 		n.logger.Warn("failed to parse certificate, may be the CA responded error")
 		return err
 	}
 	certificate := &domain.Certificate{
 		Source:            domain.CertificateSourceTypeWorkflow,
-		Certificate:       applyResult.CertificateFullChain,
+		Certificate:       applyResult.FullChainCertificate,
 		PrivateKey:        applyResult.PrivateKey,
 		IssuerCertificate: applyResult.IssuerCertificate,
 		ACMEAccountUrl:    applyResult.ACMEAccountUrl,