@kagal/acme 0.1.0

package/dist/shared/acme.DkI8KXwO.d.mts

@@ -0,0 +1,583 @@
+/** Identifier type values. */
+declare const identifierTypes: readonly ["dns", "ip"];
+/**
+ * Identifier type union.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-9.7.7}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8738}
+ */
+type IdentifierType = (typeof identifierTypes)[number];
+/** Runtime set of valid identifier types. */
+declare const IdentifierTypes: ReadonlySet<IdentifierType>;
+
+/** Order status values (RFC 8555 §7.1.3). */
+declare const orderStatuses: readonly ["pending", "ready", "processing", "valid", "invalid"];
+/**
+ * Order status union type.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.3}
+ */
+type OrderStatus = (typeof orderStatuses)[number];
+/** Runtime set of valid order statuses. */
+declare const OrderStatuses: ReadonlySet<OrderStatus>;
+/** Authorization status values (RFC 8555 §7.1.4). */
+declare const authorizationStatuses: readonly ["pending", "valid", "invalid", "deactivated", "expired", "revoked"];
+/**
+ * Authorisation status union type.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.4}
+ */
+type AuthorizationStatus = (typeof authorizationStatuses)[number];
+/** Runtime set of valid authorisation statuses. */
+declare const AuthorizationStatuses: ReadonlySet<AuthorizationStatus>;
+/** Challenge status values (RFC 8555 §7.1.5). */
+declare const challengeStatuses: readonly ["pending", "processing", "valid", "invalid"];
+/**
+ * Challenge status union type.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.5}
+ */
+type ChallengeStatus = (typeof challengeStatuses)[number];
+/** Runtime set of valid challenge statuses. */
+declare const ChallengeStatuses: ReadonlySet<ChallengeStatus>;
+/** Account status values (RFC 8555 §7.1.2). */
+declare const accountStatuses: readonly ["valid", "deactivated", "revoked"];
+/**
+ * Account status union type.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.2}
+ */
+type AccountStatus = (typeof accountStatuses)[number];
+/** Runtime set of valid account statuses. */
+declare const AccountStatuses: ReadonlySet<AccountStatus>;
+
+/**
+ * Base64url-encoded string without padding
+ * (RFC 7515 §2).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7515#section-2}
+ */
+type Base64url = string;
+
+/**
+ * Optional JWK members shared by all key types (RFC 7517 §4).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4}
+ */
+type JWKBase = {
+    /** Algorithm (§4.4). */
+    'alg'?: string;
+    /** Key operations (§4.3). */
+    'key_ops'?: readonly string[];
+    /** Key ID (§4.5). */
+    'kid'?: string;
+    /** Public key use (§4.2). */
+    'use'?: string;
+    /** X.509 certificate chain (§4.7). */
+    'x5c'?: readonly string[];
+    /** X.509 SHA-1 thumbprint (§4.8). */
+    'x5t'?: string;
+    /** X.509 SHA-256 thumbprint (§4.9). */
+    'x5t#S256'?: string;
+    /** X.509 URL (§4.6). */
+    'x5u'?: string;
+};
+/**
+ * EC key (RFC 7518 §6.2).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7518#section-6.2}
+ */
+type ECJWK = JWKBase & {
+    kty: 'EC';
+    crv: string;
+    x: string;
+    y: string;
+};
+/**
+ * OKP key (RFC 8037 §2).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8037#section-2}
+ */
+type OKPJWK = JWKBase & {
+    kty: 'OKP';
+    crv: string;
+    x: string;
+};
+/**
+ * RSA key (RFC 7518 §6.3).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7518#section-6.3}
+ */
+type RSAJWK = JWKBase & {
+    kty: 'RSA';
+    e: string;
+    n: string;
+};
+/**
+ * JWK — discriminated union on `kty`.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7517}
+ */
+type JWK = ECJWK | OKPJWK | RSAJWK;
+
+/**
+ * Flattened JWS Serialization (RFC 7515 §7.2.2).
+ *
+ * @remarks
+ * ACME uses the flattened serialisation exclusively —
+ * compact and general forms are not used. `payload`
+ * may be empty for POST-as-GET requests (RFC 8555
+ * §6.3).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7515#section-7.2.2}
+ */
+interface FlattenedJWS {
+    /** Base64url-encoded protected header. */
+    protected: Base64url;
+    /** Base64url-encoded payload (empty for POST-as-GET). */
+    payload: string;
+    /** Base64url-encoded signature. */
+    signature: Base64url;
+}
+/**
+ * JWS protected header (RFC 7515 §4.1).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7515#section-4.1}
+ */
+interface JWSProtectedHeader {
+    /** Signature algorithm (e.g. 'ES256', 'EdDSA'). */
+    alg: string;
+    /** JSON Web Key (RFC 7515 §4.1.3). */
+    jwk?: JWK;
+    /** Key ID (RFC 7515 §4.1.4). */
+    kid?: string;
+}
+/**
+ * ACME protected header fields (RFC 8555 §6.2).
+ *
+ * @remarks
+ * Extends {@link JWSProtectedHeader} with ACME-required
+ * `nonce` and `url`. Inner JWS objects (EAB, key change)
+ * omit `nonce` and use {@link JWSProtectedHeader} directly.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-6.2}
+ */
+interface ACMEProtectedHeader extends JWSProtectedHeader {
+    /** Anti-replay nonce (RFC 8555 §6.5). */
+    nonce: string;
+    /** Request URL (RFC 8555 §6.4). */
+    url: string;
+}
+/**
+ * Outer ACME request header with `jwk` XOR `kid`.
+ *
+ * @remarks
+ * `jwk` for newAccount and revokeCert-by-cert-key;
+ * `kid` (account URL) for all other requests.
+ * Servers MUST reject headers containing both.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-6.2}
+ */
+type ACMERequestHeader = ACMEProtectedHeader & {
+    /** Account public key. */
+    jwk: JWK;
+    kid?: never;
+} | ACMEProtectedHeader & {
+    jwk?: never;
+    /** Account URL. */
+    kid: string;
+};
+
+/**
+ * External account binding (RFC 8555 §7.3.4).
+ *
+ * Structurally identical to {@link FlattenedJWS} —
+ * the payload is the account's public key, signed
+ * with the EAB HMAC key.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.4}
+ */
+type ExternalAccountBinding = FlattenedJWS;
+/**
+ * ACME account object.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.2}
+ */
+interface Account {
+    /** Account state. */
+    status: AccountStatus;
+    /** Contact URIs (`mailto:...`). */
+    contact?: string[];
+    /** EAB JWS (registration only). */
+    externalAccountBinding?: ExternalAccountBinding;
+    /** URL to order list. */
+    orders: string;
+    /** Whether ToS was accepted. */
+    termsOfServiceAgreed?: boolean;
+}
+
+/**
+ * Domain or IP identifier.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-9.7.7}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8738}
+ */
+interface Identifier {
+    /** Identifier type — see {@link IdentifierType}. */
+    type: IdentifierType;
+    /** Domain name or IP address. */
+    value: string;
+}
+
+/**
+ * Per-identifier sub-error (RFC 8555 §6.7.1).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-6.7.1}
+ */
+interface Subproblem {
+    /** URN error type. */
+    type: string;
+    /** Human-readable description. */
+    detail?: string;
+    /** Related identifier. */
+    identifier?: Identifier;
+    /** URI reference for this occurrence (RFC 7807 §3.1). */
+    instance?: string;
+    /** HTTP status code. */
+    status?: number;
+    /** Human-readable summary (RFC 7807 §3.1). */
+    title?: string;
+}
+/**
+ * ACME problem document (RFC 7807).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7807}
+ */
+interface Problem extends Subproblem {
+    /** Per-identifier errors. */
+    subproblems?: Subproblem[];
+}
+
+/**
+ * Shared challenge fields.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.5}
+ */
+interface ChallengeBase {
+    /** Error details. */
+    error?: Problem;
+    /** Challenge state. */
+    status: ChallengeStatus;
+    /** Challenge URL. */
+    url: string;
+    /** RFC 3339 validation timestamp. */
+    validated?: string;
+}
+/**
+ * HTTP-01 challenge (RFC 8555 §8.3).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-8.3}
+ */
+type HTTPChallenge = ChallengeBase & {
+    type: 'http-01';
+    token: string;
+};
+/**
+ * DNS-01 challenge (RFC 8555 §8.4).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-8.4}
+ */
+type DNSChallenge = ChallengeBase & {
+    type: 'dns-01';
+    token: string;
+};
+/**
+ * TLS-ALPN-01 challenge (RFC 8737).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8737}
+ */
+type TLSALPNChallenge = ChallengeBase & {
+    type: 'tls-alpn-01';
+    token: string;
+};
+/**
+ * Discriminated challenge union.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-8}
+ */
+type Challenge = DNSChallenge | HTTPChallenge | TLSALPNChallenge;
+
+/**
+ * Shared authorisation fields.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.4}
+ */
+interface AuthorizationBase {
+    /** Associated challenges. */
+    challenges: Challenge[];
+    /** RFC 3339 expiry timestamp. */
+    expires?: string;
+    /** Subject identifier. */
+    identifier: Identifier;
+    /** True for wildcard authorisations. */
+    wildcard?: boolean;
+}
+/**
+ * Discriminated authorisation union.
+ *
+ * @remarks
+ * `expires` is required when status is `'valid'`.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.4}
+ */
+type Authorization = AuthorizationBase & {
+    /** Required when valid. */
+    expires: string;
+    status: 'valid';
+} | AuthorizationBase & {
+    status: 'pending';
+} | AuthorizationBase & {
+    status: Exclude<AuthorizationStatus, 'pending' | 'valid'>;
+};
+
+/**
+ * Directory metadata.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1}
+ */
+interface DirectoryMeta {
+    /** CAA hostnames. */
+    caaIdentities?: string[];
+    /** Whether EAB is required. */
+    externalAccountRequired?: boolean;
+    /** URL to terms of service. */
+    termsOfService?: string;
+    /** CA information URL. */
+    website?: string;
+    /**
+     * Profile name to description map
+     * (draft-ietf-acme-profiles).
+     *
+     * @beta
+     * @see {@link https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/}
+     */
+    profiles?: Record<string, string>;
+}
+/**
+ * ACME directory resource.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1}
+ */
+interface Directory {
+    /** Key rollover URL. */
+    keyChange: string;
+    /** Server metadata. */
+    meta?: DirectoryMeta;
+    /** Account creation URL. */
+    newAccount: string;
+    /** Pre-authorisation URL (optional). */
+    newAuthz?: string;
+    /** Nonce endpoint URL. */
+    newNonce: string;
+    /** Order creation URL. */
+    newOrder: string;
+    /** Revocation URL. */
+    revokeCert: string;
+    /**
+     * ARI endpoint URL (RFC 9773 §3).
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9773#section-3}
+     */
+    renewalInfo?: string;
+}
+
+/**
+ * ARI certificate identifier —
+ * `base64url(AKI) + "." + base64url(Serial)`.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9773#section-4.1}
+ */
+type CertID = string;
+/**
+ * Renewal information (RFC 9773 §4).
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9773#section-4}
+ */
+interface RenewalInfo {
+    /** Suggested renewal window. */
+    suggestedWindow: {
+        /** RFC 3339 end timestamp. */
+        end: string;
+        /** RFC 3339 start timestamp. */
+        start: string;
+    };
+    /** URL explaining the renewal suggestion. */
+    explanationURL?: string;
+}
+
+/**
+ * ACME order object.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.3}
+ */
+interface Order {
+    /** Order state. */
+    status: OrderStatus;
+    /** Authorization URLs. */
+    authorizations: string[];
+    /** Certificate download URL. */
+    certificate?: string;
+    /** Error details. */
+    error?: Problem;
+    /** RFC 3339 expiry timestamp. */
+    expires?: string;
+    /** Finalize URL. */
+    finalize: string;
+    /** Requested domains/IPs. */
+    identifiers: Identifier[];
+    /** Certificate validity end. */
+    notAfter?: string;
+    /** Certificate validity start. */
+    notBefore?: string;
+    /**
+     * Selected profile (draft-ietf-acme-profiles).
+     *
+     * @beta
+     * @see {@link https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/}
+     */
+    profile?: string;
+    /**
+     * ARI predecessor certID (RFC 9773 §5).
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9773#section-5}
+     */
+    replaces?: CertID;
+}
+
+/**
+ * Order finalisation payload.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.4}
+ */
+type Finalize = {
+    /** Base64url-encoded DER CSR. */
+    csr: Base64url;
+};
+
+/**
+ * Inner JWS payload for key rollover.
+ *
+ * @remarks
+ * Signed with the new key; the outer JWS is signed
+ * with the old key.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.5}
+ */
+type KeyChange = {
+    /** Account URL. */
+    account: string;
+    /** Old account public key. */
+    oldKey: JWK;
+};
+
+/**
+ * newAccount request payload.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.3}
+ */
+type NewAccount = {
+    /** Contact URIs. */
+    contact?: string[];
+    /** External account binding JWS. */
+    externalAccountBinding?: ExternalAccountBinding;
+    /** Return existing account only. */
+    onlyReturnExisting?: boolean;
+    /** ToS agreement. */
+    termsOfServiceAgreed?: boolean;
+};
+/**
+ * Account deactivation payload.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.6}
+ */
+type DeactivateAccount = {
+    status: 'deactivated';
+};
+
+/**
+ * Pre-authorisation request payload.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.1}
+ */
+type NewAuthz = {
+    /** Identifier to pre-authorise. */
+    identifier: Identifier;
+};
+/**
+ * Authorisation deactivation payload.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.2}
+ */
+type DeactivateAuthorization = {
+    status: 'deactivated';
+};
+
+/**
+ * newOrder request payload.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.4}
+ */
+type NewOrder = {
+    /** Requested identifiers. */
+    identifiers: Identifier[];
+    /** Certificate validity end (RFC 3339). */
+    notAfter?: string;
+    /** Certificate validity start (RFC 3339). */
+    notBefore?: string;
+    /**
+     * Desired profile name.
+     *
+     * @beta
+     * @see {@link https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/}
+     */
+    profile?: string;
+    /**
+     * ARI predecessor certID (RFC 9773 §5).
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc9773#section-5}
+     */
+    replaces?: CertID;
+};
+
+/**
+ * CRL reason code (RFC 5280 §5.3.1).
+ *
+ * @remarks
+ * Code 7 is not used.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.1}
+ */
+type CRLReasonCode = 0 | // unspecified
+1 | // keyCompromise
+2 | // cACompromise
+3 | // affiliationChanged
+4 | // superseded
+5 | // cessationOfOperation
+6 | // certificateHold
+8 | // removeFromCRL
+9 | // privilegeWithdrawn
+10;
+/**
+ * Certificate revocation payload.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8555#section-7.6}
+ */
+type RevokeCert = {
+    /** Base64url-encoded DER certificate. */
+    certificate: Base64url;
+    /** CRL reason code (RFC 5280 §5.3.1). */
+    reason?: CRLReasonCode;
+};
+
+export { OrderStatuses as L, accountStatuses as U, authorizationStatuses as V, challengeStatuses as W, identifierTypes as X, orderStatuses as Y, AccountStatuses as d, AuthorizationStatuses as h, ChallengeStatuses as m, IdentifierTypes as u };
+export type { ACMEProtectedHeader as A, Base64url as B, CRLReasonCode as C, DNSChallenge as D, ECJWK as E, Finalize as F, OrderStatus as G, HTTPChallenge as H, Identifier as I, JWK as J, KeyChange as K, RenewalInfo as M, NewAccount as N, OKPJWK as O, Problem as P, RevokeCert as Q, RSAJWK as R, Subproblem as S, TLSALPNChallenge as T, ACMERequestHeader as a, Account as b, AccountStatus as c, Authorization as e, AuthorizationBase as f, AuthorizationStatus as g, CertID as i, Challenge as j, ChallengeBase as k, ChallengeStatus as l, DeactivateAccount as n, DeactivateAuthorization as o, Directory as p, DirectoryMeta as q, ExternalAccountBinding as r, FlattenedJWS as s, IdentifierType as t, JWKBase as v, JWSProtectedHeader as w, NewAuthz as x, NewOrder as y, Order as z };