@labacacia/nps-sdk 1.0.0-alpha.1 → 1.0.0-alpha.13

package/dist/nip/acme/jws.js

@@ -0,0 +1,76 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * JWS signing helpers for ACME with Ed25519 (`alg: "EdDSA"` per RFC 8037).
+ *
+ * Wire shape (RFC 8555 §6.2 + RFC 7515 flattened JWS JSON serialization):
+ * {
+ *   "protected": base64url(JSON({alg, nonce, url, [jwk|kid]})),
+ *   "payload":   base64url(JSON(payload)),
+ *   "signature": base64url(Ed25519(protected || "." || payload))
+ * }
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { sha256 } from "@noble/hashes/sha2";
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+export const ALG_EDDSA = "EdDSA"; // RFC 8037 §3.1
+export const KTY_OKP = "OKP"; // RFC 8037 §2
+export const CRV_ED25519 = "Ed25519"; // RFC 8037 §2
+export function jwkFromPublicKey(rawPubKey) {
+    if (rawPubKey.length !== 32) {
+        throw new Error(`Ed25519 public key must be 32 bytes, got ${rawPubKey.length}`);
+    }
+    return { kty: KTY_OKP, crv: CRV_ED25519, x: b64uEncode(rawPubKey) };
+}
+export function publicKeyFromJwk(jwk) {
+    if (jwk.kty !== KTY_OKP || jwk.crv !== CRV_ED25519) {
+        throw new Error(`JWK is not OKP/Ed25519: kty=${jwk.kty} crv=${jwk.crv}`);
+    }
+    return b64uDecode(jwk.x);
+}
+/** RFC 7638 §3 thumbprint of an Ed25519 JWK (lex-sorted compact JSON, SHA-256, base64url). */
+export function thumbprint(jwk) {
+    const canonical = `{"crv":"${jwk.crv}","kty":"${jwk.kty}","x":"${jwk.x}"}`;
+    return b64uEncode(sha256(new TextEncoder().encode(canonical)));
+}
+export function sign(header, payload, privKey) {
+    const headerBytes = new TextEncoder().encode(JSON.stringify(header));
+    const headerB64u = b64uEncode(headerBytes);
+    const payloadB64u = payload === null
+        ? ""
+        : b64uEncode(new TextEncoder().encode(JSON.stringify(payload)));
+    const signingInput = new TextEncoder().encode(`${headerB64u}.${payloadB64u}`);
+    const sig = ed25519.sign(signingInput, privKey);
+    return { protected: headerB64u, payload: payloadB64u, signature: b64uEncode(sig) };
+}
+/** Verify a JWS envelope. Returns the parsed protected header on success, else null. */
+export function verify(envelope, pubKey) {
+    try {
+        const signingInput = new TextEncoder().encode(`${envelope.protected}.${envelope.payload}`);
+        const sigBytes = b64uDecode(envelope.signature);
+        if (!ed25519.verify(sigBytes, signingInput, pubKey))
+            return null;
+        const headerJson = new TextDecoder().decode(b64uDecode(envelope.protected));
+        return JSON.parse(headerJson);
+    }
+    catch {
+        return null;
+    }
+}
+export function decodePayload(envelope) {
+    if (!envelope.payload)
+        return null;
+    return JSON.parse(new TextDecoder().decode(b64uDecode(envelope.payload)));
+}
+// ── helpers ──────────────────────────────────────────────────────────────────
+export function b64uEncode(bytes) {
+    return Buffer.from(bytes).toString("base64").replace(/=+$/, "")
+        .replace(/\+/g, "-").replace(/\//g, "_");
+}
+export function b64uDecode(s) {
+    const padded = s + "=".repeat((4 - (s.length % 4)) % 4);
+    const std = padded.replace(/-/g, "+").replace(/_/g, "/");
+    return new Uint8Array(Buffer.from(std, "base64"));
+}
+//# sourceMappingURL=jws.js.map

package/dist/nip/acme/jws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jws.js","sourceRoot":"","sources":["../../../src/nip/acme/jws.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC;AAEtC;;;;;;;;;GASG;AAEH,OAAO,KAAK,OAAO,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEzE,MAAM,CAAC,MAAM,SAAS,GAAK,OAAO,CAAC,CAAG,gBAAgB;AACtD,MAAM,CAAC,MAAM,OAAO,GAAO,KAAK,CAAC,CAAK,cAAc;AACpD,MAAM,CAAC,MAAM,WAAW,GAAG,SAAS,CAAC,CAAC,cAAc;AAsBpD,MAAM,UAAU,gBAAgB,CAAC,SAAqB;IACpD,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,4CAA4C,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAQ;IACvC,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,IAAI,GAAG,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,GAAG,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,8FAA8F;AAC9F,MAAM,UAAU,UAAU,CAAC,GAAQ;IACjC,MAAM,SAAS,GAAG,WAAW,GAAG,CAAC,GAAG,YAAY,GAAG,CAAC,GAAG,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC;IAC3E,OAAO,UAAU,CAAC,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,IAAI,CAClB,MAAyB,EACzB,OAAwB,EACxB,OAAoB;IAEpB,MAAM,WAAW,GAAI,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACtE,MAAM,UAAU,GAAK,UAAU,CAAC,WAAW,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAI,OAAO,KAAK,IAAI;QACnC,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,UAAU,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAClE,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,UAAU,IAAI,WAAW,EAAE,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAY,OAAO,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IACzD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;AACrF,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,MAAM,CAAC,QAAkB,EAAE,MAAkB;IAC3D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,MAAM,QAAQ,GAAO,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACpD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QACjE,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAoB,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAc,QAAkB;IAC3D,IAAI,CAAC,QAAQ,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAM,CAAC;AACjF,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,UAAU,CAAC,KAAiB;IAC1C,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;SAC5D,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAS;IAClC,MAAM,MAAM,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;AACpD,CAAC"}

package/dist/nip/acme/messages.d.ts

@@ -0,0 +1,71 @@
+/** ACME wire-level DTOs (RFC 8555 + NPS-RFC-0002 §4.4) — plain interfaces. */
+export interface DirectoryMeta {
+    termsOfService?: string;
+    website?: string;
+    caaIdentities?: readonly string[];
+    externalAccountRequired?: boolean;
+}
+export interface Directory {
+    newNonce: string;
+    newAccount: string;
+    newOrder: string;
+    revokeCert?: string;
+    keyChange?: string;
+    meta?: DirectoryMeta;
+}
+export interface NewAccountPayload {
+    termsOfServiceAgreed?: boolean;
+    contact?: readonly string[];
+    onlyReturnExisting?: boolean;
+}
+export interface Account {
+    status: string;
+    contact?: readonly string[];
+    orders?: string;
+}
+export interface Identifier {
+    type: string;
+    value: string;
+}
+export interface NewOrderPayload {
+    identifiers: readonly Identifier[];
+    notBefore?: string;
+    notAfter?: string;
+}
+export interface ProblemDetail {
+    type: string;
+    detail?: string;
+    status?: number;
+}
+export interface Order {
+    status: string;
+    expires?: string;
+    identifiers: readonly Identifier[];
+    authorizations: readonly string[];
+    finalize: string;
+    certificate?: string;
+    error?: ProblemDetail;
+}
+export interface Challenge {
+    type: string;
+    url: string;
+    status: string;
+    token: string;
+    validated?: string;
+    error?: ProblemDetail;
+}
+export interface Authorization {
+    status: string;
+    expires?: string;
+    identifier: Identifier;
+    challenges: readonly Challenge[];
+}
+export interface ChallengeRespondPayload {
+    /** base64url(Ed25519(token)) per NPS-RFC-0002 §4.4. */
+    agent_signature: string;
+}
+export interface FinalizePayload {
+    /** base64url(CSR DER). */
+    csr: string;
+}
+//# sourceMappingURL=messages.d.ts.map

package/dist/nip/acme/messages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"messages.d.ts","sourceRoot":"","sources":["../../../src/nip/acme/messages.ts"],"names":[],"mappings":"AAGA,8EAA8E;AAE9E,MAAM,WAAW,aAAa;IAC5B,cAAc,CAAC,EAAW,MAAM,CAAC;IACjC,OAAO,CAAC,EAAkB,MAAM,CAAC;IACjC,aAAa,CAAC,EAAY,SAAS,MAAM,EAAE,CAAC;IAC5C,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAK,MAAM,CAAC;IACpB,UAAU,EAAG,MAAM,CAAC;IACpB,QAAQ,EAAK,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,IAAI,CAAC,EAAQ,aAAa,CAAC;CAC5B;AAED,MAAM,WAAW,iBAAiB;IAChC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,OAAO,CAAC,EAAe,SAAS,MAAM,EAAE,CAAC;IACzC,kBAAkB,CAAC,EAAI,OAAO,CAAC;CAChC;AAED,MAAM,WAAW,OAAO;IACtB,MAAM,EAAK,MAAM,CAAC;IAClB,OAAO,CAAC,EAAG,SAAS,MAAM,EAAE,CAAC;IAC7B,MAAM,CAAC,EAAI,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAG,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,SAAS,UAAU,EAAE,CAAC;IACnC,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAI,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAK,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,KAAK;IACpB,MAAM,EAAU,MAAM,CAAC;IACvB,OAAO,CAAC,EAAQ,MAAM,CAAC;IACvB,WAAW,EAAK,SAAS,UAAU,EAAE,CAAC;IACtC,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,EAAQ,MAAM,CAAC;IACvB,WAAW,CAAC,EAAI,MAAM,CAAC;IACvB,KAAK,CAAC,EAAU,aAAa,CAAC;CAC/B;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAQ,MAAM,CAAC;IACnB,GAAG,EAAS,MAAM,CAAC;IACnB,MAAM,EAAM,MAAM,CAAC;IACnB,KAAK,EAAO,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAM,aAAa,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAM,MAAM,CAAC;IACnB,OAAO,CAAC,EAAI,MAAM,CAAC;IACnB,UAAU,EAAE,UAAU,CAAC;IACvB,UAAU,EAAE,SAAS,SAAS,EAAE,CAAC;CAClC;AAED,MAAM,WAAW,uBAAuB;IACtC,uDAAuD;IACvD,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,eAAe;IAC9B,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;CACb"}

package/dist/nip/acme/messages.js

@@ -0,0 +1,4 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+export {};
+//# sourceMappingURL=messages.js.map

package/dist/nip/acme/messages.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"messages.js","sourceRoot":"","sources":["../../../src/nip/acme/messages.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,sCAAsC"}

package/dist/nip/acme/server.d.ts

@@ -0,0 +1,41 @@
+import * as x509 from "@peculiar/x509";
+export interface AcmeServerOptions {
+    caNid: string;
+    caKeys: CryptoKeyPair;
+    caRootCert: x509.X509Certificate;
+    certValidityMs: number;
+}
+export declare class AcmeServer {
+    readonly options: AcmeServerOptions;
+    private readonly server;
+    private readonly nonces;
+    private readonly accountJwks;
+    private readonly orders;
+    private readonly authzs;
+    private readonly challenges;
+    private readonly certs;
+    private boundPort;
+    constructor(options: AcmeServerOptions);
+    start(): Promise<this>;
+    close(): Promise<void>;
+    get baseUrl(): string;
+    get directoryUrl(): string;
+    private dispatch;
+    private handleDirectory;
+    private handleNewNonce;
+    private handleNewAccount;
+    private handleNewOrder;
+    private handleAuthz;
+    private handleChallenge;
+    private handleFinalize;
+    private handleCert;
+    private handleOrder;
+    private mintNonce;
+    private consumeNonce;
+    private verifyAccount;
+    private readEnvelope;
+    private parseHeader;
+    private sendJson;
+    private sendProblem;
+}
+//# sourceMappingURL=server.d.ts.map

package/dist/nip/acme/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/nip/acme/server.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAevC,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAY,MAAM,CAAC;IACxB,MAAM,EAAW,aAAa,CAAC;IAC/B,UAAU,EAAO,IAAI,CAAC,eAAe,CAAC;IACtC,cAAc,EAAG,MAAM,CAAC;CACzB;AA6BD,qBAAa,UAAU;aAUO,OAAO,EAAE,iBAAiB;IATtD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA2B;IAClD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA+B;IAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuC;IAC9D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuC;IAC9D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAuC;IAClE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoC;IAC1D,OAAO,CAAC,SAAS,CAAgB;gBAEL,OAAO,EAAE,iBAAiB;IAIhD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAS5B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAItB,IAAI,OAAO,IAAU,MAAM,CAAiD;IAC5E,IAAI,YAAY,IAAK,MAAM,CAAwC;YAIrD,QAAQ;IAsBtB,OAAO,CAAC,eAAe;IASvB,OAAO,CAAC,cAAc;YAOR,gBAAgB;YAgChB,cAAc;YAwDd,WAAW;YA2BX,eAAe;YAyDf,cAAc;YAuEd,UAAU;YAmBV,WAAW;IAuBzB,OAAO,CAAC,SAAS;IAMjB,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,aAAa;YAOP,YAAY;IAe1B,OAAO,CAAC,WAAW;IAUnB,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,WAAW;CAKpB"}

package/dist/nip/acme/server.js

@@ -0,0 +1,458 @@
+// Copyright 2026 INNO LOTUS PTY LTD
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * In-process ACME server implementing the `agent-01` challenge for NPS-RFC-0002 §4.4.
+ *
+ * Backed by Node's stdlib `http.createServer`. Suitable for tests and reference
+ * deployments. State is kept in memory.
+ */
+import * as ed25519 from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { createServer } from "node:http";
+import { randomBytes } from "node:crypto";
+import * as x509 from "@peculiar/x509";
+import { AssuranceLevel } from "../assurance-level.js";
+import { ACME_CHALLENGE_FAILED } from "../error-codes.js";
+import { issueLeaf } from "../x509/builder.js";
+import * as Jws from "./jws.js";
+import * as wire from "./wire.js";
+ed25519.etc.sha512Sync = (...m) => sha512(ed25519.etc.concatBytes(...m));
+x509.cryptoProvider.set(globalThis.crypto);
+export class AcmeServer {
+    options;
+    server;
+    nonces = new Set();
+    accountJwks = new Map();
+    orders = new Map();
+    authzs = new Map();
+    challenges = new Map();
+    certs = new Map();
+    boundPort = 0;
+    constructor(options) {
+        this.options = options;
+        this.server = createServer((req, res) => this.dispatch(req, res));
+    }
+    async start() {
+        await new Promise((resolve) => {
+            this.server.listen(0, "127.0.0.1", () => resolve());
+        });
+        const addr = this.server.address();
+        this.boundPort = typeof addr === "object" && addr !== null ? addr.port : 0;
+        return this;
+    }
+    close() {
+        return new Promise((resolve) => this.server.close(() => resolve()));
+    }
+    get baseUrl() { return `http://127.0.0.1:${this.boundPort}`; }
+    get directoryUrl() { return `${this.baseUrl}/directory`; }
+    // ── Routing ──────────────────────────────────────────────────────────────
+    async dispatch(req, res) {
+        const url = req.url ?? "/";
+        const method = req.method ?? "GET";
+        try {
+            if (method === "GET" && url === "/directory")
+                return this.handleDirectory(res);
+            if (url === "/new-nonce")
+                return this.handleNewNonce(method, res);
+            if (method === "POST" && url === "/new-account")
+                return await this.handleNewAccount(req, res);
+            if (method === "POST" && url === "/new-order")
+                return await this.handleNewOrder(req, res);
+            if (method === "POST" && url.startsWith("/authz/"))
+                return await this.handleAuthz(req, res, url);
+            if (method === "POST" && url.startsWith("/chall/"))
+                return await this.handleChallenge(req, res, url);
+            if (method === "POST" && url.startsWith("/finalize/"))
+                return await this.handleFinalize(req, res, url);
+            if (method === "POST" && url.startsWith("/cert/"))
+                return await this.handleCert(req, res, url);
+            if (method === "POST" && url.startsWith("/order/"))
+                return await this.handleOrder(req, res, url);
+            this.sendProblem(res, 404, "urn:ietf:params:acme:error:malformed", "no such resource");
+        }
+        catch (e) {
+            this.sendProblem(res, 500, "urn:ietf:params:acme:error:serverInternal", e.message);
+        }
+    }
+    // ── Endpoint handlers ────────────────────────────────────────────────────
+    handleDirectory(res) {
+        const dir = {
+            newNonce: `${this.baseUrl}/new-nonce`,
+            newAccount: `${this.baseUrl}/new-account`,
+            newOrder: `${this.baseUrl}/new-order`,
+        };
+        this.sendJson(res, 200, dir);
+    }
+    handleNewNonce(method, res) {
+        res.statusCode = method === "HEAD" ? 200 : 204;
+        res.setHeader("Replay-Nonce", this.mintNonce());
+        res.setHeader("Cache-Control", "no-store");
+        res.end();
+    }
+    async handleNewAccount(req, res) {
+        const env = await this.readEnvelope(req, res);
+        if (!env)
+            return;
+        const header = this.parseHeader(env, res);
+        if (!header)
+            return;
+        if (!header.jwk) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:malformed", "newAccount must include a 'jwk' member");
+            return;
+        }
+        if (!this.consumeNonce(header.nonce)) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:badNonce", "invalid nonce");
+            return;
+        }
+        const pub = Jws.publicKeyFromJwk(header.jwk);
+        if (Jws.verify(env, pub) === null) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:malformed", "JWS signature verify failed");
+            return;
+        }
+        const accountId = `acc-${shortId()}`;
+        const accountUrl = `${this.baseUrl}/account/${accountId}`;
+        this.accountJwks.set(accountUrl, header.jwk);
+        res.statusCode = 201;
+        res.setHeader("Content-Type", "application/json");
+        res.setHeader("Location", accountUrl);
+        res.setHeader("Replay-Nonce", this.mintNonce());
+        res.end(JSON.stringify({ status: wire.Status.VALID }));
+    }
+    async handleNewOrder(req, res) {
+        const env = await this.readEnvelope(req, res);
+        if (!env)
+            return;
+        const header = this.parseHeader(env, res);
+        if (!header)
+            return;
+        if (!this.consumeNonce(header.nonce)) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:badNonce", "invalid nonce");
+            return;
+        }
+        if (!this.verifyAccount(env, header)) {
+            this.sendProblem(res, 401, "urn:ietf:params:acme:error:accountDoesNotExist", `unknown kid: ${header.kid ?? "<missing>"}`);
+            return;
+        }
+        const payload = Jws.decodePayload(env);
+        if (!payload || !payload.identifiers?.length) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:malformed", "missing identifiers");
+            return;
+        }
+        const ident = payload.identifiers[0];
+        const orderId = `ord-${shortId()}`;
+        const authzId = `az-${shortId()}`;
+        const challId = `ch-${shortId()}`;
+        const token = Jws.b64uEncode(new Uint8Array(randomBytes(32)));
+        const orderUrl = `${this.baseUrl}/order/${orderId}`;
+        const authzUrl = `${this.baseUrl}/authz/${authzId}`;
+        const challUrl = `${this.baseUrl}/chall/${challId}`;
+        const finalizeUrl = `${this.baseUrl}/finalize/${orderId}`;
+        this.challenges.set(challId, {
+            id: challId, type: wire.CHALLENGE_AGENT_01, status: wire.Status.PENDING,
+            token, authzId, accountUrl: header.kid ?? "",
+        });
+        this.authzs.set(authzId, {
+            id: authzId, identifier: ident, status: wire.Status.PENDING,
+            challengeIds: [challId], accountUrl: header.kid ?? "",
+        });
+        this.orders.set(orderId, {
+            id: orderId, identifier: ident, status: wire.Status.PENDING,
+            authzId, finalizeUrl, accountUrl: header.kid ?? "",
+        });
+        const order = {
+            status: wire.Status.PENDING,
+            identifiers: [ident],
+            authorizations: [authzUrl],
+            finalize: finalizeUrl,
+        };
+        res.statusCode = 201;
+        res.setHeader("Content-Type", "application/json");
+        res.setHeader("Location", orderUrl);
+        res.setHeader("Replay-Nonce", this.mintNonce());
+        res.end(JSON.stringify(order));
+    }
+    async handleAuthz(req, res, url) {
+        const env = await this.readEnvelope(req, res);
+        if (!env)
+            return;
+        const header = this.parseHeader(env, res);
+        if (!header)
+            return;
+        if (!this.consumeNonce(header.nonce)) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:badNonce", "invalid nonce");
+            return;
+        }
+        if (!this.verifyAccount(env, header)) {
+            this.sendProblem(res, 401, "urn:ietf:params:acme:error:unauthorized", "bad sig");
+            return;
+        }
+        const id = url.replace(/^\/authz\//, "");
+        const az = this.authzs.get(id);
+        if (!az) {
+            this.sendProblem(res, 404, "urn:ietf:params:acme:error:malformed", "no authz");
+            return;
+        }
+        const challenges = az.challengeIds.map((cid) => {
+            const cs = this.challenges.get(cid);
+            return {
+                type: cs.type, url: `${this.baseUrl}/chall/${cs.id}`,
+                status: cs.status, token: cs.token,
+            };
+        });
+        const authz = {
+            status: az.status, identifier: az.identifier, challenges,
+        };
+        res.setHeader("Replay-Nonce", this.mintNonce());
+        this.sendJson(res, 200, authz);
+    }
+    async handleChallenge(req, res, url) {
+        const env = await this.readEnvelope(req, res);
+        if (!env)
+            return;
+        const header = this.parseHeader(env, res);
+        if (!header)
+            return;
+        if (!this.consumeNonce(header.nonce)) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:badNonce", "invalid nonce");
+            return;
+        }
+        const accountJwk = this.accountJwks.get(header.kid ?? "");
+        if (!accountJwk) {
+            this.sendProblem(res, 401, "urn:ietf:params:acme:error:accountDoesNotExist", "unknown kid");
+            return;
+        }
+        const accountPub = Jws.publicKeyFromJwk(accountJwk);
+        if (Jws.verify(env, accountPub) === null) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:malformed", "JWS sig fail");
+            return;
+        }
+        const id = url.replace(/^\/chall\//, "");
+        const ch = this.challenges.get(id);
+        if (!ch) {
+            this.sendProblem(res, 404, "urn:ietf:params:acme:error:malformed", "no chall");
+            return;
+        }
+        const payload = Jws.decodePayload(env);
+        if (!payload?.agent_signature) {
+            ch.status = wire.Status.INVALID;
+            this.sendProblem(res, 400, ACME_CHALLENGE_FAILED, "missing agent_signature in challenge response");
+            return;
+        }
+        try {
+            const sigBytes = Jws.b64uDecode(payload.agent_signature);
+            const tokenBytes = new TextEncoder().encode(ch.token);
+            if (!ed25519.verify(sigBytes, tokenBytes, accountPub)) {
+                ch.status = wire.Status.INVALID;
+                this.sendProblem(res, 400, ACME_CHALLENGE_FAILED, "agent-01 signature did not verify");
+                return;
+            }
+        }
+        catch (e) {
+            ch.status = wire.Status.INVALID;
+            this.sendProblem(res, 400, ACME_CHALLENGE_FAILED, `agent-01 verification error: ${e.message}`);
+            return;
+        }
+        ch.status = wire.Status.VALID;
+        const az = this.authzs.get(ch.authzId);
+        if (az)
+            az.status = wire.Status.VALID;
+        for (const o of this.orders.values()) {
+            if (o.authzId === ch.authzId)
+                o.status = wire.Status.READY;
+        }
+        res.setHeader("Replay-Nonce", this.mintNonce());
+        this.sendJson(res, 200, {
+            type: ch.type, url: `${this.baseUrl}/chall/${ch.id}`,
+            status: ch.status, token: ch.token,
+        });
+    }
+    async handleFinalize(req, res, url) {
+        const env = await this.readEnvelope(req, res);
+        if (!env)
+            return;
+        const header = this.parseHeader(env, res);
+        if (!header)
+            return;
+        if (!this.consumeNonce(header.nonce)) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:badNonce", "invalid nonce");
+            return;
+        }
+        if (!this.verifyAccount(env, header)) {
+            this.sendProblem(res, 401, "urn:ietf:params:acme:error:unauthorized", "bad sig");
+            return;
+        }
+        const orderId = url.replace(/^\/finalize\//, "");
+        const os = this.orders.get(orderId);
+        if (!os) {
+            this.sendProblem(res, 404, "urn:ietf:params:acme:error:malformed", "no order");
+            return;
+        }
+        if (os.status !== wire.Status.READY) {
+            this.sendProblem(res, 403, "urn:ietf:params:acme:error:orderNotReady", `order is in state '${os.status}', not 'ready'`);
+            return;
+        }
+        const fp = Jws.decodePayload(env);
+        if (!fp?.csr) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:malformed", "missing csr");
+            return;
+        }
+        try {
+            const csrDer = Jws.b64uDecode(fp.csr);
+            const csr = new x509.Pkcs10CertificateRequest(csrDer.buffer);
+            const subjectCn = (() => {
+                for (const rdn of csr.subject.split(",")) {
+                    const t = rdn.trim();
+                    if (t.startsWith("CN="))
+                        return t.slice(3).replace(/\\([",+;<>\\])/g, "$1");
+                }
+                return null;
+            })();
+            if (subjectCn !== os.identifier.value) {
+                this.sendProblem(res, 400, "NIP-CERT-SUBJECT-NID-MISMATCH", `CSR subject CN '${subjectCn ?? ""}' does not match order identifier '${os.identifier.value}'`);
+                return;
+            }
+            const subjectPub = await csr.publicKey.export();
+            const now = new Date();
+            const leaf = await issueLeaf({
+                subjectNid: os.identifier.value,
+                subjectPublicKey: subjectPub,
+                caKeys: this.options.caKeys,
+                issuerNid: this.options.caNid,
+                role: "agent",
+                assuranceLevel: AssuranceLevel.ANONYMOUS,
+                notBefore: new Date(now.getTime() - 60_000),
+                notAfter: new Date(now.getTime() + this.options.certValidityMs),
+                serialNumber: randomHexSerial(),
+            });
+            const certId = `crt-${shortId()}`;
+            const certUrl = `${this.baseUrl}/cert/${certId}`;
+            const pem = leaf.toString("pem") + this.options.caRootCert.toString("pem");
+            this.certs.set(certId, pem);
+            os.status = wire.Status.VALID;
+            os.certificateUrl = certUrl;
+        }
+        catch (e) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:badCSR", `CSR processing failed: ${e.message}`);
+            return;
+        }
+        const authzUrl = `${this.baseUrl}/authz/${os.authzId}`;
+        res.setHeader("Replay-Nonce", this.mintNonce());
+        this.sendJson(res, 200, {
+            status: os.status, identifiers: [os.identifier],
+            authorizations: [authzUrl], finalize: os.finalizeUrl,
+            certificate: os.certificateUrl,
+        });
+    }
+    async handleCert(req, res, url) {
+        const env = await this.readEnvelope(req, res);
+        if (!env)
+            return;
+        const header = this.parseHeader(env, res);
+        if (!header)
+            return;
+        if (!this.consumeNonce(header.nonce)) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:badNonce", "invalid nonce");
+            return;
+        }
+        if (!this.verifyAccount(env, header)) {
+            this.sendProblem(res, 401, "urn:ietf:params:acme:error:unauthorized", "bad sig");
+            return;
+        }
+        const certId = url.replace(/^\/cert\//, "");
+        const pem = this.certs.get(certId);
+        if (!pem) {
+            this.sendProblem(res, 404, "urn:ietf:params:acme:error:malformed", "no cert");
+            return;
+        }
+        res.statusCode = 200;
+        res.setHeader("Content-Type", wire.CONTENT_TYPE_PEM_CERT);
+        res.setHeader("Replay-Nonce", this.mintNonce());
+        res.end(pem);
+    }
+    async handleOrder(req, res, url) {
+        const env = await this.readEnvelope(req, res);
+        if (!env)
+            return;
+        const header = this.parseHeader(env, res);
+        if (!header)
+            return;
+        if (!this.consumeNonce(header.nonce)) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:badNonce", "invalid nonce");
+            return;
+        }
+        if (!this.verifyAccount(env, header)) {
+            this.sendProblem(res, 401, "urn:ietf:params:acme:error:unauthorized", "bad sig");
+            return;
+        }
+        const orderId = url.replace(/^\/order\//, "");
+        const os = this.orders.get(orderId);
+        if (!os) {
+            this.sendProblem(res, 404, "urn:ietf:params:acme:error:malformed", "no order");
+            return;
+        }
+        const authzUrl = `${this.baseUrl}/authz/${os.authzId}`;
+        res.setHeader("Replay-Nonce", this.mintNonce());
+        this.sendJson(res, 200, {
+            status: os.status, identifiers: [os.identifier],
+            authorizations: [authzUrl], finalize: os.finalizeUrl,
+            certificate: os.certificateUrl,
+        });
+    }
+    // ── helpers ──────────────────────────────────────────────────────────────
+    mintNonce() {
+        const n = Jws.b64uEncode(new Uint8Array(randomBytes(16)));
+        this.nonces.add(n);
+        return n;
+    }
+    consumeNonce(nonce) {
+        return this.nonces.delete(nonce);
+    }
+    verifyAccount(env, header) {
+        if (!header.kid)
+            return false;
+        const jwk = this.accountJwks.get(header.kid);
+        if (!jwk)
+            return false;
+        return Jws.verify(env, Jws.publicKeyFromJwk(jwk)) !== null;
+    }
+    async readEnvelope(req, res) {
+        try {
+            const chunks = [];
+            for await (const chunk of req) {
+                chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+            }
+            const body = Buffer.concat(chunks).toString("utf8");
+            return JSON.parse(body);
+        }
+        catch (e) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:malformed", `body read/parse failed: ${e.message}`);
+            return null;
+        }
+    }
+    parseHeader(env, res) {
+        try {
+            return JSON.parse(new TextDecoder().decode(Jws.b64uDecode(env.protected)));
+        }
+        catch (e) {
+            this.sendProblem(res, 400, "urn:ietf:params:acme:error:malformed", `malformed protected header: ${e.message}`);
+            return null;
+        }
+    }
+    sendJson(res, status, body) {
+        res.statusCode = status;
+        res.setHeader("Content-Type", "application/json");
+        res.end(JSON.stringify(body));
+    }
+    sendProblem(res, status, type, detail) {
+        res.statusCode = status;
+        res.setHeader("Content-Type", wire.CONTENT_TYPE_PROBLEM);
+        res.end(JSON.stringify({ type, detail, status }));
+    }
+}
+function shortId() {
+    return Buffer.from(randomBytes(8)).toString("hex");
+}
+function randomHexSerial() {
+    return Buffer.from(randomBytes(20)).toString("hex");
+}
+//# sourceMappingURL=server.js.map