feat: enhance certificate model

2025-10-04 13:34:52 +00:00 · 2025-02-06 16:01:46 +08:00
parent 5f5c835533
commit a41ee9c3ca
30 changed files with 545 additions and 273 deletions
--- a/internal/applicant/acme_user.go
+++ b/internal/applicant/acme_user.go
@@ -1,6 +1,7 @@
 package applicant

 import (
+	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
@@ -110,14 +111,11 @@ func registerAcmeUser(client *lego.Client, sslProviderConfig *acmeSSLProviderCon
 			Kid:                  sslProviderConfig.Config.GoogleTrustServices.EabKid,
 			HmacEncoded:          sslProviderConfig.Config.GoogleTrustServices.EabHmacKey,
 		})
-
 	case sslProviderLetsEncrypt, sslProviderLetsEncryptStaging:
 		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
-
 	default:
 		err = fmt.Errorf("unsupported ssl provider: %s", sslProviderConfig.Provider)
 	}
-
 	if err != nil {
 		return nil, err
 	}
@@ -129,7 +127,12 @@ func registerAcmeUser(client *lego.Client, sslProviderConfig *acmeSSLProviderCon
 		return resp.Resource, nil
 	}

-	if err := repo.Save(sslProviderConfig.Provider, user.GetEmail(), user.getPrivateKeyPEM(), reg); err != nil {
+	if _, err := repo.Save(context.Background(), &domain.AcmeAccount{
+		CA:       sslProviderConfig.Provider,
+		Email:    user.GetEmail(),
+		Key:      user.getPrivateKeyPEM(),
+		Resource: reg,
+	}); err != nil {
 		return nil, fmt.Errorf("failed to save registration: %w", err)
 	}

--- a/internal/applicant/applicant.go
+++ b/internal/applicant/applicant.go
@@ -26,6 +26,7 @@ type ApplyCertResult struct {
 	CertificateFullChain string
 	IssuerCertificate    string
 	PrivateKey           string
+	ACMEAccountUrl       string
 	ACMECertUrl          string
 	ACMECertStableUrl    string
 	CSR                  string
@@ -46,8 +47,7 @@ type applicantOptions struct {
 	DnsPropagationTimeout int32
 	DnsTTL                int32
 	DisableFollowCNAME    bool
-	DisableARI            bool
-	SkipBeforeExpiryDays  int32
+	ReplacedARIAccount    string
 	ReplacedARICertId     string
 }

@@ -67,8 +67,6 @@ func NewWithApplyNode(node *domain.WorkflowNode) (Applicant, error) {
 		DnsPropagationTimeout: nodeConfig.DnsPropagationTimeout,
 		DnsTTL:                nodeConfig.DnsTTL,
 		DisableFollowCNAME:    nodeConfig.DisableFollowCNAME,
-		DisableARI:            nodeConfig.DisableARI,
-		SkipBeforeExpiryDays:  nodeConfig.SkipBeforeExpiryDays,
 	}

 	accessRepo := repository.NewAccessRepository()
@@ -95,6 +93,7 @@ func NewWithApplyNode(node *domain.WorkflowNode) (Applicant, error) {
 			lastCertX509, _ := certcrypto.ParsePEMCertificate([]byte(lastCertificate.Certificate))
 			if lastCertX509 != nil {
 				replacedARICertId, _ := certificate.MakeARICertID(lastCertX509)
+				options.ReplacedARIAccount = lastCertificate.ACMEAccountUrl
 				options.ReplacedARICertId = replacedARICertId
 			}
 		}
@@ -141,7 +140,7 @@ func apply(challengeProvider challenge.Provider, options *applicantOptions) (*Ap
 	// Create an ACME client config
 	config := lego.NewConfig(acmeUser)
 	config.CADirURL = sslProviderUrls[sslProviderConfig.Provider]
-	config.Certificate.KeyType = parseKeyAlgorithm(options.KeyAlgorithm)
+	config.Certificate.KeyType = parseKeyAlgorithm(domain.CertificateKeyAlgorithmType(options.KeyAlgorithm))

 	// Create an ACME client
 	client, err := lego.NewClient(config)
@@ -171,7 +170,7 @@ func apply(challengeProvider challenge.Provider, options *applicantOptions) (*Ap
 		Domains: options.Domains,
 		Bundle:  true,
 	}
-	if !options.DisableARI {
+	if options.ReplacedARICertId != "" && options.ReplacedARIAccount != acmeUser.Registration.URI {
 		certRequest.ReplacesCertID = options.ReplacedARICertId
 	}
 	certResource, err := client.Certificate.Obtain(certRequest)
@@ -183,29 +182,30 @@ func apply(challengeProvider challenge.Provider, options *applicantOptions) (*Ap
 		CertificateFullChain: strings.TrimSpace(string(certResource.Certificate)),
 		IssuerCertificate:    strings.TrimSpace(string(certResource.IssuerCertificate)),
 		PrivateKey:           strings.TrimSpace(string(certResource.PrivateKey)),
+		ACMEAccountUrl:       acmeUser.Registration.URI,
 		ACMECertUrl:          certResource.CertURL,
 		ACMECertStableUrl:    certResource.CertStableURL,
 		CSR:                  strings.TrimSpace(string(certResource.CSR)),
 	}, nil
 }

-func parseKeyAlgorithm(algo string) certcrypto.KeyType {
+func parseKeyAlgorithm(algo domain.CertificateKeyAlgorithmType) certcrypto.KeyType {
 	switch algo {
-	case "RSA2048":
+	case domain.CertificateKeyAlgorithmTypeRSA2048:
 		return certcrypto.RSA2048
-	case "RSA3072":
+	case domain.CertificateKeyAlgorithmTypeRSA3072:
 		return certcrypto.RSA3072
-	case "RSA4096":
+	case domain.CertificateKeyAlgorithmTypeRSA4096:
 		return certcrypto.RSA4096
-	case "RSA8192":
+	case domain.CertificateKeyAlgorithmTypeRSA8192:
 		return certcrypto.RSA8192
-	case "EC256":
+	case domain.CertificateKeyAlgorithmTypeEC256:
 		return certcrypto.EC256
-	case "EC384":
+	case domain.CertificateKeyAlgorithmTypeEC384:
 		return certcrypto.EC384
-	default:
-		return certcrypto.RSA2048
 	}
+
+	return certcrypto.RSA2048
 }

 // TODO: 暂时使用代理模式以兼容之前版本代码，后续重新实现此处逻辑