Features/external account binding #39

Merged
jjrdk merged 9 commits into master from features/external-account-binding
Apr 11, 2026
@jjrdk jjrdk commented Apr 11, 2026

Implement external account binding to support external account requirements

Copilot AI left a comment

Pull request overview

Implements ACME External Account Binding (EAB) support (RFC 8555 §7.3.4) by adding storage for provisioned external account keys, validating EAB JWS bindings on new-account requests, and extending conformance tests to cover EAB scenarios.

Changes:

  • Add ExternalAccountKey model + persistence (IStoreExternalAccountKeys) with file-based and in-memory implementations.
  • Add IExternalAccountBindingService + default validator to verify EAB flattened JWS (HMAC + url + payload JWK match).
  • Update account creation flow to accept/bind an external account key id, and add conformance scenarios + step definitions for EAB.

Reviewed changes

Copilot reviewed 17 out of 19 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| web/package-lock.json | Bumps a few frontend dependency versions. |
| tests/opencertserver.lambda.tests/opencertserver.lambda.tests.csproj | Updates AWS SDK extensions package version. |
| tests/opencertserver.certserver.tests/StepDefinitions/AcmeConformance.cs | Adds step definitions + helpers for EAB conformance scenarios. |
| tests/opencertserver.certserver.tests/Features/AcmeConformance.feature | Adds new EAB rule/scenarios to the conformance feature. |
| tests/opencertserver.certserver.tests/Features/AcmeConformance.feature.cs | Regenerated feature code to include EAB scenarios. |
| src/opencertserver.acme.server/Stores/InMemoryExternalAccountKeyStore.cs | Adds in-memory EAB key store implementation. |
| src/opencertserver.acme.server/Stores/ExternalAccountKeyStore.cs | Adds file-based EAB key store implementation. |
| src/opencertserver.acme.server/Services/DefaultExternalAccountBindingService.cs | Implements EAB JWS validation + active-key checks. |
| src/opencertserver.acme.server/Endpoints/AccountEndpoints.cs | Validates EAB on new-account and binds the external account id to created accounts. |
| src/opencertserver.acme.server/Services/DefaultAccountService.cs | Extends account creation to accept an external account id. |
| src/opencertserver.acme.server/JsonDefaults.cs | Adds source-gen serialization metadata for ExternalAccountKey. |
| src/opencertserver.acme.server/Extensions/ServiceCollectionExtensions.cs | Registers EAB service and key stores for file/in-memory setups. |
| src/opencertserver.acme.server/Configuration/FileStoreOptions.cs | Adds ExternalAccountKeyPath location under file store base path. |
| src/opencertserver.acme.abstractions/Storage/IStoreExternalAccountKeys.cs | Introduces storage contract for external account keys. |
| src/opencertserver.acme.abstractions/Services/IExternalAccountBindingService.cs | Introduces service contract for EAB validation / key status checks. |
| src/opencertserver.acme.abstractions/Services/IAccountService.cs | Extends account creation API with optional external account id. |
| src/opencertserver.acme.abstractions/Model/ExternalAccountKey.cs | Adds the external account key domain model. |
| src/opencertserver.acme.abstractions/Model/Account.cs | Persists the external account id on accounts created with EAB. |
| src/opencertserver.acme.abstractions/Exceptions/ExternalAccountBindingException.cs | Adds EAB-specific exception mapped to externalAccountRequired. |
Files not reviewed (2)
  • tests/opencertserver.certserver.tests/Features/AcmeConformance.feature.cs: Language not supported
  • web/package-lock.json: Language not supported
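
The checks named in the overview above (HMAC, url, payload JWK match), sketched as an added example of RFC 8555 §7.3.4 validation. This is not the pull request's C# code: the function names, the dict-based key store, and the sample kid, key, JWK and URL are all assumptions constructed for illustration, and only HS256 is handled.

```python
import base64, hashlib, hmac, json

# Constructed sample values, not taken from the pull request.
KEYS = {"kid-1": b"constructed-mac-key-32-bytes-long"}   # kid -> provisioned MAC key
JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
URL = "https://ca.example/acme/new-account"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_eab(kid, mac_key, account_jwk, url):
    """Client side: flattened JWS carried in externalAccountBinding."""
    protected = b64u(json.dumps({"alg": "HS256", "kid": kid, "url": url}).encode())
    payload = b64u(json.dumps(account_jwk).encode())
    sig = hmac.new(mac_key, f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64u(sig)}

def validate_eab(eab, outer_jwk, outer_url, key_store):
    """Server side: return the bound kid, or raise ValueError."""
    header = json.loads(b64u_dec(eab["protected"]))
    # Only a MAC algorithm is acceptable; this also rejects "none".
    if header.get("alg") != "HS256":
        raise ValueError("alg must be a MAC algorithm")
    # The inner JWS must not carry its own nonce.
    if "nonce" in header:
        raise ValueError("nonce must not be present")
    # The inner url must equal the url of the outer new-account JWS.
    if header.get("url") != outer_url:
        raise ValueError("url mismatch")
    mac_key = key_store.get(header.get("kid"))
    if mac_key is None:
        raise ValueError("unknown kid")
    # Verify the MAC in constant time before trusting the payload.
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(eab["signature"])):
        raise ValueError("bad MAC")
    # The payload must be the same account key that signed the outer JWS.
    if json.loads(b64u_dec(eab["payload"])) != outer_jwk:
        raise ValueError("payload JWK differs from account key")
    return header["kid"]
```
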

Comment thread src/opencertserver.acme.server/Stores/ExternalAccountKeyStore.cs
Comment thread src/opencertserver.acme.server/Services/DefaultExternalAccountBindingService.cs Outdated
Comment thread src/opencertserver.acme.server/Endpoints/AccountEndpoints.cs Outdated
Comment thread tests/opencertserver.certserver.tests/StepDefinitions/AcmeConformance.cs Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
jjrdk and others added 2 commits April 11, 2026 23:18
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ormance.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

jjrdk commented Apr 11, 2026

@copilot apply changes based on the comments in this thread

jjrdk commented Apr 11, 2026

@copilot apply changes based on the comments in this thread

@jjrdk jjrdk merged commit fc79b3e into master Apr 11, 2026
7 of 8 checks passed
@jjrdk jjrdk deleted the features/external-account-binding branch April 11, 2026 21:48
Copilot stopped work on behalf of jjrdk due to an error April 11, 2026 21:48