chore: added raw subject to certificate ObtainRequest

acme/api/internal/sender/sender.go

@@ -29,7 +29,6 @@ type Doer struct {
 func NewDoer(client *http.Client, userAgent string) *Doer {
 	// EVT: disable HTTPS only to ensure no compatibility issues
 	// client.Transport = newHTTPSOnly(client)
-
 	return &Doer{
 		httpClient: client,
 		userAgent:  userAgent,
@@ -162,28 +161,3 @@ func checkError(req *http.Request, resp *http.Response) error {
 		return errorDetails
 	}
 }
-
-type httpsOnly struct {
-	rt http.RoundTripper
-}
-
-func newHTTPSOnly(client *http.Client) *httpsOnly {
-	if client.Transport == nil {
-		return &httpsOnly{rt: http.DefaultTransport}
-	}
-
-	return &httpsOnly{rt: client.Transport}
-}
-
-// RoundTrip ensure HTTPS is used.
-// Each ACME function is accomplished by the client sending a sequence of HTTPS requests to the server [RFC2818],
-// carrying JSON messages [RFC8259].
-// Use of HTTPS is REQUIRED.
-// https://datatracker.ietf.org/doc/html/rfc8555#section-6.1
-func (r *httpsOnly) RoundTrip(req *http.Request) (*http.Response, error) {
-	if req.URL.Scheme != "https" {
-		return nil, fmt.Errorf("HTTPS is required: %s", req.URL)
-	}
-
-	return r.rt.RoundTrip(req)
-}

acme/api/internal/sender/sender_test.go

@@ -72,16 +72,6 @@ func TestDo_CustomUserAgent(t *testing.T) {
 	assert.Len(t, strings.Split(ua, " "), 5)
 }
 
-func TestDo_failWithHTTP(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {}))
-	t.Cleanup(server.Close)
-
-	sender := NewDoer(server.Client(), "test")
-
-	_, err := sender.Post(server.URL, strings.NewReader("data"), "text/plain", nil)
-	require.ErrorContains(t, err, "HTTPS is required: http://")
-}
-
 func Test_checkError(t *testing.T) {
 	testCases := []struct {
 		desc   string

certcrypto/crypto.go

@@ -153,6 +153,7 @@ type CSROptions struct {
 	MustStaple     bool
 	EmailAddresses []string
 	Subject        pkix.Name
+	RawSubject     []byte
 }
 
 func CreateCSR(privateKey crypto.PrivateKey, opts CSROptions) ([]byte, error) {
@@ -169,13 +170,22 @@ func CreateCSR(privateKey crypto.PrivateKey, opts CSROptions) ([]byte, error) {
 		}
 	}
 
-	opts.Subject.CommonName = opts.Domain
-
-	template := x509.CertificateRequest{
-		Subject:        opts.Subject,
-		DNSNames:       dnsNames,
-		EmailAddresses: opts.EmailAddresses,
-		IPAddresses:    ipAddresses,
+	var template x509.CertificateRequest
+	if len(opts.RawSubject) > 0 {
+		template = x509.CertificateRequest{
+			RawSubject:     opts.RawSubject,
+			DNSNames:       dnsNames,
+			EmailAddresses: opts.EmailAddresses,
+			IPAddresses:    ipAddresses,
+		}
+	} else {
+		opts.Subject.CommonName = opts.Domain
+		template = x509.CertificateRequest{
+			Subject:        opts.Subject,
+			DNSNames:       dnsNames,
+			EmailAddresses: opts.EmailAddresses,
+			IPAddresses:    ipAddresses,
+		}
 	}
 
 	if opts.MustStaple {

certcrypto/crypto_test.go

@@ -6,6 +6,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/pem"
 	"testing"
 	"time"
@@ -32,6 +33,20 @@ func TestGenerateCSR(t *testing.T) {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
 	require.NoError(t, err, "Error generating private key")
 
+	var rdns pkix.RDNSequence
+
+	rdns = append(rdns, pkix.RDNSequence{
+		{{Type: []int{2, 5, 4, 3}, Value: "example.com"}},
+	}...)
+	rdns = append(rdns, pkix.RDNSequence{
+		{{Type: []int{2, 5, 4, 6}, Value: "FR"}},
+	}...)
+	rdns = append(rdns, pkix.RDNSequence{
+		{{Type: []int{2, 5, 4, 10}, Value: "EVERTRUST"}},
+	}...)
+	rawSubject, err := asn1.Marshal(rdns)
+	require.NoError(t, err, "Error marshaling raw subject")
+
 	type expected struct {
 		len   int
 		error bool
@@ -124,6 +139,17 @@ func TestGenerateCSR(t *testing.T) {
 			},
 			expected: expected{len: 454},
 		},
+		{
+			desc:       "with raw subject",
+			privateKey: privateKey,
+			opts: CSROptions{
+				Domain:         "example.com",
+				SAN:            []string{"example.org"},
+				EmailAddresses: []string{"foo@example.com", "bar@example.com"},
+				RawSubject:     rawSubject,
+			},
+			expected: expected{len: 454},
+		},
 	}
 
 	for _, test := range testCases {

certificate/certificates.go

@@ -69,6 +69,7 @@ type Resource struct {
 type ObtainRequest struct {
 	Domains        []string
 	Subject        pkix.Name
+	RawSubject     []byte
 	PrivateKey     crypto.PrivateKey
 	MustStaple     bool
 	EmailAddresses []string
@@ -335,6 +336,7 @@ func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, requ
 		MustStaple:     request.MustStaple,
 		EmailAddresses: request.EmailAddresses,
 		Subject:        request.Subject,
+		RawSubject:     request.RawSubject,
 	}
 
 	csr, err := certcrypto.CreateCSR(privateKey, csrOptions)