PKI-145 PKI ACME error IP Address SANs

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Greptile Summary

This PR extends Infisical's ACME certificate issuance to support IP address identifiers (RFC 8738), unblocking the use case where the underlying CA already supports IP SANs but the ACME layer was rejecting them. The changes span identifier validation, challenge type selection (HTTP-01 only for IP), CSR matching, and IPv6 URL construction.

Key changes:

• Adds AcmeIdentifierType.IP = "ip" to the schema enum.
• Validates IP identifiers via isValidIp and conditionally blocks private IPs when ownership verification is enabled.
• Restricts IP identifiers to HTTP-01 challenges only (DNS-01 not applicable per RFC 8738).
• Updates CSR finalization to match SANs and CN against both DNS and IP authorized identifiers using "type:value" pair sets.
• Adds IPv6 bracket wrapping for URL construction in HTTP-01 challenge validation.

Issues found:

• IPv6 support is broken when ownership verification is enabled: isPrivateIp in ipRange.ts only defines IPv4 BlockList ranges. For IPv6 addresses, BlockList.check(ip) defaults to type 'ipv4', which throws for non-IPv4 strings. This exception surfaces as a plain BadRequestError for all IPv6 identifiers when skipDnsOwnershipVerification=false, not a proper ACME error. IPv6 private/loopback addresses (e.g., ::1, fc00::/7, fe80::/10) are also completely unguarded.
• IPv6 Host header missing brackets: The HTTP Host header during HTTP-01 challenge validation uses the raw identifier value (e.g., ::1) without brackets, violating RFC 7230 §5.4. The URL construction was correctly fixed but the header was not.
• The private-IP validation inside the authorization-creation map callback is a duplicate of the pre-transaction loop and is unreachable dead code.

Confidence Score: 2/5

• Not safe to merge as-is: IPv6 IP identifiers are non-functional when ownership verification is enabled, and the IPv6 Host header violates RFC 7230.
• Two P1 logic bugs were found: (1) isPrivateIp is IPv4-only and either throws or incorrectly evaluates IPv6 addresses, meaning IPv6 IP identifiers are broken in the default configuration; (2) the HTTP Host header during challenge validation lacks required brackets for IPv6 literal addresses. Together these could silently fail for the primary new use-case (IPv6 IPs) while also leaving IPv6 private/loopback addresses unguarded against SSRF if the throw path is ever changed.
• backend/src/ee/services/pki-acme/pki-acme-service.ts (IPv6 private-IP guard) and backend/src/ee/services/pki-acme/pki-acme-challenge-service.ts (Host header brackets) need the most attention. The root cause is in backend/src/lib/ip/ipRange.ts, which needs IPv6 range support.

Important Files Changed

_{Last reviewed commit: "feat(pki): add IP ad..."}