chore(scripts): add get-dcv/verify-dcv probe scripts and Makefile targets

Add scripts/get-dcv.sh and scripts/verify-dcv.sh mirroring the
track-order.sh pattern. Both scripts source ~/.env_certinext and
certinext-auth.sh, accept ORDER_NUMBER, DOMAIN_NAME, and optional
DCV_METHOD (default 1=DNS TXT), and use jq --arg for safe JSON
construction to prevent injection via user-supplied values.

Add get-dcv and verify-dcv Makefile targets with DCV_METHOD variable
and register both in .PHONY.

Author: spbsoluble

Makefile

@@ -18,6 +18,8 @@ REPORT_DIR   := /tmp/certinext-coverage-report
         get-order-report orders \
         track-order get-order \
         get-certificate get-cert \
+        get-dcv \
+        verify-dcv \
         generate-order \
         revoke-order \
         submit-csr \
@@ -203,6 +205,31 @@ track-order get-order:
 get-certificate get-cert:
 	@ORDER_NUMBER=$(ORDER_NUMBER) scripts/get-certificate.sh
 
+# ---------------------------------------------------------------------------
+# GetDcv — POST {baseURL}GetDcv
+# Fetches the DCV token for a domain on an existing order
+# Mirrors ICERTInextClient.GetDcvAsync
+# Required: ORDER_NUMBER=<order number>  DOMAIN_NAME=<domain>
+# Optional: DCV_METHOD=1  (1=DNS TXT, 2=HTTP file, 3=Email; default 1)
+# ---------------------------------------------------------------------------
+
+DCV_METHOD ?= 1
+
+get-dcv:
+	@ORDER_NUMBER=$(ORDER_NUMBER) DOMAIN_NAME=$(DOMAIN_NAME) DCV_METHOD=$(DCV_METHOD) scripts/get-dcv.sh
+
+# ---------------------------------------------------------------------------
+# VerifyDcv — POST {baseURL}VerifyDcv
+# Instructs CERTInext to check the published DCV token for a domain
+# Mirrors ICERTInextClient.VerifyDcvAsync
+# Call after publishing the TXT record and allowing time for DNS propagation.
+# Required: ORDER_NUMBER=<order number>  DOMAIN_NAME=<domain>
+# Optional: DCV_METHOD=1  (default 1 = DNS TXT)
+# ---------------------------------------------------------------------------
+
+verify-dcv:
+	@ORDER_NUMBER=$(ORDER_NUMBER) DOMAIN_NAME=$(DOMAIN_NAME) DCV_METHOD=$(DCV_METHOD) scripts/verify-dcv.sh
+
 # ---------------------------------------------------------------------------
 # GenerateOrderSSL — POST {baseURL}GenerateOrderSSL
 # Places a new SSL/TLS certificate order — mirrors ICERTInextClient.PlaceOrderAsync

scripts/get-dcv.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Required env vars: ORDER_NUMBER, DOMAIN_NAME
+# Optional: DCV_METHOD (default: 1 = DNS TXT record)
+set -euo pipefail
+. ~/.env_certinext
+. "$(dirname "$0")/lib/certinext-auth.sh"
+
+ORDER_NUMBER="${ORDER_NUMBER:?Usage: ORDER_NUMBER=<order> DOMAIN_NAME=<domain> [DCV_METHOD=1] scripts/get-dcv.sh}"
+DOMAIN_NAME="${DOMAIN_NAME:?DOMAIN_NAME is required}"
+DCV_METHOD="${DCV_METHOD:-1}"
+
+read -r ts txn authKey <<< "$(certinext_meta)"
+
+# SOC2 CC6.1: do NOT echo authKey — it is a valid single-use request authenticator.
+echo "GetDcv  orderNumber=$ORDER_NUMBER  domainName=$DOMAIN_NAME  dcvMethod=$DCV_METHOD  ts=$ts  txn=$txn"
+
+# SOX CC6.6: use jq --arg to safely interpolate all user-supplied values into the JSON body,
+# preventing shell injection via specially crafted ORDER_NUMBER or DOMAIN_NAME values.
+jq -n \
+  --arg ver "1.0" \
+  --arg ts "$ts" \
+  --arg txn "$txn" \
+  --arg acct "$CERTINEXT_ACCOUNT_NUMBER" \
+  --arg authKey "$authKey" \
+  --arg email "$CERTINEXT_REQUESTOR_EMAIL" \
+  --arg order "$ORDER_NUMBER" \
+  --arg domain "$DOMAIN_NAME" \
+  --arg method "$DCV_METHOD" \
+  '{
+    meta: {ver: $ver, ts: $ts, txn: $txn, accountNumber: $acct, authKey: $authKey},
+    dcvDetails: {requestorEmail: $email, orderNumber: $order, domainName: $domain, dcvMethod: $method}
+  }' \
+| curl -s -X POST "$CERTINEXT_API_URL/GetDcv" \
+       -H "Content-Type: application/json" \
+       --data-binary @- \
+| jq .

scripts/verify-dcv.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Required env vars: ORDER_NUMBER, DOMAIN_NAME
+# Optional: DCV_METHOD (default: 1 = DNS TXT record)
+set -euo pipefail
+. ~/.env_certinext
+. "$(dirname "$0")/lib/certinext-auth.sh"
+
+ORDER_NUMBER="${ORDER_NUMBER:?Usage: ORDER_NUMBER=<order> DOMAIN_NAME=<domain> [DCV_METHOD=1] scripts/verify-dcv.sh}"
+DOMAIN_NAME="${DOMAIN_NAME:?DOMAIN_NAME is required}"
+DCV_METHOD="${DCV_METHOD:-1}"
+
+read -r ts txn authKey <<< "$(certinext_meta)"
+
+# SOC2 CC6.1: do NOT echo authKey — it is a valid single-use request authenticator.
+echo "VerifyDcv  orderNumber=$ORDER_NUMBER  domainName=$DOMAIN_NAME  dcvMethod=$DCV_METHOD  ts=$ts  txn=$txn"
+
+# SOX CC6.6: use jq --arg to safely interpolate all user-supplied values into the JSON body,
+# preventing shell injection via specially crafted ORDER_NUMBER or DOMAIN_NAME values.
+jq -n \
+  --arg ver "1.0" \
+  --arg ts "$ts" \
+  --arg txn "$txn" \
+  --arg acct "$CERTINEXT_ACCOUNT_NUMBER" \
+  --arg authKey "$authKey" \
+  --arg email "$CERTINEXT_REQUESTOR_EMAIL" \
+  --arg order "$ORDER_NUMBER" \
+  --arg domain "$DOMAIN_NAME" \
+  --arg method "$DCV_METHOD" \
+  '{
+    meta: {ver: $ver, ts: $ts, txn: $txn, accountNumber: $acct, authKey: $authKey},
+    dcvDetails: {requestorEmail: $email, orderNumber: $order, domainName: $domain, dcvMethod: $method}
+  }' \
+| curl -s -X POST "$CERTINEXT_API_URL/VerifyDcv" \
+       -H "Content-Type: application/json" \
+       --data-binary @- \
+| jq .