npm - @peac/protocol - Versions diffs - 0.11.2 → 0.11.3 - Mend

@peac/protocol 0.11.2 → 0.11.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +68 -3
package/dist/discovery.d.ts.map +1 -1
package/dist/index.cjs +98 -4
package/dist/index.cjs.map +1 -1
package/dist/index.mjs +98 -6
package/dist/index.mjs.map +1 -1
package/dist/jwks-resolver.d.ts +20 -0
package/dist/jwks-resolver.d.ts.map +1 -1
package/dist/verify.d.ts.map +1 -1
package/package.json +4 -4

package/dist/index.mjs CHANGED Viewed

@@ -2,7 +2,7 @@ import { uuidv7 } from 'uuidv7';
 import { sign, decode, verify, sha256Hex, computeJwkThumbprint, jwkToPublicKeyBytes, base64urlDecode } from '@peac/crypto';
 export { base64urlDecode, base64urlEncode, computeJwkThumbprint, generateKeypair, jwkToPublicKeyBytes, sha256Bytes, sha256Hex, verify } from '@peac/crypto';
 import { ZodError } from 'zod';
-import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER } from '@peac/schema';
+import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, PEAC_ISSUER_CONFIG_MAX_BYTES, validateRevokedKeys, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER } from '@peac/schema';
 import { createHash } from 'crypto';
 import { VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION, WIRE_TYPE } from '@peac/kernel';
@@ -237,6 +237,17 @@ function parseIssuerConfig(json) {
       throw new Error("payment_rails must be an array");
     }
   }
+  let revokedKeys;
+  if (obj.revoked_keys !== void 0) {
+    if (!Array.isArray(obj.revoked_keys)) {
+      throw new Error("revoked_keys must be an array");
+    }
+    const result = validateRevokedKeys(obj.revoked_keys);
+    if (!result.ok) {
+      throw new Error(`Invalid revoked_keys: ${result.error}`);
+    }
+    revokedKeys = result.value;
+  }
   return {
     version: obj.version,
     issuer: obj.issuer,
@@ -245,7 +256,8 @@ function parseIssuerConfig(json) {
     receipt_versions: obj.receipt_versions,
     algorithms: obj.algorithms,
     payment_rails: obj.payment_rails,
-    security_contact: obj.security_contact
+    security_contact: obj.security_contact,
+    revoked_keys: revokedKeys
   };
 }
 async function fetchIssuerConfig(issuerUrl) {
@@ -932,6 +944,53 @@ async function fetchPointerSafe(pointerUrl, options) {
 var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
 var DEFAULT_MAX_CACHE_ENTRIES = 1e3;
 var jwksCache = /* @__PURE__ */ new Map();
+var KID_RETENTION_MS = 30 * 24 * 60 * 60 * 1e3;
+var MAX_KID_THUMBPRINT_ENTRIES = 1e4;
+var kidThumbprints = /* @__PURE__ */ new Map();
+function pruneExpiredKidEntries(now) {
+  for (const [key, entry] of kidThumbprints) {
+    if (now - entry.firstSeen >= KID_RETENTION_MS) {
+      kidThumbprints.delete(key);
+    }
+  }
+}
+function evictOldestKidEntries() {
+  if (kidThumbprints.size <= MAX_KID_THUMBPRINT_ENTRIES) return;
+  const entries = Array.from(kidThumbprints.entries()).sort(
+    (a, b) => a[1].firstSeen - b[1].firstSeen
+  );
+  const toRemove = kidThumbprints.size - MAX_KID_THUMBPRINT_ENTRIES;
+  for (let i = 0; i < toRemove; i++) {
+    kidThumbprints.delete(entries[i][0]);
+  }
+}
+function checkKidReuse(issuer, jwks, now) {
+  pruneExpiredKidEntries(now);
+  for (const key of jwks.keys) {
+    if (!key.kid || !key.x) continue;
+    const mapKey = `${issuer}|${key.kid}`;
+    const existing = kidThumbprints.get(mapKey);
+    if (existing) {
+      if (now - existing.firstSeen < KID_RETENTION_MS) {
+        if (existing.thumbprint !== key.x) {
+          return `Kid reuse detected: kid=${key.kid} for issuer ${issuer} maps to different key material`;
+        }
+      } else {
+        kidThumbprints.set(mapKey, { thumbprint: key.x, firstSeen: now });
+      }
+    } else {
+      kidThumbprints.set(mapKey, { thumbprint: key.x, firstSeen: now });
+    }
+  }
+  evictOldestKidEntries();
+  return null;
+}
+function clearKidThumbprints() {
+  kidThumbprints.clear();
+}
+function getKidThumbprintSize() {
+  return kidThumbprints.size;
+}
 function cacheGet(key, now) {
   const entry = jwksCache.get(key);
   if (!entry) return void 0;
@@ -1020,7 +1079,7 @@ async function resolveJWKS(issuerUrl, options) {
   if (!noCache) {
     const cached = cacheGet(normalizedIssuer, now);
     if (cached) {
-      return { ok: true, jwks: cached.jwks, fromCache: true };
+      return { ok: true, jwks: cached.jwks, fromCache: true, revokedKeys: cached.revokedKeys };
     }
   }
   if (!normalizedIssuer.startsWith("https://")) {
@@ -1115,14 +1174,28 @@ async function resolveJWKS(issuerUrl, options) {
       message: `JWKS has too many keys: ${jwks.keys.length} > ${VERIFIER_LIMITS.maxJwksKeys}`
     };
   }
+  const kidReuseError = checkKidReuse(normalizedIssuer, jwks, now);
+  if (kidReuseError) {
+    return {
+      ok: false,
+      code: "E_KID_REUSE_DETECTED",
+      message: kidReuseError
+    };
+  }
+  const revokedKeys = issuerConfig.revoked_keys?.map((entry) => ({
+    kid: entry.kid,
+    revoked_at: entry.revoked_at,
+    reason: entry.reason
+  }));
   if (!noCache) {
-    cacheSet(normalizedIssuer, { jwks, expiresAt: now + cacheTtlMs }, maxCacheEntries);
+    cacheSet(normalizedIssuer, { jwks, expiresAt: now + cacheTtlMs, revokedKeys }, maxCacheEntries);
   }
   return {
     ok: true,
     jwks,
     fromCache: false,
-    rawBytes: jwksResult.rawBytes
+    rawBytes: jwksResult.rawBytes,
+    revokedKeys
   };
 }
@@ -1183,6 +1256,25 @@ async function verifyReceipt(optionsOrJws) {
     if (!jwksResult.fromCache) {
       jwksFetchTime = performance.now() - jwksFetchStart;
     }
+    if (jwksResult.revokedKeys) {
+      const revokedEntry = jwksResult.revokedKeys.find((rk) => rk.kid === header.kid);
+      if (revokedEntry) {
+        const durationMs = performance.now() - startTime;
+        fireTelemetryHook(telemetry?.onReceiptVerified, {
+          receiptHash: hashReceipt(receiptJws),
+          valid: false,
+          reasonCode: "key_revoked",
+          issuer: payload.iss,
+          kid: header.kid,
+          durationMs
+        });
+        return {
+          ok: false,
+          reason: "key_revoked",
+          details: `Key kid=${header.kid} was revoked at ${revokedEntry.revoked_at}${revokedEntry.reason ? ` (reason: ${revokedEntry.reason})` : ""}`
+        };
+      }
+    }
     const jwk = jwksResult.jwks.keys.find((k) => k.kid === header.kid);
     if (!jwk) {
       const durationMs = performance.now() - startTime;
@@ -2728,6 +2820,6 @@ async function verifyAndFetchPointer(pointerHeader, fetchOptions) {
   });
 }
-export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, clearJWKSCache, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, issue, issueJws, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, resolveJWKS, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
+export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, clearJWKSCache, clearKidThumbprints, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getKidThumbprintSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, issue, issueJws, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, resolveJWKS, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map