npm - @primust/verifier - Versions diffs - 1.0.1 → 1.1.0 - Mend

@primust/verifier 1.0.1 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/{chunk-ZADQUKKN.js → chunk-NOADQWB6.js} +59 -10
package/dist/cli.js +1 -1
package/dist/index.js +1 -1
package/dist/tsa-chain-7KSQ5LAH.js +235 -0
package/package.json +1 -1

package/dist/{chunk-ZADQUKKN.js → chunk-NOADQWB6.js} RENAMED Viewed

@@ -2308,14 +2308,32 @@ async function verify3(artifact, options = {}, upstreamRootResolver) {
   }
   const tsAnchor = artifact.timestamp_anchor;
   if (tsAnchor && tsAnchor.type === "rfc3161" && typeof tsAnchor.value === "string") {
-    result.timestamp_anchor_valid = verifyTimestampImprint(
+    const imprintOk = verifyTimestampImprint(
       tsAnchor.value,
       timestampBody(artifact)
     );
-    if (result.timestamp_anchor_valid === false) {
+    if (imprintOk === false) {
+      result.timestamp_anchor_valid = false;
       result.warnings.push("rfc3161_imprint_mismatch");
-    } else if (result.timestamp_anchor_valid === true) {
-      result.warnings.push("rfc3161_tsa_cert_chain_not_verified");
+    } else if (imprintOk === true) {
+      let chain = null;
+      try {
+        const { verifyTsaChain } = await import("./tsa-chain-7KSQ5LAH.js");
+        chain = verifyTsaChain(tsAnchor.value);
+      } catch {
+        chain = null;
+      }
+      if (chain === null) {
+        result.timestamp_anchor_valid = true;
+        result.warnings.push("rfc3161_tsa_chain_verifier_unavailable");
+      } else if (chain.ok) {
+        result.timestamp_anchor_valid = true;
+      } else {
+        result.timestamp_anchor_valid = false;
+        result.warnings.push(`rfc3161_tsa_chain_invalid:${chain.reason}`);
+      }
+    } else {
+      result.timestamp_anchor_valid = null;
     }
   } else {
     result.timestamp_anchor_valid = null;
@@ -2829,23 +2847,54 @@ function findBuffer(haystack, needle) {
   return -1;
 }
 var REKOR_API = "https://rekor.sigstore.dev/api/v1";
+var DEFAULT_REVOKED_KEYS_URLS = [
+  "https://keys.primust.com/.well-known/primust-pubkeys/revoked.json",
+  "https://keys.eu.primust.com/.well-known/primust-pubkeys/revoked.json"
+];
+function revokedKeysUrls() {
+  const env = globalThis.process?.env?.PRIMUST_REVOKED_KEYS_URLS;
+  if (!env || !env.trim()) return DEFAULT_REVOKED_KEYS_URLS;
+  return env.split(",").map((s) => s.trim()).filter(Boolean);
+}
+async function isKeyRevoked(fingerprintHex) {
+  for (const url of revokedKeysUrls()) {
+    try {
+      const resp = await fetch(url, {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(3e3)
+      });
+      if (!resp.ok) continue;
+      const body = await resp.json();
+      const list = Array.isArray(body) ? body : Array.isArray(body.revoked) ? body.revoked : [];
+      const needle = fingerprintHex.toLowerCase();
+      for (const entry of list) {
+        if (typeof entry === "string" && entry.toLowerCase().replace(/^sha256:/, "") === needle) {
+          return true;
+        }
+      }
+      return false;
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
 async function checkRekor(publicKeyB64Url, kid) {
+  void kid;
   try {
     const keyBytes = fromBase64Url(publicKeyB64Url);
     const fingerprint = createHash("sha256").update(Buffer.from(keyBytes)).digest("hex");
+    const revoked = await isKeyRevoked(fingerprint);
+    if (revoked === true) return "revoked";
     const resp = await fetch(`${REKOR_API}/index/retrieve`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ hash: `sha256:${fingerprint}` }),
       signal: AbortSignal.timeout(5e3)
     });
-    if (!resp.ok) {
-      return "unavailable";
-    }
+    if (!resp.ok) return "unavailable";
     const entries = await resp.json();
-    if (!entries || entries.length === 0) {
-      return "not_found";
-    }
+    if (!entries || entries.length === 0) return "not_found";
     return "active";
   } catch {
     return "unavailable";

package/dist/cli.js CHANGED Viewed

@@ -2,7 +2,7 @@
 import {
   createUpstreamRootResolver,
   verify
-} from "./chunk-ZADQUKKN.js";
+} from "./chunk-NOADQWB6.js";
 // src/cli.ts
 import { readFileSync } from "fs";

package/dist/index.js CHANGED Viewed

@@ -3,7 +3,7 @@ import {
   createUpstreamRootResolver,
   seedKeyCache,
   verify
-} from "./chunk-ZADQUKKN.js";
+} from "./chunk-NOADQWB6.js";
 import {
   ALLOWED_KINDS,
   ALLOWED_TRUST_EDGES,

package/dist/tsa-chain-7KSQ5LAH.js ADDED Viewed

@@ -0,0 +1,235 @@
+// src/tsa-chain.ts
+import { X509Certificate, createHash } from "crypto";
+var DIGICERT_TRUSTED_ROOT_G4_FPR_HEX = "552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988";
+var TIME_STAMPING_EKU_OID = "1.3.6.1.5.5.7.3.8";
+var DIGICERT_TRUSTED_ROOT_G4_PEM = `-----BEGIN CERTIFICATE-----
+MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
+RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV
+UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
+Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y
+ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If
+xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV
+ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO
+DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ
+jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/
+CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi
+EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM
+fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY
+uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK
+chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t
+9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD
+ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2
+SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd
++SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc
+fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa
+sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N
+cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N
+0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie
+4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI
+r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
+/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
+gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
+-----END CERTIFICATE-----`;
+function loadBundledRoots() {
+  const out = [];
+  try {
+    out.push(new X509Certificate(DIGICERT_TRUSTED_ROOT_G4_PEM));
+  } catch {
+  }
+  return out;
+}
+var BUNDLED_ROOTS = loadBundledRoots();
+function trustedRootFprs() {
+  const env = globalThis.process?.env?.PRIMUST_TSA_ROOT_FPR;
+  if (!env || !env.trim()) {
+    return /* @__PURE__ */ new Set([DIGICERT_TRUSTED_ROOT_G4_FPR_HEX]);
+  }
+  return new Set(
+    env.split(",").map((f) => f.trim().toLowerCase().replace(/:/g, "")).filter(Boolean)
+  );
+}
+function verifyTsaChain(tsTokenB64) {
+  let tokenDer;
+  try {
+    tokenDer = Buffer.from(tsTokenB64, "base64");
+  } catch {
+    return { ok: false, reason: "parse_error" };
+  }
+  let certs;
+  try {
+    certs = extractCertificates(tokenDer);
+  } catch {
+    return { ok: false, reason: "parse_error" };
+  }
+  if (certs.length === 0) {
+    return { ok: false, reason: "no_certs" };
+  }
+  const trusted = trustedRootFprs();
+  let leaf = null;
+  for (const c of certs) {
+    if (hasTimeStampingEku(c)) {
+      leaf = c;
+      break;
+    }
+  }
+  if (!leaf) {
+    const subjects = new Set(certs.map((c) => c.subject));
+    const issuers = new Set(certs.map((c) => c.issuer));
+    for (const c of certs) {
+      if (subjects.has(c.subject) && !issuers.has(c.subject)) {
+        leaf = c;
+        break;
+      }
+    }
+  }
+  if (!leaf) {
+    return { ok: false, reason: "leaf_not_found" };
+  }
+  if (!hasTimeStampingEku(leaf)) {
+    return { ok: false, reason: "missing_eku" };
+  }
+  if (!isWithinValidity(leaf)) {
+    return { ok: false, reason: "expired" };
+  }
+  const candidateRoots = BUNDLED_ROOTS.filter(
+    (r) => trusted.has(certFingerprint(r))
+  );
+  const opRootPem = globalThis.process?.env?.PRIMUST_TSA_ROOT_PEM;
+  if (opRootPem) {
+    try {
+      const opRoot = new X509Certificate(opRootPem);
+      if (trusted.has(certFingerprint(opRoot))) {
+        candidateRoots.push(opRoot);
+      }
+    } catch {
+      return { ok: false, reason: "parse_error" };
+    }
+  }
+  if (candidateRoots.length === 0) {
+    return { ok: false, reason: "root_not_trusted" };
+  }
+  const bySubject = /* @__PURE__ */ new Map();
+  for (const c of certs) bySubject.set(c.subject, c);
+  const byRootSubject = /* @__PURE__ */ new Map();
+  for (const r of candidateRoots) byRootSubject.set(r.subject, r);
+  let current = leaf;
+  const seen = /* @__PURE__ */ new Set();
+  for (let hop = 0; hop < 8; hop++) {
+    if (seen.has(current.subject)) {
+      return { ok: false, reason: "chain_incomplete" };
+    }
+    seen.add(current.subject);
+    const rootCert = byRootSubject.get(current.issuer);
+    if (rootCert) {
+      if (!current.verify(rootCert.publicKey)) {
+        return { ok: false, reason: "signature_invalid" };
+      }
+      if (!isWithinValidity(rootCert)) {
+        return { ok: false, reason: "expired" };
+      }
+      return { ok: true, reason: "ok" };
+    }
+    const issuerCert = bySubject.get(current.issuer);
+    if (issuerCert && issuerCert !== current) {
+      if (!current.verify(issuerCert.publicKey)) {
+        return { ok: false, reason: "signature_invalid" };
+      }
+      if (!isWithinValidity(issuerCert)) {
+        return { ok: false, reason: "expired" };
+      }
+      if (issuerCert.subject === issuerCert.issuer) {
+        if (trusted.has(certFingerprint(issuerCert))) {
+          return { ok: true, reason: "ok" };
+        }
+        return { ok: false, reason: "root_not_trusted" };
+      }
+      current = issuerCert;
+      continue;
+    }
+    return { ok: false, reason: "chain_incomplete" };
+  }
+  return { ok: false, reason: "chain_incomplete" };
+}
+function certFingerprint(cert) {
+  return createHash("sha256").update(cert.raw).digest("hex");
+}
+function hasTimeStampingEku(cert) {
+  const info = cert.toString();
+  return info.includes(TIME_STAMPING_EKU_OID) || info.includes("Time Stamping");
+}
+function isWithinValidity(cert) {
+  const now = Date.now();
+  const nb = Date.parse(cert.validFrom);
+  const na = Date.parse(cert.validTo);
+  if (Number.isNaN(nb) || Number.isNaN(na)) return false;
+  return nb <= now && now <= na;
+}
+function extractCertificates(tokenDer) {
+  const signedDataOid = Buffer.from([
+    6,
+    9,
+    42,
+    134,
+    72,
+    134,
+    247,
+    13,
+    1,
+    7,
+    2
+  ]);
+  const oidIdx = tokenDer.indexOf(signedDataOid);
+  if (oidIdx === -1) return [];
+  const scanStart = oidIdx + signedDataOid.length;
+  const limit = tokenDer.length;
+  for (let i = scanStart; i < limit - 2; i++) {
+    if (tokenDer[i] === 160) {
+      const lenInfo = parseDerLength(tokenDer, i + 1);
+      if (!lenInfo) continue;
+      const { length, headerLen } = lenInfo;
+      const setStart = i + 1 + headerLen;
+      const setEnd = setStart + length;
+      if (setEnd > limit) continue;
+      const certs = [];
+      let p = setStart;
+      while (p < setEnd) {
+        if (tokenDer[p] !== 48) break;
+        const li = parseDerLength(tokenDer, p + 1);
+        if (!li) break;
+        const certLen = li.length;
+        const certHdr = li.headerLen;
+        const certEnd = p + 1 + certHdr + certLen;
+        if (certEnd > setEnd) break;
+        const certDer = tokenDer.subarray(p, certEnd);
+        try {
+          certs.push(new X509Certificate(certDer));
+        } catch {
+        }
+        p = certEnd;
+      }
+      if (certs.length > 0) return certs;
+    }
+  }
+  return [];
+}
+function parseDerLength(buf, offset) {
+  if (offset >= buf.length) return null;
+  const first = buf[offset];
+  if ((first & 128) === 0) {
+    return { length: first, headerLen: 1 };
+  }
+  const n = first & 127;
+  if (n === 0 || n > 4 || offset + n >= buf.length) return null;
+  let val = 0;
+  for (let i = 0; i < n; i++) {
+    val = val << 8 | buf[offset + 1 + i];
+  }
+  return { length: val, headerLen: 1 + n };
+}
+export {
+  verifyTsaChain
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@primust/verifier",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "Offline and CLI verifier for Primust VPECs. Free forever. No account required.",
   "homepage": "https://primust.com",
   "repository": {