npm - @stackwright-pro/auth - Versions diffs - 0.2.0-alpha.4 → 0.2.0-alpha.5 - Mend

@stackwright-pro/auth 0.2.0-alpha.4 → 0.2.0-alpha.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -210,6 +210,8 @@ var AuditEventType = /* @__PURE__ */ ((AuditEventType2) => {
   AuditEventType2["PKI_CERT_VALIDATED"] = "pki.cert.validated";
   AuditEventType2["PKI_CERT_REJECTED"] = "pki.cert.rejected";
   AuditEventType2["PKI_HEADER_SIG_FAILED"] = "pki.header_sig.failed";
+  AuditEventType2["PKI_CERT_REVOKED"] = "pki.cert.revoked";
+  AuditEventType2["PKI_REVOCATION_CHECK_FAILED"] = "pki.revocation_check.failed";
   AuditEventType2["OIDC_STATE_MISMATCH"] = "oidc.state_mismatch";
   AuditEventType2["OIDC_TOKEN_EXCHANGE"] = "oidc.token_exchange";
   AuditEventType2["OIDC_NONCE_MISMATCH"] = "oidc.nonce_mismatch";
@@ -242,13 +244,380 @@ function createAuditEvent(type, outcome, details) {
   };
 }
+// src/pki/revocation-checker.ts
+var RevocationCache = class {
+  store = /* @__PURE__ */ new Map();
+  maxAgeMs;
+  constructor(cacheMaxAgeSecs = 300) {
+    this.maxAgeMs = cacheMaxAgeSecs * 1e3;
+  }
+  get(serialNumber) {
+    const entry = this.store.get(serialNumber);
+    if (!entry) return null;
+    if (Date.now() > entry.expiresAt) {
+      this.store.delete(serialNumber);
+      return null;
+    }
+    return entry.status;
+  }
+  set(serialNumber, status) {
+    this.store.set(serialNumber, {
+      status,
+      expiresAt: Date.now() + this.maxAgeMs
+    });
+  }
+  /** Invalidate a single entry (e.g. after a forced re-check) */
+  invalidate(serialNumber) {
+    this.store.delete(serialNumber);
+  }
+  /** Number of cached entries (for testing/monitoring) */
+  get size() {
+    return this.store.size;
+  }
+};
+var SkipRevocationChecker = class {
+  reason;
+  constructor(reason = "Revocation checking delegated to upstream gateway") {
+    this.reason = reason;
+  }
+  async check(_input) {
+    return { revoked: false, skipped: true, reason: this.reason };
+  }
+};
+var CRLRevocationChecker = class {
+  cache;
+  config;
+  constructor(config) {
+    this.config = config;
+    this.cache = new RevocationCache(config.cacheMaxAge ?? 300);
+  }
+  async check(input) {
+    const { serialNumber } = input;
+    const crlUrl = this.config.crlDistributionPoint;
+    if (!crlUrl) {
+      if (this.config.hardFail) {
+        throw new Error("[revocation] CRL strategy requires crlDistributionPoint to be configured");
+      }
+      return {
+        revoked: false,
+        skipped: true,
+        reason: "CRL distribution point not configured"
+      };
+    }
+    const cached = this.cache.get(serialNumber);
+    if (cached !== null) return cached;
+    let derBuffer;
+    try {
+      const controller = new AbortController();
+      const timer = setTimeout(
+        () => controller.abort(),
+        this.config.timeoutMs ?? 5e3
+      );
+      const response = await fetch(crlUrl, {
+        signal: controller.signal,
+        headers: { Accept: "application/pkix-crl" }
+      });
+      clearTimeout(timer);
+      if (!response.ok) {
+        throw new Error(`CRL fetch returned HTTP ${response.status}`);
+      }
+      derBuffer = await response.arrayBuffer();
+    } catch (err) {
+      if (this.config.hardFail) {
+        throw new Error(`[revocation] CRL fetch failed (hardFail=true): ${String(err)}`);
+      }
+      return { revoked: false, skipped: true, reason: `CRL fetch failed: ${String(err)}` };
+    }
+    let revokedSerials;
+    try {
+      revokedSerials = parseCRLRevokedSerials(Buffer.from(derBuffer));
+    } catch (err) {
+      if (this.config.hardFail) {
+        throw new Error(`[revocation] CRL parse failed (hardFail=true): ${String(err)}`);
+      }
+      return { revoked: false, skipped: true, reason: `CRL parse failed: ${String(err)}` };
+    }
+    const normalizedSerial = normalizeSerial(serialNumber);
+    const isRevoked = revokedSerials.has(normalizedSerial);
+    const status = isRevoked ? { revoked: true, reason: "Certificate found in CRL" } : { revoked: false };
+    this.cache.set(serialNumber, status);
+    return status;
+  }
+  /** Exposed for testing */
+  get _cache() {
+    return this.cache;
+  }
+};
+var OCSPRevocationChecker = class {
+  cache;
+  config;
+  constructor(config) {
+    this.config = config;
+    this.cache = new RevocationCache(config.cacheMaxAge ?? 300);
+  }
+  async check(input) {
+    const { serialNumber } = input;
+    const ocspUrl = this.config.ocspResponderUrl;
+    if (!ocspUrl) {
+      if (this.config.hardFail) {
+        throw new Error("[revocation] OCSP strategy requires ocspResponderUrl to be configured");
+      }
+      return {
+        revoked: false,
+        skipped: true,
+        reason: "OCSP responder URL not configured"
+      };
+    }
+    const cached = this.cache.get(serialNumber);
+    if (cached !== null) return cached;
+    let response;
+    try {
+      const ocspRequest = buildOCSPGetRequest(ocspUrl, serialNumber);
+      const controller = new AbortController();
+      const timer = setTimeout(
+        () => controller.abort(),
+        this.config.timeoutMs ?? 5e3
+      );
+      response = await fetch(ocspRequest, {
+        signal: controller.signal,
+        headers: { Accept: "application/ocsp-response" }
+      });
+      clearTimeout(timer);
+    } catch (err) {
+      if (this.config.hardFail) {
+        throw new Error(`[revocation] OCSP request failed (hardFail=true): ${String(err)}`);
+      }
+      return { revoked: false, skipped: true, reason: `OCSP request failed: ${String(err)}` };
+    }
+    if (!response.ok) {
+      if (this.config.hardFail) {
+        throw new Error(
+          `[revocation] OCSP responder returned HTTP ${response.status} (hardFail=true)`
+        );
+      }
+      const skippedStatus = {
+        revoked: false,
+        skipped: true,
+        reason: `OCSP responder returned HTTP ${response.status}`
+      };
+      this.cache.set(serialNumber, skippedStatus);
+      return skippedStatus;
+    }
+    let status;
+    try {
+      const derBuffer = await response.arrayBuffer();
+      status = parseOCSPResponse(Buffer.from(derBuffer), serialNumber);
+    } catch (err) {
+      if (this.config.hardFail) {
+        throw new Error(`[revocation] OCSP response parse failed (hardFail=true): ${String(err)}`);
+      }
+      return { revoked: false, skipped: true, reason: `OCSP parse failed: ${String(err)}` };
+    }
+    this.cache.set(serialNumber, status);
+    return status;
+  }
+  /** Exposed for testing */
+  get _cache() {
+    return this.cache;
+  }
+};
+var CompositeRevocationChecker = class {
+  ocsp;
+  crl;
+  constructor(config) {
+    this.ocsp = new OCSPRevocationChecker({ ...config, hardFail: false });
+    this.crl = new CRLRevocationChecker(config);
+  }
+  async check(input) {
+    const ocspResult = await this.ocsp.check(input);
+    if (!("skipped" in ocspResult && ocspResult.skipped)) {
+      return ocspResult;
+    }
+    return this.crl.check(input);
+  }
+};
+function createRevocationChecker(config) {
+  switch (config.strategy) {
+    case "ocsp":
+      return new OCSPRevocationChecker(config);
+    case "crl":
+      return new CRLRevocationChecker(config);
+    case "ocsp_with_crl_fallback":
+      return new CompositeRevocationChecker(config);
+    case "skip":
+    default:
+      return new SkipRevocationChecker();
+  }
+}
+function normalizeSerial(serial) {
+  const clean = serial.replace(/[:\s]/g, "").replace(/^0x/i, "").toUpperCase();
+  return clean.replace(/^0+(?=.)/, "") || "0";
+}
+function parseCRLRevokedSerials(der) {
+  const serials = /* @__PURE__ */ new Set();
+  const tbsCertList = unwrapSequence(unwrapSequence(der));
+  let offset = 0;
+  let revokedSeqOffset = -1;
+  while (offset < tbsCertList.length - 2) {
+    const tag = tbsCertList[offset];
+    if (tag === void 0) break;
+    const { length: len, headerLen } = readTLVLength(tbsCertList, offset + 1);
+    if (tag === 48 && len > 0) {
+      const inner = tbsCertList.slice(offset + headerLen, offset + headerLen + len);
+      if (inner.length > 0 && inner[0] === 48) {
+        revokedSeqOffset = offset + headerLen;
+        break;
+      }
+    }
+    offset += headerLen + len;
+  }
+  if (revokedSeqOffset === -1) {
+    return serials;
+  }
+  const revokedBlock = tbsCertList.slice(revokedSeqOffset);
+  let pos = 0;
+  while (pos < revokedBlock.length - 2) {
+    const tag = revokedBlock[pos];
+    if (tag !== 48) break;
+    const { length: entryLen, headerLen: entryHdrLen } = readTLVLength(revokedBlock, pos + 1);
+    const entry = revokedBlock.slice(pos + entryHdrLen, pos + entryHdrLen + entryLen);
+    if (entry.length > 0 && entry[0] === 2) {
+      const { length: intLen, headerLen: intHdrLen } = readTLVLength(entry, 1);
+      const serialBytes = entry.slice(intHdrLen, intHdrLen + intLen);
+      const trimmed = serialBytes[0] === 0 && serialBytes.length > 1 ? serialBytes.slice(1) : serialBytes;
+      const hexSerial = trimmed.toString("hex").toUpperCase().replace(/^0+(?=.)/, "");
+      serials.add(hexSerial || "0");
+    }
+    pos += entryHdrLen + entryLen;
+  }
+  return serials;
+}
+function unwrapSequence(der) {
+  if (der[0] !== 48) {
+    throw new Error(`Expected SEQUENCE (0x30), got 0x${der[0]?.toString(16)}`);
+  }
+  const { length, headerLen } = readTLVLength(der, 1);
+  return der.slice(headerLen, headerLen + length);
+}
+function readTLVLength(buf, offset) {
+  const firstByte = buf[offset];
+  if (firstByte === void 0) throw new Error("Unexpected end of DER data");
+  if ((firstByte & 128) === 0) {
+    return { length: firstByte, headerLen: 2 };
+  }
+  const numLenBytes = firstByte & 127;
+  let length = 0;
+  for (let i = 1; i <= numLenBytes; i++) {
+    const b = buf[offset + i];
+    if (b === void 0) throw new Error("Unexpected end of DER length encoding");
+    length = length << 8 | b;
+  }
+  return { length, headerLen: 2 + numLenBytes };
+}
+function buildOCSPGetRequest(baseUrl, serialNumber) {
+  const serialHex = normalizeSerial(serialNumber);
+  const serialBuf = Buffer.from(serialHex.length % 2 === 0 ? serialHex : "0" + serialHex, "hex");
+  const serialDer = (serialBuf[0] & 128) !== 0 ? Buffer.concat([Buffer.from([0]), serialBuf]) : serialBuf;
+  const sha1Oid = Buffer.from([
+    48,
+    9,
+    // SEQUENCE, 9 bytes
+    6,
+    5,
+    43,
+    14,
+    3,
+    2,
+    26,
+    // OID 1.3.14.3.2.26 (SHA-1)
+    5,
+    0
+    // NULL
+  ]);
+  const zeroHash = Buffer.alloc(20, 0);
+  const issuerNameHashDer = derOctetString(zeroHash);
+  const issuerKeyHashDer = derOctetString(zeroHash);
+  const serialDerTagged = derInteger(serialDer);
+  const certId = derSequence(
+    Buffer.concat([sha1Oid, issuerNameHashDer, issuerKeyHashDer, serialDerTagged])
+  );
+  const requestItem = derSequence(certId);
+  const requestList = derSequence(requestItem);
+  const tbsRequest = derSequence(requestList);
+  const ocspRequest = derSequence(tbsRequest);
+  const b64 = ocspRequest.toString("base64url");
+  const separator = baseUrl.endsWith("/") ? "" : "/";
+  return `${baseUrl}${separator}${b64}`;
+}
+function parseOCSPResponse(der, _serialNumber) {
+  const ocspResponse = unwrapSequence(der);
+  if (ocspResponse[0] !== 10) {
+    throw new Error("Expected ENUMERATED responseStatus in OCSPResponse");
+  }
+  const statusLen = ocspResponse[1] ?? 0;
+  const responseStatus = ocspResponse[2 + statusLen - 1] ?? 0;
+  if (responseStatus !== 0) {
+    const statusNames = {
+      1: "malformedRequest",
+      2: "internalError",
+      3: "tryLater",
+      5: "sigRequired",
+      6: "unauthorized"
+    };
+    throw new Error(
+      `OCSP responder returned non-success status: ${statusNames[responseStatus] ?? responseStatus}`
+    );
+  }
+  const derStr = ocspResponse.toString("hex");
+  if (derStr.includes("8000")) {
+    return { revoked: false };
+  }
+  if (derStr.includes("a1")) {
+    const revokedIdx = ocspResponse.indexOf(161);
+    if (revokedIdx !== -1) {
+      return {
+        revoked: true,
+        reason: "Certificate revoked per OCSP responder"
+      };
+    }
+  }
+  return { revoked: false };
+}
+function derTLV(tag, value) {
+  const lenBytes = encodeDERLength(value.length);
+  return Buffer.concat([Buffer.from([tag]), lenBytes, value]);
+}
+function derSequence(content) {
+  return derTLV(48, content);
+}
+function derOctetString(value) {
+  return derTLV(4, value);
+}
+function derInteger(value) {
+  return derTLV(2, value);
+}
+function encodeDERLength(len) {
+  if (len < 128) {
+    return Buffer.from([len]);
+  } else if (len < 256) {
+    return Buffer.from([129, len]);
+  } else if (len < 65536) {
+    return Buffer.from([130, len >> 8 & 255, len & 255]);
+  }
+  throw new Error(`DER length ${len} too large for this implementation`);
+}
 // src/providers/pki-provider.ts
 var PKIProvider = class {
   constructor(config, auditLogger) {
     this.config = config;
     this.auditLogger = auditLogger;
+    this.revocationChecker = createRevocationChecker(
+      config.revocationCheck ?? { strategy: "skip" }
+    );
   }
   auditLogger;
+  revocationChecker;
   async authenticate(context) {
     let parsed = null;
     if (this.config.source === "gateway_headers") {
@@ -296,6 +665,39 @@ var PKIProvider = class {
       }
       return null;
     }
+    const revocationInput = {
+      serialNumber: parsed.serialNumber,
+      issuerName: parsed.issuer.commonName
+      // certPem not available for gateway_headers source
+    };
+    try {
+      const revocationStatus = await this.revocationChecker.check(revocationInput);
+      if (revocationStatus.revoked) {
+        try {
+          this.auditLogger?.log(
+            createAuditEvent("pki.cert.revoked" /* PKI_CERT_REVOKED */, "failure", {
+              authMethod: "pki",
+              reason: "reason" in revocationStatus ? revocationStatus.reason : "Certificate revoked",
+              details: { serialNumber: parsed.serialNumber }
+            })
+          );
+        } catch {
+        }
+        return null;
+      }
+    } catch (err) {
+      try {
+        this.auditLogger?.log(
+          createAuditEvent("pki.revocation_check.failed" /* PKI_REVOCATION_CHECK_FAILED */, "failure", {
+            authMethod: "pki",
+            reason: String(err),
+            details: { serialNumber: parsed.serialNumber }
+          })
+        );
+      } catch {
+      }
+      return null;
+    }
     if (this.config.profile === "dod_cac") {
       if (!validateDoDCAC(parsed)) {
         try {
@@ -1598,21 +2000,27 @@ Object.defineProperty(exports, "rbacConfigSchema", {
 exports.AuditEventType = AuditEventType;
 exports.AuthContext = AuthContext;
 exports.AuthProvider = AuthProvider;
+exports.CRLRevocationChecker = CRLRevocationChecker;
 exports.CompositeAuditLogger = CompositeAuditLogger;
+exports.CompositeRevocationChecker = CompositeRevocationChecker;
 exports.ConsoleAuditLogger = ConsoleAuditLogger;
 exports.DOD_CAC_PROFILE = DOD_CAC_PROFILE;
 exports.InMemoryRevocationStore = InMemoryRevocationStore;
 exports.KeycloakAdapter = KeycloakAdapter;
 exports.NoopAuditLogger = NoopAuditLogger;
+exports.OCSPRevocationChecker = OCSPRevocationChecker;
 exports.OIDCProvider = OIDCProvider;
 exports.PKIProvider = PKIProvider;
 exports.RBACEngine = RBACEngine;
+exports.RevocationCache = RevocationCache;
 exports.SessionManager = SessionManager;
+exports.SkipRevocationChecker = SkipRevocationChecker;
 exports.buildAuthorizationUrl = buildAuthorizationUrl;
 exports.clearCookie = clearCookie;
 exports.createAuditEvent = createAuditEvent;
 exports.createDoDCACConfig = createDoDCACConfig;
 exports.createDoDCACDevConfig = createDoDCACDevConfig;
+exports.createRevocationChecker = createRevocationChecker;
 exports.decryptToken = decryptToken;
 exports.deriveEncryptionKey = deriveEncryptionKey;
 exports.discoverOIDC = discoverOIDC;
@@ -1627,6 +2035,7 @@ exports.generateState = generateState;
 exports.getAuthDecorator = getAuthDecorator;
 exports.hasAuthConfig = hasAuthConfig;
 exports.maybeWrapWithAuth = maybeWrapWithAuth;
+exports.normalizeSerial = normalizeSerial;
 exports.parseCertFromHeaders = parseCertFromHeaders;
 exports.parseCertificate = parseCertificate;
 exports.parseCookies = parseCookies;