@vizamodo/aws-sts-core 0.2.34 → 0.3.1

package/dist/sts/issue.js

@@ -20,24 +20,26 @@ const DEFAULT_TTL = 2 * 60 * 60;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ---- shared encoder + canonical request hash cache ----
+// ---- cached certificate serial (DER parse is expensive, cert rarely changes) ----
+let cachedCertSerialDec = null;
+let cachedCertSerialSource = null;
+// ---- shared encoder ----
 const textEncoder = new TextEncoder();
-let lastCanonicalRequestKey = null;
-let lastCanonicalRequest = null;
-let lastCanonicalRequestHash = null;
-let lastBody = null;
-let lastPayloadHash = null;
-let lastBaseHeadersKey = null;
-let lastCanonicalHeaders = null;
-let lastSignedHeaders = null;
+// Precomputed hex table for fast byte→hex conversion (no per-byte toString alloc)
+const HEX_TABLE = new Array(256);
+for (let i = 0; i < 256; i++) {
+    HEX_TABLE[i] = (i < 16 ? "0" : "") + i.toString(16);
+}
 async function getSigningMaterial(input) {
     if (cachedSigningKey &&
         cachedCertBase64 === input.certBase64 &&
         cachedPrivateKeyBase64 === input.privateKeyPkcs8Base64) {
+        console.debug("[sts-cache] signingKey HIT");
         return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
     }
+    console.debug("[sts-cache] signingKey MISS → importing key");
     try {
-        const keyBuffer = base64ToArrayBuffer(input.privateKeyPkcs8Base64);
+        const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
         cachedSigningKey = await crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
         cachedCertBase64 = input.certBase64;
         cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
@@ -57,7 +59,13 @@ export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, } = input;
     // 1. Kiểm tra đầu vào & Fix TTL an toàn
     const sessionTtl = resolveSessionTtlByProfile(profile);
-    const { signingKey } = await getSigningMaterial({ certBase64, privateKeyPkcs8Base64 });
+    // Normalize certificate once so every subsystem (cache, DER parse, headers)
+    // uses the exact same canonical string
+    const normalizedCert = normalizeCert(certBase64);
+    const { signingKey } = await getSigningMaterial({
+        certBase64: normalizedCert,
+        privateKeyPkcs8Base64,
+    });
     // 2. Setup constants
     const host = `${SERVICE}.${region}.amazonaws.com`;
     const path = PATH;
@@ -69,56 +77,60 @@ export async function issueAwsCredentials(input) {
     const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
     const payloadHash = await getPayloadHash(body);
     // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
-    const normalizedCert = normalizeCert(certBase64);
+    // const normalizedCert = normalizeCert(certBase64);
     // --- REFACTOR: Parser ASN.1 an toàn để lấy Serial Number (DECIMAL) ---
     // --- MINIMAL DER WALK: extract serial number ---
     let certSerialDec;
-    try {
-        const der = new Uint8Array(base64ToArrayBuffer(normalizedCert));
-        let offset = 0;
-        // helper: read DER length (short + long form)
-        function readLen() {
-            const b = der[offset++];
-            if ((b & 0x80) === 0)
-                return b;
-            const n = b & 0x7f;
-            let len = 0;
-            for (let i = 0; i < n; i++) {
-                len = (len << 8) | der[offset++];
+    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
+        console.debug("[sts-cache] certSerial HIT");
+        certSerialDec = cachedCertSerialDec;
+    }
+    else {
+        console.debug("[sts-cache] certSerial MISS → parsing DER");
+        try {
+            const der = base64ToBytes(normalizedCert);
+            let offset = 0;
+            function readLen() {
+                const b = der[offset++];
+                if ((b & 0x80) === 0)
+                    return b;
+                const n = b & 0x7f;
+                let len = 0;
+                for (let i = 0; i < n; i++) {
+                    len = (len << 8) | der[offset++];
+                }
+                return len;
             }
-            return len;
-        }
-        // Certificate SEQUENCE
-        if (der[offset++] !== 0x30)
-            throw new Error("bad cert");
-        readLen();
-        // TBSCertificate SEQUENCE
-        if (der[offset++] !== 0x30)
-            throw new Error("bad tbs");
-        readLen();
-        // Optional version [0] EXPLICIT (0xa0)
-        if (der[offset] === 0xa0) {
-            offset++; // tag
-            const vLen = readLen(); // length
-            offset += vLen; // skip full version block
+            if (der[offset++] !== 0x30)
+                throw new Error("bad cert");
+            readLen();
+            if (der[offset++] !== 0x30)
+                throw new Error("bad tbs");
+            readLen();
+            if (der[offset] === 0xa0) {
+                offset++;
+                const vLen = readLen();
+                offset += vLen;
+            }
+            if (der[offset++] !== 0x02)
+                throw new Error("bad serial tag");
+            const serialLen = readLen();
+            let serial = der.slice(offset, offset + serialLen);
+            if (serial.length > 1 && serial[0] === 0x00) {
+                serial = serial.slice(1);
+            }
+            let hex = "";
+            for (let i = 0; i < serial.length; i++) {
+                hex += HEX_TABLE[serial[i]];
+            }
+            certSerialDec = BigInt("0x" + hex).toString();
+            cachedCertSerialDec = certSerialDec;
+            cachedCertSerialSource = normalizedCert;
         }
-        // SerialNumber INTEGER
-        if (der[offset++] !== 0x02)
-            throw new Error("bad serial tag");
-        const serialLen = readLen();
-        let serial = der.slice(offset, offset + serialLen);
-        // strip leading 0x00 padding if present (DER signed integer rule)
-        if (serial.length > 1 && serial[0] === 0x00) {
-            serial = serial.slice(1);
+        catch (e) {
+            console.error("[issueAwsCredentials] Failed to parse cert serial", e);
+            throw new InternalError("invalid_cert_der");
         }
-        certSerialDec = BigInt("0x" +
-            Array.from(serial)
-                .map(b => b.toString(16).padStart(2, "0"))
-                .join("")).toString();
-    }
-    catch (e) {
-        console.error("[issueAwsCredentials] Failed to parse cert serial", e);
-        throw new InternalError("invalid_cert_der");
     }
     // 4. Tính toán Signature
     const baseHeaders = {
@@ -127,9 +139,9 @@ export async function issueAwsCredentials(input) {
         "x-amz-date": amzDate,
         "x-amz-x509": normalizedCert,
     };
-    const { canonicalHeaders, signedHeaders } = getCanonicalizedHeaders(baseHeaders);
+    const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
     const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
-    const canonicalRequest = getCanonicalRequest({
+    const canonicalRequest = buildCanonicalRequest({
         method: "POST",
         canonicalUri: path,
         query: "",
@@ -137,14 +149,30 @@ export async function issueAwsCredentials(input) {
         signedHeaders,
         payloadHash,
     });
+    console.debug("[sts-debug] canonicalRequest", {
+        amzDate,
+        signedHeaders,
+        payloadHash,
+        canonicalHeadersPreview: canonicalHeaders.slice(0, 120),
+        canonicalRequestPreview: canonicalRequest.slice(0, 200)
+    });
     const canonicalRequestHash = await getCanonicalRequestHash(canonicalRequest);
+    console.debug("[sts-debug] canonicalRequestHash", canonicalRequestHash);
     const stringToSign = buildStringToSign({
         algorithm: ALGORITHM,
         amzDate,
         credentialScope,
         canonicalRequestHash,
     });
+    console.debug("[sts-debug] stringToSign", {
+        credentialScope,
+        stringPreview: stringToSign.slice(0, 200)
+    });
     const signatureHex = await signStringToSign(stringToSign, signingKey);
+    console.debug("[sts-debug] signature", {
+        length: signatureHex.length,
+        prefix: signatureHex.slice(0, 32)
+    });
     // 5. Build Authorization Header với số Serial (DECIMAL)
     const finalHeaders = new Headers({
         "Content-Type": "application/json",
@@ -152,6 +180,24 @@ export async function issueAwsCredentials(input) {
         "X-Amz-X509": normalizedCert,
         "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
     });
+    console.debug("[sts-debug] requestHeaders", {
+        host,
+        amzDate,
+        signedHeaders,
+        certLen: normalizedCert.length
+    });
+    console.debug("[sts-request] issuing rolesanywhere session", {
+        region,
+        profile,
+        roleArn,
+        profileArn,
+        trustAnchorArn,
+        amzDate,
+        cacheState: {
+            hasSigningKey: !!cachedSigningKey,
+            cachedCertMatch: cachedCertBase64 === normalizedCert,
+        }
+    });
     // 6. Execution
     try {
         const res = await fetch(`https://${host}${path}`, {
@@ -164,12 +210,19 @@ export async function issueAwsCredentials(input) {
             // Debug logs
             console.error("[aws-rejected] Request details", {
                 status: res.status,
-                response: errorBody
+                response: errorBody,
+                region,
+                profile,
+                amzDate
             });
             throw new InternalError("aws_rejected");
         }
         const json = await res.json();
         const creds = json?.credentialSet?.[0]?.credentials;
+        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+            console.error("[issueAwsCredentials] malformed AWS credential response", { json });
+            throw new InternalError("aws_malformed_credentials");
+        }
         return {
             accessKeyId: creds.accessKeyId,
             secretAccessKey: creds.secretAccessKey,
@@ -178,6 +231,14 @@ export async function issueAwsCredentials(input) {
         };
     }
     catch (e) {
+        console.error("[sts-debug] fetch failure", {
+            error: String(e),
+            region,
+            roleArn,
+            profileArn,
+            trustAnchorArn,
+            amzDate
+        });
         if (e instanceof InternalError)
             throw e;
         throw new InternalError("aws_unreachable");
@@ -194,66 +255,28 @@ async function sha256Hex(input) {
     const data = textEncoder.encode(input);
     const hash = await crypto.subtle.digest("SHA-256", data);
     const bytes = new Uint8Array(hash);
-    const hex = new Array(bytes.length);
+    // build hex string with minimal allocations
+    let out = "";
     for (let i = 0; i < bytes.length; i++) {
-        const h = bytes[i].toString(16);
-        hex[i] = h.length === 1 ? "0" + h : h;
+        out += HEX_TABLE[bytes[i]];
     }
-    return hex.join("");
+    return out;
 }
 async function getCanonicalRequestHash(canonicalRequest) {
-    if (lastCanonicalRequest === canonicalRequest && lastCanonicalRequestHash) {
-        return lastCanonicalRequestHash;
-    }
-    const hash = await sha256Hex(canonicalRequest);
-    lastCanonicalRequest = canonicalRequest;
-    lastCanonicalRequestHash = hash;
-    return hash;
+    return sha256Hex(canonicalRequest);
 }
 async function getPayloadHash(body) {
-    if (lastBody === body && lastPayloadHash) {
-        return lastPayloadHash;
-    }
-    const hash = await sha256Hex(body);
-    lastBody = body;
-    lastPayloadHash = hash;
-    return hash;
-}
-function getCanonicalizedHeaders(baseHeaders) {
-    // build deterministic cache key without JSON.stringify allocation
-    const key = baseHeaders["content-type"] + "|" +
-        baseHeaders["host"] + "|" +
-        baseHeaders["x-amz-date"] + "|" +
-        baseHeaders["x-amz-x509"];
-    if (lastBaseHeadersKey === key && lastCanonicalHeaders && lastSignedHeaders) {
-        return { canonicalHeaders: lastCanonicalHeaders, signedHeaders: lastSignedHeaders };
-    }
-    const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
-    lastBaseHeadersKey = key;
-    lastCanonicalHeaders = canonicalHeaders;
-    lastSignedHeaders = signedHeaders;
-    return { canonicalHeaders, signedHeaders };
-}
-function getCanonicalRequest(input) {
-    const key = input.method + "|" +
-        input.canonicalUri + "|" +
-        input.query + "|" +
-        input.canonicalHeaders + "|" +
-        input.signedHeaders + "|" +
-        input.payloadHash;
-    if (lastCanonicalRequestKey === key && lastCanonicalRequest) {
-        return lastCanonicalRequest;
-    }
-    const req = buildCanonicalRequest(input);
-    lastCanonicalRequestKey = key;
-    lastCanonicalRequest = req;
-    return req;
+    // Payload changes are rare but SHA‑256 here is extremely cheap (~tens of µs),
+    // so caching adds complexity without measurable benefit.
+    return sha256Hex(body);
 }
-function base64ToArrayBuffer(base64) {
+// Faster base64 decode → Uint8Array (avoids extra ArrayBuffer wrapping)
+function base64ToBytes(base64) {
     const binary = atob(base64);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
+    const len = binary.length;
+    const bytes = new Uint8Array(len);
+    for (let i = 0; i < len; i++) {
         bytes[i] = binary.charCodeAt(i);
     }
-    return bytes.buffer;
+    return bytes;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.2.34",
+  "version": "0.3.1",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",