@vizamodo/aws-sts-core 0.2.39 → 0.3.1

package/dist/sts/issue.js

@@ -20,10 +20,16 @@ const DEFAULT_TTL = 2 * 60 * 60;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ---- shared encoder + payload hash cache ----
+// ---- cached certificate serial (DER parse is expensive, cert rarely changes) ----
+let cachedCertSerialDec = null;
+let cachedCertSerialSource = null;
+// ---- shared encoder ----
 const textEncoder = new TextEncoder();
-let lastBody = null;
-let lastPayloadHash = null;
+// Precomputed hex table for fast byte→hex conversion (no per-byte toString alloc)
+const HEX_TABLE = new Array(256);
+for (let i = 0; i < 256; i++) {
+    HEX_TABLE[i] = (i < 16 ? "0" : "") + i.toString(16);
+}
 async function getSigningMaterial(input) {
     if (cachedSigningKey &&
         cachedCertBase64 === input.certBase64 &&
@@ -33,7 +39,7 @@ async function getSigningMaterial(input) {
     }
     console.debug("[sts-cache] signingKey MISS → importing key");
     try {
-        const keyBuffer = base64ToArrayBuffer(input.privateKeyPkcs8Base64);
+        const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
         cachedSigningKey = await crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
         cachedCertBase64 = input.certBase64;
         cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
@@ -53,7 +59,13 @@ export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, } = input;
     // 1. Kiểm tra đầu vào & Fix TTL an toàn
     const sessionTtl = resolveSessionTtlByProfile(profile);
-    const { signingKey } = await getSigningMaterial({ certBase64, privateKeyPkcs8Base64 });
+    // Normalize certificate once so every subsystem (cache, DER parse, headers)
+    // uses the exact same canonical string
+    const normalizedCert = normalizeCert(certBase64);
+    const { signingKey } = await getSigningMaterial({
+        certBase64: normalizedCert,
+        privateKeyPkcs8Base64,
+    });
     // 2. Setup constants
     const host = `${SERVICE}.${region}.amazonaws.com`;
     const path = PATH;
@@ -65,56 +77,60 @@ export async function issueAwsCredentials(input) {
     const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
     const payloadHash = await getPayloadHash(body);
     // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
-    const normalizedCert = normalizeCert(certBase64);
+    // const normalizedCert = normalizeCert(certBase64);
     // --- REFACTOR: Parser ASN.1 an toàn để lấy Serial Number (DECIMAL) ---
     // --- MINIMAL DER WALK: extract serial number ---
     let certSerialDec;
-    try {
-        const der = new Uint8Array(base64ToArrayBuffer(normalizedCert));
-        let offset = 0;
-        // helper: read DER length (short + long form)
-        function readLen() {
-            const b = der[offset++];
-            if ((b & 0x80) === 0)
-                return b;
-            const n = b & 0x7f;
-            let len = 0;
-            for (let i = 0; i < n; i++) {
-                len = (len << 8) | der[offset++];
+    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
+        console.debug("[sts-cache] certSerial HIT");
+        certSerialDec = cachedCertSerialDec;
+    }
+    else {
+        console.debug("[sts-cache] certSerial MISS → parsing DER");
+        try {
+            const der = base64ToBytes(normalizedCert);
+            let offset = 0;
+            function readLen() {
+                const b = der[offset++];
+                if ((b & 0x80) === 0)
+                    return b;
+                const n = b & 0x7f;
+                let len = 0;
+                for (let i = 0; i < n; i++) {
+                    len = (len << 8) | der[offset++];
+                }
+                return len;
             }
-            return len;
-        }
-        // Certificate SEQUENCE
-        if (der[offset++] !== 0x30)
-            throw new Error("bad cert");
-        readLen();
-        // TBSCertificate SEQUENCE
-        if (der[offset++] !== 0x30)
-            throw new Error("bad tbs");
-        readLen();
-        // Optional version [0] EXPLICIT (0xa0)
-        if (der[offset] === 0xa0) {
-            offset++; // tag
-            const vLen = readLen(); // length
-            offset += vLen; // skip full version block
+            if (der[offset++] !== 0x30)
+                throw new Error("bad cert");
+            readLen();
+            if (der[offset++] !== 0x30)
+                throw new Error("bad tbs");
+            readLen();
+            if (der[offset] === 0xa0) {
+                offset++;
+                const vLen = readLen();
+                offset += vLen;
+            }
+            if (der[offset++] !== 0x02)
+                throw new Error("bad serial tag");
+            const serialLen = readLen();
+            let serial = der.slice(offset, offset + serialLen);
+            if (serial.length > 1 && serial[0] === 0x00) {
+                serial = serial.slice(1);
+            }
+            let hex = "";
+            for (let i = 0; i < serial.length; i++) {
+                hex += HEX_TABLE[serial[i]];
+            }
+            certSerialDec = BigInt("0x" + hex).toString();
+            cachedCertSerialDec = certSerialDec;
+            cachedCertSerialSource = normalizedCert;
         }
-        // SerialNumber INTEGER
-        if (der[offset++] !== 0x02)
-            throw new Error("bad serial tag");
-        const serialLen = readLen();
-        let serial = der.slice(offset, offset + serialLen);
-        // strip leading 0x00 padding if present (DER signed integer rule)
-        if (serial.length > 1 && serial[0] === 0x00) {
-            serial = serial.slice(1);
+        catch (e) {
+            console.error("[issueAwsCredentials] Failed to parse cert serial", e);
+            throw new InternalError("invalid_cert_der");
         }
-        certSerialDec = BigInt("0x" +
-            Array.from(serial)
-                .map(b => b.toString(16).padStart(2, "0"))
-                .join("")).toString();
-    }
-    catch (e) {
-        console.error("[issueAwsCredentials] Failed to parse cert serial", e);
-        throw new InternalError("invalid_cert_der");
     }
     // 4. Tính toán Signature
     const baseHeaders = {
@@ -123,9 +139,9 @@ export async function issueAwsCredentials(input) {
         "x-amz-date": amzDate,
         "x-amz-x509": normalizedCert,
     };
-    const { canonicalHeaders, signedHeaders } = getCanonicalizedHeaders(baseHeaders);
+    const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
     const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
-    const canonicalRequest = getCanonicalRequest({
+    const canonicalRequest = buildCanonicalRequest({
         method: "POST",
         canonicalUri: path,
         query: "",
@@ -160,7 +176,6 @@ export async function issueAwsCredentials(input) {
     // 5. Build Authorization Header với số Serial (DECIMAL)
     const finalHeaders = new Headers({
         "Content-Type": "application/json",
-        "Host": host,
         "X-Amz-Date": amzDate,
         "X-Amz-X509": normalizedCert,
         "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
@@ -180,7 +195,7 @@ export async function issueAwsCredentials(input) {
         amzDate,
         cacheState: {
             hasSigningKey: !!cachedSigningKey,
-            cachedCertMatch: cachedCertBase64 === certBase64,
+            cachedCertMatch: cachedCertBase64 === normalizedCert,
         }
     });
     // 6. Execution
@@ -204,6 +219,10 @@ export async function issueAwsCredentials(input) {
         }
         const json = await res.json();
         const creds = json?.credentialSet?.[0]?.credentials;
+        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+            console.error("[issueAwsCredentials] malformed AWS credential response", { json });
+            throw new InternalError("aws_malformed_credentials");
+        }
         return {
             accessKeyId: creds.accessKeyId,
             secretAccessKey: creds.secretAccessKey,
@@ -236,49 +255,28 @@ async function sha256Hex(input) {
     const data = textEncoder.encode(input);
     const hash = await crypto.subtle.digest("SHA-256", data);
     const bytes = new Uint8Array(hash);
-    const hex = new Array(bytes.length);
+    // build hex string with minimal allocations
+    let out = "";
     for (let i = 0; i < bytes.length; i++) {
-        const h = bytes[i].toString(16);
-        hex[i] = h.length === 1 ? "0" + h : h;
+        out += HEX_TABLE[bytes[i]];
     }
-    return hex.join("");
+    return out;
 }
 async function getCanonicalRequestHash(canonicalRequest) {
     return sha256Hex(canonicalRequest);
 }
 async function getPayloadHash(body) {
-    if (lastBody === body && lastPayloadHash) {
-        console.debug("[sts-cache] payloadHash HIT");
-        return lastPayloadHash;
-    }
-    console.debug("[sts-cache] payloadHash MISS");
-    const hash = await sha256Hex(body);
-    lastBody = body;
-    lastPayloadHash = hash;
-    return hash;
-}
-function getCanonicalizedHeaders(baseHeaders) {
-    // Debug input headers before canonicalization
-    console.debug("[sts-debug] canonicalizeHeaders input", {
-        headers: baseHeaders,
-        keys: Object.keys(baseHeaders),
-    });
-    const result = canonicalizeHeaders(baseHeaders);
-    // Debug canonicalization result
-    console.debug("[sts-debug] canonicalizeHeaders output", {
-        canonicalHeaders: result.canonicalHeaders,
-        signedHeaders: result.signedHeaders,
-    });
-    return result;
-}
-function getCanonicalRequest(input) {
-    return buildCanonicalRequest(input);
+    // Payload changes are rare but SHA‑256 here is extremely cheap (~tens of µs),
+    // so caching adds complexity without measurable benefit.
+    return sha256Hex(body);
 }
-function base64ToArrayBuffer(base64) {
+// Faster base64 decode → Uint8Array (avoids extra ArrayBuffer wrapping)
+function base64ToBytes(base64) {
     const binary = atob(base64);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
+    const len = binary.length;
+    const bytes = new Uint8Array(len);
+    for (let i = 0; i < len; i++) {
         bytes[i] = binary.charCodeAt(i);
     }
-    return bytes.buffer;
+    return bytes;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.2.39",
+  "version": "0.3.1",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",