@vizamodo/aws-sts-core 0.4.18 → 0.4.20
- package/dist/sts/issue.js +11 -16
- package/package.json +1 -1
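--- a/package/dist/sts/issue.js
+++ b/package/dist/sts/issue.js
@@ -26,18 +26,12 @@ let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ── Cert serial cache ──────────────────────────────────────────────────────
-// BUG 5 KEPT: stale isolate cache can return wrong serial across deploys.
-let cachedCertSerialDec = null;
-let cachedCertSerialSource = null;
 // ── Test utilities ─────────────────────────────────────────────────────────
 export function resetIsolateCache() {
 signingKeyPromise = null;
 cachedSigningKey = null;
 cachedCertBase64 = null;
 cachedPrivateKeyBase64 = null;
-cachedCertSerialDec = null;
-cachedCertSerialSource = null;
 }
 // ── Signing material ───────────────────────────────────────────────────────
 async function getSigningMaterial(input) {
@@ -78,16 +72,14 @@ export async function issueAwsCredentials(input) {
 const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
 const sessionTtl = resolveSessionTtlByProfile(profile);
 const normalizedCert = normalizeCert(certBase64);
-//
-
-
-
-
-
-
-
-cachedCertSerialSource = normalizedCert;
-}
+// No isolate cache — stale cached values caused wrong-serial bugs.
+const certSerialDec = parseCertSerialDec(normalizedCert);
+console.debug("[cert-serial-debug]", {
+certLen: normalizedCert.length,
+certPreview: normalizedCert.slice(0, 40),
+certSerialDec,
+certSerialHex: BigInt(certSerialDec).toString(16),
+});
 const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
 // BUG 1 KEPT: signing happens before getCachedOrFetch — runs on every
 // request even when L1/L2 cache would have returned a hit.
@@ -205,13 +197,16 @@ function parseCertSerialDec(normalizedCertBase64) {
 if (der[offset++] !== 0x30)
 throw new Error("bad tbs");
 readLen();
+const beforeVersionOffset = offset;
 if (der[offset] === 0xa0) {
 offset++;
 offset += readLen();
 }
+const afterVersionOffset = offset;
 if (der[offset++] !== 0x02)
 throw new Error("bad serial tag");
 const serialLen = readLen();
+console.debug("[der-debug]", { beforeVersionOffset, afterVersionOffset, serialLen, serialByte0: der[offset]?.toString(16) });
 if (offset + serialLen > der.length)
 throw new Error("DER overflow");
 let serial = der.slice(offset, offset + serialLen);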
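Review bot: The two `console.debug` calls added in this file (the `[cert-serial-debug]` object in issueAwsCredentials and the `[der-debug]` object in parseCertSerialDec) run unconditionally on every credential issuance in the published dist, so a hot path in a credential-issuing library now writes certificate previews and DER parser offsets to whatever captures stdout. The `certSerialHex: BigInt(certSerialDec).toString(16)` field also makes the diagnostic a failure point: if parseCertSerialDec ever returns a string BigInt cannot parse, issueAwsCredentials throws from inside the log call before `cacheKey` is built (the part of parseCertSerialDec that builds its return value is outside the hunk, so this is inferred). Either remove both debug lines before publishing or gate them on an explicit opt-in, e.g. `if (DEBUG_CERT_SERIAL) console.debug(...)` with `DEBUG_CERT_SERIAL` (name constructed here) a module-level constant read once from configuration, and compute the hex form only inside that branch. issueAwsCredentials and parseCertSerialDec both start and end outside their hunks.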