@vizamodo/aws-sts-core 0.4.5 → 0.4.7

package/dist/sts/issue.js

@@ -1,10 +1,10 @@
-import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 import { canonicalizeHeaders } from "../sigv4/headers";
 import { buildCanonicalRequest } from "../sigv4/canonical";
 import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
 import { sha256Hex } from "../crypto/sha256";
+import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 // ── Constants ──────────────────────────────────────────────────────────────
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
@@ -30,6 +30,10 @@ let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
+// ── Isolate-level cert-serial cache ───────────────────────────────────────
+// DER walk is CPU-bound; the cert rarely rotates within an isolate lifetime.
+let cachedCertSerialDec = null;
+let cachedCertSerialSource = null;
 // ── Test utilities ─────────────────────────────────────────────────────────
 /**
  * Reset isolate-level signing material and cert serial caches.
@@ -43,6 +47,8 @@ export function resetIsolateCache() {
     cachedSigningKey = null;
     cachedCertBase64 = null;
     cachedPrivateKeyBase64 = null;
+    cachedCertSerialDec = null;
+    cachedCertSerialSource = null;
 }
 // ── Signing material ───────────────────────────────────────────────────────
 async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
@@ -129,6 +135,35 @@ async function fetchCredentials(input) {
     });
     const signatureHex = await signStringToSign(stringToSign, signingKey);
     const certSerialDec = getCertSerialDec(normalizedCert);
+    // 🔍 Deep debug helper (compare with working version)
+    function debugAwsSigning() {
+        try {
+            console.debug("[aws-debug][input]", {
+                roleArn,
+                profileArn,
+                trustAnchorArn,
+                region,
+                sessionTtl,
+            });
+            console.debug("[aws-debug][cert]", {
+                length: normalizedCert.length,
+                preview: normalizedCert.slice(0, 30),
+            });
+            console.debug("[aws-debug][serial]", {
+                serialDec: certSerialDec,
+                serialHex: BigInt(certSerialDec).toString(16),
+            });
+            console.debug("[aws-debug][headers]", baseHeaders);
+            console.debug("[aws-debug][signedHeaders]", signedHeaders);
+            console.debug("[aws-debug][canonicalRequest]", canonicalRequest);
+            console.debug("[aws-debug][stringToSign]", stringToSign);
+            console.debug("[aws-debug][signatureHex]", signatureHex);
+        }
+        catch (e) {
+            console.warn("[aws-debug][error]", e);
+        }
+    }
+    debugAwsSigning();
     const finalHeaders = new Headers({
         "Content-Type": "application/json",
         "X-Amz-Date": amzDate,
@@ -148,7 +183,12 @@ async function fetchCredentials(input) {
         throw new InternalError("aws_unreachable");
     }
     if (!res.ok) {
-        console.warn("[aws-rejected]", { status: res.status, region });
+        const text = await res.text().catch(() => "<no-body>");
+        console.error("[aws-rejected]", {
+            status: res.status,
+            body: text,
+            region,
+        });
         throw new InternalError("aws_rejected");
     }
     const json = await res.json();
@@ -183,9 +223,15 @@ function normalizeCert(raw) {
     }
     return raw.replace(/\s+/g, "");
 }
-/** Extract cert serial as decimal string from DER-encoded base64 cert. */
+/** Return cert serial as decimal string, using isolate-level cache. */
 function getCertSerialDec(normalizedCert) {
-    return parseCertSerialDec(normalizedCert);
+    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
+        return cachedCertSerialDec;
+    }
+    const serial = parseCertSerialDec(normalizedCert);
+    cachedCertSerialDec = serial;
+    cachedCertSerialSource = normalizedCert;
+    return serial;
 }
 /**
  * Minimal DER walk to extract the certificate serial number as a decimal string.
@@ -209,24 +255,27 @@ function parseCertSerialDec(normalizedCertBase64) {
                 len = (len << 8) | der[offset++];
             return len;
         }
+        // Certificate ::= SEQUENCE
         if (der[offset++] !== 0x30)
             throw new Error("bad cert");
         readLen();
+        // tbsCertificate ::= SEQUENCE
         if (der[offset++] !== 0x30)
             throw new Error("bad tbs");
         readLen();
-        // Skip optional [0] EXPLICIT version field.
+        // Optional version [0] EXPLICIT
         if (der[offset] === 0xa0) {
-            offset++;
-            offset += readLen();
+            offset++; // tag
+            offset += readLen(); // skip content
         }
+        // 👉 SERIAL MUST be the next INTEGER after optional version
         if (der[offset++] !== 0x02)
             throw new Error("bad serial tag");
-        const serialLen = readLen();
-        if (offset + serialLen > der.length)
+        const len = readLen();
+        if (offset + len > der.length)
             throw new Error("DER overflow");
-        let serial = der.slice(offset, offset + serialLen);
-        // Strip ASN.1 sign-extension padding byte.
+        let serial = der.slice(offset, offset + len);
+        // Strip leading 0x00 only if it's padding for signed INTEGER
         if (serial.length > 1 && serial[0] === 0x00) {
             serial = serial.slice(1);
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.4.5",
+  "version": "0.4.7",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",