harperdb 4.6.5 → 4.7.0-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +0 -0
- package/README.md +1 -1
- package/bin/harperdb.js +89 -78
- package/bin/lite.js +85 -74
- package/components/requestRestart.d.ts +3 -0
- package/components/status/ComponentStatus.d.ts +61 -0
- package/components/status/ComponentStatusRegistry.d.ts +80 -0
- package/components/status/api.d.ts +104 -0
- package/components/status/crossThread.d.ts +62 -0
- package/components/status/errors.d.ts +68 -0
- package/components/status/index.d.ts +35 -0
- package/components/status/internal.d.ts +40 -0
- package/components/status/registry.d.ts +10 -0
- package/components/status/types.d.ts +75 -0
- package/json/systemSchema.json +66 -7
- package/launchServiceScripts/launchNatsIngestService.js +85 -74
- package/launchServiceScripts/launchNatsReplyService.js +85 -74
- package/launchServiceScripts/launchUpdateNodes4-0-0.js +85 -74
- package/npm-shrinkwrap.json +118 -75
- package/package.json +5 -5
- package/resources/RequestTarget.d.ts +1 -1
- package/resources/Resource.d.ts +3 -3
- package/resources/ResourceInterface.d.ts +33 -10
- package/resources/Resources.d.ts +1 -0
- package/resources/Table.d.ts +3 -3
- package/resources/analytics/hostnames.d.ts +3 -3
- package/resources/analytics/write.d.ts +2 -0
- package/resources/auditStore.d.ts +2 -0
- package/resources/databases.d.ts +3 -3
- package/resources/usageLicensing.d.ts +29 -0
- package/security/certificateVerification.d.ts +80 -0
- package/security/pkijs-ed25519-patch.d.ts +14 -0
- package/server/jobs/jobProcess.js +85 -74
- package/server/replication/knownNodes.d.ts +13 -1
- package/server/replication/replicationConnection.d.ts +11 -2
- package/server/status/index.d.ts +14 -5
- package/server/threads/threadServer.js +85 -74
- package/studio/build-local/asset-manifest.json +2 -2
- package/studio/build-local/index.html +1 -1
- package/studio/build-local/static/js/main.ee040ffb.js +2 -0
- package/utility/hdbTerms.d.ts +8 -0
- package/utility/scripts/restartHdb.js +85 -74
- package/validation/usageLicensing.d.ts +36 -0
- package/studio/build-local/static/js/main.14ef684d.js +0 -2
- /package/studio/build-local/static/js/{main.14ef684d.js.LICENSE.txt → main.ee040ffb.js.LICENSE.txt} +0 -0
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Certificate verification for mTLS authentication
|
|
3
|
+
*
|
|
4
|
+
* This module provides certificate revocation checking for client certificates
|
|
5
|
+
* in mutual TLS (mTLS) connections. Currently supports OCSP (Online Certificate
|
|
6
|
+
* Status Protocol) with the ability to add CRL (Certificate Revocation List) support.
|
|
7
|
+
* Uses a system table, hdb_certificate_cache, for a certificate verification
|
|
8
|
+
* status cache.
|
|
9
|
+
*
|
|
10
|
+
* Default configuration:
|
|
11
|
+
* - Enabled by default when mTLS is configured
|
|
12
|
+
* - Timeout: 5 seconds
|
|
13
|
+
* - Cache TTL: 1 hour
|
|
14
|
+
* - Failure mode: fail-open (allows connections if verification fails)
|
|
15
|
+
*/
|
|
16
|
+
import './pkijs-ed25519-patch.ts';
|
|
17
|
+
interface CertificateVerificationResult {
|
|
18
|
+
valid: boolean;
|
|
19
|
+
status: string;
|
|
20
|
+
cached?: boolean;
|
|
21
|
+
error?: string;
|
|
22
|
+
method?: 'ocsp' | 'crl' | 'disabled';
|
|
23
|
+
}
|
|
24
|
+
interface PeerCertificate {
|
|
25
|
+
subject?: {
|
|
26
|
+
CN?: string;
|
|
27
|
+
[key: string]: any;
|
|
28
|
+
};
|
|
29
|
+
raw?: Buffer;
|
|
30
|
+
issuerCertificate?: PeerCertificate;
|
|
31
|
+
}
|
|
32
|
+
interface CertificateVerificationConfig {
|
|
33
|
+
timeout?: number;
|
|
34
|
+
cacheTtl?: number;
|
|
35
|
+
failureMode?: 'fail-open' | 'fail-closed';
|
|
36
|
+
}
|
|
37
|
+
interface CertificateChainEntry {
|
|
38
|
+
cert: Buffer;
|
|
39
|
+
issuer?: Buffer;
|
|
40
|
+
}
|
|
41
|
+
/**
|
|
42
|
+
* Determine if certificate verification should be performed based on configuration
|
|
43
|
+
* @param mtlsConfig - The mTLS configuration (can be boolean or object)
|
|
44
|
+
* @returns Configuration object or false if verification is disabled
|
|
45
|
+
*/
|
|
46
|
+
export declare function getCertificateVerificationConfig(mtlsConfig: boolean | Record<string, any> | null | undefined): false | CertificateVerificationConfig;
|
|
47
|
+
/**
|
|
48
|
+
* Verify certificate revocation status
|
|
49
|
+
* @param peerCertificate - Peer certificate object from TLS connection
|
|
50
|
+
* @param mtlsConfig - The mTLS configuration from the request
|
|
51
|
+
* @returns Promise resolving to verification result
|
|
52
|
+
*/
|
|
53
|
+
export declare function verifyCertificate(peerCertificate: PeerCertificate, mtlsConfig?: boolean | Record<string, any> | null): Promise<CertificateVerificationResult>;
|
|
54
|
+
/**
|
|
55
|
+
* Verify OCSP status of a client certificate
|
|
56
|
+
* @param certPem - Client certificate in PEM format or Buffer
|
|
57
|
+
* @param issuerPem - Issuer (CA) certificate in PEM format or Buffer
|
|
58
|
+
* @returns Promise resolving to verification result
|
|
59
|
+
*/
|
|
60
|
+
export declare function verifyOCSP(certPem: Buffer | string, issuerPem: Buffer | string, config?: CertificateVerificationConfig): Promise<CertificateVerificationResult>;
|
|
61
|
+
/**
|
|
62
|
+
* Set TTL configuration for the certificate cache
|
|
63
|
+
* @param ttlConfig - Configuration for cache expiration and eviction
|
|
64
|
+
*/
|
|
65
|
+
export declare function setCertificateCacheTTL(ttlConfig: {
|
|
66
|
+
expiration: number;
|
|
67
|
+
eviction?: number;
|
|
68
|
+
scanInterval?: number;
|
|
69
|
+
}): void;
|
|
70
|
+
/**
|
|
71
|
+
* Convert a buffer to PEM format
|
|
72
|
+
*/
|
|
73
|
+
export declare function bufferToPem(buffer: Buffer, type: string): string;
|
|
74
|
+
/**
|
|
75
|
+
* Extract certificate chain from peer certificate object
|
|
76
|
+
* @param peerCertificate - Peer certificate object from TLS connection
|
|
77
|
+
* @returns Certificate chain
|
|
78
|
+
*/
|
|
79
|
+
export declare function extractCertificateChain(peerCertificate: PeerCertificate): CertificateChainEntry[];
|
|
80
|
+
export {};
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* PKI.js Ed25519/Ed448 Support Patch
|
|
3
|
+
*
|
|
4
|
+
* This module patches PKI.js to add complete Ed25519/Ed448 support for certificate
|
|
5
|
+
* and OCSP response verification. While PKI.js has some Ed25519/Ed448 support,
|
|
6
|
+
* it currently lacks:
|
|
7
|
+
* - getHashAlgorithm() support for Ed25519/Ed448 OIDs
|
|
8
|
+
* - getAlgorithmByOID() recognition of Ed25519/Ed448
|
|
9
|
+
* - Certificate verification using Ed25519/Ed448 signatures
|
|
10
|
+
* - OCSP response signature verification with Ed25519/Ed448
|
|
11
|
+
*
|
|
12
|
+
* This patch must be loaded before any module that uses PKI.js (including easy-ocsp).
|
|
13
|
+
*/
|
|
14
|
+
export declare function applyEd25519Patch(): void;
|