mcp-security-framework 1.1.2__py3-none-any.whl → 1.2.1__py3-none-any.whl

mcp_security_framework/__init__.py

@@ -71,7 +71,7 @@ from mcp_security_framework.schemas.responses import (
 )
 
 # Version information
-__version__ = "0.1.0"
+__version__ = "1.2.1"
 __author__ = "Vasiliy Zdanovskiy"
 __email__ = "vasilyvz@gmail.com"
 __license__ = "MIT"

mcp_security_framework/cli/cert_cli.py

@@ -314,12 +314,18 @@ def create_client(
     type=click.Path(exists=True),
     help="Path to CA certificate for validation",
 )
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for revocation check",
+)
 @click.pass_context
-def validate(ctx, cert_path: str, ca_cert: Optional[str]):
+def validate(ctx, cert_path: str, ca_cert: Optional[str], crl: Optional[str]):
     """
     Validate a certificate.
 
-    This command validates a certificate and optionally checks it against a CA.
+    This command validates a certificate and optionally checks it against a CA
+    and CRL for revocation status.
     """
     try:
         config = ctx.obj["config"]
@@ -330,12 +336,16 @@ def validate(ctx, cert_path: str, ca_cert: Optional[str]):
             click.echo(f"Validating certificate: {cert_path}")
             if ca_cert:
                 click.echo(f"Using CA certificate: {ca_cert}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
 
         # Validate certificate
-        is_valid = cert_manager.validate_certificate_chain(cert_path, ca_cert)
+        is_valid = cert_manager.validate_certificate_chain(cert_path, ca_cert, crl)
 
         if is_valid:
             click.echo(f"✅ Certificate is valid!")
+            if crl:
+                click.echo(f"✅ Certificate is not revoked according to CRL")
         else:
             click.echo(f"❌ Certificate validation failed!", err=True)
             raise click.Abort()
@@ -543,5 +553,159 @@ def revoke(ctx, serial_number: str, reason: str):
         raise click.Abort()
 
 
+@cert_cli.command()
+@click.argument("cert_path", type=click.Path(exists=True))
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for revocation check",
+)
+@click.pass_context
+def check_revocation(ctx, cert_path: str, crl: Optional[str]):
+    """
+    Check if certificate is revoked according to CRL.
+
+    This command checks if a certificate is revoked according to the provided CRL.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Checking revocation status for certificate: {cert_path}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
+
+        # Check if certificate is revoked
+        is_revoked = cert_manager.is_certificate_revoked(cert_path, crl)
+
+        if is_revoked:
+            click.echo(f"❌ Certificate is REVOKED!", err=True)
+        else:
+            click.echo(f"✅ Certificate is NOT revoked")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to check revocation status: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("cert_path", type=click.Path(exists=True))
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for detailed revocation check",
+)
+@click.pass_context
+def revocation_info(ctx, cert_path: str, crl: Optional[str]):
+    """
+    Get detailed revocation information for certificate.
+
+    This command provides detailed revocation information including
+    revocation date, reason, and CRL details.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Getting revocation information for certificate: {cert_path}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
+
+        # Get detailed revocation information
+        revocation_info = cert_manager.validate_certificate_against_crl(cert_path, crl)
+
+        click.echo(f"Certificate Serial Number: {revocation_info['serial_number']}")
+        click.echo(f"CRL Issuer: {revocation_info['crl_issuer']}")
+        click.echo(f"CRL Last Update: {revocation_info['crl_last_update']}")
+        click.echo(f"CRL Next Update: {revocation_info['crl_next_update']}")
+
+        if revocation_info["is_revoked"]:
+            click.echo(f"❌ Certificate is REVOKED!", err=True)
+            click.echo(f"Revocation Date: {revocation_info['revocation_date']}")
+            click.echo(f"Revocation Reason: {revocation_info['revocation_reason']}")
+        else:
+            click.echo(f"✅ Certificate is NOT revoked")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to get revocation information: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("crl_path", type=click.Path(exists=True))
+@click.pass_context
+def crl_info(ctx, crl_path: str):
+    """
+    Display CRL information.
+
+    This command displays detailed information about a CRL including
+    issuer, validity period, and revoked certificate count.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Getting CRL information: {crl_path}")
+
+        # Get CRL information
+        crl_info = cert_manager.get_crl_info(crl_path)
+
+        click.echo(f"CRL Issuer: {crl_info['issuer']}")
+        click.echo(f"Last Update: {crl_info['last_update']}")
+        click.echo(f"Next Update: {crl_info['next_update']}")
+        click.echo(f"Revoked Certificates: {crl_info['revoked_certificates_count']}")
+        click.echo(f"Status: {crl_info['status']}")
+        click.echo(f"Version: {crl_info['version']}")
+        click.echo(f"Signature Algorithm: {crl_info['signature_algorithm']}")
+
+        if crl_info["is_expired"]:
+            click.echo(f"❌ CRL is EXPIRED!", err=True)
+        elif crl_info["expires_soon"]:
+            click.echo(f"⚠️  CRL expires soon ({crl_info['days_until_expiry']} days)", err=True)
+        else:
+            click.echo(f"✅ CRL is valid")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to get CRL information: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("crl_path", type=click.Path(exists=True))
+@click.pass_context
+def validate_crl(ctx, crl_path: str):
+    """
+    Validate CRL file.
+
+    This command validates a CRL file for format and validity period.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Validating CRL: {crl_path}")
+
+        # Validate CRL
+        is_valid = cert_manager.is_crl_valid(crl_path)
+
+        if is_valid:
+            click.echo(f"✅ CRL is valid!")
+        else:
+            click.echo(f"❌ CRL validation failed!", err=True)
+            raise click.Abort()
+
+    except Exception as e:
+        click.echo(f"❌ CRL validation failed: {str(e)}", err=True)
+        raise click.Abort()
+
+
 if __name__ == "__main__":
     cert_cli()

mcp_security_framework/core/auth_manager.py

@@ -38,6 +38,7 @@ from ..schemas.models import AuthResult, AuthStatus, ValidationResult
 from ..utils.cert_utils import (
     extract_permissions_from_certificate,
     extract_roles_from_certificate,
+    extract_unitid_from_certificate,
     parse_certificate,
     validate_certificate_chain,
 )
@@ -124,20 +125,21 @@ class AuthManager:
         self.logger = logging.getLogger(__name__)
 
         # Initialize storage
-        # Convert API keys from "key": "user" format to "user": "key" format
+        # Store API keys in format: {"api_key": "username"}
         # or handle new format "key": {"username": "user", "roles": ["role1", "role2"]}
         if config.api_keys:
             self._api_keys = {}
             self._api_key_metadata = {}
             for key, value in config.api_keys.items():
                 if isinstance(value, str):
-                    # Old format: "key": "user"
+                    # Old format: "username": "api_key" -> store as {"api_key": "username"}
                     self._api_keys[value] = key
                 elif isinstance(value, dict):
-                    # New format: "key": {"username": "user", "roles": ["role1", "role2"]}
+                    # New format: "username": {"api_key": "key", "roles": ["role1", "role2"]}
+                    api_key = value.get("api_key", key)
                     username = value.get("username", key)
-                    self._api_keys[username] = key
-                    self._api_key_metadata[key] = value
+                    self._api_keys[api_key] = username
+                    self._api_key_metadata[api_key] = value
                 else:
                     self.logger.warning(
                         f"Invalid API key format for key {key}: {value}"
@@ -253,7 +255,7 @@ class AuthManager:
             # Find user by API key
             username = None
             user_roles = []
-            for user, api_key_in_config in self._api_keys.items():
+            for api_key_in_config, user in self._api_keys.items():
                 if api_key_in_config == api_key:
                     username = user
                     # Check if we have metadata for this API key
@@ -625,11 +627,23 @@ class AuthManager:
                 )
                 roles = []
 
+            # Extract unitid from certificate
+            unitid = None
+            try:
+                unitid = extract_unitid_from_certificate(cert_pem)
+            except Exception as e:
+                self.logger.warning(
+                    "Failed to extract unitid from certificate",
+                    extra={"username": username, "error": str(e)},
+                )
+
             # Validate certificate chain if CA is configured
             if self.config.ca_cert_file:
                 try:
+                    # Check if CRL is configured for certificate validation
+                    crl_file = getattr(self.config, 'crl_file', None)
                     is_valid_chain = validate_certificate_chain(
-                        cert_pem, self.config.ca_cert_file
+                        cert_pem, self.config.ca_cert_file, crl_file
                     )
                     if not is_valid_chain:
                         return AuthResult(
@@ -654,6 +668,7 @@ class AuthManager:
                 auth_method="certificate",
                 auth_timestamp=datetime.now(timezone.utc),
                 token_expiry=get_not_valid_after_utc(cert),
+                unitid=unitid,
             )
 
             self.logger.info(
@@ -859,7 +874,7 @@ class AuthManager:
             if not validate_api_key_format(api_key):
                 return False
 
-            self._api_keys[username] = api_key
+            self._api_keys[api_key] = username
 
             self.logger.info("API key added for user", extra={"username": username})
 
@@ -882,8 +897,15 @@ class AuthManager:
             bool: True if API key was removed successfully, False otherwise
         """
         try:
-            if username in self._api_keys:
-                del self._api_keys[username]
+            # Find API key for the username and remove it
+            api_key_to_remove = None
+            for api_key, user in self._api_keys.items():
+                if user == username:
+                    api_key_to_remove = api_key
+                    break
+            
+            if api_key_to_remove:
+                del self._api_keys[api_key_to_remove]
 
                 self.logger.info(
                     "API key removed for user", extra={"username": username}

mcp_security_framework/core/cert_manager.py

@@ -29,6 +29,7 @@ License: MIT
 
 import logging
 import os
+import uuid
 from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from typing import Dict, List, Optional, Tuple, Union
@@ -54,10 +55,15 @@ from mcp_security_framework.schemas.models import (
 from mcp_security_framework.utils.cert_utils import (
     extract_permissions_from_certificate,
     extract_roles_from_certificate,
+    extract_unitid_from_certificate,
     get_certificate_expiry,
     get_certificate_serial_number,
+    get_crl_info,
+    is_certificate_revoked,
     is_certificate_self_signed,
+    is_crl_valid,
     parse_certificate,
+    validate_certificate_against_crl,
     validate_certificate_chain,
 )
 from mcp_security_framework.utils.datetime_compat import (
@@ -250,6 +256,14 @@ class CertificateManager:
                 x509.BasicConstraints(ca=True, path_length=None), critical=True
             )
 
+            # Add unitid extension if provided
+            if ca_config.unitid:
+                unitid_extension = x509.UnrecognizedExtension(
+                    oid=x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3"),
+                    value=ca_config.unitid.encode(),
+                )
+                builder = builder.add_extension(unitid_extension, critical=False)
+
             builder = builder.add_extension(
                 x509.KeyUsage(
                     digital_signature=True,
@@ -321,6 +335,7 @@ class CertificateManager:
                 not_after=get_not_valid_after_utc(certificate),
                 certificate_type=CertificateType.ROOT_CA,
                 key_size=ca_config.key_size,
+                unitid=ca_config.unitid,
             )
 
             self.logger.info(
@@ -762,6 +777,14 @@ class CertificateManager:
                 )
                 builder = builder.add_extension(permissions_extension, critical=False)
 
+            # Add unitid extension if provided
+            if client_config.unitid:
+                unitid_extension = x509.UnrecognizedExtension(
+                    oid=x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3"),
+                    value=client_config.unitid.encode(),
+                )
+                builder = builder.add_extension(unitid_extension, critical=False)
+
             # Create certificate
             certificate = builder.sign(ca_key, hashes.SHA256())
 
@@ -812,6 +835,7 @@ class CertificateManager:
                 not_after=get_not_valid_after_utc(certificate),
                 certificate_type=CertificateType.CLIENT,
                 key_size=client_config.key_size,
+                unitid=client_config.unitid,
             )
 
             self.logger.info(
@@ -1327,21 +1351,27 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             return False
 
     def validate_certificate_chain(
-        self, cert_path: str, ca_cert_path: Optional[str] = None
+        self, 
+        cert_path: str, 
+        ca_cert_path: Optional[str] = None,
+        crl_path: Optional[str] = None
     ) -> bool:
         """
-        Validate certificate chain against CA.
+        Validate certificate chain against CA and optionally check CRL.
 
         This method validates a certificate chain by checking the certificate
-        against the CA certificate and verifying the chain of trust.
+        against the CA certificate and verifying the chain of trust. If CRL
+        is provided, it also checks if the certificate is revoked.
 
         Args:
             cert_path (str): Path to certificate to validate
             ca_cert_path (Optional[str]): Path to CA certificate. If None,
                 uses CA certificate from configuration.
+            crl_path (Optional[str]): Path to CRL file. If None, CRL check
+                is skipped. If provided, certificate revocation is checked.
 
         Returns:
-            bool: True if certificate chain is valid, False otherwise
+            bool: True if certificate chain is valid and not revoked, False otherwise
 
         Raises:
             FileNotFoundError: When certificate files are not found
@@ -1352,6 +1382,11 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             >>> is_valid = cert_manager.validate_certificate_chain("client.crt")
             >>> if is_valid:
             ...     print("Certificate chain is valid")
+            >>> 
+            >>> # With CRL check
+            >>> is_valid = cert_manager.validate_certificate_chain(
+            ...     "client.crt", crl_path="crl.pem"
+            ... )
         """
         try:
             # Use configured CA certificate if not provided
@@ -1361,8 +1396,12 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             if not ca_cert_path:
                 raise CertificateConfigurationError("CA certificate path is required")
 
-            # Validate certificate chain
-            return validate_certificate_chain(cert_path, ca_cert_path)
+            # Use configured CRL path if not provided
+            if not crl_path and self.config.crl_enabled:
+                crl_path = self.config.crl_path
+
+            # Validate certificate chain with optional CRL check
+            return validate_certificate_chain(cert_path, ca_cert_path, crl_path)
 
         except Exception as e:
             self.logger.error(
@@ -1370,6 +1409,7 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                 extra={
                     "cert_path": cert_path,
                     "ca_cert_path": ca_cert_path,
+                    "crl_path": crl_path,
                     "error": str(e),
                 },
             )
@@ -1929,6 +1969,221 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                 f"CA private key file not found: {self.config.ca_key_path}"
             )
 
+    def validate_certificate_against_crl(
+        self, 
+        cert_path: str, 
+        crl_path: Optional[str] = None
+    ) -> Dict[str, any]:
+        """
+        Validate certificate against CRL and return detailed revocation status.
+
+        This method checks if a certificate is revoked according to the
+        provided CRL and returns detailed revocation information.
+
+        Args:
+            cert_path (str): Path to certificate to validate
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            Dict[str, any]: Dictionary containing revocation status and details:
+                - is_revoked (bool): True if certificate is revoked
+                - serial_number (str): Certificate serial number
+                - revocation_date (datetime): Date of revocation (if revoked)
+                - revocation_reason (str): Reason for revocation (if revoked)
+                - crl_issuer (str): CRL issuer information
+                - crl_last_update (datetime): CRL last update time
+                - crl_next_update (datetime): CRL next update time
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> result = cert_manager.validate_certificate_against_crl("client.crt")
+            >>> if result["is_revoked"]:
+            ...     print(f"Certificate revoked: {result['revocation_reason']}")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Validate certificate against CRL
+            return validate_certificate_against_crl(cert_path, crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "Certificate CRL validation failed",
+                extra={
+                    "cert_path": cert_path,
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL validation failed: {str(e)}")
+
+    def is_certificate_revoked(
+        self, 
+        cert_path: str, 
+        crl_path: Optional[str] = None
+    ) -> bool:
+        """
+        Check if certificate is revoked according to CRL.
+
+        This method provides a simple boolean check for certificate revocation
+        without detailed revocation information.
+
+        Args:
+            cert_path (str): Path to certificate to check
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            bool: True if certificate is revoked, False otherwise
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> if cert_manager.is_certificate_revoked("client.crt"):
+            ...     print("Certificate is revoked")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Check if certificate is revoked
+            return is_certificate_revoked(cert_path, crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "Certificate revocation check failed",
+                extra={
+                    "cert_path": cert_path,
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"Revocation check failed: {str(e)}")
+
+    def get_crl_info(self, crl_path: Optional[str] = None) -> Dict:
+        """
+        Get detailed information from CRL.
+
+        This method extracts comprehensive information from a CRL including
+        issuer details, validity period, and revoked certificate count.
+
+        Args:
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            Dict: Dictionary containing CRL information:
+                - issuer (str): CRL issuer information
+                - last_update (datetime): CRL last update time
+                - next_update (datetime): CRL next update time
+                - revoked_certificates_count (int): Number of revoked certificates
+                - days_until_expiry (int): Days until CRL expires
+                - is_expired (bool): True if CRL is expired
+                - expires_soon (bool): True if CRL expires within 7 days
+                - status (str): CRL status (valid, expires_soon, expired)
+                - version (str): CRL version
+                - signature_algorithm (str): Signature algorithm used
+                - signature (str): CRL signature in hex format
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL information extraction fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> crl_info = cert_manager.get_crl_info()
+            >>> print(f"CRL has {crl_info['revoked_certificates_count']} revoked certificates")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Get CRL information
+            return get_crl_info(crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "CRL information extraction failed",
+                extra={
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL information extraction failed: {str(e)}")
+
+    def is_crl_valid(self, crl_path: Optional[str] = None) -> bool:
+        """
+        Check if CRL is valid (not expired and properly formatted).
+
+        This method validates CRL format and checks if it's within its
+        validity period.
+
+        Args:
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            bool: True if CRL is valid, False otherwise
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> if cert_manager.is_crl_valid():
+            ...     print("CRL is valid")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Check if CRL is valid
+            return is_crl_valid(crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "CRL validation failed",
+                extra={
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL validation failed: {str(e)}")
+
 
 class CertificateConfigurationError(Exception):
     """Raised when certificate configuration is invalid."""