mcp-security-framework 1.1.2__py3-none-any.whl → 1.2.1__py3-none-any.whl

mcp_security_framework/core/ssl_manager.py

@@ -37,6 +37,7 @@ from ..schemas.models import CertificateInfo
 from ..utils.cert_utils import (
     extract_certificate_info,
     get_certificate_expiry,
+    is_certificate_revoked,
     is_certificate_self_signed,
     parse_certificate,
     validate_certificate_chain,
@@ -349,21 +350,24 @@ class SSLManager:
                 f"Failed to create client SSL context: {str(e)}"
             )
 
-    def validate_certificate(self, cert_path: str) -> bool:
+    def validate_certificate(self, cert_path: str, crl_path: Optional[str] = None) -> bool:
         """
-        Validate certificate file.
+        Validate certificate file with optional CRL check.
 
         This method validates a certificate file by checking its format,
-        parsing it, and verifying basic certificate properties.
+        parsing it, and verifying basic certificate properties. If CRL
+        is provided, it also checks if the certificate is revoked.
 
         Args:
             cert_path (str): Path to certificate file to validate.
                 Must be a valid PEM or DER certificate file path.
+            crl_path (Optional[str]): Path to CRL file. If None, CRL check
+                is skipped. If provided, certificate revocation is checked.
 
         Returns:
-            bool: True if certificate is valid, False otherwise.
-                Returns True when certificate can be parsed and has
-                valid basic properties.
+            bool: True if certificate is valid and not revoked, False otherwise.
+                Returns True when certificate can be parsed, has valid basic
+                properties, and is not revoked (if CRL is provided).
 
         Raises:
             FileNotFoundError: If certificate file is not found.
@@ -374,8 +378,9 @@ class SSLManager:
             >>> is_valid = ssl_manager.validate_certificate("server.crt")
             >>> if is_valid:
             ...     print("Certificate is valid")
-            >>> else:
-            ...     print("Certificate is invalid")
+            >>> 
+            >>> # With CRL check
+            >>> is_valid = ssl_manager.validate_certificate("server.crt", "crl.pem")
         """
         try:
             # Check if file exists
@@ -402,8 +407,35 @@ class SSLManager:
                 )
                 return False
 
+            # Check CRL if provided
+            if crl_path:
+                try:
+                    if is_certificate_revoked(cert_path, crl_path):
+                        self.logger.warning(
+                            "Certificate is revoked",
+                            extra={
+                                "cert_path": cert_path,
+                                "crl_path": crl_path,
+                            },
+                        )
+                        return False
+                except Exception as e:
+                    self.logger.error(
+                        "CRL validation failed",
+                        extra={
+                            "cert_path": cert_path,
+                            "crl_path": crl_path,
+                            "error": str(e),
+                        },
+                    )
+                    return False
+
             self.logger.info(
-                "Certificate validation successful", extra={"cert_path": cert_path}
+                "Certificate validation successful", 
+                extra={
+                    "cert_path": cert_path,
+                    "crl_checked": crl_path is not None,
+                }
             )
 
             return True

mcp_security_framework/middleware/mtls_middleware.py

@@ -223,9 +223,17 @@ class MTLSMiddleware(SecurityMiddleware):
             Dict[str, Any]: Validation result with status and details
         """
         try:
-            # Use security manager's certificate validation
+            # Get CA certificate file
+            ca_cert_file = self.config.ssl.ca_cert_file if self.config.ssl else None
+            
+            # Get CRL file if configured
+            crl_file = None
+            if self.config.ssl and hasattr(self.config.ssl, 'crl_file'):
+                crl_file = self.config.ssl.crl_file
+            
+            # Use security manager's certificate validation with optional CRL check
             is_valid = self.security_manager.cert_manager.validate_certificate_chain(
-                cert_pem, self.config.ssl.ca_cert_file if self.config.ssl else None
+                cert_pem, ca_cert_file, crl_file
             )
 
             if is_valid:

mcp_security_framework/schemas/config.py

@@ -33,6 +33,7 @@ License: MIT
 from enum import Enum
 from pathlib import Path
 from typing import Any, Dict, List, Optional, Union
+import uuid
 
 from pydantic import BaseModel, Field, field_validator, model_validator
 from pydantic.types import SecretStr
@@ -599,6 +600,21 @@ class CAConfig(BaseModel):
     hash_algorithm: str = Field(
         default="sha256", description="Hash algorithm for signing"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
+
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
 
 
 class IntermediateCAConfig(CAConfig):
@@ -668,6 +684,21 @@ class ClientCertConfig(BaseModel):
     )
     ca_cert_path: str = Field(..., description="Path to signing CA certificate")
     ca_key_path: str = Field(..., description="Path to signing CA private key")
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
+
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
 
 
 class ServerCertConfig(ClientCertConfig):

mcp_security_framework/schemas/models.py

@@ -38,6 +38,7 @@ License: MIT
 from datetime import datetime, timedelta, timezone
 from enum import Enum
 from typing import Any, Dict, List, Optional, Set, TypeAlias
+import uuid
 
 from pydantic import BaseModel, Field, field_validator, model_validator
 
@@ -140,6 +141,9 @@ class AuthResult(BaseModel):
     metadata: Dict[str, Any] = Field(
         default_factory=dict, description="Additional authentication metadata"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) from certificate"
+    )
 
     @field_validator("username")
     @classmethod
@@ -149,6 +153,18 @@ class AuthResult(BaseModel):
             raise ValueError("Username cannot be empty")
         return v
 
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
+
     @model_validator(mode="after")
     def validate_auth_result(self):
         """Validate authentication result consistency."""
@@ -309,6 +325,9 @@ class CertificateInfo(BaseModel):
     fingerprint_sha256: Optional[str] = Field(
         default=None, description="SHA256 fingerprint"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
 
     @field_validator("key_size")
     @classmethod
@@ -318,6 +337,18 @@ class CertificateInfo(BaseModel):
             raise ValueError("Key size must be between 512 and 8192 bits")
         return v
 
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
+
     @property
     def is_expired(self) -> bool:
         """Check if certificate is expired."""
@@ -424,6 +455,9 @@ class CertificatePair(BaseModel):
     metadata: Dict[str, Any] = Field(
         default_factory=dict, description="Additional certificate metadata"
     )
+    unitid: Optional[str] = Field(
+        default=None, description="Unique unit identifier (UUID4) for the certificate"
+    )
 
     @field_validator("certificate_pem")
     @classmethod
@@ -449,6 +483,18 @@ class CertificatePair(BaseModel):
             raise ValueError("Invalid private key PEM format")
         return v
 
+    @field_validator("unitid")
+    @classmethod
+    def validate_unitid(cls, v):
+        """Validate unitid format."""
+        if v is not None:
+            try:
+                # Validate UUID4 format
+                uuid.UUID(v, version=4)
+            except ValueError:
+                raise ValueError("unitid must be a valid UUID4 string")
+        return v
+
     @property
     def is_expired(self) -> bool:
         """Check if certificate is expired."""

mcp_security_framework/utils/cert_utils.py

@@ -20,10 +20,15 @@ Functions:
     validate_certificate_format: Validate certificate format
     extract_roles_from_certificate: Extract roles from certificate
     extract_permissions_from_certificate: Extract permissions from certificate
-    validate_certificate_chain: Validate certificate chain
+    validate_certificate_chain: Validate certificate chain with optional CRL check
     get_certificate_expiry: Get certificate expiry information
     convert_certificate_format: Convert between certificate formats
     extract_public_key: Extract public key from certificate
+    parse_crl: Parse Certificate Revocation List from PEM/DER format
+    is_certificate_revoked: Check if certificate is revoked according to CRL
+    validate_certificate_against_crl: Validate certificate against CRL with details
+    is_crl_valid: Check if CRL is valid and not expired
+    get_crl_info: Get detailed information from CRL
 
 Author: MCP Security Team
 Version: 1.0.0
@@ -33,12 +38,12 @@ License: MIT
 import base64
 from datetime import datetime, timezone
 from pathlib import Path
-from typing import Dict, List, Union
+from typing import Dict, List, Union, Optional
 
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.x509.oid import ExtensionOID, NameOID
+from cryptography.x509.oid import ExtensionOID, NameOID, CRLEntryExtensionOID
 
 from mcp_security_framework.utils.datetime_compat import (
     get_not_valid_after_utc,
@@ -155,6 +160,15 @@ def extract_certificate_info(cert_data: Union[str, bytes, Path]) -> Dict:
         if country:
             info["country"] = country[0].value
 
+        # Extract unitid
+        try:
+            unitid = extract_unitid_from_certificate(cert_data)
+            if unitid:
+                info["unitid"] = unitid
+        except Exception:
+            # If unitid extraction fails, continue without it
+            pass
+
         return info
     except Exception as e:
         raise CertificateError(f"Certificate information extraction failed: {str(e)}")
@@ -270,19 +284,66 @@ def extract_permissions_from_certificate(
         raise CertificateError(f"Permission extraction failed: {str(e)}")
 
 
+def extract_unitid_from_certificate(
+    cert_data: Union[str, bytes, Path],
+) -> Optional[str]:
+    """
+    Extract unitid from certificate extensions.
+
+    Args:
+        cert_data: Certificate data as string, bytes, or file path
+
+    Returns:
+        Unit ID (UUID4) found in certificate, or None if not found
+
+    Raises:
+        CertificateError: If unitid extraction fails
+    """
+    try:
+        cert = parse_certificate(cert_data)
+        unitid = None
+
+        # Check for custom extension with unitid
+        try:
+            unitid_extension = cert.extensions.get_extension_for_oid(
+                x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.3")  # Custom unitid OID
+            )
+            if unitid_extension:
+                unitid_data = unitid_extension.value.value
+                if isinstance(unitid_data, bytes):
+                    unitid_str = unitid_data.decode("utf-8")
+                    unitid = unitid_str.strip()
+                    
+                    # Validate UUID4 format
+                    try:
+                        import uuid
+                        uuid.UUID(unitid, version=4)
+                    except ValueError:
+                        # Invalid UUID4 format, return None
+                        unitid = None
+        except x509.extensions.ExtensionNotFound:
+            pass
+
+        return unitid
+    except Exception as e:
+        raise CertificateError(f"Unitid extraction failed: {str(e)}")
+
+
 def validate_certificate_chain(
     cert_data: Union[str, bytes, Path],
     ca_cert_data: Union[str, bytes, Path, List[Union[str, bytes, Path]]],
+    crl_data: Optional[Union[str, bytes, Path]] = None,
 ) -> bool:
     """
-    Validate certificate chain against CA certificate(s).
+    Validate certificate chain against CA certificate(s) and optionally check CRL.
 
     Args:
         cert_data: Certificate data to validate
         ca_cert_data: CA certificate data or list of CA certificates
+        crl_data: Optional CRL data to check for certificate revocation
 
     Returns:
-        True if chain is valid, False otherwise
+        True if chain is valid and not revoked, False otherwise
 
     Raises:
         CertificateError: If validation fails
@@ -296,13 +357,28 @@ def validate_certificate_chain(
         else:
             ca_certs = [parse_certificate(ca_cert_data)]
 
-        # For now, just check that the certificate was issued by one of the CA certificates
+        # Check that the certificate was issued by one of the CA certificates
         # This is a simplified validation - in a real scenario, you would use OpenSSL or similar
+        chain_valid = False
         for ca_cert in ca_certs:
             if cert.issuer == ca_cert.subject:
-                return True
+                chain_valid = True
+                break
+
+        if not chain_valid:
+            return False
+
+        # If CRL is provided, check if certificate is revoked
+        if crl_data:
+            try:
+                if is_certificate_revoked(cert_data, crl_data):
+                    return False
+            except Exception as e:
+                # If CRL check fails, we can choose to fail validation or continue
+                # For security, we'll fail validation if CRL check fails
+                raise CertificateError(f"CRL validation failed: {str(e)}")
 
-        return False
+        return True
     except Exception as e:
         return False
 
@@ -529,3 +605,228 @@ def is_certificate_self_signed(cert_data: Union[str, bytes, Path]) -> bool:
         return cert.subject == cert.issuer
     except Exception as e:
         raise CertificateError(f"Self-signed check failed: {str(e)}")
+
+
+def parse_crl(crl_data: Union[str, bytes, Path]) -> x509.CertificateRevocationList:
+    """
+    Parse Certificate Revocation List (CRL) from PEM or DER format.
+
+    Args:
+        crl_data: CRL data as string, bytes, or file path
+
+    Returns:
+        Parsed X.509 CRL object
+
+    Raises:
+        CertificateError: If CRL parsing fails
+    """
+    try:
+        # Handle string input first (check if it's PEM data)
+        if isinstance(crl_data, str):
+            # Check if it looks like PEM data
+            if "-----BEGIN X509 CRL-----" in crl_data:
+                lines = crl_data.strip().split("\n")
+                crl_data = "".join(
+                    line for line in lines if not line.startswith("-----")
+                )
+                crl_data = base64.b64decode(crl_data)
+            else:
+                # Try to treat as file path
+                try:
+                    if Path(crl_data).exists():
+                        with open(crl_data, "rb") as f:
+                            crl_data = f.read()
+                    else:
+                        # Try to decode as base64
+                        crl_data = base64.b64decode(crl_data)
+                except (OSError, ValueError):
+                    # If file doesn't exist and not base64, try to decode anyway
+                    crl_data = base64.b64decode(crl_data)
+
+        # Handle Path object
+        elif isinstance(crl_data, Path):
+            if crl_data.exists():
+                with open(crl_data, "rb") as f:
+                    crl_data = f.read()
+            else:
+                raise CertificateError(f"CRL file not found: {crl_data}")
+
+        # Try to parse as PEM first, then as DER
+        try:
+            return x509.load_pem_x509_crl(crl_data)
+        except Exception:
+            return x509.load_der_x509_crl(crl_data)
+    except Exception as e:
+        raise CertificateError(f"CRL parsing failed: {str(e)}")
+
+
+def is_certificate_revoked(
+    cert_data: Union[str, bytes, Path], 
+    crl_data: Union[str, bytes, Path]
+) -> bool:
+    """
+    Check if certificate is revoked according to CRL.
+
+    Args:
+        cert_data: Certificate data to check
+        crl_data: CRL data to check against
+
+    Returns:
+        True if certificate is revoked, False otherwise
+
+    Raises:
+        CertificateError: If revocation check fails
+    """
+    try:
+        cert = parse_certificate(cert_data)
+        crl = parse_crl(crl_data)
+        
+        # Get certificate serial number
+        cert_serial = cert.serial_number
+        
+        # Check if certificate serial number is in CRL
+        for revoked_cert in crl:
+            if revoked_cert.serial_number == cert_serial:
+                return True
+                
+        return False
+    except Exception as e:
+        raise CertificateError(f"Certificate revocation check failed: {str(e)}")
+
+
+def validate_certificate_against_crl(
+    cert_data: Union[str, bytes, Path], 
+    crl_data: Union[str, bytes, Path]
+) -> Dict[str, any]:
+    """
+    Validate certificate against CRL and return detailed revocation status.
+
+    Args:
+        cert_data: Certificate data to validate
+        crl_data: CRL data to validate against
+
+    Returns:
+        Dictionary containing revocation status and details
+
+    Raises:
+        CertificateError: If validation fails
+    """
+    try:
+        cert = parse_certificate(cert_data)
+        crl = parse_crl(crl_data)
+        
+        # Get certificate serial number
+        cert_serial = cert.serial_number
+        
+        # Check if certificate serial number is in CRL
+        for revoked_cert in crl:
+            if revoked_cert.serial_number == cert_serial:
+                # Extract revocation reason if available
+                revocation_reason = "unspecified"
+                try:
+                    reason_ext = revoked_cert.extensions.get_extension_for_oid(
+                        CRLEntryExtensionOID.CRL_REASON
+                    )
+                    if reason_ext:
+                        revocation_reason = reason_ext.value.reason.name
+                except x509.extensions.ExtensionNotFound:
+                    pass
+                
+                return {
+                    "is_revoked": True,
+                    "serial_number": str(cert_serial),
+                    "revocation_date": revoked_cert.revocation_date_utc,
+                    "revocation_reason": revocation_reason,
+                    "crl_issuer": str(crl.issuer),
+                    "crl_last_update": crl.last_update_utc,
+                    "crl_next_update": crl.next_update_utc
+                }
+        
+        return {
+            "is_revoked": False,
+            "serial_number": str(cert_serial),
+            "crl_issuer": str(crl.issuer),
+            "crl_last_update": crl.last_update_utc,
+            "crl_next_update": crl.next_update_utc
+        }
+    except Exception as e:
+        raise CertificateError(f"Certificate CRL validation failed: {str(e)}")
+
+
+def is_crl_valid(crl_data: Union[str, bytes, Path]) -> bool:
+    """
+    Check if CRL is valid (not expired and properly formatted).
+
+    Args:
+        crl_data: CRL data to validate
+
+    Returns:
+        True if CRL is valid, False otherwise
+
+    Raises:
+        CertificateError: If CRL validation fails
+    """
+    try:
+        crl = parse_crl(crl_data)
+        now = datetime.now(timezone.utc)
+        
+        # Check if CRL is expired
+        if crl.next_update_utc and crl.next_update_utc < now:
+            return False
+            
+        # Check if CRL is not yet valid
+        if crl.last_update_utc and crl.last_update_utc > now:
+            return False
+            
+        return True
+    except Exception as e:
+        raise CertificateError(f"CRL validation failed: {str(e)}")
+
+
+def get_crl_info(crl_data: Union[str, bytes, Path]) -> Dict:
+    """
+    Get detailed information from CRL.
+
+    Args:
+        crl_data: CRL data to analyze
+
+    Returns:
+        Dictionary containing CRL information
+
+    Raises:
+        CertificateError: If CRL information extraction fails
+    """
+    try:
+        crl = parse_crl(crl_data)
+        now = datetime.now(timezone.utc)
+        
+        # Calculate time until CRL expiry
+        time_until_expiry = crl.next_update_utc - now if crl.next_update_utc else None
+        days_until_expiry = time_until_expiry.days if time_until_expiry else None
+        
+        # Determine CRL status
+        if crl.next_update_utc and crl.next_update_utc < now:
+            status = "expired"
+        elif days_until_expiry and days_until_expiry <= 7:
+            status = "expires_soon"
+        else:
+            status = "valid"
+        
+        # Count revoked certificates
+        revoked_count = len(list(crl))
+        
+        return {
+            "issuer": str(crl.issuer),
+            "last_update": crl.last_update_utc,
+            "next_update": crl.next_update_utc,
+            "revoked_certificates_count": revoked_count,
+            "days_until_expiry": days_until_expiry,
+            "is_expired": crl.next_update_utc < now if crl.next_update_utc else False,
+            "expires_soon": days_until_expiry <= 7 if days_until_expiry else False,
+            "status": status,
+            "version": "v2",  # CRL version is typically v2
+            "signature_algorithm": crl.signature_algorithm_oid._name,
+            "signature": crl.signature.hex(),
+        }
+    except Exception as e:
+        raise CertificateError(f"CRL information extraction failed: {str(e)}")

{mcp_security_framework-1.1.2.dist-info → mcp_security_framework-1.2.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-security-framework
-Version: 1.1.2
+Version: 1.2.1
 Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations.
 Author-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 Maintainer-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>