mcp-security-framework 1.1.2__tar.gz → 1.2.0__tar.gz

{mcp_security_framework-1.1.2 → mcp_security_framework-1.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-security-framework
-Version: 1.1.2
+Version: 1.2.0
 Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations.
 Author-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 Maintainer-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>

{mcp_security_framework-1.1.2 → mcp_security_framework-1.2.0}/mcp_security_framework/cli/cert_cli.py

@@ -314,12 +314,18 @@ def create_client(
     type=click.Path(exists=True),
     help="Path to CA certificate for validation",
 )
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for revocation check",
+)
 @click.pass_context
-def validate(ctx, cert_path: str, ca_cert: Optional[str]):
+def validate(ctx, cert_path: str, ca_cert: Optional[str], crl: Optional[str]):
     """
     Validate a certificate.
 
-    This command validates a certificate and optionally checks it against a CA.
+    This command validates a certificate and optionally checks it against a CA
+    and CRL for revocation status.
     """
     try:
         config = ctx.obj["config"]
@@ -330,12 +336,16 @@ def validate(ctx, cert_path: str, ca_cert: Optional[str]):
             click.echo(f"Validating certificate: {cert_path}")
             if ca_cert:
                 click.echo(f"Using CA certificate: {ca_cert}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
 
         # Validate certificate
-        is_valid = cert_manager.validate_certificate_chain(cert_path, ca_cert)
+        is_valid = cert_manager.validate_certificate_chain(cert_path, ca_cert, crl)
 
         if is_valid:
             click.echo(f"✅ Certificate is valid!")
+            if crl:
+                click.echo(f"✅ Certificate is not revoked according to CRL")
         else:
             click.echo(f"❌ Certificate validation failed!", err=True)
             raise click.Abort()
@@ -543,5 +553,159 @@ def revoke(ctx, serial_number: str, reason: str):
         raise click.Abort()
 
 
+@cert_cli.command()
+@click.argument("cert_path", type=click.Path(exists=True))
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for revocation check",
+)
+@click.pass_context
+def check_revocation(ctx, cert_path: str, crl: Optional[str]):
+    """
+    Check if certificate is revoked according to CRL.
+
+    This command checks if a certificate is revoked according to the provided CRL.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Checking revocation status for certificate: {cert_path}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
+
+        # Check if certificate is revoked
+        is_revoked = cert_manager.is_certificate_revoked(cert_path, crl)
+
+        if is_revoked:
+            click.echo(f"❌ Certificate is REVOKED!", err=True)
+        else:
+            click.echo(f"✅ Certificate is NOT revoked")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to check revocation status: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("cert_path", type=click.Path(exists=True))
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for detailed revocation check",
+)
+@click.pass_context
+def revocation_info(ctx, cert_path: str, crl: Optional[str]):
+    """
+    Get detailed revocation information for certificate.
+
+    This command provides detailed revocation information including
+    revocation date, reason, and CRL details.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Getting revocation information for certificate: {cert_path}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
+
+        # Get detailed revocation information
+        revocation_info = cert_manager.validate_certificate_against_crl(cert_path, crl)
+
+        click.echo(f"Certificate Serial Number: {revocation_info['serial_number']}")
+        click.echo(f"CRL Issuer: {revocation_info['crl_issuer']}")
+        click.echo(f"CRL Last Update: {revocation_info['crl_last_update']}")
+        click.echo(f"CRL Next Update: {revocation_info['crl_next_update']}")
+
+        if revocation_info["is_revoked"]:
+            click.echo(f"❌ Certificate is REVOKED!", err=True)
+            click.echo(f"Revocation Date: {revocation_info['revocation_date']}")
+            click.echo(f"Revocation Reason: {revocation_info['revocation_reason']}")
+        else:
+            click.echo(f"✅ Certificate is NOT revoked")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to get revocation information: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("crl_path", type=click.Path(exists=True))
+@click.pass_context
+def crl_info(ctx, crl_path: str):
+    """
+    Display CRL information.
+
+    This command displays detailed information about a CRL including
+    issuer, validity period, and revoked certificate count.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Getting CRL information: {crl_path}")
+
+        # Get CRL information
+        crl_info = cert_manager.get_crl_info(crl_path)
+
+        click.echo(f"CRL Issuer: {crl_info['issuer']}")
+        click.echo(f"Last Update: {crl_info['last_update']}")
+        click.echo(f"Next Update: {crl_info['next_update']}")
+        click.echo(f"Revoked Certificates: {crl_info['revoked_certificates_count']}")
+        click.echo(f"Status: {crl_info['status']}")
+        click.echo(f"Version: {crl_info['version']}")
+        click.echo(f"Signature Algorithm: {crl_info['signature_algorithm']}")
+
+        if crl_info["is_expired"]:
+            click.echo(f"❌ CRL is EXPIRED!", err=True)
+        elif crl_info["expires_soon"]:
+            click.echo(f"⚠️  CRL expires soon ({crl_info['days_until_expiry']} days)", err=True)
+        else:
+            click.echo(f"✅ CRL is valid")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to get CRL information: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("crl_path", type=click.Path(exists=True))
+@click.pass_context
+def validate_crl(ctx, crl_path: str):
+    """
+    Validate CRL file.
+
+    This command validates a CRL file for format and validity period.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Validating CRL: {crl_path}")
+
+        # Validate CRL
+        is_valid = cert_manager.is_crl_valid(crl_path)
+
+        if is_valid:
+            click.echo(f"✅ CRL is valid!")
+        else:
+            click.echo(f"❌ CRL validation failed!", err=True)
+            raise click.Abort()
+
+    except Exception as e:
+        click.echo(f"❌ CRL validation failed: {str(e)}", err=True)
+        raise click.Abort()
+
+
 if __name__ == "__main__":
     cert_cli()

{mcp_security_framework-1.1.2 → mcp_security_framework-1.2.0}/mcp_security_framework/core/auth_manager.py

@@ -628,8 +628,10 @@ class AuthManager:
             # Validate certificate chain if CA is configured
             if self.config.ca_cert_file:
                 try:
+                    # Check if CRL is configured for certificate validation
+                    crl_file = getattr(self.config, 'crl_file', None)
                     is_valid_chain = validate_certificate_chain(
-                        cert_pem, self.config.ca_cert_file
+                        cert_pem, self.config.ca_cert_file, crl_file
                     )
                     if not is_valid_chain:
                         return AuthResult(

{mcp_security_framework-1.1.2 → mcp_security_framework-1.2.0}/mcp_security_framework/core/cert_manager.py

@@ -56,8 +56,12 @@ from mcp_security_framework.utils.cert_utils import (
     extract_roles_from_certificate,
     get_certificate_expiry,
     get_certificate_serial_number,
+    get_crl_info,
+    is_certificate_revoked,
     is_certificate_self_signed,
+    is_crl_valid,
     parse_certificate,
+    validate_certificate_against_crl,
     validate_certificate_chain,
 )
 from mcp_security_framework.utils.datetime_compat import (
@@ -1327,21 +1331,27 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             return False
 
     def validate_certificate_chain(
-        self, cert_path: str, ca_cert_path: Optional[str] = None
+        self, 
+        cert_path: str, 
+        ca_cert_path: Optional[str] = None,
+        crl_path: Optional[str] = None
     ) -> bool:
         """
-        Validate certificate chain against CA.
+        Validate certificate chain against CA and optionally check CRL.
 
         This method validates a certificate chain by checking the certificate
-        against the CA certificate and verifying the chain of trust.
+        against the CA certificate and verifying the chain of trust. If CRL
+        is provided, it also checks if the certificate is revoked.
 
         Args:
             cert_path (str): Path to certificate to validate
             ca_cert_path (Optional[str]): Path to CA certificate. If None,
                 uses CA certificate from configuration.
+            crl_path (Optional[str]): Path to CRL file. If None, CRL check
+                is skipped. If provided, certificate revocation is checked.
 
         Returns:
-            bool: True if certificate chain is valid, False otherwise
+            bool: True if certificate chain is valid and not revoked, False otherwise
 
         Raises:
             FileNotFoundError: When certificate files are not found
@@ -1352,6 +1362,11 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             >>> is_valid = cert_manager.validate_certificate_chain("client.crt")
             >>> if is_valid:
             ...     print("Certificate chain is valid")
+            >>> 
+            >>> # With CRL check
+            >>> is_valid = cert_manager.validate_certificate_chain(
+            ...     "client.crt", crl_path="crl.pem"
+            ... )
         """
         try:
             # Use configured CA certificate if not provided
@@ -1361,8 +1376,12 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             if not ca_cert_path:
                 raise CertificateConfigurationError("CA certificate path is required")
 
-            # Validate certificate chain
-            return validate_certificate_chain(cert_path, ca_cert_path)
+            # Use configured CRL path if not provided
+            if not crl_path and self.config.crl_enabled:
+                crl_path = self.config.crl_path
+
+            # Validate certificate chain with optional CRL check
+            return validate_certificate_chain(cert_path, ca_cert_path, crl_path)
 
         except Exception as e:
             self.logger.error(
@@ -1370,6 +1389,7 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                 extra={
                     "cert_path": cert_path,
                     "ca_cert_path": ca_cert_path,
+                    "crl_path": crl_path,
                     "error": str(e),
                 },
             )
@@ -1929,6 +1949,221 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                 f"CA private key file not found: {self.config.ca_key_path}"
             )
 
+    def validate_certificate_against_crl(
+        self, 
+        cert_path: str, 
+        crl_path: Optional[str] = None
+    ) -> Dict[str, any]:
+        """
+        Validate certificate against CRL and return detailed revocation status.
+
+        This method checks if a certificate is revoked according to the
+        provided CRL and returns detailed revocation information.
+
+        Args:
+            cert_path (str): Path to certificate to validate
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            Dict[str, any]: Dictionary containing revocation status and details:
+                - is_revoked (bool): True if certificate is revoked
+                - serial_number (str): Certificate serial number
+                - revocation_date (datetime): Date of revocation (if revoked)
+                - revocation_reason (str): Reason for revocation (if revoked)
+                - crl_issuer (str): CRL issuer information
+                - crl_last_update (datetime): CRL last update time
+                - crl_next_update (datetime): CRL next update time
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> result = cert_manager.validate_certificate_against_crl("client.crt")
+            >>> if result["is_revoked"]:
+            ...     print(f"Certificate revoked: {result['revocation_reason']}")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Validate certificate against CRL
+            return validate_certificate_against_crl(cert_path, crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "Certificate CRL validation failed",
+                extra={
+                    "cert_path": cert_path,
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL validation failed: {str(e)}")
+
+    def is_certificate_revoked(
+        self, 
+        cert_path: str, 
+        crl_path: Optional[str] = None
+    ) -> bool:
+        """
+        Check if certificate is revoked according to CRL.
+
+        This method provides a simple boolean check for certificate revocation
+        without detailed revocation information.
+
+        Args:
+            cert_path (str): Path to certificate to check
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            bool: True if certificate is revoked, False otherwise
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> if cert_manager.is_certificate_revoked("client.crt"):
+            ...     print("Certificate is revoked")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Check if certificate is revoked
+            return is_certificate_revoked(cert_path, crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "Certificate revocation check failed",
+                extra={
+                    "cert_path": cert_path,
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"Revocation check failed: {str(e)}")
+
+    def get_crl_info(self, crl_path: Optional[str] = None) -> Dict:
+        """
+        Get detailed information from CRL.
+
+        This method extracts comprehensive information from a CRL including
+        issuer details, validity period, and revoked certificate count.
+
+        Args:
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            Dict: Dictionary containing CRL information:
+                - issuer (str): CRL issuer information
+                - last_update (datetime): CRL last update time
+                - next_update (datetime): CRL next update time
+                - revoked_certificates_count (int): Number of revoked certificates
+                - days_until_expiry (int): Days until CRL expires
+                - is_expired (bool): True if CRL is expired
+                - expires_soon (bool): True if CRL expires within 7 days
+                - status (str): CRL status (valid, expires_soon, expired)
+                - version (str): CRL version
+                - signature_algorithm (str): Signature algorithm used
+                - signature (str): CRL signature in hex format
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL information extraction fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> crl_info = cert_manager.get_crl_info()
+            >>> print(f"CRL has {crl_info['revoked_certificates_count']} revoked certificates")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Get CRL information
+            return get_crl_info(crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "CRL information extraction failed",
+                extra={
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL information extraction failed: {str(e)}")
+
+    def is_crl_valid(self, crl_path: Optional[str] = None) -> bool:
+        """
+        Check if CRL is valid (not expired and properly formatted).
+
+        This method validates CRL format and checks if it's within its
+        validity period.
+
+        Args:
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            bool: True if CRL is valid, False otherwise
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> if cert_manager.is_crl_valid():
+            ...     print("CRL is valid")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Check if CRL is valid
+            return is_crl_valid(crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "CRL validation failed",
+                extra={
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL validation failed: {str(e)}")
+
 
 class CertificateConfigurationError(Exception):
     """Raised when certificate configuration is invalid."""

{mcp_security_framework-1.1.2 → mcp_security_framework-1.2.0}/mcp_security_framework/core/ssl_manager.py

@@ -37,6 +37,7 @@ from ..schemas.models import CertificateInfo
 from ..utils.cert_utils import (
     extract_certificate_info,
     get_certificate_expiry,
+    is_certificate_revoked,
     is_certificate_self_signed,
     parse_certificate,
     validate_certificate_chain,
@@ -349,21 +350,24 @@ class SSLManager:
                 f"Failed to create client SSL context: {str(e)}"
             )
 
-    def validate_certificate(self, cert_path: str) -> bool:
+    def validate_certificate(self, cert_path: str, crl_path: Optional[str] = None) -> bool:
         """
-        Validate certificate file.
+        Validate certificate file with optional CRL check.
 
         This method validates a certificate file by checking its format,
-        parsing it, and verifying basic certificate properties.
+        parsing it, and verifying basic certificate properties. If CRL
+        is provided, it also checks if the certificate is revoked.
 
         Args:
             cert_path (str): Path to certificate file to validate.
                 Must be a valid PEM or DER certificate file path.
+            crl_path (Optional[str]): Path to CRL file. If None, CRL check
+                is skipped. If provided, certificate revocation is checked.
 
         Returns:
-            bool: True if certificate is valid, False otherwise.
-                Returns True when certificate can be parsed and has
-                valid basic properties.
+            bool: True if certificate is valid and not revoked, False otherwise.
+                Returns True when certificate can be parsed, has valid basic
+                properties, and is not revoked (if CRL is provided).
 
         Raises:
             FileNotFoundError: If certificate file is not found.
@@ -374,8 +378,9 @@ class SSLManager:
             >>> is_valid = ssl_manager.validate_certificate("server.crt")
             >>> if is_valid:
             ...     print("Certificate is valid")
-            >>> else:
-            ...     print("Certificate is invalid")
+            >>> 
+            >>> # With CRL check
+            >>> is_valid = ssl_manager.validate_certificate("server.crt", "crl.pem")
         """
         try:
             # Check if file exists
@@ -402,8 +407,35 @@ class SSLManager:
                 )
                 return False
 
+            # Check CRL if provided
+            if crl_path:
+                try:
+                    if is_certificate_revoked(cert_path, crl_path):
+                        self.logger.warning(
+                            "Certificate is revoked",
+                            extra={
+                                "cert_path": cert_path,
+                                "crl_path": crl_path,
+                            },
+                        )
+                        return False
+                except Exception as e:
+                    self.logger.error(
+                        "CRL validation failed",
+                        extra={
+                            "cert_path": cert_path,
+                            "crl_path": crl_path,
+                            "error": str(e),
+                        },
+                    )
+                    return False
+
             self.logger.info(
-                "Certificate validation successful", extra={"cert_path": cert_path}
+                "Certificate validation successful", 
+                extra={
+                    "cert_path": cert_path,
+                    "crl_checked": crl_path is not None,
+                }
             )
 
             return True

{mcp_security_framework-1.1.2 → mcp_security_framework-1.2.0}/mcp_security_framework/middleware/mtls_middleware.py

@@ -223,9 +223,17 @@ class MTLSMiddleware(SecurityMiddleware):
             Dict[str, Any]: Validation result with status and details
         """
         try:
-            # Use security manager's certificate validation
+            # Get CA certificate file
+            ca_cert_file = self.config.ssl.ca_cert_file if self.config.ssl else None
+            
+            # Get CRL file if configured
+            crl_file = None
+            if self.config.ssl and hasattr(self.config.ssl, 'crl_file'):
+                crl_file = self.config.ssl.crl_file
+            
+            # Use security manager's certificate validation with optional CRL check
             is_valid = self.security_manager.cert_manager.validate_certificate_chain(
-                cert_pem, self.config.ssl.ca_cert_file if self.config.ssl else None
+                cert_pem, ca_cert_file, crl_file
             )
 
             if is_valid: