packages/shade-crypto-web/tests/hardening.test.ts

import { describe, test, expect } from 'bun:test';
import { SubtleCryptoProvider } from '../src/provider.js';
import { constantTimeEqual } from '@shade/core';

const crypto = new SubtleCryptoProvider();

describe('Cryptographic Hardening', () => {
  // ─── constantTimeEqual ───────────────────────────────────

  describe('constantTimeEqual', () => {
    test('equal arrays return true', () => {
      const a = new Uint8Array([1, 2, 3, 4, 5]);
      const b = new Uint8Array([1, 2, 3, 4, 5]);
      expect(crypto.constantTimeEqual(a, b)).toBe(true);
    });

    test('unequal arrays return false', () => {
      const a = new Uint8Array([1, 2, 3, 4, 5]);
      const b = new Uint8Array([1, 2, 3, 4, 6]);
      expect(crypto.constantTimeEqual(a, b)).toBe(false);
    });

    test('different lengths return false', () => {
      const a = new Uint8Array([1, 2, 3]);
      const b = new Uint8Array([1, 2, 3, 4]);
      expect(crypto.constantTimeEqual(a, b)).toBe(false);
    });

    test('empty arrays are equal', () => {
      expect(crypto.constantTimeEqual(new Uint8Array(0), new Uint8Array(0))).toBe(true);
    });

    test('works on full 32-byte keys', () => {
      const k1 = crypto.randomBytes(32);
      const k2 = new Uint8Array(k1);
      expect(crypto.constantTimeEqual(k1, k2)).toBe(true);

      k2[31] ^= 0x01;
      expect(crypto.constantTimeEqual(k1, k2)).toBe(false);
    });

    test('standalone function gives same result', () => {
      const a = crypto.randomBytes(32);
      const b = new Uint8Array(a);
      expect(constantTimeEqual(a, b)).toBe(true);
      b[0] ^= 0x01;
      expect(constantTimeEqual(a, b)).toBe(false);
    });

    // Statistical timing test — measure variance between mismatch-at-start vs mismatch-at-end
    // This is noisy on CI but catches obvious early-exit regressions.
    test('timing variance stays bounded across mismatch positions', () => {
      const len = 256;
      const target = crypto.randomBytes(len);

      const mismatchAtStart = new Uint8Array(target);
      mismatchAtStart[0] ^= 0xff;

      const mismatchAtEnd = new Uint8Array(target);
      mismatchAtEnd[len - 1] ^= 0xff;

      // Measure many iterations to get a stable signal
      const iterations = 50000;

      const start1 = performance.now();
      for (let i = 0; i < iterations; i++) {
        crypto.constantTimeEqual(target, mismatchAtStart);
      }
      const timeStart = performance.now() - start1;

      const start2 = performance.now();
      for (let i = 0; i < iterations; i++) {
        crypto.constantTimeEqual(target, mismatchAtEnd);
      }
      const timeEnd = performance.now() - start2;

      // With constant-time comparison, these should be very close.
      // Non-constant-time would show timeEnd >> timeStart (early exit vs full scan).
      // Allow 2x variance for JIT/noise, but it should never be 10x.
      const ratio = Math.max(timeStart, timeEnd) / Math.min(timeStart, timeEnd);
      expect(ratio).toBeLessThan(3);
    });
  });

  // ─── zeroize ──────────────────────────────────────────────

  describe('zeroize', () => {
    test('fills buffer with zeros', () => {
      const buf = crypto.randomBytes(32);
      // Make sure it's not already zero
      const anyNonZero = buf.some((b) => b !== 0);
      expect(anyNonZero).toBe(true);

      crypto.zeroize(buf);
      expect(buf.every((b) => b === 0)).toBe(true);
    });

    test('handles empty buffer', () => {
      crypto.zeroize(new Uint8Array(0));
      // Should not throw
    });

    test('handles large buffer', () => {
      const buf = crypto.randomBytes(4096);
      crypto.zeroize(buf);
      expect(buf.every((b) => b === 0)).toBe(true);
    });
  });

  // ─── randomUint32 ─────────────────────────────────────────

  describe('randomUint32', () => {
    test('returns number in 32-bit unsigned range', () => {
      for (let i = 0; i < 100; i++) {
        const n = crypto.randomUint32();
        expect(n).toBeGreaterThanOrEqual(0);
        expect(n).toBeLessThanOrEqual(0xffffffff);
        expect(Number.isInteger(n)).toBe(true);
      }
    });

    test('produces different values each call', () => {
      const values = new Set<number>();
      for (let i = 0; i < 100; i++) {
        values.add(crypto.randomUint32());
      }
      // With 32 bits, 100 samples should all be unique
      expect(values.size).toBe(100);
    });

    test('distribution is not biased toward low values', () => {
      // Generate many and check that at least some are above 2^31
      // (would fail if using Math.random() with weird multiplier bugs)
      let highCount = 0;
      for (let i = 0; i < 1000; i++) {
        if (crypto.randomUint32() >= 0x80000000) highCount++;
      }
      // Should be around 500, accept 400-600 as "not obviously broken"
      expect(highCount).toBeGreaterThan(400);
      expect(highCount).toBeLessThan(600);
    });
  });
});
feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation M-Hard 1: Cryptographic Hardening - constantTimeEqual, zeroize, randomUint32 on CryptoProvider - Fix Math.random() → crypto.randomUint32() for registrationId - Zero message keys and chain keys after use in ratchet.ts - Constant-time trust comparison in MemoryStorage + SQLiteStorage - Timing variance test catches early-exit regressions M-Hard 2: Self-Authenticated Prekey Server - Ed25519 signature verification on all write routes - signPayload/verifyPayload with canonical JSON, ±5 min replay window - Address validation (NFKC, alphanumeric + :_-.) - Global ShadeError → HTTP status mapping - ShadeFetchTransport signs requests when signingPrivateKey provided - Anonymous bundle fetches still allowed (read-only) M-Hard 3: Rate Limiting + DoS Protection - Token bucket rate limiter with pluggable store - Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id - 64KB body size limit on POST - Retry-After header on 429 responses M-Hard 4: Auto-replenish + Fingerprints + Session Reset - Safety numbers (12 groups × 5 digits, Signal-style) - ensurePreKeyStock, resetSession, acceptIdentityChange - verifyRemoteIdentity for out-of-band comparison M-Hard 5: Identity Rotation with Grace Period - rotateIdentity archives old identity, generates fresh signed prekey - RetiredIdentity storage with addRetired/getRetired/pruneRetired - 7-day default grace period for decrypting old sessions - pruneExpiredIdentities for cleanup M-Hard 8: Error Hierarchy - New error types: Network, Storage, Validation, Timeout, RateLimit, Configuration, Unauthorized, Replay, IdentityRotation - All errors have stable SHADE_* codes - errorToHttpStatus for consistent HTTP mapping - toJSON() for network serialization 188 tests passing, zero failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-10 17:45:34 +02:00			`import { describe, test, expect } from 'bun:test';`
			`import { SubtleCryptoProvider } from '../src/provider.js';`
			`import { constantTimeEqual } from '@shade/core';`

			`const crypto = new SubtleCryptoProvider();`

			`describe('Cryptographic Hardening', () => {`
			`// ─── constantTimeEqual ───────────────────────────────────`

			`describe('constantTimeEqual', () => {`
			`test('equal arrays return true', () => {`
			`const a = new Uint8Array([1, 2, 3, 4, 5]);`
			`const b = new Uint8Array([1, 2, 3, 4, 5]);`
			`expect(crypto.constantTimeEqual(a, b)).toBe(true);`
			`});`

			`test('unequal arrays return false', () => {`
			`const a = new Uint8Array([1, 2, 3, 4, 5]);`
			`const b = new Uint8Array([1, 2, 3, 4, 6]);`
			`expect(crypto.constantTimeEqual(a, b)).toBe(false);`
			`});`

			`test('different lengths return false', () => {`
			`const a = new Uint8Array([1, 2, 3]);`
			`const b = new Uint8Array([1, 2, 3, 4]);`
			`expect(crypto.constantTimeEqual(a, b)).toBe(false);`
			`});`

			`test('empty arrays are equal', () => {`
			`expect(crypto.constantTimeEqual(new Uint8Array(0), new Uint8Array(0))).toBe(true);`
			`});`

			`test('works on full 32-byte keys', () => {`
			`const k1 = crypto.randomBytes(32);`
			`const k2 = new Uint8Array(k1);`
			`expect(crypto.constantTimeEqual(k1, k2)).toBe(true);`

			`k2[31] ^= 0x01;`
			`expect(crypto.constantTimeEqual(k1, k2)).toBe(false);`
			`});`

			`test('standalone function gives same result', () => {`
			`const a = crypto.randomBytes(32);`
			`const b = new Uint8Array(a);`
			`expect(constantTimeEqual(a, b)).toBe(true);`
			`b[0] ^= 0x01;`
			`expect(constantTimeEqual(a, b)).toBe(false);`
			`});`

			`// Statistical timing test — measure variance between mismatch-at-start vs mismatch-at-end`
			`// This is noisy on CI but catches obvious early-exit regressions.`
			`test('timing variance stays bounded across mismatch positions', () => {`
			`const len = 256;`
			`const target = crypto.randomBytes(len);`

			`const mismatchAtStart = new Uint8Array(target);`
			`mismatchAtStart[0] ^= 0xff;`

			`const mismatchAtEnd = new Uint8Array(target);`
			`mismatchAtEnd[len - 1] ^= 0xff;`

			`// Measure many iterations to get a stable signal`
			`const iterations = 50000;`

			`const start1 = performance.now();`
			`for (let i = 0; i < iterations; i++) {`
			`crypto.constantTimeEqual(target, mismatchAtStart);`
			`}`
			`const timeStart = performance.now() - start1;`

			`const start2 = performance.now();`
			`for (let i = 0; i < iterations; i++) {`
			`crypto.constantTimeEqual(target, mismatchAtEnd);`
			`}`
			`const timeEnd = performance.now() - start2;`

			`// With constant-time comparison, these should be very close.`
			`// Non-constant-time would show timeEnd >> timeStart (early exit vs full scan).`
			`// Allow 2x variance for JIT/noise, but it should never be 10x.`
			`const ratio = Math.max(timeStart, timeEnd) / Math.min(timeStart, timeEnd);`
			`expect(ratio).toBeLessThan(3);`
			`});`
			`});`

			`// ─── zeroize ──────────────────────────────────────────────`

			`describe('zeroize', () => {`
			`test('fills buffer with zeros', () => {`
			`const buf = crypto.randomBytes(32);`
			`// Make sure it's not already zero`
			`const anyNonZero = buf.some((b) => b !== 0);`
			`expect(anyNonZero).toBe(true);`

			`crypto.zeroize(buf);`
			`expect(buf.every((b) => b === 0)).toBe(true);`
			`});`

			`test('handles empty buffer', () => {`
			`crypto.zeroize(new Uint8Array(0));`
			`// Should not throw`
			`});`

			`test('handles large buffer', () => {`
			`const buf = crypto.randomBytes(4096);`
			`crypto.zeroize(buf);`
			`expect(buf.every((b) => b === 0)).toBe(true);`
			`});`
			`});`

			`// ─── randomUint32 ─────────────────────────────────────────`

			`describe('randomUint32', () => {`
			`test('returns number in 32-bit unsigned range', () => {`
			`for (let i = 0; i < 100; i++) {`
			`const n = crypto.randomUint32();`
			`expect(n).toBeGreaterThanOrEqual(0);`
			`expect(n).toBeLessThanOrEqual(0xffffffff);`
			`expect(Number.isInteger(n)).toBe(true);`
			`}`
			`});`

			`test('produces different values each call', () => {`
			`const values = new Set<number>();`
			`for (let i = 0; i < 100; i++) {`
			`values.add(crypto.randomUint32());`
			`}`
			`// With 32 bits, 100 samples should all be unique`
			`expect(values.size).toBe(100);`
			`});`

			`test('distribution is not biased toward low values', () => {`
			`// Generate many and check that at least some are above 2^31`
			`// (would fail if using Math.random() with weird multiplier bugs)`
			`let highCount = 0;`
			`for (let i = 0; i < 1000; i++) {`
			`if (crypto.randomUint32() >= 0x80000000) highCount++;`
			`}`
			`// Should be around 500, accept 400-600 as "not obviously broken"`
			`expect(highCount).toBeGreaterThan(400);`
			`expect(highCount).toBeLessThan(600);`
			`});`
			`});`
			`});`