feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation
M-Hard 1: Cryptographic Hardening - constantTimeEqual, zeroize, randomUint32 on CryptoProvider - Fix Math.random() → crypto.randomUint32() for registrationId - Zero message keys and chain keys after use in ratchet.ts - Constant-time trust comparison in MemoryStorage + SQLiteStorage - Timing variance test catches early-exit regressions M-Hard 2: Self-Authenticated Prekey Server - Ed25519 signature verification on all write routes - signPayload/verifyPayload with canonical JSON, ±5 min replay window - Address validation (NFKC, alphanumeric + :_-.) - Global ShadeError → HTTP status mapping - ShadeFetchTransport signs requests when signingPrivateKey provided - Anonymous bundle fetches still allowed (read-only) M-Hard 3: Rate Limiting + DoS Protection - Token bucket rate limiter with pluggable store - Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id - 64KB body size limit on POST - Retry-After header on 429 responses M-Hard 4: Auto-replenish + Fingerprints + Session Reset - Safety numbers (12 groups × 5 digits, Signal-style) - ensurePreKeyStock, resetSession, acceptIdentityChange - verifyRemoteIdentity for out-of-band comparison M-Hard 5: Identity Rotation with Grace Period - rotateIdentity archives old identity, generates fresh signed prekey - RetiredIdentity storage with addRetired/getRetired/pruneRetired - 7-day default grace period for decrypting old sessions - pruneExpiredIdentities for cleanup M-Hard 8: Error Hierarchy - New error types: Network, Storage, Validation, Timeout, RateLimit, Configuration, Unauthorized, Replay, IdentityRotation - All errors have stable SHADE_* codes - errorToHttpStatus for consistent HTTP mapping - toJSON() for network serialization 188 tests passing, zero failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
131
packages/shade-core/tests/identity-rotation.test.ts
Normal file
131
packages/shade-core/tests/identity-rotation.test.ts
Normal file
@@ -0,0 +1,131 @@
|
||||
import { describe, test, expect } from 'bun:test';
|
||||
import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
|
||||
import { ShadeSessionManager, GRACE_PERIOD_MS } from '../src/index.js';
|
||||
|
||||
const crypto = new SubtleCryptoProvider();
|
||||
|
||||
describe('Identity rotation', () => {
|
||||
test('rotateIdentity generates new identity and archives old', async () => {
|
||||
const storage = new MemoryStorage();
|
||||
const mgr = new ShadeSessionManager(crypto, storage);
|
||||
await mgr.initialize();
|
||||
|
||||
const oldFp = await mgr.getIdentityFingerprint();
|
||||
const oldPub = mgr.getPublicIdentity();
|
||||
|
||||
await mgr.rotateIdentity();
|
||||
|
||||
const newFp = await mgr.getIdentityFingerprint();
|
||||
const newPub = mgr.getPublicIdentity();
|
||||
|
||||
// New identity should differ
|
||||
expect(newFp).not.toBe(oldFp);
|
||||
expect(newPub.signingKey).not.toEqual(oldPub.signingKey);
|
||||
expect(newPub.dhKey).not.toEqual(oldPub.dhKey);
|
||||
|
||||
// Old identity is archived
|
||||
const retired = await storage.getRetiredIdentities();
|
||||
expect(retired.length).toBe(1);
|
||||
expect(retired[0].keyPair.signingPublicKey).toEqual(oldPub.signingKey);
|
||||
});
|
||||
|
||||
test('rotation returns a new prekey bundle', async () => {
|
||||
const mgr = new ShadeSessionManager(crypto, new MemoryStorage());
|
||||
await mgr.initialize();
|
||||
|
||||
const bundle = await mgr.rotateIdentity();
|
||||
expect(bundle.identitySigningKey.length).toBe(32);
|
||||
expect(bundle.identityDHKey.length).toBe(32);
|
||||
expect(bundle.signedPreKey.keyId).toBe(2); // advanced
|
||||
expect(bundle.signedPreKey.signature.length).toBe(64);
|
||||
});
|
||||
|
||||
test('getActiveRetiredIdentities returns entries within grace period', async () => {
|
||||
const mgr = new ShadeSessionManager(crypto, new MemoryStorage());
|
||||
await mgr.initialize();
|
||||
|
||||
await mgr.rotateIdentity();
|
||||
await mgr.rotateIdentity();
|
||||
|
||||
const active = await mgr.getActiveRetiredIdentities();
|
||||
expect(active.length).toBe(2);
|
||||
});
|
||||
|
||||
test('getActiveRetiredIdentities filters out expired entries', async () => {
|
||||
const storage = new MemoryStorage();
|
||||
const mgr = new ShadeSessionManager(crypto, storage);
|
||||
await mgr.initialize();
|
||||
|
||||
// Manually add a very old retired identity
|
||||
await storage.addRetiredIdentity({
|
||||
keyPair: (await mgr.getPublicIdentity()) as any, // placeholder
|
||||
retiredAt: Date.now() - (GRACE_PERIOD_MS + 1000),
|
||||
});
|
||||
|
||||
// And a fresh one
|
||||
await mgr.rotateIdentity();
|
||||
|
||||
const active = await mgr.getActiveRetiredIdentities();
|
||||
expect(active.length).toBe(1);
|
||||
});
|
||||
|
||||
test('pruneExpiredIdentities removes old entries', async () => {
|
||||
const storage = new MemoryStorage();
|
||||
const mgr = new ShadeSessionManager(crypto, storage);
|
||||
await mgr.initialize();
|
||||
|
||||
// Rotate twice
|
||||
await mgr.rotateIdentity();
|
||||
await mgr.rotateIdentity();
|
||||
|
||||
expect((await storage.getRetiredIdentities()).length).toBe(2);
|
||||
|
||||
// Default grace period: nothing is expired yet
|
||||
await mgr.pruneExpiredIdentities();
|
||||
expect((await storage.getRetiredIdentities()).length).toBe(2);
|
||||
|
||||
// Force prune with 0 grace → everything goes
|
||||
await mgr.pruneExpiredIdentities(0);
|
||||
expect((await storage.getRetiredIdentities()).length).toBe(0);
|
||||
});
|
||||
|
||||
test('rotation persists across manager restart', async () => {
|
||||
const storage = new MemoryStorage();
|
||||
const mgr1 = new ShadeSessionManager(crypto, storage);
|
||||
await mgr1.initialize();
|
||||
await mgr1.rotateIdentity();
|
||||
const fp1 = await mgr1.getIdentityFingerprint();
|
||||
|
||||
const mgr2 = new ShadeSessionManager(crypto, storage);
|
||||
await mgr2.initialize();
|
||||
const fp2 = await mgr2.getIdentityFingerprint();
|
||||
|
||||
expect(fp1).toBe(fp2);
|
||||
});
|
||||
|
||||
test('existing sessions survive identity rotation', async () => {
|
||||
// Set up Alice-Bob conversation
|
||||
const alice = new ShadeSessionManager(crypto, new MemoryStorage());
|
||||
const bob = new ShadeSessionManager(crypto, new MemoryStorage());
|
||||
await alice.initialize();
|
||||
await bob.initialize();
|
||||
|
||||
const otpks = await bob.generateOneTimePreKeys(5);
|
||||
const bundle = await bob.createPreKeyBundle();
|
||||
bundle.oneTimePreKey = { keyId: otpks[0].keyId, publicKey: otpks[0].keyPair.publicKey };
|
||||
await alice.initSessionFromBundle('bob', bundle);
|
||||
|
||||
// Exchange messages to establish bidirectional session
|
||||
const env1 = await alice.encrypt('bob', 'hello');
|
||||
expect(await bob.decrypt('alice', env1)).toBe('hello');
|
||||
const env2 = await bob.encrypt('alice', 'hi');
|
||||
expect(await alice.decrypt('bob', env2)).toBe('hi');
|
||||
|
||||
// Alice rotates her identity — but her session with Bob should still work
|
||||
// because the Double Ratchet uses ephemeral DH keys, not identity keys
|
||||
await alice.rotateIdentity();
|
||||
|
||||
const env3 = await alice.encrypt('bob', 'after rotation');
|
||||
expect(await bob.decrypt('alice', env3)).toBe('after rotation');
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user