feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation

M-Hard 1: Cryptographic Hardening - constantTimeEqual, zeroize, randomUint32 on CryptoProvider - Fix Math.random() → crypto.randomUint32() for registrationId - Zero message keys and chain keys after use in ratchet.ts - Constant-time trust comparison in MemoryStorage + SQLiteStorage - Timing variance test catches early-exit regressions M-Hard 2: Self-Authenticated Prekey Server - Ed25519 signature verification on all write routes - signPayload/verifyPayload with canonical JSON, ±5 min replay window - Address validation (NFKC, alphanumeric + :_-.) - Global ShadeError → HTTP status mapping - ShadeFetchTransport signs requests when signingPrivateKey provided - Anonymous bundle fetches still allowed (read-only) M-Hard 3: Rate Limiting + DoS Protection - Token bucket rate limiter with pluggable store - Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id - 64KB body size limit on POST - Retry-After header on 429 responses M-Hard 4: Auto-replenish + Fingerprints + Session Reset - Safety numbers (12 groups × 5 digits, Signal-style) - ensurePreKeyStock, resetSession, acceptIdentityChange - verifyRemoteIdentity for out-of-band comparison M-Hard 5: Identity Rotation with Grace Period - rotateIdentity archives old identity, generates fresh signed prekey - RetiredIdentity storage with addRetired/getRetired/pruneRetired - 7-day default grace period for decrypting old sessions - pruneExpiredIdentities for cleanup M-Hard 8: Error Hierarchy - New error types: Network, Storage, Validation, Timeout, RateLimit, Configuration, Unauthorized, Replay, IdentityRotation - All errors have stable SHADE_* codes - errorToHttpStatus for consistent HTTP mapping - toJSON() for network serialization 188 tests passing, zero failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 17:45:34 +02:00
parent 7d214dc614
commit 96a8c210b2
25 changed files with 1835 additions and 257 deletions
--- a/packages/shade-crypto-web/src/memory-storage.ts
+++ b/packages/shade-crypto-web/src/memory-storage.ts
@@ -1,4 +1,5 @@
-import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState } from '@shade/core';
+import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState, RetiredIdentity } from '@shade/core';
+import { constantTimeEqual } from '@shade/core';

 /**
 * In-memory StorageProvider for testing and embedded use.
@@ -11,6 +12,7 @@ export class MemoryStorage implements StorageProvider {
  private oneTimePreKeys = new Map<number, OneTimePreKey>();
  private sessions = new Map<string, SessionState>();
  private trustedIdentities = new Map<string, Uint8Array>();
+  private retiredIdentities: RetiredIdentity[] = [];

  // ─── Identity ──────────────────────────────────────────────

@@ -81,18 +83,24 @@ export class MemoryStorage implements StorageProvider {
  async isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean> {
    const stored = this.trustedIdentities.get(address);
    if (!stored) return true; // TOFU: trust on first use
-    return arraysEqual(stored, identityKey);
+    return constantTimeEqual(stored, identityKey);
  }

  async saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void> {
    this.trustedIdentities.set(address, identityKey);
  }
-}

-function arraysEqual(a: Uint8Array, b: Uint8Array): boolean {
-  if (a.length !== b.length) return false;
-  for (let i = 0; i < a.length; i++) {
-    if (a[i] !== b[i]) return false;
+  // ─── Identity History ─────────────────────────────────────
+
+  async addRetiredIdentity(identity: RetiredIdentity): Promise<void> {
+    this.retiredIdentities.push(identity);
+  }
+
+  async getRetiredIdentities(): Promise<RetiredIdentity[]> {
+    return [...this.retiredIdentities];
+  }
+
+  async pruneRetiredIdentities(olderThan: number): Promise<void> {
+    this.retiredIdentities = this.retiredIdentities.filter((r) => r.retiredAt >= olderThan);
  }
-  return true;
 }
--- a/packages/shade-crypto-web/src/provider.ts
+++ b/packages/shade-crypto-web/src/provider.ts
@@ -115,4 +115,24 @@ export class SubtleCryptoProvider implements CryptoProvider {
    globalThis.crypto.getRandomValues(buf);
    return buf;
  }
+
+  // ─── Hardening ─────────────────────────────────────────────
+
+  constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {
+    if (a.length !== b.length) return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+      diff |= a[i]! ^ b[i]!;
+    }
+    return diff === 0;
+  }
+
+  zeroize(buf: Uint8Array): void {
+    buf.fill(0);
+  }
+
+  randomUint32(): number {
+    const buf = this.randomBytes(4);
+    return new DataView(buf.buffer, buf.byteOffset, 4).getUint32(0, false);
+  }
 }