feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation

M-Hard 1: Cryptographic Hardening - constantTimeEqual, zeroize, randomUint32 on CryptoProvider - Fix Math.random() → crypto.randomUint32() for registrationId - Zero message keys and chain keys after use in ratchet.ts - Constant-time trust comparison in MemoryStorage + SQLiteStorage - Timing variance test catches early-exit regressions M-Hard 2: Self-Authenticated Prekey Server - Ed25519 signature verification on all write routes - signPayload/verifyPayload with canonical JSON, ±5 min replay window - Address validation (NFKC, alphanumeric + :_-.) - Global ShadeError → HTTP status mapping - ShadeFetchTransport signs requests when signingPrivateKey provided - Anonymous bundle fetches still allowed (read-only) M-Hard 3: Rate Limiting + DoS Protection - Token bucket rate limiter with pluggable store - Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id - 64KB body size limit on POST - Retry-After header on 429 responses M-Hard 4: Auto-replenish + Fingerprints + Session Reset - Safety numbers (12 groups × 5 digits, Signal-style) - ensurePreKeyStock, resetSession, acceptIdentityChange - verifyRemoteIdentity for out-of-band comparison M-Hard 5: Identity Rotation with Grace Period - rotateIdentity archives old identity, generates fresh signed prekey - RetiredIdentity storage with addRetired/getRetired/pruneRetired - 7-day default grace period for decrypting old sessions - pruneExpiredIdentities for cleanup M-Hard 8: Error Hierarchy - New error types: Network, Storage, Validation, Timeout, RateLimit, Configuration, Unauthorized, Replay, IdentityRotation - All errors have stable SHADE_* codes - errorToHttpStatus for consistent HTTP mapping - toJSON() for network serialization 188 tests passing, zero failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 17:45:34 +02:00
parent 7d214dc614
commit 96a8c210b2
25 changed files with 1835 additions and 257 deletions
--- a/packages/shade-crypto-web/tests/hardening.test.ts
+++ b/packages/shade-crypto-web/tests/hardening.test.ts
@@ -0,0 +1,143 @@
+import { describe, test, expect } from 'bun:test';
+import { SubtleCryptoProvider } from '../src/provider.js';
+import { constantTimeEqual } from '@shade/core';
+
+const crypto = new SubtleCryptoProvider();
+
+describe('Cryptographic Hardening', () => {
+  // ─── constantTimeEqual ───────────────────────────────────
+
+  describe('constantTimeEqual', () => {
+    test('equal arrays return true', () => {
+      const a = new Uint8Array([1, 2, 3, 4, 5]);
+      const b = new Uint8Array([1, 2, 3, 4, 5]);
+      expect(crypto.constantTimeEqual(a, b)).toBe(true);
+    });
+
+    test('unequal arrays return false', () => {
+      const a = new Uint8Array([1, 2, 3, 4, 5]);
+      const b = new Uint8Array([1, 2, 3, 4, 6]);
+      expect(crypto.constantTimeEqual(a, b)).toBe(false);
+    });
+
+    test('different lengths return false', () => {
+      const a = new Uint8Array([1, 2, 3]);
+      const b = new Uint8Array([1, 2, 3, 4]);
+      expect(crypto.constantTimeEqual(a, b)).toBe(false);
+    });
+
+    test('empty arrays are equal', () => {
+      expect(crypto.constantTimeEqual(new Uint8Array(0), new Uint8Array(0))).toBe(true);
+    });
+
+    test('works on full 32-byte keys', () => {
+      const k1 = crypto.randomBytes(32);
+      const k2 = new Uint8Array(k1);
+      expect(crypto.constantTimeEqual(k1, k2)).toBe(true);
+
+      k2[31] ^= 0x01;
+      expect(crypto.constantTimeEqual(k1, k2)).toBe(false);
+    });
+
+    test('standalone function gives same result', () => {
+      const a = crypto.randomBytes(32);
+      const b = new Uint8Array(a);
+      expect(constantTimeEqual(a, b)).toBe(true);
+      b[0] ^= 0x01;
+      expect(constantTimeEqual(a, b)).toBe(false);
+    });
+
+    // Statistical timing test — measure variance between mismatch-at-start vs mismatch-at-end
+    // This is noisy on CI but catches obvious early-exit regressions.
+    test('timing variance stays bounded across mismatch positions', () => {
+      const len = 256;
+      const target = crypto.randomBytes(len);
+
+      const mismatchAtStart = new Uint8Array(target);
+      mismatchAtStart[0] ^= 0xff;
+
+      const mismatchAtEnd = new Uint8Array(target);
+      mismatchAtEnd[len - 1] ^= 0xff;
+
+      // Measure many iterations to get a stable signal
+      const iterations = 50000;
+
+      const start1 = performance.now();
+      for (let i = 0; i < iterations; i++) {
+        crypto.constantTimeEqual(target, mismatchAtStart);
+      }
+      const timeStart = performance.now() - start1;
+
+      const start2 = performance.now();
+      for (let i = 0; i < iterations; i++) {
+        crypto.constantTimeEqual(target, mismatchAtEnd);
+      }
+      const timeEnd = performance.now() - start2;
+
+      // With constant-time comparison, these should be very close.
+      // Non-constant-time would show timeEnd >> timeStart (early exit vs full scan).
+      // Allow 2x variance for JIT/noise, but it should never be 10x.
+      const ratio = Math.max(timeStart, timeEnd) / Math.min(timeStart, timeEnd);
+      expect(ratio).toBeLessThan(3);
+    });
+  });
+
+  // ─── zeroize ──────────────────────────────────────────────
+
+  describe('zeroize', () => {
+    test('fills buffer with zeros', () => {
+      const buf = crypto.randomBytes(32);
+      // Make sure it's not already zero
+      const anyNonZero = buf.some((b) => b !== 0);
+      expect(anyNonZero).toBe(true);
+
+      crypto.zeroize(buf);
+      expect(buf.every((b) => b === 0)).toBe(true);
+    });
+
+    test('handles empty buffer', () => {
+      crypto.zeroize(new Uint8Array(0));
+      // Should not throw
+    });
+
+    test('handles large buffer', () => {
+      const buf = crypto.randomBytes(4096);
+      crypto.zeroize(buf);
+      expect(buf.every((b) => b === 0)).toBe(true);
+    });
+  });
+
+  // ─── randomUint32 ─────────────────────────────────────────
+
+  describe('randomUint32', () => {
+    test('returns number in 32-bit unsigned range', () => {
+      for (let i = 0; i < 100; i++) {
+        const n = crypto.randomUint32();
+        expect(n).toBeGreaterThanOrEqual(0);
+        expect(n).toBeLessThanOrEqual(0xffffffff);
+        expect(Number.isInteger(n)).toBe(true);
+      }
+    });
+
+    test('produces different values each call', () => {
+      const values = new Set<number>();
+      for (let i = 0; i < 100; i++) {
+        values.add(crypto.randomUint32());
+      }
+      // With 32 bits, 100 samples should all be unique
+      expect(values.size).toBe(100);
+    });
+
+    test('distribution is not biased toward low values', () => {
+      // Generate many and check that at least some are above 2^31
+      // (would fail if using Math.random() with weird multiplier bugs)
+      let highCount = 0;
+      for (let i = 0; i < 1000; i++) {
+        if (crypto.randomUint32() >= 0x80000000) highCount++;
+      }
+      // Should be around 500, accept 400-600 as "not obviously broken"
+      expect(highCount).toBeGreaterThan(400);
+      expect(highCount).toBeLessThan(600);
+    });
+  });
+});