Sterister
96a8c210b2
M-Hard 1: Cryptographic Hardening - constantTimeEqual, zeroize, randomUint32 on CryptoProvider - Fix Math.random() → crypto.randomUint32() for registrationId - Zero message keys and chain keys after use in ratchet.ts - Constant-time trust comparison in MemoryStorage + SQLiteStorage - Timing variance test catches early-exit regressions M-Hard 2: Self-Authenticated Prekey Server - Ed25519 signature verification on all write routes - signPayload/verifyPayload with canonical JSON, ±5 min replay window - Address validation (NFKC, alphanumeric + :_-.) - Global ShadeError → HTTP status mapping - ShadeFetchTransport signs requests when signingPrivateKey provided - Anonymous bundle fetches still allowed (read-only) M-Hard 3: Rate Limiting + DoS Protection - Token bucket rate limiter with pluggable store - Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id - 64KB body size limit on POST - Retry-After header on 429 responses M-Hard 4: Auto-replenish + Fingerprints + Session Reset - Safety numbers (12 groups × 5 digits, Signal-style) - ensurePreKeyStock, resetSession, acceptIdentityChange - verifyRemoteIdentity for out-of-band comparison M-Hard 5: Identity Rotation with Grace Period - rotateIdentity archives old identity, generates fresh signed prekey - RetiredIdentity storage with addRetired/getRetired/pruneRetired - 7-day default grace period for decrypting old sessions - pruneExpiredIdentities for cleanup M-Hard 8: Error Hierarchy - New error types: Network, Storage, Validation, Timeout, RateLimit, Configuration, Unauthorized, Replay, IdentityRotation - All errors have stable SHADE_* codes - errorToHttpStatus for consistent HTTP mapping - toJSON() for network serialization 188 tests passing, zero failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
132 lines
4.7 KiB
TypeScript
132 lines
4.7 KiB
TypeScript
import { describe, test, expect } from 'bun:test';
|
|
import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
|
|
import { ShadeSessionManager, GRACE_PERIOD_MS } from '../src/index.js';
|
|
|
|
const crypto = new SubtleCryptoProvider();
|
|
|
|
describe('Identity rotation', () => {
|
|
test('rotateIdentity generates new identity and archives old', async () => {
|
|
const storage = new MemoryStorage();
|
|
const mgr = new ShadeSessionManager(crypto, storage);
|
|
await mgr.initialize();
|
|
|
|
const oldFp = await mgr.getIdentityFingerprint();
|
|
const oldPub = mgr.getPublicIdentity();
|
|
|
|
await mgr.rotateIdentity();
|
|
|
|
const newFp = await mgr.getIdentityFingerprint();
|
|
const newPub = mgr.getPublicIdentity();
|
|
|
|
// New identity should differ
|
|
expect(newFp).not.toBe(oldFp);
|
|
expect(newPub.signingKey).not.toEqual(oldPub.signingKey);
|
|
expect(newPub.dhKey).not.toEqual(oldPub.dhKey);
|
|
|
|
// Old identity is archived
|
|
const retired = await storage.getRetiredIdentities();
|
|
expect(retired.length).toBe(1);
|
|
expect(retired[0].keyPair.signingPublicKey).toEqual(oldPub.signingKey);
|
|
});
|
|
|
|
test('rotation returns a new prekey bundle', async () => {
|
|
const mgr = new ShadeSessionManager(crypto, new MemoryStorage());
|
|
await mgr.initialize();
|
|
|
|
const bundle = await mgr.rotateIdentity();
|
|
expect(bundle.identitySigningKey.length).toBe(32);
|
|
expect(bundle.identityDHKey.length).toBe(32);
|
|
expect(bundle.signedPreKey.keyId).toBe(2); // advanced
|
|
expect(bundle.signedPreKey.signature.length).toBe(64);
|
|
});
|
|
|
|
test('getActiveRetiredIdentities returns entries within grace period', async () => {
|
|
const mgr = new ShadeSessionManager(crypto, new MemoryStorage());
|
|
await mgr.initialize();
|
|
|
|
await mgr.rotateIdentity();
|
|
await mgr.rotateIdentity();
|
|
|
|
const active = await mgr.getActiveRetiredIdentities();
|
|
expect(active.length).toBe(2);
|
|
});
|
|
|
|
test('getActiveRetiredIdentities filters out expired entries', async () => {
|
|
const storage = new MemoryStorage();
|
|
const mgr = new ShadeSessionManager(crypto, storage);
|
|
await mgr.initialize();
|
|
|
|
// Manually add a very old retired identity
|
|
await storage.addRetiredIdentity({
|
|
keyPair: (await mgr.getPublicIdentity()) as any, // placeholder
|
|
retiredAt: Date.now() - (GRACE_PERIOD_MS + 1000),
|
|
});
|
|
|
|
// And a fresh one
|
|
await mgr.rotateIdentity();
|
|
|
|
const active = await mgr.getActiveRetiredIdentities();
|
|
expect(active.length).toBe(1);
|
|
});
|
|
|
|
test('pruneExpiredIdentities removes old entries', async () => {
|
|
const storage = new MemoryStorage();
|
|
const mgr = new ShadeSessionManager(crypto, storage);
|
|
await mgr.initialize();
|
|
|
|
// Rotate twice
|
|
await mgr.rotateIdentity();
|
|
await mgr.rotateIdentity();
|
|
|
|
expect((await storage.getRetiredIdentities()).length).toBe(2);
|
|
|
|
// Default grace period: nothing is expired yet
|
|
await mgr.pruneExpiredIdentities();
|
|
expect((await storage.getRetiredIdentities()).length).toBe(2);
|
|
|
|
// Force prune with 0 grace → everything goes
|
|
await mgr.pruneExpiredIdentities(0);
|
|
expect((await storage.getRetiredIdentities()).length).toBe(0);
|
|
});
|
|
|
|
test('rotation persists across manager restart', async () => {
|
|
const storage = new MemoryStorage();
|
|
const mgr1 = new ShadeSessionManager(crypto, storage);
|
|
await mgr1.initialize();
|
|
await mgr1.rotateIdentity();
|
|
const fp1 = await mgr1.getIdentityFingerprint();
|
|
|
|
const mgr2 = new ShadeSessionManager(crypto, storage);
|
|
await mgr2.initialize();
|
|
const fp2 = await mgr2.getIdentityFingerprint();
|
|
|
|
expect(fp1).toBe(fp2);
|
|
});
|
|
|
|
test('existing sessions survive identity rotation', async () => {
|
|
// Set up Alice-Bob conversation
|
|
const alice = new ShadeSessionManager(crypto, new MemoryStorage());
|
|
const bob = new ShadeSessionManager(crypto, new MemoryStorage());
|
|
await alice.initialize();
|
|
await bob.initialize();
|
|
|
|
const otpks = await bob.generateOneTimePreKeys(5);
|
|
const bundle = await bob.createPreKeyBundle();
|
|
bundle.oneTimePreKey = { keyId: otpks[0].keyId, publicKey: otpks[0].keyPair.publicKey };
|
|
await alice.initSessionFromBundle('bob', bundle);
|
|
|
|
// Exchange messages to establish bidirectional session
|
|
const env1 = await alice.encrypt('bob', 'hello');
|
|
expect(await bob.decrypt('alice', env1)).toBe('hello');
|
|
const env2 = await bob.encrypt('alice', 'hi');
|
|
expect(await alice.decrypt('bob', env2)).toBe('hi');
|
|
|
|
// Alice rotates her identity — but her session with Bob should still work
|
|
// because the Double Ratchet uses ephemeral DH keys, not identity keys
|
|
await alice.rotateIdentity();
|
|
|
|
const env3 = await alice.encrypt('bob', 'after rotation');
|
|
expect(await bob.decrypt('alice', env3)).toBe('after rotation');
|
|
});
|
|
});
|