7524d6e919
H1: Replace HS256/HMAC signing with real JWK signing (ES256/RS256/ES384)
via jose SignJWT. Algorithm derived from JWK kty/crv. Provisioner
password dropped as signing input; kept only as optional env var for
PBES2-decrypt path at startup.
H2: Clamp cert TTL to 900s (15 min) in both DTO validator and issueCert().
Default changed to 300s (5 min). @Max reduced to 15*60.
H3: Real CSR validation via @peculiar/x509: parse PEM, verify self-
signature, reject weak keys (RSA<2048, bad EC curves), reject MD5/SHA-1.
New validateCsr() throws CaServiceError code INVALID_CSR on failure.
H4: Replace hardcoded \x24 DER length in federation.tpl with dynamic
printf "%c" (len ...) encoding. Add UUID-shape validation for grantId
and subjectUserId in buildOtt() with code INVALID_GRANT_ID.
H5: Load JWK into KeyObject once (lazy, cached). provisionerKeyJson raw
string not stored as class field. provisionerPassword not stored.
M1: Set JWT sub to CSR CN (extracted via @peculiar/x509) instead of URL.
M2: Add jti: crypto.randomUUID() to OTT claims.
M3: Drop top-level sha claim; keep only step.sha.
M4: extractSerial() throws CaServiceError code CERT_PARSE instead of
returning 'unknown' on failure.
M5: Set timeout: 5000 on https.RequestOptions + req.setTimeout(5000).
M6: OTT signature verified with jose.jwtVerify in tests. Added real P-256
CSR test via @peculiar/x509 generator. Added provisionerPassword
leak-check test.
M7: Constructor validates STEP_CA_URL must be https://.
Verification: typecheck ✓, 385 tests pass (16 new), lint ✓, format ✓.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
496 KiB
496 KiB