feat: add security testing utilities for mTLS certificate verification #1

Open
Ethan-Arrowood wants to merge 1 commit into main from feat/security-utilities

@Ethan-Arrowood
Member

Summary

  • Extracts OCSP and CRL testing utilities from harper's integration test suite into this reusable module
  • Adds pure-Node.js X.509 certificate generation (via pkijs + Node.js webcrypto, no openssl CLI), an OCSP responder server, a CRL HTTP server, and high-level setupOcspResponderWithCerts / setupCrlServerWithCerts helpers
  • Exports all new APIs from the package root (index.ts) and documents them in the README
  • Fixes build configuration: adds explicit rootDir to tsconfig.build.json, adds skipLibCheck for pkijs/asn1js TS6 compatibility, upgrades @types/node to 22.15.21

New exports

// High-level helpers
setupOcspResponderWithCerts(certsPath, hostname?, maxRetries?): Promise<OcspResponderContext>
stopOcspResponder(ctx): Promise<void>
setupCrlServerWithCerts(certsPath, hostname?, maxRetries?): Promise<CrlServerContext>
stopCrlServer(ctx): Promise<void>
startCrlServer(certsPath, port, certs): Promise<CrlServerContext>

// Certificate generation
generateOcspCertificates(outputDir, ocspHost, ocspPort)
generateCrlCertificates(outputDir, crlHost, crlPort)

// Low-level primitives
generateEd25519KeyPair, createCertificate, createCRL, certToPem, crlToPem,
makeCRLDistributionPointsExt, makeOCSPAIAExt, makeExtKeyUsageExt,
signBasicOCSPResponse, startOcspServer, stopOcspServer

Test plan

  • All 115 harper integration tests pass (including OCSP and CRL suites) with imports updated to @harperfast/integration-testing
  • npm run build succeeds cleanly
  • npm run check passes

Next steps

After this PR is merged and released, the extract-integration-testing-framework branch in harper will be updated to consume the released version and remove the now-redundant integrationTests/utils/security/ directory.

🤖 Generated with Claude Code

Extracts OCSP and CRL testing utilities from harper's integration test suite
into a reusable module. Adds pure-Node.js certificate generation (via pkijs +
webcrypto), an OCSP responder server, a CRL server, and high-level setup
helpers for both protocols — with no openssl CLI dependency.

Also fixes the build configuration by adding an explicit rootDir and skipLibCheck,
updates @types/node for TypeScript 6 compatibility, and documents all new APIs
in the README.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@Ethan-Arrowood requested a review from heskew on April 28, 2026 02:28

@kriszyp left a comment
Member

I'm curious about the motivation for this, and why this is deemed generic enough to exist in the integration framework instead of the project testing this? (The PR description doesn't really indicate)

@Ethan-Arrowood
Member Author

I assume these utils would be relevant for other projects that may want to do similar security testing. Anything from harper-pro to plugins or applications.
