@blamejs/blamejs-shop 0.1.0 → 0.1.2

package/lib/vendor/blamejs/lib/crypto.js

@@ -62,6 +62,9 @@ var audit       = lazyRequire(function () { return require("./audit"); });
 // loaded because safe-buffer.js itself imports b.crypto for
 // hex-compare helpers (circular).
 var safeBuffer  = lazyRequire(function () { return require("./safe-buffer"); });
+// pqc-software requires this module (b.crypto) — lazy-load to break the
+// cycle. Only the power-on self-test needs it here.
+var pqcSoftware = lazyRequire(function () { return require("./pqc-software"); });
 
 // Streaming-hash algorithm allowlist. Mirrors the framework's PQC-
 // first crypto policy: SHA3 / SHAKE family is the default surface;
@@ -1873,8 +1876,124 @@ var SUPPORTED_KEM_ALGORITHMS = Object.freeze([
 //   var fixtures = require("blamejs/lib/_test/crypto-fixtures");
 //   var blob = fixtures.mintLegacyEnvelope0xE1(plaintext, recipient);
 
+// ---- FIPS 140-3-style power-on self-test ----
+//
+// Known-answer tests (KATs) for the deterministic primitives — the
+// hash / XOF digests are NIST FIPS 202 published vectors, so this
+// confirms the framework's hashing matches the standard, not merely
+// itself. The PQC algorithms have no seed-injection API (node generates
+// the keypair randomness internally), so they get FIPS 140-3 §10.3
+// pairwise-consistency + negative tests (a fresh keypair must
+// sign->verify / encaps->decaps consistently, and a tampered signature
+// must be rejected) rather than a fixed-seed KAT.
+var KAT_SHA3_512_ABC = "b751850b1a57168a5693cd924b6b096e08f621827444f70d884f5d0240d2712e10e116e9192af3c91a7ec57647e3934057340b4cf408d5a56592f8274eec53f0";
+var KAT_SHA3_256_ABC = "3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532";
+var KAT_SHAKE256_ABC_32 = "483366601360a8771c6863080cc4114d8db44530f8f1e1ee4f94ea37e78b5739";
+
+/**
+ * @primitive b.crypto.selfTest
+ * @signature b.crypto.selfTest(opts?)
+ * @since     0.12.43
+ * @status    stable
+ * @compliance soc2, hipaa, pci-dss
+ * @related   b.crypto.sha3Hash, b.crypto.encrypt
+ *
+ * Run a power-on self-test over the framework's cryptographic
+ * primitives — the integrity check FIPS 140-3 requires of a validated
+ * module. The hash / XOF checks are known-answer tests against NIST FIPS
+ * 202 vectors (SHA3-256 / SHA3-512 / SHAKE256); the AEAD check
+ * round-trips XChaCha20-Poly1305 and confirms a tampered ciphertext is
+ * rejected; the post-quantum checks run a pairwise-consistency +
+ * negative test for ML-KEM-1024, ML-DSA-87, and SLH-DSA-SHAKE-256f.
+ * Returns a structured report and, by default, throws on any failure so
+ * a broken crypto stack fails closed at boot rather than silently
+ * producing bad output.
+ *
+ * @opts
+ *   {
+ *     throwOnFailure?: boolean,  // default true — throw if any check fails
+ *   }
+ *
+ * @example
+ *   var report = b.crypto.selfTest();
+ *   // -> { ok: true, results: [ { name, ok }, ... ], failures: [], ranAt }
+ */
+function selfTest(opts) {
+  opts = opts || {};
+  var results = [];
+  function record(name, fn) {
+    try { fn(); results.push({ name: name, ok: true }); }
+    catch (e) { results.push({ name: name, ok: false, detail: (e && e.message) || String(e) }); }
+  }
+  function assert(cond, msg) { if (!cond) throw new Error(msg); }
+
+  record("SHA3-512 KAT (FIPS 202)", function () {
+    assert(sha3Hash("abc") === KAT_SHA3_512_ABC, "SHA3-512(\"abc\") does not match the FIPS 202 vector");
+  });
+  record("SHA3-256 KAT (FIPS 202)", function () {
+    assert(hash("abc", "sha3-256").toString("hex") === KAT_SHA3_256_ABC, "SHA3-256(\"abc\") does not match the FIPS 202 vector");
+  });
+  record("SHAKE256 KAT (FIPS 202)", function () {
+    assert(hash("abc", "shake256", C.BYTES.bytes(32)).toString("hex") === KAT_SHAKE256_ABC_32, "SHAKE256(\"abc\") does not match the FIPS 202 vector");
+  });
+  record("HMAC-SHA3-512 determinism", function () {
+    var k = Buffer.from("self-test-hmac-key", "utf8");
+    assert(timingSafeEqual(hmacSha3(k, "abc"), hmacSha3(k, "abc")), "HMAC-SHA3-512 is not deterministic");
+    assert(!timingSafeEqual(hmacSha3(k, "abc"), hmacSha3(k, "abd")), "HMAC-SHA3-512 collided on distinct inputs");
+  });
+  record("XChaCha20-Poly1305 round-trip + tamper-detect", function () {
+    var key = generateBytes(C.BYTES.bytes(32));
+    var pt = Buffer.from("blamejs crypto self-test plaintext", "utf8");
+    var packed = encryptPacked(pt, key);
+    assert(decryptPacked(packed, key).equals(pt), "AEAD round-trip did not recover the plaintext");
+    var bad = Buffer.from(packed); bad[bad.length - 1] ^= 0xff;
+    var rejected = false;
+    try { decryptPacked(bad, key); } catch (_e) { rejected = true; }
+    assert(rejected, "AEAD accepted a tampered ciphertext");
+  });
+
+  // Post-quantum pairwise-consistency + negative tests. PQC is an
+  // optional vendored dependency — a load failure surfaces as a failed
+  // check rather than a silent skip.
+  var pqc = pqcSoftware();
+  record("ML-KEM-1024 encaps/decaps pairwise consistency", function () {
+    var kp = pqc.ml_kem_1024.keygen();
+    var enc = pqc.ml_kem_1024.encapsulate(kp.publicKey);
+    var ss = pqc.ml_kem_1024.decapsulate(enc.cipherText, kp.secretKey);
+    assert(timingSafeEqual(Buffer.from(ss), Buffer.from(enc.sharedSecret)), "ML-KEM-1024 decapsulated secret does not match");
+  });
+  record("ML-DSA-87 sign/verify + negative", function () {
+    var kp = pqc.ml_dsa_87.keygen();
+    var msg = Buffer.from("blamejs ML-DSA self-test", "utf8");
+    var sig = pqc.ml_dsa_87.sign(msg, kp.secretKey);
+    assert(pqc.ml_dsa_87.verify(sig, msg, kp.publicKey), "ML-DSA-87 rejected a valid signature");
+    var bad = Buffer.from(sig); bad[0] ^= 0xff;
+    assert(!pqc.ml_dsa_87.verify(bad, msg, kp.publicKey), "ML-DSA-87 accepted a tampered signature");
+  });
+  record("SLH-DSA-SHAKE-256f sign/verify + negative", function () {
+    var kp = pqc.slh_dsa_shake_256f.keygen();
+    var msg = Buffer.from("blamejs SLH-DSA self-test", "utf8");
+    var sig = pqc.slh_dsa_shake_256f.sign(msg, kp.secretKey);
+    assert(pqc.slh_dsa_shake_256f.verify(sig, msg, kp.publicKey), "SLH-DSA-SHAKE-256f rejected a valid signature");
+    var bad = Buffer.from(sig); bad[0] ^= 0xff;
+    assert(!pqc.slh_dsa_shake_256f.verify(bad, msg, kp.publicKey), "SLH-DSA-SHAKE-256f accepted a tampered signature");
+  });
+
+  var failures = results.filter(function (r) { return !r.ok; });
+  var report = { ok: failures.length === 0, results: results, failures: failures, ranAt: new Date().toISOString() };
+  if (failures.length && opts.throwOnFailure !== false) {
+    var err = new Error("crypto.selfTest: " + failures.length + " self-test(s) failed: " +
+      failures.map(function (f) { return f.name; }).join("; "));
+    err.code = "crypto/self-test-failed";
+    err.report = report;
+    throw err;
+  }
+  return report;
+}
+
 module.exports = {
   sri:                          sri,
+  selfTest:                     selfTest,
   // Hashing
   sha3Hash:                    sha3Hash,
   hmacSha3:                    hmacSha3,

package/lib/vendor/blamejs/lib/did.js

@@ -12,14 +12,16 @@
  *   <code>b.scitt</code> credential to a <code>node:crypto</code>
  *   KeyObject, then hand that key to the verifier.
  *
- *   Two methods are supported. <strong>did:key</strong> encodes a public
- *   key directly in the identifier (multicodec + base58btc multibase),
- *   so resolution is deterministic and offline — Ed25519, P-256, P-384,
- *   and secp256k1 keys round-trip. <strong>did:web</strong> places the
- *   DID document at an HTTPS URL derived from the identifier; the network
- *   fetch is the operator's to make (the same operator-supplied-input
- *   stance as the rest of the framework), and <code>resolve</code> takes
- *   the fetched document and extracts its verification methods.
+ *   Three methods are supported. <strong>did:key</strong> encodes a
+ *   public key directly in the identifier (multicodec + base58btc
+ *   multibase) and <strong>did:jwk</strong> encodes it as a base64url
+ *   public JWK — both resolve deterministically and offline (Ed25519,
+ *   P-256, P-384, and secp256k1 round-trip). <strong>did:web</strong>
+ *   places the DID document at an HTTPS URL derived from the identifier;
+ *   the network fetch is the operator's to make (the same
+ *   operator-supplied-input stance as the rest of the framework), and
+ *   <code>resolve</code> takes the fetched document and extracts its
+ *   verification methods.
  *
  *   <code>b.did.keyToDid(publicKey)</code> produces a did:key from a
  *   KeyObject (an issuer naming itself); <code>b.did.parse(did)</code>
@@ -36,13 +38,15 @@
  *   deployed and interoperable today; pin the dependency deliberately.
  *
  * @card
- *   W3C DID resolution (did:key + did:web) → verification KeyObjects for
- *   the credential verifiers. did:key is deterministic + offline
- *   (Ed25519 / P-256 / P-384 / secp256k1); did:web parses an
- *   operator-fetched DID document. Composes node:crypto; no new dep.
+ *   W3C DID resolution (did:key + did:jwk + did:web) → verification
+ *   KeyObjects for the credential verifiers. did:key + did:jwk are
+ *   deterministic + offline (Ed25519 / P-256 / P-384 / secp256k1);
+ *   did:web parses an operator-fetched DID document. Composes
+ *   node:crypto; no new dep.
  */
 
 var nodeCrypto = require("node:crypto");
+var safeJson = require("./safe-json");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
 
@@ -55,6 +59,7 @@ var B58_MAP = (function () {
   return m;
 })();
 var MAX_MULTIBASE_CHARS = 1024;                        // allow:raw-byte-literal — bounded did:key multibase length (DoS cap)
+var MAX_JWK_B64_CHARS = 8192;                          // allow:raw-byte-literal — bounded did:jwk encoded-JWK length (DoS cap)
 
 // multicodec public-key codes (unsigned-varint) → curve descriptor.
 // keyLen is the multicodec payload: Ed25519 raw 32; EC compressed point.
@@ -224,23 +229,43 @@ function _didWebUrl(id) {
 
 /**
  * @primitive b.did.keyToDid
- * @signature b.did.keyToDid(publicKey)
+ * @signature b.did.keyToDid(publicKey, opts?)
  * @since     0.12.41
  * @status    experimental
  * @related   b.did.resolve
  *
  * Encode a public key (a <code>node:crypto</code> KeyObject or PEM) as a
- * <code>did:key</code> — the inverse of resolution, for an issuer that
- * names itself by its key. Ed25519, P-256, P-384, and secp256k1 are
- * supported.
+ * DID — the inverse of resolution, for an issuer that names itself by
+ * its key. Defaults to <code>did:key</code> (multicodec + base58btc);
+ * pass <code>opts.method = "jwk"</code> for <code>did:jwk</code>
+ * (base64url-encoded public JWK). Ed25519, P-256, P-384, and secp256k1
+ * are supported.
+ *
+ * @opts
+ *   {
+ *     method: string,   // "key" (default) | "jwk"
+ *   }
  *
  * @example
- *   var did = b.did.keyToDid(issuerPublicKey);   // → "did:key:z6Mk…"
+ *   var did = b.did.keyToDid(issuerPublicKey);                 // → "did:key:z6Mk…"
+ *   var dj  = b.did.keyToDid(issuerPublicKey, { method: "jwk" }); // → "did:jwk:eyJr…"
  */
-function keyToDid(publicKey) {
+function keyToDid(publicKey, opts) {
   var key = (publicKey && typeof publicKey === "object" && publicKey.asymmetricKeyType)
     ? publicKey : nodeCrypto.createPublicKey(publicKey);
   var jwk = key.export({ format: "jwk" });
+  if (opts && opts.method === "jwk") {
+    // did:jwk — base64url(UTF-8(JSON of the PUBLIC JWK)). Strip any
+    // private member defensively (a public KeyObject has none, but a
+    // caller could pass a private key by mistake).
+    var pub = {};
+    Object.keys(jwk).forEach(function (k) { if (k !== "d") pub[k] = jwk[k]; });
+    // Gate on the same kty/crv allowlist resolution enforces, so a
+    // produced did:jwk always round-trips (no generate-succeeds /
+    // resolve-fails RSA-style identifiers).
+    _jwkToKey(pub);
+    return "did:jwk:" + Buffer.from(JSON.stringify(pub), "utf8").toString("base64url");
+  }
   var code, payload;
   if (jwk.kty === "OKP" && jwk.crv === "Ed25519") {
     code = NAME_TO_CODE["Ed25519"];
@@ -266,8 +291,8 @@ function keyToDid(publicKey) {
  *
  * Resolve a DID to its document and verification methods (each with a
  * <code>node:crypto</code> public KeyObject ready for a verifier).
- * <code>did:key</code> resolves deterministically and offline.
- * <code>did:web</code> requires the operator to supply the fetched DID
+ * <code>did:key</code> and <code>did:jwk</code> resolve deterministically
+ * and offline. <code>did:web</code> requires the operator to supply the fetched DID
  * document as <code>opts.document</code> (the network fetch is the
  * operator's; the URL to fetch is on <code>b.did.parse(did).url</code>).
  *
@@ -304,6 +329,30 @@ function resolve(did, opts) {
     return { didDocument: doc, verificationMethods: [vm] };
   }
 
+  if (parsed.method === "jwk") {
+    if (parsed.id.length > MAX_JWK_B64_CHARS) {
+      throw new DidError("did/too-long", "did:jwk: encoded JWK exceeds the " + MAX_JWK_B64_CHARS + "-char cap");
+    }
+    var jwkJson = Buffer.from(parsed.id, "base64url").toString("utf8");
+    var jwk;
+    try { jwk = safeJson.parse(jwkJson, { maxBytes: MAX_JWK_B64_CHARS }); } catch (_e) {
+      throw new DidError("did/bad-jwk", "did:jwk: method-specific id is not base64url-encoded JSON");
+    }
+    if (!jwk || typeof jwk !== "object" || Array.isArray(jwk)) {
+      throw new DidError("did/bad-jwk", "did:jwk: decoded value is not a JWK object");
+    }
+    var jwkKey = _jwkToKey(jwk);                        // kty/crv allowlisted
+    var jwkVmId = did + "#0";
+    var jwkVm = { id: jwkVmId, controller: did, type: "JsonWebKey2020", publicKey: jwkKey };
+    var jwkDoc = {
+      "@context": ["https://www.w3.org/ns/did/v1"],
+      id: did,
+      verificationMethod: [{ id: jwkVmId, controller: did, type: "JsonWebKey2020", publicKeyJwk: jwk }],
+      assertionMethod: [jwkVmId], authentication: [jwkVmId],
+    };
+    return { didDocument: jwkDoc, verificationMethods: [jwkVm] };
+  }
+
   if (parsed.method === "web") {
     if (!opts.document || typeof opts.document !== "object") {
       throw new DidError("did/document-required",

package/lib/vendor/blamejs/lib/mdoc.js

@@ -251,17 +251,138 @@ async function verifyIssuerSigned(issuerSigned, opts) {
     _verifyChain(chain, anchors, at);
   }
 
+  // The device key (MSO deviceKeyInfo.deviceKey, a COSE_Key) binds the
+  // holder — surfaced for b.mdoc.verifyDeviceAuth.
+  var deviceKeyInfo = _mapGet(mso, "deviceKeyInfo");
+  var deviceKey = deviceKeyInfo ? _mapGet(deviceKeyInfo, "deviceKey") : undefined;
+
   return {
     docType:      docType,
     version:      _mapGet(mso, "version"),
     digestAlgorithm: digestAlgName,
     validityInfo: { validFrom: new Date(validFromMs), validUntil: new Date(validUntilMs) },
     namespaces:   out,
+    deviceKey:    deviceKey,
     signerCert:   signerCert.toString(),
     alg:          verified.alg,
   };
 }
 
+/**
+ * @primitive b.mdoc.verifyDeviceAuth
+ * @signature b.mdoc.verifyDeviceAuth(opts)
+ * @since     0.12.46
+ * @status    experimental
+ * @compliance gdpr, soc2
+ * @related   b.mdoc.verifyIssuerSigned, b.cose.verify
+ *
+ * Verify the device-authentication half of an ISO 18013-5 mdoc (§9.1.3,
+ * signature variant) — the proof that the holder controls the device key
+ * the issuer bound into the MSO, which stops a captured issuer-signed
+ * document from being replayed by anyone else. The device's COSE_Sign1
+ * (<code>deviceSigned.deviceAuth.deviceSignature</code>) is verified over
+ * the detached DeviceAuthentication structure
+ * (<code>["DeviceAuthentication", SessionTranscript, DocType,
+ * DeviceNameSpacesBytes]</code>) with the device key from the issuer-signed
+ * MSO (<code>verifyIssuerSigned(...).deviceKey</code>). The
+ * <code>sessionTranscript</code> binds the proof to this exact exchange
+ * and is supplied by the operator (the presentation protocol — e.g.
+ * OpenID4VP — defines it). The MAC variant (<code>deviceMac</code> /
+ * COSE_Mac0, used in proximity flows with a reader ephemeral key) is not
+ * yet supported and is refused with <code>mdoc/device-mac-unsupported</code>.
+ *
+ * @opts
+ *   {
+ *     deviceKey:         object,   // COSE_Key (from verifyIssuerSigned().deviceKey) or a KeyObject / PEM
+ *     deviceSigned:      object,   // the DeviceSigned structure (CBOR bytes or decoded)
+ *     docType:           string,   // the document type (must match the issuer-signed docType)
+ *     sessionTranscript: any,      // the SessionTranscript (CBOR bytes or decoded) bound by the protocol
+ *     algorithms:        string[], // required — accepted COSE alg names (ES256/384/512, EdDSA)
+ *     maxBytes:          number,   // forwarded to b.cbor.decode
+ *     maxDepth:          number,
+ *   }
+ *
+ * @example
+ *   var issuer = await b.mdoc.verifyIssuerSigned(issuerSignedBytes, { algorithms: ["ES256"] });
+ *   var dev = await b.mdoc.verifyDeviceAuth({ deviceKey: issuer.deviceKey, deviceSigned: deviceSignedBytes, docType: issuer.docType, sessionTranscript: transcript, algorithms: ["ES256"] });
+ *   // → { docType, alg, deviceNamespaces }
+ */
+async function verifyDeviceAuth(opts) {
+  validateOpts.requireObject(opts, "mdoc.verifyDeviceAuth", MdocError);
+  validateOpts(opts, ["deviceKey", "deviceSigned", "docType", "sessionTranscript", "algorithms", "maxBytes", "maxDepth"], "mdoc.verifyDeviceAuth");
+  if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {
+    throw new MdocError("mdoc/algorithms-required", "mdoc.verifyDeviceAuth: opts.algorithms is required");
+  }
+  if (typeof opts.docType !== "string" || !opts.docType) {
+    throw new MdocError("mdoc/bad-input", "mdoc.verifyDeviceAuth: opts.docType is required");
+  }
+  if (opts.sessionTranscript === undefined || opts.sessionTranscript === null) {
+    throw new MdocError("mdoc/no-session-transcript", "mdoc.verifyDeviceAuth: opts.sessionTranscript is required (the protocol-bound transcript)");
+  }
+  var decodeOpts = { allowedTags: ALLOWED_TAGS, maxBytes: opts.maxBytes, maxDepth: opts.maxDepth };
+
+  // Device key → KeyObject. Accept a COSE_Key (Map/object) via importKey,
+  // or an already-loaded KeyObject / PEM.
+  var deviceKeyObj;
+  if (opts.deviceKey && typeof opts.deviceKey === "object" && typeof opts.deviceKey.asymmetricKeyType === "string") {
+    deviceKeyObj = opts.deviceKey;
+  } else if (opts.deviceKey instanceof Map || (opts.deviceKey && typeof opts.deviceKey === "object")) {
+    deviceKeyObj = cose.importKey(opts.deviceKey);
+  } else if (typeof opts.deviceKey === "string") {
+    deviceKeyObj = opts.deviceKey;   // PEM, resolved by b.cose
+  } else {
+    throw new MdocError("mdoc/no-device-key", "mdoc.verifyDeviceAuth: opts.deviceKey is required (a COSE_Key or KeyObject)");
+  }
+
+  var ds = (Buffer.isBuffer(opts.deviceSigned) || opts.deviceSigned instanceof Uint8Array)
+    ? cbor.decode(_bytes(opts.deviceSigned, "deviceSigned"), decodeOpts) : opts.deviceSigned;
+  var deviceNameSpaces = _mapGet(ds, "nameSpaces");
+  var deviceAuth = _mapGet(ds, "deviceAuth");
+  if (!deviceNameSpaces || !deviceAuth) {
+    throw new MdocError("mdoc/malformed", "mdoc.verifyDeviceAuth: deviceSigned must have nameSpaces + deviceAuth");
+  }
+  if (!(deviceNameSpaces instanceof cbor.Tag) || deviceNameSpaces.tag !== TAG_ENCODED_CBOR) {
+    throw new MdocError("mdoc/malformed", "mdoc.verifyDeviceAuth: deviceSigned.nameSpaces must be a Tag-24 DeviceNameSpacesBytes");
+  }
+  var deviceSignature = _mapGet(deviceAuth, "deviceSignature");
+  if (!deviceSignature) {
+    if (_mapGet(deviceAuth, "deviceMac") !== undefined) {
+      throw new MdocError("mdoc/device-mac-unsupported",
+        "mdoc.verifyDeviceAuth: the MAC variant (deviceMac / COSE_Mac0) is not supported — only deviceSignature");
+    }
+    throw new MdocError("mdoc/no-device-signature", "mdoc.verifyDeviceAuth: deviceAuth has no deviceSignature");
+  }
+
+  var st = (Buffer.isBuffer(opts.sessionTranscript) || opts.sessionTranscript instanceof Uint8Array)
+    ? cbor.decode(_bytes(opts.sessionTranscript, "sessionTranscript"), decodeOpts) : opts.sessionTranscript;
+
+  // DeviceAuthentication (ISO 18013-5 §9.1.3.4); the detached payload is
+  // its Tag-24-wrapped CBOR.
+  var deviceAuthentication = ["DeviceAuthentication", st, opts.docType, deviceNameSpaces];
+  var deviceAuthBytes = cbor.encode(new cbor.Tag(TAG_ENCODED_CBOR, cbor.encode(deviceAuthentication)));
+
+  var coseBytes = Array.isArray(deviceSignature) ? cbor.encode(deviceSignature) : _bytes(deviceSignature, "deviceSignature");
+  var out = await cose.verify(coseBytes, {
+    algorithms:      opts.algorithms,
+    keyResolver:     function () { return deviceKeyObj; },
+    externalPayload: deviceAuthBytes,
+    maxBytes:        opts.maxBytes,
+    maxDepth:        opts.maxDepth,
+  });
+
+  var deviceNamespaces = {};
+  try {
+    var dns = cbor.decode(deviceNameSpaces.value, decodeOpts);
+    if (dns instanceof Map) {
+      dns.forEach(function (items, ns) {
+        deviceNamespaces[ns] = items instanceof Map ? Object.fromEntries(items) : items;
+      });
+    }
+  } catch (_e) { /* device-released namespaces are optional + advisory */ }
+
+  return { docType: opts.docType, alg: out.alg, deviceNamespaces: deviceNamespaces };
+}
+
 // Verify the leaf (chain[0]) chains to a supplied anchor and every cert
 // is valid at `at`. Intermediates in the x5chain are consulted.
 function _verifyChain(chainDer, anchorsPem, at) {
@@ -300,6 +421,7 @@ function _assertValidAt(cert, atMs) {
 
 module.exports = {
   verifyIssuerSigned: verifyIssuerSigned,
+  verifyDeviceAuth:   verifyDeviceAuth,
   DIGEST_ALGS:        DIGEST_ALGS,
   MdocError:          MdocError,
 };