@blamejs/blamejs-shop 0.2.9 → 0.2.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/asset-manifest.json +5 -5
- package/lib/storefront.js +231 -41
- package/lib/vendor/MANIFEST.json +3 -3
- package/lib/vendor/blamejs/CHANGELOG.md +6 -0
- package/lib/vendor/blamejs/README.md +2 -2
- package/lib/vendor/blamejs/api-snapshot.json +10 -2
- package/lib/vendor/blamejs/lib/agent-tenant.js +30 -0
- package/lib/vendor/blamejs/lib/archive-read.js +53 -40
- package/lib/vendor/blamejs/lib/archive-wrap.js +100 -32
- package/lib/vendor/blamejs/lib/cose.js +84 -0
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.20.json +22 -0
- package/lib/vendor/blamejs/release-notes/v0.13.21.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.13.22.json +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-read.test.js +46 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap.test.js +50 -7
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cose.test.js +42 -0
- package/package.json +1 -1
|
@@ -386,6 +386,35 @@ function _deriveTenantKeyBytes(tenantId, purpose) {
|
|
|
386
386
|
return bCrypto.kdf(input, TENANT_KEY_BYTES);
|
|
387
387
|
}
|
|
388
388
|
|
|
389
|
+
/**
|
|
390
|
+
* @primitive b.agent.tenant.derivedKey
|
|
391
|
+
* @signature b.agent.tenant.derivedKey(tenantId, purpose)
|
|
392
|
+
* @since 0.9.25
|
|
393
|
+
* @status stable
|
|
394
|
+
* @compliance hipaa, pci-dss, gdpr, soc2
|
|
395
|
+
* @related b.agent.tenant.create, b.archive.wrap, b.vault
|
|
396
|
+
*
|
|
397
|
+
* Derive a deterministic, domain-separated 32-byte key for a tenant
|
|
398
|
+
* and a named purpose, returned as a 64-char hex string. The key is a
|
|
399
|
+
* SHAKE256 KDF over the vault root (the master keypair PEM hashed),
|
|
400
|
+
* the `tenantId`, and the `purpose`, with NUL separators so distinct
|
|
401
|
+
* `(tenantId, purpose)` pairs cannot collide. The same inputs always
|
|
402
|
+
* produce the same key, so a value sealed under
|
|
403
|
+
* `derivedKey(t, "archive-wrap")` is recoverable later from the same
|
|
404
|
+
* tenant + purpose with no key escrow. Rotating the vault
|
|
405
|
+
* (`b.vaultRotate.rotate`) changes the root and therefore every
|
|
406
|
+
* derived key — by design, rotation intent is re-seal.
|
|
407
|
+
*
|
|
408
|
+
* Throws if the vault has not been initialized (keys cannot be derived
|
|
409
|
+
* before bootstrap) or if `purpose` is empty. This is the same
|
|
410
|
+
* derivation the per-tenant `sealField` / archive `recipient: "tenant"`
|
|
411
|
+
* paths use internally; call it directly when you need the raw key for
|
|
412
|
+
* your own AEAD.
|
|
413
|
+
*
|
|
414
|
+
* @example
|
|
415
|
+
* var key = b.agent.tenant.derivedKey("acme-corp", "archive-wrap");
|
|
416
|
+
* // → "9f3c…" (64 hex chars; deterministic per tenant + purpose)
|
|
417
|
+
*/
|
|
389
418
|
function _derivedKey(tenantId, purpose) {
|
|
390
419
|
// Public API — returns hex so the existing wire shape (operators
|
|
391
420
|
// storing the derived key string in their DB) is unchanged. Internal
|
|
@@ -624,6 +653,7 @@ function _inMemoryBackend() {
|
|
|
624
653
|
|
|
625
654
|
module.exports = {
|
|
626
655
|
create: create,
|
|
656
|
+
derivedKey: _derivedKey,
|
|
627
657
|
CROSS_TENANT_ADMIN_SCOPE: CROSS_TENANT_ADMIN_SCOPE,
|
|
628
658
|
AgentTenantError: AgentTenantError,
|
|
629
659
|
guards: {
|
|
@@ -51,6 +51,8 @@ var ArchiveReadError = defineClass("ArchiveReadError", { alwaysPermanent: true }
|
|
|
51
51
|
var guardFilename = lazyRequire(function () { return require("./guard-filename"); });
|
|
52
52
|
var guardArchive = lazyRequire(function () { return require("./guard-archive"); });
|
|
53
53
|
var safeDecompress = lazyRequire(function () { return require("./safe-decompress"); });
|
|
54
|
+
var safeBuffer = lazyRequire(function () { return require("./safe-buffer"); });
|
|
55
|
+
var archiveAdapters = lazyRequire(function () { return require("./archive-adapters"); });
|
|
54
56
|
|
|
55
57
|
// ---- Wire-format constants ------------------------------------------------
|
|
56
58
|
// Aligned with the write-side `lib/archive.js`. APPNOTE.TXT § references
|
|
@@ -775,29 +777,31 @@ function zip(adapter, opts) {
|
|
|
775
777
|
* @status experimental
|
|
776
778
|
* @related b.archive.read.zip, b.archive.adapters.trustedStream
|
|
777
779
|
*
|
|
778
|
-
*
|
|
779
|
-
*
|
|
780
|
-
*
|
|
781
|
-
*
|
|
782
|
-
*
|
|
780
|
+
* ZIP reader for a Readable source — pass `b.archive.adapters.trustedStream(readable)`
|
|
781
|
+
* instead of buffering the stream yourself. The bytes are collected
|
|
782
|
+
* into a size-capped buffer (1 GiB hard ceiling, like the tar
|
|
783
|
+
* trusted-stream reader) and then read through the same bomb-cap /
|
|
784
|
+
* path-traversal / entry-policy decode as the random-access reader, so
|
|
785
|
+
* `bombPolicy`, `guardProfile`, `entryTypePolicy`, and `audit` all
|
|
786
|
+
* apply. "Trusted" means the source size is bounded by the operator —
|
|
787
|
+
* the collection ceiling is the only guard against an unbounded
|
|
788
|
+
* producer; adversarial archives are still fully bomb-capped on decode.
|
|
783
789
|
*
|
|
784
|
-
*
|
|
785
|
-
*
|
|
786
|
-
*
|
|
787
|
-
* are accepted but not yet honored. Re-opens when a streaming
|
|
788
|
-
* consumer needs it. Until then, collect the stream into a buffer and
|
|
789
|
-
* use the random-access reader, which is the supported path for both
|
|
790
|
-
* trusted round-trip verification and adversarial input.
|
|
790
|
+
* The collection ceiling means this is not zero-buffer streaming (the
|
|
791
|
+
* whole archive is held in memory, capped); a future bounded-memory
|
|
792
|
+
* forward-inflate walker would lift that, shared with the tar reader.
|
|
791
793
|
*
|
|
792
794
|
* @opts
|
|
793
|
-
* bombPolicy: {
|
|
794
|
-
*
|
|
795
|
+
* bombPolicy: { maxEntries, maxEntryDecompressedBytes,
|
|
796
|
+
* maxTotalDecompressedBytes, maxExpansionRatio },
|
|
797
|
+
* entryTypePolicy: { ... },
|
|
798
|
+
* guardProfile: "strict" | "balanced" | "permissive",
|
|
799
|
+
* audit: b.audit,
|
|
795
800
|
*
|
|
796
801
|
* @example
|
|
797
|
-
*
|
|
798
|
-
* var bytes = await someStreamToBuffer(producedZipStream);
|
|
799
|
-
* var reader = b.archive.read.zip(b.archive.adapters.buffer(bytes));
|
|
802
|
+
* var reader = b.archive.read.zip.fromTrustedStream(b.archive.adapters.trustedStream(readable));
|
|
800
803
|
* var entries = await reader.inspect();
|
|
804
|
+
* void entries;
|
|
801
805
|
*/
|
|
802
806
|
function fromTrustedStream(adapter, opts) {
|
|
803
807
|
if (!adapter || adapter.kind !== "trusted-sequential") {
|
|
@@ -805,36 +809,45 @@ function fromTrustedStream(adapter, opts) {
|
|
|
805
809
|
"fromTrustedStream: adapter must come from b.archive.adapters.trustedStream(readable)");
|
|
806
810
|
}
|
|
807
811
|
opts = opts || {};
|
|
808
|
-
|
|
809
|
-
|
|
810
|
-
|
|
811
|
-
//
|
|
812
|
-
//
|
|
813
|
-
//
|
|
814
|
-
|
|
815
|
-
|
|
816
|
-
|
|
817
|
-
|
|
818
|
-
|
|
819
|
-
|
|
820
|
-
|
|
812
|
+
|
|
813
|
+
// Collect the Readable into a size-capped buffer once (tar-parity:
|
|
814
|
+
// boundedChunkCollector with a 1 GiB ceiling), then delegate to the
|
|
815
|
+
// random-access reader so the full bomb-cap / guard / audit decode
|
|
816
|
+
// applies. Lazy + memoized — construction stays cheap and the stream
|
|
817
|
+
// is consumed only on the first method call.
|
|
818
|
+
var readerPromise = null;
|
|
819
|
+
function _reader() {
|
|
820
|
+
if (!readerPromise) {
|
|
821
|
+
readerPromise = (async function () {
|
|
822
|
+
var collector = safeBuffer().boundedChunkCollector({
|
|
823
|
+
maxBytes: C.BYTES.gib(1),
|
|
824
|
+
errorClass: ArchiveReadError,
|
|
825
|
+
sizeCode: "archive-read/trusted-stream-too-large",
|
|
826
|
+
});
|
|
827
|
+
for await (var chunk of adapter.readable) { collector.push(chunk); }
|
|
828
|
+
return zip(archiveAdapters().buffer(collector.result()), opts);
|
|
829
|
+
})();
|
|
830
|
+
}
|
|
831
|
+
return readerPromise;
|
|
821
832
|
}
|
|
822
833
|
|
|
834
|
+
async function inspect() { return (await _reader()).inspect(); }
|
|
823
835
|
async function* entries() {
|
|
824
|
-
|
|
825
|
-
|
|
836
|
+
var r = await _reader();
|
|
837
|
+
for await (var e of r.entries()) { yield e; }
|
|
826
838
|
}
|
|
827
|
-
|
|
828
|
-
async function
|
|
829
|
-
|
|
830
|
-
|
|
839
|
+
async function extract(extractOpts) { return (await _reader()).extract(extractOpts); }
|
|
840
|
+
async function* extractEntries(extractOpts) {
|
|
841
|
+
var r = await _reader();
|
|
842
|
+
for await (var e of r.extractEntries(extractOpts)) { yield e; }
|
|
831
843
|
}
|
|
832
844
|
|
|
833
845
|
return {
|
|
834
|
-
kind:
|
|
835
|
-
inspect:
|
|
836
|
-
entries:
|
|
837
|
-
extract:
|
|
846
|
+
kind: "zip-trusted-sequential",
|
|
847
|
+
inspect: inspect,
|
|
848
|
+
entries: entries,
|
|
849
|
+
extract: extract,
|
|
850
|
+
extractEntries: extractEntries,
|
|
838
851
|
};
|
|
839
852
|
}
|
|
840
853
|
|
|
@@ -15,10 +15,11 @@
|
|
|
15
15
|
* var bytes = b.archive.unwrap(sealed, { recipient: privKeys });
|
|
16
16
|
* var reader = b.archive.read.tar(b.archive.adapters.buffer(bytes));
|
|
17
17
|
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
18
|
+
* Three recipient strategies: a static hybrid-PQC key-pair, a peer
|
|
19
|
+
* certificate, and `"tenant"` — a deterministic per-tenant symmetric
|
|
20
|
+
* seal keyed by the vault root (no key-pair to manage; unwrap
|
|
21
|
+
* re-derives from the tenant id). b.backup's `cryptoStrategy:
|
|
22
|
+
* "recipient"` consumes the same substrate.
|
|
22
23
|
*/
|
|
23
24
|
|
|
24
25
|
var C = require("./constants");
|
|
@@ -29,13 +30,23 @@ var ArchiveWrapError = defineClass("ArchiveWrapError", { alwaysPermanent: true }
|
|
|
29
30
|
|
|
30
31
|
var bCrypto = lazyRequire(function () { return require("./crypto"); });
|
|
31
32
|
var backupCrypto = lazyRequire(function () { return require("./backup/crypto"); });
|
|
33
|
+
var agentTenant = lazyRequire(function () { return require("./agent-tenant"); });
|
|
32
34
|
|
|
33
35
|
// Envelope magic — 5-byte ASCII prefix the safe-archive sniffer
|
|
34
36
|
// recognises. Distinct from b.crypto.encrypt's base64 envelope so
|
|
35
37
|
// archive-wrap output can carry an unambiguous "this is an archive
|
|
36
38
|
// wrap envelope" magic before the operator-controlled payload.
|
|
37
39
|
var ARCH_WRAP_MAGIC = "BAWRP"; // allow:raw-byte-literal — 5-byte ASCII archive-wrap recipient envelope magic
|
|
38
|
-
var ARCH_WRAP_VERSION = 0x01; // allow:raw-byte-literal — recipient version byte
|
|
40
|
+
var ARCH_WRAP_VERSION = 0x01; // allow:raw-byte-literal — recipient version byte (hybrid-KEM envelope)
|
|
41
|
+
// Tenant strategy uses the same BAWRP magic with a distinct version
|
|
42
|
+
// byte: the body is a symmetric XChaCha20-Poly1305 packed ciphertext
|
|
43
|
+
// (b.crypto.encryptPacked) keyed by the tenant's vault-derived key,
|
|
44
|
+
// not a hybrid-KEM envelope. unwrap dispatches on the version byte so
|
|
45
|
+
// a tenant envelope is never fed to the KEM decrypt path.
|
|
46
|
+
var ARCH_WRAP_VERSION_TENANT = 0x02; // allow:raw-byte-literal — tenant symmetric-seal version byte
|
|
47
|
+
// Purpose label for the per-tenant key derivation (domain-separates
|
|
48
|
+
// the archive-wrap key from a tenant's seal / audit / session keys).
|
|
49
|
+
var TENANT_KEY_PURPOSE = "archive-wrap";
|
|
39
50
|
var ARCH_WRAP_HEADER_BYTES = C.BYTES.bytes(6); // magic(5) + version(1)
|
|
40
51
|
// Passphrase variant — wire format: magic(5) + version(1) + saltLen(1)
|
|
41
52
|
// + salt(saltLen bytes) + encrypted bytes (24-byte nonce + ciphertext+tag
|
|
@@ -66,10 +77,14 @@ var ARCH_PASSPHRASE_HEADER_BYTES = C.BYTES.bytes(7);
|
|
|
66
77
|
* - peer cert — `{ recipient: { peerCertDer, peerKemPubkey } }` composes
|
|
67
78
|
* `b.crypto.encryptEnvelopeAsCertPeer` (extracts the
|
|
68
79
|
* P-384 half from the cert).
|
|
69
|
-
* - tenant — `{ recipient: "tenant", tenantId: "alpha" }`
|
|
70
|
-
*
|
|
71
|
-
*
|
|
72
|
-
*
|
|
80
|
+
* - tenant — `{ recipient: "tenant", tenantId: "alpha" }` seals
|
|
81
|
+
* under a deterministic per-tenant key derived from the
|
|
82
|
+
* vault root (`b.agent.tenant.derivedKey`) with
|
|
83
|
+
* XChaCha20-Poly1305, the tenant id mixed into the AEAD
|
|
84
|
+
* AAD so one tenant's envelope cannot open under
|
|
85
|
+
* another's key. No recipient key-pair to manage;
|
|
86
|
+
* `unwrap` re-derives from the same `tenantId`. Requires
|
|
87
|
+
* an initialized vault.
|
|
73
88
|
*
|
|
74
89
|
* @opts
|
|
75
90
|
* recipient: object | string, // see strategies above; required
|
|
@@ -96,15 +111,16 @@ function wrap(bytes, opts) {
|
|
|
96
111
|
throw new ArchiveWrapError("archive-wrap/no-recipient",
|
|
97
112
|
"wrap: opts.recipient is required (static key object | \"tenant\" string | peer-cert object)");
|
|
98
113
|
}
|
|
99
|
-
var
|
|
100
|
-
//
|
|
101
|
-
//
|
|
102
|
-
//
|
|
103
|
-
|
|
114
|
+
var enc = _encryptForRecipient(bytes, opts);
|
|
115
|
+
// enc.body is the envelope bytes (base64 KEM envelope for static /
|
|
116
|
+
// peer-cert recipients, symmetric packed ciphertext for tenant).
|
|
117
|
+
// Prepend the 6-byte archive-wrap header stamped with the strategy's
|
|
118
|
+
// version byte so safeArchive's sniffer + unwrap can identify the
|
|
119
|
+
// envelope (and pick the right decrypt path) without trial decryption.
|
|
104
120
|
var header = Buffer.alloc(ARCH_WRAP_HEADER_BYTES);
|
|
105
121
|
header.write(ARCH_WRAP_MAGIC, 0, 5, "ascii");
|
|
106
|
-
header[5] =
|
|
107
|
-
return Buffer.concat([header,
|
|
122
|
+
header[5] = enc.version;
|
|
123
|
+
return Buffer.concat([header, enc.body]);
|
|
108
124
|
}
|
|
109
125
|
|
|
110
126
|
/**
|
|
@@ -121,11 +137,14 @@ function wrap(bytes, opts) {
|
|
|
121
137
|
* than a crypto-level error.
|
|
122
138
|
*
|
|
123
139
|
* @opts
|
|
124
|
-
* recipient: object,
|
|
140
|
+
* recipient: object | "tenant", // { privateKey, ecPrivateKey } | { certPrivateKey, kemSecret } | "tenant"
|
|
141
|
+
* tenantId: string, // required when the envelope was sealed with recipient: "tenant"
|
|
125
142
|
*
|
|
126
143
|
* @example
|
|
127
144
|
* var bytes = b.archive.unwrap(sealed, { recipient: privPair });
|
|
128
145
|
* var reader = b.archive.read.tar(b.archive.adapters.buffer(bytes));
|
|
146
|
+
* // tenant envelope:
|
|
147
|
+
* var t = b.archive.unwrap(sealedForTenant, { recipient: "tenant", tenantId: "alpha" });
|
|
129
148
|
*/
|
|
130
149
|
function unwrap(sealed, opts) {
|
|
131
150
|
opts = opts || {};
|
|
@@ -145,6 +164,27 @@ function unwrap(sealed, opts) {
|
|
|
145
164
|
JSON.stringify(ARCH_WRAP_MAGIC) + "; got " + JSON.stringify(magic));
|
|
146
165
|
}
|
|
147
166
|
var version = buf[5];
|
|
167
|
+
// Tenant strategy: symmetric packed ciphertext keyed by the
|
|
168
|
+
// vault-derived per-tenant key. Re-derive from opts.tenantId and
|
|
169
|
+
// decrypt under the same tenant-bound AAD that wrap sealed with.
|
|
170
|
+
if (version === ARCH_WRAP_VERSION_TENANT) {
|
|
171
|
+
if (opts.recipient !== undefined && opts.recipient !== "tenant") {
|
|
172
|
+
throw new ArchiveWrapError("archive-wrap/recipient-mismatch",
|
|
173
|
+
"unwrap: this envelope was sealed with recipient: \"tenant\" — pass opts.tenantId " +
|
|
174
|
+
"(and either omit opts.recipient or set it to \"tenant\"), not a key-pair recipient");
|
|
175
|
+
}
|
|
176
|
+
var tenantKey = _tenantKey(opts.tenantId);
|
|
177
|
+
var packedBody = buf.slice(ARCH_WRAP_HEADER_BYTES);
|
|
178
|
+
try {
|
|
179
|
+
return bCrypto().decryptPacked(packedBody, tenantKey, _tenantAad(opts.tenantId));
|
|
180
|
+
} catch (e) {
|
|
181
|
+
var terr = new ArchiveWrapError("archive-wrap/decrypt-failed",
|
|
182
|
+
"unwrap: tenant envelope decryption refused (wrong tenantId or rotated vault?): " +
|
|
183
|
+
((e && e.message) || String(e)));
|
|
184
|
+
terr.cause = e;
|
|
185
|
+
throw terr;
|
|
186
|
+
}
|
|
187
|
+
}
|
|
148
188
|
if (version !== ARCH_WRAP_VERSION) {
|
|
149
189
|
throw new ArchiveWrapError("archive-wrap/bad-version",
|
|
150
190
|
"unwrap: archive-wrap version " + version + " not supported by this build");
|
|
@@ -152,7 +192,8 @@ function unwrap(sealed, opts) {
|
|
|
152
192
|
if (!opts.recipient || typeof opts.recipient !== "object") {
|
|
153
193
|
throw new ArchiveWrapError("archive-wrap/no-recipient",
|
|
154
194
|
"unwrap: opts.recipient is required ({ privateKey, ecPrivateKey } " +
|
|
155
|
-
"for the static-key path, { certPrivateKey, kemSecret } for the peer-cert path
|
|
195
|
+
"for the static-key path, { certPrivateKey, kemSecret } for the peer-cert path, " +
|
|
196
|
+
"or \"tenant\" + opts.tenantId for the tenant path)");
|
|
156
197
|
}
|
|
157
198
|
var envelope = buf.slice(ARCH_WRAP_HEADER_BYTES).toString("utf-8");
|
|
158
199
|
var plaintext;
|
|
@@ -183,28 +224,52 @@ function unwrap(sealed, opts) {
|
|
|
183
224
|
return Buffer.isBuffer(plaintext) ? plaintext : Buffer.from(plaintext);
|
|
184
225
|
}
|
|
185
226
|
|
|
227
|
+
// Resolve a tenant's deterministic 32-byte archive-wrap key from the
|
|
228
|
+
// vault root. Throws a clear archive-wrap error (rather than a deep
|
|
229
|
+
// agent-tenant one) when tenantId is missing; the vault-not-initialized
|
|
230
|
+
// case surfaces from agentTenant.derivedKey unchanged.
|
|
231
|
+
function _tenantKey(tenantId) {
|
|
232
|
+
if (typeof tenantId !== "string" || tenantId.length === 0) {
|
|
233
|
+
throw new ArchiveWrapError("archive-wrap/no-tenant-id",
|
|
234
|
+
"recipient: \"tenant\" requires opts.tenantId (a non-empty string)");
|
|
235
|
+
}
|
|
236
|
+
return Buffer.from(agentTenant().derivedKey(tenantId, TENANT_KEY_PURPOSE), "hex");
|
|
237
|
+
}
|
|
238
|
+
|
|
239
|
+
// AAD context-binds the symmetric envelope to the tenant: the Poly1305
|
|
240
|
+
// tag covers this, so a tenant-A envelope cannot be decrypted under
|
|
241
|
+
// tenant-B's key even if an attacker swaps headers between envelopes.
|
|
242
|
+
function _tenantAad(tenantId) {
|
|
243
|
+
return Buffer.from("archive-wrap|tenant|" + tenantId, "utf8");
|
|
244
|
+
}
|
|
245
|
+
|
|
246
|
+
// Returns { version, body } so wrap() can stamp the right version byte:
|
|
247
|
+
// hybrid-KEM recipients use ARCH_WRAP_VERSION with a base64 envelope
|
|
248
|
+
// body; the tenant strategy uses ARCH_WRAP_VERSION_TENANT with a
|
|
249
|
+
// symmetric packed-ciphertext body.
|
|
186
250
|
function _encryptForRecipient(bytes, opts) {
|
|
187
251
|
var r = opts.recipient;
|
|
188
252
|
if (typeof r === "string") {
|
|
189
253
|
if (r === "tenant") {
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
throw new ArchiveWrapError("archive-wrap/tenant-strategy-deferred",
|
|
194
|
-
"wrap: recipient: \"tenant\" lands in v0.12.11 alongside b.backup cryptoStrategy: \"recipient\" + per-tenant key resolution. For v0.12.10, pass an explicit { publicKey, ecPublicKey } recipient");
|
|
254
|
+
var tenantKey = _tenantKey(opts.tenantId);
|
|
255
|
+
var packed = bCrypto().encryptPacked(Buffer.from(bytes), tenantKey, _tenantAad(opts.tenantId));
|
|
256
|
+
return { version: ARCH_WRAP_VERSION_TENANT, body: packed };
|
|
195
257
|
}
|
|
196
258
|
throw new ArchiveWrapError("archive-wrap/bad-recipient",
|
|
197
|
-
"wrap: recipient string " + JSON.stringify(r) + " not recognised; \"tenant\"
|
|
259
|
+
"wrap: recipient string " + JSON.stringify(r) + " not recognised; the only string recipient is \"tenant\" (with opts.tenantId)");
|
|
198
260
|
}
|
|
199
261
|
if (r.peerCertDer || r.peerKemPubkey) {
|
|
200
262
|
if (!r.peerCertDer || !r.peerKemPubkey) {
|
|
201
263
|
throw new ArchiveWrapError("archive-wrap/bad-recipient",
|
|
202
264
|
"wrap: peer-cert strategy requires BOTH peerCertDer + peerKemPubkey");
|
|
203
265
|
}
|
|
204
|
-
return
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
266
|
+
return {
|
|
267
|
+
version: ARCH_WRAP_VERSION,
|
|
268
|
+
body: Buffer.from(bCrypto().encryptEnvelopeAsCertPeer(bytes, {
|
|
269
|
+
peerCertDer: r.peerCertDer,
|
|
270
|
+
peerKemPubkey: r.peerKemPubkey,
|
|
271
|
+
}), "utf-8"),
|
|
272
|
+
};
|
|
208
273
|
}
|
|
209
274
|
if (r.publicKey) {
|
|
210
275
|
// Codex P2 on v0.12.10 PR #161 — b.crypto.encrypt falls back to
|
|
@@ -221,10 +286,13 @@ function _encryptForRecipient(bytes, opts) {
|
|
|
221
286
|
"and ecPublicKey (P-384 ECDH PEM). Partial recipients trip b.crypto.encrypt's " +
|
|
222
287
|
"ML-KEM-only fallback which silently degrades the hybrid contract this primitive promises.");
|
|
223
288
|
}
|
|
224
|
-
return
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
289
|
+
return {
|
|
290
|
+
version: ARCH_WRAP_VERSION,
|
|
291
|
+
body: Buffer.from(bCrypto().encrypt(bytes, {
|
|
292
|
+
publicKey: r.publicKey,
|
|
293
|
+
ecPublicKey: r.ecPublicKey,
|
|
294
|
+
}), "utf-8"),
|
|
295
|
+
};
|
|
228
296
|
}
|
|
229
297
|
throw new ArchiveWrapError("archive-wrap/bad-recipient",
|
|
230
298
|
"wrap: recipient must be { publicKey, ecPublicKey } | { peerCertDer, peerKemPubkey } | \"tenant\"");
|
|
@@ -743,9 +743,15 @@ function macVerify0(coseMac0, opts) {
|
|
|
743
743
|
// secp256k1 key be verified under ES256, breaking the COSE alg/curve
|
|
744
744
|
// binding (RFC 9053). Re-add with an explicit ES256K algorithm.
|
|
745
745
|
var COSE_EC2_CRV = { 1: "P-256", 2: "P-384", 3: "P-521" };
|
|
746
|
+
// Reverse of COSE_EC2_CRV — JWK crv name → COSE EC2 curve id, for exportKey.
|
|
747
|
+
var COSE_EC2_CRV_ID = { "P-256": 1, "P-384": 2, "P-521": 3 };
|
|
746
748
|
var COSE_KTY_OKP = 1;
|
|
747
749
|
var COSE_KTY_EC2 = 2;
|
|
748
750
|
var COSE_OKP_ED25519 = 6; // allow:raw-byte-literal — COSE OKP Ed25519 crv id (RFC 9053)
|
|
751
|
+
// COSE_Key common-parameter labels (RFC 9052 §7.1): 1=kty, 2=kid, 3=alg.
|
|
752
|
+
var COSE_KEY_LABEL_KTY = 1;
|
|
753
|
+
var COSE_KEY_LABEL_KID = 2;
|
|
754
|
+
var COSE_KEY_LABEL_ALG = 3;
|
|
749
755
|
|
|
750
756
|
function _coseKeyBytes(v, what) {
|
|
751
757
|
if (Buffer.isBuffer(v)) return v;
|
|
@@ -804,6 +810,83 @@ function importKey(coseKey) {
|
|
|
804
810
|
catch (e) { throw new CoseError("cose/bad-cose-key", "cose.importKey: could not import COSE_Key: " + ((e && e.message) || e)); }
|
|
805
811
|
}
|
|
806
812
|
|
|
813
|
+
/**
|
|
814
|
+
* @primitive b.cose.exportKey
|
|
815
|
+
* @signature b.cose.exportKey(keyObject, opts?)
|
|
816
|
+
* @since 0.13.20
|
|
817
|
+
* @status stable
|
|
818
|
+
* @related b.cose.importKey, b.cose.verify, b.cbor.encode
|
|
819
|
+
*
|
|
820
|
+
* Serialize a <code>node:crypto</code> public key as a COSE_Key
|
|
821
|
+
* (RFC 9052 §7) — the CBOR-map, integer-labelled form embedded in an
|
|
822
|
+
* mdoc MSO, a COSE_Key header, or a SCITT / C2PA verification-key
|
|
823
|
+
* field. The inverse of <code>b.cose.importKey</code>: a key signed
|
|
824
|
+
* with <code>b.cose.sign</code> can be shipped to a verifier as bytes
|
|
825
|
+
* and re-imported. Returns the CBOR-encoded bytes (like the other COSE
|
|
826
|
+
* producers); pass the decoded map to <code>importKey</code> to round-trip.
|
|
827
|
+
*
|
|
828
|
+
* Accepts the same key types <code>importKey</code> / <code>verify</code>
|
|
829
|
+
* understand: EC2 (P-256 / P-384 / P-521) and OKP (Ed25519). A private
|
|
830
|
+
* key has its public half exported. Other curves / key types are
|
|
831
|
+
* refused rather than emitting a COSE_Key no verifier here would accept.
|
|
832
|
+
*
|
|
833
|
+
* @opts
|
|
834
|
+
* alg: string, // optional COSE alg label (e.g. "ES256") → COSE_Key label 3
|
|
835
|
+
* kid: Buffer | string, // optional key id → COSE_Key label 2 (bstr; string encoded UTF-8)
|
|
836
|
+
*
|
|
837
|
+
* @example
|
|
838
|
+
* var bytes = b.cose.exportKey(pubKey, { alg: "ES256", kid: "key-1" });
|
|
839
|
+
* var key = b.cose.importKey(b.cbor.decode(bytes)); // round-trips
|
|
840
|
+
*/
|
|
841
|
+
function exportKey(keyObject, opts) {
|
|
842
|
+
opts = opts || {};
|
|
843
|
+
if (!keyObject || typeof keyObject.export !== "function" || typeof keyObject.type !== "string") {
|
|
844
|
+
throw new CoseError("cose/bad-key", "cose.exportKey: expected a node:crypto KeyObject");
|
|
845
|
+
}
|
|
846
|
+
// A private key exports its public half — a COSE_Key here is a
|
|
847
|
+
// verification key, never the secret.
|
|
848
|
+
var pub = keyObject.type === "private" ? nodeCrypto.createPublicKey(keyObject) : keyObject;
|
|
849
|
+
var jwk;
|
|
850
|
+
try { jwk = pub.export({ format: "jwk" }); }
|
|
851
|
+
catch (e) { throw new CoseError("cose/bad-key", "cose.exportKey: could not export key to JWK: " + ((e && e.message) || e)); }
|
|
852
|
+
|
|
853
|
+
var coseKey = new Map();
|
|
854
|
+
if (jwk.kty === "OKP") {
|
|
855
|
+
if (jwk.crv !== "Ed25519") {
|
|
856
|
+
throw new CoseError("cose/unsupported-key", "cose.exportKey: only OKP curve Ed25519 is supported (got " + jwk.crv + ")");
|
|
857
|
+
}
|
|
858
|
+
coseKey.set(COSE_KEY_LABEL_KTY, COSE_KTY_OKP);
|
|
859
|
+
coseKey.set(-1, COSE_OKP_ED25519);
|
|
860
|
+
coseKey.set(-2, Buffer.from(jwk.x, "base64url"));
|
|
861
|
+
} else if (jwk.kty === "EC") {
|
|
862
|
+
var crvId = COSE_EC2_CRV_ID[jwk.crv];
|
|
863
|
+
if (!crvId) {
|
|
864
|
+
throw new CoseError("cose/unsupported-key", "cose.exportKey: unsupported EC curve " + jwk.crv + " (only P-256 / P-384 / P-521)");
|
|
865
|
+
}
|
|
866
|
+
coseKey.set(COSE_KEY_LABEL_KTY, COSE_KTY_EC2);
|
|
867
|
+
coseKey.set(-1, crvId);
|
|
868
|
+
coseKey.set(-2, Buffer.from(jwk.x, "base64url"));
|
|
869
|
+
coseKey.set(-3, Buffer.from(jwk.y, "base64url"));
|
|
870
|
+
} else {
|
|
871
|
+
throw new CoseError("cose/unsupported-key", "cose.exportKey: kty must be OKP or EC (got " + jwk.kty + ")");
|
|
872
|
+
}
|
|
873
|
+
|
|
874
|
+
if (opts.kid !== undefined) {
|
|
875
|
+
var kid = Buffer.isBuffer(opts.kid) ? opts.kid
|
|
876
|
+
: (typeof opts.kid === "string" ? Buffer.from(opts.kid, "utf8") : null);
|
|
877
|
+
if (!kid) throw new CoseError("cose/bad-kid", "cose.exportKey: opts.kid must be a Buffer or string");
|
|
878
|
+
coseKey.set(COSE_KEY_LABEL_KID, kid);
|
|
879
|
+
}
|
|
880
|
+
if (opts.alg !== undefined) {
|
|
881
|
+
var algId = ALG_NAME_TO_ID[opts.alg];
|
|
882
|
+
if (algId === undefined) {
|
|
883
|
+
throw new CoseError("cose/unknown-alg", "cose.exportKey: opts.alg '" + opts.alg + "' not recognized");
|
|
884
|
+
}
|
|
885
|
+
coseKey.set(COSE_KEY_LABEL_ALG, algId);
|
|
886
|
+
}
|
|
887
|
+
return cbor.encode(coseKey);
|
|
888
|
+
}
|
|
889
|
+
|
|
807
890
|
module.exports = {
|
|
808
891
|
sign: sign,
|
|
809
892
|
verify: verify,
|
|
@@ -812,6 +895,7 @@ module.exports = {
|
|
|
812
895
|
mac0: mac0,
|
|
813
896
|
macVerify0: macVerify0,
|
|
814
897
|
importKey: importKey,
|
|
898
|
+
exportKey: exportKey,
|
|
815
899
|
ALGORITHMS: ALG_NAME_TO_ID,
|
|
816
900
|
MAC_ALGORITHMS: HMAC_NAME_TO_ID,
|
|
817
901
|
COSE_MAC0_TAG: COSE_MAC0_TAG,
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.20",
|
|
4
|
+
"date": "2026-05-27",
|
|
5
|
+
"headline": "`b.archive.wrap` can seal an archive for a tenant with no key-pair to manage — `recipient: \"tenant\"`",
|
|
6
|
+
"summary": "b.archive.wrap previously sealed only to an explicit hybrid-PQC key-pair or a peer certificate; the documented recipient: \"tenant\" strategy threw. It now works: pass { recipient: \"tenant\", tenantId } and the archive is sealed under a deterministic per-tenant key derived from the vault root (SHAKE256 KDF) with XChaCha20-Poly1305, the tenant id mixed into the AEAD additional-authenticated-data so one tenant's envelope cannot be opened under another tenant's key. There is no recipient key-pair for the operator to generate, store, or rotate — b.archive.unwrap re-derives the key from the same tenantId. Rotating the vault re-keys every tenant (rotation intent is re-seal). The derivation is exposed directly as b.agent.tenant.derivedKey(tenantId, purpose) for operators who need the raw per-tenant key for their own AEAD. Requires an initialized vault.",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Added",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "`b.archive.wrap` / `b.archive.unwrap` `recipient: \"tenant\"` — per-tenant archive sealing, no key-pair",
|
|
13
|
+
"body": "`b.archive.wrap(bytes, { recipient: \"tenant\", tenantId })` seals under a deterministic per-tenant key derived from the vault root with XChaCha20-Poly1305 (draft-irtf-cfrg-xchacha-03) and a SHAKE256 KDF (FIPS 202); the tenant id is bound into the AEAD AAD so a tenant-A envelope cannot decrypt under tenant-B's key even if an attacker swaps envelope headers. `b.archive.unwrap(sealed, { recipient: \"tenant\", tenantId })` (or just `{ tenantId }`) re-derives the key and recovers the bytes — no recipient key-pair to manage. The tenant envelope carries a distinct version byte so it is never fed to the hybrid-KEM decrypt path. The static-key and peer-cert recipient strategies are unchanged."
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"title": "`b.agent.tenant.derivedKey(tenantId, purpose)` — direct per-tenant key derivation",
|
|
17
|
+
"body": "The deterministic, domain-separated per-tenant key derivation (vault root + tenantId + purpose, SHAKE256, NUL-separated) is now exported at the module level, returning a 64-char hex key. Previously reachable only as a method on a created tenant manager; operators who need the raw key for their own AEAD can now call it directly. Throws if the vault is not initialized."
|
|
18
|
+
}
|
|
19
|
+
]
|
|
20
|
+
}
|
|
21
|
+
]
|
|
22
|
+
}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.21",
|
|
4
|
+
"date": "2026-05-27",
|
|
5
|
+
"headline": "`b.cose.exportKey` — serialize a public key as a COSE_Key, the inverse of `b.cose.importKey`",
|
|
6
|
+
"summary": "b.cose could import a COSE_Key (RFC 9052 §7) into a node:crypto key for verification, but had no way to produce one — so a key used with b.cose.sign could not be shipped to a verifier in COSE form without hand-building the CBOR map. b.cose.exportKey(keyObject, opts?) closes the round-trip: it serializes an EC2 (P-256 / P-384 / P-521) or OKP (Ed25519) public key as the CBOR-encoded COSE_Key map, with optional alg and kid common parameters. A private key has its public half exported; unsupported curves / key types are refused rather than emitting a COSE_Key no verifier here would accept. The bytes round-trip through b.cose.importKey, and feed the mdoc MSO / COSE_Key header / SCITT / C2PA verification-key paths.",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Added",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "`b.cose.exportKey(keyObject, { alg?, kid? })` — KeyObject → COSE_Key (RFC 9052 §7)",
|
|
13
|
+
"body": "Serialize a `node:crypto` public key as the CBOR-encoded COSE_Key map — the inverse of `b.cose.importKey`. Supports EC2 (P-256 / P-384 / P-521) and OKP (Ed25519), the same key types `b.cose.verify` accepts; `opts.alg` (e.g. `\"ES256\"`) and `opts.kid` populate the COSE_Key alg (label 3) and kid (label 2) common parameters. A private key exports its public half; unsupported curves / key types throw rather than producing a COSE_Key no verifier would accept. `b.cose.importKey(b.cbor.decode(exportKey(k)))` round-trips, so a key signed with `b.cose.sign` can be shipped to a verifier as bytes — the mdoc MSO / COSE_Key header / SCITT / C2PA verification-key paths."
|
|
14
|
+
}
|
|
15
|
+
]
|
|
16
|
+
}
|
|
17
|
+
]
|
|
18
|
+
}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.22",
|
|
4
|
+
"date": "2026-05-27",
|
|
5
|
+
"headline": "`b.archive.read.zip.fromTrustedStream` reads a ZIP from a Readable — no longer an experimental stub",
|
|
6
|
+
"summary": "fromTrustedStream was an experimental stub whose inspect / entries / extract methods threw, forcing callers to buffer the stream themselves and use the random-access reader. It now works, with the same shape as the tar trusted-stream reader: pass b.archive.adapters.trustedStream(readable) and the bytes are collected into a size-capped buffer (1 GiB hard ceiling) and read through the same bomb-cap, path-traversal, and entry-type decode as the random-access reader — so bombPolicy, guardProfile, entryTypePolicy, and audit all apply, and inspect / entries / extract / extractEntries all return data. This is a bounded-memory reader (the archive is held in memory under the ceiling), not zero-buffer streaming; a future forward-inflate walker shared with the tar reader would lift the ceiling.",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Added",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "`b.archive.read.zip.fromTrustedStream` now reads — `inspect` / `entries` / `extract` / `extractEntries`",
|
|
13
|
+
"body": "The ZIP trusted-stream reader is implemented (was an experimental stub that threw). Pass `b.archive.adapters.trustedStream(readable)` to read a ZIP straight from a Node Readable without buffering it yourself. The stream is collected into a size-capped buffer (1 GiB ceiling, matching `b.archive.read.tar`'s trusted-stream reader) and decoded through the same adversarial-safe path as the random-access reader, so `bombPolicy` / `guardProfile` / `entryTypePolicy` / `audit` are honored on decode. Adversarial archives remain fully bomb-capped; \"trusted\" refers only to the source-size bound. A non-trusted-stream adapter is refused with `archive-read/bad-adapter`."
|
|
14
|
+
}
|
|
15
|
+
]
|
|
16
|
+
}
|
|
17
|
+
]
|
|
18
|
+
}
|
|
@@ -222,6 +222,51 @@ async function testSafeArchiveRefusesTrustedStreamSource() {
|
|
|
222
222
|
}
|
|
223
223
|
}
|
|
224
224
|
|
|
225
|
+
async function testFromTrustedStreamRoundTrip() {
|
|
226
|
+
var nodeStream = require("node:stream");
|
|
227
|
+
var z = b.archive.zip();
|
|
228
|
+
z.addFile("readme.txt", "trusted stream readme\n");
|
|
229
|
+
z.addFile("data/n.csv", "a,b\n1,2\n");
|
|
230
|
+
var bytes = z.toBuffer();
|
|
231
|
+
|
|
232
|
+
// inspect over a Readable via the trusted-stream adapter (no manual
|
|
233
|
+
// buffering by the caller — the reader collects + decodes).
|
|
234
|
+
var reader = b.archive.read.zip.fromTrustedStream(
|
|
235
|
+
b.archive.adapters.trustedStream(nodeStream.Readable.from(bytes)));
|
|
236
|
+
check("fromTrustedStream: kind tag", reader.kind === "zip-trusted-sequential");
|
|
237
|
+
var entries = await reader.inspect();
|
|
238
|
+
check("fromTrustedStream: inspect sees both entries", entries.length === 2);
|
|
239
|
+
check("fromTrustedStream: entry name round-trips",
|
|
240
|
+
entries.some(function (e) { return e.name === "readme.txt"; }));
|
|
241
|
+
|
|
242
|
+
// extractEntries over a fresh stream recovers the bytes.
|
|
243
|
+
var reader2 = b.archive.read.zip.fromTrustedStream(
|
|
244
|
+
b.archive.adapters.trustedStream(nodeStream.Readable.from(bytes)));
|
|
245
|
+
var got = {};
|
|
246
|
+
for await (var ent of reader2.extractEntries()) {
|
|
247
|
+
got[ent.name] = Buffer.isBuffer(ent.bytes) ? ent.bytes.toString("utf8") : null;
|
|
248
|
+
}
|
|
249
|
+
check("fromTrustedStream: extractEntries recovers content",
|
|
250
|
+
got["readme.txt"] === "trusted stream readme\n" && got["data/n.csv"] === "a,b\n1,2\n");
|
|
251
|
+
|
|
252
|
+
// bombPolicy is honored through the delegated decode — a tiny
|
|
253
|
+
// per-entry cap refuses the archive.
|
|
254
|
+
var reader3 = b.archive.read.zip.fromTrustedStream(
|
|
255
|
+
b.archive.adapters.trustedStream(nodeStream.Readable.from(bytes)),
|
|
256
|
+
{ bombPolicy: { maxEntryDecompressedBytes: 4 } });
|
|
257
|
+
var bombErr = null;
|
|
258
|
+
try { await reader3.inspect(); for await (var _e of reader3.extractEntries()) { void _e; } }
|
|
259
|
+
catch (e) { bombErr = e; }
|
|
260
|
+
check("fromTrustedStream: bombPolicy applies on decode", bombErr !== null);
|
|
261
|
+
|
|
262
|
+
// bad adapter (random-access) refused.
|
|
263
|
+
var badErr = null;
|
|
264
|
+
try { b.archive.read.zip.fromTrustedStream(b.archive.adapters.buffer(bytes)); }
|
|
265
|
+
catch (e) { badErr = e; }
|
|
266
|
+
check("fromTrustedStream: non-trusted-stream adapter refused",
|
|
267
|
+
badErr && /bad-adapter/.test(badErr.code || badErr.message));
|
|
268
|
+
}
|
|
269
|
+
|
|
225
270
|
async function testGuardArchiveInspect() {
|
|
226
271
|
var z = b.archive.zip();
|
|
227
272
|
z.addFile("safe.txt", "safe");
|
|
@@ -359,6 +404,7 @@ async function run() {
|
|
|
359
404
|
testVerifyExtractionPathWindowsHazards();
|
|
360
405
|
await testExtractRefusesOverwrite();
|
|
361
406
|
await testSafeArchiveRefusesTrustedStreamSource();
|
|
407
|
+
await testFromTrustedStreamRoundTrip();
|
|
362
408
|
await testGuardArchiveInspect();
|
|
363
409
|
await testBundleAdapterStorageRoundTrip();
|
|
364
410
|
}
|