@blamejs/blamejs-shop 0.4.31 → 0.4.33

package/lib/vendor/blamejs/lib/auth/oauth.js

@@ -1833,10 +1833,30 @@ function create(opts) {
     var now = Math.floor(Date.now() / C.TIME.seconds(1));
     var skewSec = Math.floor(clockSkewMs / C.TIME.seconds(1));
     // OIDC Back-Channel Logout 1.0 §2.4 — logout tokens have no `exp`
-    // claim; freshness comes from `iat` + jti-replay window. Operators
-    // verifying logout tokens pass `skipExpCheck: true`. ID tokens
-    // never set this and continue to require `exp`.
-    if (!vopts.skipExpCheck) {
+    // claim; freshness comes from `iat` + jti-replay window. `skipExpCheck`
+    // bypasses the exp gate for that path ONLY. It is a public-API option,
+    // so it must be self-guarding: refuse it on any token that is not a
+    // logout token (no back-channel-logout event), or a caller could verify
+    // an expired/replayed id_token clean. Logout tokens then carry no exp,
+    // so `iat` is the only freshness bound — enforce a max-age floor.
+    if (vopts.skipExpCheck) {
+      if (!payload.events || typeof payload.events !== "object" ||
+          !payload.events["http://schemas.openid.net/event/backchannel-logout"]) {
+        throw new OAuthError("auth-oauth/skip-exp-check-not-allowed",
+          "skipExpCheck is only valid for back-channel-logout tokens " +
+          "(OIDC Back-Channel Logout 1.0 §2.4); this token carries no logout event claim");
+      }
+      // Honor the operator's configured replay window. verifyBackchannelLogoutToken
+      // exposes vopts.maxAgeSec (default 5 min) and passes it through here; a
+      // deployment that widened the window must not have this freshness floor
+      // reject a token between the default and its configured max age.
+      var logoutMaxAgeSec = (typeof vopts.maxAgeSec === "number" && isFinite(vopts.maxAgeSec) &&
+        vopts.maxAgeSec > 0) ? vopts.maxAgeSec : DEFAULT_LOGOUT_TOKEN_MAX_AGE_SEC;
+      if (typeof payload.iat !== "number" || payload.iat + logoutMaxAgeSec + skewSec < now) {
+        throw new OAuthError("auth-oauth/logout-token-stale",
+          "logout token iat is older than " + logoutMaxAgeSec + "s (no exp; iat is the freshness bound)");
+      }
+    } else {
       if (typeof payload.exp !== "number" || payload.exp + skewSec < now) {
         throw new OAuthError("auth-oauth/expired", "ID token expired (exp=" + payload.exp + ", now=" + now + ")");
       }
@@ -1876,6 +1896,19 @@ function create(opts) {
       throw new OAuthError("auth-oauth/aud-mismatch",
         "ID token aud does not contain clientId '" + clientId + "'");
     }
+    // OIDC Core §3.1.3.7: a multi-audience ID token MUST carry an azp
+    // (authorized party), and a present azp MUST equal our client_id.
+    // Without this, a token whose authorized party is a DIFFERENT client but
+    // whose aud array also lists this RP would verify clean — a confused-deputy
+    // / token-substitution hole.
+    if (aud.length > 1 && typeof payload.azp !== "string") {
+      throw new OAuthError("auth-oauth/azp-required",
+        "ID token has multiple audiences but no azp (authorized party) claim");
+    }
+    if (payload.azp !== undefined && payload.azp !== clientId) {
+      throw new OAuthError("auth-oauth/azp-mismatch",
+        "ID token azp '" + payload.azp + "' is not clientId '" + clientId + "'");
+    }
     if (vopts.nonce && !vopts.skipNonceCheck) {
       // Constant-time nonce compare — secret-shaped value matched
       // against attacker-controlled payload.
@@ -2016,13 +2049,19 @@ function create(opts) {
     if (uopts.prompt)    authzParams.prompt     = uopts.prompt;
     if (uopts.loginHint) authzParams.login_hint = uopts.loginHint;
     if (uopts.maxAge != null) authzParams.max_age = String(uopts.maxAge);
-    // RFC 9396 — push the fine-grained authorization request through PAR
-    // identically to the redirect path (validated, then JSON-serialized).
+    // RFC 9396 — push the fine-grained authorization request through PAR.
+    // On the plain-form branch the value is a form parameter (JSON STRING);
+    // on the signed-request-object branch it becomes a JAR claim and MUST
+    // be the native JSON ARRAY (RFC 9101/9396) — a conforming AS rejects a
+    // string-valued authorization_details claim. Carry the validated array
+    // and serialize ONLY when it travels as a form param.
     var requestedAuthzDetails = null;
     if (uopts.authorizationDetails !== undefined) {
       requestedAuthzDetails = _validateAuthorizationDetailsArray(
         uopts.authorizationDetails, "pushAuthorizationRequest");
-      authzParams.authorization_details = JSON.stringify(requestedAuthzDetails);
+      authzParams.authorization_details = sro
+        ? requestedAuthzDetails                    // JAR claim — native array
+        : JSON.stringify(requestedAuthzDetails);   // form param — JSON string
     }
     if (uopts.extraParams && typeof uopts.extraParams === "object") {
       var ek = Object.keys(uopts.extraParams);
@@ -2160,9 +2199,18 @@ function create(opts) {
   // store — operators wire b.cache or b.db.
   async function verifyBackchannelLogoutToken(logoutToken, vopts) {
     vopts = vopts || {};
-    if (typeof logoutToken !== "string" || logoutToken.length === 0) {
+    // Type / non-empty / length-cap gate, folded into one bounds check.
+    // The cap runs BEFORE the split + base64url decode — an attacker-
+    // reachable endpoint can POST an arbitrarily large logout_token, and
+    // bounding it first stops the decode from allocating unbounded memory.
+    var logoutTokenIsString = typeof logoutToken === "string";
+    if (!logoutTokenIsString || logoutToken.length === 0) {
       throw new OAuthError("auth-oauth/bad-logout-token",
         "verifyBackchannelLogoutToken: logoutToken must be a non-empty string");
+    } else if (logoutToken.length > OAUTH_MAX_RESPONSE_BYTES) {
+      throw new OAuthError("auth-oauth/logout-token-too-large",
+        "verifyBackchannelLogoutToken: logout_token exceeds " +
+        OAUTH_MAX_RESPONSE_BYTES + " bytes");
     }
     var parts = logoutToken.split(".");
     if (parts.length !== 3) {
@@ -2170,7 +2218,12 @@ function create(opts) {
         "verifyBackchannelLogoutToken: logout_token must be a 3-segment JWS");
     }
     var headerObj;
-    try { headerObj = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8")); }         // allow:bare-json-parse — pre-verify header parse to look up the typ; the JWS signature is verified by verifyIdToken below
+    // Route the pre-verify header parse through safeJson (size-bounded) like
+    // the in-module id_token / JWS-header siblings — the bare JSON.parse on
+    // an attacker-reachable, not-yet-signature-checked header was the one
+    // unbounded parse on this surface. The JWS signature is verified by
+    // verifyIdToken below.
+    try { headerObj = safeJson.parse(_b64urlDecode(parts[0]).toString("utf8"), { maxBytes: OAUTH_MAX_RESPONSE_BYTES }); }
     catch (_e) {
       throw new OAuthError("auth-oauth/bad-logout-header",
         "verifyBackchannelLogoutToken: malformed header");
@@ -2192,6 +2245,10 @@ function create(opts) {
       // Logout tokens have no exp claim per OIDC Back-Channel Logout
       // §2.4 — the freshness gate is iat + jti-replay window.
       skipExpCheck:   true,
+      // Pass the operator's configured replay window through so verifyIdToken's
+      // iat freshness floor uses it, not the 5-min default (the wrapper's own
+      // maxAgeSec check below stays as a belt-and-suspenders bound).
+      maxAgeSec:      vopts.maxAgeSec,
     });
     var claims = verified.claims;
 

package/lib/vendor/blamejs/lib/auth/openid-federation.js

@@ -334,14 +334,23 @@ function _applyOnePolicy(metadata, policy) {
  * @signature b.auth.openidFederation.applyMetadataPolicy(metadata, chain, kind)
  * @since     0.8.62
  *
- * Apply every metadata_policy in the chain (top-down) to the leaf's
+ * Apply the federation's metadata_policy (top-down) to the leaf's
  * declared metadata for the given entity-kind ("openid_relying_party"
  * / "openid_provider" / "federation_entity" / etc.) and return the
  * effective metadata. Throws on any policy violation.
  *
- * The chain is leaf-first; we reverse for top-down application so
- * the trust anchor's policy applies first, then each intermediate's,
- * then the leaf's claimed metadata is the starting object.
+ * Per OpenID Federation 1.0 §6.2, an entity's metadata_policy comes
+ * from the SUPERIOR-SIGNED subordinate statement about that entity
+ * (`chain[i].subordinate.metadata_policy`), NOT from the entity's own
+ * self-published configuration. An entity cannot self-declare the
+ * policy that constrains it — that would let a leaf widen or drop the
+ * trust anchor's value / subset_of / essential constraints. The leaf's
+ * own self-config metadata_policy is therefore ignored.
+ *
+ * The chain is leaf-first; each `chain[i].subordinate` is the statement
+ * signed by the superior directly above entity `i`, so walking high
+ * index → low index applies the anchor's policy first, then each
+ * intermediate's, narrowing down to the leaf (§6.2 narrow-only merge).
  *
  * @example
  *   var effective = b.auth.openidFederation.applyMetadataPolicy(
@@ -361,12 +370,17 @@ function applyMetadataPolicy(metadata, chain, kind) {
       "applyMetadataPolicy: chain must be an array");
   }
   var out = Object.assign({}, metadata);
-  // Walk top-down (anchor last in leaf-first array).
+  // Walk top-down (anchor last in leaf-first array). Read the policy
+  // from each node's SUPERIOR-SIGNED subordinate statement — never from
+  // the entity's own self-config — so the anchor/intermediate
+  // constraints can't be dropped by a self-declared policy. The anchor
+  // node carries no `.subordinate` (it terminates the chain) and is
+  // skipped; the leaf's self-config policy is never read.
   for (var i = chain.length - 1; i >= 0; i--) {
     var stmt = chain[i];
-    if (!stmt || !stmt.claims) continue;
-    if (stmt.claims.metadata_policy && stmt.claims.metadata_policy[kind]) {
-      out = _applyOnePolicy(out, stmt.claims.metadata_policy[kind]);
+    if (!stmt || !stmt.subordinate) continue;
+    if (stmt.subordinate.metadata_policy && stmt.subordinate.metadata_policy[kind]) {
+      out = _applyOnePolicy(out, stmt.subordinate.metadata_policy[kind]);
     }
   }
   return out;
@@ -433,6 +447,18 @@ async function buildTrustChain(opts) {
   };
   var maxDepth = opts.maxDepth || MAX_CHAIN_DEPTH;
 
+  // ---- Phase 1: collect the chain bottom-up (leaf → anchor) ----------
+  // Fetch each entity's self-config + the superior-signed subordinate
+  // statement about it, but DEFER cryptographic chain verification to
+  // Phase 2. The signature on a subordinate statement must be checked
+  // against the keys ATTESTED for the signing authority by ITS superior
+  // — flowing down from the operator-pinned anchor — not against the
+  // authority's own self-published config jwks. Verifying eagerly here
+  // (against self-published keys) is a fetch-time TOCTOU: an attacker
+  // controlling the authority's endpoint can serve attacker jwks to the
+  // statement-verify fetch while serving genuine config elsewhere, and
+  // the only operator-pinned trust (the anchor key) never gates the
+  // subordinate links.
   var chain = [];
   var current = opts.leafEntityId;
   var depth = 0;
@@ -446,6 +472,7 @@ async function buildTrustChain(opts) {
   // hostile-federation probes immediately.
   var visited = Object.create(null);
   visited[current] = true;
+  var reachedAnchor = false;
   while (depth < maxDepth) {
     var entityConfigUrl = current.replace(/\/$/, "") + "/.well-known/openid-federation";
     var entityConfigJwt = await fetcher(entityConfigUrl);
@@ -454,21 +481,22 @@ async function buildTrustChain(opts) {
       throw new AuthError("auth-openid-federation/bad-self-statement",
         "entity configuration for \"" + current + "\" must have iss==sub==entity_id");
     }
-    // Self-signed: verify with its own jwks.
+    // Self-statement integrity: a well-formed entity config is self-signed
+    // over its own jwks. This proves the document isn't truncated/garbled
+    // — it is NOT the trust decision. Trust flows from the anchor through
+    // the subordinate statements verified top-down in Phase 2.
     verifyEntityStatement(entityConfigJwt, parsedEC.claims.jwks || {});
 
     // Is this entity a trust anchor?
     if (Object.prototype.hasOwnProperty.call(opts.trustAnchors, current)) {
       // Verify the anchor's self-statement using the operator-pinned
       // JWKS — defends against a compromised anchor key by trusting
-      // the configured one over what the anchor publishes today.
+      // the configured one over what the anchor publishes today. The
+      // pinned keys become the root of the top-down verification.
       verifyEntityStatement(entityConfigJwt, opts.trustAnchors[current]);
       chain.push({ jwt: entityConfigJwt, claims: parsedEC.claims, role: "trust_anchor" });
-      _emitAudit("chain_built", "success", {
-        leaf: opts.leafEntityId, depth: chain.length, anchor: current,
-      });
-      _emitMetric("chain-built");
-      return chain;
+      reachedAnchor = true;
+      break;
     }
     // Not the anchor — add to chain, ascend via authority_hints.
     chain.push({
@@ -481,16 +509,15 @@ async function buildTrustChain(opts) {
       throw new AuthError("auth-openid-federation/no-authority-hints",
         "entity \"" + current + "\" has no authority_hints; cannot ascend to a trust anchor");
     }
-    // Pick the FIRST authority_hint that resolves to a trust anchor,
-    // OR the first that returns a valid subordinate statement. Real
-    // operators with multiple federations usually have one anchor
-    // active; we walk in order and pick the first success.
-    // Track every per-authority failure reason and surface them on
-    // `no-ascent` rather than masking — silently
-    // swallowing `catch (_e) {}` lets a hostile intermediate that
-    // serves a malformed-then-valid pair shape-walk the verifier.
-    // We continue past 404 / fetch errors but refuse on
-    // signature-verify failure (cryptographic refusal is a hard stop).
+    // Pick the FIRST authority_hint that yields a fetchable subordinate
+    // statement with matching iss/sub. We continue past 404 / fetch /
+    // parse errors (acceptable "try the next hint") and surface every
+    // failure reason on `no-ascent` rather than masking it — silently
+    // swallowing `catch (_e) {}` lets a hostile intermediate that serves
+    // a malformed-then-valid pair shape-walk the verifier. Cryptographic
+    // verification is NOT done here; the selected statement is verified
+    // against the superior-attested keys in Phase 2, so a forged
+    // signature fails the whole chain regardless of which hint picked it.
     var ascended = false;
     var ascentErrors = [];
     for (var ai = 0; ai < parsedEC.claims.authority_hints.length; ai++) {
@@ -502,49 +529,83 @@ async function buildTrustChain(opts) {
           ascentErrors.push({ authority: authority, code: "iss-sub-mismatch" });
           continue;
         }
-        var authorityCfgJwt = await fetcher(authority.replace(/\/$/, "") + "/.well-known/openid-federation");
-        var authorityCfgClaims = parseEntityStatement(authorityCfgJwt).claims;
-        // Cryptographic verification — any throw here is a hard
-        // refusal, NOT a "try next authority" signal. A malformed-
-        // signature subordinate from an authority listed by the
-        // entity means that authority is hostile or compromised;
-        // moving on lets a chain-shaping attacker bypass the gate.
-        verifyEntityStatement(subordinateJwt, authorityCfgClaims.jwks || {});
-        chain[chain.length - 1].claims.jwks = parsedSub.claims.jwks || chain[chain.length - 1].claims.jwks;
-        chain[chain.length - 1].subordinateJwt = subordinateJwt;
-        chain[chain.length - 1].subordinate    = parsedSub.claims;
-        // Refuse revisit. A trust anchor terminates the loop
-        // before re-entry, so a revisit here ALWAYS means a cyclic
+        // Refuse revisit. A trust anchor terminates the loop before
+        // re-entry, so a revisit here ALWAYS means a cyclic
         // authority_hints graph.
         if (visited[authority]) {
           throw new AuthError("auth-openid-federation/chain-cycle",
             "buildTrustChain: authority \"" + authority + "\" already visited — " +
             "cyclic authority_hints graph refused");
         }
+        // Stash the superior-signed subordinate statement on the entity
+        // it is ABOUT. Phase 2 verifies its signature against the
+        // attested keys for `authority` and applies its metadata_policy.
+        chain[chain.length - 1].subordinateJwt = subordinateJwt;
+        chain[chain.length - 1].subordinate    = parsedSub.claims;
         visited[authority] = true;
         current = authority;
         ascended = true;
         break;
       } catch (err) {
+        // A cycle refusal is a hard stop, not a "try next hint" signal.
+        if (err && err.code === "auth-openid-federation/chain-cycle") throw err;
         var errCode = (err && err.code) || "unknown";
-        // Network / 404 / parse errors at the AUTHORITY-fetch step
-        // are acceptable "try the next hint" signals. Verify-side
-        // failures (crypto) are NOT — surface them and abort.
-        if (/^auth-openid-federation\/(?:bad-jwk|alg-kty-mismatch|bad-signature|signature-failed)$/.test(errCode)) {
-          throw err;
-        }
         ascentErrors.push({ authority: authority, code: errCode, message: (err && err.message) || String(err) });
       }
     }
     if (!ascended) {
       throw new AuthError("auth-openid-federation/no-ascent",
-        "entity \"" + current + "\" has authority_hints but none yielded a verifiable subordinate statement: " +
+        "entity \"" + current + "\" has authority_hints but none yielded a fetchable subordinate statement: " +
         JSON.stringify(ascentErrors));
     }
     depth += 1;
   }
-  throw new AuthError("auth-openid-federation/chain-too-deep",
-    "buildTrustChain: max depth " + maxDepth + " exceeded; refused");
+  if (!reachedAnchor) {
+    throw new AuthError("auth-openid-federation/chain-too-deep",
+      "buildTrustChain: max depth " + maxDepth + " exceeded; refused");
+  }
+
+  // ---- Phase 2: verify top-down against attested keys ----------------
+  // Trust flows from the operator-pinned anchor downward. Each
+  // subordinate statement is signed by the superior directly above the
+  // entity it describes, and pins that entity's jwks. We start with the
+  // anchor's pinned keys and, for each step down, verify the subordinate
+  // statement with the keys attested for its SIGNER (never the signer's
+  // self-published config), then adopt the statement's attested jwks as
+  // the trusted keys for the next step. This closes the fetch-time TOCTOU
+  // and makes the anchor key gate every link, not just the anchor's own
+  // self-config.
+  var anchorEntityId = chain[chain.length - 1].claims.iss;
+  var attestedJwks = opts.trustAnchors[anchorEntityId];
+  for (var ci = chain.length - 2; ci >= 0; ci--) {
+    var node = chain[ci];
+    if (!node.subordinate || !node.subordinateJwt) {
+      // Every non-anchor node must carry the superior-signed statement
+      // collected in Phase 1; its absence is an internal invariant break.
+      throw new AuthError("auth-openid-federation/no-subordinate",
+        "buildTrustChain: entity \"" + node.claims.iss + "\" has no superior-signed subordinate statement");
+    }
+    // Verify against the SIGNER's attested keys (flowed down), not the
+    // signer's self-published config jwks.
+    verifyEntityStatement(node.subordinateJwt, attestedJwks || {});
+    // The subordinate statement pins this entity's jwks — adopt the
+    // attested keys for the next link down, and reflect them on the node.
+    if (node.subordinate.jwks && Array.isArray(node.subordinate.jwks.keys)) {
+      node.claims.jwks = node.subordinate.jwks;
+      attestedJwks = node.subordinate.jwks;
+    } else {
+      // A subordinate statement that pins no keys cannot attest the next
+      // link — refuse rather than fall back to self-published keys.
+      throw new AuthError("auth-openid-federation/no-attested-jwks",
+        "subordinate statement for \"" + node.claims.iss + "\" pins no jwks; cannot attest the chain downward");
+    }
+  }
+
+  _emitAudit("chain_built", "success", {
+    leaf: opts.leafEntityId, depth: chain.length, anchor: anchorEntityId,
+  });
+  _emitMetric("chain-built");
+  return chain;
 }
 
 /**

package/lib/vendor/blamejs/lib/auth/saml.js

@@ -684,10 +684,11 @@ function create(opts) {
         // as Bearer (Profile §3.1 incorporates §3 by reference).
         var nbHok = _attr(scdHok, "NotBefore");
         var noaHok = _attr(scdHok, "NotOnOrAfter");
+        if (!noaHok) continue;                                                                      // §3.1 (incorporates §3) — time-bound required
+        var noaHokSec = Date.parse(noaHok) / 1000;                                                  // ms→s
+        if (!isFinite(noaHokSec) || noaHokSec < nowSec - clockSkewSec) continue;                    // unparseable or expired
         if (nbHok && isFinite(Date.parse(nbHok) / 1000) &&                                          // ms→s
             Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue;                             // ms→s
-        if (noaHok && isFinite(Date.parse(noaHok) / 1000) &&                                        // ms→s
-            Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue;                            // ms→s
         var recipHok = _attr(scdHok, "Recipient");
         if (recipHok && recipHok !== opts.assertionConsumerServiceUrl) continue;
         hokOk = true;
@@ -697,12 +698,9 @@ function create(opts) {
       var scd = _findChild(sc, "SubjectConfirmationData", SAML_NS.assertion);
       if (!scd) continue;
       var notOnOrAfter = _attr(scd, "NotOnOrAfter");
-      if (notOnOrAfter) {
-        var t = Date.parse(notOnOrAfter) / 1000;                                                // ms→s
-        if (!isFinite(t) || t < nowSec - clockSkewSec) {
-          continue; // expired confirmation — try next
-        }
-      }
+      if (!notOnOrAfter) continue;       // §4.1.4.2 — Bearer requires NotOnOrAfter (no unbounded freshness)
+      var t = Date.parse(notOnOrAfter) / 1000;                                                  // ms→s
+      if (!isFinite(t) || t < nowSec - clockSkewSec) continue;   // unparseable or expired confirmation — try next
       var notBefore = _attr(scd, "NotBefore");
       if (notBefore) {
         var nb = Date.parse(notBefore) / 1000;                                                  // ms→s

package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js

@@ -126,12 +126,25 @@ function _hashDisclosure(disclosureStr, hashAlg) {
   return h.digest().toString("base64url");
 }
 
+// JOSE/JWS — and EUDI wallets — require ECDSA signatures as raw r||s
+// ("ieee-p1363"); node:crypto defaults to DER (ASN.1 SEQUENCE). Wrap the EC
+// key so ES256/ES384 sign + verify emit/expect the JOSE encoding. Without it
+// a token this library signs is rejected by every conformant verifier (and
+// the library rejects their raw-r||s KB-JWTs). EdDSA / ML-DSA keys pass
+// through unchanged. Mirrors oauth.js / dpop.js / jwt-external.js.
+function _ecKeyParam(algorithm, key) {
+  if (algorithm === "ES256" || algorithm === "ES384") {
+    return { key: key, dsaEncoding: "ieee-p1363" };
+  }
+  return key;
+}
+
 function _signJwt(header, payload, privateKey, algorithm) {
   var headerStr = _b64uEncode(safeJson.stringify(header));
   var payloadStr = _b64uEncode(safeJson.stringify(payload));
   var signingInput = headerStr + "." + payloadStr;
   var sigAlgo = _resolveSigAlgo(algorithm);
-  var sig = nodeCrypto.sign(sigAlgo, Buffer.from(signingInput, "ascii"), privateKey);
+  var sig = nodeCrypto.sign(sigAlgo, Buffer.from(signingInput, "ascii"), _ecKeyParam(algorithm, privateKey));
   return signingInput + "." + sig.toString("base64url");
 }
 
@@ -144,7 +157,7 @@ function _verifyJwt(token, publicKey, algorithm) {
   var signingInput = parts[0] + "." + parts[1];
   var sig = _b64uDecodeBuf(parts[2]);
   var sigAlgo = _resolveSigAlgo(algorithm);
-  var ok = nodeCrypto.verify(sigAlgo, Buffer.from(signingInput, "ascii"), publicKey, sig);
+  var ok = nodeCrypto.verify(sigAlgo, Buffer.from(signingInput, "ascii"), _ecKeyParam(algorithm, publicKey), sig);
   if (!ok) {
     throw new AuthError("auth-sd-jwt-vc/bad-signature",
       "JWT signature verification failed");
@@ -482,9 +495,13 @@ async function verify(presentation, opts) {
       "verify: issuerKeyResolver returned no key");
   }
   // CVE-2026-22817 — when issuerKeyResolver returns a JWK object,
-  // cross-check alg/kty BEFORE handing it to node:crypto.verify.
-  // KeyObject / PEM shapes can't surface kty so the check happens at
-  // JWK resolution only.
+  // cross-check the issuer JWS alg/kty BEFORE handing it to
+  // node:crypto.verify. KeyObject / PEM shapes can't surface kty, so this
+  // guard only fires when the resolver hands back a JWK (the common path).
+  // The holder KB-JWT path applies its OWN _assertAlgKtyMatch against the
+  // cnf.jwk below — note that the holder key is issuer-ATTESTED (it comes
+  // from the cryptographically-verified issuer payload's cnf claim), not
+  // header-resolved, so the two cross-checks defend different trust edges.
   if (typeof issuerKey === "object" &&
       !(issuerKey instanceof nodeCrypto.KeyObject) &&
       !Buffer.isBuffer(issuerKey) &&
@@ -610,13 +627,25 @@ async function verify(presentation, opts) {
       throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
         "verify: KB-JWT alg unsupported");
     }
+    // CVE-2026-22817 — cross-check the KB-JWT header alg against the holder
+    // key type BEFORE importing the key / verifying. The issuer path does
+    // this for issuerKey (above); the holder KB-JWT path must too. The
+    // KB-JWT header alg is attacker-controllable (the holder mints the
+    // KB-JWT), and holderKey is a cnf.jwk with a kty, so an alg/kty
+    // mismatch (e.g. a header claiming EdDSA against an EC cnf key) is
+    // refused with the precise alg-mismatch error rather than handed to
+    // node:crypto.verify.
+    jwtExternal._assertAlgKtyMatch(kbAlg, holderKey);
     var holderKeyObj = nodeCrypto.createPublicKey({ key: holderKey, format: "jwk" });
     var kbParsed = _verifyJwt(maybeKbJwt, holderKeyObj, kbAlg);
-    if (opts.audience && kbParsed.payload.aud !== opts.audience) {
+    // Constant-time compares: the nonce is a verifier-issued replay-defense
+    // value, so a short-circuiting !== leaks a matching-prefix timing oracle.
+    // Matches the sd_hash check below (the framework's hash/token discipline).
+    if (opts.audience && !_timingSafeEqStr(kbParsed.payload.aud, opts.audience)) {
       throw new AuthError("auth-sd-jwt-vc/wrong-audience",
         "verify: KB-JWT aud mismatch");
     }
-    if (opts.nonce && kbParsed.payload.nonce !== opts.nonce) {
+    if (opts.nonce && !_timingSafeEqStr(kbParsed.payload.nonce, opts.nonce)) {
       throw new AuthError("auth-sd-jwt-vc/wrong-nonce",
         "verify: KB-JWT nonce mismatch (replay defense)");
     }

package/lib/vendor/blamejs/lib/backup/index.js

@@ -54,6 +54,7 @@ var nodePath = require("node:path");
 var bCrypto = require("../crypto");
 var atomicFile = require("../atomic-file");
 var backupBundle = require("./bundle");
+var frameworkFiles = require("../framework-files");
 var backupManifest = require("./manifest");
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
@@ -65,6 +66,7 @@ var compliance = lazyRequire(function () { return require("../compliance"); });
 // module graph (CLI tools, stand-alone backup runners). The db()
 // callable resolves on first access.
 var dbModuleLazy = lazyRequire(function () { return require("../db"); });
+var cryptoField = lazyRequire(function () { return require("../crypto-field"); });
 var archiveLazy = lazyRequire(function () { return require("../archive"); });
 var archiveAdaptersLazy = lazyRequire(function () { return require("../archive-adapters"); });
 var { defineClass } = require("../framework-error");
@@ -416,6 +418,37 @@ function create(opts) {
         });
       } catch (_e) { /* drop-silent */ }
     }
+    // Per-row residency blind spot: the deployment-level check above only
+    // compares the single DB region to the destination. A per-row-residency
+    // table is DECLARED (cryptoField.declarePerRowResidency) to admit rows in
+    // several regions; rows tagged to a region other than the backup
+    // destination are a per-row cross-border transfer the deployment compare
+    // cannot see. Surface the declared cross-border regions (policy-based —
+    // no row scan) so the bundle's residency exposure is visible.
+    if (backupResidencyTag) {
+      try {
+        var perRowTables = cryptoField().listPerRowResidency();
+        var perRowCrossBorder = [];
+        for (var pri = 0; pri < perRowTables.length; pri++) {
+          var prt = perRowTables[pri];
+          var offending = (prt.allowedTags || []).filter(function (tag) {
+            return tag !== "global" && tag !== "unrestricted" && tag !== backupResidencyTag;
+          });
+          if (offending.length) perRowCrossBorder.push({ table: prt.table, regions: offending });
+        }
+        if (perRowCrossBorder.length) {
+          audit().safeEmit({
+            action:   "backup.residency.per_row_cross_border",
+            outcome:  "success",
+            metadata: {
+              severity: "warning", scope: "per-row", posture: posture,
+              destination: backupResidencyTag, tables: perRowCrossBorder,
+              recommendation: "a per-row-residency table admits rows in regions other than the backup destination; confirm the cross-border transfer is permitted (allowCrossBorder + documented legalBasis) or restrict the destination region",
+            },
+          });
+        }
+      } catch (_e) { /* drop-silent — advisory only */ }
+    }
   }
 
   var dataDir = opts.dataDir;
@@ -887,21 +920,23 @@ function recommendedFiles(opts) {
   var files = [];
 
   if (atRest === "encrypted") {
-    files.push({ relativePath: "db.enc",     kind: "raw", required: true });
-    files.push({ relativePath: "db.key.enc", kind: "raw", required: true });
+    files.push({ relativePath: frameworkFiles.fileName("dbEnc"),    kind: "raw", required: true });
+    files.push({ relativePath: frameworkFiles.fileName("dbKeyEnc"), kind: "raw", required: true });
   } else {
     files.push({ relativePath: dbName,       kind: "raw", required: true });
   }
 
   if (vaultMode === "wrapped") {
-    files.push({ relativePath: "vault.key.sealed", kind: "raw", required: true });
+    files.push({ relativePath: frameworkFiles.fileName("vaultKey") + ".sealed", kind: "raw", required: true });
   } else {
-    files.push({ relativePath: "vault.key", kind: "raw", required: true });
+    files.push({ relativePath: frameworkFiles.fileName("vaultKey"), kind: "raw", required: true });
   }
 
   // Audit-signing key (always present; sealed in wrapped mode)
   files.push({
-    relativePath: vaultMode === "wrapped" ? "audit-sign.key.sealed" : "audit-sign.key",
+    relativePath: vaultMode === "wrapped"
+      ? frameworkFiles.fileName("auditSignKey") + ".sealed"
+      : frameworkFiles.fileName("auditSignKey"),
     kind: "raw", required: false,
   });
 
@@ -2368,7 +2403,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         // b.objectStore surfaces NOT_FOUND via the framework's
         // err.code === "NOT_FOUND" convention — translate to the
         // backup adapter contract's no-key error.
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           throw new BackupError("backup/no-key",
             "objectStoreAdapter: key not found: " + JSON.stringify(key));
         }
@@ -2425,7 +2460,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
       } catch (e) {
         // drop-silent on NOT_FOUND — adapter contract is idempotent
         // delete (fsAdapter same shape).
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           return;
         }
         throw e;
@@ -2436,7 +2471,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         await client.head(_scopedKey(key));
         return true;
       } catch (e) {
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           return false;
         }
         throw e;
@@ -2453,7 +2488,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         var buf = Buffer.isBuffer(body) ? body : Buffer.from(body);
         return buf.slice(0, length);
       } catch (e) {
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           throw new BackupError("backup/no-key",
             "objectStoreAdapter.readPartial: key not found: " + JSON.stringify(key));
         }
@@ -2466,7 +2501,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         if (!meta || typeof meta.size !== "number") return null;
         return { size: meta.size, mtimeMs: meta.lastModified || null };
       } catch (e) {
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           return null;
         }
         throw e;