@blamejs/core 0.12.35 → 0.12.36

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.36 (2026-05-24) — **`b.cose.encrypt0` / `b.cose.decrypt0` — COSE_Encrypt0 single-recipient AEAD (RFC 9052 §5.2).** Completes the COSE family with encryption alongside the v0.12.33 signing: COSE_Encrypt0 is the single-recipient AEAD container where the recipient already holds the symmetric key (direct mode). The default algorithm is ChaCha20/Poly1305 (COSE alg 24) — AES-GCM stays opt-in, since hard-rule #2 forbids AES-GCM as a default. The Enc_structure (`["Encrypt0", protected, external_aad]`) is bound as the AEAD associated data so the algorithm + any external context are authenticated, and the authentication tag is appended to the ciphertext per COSE. Composes the in-tree `b.cbor` codec and `node:crypto` AEAD. **Added:** *`b.cose.encrypt0(plaintext, opts)` / `b.cose.decrypt0(coseEncrypt0, opts)`* — `encrypt0` produces a tagged COSE_Encrypt0 with `alg` in the protected header and a random 12-byte IV in the unprotected header (label 5); `alg` is `"ChaCha20-Poly1305"` (default), `"A256GCM"`, or `"A128GCM"`, with the key length enforced (32 / 16 bytes). `decrypt0` reads the algorithm from the protected header (must be in the required `opts.algorithms` allowlist), reconstructs the Enc_structure as the AEAD AAD, and returns `{ plaintext, alg, protectedHeaders, unprotectedHeaders }`; a wrong key, tampered ciphertext, or `external_aad` mismatch fails AEAD authentication and is refused with `cose/decrypt-failed`. `external_aad` binds request context into the tag.
+
 - v0.12.35 (2026-05-24) — **`b.eat` — Entity Attestation Token (RFC 9711) over `b.cwt`.** An EAT is the token a Relying Party asks a device or software entity to produce to prove what it is and what state it is in — a freshness nonce, a Universal Entity ID, OEM / hardware identifiers, debug status, software measurements, and nested submodule attestations. `b.eat` is the RFC 9711 profile over the v0.12.34 `b.cwt`: it maps the EAT claim names to their IANA CWT claim-key integer labels and adds the attestation-specific verification on top of the CWT signature + time checks. The central control is the verifier-nonce binding: when the Relying Party supplies a fresh `expectedNonce`, the token's `eat_nonce` (claim 10) must match it (constant-time compare) — without it a captured attestation replays forever. `verify` also enforces a debug-status policy (`requireDebugDisabled` refuses an `enabled` or absent `dbgstat`) and pins the `eat_profile`. RFC 9711 is a finalized standard; signing follows `b.cwt` / `b.cose` (ES256/384/512 + EdDSA interoperable today, ML-DSA-87 PQC-forward). **Added:** *`b.eat.sign(claims, opts)` / `b.eat.verify(eat, opts)`* — `sign` maps EAT claim names (`nonce`, `ueid`, `oemid`, `hwmodel`, `dbgstat`, `eat_profile`, `swname`/`swversion`, `measurements`, `submods`, …) to their RFC 9711 integer labels and accepts the `dbgstat` enum by name (`disabled-since-boot` → 2); standard CWT claims (`iss` / `exp` / …) pass through. `verify` returns `{ claims, raw, alg, protectedHeaders }` with the labels mapped back to friendly names and `dbgstat` decoded to its enum name. Attestation enforcement: `expectedNonce` requires a matching `eat_nonce` (refused `eat/nonce-mismatch`, missing `eat/nonce-missing` — `eat_nonce` may be a single byte string or an array for multiple verifiers), `requireDebugDisabled` refuses a non-disabled `dbgstat` (`eat/debug-not-disabled`), and `expectedProfile` pins `eat_profile`. The signature, algorithm allowlist, and `exp`/`nbf` checks delegate to `b.cwt` / `b.cose`. · *`b.cwt.sign` accepts a `Map`* — `b.cwt.sign` now takes either a plain object (string keys, standard claims mapped by name) or a `Map`, which preserves integer claim keys verbatim — profiles like `b.eat` resolve their claim names to integer labels and pass them through without the keys being stringified. The plain-object path is unchanged.
 
 - v0.12.34 (2026-05-24) — **`b.cwt` — CBOR Web Token (RFC 8392) sign / verify over `b.cose`.** A CWT is the CBOR-native counterpart to JWT — a signed claims set for constrained / IoT, FIDO attestation, and verifiable-credential contexts. `b.cwt` composes the v0.12.33 `b.cose` (COSE_Sign1 signature + mandatory algorithm allowlist) and v0.12.32 `b.cbor` (deterministic claims encoding) and layers the standard-claim handling on top: `sign` takes a friendly claims object, maps the standard claims to their RFC 8392 §3.1.1 integer labels (iss=1, sub=2, aud=3, exp=4, nbf=5, iat=6, cti=7), and signs; `verify` checks the COSE signature, decodes the claims, and enforces the time + identity claims — a passed `exp` (with clock-skew tolerance), a future `nbf`, and an `iss` / `aud` mismatch against the expected values are each refused. Signing algorithms follow `b.cose`: classical ES256/384/512 + EdDSA (final COSE ids, interoperable today) and ML-DSA-87 (PQC-forward). RFC 8392 is a finalized standard, so CWTs produced here interoperate with other COSE/CWT implementations. **Added:** *`b.cwt.sign(claims, opts)` / `b.cwt.verify(cwt, opts)`* — `sign` maps standard claim names to integer labels and keeps custom claims verbatim; `exp` / `nbf` / `iat` must be non-negative integer NumericDates. `opts.tagged` wraps the COSE_Sign1 in the CWT CBOR tag 61 (RFC 8392 §6); `verify` accepts tagged or bare input. `verify` returns `{ claims, raw, alg, protectedHeaders }` — `claims` is the friendly object (labels mapped back to names), `raw` the integer-keyed Map. Standard-claim enforcement: `exp` past `now + clockSkewSec` (default 60s) is refused with `cwt/expired`, `nbf` beyond `now - skew` with `cwt/not-yet-valid`, and `expectedIssuer` / `expectedAudience` mismatches with `cwt/issuer-mismatch` / `cwt/audience-mismatch` (aud may be a single value or an array). `opts.now` overrides the clock for testing. The signature itself is verified by `b.cose.verify`, so a tampered token fails there.

package/README.md

@@ -126,7 +126,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **JSON / SQL / schema** — `b.safeJson` (with `maxKeys` cap defending CVE-2026-21717 V8 HashDoS), `b.safeBuffer`, `b.safeSql`, `b.safeSchema`
 - **URL + path** — `b.safeUrl` (IDN mixed-script / homograph refuse); `b.safeJsonPath` (refuses filter `?(...)`, deep-scan `$..`, script-shape `(@.x)` for safe Postgres JSONB ops)
 - **Binary codec** — `b.cbor` bounded deterministic CBOR (RFC 8949 §4.2): depth/size caps, indefinite-length + reserved-info + tag + duplicate-key refusal, `requireDeterministic` canonical-form check; the in-tree substrate under COSE / CWT / SCITT / WebAuthn attestation
-- **COSE signing** — `b.cose` COSE_Sign1 sign/verify (RFC 9052) over `b.cbor`: classical ES256/384/512 + EdDSA (final COSE ids, interoperable today) plus ML-DSA-87 (PQC-forward, draft id); bounded + alg-allowlisted + crit-bypass-checked verification; the signed-statement substrate under SCITT / CWT / C2PA
+- **COSE signing + encryption** — `b.cose` COSE_Sign1 sign/verify + COSE_Encrypt0 (RFC 9052) over `b.cbor`: classical ES256/384/512 + EdDSA (final COSE ids, interoperable today) plus ML-DSA-87 (PQC-forward, draft id); bounded + alg-allowlisted + crit-bypass-checked verification; single-recipient AEAD (ChaCha20/Poly1305 default, AES-GCM opt-in) with Enc_structure-bound AAD; the signed-statement substrate under SCITT / CWT / C2PA
 - **CBOR Web Token** — `b.cwt` CWT sign/verify (RFC 8392) over `b.cose`: standard-claim mapping (iss/sub/aud/exp/nbf/iat/cti) + `exp`/`nbf` clock-skew enforcement + `iss`/`aud` matching; the CBOR-native JWT for constrained / IoT / FIDO / verifiable-credential contexts
 - **Entity Attestation Token** — `b.eat` EAT sign/verify (RFC 9711) over `b.cwt`: device + software attestation claims (ueid / oemid / hwmodel / measurements / submods) with verifier-nonce freshness binding, `dbgstat` debug-status policy, and `eat_profile` pinning
 - **Document parsers** — `b.parsers` (XML / TOML / YAML / .env); `b.config` (schema-validated env)

package/lib/cose.js

@@ -330,10 +330,192 @@ async function verify(coseSign1, opts) {
   };
 }
 
+// ---- COSE_Encrypt0 (RFC 9052 §5.2) — single-recipient AEAD ----
+
+var COSE_ENCRYPT0_TAG = 16;                                                            // allow:raw-byte-literal — RFC 9052 COSE_Encrypt0 CBOR tag
+var HDR_IV = 5;                                                                        // RFC 9052 §3.1 unprotected header label: IV
+var AEAD_TAG_LEN = 16;                                                                 // allow:raw-byte-literal — AEAD authentication tag length (bytes)
+
+// AEAD algorithm: COSE id → node cipher + key / IV sizes. ChaCha20/
+// Poly1305 (24) is the default; AES-GCM is opt-in (project hard-rule
+// #2 forbids AES-GCM as a default).
+var AEAD_NAME_TO_ID = { "ChaCha20-Poly1305": 24, "A256GCM": 3, "A128GCM": 1 };         // allow:raw-byte-literal — COSE AEAD algorithm identifiers (RFC 9053), not sizes
+var AEAD_ID_TO_NAME = {};
+Object.keys(AEAD_NAME_TO_ID).forEach(function (k) { AEAD_ID_TO_NAME[AEAD_NAME_TO_ID[k]] = k; });
+
+function _aeadParams(algId) {
+  switch (algId) {
+    case 24: return { cipher: "chacha20-poly1305", keyLen: 32, ivLen: 12 };            // allow:raw-byte-literal — ChaCha20/Poly1305 key+IV sizes
+    case 3:  return { cipher: "aes-256-gcm",      keyLen: 32, ivLen: 12 };             // allow:raw-byte-literal — AES-256-GCM key+IV sizes
+    case 1:  return { cipher: "aes-128-gcm",      keyLen: 16, ivLen: 12 };             // allow:raw-byte-literal — AES-128-GCM key+IV sizes
+    default:
+      throw new CoseError("cose/unknown-alg", "cose: unrecognized AEAD COSE alg id " + algId);
+  }
+}
+
+// Enc_structure (§5.3) = [ "Encrypt0", body_protected (bstr), external_aad (bstr) ]
+// — deterministically CBOR-encoded, used as the AEAD associated data.
+function _encStructure(protectedBstr, externalAad) {
+  return cbor.encode(["Encrypt0", protectedBstr, externalAad]);
+}
+
+/**
+ * @primitive b.cose.encrypt0
+ * @signature b.cose.encrypt0(plaintext, opts)
+ * @since     0.12.36
+ * @status    stable
+ * @related   b.cose.decrypt0, b.cose.sign
+ *
+ * Encrypt bytes into a tagged COSE_Encrypt0 (RFC 9052 §5.2), a
+ * single-recipient AEAD container where the recipient already holds
+ * the symmetric key (direct mode). Default algorithm is
+ * <code>ChaCha20-Poly1305</code>; <code>A256GCM</code> / <code>A128GCM</code>
+ * are opt-in. The Enc_structure is bound as the AEAD associated data,
+ * and the authentication tag is appended to the ciphertext per COSE.
+ *
+ * @opts
+ *   {
+ *     alg:        string,   // "ChaCha20-Poly1305" (default) | "A256GCM" | "A128GCM"
+ *     key:        Buffer,   // symmetric key (32 bytes for ChaCha/A256GCM, 16 for A128GCM)
+ *     iv?:        Buffer,   // 12-byte IV (random if omitted)
+ *     externalAad?: Buffer, // bound into the AEAD tag
+ *     unprotectedHeaders?: object,
+ *   }
+ *
+ * @example
+ *   var enc = b.cose.encrypt0(Buffer.from("secret"), { alg: "ChaCha20-Poly1305", key: k });
+ */
+function encrypt0(plaintext, opts) {
+  validateOpts.requireObject(opts, "cose.encrypt0", CoseError);
+  validateOpts(opts, ["alg", "key", "iv", "externalAad", "unprotectedHeaders"], "cose.encrypt0");
+  var alg = opts.alg || "ChaCha20-Poly1305";
+  if (!(alg in AEAD_NAME_TO_ID)) {
+    throw new CoseError("cose/unknown-alg", "cose.encrypt0: alg must be one of " + Object.keys(AEAD_NAME_TO_ID).join(" / "));
+  }
+  var algId = AEAD_NAME_TO_ID[alg];
+  var p = _aeadParams(algId);
+  var key = _bstr(opts.key);
+  if (key.length !== p.keyLen) throw new CoseError("cose/bad-key", "cose.encrypt0: " + alg + " requires a " + p.keyLen + "-byte key");
+  var iv = opts.iv != null ? _bstr(opts.iv) : nodeCrypto.randomBytes(p.ivLen);
+  if (iv.length !== p.ivLen) throw new CoseError("cose/bad-iv", "cose.encrypt0: " + alg + " requires a " + p.ivLen + "-byte IV");
+
+  var protMap = new Map(); protMap.set(HDR_ALG, algId);
+  var protectedBstr = cbor.encode(protMap);
+  var aad = _encStructure(protectedBstr, opts.externalAad == null ? Buffer.alloc(0) : _bstr(opts.externalAad));
+
+  var cipher = nodeCrypto.createCipheriv(p.cipher, key, iv, { authTagLength: AEAD_TAG_LEN });
+  cipher.setAAD(aad);
+  var ct = Buffer.concat([cipher.update(_bstr(plaintext)), cipher.final()]);
+  var ciphertext = Buffer.concat([ct, cipher.getAuthTag()]);                            // COSE appends the auth tag to the ciphertext
+
+  var unprot = new Map(); unprot.set(HDR_IV, iv);
+  if (opts.unprotectedHeaders && typeof opts.unprotectedHeaders === "object") {
+    var uk = Object.keys(opts.unprotectedHeaders);
+    for (var i = 0; i < uk.length; i++) {
+      var label = Number(uk[i]);
+      // The IV (label 5) is managed via opts.iv and must match the IV
+      // the AEAD used — refuse an override that would emit a token whose
+      // stored IV disagrees with the one it was encrypted under.
+      if (label === HDR_IV) {
+        throw new CoseError("cose/reserved-header",
+          "cose.encrypt0: unprotectedHeaders must not set label 5 (IV) — pass opts.iv instead");
+      }
+      unprot.set(label, opts.unprotectedHeaders[uk[i]]);
+    }
+  }
+  return cbor.encode(new cbor.Tag(COSE_ENCRYPT0_TAG, [protectedBstr, unprot, ciphertext]));
+}
+
+/**
+ * @primitive b.cose.decrypt0
+ * @signature b.cose.decrypt0(coseEncrypt0, opts)
+ * @since     0.12.36
+ * @status    stable
+ * @related   b.cose.encrypt0
+ *
+ * Decrypt a COSE_Encrypt0 and return the plaintext. The algorithm is
+ * read from the protected header and must be in
+ * <code>opts.algorithms</code>; the Enc_structure is reconstructed as
+ * the AEAD associated data and authentication failure (wrong key /
+ * tampered ciphertext or AAD) is refused.
+ *
+ * @opts
+ *   {
+ *     key:        Buffer,    // symmetric key
+ *     algorithms: string[],  // required — accepted AEAD algs (allowlist)
+ *     externalAad?: Buffer,  // must match what was encrypted
+ *     maxBytes?:  number,
+ *     maxDepth?:  number,
+ *   }
+ *
+ * @example
+ *   var pt = b.cose.decrypt0(enc, { key: k, algorithms: ["ChaCha20-Poly1305"] }).plaintext;
+ */
+function decrypt0(coseEncrypt0, opts) {
+  validateOpts.requireObject(opts, "cose.decrypt0", CoseError);
+  validateOpts(opts, ["key", "algorithms", "externalAad", "maxBytes", "maxDepth"], "cose.decrypt0");
+  if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {
+    throw new CoseError("cose/algorithms-required", "cose.decrypt0: opts.algorithms is required (no defaults — name the accepted algorithms)");
+  }
+  var decoded = cbor.decode(_bstr(coseEncrypt0), { allowedTags: [COSE_ENCRYPT0_TAG], maxBytes: opts.maxBytes, maxDepth: opts.maxDepth });
+  var arr = (decoded instanceof cbor.Tag && decoded.tag === COSE_ENCRYPT0_TAG) ? decoded.value : decoded;
+  if (!Array.isArray(arr) || arr.length !== 3) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: not a COSE_Encrypt0 (expected a 3-element array)");
+  }
+  var protectedBstr = arr[0], unprotected = arr[1], ciphertext = arr[2];
+  if (!Buffer.isBuffer(protectedBstr) || !Buffer.isBuffer(ciphertext)) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: protected header and ciphertext must be byte strings");
+  }
+  if (!(unprotected instanceof Map)) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: unprotected header must be a CBOR map");
+  }
+  var protMap = protectedBstr.length === 0 ? new Map()
+    : cbor.decode(protectedBstr, { maxBytes: opts.maxBytes, maxDepth: opts.maxDepth });
+  if (!(protMap instanceof Map)) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: protected header is not a CBOR map");
+  }
+  var algId = protMap.get(HDR_ALG);
+  var algName = AEAD_ID_TO_NAME[algId];
+  if (algName === undefined) {
+    throw new CoseError("cose/unknown-alg", "cose.decrypt0: unrecognized AEAD alg id " + algId);
+  }
+  if (opts.algorithms.indexOf(algName) === -1) {
+    throw new CoseError("cose/alg-not-allowed", "cose.decrypt0: alg '" + algName + "' is not in the allowlist");
+  }
+  var p = _aeadParams(algId);
+  var key = _bstr(opts.key);
+  if (key.length !== p.keyLen) throw new CoseError("cose/bad-key", "cose.decrypt0: " + algName + " requires a " + p.keyLen + "-byte key");
+  var iv = unprotected.get(HDR_IV);
+  if (!Buffer.isBuffer(iv) || iv.length !== p.ivLen) {
+    throw new CoseError("cose/bad-iv", "cose.decrypt0: missing or wrong-length IV (unprotected label 5)");
+  }
+  if (ciphertext.length < AEAD_TAG_LEN) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: ciphertext shorter than the AEAD tag");
+  }
+  var tag = ciphertext.subarray(ciphertext.length - AEAD_TAG_LEN);
+  var ct = ciphertext.subarray(0, ciphertext.length - AEAD_TAG_LEN);
+  var aad = _encStructure(protectedBstr, opts.externalAad == null ? Buffer.alloc(0) : _bstr(opts.externalAad));
+
+  var decipher = nodeCrypto.createDecipheriv(p.cipher, key, iv, { authTagLength: AEAD_TAG_LEN });
+  decipher.setAAD(aad);
+  decipher.setAuthTag(tag);
+  var pt;
+  try {
+    pt = Buffer.concat([decipher.update(ct), decipher.final()]);
+  } catch (_e) {
+    throw new CoseError("cose/decrypt-failed", "cose.decrypt0: AEAD authentication failed (wrong key, tampered ciphertext, or AAD mismatch)");
+  }
+  return { plaintext: pt, alg: algName, protectedHeaders: protMap, unprotectedHeaders: unprotected };
+}
+
 module.exports = {
   sign:        sign,
   verify:      verify,
+  encrypt0:    encrypt0,
+  decrypt0:    decrypt0,
   ALGORITHMS:  ALG_NAME_TO_ID,
+  AEAD_ALGORITHMS: AEAD_NAME_TO_ID,
   COSE_SIGN1_TAG: COSE_SIGN1_TAG,
+  COSE_ENCRYPT0_TAG: COSE_ENCRYPT0_TAG,
   CoseError:   CoseError,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.35",
+  "version": "0.12.36",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:05721aa1-7108-4263-bd58-e67b140f3790",
+  "serialNumber": "urn:uuid:0d92b39a-5bed-4091-9927-a887660568ee",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-24T23:29:47.165Z",
+    "timestamp": "2026-05-25T00:19:35.328Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.35",
+      "bom-ref": "@blamejs/core@0.12.36",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.35",
+      "version": "0.12.36",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.35",
+      "purl": "pkg:npm/%40blamejs/core@0.12.36",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.35",
+      "ref": "@blamejs/core@0.12.36",
       "dependsOn": []
     }
   ]