@blamejs/core 0.12.50 → 0.12.52

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.52 (2026-05-25) — **`b.privacyPass` — Privacy Pass origin-side token verification (RFC 9577 / 9578).** Anonymous, publicly verifiable authorization: an origin issues a WWW-Authenticate: PrivateToken challenge and verifies a presented token cryptographically, without learning who the client is and without a callback to the issuer. b.privacyPass implements the publicly verifiable token type 0x0002 (Blind RSA, 2048-bit): the token's authenticator is an RSA Blind Signature (RFC 9474) checked as RSASSA-PSS (SHA-384, 48-byte salt) over token_input = token_type ‖ nonce ‖ challenge_digest ‖ token_key_id, using only the issuer's public key. The token is bound to that key (token_key_id) and, optionally, to the challenge it answers, so a token minted for another origin is refused. Blind RSA is the algorithm Privacy Pass defines on the wire — like the DNSSEC / DANE verifiers it validates an external protocol's signatures rather than introducing classical crypto as a framework default. Verified against the RFC 9578 §8.2 test vector. **Added:** *`b.privacyPass.verifyToken(opts)` / `parseToken` / `buildChallenge`* — `buildChallenge` builds a TokenChallenge (RFC 9577 §2.1) and the matching `WWW-Authenticate: PrivateToken challenge=…, token-key=…` header an origin returns to request a token, scoped to an issuer (and optionally an origin and a 32-byte redemption context). `parseToken` splits a token into its fields (type / nonce / challenge_digest / token_key_id / authenticator). `verifyToken` verifies a type 0x0002 (Blind RSA) token: it confirms the token's `token_key_id` is the SHA-256 of the supplied issuer public key, optionally that its `challenge_digest` matches `opts.challenge`, and that the authenticator is a valid RSASSA-PSS signature over the token input. Refuses unknown / privately verifiable token types (the VOPRF type 0x0001 needs the issuer secret and is an issuer-side operation), key-id and challenge mismatches, and tampered authenticators. Marked experimental while the issuance protocols see deployment.
+
+- v0.12.51 (2026-05-25) — **`b.network.dns.dane.matchCertificate` — DANE / TLSA certificate matching (RFC 6698 / 7671).** Pin a service's certificate through DNS instead of a public CA. matchCertificate checks a server certificate against a set of TLSA records: the selected data — the full certificate (selector 0) or its subjectPublicKeyInfo (selector 1) — is hashed per the matching type (exact / SHA-256 / SHA-512) and compared in constant time to the record's association data. For a DANE-EE (usage 3) record a match is self-authenticating — the TLSA pins the key, so no public-CA path is needed (the common SMTP-DANE case, RFC 7672); for the PKIX usages a match is reported as necessary-but-not-sufficient so the caller still runs PKIX. This is the payoff of the DNSSEC verifier: verify the TLSA RRset with b.network.dns.dnssec, then match the certificate. Verified against a live DNSSEC-signed TLSA record and the matching server certificate. **Added:** *`b.network.dns.dane.matchCertificate(opts)`* — Matches a leaf certificate (and optional `chain`) against a TLSA RRset (`{ usage, selector, matchingType, data }`). Selector 0 hashes the full certificate DER, selector 1 the subjectPublicKeyInfo; matching type 0 is an exact comparison, 1 SHA-256, 2 SHA-512 (SHA-1 and any other type are refused, not guessed). End-entity usages (PKIX-EE 1, DANE-EE 3) match the leaf; trust-anchor usages (PKIX-TA 0, DANE-TA 2) match the leaf or any supplied chain certificate. Returns `{ ok, matched, daneAuthenticated, trustAnchorMatch, pkixRequired, matchedCertIndex }` — `daneAuthenticated` is true only for a DANE-EE match (the key is pinned, no CA needed); `pkixRequired` flags the PKIX usages. Throws `dane/no-match` when nothing matches, and refuses unknown usage / selector / matching values and unparseable certificates. Verify the TLSA RRset with `b.network.dns.dnssec` first — an unauthenticated TLSA record proves nothing.
+
 - v0.12.50 (2026-05-25) — **`b.network.dns.dnssec.verifyChain` — validate a DNSSEC delegation chain to a pinned root anchor.** Completes local DNSSEC verification: validate a full delegation chain from the root down to a zone against a pinned trust anchor (RFC 4035 §5), instead of trusting any single resolver. For each link, the zone's DNSKEY RRset must be self-signed by one of its keys, and that key must be vouched for either by a pinned anchor (at the root) or by a DS record served + signed by the already-trusted parent — so trust flows root → TLD → zone with no gap. The IANA root KSKs (KSK-2017 tag 20326, KSK-2024 tag 38696) ship as the default anchors; override with opts.trustAnchors for a private root. verifyChain returns the leaf zone's trusted DNSKEY set, which you then hand to verifyRrset / verifyDenial for the actual answer. Composes verifyRrset + verifyDs + the key tag; verified end-to-end against a live root→org chain. **Added:** *`b.network.dns.dnssec.verifyChain(opts)`* — Walks an ordered, root-first list of `links` ({ zone, dnskeys, dnskeyRrsig, dsRdatas?, dsRrsig? }). At each link it verifies the DNSKEY RRset's self-signature (composing `verifyRrset`), then establishes trust in the signing key: at the root by matching a pinned anchor's DS digest (`verifyDs`), at every delegation by verifying the parent-served DS RRset's signature with the already-trusted parent key and confirming the signing KSK matches one of those DS records. Returns `{ ok, zone, keys, path }` with the leaf zone's trusted DNSKEY set. Refuses a root key that matches no anchor (`dnssec/chain-anchor-mismatch`), a KSK that matches no parent DS (`dnssec/chain-ds-mismatch`), and a missing parent key (`dnssec/chain-no-parent-key`). The default `DEFAULT_ROOT_ANCHORS` are the published IANA root KSK DS records; `opts.trustAnchors` overrides them for a private or test root.
 
 - v0.12.49 (2026-05-25) — **`b.network.dns.dnssec.verifyDenial` — NSEC / NSEC3 denial-of-existence.** Prove a DNS name does not exist, or has no records of a given type, from the signed NSEC (RFC 4034 §4) or NSEC3 (RFC 5155) records a server returns. This is the other half of local DNSSEC verification: verifyRrset proves a positive answer, verifyDenial proves a negative — so a resolver client can confirm an NXDOMAIN / NODATA itself instead of trusting the upstream resolver. NSEC3 proofs run the closest-encloser / next-closer / covering-range logic over iterated-SHA-1 hashes, with the iteration count capped (default 500) to bound the work an attacker can force, and an Opt-Out NXDOMAIN refused unless explicitly accepted (opt-out only proves 'no signed records', not non-existence). The companion b.network.dns.dnssec.nsec3Hash computes the RFC 5155 §5 hash directly. NSEC verifyRrset support is also enabled: per RFC 6840 §5.1 the NSEC Next Domain Name is not downcased, so its RDATA is verbatim-canonical. **Added:** *`b.network.dns.dnssec.verifyDenial(opts)`* — Proves NXDOMAIN or NODATA from already-verified NSEC / NSEC3 records (supply one of `opts.nsec3` or `opts.nsec`). Like `verifyDs`, it checks the denial RELATION — closest-encloser matching, covering ranges, and type-bitmap absence — not the record signatures, which the caller verifies with `verifyRrset` first. NSEC3 supports name-error proofs (matching closest encloser + covered next-closer + covered wildcard), NODATA (matching record with the type and CNAME absent from the bitmap), Opt-Out DS NODATA, and wildcard NODATA. The iterated-SHA-1 count is capped by `opts.maxIterations` (default 500); an NXDOMAIN proof that depends on an Opt-Out NSEC3 is refused unless `opts.allowOptOut` is set. NSEC supports covering-name NXDOMAIN (with the source-of-synthesis wildcard) and matching-name NODATA. Verified end-to-end against a live iana.org NXDOMAIN proof. · *`b.network.dns.dnssec.nsec3Hash(name, opts)`* — Computes the RFC 5155 §5 NSEC3 hash of a name — iterated SHA-1 over the canonical (lowercased, root-terminated) wire form with the zone salt. The base32hex encoding of the result is the NSEC3 owner label. SHA-1 is the only hash IANA registers for NSEC3, so this is a wire-protocol constant rather than a cryptographic default. Useful for checking an owner label or analyzing a zone's hashing parameters. **Changed:** *`verifyRrset` now accepts NSEC and NSEC3 RRsets* — NSEC (type 47) and NSEC3 (type 50) are no longer refused as uncanonicalizable: NSEC3's next-owner is a hash, and per RFC 6840 §5.1 the NSEC Next Domain Name field is not downcased for DNSSEC canonical form, so both RDATAs are verbatim-canonical. This lets a caller verify the signatures on the records that `verifyDenial` then reasons over.

package/README.md

@@ -89,6 +89,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Financial / Open Banking** — FAPI 2.0 Final composite posture (PAR + PKCE-S256 + DPoP-or-mTLS + RFC 9207); runtime enforcement helpers `b.fapi2.assertCallback` (refuses missing iss + bare-param under message-signing) and `b.fapi2.assertAuthzRequest` (refuses non-JAR); CFPB §1033 / FDX 6.0 consumer-financial-data-sharing wrapper (`b.fdx`)
 - **Data-subject coordination** — cross-table export / rectify / erase / restrict / objection (`b.subject`, `b.subject.eraseHard`); subject-level legal-hold registry consulted by erase + retention paths (FRCP Rule 26/37(e), GDPR Art 17(3)(e), SEC Rule 17a-4, HIPAA §164.530(j)(2)) (`b.legalHold`)
 - **Account safety** — adaptive bot-challenge staircase (`b.authBotChallenge`); session-to-device-posture binding with fail-closed verify (`b.sessionDeviceBinding`)
+- **Anonymous authorization** — Privacy Pass origin side (RFC 9577/9578 — `b.privacyPass`): issue a `WWW-Authenticate: PrivateToken` challenge and verify a presented Blind-RSA (type 0x0002) token against the issuer public key, with no issuer callback and no client identity
 ### Crypto
 
 - **At-rest envelope** — envelope-versioned PQC (ML-KEM-1024 + P-384 hybrid, XChaCha20-Poly1305, SHAKE256); vault sealing (`b.crypto`, `b.vault`)
@@ -120,7 +121,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
   - In-process CIDR fence (`b.middleware.networkAllowlist`)
   - `Cache-Control: no-store` on every 401 from `requireAuth` / `requireAal` / `requireStepUp` per RFC 9111 §5.2.2.5
 - **Outbound HTTP client** — HTTP/1.1 + HTTP/2 with SSRF gate (cloud-metadata IPs hard-denied; private / loopback / link-local overridable per call); scheme + userinfo + per-host destination allowlist; redirects, multipart, interceptors, progress, encrypted cookie jar (`b.httpClient`, `b.ssrfGuard`, `b.safeUrl`)
-- **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling, plus `verifyChain` to validate a full root→TLD→zone delegation chain against the pinned IANA root anchors) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
+- **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling, plus `verifyChain` to validate a full root→TLD→zone delegation chain against the pinned IANA root anchors) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; DANE / TLSA certificate matching (RFC 6698/7671 — `b.network.dns.dane.matchCertificate`) to pin a service's key through DNSSEC instead of a public CA; outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
 - **Error pages** — operator-rendered, no app-frame leakage (`b.errorPage`)
 ### Defensive parsers
 

package/index.js

@@ -394,6 +394,7 @@ var webPush = require("./lib/web-push-vapid");
 var fedcm = require("./lib/fedcm");
 var dbsc = require("./lib/dbsc");
 var importmapIntegrity = require("./lib/importmap-integrity");
+var privacyPass = require("./lib/privacy-pass");
 var standardWebhooks = require("./lib/standard-webhooks");
 var lro = require("./lib/lro");
 var jsonApi = require("./lib/jsonapi");
@@ -409,6 +410,7 @@ module.exports = {
   fedcm:            fedcm,
   dbsc:             dbsc,
   importmapIntegrity: importmapIntegrity,
+  privacyPass:      privacyPass,
   standardWebhooks: standardWebhooks,
   lro:              lro,
   jsonApi:          jsonApi,

package/lib/network-dane.js

@@ -0,0 +1,159 @@
+"use strict";
+/**
+ * @module b.network.dns.dane
+ * @nav    Network
+ * @title  DANE / TLSA
+ *
+ * @intro
+ *   DNS-Based Authentication of Named Entities (RFC 6698, updated by
+ *   RFC 7671) — match a server certificate against a TLSA record so the
+ *   DNS, not a public CA, vouches for which key a service uses. This is
+ *   the payoff of DNSSEC: verify the TLSA RRset with
+ *   <code>b.network.dns.dnssec</code> first, then
+ *   <code>matchCertificate</code> checks the certificate against it.
+ *
+ *   A TLSA record carries a certificate usage (PKIX-TA 0, PKIX-EE 1,
+ *   DANE-TA 2, DANE-EE 3 — RFC 7218 mnemonics), a selector (full
+ *   certificate 0, or subjectPublicKeyInfo 1), and a matching type
+ *   (exact 0, SHA-256 1, SHA-512 2). The selected certificate data is
+ *   hashed per the matching type and compared, in constant time, to the
+ *   record's association data. For DANE-EE(3) a match means the
+ *   certificate IS the pinned end-entity key — no public-CA path is
+ *   needed (the common SMTP-DANE case, RFC 7672). For the PKIX usages a
+ *   match is necessary but the caller still performs PKIX validation.
+ *
+ * @card
+ *   DANE / TLSA certificate matching (RFC 6698 / 7671). Pin a service's
+ *   key through DNSSEC instead of a public CA — verify the TLSA RRset,
+ *   then match the certificate (DANE-EE / DANE-TA / PKIX usages,
+ *   full-cert or SPKI selector, SHA-256 / SHA-512).
+ */
+
+var nodeCrypto = require("node:crypto");
+var bCrypto = require("./crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var DaneError = defineClass("DaneError", { alwaysPermanent: true });
+
+// RFC 6698 §2.1 + RFC 7218 mnemonics.
+var USAGES = { 0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE" };
+var SELECTORS = { 0: "Cert", 1: "SPKI" };
+// Matching types: 0 = exact match on the selected data, 1 = SHA-256,
+// 2 = SHA-512. SHA-1 is not registered for TLSA, so anything else is
+// refused rather than guessed.
+var MATCHING = { 0: null, 1: "sha256", 2: "sha512" };
+
+function _bytes(x, what) {
+  if (Buffer.isBuffer(x)) return x;
+  if (x instanceof Uint8Array) return Buffer.from(x);
+  if (typeof x === "string") return Buffer.from(x, "hex");
+  throw new DaneError("dane/bad-bytes", "dane: " + what + " must be a Buffer / Uint8Array / hex string");
+}
+
+function _selectedData(x509, selector) {
+  if (selector === 0) return Buffer.from(x509.raw);                                   // full certificate DER
+  if (selector === 1) return x509.publicKey.export({ format: "der", type: "spki" });  // subjectPublicKeyInfo DER
+  throw new DaneError("dane/unsupported-selector", "dane: unsupported TLSA selector " + selector + " (0 = full cert, 1 = SPKI)");
+}
+
+function _associationOf(selected, matchingType) {
+  if (matchingType === 0) return selected;
+  var hashName = MATCHING[matchingType];
+  if (!hashName) throw new DaneError("dane/unsupported-matching", "dane: unsupported TLSA matching type " + matchingType + " (0 = exact, 1 = SHA-256, 2 = SHA-512)");
+  return nodeCrypto.createHash(hashName).update(selected).digest();
+}
+
+function _parseCert(der, what) {
+  try { return new nodeCrypto.X509Certificate(_bytes(der, what)); }
+  catch (e) { throw new DaneError("dane/bad-certificate", "dane: could not parse " + what + ": " + ((e && e.message) || e)); }
+}
+
+// Validate a TLSA enum field: it must be an actual integer that is an
+// OWN key of the lookup table. Rejecting non-numbers stops a string like
+// "1" (which coerces on key lookup but then fails the strict-=== usage
+// checks below), and the own-property test stops prototype keys such as
+// "__proto__" that `in` / `[x] !== undefined` would wrongly accept.
+function _enumField(v, table, code, label, i) {
+  if (typeof v !== "number" || !Number.isInteger(v) || !Object.prototype.hasOwnProperty.call(table, v)) {
+    throw new DaneError(code, "dane: tlsa[" + i + "] " + label + " must be a numeric " + Object.keys(table).join(" / ") + " (got " + JSON.stringify(v) + ")");
+  }
+}
+function _normaliseTlsa(rec, i) {
+  if (!rec || typeof rec !== "object") throw new DaneError("dane/bad-tlsa", "dane: tlsa[" + i + "] must be an object");
+  _enumField(rec.usage, USAGES, "dane/unsupported-usage", "certificate usage", i);
+  _enumField(rec.selector, SELECTORS, "dane/unsupported-selector", "selector", i);
+  _enumField(rec.matchingType, MATCHING, "dane/unsupported-matching", "matching type", i);
+  return { usage: rec.usage, selector: rec.selector, matchingType: rec.matchingType, data: _bytes(rec.data, "tlsa[" + i + "].data") };
+}
+
+/**
+ * @primitive b.network.dns.dane.matchCertificate
+ * @signature b.network.dns.dane.matchCertificate(opts)
+ * @since     0.12.51
+ * @status    stable
+ * @compliance soc2
+ * @related   b.network.dns.dnssec.verifyChain, b.network.dns.dnssec.verifyRrset
+ *
+ * Match a server certificate against a set of (DNSSEC-verified) TLSA
+ * records (RFC 6698 / 7671). For each record the selected data — the
+ * full certificate DER (selector 0) or its subjectPublicKeyInfo
+ * (selector 1) — is hashed per the matching type (exact / SHA-256 /
+ * SHA-512) and compared, constant-time, to the record's association
+ * data. End-entity usages (PKIX-EE 1, DANE-EE 3) are matched against the
+ * leaf certificate; trust-anchor usages (PKIX-TA 0, DANE-TA 2) are
+ * matched against the leaf and any supplied <code>chain</code>.
+ *
+ * Returns the matching record plus what the caller must still do: a
+ * DANE-EE match is self-sufficient (the TLSA pins the key); a DANE-TA
+ * match still needs chain-to-anchor verification; PKIX usages still need
+ * full PKIX validation. Throws <code>dane/no-match</code> if nothing
+ * matches. Verify the TLSA RRset with <code>b.network.dns.dnssec</code>
+ * before trusting the records — an unauthenticated TLSA proves nothing.
+ *
+ * @opts
+ *   {
+ *     tlsa: [ { usage, selector, matchingType, data: Buffer|hex } ],  // the TLSA RRset
+ *     certificate: Buffer,   // leaf certificate (DER)
+ *     chain?:      Buffer[],  // intermediate / CA certs (DER), for TA usages
+ *   }
+ *
+ * @example
+ *   var r = b.network.dns.dane.matchCertificate({ tlsa: records, certificate: leafDer });
+ *   // → { ok: true, matched: { usage: 3, selector: 1, matchingType: 1 }, daneAuthenticated: true, pkixRequired: false }
+ */
+function matchCertificate(opts) {
+  validateOpts.requireObject(opts, "dane.matchCertificate", DaneError);
+  validateOpts(opts, ["tlsa", "certificate", "chain"], "dane.matchCertificate");
+  if (!Array.isArray(opts.tlsa) || opts.tlsa.length === 0) throw new DaneError("dane/bad-arg", "dane.matchCertificate: opts.tlsa must be a non-empty array");
+  var records = opts.tlsa.map(_normaliseTlsa);
+  var leaf = _parseCert(opts.certificate, "certificate");
+  var chain = Array.isArray(opts.chain) ? opts.chain.map(function (c, i) { return _parseCert(c, "chain[" + i + "]"); }) : [];
+
+  for (var i = 0; i < records.length; i++) {
+    var rec = records[i];
+    var eeUsage = rec.usage === 1 || rec.usage === 3;       // PKIX-EE / DANE-EE → leaf only
+    var certs = eeUsage ? [leaf] : [leaf].concat(chain);    // TA usages may match a chain cert
+    for (var c = 0; c < certs.length; c++) {
+      var assoc = _associationOf(_selectedData(certs[c], rec.selector), rec.matchingType);
+      if (bCrypto.timingSafeEqual(assoc, rec.data)) {
+        return {
+          ok: true,
+          matched: { usage: rec.usage, usageName: USAGES[rec.usage], selector: rec.selector, matchingType: rec.matchingType },
+          matchedCertIndex: c,                              // 0 = leaf, >0 = chain[c-1]
+          daneAuthenticated: rec.usage === 3,               // DANE-EE: TLSA pins the key, no CA path needed
+          trustAnchorMatch: rec.usage === 0 || rec.usage === 2,
+          pkixRequired: rec.usage === 0 || rec.usage === 1,
+        };
+      }
+    }
+  }
+  throw new DaneError("dane/no-match", "dane.matchCertificate: no TLSA record matched the certificate" + (chain.length ? " or chain" : ""));
+}
+
+module.exports = {
+  matchCertificate: matchCertificate,
+  USAGES:           USAGES,
+  SELECTORS:        SELECTORS,
+  DaneError:        DaneError,
+};

package/lib/network.js

@@ -36,6 +36,7 @@ var nts      = require("./network-nts");
 var networkDns = require("./network-dns");
 networkDns.resolver = require("./network-dns-resolver");
 networkDns.dnssec = require("./network-dnssec");
+networkDns.dane = require("./network-dane");
 var networkProxy = require("./network-proxy");
 var networkTls = require("./network-tls");
 var heartbeat = require("./network-heartbeat");

package/lib/privacy-pass.js

@@ -0,0 +1,267 @@
+"use strict";
+/**
+ * @module b.privacyPass
+ * @nav    Identity
+ * @title  Privacy Pass
+ *
+ * @intro
+ *   Origin / relying-party side of Privacy Pass (RFC 9577 HTTP
+ *   authentication scheme, RFC 9578 issuance protocols) — issue a token
+ *   challenge and verify a presented token without learning who the
+ *   client is. An origin asks for a token with a
+ *   <code>WWW-Authenticate: PrivateToken</code> challenge; the client
+ *   obtains a token from an issuer and presents it; the origin verifies
+ *   it cryptographically.
+ *
+ *   This implements the publicly verifiable token type
+ *   <strong>0x0002 (Blind RSA, 2048-bit)</strong>: the token's
+ *   authenticator is an RSA Blind Signature (RFC 9474) that any party
+ *   holding the issuer's public key can verify with RSASSA-PSS — so the
+ *   origin verifies tokens itself, with no issuer secret and no callback.
+ *   The privately verifiable VOPRF type (0x0001) requires the issuer's
+ *   secret key and is an issuer-side operation, not implemented here.
+ *
+ *   Blind RSA is the algorithm Privacy Pass defines on the wire; like
+ *   the framework's DNSSEC / DANE verifiers it validates an external
+ *   protocol's signatures (RSASSA-PSS, SHA-384) rather than introducing
+ *   classical crypto as a framework default.
+ *
+ * @card
+ *   Privacy Pass origin side (RFC 9577 / 9578). Issue a
+ *   <code>WWW-Authenticate: PrivateToken</code> challenge and verify a
+ *   presented Blind-RSA (type 0x0002) token against the issuer public
+ *   key — anonymous, publicly verifiable authorization with no issuer
+ *   callback.
+ */
+
+var nodeCrypto = require("node:crypto");
+var bCrypto = require("./crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var PrivacyPassError = defineClass("PrivacyPassError", { alwaysPermanent: true });
+
+var TOKEN_TYPE_BLIND_RSA = 0x0002;
+// RFC 9578 §5.3 token type 0x0002: RSABSSA-SHA384-PSS, salt length 48.
+var PSS_HASH = "sha384";
+var PSS_SALT_LEN = 48;                                        // allow:raw-byte-literal — RFC 9578 §5.3 PSS salt length (= SHA-384 digest size)
+// Fixed-size token fields (RFC 9577 §2.2): type(2) nonce(32)
+// challenge_digest(32) token_key_id(32), then the authenticator.
+var TOKEN_PREFIX_LEN = 98;                                    // allow:raw-byte-literal — 2 + 32 + 32 + 32 (token_input length)
+
+// RFC 9577 §2.1 sends the challenge / token-key auth-params as base64url
+// WITH padding; Node's "base64url" output is unpadded, so pad to a
+// multiple of 4 so strict clients / proxies accept the header.
+function _b64urlPadded(buf) {
+  var s = Buffer.from(buf).toString("base64url");
+  while (s.length % 4 !== 0) s += "=";                        // allow:raw-byte-literal — base64 quantum is 4 chars
+  return s;
+}
+
+function _bytes(x, what) {
+  if (Buffer.isBuffer(x)) return x;
+  if (x instanceof Uint8Array) return Buffer.from(x);
+  if (typeof x === "string") return Buffer.from(x, "base64");
+  throw new PrivacyPassError("privacy-pass/bad-bytes", "privacyPass: " + what + " must be a Buffer / Uint8Array / base64 string");
+}
+
+// Import the issuer public key and capture the SubjectPublicKeyInfo
+// bytes used to derive token_key_id. When the caller supplies the
+// published SPKI DER directly, hash THOSE bytes — re-exporting an
+// rsa-pss KeyObject can re-encode the AlgorithmIdentifier and change the
+// digest. token_key_id is SHA-256 of the issuer's distributed key
+// (RFC 9577 §2.2), which is the SPKI as published.
+function _importIssuerKey(k) {
+  if (k && typeof k === "object" && typeof k.export === "function" && k.type === "public") {
+    return { key: k, spki: k.export({ format: "der", type: "spki" }) };
+  }
+  try {
+    if (Buffer.isBuffer(k) || k instanceof Uint8Array) {
+      var der = Buffer.from(k);
+      return { key: nodeCrypto.createPublicKey({ key: der, format: "der", type: "spki" }), spki: der };
+    }
+    // A "PUBLIC KEY" PEM body IS the SubjectPublicKeyInfo DER — decode it
+    // directly so token_key_id is SHA-256 of the issuer's exact bytes,
+    // not a re-encoding (Node can re-emit rsa-pss AlgorithmIdentifier
+    // parameters differently on export).
+    if (typeof k === "string" && /-----BEGIN PUBLIC KEY-----/.test(k)) {
+      var body = k.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s+/g, "");
+      var pemDer = Buffer.from(body, "base64");
+      return { key: nodeCrypto.createPublicKey(k), spki: pemDer };
+    }
+    var key = nodeCrypto.createPublicKey(k);                  // other key spec (best-effort SPKI export)
+    return { key: key, spki: key.export({ format: "der", type: "spki" }) };
+  } catch (e) {
+    throw new PrivacyPassError("privacy-pass/bad-key", "privacyPass: could not import issuerPublicKey: " + ((e && e.message) || e));
+  }
+}
+
+/**
+ * @primitive b.privacyPass.parseToken
+ * @signature b.privacyPass.parseToken(token)
+ * @since     0.12.52
+ * @status    experimental
+ * @related   b.privacyPass.verifyToken, b.privacyPass.buildChallenge
+ *
+ * Parse a Privacy Pass token (RFC 9577 §2.2) into its fields: the
+ * <code>tokenType</code>, the client <code>nonce</code>, the
+ * <code>challengeDigest</code> (SHA-256 of the TokenChallenge the token
+ * answers), the <code>tokenKeyId</code> (SHA-256 of the issuer public
+ * key), and the <code>authenticator</code>. Structural only — call
+ * <code>verifyToken</code> to check the signature.
+ *
+ * @example
+ *   var t = b.privacyPass.parseToken(tokenBytes);
+ *   // → { tokenType: 2, nonce, challengeDigest, tokenKeyId, authenticator }
+ */
+function parseToken(token) {
+  var b = _bytes(token, "token");
+  if (b.length < TOKEN_PREFIX_LEN + 1) throw new PrivacyPassError("privacy-pass/bad-token", "privacyPass.parseToken: token too short");
+  return {
+    tokenType:       b.readUInt16BE(0),
+    nonce:           b.slice(2, 34),
+    challengeDigest: b.slice(34, 66),
+    tokenKeyId:      b.slice(66, 98),
+    authenticator:   b.slice(98),
+    tokenInput:      b.slice(0, TOKEN_PREFIX_LEN),
+  };
+}
+
+/**
+ * @primitive b.privacyPass.verifyToken
+ * @signature b.privacyPass.verifyToken(opts)
+ * @since     0.12.52
+ * @status    experimental
+ * @compliance soc2
+ * @related   b.privacyPass.buildChallenge, b.privacyPass.parseToken
+ *
+ * Verify a publicly verifiable Privacy Pass token (type 0x0002, Blind
+ * RSA — RFC 9578 §8.2). The authenticator is checked as an RSASSA-PSS
+ * (SHA-384, MGF1-SHA-384, 48-byte salt) signature over
+ * <code>token_input = token_type ‖ nonce ‖ challenge_digest ‖
+ * token_key_id</code> using the issuer's public key. The token is bound
+ * to that key — its <code>token_key_id</code> must equal the SHA-256 of
+ * the supplied key's SubjectPublicKeyInfo — and, when
+ * <code>opts.challenge</code> is given, to that challenge (its SHA-256
+ * must equal the token's <code>challenge_digest</code>), so a token
+ * minted for a different origin's challenge is refused.
+ *
+ * @opts
+ *   {
+ *     token:            Buffer|base64,   // the presented token
+ *     issuerPublicKey:  KeyObject|Buffer(SPKI DER)|PEM,
+ *     challenge?:       Buffer|base64,   // the TokenChallenge this token must answer
+ *   }
+ *
+ * @example
+ *   var r = b.privacyPass.verifyToken({ token: tok, issuerPublicKey: issuerSpki });
+ *   // → { ok: true, tokenType: 2, nonce, challengeDigest, tokenKeyId }
+ */
+function verifyToken(opts) {
+  validateOpts.requireObject(opts, "privacyPass.verifyToken", PrivacyPassError);
+  validateOpts(opts, ["token", "issuerPublicKey", "challenge"], "privacyPass.verifyToken");
+  if (opts.issuerPublicKey === undefined || opts.issuerPublicKey === null) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.verifyToken: opts.issuerPublicKey is required");
+
+  var parsed = parseToken(opts.token);
+  if (parsed.tokenType !== TOKEN_TYPE_BLIND_RSA) {
+    throw new PrivacyPassError("privacy-pass/unsupported-token-type", "privacyPass.verifyToken: only token type 0x0002 (Blind RSA) is verifiable by the origin; got 0x" + parsed.tokenType.toString(16).padStart(4, "0"));  // allow:raw-byte-literal — base-16 radix + 4-hex-digit pad, not a size
+  }
+
+  var imported = _importIssuerKey(opts.issuerPublicKey);
+  var key = imported.key;
+  if (key.asymmetricKeyType !== "rsa" && key.asymmetricKeyType !== "rsa-pss") {
+    throw new PrivacyPassError("privacy-pass/bad-key", "privacyPass.verifyToken: issuerPublicKey must be an RSA key for token type 0x0002");
+  }
+
+  // Bind the token to the issuer key: token_key_id = SHA-256(SPKI).
+  var keyId = nodeCrypto.createHash("sha256").update(imported.spki).digest();
+  if (!bCrypto.timingSafeEqual(keyId, parsed.tokenKeyId)) {
+    throw new PrivacyPassError("privacy-pass/key-id-mismatch", "privacyPass.verifyToken: token_key_id does not match the issuer public key");
+  }
+
+  // Bind the token to the challenge, when supplied.
+  if (opts.challenge !== undefined && opts.challenge !== null) {
+    var cd = nodeCrypto.createHash("sha256").update(_bytes(opts.challenge, "challenge")).digest();
+    if (!bCrypto.timingSafeEqual(cd, parsed.challengeDigest)) {
+      throw new PrivacyPassError("privacy-pass/challenge-mismatch", "privacyPass.verifyToken: challenge_digest does not match opts.challenge");
+    }
+  }
+
+  var ok;
+  try {
+    ok = nodeCrypto.verify(PSS_HASH, parsed.tokenInput, { key: key, padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: PSS_SALT_LEN }, parsed.authenticator);
+  } catch (e) {
+    throw new PrivacyPassError("privacy-pass/verify-threw", "privacyPass.verifyToken: signature verification threw: " + ((e && e.message) || e));
+  }
+  if (!ok) throw new PrivacyPassError("privacy-pass/bad-authenticator", "privacyPass.verifyToken: token authenticator did not verify");
+  return { ok: true, tokenType: parsed.tokenType, nonce: parsed.nonce, challengeDigest: parsed.challengeDigest, tokenKeyId: parsed.tokenKeyId };
+}
+
+/**
+ * @primitive b.privacyPass.buildChallenge
+ * @signature b.privacyPass.buildChallenge(opts)
+ * @since     0.12.52
+ * @status    experimental
+ * @related   b.privacyPass.verifyToken
+ *
+ * Build a TokenChallenge (RFC 9577 §2.1) and the matching
+ * <code>WWW-Authenticate: PrivateToken</code> header value an origin
+ * returns to ask a client for a token. The challenge binds the token to
+ * this issuer (and optionally this origin and a redemption context);
+ * its SHA-256 is the <code>challenge_digest</code> that
+ * <code>verifyToken</code> checks.
+ *
+ * @opts
+ *   {
+ *     issuerName:        string,   // the token issuer's name
+ *     tokenType?:        number,   // default 0x0002 (Blind RSA)
+ *     originInfo?:       string,   // origin name(s) the token is scoped to (default: any)
+ *     redemptionContext?: Buffer,  // 0 or 32 bytes (default: empty)
+ *     tokenKey?:         Buffer|KeyObject,  // issuer SPKI, included as token-key= when given
+ *   }
+ *
+ * @example
+ *   var c = b.privacyPass.buildChallenge({ issuerName: "issuer.example", originInfo: "origin.example" });
+ *   res.setHeader("WWW-Authenticate", c.wwwAuthenticate);
+ */
+function buildChallenge(opts) {
+  validateOpts.requireObject(opts, "privacyPass.buildChallenge", PrivacyPassError);
+  validateOpts(opts, ["issuerName", "tokenType", "originInfo", "redemptionContext", "tokenKey"], "privacyPass.buildChallenge");
+  if (typeof opts.issuerName !== "string" || opts.issuerName === "") throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: opts.issuerName is required");
+  var tokenType = opts.tokenType === undefined ? TOKEN_TYPE_BLIND_RSA : opts.tokenType;
+  if (typeof tokenType !== "number" || !Number.isInteger(tokenType) || tokenType < 0 || tokenType > 0xffff) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: tokenType must be a uint16");
+
+  var issuer = Buffer.from(opts.issuerName, "utf8");
+  if (issuer.length > 0xffff) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: issuerName too long");
+  var origin = Buffer.alloc(0);
+  if (opts.originInfo !== undefined && opts.originInfo !== null) {
+    if (typeof opts.originInfo !== "string") throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: originInfo must be a string");
+    origin = Buffer.from(opts.originInfo, "utf8");
+    if (origin.length > 0xffff) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: originInfo too long");
+  }
+  var rc = opts.redemptionContext !== undefined && opts.redemptionContext !== null ? _bytes(opts.redemptionContext, "redemptionContext") : Buffer.alloc(0);
+  if (rc.length !== 0 && rc.length !== 32) throw new PrivacyPassError("privacy-pass/bad-arg", "privacyPass.buildChallenge: redemptionContext must be empty or 32 bytes");  // allow:raw-byte-literal — RFC 9577 redemption_context is 0 or 32 bytes
+
+  var u16 = function (n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); };
+  var challenge = Buffer.concat([
+    u16(tokenType),
+    u16(issuer.length), issuer,
+    Buffer.from([rc.length]), rc,
+    u16(origin.length), origin,
+  ]);
+
+  var parts = ['PrivateToken challenge="' + _b64urlPadded(challenge) + '"'];
+  if (opts.tokenKey !== undefined && opts.tokenKey !== null) {
+    var spki = (opts.tokenKey && typeof opts.tokenKey.export === "function") ? opts.tokenKey.export({ format: "der", type: "spki" }) : _bytes(opts.tokenKey, "tokenKey");
+    parts.push('token-key="' + _b64urlPadded(spki) + '"');
+  }
+  return { challenge: challenge, wwwAuthenticate: parts.join(", ") };
+}
+
+module.exports = {
+  parseToken:     parseToken,
+  verifyToken:    verifyToken,
+  buildChallenge: buildChallenge,
+  TOKEN_TYPE_BLIND_RSA: TOKEN_TYPE_BLIND_RSA,
+  PrivacyPassError: PrivacyPassError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.50",
+  "version": "0.12.52",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:73355867-afbb-4417-a3e0-56f83b718707",
+  "serialNumber": "urn:uuid:455224f5-2973-4bdf-8fc9-c8553709b68b",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-25T14:43:55.314Z",
+    "timestamp": "2026-05-25T17:01:11.242Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.50",
+      "bom-ref": "@blamejs/core@0.12.52",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.50",
+      "version": "0.12.52",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.50",
+      "purl": "pkg:npm/%40blamejs/core@0.12.52",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.50",
+      "ref": "@blamejs/core@0.12.52",
       "dependsOn": []
     }
   ]