@blamejs/core 0.14.18 → 0.14.19

package/lib/auth/oid4vci.js

@@ -79,14 +79,15 @@ function _b64uDecodeStr(s) {
   return Buffer.from(s, "base64url").toString("utf8");
 }
 
-function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs) {
+async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs, resolveKid) {
   // OID4VCI §7.2.1.1: the proof JWT MUST:
   //   - typ = "openid4vci-proof+jwt"
   //   - alg in supported list (issuer publishes these)
   //   - aud = credential issuer URL (this issuer's `credential_issuer`)
   //   - iat = recent
   //   - nonce = c_nonce previously issued to the wallet
-  //   - jwk OR kid in header pointing at the key to bind cnf to
+  //   - jwk (inline) OR kid (resolved via resolveKid) in the header
+  //     pointing at the holder key to bind cnf to (RFC 7515 §4.1.3/§4.1.4)
   if (typeof proofJwt !== "string" || proofJwt.length === 0 || proofJwt.length > MAX_PROOF_BYTES) {
     throw new AuthError("auth-oid4vci/bad-proof",
       "credential issuance: proof JWT is empty or exceeds " + MAX_PROOF_BYTES + " bytes");
@@ -171,29 +172,78 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
       "credential issuance: proof JWT iss does not match the access-token client_id");
   }
 
-  // Verify the JWS signature using the key embedded in the header.
+  // Resolve the holder key the proof is signed with. Two paths:
+  //   - inline `jwk` (RFC 7515 §4.1.3) — the wallet ships the public
+  //     key in the header; bind `cnf` to it directly.
+  //   - `kid` (RFC 7515 §4.1.4) without inline `jwk` — the wallet
+  //     references a key by identifier (EUDI-Wallet attested-key flow,
+  //     OID4VCI §8.2.1.1 `key_attestation` proof). The operator
+  //     supplies `resolveKid(kid, header)` to map the kid → public key.
+  //     With no resolver configured the issuer keeps the clear refusal
+  //     (back-compat): a kid-only proof can't be verified without one.
   var holderKeyJwk = header.jwk || null;
-  if (!holderKeyJwk && header.kid) {
-    // Operators with kid-only proofs supply a resolver; until then,
-    // require jwk inline. Refuse rather than silently downgrade.
-    throw new AuthError("auth-oid4vci/kid-resolver-not-supported",
-      "credential issuance: proof JWT used `kid` without inline `jwk` — supply { jwk } in the header for inline binding (kid-resolver path is operator-side)");
-  }
-  if (!holderKeyJwk) {
-    throw new AuthError("auth-oid4vci/no-jwk-in-header",
-      "credential issuance: proof JWT must carry `jwk` for inline holder-key binding");
-  }
-  // CVE-2026-22817 — cross-check alg/kty before importing the holder
-  // JWK. Without this an attacker-controlled `alg: "HS256"` against an
-  // RSA holder JWK would have node:crypto.verify treat the RSA public
-  // key as an HMAC secret. Routed through the shared helper so every
-  // JWT verifier in the framework enforces the same check.
-  jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
   var keyObj;
-  try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
-  catch (e) {
-    throw new AuthError("auth-oid4vci/bad-jwk",
-      "credential issuance: proof JWT jwk is not parseable: " + ((e && e.message) || String(e)));
+  if (!holderKeyJwk && header.kid) {
+    if (typeof resolveKid !== "function") {
+      throw new AuthError("auth-oid4vci/kid-resolver-not-supported",
+        "credential issuance: proof JWT used `kid` without inline `jwk` — supply { jwk } in the header for inline binding, or configure issuer.create({ resolveKid }) to resolve kid-referenced holder keys");
+    }
+    var resolved;
+    try {
+      resolved = await resolveKid(header.kid, header);
+    } catch (e) {
+      // Wrap a resolver exception in a stable AuthError code so the
+      // /credential handler returns a typed refusal instead of an
+      // unhandled rejection. resolveKid is operator code, so its own
+      // message is allowed through for operator-side debugging.
+      throw new AuthError("auth-oid4vci/kid-resolver-failed",
+        "credential issuance: resolveKid threw while resolving the proof JWT kid: " + ((e && e.message) || String(e)));
+    }
+    if (!resolved) {
+      throw new AuthError("auth-oid4vci/kid-unresolved",
+        "credential issuance: resolveKid returned no key for the proof JWT kid — refused");
+    }
+    // Normalize to (verify KeyObject) + (cnf JWK). A KeyObject verifies
+    // the signature directly; the cnf binding sdJwtIssuer.issue expects
+    // a JWK, so a resolved KeyObject is exported to one. A resolved JWK
+    // is used for both.
+    if (resolved instanceof nodeCrypto.KeyObject) {
+      try { holderKeyJwk = resolved.export({ format: "jwk" }); }
+      catch (e) {
+        throw new AuthError("auth-oid4vci/bad-resolved-key",
+          "credential issuance: resolveKid returned a KeyObject that does not export to JWK: " + ((e && e.message) || String(e)));
+      }
+    } else if (typeof resolved === "object" && typeof resolved.kty === "string") {
+      holderKeyJwk = resolved;
+    } else {
+      throw new AuthError("auth-oid4vci/bad-resolved-key",
+        "credential issuance: resolveKid must return a JWK object (with kty) or a node:crypto KeyObject");
+    }
+    // CVE-2026-22817 — same alg/kty cross-check the inline path applies.
+    // A resolver that returns an RSA key for a proof declaring an HMAC
+    // alg would otherwise be verified as an HMAC secret.
+    jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
+    try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-resolved-key",
+        "credential issuance: resolveKid-returned key is not importable as a public key: " + ((e && e.message) || String(e)));
+    }
+  } else {
+    if (!holderKeyJwk) {
+      throw new AuthError("auth-oid4vci/no-jwk-in-header",
+        "credential issuance: proof JWT must carry `jwk` for inline holder-key binding");
+    }
+    // CVE-2026-22817 — cross-check alg/kty before importing the holder
+    // JWK. Without this an attacker-controlled `alg: "HS256"` against an
+    // RSA holder JWK would have node:crypto.verify treat the RSA public
+    // key as an HMAC secret. Routed through the shared helper so every
+    // JWT verifier in the framework enforces the same check.
+    jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
+    try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-jwk",
+        "credential issuance: proof JWT jwk is not parseable: " + ((e && e.message) || String(e)));
+    }
   }
 
   var signingInput = parts[0] + "." + parts[1];
@@ -241,6 +291,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
  *     sdJwtIssuer:                <b.auth.sdJwtVc.issuer instance>, // mints the SD-JWT VC
  *     supportedCredentials:       { [id]: { format, vct, claims, ... } },
  *     proofAlgorithms:            string[],              // default ["ES256", "ES384", "EdDSA"]
+ *     resolveKid?:                function(kid, header), // resolve a kid-only proof's holder key (JWK | KeyObject); without it, kid-only proofs are refused
  *     preAuthCodeTtlMs?:          number,                // default 5m
  *     accessTokenTtlMs?:          number,                // default 15m
  *     cNonceTtlMs?:               number,                // default 5m
@@ -301,6 +352,12 @@ function create(opts) {
   var proofAlgs = Array.isArray(opts.proofAlgorithms) && opts.proofAlgorithms.length > 0
     ? opts.proofAlgorithms : ["ES256", "ES384", "EdDSA"];
 
+  // Optional kid-resolver for kid-only proofs (EUDI-Wallet attested-key
+  // flow). Config-time throw if supplied but not a function. Absent →
+  // kid-only proofs keep the clear refusal (back-compat).
+  var resolveKid = validateOpts.optionalFunction(opts.resolveKid,
+    "issuer.create: resolveKid", AuthError, "auth-oid4vci/bad-resolve-kid");
+
   var preAuthTtl = opts.preAuthCodeTtlMs || DEFAULT_PRE_AUTH_TTL_MS;
   var accessTokenTtl = opts.accessTokenTtlMs || DEFAULT_ACCESS_TOKEN_TTL;
   var cNonceTtl = opts.cNonceTtlMs || DEFAULT_C_NONCE_TTL_MS;
@@ -466,7 +523,7 @@ function create(opts) {
           "exchangePreAuthorizedCode: tx_code does not match");
       }
     }
-    await codeStore.delete(eopts.preAuthCode);
+    await codeStore.del(eopts.preAuthCode);
     var accessToken = generateToken(32);                                                         // 256-bit access token
     var cNonce = generateToken(16);                                                              // 128-bit c_nonce
     var record = {
@@ -555,7 +612,7 @@ function create(opts) {
     }
 
     var expectedCNonce = await cNonceStore.get(iopts.accessToken);
-    var verified = _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs);
+    var verified = await _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs, resolveKid);
 
     if (!iopts.claims || typeof iopts.claims !== "object") {
       throw new AuthError("auth-oid4vci/no-claims",
@@ -584,8 +641,8 @@ function create(opts) {
     // explicitly tightens cleanup.
     if (accessTokenSingleUse) {
       try {
-        await atStore.delete(iopts.accessToken);
-        await cNonceStore.delete(iopts.accessToken);
+        await atStore.del(iopts.accessToken);
+        await cNonceStore.del(iopts.accessToken);
       } catch (_e) { /* drop-silent — cleanup is best-effort */ }
     }