@blamejs/core 0.14.19 → 0.14.21

package/lib/auth/oid4vci.js

@@ -79,15 +79,68 @@ function _b64uDecodeStr(s) {
   return Buffer.from(s, "base64url").toString("utf8");
 }
 
-async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs, resolveKid) {
+// Linear trailing-`=` strip (charCodeAt + slice) — a regex-based
+// padding strip is polynomial-ReDoS-shaped per CodeQL
+// js/polynomial-redos; mirrors lib/argon2-builtin.js. The comparison
+// below is standard base64 (RFC 7515 §4.1.6), so b.crypto.toBase64Url
+// would produce the wrong alphabet.
+function _stripBase64Pad(s) {
+  var end = s.length;
+  while (end > 0 && s.charCodeAt(end - 1) === 61) end--;                           // 61 = "="
+  return s.slice(0, end);
+}
+
+// RFC 7515 §4.1.6 — x5c is an array of base64 (NOT base64url) DER
+// certificate strings, leaf first. Parse + shape-validate the chain into
+// node:crypto X509Certificate objects; refuse a malformed array (empty,
+// non-string entries, non-base64, or a leaf that won't parse) with a
+// typed AuthError matching the module error style.
+function _parseX5cChain(x5c) {
+  if (!Array.isArray(x5c) || x5c.length === 0) {
+    throw new AuthError("auth-oid4vci/bad-x5c",
+      "credential issuance: proof JWT `x5c` must be a non-empty array of base64 DER certificate strings (RFC 7515 §4.1.6)");
+  }
+  var derBuffers = [];
+  var certs = [];
+  for (var i = 0; i < x5c.length; i++) {
+    var entry = x5c[i];
+    if (typeof entry !== "string" || entry.length === 0) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c[" + i + "]` must be a non-empty base64 string");
+    }
+    // Standard base64 (not base64url) per RFC 7515 §4.1.6. Reject
+    // entries carrying base64url-only chars or that don't round-trip.
+    if (/[^A-Za-z0-9+/=]/.test(entry)) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c[" + i + "]` is not valid base64 (RFC 7515 §4.1.6 mandates standard base64, not base64url)");
+    }
+    var der = Buffer.from(entry, "base64");
+    if (der.length === 0 || _stripBase64Pad(der.toString("base64")) !== _stripBase64Pad(entry)) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c[" + i + "]` is not valid base64 (RFC 7515 §4.1.6)");
+    }
+    var cert;
+    try { cert = new nodeCrypto.X509Certificate(der); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c[" + i + "]` is not a parseable DER certificate: " + ((e && e.message) || String(e)));
+    }
+    derBuffers.push(der);
+    certs.push(cert);
+  }
+  return { derBuffers: derBuffers, certs: certs };
+}
+
+async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs, resolveKid, validateX5c) {
   // OID4VCI §7.2.1.1: the proof JWT MUST:
   //   - typ = "openid4vci-proof+jwt"
   //   - alg in supported list (issuer publishes these)
   //   - aud = credential issuer URL (this issuer's `credential_issuer`)
   //   - iat = recent
   //   - nonce = c_nonce previously issued to the wallet
-  //   - jwk (inline) OR kid (resolved via resolveKid) in the header
-  //     pointing at the holder key to bind cnf to (RFC 7515 §4.1.3/§4.1.4)
+  //   - jwk (inline), kid (resolved via resolveKid), OR x5c (leaf-cert
+  //     SPKI) in the header pointing at the holder key to bind cnf to
+  //     (RFC 7515 §4.1.3 / §4.1.4 / §4.1.6; OID4VCI §8.2.1.1)
   if (typeof proofJwt !== "string" || proofJwt.length === 0 || proofJwt.length > MAX_PROOF_BYTES) {
     throw new AuthError("auth-oid4vci/bad-proof",
       "credential issuance: proof JWT is empty or exceeds " + MAX_PROOF_BYTES + " bytes");
@@ -135,6 +188,18 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
     throw new AuthError("auth-oid4vci/wrong-proof-aud",
       "credential issuance: proof JWT aud \"" + payload.aud + "\" mismatch (expected \"" + expectedAud + "\")");
   }
+  // c_nonce expectation has three states the caller distinguishes:
+  //   null      → no nonce check expected (caller deliberately skips it).
+  //   string    → the c_nonce the wallet must echo (compared below).
+  //   undefined → a nonce WAS expected but the store missed/expired it
+  //               (cNonceStore.get returns undefined on miss/expiry, and
+  //               the c_nonce TTL is shorter than the access token's).
+  //               Refuse with a typed code — comparing against undefined
+  //               would otherwise throw a raw TypeError from timingSafeEqual.
+  if (expectedCNonce === undefined) {
+    throw new AuthError("auth-oid4vci/c-nonce-expired",
+      "credential issuance: c_nonce expected but missing/expired — wallet must request a fresh c_nonce (the /token response's c_nonce TTL elapsed before /credential was called)");
+  }
   if (expectedCNonce !== null) {
     // Constant-time c_nonce compare — secret-shaped value vs
     // attacker-controlled wallet payload.
@@ -172,7 +237,7 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
       "credential issuance: proof JWT iss does not match the access-token client_id");
   }
 
-  // Resolve the holder key the proof is signed with. Two paths:
+  // Resolve the holder key the proof is signed with. Three paths:
   //   - inline `jwk` (RFC 7515 §4.1.3) — the wallet ships the public
   //     key in the header; bind `cnf` to it directly.
   //   - `kid` (RFC 7515 §4.1.4) without inline `jwk` — the wallet
@@ -181,6 +246,15 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
   //     supplies `resolveKid(kid, header)` to map the kid → public key.
   //     With no resolver configured the issuer keeps the clear refusal
   //     (back-compat): a kid-only proof can't be verified without one.
+  //   - `x5c` (RFC 7515 §4.1.6) without inline `jwk`/`kid` — the wallet
+  //     ships a base64 DER certificate chain; the LEAF cert's SPKI is
+  //     the holder key (OID4VCI §8.2.1.1). Like inline `jwk`, the chain
+  //     is self-asserted, so leaf-SPKI extraction at the same trust
+  //     level is the correct parity — the proof signature check binds
+  //     the key. Chain trust beyond that is operator policy: an optional
+  //     `validateX5c(chainDerBuffers, header)` callback may throw to
+  //     refuse (PKI anchoring, EKU checks, revocation, attestation-CA
+  //     allowlist) before the SPKI is trusted.
   var holderKeyJwk = header.jwk || null;
   var keyObj;
   if (!holderKeyJwk && header.kid) {
@@ -228,6 +302,42 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
       throw new AuthError("auth-oid4vci/bad-resolved-key",
         "credential issuance: resolveKid-returned key is not importable as a public key: " + ((e && e.message) || String(e)));
     }
+  } else if (!holderKeyJwk && header.x5c) {
+    // RFC 7515 §4.1.6 / OID4VCI §8.2.1.1 — the wallet ships a base64 DER
+    // certificate chain; the LEAF (first) cert's SPKI is the holder key.
+    var chain = _parseX5cChain(header.x5c);
+    // Operator chain-trust policy runs BEFORE the SPKI is trusted. A
+    // throw refuses the proof (wrapped in a stable AuthError code so the
+    // /credential handler returns a typed refusal rather than an
+    // unhandled rejection; the callback is operator code, so its own
+    // message is allowed through for operator-side debugging).
+    if (typeof validateX5c === "function") {
+      try {
+        await validateX5c(chain.derBuffers.slice(), header);
+      } catch (e) {
+        if (e instanceof AuthError) throw e;
+        throw new AuthError("auth-oid4vci/x5c-rejected",
+          "credential issuance: validateX5c rejected the proof JWT certificate chain: " + ((e && e.message) || String(e)));
+      }
+    }
+    // Extract the leaf SPKI as a JWK to use as the holder key, exactly
+    // parallel to the inline-jwk path. publicKey is a node:crypto
+    // KeyObject; export to JWK for the cnf binding sdJwtIssuer.issue
+    // expects.
+    try { holderKeyJwk = chain.certs[0].publicKey.export({ format: "jwk" }); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c` leaf certificate public key does not export to JWK: " + ((e && e.message) || String(e)));
+    }
+    // CVE-2026-22817 — same alg/kty cross-check the inline path applies.
+    // A leaf cert holding an RSA key against a proof declaring an HMAC
+    // alg would otherwise be verified as an HMAC secret.
+    jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
+    try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
+    catch (e) {
+      throw new AuthError("auth-oid4vci/bad-x5c",
+        "credential issuance: proof JWT `x5c` leaf public key is not importable: " + ((e && e.message) || String(e)));
+    }
   } else {
     if (!holderKeyJwk) {
       throw new AuthError("auth-oid4vci/no-jwk-in-header",
@@ -292,6 +402,7 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
  *     supportedCredentials:       { [id]: { format, vct, claims, ... } },
  *     proofAlgorithms:            string[],              // default ["ES256", "ES384", "EdDSA"]
  *     resolveKid?:                function(kid, header), // resolve a kid-only proof's holder key (JWK | KeyObject); without it, kid-only proofs are refused
+ *     validateX5c?:               function(chainDerBuffers, header), // x5c (RFC 7515 §4.1.6) chain-trust policy; throw to refuse. Absent → leaf-cert SPKI binds at the same self-asserted trust as inline `jwk`
  *     preAuthCodeTtlMs?:          number,                // default 5m
  *     accessTokenTtlMs?:          number,                // default 15m
  *     cNonceTtlMs?:               number,                // default 5m
@@ -358,6 +469,14 @@ function create(opts) {
   var resolveKid = validateOpts.optionalFunction(opts.resolveKid,
     "issuer.create: resolveKid", AuthError, "auth-oid4vci/bad-resolve-kid");
 
+  // Optional x5c chain-trust policy for x5c proofs (RFC 7515 §4.1.6 /
+  // OID4VCI §8.2.1.1). Config-time throw if supplied but not a function.
+  // Absent → the leaf-cert SPKI binds at the same self-asserted trust
+  // level as an inline `jwk` (the proof signature binds the key); chain
+  // anchoring beyond that is the operator's to enforce via this callback.
+  var validateX5c = validateOpts.optionalFunction(opts.validateX5c,
+    "issuer.create: validateX5c", AuthError, "auth-oid4vci/bad-validate-x5c");
+
   var preAuthTtl = opts.preAuthCodeTtlMs || DEFAULT_PRE_AUTH_TTL_MS;
   var accessTokenTtl = opts.accessTokenTtlMs || DEFAULT_ACCESS_TOKEN_TTL;
   var cNonceTtl = opts.cNonceTtlMs || DEFAULT_C_NONCE_TTL_MS;
@@ -612,7 +731,7 @@ function create(opts) {
     }
 
     var expectedCNonce = await cNonceStore.get(iopts.accessToken);
-    var verified = await _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs, resolveKid);
+    var verified = await _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs, resolveKid, validateX5c);
 
     if (!iopts.claims || typeof iopts.claims !== "object") {
       throw new AuthError("auth-oid4vci/no-claims",

package/lib/auth/oid4vp.js

@@ -65,10 +65,11 @@ var _emitMetric = emit.metric;
 
 /**
  * Validate a DCQL query against the spec shape. Refuses unknown
- * top-level keys, missing credential id, missing claim paths, or
- * malformed credential_sets options. Throws AuthError on first
- * failure (config-time validation — the verifier author is the one
- * who needs to see the error).
+ * top-level keys, missing credential id, missing claim paths,
+ * numeric claim-path segments that are not non-negative integer
+ * array indices (OpenID4VP 1.0 §7.1.1), or malformed credential_sets
+ * options. Throws AuthError on first failure (config-time validation
+ * — the verifier author is the one who needs to see the error).
  */
 function _validateDcql(dcql) {
   if (!dcql || typeof dcql !== "object" || Array.isArray(dcql)) {
@@ -113,6 +114,15 @@ function _validateDcql(dcql) {
             throw new AuthError("auth-oid4vp/bad-claim-segment",
               "DCQL: claim path segments must be string|number|null");
           }
+          // OpenID4VP 1.0 §7.1.1 — a numeric segment is an array index;
+          // it MUST be a non-negative integer. Reject -1 / 1.5 / NaN /
+          // Infinity here (config-time / entry-point tier) so the
+          // verifier author sees the typo at build, not a silent
+          // non-match at verify time.
+          if (typeof segment === "number" && (!Number.isInteger(segment) || segment < 0)) {
+            throw new AuthError("auth-oid4vp/bad-claim-segment",
+              "DCQL: numeric claim path segment must be a non-negative integer (OpenID4VP 1.0 §7.1.1)");
+          }
         });
         if (claim.values !== undefined && !Array.isArray(claim.values)) {
           throw new AuthError("auth-oid4vp/bad-claim-values",

package/lib/auth/sd-jwt-vc-holder.js

@@ -43,6 +43,7 @@
  * tests — production operators wire b.db / b.objectStore.
  */
 
+var nodeCrypto = require("node:crypto");
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var { AuthError } = require("../framework-error");
@@ -51,6 +52,50 @@ var sdJwtVcCore = lazyRequire(function () { return require("./sd-jwt-vc"); });
 var audit = lazyRequire(function () { return require("../audit"); });
 var observability = lazyRequire(function () { return require("../observability"); });
 
+// EC curve → the KB-JWT alg the sd-jwt-vc core supports for it. P-521
+// has no entry — the core's SUPPORTED_ALGS stops at ES384.
+var _HOLDER_EC_CURVE_ALG = { prime256v1: "ES256", secp384r1: "ES384" };
+
+// Resolve the KB-JWT signing alg from the holder key when the operator
+// gives no explicit `algorithm`. A fixed default (the old "ES256") signed
+// a non-EC-P256 holder key under a header alg that disagreed with the key
+// — un-signable (Ed25519 / EC-P384) or a self-invalid KB-JWT a verifier
+// rejects (any key whose sign succeeds under the wrong digest). Inferring
+// from the key keeps the common EC-P256 → ES256 case unchanged while
+// producing a self-consistent KB-JWT for every other supported key, and
+// refuses a key type the core has no alg for (e.g. RSA) instead of
+// emitting a broken presentation. An explicit `algorithm` is honoured and
+// validated by the core against SUPPORTED_ALGS.
+function _resolveHolderAlg(holderKey, explicitAlg) {
+  if (explicitAlg) return explicitAlg;
+  var keyObj = null;
+  try {
+    if (holderKey instanceof nodeCrypto.KeyObject) {
+      keyObj = holderKey;
+    } else if (typeof holderKey === "string" || Buffer.isBuffer(holderKey)) {
+      keyObj = nodeCrypto.createPrivateKey({ key: holderKey, format: "pem" });
+    } else if (holderKey && typeof holderKey === "object" && holderKey.kty) {
+      keyObj = nodeCrypto.createPrivateKey({ key: holderKey, format: "jwk" });
+    }
+  } catch (_e) {
+    keyObj = null;                       // unreadable key — let the signer surface the real error
+  }
+  if (!keyObj) return "ES256";           // preserve the historical default when the type can't be read
+  var kty = keyObj.asymmetricKeyType;
+  if (kty === "ec") {
+    var curve = (keyObj.asymmetricKeyDetails && keyObj.asymmetricKeyDetails.namedCurve) || "";
+    var ecAlg = _HOLDER_EC_CURVE_ALG[curve];
+    if (ecAlg) return ecAlg;
+    throw new AuthError("auth-sd-jwt-vc/holder-key-unsupported",
+      "holder.create: EC curve '" + curve + "' has no KB-JWT algorithm (use P-256 / P-384, Ed25519, or ML-DSA-87 / ML-DSA-65)");
+  }
+  if (kty === "ed25519" || kty === "ed448") return "EdDSA";
+  if (kty === "ml-dsa-87") return "ML-DSA-87";
+  if (kty === "ml-dsa-65") return "ML-DSA-65";
+  throw new AuthError("auth-sd-jwt-vc/holder-key-unsupported",
+    "holder.create: key type '" + String(kty) + "' has no KB-JWT algorithm (use EC P-256 / P-384, Ed25519, or ML-DSA-87 / ML-DSA-65; RSA is not supported for KB-JWT)");
+}
+
 function _validateStorage(storage) {
   if (!storage || typeof storage !== "object") return false;
   return ["put", "get", "list", "delete"].every(function (m) {
@@ -96,7 +141,7 @@ function create(opts) {
     throw new AuthError("auth-sd-jwt-vc/no-key",
       "holder.create: holderKey required");
   }
-  var algorithm = opts.algorithm || "ES256";
+  var algorithm = _resolveHolderAlg(opts.holderKey, opts.algorithm);
   var auditOn = opts.auditOn !== false;
 
   function _emitAudit(action, outcome, metadata) {

package/lib/break-glass.js

@@ -425,7 +425,6 @@ async function migrate(table, opts) {
  * has run.
  *
  * @opts
- *   now:        number,    // testing-only override of Date.now (fixtures)
  *   trustProxy: boolean,   // honor X-Forwarded-For when populating grant.ip (default false)
  *
  * @example
@@ -434,7 +433,7 @@ async function migrate(table, opts) {
  */
 function init(opts) {
   opts = opts || {};
-  validateOpts(opts, ["now", "trustProxy"], "breakGlass.init");
+  validateOpts(opts, ["trustProxy"], "breakGlass.init");
   initialized = true;
   policyCache.clear();
   _factorLockout = null;

package/lib/config.js

@@ -258,7 +258,8 @@ function create(opts) {
  *                   Rows whose transform throws or returns a non-string
  *                   are skipped with a `config.reload.failed` audit so a
  *                   single bad row never crashes the poller),
- *   audit:          boolean  (default true; reserved for future per-poll audit),
+ *   audit:          boolean  (default true; set false to silence the
+ *                   per-poll config.reload.* audit emissions),
  *
  * @example
  *   var s = b.safeSchema;
@@ -322,6 +323,12 @@ function loadDbBacked(opts) {
   var transformValue = validateOpts.optionalFunction(
     opts.transformValue, "loadDbBacked: opts.transformValue",
     ConfigError, "config/bad-transform-value") || null;
+  var auditOn = opts.audit !== false;
+  function _emitReloadAudit(record) {
+    if (!auditOn) return;
+    try { audit().safeEmit(record); }
+    catch (_e) { /* audit best-effort */ }
+  }
   var cfg = create({ schema: opts.schema, env: opts.env, redactKeys: opts.redactKeys });
   var stopped = false;
   // Concurrency guard. _tick() runs `await opts.fetchRows()` + per-row
@@ -348,12 +355,10 @@ function loadDbBacked(opts) {
     var rows;
     try { rows = await opts.fetchRows(); }
     catch (e) {
-      try {
-        audit().safeEmit({
-          action: "config.reload.failed", outcome: "failure",
-          metadata: { phase: "fetch", reason: e && e.message },
-        });
-      } catch (_e) { /* audit best-effort */ }
+      _emitReloadAudit({
+        action: "config.reload.failed", outcome: "failure",
+        metadata: { phase: "fetch", reason: e && e.message },
+      });
       return;
     }
     if (!Array.isArray(rows)) return;
@@ -366,21 +371,17 @@ function loadDbBacked(opts) {
         try {
           value = await transformValue(row);
         } catch (e) {
-          try {
-            audit().safeEmit({
-              action: "config.reload.failed", outcome: "failure",
-              metadata: { phase: "transform", key: row.key, reason: e && e.message },
-            });
-          } catch (_e) { /* audit best-effort */ }
+          _emitReloadAudit({
+            action: "config.reload.failed", outcome: "failure",
+            metadata: { phase: "transform", key: row.key, reason: e && e.message },
+          });
           continue;
         }
         if (typeof value !== "string") {
-          try {
-            audit().safeEmit({
-              action: "config.reload.failed", outcome: "failure",
-              metadata: { phase: "transform", key: row.key, reason: "transformValue did not return a string" },
-            });
-          } catch (_e) { /* audit best-effort */ }
+          _emitReloadAudit({
+            action: "config.reload.failed", outcome: "failure",
+            metadata: { phase: "transform", key: row.key, reason: "transformValue did not return a string" },
+          });
           continue;
         }
       }
@@ -389,12 +390,10 @@ function loadDbBacked(opts) {
     // Drop-stale: a tick that started after me has already finished and
     // applied its newer fetch — my overlay would clobber fresher data.
     if (mySeq <= ticksAppliedMax) {
-      try {
-        audit().safeEmit({
-          action: "config.reload.skipped", outcome: "success",
-          metadata: { phase: "stale-tick", mySeq: mySeq, appliedMax: ticksAppliedMax },
-        });
-      } catch (_e) { /* audit best-effort */ }
+      _emitReloadAudit({
+        action: "config.reload.skipped", outcome: "success",
+        metadata: { phase: "stale-tick", mySeq: mySeq, appliedMax: ticksAppliedMax },
+      });
       return;
     }
     // Advance the watermark ONLY after a successful reload. A newer
@@ -407,12 +406,10 @@ function loadDbBacked(opts) {
       ticksAppliedMax = mySeq;
     }
     catch (e) {
-      try {
-        audit().safeEmit({
-          action: "config.reload.failed", outcome: "failure",
-          metadata: { phase: "validate", reason: e && e.message },
-        });
-      } catch (_e) { /* audit best-effort */ }
+      _emitReloadAudit({
+        action: "config.reload.failed", outcome: "failure",
+        metadata: { phase: "validate", reason: e && e.message },
+      });
     }
   }
   // Fire one immediate hydration before the interval kicks in so