@blamejs/core 0.14.26 → 0.15.0

package/lib/auth/openid-federation.js

@@ -334,14 +334,23 @@ function _applyOnePolicy(metadata, policy) {
  * @signature b.auth.openidFederation.applyMetadataPolicy(metadata, chain, kind)
  * @since     0.8.62
  *
- * Apply every metadata_policy in the chain (top-down) to the leaf's
+ * Apply the federation's metadata_policy (top-down) to the leaf's
  * declared metadata for the given entity-kind ("openid_relying_party"
  * / "openid_provider" / "federation_entity" / etc.) and return the
  * effective metadata. Throws on any policy violation.
  *
- * The chain is leaf-first; we reverse for top-down application so
- * the trust anchor's policy applies first, then each intermediate's,
- * then the leaf's claimed metadata is the starting object.
+ * Per OpenID Federation 1.0 §6.2, an entity's metadata_policy comes
+ * from the SUPERIOR-SIGNED subordinate statement about that entity
+ * (`chain[i].subordinate.metadata_policy`), NOT from the entity's own
+ * self-published configuration. An entity cannot self-declare the
+ * policy that constrains it — that would let a leaf widen or drop the
+ * trust anchor's value / subset_of / essential constraints. The leaf's
+ * own self-config metadata_policy is therefore ignored.
+ *
+ * The chain is leaf-first; each `chain[i].subordinate` is the statement
+ * signed by the superior directly above entity `i`, so walking high
+ * index → low index applies the anchor's policy first, then each
+ * intermediate's, narrowing down to the leaf (§6.2 narrow-only merge).
  *
  * @example
  *   var effective = b.auth.openidFederation.applyMetadataPolicy(
@@ -361,12 +370,17 @@ function applyMetadataPolicy(metadata, chain, kind) {
       "applyMetadataPolicy: chain must be an array");
   }
   var out = Object.assign({}, metadata);
-  // Walk top-down (anchor last in leaf-first array).
+  // Walk top-down (anchor last in leaf-first array). Read the policy
+  // from each node's SUPERIOR-SIGNED subordinate statement — never from
+  // the entity's own self-config — so the anchor/intermediate
+  // constraints can't be dropped by a self-declared policy. The anchor
+  // node carries no `.subordinate` (it terminates the chain) and is
+  // skipped; the leaf's self-config policy is never read.
   for (var i = chain.length - 1; i >= 0; i--) {
     var stmt = chain[i];
-    if (!stmt || !stmt.claims) continue;
-    if (stmt.claims.metadata_policy && stmt.claims.metadata_policy[kind]) {
-      out = _applyOnePolicy(out, stmt.claims.metadata_policy[kind]);
+    if (!stmt || !stmt.subordinate) continue;
+    if (stmt.subordinate.metadata_policy && stmt.subordinate.metadata_policy[kind]) {
+      out = _applyOnePolicy(out, stmt.subordinate.metadata_policy[kind]);
     }
   }
   return out;
@@ -433,6 +447,18 @@ async function buildTrustChain(opts) {
   };
   var maxDepth = opts.maxDepth || MAX_CHAIN_DEPTH;
 
+  // ---- Phase 1: collect the chain bottom-up (leaf → anchor) ----------
+  // Fetch each entity's self-config + the superior-signed subordinate
+  // statement about it, but DEFER cryptographic chain verification to
+  // Phase 2. The signature on a subordinate statement must be checked
+  // against the keys ATTESTED for the signing authority by ITS superior
+  // — flowing down from the operator-pinned anchor — not against the
+  // authority's own self-published config jwks. Verifying eagerly here
+  // (against self-published keys) is a fetch-time TOCTOU: an attacker
+  // controlling the authority's endpoint can serve attacker jwks to the
+  // statement-verify fetch while serving genuine config elsewhere, and
+  // the only operator-pinned trust (the anchor key) never gates the
+  // subordinate links.
   var chain = [];
   var current = opts.leafEntityId;
   var depth = 0;
@@ -446,6 +472,7 @@ async function buildTrustChain(opts) {
   // hostile-federation probes immediately.
   var visited = Object.create(null);
   visited[current] = true;
+  var reachedAnchor = false;
   while (depth < maxDepth) {
     var entityConfigUrl = current.replace(/\/$/, "") + "/.well-known/openid-federation";
     var entityConfigJwt = await fetcher(entityConfigUrl);
@@ -454,21 +481,22 @@ async function buildTrustChain(opts) {
       throw new AuthError("auth-openid-federation/bad-self-statement",
         "entity configuration for \"" + current + "\" must have iss==sub==entity_id");
     }
-    // Self-signed: verify with its own jwks.
+    // Self-statement integrity: a well-formed entity config is self-signed
+    // over its own jwks. This proves the document isn't truncated/garbled
+    // — it is NOT the trust decision. Trust flows from the anchor through
+    // the subordinate statements verified top-down in Phase 2.
     verifyEntityStatement(entityConfigJwt, parsedEC.claims.jwks || {});
 
     // Is this entity a trust anchor?
     if (Object.prototype.hasOwnProperty.call(opts.trustAnchors, current)) {
       // Verify the anchor's self-statement using the operator-pinned
       // JWKS — defends against a compromised anchor key by trusting
-      // the configured one over what the anchor publishes today.
+      // the configured one over what the anchor publishes today. The
+      // pinned keys become the root of the top-down verification.
       verifyEntityStatement(entityConfigJwt, opts.trustAnchors[current]);
       chain.push({ jwt: entityConfigJwt, claims: parsedEC.claims, role: "trust_anchor" });
-      _emitAudit("chain_built", "success", {
-        leaf: opts.leafEntityId, depth: chain.length, anchor: current,
-      });
-      _emitMetric("chain-built");
-      return chain;
+      reachedAnchor = true;
+      break;
     }
     // Not the anchor — add to chain, ascend via authority_hints.
     chain.push({
@@ -481,16 +509,15 @@ async function buildTrustChain(opts) {
       throw new AuthError("auth-openid-federation/no-authority-hints",
         "entity \"" + current + "\" has no authority_hints; cannot ascend to a trust anchor");
     }
-    // Pick the FIRST authority_hint that resolves to a trust anchor,
-    // OR the first that returns a valid subordinate statement. Real
-    // operators with multiple federations usually have one anchor
-    // active; we walk in order and pick the first success.
-    // Track every per-authority failure reason and surface them on
-    // `no-ascent` rather than masking — silently
-    // swallowing `catch (_e) {}` lets a hostile intermediate that
-    // serves a malformed-then-valid pair shape-walk the verifier.
-    // We continue past 404 / fetch errors but refuse on
-    // signature-verify failure (cryptographic refusal is a hard stop).
+    // Pick the FIRST authority_hint that yields a fetchable subordinate
+    // statement with matching iss/sub. We continue past 404 / fetch /
+    // parse errors (acceptable "try the next hint") and surface every
+    // failure reason on `no-ascent` rather than masking it — silently
+    // swallowing `catch (_e) {}` lets a hostile intermediate that serves
+    // a malformed-then-valid pair shape-walk the verifier. Cryptographic
+    // verification is NOT done here; the selected statement is verified
+    // against the superior-attested keys in Phase 2, so a forged
+    // signature fails the whole chain regardless of which hint picked it.
     var ascended = false;
     var ascentErrors = [];
     for (var ai = 0; ai < parsedEC.claims.authority_hints.length; ai++) {
@@ -502,49 +529,83 @@ async function buildTrustChain(opts) {
           ascentErrors.push({ authority: authority, code: "iss-sub-mismatch" });
           continue;
         }
-        var authorityCfgJwt = await fetcher(authority.replace(/\/$/, "") + "/.well-known/openid-federation");
-        var authorityCfgClaims = parseEntityStatement(authorityCfgJwt).claims;
-        // Cryptographic verification — any throw here is a hard
-        // refusal, NOT a "try next authority" signal. A malformed-
-        // signature subordinate from an authority listed by the
-        // entity means that authority is hostile or compromised;
-        // moving on lets a chain-shaping attacker bypass the gate.
-        verifyEntityStatement(subordinateJwt, authorityCfgClaims.jwks || {});
-        chain[chain.length - 1].claims.jwks = parsedSub.claims.jwks || chain[chain.length - 1].claims.jwks;
-        chain[chain.length - 1].subordinateJwt = subordinateJwt;
-        chain[chain.length - 1].subordinate    = parsedSub.claims;
-        // Refuse revisit. A trust anchor terminates the loop
-        // before re-entry, so a revisit here ALWAYS means a cyclic
+        // Refuse revisit. A trust anchor terminates the loop before
+        // re-entry, so a revisit here ALWAYS means a cyclic
         // authority_hints graph.
         if (visited[authority]) {
           throw new AuthError("auth-openid-federation/chain-cycle",
             "buildTrustChain: authority \"" + authority + "\" already visited — " +
             "cyclic authority_hints graph refused");
         }
+        // Stash the superior-signed subordinate statement on the entity
+        // it is ABOUT. Phase 2 verifies its signature against the
+        // attested keys for `authority` and applies its metadata_policy.
+        chain[chain.length - 1].subordinateJwt = subordinateJwt;
+        chain[chain.length - 1].subordinate    = parsedSub.claims;
         visited[authority] = true;
         current = authority;
         ascended = true;
         break;
       } catch (err) {
+        // A cycle refusal is a hard stop, not a "try next hint" signal.
+        if (err && err.code === "auth-openid-federation/chain-cycle") throw err;
         var errCode = (err && err.code) || "unknown";
-        // Network / 404 / parse errors at the AUTHORITY-fetch step
-        // are acceptable "try the next hint" signals. Verify-side
-        // failures (crypto) are NOT — surface them and abort.
-        if (/^auth-openid-federation\/(?:bad-jwk|alg-kty-mismatch|bad-signature|signature-failed)$/.test(errCode)) {
-          throw err;
-        }
         ascentErrors.push({ authority: authority, code: errCode, message: (err && err.message) || String(err) });
       }
     }
     if (!ascended) {
       throw new AuthError("auth-openid-federation/no-ascent",
-        "entity \"" + current + "\" has authority_hints but none yielded a verifiable subordinate statement: " +
+        "entity \"" + current + "\" has authority_hints but none yielded a fetchable subordinate statement: " +
         JSON.stringify(ascentErrors));
     }
     depth += 1;
   }
-  throw new AuthError("auth-openid-federation/chain-too-deep",
-    "buildTrustChain: max depth " + maxDepth + " exceeded; refused");
+  if (!reachedAnchor) {
+    throw new AuthError("auth-openid-federation/chain-too-deep",
+      "buildTrustChain: max depth " + maxDepth + " exceeded; refused");
+  }
+
+  // ---- Phase 2: verify top-down against attested keys ----------------
+  // Trust flows from the operator-pinned anchor downward. Each
+  // subordinate statement is signed by the superior directly above the
+  // entity it describes, and pins that entity's jwks. We start with the
+  // anchor's pinned keys and, for each step down, verify the subordinate
+  // statement with the keys attested for its SIGNER (never the signer's
+  // self-published config), then adopt the statement's attested jwks as
+  // the trusted keys for the next step. This closes the fetch-time TOCTOU
+  // and makes the anchor key gate every link, not just the anchor's own
+  // self-config.
+  var anchorEntityId = chain[chain.length - 1].claims.iss;
+  var attestedJwks = opts.trustAnchors[anchorEntityId];
+  for (var ci = chain.length - 2; ci >= 0; ci--) {
+    var node = chain[ci];
+    if (!node.subordinate || !node.subordinateJwt) {
+      // Every non-anchor node must carry the superior-signed statement
+      // collected in Phase 1; its absence is an internal invariant break.
+      throw new AuthError("auth-openid-federation/no-subordinate",
+        "buildTrustChain: entity \"" + node.claims.iss + "\" has no superior-signed subordinate statement");
+    }
+    // Verify against the SIGNER's attested keys (flowed down), not the
+    // signer's self-published config jwks.
+    verifyEntityStatement(node.subordinateJwt, attestedJwks || {});
+    // The subordinate statement pins this entity's jwks — adopt the
+    // attested keys for the next link down, and reflect them on the node.
+    if (node.subordinate.jwks && Array.isArray(node.subordinate.jwks.keys)) {
+      node.claims.jwks = node.subordinate.jwks;
+      attestedJwks = node.subordinate.jwks;
+    } else {
+      // A subordinate statement that pins no keys cannot attest the next
+      // link — refuse rather than fall back to self-published keys.
+      throw new AuthError("auth-openid-federation/no-attested-jwks",
+        "subordinate statement for \"" + node.claims.iss + "\" pins no jwks; cannot attest the chain downward");
+    }
+  }
+
+  _emitAudit("chain_built", "success", {
+    leaf: opts.leafEntityId, depth: chain.length, anchor: anchorEntityId,
+  });
+  _emitMetric("chain-built");
+  return chain;
 }
 
 /**

package/lib/backup/index.js

@@ -54,6 +54,7 @@ var nodePath = require("node:path");
 var bCrypto = require("../crypto");
 var atomicFile = require("../atomic-file");
 var backupBundle = require("./bundle");
+var frameworkFiles = require("../framework-files");
 var backupManifest = require("./manifest");
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
@@ -887,21 +888,23 @@ function recommendedFiles(opts) {
   var files = [];
 
   if (atRest === "encrypted") {
-    files.push({ relativePath: "db.enc",     kind: "raw", required: true });
-    files.push({ relativePath: "db.key.enc", kind: "raw", required: true });
+    files.push({ relativePath: frameworkFiles.fileName("dbEnc"),    kind: "raw", required: true });
+    files.push({ relativePath: frameworkFiles.fileName("dbKeyEnc"), kind: "raw", required: true });
   } else {
     files.push({ relativePath: dbName,       kind: "raw", required: true });
   }
 
   if (vaultMode === "wrapped") {
-    files.push({ relativePath: "vault.key.sealed", kind: "raw", required: true });
+    files.push({ relativePath: frameworkFiles.fileName("vaultKey") + ".sealed", kind: "raw", required: true });
   } else {
-    files.push({ relativePath: "vault.key", kind: "raw", required: true });
+    files.push({ relativePath: frameworkFiles.fileName("vaultKey"), kind: "raw", required: true });
   }
 
   // Audit-signing key (always present; sealed in wrapped mode)
   files.push({
-    relativePath: vaultMode === "wrapped" ? "audit-sign.key.sealed" : "audit-sign.key",
+    relativePath: vaultMode === "wrapped"
+      ? frameworkFiles.fileName("auditSignKey") + ".sealed"
+      : frameworkFiles.fileName("auditSignKey"),
     kind: "raw", required: false,
   });
 
@@ -2368,7 +2371,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         // b.objectStore surfaces NOT_FOUND via the framework's
         // err.code === "NOT_FOUND" convention — translate to the
         // backup adapter contract's no-key error.
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           throw new BackupError("backup/no-key",
             "objectStoreAdapter: key not found: " + JSON.stringify(key));
         }
@@ -2425,7 +2428,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
       } catch (e) {
         // drop-silent on NOT_FOUND — adapter contract is idempotent
         // delete (fsAdapter same shape).
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           return;
         }
         throw e;
@@ -2436,7 +2439,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         await client.head(_scopedKey(key));
         return true;
       } catch (e) {
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           return false;
         }
         throw e;
@@ -2453,7 +2456,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         var buf = Buffer.isBuffer(body) ? body : Buffer.from(body);
         return buf.slice(0, length);
       } catch (e) {
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           throw new BackupError("backup/no-key",
             "objectStoreAdapter.readPartial: key not found: " + JSON.stringify(key));
         }
@@ -2466,7 +2469,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         if (!meta || typeof meta.size !== "number") return null;
         return { size: meta.size, mtimeMs: meta.lastModified || null };
       } catch (e) {
-        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+        if (e && (e.code === "NOT_FOUND" || e.statusCode === 404 || /NOT_FOUND|not found/i.test(e.message || ""))) {
           return null;
         }
         throw e;