@blamejs/core 0.15.14 → 0.15.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/index.js +2 -0
- package/lib/auth/ciba.js +32 -8
- package/lib/auth/dpop.js +9 -0
- package/lib/auth/fido-mds3.js +25 -12
- package/lib/auth/jwt.js +19 -3
- package/lib/auth/oauth.js +8 -2
- package/lib/auth/saml.js +19 -9
- package/lib/crypto-field.js +19 -1
- package/lib/csp.js +9 -0
- package/lib/db-query.js +33 -2
- package/lib/mail-auth.js +24 -1
- package/lib/mail-dkim.js +20 -7
- package/lib/middleware/compose-pipeline.js +39 -5
- package/lib/pipl-cn.js +11 -8
- package/lib/request-helpers.js +146 -13
- package/lib/safe-json.js +26 -0
- package/lib/session.js +35 -117
- package/lib/sql.js +22 -0
- package/lib/ws-client.js +26 -0
- package/lib/x509-chain.js +71 -24
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/lib/x509-chain.js
CHANGED
|
@@ -1,33 +1,80 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* @module b.x509Chain
|
|
4
|
+
* @nav Crypto
|
|
5
|
+
* @title X.509 chain (CA-bit issuer test)
|
|
6
|
+
*
|
|
7
|
+
* @intro
|
|
8
|
+
* The basicConstraints-enforcing issuer test the framework's own
|
|
9
|
+
* certificate-chain walkers route through (<code>b.tsa.verifyToken</code>,
|
|
10
|
+
* <code>b.mail.bimi</code> VMC/CMC, <code>b.mail.crypto.smime</code>,
|
|
11
|
+
* <code>b.mdoc</code>, <code>b.contentCredentials</code>,
|
|
12
|
+
* <code>b.auth.fido</code>). It exists because node:crypto's
|
|
13
|
+
* <code>X509Certificate.checkIssued()</code> validates the issuer/subject
|
|
14
|
+
* DN match, the AKI/SKI linkage, and — only when a keyUsage extension is
|
|
15
|
+
* present — keyCertSign, but it does <strong>not</strong> enforce
|
|
16
|
+
* basicConstraints cA:TRUE. A leaf / end-entity certificate (cA:FALSE)
|
|
17
|
+
* that omits keyUsage is therefore wrongly accepted as a signing CA for
|
|
18
|
+
* the next certificate in the chain — the classic basicConstraints bypass
|
|
19
|
+
* (CVE-2002-0862 class). Every in-tree walker routes its issuer test
|
|
20
|
+
* through these helpers so the cA enforcement can never be forgotten in
|
|
21
|
+
* one walker but present in another.
|
|
22
|
+
*
|
|
23
|
+
* Exposed so a consumer validating an X.509 chain <em>outside</em> a TLS
|
|
24
|
+
* handshake — an operator-uploaded CA bundle, a non-handshake PQ-signed
|
|
25
|
+
* certificate — has the same hardened, fail-closed test instead of being
|
|
26
|
+
* pushed toward the raw <code>checkIssued()</code> path this module
|
|
27
|
+
* exists to prevent. Both helpers fail closed: any malformed input or
|
|
28
|
+
* unsupported key type returns false rather than throwing.
|
|
29
|
+
*
|
|
30
|
+
* @card
|
|
31
|
+
* basicConstraints cA:TRUE-enforcing X.509 issuer test, fail-closed —
|
|
32
|
+
* the hardened alternative to node's checkIssued() for chains built
|
|
33
|
+
* outside a TLS handshake.
|
|
34
|
+
*/
|
|
2
35
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
//
|
|
20
|
-
|
|
36
|
+
/**
|
|
37
|
+
* @primitive b.x509Chain.isCaCert
|
|
38
|
+
* @signature b.x509Chain.isCaCert(cert)
|
|
39
|
+
* @since 0.15.15
|
|
40
|
+
* @status stable
|
|
41
|
+
* @related b.x509Chain.issuerValidlyIssued
|
|
42
|
+
*
|
|
43
|
+
* True only when <code>cert</code> asserts basicConstraints cA:TRUE.
|
|
44
|
+
* node's <code>X509Certificate</code> exposes <code>.ca</code> (a boolean);
|
|
45
|
+
* a certificate with no basicConstraints extension or with cA:FALSE
|
|
46
|
+
* returns false. A missing cert or a non-boolean <code>.ca</code> (parse
|
|
47
|
+
* failure / unsupported runtime) fails closed to false.
|
|
48
|
+
*
|
|
49
|
+
* @example
|
|
50
|
+
* var crypto = require("crypto");
|
|
51
|
+
* var ca = new crypto.X509Certificate(caPem);
|
|
52
|
+
* b.x509Chain.isCaCert(ca); // → true only if basicConstraints cA:TRUE
|
|
53
|
+
*/
|
|
21
54
|
function isCaCert(cert) {
|
|
22
55
|
return !!cert && cert.ca === true;
|
|
23
56
|
}
|
|
24
57
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
58
|
+
/**
|
|
59
|
+
* @primitive b.x509Chain.issuerValidlyIssued
|
|
60
|
+
* @signature b.x509Chain.issuerValidlyIssued(issuer, subject)
|
|
61
|
+
* @since 0.15.15
|
|
62
|
+
* @status stable
|
|
63
|
+
* @related b.x509Chain.isCaCert
|
|
64
|
+
*
|
|
65
|
+
* True when <code>issuer</code> validly issued <code>subject</code> AND is
|
|
66
|
+
* itself a CA: the DN / AKI-SKI / keyUsage linkage (checkIssued), the
|
|
67
|
+
* cryptographic signature (verify), and basicConstraints cA:TRUE
|
|
68
|
+
* (isCaCert). The cA check runs first so a non-CA certificate is rejected
|
|
69
|
+
* before the expensive signature verification. Any exception (malformed
|
|
70
|
+
* cert, unsupported key type) fails closed to false.
|
|
71
|
+
*
|
|
72
|
+
* @example
|
|
73
|
+
* var crypto = require("crypto");
|
|
74
|
+
* var issuer = new crypto.X509Certificate(issuerPem);
|
|
75
|
+
* var subject = new crypto.X509Certificate(leafPem);
|
|
76
|
+
* b.x509Chain.issuerValidlyIssued(issuer, subject); // → boolean
|
|
77
|
+
*/
|
|
31
78
|
function issuerValidlyIssued(issuer, subject) {
|
|
32
79
|
try {
|
|
33
80
|
return isCaCert(issuer) &&
|
package/package.json
CHANGED
package/sbom.cdx.json
CHANGED
|
@@ -2,10 +2,10 @@
|
|
|
2
2
|
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
|
|
3
3
|
"bomFormat": "CycloneDX",
|
|
4
4
|
"specVersion": "1.5",
|
|
5
|
-
"serialNumber": "urn:uuid:
|
|
5
|
+
"serialNumber": "urn:uuid:b3337d85-2941-4510-a9ff-2246e428aef5",
|
|
6
6
|
"version": 1,
|
|
7
7
|
"metadata": {
|
|
8
|
-
"timestamp": "2026-06-
|
|
8
|
+
"timestamp": "2026-06-22T03:24:08.024Z",
|
|
9
9
|
"lifecycles": [
|
|
10
10
|
{
|
|
11
11
|
"phase": "build"
|
|
@@ -19,14 +19,14 @@
|
|
|
19
19
|
}
|
|
20
20
|
],
|
|
21
21
|
"component": {
|
|
22
|
-
"bom-ref": "@blamejs/core@0.15.
|
|
22
|
+
"bom-ref": "@blamejs/core@0.15.15",
|
|
23
23
|
"type": "application",
|
|
24
24
|
"name": "blamejs",
|
|
25
|
-
"version": "0.15.
|
|
25
|
+
"version": "0.15.15",
|
|
26
26
|
"scope": "required",
|
|
27
27
|
"author": "blamejs contributors",
|
|
28
28
|
"description": "The Node framework that owns its stack.",
|
|
29
|
-
"purl": "pkg:npm/%40blamejs/core@0.15.
|
|
29
|
+
"purl": "pkg:npm/%40blamejs/core@0.15.15",
|
|
30
30
|
"properties": [],
|
|
31
31
|
"externalReferences": [
|
|
32
32
|
{
|
|
@@ -54,7 +54,7 @@
|
|
|
54
54
|
"components": [],
|
|
55
55
|
"dependencies": [
|
|
56
56
|
{
|
|
57
|
-
"ref": "@blamejs/core@0.15.
|
|
57
|
+
"ref": "@blamejs/core@0.15.15",
|
|
58
58
|
"dependsOn": []
|
|
59
59
|
}
|
|
60
60
|
]
|