@blamejs/core 0.8.90 → 0.9.1

package/index.js

@@ -145,6 +145,9 @@ var compliance = Object.assign({}, require("./lib/compliance"), {
 var dataAct = require("./lib/data-act");
 var problemDetails = require("./lib/problem-details");
 var cacheStatus = require("./lib/cache-status");
+var cdnCacheControl = require("./lib/cdn-cache-control");
+var clientHints = require("./lib/client-hints");
+var structuredFields = require("./lib/structured-fields");
 var serverTiming = require("./lib/server-timing");
 var earlyHints = require("./lib/early-hints");
 var gateContract = require("./lib/gate-contract");
@@ -377,6 +380,9 @@ module.exports = {
   dataAct:          dataAct,
   problemDetails:   problemDetails,
   cacheStatus:      cacheStatus,
+  cdnCacheControl:  cdnCacheControl,
+  clientHints:      clientHints,
+  structuredFields: structuredFields,
   serverTiming:     serverTiming,
   earlyHints:       earlyHints,
   gateContract:     gateContract,

package/lib/ai-pref.js

@@ -26,8 +26,9 @@
  *   AIPREF (RFC draft) signal — operators publish a machine-readable preference about AI training / agent crawling / etc.
  */
 
-var audit = require("./audit");
-var requestHelpers = require("./request-helpers");
+var audit            = require("./audit");
+var requestHelpers   = require("./request-helpers");
+var structuredFields = require("./structured-fields");
 var { defineClass } = require("./framework-error");
 var AiPrefError = defineClass("AiPrefError", { alwaysPermanent: true });
 
@@ -145,6 +146,11 @@ function parseHeader(value) {
     throw AiPrefError.factory("HEADER_TOO_LARGE",
       "aiPref.parseHeader: value exceeds 1024 chars");
   }
+  structuredFields.refuseControlBytes(value, {
+    ErrorClass: AiPrefError,
+    code:       "BAD_HEADER",
+    label:      "aiPref.parseHeader",
+  });
   var out = { train: null, infer: null, snippet: null, price: null };
   var pairs = value.split(",");
   for (var i = 0; i < pairs.length; i += 1) {

package/lib/auth/oauth.js

@@ -108,7 +108,7 @@ var nodeCrypto = require("node:crypto");
 var cache = require("../cache");
 var C = require("../constants");
 var safeAsync = require("../safe-async");
-var { generateBytes } = require("../crypto");
+var { generateBytes, timingSafeEqual: cryptoTimingSafeEqual } = require("../crypto");
 var httpClient = require("../http-client");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
@@ -678,10 +678,15 @@ function create(opts) {
         "but the callback omitted `iss` — refused (RFC 9207 / FAPI 2.0 §5.4.2)");
     }
     if (popts.expectedState !== undefined && popts.expectedState !== null) {
-      if (query.state !== popts.expectedState) {
+      // Constant-time compare on the CSRF state token. Project
+      // discipline (auth/dpop.js, mail-srs.js, webhook.js) is
+      // timingSafeEqual for any secret-shaped value compared
+      // against attacker-controlled input. (Audit 2026-05-11.)
+      if (typeof query.state !== "string" ||
+          !cryptoTimingSafeEqual(query.state, popts.expectedState)) {
         throw new OAuthError("auth-oauth/state-mismatch",
-          "parseCallback: state mismatch (CSRF defense). Expected '" +
-          popts.expectedState + "', got '" + query.state + "'");
+          "parseCallback: state mismatch (CSRF defense) — expected and " +
+          "supplied state values do not match");
       }
     }
     if (typeof query.code !== "string" || query.code.length === 0) {
@@ -922,6 +927,16 @@ function create(opts) {
       throw new OAuthError("auth-oauth/alg-not-accepted",
         "ID token signed with '" + header.alg + "' which is not in the accepted-algorithm list");
     }
+    // RFC 7515 §4.1.11 — refuse JWS with `crit` header. Every other
+    // verifier in the framework (jwt.js, jwt-external.js, dpop.js)
+    // refuses; verifyIdToken previously silently ignored, letting an
+    // attacker-controlled OP ship critical extensions the verifier
+    // doesn't understand. (Audit 2026-05-11.)
+    if (header.crit !== undefined && header.crit !== null) {
+      throw new OAuthError("auth-oauth/crit-not-supported",
+        "ID token JWS header carries 'crit' extension list; this verifier does not " +
+        "support any critical extensions and refuses per RFC 7515 §4.1.11");
+    }
     var keys = await _getJwks();
     var match = null;
     if (header.kid) {
@@ -943,7 +958,19 @@ function create(opts) {
     if (params.padding !== undefined) verifyOpts.padding = params.padding;
     if (params.saltLength !== undefined) verifyOpts.saltLength = params.saltLength;
     if (params.dsaEncoding !== undefined) verifyOpts.dsaEncoding = params.dsaEncoding;
-    var verified = nodeCrypto.verify(params.hash, Buffer.from(signingInput, "ascii"), verifyOpts, sig);
+    // nodeCrypto.verify panics on key/sig shape mismatch (e.g. an
+    // ES256 signature attempted against an RS256 key returned by a
+    // hostile or buggy IdP with duplicate kids). Wrap so the panic
+    // becomes a typed AuthError, matching the discipline in
+    // jwt-external.js + dpop.js. (Audit 2026-05-11.)
+    var verified;
+    try {
+      verified = nodeCrypto.verify(params.hash, Buffer.from(signingInput, "ascii"), verifyOpts, sig);
+    } catch (verifyErr) {
+      throw new OAuthError("auth-oauth/bad-signature",
+        "ID token signature verification raised: " +
+        ((verifyErr && verifyErr.message) || String(verifyErr)));
+    }
     if (!verified) {
       throw new OAuthError("auth-oauth/bad-signature", "ID token signature verification failed");
     }
@@ -976,7 +1003,10 @@ function create(opts) {
         "ID token aud does not contain clientId '" + clientId + "'");
     }
     if (vopts.nonce && !vopts.skipNonceCheck) {
-      if (payload.nonce !== vopts.nonce) {
+      // Constant-time nonce compare — secret-shaped value matched
+      // against attacker-controlled payload. (Audit 2026-05-11.)
+      if (typeof payload.nonce !== "string" ||
+          !cryptoTimingSafeEqual(payload.nonce, vopts.nonce)) {
         throw new OAuthError("auth-oauth/nonce-mismatch",
           "ID token nonce mismatch (replay protection)");
       }

package/lib/auth/openid-federation.js

@@ -155,6 +155,23 @@ function verifyEntityStatement(jwt, jwks) {
       "verifyEntityStatement: no JWKS key matches kid \"" + parsed.header.kid + "\"");
   }
 
+  // Cross-check the JWK key type against the JWS `alg` header BEFORE
+  // verifying. Without this an attacker-controlled entity-config can
+  // declare `alg: "ES256"` while supplying an RSA `kty: "RSA"` JWK;
+  // Node will silently use the RSA key with SHA-256 and the signature
+  // verify either always-fails (if PSS) or succeeds against a payload
+  // the attacker crafted to match the wrong primitive (algorithm/key-
+  // type confusion). (Audit 2026-05-11.)
+  var expectedKty = null;
+  if (parsed.header.alg.indexOf("ES") === 0)        expectedKty = "EC";
+  else if (parsed.header.alg.indexOf("PS") === 0 || parsed.header.alg.indexOf("RS") === 0) expectedKty = "RSA";
+  else if (parsed.header.alg === "EdDSA")           expectedKty = "OKP";
+  if (expectedKty && key.kty !== expectedKty) {
+    throw new AuthError("auth-openid-federation/alg-kty-mismatch",
+      "verifyEntityStatement: JWS header alg=\"" + parsed.header.alg + "\" requires " +
+      "JWK kty=\"" + expectedKty + "\" but the resolved JWK has kty=\"" + key.kty + "\"");
+  }
+
   var keyObj;
   try { keyObj = nodeCrypto.createPublicKey({ key: key, format: "jwk" }); }
   catch (e) {
@@ -431,38 +448,52 @@ async function buildTrustChain(opts) {
     // OR the first that returns a valid subordinate statement. Real
     // operators with multiple federations usually have one anchor
     // active; we walk in order and pick the first success.
+    // Track every per-authority failure reason and surface them on
+    // `no-ascent` rather than masking. Audit 2026-05-11 — silently
+    // swallowing `catch (_e) {}` lets a hostile intermediate that
+    // serves a malformed-then-valid pair shape-walk the verifier.
+    // We continue past 404 / fetch errors but refuse on
+    // signature-verify failure (cryptographic refusal is a hard stop).
     var ascended = false;
+    var ascentErrors = [];
     for (var ai = 0; ai < parsedEC.claims.authority_hints.length; ai++) {
       var authority = parsedEC.claims.authority_hints[ai];
       try {
         var subordinateJwt = await fetchSubordinate(authority, current);
         var parsedSub = parseEntityStatement(subordinateJwt);
         if (parsedSub.claims.iss !== authority || parsedSub.claims.sub !== current) {
+          ascentErrors.push({ authority: authority, code: "iss-sub-mismatch" });
           continue;
         }
-        // Need to fetch the authority's JWKS to verify the subordinate
-        // statement — the authority's entity-config carries it. We
-        // verify that on the next loop iteration; for now, refuse if
-        // the subordinate's signature doesn't verify with the keys
-        // declared in the authority's most recently fetched config.
         var authorityCfgJwt = await fetcher(authority.replace(/\/$/, "") + "/.well-known/openid-federation");
         var authorityCfgClaims = parseEntityStatement(authorityCfgJwt).claims;
+        // Cryptographic verification — any throw here is a hard
+        // refusal, NOT a "try next authority" signal. A malformed-
+        // signature subordinate from an authority listed by the
+        // entity means that authority is hostile or compromised;
+        // moving on lets a chain-shaping attacker bypass the gate.
         verifyEntityStatement(subordinateJwt, authorityCfgClaims.jwks || {});
-        // Replace the entity's claimed JWKS with the JWKS the
-        // authority signs about it — this is the trust-bearing one.
         chain[chain.length - 1].claims.jwks = parsedSub.claims.jwks || chain[chain.length - 1].claims.jwks;
         chain[chain.length - 1].subordinateJwt = subordinateJwt;
         chain[chain.length - 1].subordinate    = parsedSub.claims;
         current = authority;
         ascended = true;
         break;
-      } catch (_e) {
-        // Try the next authority_hint.
+      } catch (err) {
+        var errCode = (err && err.code) || "unknown";
+        // Network / 404 / parse errors at the AUTHORITY-fetch step
+        // are acceptable "try the next hint" signals. Verify-side
+        // failures (crypto) are NOT — surface them and abort.
+        if (/^auth-openid-federation\/(?:bad-jwk|alg-kty-mismatch|bad-signature|signature-failed)$/.test(errCode)) {
+          throw err;
+        }
+        ascentErrors.push({ authority: authority, code: errCode, message: (err && err.message) || String(err) });
       }
     }
     if (!ascended) {
       throw new AuthError("auth-openid-federation/no-ascent",
-        "entity \"" + current + "\" has authority_hints but none yielded a verifiable subordinate statement");
+        "entity \"" + current + "\" has authority_hints but none yielded a verifiable subordinate statement: " +
+        JSON.stringify(ascentErrors));
     }
     depth += 1;
   }

package/lib/auth/saml.js

@@ -49,7 +49,7 @@
 var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var nodeCrypto   = require("node:crypto");
-var { generateToken } = require("../crypto");
+var { generateToken, timingSafeEqual } = require("../crypto");
 var { AuthError } = require("../framework-error");
 
 var xmlC14n   = lazyRequire(function () { return require("../xml-c14n"); });
@@ -261,7 +261,11 @@ function _verifyXmldsig(envelope, signatureNode, certPem) {
   }
   var canonical = c14n.canonicalize(refTarget, { withComments: refC14nWithComments });
   var actualDigest = nodeCrypto.createHash(SUPPORTED_DIGEST[digestAlgo]).update(canonical).digest();
-  if (Buffer.from(expectedDigestB64, "base64").compare(actualDigest) !== 0) {
+  // Constant-time compare — Buffer.compare short-circuits per byte and
+  // leaks the matching-prefix length when the operator's audit/log
+  // captures verify-failure timing. timingSafeEqual returns false for
+  // length-mismatched inputs without leaking length.
+  if (!timingSafeEqual(Buffer.from(expectedDigestB64, "base64"), actualDigest)) {
     throw new AuthError("auth-saml/digest-mismatch",
       "Reference DigestValue does not match canonicalized referenced element (signature-wrapping or tampered content)");
   }
@@ -360,9 +364,18 @@ function create(opts) {
     bopts = bopts || {};
     var id = "_" + generateToken(20);
     var issueInstant = new Date().toISOString();
+    // RFC 3741 §1.3.2 attribute-value + §1.3.1 element-text escaping
+    // for every operator-supplied string interpolated into the
+    // AuthnRequest XML. Without escaping, a `"` or `<` in any of the
+    // four fields (idpSsoUrl, assertionConsumerServiceUrl, entityId,
+    // nameIdFormat) produces malformed XML and can break out of the
+    // attribute / element context, injecting unsigned content the IdP
+    // canonicalizer would never honor but the consumer's signed XML
+    // baseline relies on. (Surfaced by the 2026-05-11 SAML audit.)
+    var c14n = xmlC14n();
     var nameIdPolicy = "";
     if (opts.nameIdFormat) {
-      nameIdPolicy = "<samlp:NameIDPolicy Format=\"" + opts.nameIdFormat +
+      nameIdPolicy = "<samlp:NameIDPolicy Format=\"" + c14n.escapeAttrValue(opts.nameIdFormat) +
                      "\" AllowCreate=\"true\"/>";
     }
     var xml =
@@ -371,10 +384,10 @@ function create(opts) {
       "ID=\"" + id + "\" " +
       "Version=\"2.0\" " +
       "IssueInstant=\"" + issueInstant + "\" " +
-      "Destination=\"" + opts.idpSsoUrl + "\" " +
-      "AssertionConsumerServiceURL=\"" + opts.assertionConsumerServiceUrl + "\" " +
+      "Destination=\"" + c14n.escapeAttrValue(opts.idpSsoUrl) + "\" " +
+      "AssertionConsumerServiceURL=\"" + c14n.escapeAttrValue(opts.assertionConsumerServiceUrl) + "\" " +
       "ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\">" +
-      "<saml:Issuer>" + opts.entityId + "</saml:Issuer>" +
+      "<saml:Issuer>" + c14n.escapeText(opts.entityId) + "</saml:Issuer>" +
       nameIdPolicy +
       "</samlp:AuthnRequest>";
     var zlib = require("node:zlib");
@@ -436,9 +449,26 @@ function create(opts) {
         "verifyResponse: root element must be Response, got " + rootLocal);
     }
 
-    // Validate Status
-    var status = _findChild(root, "Status", SAML_NS.protocol);
-    var statusCode = status && _findChild(status, "StatusCode", SAML_NS.protocol);
+    // XSW defense — refuse duplicate top-level security-critical
+    // elements. SAML XML signature wrapping (XSW) attacks shuffle
+    // signed elements alongside unsigned siblings; the parser's
+    // first-match `_findChild` lookup combined with the signed-
+    // element-ID check at L479 was vulnerable to a multi-Assertion
+    // payload where the verifier signed one but the consumer read
+    // attributes from another. Reject any Response with more than
+    // one of these structural children (Audit 2026-05-11).
+    var statusChildren = _findAllChildren(root, "Status", SAML_NS.protocol);
+    if (statusChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-status",
+        "verifyResponse: Response has multiple <Status> children — XSW shape refused");
+    }
+    var status = statusChildren[0] || null;
+    var statusCodeChildren = status ? _findAllChildren(status, "StatusCode", SAML_NS.protocol) : [];
+    if (statusCodeChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-status-code",
+        "verifyResponse: <Status> has multiple <StatusCode> children — XSW shape refused");
+    }
+    var statusCode = statusCodeChildren[0] || null;
     var statusValue = statusCode && _attr(statusCode, "Value");
     if (statusValue !== "urn:oasis:names:tc:SAML:2.0:status:Success") {
       throw new AuthError("auth-saml/bad-status",
@@ -448,7 +478,12 @@ function create(opts) {
     // Validate signature: prefer Assertion-level (most secure — the
     // assertion is the security-critical element). Fall back to
     // Response-level when the IdP signs the envelope only.
-    var assertion = _findChild(root, "Assertion", SAML_NS.assertion);
+    var assertionChildren = _findAllChildren(root, "Assertion", SAML_NS.assertion);
+    if (assertionChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-assertion",
+        "verifyResponse: Response has multiple <Assertion> children — XSW shape refused");
+    }
+    var assertion = assertionChildren[0] || null;
     if (!assertion) {
       throw new AuthError("auth-saml/no-assertion", "verifyResponse: Response has no Assertion");
     }
@@ -484,10 +519,20 @@ function create(opts) {
         opts.idpEntityId + "\"");
     }
 
-    // Subject + SubjectConfirmation
-    var subject = _findChild(assertion, "Subject", SAML_NS.assertion);
+    // Subject + SubjectConfirmation — XSW: refuse duplicate <Subject>.
+    var subjectChildren = _findAllChildren(assertion, "Subject", SAML_NS.assertion);
+    if (subjectChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-subject",
+        "verifyResponse: Assertion has multiple <Subject> children — XSW shape refused");
+    }
+    var subject = subjectChildren[0] || null;
     if (!subject) throw new AuthError("auth-saml/no-subject", "verifyResponse: missing Subject");
-    var nameIdEl = _findChild(subject, "NameID", SAML_NS.assertion);
+    var nameIdChildren = _findAllChildren(subject, "NameID", SAML_NS.assertion);
+    if (nameIdChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-nameid",
+        "verifyResponse: <Subject> has multiple <NameID> children — XSW shape refused");
+    }
+    var nameIdEl = nameIdChildren[0] || null;
     if (!nameIdEl) throw new AuthError("auth-saml/no-nameid", "verifyResponse: missing NameID");
     var nameId = _textContent(nameIdEl);
     var nameIdFormat = _attr(nameIdEl, "Format");
@@ -517,10 +562,17 @@ function create(opts) {
         continue;
       }
       var inResponseTo = _attr(scd, "InResponseTo");
-      if (vopts.expectedInResponseTo && inResponseTo !== vopts.expectedInResponseTo) {
-        throw new AuthError("auth-saml/bad-in-response-to",
-          "SubjectConfirmation InResponseTo \"" + inResponseTo +
-          "\" does not match expected \"" + vopts.expectedInResponseTo + "\" (replay defense)");
+      if (vopts.expectedInResponseTo) {
+        // Constant-time compare against the AuthnRequest ID the
+        // operator stored — protects against timing-based InResponseTo
+        // probing. timingSafeEqual returns false for missing /
+        // length-mismatch without leaking. (Audit 2026-05-11.)
+        if (inResponseTo === null || inResponseTo === undefined ||
+            !timingSafeEqual(inResponseTo, vopts.expectedInResponseTo)) {
+          throw new AuthError("auth-saml/bad-in-response-to",
+            "SubjectConfirmation InResponseTo does not match expected " +
+            "AuthnRequest ID (replay defense)");
+        }
       }
       bearerOk = true;
       break;
@@ -608,13 +660,16 @@ function create(opts) {
    *   });
    */
   function metadata() {
+    // RFC 3741 attr/text escaping for operator-supplied URLs / IDs —
+    // same audit-finding shape as buildAuthnRequest above.
+    var c14n = xmlC14n();
     return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-      "<md:EntityDescriptor xmlns:md=\"" + SAML_NS.metadata + "\" entityID=\"" + opts.entityId + "\">" +
+      "<md:EntityDescriptor xmlns:md=\"" + SAML_NS.metadata + "\" entityID=\"" + c14n.escapeAttrValue(opts.entityId) + "\">" +
       "<md:SPSSODescriptor protocolSupportEnumeration=\"" + SAML_NS.protocol + "\" " +
       "AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\">" +
       "<md:AssertionConsumerService " +
       "Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" " +
-      "Location=\"" + opts.assertionConsumerServiceUrl + "\" index=\"0\"/>" +
+      "Location=\"" + c14n.escapeAttrValue(opts.assertionConsumerServiceUrl) + "\" index=\"0\"/>" +
       "</md:SPSSODescriptor>" +
       "</md:EntityDescriptor>";
   }

package/lib/auth/sd-jwt-vc.js

@@ -61,9 +61,15 @@
  */
 
 var nodeCrypto = require("node:crypto");
+var blamejsCrypto = require("../crypto");
 var safeBuffer = require("../safe-buffer");
 var safeJson = require("../safe-json");
 var validateOpts = require("../validate-opts");
+
+function _timingSafeEqStr(a, b) {
+  if (typeof a !== "string" || typeof b !== "string") return false;
+  return blamejsCrypto.timingSafeEqual(a, b);
+}
 var disclosure = require("./sd-jwt-vc-disclosure");
 var sdJwtVcIssuer = require("./sd-jwt-vc-issuer");
 var sdJwtVcHolder = require("./sd-jwt-vc-holder");
@@ -284,7 +290,29 @@ function present(opts) {
   var jwt = parts[0];
   var allDisclosures = parts.slice(1).filter(function (p) { return p.length > 0; });
 
-  // Decode disclosures + filter by name
+  // Decode the issuer JWT payload to read its declared `_sd_alg` —
+  // KB-JWT `sd_hash` MUST be computed with the SAME hash algorithm
+  // the credential's `_sd` digests use (IETF SD-JWT draft §4.1.1).
+  // Hardcoded sha256 here previously diverged from the verifier when
+  // an issuer used a non-default hash, producing sd-hash-mismatch on
+  // valid presentations.
+  var _issuerPayload = null;
+  var _jwtParts = jwt.split(".");
+  if (_jwtParts.length === 3) {
+    try {
+      _issuerPayload = safeJson.parse(_b64uDecodeStr(_jwtParts[1]),
+        { maxBytes: 64 * 1024 });                                                                  // allow:bare-json-parse — payload only read to pull _sd_alg; final auth happens in verify() // allow:raw-byte-literal — JWT payload cap (64 KB)
+    } catch (_e) { _issuerPayload = null; }
+  }
+  var _sdAlg = (_issuerPayload && typeof _issuerPayload._sd_alg === "string")
+    ? _issuerPayload._sd_alg : "sha-256";
+  var _sdNodeHash = SUPPORTED_HASH_ALGS[_sdAlg];
+  if (!_sdNodeHash) {
+    throw new AuthError("auth-sd-jwt-vc/bad-hash",
+      "present: issuer credential declares _sd_alg \"" + _sdAlg +
+      "\" which this framework version does not support");
+  }
+
   var disclosedNames = Array.isArray(opts.disclosedClaimNames)
     ? opts.disclosedClaimNames.slice() : [];
   var releasedDisclosures = [];
@@ -314,7 +342,11 @@ function present(opts) {
       ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000);           // allow:raw-byte-literal — ms→s conversion factor
     // The KB-JWT's hash binds it to the specific SD-JWT + presentation
     var kbHashInput = presentation;     // jwt~d1~d2~ (without KB)
-    var sdHash = nodeCrypto.createHash("sha256")
+    // sd_hash uses the SAME hash algorithm the credential's _sd
+    // digests use (computed at top of present() from issuer payload).
+    // Matches the verifier's expectation in lib/auth/sd-jwt-vc.js
+    // verify() — both ends MUST agree on the algorithm.
+    var sdHash = nodeCrypto.createHash(_sdNodeHash)
                            .update(kbHashInput, "ascii")
                            .digest()
                            .toString("base64url");
@@ -429,12 +461,26 @@ async function verify(presentation, opts) {
   }
 
   // 3. Reconstruct disclosed claims from disclosures
-  var hashAlg = jwtParsed.payload._sd_alg || DEFAULT_HASH_ALG;
+  // IETF SD-JWT default `_sd_alg` is `sha-256` (draft-ietf-oauth-
+  // selective-disclosure-jwt §4.1.1). Earlier the framework defaulted
+  // to its own DEFAULT_HASH_ALG (`sha3-512`) which broke verification
+  // against spec-conformant issuers when `_sd_alg` was omitted.
+  // (Audit 2026-05-11.)
+  var hashAlg = jwtParsed.payload._sd_alg || "sha-256";
   if (!SUPPORTED_HASH_ALGS[hashAlg]) {
     throw new AuthError("auth-sd-jwt-vc/bad-hash",
       "verify: _sd_alg \"" + hashAlg + "\" not supported");
   }
   var sdDigests = Array.isArray(jwtParsed.payload._sd) ? jwtParsed.payload._sd : [];
+  // Protected-claim refusal: a holder-supplied disclosure with one
+  // of these names would shadow the issuer-signed payload claim when
+  // merged into the resolved set. Spec-protected per draft §5
+  // (the issuer-signed claims are authoritative).
+  var PROTECTED_CLAIM_NAMES = {
+    iss: 1, sub: 1, aud: 1, iat: 1, nbf: 1, exp: 1, jti: 1,
+    vct: 1, cnf: 1, _sd: 1, _sd_alg: 1, status: 1,
+  };
+  var seenDigests = Object.create(null);
   var disclosedClaims = {};
   for (var i = 0; i < disclosureParts.length; i++) {
     var d = disclosure.decode(disclosureParts[i]);
@@ -444,6 +490,23 @@ async function verify(presentation, opts) {
       throw new AuthError("auth-sd-jwt-vc/disclosure-mismatch",
         "verify: disclosure for claim \"" + d.name + "\" does not match any _sd digest");
     }
+    // Disclosure-replay defense — a holder presenting the same _sd
+    // digest twice (with the same or different values) is malformed
+    // per spec and is the shape of a partial-disclosure smuggling
+    // attack. Refuse on duplicate digest. (Audit 2026-05-11.)
+    if (seenDigests[digest]) {
+      throw new AuthError("auth-sd-jwt-vc/disclosure-replay",
+        "verify: disclosure digest \"" + digest.slice(0, 12) +
+        "...\" appears twice — refusing replayed disclosure");
+    }
+    seenDigests[digest] = true;
+    // Claim-shadowing defense — refuse holder-supplied disclosures
+    // whose name collides with an issuer-signed top-level claim.
+    if (PROTECTED_CLAIM_NAMES[d.name]) {
+      throw new AuthError("auth-sd-jwt-vc/protected-claim-shadow",
+        "verify: disclosure for claim \"" + d.name + "\" would shadow a " +
+        "spec-protected issuer-signed claim — refused");
+    }
     disclosedClaims[d.name] = d.value;
   }
 
@@ -485,14 +548,21 @@ async function verify(presentation, opts) {
       throw new AuthError("auth-sd-jwt-vc/wrong-nonce",
         "verify: KB-JWT nonce mismatch (replay defense)");
     }
-    // Validate KB-JWT sd_hash matches the presentation
+    // Validate KB-JWT sd_hash matches the presentation, using the
+    // credential's declared `_sd_alg` (audit 2026-05-11 — was
+    // hardcoded sha256 regardless of issuer's choice, breaking
+    // verification when issuer used sha3-512).
     var kbHashInput = jwt + "~";
     if (disclosureParts.length > 0) kbHashInput += disclosureParts.join("~") + "~";
-    var expectedSdHash = nodeCrypto.createHash("sha256")
+    var kbNodeHash = SUPPORTED_HASH_ALGS[hashAlg];
+    var expectedSdHash = nodeCrypto.createHash(kbNodeHash)
                                    .update(kbHashInput, "ascii")
                                    .digest()
                                    .toString("base64url");
-    if (kbParsed.payload.sd_hash !== expectedSdHash) {
+    // Constant-time compare on the sd_hash (both fixed-width
+    // base64url(SHA-*) strings; defense-in-depth even though the
+    // hash is itself the integrity binding).
+    if (!_timingSafeEqStr(kbParsed.payload.sd_hash, expectedSdHash)) {
       throw new AuthError("auth-sd-jwt-vc/sd-hash-mismatch",
         "verify: KB-JWT sd_hash does not match the presentation hash (presentation tampered with?)");
     }

package/lib/auth/step-up.js

@@ -60,11 +60,12 @@
  *   - auth.stepUp.grant.revoked   (elevation grant revoked)
  */
 
-var lazyRequire    = require("../lazy-require");
-var validateOpts   = require("../validate-opts");
-var safeJson       = require("../safe-json");
-var C              = require("../constants");
-var { AuthError }  = require("../framework-error");
+var lazyRequire      = require("../lazy-require");
+var validateOpts     = require("../validate-opts");
+var safeJson         = require("../safe-json");
+var structuredFields = require("../structured-fields");
+var C                = require("../constants");
+var { AuthError }    = require("../framework-error");
 
 var acr            = require("./acr-vocabulary");
 var authTime       = require("./auth-time-tracker");
@@ -362,6 +363,14 @@ function _summarizePresented(presented) {
 
 function parseChallenge(headerValue) {
   if (typeof headerValue !== "string") return null;
+  // Refuse C0 / DEL on the RAW value BEFORE the slice + trim
+  // normalisation below. WWW-Authenticate is a token-or-quoted-string
+  // grammar per RFC 9110 §11.3; a leading `\nBearer ...` would slip
+  // past the slice() with a clean `Bearer` token if we trimmed first
+  // (same shape as the v0.8.90 mail-require-tls bug class).
+  // parseChallenge is a defensive request-shape reader, so the
+  // predicate variant returns null rather than throwing.
+  if (structuredFields.containsControlBytes(headerValue)) return null;
   // Tolerate "Bearer " prefix in any case; reject anything else.
   var idx = headerValue.toLowerCase().indexOf("bearer");
   if (idx === -1) return null;