@blamejs/core 0.9.0 → 0.9.2

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.2 (2026-05-11) — **Audit hardening slice 2: WebAuthn + FIDO MDS3 + NIST AAL**. Continues the 2026-05-11 auth surface audit follow-through. **`b.auth.passkey.verifyAuthentication` counter-regression bypass fix** — pre-v0.9.2 the wrapper coerced `opts.credential.counter || 0`, silently zeroing an `undefined` / `null` / `NaN` counter and defeating CTAP 2.1 clone-detection on credentials whose stored counter was > 0. An operator deserializing the credential from a column that lost the counter would unknowingly accept a cloned authenticator. The wrapper now refuses `undefined` / `null` (operators MUST persist whatever the vendor returned at registration; first-time-stored credentials carry counter:0 explicitly) and rejects any non-integer / non-finite / negative value with `auth-passkey/bad-counter`. **`b.auth.passkey` multi-origin support** — `expectedOrigin` now accepts `string` OR `string[]` on both `verifyRegistration` and `verifyAuthentication`. Pre-v0.9.2 the wrapper enforced a single string only, blocking multi-origin deployments (web + admin-subdomain) from sharing one verifier; SimpleWebAuthn natively supports arrays. **`b.auth.passkey` prototype-pollution fix** — `ALLOWED_MEDIATION` lookup changed from `{...}[opts.mediation]` to `hasOwnProperty.call(ALLOWED_MEDIATION, opts.mediation)` with a null-prototype map. Pre-v0.9.2 a caller passing `mediation: "__proto__"` / `"constructor"` truthy-matched an inherited Object.prototype property and slipped past the allowlist into `generateAuthenticationOptions`. **`b.auth.aal.fromMethods` UV requirement for AAL3** — per NIST SP 800-63-4 §5.1.7, WebAuthn / passkey satisfies AAL3 (MF-CRYPT) only when user verification was performed on the assertion. Pre-v0.9.2 `fromMethods({ webauthn: true })` returned `AAL3` unconditionally; operators using `userVerification: "preferred"` whose authenticator skipped UV landed in AAL3 despite not satisfying the spec's MF requirement. The caller now passes `uv: true` (sourced from the vendor's authData UV bit) to claim AAL3 with webauthn alone; without `uv`, webauthn alone caps at AAL2 (SF-CRYPT). Combination paths (`webauthn + password` / `webauthn + pin`) reach AAL3 regardless of UV (the memorized secret provides the second factor independently). **`b.auth.fidoMds3.verifyAuthenticator` fail-closed default + new opts** — pre-v0.9.2 unknown AAGUIDs returned `{ ok: true, reason: "aaguid-not-in-blob" }`, silently trusting any authenticator the metadata service hadn't yet listed (rogue / pre-certification / fake hardware). Now fails closed by default; operators wanting the legacy fail-open behavior (test fixtures, pre-certification pilot rollouts) pass `opts.allowUnknownAaguid: true` explicitly. **`b.auth.fidoMds3.parseBlob` stale-BLOB refusal** — refuses BLOB payloads whose `nextUpdate` is already in the past (FIDO MDS3 §3.1.7). Pre-v0.9.2 the staleness was floored to `MIN_CACHE_TTL_MS` but the BLOB was still served, letting an attacker pin operators to a revoked-authenticator-list-frozen-at-X by serving an ancient signed-but-expired BLOB. **`b.auth.fidoMds3.REFUSE_STATUS`** — added `ATTESTATION_KEY_COMPROMISE` per FIDO MDS3 §3.1.4. Pre-v0.9.2 this status was silently accepted; manufacturer batch-signing-key compromise affects every credential attested under that key.
+- v0.9.1 (2026-05-11) — **Audit hardening, slice 1 of N: federation auth + OAuth ID-token verifier**. Audit run after v0.9.0 across OAuth / SAML / OIDC federation / SD-JWT VC / WebAuthn / FIDO MDS3 / constant-time-compare surfaces; this slice closes the highest-severity SAML + OIDC + SD-JWT + OAuth findings. **SAML SP** (`b.auth.saml.sp.create({...}).buildAuthnRequest` + `.metadata`): every operator-supplied URL / ID interpolated into the emitted XML now routes through `b.xmlC14n.escapeAttrValue` / `escapeText`. Pre-v0.9.1 a `"` or `<` in `idpSsoUrl` / `assertionConsumerServiceUrl` / `entityId` / `nameIdFormat` broke out of attribute / element context and produced unsigned-XML breakout into the IdP redirect. Newly exported `b.xmlC14n.escapeAttrValue(s)` and `b.xmlC14n.escapeText(s)` — RFC 3741 §1.3.x compliant; available for any operator emitting XML alongside the framework's own SAML / canonicalization paths. **SAML SP `verifyResponse`**: digest compare on `Reference DigestValue` and `SubjectConfirmation InResponseTo` now use `b.crypto.timingSafeEqual` instead of `Buffer.compare` / `!==`. **SAML XSW defense**: refuses Response payloads that carry duplicate `<Status>`, `<StatusCode>`, `<Assertion>`, `<Subject>`, or `<NameID>` children — XML signature wrapping attacks ferry an unsigned sibling next to a signed element and exploit first-match parsers; the verifier now asserts single-child cardinality on every security-critical element via `_findAllChildren(...).length === 1`. **OIDC federation** (`b.auth.openidFederation.verifyEntityStatement`): JWK key-type cross-check against the JWS `alg` header BEFORE `nodeCrypto.createPublicKey` — an attacker-controlled entity-config declaring `alg: "ES256"` while supplying an RSA JWK would previously load through Node's silent algorithm-vs-key coercion path. Now refuses with `auth-openid-federation/alg-kty-mismatch` for any `alg=ES*` not paired with `kty=EC`, `alg=PS*`/`RS*` not paired with `RSA`, or `alg=EdDSA` not paired with `OKP`. **`b.auth.openidFederation.buildTrustChain` error-masking**: trust-chain ascent previously swallowed every per-authority failure via `catch (_e) {}` and continued to the next `authority_hint`; signature-failure errors from one authority no longer mask, the chain now refuses on cryptographic refusal (`bad-jwk`, `alg-kty-mismatch`, `bad-signature`, `signature-failed`). Network / 404 / iss-sub-mismatch errors still continue to the next hint but are collected and surfaced in the `no-ascent` failure shape. **SD-JWT VC verify** (`b.auth.sdJwtVc.verify`): three correctness fixes. (1) `_sd_alg` default switched from `sha3-512` to `sha-256` per IETF draft §4.1.1 — prior default broke verification against spec-conformant issuers when the issuer omitted `_sd_alg`. (2) Disclosure-replay defense: every disclosure digest tracked in a Set; second occurrence of the same digest refuses with `auth-sd-jwt-vc/disclosure-replay`. (3) Claim-shadowing defense: holder-supplied disclosures whose name collides with an issuer-signed top-level claim (`iss`, `sub`, `aud`, `iat`, `nbf`, `exp`, `jti`, `vct`, `cnf`, `_sd`, `_sd_alg`, `status`) refuse with `auth-sd-jwt-vc/protected-claim-shadow` instead of silently overwriting the signed value. (4) KB-JWT `sd_hash` now uses the credential's declared `_sd_alg` (was hardcoded sha256, breaking against issuers using sha3-512); `sd_hash` compare routed through `b.crypto.timingSafeEqual`. **OAuth `verifyIdToken`** (`b.auth.oauth.verifyIdToken`): three hardening fixes that bring the verifier to parity with the framework's other JWS verifiers. (1) `nodeCrypto.verify` wrapped in try/catch — previously panicked on key/sig shape mismatch (e.g. ES256 sig against an RS256 key returned by a buggy IdP with duplicate kids), bubbling a raw `Error` to the operator's handler instead of an `OAuthError`. (2) RFC 7515 §4.1.11 `crit` header refusal — every sibling verifier (`b.auth.jwt`, `b.auth.jwt.verifyExternal`, `b.auth.dpop`) refuses; verifyIdToken previously silently ignored, letting an attacker-controlled OP ship critical extensions the verifier doesn't understand. (3) `state` and `nonce` claim compares routed through `b.crypto.timingSafeEqual` — these are CSRF / replay tokens compared against attacker-controlled callback / payload data.
 - v0.9.0 (2026-05-11) — **Minor: 3 new RFC primitives + `b.structuredFields` shared substrate + full audit-derived hardening sweep + 5 new bug-class detectors**. **`b.structuredFields`** consolidates the quote-aware top-level splitter (`splitTopLevel(s, sep)`), the raw-value control-byte refusal scan (`refuseControlBytes` / `containsControlBytes`), and the sf-string unquote (`unquoteSfString`) used by every RFC 8941 / RFC 9110 / RFC 9111 / RFC 9213 / RFC 9421 / RFC 6266 / RFC 6265 / RFC 6455 parser in the framework — replaces the per-file open-coded copies that were drifting site-by-site. **8 audit-surfaced bug-class sites fixed in this same patch** (no deferred follow-up): (1) `b.middleware.bodyParser._contentType` + `_parseHeaderParams` — RFC 9110 Content-Type / RFC 6266 Content-Disposition parameters can carry quoted-string values (`boundary="foo;bar"` / `filename="weird;name.txt"`); bare `.split(";")` previously sliced through quoted semicolons and corrupted multipart boundaries. (2) `b.requestHelpers.parseListHeader({ strictToken: true })` — control-byte scan now runs on the RAW value before `.trim()` so a leading `\n<token>` no longer slips past `RFC_9110_TOKEN_RE` (same v0.8.90 bug class; used by webhook signature parsing and WS subprotocol negotiation). (3) `b.middleware.tusUpload._parseChecksumHeader` — same trim-before-validate fix. (4) `b.httpClient.cache._parseCacheControl` — quote-aware `,` splitter (RFC 9111 §5.2 + RFC 9110 §5.6.4 directive values may be quoted-string). (5) `b.httpClient.cookieJar._parseSetCookie` — quote-aware `;` splitter defends RFC 7230 quoted-string attribute values (`SameSite="Strict"` from interop-imperfect upstreams). (6) `b.websocket._parseExtensionHeader` — quote-aware `;` and `,` splitters defend RFC 6455 §9.1 + RFC 7230 token-or-quoted-string parameter values against forward-compat extensions shipping quoted params. (7) `b.aiPref.parseHeader` — control-byte refusal added on the RAW value before split + trim. (8) `b.auth.stepUp.parseChallenge` — same trim-before-validate fix (returns `null` per defensive-reader contract instead of throwing). Also: `b.logStream.init({ minLevel })` now validates the level vocabulary at config time so a typo'd `"infos"` (which previously produced `LEVEL_PRIORITY["infos"] === undefined` and silently dropped every log record) throws at boot. `b.crypto.httpSig`'s RFC 9421 Signature-Input parameter parser uses the quote-aware `;` splitter (RFC 8941 §3.1.2 sf-string parameter values). `b.security.assertProductionPosture({ minTlsVersion })` validates `minTlsVersion` against the canonical TLS vocabulary BEFORE the rank comparison (a typo previously silently passed because `indexOf` returned `-1` — same bug class as v0.8.88 `b.auth.fal.meets`). **3 new RFC primitives**: **`b.cdnCacheControl`** ships an RFC 9213 directive list builder + parser shared across `Cache-Control`, `CDN-Cache-Control`, `Surrogate-Control`, and the operator-specific `Cloudflare-` / `Vercel-` / `Fastly-` / `Akamai-` / `Netlify-CDN-Cache-Control` variants. `build({...})` emits the directive list string (numeric directives non-negative-integer-only; refuses Infinity / NaN / floats / negatives; full RFC 9111 boolean directive set; `extensions` for non-standard directives with RFC 7234 §5.2 token-shape enforcement); refuses `public + private` conflict per RFC 9111 §5.2.2.5/§5.2.2.6. `parse(headerValue)` decodes any targeted header into `{ public, private, noStore, maxAge, sMaxAge, ..., directives, fields }` with **qualified-form support** (`private="Authorization"` flag stays enabled, field-name list under `.fields[camel]` per RFC 9111 §5.2.2.4 / §5.2.2.6 — presence == enabled, the argument narrows scope), **bare `max-stale` parses as `Infinity`** per RFC 9111 §5.2.1.2 (instead of buggy `Number(true) === 1`), and a quote-aware top-level `,` splitter so a `, ` inside a quoted directive value doesn't fake-split. `isTargetedHeader(name)` + curated `TARGETED_HEADERS` allowlist. **`b.clientHints`** ships a Sec-CH-UA-* request-header family parser per W3C UA Client Hints + IETF draft-davidben-http-client-hint-reliability. `parse(req.headers)` returns `{ brands, mobile, platform, platformVersion, arch, bitness, model, fullVersionList, wow64, formFactors, raw }`; quote-aware splitters at brand-list and brand-member-parameter level (RFC 8941 §4.1.1.4 parameter values may be sf-string); refuses control characters in any Sec-CH-* value. `acceptList(hintNames)` builds `Accept-CH` with typo-defense (unknown hint name throws `client-hints/unknown-hint`); dedupes case-variant duplicates; canonicalizes to W3C mixed-case spelling. `KNOWN_HINTS` exports the well-known 22-name list. **`b.network.dns.classifyDnskeyAlgorithm(algorithm)` / `classifyDsDigestType(digestType)`** — RFC 9905 DNSSEC SHA-1 deprecation classifier. Covers every IANA-assigned DNSKEY algorithm (including PRIVATEDNS/PRIVATEOID/INDIRECT/Reserved entries) and RFC 9558 §3 DS digest types 5 (GOST R 34.11-2012) + 6 (SM3); operators auditing inbound DNSSEC chain-of-trust evidence refuse validations where `deprecated === true`. Inline `allow:bare-split-on-quoted-header` markers added across `mail-auth.js` (DKIM / DMARC / ARC tag-list grammar — token-only), `network-smtp-policy.js` (TLS-RPT — token-only), `middleware/scim-server.js` (RFC 7644 §3.9 SCIM attribute paths), `http-client-cache.js` (RFC 9110 §12.5.5 Vary field-names), `http-message-signature.js` (RFC 9421 component-id covered list), `middleware/body-parser.js` (RFC 9112 §6.1 Transfer-Encoding token-only), each citing the controlling RFC clause showing why quoted-string is not a legal value in that grammar. **5 new bug-class detectors** in `test/layer-0-primitives/codebase-patterns.test.js` so the same shapes can't drift back in: (a) `trim-before-validate` — control-byte refusal scans must run on the RAW header value BEFORE `.trim()` strips leading/trailing C0/DEL bytes; detector now catches BOTH the `charCodeAt` codepoint-loop shape AND the `<NAME>_RE.test(<trimmed>)` grammar-regex shape; (b) `enum-rank-without-validation` — `_rankFn(X) >= _rankFn(Y)` arithmetic comparisons must have a preceding `isValid*` / `KNOWN_*` membership check on both inputs (catches `b.auth.fal.meets` bug shape); (c) `bool-string-coerce-shape` — boolean directive parsing must NOT use `val === "" || val === "true"` coercion (catches `b.cdnCacheControl.parse` qualified-form bug shape); (d) `bare-split-on-quoted-header` — RFC structured-fields parsers in files that ALSO handle sf-string unquote regex must use the shared quote-aware `b.structuredFields.splitTopLevel`, not bare `.split(",") / .split(";")`; (e) `scoped-context-binding-unused` — scope-named factory bindings (`forwarderDomain` / `realm` / `origin` / `audience` / `issuer`) captured in the factory must be compared against the inbound value's embedded scope in the `verify` / `reverse` / `decode` path (catches the v0.8.89 SRS forwarder-domain bug shape). Operators upgrade `0.8.90` → `0.9.0`; v0.8.91 was never tagged (its surface is folded into v0.9.0 with the audit-derived hardening).
 - v0.8.90 (2026-05-11) — **RFC 8689 REQUIRETLS support** (`b.mail.requireTls`). Per-message TLS-requirement signaling between sender and receiver MTAs. Complements MTA-STS / DANE (policy-side, domain-scoped) with a per-message knob that overrides policy when the operator wants stricter-than-policy delivery — message bounces instead of falling back to cleartext if no downstream MTA can deliver under TLS. **`peerSupports(ehloLines)`**: walks a parsed EHLO response and returns `true` when the peer advertised the `REQUIRETLS` keyword; case-insensitive per RFC 5321 §2.4; refuses substring matches (`FOO-REQUIRETLS-BAR` does NOT match); empty / non-array input returns `false`. **`mailFromExtension({ requireTls })`**: builds the trailing `" REQUIRETLS"` token to append to a MAIL FROM line; refuses non-boolean flag value (a truthy-but-wrong-shape value like `"yes"` throws instead of silently succeeding). **`parseTlsRequiredHeader(headerValue)`**: parses the RFC 8689 §5 `TLS-Required` header — returns `"no"` only when the value is the literal token `no` (case-insensitive, ignoring whitespace) per spec; any other non-empty value returns `"yes"` (RFC 8689 §5: "any value other than 'No' MUST be treated as if the field had been absent" — conservative strict path); returns `null` for absent / empty / non-string input; refuses control characters on the **raw** header value before `trim()` runs so a leading `\n` / trailing `\r` / NUL / DEL byte can no longer slip past as the literal token `no` (ASCII HT remains permitted as structural folding whitespace).
 - v0.8.89 (2026-05-11) — **Hotfix: `b.earlyHints.send()` case-variant link bypass + new `b.mail.srs` Sender Rewriting Scheme**. **Hotfix (PRIMARY)**: pre-v0.8.89, supplying both `link` (lowercase) AND `Link` (capital, or any other case variant) to `b.earlyHints.send()` bypassed the validator. `opts.link` got the dedicated `_validateLink` pass and was assigned to `headers.link`; the trailing header loop then iterated `Object.keys(opts)`, skipped only the exact-match `"link"` key, and for `"Link"` lowercased the name and wrote `headers.link = opts.Link` — overwriting the validated value with unvalidated content. Malformed Link headers (missing `rel=`, unknown relation, oversized) reached `writeEarlyHints()` despite the API contract. The fix collapses all opt keys to a single canonical lowercase map up front; duplicate case-variants of any header (not just `link`) now refuse with `early-hints/duplicate-header` so operators see the collision instead of getting silent winner-take-all behavior. Capital `Link` alone (no lowercase variant) still works — it goes through the same validator. Tests added: case-variant-collision refuse, capital-Link-alone validates, capital-Link with malformed value still throws `bad-link`. **New**: `b.mail.srs.create({ secret, forwarderDomain, expiryDays? })` — Sender Rewriting Scheme (SRS0) implementation for forwarder envelope-from rewriting so the next-hop SPF check passes and bounces route correctly back to the original sender. Returns `{ rewrite, reverse }`. `rewrite(addr)` produces an SRS-encoded `SRS0=HHHH=TT=domain=local@forwarder.example` form; `reverse(srs)` decodes back to the original sender, verifying the HMAC-SHA-256 short-tag (operator-supplied secret), the day-stamp expiry window (default 30 days), and the canonical 4-field SRS0 grammar. Domain-binding check: `reverse(srs)` refuses with `srs/wrong-forwarder` when the SRS0 address's `@domain` part doesn't match the rewriter's `forwarderDomain` (case-insensitive per RFC 5321 §2.3.5) so a tag signed with the same secret but addressed to a different forwarder domain can no longer be accepted. Refuses tampered tags via `srs/bad-tag`, expired rewrites via `srs/expired`, double-SRS-encoding via `srs/already-rewritten`, and bad address shapes via `srs/bad-address`. HMAC uses `b.crypto.timingSafeEqual` for tag comparison so the verification side stays constant-time against operator-controlled tag inputs.

package/lib/auth/aal.js

@@ -70,38 +70,51 @@ function _bandRank(band) {
 var KNOWN_METHODS = [
   "password", "pin", "totp", "sms", "webauthn", "passkey",
   "hardware", "mtls",
+  // `uv` is a webauthn-side qualifier: when true, the
+  // authenticator-data UV bit was set on the assertion. Required
+  // for AAL3 paired with `webauthn` / `passkey` per SP 800-63-4
+  // §5.1.7.
+  "uv",
 ];
 
 function fromMethods(methods) {
   if (!methods || typeof methods !== "object") {
     throw new AuthError("auth-aal/bad-methods",
-      "fromMethods: methods must be an object like { password: true, webauthn: true }");
+      "fromMethods: methods must be an object like { password: true, webauthn: true, uv: true }");
   }
   var has = function (m) { return methods[m] === true; };
-
-  // Phishing-resistant multi-factor → AAL3.
-  // - WebAuthn / passkey with UV=true alone satisfies AAL3 per
-  //   SP 800-63-4 §5.1.7 (cryptographic authenticator + verifier impl
-  //   binding + user verification = MF-CRYPT).
-  // - Hardware authenticator + memorized secret also satisfies AAL3
-  //   (SF-CRYPT + memorized = MF-equivalent under §4.4.1).
-  if (has("webauthn") || has("passkey")) return AAL3;
+  // SP 800-63-4 §5.1.7 — WebAuthn / passkey satisfies AAL3 only when
+  // user verification (UV) was actually performed on the assertion
+  // (MF-CRYPT requires the verifier to confirm the user authorized
+  // the operation). Pre-v0.9.2 this returned AAL3 unconditionally
+  // for any webauthn:true assertion; an operator using
+  // `userVerification: "preferred"` whose authenticator skipped UV
+  // landed in AAL3 despite not satisfying the spec's MF requirement.
+  //
+  // The operator passes `methods.uv: true` when verifyAuthentication's
+  // result confirmed UV on the authenticator data (vendor's
+  // `userVerified` flag). When `uv` is omitted or false, webauthn
+  // alone caps at AAL2 (SF-CRYPT — the cryptographic authenticator
+  // is verified, but user-verification proof is missing).
+  // Operators wanting the legacy optimistic path can pass
+  // `methods.uv: true` based on their startAuthentication
+  // `userVerification: "required"` setting having forced UV.
+  if ((has("webauthn") || has("passkey")) && has("uv")) return AAL3;
+  if ((has("webauthn") || has("passkey")) && !has("uv")) {
+    // SF-CRYPT (cryptographic but no UV-bound MF). Combine with a
+    // memorized secret to satisfy MF.
+    if (has("password") || has("pin")) return AAL3;
+    return AAL2;
+  }
   if (has("hardware") && (has("password") || has("pin"))) return AAL3;
 
-  // Multi-factor → AAL2.
-  // - password + totp / sms / hardware single-factor / mtls.
-  // - SP 800-63-4 §5.1.3.3 — SMS is RESTRICTED but still satisfies
-  //   AAL2 with the operator's documented risk acceptance.
   if (has("password") || has("pin")) {
     if (has("totp") || has("sms") || has("hardware") || has("mtls")) return AAL2;
     return AAL1;     // memorized secret alone
   }
 
-  // Single-factor cryptographic — mtls / hardware on its own → AAL1
-  // unless paired with a memorized secret (handled above).
   if (has("hardware") || has("mtls")) return AAL1;
 
-  // No recognized method asserted.
   throw new AuthError("auth-aal/no-methods",
     "fromMethods: methods object did not assert any known authenticator " +
     "(known: " + KNOWN_METHODS.join(", ") + ")");

package/lib/auth/fido-mds3.js

@@ -70,6 +70,11 @@ var REFUSE_STATUS = {
   REVOKED:                       1,
   USER_KEY_PHYSICAL_COMPROMISE:  1,
   USER_KEY_REMOTE_COMPROMISE:    1,
+  // FIDO MDS3 §3.1.4 — attestation-key compromise means the
+  // manufacturer's batch-signing key is suspect; every credential
+  // attested under that key MUST be refused. Pre-v0.9.2 this token
+  // was missing from the refuse-list (audit 2026-05-11).
+  ATTESTATION_KEY_COMPROMISE:    1,
 };
 
 // FIDO Certified levels that surface as certifiedLevel. The spec uses
@@ -333,6 +338,21 @@ function _verifyAndParseBlob(token) {
     throw new FidoMds3Error("fido-mds3/bad-payload",
       "BLOB payload 'nextUpdate' missing or not YYYY-MM-DD: " + payload.nextUpdate);
   }
+  // Stale-BLOB refusal — FIDO MDS3 §3.1.7 says clients SHOULD refresh
+  // by nextUpdate; a BLOB whose nextUpdate is already in the past is
+  // not safe to trust even though its cert chain still validates.
+  // Pre-v0.9.2 the staleness was floored to MIN_CACHE_TTL_MS in
+  // _ttlFromNextUpdate but the BLOB itself was still served from
+  // cache; an attacker serving an ancient signed-but-expired BLOB
+  // could keep operators on a revoked-authenticator-list-frozen-at-X.
+  // Refuse at parse time so neither fetch nor cache lookup honors it.
+  // (Audit 2026-05-11.)
+  if (nextUpdate.getTime() < Date.now()) {
+    throw new FidoMds3Error("fido-mds3/blob-stale",
+      "BLOB payload nextUpdate \"" + payload.nextUpdate +
+      "\" is in the past — refusing to trust a stale metadata BLOB " +
+      "(FIDO MDS3 §3.1.7)");
+  }
   return {
     entries:     payload.entries,
     no:          payload.no,
@@ -539,7 +559,7 @@ function _certifiedLevel(statusReports) {
 
 /**
  * @primitive b.auth.fidoMds3.verifyAuthenticator
- * @signature b.auth.fidoMds3.verifyAuthenticator(blob, registrationInfo)
+ * @signature b.auth.fidoMds3.verifyAuthenticator(blob, registrationInfo, opts)
  * @since     0.8.53
  * @status    stable
  * @related   b.auth.fidoMds3.fetch, b.auth.fidoMds3.lookupAaguid
@@ -549,21 +569,31 @@ function _certifiedLevel(statusReports) {
  * `{ ok, statement, statusReports, certifiedLevel, reason? }`. Refuses
  * (ok: false) when the authenticator's status reports include any of
  * REVOKED / USER_KEY_PHYSICAL_COMPROMISE / USER_KEY_REMOTE_COMPROMISE
- * (FIDO MDS3 section 3.1.4 compromise bucket). Returns
- * `ok: true, statement: null` for AAGUIDs not present in the BLOB —
- * operators choose whether unknown AAGUIDs are permitted via an
- * allowlist policy on top of this primitive.
+ * / ATTESTATION_KEY_COMPROMISE (FIDO MDS3 section 3.1.4 compromise
+ * bucket).
+ *
+ * AAGUIDs not present in the BLOB **fail closed by default** in
+ * v0.9.2+ (pre-v0.9.2 returned `ok: true, statement: null`, silently
+ * trusting any authenticator not yet in the metadata service). To
+ * accept unknown AAGUIDs (test fixtures, pre-certification rollouts),
+ * pass `opts.allowUnknownAaguid: true`; the `reason` field then notes
+ * the operator opt-in.
  *
  * Audits auth.fido_mds3.verify.refused (drop-silent) on compromise.
  *
+ * @opts
+ *   allowUnknownAaguid: boolean,   // default false (fail-closed)
+ *
  * @example
  *   var blob = { entries: [] };
  *   var reg  = { aaguid: "00000000-0000-0000-0000-000000000000" };
- *   var rv   = b.auth.fidoMds3.verifyAuthenticator(blob, reg);
+ *   var rv   = b.auth.fidoMds3.verifyAuthenticator(blob, reg,
+ *                                                  { allowUnknownAaguid: true });
  *   rv.ok === true && rv.statement === null;
- *   // → true
+ *   // → true (with operator opt-in)
  */
-function verifyAuthenticator(blob, registrationInfo) {
+function verifyAuthenticator(blob, registrationInfo, vopts) {
+  vopts = vopts || {};
   if (!blob) {
     throw new FidoMds3Error("fido-mds3/bad-blob", "blob is required");
   }
@@ -573,12 +603,23 @@ function verifyAuthenticator(blob, registrationInfo) {
   }
   var entry = lookupAaguid(blob, registrationInfo.aaguid);
   if (!entry) {
+    // Fail-CLOSED default for unknown AAGUIDs (audit 2026-05-11).
+    // Pre-v0.9.2 default was `ok: true, reason: "aaguid-not-in-blob"`
+    // — an attacker registering a credential with an AAGUID not in
+    // the BLOB (rogue authenticator, fake hardware) silently passed.
+    // The framework's primitive now refuses by default; operators
+    // who genuinely want to accept unknown authenticators (test
+    // fixtures, pre-certification pilot rollouts) pass
+    // `vopts.allowUnknownAaguid: true` explicitly.
+    var unknownOk = vopts.allowUnknownAaguid === true;
     return {
-      ok:             true,
+      ok:             unknownOk,
       statement:      null,
       statusReports:  [],
       certifiedLevel: { level: 0, plus: false },
-      reason:         "aaguid-not-in-blob",
+      reason:         unknownOk
+        ? "aaguid-not-in-blob (operator opted in via allowUnknownAaguid)"
+        : "aaguid-not-in-blob",
     };
   }
   var statusReports = Array.isArray(entry.statusReports) ? entry.statusReports : [];

package/lib/auth/oauth.js

@@ -108,7 +108,7 @@ var nodeCrypto = require("node:crypto");
 var cache = require("../cache");
 var C = require("../constants");
 var safeAsync = require("../safe-async");
-var { generateBytes } = require("../crypto");
+var { generateBytes, timingSafeEqual: cryptoTimingSafeEqual } = require("../crypto");
 var httpClient = require("../http-client");
 var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
@@ -678,10 +678,15 @@ function create(opts) {
         "but the callback omitted `iss` — refused (RFC 9207 / FAPI 2.0 §5.4.2)");
     }
     if (popts.expectedState !== undefined && popts.expectedState !== null) {
-      if (query.state !== popts.expectedState) {
+      // Constant-time compare on the CSRF state token. Project
+      // discipline (auth/dpop.js, mail-srs.js, webhook.js) is
+      // timingSafeEqual for any secret-shaped value compared
+      // against attacker-controlled input. (Audit 2026-05-11.)
+      if (typeof query.state !== "string" ||
+          !cryptoTimingSafeEqual(query.state, popts.expectedState)) {
         throw new OAuthError("auth-oauth/state-mismatch",
-          "parseCallback: state mismatch (CSRF defense). Expected '" +
-          popts.expectedState + "', got '" + query.state + "'");
+          "parseCallback: state mismatch (CSRF defense) — expected and " +
+          "supplied state values do not match");
       }
     }
     if (typeof query.code !== "string" || query.code.length === 0) {
@@ -922,6 +927,16 @@ function create(opts) {
       throw new OAuthError("auth-oauth/alg-not-accepted",
         "ID token signed with '" + header.alg + "' which is not in the accepted-algorithm list");
     }
+    // RFC 7515 §4.1.11 — refuse JWS with `crit` header. Every other
+    // verifier in the framework (jwt.js, jwt-external.js, dpop.js)
+    // refuses; verifyIdToken previously silently ignored, letting an
+    // attacker-controlled OP ship critical extensions the verifier
+    // doesn't understand. (Audit 2026-05-11.)
+    if (header.crit !== undefined && header.crit !== null) {
+      throw new OAuthError("auth-oauth/crit-not-supported",
+        "ID token JWS header carries 'crit' extension list; this verifier does not " +
+        "support any critical extensions and refuses per RFC 7515 §4.1.11");
+    }
     var keys = await _getJwks();
     var match = null;
     if (header.kid) {
@@ -943,7 +958,19 @@ function create(opts) {
     if (params.padding !== undefined) verifyOpts.padding = params.padding;
     if (params.saltLength !== undefined) verifyOpts.saltLength = params.saltLength;
     if (params.dsaEncoding !== undefined) verifyOpts.dsaEncoding = params.dsaEncoding;
-    var verified = nodeCrypto.verify(params.hash, Buffer.from(signingInput, "ascii"), verifyOpts, sig);
+    // nodeCrypto.verify panics on key/sig shape mismatch (e.g. an
+    // ES256 signature attempted against an RS256 key returned by a
+    // hostile or buggy IdP with duplicate kids). Wrap so the panic
+    // becomes a typed AuthError, matching the discipline in
+    // jwt-external.js + dpop.js. (Audit 2026-05-11.)
+    var verified;
+    try {
+      verified = nodeCrypto.verify(params.hash, Buffer.from(signingInput, "ascii"), verifyOpts, sig);
+    } catch (verifyErr) {
+      throw new OAuthError("auth-oauth/bad-signature",
+        "ID token signature verification raised: " +
+        ((verifyErr && verifyErr.message) || String(verifyErr)));
+    }
     if (!verified) {
       throw new OAuthError("auth-oauth/bad-signature", "ID token signature verification failed");
     }
@@ -976,7 +1003,10 @@ function create(opts) {
         "ID token aud does not contain clientId '" + clientId + "'");
     }
     if (vopts.nonce && !vopts.skipNonceCheck) {
-      if (payload.nonce !== vopts.nonce) {
+      // Constant-time nonce compare — secret-shaped value matched
+      // against attacker-controlled payload. (Audit 2026-05-11.)
+      if (typeof payload.nonce !== "string" ||
+          !cryptoTimingSafeEqual(payload.nonce, vopts.nonce)) {
         throw new OAuthError("auth-oauth/nonce-mismatch",
           "ID token nonce mismatch (replay protection)");
       }

package/lib/auth/openid-federation.js

@@ -155,6 +155,23 @@ function verifyEntityStatement(jwt, jwks) {
       "verifyEntityStatement: no JWKS key matches kid \"" + parsed.header.kid + "\"");
   }
 
+  // Cross-check the JWK key type against the JWS `alg` header BEFORE
+  // verifying. Without this an attacker-controlled entity-config can
+  // declare `alg: "ES256"` while supplying an RSA `kty: "RSA"` JWK;
+  // Node will silently use the RSA key with SHA-256 and the signature
+  // verify either always-fails (if PSS) or succeeds against a payload
+  // the attacker crafted to match the wrong primitive (algorithm/key-
+  // type confusion). (Audit 2026-05-11.)
+  var expectedKty = null;
+  if (parsed.header.alg.indexOf("ES") === 0)        expectedKty = "EC";
+  else if (parsed.header.alg.indexOf("PS") === 0 || parsed.header.alg.indexOf("RS") === 0) expectedKty = "RSA";
+  else if (parsed.header.alg === "EdDSA")           expectedKty = "OKP";
+  if (expectedKty && key.kty !== expectedKty) {
+    throw new AuthError("auth-openid-federation/alg-kty-mismatch",
+      "verifyEntityStatement: JWS header alg=\"" + parsed.header.alg + "\" requires " +
+      "JWK kty=\"" + expectedKty + "\" but the resolved JWK has kty=\"" + key.kty + "\"");
+  }
+
   var keyObj;
   try { keyObj = nodeCrypto.createPublicKey({ key: key, format: "jwk" }); }
   catch (e) {
@@ -431,38 +448,52 @@ async function buildTrustChain(opts) {
     // OR the first that returns a valid subordinate statement. Real
     // operators with multiple federations usually have one anchor
     // active; we walk in order and pick the first success.
+    // Track every per-authority failure reason and surface them on
+    // `no-ascent` rather than masking. Audit 2026-05-11 — silently
+    // swallowing `catch (_e) {}` lets a hostile intermediate that
+    // serves a malformed-then-valid pair shape-walk the verifier.
+    // We continue past 404 / fetch errors but refuse on
+    // signature-verify failure (cryptographic refusal is a hard stop).
     var ascended = false;
+    var ascentErrors = [];
     for (var ai = 0; ai < parsedEC.claims.authority_hints.length; ai++) {
       var authority = parsedEC.claims.authority_hints[ai];
       try {
         var subordinateJwt = await fetchSubordinate(authority, current);
         var parsedSub = parseEntityStatement(subordinateJwt);
         if (parsedSub.claims.iss !== authority || parsedSub.claims.sub !== current) {
+          ascentErrors.push({ authority: authority, code: "iss-sub-mismatch" });
           continue;
         }
-        // Need to fetch the authority's JWKS to verify the subordinate
-        // statement — the authority's entity-config carries it. We
-        // verify that on the next loop iteration; for now, refuse if
-        // the subordinate's signature doesn't verify with the keys
-        // declared in the authority's most recently fetched config.
         var authorityCfgJwt = await fetcher(authority.replace(/\/$/, "") + "/.well-known/openid-federation");
         var authorityCfgClaims = parseEntityStatement(authorityCfgJwt).claims;
+        // Cryptographic verification — any throw here is a hard
+        // refusal, NOT a "try next authority" signal. A malformed-
+        // signature subordinate from an authority listed by the
+        // entity means that authority is hostile or compromised;
+        // moving on lets a chain-shaping attacker bypass the gate.
         verifyEntityStatement(subordinateJwt, authorityCfgClaims.jwks || {});
-        // Replace the entity's claimed JWKS with the JWKS the
-        // authority signs about it — this is the trust-bearing one.
         chain[chain.length - 1].claims.jwks = parsedSub.claims.jwks || chain[chain.length - 1].claims.jwks;
         chain[chain.length - 1].subordinateJwt = subordinateJwt;
         chain[chain.length - 1].subordinate    = parsedSub.claims;
         current = authority;
         ascended = true;
         break;
-      } catch (_e) {
-        // Try the next authority_hint.
+      } catch (err) {
+        var errCode = (err && err.code) || "unknown";
+        // Network / 404 / parse errors at the AUTHORITY-fetch step
+        // are acceptable "try the next hint" signals. Verify-side
+        // failures (crypto) are NOT — surface them and abort.
+        if (/^auth-openid-federation\/(?:bad-jwk|alg-kty-mismatch|bad-signature|signature-failed)$/.test(errCode)) {
+          throw err;
+        }
+        ascentErrors.push({ authority: authority, code: errCode, message: (err && err.message) || String(err) });
       }
     }
     if (!ascended) {
       throw new AuthError("auth-openid-federation/no-ascent",
-        "entity \"" + current + "\" has authority_hints but none yielded a verifiable subordinate statement");
+        "entity \"" + current + "\" has authority_hints but none yielded a verifiable subordinate statement: " +
+        JSON.stringify(ascentErrors));
     }
     depth += 1;
   }

package/lib/auth/passkey.js

@@ -112,13 +112,39 @@ async function startRegistration(opts) {
   return options;
 }
 
+function _validateExpectedOrigin(value) {
+  if (typeof value === "string") {
+    if (value.length === 0) {
+      throw new AuthError("auth-passkey/missing-expectedOrigin",
+        "expectedOrigin must be a non-empty string or array of strings");
+    }
+    return;
+  }
+  if (Array.isArray(value)) {
+    if (value.length === 0) {
+      throw new AuthError("auth-passkey/missing-expectedOrigin",
+        "expectedOrigin array must contain at least one non-empty string");
+    }
+    for (var i = 0; i < value.length; i += 1) {
+      if (typeof value[i] !== "string" || value[i].length === 0) {
+        throw new AuthError("auth-passkey/missing-expectedOrigin",
+          "expectedOrigin[" + i + "] must be a non-empty string");
+      }
+    }
+    return;
+  }
+  throw new AuthError("auth-passkey/missing-expectedOrigin",
+    "expectedOrigin must be a non-empty string or array of strings");
+}
+
 async function verifyRegistration(opts) {
   if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
   if (!opts.response) {
     throw new AuthError("auth-passkey/missing-response", "opts.response is required");
   }
   _requireString(opts.expectedChallenge, "expectedChallenge");
-  _requireString(opts.expectedOrigin, "expectedOrigin");
+  // Multi-origin deployments (web + admin subdomain) need string[].
+  _validateExpectedOrigin(opts.expectedOrigin);
   _requireString(opts.expectedRPID, "expectedRPID");
 
   var rv = await _vendor().verifyRegistrationResponse({
@@ -161,12 +187,17 @@ async function verifyRegistration(opts) {
 // Credential Management spec: "silent" / "optional" / "required" /
 // "conditional". "conditional" enables passkey autofill on
 // <input autocomplete="webauthn">.
-var ALLOWED_MEDIATION = { silent: 1, optional: 1, required: 1, conditional: 1 };
+// Null-prototype map so `opts.mediation === "__proto__"` /
+// `"constructor"` can't truthy-match an inherited property and slip
+// past the allowlist (audit 2026-05-11).
+var ALLOWED_MEDIATION = Object.assign(Object.create(null),
+  { silent: 1, optional: 1, required: 1, conditional: 1 });
 
 async function startAuthentication(opts) {
   if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
   _requireString(opts.rpId, "rpId");
-  if (opts.mediation !== undefined && !ALLOWED_MEDIATION[opts.mediation]) {
+  if (opts.mediation !== undefined &&
+      !Object.prototype.hasOwnProperty.call(ALLOWED_MEDIATION, opts.mediation)) {
     throw new AuthError("auth-passkey/bad-mediation",
       "mediation must be one of silent/optional/required/conditional");
   }
@@ -352,12 +383,40 @@ async function verifyAuthentication(opts) {
     throw new AuthError("auth-passkey/missing-response", "opts.response is required");
   }
   _requireString(opts.expectedChallenge, "expectedChallenge");
-  _requireString(opts.expectedOrigin, "expectedOrigin");
+  _validateExpectedOrigin(opts.expectedOrigin);
   _requireString(opts.expectedRPID, "expectedRPID");
   if (!opts.credential || !opts.credential.id || !opts.credential.publicKey) {
     throw new AuthError("auth-passkey/missing-credential",
       "opts.credential { id, publicKey, counter? } is required");
   }
+  // Counter regression bypass fix (audit 2026-05-11) — pre-v0.9.2
+  // shape `opts.credential.counter || 0` silently zeroed an
+  // undefined / null / NaN counter, defeating CTAP 2.1 clone-
+  // detection on credentials whose stored counter is > 0. An
+  // operator who deserialized the credential from a column that
+  // dropped the counter would unknowingly accept a cloned
+  // authenticator. Require an explicit non-negative integer.
+  var counter;
+  if (opts.credential.counter === undefined || opts.credential.counter === null) {
+    // First-time-stored credentials legitimately have no counter
+    // yet (registration ran on a vendor returning 0). Operators
+    // MUST persist whatever the vendor returned; if they didn't,
+    // refuse rather than silently coerce.
+    throw new AuthError("auth-passkey/missing-counter",
+      "opts.credential.counter is required (set to 0 at registration; " +
+      "store the newCounter returned by verifyAuthentication on every " +
+      "successful auth). undefined / null is refused to prevent clone-" +
+      "detection bypass when the persisted column is missing.");
+  }
+  if (typeof opts.credential.counter !== "number" ||
+      !isFinite(opts.credential.counter) ||
+      opts.credential.counter < 0 ||
+      Math.floor(opts.credential.counter) !== opts.credential.counter) {
+    throw new AuthError("auth-passkey/bad-counter",
+      "opts.credential.counter must be a non-negative integer (got " +
+      typeof opts.credential.counter + ")");
+  }
+  counter = opts.credential.counter;
 
   var rv = await _vendor().verifyAuthenticationResponse({
     response:           opts.response,
@@ -367,7 +426,7 @@ async function verifyAuthentication(opts) {
     credential:         {
       id:         opts.credential.id,
       publicKey:  opts.credential.publicKey,
-      counter:    opts.credential.counter || 0,
+      counter:    counter,
       transports: opts.credential.transports,
     },
     requireUserVerification: opts.requireUserVerification !== false,

package/lib/auth/saml.js

@@ -49,7 +49,7 @@
 var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var nodeCrypto   = require("node:crypto");
-var { generateToken } = require("../crypto");
+var { generateToken, timingSafeEqual } = require("../crypto");
 var { AuthError } = require("../framework-error");
 
 var xmlC14n   = lazyRequire(function () { return require("../xml-c14n"); });
@@ -261,7 +261,11 @@ function _verifyXmldsig(envelope, signatureNode, certPem) {
   }
   var canonical = c14n.canonicalize(refTarget, { withComments: refC14nWithComments });
   var actualDigest = nodeCrypto.createHash(SUPPORTED_DIGEST[digestAlgo]).update(canonical).digest();
-  if (Buffer.from(expectedDigestB64, "base64").compare(actualDigest) !== 0) {
+  // Constant-time compare — Buffer.compare short-circuits per byte and
+  // leaks the matching-prefix length when the operator's audit/log
+  // captures verify-failure timing. timingSafeEqual returns false for
+  // length-mismatched inputs without leaking length.
+  if (!timingSafeEqual(Buffer.from(expectedDigestB64, "base64"), actualDigest)) {
     throw new AuthError("auth-saml/digest-mismatch",
       "Reference DigestValue does not match canonicalized referenced element (signature-wrapping or tampered content)");
   }
@@ -360,9 +364,18 @@ function create(opts) {
     bopts = bopts || {};
     var id = "_" + generateToken(20);
     var issueInstant = new Date().toISOString();
+    // RFC 3741 §1.3.2 attribute-value + §1.3.1 element-text escaping
+    // for every operator-supplied string interpolated into the
+    // AuthnRequest XML. Without escaping, a `"` or `<` in any of the
+    // four fields (idpSsoUrl, assertionConsumerServiceUrl, entityId,
+    // nameIdFormat) produces malformed XML and can break out of the
+    // attribute / element context, injecting unsigned content the IdP
+    // canonicalizer would never honor but the consumer's signed XML
+    // baseline relies on. (Surfaced by the 2026-05-11 SAML audit.)
+    var c14n = xmlC14n();
     var nameIdPolicy = "";
     if (opts.nameIdFormat) {
-      nameIdPolicy = "<samlp:NameIDPolicy Format=\"" + opts.nameIdFormat +
+      nameIdPolicy = "<samlp:NameIDPolicy Format=\"" + c14n.escapeAttrValue(opts.nameIdFormat) +
                      "\" AllowCreate=\"true\"/>";
     }
     var xml =
@@ -371,10 +384,10 @@ function create(opts) {
       "ID=\"" + id + "\" " +
       "Version=\"2.0\" " +
       "IssueInstant=\"" + issueInstant + "\" " +
-      "Destination=\"" + opts.idpSsoUrl + "\" " +
-      "AssertionConsumerServiceURL=\"" + opts.assertionConsumerServiceUrl + "\" " +
+      "Destination=\"" + c14n.escapeAttrValue(opts.idpSsoUrl) + "\" " +
+      "AssertionConsumerServiceURL=\"" + c14n.escapeAttrValue(opts.assertionConsumerServiceUrl) + "\" " +
       "ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\">" +
-      "<saml:Issuer>" + opts.entityId + "</saml:Issuer>" +
+      "<saml:Issuer>" + c14n.escapeText(opts.entityId) + "</saml:Issuer>" +
       nameIdPolicy +
       "</samlp:AuthnRequest>";
     var zlib = require("node:zlib");
@@ -436,9 +449,26 @@ function create(opts) {
         "verifyResponse: root element must be Response, got " + rootLocal);
     }
 
-    // Validate Status
-    var status = _findChild(root, "Status", SAML_NS.protocol);
-    var statusCode = status && _findChild(status, "StatusCode", SAML_NS.protocol);
+    // XSW defense — refuse duplicate top-level security-critical
+    // elements. SAML XML signature wrapping (XSW) attacks shuffle
+    // signed elements alongside unsigned siblings; the parser's
+    // first-match `_findChild` lookup combined with the signed-
+    // element-ID check at L479 was vulnerable to a multi-Assertion
+    // payload where the verifier signed one but the consumer read
+    // attributes from another. Reject any Response with more than
+    // one of these structural children (Audit 2026-05-11).
+    var statusChildren = _findAllChildren(root, "Status", SAML_NS.protocol);
+    if (statusChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-status",
+        "verifyResponse: Response has multiple <Status> children — XSW shape refused");
+    }
+    var status = statusChildren[0] || null;
+    var statusCodeChildren = status ? _findAllChildren(status, "StatusCode", SAML_NS.protocol) : [];
+    if (statusCodeChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-status-code",
+        "verifyResponse: <Status> has multiple <StatusCode> children — XSW shape refused");
+    }
+    var statusCode = statusCodeChildren[0] || null;
     var statusValue = statusCode && _attr(statusCode, "Value");
     if (statusValue !== "urn:oasis:names:tc:SAML:2.0:status:Success") {
       throw new AuthError("auth-saml/bad-status",
@@ -448,7 +478,12 @@ function create(opts) {
     // Validate signature: prefer Assertion-level (most secure — the
     // assertion is the security-critical element). Fall back to
     // Response-level when the IdP signs the envelope only.
-    var assertion = _findChild(root, "Assertion", SAML_NS.assertion);
+    var assertionChildren = _findAllChildren(root, "Assertion", SAML_NS.assertion);
+    if (assertionChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-assertion",
+        "verifyResponse: Response has multiple <Assertion> children — XSW shape refused");
+    }
+    var assertion = assertionChildren[0] || null;
     if (!assertion) {
       throw new AuthError("auth-saml/no-assertion", "verifyResponse: Response has no Assertion");
     }
@@ -484,10 +519,20 @@ function create(opts) {
         opts.idpEntityId + "\"");
     }
 
-    // Subject + SubjectConfirmation
-    var subject = _findChild(assertion, "Subject", SAML_NS.assertion);
+    // Subject + SubjectConfirmation — XSW: refuse duplicate <Subject>.
+    var subjectChildren = _findAllChildren(assertion, "Subject", SAML_NS.assertion);
+    if (subjectChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-subject",
+        "verifyResponse: Assertion has multiple <Subject> children — XSW shape refused");
+    }
+    var subject = subjectChildren[0] || null;
     if (!subject) throw new AuthError("auth-saml/no-subject", "verifyResponse: missing Subject");
-    var nameIdEl = _findChild(subject, "NameID", SAML_NS.assertion);
+    var nameIdChildren = _findAllChildren(subject, "NameID", SAML_NS.assertion);
+    if (nameIdChildren.length > 1) {
+      throw new AuthError("auth-saml/duplicate-nameid",
+        "verifyResponse: <Subject> has multiple <NameID> children — XSW shape refused");
+    }
+    var nameIdEl = nameIdChildren[0] || null;
     if (!nameIdEl) throw new AuthError("auth-saml/no-nameid", "verifyResponse: missing NameID");
     var nameId = _textContent(nameIdEl);
     var nameIdFormat = _attr(nameIdEl, "Format");
@@ -517,10 +562,17 @@ function create(opts) {
         continue;
       }
       var inResponseTo = _attr(scd, "InResponseTo");
-      if (vopts.expectedInResponseTo && inResponseTo !== vopts.expectedInResponseTo) {
-        throw new AuthError("auth-saml/bad-in-response-to",
-          "SubjectConfirmation InResponseTo \"" + inResponseTo +
-          "\" does not match expected \"" + vopts.expectedInResponseTo + "\" (replay defense)");
+      if (vopts.expectedInResponseTo) {
+        // Constant-time compare against the AuthnRequest ID the
+        // operator stored — protects against timing-based InResponseTo
+        // probing. timingSafeEqual returns false for missing /
+        // length-mismatch without leaking. (Audit 2026-05-11.)
+        if (inResponseTo === null || inResponseTo === undefined ||
+            !timingSafeEqual(inResponseTo, vopts.expectedInResponseTo)) {
+          throw new AuthError("auth-saml/bad-in-response-to",
+            "SubjectConfirmation InResponseTo does not match expected " +
+            "AuthnRequest ID (replay defense)");
+        }
       }
       bearerOk = true;
       break;
@@ -608,13 +660,16 @@ function create(opts) {
    *   });
    */
   function metadata() {
+    // RFC 3741 attr/text escaping for operator-supplied URLs / IDs —
+    // same audit-finding shape as buildAuthnRequest above.
+    var c14n = xmlC14n();
     return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-      "<md:EntityDescriptor xmlns:md=\"" + SAML_NS.metadata + "\" entityID=\"" + opts.entityId + "\">" +
+      "<md:EntityDescriptor xmlns:md=\"" + SAML_NS.metadata + "\" entityID=\"" + c14n.escapeAttrValue(opts.entityId) + "\">" +
       "<md:SPSSODescriptor protocolSupportEnumeration=\"" + SAML_NS.protocol + "\" " +
       "AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\">" +
       "<md:AssertionConsumerService " +
       "Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" " +
-      "Location=\"" + opts.assertionConsumerServiceUrl + "\" index=\"0\"/>" +
+      "Location=\"" + c14n.escapeAttrValue(opts.assertionConsumerServiceUrl) + "\" index=\"0\"/>" +
       "</md:SPSSODescriptor>" +
       "</md:EntityDescriptor>";
   }

package/lib/auth/sd-jwt-vc.js

@@ -61,9 +61,15 @@
  */
 
 var nodeCrypto = require("node:crypto");
+var blamejsCrypto = require("../crypto");
 var safeBuffer = require("../safe-buffer");
 var safeJson = require("../safe-json");
 var validateOpts = require("../validate-opts");
+
+function _timingSafeEqStr(a, b) {
+  if (typeof a !== "string" || typeof b !== "string") return false;
+  return blamejsCrypto.timingSafeEqual(a, b);
+}
 var disclosure = require("./sd-jwt-vc-disclosure");
 var sdJwtVcIssuer = require("./sd-jwt-vc-issuer");
 var sdJwtVcHolder = require("./sd-jwt-vc-holder");
@@ -284,7 +290,29 @@ function present(opts) {
   var jwt = parts[0];
   var allDisclosures = parts.slice(1).filter(function (p) { return p.length > 0; });
 
-  // Decode disclosures + filter by name
+  // Decode the issuer JWT payload to read its declared `_sd_alg` —
+  // KB-JWT `sd_hash` MUST be computed with the SAME hash algorithm
+  // the credential's `_sd` digests use (IETF SD-JWT draft §4.1.1).
+  // Hardcoded sha256 here previously diverged from the verifier when
+  // an issuer used a non-default hash, producing sd-hash-mismatch on
+  // valid presentations.
+  var _issuerPayload = null;
+  var _jwtParts = jwt.split(".");
+  if (_jwtParts.length === 3) {
+    try {
+      _issuerPayload = safeJson.parse(_b64uDecodeStr(_jwtParts[1]),
+        { maxBytes: 64 * 1024 });                                                                  // allow:bare-json-parse — payload only read to pull _sd_alg; final auth happens in verify() // allow:raw-byte-literal — JWT payload cap (64 KB)
+    } catch (_e) { _issuerPayload = null; }
+  }
+  var _sdAlg = (_issuerPayload && typeof _issuerPayload._sd_alg === "string")
+    ? _issuerPayload._sd_alg : "sha-256";
+  var _sdNodeHash = SUPPORTED_HASH_ALGS[_sdAlg];
+  if (!_sdNodeHash) {
+    throw new AuthError("auth-sd-jwt-vc/bad-hash",
+      "present: issuer credential declares _sd_alg \"" + _sdAlg +
+      "\" which this framework version does not support");
+  }
+
   var disclosedNames = Array.isArray(opts.disclosedClaimNames)
     ? opts.disclosedClaimNames.slice() : [];
   var releasedDisclosures = [];
@@ -314,7 +342,11 @@ function present(opts) {
       ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000);           // allow:raw-byte-literal — ms→s conversion factor
     // The KB-JWT's hash binds it to the specific SD-JWT + presentation
     var kbHashInput = presentation;     // jwt~d1~d2~ (without KB)
-    var sdHash = nodeCrypto.createHash("sha256")
+    // sd_hash uses the SAME hash algorithm the credential's _sd
+    // digests use (computed at top of present() from issuer payload).
+    // Matches the verifier's expectation in lib/auth/sd-jwt-vc.js
+    // verify() — both ends MUST agree on the algorithm.
+    var sdHash = nodeCrypto.createHash(_sdNodeHash)
                            .update(kbHashInput, "ascii")
                            .digest()
                            .toString("base64url");
@@ -429,12 +461,26 @@ async function verify(presentation, opts) {
   }
 
   // 3. Reconstruct disclosed claims from disclosures
-  var hashAlg = jwtParsed.payload._sd_alg || DEFAULT_HASH_ALG;
+  // IETF SD-JWT default `_sd_alg` is `sha-256` (draft-ietf-oauth-
+  // selective-disclosure-jwt §4.1.1). Earlier the framework defaulted
+  // to its own DEFAULT_HASH_ALG (`sha3-512`) which broke verification
+  // against spec-conformant issuers when `_sd_alg` was omitted.
+  // (Audit 2026-05-11.)
+  var hashAlg = jwtParsed.payload._sd_alg || "sha-256";
   if (!SUPPORTED_HASH_ALGS[hashAlg]) {
     throw new AuthError("auth-sd-jwt-vc/bad-hash",
       "verify: _sd_alg \"" + hashAlg + "\" not supported");
   }
   var sdDigests = Array.isArray(jwtParsed.payload._sd) ? jwtParsed.payload._sd : [];
+  // Protected-claim refusal: a holder-supplied disclosure with one
+  // of these names would shadow the issuer-signed payload claim when
+  // merged into the resolved set. Spec-protected per draft §5
+  // (the issuer-signed claims are authoritative).
+  var PROTECTED_CLAIM_NAMES = {
+    iss: 1, sub: 1, aud: 1, iat: 1, nbf: 1, exp: 1, jti: 1,
+    vct: 1, cnf: 1, _sd: 1, _sd_alg: 1, status: 1,
+  };
+  var seenDigests = Object.create(null);
   var disclosedClaims = {};
   for (var i = 0; i < disclosureParts.length; i++) {
     var d = disclosure.decode(disclosureParts[i]);
@@ -444,6 +490,23 @@ async function verify(presentation, opts) {
       throw new AuthError("auth-sd-jwt-vc/disclosure-mismatch",
         "verify: disclosure for claim \"" + d.name + "\" does not match any _sd digest");
     }
+    // Disclosure-replay defense — a holder presenting the same _sd
+    // digest twice (with the same or different values) is malformed
+    // per spec and is the shape of a partial-disclosure smuggling
+    // attack. Refuse on duplicate digest. (Audit 2026-05-11.)
+    if (seenDigests[digest]) {
+      throw new AuthError("auth-sd-jwt-vc/disclosure-replay",
+        "verify: disclosure digest \"" + digest.slice(0, 12) +
+        "...\" appears twice — refusing replayed disclosure");
+    }
+    seenDigests[digest] = true;
+    // Claim-shadowing defense — refuse holder-supplied disclosures
+    // whose name collides with an issuer-signed top-level claim.
+    if (PROTECTED_CLAIM_NAMES[d.name]) {
+      throw new AuthError("auth-sd-jwt-vc/protected-claim-shadow",
+        "verify: disclosure for claim \"" + d.name + "\" would shadow a " +
+        "spec-protected issuer-signed claim — refused");
+    }
     disclosedClaims[d.name] = d.value;
   }
 
@@ -485,14 +548,21 @@ async function verify(presentation, opts) {
       throw new AuthError("auth-sd-jwt-vc/wrong-nonce",
         "verify: KB-JWT nonce mismatch (replay defense)");
     }
-    // Validate KB-JWT sd_hash matches the presentation
+    // Validate KB-JWT sd_hash matches the presentation, using the
+    // credential's declared `_sd_alg` (audit 2026-05-11 — was
+    // hardcoded sha256 regardless of issuer's choice, breaking
+    // verification when issuer used sha3-512).
     var kbHashInput = jwt + "~";
     if (disclosureParts.length > 0) kbHashInput += disclosureParts.join("~") + "~";
-    var expectedSdHash = nodeCrypto.createHash("sha256")
+    var kbNodeHash = SUPPORTED_HASH_ALGS[hashAlg];
+    var expectedSdHash = nodeCrypto.createHash(kbNodeHash)
                                    .update(kbHashInput, "ascii")
                                    .digest()
                                    .toString("base64url");
-    if (kbParsed.payload.sd_hash !== expectedSdHash) {
+    // Constant-time compare on the sd_hash (both fixed-width
+    // base64url(SHA-*) strings; defense-in-depth even though the
+    // hash is itself the integrity binding).
+    if (!_timingSafeEqStr(kbParsed.payload.sd_hash, expectedSdHash)) {
       throw new AuthError("auth-sd-jwt-vc/sd-hash-mismatch",
         "verify: KB-JWT sd_hash does not match the presentation hash (presentation tampered with?)");
     }

package/lib/xml-c14n.js

@@ -495,5 +495,12 @@ module.exports = {
   parse:                   parse,
   canonicalize:            canonicalize,
   canonicalizeElementById: canonicalizeElementById,
+  // Exported so SAML metadata / AuthnRequest builders can interpolate
+  // operator-supplied URLs and IDs without raw string concatenation.
+  // _escapeAttrValue handles double-quoted attribute-value escaping
+  // (`"`, `&`, `<`, CR/LF/HT); _escapeText handles element text-node
+  // escaping (`&`, `<`, `>`, CR). Both are RFC 3741 §1.3.x compliant.
+  escapeAttrValue:         _escapeAttrValue,
+  escapeText:              _escapeText,
   XmlC14nError:            XmlC14nError,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.0",
+  "version": "0.9.2",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:a74ef77a-e3ee-4c9e-a870-42c5ab81c982",
+  "serialNumber": "urn:uuid:1fccffd9-4415-43af-8e59-a1b496768581",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-11T22:06:34.003Z",
+    "timestamp": "2026-05-11T23:52:18.846Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.0",
+      "bom-ref": "@blamejs/core@0.9.2",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.0",
+      "version": "0.9.2",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.0",
+      "purl": "pkg:npm/%40blamejs/core@0.9.2",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.0",
+      "ref": "@blamejs/core@0.9.2",
       "dependsOn": []
     }
   ]