@blamejs/core 0.9.49 → 0.10.1

package/lib/vendor-data.js

@@ -38,8 +38,17 @@
 
 var nodeCrypto = require("node:crypto");
 var safeEnv = require("./parsers/safe-env");
+var lazyRequire = require("./lazy-require");
 var { defineClass } = require("./framework-error");
 var pqcSoftware = require("./pqc-software");
+var bCrypto = lazyRequire(function () { return require("./crypto"); });
+
+var _audit = lazyRequire(function () { return require("./audit"); });
+
+// Lazy: audit imports b.crypto which imports b.audit indirectly via
+// vendor-data verifyAll on framework boot. Defer the audit module
+// until the first opt-out / digest-mismatch path runs.
+var audit = lazyRequire(function () { return require("./audit"); });
 
 // Framework-pinned vendor-data public key. Inlined as a CommonJS
 // module (lib/vendor/vendor-data-pubkey.js) so the loader has zero
@@ -166,9 +175,58 @@ function _loadAndVerify(name) {
       "expected=" + meta.sha3_512.slice(0, 12) + "… got=" + actual3.slice(0, 12) + "…");
   }
 
-  // Layer 3: SLH-DSA-SHAKE-256f signature verify against maintainer pubkey
-  var sigBytes = Buffer.from(meta.signatureB64, "base64");
+  // Cross-check meta.publicKeyFingerprint against the inlined pubkey
+  // before signature verify. An attacker who has swapped BOTH the
+  // payload AND the pubkey module (matched signature under the swap
+  // key) would otherwise pass every previous integrity layer; the
+  // fingerprint becomes decorative. Compute the sha3-512(PUBKEY_PEM)
+  // once at module load (memoized below) and compare each entry's
+  // declared fingerprint against the actual pubkey we'll verify
+  // under.
+  var actualPubkeyFp = _actualPubkeyFingerprint();
+  if (typeof meta.publicKeyFingerprint === "string" &&
+      meta.publicKeyFingerprint.length > 0 &&
+      meta.publicKeyFingerprint !== actualPubkeyFp) {
+    throw new VendorDataError("vendor-data/pubkey-fingerprint-mismatch",
+      "vendorData: '" + name + "' declared publicKeyFingerprint '" +
+      meta.publicKeyFingerprint + "' does not match the inlined pubkey " +
+      "fingerprint '" + actualPubkeyFp + "'. An attacker has either swapped " +
+      "the pubkey module + payload + signature in lockstep (impossible " +
+      "without the maintainer private key) OR the .data.js file was " +
+      "generated against a different signing key. Re-run scripts/vendor-data-keygen.js " +
+      "+ scripts/vendor-update.sh --refresh-data.");
+  }
+
+  // Layer 3a: operator-supplied fingerprint pin. SLSA L3 / in-toto
+  // attestation pattern — the runtime trust root (PUBKEY_PEM, inlined
+  // at build time) defends against payload swap; an operator-supplied
+  // env-var pin defends against attacker-swap of both pubkey AND
+  // signature in the same compromise. The pin is SHA-256 over the
+  // PEM-decoded raw SPKI bytes; operators capture it once at install
+  // time from a trusted channel (npm provenance / sigstore attestation
+  // / out-of-band copy) and re-verify on every boot.
   var pubkeyBytes = _pemToRaw(PUBKEY_PEM);
+  var pubkeyFp = nodeCrypto.createHash("sha256").update(pubkeyBytes).digest("hex");
+  var operatorFp = safeEnv.readVar("BLAMEJS_VENDOR_DATA_PUBKEY_FINGERPRINT", { default: "" });
+  if (operatorFp.length > 0) {
+    var normalizedOperatorFp = operatorFp.replace(/^sha256:/i, "").toLowerCase().trim();
+    if (!/^[0-9a-f]{64}$/.test(normalizedOperatorFp)) {
+      throw new VendorDataError("vendor-data/operator-fingerprint-bad-shape",
+        "vendorData: BLAMEJS_VENDOR_DATA_PUBKEY_FINGERPRINT must be a 64-hex SHA-256 (optionally `sha256:`-prefixed)");
+    }
+    // Length-tolerant timing-safe compare via b.crypto.timingSafeEqual.
+    if (!bCrypto.timingSafeEqual(normalizedOperatorFp, pubkeyFp)) {
+      throw new VendorDataError("vendor-data/operator-fingerprint-mismatch",
+        "vendorData: '" + name + "' SLH-DSA pubkey fingerprint does not match the " +
+        "operator-supplied BLAMEJS_VENDOR_DATA_PUBKEY_FINGERPRINT pin. " +
+        "expected=" + normalizedOperatorFp.slice(0, 12) + "… got=" +
+        pubkeyFp.slice(0, 12) + "…. The inlined PUBKEY_PEM has been swapped " +
+        "from what the operator captured at install time — refuse to load.");
+    }
+  }
+
+  // Layer 3b: SLH-DSA-SHAKE-256f signature verify against maintainer pubkey
+  var sigBytes = Buffer.from(meta.signatureB64, "base64");
   var slh = pqcSoftware.slh_dsa_shake_256f;
   var sigOk = false;
   try {
@@ -206,6 +264,22 @@ function _loadAndVerify(name) {
   return mod.payload;
 }
 
+// Memoized — "sha256:" + sha256(pemToRaw(PUBKEY_PEM)). Matches the
+// canonical fingerprint shape `scripts/vendor-data-gen.js` writes into
+// each .data.js's `metadata.publicKeyFingerprint`. Computed lazily on
+// first verify (also lazily by verifyAll at boot). CRYPTO-11 — every
+// per-entry verify cross-checks this against the entry's declared
+// `meta.publicKeyFingerprint` so a pubkey-swap attack fails before
+// signature verify even runs.
+var _PUBKEY_FINGERPRINT = null;
+function _actualPubkeyFingerprint() {
+  if (_PUBKEY_FINGERPRINT !== null) return _PUBKEY_FINGERPRINT;
+  var raw = _pemToRaw(PUBKEY_PEM);
+  _PUBKEY_FINGERPRINT = "sha256:" +
+    nodeCrypto.createHash("sha256").update(raw).digest("hex");
+  return _PUBKEY_FINGERPRINT;
+}
+
 // _pemToRaw — extract the raw SPKI bytes from a PEM-wrapped public key.
 // The .vendor-data-pubkey file ships as PEM (BEGIN PUBLIC KEY ... END
 // PUBLIC KEY); the SLH-DSA verifier expects raw bytes. We strip the
@@ -315,7 +389,16 @@ function verifyAll() {
  *                 " — signed by " + entry.signedBy);
  *   });
  */
+// Rendered-inventory cache. Operators wire `b.vendorData.inventory()`
+// into compliance-reporting endpoints (e.g. /admin/vendor-inventory)
+// where the call surface is read-heavy and the underlying inputs
+// (verified payload buffers + frozen KNOWN_VENDOR_DATA + immutable
+// .data.js metadata) never change after boot. Cache once and serve
+// the same frozen array reference. ~30ms saved per call.
+var _inventoryCache = null;
+
 function inventory() {
+  if (_inventoryCache !== null) return _inventoryCache;
   var out = [];
   var names = Object.keys(KNOWN_VENDOR_DATA);
   for (var i = 0; i < names.length; i++) {
@@ -324,7 +407,7 @@ function inventory() {
     _loadAndVerify(name);
     var mod = _MODULES[name];
     var meta = mod.metadata;
-    out.push({
+    out.push(Object.freeze({
       name:        name,
       source:      meta.source,
       fetchedAt:   meta.fetchedAt,
@@ -335,9 +418,10 @@ function inventory() {
       canary:      entry.canary,
       byteLength:  mod.payload.length,
       description: entry.description,
-    });
+    }));
   }
-  return out;
+  _inventoryCache = Object.freeze(out);
+  return _inventoryCache;
 }
 
 // Eager verification at module-load. The first time anything
@@ -346,10 +430,44 @@ function inventory() {
 // framework consumer's import graph), every registered vendor data
 // file is dual-hash + signature + canary-verified before any caller
 // gets the chance to call get(). Tamper = fail-fast at boot, not at
-// first-request-touches-PSL surprise. Operators wanting to defer
-// verification (e.g. test rigs that mock require() resolution) set
-// BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY=1 in the environment.
-if (safeEnv.readVar("BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY", { default: "" }) !== "1") {
+// first-request-touches-PSL surprise.
+//
+// Operators wanting to defer verification (test rigs that mock
+// require() resolution, install-pipeline contexts that intentionally
+// run before the trust roots are populated) must opt in via TWO env
+// vars: BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY=1 PLUS a non-empty
+// BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON explaining WHY.
+// Setting the flag alone is refused so a misconfigured CI / Docker
+// image can't silently bypass tamper detection. SSDF PW.4 — every
+// security-default-disable lives in the audit log with an operator-
+// attributed reason.
+var _deferFlag = safeEnv.readVar("BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY", { default: "" });
+if (_deferFlag === "1") {
+  var _deferReason = safeEnv.readVar("BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON", { default: "" });
+  if (_deferReason.length === 0) {
+    throw new VendorDataError("vendor-data/defer-reason-required",
+      "vendorData: BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY=1 set WITHOUT " +
+      "BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON. Boot-time vendor " +
+      "verification is a security default — disabling it requires the " +
+      "operator to record WHY in the env so the misconfig is grep-able in " +
+      "the next deploy diff. Set BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON " +
+      "to a non-empty string (e.g. 'test-rig:require-mock' or 'install-pipeline:pre-trust-root-populated').");
+  }
+  // Audit emit is best-effort: the audit module may not be initialized
+  // yet (boot sequencing). Operators alerting on "boot-time
+  // verification deferred" catch a malicious pivot that set the flag
+  // through a compromised env source.
+  try {
+    audit().safeEmit({
+      action:  "vendor-data.boot_verify_deferred",
+      outcome: "denied",
+      metadata: {
+        reason:          _deferReason.slice(0, 256),                          // allow:raw-byte-literal — audit metadata truncation limit
+        vendorDataKnown: Object.keys(KNOWN_VENDOR_DATA),
+      },
+    });
+  } catch (_e) { /* drop-silent — audit not ready at boot */ }
+} else {
   verifyAll();
 }