@smartledger/bsv 3.4.3 → 3.4.4

package/SECURITY.md

@@ -0,0 +1,88 @@
+# Security Policy
+
+Thank you for helping keep `@smartledger/bsv` and its users safe.
+
+## Supported Versions
+
+Security fixes are applied to the latest minor release line. Earlier releases
+are not patched; please upgrade.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.4.x   | :white_check_mark: |
+| < 3.4   | :x:                |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues,
+discussions, or pull requests.**
+
+Report privately via either of:
+
+- **GitHub Security Advisories** (preferred):
+  <https://github.com/codenlighten/smartledger-bsv/security/advisories/new>
+- **Email:** `hello@smartledger.technology`
+
+When reporting, please include as much of the following as you can:
+
+- Affected version(s) and platform (Node.js version, browser, CDN vs. npm)
+- A minimal reproduction (code snippet, transaction hex, or test vector)
+- Impact assessment — what an attacker can do with the bug
+- Any suggested mitigation
+
+We aim to acknowledge new reports within **3 business days** and to provide a
+remediation timeline within **10 business days**. Coordinated disclosure is
+appreciated; we will credit reporters in the release notes unless you prefer
+to remain anonymous.
+
+## In Scope
+
+- Cryptographic correctness bugs in `lib/crypto/` (ECDSA, BN, Hash, Random,
+  Point, Signature, Shamir).
+- Signature/transaction malleability or forgery affecting the default verify
+  path (`lib/crypto/ecdsa.js`) or the opt-in helpers (`SmartVerify`,
+  `EllipticFixed`).
+- Key-generation, HD-derivation (BIP-32), or mnemonic (BIP-39) flaws that
+  weaken entropy or leak material.
+- Issues in DID:web, VC-JWT, StatusList2021, or Anchor modules that allow
+  forgery, replay, or unauthorized revocation.
+- Bugs in BIP-143 preimage handling, covenant construction, or LTP/GDAF
+  signing paths.
+- Supply-chain concerns about pinned runtime dependencies
+  (`elliptic@6.6.1`, `bn.js@4.11.9`, `bs58@4.0.1`, etc.).
+
+## Out of Scope
+
+- Vulnerabilities in development-only dependencies (`webpack 4`, `standard 12`,
+  `mocha 8`, etc.). These are tracked separately and addressed in the planned
+  3.5.0 toolchain upgrade.
+- Issues that require a malicious local environment (compromised Node, browser
+  extension, or filesystem) to exploit.
+- Denial-of-service from intentionally malformed inputs that do **not** cross
+  a trust boundary (e.g., feeding garbage to a library function in your own
+  process and observing it throw).
+- Stylistic, naming, or documentation issues unrelated to security claims —
+  please open a regular issue or PR for those.
+
+## Security Posture
+
+`@smartledger/bsv` ships **opt-in** hardening helpers — `bsv.SmartVerify`,
+`bsv.EllipticFixed`, and `signature.toCanonical()` — that you must call
+explicitly. The default `transaction.verify()` / `signature.verify()` /
+`Message().verify()` paths use BSV's own pure-JS ECDSA in
+`lib/crypto/ecdsa.js` and are **not** routed through `SmartVerify`.
+
+See the [Security section of the README](./README.md#-security) for the full
+"what's in the box" table and usage examples for the opt-in helpers. A
+planned 3.5.0 will offer an opt-in flag to route the default verify path
+through `SmartVerify` so the protection is on by default for new users.
+
+## Disclosure History
+
+Significant security-relevant changes are documented in
+[`CHANGELOG.md`](./CHANGELOG.md). Recent entries of note:
+
+- **3.4.2 / 3.4.3** — corrected documentation overclaims about which
+  hardening is on by default vs. opt-in.
+- **3.4.1** — `Transaction.shuffleOutputs()` now draws entropy from
+  `bsv.crypto.Random` (CSPRNG) instead of `Math.random`.

package/bin/cli.js

@@ -8,6 +8,7 @@
 
 var fs = require('fs')
 var path = require('path')
+var pkg = require('../package.json')
 var didweb = require('../lib/didweb')
 var vcjwt = require('../lib/vcjwt')
 var statuslist = require('../lib/statuslist')
@@ -43,8 +44,13 @@ function writeJsonFile(filepath, data) {
 }
 
 async function main() {
-  if (!command) {
-    console.log('SmartLedger BSV CLI v3.4.0')
+  if (command === '--version' || command === '-v') {
+    console.log(pkg.version)
+    process.exit(0)
+  }
+
+  if (!command || command === '--help' || command === '-h' || command === 'help') {
+    console.log('SmartLedger BSV CLI v' + pkg.version)
     console.log('')
     console.log('Usage:')
     console.log('  smartledger-bsv didweb <subcommand> [options]')
@@ -205,15 +211,14 @@ async function handleVc(subcommand, opts) {
     
     console.error('Verifying credential...')
     
-    // Simple resolver that reads from .well-known
-    var didResolver = async function(did) {
-      var domain = did.replace('did:web:', '').replace(/%3A/g, ':')
+    // Simple resolver that reads from .well-known. lib/vcjwt expects
+    // `{ jwks: { keys: [...] } }`; jwks.json on disk is the raw JWKS,
+    // so wrap it.
+    var didResolver = async function (did) {
       var jwksPath = path.join(process.cwd(), '.well-known', 'jwks.json')
-      
       if (fs.existsSync(jwksPath)) {
-        return readJsonFile(jwksPath)
+        return { jwks: readJsonFile(jwksPath) }
       }
-      
       throw new Error('Cannot resolve DID: ' + did)
     }