@smartledger/bsv 3.4.5 → 4.0.0

package/lib/crypto/ecdsa.js

@@ -172,30 +172,27 @@ ECDSA.prototype.sigError = function () {
     return 'hashbuf must be a 32 byte buffer'
   }
 
-  // === SmartLedger Security Patches ===
-  // Apply security validation during cryptographic verification
   var r = this.sig.r
   var s = this.sig.s
   var n = Point.getN()
 
   try {
-    // Fix 1 & 2: Enhanced range validation
-    if (r.isZero() || s.isZero() || r.gte(n) || s.gte(n)) {
+    // Reject out-of-range r, s: both must lie in [1, n-1]. lte(0) covers
+    // negative and zero values; gte(n) covers anything at or above the order.
+    if (r.lte(BN.Zero) || s.lte(BN.Zero) || r.gte(n) || s.gte(n)) {
       return 'r and s not in range'
     }
 
-    // Fix 3: Handle canonicalization properly
-    // For verification, we need to try both the original s and canonical s
-    // This handles both pre-canonicalized signatures and non-canonical ones
-    var nh = n.shrn(1) // n/2
-    var canonicalS = s.gt(nh) ? n.sub(s) : s
-
     var e = BN.fromBuffer(this.hashbuf, this.endian ? {
       endian: this.endian
     } : undefined)
 
-    // Try verification with canonical s
-    var sinv = canonicalS.invm(n)
+    // Standard ECDSA verification. This accepts both (r, s) and (r, n - s):
+    // ECDSA is inherently malleable in s, and verifying the canonical form
+    // yields the same accept/reject as verifying s directly, so there is no
+    // need to canonicalize or retry here. Low-S is enforced at *signing* time
+    // (see ECDSA.toLowS), which is where malleability protection belongs.
+    var sinv = s.invm(n)
     var u1 = sinv.mul(e).umod(n)
     var u2 = sinv.mul(r).umod(n)
 
@@ -205,23 +202,9 @@ ECDSA.prototype.sigError = function () {
     }
 
     if (p.getX().umod(n).cmp(r) !== 0) {
-      // If canonical verification failed and s was already canonical, 
-      // try with the non-canonical version (for backwards compatibility)
-      if (s.lte(nh)) {
-        var nonCanonicalS = n.sub(s)
-        sinv = nonCanonicalS.invm(n)
-        u1 = sinv.mul(e).umod(n)
-        u2 = sinv.mul(r).umod(n)
-        
-        p = Point.getG().mulAdd(u1, this.pubkey.point, u2)
-        if (!p.isInfinity() && p.getX().umod(n).cmp(r) === 0) {
-          return false  // Verification succeeded with non-canonical s
-        }
-      }
       return 'Invalid signature'
-    } else {
-      return false  // Verification succeeded with canonical s
     }
+    return false
   } catch (error) {
     return 'Signature security validation failed: ' + error.message
   }

package/lib/ecies/electrum-ecies.js

@@ -163,7 +163,18 @@ ECIES.prototype.decrypt = function (encbuf) {
   var hmac2 = Hash.sha256hmac(encbuf.slice(0, encbuf.length - tagLength), this.kM)
   if (this.opts.shortTag) hmac2 = hmac2.slice(0, 4)
 
-  if (!hmac.equals(hmac2)) {
+  // Constant-time tag comparison. Buffer.equals() short-circuits on the first
+  // differing byte, which leaks how many leading bytes matched and enables a
+  // forgery oracle on the MAC; compare every byte unconditionally instead
+  // (mirrors the loop in bitcore-ecies.js).
+  if (hmac.length !== hmac2.length) {
+    throw new errors.DecryptionError('Invalid checksum')
+  }
+  var equal = 0
+  for (var i = 0; i < hmac2.length; i++) {
+    equal |= (hmac[i] ^ hmac2[i])
+  }
+  if (equal !== 0) {
     throw new errors.DecryptionError('Invalid checksum')
   }
 

package/lib/gdaf/attestation-signer.js

@@ -49,14 +49,49 @@ function AttestationSigner(privateKey, options) {
   return this
 }
 
+/**
+ * Recursively produce a value with all object keys sorted, so that
+ * JSON.stringify yields a deterministic, fully-covering serialization.
+ *
+ * IMPORTANT: this replaces a previous implementation that called
+ * `JSON.stringify(obj, Object.keys(obj).sort())`. That used the JSON.stringify
+ * *replacer array* form, which whitelists keys at EVERY nesting level to the
+ * top-level key set. The result was that nested objects (notably
+ * `credentialSubject`) serialized to `{}` and were therefore NOT covered by the
+ * signature -- a forger could rewrite the subject's claims without invalidating
+ * the proof. This recursive sort includes every key at every depth.
+ *
+ * Note: keys are ordered with Array.prototype.sort (UTF-16 code-unit order) and
+ * inserted in that order. Credential keys are non-integer strings, so insertion
+ * order is preserved by JSON.stringify; do not feed integer-like keys here.
+ *
+ * @param {*} value - Value to canonicalize
+ * @returns {*} Value with all nested object keys sorted
+ * @private
+ */
+AttestationSigner._sortValue = function(value) {
+  if (Array.isArray(value)) {
+    // Arrays are order-significant: preserve order, canonicalize each element.
+    return value.map(function(item) { return AttestationSigner._sortValue(item) })
+  }
+  if (value !== null && typeof value === 'object') {
+    return Object.keys(value).sort().reduce(function(sorted, key) {
+      sorted[key] = AttestationSigner._sortValue(value[key])
+      return sorted
+    }, {})
+  }
+  // Primitives (string, number, boolean, null) are returned unchanged.
+  return value
+}
+
 /**
  * Create canonical JSON string for signing
  * @param {Object} obj - Object to canonicalize
  * @returns {String} Canonical JSON string
  */
 AttestationSigner._canonicalizeJSON = function(obj) {
-  // Use deterministic JSON serialization
-  return JSON.stringify(obj, Object.keys(obj).sort())
+  // Deterministic serialization that covers every nested key at every depth.
+  return JSON.stringify(AttestationSigner._sortValue(obj))
 }
 
 /**

package/lib/gdaf/attestation-verifier.js

@@ -251,6 +251,16 @@ AttestationVerifier._validateStructure = function(credential) {
  * Verify credential signature
  * @private
  */
+AttestationVerifier._normalizeDID = function(issuer) {
+  // W3C VC allows `issuer` to be a DID string or an object with an `id`.
+  var did = (issuer && typeof issuer === 'object') ? issuer.id : issuer
+  if (typeof did !== 'string' || did.length === 0) {
+    return null
+  }
+  // Strip any fragment so `did:...#keys-1` compares equal to `did:...`.
+  return did.split('#')[0]
+}
+
 AttestationVerifier._verifySignature = async function(credential) {
   try {
     var proof = credential.proof
@@ -273,7 +283,22 @@ AttestationVerifier._verifySignature = async function(credential) {
     // Extract DID from verification method
     var verificationMethod = proof.verificationMethod
     var did = verificationMethod.split('#')[0]
-    
+
+    // Bind the signing key to the claimed issuer. Without this, a valid
+    // signature from ANY DID is accepted while `credential.issuer` names a
+    // different (e.g. trusted) authority -- an issuer-spoofing forgery. The
+    // DID that owns the verificationMethod MUST equal the credential issuer.
+    var issuerDID = AttestationVerifier._normalizeDID(credential.issuer)
+    if (!issuerDID) {
+      return { valid: false, errors: ['Missing or invalid credential issuer'] }
+    }
+    if (issuerDID !== did) {
+      return {
+        valid: false,
+        errors: ['Verification method DID (' + did + ') does not match credential issuer (' + issuerDID + ')']
+      }
+    }
+
     // Get public key from DID
     var publicKey = DIDResolver.getPublicKey(did)
     
@@ -292,9 +317,12 @@ AttestationVerifier._verifySignature = async function(credential) {
     ecdsa.hashbuf = credentialHash
     ecdsa.pubkey = publicKey
     ecdsa.sig = signature
-    
-    var valid = ecdsa.verify()
-    
+
+    // NOTE: ECDSA.prototype.verify() returns the ECDSA *instance* (always
+    // truthy), not a boolean. Read the `.verified` flag, otherwise every
+    // structurally-valid proof passes regardless of the actual signature.
+    var valid = ecdsa.verify().verified
+
     if (valid) {
       return {
         valid: true,
@@ -355,9 +383,11 @@ AttestationVerifier._verifyPresentationSignature = async function(presentation)
     ecdsa.hashbuf = presentationHash
     ecdsa.pubkey = publicKey
     ecdsa.sig = signature
-    
-    var valid = ecdsa.verify()
-    
+
+    // ECDSA.prototype.verify() returns the instance, not a boolean — read
+    // `.verified` (see _verifySignature).
+    var valid = ecdsa.verify().verified
+
     return {
       valid: valid,
       errors: valid ? [] : ['Presentation signature verification failed']
@@ -392,10 +422,18 @@ AttestationVerifier._validateIssuer = async function(credential, options) {
       return { valid: false, errors: errors }
     }
     
-    // Check if issuer is in trusted list
+    // Enforce the trusted-issuer allow-list when one is supplied. Previously a
+    // non-member only produced a warning, so `trustedIssuers` provided no
+    // actual enforcement and any resolvable DID was accepted. Comparison is
+    // done on normalized DIDs so fragment/object issuer forms match.
     if (options.trustedIssuers && Array.isArray(options.trustedIssuers)) {
-      if (!options.trustedIssuers.includes(issuer)) {
-        warnings.push('Issuer not in trusted list')
+      var issuerDID = AttestationVerifier._normalizeDID(issuer)
+      var trusted = options.trustedIssuers
+        .map(function(t) { return AttestationVerifier._normalizeDID(t) })
+        .filter(Boolean)
+      if (!issuerDID || trusted.indexOf(issuerDID) === -1) {
+        errors.push('Issuer not in trusted list')
+        return { valid: false, errors: errors, warnings: warnings }
       }
     }
     

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@smartledger/bsv",
-  "version": "3.4.5",
+  "version": "4.0.0",
   "description": "🚀 Complete Bitcoin SV development framework with legally-recognizable DID:web + W3C VC-JWT toolkit, Legal Token Protocol (LTP), Global Digital Attestation Framework (GDAF), StatusList2021 revocation, and 16 flexible loading options. Standards-based credentials with ES256/ES256K support, on-chain BSV anchoring, and comprehensive Bitcoin SV API. Perfect for legal tokens, verifiable credentials, DeFi, smart contracts, and secure Bitcoin applications.",
   "author": "SmartLedger Technology <hello@smartledger.technology> (https://smartledger.technology)",
   "homepage": "https://github.com/codenlighten/smartledger-bsv#readme",
@@ -74,7 +74,6 @@
     "lib/",
     "utilities/*.js",
     "utilities/README.md",
-    "utilities/wallet.json",
     "ecies/",
     "message/",
     "mnemonic/",
@@ -132,7 +131,6 @@
     "debug-tools",
     "modular-loading",
     "standalone-modules",
-    "security-hardened",
     "elliptic-curve-fix",
     "smartledger",
     "transaction",
@@ -184,7 +182,6 @@
     "webpack-ready",
     "cdn-ready",
     "typescript-definitions",
-    "vulnerability-free",
     "drop-in-replacement",
     "performance-optimized",
     "bip21",

package/utilities/wallet.json

@@ -1,30 +0,0 @@
-{
-  "wallet": {
-    "privateKeyWIF": "KwbaQqFUpt9MYQRrkVWk7QC799nAfcqYRYKj4ZNeZBkut3YP45rJ",
-    "privateKeyHex": "KwbaQqFUpt9MYQRrkVWk7QC799nAfcqYRYKj4ZNeZBkut3YP45rJ",
-    "publicKey": "02330726b97010d7bb1f88b1213330e644916cedfd5fee9c57153592c6b5a44fe9",
-    "address": "15XJXD7CSMqHL2ivFCu8PZTACQQ8MPbWY9",
-    "pubkeyHash160": "319b9b8eef10d00cf84b5d4772dca69b5f5a7b5c"
-  },
-  "utxo": {
-    "txid": "d6625d13f3130360dea7ebe8ccf8ccdb5e40b3cd5ea51b2094983a3789354c3e",
-    "vout": 0,
-    "outputIndex": 0,
-    "script": "76a914319b9b8eef10d00cf84b5d4772dca69b5f5a7b5c88ac",
-    "scriptPubKey": "76a914319b9b8eef10d00cf84b5d4772dca69b5f5a7b5c88ac",
-    "satoshis": 50000,
-    "address": "15XJXD7CSMqHL2ivFCu8PZTACQQ8MPbWY9"
-  },
-  "testParams": {
-    "nLockTimeTarget": 1000,
-    "sighashType": 65,
-    "covenantAmount": 40000,
-    "fee": 1000,
-    "changeAmount": 9000
-  },
-  "metadata": {
-    "created": "2025-10-19T14:33:10.987Z",
-    "description": "Test wallet and UTXO for BSV preimage covenant testing",
-    "version": "1.0"
-  }
-}