payment-kit 1.29.6 → 1.29.7

package/api/tests/integrations/app-store/native-jws.spec.ts

@@ -0,0 +1,219 @@
+// Unit tests for the native Apple JWS verifier (Phase 1, Path A).
+//
+// Synthetic chains (make-chain.ts) exercise the algorithm with an injected test
+// root; the committed REAL Apple sandbox JWS (real-sandbox.jws) proves the real
+// OID + 3-cert chain end-to-end (design §11). No env flag needed — verifyAppleJws
+// is pure (the flag only selects native vs legacy in signed-data-verifier).
+
+import { readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { buildJws, makeChain } from './fixtures/make-chain';
+import { AppleJwsVerifyError, verifyAppleJws } from '../../../src/integrations/app-store/native-jws';
+import type { JwsTransactionPayload } from '../../../src/integrations/app-store/native-jws';
+
+const FIXED_SIGNED_DATE = 1_700_000_000_000;
+
+/** A valid chain + the trustedRoots list that anchors it (the chain's own root). */
+function freshChainCtx(opts: Parameters<typeof makeChain>[0] = {}) {
+  const chain = makeChain({ signedDate: FIXED_SIGNED_DATE, ...opts });
+  const trustedRoots = [Buffer.from(chain.x5c[2]!, 'base64')];
+  return { chain, trustedRoots };
+}
+
+async function expectCode(promise: Promise<unknown>, code: string): Promise<void> {
+  await expect(promise).rejects.toMatchObject({ code });
+}
+
+describe('verifyAppleJws — happy path', () => {
+  it('decodes a synthetic chain when its root is trusted; fields match the signed payload', async () => {
+    const { chain, trustedRoots } = freshChainCtx({
+      payload: { productId: 'sub_happy', expiresDate: 1_900_000_000_000, appAccountToken: 'uuid-happy' },
+    });
+    const decoded = await verifyAppleJws<JwsTransactionPayload>(chain.jws, { trustedRoots });
+    expect(decoded.transactionId).toBe('txn_synth_1');
+    expect(decoded.productId).toBe('sub_happy');
+    expect(decoded.expiresDate).toBe(1_900_000_000_000);
+    expect(decoded.appAccountToken).toBe('uuid-happy');
+    expect(decoded.signedDate).toBe(FIXED_SIGNED_DATE);
+  });
+
+  it('verifies the REAL Apple sandbox JWS against the vendored Apple roots end-to-end', async () => {
+    const jws = readFileSync(path.join(__dirname, 'fixtures', 'real-sandbox.jws'), 'utf8').trim();
+    const meta = JSON.parse(readFileSync(path.join(__dirname, 'fixtures', 'real-sandbox.json'), 'utf8'));
+    // default trustedRoots = APPLE_ROOT_CERTS (the real chain anchors to Apple Root CA G3)
+    const decoded = await verifyAppleJws<JwsTransactionPayload>(jws);
+    expect(decoded.transactionId).toBe(meta.decoded_payload.transactionId);
+    expect(decoded.bundleId).toBe('io.arcblock.ai.stro');
+    expect(decoded.productId).toBe(meta.decoded_payload.productId);
+    expect(decoded.signedDate).toBe(meta.decoded_payload.signedDate);
+  });
+});
+
+describe('verifyAppleJws — bad input', () => {
+  it('rejects non-3-segment JWS', async () => {
+    await expectCode(verifyAppleJws('a.b'), 'FORMAT');
+  });
+
+  it('rejects x5c.length !== 3 with INVALID_CHAIN_LENGTH', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const { jws } = buildJws({ alg: 'ES256', x5c: chain.x5c.slice(0, 2) }, chain.payload, chain.keys.leafKeyPem);
+    await expectCode(verifyAppleJws(jws, { trustedRoots }), 'INVALID_CHAIN_LENGTH');
+  });
+
+  it('rejects a header that is not base64url JSON', async () => {
+    await expectCode(verifyAppleJws('!!!notjson.payload.sig'), 'HEADER');
+  });
+
+  it('rejects a payload that is not valid JSON (after a valid chain)', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const headerSeg = chain.jws.split('.')[0]!;
+    const badPayload = Buffer.from('not json at all').toString('base64url');
+    const jws = `${headerSeg}.${badPayload}.${chain.jws.split('.')[2]}`;
+    await expectCode(verifyAppleJws(jws, { trustedRoots }), 'PAYLOAD');
+  });
+});
+
+describe('verifyAppleJws — security', () => {
+  it('rejects a tampered payload (signature no longer matches)', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const [h, , s] = chain.jws.split('.');
+    const tampered = Buffer.from(JSON.stringify({ ...chain.payload, productId: 'EVIL' })).toString('base64url');
+    await expectCode(verifyAppleJws(`${h}.${tampered}.${s}`, { trustedRoots }), 'SIGNATURE');
+  });
+
+  it('rejects a tampered signature', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const [h, p] = chain.jws.split('.');
+    const sigBytes = Buffer.from(chain.jws.split('.')[2]!, 'base64url');
+    sigBytes[0] = sigBytes[0]! ^ 0xff;
+    await expectCode(verifyAppleJws(`${h}.${p}.${sigBytes.toString('base64url')}`, { trustedRoots }), 'SIGNATURE');
+  });
+
+  it('rejects alg: "none" and alg: "RS256" (alg whitelist)', async () => {
+    const none = freshChainCtx({ alg: 'none' });
+    await expectCode(verifyAppleJws(none.chain.jws, { trustedRoots: none.trustedRoots }), 'ALG');
+    const rs = freshChainCtx({ alg: 'RS256' });
+    await expectCode(verifyAppleJws(rs.chain.jws, { trustedRoots: rs.trustedRoots }), 'ALG');
+  });
+
+  it('rejects when the presented root is NOT a trusted anchor', async () => {
+    const { chain } = freshChainCtx();
+    // default APPLE_ROOT_CERTS does NOT contain the synthetic root
+    await expectCode(verifyAppleJws(chain.jws), 'ANCHOR');
+  });
+
+  it('rejects a cross-signed leaf (chain break) before signature', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const header = { alg: 'ES256', x5c: [chain.crossSignedLeaf, chain.x5c[1], chain.x5c[2]] };
+    const { jws } = buildJws(header, chain.payload, chain.keys.leafKeyPem);
+    await expectCode(verifyAppleJws(jws, { trustedRoots }), 'CHAIN');
+  });
+
+  it('rejects when the leaf is missing the Apple OID', async () => {
+    const { chain, trustedRoots } = freshChainCtx({ leafOid: false });
+    await expectCode(verifyAppleJws(chain.jws, { trustedRoots }), 'OID');
+  });
+
+  it('rejects when the intermediate is missing the Apple OID', async () => {
+    const { chain, trustedRoots } = freshChainCtx({ intOid: false });
+    await expectCode(verifyAppleJws(chain.jws, { trustedRoots }), 'OID');
+  });
+
+  it('does not pollute Object.prototype from a hostile __proto__ payload', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const headerSeg = chain.jws.split('.')[0]!;
+    // own __proto__ key via JSON.parse, then sign it so the chain is valid
+    const hostile = JSON.parse(
+      '{"__proto__":{"polluted":true},"transactionId":"t","productId":"p","signedDate":1700000000000}'
+    );
+    const { jws } = buildJws(
+      JSON.parse(Buffer.from(headerSeg, 'base64url').toString('utf8')),
+      hostile,
+      chain.keys.leafKeyPem
+    );
+    const decoded = await verifyAppleJws<Record<string, unknown>>(jws, { trustedRoots });
+    expect(({} as Record<string, unknown>).polluted).toBeUndefined();
+    expect(Object.prototype.hasOwnProperty.call(decoded, '__proto__')).toBe(false);
+  });
+});
+
+describe('verifyAppleJws — validity & clock skew (±60s, all 3 certs)', () => {
+  // boundary: reject if validTo < effectiveDate − 60s; pass at exactly −60s.
+  it('passes at the expiry boundary (effectiveDate = validTo + 60s) and rejects 1ms past it', async () => {
+    const validTo = new Date(FIXED_SIGNED_DATE);
+    const ctxPass = freshChainCtx({ certValidTo: validTo, signedDate: FIXED_SIGNED_DATE + 60_000 });
+    await expect(verifyAppleJws(ctxPass.chain.jws, { trustedRoots: ctxPass.trustedRoots })).resolves.toBeDefined();
+    const ctxFail = freshChainCtx({ certValidTo: validTo, signedDate: FIXED_SIGNED_DATE + 60_000 + 1 });
+    await expectCode(verifyAppleJws(ctxFail.chain.jws, { trustedRoots: ctxFail.trustedRoots }), 'CERT_EXPIRED');
+  });
+
+  it('passes at the not-yet-valid boundary (effectiveDate = validFrom − 60s) and rejects 1ms before it', async () => {
+    const validFrom = new Date(FIXED_SIGNED_DATE);
+    const ctxPass = freshChainCtx({ certValidFrom: validFrom, signedDate: FIXED_SIGNED_DATE - 60_000 });
+    await expect(verifyAppleJws(ctxPass.chain.jws, { trustedRoots: ctxPass.trustedRoots })).resolves.toBeDefined();
+    const ctxFail = freshChainCtx({ certValidFrom: validFrom, signedDate: FIXED_SIGNED_DATE - 60_000 - 1 });
+    await expectCode(verifyAppleJws(ctxFail.chain.jws, { trustedRoots: ctxFail.trustedRoots }), 'CERT_NOT_YET_VALID');
+  });
+
+  it('rejects when ONLY the intermediate is expired (proves int is checked, not just leaf)', async () => {
+    const { chain, trustedRoots } = freshChainCtx({
+      certWindows: { intermediate: { to: new Date(FIXED_SIGNED_DATE - 3_600_000) } },
+    });
+    await expectCode(verifyAppleJws(chain.jws, { trustedRoots }), 'CERT_EXPIRED');
+  });
+
+  it('rejects when ONLY the root is expired (proves root is checked)', async () => {
+    const { chain, trustedRoots } = freshChainCtx({
+      certWindows: { root: { to: new Date(FIXED_SIGNED_DATE - 3_600_000) } },
+    });
+    await expectCode(verifyAppleJws(chain.jws, { trustedRoots }), 'CERT_EXPIRED');
+  });
+});
+
+describe('verifyAppleJws — data loss (concurrency / statelessness)', () => {
+  it('resolves all concurrent verifications correctly (no shared mutable state)', async () => {
+    const { chain, trustedRoots } = freshChainCtx();
+    const results = await Promise.all(
+      Array.from({ length: 12 }, () => verifyAppleJws<JwsTransactionPayload>(chain.jws, { trustedRoots }))
+    );
+    for (const r of results) expect(r.transactionId).toBe('txn_synth_1');
+  });
+});
+
+describe('verifyAppleJws — data damage (type/encoding fidelity)', () => {
+  it('keeps numbers as numbers and round-trips unicode byte-faithfully', async () => {
+    const { chain, trustedRoots } = freshChainCtx({
+      payload: { productId: '产品_🎉', expiresDate: 1_888_888_888_888, appAccountToken: 'uuid-😀' },
+    });
+    const decoded = await verifyAppleJws<JwsTransactionPayload>(chain.jws, { trustedRoots });
+    expect(decoded.productId).toBe('产品_🎉');
+    expect(decoded.appAccountToken).toBe('uuid-😀');
+    expect(typeof decoded.expiresDate).toBe('number');
+    expect(decoded.expiresDate).toBe(1_888_888_888_888);
+  });
+
+  it('leaves a missing expiresDate as undefined (never coerced to 0/null)', async () => {
+    const { chain, trustedRoots } = freshChainCtx(); // default payload has no expiresDate
+    const decoded = await verifyAppleJws<JwsTransactionPayload>(chain.jws, { trustedRoots });
+    expect('expiresDate' in decoded).toBe(false);
+    expect(decoded.expiresDate).toBeUndefined();
+  });
+});
+
+describe('verifyAppleJws — data leak (errors name the failure, not secrets)', () => {
+  it('throws AppleJwsVerifyError with a code and never echoes the raw cert/JWS material', async () => {
+    const { chain } = freshChainCtx();
+    try {
+      await verifyAppleJws(chain.jws); // ANCHOR (synthetic root not trusted)
+      throw new Error('should have rejected');
+    } catch (err) {
+      expect(err).toBeInstanceOf(AppleJwsVerifyError);
+      const message = (err as Error).message;
+      expect((err as AppleJwsVerifyError).code).toBe('ANCHOR');
+      // the long base64 cert/jws material must not leak into the message
+      expect(message).not.toContain(chain.x5c[0]!.slice(0, 40));
+      expect(message).not.toContain(chain.jws.split('.')[2]!.slice(0, 20));
+    }
+  });
+});

package/api/tests/integrations/app-store/native-receipt.spec.ts

@@ -0,0 +1,161 @@
+// Unit tests for native StoreKit 1 receipt verification (Phase 3, Path C).
+// fetch is mocked — we never hit Apple. Asserts parity with the evicted
+// node-apple-receipt-verify: hosts, body, sandbox fallback, output shape.
+
+import { verifyAppleReceiptNative } from '../../../src/integrations/app-store/native-receipt';
+
+type Call = { url: string; body: any };
+let calls: Call[] = [];
+
+/** Mock fetch with one response per call (for the production→sandbox retry). */
+function mockFetchSequence(responses: Array<{ ok?: boolean; status: number; json: object }>): void {
+  let i = 0;
+  calls = [];
+  global.fetch = jest.fn(async (url: unknown, init?: unknown) => {
+    const reqInit = init as RequestInit;
+    calls.push({ url: String(url), body: JSON.parse(String(reqInit.body)) });
+    const r = responses[Math.min(i, responses.length - 1)]!;
+    i += 1;
+    return { ok: r.ok ?? true, status: 200, json: async () => r.json } as unknown as Response;
+  }) as unknown as typeof fetch;
+}
+
+const item = (over: Record<string, unknown> = {}) => ({
+  product_id: 'sub_06',
+  transaction_id: 'txn_1',
+  original_transaction_id: 'orig_1',
+  purchase_date_ms: '1700000000000',
+  expires_date_ms: '1800000000000',
+  web_order_line_item_id: 'wo_1',
+  ...over,
+});
+
+const appleOk = (items: object[], bundleId = 'com.example.app') => ({
+  status: 0,
+  receipt: { bundle_id: bundleId, in_app: items },
+  latest_receipt_info: items,
+});
+
+afterEach(() => jest.restoreAllMocks());
+
+describe('verifyAppleReceiptNative — happy path', () => {
+  it('maps Apple latest_receipt_info to the normalized shape (snake→camel, ms→Number)', async () => {
+    mockFetchSequence([{ status: 200, json: appleOk([item()]) }]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(result).toEqual([
+      {
+        productId: 'sub_06',
+        transactionId: 'txn_1',
+        originalTransactionId: 'orig_1',
+        purchaseDate: 1700000000000,
+        expirationDate: 1800000000000,
+        bundleId: 'com.example.app',
+        webOrderLineItemId: 'wo_1',
+      },
+    ]);
+    expect(typeof result[0]!.expirationDate).toBe('number');
+  });
+
+  it('falls back to receipt.in_app when latest_receipt_info is absent', async () => {
+    mockFetchSequence([
+      { status: 200, json: { status: 0, receipt: { bundle_id: 'com.example.app', in_app: [item()] } } },
+    ]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(result[0]!.transactionId).toBe('txn_1');
+  });
+});
+
+describe('verifyAppleReceiptNative — bad input', () => {
+  it('returns [] when both latest_receipt_info and in_app are empty', async () => {
+    mockFetchSequence([{ status: 200, json: { status: 0, receipt: { bundle_id: 'x', in_app: [] } } }]);
+    expect(await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' })).toEqual([]);
+  });
+
+  it('handles a non-numeric expires_date_ms as undefined (no NaN leak)', async () => {
+    mockFetchSequence([{ status: 200, json: appleOk([item({ expires_date_ms: 'not-a-number' })]) }]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(result[0]!.expirationDate).toBeUndefined();
+  });
+});
+
+describe('verifyAppleReceiptNative — security', () => {
+  it('POSTs password + exclude-old-transactions to the production Apple host only', async () => {
+    mockFetchSequence([{ status: 200, json: appleOk([item()]) }]);
+    await verifyAppleReceiptNative({ receipt: 'RECEIPT_B64', sharedSecret: 'sk_secret' });
+    expect(calls).toHaveLength(1);
+    expect(calls[0]!.url).toBe('https://buy.itunes.apple.com/verifyReceipt');
+    expect(calls[0]!.body).toEqual({
+      'receipt-data': 'RECEIPT_B64',
+      password: 'sk_secret',
+      'exclude-old-transactions': true,
+    });
+  });
+
+  it('only ever talks to the two Apple verifyReceipt hosts (no host injection)', async () => {
+    mockFetchSequence([
+      { status: 200, json: { status: 21007 } },
+      { status: 200, json: appleOk([item()]) },
+    ]);
+    await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    const hosts = calls.map((c) => new URL(c.url).host);
+    expect(hosts).toEqual(['buy.itunes.apple.com', 'sandbox.itunes.apple.com']);
+  });
+});
+
+describe('verifyAppleReceiptNative — data loss (sandbox fallback + concurrency)', () => {
+  it.each([21007, 21002])('retries sandbox on status %i and returns the sandbox result', async (prodStatus) => {
+    mockFetchSequence([
+      { status: 200, json: { status: prodStatus } },
+      { status: 200, json: appleOk([item({ transaction_id: 'sandbox_txn' })]) },
+    ]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(calls).toHaveLength(2);
+    expect(calls[1]!.url).toBe('https://sandbox.itunes.apple.com/verifyReceipt');
+    expect(result[0]!.transactionId).toBe('sandbox_txn');
+  });
+
+  it('two concurrent calls with different secrets each POST their OWN secret (no shared state)', async () => {
+    const seen: string[] = [];
+    global.fetch = jest.fn(async (_url: unknown, init?: unknown) => {
+      const body = JSON.parse(String((init as RequestInit).body));
+      seen.push(body.password);
+      return { ok: true, status: 200, json: async () => appleOk([item()]) } as unknown as Response;
+    }) as unknown as typeof fetch;
+    await Promise.all([
+      verifyAppleReceiptNative({ receipt: 'r1', sharedSecret: 'secret_A' }),
+      verifyAppleReceiptNative({ receipt: 'r2', sharedSecret: 'secret_B' }),
+    ]);
+    expect(seen.sort()).toEqual(['secret_A', 'secret_B']);
+  });
+});
+
+describe('verifyAppleReceiptNative — data damage', () => {
+  it('returns all multi-item entries (client.ts picks the latest-expiry one)', async () => {
+    mockFetchSequence([
+      {
+        status: 200,
+        json: appleOk([
+          item({ transaction_id: 'old', expires_date_ms: '1500000000000' }),
+          item({ transaction_id: 'new', expires_date_ms: '1800000000000' }),
+        ]),
+      },
+    ]);
+    const result = await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'sk' });
+    expect(result.map((r) => r.transactionId)).toEqual(['old', 'new']);
+    expect(result.every((r) => typeof r.expirationDate === 'number')).toBe(true);
+  });
+});
+
+describe('verifyAppleReceiptNative — data leak', () => {
+  it('throws on a non-retryable non-zero status with the code but NOT the shared secret', async () => {
+    mockFetchSequence([{ status: 200, json: { status: 21004 } }]);
+    let caught: Error | undefined;
+    try {
+      await verifyAppleReceiptNative({ receipt: 'b64', sharedSecret: 'super_secret_value' });
+    } catch (e) {
+      caught = e as Error;
+    }
+    expect(caught?.message).toMatch(/21004/);
+    expect(caught?.message).not.toContain('super_secret_value');
+  });
+});

package/blocklet.yml

@@ -14,7 +14,7 @@ repository:
   type: git
   url: git+https://github.com/blocklet/payment-kit.git
 specVersion: 1.2.8
-version: 1.29.6
+version: 1.29.7
 logo: logo.png
 files:
   - dist

package/cloudflare/tests/x509-probe.mjs

@@ -0,0 +1,260 @@
+// X509 / crypto probe — runs inside REAL workerd (via miniflare) with the EXACT
+// production CF config (compatibility_date 2024-12-01 + nodejs_compat).
+//
+// Settles the Apple-IAP native-verify plan (intent/apple-iap-native-verify-plan/)
+// AND is the committed regression gate proving the §5 algorithm holds under
+// workerd. Rounds:
+//   Round 1 (baseline): X509Certificate construct/publicKey/verify, node ES256
+//            (DER sig), subtle ECDSA P-256, subtle importKey spki.
+//   Round 2 (§4 prep): the verify-path specifics NOT covered by round 1 —
+//     P1: leafCert.publicKey.export({type:'spki',format:'der'}) in workerd
+//     P2: verify a REAL P1363 (raw r||s) ES256 sig — (a) via crypto.subtle,
+//                                                      (b) via createVerify dsaEncoding:'ieee-p1363'
+//     P3: read an Apple custom extension OID (1.2.840.113635.*) WITHOUT an ASN.1
+//         lib — DER-encode the OID and indexOf() it in cert.raw. (Node's
+//         X509Certificate has NO generic extension-by-OID accessor.)
+//   chain_round (0.2): a synthetic 3-cert chain (root → CA int w/ Apple OID →
+//            leaf w/ Apple OID) — proves §5.4 walk (intermediate.verify(root),
+//            leaf.verify(int)) + §5.5 OID presence on BOTH certs under workerd,
+//            plus a cross-signed leaf that MUST fail leaf.verify(int).
+//            Mirrors api/tests/integrations/app-store/fixtures/make-chain.ts —
+//            keep the two in sync.
+//   pkcs8_sign_round (0.5): importKey('pkcs8') for SIGN + round-trip verify —
+//            de-risks the App Store Server API JWT bearer (Phase 2) BEFORE it is
+//            built. If workerd rejects pkcs8-for-sign, Phase 2 takes Approach J.
+//
+// Vectors are generated at runtime (openssl + node:crypto) so cert validity is
+// always current and the P1363 sig is real.
+//
+// Run:  node cloudflare/tests/x509-probe.mjs    (cwd = blocklets/core)
+import { Miniflare } from 'miniflare';
+import { execSync, execFileSync } from 'node:child_process';
+import { generateKeyPairSync, sign as nodeSign, X509Certificate } from 'node:crypto';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+const LEAF_OID = '1.2.840.113635.100.6.11.1'; // Apple: present on the leaf
+const INT_OID = '1.2.840.113635.100.6.2.1'; // Apple: present on the intermediate (ABSENT from our leaf — negative control)
+const SIGNING_INPUT = 'header.payload';
+
+// DER-encode an OID's *content* octets (no 0x06 tag / length) — enough to scan
+// for inside a cert's DER with indexOf (the content is unique enough).
+function oidContentHex(oid) {
+  const parts = oid.split('.').map(Number);
+  const bytes = [40 * parts[0] + parts[1]];
+  for (let i = 2; i < parts.length; i++) {
+    let v = parts[i];
+    const stack = [v & 0x7f];
+    v = Math.floor(v / 128);
+    while (v > 0) {
+      stack.unshift((v & 0x7f) | 0x80);
+      v = Math.floor(v / 128);
+    }
+    bytes.push(...stack);
+  }
+  return Buffer.from(bytes).toString('hex');
+}
+
+// ---- generate vectors (node side) ----
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'x509-probe-'));
+const keyPath = path.join(dir, 'leaf.key');
+const certPem = path.join(dir, 'leaf.pem');
+const certDer = path.join(dir, 'leaf.der');
+execSync(`openssl ecparam -name prime256v1 -genkey -noout -out ${keyPath}`, { stdio: 'ignore' });
+// self-signed leaf carrying the Apple LEAF extension OID (value = ASN.1 NULL)
+execSync(
+  `openssl req -new -x509 -key ${keyPath} -out ${certPem} -days 3650 -subj "/CN=apple-leaf-probe" -addext "${LEAF_OID}=DER:0500"`,
+  { stdio: 'ignore' }
+);
+execSync(`openssl x509 -in ${certPem} -outform DER -out ${certDer}`, { stdio: 'ignore' });
+
+const certDerB64 = fs.readFileSync(certDer).toString('base64');
+const keyPem = fs.readFileSync(keyPath, 'utf8');
+// REAL P1363 ES256 signature (raw 64-byte r||s — the JWS form), NOT DER.
+const p1363SigB64 = nodeSign('sha256', Buffer.from(SIGNING_INPUT), { key: keyPem, dsaEncoding: 'ieee-p1363' }).toString(
+  'base64'
+);
+
+// ---- chain_round vectors (0.2): synthetic root → CA int (Apple OID) → leaf (Apple OID) ----
+// Mirrors fixtures/make-chain.ts. The cross-signed leaf shares the int's subject
+// DN but is signed by a DIFFERENT key, so leaf.verify(int.publicKey) MUST fail.
+function buildChain() {
+  const d = fs.mkdtempSync(path.join(os.tmpdir(), 'x509-chain-'));
+  const f = (n) => path.join(d, n);
+  const run = (args) => execFileSync('openssl', args, { cwd: d, stdio: ['ignore', 'pipe', 'pipe'] });
+  const key = (n) => run(['ecparam', '-name', 'prime256v1', '-genkey', '-noout', '-out', f(n)]);
+  const SUBJ_INT = '/CN=Probe Apple WWDR Intermediate';
+  try {
+    key('root.key');
+    run(['req', '-new', '-x509', '-key', f('root.key'), '-out', f('root.pem'), '-days', '3650',
+      '-subj', '/CN=Probe Apple Root CA', '-addext', 'basicConstraints=critical,CA:TRUE']);
+    key('int.key');
+    run(['req', '-new', '-key', f('int.key'), '-out', f('int.csr'), '-subj', SUBJ_INT]);
+    fs.writeFileSync(f('int.ext'), `[v3]\nbasicConstraints=critical,CA:TRUE\n${INT_OID}=DER:0500`);
+    run(['x509', '-req', '-in', f('int.csr'), '-CA', f('root.pem'), '-CAkey', f('root.key'), '-CAcreateserial',
+      '-out', f('int.pem'), '-days', '3650', '-extfile', f('int.ext'), '-extensions', 'v3']);
+    key('leaf.key');
+    run(['req', '-new', '-key', f('leaf.key'), '-out', f('leaf.csr'), '-subj', '/CN=Probe Apple Leaf']);
+    fs.writeFileSync(f('leaf.ext'), `[v3]\nbasicConstraints=critical,CA:FALSE\n${LEAF_OID}=DER:0500`);
+    run(['x509', '-req', '-in', f('leaf.csr'), '-CA', f('int.pem'), '-CAkey', f('int.key'), '-CAcreateserial',
+      '-out', f('leaf.pem'), '-days', '3650', '-extfile', f('leaf.ext'), '-extensions', 'v3']);
+    // wrong intermediate: same subject DN, different key
+    key('wrongint.key');
+    run(['req', '-new', '-x509', '-key', f('wrongint.key'), '-out', f('wrongint.pem'), '-days', '3650',
+      '-subj', SUBJ_INT, '-addext', 'basicConstraints=critical,CA:TRUE']);
+    key('crossleaf.key');
+    run(['req', '-new', '-key', f('crossleaf.key'), '-out', f('crossleaf.csr'), '-subj', '/CN=Probe Apple Leaf']);
+    run(['x509', '-req', '-in', f('crossleaf.csr'), '-CA', f('wrongint.pem'), '-CAkey', f('wrongint.key'),
+      '-CAcreateserial', '-out', f('crossleaf.pem'), '-days', '3650', '-extfile', f('leaf.ext'), '-extensions', 'v3']);
+    const der = (n) => Buffer.from(new X509Certificate(fs.readFileSync(f(n))).raw).toString('base64');
+    return { leaf: der('leaf.pem'), int: der('int.pem'), root: der('root.pem'), crossLeaf: der('crossleaf.pem') };
+  } finally {
+    fs.rmSync(d, { recursive: true, force: true });
+  }
+}
+const chain = buildChain();
+
+// ---- pkcs8_sign_round vectors (0.5): EC P-256 pkcs8 (DER) + its spki, for SIGN ----
+const { privateKey: ecPriv, publicKey: ecPub } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
+const pkcs8B64 = ecPriv.export({ type: 'pkcs8', format: 'der' }).toString('base64');
+const spkiSignB64 = ecPub.export({ type: 'spki', format: 'der' }).toString('base64');
+const badPkcs8B64 = Buffer.from('not-a-real-pkcs8-key').toString('base64');
+
+const script = `
+import { X509Certificate, createVerify } from 'node:crypto';
+import { Buffer } from 'node:buffer';
+
+const CERT_DER_B64   = ${JSON.stringify(certDerB64)};
+const P1363_SIG_B64  = ${JSON.stringify(p1363SigB64)};
+const LEAF_OID_HEX   = ${JSON.stringify(oidContentHex(LEAF_OID))};
+const INT_OID_HEX    = ${JSON.stringify(oidContentHex(INT_OID))};
+const MSG = ${JSON.stringify(SIGNING_INPUT)};
+
+// chain_round (0.2)
+const CHAIN = ${JSON.stringify(chain)};
+// pkcs8_sign_round (0.5)
+const PKCS8_B64      = ${JSON.stringify(pkcs8B64)};
+const SPKI_SIGN_B64  = ${JSON.stringify(spkiSignB64)};
+const BAD_PKCS8_B64  = ${JSON.stringify(badPkcs8B64)};
+
+function ok(v){ return { ok: true, ...v }; }
+function err(e){ return { ok: false, error: String(e && e.message || e) }; }
+function hex(buf){ return Buffer.from(buf).toString('hex'); }
+
+export default {
+  async fetch() {
+    const out = {};
+    const cert = new X509Certificate(Buffer.from(CERT_DER_B64, 'base64'));
+
+    // P1 — export leaf public key as SPKI DER (needed to feed crypto.subtle)
+    let spkiDer = null;
+    try {
+      spkiDer = cert.publicKey.export({ type: 'spki', format: 'der' });
+      out.P1_export_spki_der = ok({ bytes: spkiDer.byteLength ?? spkiDer.length });
+    } catch (e) { out.P1_export_spki_der = err(e); }
+
+    // P2a — verify REAL P1363 ES256 sig via crypto.subtle (preferred)
+    try {
+      if (!spkiDer) throw new Error('no spki from P1');
+      const key = await crypto.subtle.importKey(
+        'spki', spkiDer, { name: 'ECDSA', namedCurve: 'P-256' }, false, ['verify']
+      );
+      const valid = await crypto.subtle.verify(
+        { name: 'ECDSA', hash: 'SHA-256' }, key,
+        Buffer.from(P1363_SIG_B64, 'base64'), new TextEncoder().encode(MSG)
+      );
+      out.P2a_subtle_p1363_verify = ok({ valid });
+    } catch (e) { out.P2a_subtle_p1363_verify = err(e); }
+
+    // P2b — verify REAL P1363 sig via node createVerify dsaEncoding:'ieee-p1363' (fallback)
+    try {
+      const v = createVerify('SHA256');
+      v.update(MSG); v.end();
+      const valid = v.verify({ key: cert.publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(P1363_SIG_B64, 'base64'));
+      out.P2b_node_p1363_verify = ok({ valid });
+    } catch (e) { out.P2b_node_p1363_verify = err(e); }
+
+    // P3 — Apple extension-OID presence via indexOf in cert.raw (no ASN.1 lib)
+    try {
+      const rawHex = hex(cert.raw);
+      const leafPresent = rawHex.includes(LEAF_OID_HEX);   // expect TRUE  (we added it)
+      const intPresent  = rawHex.includes(INT_OID_HEX);    // expect FALSE (negative control)
+      // also confirm Node has NO generic extension accessor (documents the gap)
+      const hasGenericExtAccessor =
+        typeof cert.getExtension === 'function' || typeof cert.extensions !== 'undefined';
+      out.P3_oid_scan = ok({
+        rawIsBuffer: cert.raw instanceof Uint8Array,
+        leafOidPresent: leafPresent,
+        intOidPresent: intPresent,
+        hasGenericExtAccessor,
+      });
+    } catch (e) { out.P3_oid_scan = err(e); }
+
+    // chain_round (0.2) — full §5.4 walk + §5.5 OID presence on a 3-cert chain
+    try {
+      const leaf = new X509Certificate(Buffer.from(CHAIN.leaf, 'base64'));
+      const intermediate = new X509Certificate(Buffer.from(CHAIN.int, 'base64'));
+      const root = new X509Certificate(Buffer.from(CHAIN.root, 'base64'));
+      const crossLeaf = new X509Certificate(Buffer.from(CHAIN.crossLeaf, 'base64'));
+      out.chain_round = ok({
+        intVerifiesRoot: intermediate.verify(root.publicKey),
+        leafVerifiesInt: leaf.verify(intermediate.publicKey),
+        leafOidPresent: hex(leaf.raw).includes(LEAF_OID_HEX),
+        intOidPresent: hex(intermediate.raw).includes(INT_OID_HEX),
+        intIsCa: intermediate.ca === true,
+        crossSignedLeafVerifies: crossLeaf.verify(intermediate.publicKey), // expect FALSE
+      });
+    } catch (e) { out.chain_round = err(e); }
+
+    // pkcs8_sign_round (0.5) — importKey('pkcs8') for SIGN + round-trip verify
+    try {
+      const signKey = await crypto.subtle.importKey(
+        'pkcs8', Buffer.from(PKCS8_B64, 'base64'), { name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign']
+      );
+      const sig = await crypto.subtle.sign(
+        { name: 'ECDSA', hash: 'SHA-256' }, signKey, new TextEncoder().encode(MSG)
+      );
+      const verifyKey = await crypto.subtle.importKey(
+        'spki', Buffer.from(SPKI_SIGN_B64, 'base64'), { name: 'ECDSA', namedCurve: 'P-256' }, false, ['verify']
+      );
+      const roundTripVerifyOk = await crypto.subtle.verify(
+        { name: 'ECDSA', hash: 'SHA-256' }, verifyKey, sig, new TextEncoder().encode(MSG)
+      );
+      // negative control: a malformed pkcs8 must surface as importPkcs8Ok:false, not a silent unsigned key
+      let importBadOk = true;
+      try {
+        await crypto.subtle.importKey(
+          'pkcs8', Buffer.from(BAD_PKCS8_B64, 'base64'), { name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign']
+        );
+      } catch { importBadOk = false; }
+      out.pkcs8_sign_round = ok({
+        importPkcs8Ok: true,
+        signOk: sig.byteLength > 0,
+        roundTripVerifyOk,
+        malformedPkcs8Rejected: importBadOk === false,
+      });
+    } catch (e) { out.pkcs8_sign_round = err(e); }
+
+    return new Response(JSON.stringify(out, null, 2), { headers: { 'content-type': 'application/json' } });
+  }
+};
+`;
+
+const mf = new Miniflare({
+  modules: true,
+  script,
+  compatibilityDate: '2024-12-01',
+  compatibilityFlags: ['nodejs_compat'],
+});
+
+try {
+  const res = await mf.dispatchFetch('http://localhost/');
+  console.log(await res.text());
+} catch (e) {
+  console.error('PROBE FAILED TO RUN:', e);
+  process.exitCode = 1;
+} finally {
+  await mf.dispose();
+  fs.rmSync(dir, { recursive: true, force: true });
+}