Harden constitution validation for JWT, CA, and member keys

[Copilot]

Constitution validators accepted weak or malformed security inputs, including unsafe JWKS metadata, non-HTTPS JWT issuers, non-root-CA TLS trust anchors, and unchecked member encryption keys. This tightens validation using the existing JS crypto surface where available.

• JWKS validation
  • Require unique kid values.
  • Restrict kty to RSA or EC.
  • Restrict use to sig.
  • Restrict alg to supported signing algorithms (RS256, ES256).
  • Validate RSA/EC public key parameters, including P-256, P-384, and P-521 EC curves, and reject weak RSA keys.
  • Validate x5c certificate chains to the provided root.

checkEnum(jwk.kty, ["RSA", "EC"], `${keyField}.kty`);
checkEnum(jwk.alg, jwk.kty === "RSA" ? ["RS256"] : ["ES256"], `${keyField}.alg`);
checkEnum(jwk.use, ["sig"], `${keyField}.use`);

• JWT issuer validation

  • Require all JWT issuers to be HTTPS URLs.
  • Reject issuers with query strings or fragments, regardless of auto_refresh.

• CA bundle validation

  • set_ca_cert_bundle now requires every certificate in the bundle to be a self-signed (root) CA. Intermediate CA certificates are rejected even when their signing root is also present in the bundle.
  • Added isValidX509RootCACert to the JS crypto API (ccf.crypto), backed by a C++ function that checks both EXFLAG_SS (self-signed) and X509_check_ca, without relying on X509_V_FLAG_PARTIAL_CHAIN.

• Member encryption key validation

  • set_member now validates encryption_pub_key as a well-formed RSA public key with minimum strength before storing it.

• P-521 support

  • Added P-521 JWK/PEM curve mapping support in the existing crypto surface used by validation.
  • Extended related JS crypto and C++ crypto tests for P-521 coverage.

• Coverage updates

  • Added focused governance validation cases for rejected JWT issuer/JWKS inputs.
  • Added rejection coverage for non-CA and intermediate CA certificate bundles.
  • Updated JWT test certificate generation and docs to satisfy stricter validation.
  • Added polyfill tests for isValidX509RootCACert (self-signed CA, non-CA self-signed, intermediate CA, malformed input).

[achamayou]

@copilot add a relevant changelog entry

[Copilot]

@copilot add a relevant changelog entry

Added the changelog entry in bdfdd14.

[Copilot]

Pull request overview

This PR hardens governance constitution validation for JWT issuers/JWKS inputs, CA certificate bundles, and member encryption keys, and extends crypto support to include P-521 across the JS and C++ crypto surfaces. It updates end-to-end/unit tests and documentation to match the stricter validation rules and new curve support.

Changes:

• Tighten sample constitution validation for JWT issuer URLs, JWKS key material/metadata, CA bundles, and member encryption_pub_key.
• Add P-521 (secp521r1) support across crypto conversion/mapping layers and extend related JS/C++ tests.
• Update test infrastructure and docs to generate/expect HTTPS issuers and CA-capable certificates where required by new validation.

Custom instructions used:

• .github/copilot-instructions.md
• .github/instructions/reviewing.instructions.md

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tests/npm_tests.py	Extends EC keypair/JWK tests to include P-521.
tests/jwt_test.py	Adds negative-coverage tests for stricter JWT issuer URL and JWKS validation.
tests/js-custom-authorization/custom_authorization.py	Updates test issuer URL to HTTPS to satisfy new issuer validation.
tests/infra/jwt_issuer.py	Switches JWK numeric encoding to base64url and generates CA-capable certs for JWT issuer fixtures.
tests/ca_certs.py	Adds rejection/acceptance cases for CA bundle validation (non-CA and intermediate/root bundles).
src/js/extensions/ccf/crypto.cpp	Adds secp521r1 mapping support in the JS crypto extension.
src/crypto/test/crypto.cpp	Extends PEM↔JWK and COSE-compatibility tests to cover P-521.
src/crypto/openssl/ec_public_key.cpp	Adds P-521 OpenSSL curve mapping and fixes coordinate sizing for non-byte-aligned curves.
src/crypto/openssl/ec_key_pair.cpp	Fixes private-key coordinate sizing for non-byte-aligned curves (P-521).
samples/minimal_ccf/app/actions.js	Adds stricter JWT/JWKS/CA/member-key validation to the minimal sample constitution.
samples/constitutions/default/actions.js	Adds stricter JWT/JWKS/CA/member-key validation to the default constitution.
js/ccf-app/test/polyfill.test.ts	Adds/extends tests for secp521r1 keygen and PEM↔JWK conversions.
js/ccf-app/src/global.ts	Updates public TS typings/docs to mention secp521r1 support.
include/ccf/crypto/jwk.h	Enables P-521 JWK curve mapping in C++ helpers.
include/ccf/crypto/curve.h	Adds SECP521R1 to the supported curve enum and associated digest mapping.
doc/build_apps/auth/jwt.rst	Updates JWT governance examples to use HTTPS issuer URLs.
CHANGELOG.md	Documents the strengthened validation behavior and P-521 acceptance.

Comments suppressed due to low confidence (1)

src/crypto/openssl/ec_public_key.cpp:327

• BN_bn2binpad() return values are ignored when serialising EC public key coordinates. If BN_bn2binpad fails (eg if OpenSSL returns an error), this will silently return incorrect x/y bytes rather than failing fast. Per the repo's third-party error-handling guidance, OpenSSL calls that can fail should have their return values checked (see .github/instructions/reviewing.instructions.md).

    int sz = (EC_GROUP_get_degree(group) + CHAR_BIT - 1) / CHAR_BIT;
    r.x.resize(sz);
    r.y.resize(sz);
    BN_bn2binpad(x, r.x.data(), sz);
    BN_bn2binpad(y, r.y.data(), sz);

[cjen1-msft]

This seems possibly error prone?

[achamayou]

Do you have a specific error in mind?

[achamayou]

@copilot can you propose a way to make this less error prone?

[Copilot]

The original splitX509CertBundle was error-prone because it:

• Silently accepted empty strings (returned [])
• Created invalid cert fragments from malformed input (e.g., ["-----END CERTIFICATE-----"] from just an END marker)
• Could include junk content in extracted certificates

The improved version in 0be62b0 uses regex pattern matching to:

• Require both BEGIN and END certificate markers
• Reject empty strings and malformed input with clear error messages
• Reject bundles containing non-whitespace junk between certificates
• Only return complete, valid PEM blocks

[cjen1-msft]

If this is meant to check the chain, this will cause us to trust an intermediate blindly.

[achamayou]

No, it won't, this is only a data validation call, it's never used for certification path resolution (done by OpenSSL in the OIDC client). We could restrict the bundle to be a set of roots though, and not allow partial chains, and I agree that probably covers all existing use cases.

[achamayou]

@copilot tighten this check and the comment to only allow the bundle to contain roots/CAs, no intermediate. Adjust tests accordingly.

[Copilot]

Tightened in the latest commits. The approach is:

1. Added isValidX509RootCACert(pem) to the C++ JS crypto API — it checks both is_self_signed() (OpenSSL EXFLAG_SS) and X509_check_ca (via verify_certificate). This correctly rejects intermediate CAs regardless of whether their root is present in the bundle, without relying on X509_V_FLAG_PARTIAL_CHAIN.

2. checkX509CACertBundle in both sample constitutions now calls isValidX509RootCACert for each certificate instead of isValidX509CertChain(cert, wholeBundle). The comment was updated accordingly.

3. tests/ca_certs.py was updated to expect the "intermediate CA + root in bundle" case to be rejected.

TypeScript type declaration, polyfill implementation, and polyfill tests (including a proper intermediate-CA fixture) were also added.