High severity7.5NVD Advisory· Published Apr 9, 2026· Updated Apr 30, 2026
CVE-2026-40069
CVE-2026-40069
Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.
Affected products
1Patches
14992e8a265fdMerge pull request #306 from sgbett/fix/305-security-hotfixes
14 files changed · +1118 −69
bsv-wallet.gemspec+9 −1 modified@@ -25,5 +25,13 @@ Gem::Specification.new do |spec| spec.require_paths = ['lib'] spec.add_dependency 'base64', '~> 0.2' - spec.add_dependency 'bsv-sdk', '~> 0.4' + + # bsv-wallet and bsv-sdk are released in lockstep from the same + # repository. The `~> 0.4` constraint this replaces was stale — it + # allowed bsv-sdk 0.4.x–0.9.x, but wallet hasn't been tested against + # anything below current (0.8.x) in months. Pinning the floor at + # 0.8.2 ensures consumers installing bsv-wallet 0.3.4 (which ships + # the F8.15 security fix for issue #305) also pick up the F1.3 + # and F5.13 bsv-sdk security fixes that ship together with it. + spec.add_dependency 'bsv-sdk', '>= 0.8.2', '< 1.0' end
.claude/plans/20260408-v090-compliance-rollout.md+98 −47 modified@@ -1,20 +1,30 @@ -# Plan: 0.9.0 Compliance Review Rollout +# Plan: Compliance Review Rollout (bsv-sdk 0.9.0 + bsv-wallet 0.4.0) **Review**: [`.architecture/reviews/20260408-cross-sdk-compliance-review.md`](../../.architecture/reviews/20260408-cross-sdk-compliance-review.md) -**Target release**: 0.9.0 (major correctness release) -**Previous release**: 0.8.2 (A1 security hotfixes, HLR sgbett/bsv-ruby-sdk#305) -**Next release**: 0.10.0 (Chronicle implementation — separate plan) +**Target releases**: **bsv-sdk 0.9.0** and **bsv-wallet 0.4.0** (paired major correctness release) +**Previous releases**: **bsv-sdk 0.8.2** and **bsv-wallet 0.3.4** (A1 security hotfixes, HLR sgbett/bsv-ruby-sdk#305) +**Next release**: **bsv-sdk 0.10.0** (Chronicle implementation — separate plan, no bsv-wallet bump expected) + +## Repository layout note + +This repository ships three gems from one tree with independent versioning: + +- **bsv-sdk** — declarative SDK. Files under `lib/bsv/{primitives,script,transaction,network,wallet,auth,overlay,identity,registry}/`. Current: 0.8.1 → 0.8.2 (A1) → 0.9.0 (most of this plan). +- **bsv-wallet** — BRC-100 wallet interface. Files under `lib/bsv/wallet_interface/`. Current: 0.3.3 → 0.3.4 (A1 F8.15) → 0.4.0 (A7 wallet-layer items). Depends on bsv-sdk. +- **bsv-attest** — attestation workflow. Not touched by this plan; deferred to Tier B per F8.25. + +Findings in this plan are **labelled by target gem**. A single cluster (A7) straddles both gems because it collects scattered defensive fixes; its HLR / PR will land in lockstep with paired release commits. ## Context The 2026-04-08 cross-SDK compliance review surfaced 137 findings across 8 phases. After the 10-member project team quorum vote, 54 reached CONSENSUS and 15 more were near-consensus (blocked only by Pragmatic Enforcer's solo YAGNI dissent on Phase 8 architectural items). -**Three-release strategy** agreed by user and Implementation Strategist: +**Paired-release strategy** agreed by user and Implementation Strategist: -- **0.8.2** — A1 security hotfixes (HLR sgbett/bsv-ruby-sdk#305). Backportable patch. Ships first, not bundled with refactors. -- **0.9.0** — This plan. Everything else from Tier A (non-Chronicle correctness) plus the cross-SDK conformance test suite (C1). -- **0.10.0** — Chronicle implementation (F7.1/F7.2 full semantics with reference vectors). Separate plan. -- **1.0.0 / future** — Tier B Phase 8 wallet/auth architectural epic, pending `bsv-wallet` boundary ADR. +- **bsv-sdk 0.8.2 + bsv-wallet 0.3.4** — A1 security hotfixes (HLR sgbett/bsv-ruby-sdk#305, PR #306). Backportable patch. Must ship together: bsv-wallet depends on the bsv-sdk fixes and bsv-wallet.gemspec has been tightened to `>= 0.8.2`. +- **bsv-sdk 0.9.0 + bsv-wallet 0.4.0** — This plan. Everything else from Tier A (non-Chronicle correctness) plus the cross-SDK conformance test suite (C1). Paired release because A7 straddles both gems; rest of the plan is bsv-sdk-only, but shipping the bsv-wallet bump in lockstep avoids a stale-dependency trap. +- **bsv-sdk 0.10.0** — Chronicle implementation (F7.1/F7.2 full semantics with reference vectors). Separate plan. No bsv-wallet bump expected unless P305.1 or other wallet-layer items slip into that window. +- **bsv-sdk 1.0.0 + bsv-wallet 1.0.0 / future** — Tier B Phase 8 wallet/auth architectural epic, pending `bsv-wallet` boundary ADR. This is where most of the remaining bsv-wallet work lives. The goal of 0.9.0 is to convert the letter-vs-spirit cluster into letter-matches-spirit. The meta-fix (C1 conformance suite) enables confident execution of the rest by providing authoritative cross-SDK vectors as the regression net. @@ -26,20 +36,22 @@ Impact on 0.9: 5 trivial changes (promote `OP_SUBSTR`/`OP_LEFT`/`OP_RIGHT`/`OP_L ## Cluster overview (HLRs to create) -0.9.0 contains **eight separate HLRs**, sequenced for dependency safety. Each HLR maps to one cluster from the review's Tier A plus C1: +0.9.0 contains **eight separate HLRs**, sequenced for dependency safety. Each HLR maps to one cluster from the review's Tier A plus C1. The **Gem** column indicates which gem(s) the cluster affects. -| HLR | Cluster | Scope | Blocks | Blocked by | -|---|---|---|---|---| -| TBD — C1 | Conformance suite | Cross-SDK vector loader + fixture infrastructure | A3, A5, A6 regression tests | — | -| TBD — A2 | Foundation correctness | F4.2, F1.8, F1.5 | A5 (hex), possibly A3 | — | -| TBD — A3 | BEEF cluster (single PR) | F5.1 → F5.2/F5.4/F5.5/F5.6/F5.7/F5.8/F5.9/F5.10/F5.12/F5.3/F5.20 | — | C1, A2 (for hex module if touched) | -| TBD — A4 | Crypto hardening | F2.1, F2.3, F2.2, F2.4, F2.9 | — | — (parallel with A3) | -| TBD — A5 | Parser correctness | F3.1, F3.2, F3.3, F3.4, F3.5, F3.6, F3.10, F3.12, F3.14/F3.21, F3.16 | — | A2 (F1.5 hex module blocks F3.5) | -| TBD — A6 | Interpreter hardening + Chronicle fail-safe | F7.8, F7.9, F7.10, F7.11, F7.16, F7.18, F7.19, F7.1/F7.2 (raise first) | — | — (parallel with A3/A5) | -| TBD — A7 | Defensive bits (catch-all) | F4.1, F4.3, F4.4, F4.9, F8.7, F8.8, F8.10, F8.14, F8.18 | — | — | +| HLR | Cluster | Gem | Scope | Blocks | Blocked by | +|---|---|---|---|---|---| +| TBD — C1 | Conformance suite | bsv-sdk | Cross-SDK vector loader + fixture infrastructure | A3, A5, A6 regression tests | — | +| TBD — A2 | Foundation correctness | bsv-sdk | F4.2, F1.8, F1.5 | A5 (hex), possibly A3 | — | +| TBD — A3 | BEEF cluster (single PR) | bsv-sdk | F5.1 → F5.2/F5.4/F5.5/F5.6/F5.7/F5.8/F5.9/F5.10/F5.12/F5.3/F5.20 | — | C1, A2 (for hex module if touched) | +| TBD — A4 | Crypto hardening | bsv-sdk | F2.1, F2.3, F2.2, F2.4, F2.9 | — | — (parallel with A3) | +| TBD — A5 | Parser correctness | bsv-sdk | F3.1, F3.2, F3.3, F3.4, F3.5, F3.6, F3.10, F3.12, F3.14/F3.21, F3.16 | — | A2 (F1.5 hex module blocks F3.5) | +| TBD — A6 | Interpreter hardening + Chronicle fail-safe | bsv-sdk | F7.8, F7.9, F7.10, F7.11, F7.16, F7.18, F7.19, F7.1/F7.2 (raise first) | — | — (parallel with A3/A5) | +| TBD — A7 | Defensive bits (catch-all) | **both** | bsv-sdk: F4.1, F4.3, F4.4, F4.9; bsv-wallet: F8.7, F8.8, F8.10, F8.14, F8.18, P305.1 | — | — | HLR numbers will be assigned as they are created. This plan updates as each is opened. +**A7 is the only cluster that straddles both gems.** Its PR will likely need to be split into two commits (or two PRs) so the bsv-sdk and bsv-wallet changes can ship in paired release commits. Alternative: one PR with the split preserved at commit granularity, release commits reference both. + ## Sequencing within 0.9.0 Dependencies inside the cluster graph: @@ -166,21 +178,24 @@ Depends on A2 F1.5 (hex module). Parser-centric cluster, all in `lib/bsv/script/ | F7.19 | LOW | `interpreter.rb:271-273` | Conditional-depth counter (e.g. 256 levels). Depends on F7.18. | | **F7.1/F7.2 raise-first** | HIGH | `interpreter.rb:168-172,179-182`, `operations/flow_control.rb:76-92` | Promote Chronicle-slot opcodes (`OP_SUBSTR`, `OP_LEFT`, `OP_RIGHT`, `OP_LSHIFTNUM`, `OP_RSHIFTNUM`, `OP_VER`, `OP_VERIF`, `OP_VERNOTIF`) from silent no-op/reserved → `raise InterpreterError::UnimplementedOpcode`. Full semantics deferred to 0.10. CHANGELOG note pointing at 0.10 for full support. | -### A7 — Defensive bits (catch-all) +### A7 — Defensive bits (catch-all) — **bsv-sdk + bsv-wallet** -Small individually, none block anything. Can land as a single catch-all PR or ride along with adjacent HLRs. +Small individually, none block anything. This cluster straddles both gems — the bsv-sdk bits can land in a pure-sdk PR, the bsv-wallet bits in a pure-wallet PR, or both together with the split preserved at commit granularity for a paired release. -| Finding | Severity | Location | Summary | -|---|---|---|---| -| F4.1 | HIGH | `transaction.rb:789-791` | Change distribution drops outputs on `available <= n` instead of `change <= 0`; match TS. | -| F4.3 | MED | `transaction.rb:608-617` | `estimated_size` silent fallback to 148-byte P2PKH; raise matching TS/Go. | -| F4.4 | MED | `transaction.rb:576-581` | `total_input_satoshis` fallback through `source_transaction.outputs[index].satoshis`. | -| F4.9 | LOW | `transaction.rb:458-489` | `Transaction#sign` doesn't validate outputs have satoshis. Guard raising on nil. | -| F8.7 | MED | `wallet_interface/validators.rb:29` | Lowercase-and-trim protocol ID before validation (silent key-derivation fork). | -| F8.8 | LOW | `wallet_interface/validators.rb:32-33,71-73` | Move permission rules out of `Validators`. | -| F8.10 | LOW | `lib/bsv/wallet_interface.rb` | Namespace cleanup: delete empty `BSV::WalletInterface` shell. Legacy `BSV::Wallet::Wallet` extraction deferred to Tier B. | -| F8.14 | HIGH | `wallet_interface/wallet_client.rb:711-729` | `internalize_action` must verify BEEF merkle proofs against block headers before storing. | -| F8.18 | LOW | `wallet_interface/wallet_client.rb:545-559` | `wire_source_tx_ancestors` unbounded recursion. Add depth cap and cycle detection. | +| Finding | Gem | Severity | Location | Summary | +|---|---|---|---|---| +| F4.1 | bsv-sdk | HIGH | `transaction.rb:789-791` | Change distribution drops outputs on `available <= n` instead of `change <= 0`; match TS. | +| F4.3 | bsv-sdk | MED | `transaction.rb:608-617` | `estimated_size` silent fallback to 148-byte P2PKH; raise matching TS/Go. | +| F4.4 | bsv-sdk | MED | `transaction.rb:576-581` | `total_input_satoshis` fallback through `source_transaction.outputs[index].satoshis`. | +| F4.9 | bsv-sdk | LOW | `transaction.rb:458-489` | `Transaction#sign` doesn't validate outputs have satoshis. Guard raising on nil. | +| F8.7 | bsv-wallet | MED | `wallet_interface/validators.rb:29` | Lowercase-and-trim protocol ID before validation (silent key-derivation fork). | +| F8.8 | bsv-wallet | LOW | `wallet_interface/validators.rb:32-33,71-73` | Move permission rules out of `Validators`. | +| F8.10 | bsv-wallet | LOW | `lib/bsv/wallet_interface.rb` | Namespace cleanup: delete empty `BSV::WalletInterface` shell. Legacy `BSV::Wallet::Wallet` extraction deferred to Tier B. | +| F8.14 | bsv-wallet | HIGH | `wallet_interface/wallet_client.rb:711-729` | `internalize_action` must verify BEEF merkle proofs against block headers before storing. | +| F8.18 | bsv-wallet | LOW | `wallet_interface/wallet_client.rb:545-559` | `wire_source_tx_ancestors` unbounded recursion. Add depth cap and cycle detection. | +| **P305.1** | bsv-wallet | MED | `wallet_interface/proto_wallet.rb:144` | `ProtoWallet#create_signature` defaults `counterparty: 'self'`; TS defaults to `'anyone'` (see `ts-sdk/src/wallet/ProtoWallet.ts:259`). Silent cross-SDK divergence: Ruby and TS consumers calling `create_signature` without an explicit counterparty get signatures that don't verify against each other. Surfaced during #305 implementation while writing BRC-52 certificate tests (the correct BRC-52 sign path requires `counterparty: 'anyone'`, which Ruby users must pass explicitly). Fix: change Ruby's default to `'anyone'` to match TS. Breaking change for any Ruby consumer relying on the `'self'` default, so must ship with a release note. Only affects `create_signature` (TS's `verify_signature`, `encrypt`, `decrypt`, etc. all default to `'self'` on both sides). | + +**A7 split by gem**: bsv-sdk side is 4 findings (F4.1, F4.3, F4.4, F4.9). bsv-wallet side is 6 findings (F8.7, F8.8, F8.10, F8.14, F8.18, P305.1). ## Explicitly deferred from 0.9.0 @@ -202,7 +217,7 @@ Note: 0.9.0 ships the "raise first" fail-safe for all eight opcodes via A6. 0.10 - **F8.11** — WireFormat translator (snake↔camel at JSON boundaries) - **F8.12** — `listActions` / `listOutputs` include-flag honouring - **F8.13** — `sendWith` / `noSend` / batch broadcast model -- **F8.16** — `acquire_certificate` issuance via BRC-104 AuthFetch +- **F8.16** — `acquire_certificate` issuance via BRC-104 AuthFetch. **Partially closed in #305**: the "no signature verification on the issuance path" aspect (noted in F8.16 as "Same issue as F8.15") was fixed as a side effect of the F8.15 hotfix, since both `acquire_via_direct` and `acquire_via_issuance` now call `CertificateSignature.verify!`. What remains in Tier B is the transport switch from ad-hoc JSON POST to BRC-104 AuthFetch with BRC-103-signed requests against the certifier's identity key. - **F8.25** — `BSV::Attest` extraction to `bsv-attest` companion gem ### Backlog (no action, documented in review) @@ -211,9 +226,10 @@ Note: 0.9.0 ships the "raise first" fail-safe for all eight opcodes via A6. 0.10 - The 4 controversial findings resolved as "defer" (F2.5, F2.8, F6.1, F8.19 — all cross-SDK coordination items) - The 1 controversial finding resolved as "don't fix" (F7.6 — `findAndDelete` is dead code under FORKID-only sighash per Cryptography Specialist) -## Release criteria for 0.9.0 +## Release criteria -- [ ] C1, A2, A3, A4, A5, A6, A7 HLRs all closed +### bsv-sdk 0.9.0 +- [ ] C1, A2, A3, A4, A5, A6, and bsv-sdk side of A7 HLRs all closed - [ ] Full test suite green on Ruby 2.7, 3.0, 3.1, 3.2, 3.3, 3.4 - [ ] Conformance vector suite green (cross-SDK BEEF/sighash/BRC-42 vectors) - [ ] RuboCop clean @@ -226,25 +242,60 @@ Note: 0.9.0 ships the "raise first" fail-safe for all eight opcodes via A6. 0.10 - F7.1/F7.2 raise-first — breaking change for any caller running Chronicle opcodes through the interpreter; advertise 0.10 as the implementation target - [ ] Release notes prominently reference the 2026-04-08 compliance review document +### bsv-wallet 0.4.0 (ships paired with bsv-sdk 0.9.0) +- [ ] bsv-wallet side of A7 HLR closed (F8.7, F8.8, F8.10, F8.14, F8.18, P305.1) +- [ ] Full test suite green (same Ruby matrix) +- [ ] RuboCop clean +- [ ] CHANGELOG entry under `wallet-0.4.0` covering every finding ID addressed +- [ ] CHANGELOG migration notes for: + - P305.1 (ProtoWallet `create_signature` default counterparty changed from `'self'` → `'anyone'` — breaking change for any Ruby caller relying on the old default) + - F8.14 (internalize_action now rejects BEEFs without verifiable merkle paths — breaking change for callers feeding unverified BEEFs) + - F8.10 (`BSV::WalletInterface` namespace shell removed; the legacy `BSV::Wallet::Wallet` class is untouched until Tier B) +- [ ] bsv-wallet.gemspec bsv-sdk dependency tightened to `>= 0.9.0, < 1.0` +- [ ] Release notes cross-reference the bsv-sdk 0.9.0 release + +## Post-review addenda (findings surfaced during implementation) + +Items discovered while implementing the review's findings. Numbered `P<hlr>.<n>` to distinguish from phase-review findings. Added to the relevant cluster above with the cross-reference below. + +### P305.1 — `ProtoWallet#create_signature` counterparty default divergence + +- **Surfaced during**: sgbett/bsv-ruby-sdk#305 (F8.15 BRC-52 certificate verification) +- **Severity**: MED +- **Location**: `lib/bsv/wallet_interface/proto_wallet.rb:144` +- **Cluster**: A7 (defensive bits) +- **Description**: Ruby's `ProtoWallet#create_signature` defaults `counterparty` to `'self'`. TypeScript's `ProtoWallet.createSignature` defaults to `'anyone'` (`ts-sdk/src/wallet/ProtoWallet.ts:259`). This is a silent cross-SDK divergence: identical call sites without an explicit counterparty get signatures that cannot cross-verify between Ruby and TS. BRC-52 certificate signing specifically requires `counterparty: 'anyone'` — the review's implementation of F8.15 had to make this explicit in every certificate test to get signatures that verify against TS's canonical `counterparty: certifier_hex` path. It's the same letter-vs-spirit pattern: Ruby's self-tests pass because they sign and verify in the same SDK, but any cross-SDK flow that relies on the default diverges. +- **Note**: only `createSignature` has this default; TS's `verify_signature`, `encrypt`, `decrypt`, `create_hmac`, and `verify_hmac` all default to `'self'` on both sides. The asymmetry is intentional in TS (signatures are usually verified by others; encryption/HMAC are usually self-to-self), and Ruby should mirror it. +- **Fix**: change Ruby's default to `'anyone'` in `create_signature`. Breaking change for any Ruby consumer relying on the `'self'` default — add a release note. +- **Scheduled**: A7 (see the cluster table above) + +### F8.16 partial closure — issuance-path signature verification + +- **Closed by**: sgbett/bsv-ruby-sdk#305 (F8.15 fix) +- **Original description**: F8.16 noted two issues with `acquire_via_issuance` — (a) ad-hoc HTTP POST instead of BRC-104 AuthFetch, (b) "doesn't verify the returned signature before storing, same issue as F8.15" +- **What #305 closed**: aspect (b). Both `acquire_via_direct` and `acquire_via_issuance` now call `BSV::Wallet::CertificateSignature.verify!` before persisting, so a certifier that returns an invalid signature to the issuance HTTP endpoint is rejected with the same `InvalidError` as a tampered direct certificate. +- **What remains in Tier B**: aspect (a). The HTTP transport for the issuance path is still an ad-hoc JSON POST rather than BRC-104 AuthFetch with BRC-103-signed requests against the certifier's identity key. This is a transport-layer concern deferred with the rest of F8.2/F8.3/F8.6 until the Phase 8 architectural epic. + ## Open questions to resolve as HLRs are written 1. **C1 vector sync strategy**: vendor vectors in-repo (static snapshot) vs git-submodule reference SDKs (live sync)? Recommend static snapshot with documented sync procedure — submodules complicate CI and aren't worth it for a regression test suite. 2. **F5.1 byte-order convention**: pick TS's (display-hex in memory, wire-internal-order on the wire) or a different convention? Recommend TS's. Document in `BeefTx` class doc. 3. **F2.1 constant-time implementation**: pure-Ruby Montgomery ladder (matches secp256k1 precedent) or extract to a C extension? Recommend pure-Ruby for consistency — benchmark will reveal if it's unacceptable. -4. **A7 PR strategy**: one big catch-all PR or scatter fixes into the other HLRs' PRs as they touch adjacent code? Recommend scatter — most A7 findings naturally belong next to an A3/A4/A5/A6 fix. -5. **F8.14 BEEF header verification**: should this live in `internalize_action` or in `Beef#verify` (from F5.3 in A3)? Probably `Beef#verify` with `internalize_action` calling it. Clarify in the A3 HLR. +4. **A7 PR strategy**: one big catch-all PR or scatter fixes into the other HLRs' PRs as they touch adjacent code? Recommend scatter for bsv-sdk findings (F4.1/F4.3/F4.4/F4.9 naturally belong next to A3/A4 fixes). bsv-wallet findings (F8.x + P305.1) stay grouped because they require a paired bsv-wallet release anyway. +5. **F8.14 BEEF header verification**: should this live in `internalize_action` or in `Beef#verify` (from F5.3 in A3)? Probably `Beef#verify` with `internalize_action` calling it. Clarify in the A3 HLR. Note that this creates a cross-gem dependency: `Beef#verify` is bsv-sdk, `internalize_action` consuming it is bsv-wallet, which means A3 must land before the A7 bsv-wallet bits. ## Status -| Step | Status | Notes | -|---|---|---| -| Plan written | ✅ | this document | -| C1 HLR | pending | open next | -| A2 HLR | pending | after C1 | -| A3 HLR | pending | after A2 F1.5 | -| A4 HLR | pending | parallel with A3 | -| A5 HLR | pending | after A2 F1.5 | -| A6 HLR | pending | parallel with A3/A4/A5 | -| A7 HLR | pending | opportunistic | +| Step | Gem(s) | Status | Notes | +|---|---|---|---| +| Plan written | — | ✅ | this document | +| **A1 HLR (bsv-sdk 0.8.2 + bsv-wallet 0.3.4)** | both | ✅ | #305 / PR #306 — F1.3 + F5.13 (bsv-sdk), F8.15 (bsv-wallet); F8.16 verification aspect closed as side effect; P305.1 surfaced; bsv-wallet.gemspec bsv-sdk dep tightened to `>= 0.8.2` | +| C1 HLR | bsv-sdk | pending | open next | +| A2 HLR | bsv-sdk | pending | after C1 | +| A3 HLR | bsv-sdk | pending | after A2 F1.5 | +| A4 HLR | bsv-sdk | pending | parallel with A3 | +| A5 HLR | bsv-sdk | pending | after A2 F1.5 | +| A6 HLR | bsv-sdk | pending | parallel with A3/A4/A5 | +| A7 HLR | both | pending | opportunistic; bsv-sdk bits (F4.x) and bsv-wallet bits (F8.x + P305.1) to be split at PR / commit granularity | HLR numbers populated in the **Cluster overview** table at the top of this document as each is opened.
lib/bsv/network/arc.rb+83 −11 modified@@ -3,6 +3,7 @@ require 'net/http' require 'json' require 'uri' +require 'securerandom' module BSV module Network @@ -14,31 +15,67 @@ module Network # The HTTP client is injectable for testability. It must respond to # #request(uri, request) and return an object with #code and #body. class ARC - REJECTED_STATUSES = %w[REJECTED DOUBLE_SPEND_ATTEMPTED].freeze - - def initialize(url, api_key: nil, http_client: nil) + # ARC response statuses that indicate the transaction was NOT accepted. + # Matches the TypeScript SDK's ARC broadcaster failure set (issue #305, + # finding F5.13). Prior to this fix, Ruby only recognised REJECTED and + # DOUBLE_SPEND_ATTEMPTED, silently treating INVALID / MALFORMED / + # MINED_IN_STALE_BLOCK responses as successful broadcasts. + REJECTED_STATUSES = %w[ + REJECTED + DOUBLE_SPEND_ATTEMPTED + INVALID + MALFORMED + MINED_IN_STALE_BLOCK + ].freeze + + # Substring match for orphan detection in txStatus or extraInfo fields. + ORPHAN_MARKER = 'ORPHAN' + + # @param url [String] ARC base URL (without trailing slash) + # @param api_key [String, nil] optional bearer token for Authorization + # @param deployment_id [String, nil] optional deployment identifier for + # the +XDeployment-ID+ header; defaults to a per-instance random value + # @param callback_url [String, nil] optional +X-CallbackUrl+ for ARC + # status callbacks + # @param callback_token [String, nil] optional +X-CallbackToken+ for + # ARC status callback authentication + # @param http_client [#request, nil] injectable HTTP client for testing + def initialize(url, api_key: nil, deployment_id: nil, callback_url: nil, + callback_token: nil, http_client: nil) @url = url.chomp('/') @api_key = api_key + @deployment_id = deployment_id || "bsv-ruby-sdk-#{SecureRandom.hex(8)}" + @callback_url = callback_url + @callback_token = callback_token @http_client = http_client end # Submit a transaction to ARC. # + # The transaction is encoded as Extended Format (BRC-30) hex when every + # input has +source_satoshis+ and +source_locking_script+ populated, + # which lets ARC validate sighashes without fetching parents. Falls back + # to plain raw-tx hex when EF is unavailable. + # # @param tx [Transaction] the transaction to broadcast # @param wait_for [String, nil] ARC wait condition — one of # 'RECEIVED', 'STORED', 'ANNOUNCED_TO_NETWORK', # 'SEEN_ON_NETWORK', or 'MINED'. When set, ARC holds the # connection open until the transaction reaches the requested # state (or times out). Defaults to nil (no wait). # @return [BroadcastResponse] - # @raise [BroadcastError] + # @raise [BroadcastError] when ARC returns a non-2xx HTTP status or a + # rejected/orphan +txStatus+ def broadcast(tx, wait_for: nil) uri = URI("#{@url}/v1/tx") request = Net::HTTP::Post.new(uri) - request['Content-Type'] = 'application/octet-stream' + request['Content-Type'] = 'application/json' + request['XDeployment-ID'] = @deployment_id request['X-WaitFor'] = wait_for if wait_for + request['X-CallbackUrl'] = @callback_url if @callback_url + request['X-CallbackToken'] = @callback_token if @callback_token apply_auth_header(request) - request.body = tx.to_binary + request.body = JSON.generate(rawTx: raw_tx_hex(tx)) response = execute(uri, request) handle_broadcast_response(response) @@ -49,6 +86,7 @@ def broadcast(tx, wait_for: nil) def status(txid) uri = URI("#{@url}/v1/tx/#{txid}") request = Net::HTTP::Get.new(uri) + request['XDeployment-ID'] = @deployment_id apply_auth_header(request) response = execute(uri, request) @@ -57,6 +95,15 @@ def status(txid) private + # Prefer Extended Format (BRC-30) hex so ARC can validate sighashes + # without fetching parent transactions. Falls back to plain raw-tx hex + # when any input lacks source_satoshis / source_locking_script. + def raw_tx_hex(tx) + tx.to_ef_hex + rescue ArgumentError + tx.to_hex + end + def apply_auth_header(request) request['Authorization'] = "Bearer #{@api_key}" if @api_key end @@ -83,20 +130,45 @@ def handle_broadcast_response(response) ) end - tx_status = body['txStatus'] - if rejected_status?(tx_status) + if rejected_status?(body) raise BroadcastError.new( - body['detail'] || body['title'] || tx_status, + body['detail'] || body['title'] || body['txStatus'], status_code: code, txid: body['txid'] ) end + # A 2xx response without a txid is a malformed ARC reply — + # `parse_json` falls back to `{'detail' => raw}` on non-JSON, + # which would otherwise produce a `BroadcastResponse` full of + # `nil`s and `success? => true`. That's the same silent + # success-as-failure class of bug F5.13 closed for explicit + # error statuses; closing it here for shape corruption too. + unless body['txid'] + raise BroadcastError.new( + 'ARC returned a malformed 2xx response', + status_code: code + ) + end + build_response(body) end - def rejected_status?(tx_status) - REJECTED_STATUSES.include?(tx_status) + def rejected_status?(body) + # Case-insensitive match — the TypeScript reference + # (`ts-sdk/src/transaction/broadcasters/ARC.ts:155-166`) explicitly + # `.toUpperCase()`s both fields before membership / substring checks. + # ARC has a documented history of emitting values outside its own + # OpenAPI enum (e.g. `txStatus: "success"` for orphans in TS issue + # #105), so case normalisation is the defensive choice. + tx_status = body['txStatus'].to_s.upcase + return true if REJECTED_STATUSES.include?(tx_status) + return true if tx_status.include?(ORPHAN_MARKER) + + extra_info = body['extraInfo'].to_s.upcase + return true if extra_info.include?(ORPHAN_MARKER) + + false end def parse_json(raw)
lib/bsv/transaction/var_int.rb+8 −1 modified@@ -10,11 +10,18 @@ module Transaction module VarInt module_function + # Maximum value representable by a Bitcoin VarInt (unsigned 64-bit). + MAX_UINT64 = 0xFFFF_FFFF_FFFF_FFFF + # Encode an integer as a Bitcoin VarInt. # - # @param value [Integer] non-negative integer to encode + # @param value [Integer] non-negative integer to encode (0..2^64-1) # @return [String] encoded binary bytes + # @raise [ArgumentError] if +value+ is negative or exceeds 2^64-1 def encode(value) + raise ArgumentError, "varint requires non-negative integer, got #{value}" if value.negative? + raise ArgumentError, "varint value #{value} exceeds uint64 max (#{MAX_UINT64})" if value > MAX_UINT64 + if value < 0xFD [value].pack('C') elsif value <= 0xFFFF
lib/bsv/wallet_interface/certificate_signature.rb+212 −0 added@@ -0,0 +1,212 @@ +# frozen_string_literal: true + +require 'base64' + +module BSV + module Wallet + # BRC-52 identity certificate signature verification. + # + # Certificates carry a signature from the certifier over a canonical + # binary serialisation of their fields (excluding the signature itself). + # This module builds that canonical serialisation and delegates + # verification to a {ProtoWallet}-compatible verifier. + # + # Every field is included in the preimage in this order: + # + # - +type+ (base64 → 32 bytes) + # - +serial_number+ (base64 → 32 bytes) + # - +subject+ (hex → 33-byte compressed pubkey) + # - +certifier+ (hex → 33-byte compressed pubkey) + # - +revocation_outpoint+: txid hex (32 bytes) + output index VarInt + # - +fields+: VarInt count, then for each field (sorted + # lexicographically by name): VarInt name length + UTF-8 name bytes + # + VarInt value length + UTF-8 value bytes + # + # Signing uses BRC-42 key derivation with: + # + # - protocol ID: +[2, 'certificate signature']+ + # - key ID: +"\#{type} \#{serial_number}"+ + # - counterparty on sign: +'anyone'+ (default of + # +ProtoWallet#create_signature+ in TS — Ruby consumers should pass + # it explicitly since Ruby defaults to +'self'+) + # - counterparty on verify: the certifier's public key hex + # + # @see https://hub.bsvblockchain.org/brc/wallet/0052 BRC-52 + module CertificateSignature + PROTOCOL_ID = [2, 'certificate signature'].freeze + + # Error raised when a certificate's signature cannot be verified. + class InvalidError < InvalidSignatureError + def initialize(detail) + super("certificate signature verification failed: #{detail}") + end + end + + module_function + + # Verify a certificate's certifier signature. + # + # Raises {InvalidError} if the signature is missing, malformed, or + # does not match the expected certifier. + # + # @param cert [Hash] certificate fields. Required keys: + # +:type+, +:serial_number+, +:subject+, +:certifier+, + # +:revocation_outpoint+, +:fields+, +:signature+ + # @param verifier [#verify_signature] optional verifier; defaults to + # a fresh +ProtoWallet.new('anyone')+ + # @return [true] when the signature verifies + # @raise [InvalidError] otherwise + def verify!(cert, verifier: ProtoWallet.new('anyone')) + signature_hex = cert[:signature] + raise InvalidError, 'signature is missing' if signature_hex.nil? || signature_hex.empty? + + preimage = serialise_preimage(cert) + sig_bytes = hex_to_bytes(signature_hex) + + verifier.verify_signature({ + data: preimage.unpack('C*'), + signature: sig_bytes, + protocol_id: PROTOCOL_ID, + key_id: "#{cert[:type]} #{cert[:serial_number]}", + counterparty: cert[:certifier] + }) + + true + rescue InvalidSignatureError => e + raise if e.is_a?(InvalidError) + + raise InvalidError, e.message + rescue ArgumentError, EncodingError => e + # EncodingError covers Encoding::InvalidByteSequenceError and + # Encoding::UndefinedConversionError, which `encode_fields` + # raises for non-UTF-8 field names or values. Callers of + # `acquire_certificate` expect `InvalidError` on bad cert input + # — leaking EncodingError would break that contract. + raise InvalidError, e.message + end + + # Build the BRC-52 canonical preimage for signing or verifying. + # + # @param cert [Hash] certificate fields (see {.verify!}) + # @return [String] binary string suitable for +sha256+ (via + # {ProtoWallet#verify_signature}) + def serialise_preimage(cert) + buf = String.new(encoding: Encoding::ASCII_8BIT) + buf << decode_base64_exact(cert[:type], 32, 'type') + buf << decode_base64_exact(cert[:serial_number], 32, 'serial_number') + buf << decode_hex_exact(cert[:subject], 33, 'subject') + buf << decode_hex_exact(cert[:certifier], 33, 'certifier') + + buf << encode_revocation_outpoint(cert[:revocation_outpoint]) + buf << encode_fields(cert[:fields]) + buf + end + + class << self + private + + def encode_revocation_outpoint(outpoint) + raise ArgumentError, 'revocation_outpoint is missing' if outpoint.nil? || outpoint.empty? + + txid_hex, output_index_str = outpoint.to_s.split('.', 2) + raise ArgumentError, "revocation_outpoint #{outpoint.inspect} missing '.<output_index>'" if output_index_str.nil? + + unless output_index_str.match?(/\A\d+\z/) + raise ArgumentError, "revocation_outpoint output index must be a non-negative integer, got #{output_index_str.inspect}" + end + + buf = String.new(encoding: Encoding::ASCII_8BIT) + buf << decode_hex_exact(txid_hex, 32, 'revocation_outpoint txid') + buf << BSV::Transaction::VarInt.encode(output_index_str.to_i) + buf + end + + def encode_fields(fields) + raise ArgumentError, 'fields must be a Hash' unless fields.is_a?(Hash) + + normalised = normalise_field_keys(fields) + + buf = String.new(encoding: Encoding::ASCII_8BIT) + sorted_names = normalised.keys.sort + buf << BSV::Transaction::VarInt.encode(sorted_names.length) + + sorted_names.each do |name| + name_bytes = name.encode('UTF-8').b + value_bytes = normalised[name].to_s.encode('UTF-8').b + + buf << BSV::Transaction::VarInt.encode(name_bytes.bytesize) + buf << name_bytes + buf << BSV::Transaction::VarInt.encode(value_bytes.bytesize) + buf << value_bytes + end + buf + end + + # Normalise Hash keys to strings and reject post-normalisation + # duplicates (e.g. both `:email` and `'email'`). Without this, + # `fields.keys.map(&:to_s)` silently produces duplicate entries + # with ambiguous value ordering, which makes the BRC-52 preimage + # non-deterministic. + def normalise_field_keys(fields) + normalised = {} + fields.each do |key, value| + str_key = key.to_s + if normalised.key?(str_key) + raise ArgumentError, + "duplicate field name #{str_key.inspect} " \ + '(once as string, once as symbol)' + end + + normalised[str_key] = value + end + normalised + end + + def decode_base64_exact(value, expected_length, field_name) + raise ArgumentError, "#{field_name} is missing" if value.nil? || value.empty? + + # strict_decode64 (vs permissive decode64) rejects whitespace, + # non-base64 characters, and non-canonical padding. The rest + # of bsv-wallet (e.g. the wire serialiser) uses strict mode, + # and the BRC-52 preimage must be unambiguous — a cert with + # whitespace-injected type/serial_number would decode to the + # right length but produce a different canonical form than + # the same data re-submitted cleanly. + bytes = begin + Base64.strict_decode64(value) + rescue ArgumentError => e + raise ArgumentError, "#{field_name} is not valid base64: #{e.message}" + end + + if bytes.bytesize != expected_length + raise ArgumentError, + "#{field_name} must decode to #{expected_length} bytes, got #{bytes.bytesize}" + end + + bytes.b + end + + def decode_hex_exact(value, expected_length, field_name) + raise ArgumentError, "#{field_name} is missing" if value.nil? || value.empty? + raise ArgumentError, "#{field_name} must be a hex string" unless value.match?(/\A\h+\z/) + raise ArgumentError, "#{field_name} hex length must be even" unless value.length.even? + + bytes = [value].pack('H*') + if bytes.bytesize != expected_length + raise ArgumentError, + "#{field_name} must decode to #{expected_length} bytes, got #{bytes.bytesize}" + end + + bytes.b + end + + def hex_to_bytes(hex) + raise ArgumentError, 'signature must be a hex string' unless hex.is_a?(String) && hex.match?(/\A\h+\z/) + raise ArgumentError, 'signature hex length must be even' unless hex.length.even? + + [hex].pack('H*').unpack('C*') + end + end + end + end +end
lib/bsv/wallet_interface.rb+1 −0 modified@@ -20,6 +20,7 @@ module Wallet autoload :NullChainProvider, 'bsv/wallet_interface/null_chain_provider' autoload :WalletClient, 'bsv/wallet_interface/wallet_client' autoload :Wire, 'bsv/wallet_interface/wire' + autoload :CertificateSignature, 'bsv/wallet_interface/certificate_signature' # Error classes autoload :WalletError, 'bsv/wallet_interface/errors/wallet_error'
lib/bsv/wallet_interface/wallet_client.rb+19 −2 modified@@ -803,7 +803,7 @@ def validate_acquire_certificate!(args) end def acquire_via_direct(args) - { + cert = { type: args[:type], subject: @key_deriver.identity_key, serial_number: args[:serial_number], @@ -813,6 +813,15 @@ def acquire_via_direct(args) fields: args[:fields], keyring: args[:keyring_for_subject] } + + # BRC-52: verify the certifier's signature against the canonical + # serialisation before persisting. Fixes F8.15 from the 2026-04-08 + # cross-SDK compliance review (#305) — prior to this check, callers + # could pass any value in `args[:signature]` and it would be stored + # as if certifier-authentic. + CertificateSignature.verify!(cert) + + cert end def acquire_via_issuance(args) @@ -833,7 +842,7 @@ def acquire_via_issuance(args) body = JSON.parse(response.body) - { + cert = { type: body['type'] || args[:type], subject: @key_deriver.identity_key, serial_number: body['serialNumber'], @@ -843,6 +852,14 @@ def acquire_via_issuance(args) fields: body['fields'] || args[:fields], keyring: body['keyringForSubject'] } + + # BRC-52: the certifier's HTTP response is untrusted network data; + # verify the signature before persisting. Closes the F8.15 class of + # bug on the issuance path too (the finding's "Same issue as F8.15" + # note from F8.16). + CertificateSignature.verify!(cert) + + cert rescue JSON::ParserError raise WalletError, 'Certificate issuance failed: invalid JSON response' end
.rubocop.yml+3 −1 modified@@ -155,7 +155,7 @@ Metrics/ModuleLength: - 'lib/bsv/primitives/ecies.rb' - 'lib/bsv/script/opcodes.rb' - 'lib/bsv/script/interpreter/operations/**/*' - - 'lib/bsv/wallet_interface/wire/**/*' + - 'lib/bsv/wallet_interface/**/*' - 'lib/bsv/identity/**/*' - 'lib/bsv/registry/**/*' - 'spec/**/*' @@ -167,6 +167,7 @@ Metrics/ClassLength: - 'lib/bsv/transaction/transaction.rb' - 'lib/bsv/transaction/merkle_path.rb' - 'lib/bsv/transaction/beef.rb' + - 'lib/bsv/network/**/*' - 'lib/bsv/wallet_interface/**/*' - 'lib/bsv/auth/**/*' - 'lib/bsv/overlay/**/*' @@ -178,6 +179,7 @@ Metrics/ParameterLists: - 'lib/bsv/primitives/**/*' - 'lib/bsv/script/**/*' - 'lib/bsv/transaction/**/*' + - 'lib/bsv/network/**/*' - 'lib/bsv/overlay/**/*' - 'lib/bsv/identity/**/*' - 'lib/bsv/registry/**/*'
.security/advisories/2026-0001-acquire-certificate-signature-bypass.md+157 −0 added@@ -0,0 +1,157 @@ +--- +id: 2026-0001 +ghsa_id: GHSA-hc36-c89j-5f4j +ghsa_url: https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j +cve_id: TBD +status: draft +title: bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) +ecosystem: RubyGems +severity: HIGH +cwe: CWE-347 +cvss_v3: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N +cvss_score: 8.1 +affected_products: + - package: bsv-sdk + affected: ">= 0.3.1, < 0.8.2" + patched: "0.8.2" + - package: bsv-wallet + affected: ">= 0.1.2, < 0.3.4" + patched: "0.3.4" +finding: F8.15 +review: .architecture/reviews/20260408-cross-sdk-compliance-review.md +hlr: sgbett/bsv-ruby-sdk#305 +reported: 2026-04-08 +published: TBD +--- + +# Unverified certifier signatures persisted by `acquire_certificate` + +## Affected packages + +Both `bsv-sdk` and `bsv-wallet` are published from the [sgbett/bsv-ruby-sdk](https://github.com/sgbett/bsv-ruby-sdk) repository. The vulnerable code lives in `lib/bsv/wallet_interface/wallet_client.rb`, which is **physically shipped inside both gems** (the `bsv-wallet.gemspec` `files` list bundles the entire `lib/bsv/wallet_interface/` tree). Consumers of either gem are independently vulnerable; the two packages are versioned separately, so each has its own affected range. + +| Package | Affected | Patched | +| --- | --- | --- | +| `bsv-sdk` | `>= 0.3.1, < 0.8.2` | `0.8.2` | +| `bsv-wallet` | `>= 0.1.2, < 0.3.4` | `0.3.4` | + +## Summary + +`BSV::Wallet::WalletClient#acquire_certificate` persists certificate records to storage **without verifying the certifier's signature** over the certificate contents. Both acquisition paths are affected: + +- `acquisition_protocol: 'direct'` — the caller supplies all certificate fields (including `signature:`) and the record is written to storage verbatim. +- `acquisition_protocol: 'issuance'` — the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. + +An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to `list_certificates` and `prove_certificate`. + +## Details + +BRC-52 requires a certificate's `signature` field to be verified against the claimed certifier's public key over a canonical hashing of `(type, subject, serialNumber, revocationOutpoint, fields)` before the certificate is trusted. The reference TypeScript SDK enforces this in `Certificate.verify()`. + +### Direct path + +The Ruby implementation's `acquire_via_direct` path (`lib/bsv/wallet_interface/wallet_client.rb`) constructs the certificate record directly from caller-supplied fields: + +```ruby +def acquire_via_direct(args) + { + type: args[:type], + subject: @key_deriver.identity_key, + serial_number: args[:serial_number], + certifier: args[:certifier], + revocation_outpoint: args[:revocation_outpoint], + signature: args[:signature], + fields: args[:fields], + keyring: args[:keyring_for_subject] + } +end +``` + +The returned record is then written to the storage adapter by `acquire_certificate`. No verification of `args[:signature]` against `args[:certifier]`'s public key occurs at any point in this path. + +### Issuance path + +`acquire_via_issuance` POSTs to a certifier-supplied URL and parses the response body into a certificate record, which is then written to storage without verifying the returned signature. A hostile or compromised certifier endpoint — or anyone able to redirect/MITM the plain HTTP request — can therefore return an arbitrary `signature` value for any subject and have it stored as authentic. This is the same class of bypass as the direct path; it was tracked separately as finding **F8.16** in the compliance review and is closed by the same fix. + +### Downstream impact + +Downstream reads via `list_certificates` and selective-disclosure via `prove_certificate` treat stored records as valid without re-verifying, so any forgery that slips past `acquire_certificate` is trusted permanently. + +## Impact + +Any caller that can invoke `acquire_certificate` — via either acquisition protocol — can forge a certificate attributed to an arbitrary certifier identity key, containing arbitrary fields, and have it persisted as authentic. Applications and downstream gems that rely on the wallet's certificate store as a source of truth for identity attributes (e.g. KYC assertions, role claims, attestations) are subject to credential forgery. + +This is a credential-forgery primitive, not merely a spec divergence from BRC-52. + +## CVSS rationale + +`AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N` → **8.1 (High)** + +- **AV:N** — network-reachable in any wallet context that exposes `acquire_certificate` to callers. +- **AC:L** — low attack complexity: pass arbitrary bytes as `signature:`. +- **PR:L** — low privileges: any caller authorised to invoke `acquire_certificate`. +- **UI:N** — no user interaction required. +- **C:H** — forged credentials via `prove_certificate` can assert attributes about the subject. +- **I:H** — the wallet's credential store is polluted with attacker-controlled data. +- **A:N** — availability unaffected. + +## Proof of concept + +```ruby +client = BSV::Wallet::WalletClient.new(key, storage: BSV::Wallet::MemoryStore.new) + +client.acquire_certificate( + type: 'age-over-18', + acquisition_protocol: 'direct', + certifier: claimed_trusted_pubkey_hex, + serial_number: 'any-serial', + revocation_outpoint: ('00' * 32) + '.0', + signature: 'deadbeef' * 16, # arbitrary bytes — never verified + fields: { 'verified' => 'true' }, + keyring_for_subject: {} +) + +client.list_certificates( + certifiers: [claimed_trusted_pubkey_hex], + types: ['age-over-18'] +) +# => returns the forged record as if it were a real certificate from that certifier +``` + +## Affected versions + +The vulnerable direct-path code was introduced in commit `d14dd19` ("feat(wallet): implement BRC-100 identity certificate methods (Phase 5)") on 2026-03-27 20:35 UTC. The vulnerable issuance-path code was added one day later in `6a4d898` ("feat(wallet): implement certificate issuance protocol", 2026-03-28 04:38 UTC), which removed an earlier `raise UnsupportedActionError` and replaced it with an unverified HTTP POST. + +**`bsv-sdk`:** the v0.3.1 chore bump (`89de3a2`) was committed 28 minutes after `d14dd19`, so the direct-path bypass shipped in the **v0.3.1** tag. The v0.3.1 release raised `UnsupportedActionError` for the issuance path, so the issuance-path bypass first shipped in **v0.3.2** (`5a335de`). Every subsequent release up to and including **v0.8.1** is affected by at least one path, and every release from v0.3.2 onwards is affected by both. Combined affected range: `>= 0.3.1, < 0.8.2`. + +**`bsv-wallet`:** at the time both commits landed, the wallet gem was at version 0.1.1. The first wallet release containing any of the vulnerable code was **v0.1.2** (`5a335de`, 2026-03-30), which shipped both paths simultaneously. Every subsequent release up to and including **v0.3.3** is affected on both paths. Affected range: `>= 0.1.2, < 0.3.4`. + +## Patches + +Upgrade to `bsv-sdk >= 0.8.2` **and/or** `bsv-wallet >= 0.3.4`. Both releases ship the same fix: a new module `BSV::Wallet::CertificateSignature` (`lib/bsv/wallet_interface/certificate_signature.rb`), which builds the BRC-52 canonical preimage (`type`, `serial_number`, `subject`, `certifier`, `revocation_outpoint`, lexicographically-sorted `fields`) and verifies the certifier's signature against it via `ProtoWallet#verify_signature` with protocol ID `[2, 'certificate signature']` and counterparty = the claimed certifier's public key. Both `acquire_via_direct` and `acquire_via_issuance` now call `CertificateSignature.verify!` before returning the certificate to `acquire_certificate`, so invalid certificates raise `BSV::Wallet::CertificateSignature::InvalidError` (a subclass of `InvalidSignatureError`) and are never written to storage. + +Consumers should upgrade whichever gem they depend on directly; they do not need both. `bsv-wallet 0.3.4` additionally tightens its dependency on `bsv-sdk` from the stale `~> 0.4` to `>= 0.8.2, < 1.0`, which forces the known-good pairing and pulls in the sibling advisory fixes (F1.3, F5.13) tracked separately. + +The issuance-path fix also partially closes finding **F8.16** from the same compliance review. F8.16's second aspect — switching the issuance transport from ad-hoc JSON POST to BRC-104 AuthFetch — is not addressed here and remains deferred to a future release. + +Fixed in sgbett/bsv-ruby-sdk#306. + +## Workarounds + +If upgrading is not immediately possible: + +- Do not expose `acquire_certificate` (either acquisition protocol) to untrusted callers. +- Do not invoke `acquire_certificate` with `acquisition_protocol: 'issuance'` against a certifier URL you do not fully trust, and require TLS for any such request. +- Treat any record returned by `list_certificates` / `prove_certificate` as unverified and perform an out-of-band BRC-52 verification against the certifier's public key before acting on it. + +## Credit + +Identified during the 2026-04-08 cross-SDK compliance review, tracked as findings F8.15 (direct path) and F8.16 (issuance path, partial). + +## References + +- HLR: sgbett/bsv-ruby-sdk#305 +- Fix PR: sgbett/bsv-ruby-sdk#306 +- Compliance review: [`.architecture/reviews/20260408-cross-sdk-compliance-review.md`](../../.architecture/reviews/20260408-cross-sdk-compliance-review.md) +- BRC-52 specification: https://brc.dev/52 +- TypeScript reference: `Certificate.verify()` in `@bsv/sdk`
.security/advisories/2026-0002-arc-broadcaster-failure-statuses.md+101 −0 added@@ -0,0 +1,101 @@ +--- +id: 2026-0002 +ghsa_id: GHSA-9hfr-gw99-8rhx +ghsa_url: https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx +cve_id: TBD +status: draft +title: bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts +package: bsv-sdk +ecosystem: RubyGems +severity: HIGH +cwe: CWE-754 +cvss_v3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N +cvss_score: 7.5 +affected: ">= 0.1.0, < 0.8.2" +patched: "0.8.2" +finding: F5.13 +review: .architecture/reviews/20260408-cross-sdk-compliance-review.md +hlr: sgbett/bsv-ruby-sdk#305 +reported: 2026-04-08 +published: TBD +--- + +# ARC broadcaster treats failure statuses as successful broadcasts + +## Summary + +`BSV::Network::ARC`'s failure detection only recognises `REJECTED` and `DOUBLE_SPEND_ATTEMPTED`. ARC responses with `txStatus` values of `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, or any `ORPHAN`-containing `extraInfo` / `txStatus` are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. + +## Details + +`lib/bsv/network/arc.rb` (lines ~74-100 in the affected code) uses a narrow failure predicate compared to the TypeScript reference SDK. The TS broadcaster additionally recognises: + +- `INVALID` +- `MALFORMED` +- `MINED_IN_STALE_BLOCK` +- Any response containing `ORPHAN` in `extraInfo` or `txStatus` + +The Ruby implementation omits all of these, so ARC responses carrying any of these statuses are returned to the caller as successful broadcasts. + +Additional divergences in the same module compound the risk: + +- `Content-Type` is sent as `application/octet-stream`; the TS reference sends `application/json` with a `{ rawTx: <hex> }` body (EF form where source transactions are available). +- The headers `XDeployment-ID`, `X-CallbackUrl`, and `X-CallbackToken` are not sent. + +The immediate security-relevant defect is the missing failure statuses; the other divergences are fixed in the same patch for protocol compliance. + +## Impact + +Integrity: callers receive a success response for broadcasts that were actually rejected by the ARC endpoint. Applications and downstream gems that gate actions on broadcaster success — releasing goods, marking invoices paid, treating a token as minted, progressing a workflow — are tricked into trusting transactions that were never broadcast. + +This is an integrity bug with security consequences. It does not disclose information (confidentiality unaffected) and does not affect availability. + +## CVSS rationale + +`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` → **7.5 (High)** + +- **AV:N** — network-reachable. +- **AC:L** — no specialised access conditions are required. Triggering any of the unhandled failure statuses is not meaningfully harder than broadcasting a transaction at all: a malformed or invalid transaction, an orphan condition from a transient fork, or a hostile/misbehaving ARC endpoint returning one of these statuses is sufficient. The attacker does not need to defeat any mitigation or race a specific window — the bug is that the code path doesn't exist at all. +- **PR:N** — no privileges required. +- **UI:N** — no user interaction. +- **C:N** — no confidentiality impact. +- **I:H** — downstream integrity decisions are taken on non-broadcast transactions. +- **A:N** — no availability impact. + +## Affected versions + +The ARC broadcaster was introduced in commit `a1f2e62` ("feat(network): add ARC broadcaster with injectable HTTP client") on 2026-02-08 and first released in **v0.1.0**. The narrow failure predicate has been present since introduction. Every release up to and including **v0.8.1** is affected. + +Affected range: `>= 0.1.0, < 0.8.2`. + +## Patches + +Upgrade to `bsv-sdk >= 0.8.2`. The fix: + +- Expands the failure predicate (`REJECTED_STATUSES` + `ORPHAN` substring check on both `txStatus` and `extraInfo`) to include `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, and any orphan-containing response, matching the TypeScript reference. +- Switches `Content-Type` to `application/json` with a `{ rawTx: <hex> }` body, preferring Extended Format (BRC-30) hex when every input has `source_satoshis` and `source_locking_script` populated and falling back to plain raw-tx hex otherwise. +- Adds support for the `XDeployment-ID` (default: random `bsv-ruby-sdk-<hex>`), `X-CallbackUrl`, and `X-CallbackToken` headers via new constructor keyword arguments. + +Fixed in sgbett/bsv-ruby-sdk#306. + +### Note for `bsv-wallet` consumers + +The sibling gem `bsv-wallet` (published from the same repository) is not independently vulnerable — `lib/bsv/network/arc.rb` is not bundled into the wallet gem's `files` list. However, `bsv-wallet` runtime-depends on `bsv-sdk`, so a consumer of `bsv-wallet` that also invokes the ARC broadcaster is transitively exposed whenever `Gemfile.lock` resolves to a vulnerable `bsv-sdk` version. `bsv-wallet >= 0.3.4` tightens its `bsv-sdk` constraint to `>= 0.8.2, < 1.0`, so upgrading either gem is sufficient to pull in the fix. + +## Workarounds + +If upgrading is not immediately possible: + +- Verify broadcast results out-of-band (e.g. query a block explorer or WhatsOnChain) before treating a transaction as broadcast. +- Do not gate integrity-critical actions solely on the ARC broadcaster's success response. + +## Credit + +Identified during the 2026-04-08 cross-SDK compliance review, tracked as finding F5.13. + +## References + +- HLR: sgbett/bsv-ruby-sdk#305 +- Fix PR: sgbett/bsv-ruby-sdk#306 +- Compliance review: [`.architecture/reviews/20260408-cross-sdk-compliance-review.md`](../../.architecture/reviews/20260408-cross-sdk-compliance-review.md) +- TypeScript reference: `ARC` class in `@bsv/sdk`
.security/README.md+22 −0 added@@ -0,0 +1,22 @@ +# Security + +This directory holds security-related artefacts for the gems published from this repository (`bsv-sdk` and `bsv-wallet`): + +- `advisories/` — draft and published security advisories. Each file corresponds to a GitHub Security Advisory (GHSA) and, where assigned, a CVE ID. Drafts live here before publication and are updated in-place when the advisory is published. + +Security reports should be made via GitHub's private vulnerability reporting (Security tab → Report a vulnerability) rather than public issues. + +## Advisory lifecycle + +1. Draft the advisory as a Markdown file in `advisories/` using the existing files as a template. +2. File a GitHub Security Advisory (Security → Advisories → New draft) and request a CVE ID. +3. Keep the draft private until the patched release is tagged and pushed to RubyGems. +4. Publish the GHSA on release day. +5. Update the Markdown file with the final GHSA ID, CVE ID, and publication date. + +## Index + +| GHSA | Finding | Packages | Severity | Status | +| --- | --- | --- | --- | --- | +| [GHSA-hc36-c89j-5f4j](advisories/2026-0001-acquire-certificate-signature-bypass.md) | F8.15 / F8.16 partial — `acquire_certificate` persists unverified certifier signatures | `bsv-sdk`, `bsv-wallet` | HIGH (8.1) | Draft | +| [GHSA-9hfr-gw99-8rhx](advisories/2026-0002-arc-broadcaster-failure-statuses.md) | F5.13 — ARC broadcaster treats failure statuses as success | `bsv-sdk` | HIGH (7.5) | Draft |
spec/bsv/network/arc_spec.rb+200 −5 modified@@ -19,9 +19,24 @@ def request(uri, req) end end - # Minimal transaction double with #to_binary + # Minimal transaction double supporting the Extended Format (BRC-30) + # preferred by ARC, plus the plain raw-tx hex fallback used when any + # input lacks source_satoshis / source_locking_script. let(:tx) do - instance_double(BSV::Transaction::Transaction, to_binary: "\x01\x00\x00\x00".b) + instance_double( + BSV::Transaction::Transaction, + to_ef_hex: '010000000000ef0000', + to_hex: '01000000' + ) + end + + # Alternate transaction double that cannot produce EF form (matches the + # real Transaction#to_ef behaviour of raising when inputs are missing + # source_satoshis or source_locking_script). + let(:tx_no_source) do + dbl = instance_double(BSV::Transaction::Transaction, to_hex: '01000000') + allow(dbl).to receive(:to_ef_hex).and_raise(ArgumentError, 'inputs must have source_satoshis for EF') + dbl end let(:success_body) do @@ -51,14 +66,68 @@ def request(uri, req) expect(response.success?).to be true end - it 'sends binary transaction body with correct content type' do + it 'sends JSON body with Extended Format hex raw tx' do + http = mock_http.new(200, success_body) + arc = described_class.new('https://arc.example.com', http_client: http) + + arc.broadcast(tx) + + expect(http.last_request['Content-Type']).to eq('application/json') + body = JSON.parse(http.last_request.body) + expect(body).to eq('rawTx' => '010000000000ef0000') + end + + it 'falls back to plain raw-tx hex when EF encoding is unavailable' do + http = mock_http.new(200, success_body) + arc = described_class.new('https://arc.example.com', http_client: http) + + arc.broadcast(tx_no_source) + + body = JSON.parse(http.last_request.body) + expect(body).to eq('rawTx' => '01000000') + end + + it 'sends the XDeployment-ID header (default random identifier)' do http = mock_http.new(200, success_body) arc = described_class.new('https://arc.example.com', http_client: http) arc.broadcast(tx) - expect(http.last_request['Content-Type']).to eq('application/octet-stream') - expect(http.last_request.body).to eq("\x01\x00\x00\x00".b) + expect(http.last_request['XDeployment-ID']).to start_with('bsv-ruby-sdk-') + end + + it 'sends an explicit XDeployment-ID when configured' do + http = mock_http.new(200, success_body) + arc = described_class.new('https://arc.example.com', deployment_id: 'acme-prod-42', http_client: http) + + arc.broadcast(tx) + + expect(http.last_request['XDeployment-ID']).to eq('acme-prod-42') + end + + it 'sends X-CallbackUrl and X-CallbackToken headers when configured' do + http = mock_http.new(200, success_body) + arc = described_class.new( + 'https://arc.example.com', + callback_url: 'https://example.com/arc-cb', + callback_token: 'secret-token', + http_client: http + ) + + arc.broadcast(tx) + + expect(http.last_request['X-CallbackUrl']).to eq('https://example.com/arc-cb') + expect(http.last_request['X-CallbackToken']).to eq('secret-token') + end + + it 'omits X-CallbackUrl and X-CallbackToken when not configured' do + http = mock_http.new(200, success_body) + arc = described_class.new('https://arc.example.com', http_client: http) + + arc.broadcast(tx) + + expect(http.last_request['X-CallbackUrl']).to be_nil + expect(http.last_request['X-CallbackToken']).to be_nil end it 'posts to /v1/tx' do @@ -118,6 +187,132 @@ def request(uri, req) expect { arc.broadcast(tx) }.to raise_error(BSV::Network::BroadcastError, 'Double spend') end + # Regression for https://github.com/sgbett/bsv-ruby-sdk/issues/305 (F5.13) + # + # Prior behaviour: `REJECTED_STATUSES` only contained REJECTED and + # DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus INVALID, MALFORMED, + # MINED_IN_STALE_BLOCK, or any ORPHAN-containing status / extraInfo were + # silently treated as successful broadcasts — callers relying on + # broadcast() to signal failure would trust un-broadcast transactions. + describe 'failure status recognition (issue #305)' do + %w[INVALID MALFORMED MINED_IN_STALE_BLOCK].each do |failure_status| + it "raises BroadcastError when txStatus is #{failure_status}" do + body = { + 'txid' => 'abc123', + 'txStatus' => failure_status, + 'title' => "Transaction #{failure_status.downcase}" + }.to_json + http = mock_http.new(200, body) + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError) + end + end + + it 'raises BroadcastError when txStatus contains ORPHAN' do + body = { + 'txid' => 'abc123', + 'txStatus' => 'ORPHAN_MISSING_PARENT', + 'title' => 'Orphan transaction' + }.to_json + http = mock_http.new(200, body) + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError, 'Orphan transaction') + end + + it 'raises BroadcastError when extraInfo contains ORPHAN' do + body = { + 'txid' => 'abc123', + 'txStatus' => 'SEEN_ON_NETWORK', + 'title' => 'Orphan', + 'extraInfo' => 'transaction is an ORPHAN — missing parent tx' + }.to_json + http = mock_http.new(200, body) + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError) + end + end + + # Follow-up hardening from PR #306 review — match TS's case-insensitive + # detection at `ts-sdk/src/transaction/broadcasters/ARC.ts:155-166`. + # ARC's OpenAPI pins txStatus as an UPPERCASE enum, but ARC has a + # documented history of emitting values outside its own contract + # (TS issue #105), so normalisation is the defensive choice. + describe 'case-insensitive failure status detection (#306 review)' do + %w[rejected invalid malformed mined_in_stale_block REJECTED Invalid].each do |status| + it "raises BroadcastError on txStatus #{status.inspect} (case-insensitive)" do + body = { 'txid' => 'abc123', 'txStatus' => status, 'title' => 'rejected' }.to_json + http = mock_http.new(200, body) + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError) + end + end + + it 'raises BroadcastError when extraInfo contains lowercase "orphan"' do + body = { + 'txid' => 'abc123', + 'txStatus' => 'SEEN_ON_NETWORK', + 'title' => 'Orphan', + 'extraInfo' => 'transaction is an orphan — missing parent tx' + }.to_json + http = mock_http.new(200, body) + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError) + end + + it 'raises BroadcastError when txStatus contains mixed-case "Orphan"' do + body = { + 'txid' => 'abc123', + 'txStatus' => 'seen_in_Orphan_mempool' + }.to_json + http = mock_http.new(200, body) + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError) + end + end + + # Follow-up hardening from PR #306 review — guard against malformed + # 2xx responses that would otherwise produce a silent "success" + # BroadcastResponse full of nils. + describe 'malformed 2xx response rejection (#306 review)' do + it 'raises BroadcastError on a 2xx response that is not JSON' do + http = mock_http.new(200, 'an ARC proxy wrote this plaintext response') + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError, /malformed/) + end + + it 'raises BroadcastError on a 2xx JSON response without a txid' do + body = { 'txStatus' => 'SEEN_ON_NETWORK' }.to_json # no txid + http = mock_http.new(200, body) + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError, /malformed/) + end + + it 'raises BroadcastError on a 2xx JSON response with explicit null txid' do + body = { 'txid' => nil, 'txStatus' => 'SEEN_ON_NETWORK' }.to_json + http = mock_http.new(200, body) + arc = described_class.new('https://arc.example.com', http_client: http) + + expect { arc.broadcast(tx) } + .to raise_error(BSV::Network::BroadcastError, /malformed/) + end + end + it 'handles non-JSON response body gracefully' do http = mock_http.new(500, 'Internal Server Error') arc = described_class.new('https://arc.example.com', http_client: http)
spec/bsv/transaction/var_int_spec.rb+35 −0 modified@@ -99,4 +99,39 @@ expect(described_class.encode(0x100000000).getbyte(0)).to eq(0xFF) # 9-byte end end + + # Regression for https://github.com/sgbett/bsv-ruby-sdk/issues/305 (F1.3) + # + # Prior behaviour: `VarInt.encode(-1)` fell into the `value < 0xFD` branch and + # emitted `[value].pack('C')`, which masks the two's-complement low byte — + # producing 0xFF, the marker byte for a 9-byte encoding. A downstream reader + # would then try to consume 8 more bytes from whatever followed, silently + # corrupting the transaction stream with no exception raised. The docstring + # required a non-negative integer but the implementation did not enforce it. + describe '.encode input validation (issue #305)' do + it 'raises ArgumentError on -1 (silent 0xFF marker corruption)' do + expect { described_class.encode(-1) } + .to raise_error(ArgumentError, /non-negative/) + end + + it 'raises ArgumentError on a large negative integer' do + expect { described_class.encode(-0xFFFFFFFFFFFFFFFF) } + .to raise_error(ArgumentError, /non-negative/) + end + + it 'accepts the uint64 maximum (2^64 - 1)' do + expected = "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF".b + expect(described_class.encode(0xFFFFFFFFFFFFFFFF)).to eq(expected) + end + + it 'raises ArgumentError on 2^64 (just past uint64 max)' do + expect { described_class.encode(0x10000000000000000) } + .to raise_error(ArgumentError, /exceeds uint64/) + end + + it 'raises ArgumentError on a very large value far above uint64' do + expect { described_class.encode(2**128) } + .to raise_error(ArgumentError, /exceeds uint64/) + end + end end
spec/bsv/wallet_interface/certificate_spec.rb+170 −1 modified@@ -10,15 +10,36 @@ let(:wallet) { BSV::Wallet::WalletClient.new(private_key, storage: BSV::Wallet::MemoryStore.new) } let(:certifier_key) { BSV::Primitives::PrivateKey.generate } let(:certifier_hex) { certifier_key.public_key.to_hex } + let(:certifier_wallet) { BSV::Wallet::ProtoWallet.new(certifier_key) } let(:cert_type) { Base64.strict_encode64(SecureRandom.random_bytes(32)) } let(:serial_number) { Base64.strict_encode64(SecureRandom.random_bytes(32)) } let(:revocation_outpoint) { "#{'ab' * 32}.0" } - let(:signature) { 'deadbeef' * 8 } let(:fields) { { 'name' => 'Alice', 'email' => 'alice@example.com' } } let(:keyring) { { 'name' => Base64.strict_encode64('key1'), 'email' => Base64.strict_encode64('key2') } } + # Compute a valid BRC-52 certifier signature over the canonical preimage. + # The certifier signs with counterparty 'anyone' so any verifier deriving + # against counterparty=certifier_hex can reconstruct the same public key. + let(:signature) do + preimage = BSV::Wallet::CertificateSignature.serialise_preimage( + type: cert_type, + serial_number: serial_number, + subject: wallet.key_deriver.identity_key, + certifier: certifier_hex, + revocation_outpoint: revocation_outpoint, + fields: fields + ) + result = certifier_wallet.create_signature({ + data: preimage.unpack('C*'), + protocol_id: [2, 'certificate signature'], + key_id: "#{cert_type} #{serial_number}", + counterparty: 'anyone' + }) + result[:signature].pack('C*').unpack1('H*') + end + let(:direct_args) do { type: cert_type, @@ -51,6 +72,154 @@ expect(result).not_to have_key(:keyring) end + # Regression for https://github.com/sgbett/bsv-ruby-sdk/issues/305 (F8.15) + # + # Prior to this fix, `acquire_via_direct` wrote user-supplied certificate + # fields to storage without verifying the certifier's signature. A caller + # could pass any value as `args[:signature]` and it would be persisted as + # authentic. `list_certificates` and `prove_certificate` then treated the + # record as valid, producing a credential forgery primitive. + describe 'BRC-52 certifier signature verification (issue #305)' do + it 'rejects a certificate with an invalid signature' do + tampered = direct_args.merge(signature: 'ff' * 70) + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError) + end + + it 'rejects a certificate whose fields have been tampered with after signing' do + tampered = direct_args.merge(fields: fields.merge('email' => 'attacker@example.com')) + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError) + end + + it 'rejects a certificate whose subject is overridden' do + # The wallet always sets subject to its own identity key, so changing + # the subject in args has no effect — but if the signature was made + # over a different subject, the preimage hash won't match. + other_wallet_signature = begin + other_key = BSV::Primitives::PrivateKey.generate + preimage = BSV::Wallet::CertificateSignature.serialise_preimage( + type: cert_type, + serial_number: serial_number, + subject: other_key.public_key.to_hex, + certifier: certifier_hex, + revocation_outpoint: revocation_outpoint, + fields: fields + ) + result = certifier_wallet.create_signature({ + data: preimage.unpack('C*'), + protocol_id: [2, 'certificate signature'], + key_id: "#{cert_type} #{serial_number}", + counterparty: 'anyone' + }) + result[:signature].pack('C*').unpack1('H*') + end + + tampered = direct_args.merge(signature: other_wallet_signature) + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError) + end + + it 'rejects a certificate signed by a different certifier' do + imposter_key = BSV::Primitives::PrivateKey.generate + imposter_wallet = BSV::Wallet::ProtoWallet.new(imposter_key) + preimage = BSV::Wallet::CertificateSignature.serialise_preimage( + type: cert_type, + serial_number: serial_number, + subject: wallet.key_deriver.identity_key, + certifier: certifier_hex, # claims to be from the real certifier + revocation_outpoint: revocation_outpoint, + fields: fields + ) + imposter_sig = imposter_wallet.create_signature({ + data: preimage.unpack('C*'), + protocol_id: [2, 'certificate signature'], + key_id: "#{cert_type} #{serial_number}", + counterparty: 'anyone' + })[:signature].pack('C*').unpack1('H*') + + tampered = direct_args.merge(signature: imposter_sig) + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError) + end + + it 'rejects a certificate with a malformed (non-hex) signature' do + tampered = direct_args.merge(signature: 'not hex at all') + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError) + end + + it 'does not persist an unverified certificate to storage' do + tampered = direct_args.merge(signature: 'ff' * 70) + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError) + + certs = wallet.list_certificates({ certifiers: [certifier_hex], types: [cert_type] }) + expect(certs[:total_certificates]).to eq(0) + end + end + + # Follow-up hardening from PR #306 review. + describe 'CertificateSignature input validation (#306 review)' do + # #2 — strict base64 decode + it 'rejects a certificate whose type has whitespace-injected base64' do + # strict_decode64 rejects whitespace; decode64 would have accepted it. + # The decoded length would still be 32 bytes here, which is exactly + # the silent-corruption case strict_decode64 closes. + raw32 = "\x01".b * 32 + valid_type = Base64.strict_encode64(raw32) + whitespace_injected = valid_type.chars.each_slice(8).map(&:join).join("\n") + + tampered = direct_args.merge(type: whitespace_injected) + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError, /base64/) + end + + it 'rejects a certificate whose serial_number has non-base64 characters' do + tampered = direct_args.merge(serial_number: 'not valid base64!!@#$%^&*()_+|') + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError) + end + + # #3 — EncodingError → InvalidError + it 'rejects a certificate with non-UTF-8 bytes in a field value as InvalidError' do + # A lone 0x80 byte is invalid UTF-8 (continuation byte with no lead). + bad_field_value = "\x80".b + tampered = direct_args.merge(fields: fields.merge('email' => bad_field_value)) + + # Without the EncodingError rescue, this would leak + # Encoding::InvalidByteSequenceError / UndefinedConversionError. + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError) + end + + # #4 — duplicate field names + it 'rejects fields containing both symbol and string forms of the same name' do + ambiguous = { 'email' => 'one@example.com', email: 'two@example.com' } + tampered = direct_args.merge(fields: ambiguous) + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError, /duplicate field name/) + end + + # #6 — hex_to_bytes even-length guard + it 'rejects an odd-length signature hex' do + # Chop one hex nibble off an otherwise valid signature. + tampered = direct_args.merge(signature: signature[0...-1]) + + expect { wallet.acquire_certificate(tampered) } + .to raise_error(BSV::Wallet::CertificateSignature::InvalidError, /even/) + end + end + it 'raises InvalidParameterError for issuance without certifier_url' do args = direct_args.merge(acquisition_protocol: 'issuance') args.delete(:serial_number)
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84ccnvdPatch
- github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhxnvdPatchVendor Advisory
- github.com/advisories/GHSA-9hfr-gw99-8rhxghsaADVISORY
- github.com/sgbett/bsv-ruby-sdk/issues/305nvdIssue Tracking
- github.com/sgbett/bsv-ruby-sdk/pull/306nvdIssue Tracking
- github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2nvdRelease Notes
- github.com/rubysec/ruby-advisory-db/blob/master/gems/bsv-sdk/CVE-2026-40069.ymlghsa
- nvd.nist.gov/vuln/detail/CVE-2026-40069ghsa
News mentions
0No linked articles in our index yet.