hardening(identity): round-26 UCP signing reviewer findings

verify_ucp_profile now treats explicit JSON null on JWK.use / JWK.alg as
absent (skip-on-null) rather than rejecting via joserfc's stricter
KeySet.import_key_set validation; both fields are optional per RFC 7517
and the Node sibling now uses ``!= null`` semantics, so a JWK with
``"use": null`` / ``"alg": null`` should pass language-symmetric verify.
The ``is not None`` checks above already skip null; we now also drop the
explicit-null entries before handing the JWK to joserfc so its key
parameter registry doesn't reject them downstream.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: vvillait88

agentscore_commerce/identity/ucp_jwks.py

@@ -430,6 +430,10 @@ def verify_ucp_profile(
         )
     matched = matches[0]
     # RFC 7517 §4.2: reject keys not intended for signature verification.
+    # ``use`` and ``alg`` are optional per RFC 7517; an explicit JSON null is
+    # out-of-spec but treat it as absent (skip-on-null) so a JWK with
+    # ``"use": null`` matches the Node sibling's ``!= null`` semantics in
+    # ucp-jwks.ts and the two languages stay symmetric.
     matched_use = matched.get("use")
     if matched_use is not None and matched_use != "sig":
         raise UCPVerificationError(
@@ -444,6 +448,11 @@ def verify_ucp_profile(
             "unusable_key",
             f"JWK alg {matched_alg!r} does not match JWS header alg {header_alg!r}.",
         )
+    # joserfc's KeySet.import_key_set runs a stricter dict-key validation that
+    # rejects ``use: None`` / ``alg: None`` outright. Strip explicit nulls for
+    # those two fields before handing the JWK off so skip-on-null actually
+    # propagates to the import step.
+    matches = [{k: v for k, v in matched.items() if not (k in ("use", "alg") and v is None)}]
 
     stripped = {k: v for k, v in signed_profile.items() if k != "signature"}
     try:

tests/test_ucp_jwks.py

@@ -756,6 +756,39 @@ def test_accepts_u2027_sanity_case(self) -> None:
         assert verify_ucp_profile(signed, build_jwks_response([signer.public_jwk])) is True
 
 
+class TestJWKUseAlgNullTreatedAsAbsent:
+    """RFC 7517 lists ``use`` and ``alg`` as optional. Explicit JSON null is
+    out-of-spec but harmless; treat null as absent (skip-on-null) so a JWK
+    carrying ``"use": null`` or ``"alg": null`` matches the Node sibling's
+    ``!= null`` semantics in ucp-jwks.ts and the two languages stay
+    symmetric.
+    """
+
+    def test_verify_succeeds_when_matched_jwk_has_null_use(self) -> None:
+        key = generate_ucp_signing_key(kid="null-use")
+        profile = _base_profile([key.public_jwk])
+        signed = sign_ucp_profile(profile, signing_key=key.private_key, kid="null-use")
+        jwks_with_null_use = build_jwks_response([{**key.public_jwk, "use": None}])
+        assert verify_ucp_profile(signed, jwks_with_null_use) is True
+
+    def test_verify_succeeds_when_matched_jwk_has_null_alg(self) -> None:
+        key = generate_ucp_signing_key(kid="null-alg", alg="EdDSA")
+        profile = _base_profile([key.public_jwk])
+        signed = sign_ucp_profile(profile, signing_key=key.private_key, kid="null-alg")
+        jwks_with_null_alg = build_jwks_response([{**key.public_jwk, "alg": None}])
+        assert verify_ucp_profile(signed, jwks_with_null_alg) is True
+
+    def test_verify_still_rejects_use_enc_with_unusable_key(self) -> None:
+        # Sanity: non-null wrong values continue to fail with unusable_key.
+        key = generate_ucp_signing_key(kid="enc-sanity")
+        profile = _base_profile([key.public_jwk])
+        signed = sign_ucp_profile(profile, signing_key=key.private_key, kid="enc-sanity")
+        enc_jwk = {**key.public_jwk, "use": "enc"}
+        with pytest.raises(UCPVerificationError) as exc:
+            verify_ucp_profile(signed, build_jwks_response([enc_jwk]))
+        assert exc.value.code == "unusable_key"
+
+
 class TestVerifierErrorPrecedence:
     def test_null_profile_with_malformed_jwks_returns_no_signature(self) -> None:
         with pytest.raises(UCPVerificationError) as exc: