hardening: round-2 reviewer findings (security + test gaps)

Mirrors node-commerce hardening for cross-language parity.

- verify_ucp_profile: wrap UnsupportedHeaderError (RFC 7515 §4.1.11
  unrecognized `crit`) into UCPVerificationError('unrecognized_critical_header').
- verify_ucp_profile: malformed JWKS shape (non-dict, missing keys array)
  now emits UCPVerificationError('malformed_jwks') instead of cryptic
  AttributeError. Same for non-dict signed_profile input.
- verify_ucp_profile: reject JWKs with use != 'sig' as 'unusable_key'
  (RFC 7517 §4.2).
- sign_ucp_profile: enforce kid in profile.signing_keys[] at sign-time.
- UCPSigningKey.from_jwk: reject `oct` symmetric keys + missing
  `kid`/`kty` with typed ValueError instead of bare KeyError.
- Drop 3 redundant `del joserfc` statements.
- Cross-language fixture corpus: 6 → 12 fixtures (minimal, ES256-rails,
  extras-int, capability, unicode, multi-key per language).
- Fix vacuous key-order-independence test (json.dumps preserves order on
  Python 3.7+); now hand-constructs reverse insertion-order dict.
- README KMS claim rewritten — `OKPKey`/`ECKey` import key MATERIAL, they
  don't wrap remote signers.

Tests: 773 pass, 3 skipped. ruff + ty clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: vvillait88

README.md

@@ -230,7 +230,7 @@ jwks = build_jwks_response([key.public_jwk])
 
 `sign_ucp_profile` rejects profiles containing `float` values: cross-language float canonicalization is not stable, so use decimal strings (e.g. `"9.99"`) for any monetary or fractional fields you put in `extras`.
 
-**HSM / KMS-backed signing.** `signing_key` accepts any joserfc `Key` subclass — including remote signers wrapped via `joserfc.jwk.OKPKey`/`ECKey`. The signing key never has to leave the HSM.
+**Persisting the private JWK.** Mint once via `generate_ucp_signing_key()`, serialize via `key.private_key.as_dict(private=True)`, store in your secret manager. On each container start, read the secret, `OKPKey.import_key(jwk_dict)` (or `ECKey.import_key` for ES256) to re-hydrate. Remote-signer flows (KMS-backed asymmetric keys) require subclassing the joserfc Key to delegate the sign hook; `OKPKey`/`ECKey` themselves only carry local key material.
 
 **Key rotation.** Mint a new key with a new `kid`, add the public JWK to your JWKS endpoint alongside the old one, then sign new profiles with the new key. Drop the old JWK after your verifier-side cache TTL has elapsed.
 

agentscore_commerce/identity/ucp.py

@@ -68,7 +68,28 @@ def from_jwk(cls, jwk: dict[str, Any]) -> UCPSigningKey:
         Routes the JWK's known fields (kid/kty/alg/use/crv) onto the dataclass and
         captures any other fields (x/y/n/e/etc.) into ``extras``. Use this when
         publishing the output of :func:`generate_ucp_signing_key` directly.
+
+        Rejects symmetric (``oct``) keys and JWKs missing required fields with a
+        typed ``ValueError`` rather than a bare ``KeyError``.
         """
+        if not isinstance(jwk, dict):
+            msg = f"UCPSigningKey.from_jwk expected a dict; got {type(jwk).__name__}."
+            raise ValueError(msg)
+        if "kid" not in jwk:
+            msg = "UCPSigningKey.from_jwk: JWK missing required field `kid`."
+            raise ValueError(msg)
+        if "kty" not in jwk:
+            msg = "UCPSigningKey.from_jwk: JWK missing required field `kty`."
+            raise ValueError(msg)
+        if jwk["kty"] not in {"OKP", "EC", "RSA"}:
+            msg = (
+                f"UCPSigningKey.from_jwk: kty={jwk['kty']!r} is not a supported "
+                "asymmetric key type (expected OKP, EC, or RSA). Symmetric `oct` "
+                "keys are rejected because they cannot publicly verify a JWS in "
+                "the trust-mode UCP flow."
+            )
+            raise ValueError(msg)
+
         known = {"kid", "kty", "alg", "use", "crv"}
         return cls(
             kid=jwk["kid"],

agentscore_commerce/identity/ucp_jwks.py

@@ -56,6 +56,9 @@ def __init__(
             "signature_invalid",
             "body_mismatch",
             "malformed_jws",
+            "malformed_jwks",
+            "unrecognized_critical_header",
+            "unusable_key",
         ],
         message: str,
     ) -> None:
@@ -105,7 +108,7 @@ def generate_ucp_signing_key(*, kid: str, alg: Literal["EdDSA", "ES256"] = "EdDS
         # key.private_key — persist securely
         # key.public_jwk  — publish at /.well-known/jwks.json
     """
-    joserfc = _load_joserfc()
+    _load_joserfc()
 
     if alg == "EdDSA":
         from joserfc.jwk import OKPKey  # type: ignore[import-not-found]
@@ -125,8 +128,6 @@ def generate_ucp_signing_key(*, kid: str, alg: Literal["EdDSA", "ES256"] = "EdDS
     public_jwk.setdefault("alg", alg)
     public_jwk.setdefault("use", "sig")
 
-    del joserfc
-
     return GeneratedUCPKey(private_key=priv, public_jwk=public_jwk)
 
 
@@ -198,19 +199,30 @@ def sign_ucp_profile(
         profile = build_ucp_profile(..., signing_keys=[UCPSigningKey(**key.public_jwk)])
         signed = sign_ucp_profile(profile.to_dict(), signing_key=key.private_key, kid='merchant-2026-05')
     """
-    joserfc = _load_joserfc()
+    _load_joserfc()
     from joserfc import jws  # type: ignore[import-not-found]
     from joserfc.jws import JWSRegistry  # type: ignore[import-not-found]
 
+    # Sign-time kid sanity check: the profile's `signing_keys[]` MUST contain
+    # a JWK with the matching kid; otherwise verifiers can't resolve the
+    # public key and the profile is dead-on-arrival.
+    declared_kids = [
+        k.get("kid") if isinstance(k, dict) else getattr(k, "kid", None) for k in profile.get("signing_keys", [])
+    ]
+    if kid not in declared_kids:
+        msg = (
+            f"sign_ucp_profile: kid {kid!r} is not present in profile.signing_keys[] "
+            f"(declared kids: {declared_kids!r}). Verifiers will not find the key."
+        )
+        raise ValueError(msg)
+
     canonical_body = _canonicalize_profile(profile)
     header = {"alg": alg, "kid": kid, "typ": _UCP_TYP}
     # joserfc treats EdDSA as "not recommended" by default; UCP §6 explicitly accepts
     # both EdDSA and ES256, so allow both.
     registry = JWSRegistry(algorithms=list(_ALLOWED_ALGS))
     signature = jws.serialize_compact(header, canonical_body, signing_key, registry=registry)
 
-    del joserfc
-
     return {**profile, "signature": signature}
 
 
@@ -251,11 +263,25 @@ def verify_ucp_profile(
 
         ok = verify_ucp_profile(signed, build_jwks_response([key.public_jwk]))
     """
-    joserfc = _load_joserfc()
+    _load_joserfc()
     from joserfc import jws  # type: ignore[import-not-found]
     from joserfc.jwk import KeySet  # type: ignore[import-not-found]
     from joserfc.jws import JWSRegistry  # type: ignore[import-not-found]
 
+    # JWKS shape guard so a malformed argument emits a typed UCPVerificationError
+    # rather than a confusing kid_not_found / AttributeError.
+    if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
+        raise UCPVerificationError(
+            "malformed_jwks",
+            f"UCP verifier expected JWKS shape {{'keys': [...]}}; got {type(jwks).__name__}.",
+        )
+
+    if not isinstance(signed_profile, dict):
+        raise UCPVerificationError(
+            "no_signature",
+            f"UCP verifier expected a profile dict; got {type(signed_profile).__name__}.",
+        )
+
     sig = signed_profile.get("signature")
     if not sig:
         raise UCPVerificationError(
@@ -294,6 +320,13 @@ def verify_ucp_profile(
             "duplicate_kid",
             f"JWKS contains {len(matches)} keys with kid={kid!r}; expected exactly one.",
         )
+    # RFC 7517 §4.2: reject keys not intended for signature verification.
+    matched_use = matches[0].get("use")
+    if matched_use is not None and matched_use != "sig":
+        raise UCPVerificationError(
+            "unusable_key",
+            f"JWK with kid={kid!r} has use={matched_use!r}; expected 'sig'.",
+        )
 
     stripped = {k: v for k, v in signed_profile.items() if k != "signature"}
     expected_payload = _canonicalize_profile(stripped)
@@ -303,14 +336,26 @@ def verify_ucp_profile(
     try:
         obj = jws.deserialize_compact(sig, key_set, registry=registry)
     except Exception as exc:
-        # joserfc raises various subclasses (BadSignatureError, DecodeError, ...).
-        # Wrap in our own type so callers don't need to import joserfc internals.
-        from joserfc.errors import BadSignatureError, DecodeError  # type: ignore[import-not-found]
+        # joserfc raises various subclasses. Wrap in our own type so callers
+        # don't need to import joserfc internals.
+        from joserfc.errors import (  # type: ignore[import-not-found]
+            BadSignatureError,
+            DecodeError,
+            UnsupportedHeaderError,
+        )
 
         if isinstance(exc, BadSignatureError):
             raise UCPVerificationError("signature_invalid", f"UCP signature verification failed: {exc}") from exc
         if isinstance(exc, DecodeError):
             raise UCPVerificationError("malformed_jws", f"Malformed JWS: {exc}") from exc
+        # RFC 7515 §4.1.11 / RFC 8725 §3.10: a verifier MUST reject any JWS
+        # whose `crit` header carries an extension the implementation doesn't
+        # understand.
+        if isinstance(exc, UnsupportedHeaderError):
+            raise UCPVerificationError(
+                "unrecognized_critical_header",
+                f"UCP signing rejected unrecognized critical header: {exc}",
+            ) from exc
         raise
 
     # Compare the bytes that were actually signed against the canonical body of the
@@ -323,7 +368,6 @@ def verify_ucp_profile(
             "UCP profile body does not match the signed payload (tampered or non-canonical).",
         )
 
-    del joserfc
     return True
 
 

tests/fixtures/cross-lang/node-capability.json

@@ -0,0 +1,56 @@
+{
+  "profile": {
+    "version": "2026-04-17",
+    "spec": "https://ucp.dev/",
+    "services": [
+      {
+        "type": "rest",
+        "url": "https://c.example.com"
+      }
+    ],
+    "capabilities": [
+      {
+        "name": "agentscore-identity",
+        "schema": "https://agentscore.sh/schema/identity/1",
+        "version": "1",
+        "kyc_required": true
+      }
+    ],
+    "payment_handlers": [
+      {
+        "name": "tempo",
+        "config": {
+          "rail": "tempo-mainnet",
+          "chain_id": 4217
+        }
+      }
+    ],
+    "signing_keys": [
+      {
+        "kid": "node-capability-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "8zz-L1N_SZ0EUmciU1IzuxBuGd67MSg-OemKm6ofmgg"
+      }
+    ],
+    "name": "Capability Merchant",
+    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6Im5vZGUtY2FwYWJpbGl0eS1FZERTQSIsInR5cCI6InVjcC1wcm9maWxlK2p3cyJ9.eyJjYXBhYmlsaXRpZXMiOlt7Imt5Y19yZXF1aXJlZCI6dHJ1ZSwibmFtZSI6ImFnZW50c2NvcmUtaWRlbnRpdHkiLCJzY2hlbWEiOiJodHRwczovL2FnZW50c2NvcmUuc2gvc2NoZW1hL2lkZW50aXR5LzEiLCJ2ZXJzaW9uIjoiMSJ9XSwibmFtZSI6IkNhcGFiaWxpdHkgTWVyY2hhbnQiLCJwYXltZW50X2hhbmRsZXJzIjpbeyJjb25maWciOnsiY2hhaW5faWQiOjQyMTcsInJhaWwiOiJ0ZW1wby1tYWlubmV0In0sIm5hbWUiOiJ0ZW1wbyJ9XSwic2VydmljZXMiOlt7InR5cGUiOiJyZXN0IiwidXJsIjoiaHR0cHM6Ly9jLmV4YW1wbGUuY29tIn1dLCJzaWduaW5nX2tleXMiOlt7ImFsZyI6IkVkRFNBIiwiY3J2IjoiRWQyNTUxOSIsImtpZCI6Im5vZGUtY2FwYWJpbGl0eS1FZERTQSIsImt0eSI6Ik9LUCIsInVzZSI6InNpZyIsIngiOiI4enotTDFOX1NaMEVVbWNpVTFJenV4QnVHZDY3TVNnLU9lbUttNm9mbWdnIn1dLCJzcGVjIjoiaHR0cHM6Ly91Y3AuZGV2LyIsInZlcnNpb24iOiIyMDI2LTA0LTE3In0.YmiTy87alEbVfAEXYzXYkBrsbO_kHqgTSlv3gKuzy6Oere-pJl0PmZ8zGW2uTyjaGC9OFbjLUIzowY3jnJmGAg"
+  },
+  "jwks": {
+    "keys": [
+      {
+        "kid": "node-capability-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "8zz-L1N_SZ0EUmciU1IzuxBuGd67MSg-OemKm6ofmgg"
+      }
+    ]
+  },
+  "alg": "EdDSA",
+  "kid": "node-capability-EdDSA",
+  "generator": "node"
+}

tests/fixtures/cross-lang/node-multikey.json

@@ -0,0 +1,64 @@
+{
+  "profile": {
+    "version": "2026-04-17",
+    "spec": "https://ucp.dev/",
+    "services": [
+      {
+        "type": "rest",
+        "url": "https://mk.example.com"
+      }
+    ],
+    "capabilities": [],
+    "payment_handlers": [
+      {
+        "name": "tempo",
+        "config": {
+          "rail": "tempo-mainnet"
+        }
+      }
+    ],
+    "signing_keys": [
+      {
+        "kid": "node-multikey-old",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "qSF9p7IJIFIKxoFl6Od1G8qj65Prx35EnN44zMxJs6U"
+      },
+      {
+        "kid": "node-multikey-new",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "9Al1EZLHjgl02MWGtIGaStOPnR9cBc0WXNYuGbU5r-g"
+      }
+    ],
+    "name": "Multi-Key Merchant",
+    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6Im5vZGUtbXVsdGlrZXktbmV3IiwidHlwIjoidWNwLXByb2ZpbGUrandzIn0.eyJjYXBhYmlsaXRpZXMiOltdLCJuYW1lIjoiTXVsdGktS2V5IE1lcmNoYW50IiwicGF5bWVudF9oYW5kbGVycyI6W3siY29uZmlnIjp7InJhaWwiOiJ0ZW1wby1tYWlubmV0In0sIm5hbWUiOiJ0ZW1wbyJ9XSwic2VydmljZXMiOlt7InR5cGUiOiJyZXN0IiwidXJsIjoiaHR0cHM6Ly9tay5leGFtcGxlLmNvbSJ9XSwic2lnbmluZ19rZXlzIjpbeyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJub2RlLW11bHRpa2V5LW9sZCIsImt0eSI6Ik9LUCIsInVzZSI6InNpZyIsIngiOiJxU0Y5cDdJSklGSUt4b0ZsNk9kMUc4cWo2NVByeDM1RW5ONDR6TXhKczZVIn0seyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJub2RlLW11bHRpa2V5LW5ldyIsImt0eSI6Ik9LUCIsInVzZSI6InNpZyIsIngiOiI5QWwxRVpMSGpnbDAyTVdHdElHYVN0T1BuUjljQmMwV1hOWXVHYlU1ci1nIn1dLCJzcGVjIjoiaHR0cHM6Ly91Y3AuZGV2LyIsInZlcnNpb24iOiIyMDI2LTA0LTE3In0.jXm8ZRUWa9_BUYfSv_PCJNqIWbAYf39DUwOdqvExMPTLWDoDzNAwoIleWfyiAGXMOyK0J-0DPeeCFTzmOPMnBQ"
+  },
+  "jwks": {
+    "keys": [
+      {
+        "kid": "node-multikey-old",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "qSF9p7IJIFIKxoFl6Od1G8qj65Prx35EnN44zMxJs6U"
+      },
+      {
+        "kid": "node-multikey-new",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "9Al1EZLHjgl02MWGtIGaStOPnR9cBc0WXNYuGbU5r-g"
+      }
+    ]
+  },
+  "alg": "EdDSA",
+  "kid": "node-multikey-new",
+  "generator": "node"
+}

tests/fixtures/cross-lang/node-unicode.json

@@ -0,0 +1,48 @@
+{
+  "profile": {
+    "version": "2026-04-17",
+    "spec": "https://ucp.dev/",
+    "services": [
+      {
+        "type": "rest",
+        "url": "https://日本.example.com"
+      }
+    ],
+    "capabilities": [],
+    "payment_handlers": [
+      {
+        "name": "tempo",
+        "config": {
+          "note": "メモ"
+        }
+      }
+    ],
+    "signing_keys": [
+      {
+        "kid": "node-unicode-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "mxtclpNy58uer_3ivEk9HfPp5_6zXtYUpc_ItTLz0sA"
+      }
+    ],
+    "name": "Café 日本 🍷 Merchant",
+    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6Im5vZGUtdW5pY29kZS1FZERTQSIsInR5cCI6InVjcC1wcm9maWxlK2p3cyJ9.eyJjYXBhYmlsaXRpZXMiOltdLCJuYW1lIjoiQ2Fmw6kg5pel5pysIPCfjbcgTWVyY2hhbnQiLCJwYXltZW50X2hhbmRsZXJzIjpbeyJjb25maWciOnsibm90ZSI6IuODoeODoiJ9LCJuYW1lIjoidGVtcG8ifV0sInNlcnZpY2VzIjpbeyJ0eXBlIjoicmVzdCIsInVybCI6Imh0dHBzOi8v5pel5pysLmV4YW1wbGUuY29tIn1dLCJzaWduaW5nX2tleXMiOlt7ImFsZyI6IkVkRFNBIiwiY3J2IjoiRWQyNTUxOSIsImtpZCI6Im5vZGUtdW5pY29kZS1FZERTQSIsImt0eSI6Ik9LUCIsInVzZSI6InNpZyIsIngiOiJteHRjbHBOeTU4dWVyXzNpdkVrOUhmUHA1XzZ6WHRZVXBjX0l0VEx6MHNBIn1dLCJzcGVjIjoiaHR0cHM6Ly91Y3AuZGV2LyIsInZlcnNpb24iOiIyMDI2LTA0LTE3In0.21NUepmkXaXs6cRnPBgheUR0F7EoqysnAkOEqiaqZEG8OEGMkegGsVeEvtaxEjpQZfC4KAeTqvjy6Vc-FSDzBg"
+  },
+  "jwks": {
+    "keys": [
+      {
+        "kid": "node-unicode-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "mxtclpNy58uer_3ivEk9HfPp5_6zXtYUpc_ItTLz0sA"
+      }
+    ]
+  },
+  "alg": "EdDSA",
+  "kid": "node-unicode-EdDSA",
+  "generator": "node"
+}