• checkJwks() only asserts that jwk.kid and jwk.kty are strings and that jwk.x5c is a non-empty array of base64 strings each parseable as an X.509 certificate via ccf.crypto.isValidX509CertBundle. It does NOT validate jwk.alg (would accept 'none', 'HS256'), jwk.use, or the value of jwk.kty (would accept 'oct'). It does not check x5c notBefore/notAfter, key strength (would accept 512-bit RSA), kid uniqueness, chain-to-root, or consistency between the JWK public-key parameters and the x5c leaf SubjectPublicKeyInfo.
• checkX509CertBundle() delegates solely to ccf.crypto.isValidX509CertBundle (PEM parse only). set_ca_cert_bundle therefore accepts expired certs, non-CA leaf certs (no basicConstraints CA:TRUE / keyUsage keyCertSign check), and weak keys as the TLS trust anchor written to public:ccf.gov.tls.ca_cert_bundles
• set_jwt_issuer enforces an https:// issuer URL ONLY when args.auto_refresh==true; otherwise any string is accepted as the issuer.
• set_member stores args.encryption_pub_key into public:ccf.gov.members.encryption_public_keys with no validation at all (only a comment at L398).
• checkJwks() only asserts that jwk.kid and jwk.kty are strings and that jwk.x5c is a non-empty array of base64 strings each parseable as an X.509 certificate via ccf.crypto.isValidX509CertBundle. It does NOT validate jwk.alg (would accept 'none', 'HS256'), jwk.use, or the value of jwk.kty (would accept 'oct'). It does not check x5c notBefore/notAfter, key strength (would accept 512-bit RSA), kid uniqueness, chain-to-root, or consistency between the JWK public-key parameters and the x5c leaf SubjectPublicKeyInfo.
• checkX509CertBundle() delegates solely to ccf.crypto.isValidX509CertBundle (PEM parse only). set_ca_cert_bundle therefore accepts expired certs, non-CA leaf certs (no basicConstraints CA:TRUE / keyUsage keyCertSign check), and weak keys as the TLS trust anchor written to public:ccf.gov.tls.ca_cert_bundles
• set_jwt_issuer enforces an https:// issuer URL ONLY when args.auto_refresh==true; otherwise any string is accepted as the issuer.
• set_member stores args.encryption_pub_key into public:ccf.gov.members.encryption_public_keys with no validation at all (only a comment at L398).