@attestplane/attestplane 0.0.1 → 0.0.3-alpha
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +23 -9
- package/dist/adapter_conformance.d.ts +46 -0
- package/dist/adapter_conformance.d.ts.map +1 -0
- package/dist/adapter_conformance.js +160 -0
- package/dist/adapter_conformance.js.map +1 -0
- package/dist/adapters/langfuse.d.ts +51 -0
- package/dist/adapters/langfuse.d.ts.map +1 -0
- package/dist/adapters/langfuse.js +157 -0
- package/dist/adapters/langfuse.js.map +1 -0
- package/dist/adapters/langsmith.d.ts +53 -0
- package/dist/adapters/langsmith.d.ts.map +1 -0
- package/dist/adapters/langsmith.js +173 -0
- package/dist/adapters/langsmith.js.map +1 -0
- package/dist/adapters.d.ts +88 -0
- package/dist/adapters.d.ts.map +1 -0
- package/dist/adapters.js +109 -0
- package/dist/adapters.js.map +1 -0
- package/dist/anchoring.d.ts +119 -0
- package/dist/anchoring.d.ts.map +1 -0
- package/dist/anchoring.js +340 -0
- package/dist/anchoring.js.map +1 -0
- package/dist/canonical.d.ts +11 -2
- package/dist/canonical.d.ts.map +1 -1
- package/dist/canonical.js +44 -31
- package/dist/canonical.js.map +1 -1
- package/dist/canonical_text.d.ts +30 -0
- package/dist/canonical_text.d.ts.map +1 -0
- package/dist/canonical_text.js +100 -0
- package/dist/canonical_text.js.map +1 -0
- package/dist/der.d.ts +55 -0
- package/dist/der.d.ts.map +1 -0
- package/dist/der.js +200 -0
- package/dist/der.js.map +1 -0
- package/dist/event_payloads.d.ts +118 -0
- package/dist/event_payloads.d.ts.map +1 -0
- package/dist/event_payloads.js +348 -0
- package/dist/event_payloads.js.map +1 -0
- package/dist/event_types.d.ts +47 -0
- package/dist/event_types.d.ts.map +1 -0
- package/dist/event_types.js +63 -0
- package/dist/event_types.js.map +1 -0
- package/dist/hashchain.d.ts +1 -0
- package/dist/hashchain.d.ts.map +1 -1
- package/dist/hashchain.js +25 -1
- package/dist/hashchain.js.map +1 -1
- package/dist/index.d.ts +23 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +24 -2
- package/dist/index.js.map +1 -1
- package/dist/index_version.d.ts +9 -0
- package/dist/index_version.d.ts.map +1 -0
- package/dist/index_version.js +11 -0
- package/dist/index_version.js.map +1 -0
- package/dist/intoto.d.ts +48 -0
- package/dist/intoto.d.ts.map +1 -0
- package/dist/intoto.js +106 -0
- package/dist/intoto.js.map +1 -0
- package/dist/obligations.d.ts +41 -0
- package/dist/obligations.d.ts.map +1 -0
- package/dist/obligations.js +312 -0
- package/dist/obligations.js.map +1 -0
- package/dist/proof_bundle.d.ts +186 -0
- package/dist/proof_bundle.d.ts.map +1 -0
- package/dist/proof_bundle.js +299 -0
- package/dist/proof_bundle.js.map +1 -0
- package/dist/reason_codes.d.ts +38 -0
- package/dist/reason_codes.d.ts.map +1 -0
- package/dist/reason_codes.js +97 -0
- package/dist/reason_codes.js.map +1 -0
- package/dist/replay_verifier.d.ts +43 -0
- package/dist/replay_verifier.d.ts.map +1 -0
- package/dist/replay_verifier.js +98 -0
- package/dist/replay_verifier.js.map +1 -0
- package/dist/rfc3161.d.ts +52 -0
- package/dist/rfc3161.d.ts.map +1 -0
- package/dist/rfc3161.js +480 -0
- package/dist/rfc3161.js.map +1 -0
- package/dist/settlement_verifier.d.ts +34 -0
- package/dist/settlement_verifier.d.ts.map +1 -0
- package/dist/settlement_verifier.js +139 -0
- package/dist/settlement_verifier.js.map +1 -0
- package/dist/signing/base.d.ts +101 -0
- package/dist/signing/base.d.ts.map +1 -0
- package/dist/signing/base.js +144 -0
- package/dist/signing/base.js.map +1 -0
- package/dist/signing/providers.d.ts +113 -0
- package/dist/signing/providers.d.ts.map +1 -0
- package/dist/signing/providers.js +230 -0
- package/dist/signing/providers.js.map +1 -0
- package/dist/signing/signer.d.ts +66 -0
- package/dist/signing/signer.d.ts.map +1 -0
- package/dist/signing/signer.js +146 -0
- package/dist/signing/signer.js.map +1 -0
- package/dist/signing/trust_roots.d.ts +71 -0
- package/dist/signing/trust_roots.d.ts.map +1 -0
- package/dist/signing/trust_roots.js +267 -0
- package/dist/signing/trust_roots.js.map +1 -0
- package/dist/signing/verifier_ext.d.ts +77 -0
- package/dist/signing/verifier_ext.d.ts.map +1 -0
- package/dist/signing/verifier_ext.js +340 -0
- package/dist/signing/verifier_ext.js.map +1 -0
- package/dist/verifier.d.ts +39 -0
- package/dist/verifier.d.ts.map +1 -0
- package/dist/verifier.js +374 -0
- package/dist/verifier.js.map +1 -0
- package/package.json +2 -2
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
// SPDX-FileCopyrightText: 2026 The Attestplane Authors
|
|
2
|
+
// SPDX-License-Identifier: Apache-2.0
|
|
3
|
+
/**
|
|
4
|
+
* Canonical text normalizer (TypeScript port of
|
|
5
|
+
* `sdk/python/src/attestplane/canonical_text.py`).
|
|
6
|
+
*
|
|
7
|
+
* Cross-language byte stable with the Python reference implementation
|
|
8
|
+
* across the conformance vectors in
|
|
9
|
+
* `sdk/python/tests/conformance/text_vectors.json`.
|
|
10
|
+
*
|
|
11
|
+
* Four-stage algorithm locked by `docs/spec/canonical-text-v1.md`:
|
|
12
|
+
* 1. NFC normalize
|
|
13
|
+
* 2. Unicode default lowercase
|
|
14
|
+
* 3. Zero-width strip (U+200B, U+200C, U+200D, U+FEFF)
|
|
15
|
+
* 4. Whitespace fold (split on \s+, rejoin with single space, trim)
|
|
16
|
+
*/
|
|
17
|
+
import { createHash } from 'node:crypto';
|
|
18
|
+
const ZERO_WIDTH_CODE_POINTS = new Set([0x200b, 0x200c, 0x200d, 0xfeff]);
|
|
19
|
+
export class CanonicalTextError extends Error {
|
|
20
|
+
constructor(message) {
|
|
21
|
+
super(message);
|
|
22
|
+
this.name = 'CanonicalTextError';
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
function rejectForbiddenCodePoints(text) {
|
|
26
|
+
for (let i = 0; i < text.length; i++) {
|
|
27
|
+
const code = text.charCodeAt(i);
|
|
28
|
+
if (code === 0) {
|
|
29
|
+
throw new CanonicalTextError('input contains U+0000 (null) — forbidden');
|
|
30
|
+
}
|
|
31
|
+
// Detect unpaired surrogates: a high surrogate not followed by a low,
|
|
32
|
+
// or a low surrogate not preceded by a high.
|
|
33
|
+
if (code >= 0xd800 && code <= 0xdbff) {
|
|
34
|
+
const next = i + 1 < text.length ? text.charCodeAt(i + 1) : 0;
|
|
35
|
+
if (next < 0xdc00 || next > 0xdfff) {
|
|
36
|
+
throw new CanonicalTextError(`input contains unpaired surrogate U+${code.toString(16).toUpperCase().padStart(4, '0')} — forbidden`);
|
|
37
|
+
}
|
|
38
|
+
i++; // skip the paired low surrogate
|
|
39
|
+
}
|
|
40
|
+
else if (code >= 0xdc00 && code <= 0xdfff) {
|
|
41
|
+
throw new CanonicalTextError(`input contains unpaired surrogate U+${code.toString(16).toUpperCase().padStart(4, '0')} — forbidden`);
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
function stripZeroWidth(text) {
|
|
46
|
+
// Iterate by code point to be robust under astral planes.
|
|
47
|
+
let out = '';
|
|
48
|
+
for (const ch of text) {
|
|
49
|
+
const cp = ch.codePointAt(0);
|
|
50
|
+
if (cp != null && !ZERO_WIDTH_CODE_POINTS.has(cp)) {
|
|
51
|
+
out += ch;
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
return out;
|
|
55
|
+
}
|
|
56
|
+
function foldWhitespace(text) {
|
|
57
|
+
// `/\s+/u` matches any run of Unicode whitespace (with the `u` flag);
|
|
58
|
+
// splitting then rejoining with single ASCII space is the analogue of
|
|
59
|
+
// Python's `" ".join(text.split())`. Edge empty strings filter out.
|
|
60
|
+
const parts = text.split(/\s+/u).filter((s) => s.length > 0);
|
|
61
|
+
return parts.join(' ');
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Return the canonical UTF-8 bytes of `text`.
|
|
65
|
+
*
|
|
66
|
+
* Pure, deterministic, cross-language byte stable across the
|
|
67
|
+
* conformance-vector set. Identical inputs in Python and TypeScript
|
|
68
|
+
* implementations produce identical output bytes.
|
|
69
|
+
*/
|
|
70
|
+
export function canonicalizeText(text) {
|
|
71
|
+
if (typeof text !== 'string') {
|
|
72
|
+
throw new CanonicalTextError(`canonicalizeText expects string, got ${typeof text}`);
|
|
73
|
+
}
|
|
74
|
+
rejectForbiddenCodePoints(text);
|
|
75
|
+
// Stage 1: NFC normalization.
|
|
76
|
+
const nfc = text.normalize('NFC');
|
|
77
|
+
// Stage 2: Unicode default lowercase. JavaScript's toLowerCase() applies
|
|
78
|
+
// the Default Case Conversion (no locale), matching Python's str.lower()
|
|
79
|
+
// for the ASCII / common-Latin subset documented in the spec.
|
|
80
|
+
const lowered = nfc.toLowerCase();
|
|
81
|
+
// Stage 3: zero-width strip.
|
|
82
|
+
const stripped = stripZeroWidth(lowered);
|
|
83
|
+
// Stage 4: whitespace fold.
|
|
84
|
+
const folded = foldWhitespace(stripped);
|
|
85
|
+
return new TextEncoder().encode(folded);
|
|
86
|
+
}
|
|
87
|
+
/** SHA-256 of `canonicalizeText(text)`. Returns 32 raw bytes. */
|
|
88
|
+
export function textHash(text) {
|
|
89
|
+
return new Uint8Array(createHash('sha256').update(canonicalizeText(text)).digest());
|
|
90
|
+
}
|
|
91
|
+
/** Lowercase hex form of `textHash`. */
|
|
92
|
+
export function textHashHex(text) {
|
|
93
|
+
const bytes = textHash(text);
|
|
94
|
+
let out = '';
|
|
95
|
+
for (let i = 0; i < bytes.length; i++) {
|
|
96
|
+
out += bytes[i].toString(16).padStart(2, '0');
|
|
97
|
+
}
|
|
98
|
+
return out;
|
|
99
|
+
}
|
|
100
|
+
//# sourceMappingURL=canonical_text.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"canonical_text.js","sourceRoot":"","sources":["../src/canonical_text.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAEzE,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;YACf,MAAM,IAAI,kBAAkB,CAAC,0CAA0C,CAAC,CAAC;QAC3E,CAAC;QACD,sEAAsE;QACtE,6CAA6C;QAC7C,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,IAAI,MAAM,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9D,IAAI,IAAI,GAAG,MAAM,IAAI,IAAI,GAAG,MAAM,EAAE,CAAC;gBACnC,MAAM,IAAI,kBAAkB,CAC1B,uCAAuC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,cAAc,CACtG,CAAC;YACJ,CAAC;YACD,CAAC,EAAE,CAAC,CAAC,gCAAgC;QACvC,CAAC;aAAM,IAAI,IAAI,IAAI,MAAM,IAAI,IAAI,IAAI,MAAM,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAC1B,uCAAuC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,cAAc,CACtG,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,0DAA0D;IAC1D,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAClD,GAAG,IAAI,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,sEAAsE;IACtE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7D,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,kBAAkB,CAAC,wCAAwC,OAAO,IAAI,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,yBAAyB,CAAC,IAAI,CAAC,CAAC;IAEhC,8BAA8B;IAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAElC,yEAAyE;IACzE,yEAAyE;IACzE,8DAA8D;IAC9D,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAElC,6BAA6B;IAC7B,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAEzC,4BAA4B;IAC5B,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAExC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,OAAO,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACtF,CAAC;AAED,wCAAwC;AACxC,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,GAAG,IAAK,KAAK,CAAC,CAAC,CAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|
package/dist/der.d.ts
ADDED
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Minimal DER (Distinguished Encoding Rules) reader.
|
|
3
|
+
*
|
|
4
|
+
* Scope: enough to parse RFC-3161 TimeStampResp, RFC-5652 CMS
|
|
5
|
+
* SignedData, RFC-3161 TSTInfo, and the subset of X.509 needed to
|
|
6
|
+
* extract a leaf RSA public key. Hand-rolled rather than pulling in a
|
|
7
|
+
* full ASN.1 library — we read sequentially and extract specific
|
|
8
|
+
* fields by tag.
|
|
9
|
+
*
|
|
10
|
+
* Not a general-purpose ASN.1 library. Does NOT handle indefinite-
|
|
11
|
+
* length encodings (forbidden in DER anyway), does NOT validate every
|
|
12
|
+
* field's tag, does NOT handle constructed BIT STRINGs.
|
|
13
|
+
*
|
|
14
|
+
* Reading discipline: every parse function takes a Uint8Array and
|
|
15
|
+
* returns either the parsed value or throws DerParseError. The
|
|
16
|
+
* caller knows the expected structure from the spec.
|
|
17
|
+
*/
|
|
18
|
+
export declare class DerParseError extends Error {
|
|
19
|
+
constructor(message: string);
|
|
20
|
+
}
|
|
21
|
+
/** Parsed TLV (Tag-Length-Value) chunk. */
|
|
22
|
+
export interface DerTlv {
|
|
23
|
+
/** ASN.1 tag byte (0x30 for SEQUENCE, 0x02 for INTEGER, etc.). */
|
|
24
|
+
readonly tag: number;
|
|
25
|
+
/** Length of the value portion (in bytes). */
|
|
26
|
+
readonly length: number;
|
|
27
|
+
/** Offset within the original buffer where the value starts. */
|
|
28
|
+
readonly valueStart: number;
|
|
29
|
+
/** Offset where this TLV ends (valueStart + length). */
|
|
30
|
+
readonly end: number;
|
|
31
|
+
/** Reference into the original buffer. */
|
|
32
|
+
readonly buffer: Uint8Array;
|
|
33
|
+
}
|
|
34
|
+
/** Read one TLV starting at `offset` in `buffer`. */
|
|
35
|
+
export declare function readTlv(buffer: Uint8Array, offset: number): DerTlv;
|
|
36
|
+
/** Read sequential TLVs inside a SEQUENCE/SET value. */
|
|
37
|
+
export declare function readSequence(tlv: DerTlv): DerTlv[];
|
|
38
|
+
/** Return the raw value bytes of a TLV (a fresh slice). */
|
|
39
|
+
export declare function getValueBytes(tlv: DerTlv): Uint8Array;
|
|
40
|
+
/** Decode an INTEGER. Throws if larger than safe integer range. */
|
|
41
|
+
export declare function readInteger(tlv: DerTlv): bigint;
|
|
42
|
+
/** Decode an OID. */
|
|
43
|
+
export declare function readOid(tlv: DerTlv): string;
|
|
44
|
+
/** Decode an OCTET STRING. */
|
|
45
|
+
export declare function readOctetString(tlv: DerTlv): Uint8Array;
|
|
46
|
+
/** Decode a BIT STRING. Returns the raw bits (without the leading "unused bits" byte). */
|
|
47
|
+
export declare function readBitString(tlv: DerTlv): {
|
|
48
|
+
unusedBits: number;
|
|
49
|
+
bytes: Uint8Array;
|
|
50
|
+
};
|
|
51
|
+
/** Decode a GeneralizedTime to a Date. Format: YYYYMMDDhhmmss[.uuuuuu]Z. */
|
|
52
|
+
export declare function readGeneralizedTime(tlv: DerTlv): Date;
|
|
53
|
+
/** Return the DER bytes of this TLV (including tag+length+value). */
|
|
54
|
+
export declare function tlvDer(tlv: DerTlv): Uint8Array;
|
|
55
|
+
//# sourceMappingURL=der.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"der.d.ts","sourceRoot":"","sources":["../src/der.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;GAgBG;AAEH,qBAAa,aAAc,SAAQ,KAAK;gBAC1B,OAAO,EAAE,MAAM;CAI5B;AAED,2CAA2C;AAC3C,MAAM,WAAW,MAAM;IACrB,kEAAkE;IAClE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,8CAA8C;IAC9C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,gEAAgE;IAChE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,wDAAwD;IACxD,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;CAC7B;AAED,qDAAqD;AACrD,wBAAgB,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAmClE;AAED,wDAAwD;AACxD,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CASlD;AAED,2DAA2D;AAC3D,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAErD;AAED,mEAAmE;AACnE,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAa/C;AAED,qBAAqB;AACrB,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAwB3C;AAED,8BAA8B;AAC9B,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAKvD;AAED,0FAA0F;AAC1F,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAUpF;AAED,4EAA4E;AAC5E,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAwBrD;AAED,qEAAqE;AACrE,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAM9C"}
|
package/dist/der.js
ADDED
|
@@ -0,0 +1,200 @@
|
|
|
1
|
+
// SPDX-FileCopyrightText: 2026 The Attestplane Authors
|
|
2
|
+
// SPDX-License-Identifier: Apache-2.0
|
|
3
|
+
/**
|
|
4
|
+
* Minimal DER (Distinguished Encoding Rules) reader.
|
|
5
|
+
*
|
|
6
|
+
* Scope: enough to parse RFC-3161 TimeStampResp, RFC-5652 CMS
|
|
7
|
+
* SignedData, RFC-3161 TSTInfo, and the subset of X.509 needed to
|
|
8
|
+
* extract a leaf RSA public key. Hand-rolled rather than pulling in a
|
|
9
|
+
* full ASN.1 library — we read sequentially and extract specific
|
|
10
|
+
* fields by tag.
|
|
11
|
+
*
|
|
12
|
+
* Not a general-purpose ASN.1 library. Does NOT handle indefinite-
|
|
13
|
+
* length encodings (forbidden in DER anyway), does NOT validate every
|
|
14
|
+
* field's tag, does NOT handle constructed BIT STRINGs.
|
|
15
|
+
*
|
|
16
|
+
* Reading discipline: every parse function takes a Uint8Array and
|
|
17
|
+
* returns either the parsed value or throws DerParseError. The
|
|
18
|
+
* caller knows the expected structure from the spec.
|
|
19
|
+
*/
|
|
20
|
+
export class DerParseError extends Error {
|
|
21
|
+
constructor(message) {
|
|
22
|
+
super(message);
|
|
23
|
+
this.name = 'DerParseError';
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
/** Read one TLV starting at `offset` in `buffer`. */
|
|
27
|
+
export function readTlv(buffer, offset) {
|
|
28
|
+
if (offset >= buffer.length) {
|
|
29
|
+
throw new DerParseError(`offset ${offset} past end of buffer (${buffer.length})`);
|
|
30
|
+
}
|
|
31
|
+
const tag = buffer[offset];
|
|
32
|
+
let cursor = offset + 1;
|
|
33
|
+
if (cursor >= buffer.length) {
|
|
34
|
+
throw new DerParseError('truncated: missing length byte');
|
|
35
|
+
}
|
|
36
|
+
let length;
|
|
37
|
+
const firstLen = buffer[cursor];
|
|
38
|
+
cursor += 1;
|
|
39
|
+
if ((firstLen & 0x80) === 0) {
|
|
40
|
+
length = firstLen;
|
|
41
|
+
}
|
|
42
|
+
else {
|
|
43
|
+
const lenBytes = firstLen & 0x7f;
|
|
44
|
+
if (lenBytes === 0) {
|
|
45
|
+
throw new DerParseError('indefinite-length form not allowed in DER');
|
|
46
|
+
}
|
|
47
|
+
if (lenBytes > 4) {
|
|
48
|
+
throw new DerParseError(`length field too large (${lenBytes} bytes)`);
|
|
49
|
+
}
|
|
50
|
+
if (cursor + lenBytes > buffer.length) {
|
|
51
|
+
throw new DerParseError('truncated: length octets extend past buffer');
|
|
52
|
+
}
|
|
53
|
+
length = 0;
|
|
54
|
+
for (let i = 0; i < lenBytes; i++) {
|
|
55
|
+
length = (length << 8) | buffer[cursor + i];
|
|
56
|
+
}
|
|
57
|
+
cursor += lenBytes;
|
|
58
|
+
}
|
|
59
|
+
if (cursor + length > buffer.length) {
|
|
60
|
+
throw new DerParseError(`truncated: value of length ${length} extends past buffer end`);
|
|
61
|
+
}
|
|
62
|
+
return { tag, length, valueStart: cursor, end: cursor + length, buffer };
|
|
63
|
+
}
|
|
64
|
+
/** Read sequential TLVs inside a SEQUENCE/SET value. */
|
|
65
|
+
export function readSequence(tlv) {
|
|
66
|
+
const out = [];
|
|
67
|
+
let cursor = tlv.valueStart;
|
|
68
|
+
while (cursor < tlv.end) {
|
|
69
|
+
const item = readTlv(tlv.buffer, cursor);
|
|
70
|
+
out.push(item);
|
|
71
|
+
cursor = item.end;
|
|
72
|
+
}
|
|
73
|
+
return out;
|
|
74
|
+
}
|
|
75
|
+
/** Return the raw value bytes of a TLV (a fresh slice). */
|
|
76
|
+
export function getValueBytes(tlv) {
|
|
77
|
+
return tlv.buffer.slice(tlv.valueStart, tlv.end);
|
|
78
|
+
}
|
|
79
|
+
/** Decode an INTEGER. Throws if larger than safe integer range. */
|
|
80
|
+
export function readInteger(tlv) {
|
|
81
|
+
if (tlv.tag !== 0x02) {
|
|
82
|
+
throw new DerParseError(`expected INTEGER (0x02), got tag 0x${tlv.tag.toString(16)}`);
|
|
83
|
+
}
|
|
84
|
+
let result = 0n;
|
|
85
|
+
for (let i = 0; i < tlv.length; i++) {
|
|
86
|
+
result = (result << 8n) | BigInt(tlv.buffer[tlv.valueStart + i]);
|
|
87
|
+
}
|
|
88
|
+
// Two's complement for signed: if high bit set, subtract.
|
|
89
|
+
if (tlv.length > 0 && (tlv.buffer[tlv.valueStart] & 0x80) !== 0) {
|
|
90
|
+
result -= 1n << BigInt(tlv.length * 8);
|
|
91
|
+
}
|
|
92
|
+
return result;
|
|
93
|
+
}
|
|
94
|
+
/** Decode an OID. */
|
|
95
|
+
export function readOid(tlv) {
|
|
96
|
+
if (tlv.tag !== 0x06) {
|
|
97
|
+
throw new DerParseError(`expected OBJECT IDENTIFIER (0x06), got tag 0x${tlv.tag.toString(16)}`);
|
|
98
|
+
}
|
|
99
|
+
const bytes = tlv.buffer;
|
|
100
|
+
const start = tlv.valueStart;
|
|
101
|
+
const end = tlv.end;
|
|
102
|
+
if (end <= start)
|
|
103
|
+
return '';
|
|
104
|
+
const first = bytes[start];
|
|
105
|
+
const arc1 = Math.floor(first / 40);
|
|
106
|
+
const arc2 = first % 40;
|
|
107
|
+
const arcs = [String(arc1), String(arc2)];
|
|
108
|
+
let i = start + 1;
|
|
109
|
+
while (i < end) {
|
|
110
|
+
let value = 0n;
|
|
111
|
+
while (i < end) {
|
|
112
|
+
const b = bytes[i];
|
|
113
|
+
i += 1;
|
|
114
|
+
value = (value << 7n) | BigInt(b & 0x7f);
|
|
115
|
+
if ((b & 0x80) === 0)
|
|
116
|
+
break;
|
|
117
|
+
}
|
|
118
|
+
arcs.push(value.toString());
|
|
119
|
+
}
|
|
120
|
+
return arcs.join('.');
|
|
121
|
+
}
|
|
122
|
+
/** Decode an OCTET STRING. */
|
|
123
|
+
export function readOctetString(tlv) {
|
|
124
|
+
if (tlv.tag !== 0x04) {
|
|
125
|
+
throw new DerParseError(`expected OCTET STRING (0x04), got tag 0x${tlv.tag.toString(16)}`);
|
|
126
|
+
}
|
|
127
|
+
return getValueBytes(tlv);
|
|
128
|
+
}
|
|
129
|
+
/** Decode a BIT STRING. Returns the raw bits (without the leading "unused bits" byte). */
|
|
130
|
+
export function readBitString(tlv) {
|
|
131
|
+
if (tlv.tag !== 0x03) {
|
|
132
|
+
throw new DerParseError(`expected BIT STRING (0x03), got tag 0x${tlv.tag.toString(16)}`);
|
|
133
|
+
}
|
|
134
|
+
if (tlv.length === 0) {
|
|
135
|
+
throw new DerParseError('BIT STRING is empty');
|
|
136
|
+
}
|
|
137
|
+
const unusedBits = tlv.buffer[tlv.valueStart];
|
|
138
|
+
const bytes = tlv.buffer.slice(tlv.valueStart + 1, tlv.end);
|
|
139
|
+
return { unusedBits, bytes };
|
|
140
|
+
}
|
|
141
|
+
/** Decode a GeneralizedTime to a Date. Format: YYYYMMDDhhmmss[.uuuuuu]Z. */
|
|
142
|
+
export function readGeneralizedTime(tlv) {
|
|
143
|
+
if (tlv.tag !== 0x18) {
|
|
144
|
+
throw new DerParseError(`expected GeneralizedTime (0x18), got tag 0x${tlv.tag.toString(16)}`);
|
|
145
|
+
}
|
|
146
|
+
const text = new TextDecoder('ascii').decode(getValueBytes(tlv));
|
|
147
|
+
// Strict: must end with Z.
|
|
148
|
+
if (!text.endsWith('Z')) {
|
|
149
|
+
throw new DerParseError(`GeneralizedTime not in UTC Z form: ${text}`);
|
|
150
|
+
}
|
|
151
|
+
const stripped = text.slice(0, -1);
|
|
152
|
+
// Match YYYYMMDDhhmmss with optional fractional seconds.
|
|
153
|
+
const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.(\d+))?$/.exec(stripped);
|
|
154
|
+
if (!m) {
|
|
155
|
+
throw new DerParseError(`GeneralizedTime not parseable: ${text}`);
|
|
156
|
+
}
|
|
157
|
+
const [, yy, mo, dd, hh, mi, ss, frac] = m;
|
|
158
|
+
// Build a JS Date in UTC. JS uses ms precision; truncate sub-ms.
|
|
159
|
+
const isoFrac = frac ? `.${frac.slice(0, 3).padEnd(3, '0')}` : '';
|
|
160
|
+
const iso = `${yy}-${mo}-${dd}T${hh}:${mi}:${ss}${isoFrac}Z`;
|
|
161
|
+
const d = new Date(iso);
|
|
162
|
+
if (Number.isNaN(d.getTime())) {
|
|
163
|
+
throw new DerParseError(`GeneralizedTime produced invalid Date: ${text}`);
|
|
164
|
+
}
|
|
165
|
+
return d;
|
|
166
|
+
}
|
|
167
|
+
/** Return the DER bytes of this TLV (including tag+length+value). */
|
|
168
|
+
export function tlvDer(tlv) {
|
|
169
|
+
// Find the start of this TLV. We track valueStart but tag is at the
|
|
170
|
+
// position before length-bytes; reconstruct by walking back.
|
|
171
|
+
// Easier: build from the buffer using known offsets.
|
|
172
|
+
const tagAt = _tagOffsetOf(tlv);
|
|
173
|
+
return tlv.buffer.slice(tagAt, tlv.end);
|
|
174
|
+
}
|
|
175
|
+
function _tagOffsetOf(tlv) {
|
|
176
|
+
// We know valueStart and length and the buffer. Walk back from
|
|
177
|
+
// valueStart to find the tag offset: there is exactly 1 byte for the
|
|
178
|
+
// tag, then 1 or more length bytes.
|
|
179
|
+
// length-form bytes count: length < 0x80 → 1 byte; else 1 + (firstLen & 0x7f).
|
|
180
|
+
// We can compute this from the recorded length.
|
|
181
|
+
// Actually it's simpler: tagOffset = valueStart - 1 - lenOctets.
|
|
182
|
+
let lenOctets;
|
|
183
|
+
if (tlv.length < 0x80) {
|
|
184
|
+
lenOctets = 1;
|
|
185
|
+
}
|
|
186
|
+
else if (tlv.length < 0x100) {
|
|
187
|
+
lenOctets = 2;
|
|
188
|
+
}
|
|
189
|
+
else if (tlv.length < 0x10000) {
|
|
190
|
+
lenOctets = 3;
|
|
191
|
+
}
|
|
192
|
+
else if (tlv.length < 0x1000000) {
|
|
193
|
+
lenOctets = 4;
|
|
194
|
+
}
|
|
195
|
+
else {
|
|
196
|
+
lenOctets = 5;
|
|
197
|
+
}
|
|
198
|
+
return tlv.valueStart - lenOctets - 1;
|
|
199
|
+
}
|
|
200
|
+
//# sourceMappingURL=der.js.map
|
package/dist/der.js.map
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"der.js","sourceRoot":"","sources":["../src/der.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,sCAAsC;AACtC;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,OAAO,aAAc,SAAQ,KAAK;IACtC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AAgBD,qDAAqD;AACrD,MAAM,UAAU,OAAO,CAAC,MAAkB,EAAE,MAAc;IACxD,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,aAAa,CAAC,UAAU,MAAM,wBAAwB,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAW,CAAC;IACrC,IAAI,MAAM,GAAG,MAAM,GAAG,CAAC,CAAC;IACxB,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,aAAa,CAAC,gCAAgC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,MAAc,CAAC;IACnB,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAW,CAAC;IAC1C,MAAM,IAAI,CAAC,CAAC;IACZ,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,GAAG,QAAQ,CAAC;IACpB,CAAC;SAAM,CAAC;QACN,MAAM,QAAQ,GAAG,QAAQ,GAAG,IAAI,CAAC;QACjC,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;YACnB,MAAM,IAAI,aAAa,CAAC,2CAA2C,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,aAAa,CAAC,2BAA2B,QAAQ,SAAS,CAAC,CAAC;QACxE,CAAC;QACD,IAAI,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;YACtC,MAAM,IAAI,aAAa,CAAC,6CAA6C,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,GAAG,CAAC,CAAC;QACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC;YAClC,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAY,CAAC;QAC1D,CAAC;QACD,MAAM,IAAI,QAAQ,CAAC;IACrB,CAAC;IACD,IAAI,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACpC,MAAM,IAAI,aAAa,CAAC,8BAA8B,MAAM,0BAA0B,CAAC,CAAC;IAC1F,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,MAAM,EAAE,CAAC;AAC3E,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,MAAM,GAAG,GAAG,CAAC,UAAU,CAAC;IAC5B,OAAO,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACf,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC;IACpB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;AACnD,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,aAAa,CAAC,sCAAsC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,CAAW,CAAC,CAAC;IAC7E,CAAC;IACD,0DAA0D;IAC1D,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,CAAE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAY,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5E,MAAM,IAAI,EAAE,IAAI,MAAM,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,qBAAqB;AACrB,MAAM,UAAU,OAAO,CAAC,GAAW;IACjC,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,aAAa,CAAC,gDAAgD,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC;IACzB,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,CAAC;IAC7B,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;IACpB,IAAI,GAAG,IAAI,KAAK;QAAE,OAAO,EAAE,CAAC;IAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAW,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;IACxB,MAAM,IAAI,GAAa,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;IAClB,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;QACf,IAAI,KAAK,GAAG,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;YACf,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAW,CAAC;YAC7B,CAAC,IAAI,CAAC,CAAC;YACP,KAAK,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YACzC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;gBAAE,MAAM;QAC9B,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACxB,CAAC;AAED,8BAA8B;AAC9B,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,aAAa,CAAC,2CAA2C,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC7F,CAAC;IACD,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED,0FAA0F;AAC1F,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,aAAa,CAAC,yCAAyC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IACjD,CAAC;IACD,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAW,CAAC;IACxD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5D,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;AAC/B,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,aAAa,CAAC,8CAA8C,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAChG,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IACjE,2BAA2B;IAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,aAAa,CAAC,sCAAsC,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACnC,yDAAyD;IACzD,MAAM,CAAC,GAAG,0DAA0D,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpF,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,IAAI,aAAa,CAAC,kCAAkC,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3C,iEAAiE;IACjE,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAClE,MAAM,GAAG,GAAG,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,OAAO,GAAG,CAAC;IAC7D,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;IACxB,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,aAAa,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,MAAM,CAAC,GAAW;IAChC,oEAAoE;IACpE,6DAA6D;IAC7D,qDAAqD;IACrD,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,+DAA+D;IAC/D,qEAAqE;IACrE,oCAAoC;IACpC,+EAA+E;IAC/E,gDAAgD;IAChD,iEAAiE;IACjE,IAAI,SAAiB,CAAC;IACtB,IAAI,GAAG,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QACtB,SAAS,GAAG,CAAC,CAAC;IAChB,CAAC;SAAM,IAAI,GAAG,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;QAC9B,SAAS,GAAG,CAAC,CAAC;IAChB,CAAC;SAAM,IAAI,GAAG,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;QAChC,SAAS,GAAG,CAAC,CAAC;IAChB,CAAC;SAAM,IAAI,GAAG,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAClC,SAAS,GAAG,CAAC,CAAC;IAChB,CAAC;SAAM,CAAC;QACN,SAAS,GAAG,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,GAAG,CAAC,UAAU,GAAG,SAAS,GAAG,CAAC,CAAC;AACxC,CAAC"}
|
|
@@ -0,0 +1,118 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Event-payload interfaces + validators per ADR-0009 Mode A.6.
|
|
3
|
+
*
|
|
4
|
+
* Each interface here describes the **payload slot** of an `AuditEvent`
|
|
5
|
+
* for one v1 `event_type` (per `./event_types.ts` / ADR-0008). The
|
|
6
|
+
* substrate's `ChainedEvent` shape stays frozen — INV 2. Payload
|
|
7
|
+
* schemas are versioned independently of `chain.schema_version` /
|
|
8
|
+
* `anchor_schema_version` / `signature_schema_version` /
|
|
9
|
+
* `reason_code_schema_version`.
|
|
10
|
+
*
|
|
11
|
+
* Each payload schema also defines a small `validate*()` function that
|
|
12
|
+
* rejects malformed payloads (wrong types, missing required fields,
|
|
13
|
+
* forbidden field names per ADR-0004 § 2 column 3).
|
|
14
|
+
*/
|
|
15
|
+
/**
|
|
16
|
+
* Per ADR-0004 § 2 column 3 + ADR-0009 § 1 Mode A.6 redaction policy.
|
|
17
|
+
* Payload field names that MUST NEVER appear at the root of any event
|
|
18
|
+
* payload.
|
|
19
|
+
*/
|
|
20
|
+
export declare const FORBIDDEN_PAYLOAD_FIELDS: ReadonlySet<string>;
|
|
21
|
+
export declare class PayloadValidationError extends Error {
|
|
22
|
+
constructor(message: string);
|
|
23
|
+
}
|
|
24
|
+
export type LeaseLifecycle = 'granted' | 'consumed' | 'expired' | 'revoked';
|
|
25
|
+
/**
|
|
26
|
+
* Payload shape for the `lease_lifecycle_event` event_type.
|
|
27
|
+
*
|
|
28
|
+
* Schema-shape re-issue (Mode A.6 per ADR-0009 § 1) of fields
|
|
29
|
+
* originally observed at `~/aios/crates/aios-sdk-evidence/src/artifact.rs`
|
|
30
|
+
* and `~/aios/schemas/lease/lease.schema.json`. Authority-bearing
|
|
31
|
+
* fields (`signature`, `capability_required`, `budget_cap`, `hmac`)
|
|
32
|
+
* are explicitly NOT absorbed.
|
|
33
|
+
*/
|
|
34
|
+
export interface LeaseLifecycleEventPayload {
|
|
35
|
+
readonly lease_event_schema_version: 1;
|
|
36
|
+
readonly lease_id_hash: string;
|
|
37
|
+
readonly lifecycle: LeaseLifecycle;
|
|
38
|
+
readonly observed_at: string;
|
|
39
|
+
readonly grantor_runtime_id?: string;
|
|
40
|
+
readonly tenant_id_ref?: string;
|
|
41
|
+
readonly step_id_ref?: string;
|
|
42
|
+
readonly run_id_ref?: string;
|
|
43
|
+
readonly artifact_hash_ref?: string;
|
|
44
|
+
readonly reason_code?: string;
|
|
45
|
+
readonly reason_text?: string;
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Throw `PayloadValidationError` if `payload` violates A.7 invariants.
|
|
49
|
+
*
|
|
50
|
+
* Mirrors `validate_lease_lifecycle_event_payload` in Python.
|
|
51
|
+
*/
|
|
52
|
+
export declare function validateLeaseLifecycleEventPayload(payload: unknown): void;
|
|
53
|
+
export type PolicyDecision = 'allow' | 'deny' | 'abstain' | 'require_approval';
|
|
54
|
+
export type PolicyEffect = 'INFO' | 'WARN' | 'BLOCK';
|
|
55
|
+
/**
|
|
56
|
+
* Payload shape for the `policy_check_event` event_type.
|
|
57
|
+
*
|
|
58
|
+
* Schema-shape re-issue (Mode A.6 per ADR-0009 § 1) of fields
|
|
59
|
+
* originally observed at `~/aios/schemas/policy/policy.schema.json`.
|
|
60
|
+
* Authority lifecycle fields (`expression` body / `PolicyUpdateCandidate`
|
|
61
|
+
* / `activated_at` / `deprecated_at`) are explicitly NOT absorbed —
|
|
62
|
+
* ADR-0004 § 2 case #10 keeps expression as hash only.
|
|
63
|
+
*/
|
|
64
|
+
export interface PolicyCheckEventPayload {
|
|
65
|
+
readonly policy_event_schema_version: 1;
|
|
66
|
+
readonly policy_id: string;
|
|
67
|
+
readonly rule_id: string;
|
|
68
|
+
readonly decision: PolicyDecision;
|
|
69
|
+
readonly observed_at: string;
|
|
70
|
+
readonly policy_version?: number;
|
|
71
|
+
readonly kind?: string;
|
|
72
|
+
readonly effect?: PolicyEffect;
|
|
73
|
+
readonly expression_hash?: string;
|
|
74
|
+
readonly evidence_refs?: readonly string[];
|
|
75
|
+
readonly reason_code?: string;
|
|
76
|
+
readonly reason_text?: string;
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Throw `PayloadValidationError` if `payload` violates A.8 invariants.
|
|
80
|
+
*
|
|
81
|
+
* Mirrors `validate_policy_check_event_payload` in Python.
|
|
82
|
+
*/
|
|
83
|
+
export declare function validatePolicyCheckEventPayload(payload: unknown): void;
|
|
84
|
+
/**
|
|
85
|
+
* Payload shape for the `replay_event` event_type.
|
|
86
|
+
*
|
|
87
|
+
* Schema-shape re-issue (Mode A.6 per ADR-0009 § 1 + A.9) of fields
|
|
88
|
+
* observed at `~/aios/crates/aios-sdk-evidence/src/replay.rs` +
|
|
89
|
+
* `~/aios/schemas/replay/replay_proof.schema.json`. Records that an
|
|
90
|
+
* external runner observed the four boolean outcomes of a replay.
|
|
91
|
+
* Attestplane substrate does NOT re-execute — replay execution lives
|
|
92
|
+
* in REDLINE C.13 `aios-replay-runner`.
|
|
93
|
+
*
|
|
94
|
+
* The `deterministic_result` field MUST equal the logical AND of
|
|
95
|
+
* `input_hash_match`, `artifact_hash_match`, `audit_chain_match`.
|
|
96
|
+
* Validators enforce this cross-check.
|
|
97
|
+
*/
|
|
98
|
+
export interface ReplayEventPayload {
|
|
99
|
+
readonly replay_event_schema_version: 1;
|
|
100
|
+
readonly replay_run_id: string;
|
|
101
|
+
readonly original_run_id: string;
|
|
102
|
+
readonly input_hash_match: boolean;
|
|
103
|
+
readonly artifact_hash_match: boolean;
|
|
104
|
+
readonly audit_chain_match: boolean;
|
|
105
|
+
readonly deterministic_result: boolean;
|
|
106
|
+
readonly observed_at: string;
|
|
107
|
+
readonly snapshot_id_ref?: string;
|
|
108
|
+
readonly diff_summary_hash?: string;
|
|
109
|
+
readonly reason_code?: string;
|
|
110
|
+
readonly reason_text?: string;
|
|
111
|
+
}
|
|
112
|
+
/**
|
|
113
|
+
* Throw `PayloadValidationError` if `payload` violates A.9 invariants.
|
|
114
|
+
*
|
|
115
|
+
* Mirrors `validate_replay_event_payload` in Python.
|
|
116
|
+
*/
|
|
117
|
+
export declare function validateReplayEventPayload(payload: unknown): void;
|
|
118
|
+
//# sourceMappingURL=event_payloads.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"event_payloads.d.ts","sourceRoot":"","sources":["../src/event_payloads.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;GAaG;AAKH;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,EAAE,WAAW,CAAC,MAAM,CAkBvD,CAAC;AAEH,qBAAa,sBAAuB,SAAQ,KAAK;gBACnC,OAAO,EAAE,MAAM;CAI5B;AAwED,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,CAAC;AAE5E;;;;;;;;GAQG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,0BAA0B,EAAE,CAAC,CAAC;IACvC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,SAAS,EAAE,cAAc,CAAC;IACnC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AA6BD;;;;GAIG;AACH,wBAAgB,kCAAkC,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAsDzE;AAID,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,GAAG,SAAS,GAAG,kBAAkB,CAAC;AAE/E,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAErD;;;;;;;;GAQG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,2BAA2B,EAAE,CAAC,CAAC;IACxC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,YAAY,CAAC;IAC/B,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAiCD;;;;GAIG;AACH,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA6FtE;AAID;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,2BAA2B,EAAE,CAAC,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IACtC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;IACvC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AA2BD;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA4EjE"}
|