npm - @joclaim/attestor-core - Versions diffs - 0.2.0 → 0.2.3 - Mend

@joclaim/attestor-core 0.2.0 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (420) hide show

package/README.md +21 -15
package/lib/avs/abis/avsDirectoryABI.d.ts +60 -0
package/lib/avs/abis/avsDirectoryABI.js +340 -0
package/lib/avs/abis/delegationABI.d.ts +126 -0
package/lib/avs/abis/delegationABI.js +1 -0
package/lib/avs/abis/registryABI.d.ts +136 -0
package/lib/avs/abis/registryABI.js +725 -0
package/lib/avs/client/create-claim-on-avs.d.ts +12 -0
package/lib/avs/client/create-claim-on-avs.js +138 -0
package/lib/avs/config.d.ts +7 -0
package/lib/avs/config.js +20 -0
package/lib/avs/contracts/ReclaimServiceManager.d.ts +697 -0
package/lib/avs/contracts/ReclaimServiceManager.js +1 -0
package/lib/avs/contracts/common.d.ts +21 -0
package/lib/avs/contracts/common.js +1 -0
package/lib/avs/contracts/factories/ReclaimServiceManager__factory.d.ts +888 -0
package/lib/avs/contracts/factories/ReclaimServiceManager__factory.js +1169 -0
package/lib/avs/contracts/factories/index.d.ts +1 -0
package/{src/avs/contracts/factories/index.ts → lib/avs/contracts/factories/index.js} +1 -1
package/{src/avs/contracts/index.ts → lib/avs/contracts/index.d.ts} +0 -3
package/lib/avs/contracts/index.js +2 -0
package/lib/avs/types/index.d.ts +55 -0
package/lib/avs/types/index.js +1 -0
package/lib/avs/utils/contracts.d.ts +21 -0
package/lib/avs/utils/contracts.js +33 -0
package/lib/avs/utils/register.d.ts +27 -0
package/lib/avs/utils/register.js +78 -0
package/lib/avs/utils/tasks.d.ts +22 -0
package/lib/avs/utils/tasks.js +40 -0
package/lib/client/create-claim.d.ts +5 -0
package/lib/client/create-claim.js +437 -0
package/lib/client/index.d.ts +3 -0
package/lib/client/index.js +3 -0
package/lib/client/tunnels/make-rpc-tcp-tunnel.d.ts +16 -0
package/lib/client/tunnels/make-rpc-tcp-tunnel.js +51 -0
package/lib/client/tunnels/make-rpc-tls-tunnel.d.ts +26 -0
package/lib/client/tunnels/make-rpc-tls-tunnel.js +131 -0
package/lib/client/utils/attestor-pool.d.ts +8 -0
package/lib/client/utils/attestor-pool.js +25 -0
package/lib/client/utils/client-socket.d.ts +11 -0
package/lib/client/utils/client-socket.js +98 -0
package/lib/client/utils/message-handler.d.ts +4 -0
package/lib/client/utils/message-handler.js +87 -0
package/lib/config/index.d.ts +30 -0
package/lib/config/index.js +43 -0
package/lib/external-rpc/benchmark.d.ts +1 -0
package/lib/external-rpc/benchmark.js +69 -0
package/lib/external-rpc/event-bus.d.ts +7 -0
package/lib/external-rpc/event-bus.js +14 -0
package/lib/external-rpc/handle-incoming-msg.d.ts +2 -0
package/lib/external-rpc/handle-incoming-msg.js +233 -0
package/lib/external-rpc/index.d.ts +3 -0
package/lib/external-rpc/index.js +3 -0
package/lib/external-rpc/jsc-polyfills/1.d.ts +14 -0
package/lib/external-rpc/jsc-polyfills/1.js +82 -0
package/lib/external-rpc/jsc-polyfills/2.d.ts +1 -0
package/lib/external-rpc/jsc-polyfills/2.js +20 -0
package/lib/external-rpc/jsc-polyfills/event.d.ts +10 -0
package/lib/external-rpc/jsc-polyfills/event.js +14 -0
package/lib/external-rpc/jsc-polyfills/index.d.ts +2 -0
package/lib/external-rpc/jsc-polyfills/index.js +2 -0
package/lib/external-rpc/jsc-polyfills/ws.d.ts +21 -0
package/lib/external-rpc/jsc-polyfills/ws.js +81 -0
package/lib/external-rpc/setup-browser.d.ts +6 -0
package/lib/external-rpc/setup-browser.js +33 -0
package/lib/external-rpc/setup-jsc.d.ts +24 -0
package/lib/external-rpc/setup-jsc.js +22 -0
package/lib/external-rpc/types.d.ts +213 -0
package/lib/external-rpc/types.js +1 -0
package/lib/external-rpc/utils.d.ts +20 -0
package/lib/external-rpc/utils.js +100 -0
package/lib/external-rpc/zk.d.ts +14 -0
package/lib/external-rpc/zk.js +63 -0
package/lib/index.d.ts +9 -0
package/lib/index.js +9 -0
package/lib/mechain/abis/governanceABI.d.ts +50 -0
package/lib/mechain/abis/governanceABI.js +458 -0
package/lib/mechain/abis/taskABI.d.ts +157 -0
package/lib/mechain/abis/taskABI.js +509 -0
package/lib/mechain/client/create-claim-on-mechain.d.ts +10 -0
package/lib/mechain/client/create-claim-on-mechain.js +28 -0
package/lib/mechain/client/index.d.ts +1 -0
package/lib/mechain/client/index.js +1 -0
package/lib/mechain/constants/index.d.ts +3 -0
package/{src/mechain/constants/index.ts → lib/mechain/constants/index.js} +3 -5
package/lib/mechain/index.d.ts +2 -0
package/lib/mechain/index.js +2 -0
package/lib/mechain/types/index.d.ts +23 -0
package/lib/mechain/types/index.js +1 -0
package/lib/proto/api.d.ts +633 -0
package/lib/proto/api.js +4258 -0
package/lib/proto/tee-bundle.d.ts +135 -0
package/lib/proto/tee-bundle.js +1161 -0
package/lib/providers/http/index.d.ts +18 -0
package/lib/providers/http/index.js +658 -0
package/lib/providers/http/patch-parse5-tree.d.ts +6 -0
package/lib/providers/http/patch-parse5-tree.js +33 -0
package/lib/providers/http/utils.d.ts +77 -0
package/lib/providers/http/utils.js +324 -0
package/lib/providers/index.d.ts +4 -0
package/lib/providers/index.js +4 -0
package/lib/scripts/build-browser.d.ts +1 -0
package/lib/scripts/build-browser.js +37 -0
package/lib/scripts/build-jsc.d.ts +1 -0
package/lib/scripts/build-jsc.js +49 -0
package/lib/scripts/check-avs-registration.d.ts +1 -0
package/lib/scripts/check-avs-registration.js +26 -0
package/lib/scripts/fallbacks/crypto.d.ts +1 -0
package/lib/scripts/fallbacks/crypto.js +1 -0
package/lib/scripts/fallbacks/empty.d.ts +3 -0
package/lib/scripts/fallbacks/empty.js +1 -0
package/lib/scripts/fallbacks/re2.d.ts +1 -0
package/lib/scripts/fallbacks/re2.js +4 -0
package/lib/scripts/fallbacks/snarkjs.d.ts +1 -0
package/lib/scripts/fallbacks/snarkjs.js +1 -0
package/lib/scripts/generate-provider-types.d.ts +5 -0
package/lib/scripts/generate-provider-types.js +78 -0
package/lib/scripts/generate-receipt.d.ts +9 -0
package/lib/scripts/generate-receipt.js +90 -0
package/lib/scripts/generate-toprf-keys.d.ts +1 -0
package/lib/scripts/generate-toprf-keys.js +20 -0
package/lib/scripts/jsc-cli-rpc.d.ts +1 -0
package/lib/scripts/jsc-cli-rpc.js +37 -0
package/lib/scripts/register-avs-operator.d.ts +1 -0
package/lib/scripts/register-avs-operator.js +4 -0
package/lib/scripts/start-server.d.ts +1 -0
package/lib/scripts/start-server.js +13 -0
package/lib/scripts/update-avs-metadata.d.ts +1 -0
package/lib/scripts/update-avs-metadata.js +19 -0
package/lib/scripts/utils.d.ts +1 -0
package/lib/scripts/utils.js +7 -0
package/lib/scripts/whitelist-operator.d.ts +1 -0
package/lib/scripts/whitelist-operator.js +15 -0
package/lib/server/create-server.d.ts +7 -0
package/lib/server/create-server.js +122 -0
package/lib/server/handlers/claimTeeBundle.d.ts +6 -0
package/lib/server/handlers/claimTeeBundle.js +206 -0
package/lib/server/handlers/claimTunnel.d.ts +2 -0
package/lib/server/handlers/claimTunnel.js +73 -0
package/lib/server/handlers/completeClaimOnChain.d.ts +2 -0
package/lib/server/handlers/completeClaimOnChain.js +22 -0
package/lib/server/handlers/createClaimOnChain.d.ts +2 -0
package/lib/server/handlers/createClaimOnChain.js +26 -0
package/lib/server/handlers/createTaskOnMechain.d.ts +2 -0
package/lib/server/handlers/createTaskOnMechain.js +47 -0
package/lib/server/handlers/createTunnel.d.ts +2 -0
package/lib/server/handlers/createTunnel.js +93 -0
package/lib/server/handlers/disconnectTunnel.d.ts +2 -0
package/lib/server/handlers/disconnectTunnel.js +5 -0
package/lib/server/handlers/fetchCertificateBytes.d.ts +2 -0
package/lib/server/handlers/fetchCertificateBytes.js +41 -0
package/lib/server/handlers/index.d.ts +4 -0
package/lib/server/handlers/index.js +22 -0
package/lib/server/handlers/init.d.ts +2 -0
package/lib/server/handlers/init.js +30 -0
package/lib/server/handlers/toprf.d.ts +2 -0
package/lib/server/handlers/toprf.js +16 -0
package/lib/server/index.d.ts +4 -0
package/lib/server/index.js +4 -0
package/lib/server/provider-api.d.ts +9 -0
package/lib/server/provider-api.js +98 -0
package/lib/server/provider-store.d.ts +53 -0
package/lib/server/provider-store.js +80 -0
package/lib/server/session-api.d.ts +9 -0
package/lib/server/session-api.js +95 -0
package/lib/server/session-store.d.ts +14 -0
package/lib/server/session-store.js +36 -0
package/lib/server/socket.d.ts +13 -0
package/lib/server/socket.js +109 -0
package/lib/server/tunnels/make-tcp-tunnel.d.ts +22 -0
package/lib/server/tunnels/make-tcp-tunnel.js +177 -0
package/lib/server/utils/apm.d.ts +11 -0
package/lib/server/utils/apm.js +36 -0
package/lib/server/utils/assert-valid-claim-request.d.ts +31 -0
package/lib/server/utils/assert-valid-claim-request.js +229 -0
package/lib/server/utils/config-env.d.ts +1 -0
package/lib/server/utils/config-env.js +4 -0
package/lib/server/utils/dns.d.ts +1 -0
package/lib/server/utils/dns.js +18 -0
package/lib/server/utils/gcp-attestation.d.ts +17 -0
package/lib/server/utils/gcp-attestation.js +289 -0
package/lib/server/utils/generics.d.ts +22 -0
package/lib/server/utils/generics.js +51 -0
package/lib/server/utils/iso.d.ts +1 -0
package/lib/server/utils/iso.js +256 -0
package/lib/server/utils/keep-alive.d.ts +7 -0
package/lib/server/utils/keep-alive.js +38 -0
package/lib/server/utils/nitro-attestation.d.ts +33 -0
package/lib/server/utils/nitro-attestation.js +325 -0
package/lib/server/utils/process-handshake.d.ts +13 -0
package/lib/server/utils/process-handshake.js +214 -0
package/lib/server/utils/proxy-session.d.ts +1 -0
package/lib/server/utils/proxy-session.js +6 -0
package/lib/server/utils/tee-oprf-verification.d.ts +22 -0
package/lib/server/utils/tee-oprf-verification.js +160 -0
package/lib/server/utils/tee-transcript-reconstruction.d.ts +24 -0
package/lib/server/utils/tee-transcript-reconstruction.js +187 -0
package/lib/server/utils/tee-verification.d.ts +27 -0
package/lib/server/utils/tee-verification.js +365 -0
package/lib/server/utils/validation.d.ts +2 -0
package/lib/server/utils/validation.js +38 -0
package/lib/types/bgp.d.ts +11 -0
package/lib/types/bgp.js +1 -0
package/lib/types/claims.d.ts +73 -0
package/lib/types/claims.js +1 -0
package/lib/types/client.d.ts +163 -0
package/lib/types/client.js +1 -0
package/lib/types/general.d.ts +54 -0
package/lib/types/general.js +1 -0
package/lib/types/handlers.d.ts +10 -0
package/lib/types/handlers.js +1 -0
package/lib/types/index.d.ts +10 -0
package/lib/types/index.js +10 -0
package/lib/types/providers.d.ts +161 -0
package/lib/types/providers.gen.d.ts +443 -0
package/lib/types/providers.gen.js +10 -0
package/lib/types/providers.js +1 -0
package/lib/types/rpc.d.ts +35 -0
package/lib/types/rpc.js +1 -0
package/lib/types/signatures.d.ts +28 -0
package/lib/types/signatures.js +1 -0
package/lib/types/tunnel.d.ts +18 -0
package/lib/types/tunnel.js +1 -0
package/lib/types/zk.d.ts +28 -0
package/lib/types/zk.js +1 -0
package/lib/utils/auth.d.ts +8 -0
package/lib/utils/auth.js +59 -0
package/lib/utils/b64-json.d.ts +2 -0
package/lib/utils/b64-json.js +17 -0
package/lib/utils/bgp-listener.d.ts +7 -0
package/lib/utils/bgp-listener.js +119 -0
package/lib/utils/claims.d.ts +33 -0
package/lib/utils/claims.js +101 -0
package/lib/utils/env.d.ts +3 -0
package/lib/utils/env.js +15 -0
package/lib/utils/error.d.ts +26 -0
package/lib/utils/error.js +50 -0
package/lib/utils/generics.d.ts +114 -0
package/lib/utils/generics.js +317 -0
package/lib/utils/http-parser.d.ts +59 -0
package/lib/utils/http-parser.js +246 -0
package/lib/utils/index.d.ts +13 -0
package/lib/utils/index.js +13 -0
package/lib/utils/logger.d.ts +13 -0
package/lib/utils/logger.js +91 -0
package/lib/utils/prepare-packets.d.ts +16 -0
package/lib/utils/prepare-packets.js +62 -0
package/lib/utils/redactions.d.ts +62 -0
package/lib/utils/redactions.js +148 -0
package/lib/utils/retries.d.ts +12 -0
package/lib/utils/retries.js +24 -0
package/lib/utils/signatures/eth.d.ts +2 -0
package/lib/utils/signatures/eth.js +29 -0
package/lib/utils/signatures/index.d.ts +5 -0
package/lib/utils/signatures/index.js +7 -0
package/lib/utils/socket-base.d.ts +23 -0
package/lib/utils/socket-base.js +90 -0
package/lib/utils/tls.d.ts +2 -0
package/{src/utils/tls.ts → lib/utils/tls.js} +28 -35
package/lib/utils/ws.d.ts +7 -0
package/lib/utils/ws.js +22 -0
package/lib/utils/zk.d.ts +70 -0
package/lib/utils/zk.js +572 -0
package/package.json +19 -12
package/src/avs/abis/avsDirectoryABI.ts +0 -340
package/src/avs/abis/delegationABI.ts +0 -1
package/src/avs/abis/registryABI.ts +0 -725
package/src/avs/client/create-claim-on-avs.ts +0 -206
package/src/avs/config.ts +0 -25
package/src/avs/contracts/ReclaimServiceManager.ts +0 -1457
package/src/avs/contracts/common.ts +0 -44
package/src/avs/contracts/factories/ReclaimServiceManager__factory.ts +0 -1213
package/src/avs/tests/test.operator.ts +0 -413
package/src/avs/tests/utils.ts +0 -51
package/src/avs/types/index.ts +0 -60
package/src/avs/utils/contracts.ts +0 -66
package/src/avs/utils/register.ts +0 -125
package/src/avs/utils/tasks.ts +0 -76
package/src/client/create-claim.ts +0 -626
package/src/client/index.ts +0 -3
package/src/client/tunnels/make-rpc-tcp-tunnel.ts +0 -78
package/src/client/tunnels/make-rpc-tls-tunnel.ts +0 -172
package/src/client/utils/attestor-pool.ts +0 -35
package/src/client/utils/client-socket.ts +0 -160
package/src/client/utils/message-handler.ts +0 -116
package/src/config/index.ts +0 -65
package/src/external-rpc/benchmark.ts +0 -102
package/src/external-rpc/event-bus.ts +0 -19
package/src/external-rpc/global.d.ts +0 -20
package/src/external-rpc/handle-incoming-msg.ts +0 -308
package/src/external-rpc/index.ts +0 -3
package/src/external-rpc/jsc-polyfills/1.ts +0 -117
package/src/external-rpc/jsc-polyfills/2.ts +0 -24
package/src/external-rpc/jsc-polyfills/event.ts +0 -16
package/src/external-rpc/jsc-polyfills/index.ts +0 -2
package/src/external-rpc/jsc-polyfills/ws.ts +0 -105
package/src/external-rpc/setup-browser.ts +0 -42
package/src/external-rpc/setup-jsc.ts +0 -48
package/src/external-rpc/types.ts +0 -289
package/src/external-rpc/utils.ts +0 -126
package/src/external-rpc/zk.ts +0 -79
package/src/index.ts +0 -9
package/src/mechain/abis/governanceABI.ts +0 -458
package/src/mechain/abis/taskABI.ts +0 -509
package/src/mechain/client/create-claim-on-mechain.ts +0 -52
package/src/mechain/client/index.ts +0 -1
package/src/mechain/index.ts +0 -2
package/src/mechain/types/index.ts +0 -29
package/src/proto/api.ts +0 -5285
package/src/proto/tee-bundle.ts +0 -1413
package/src/providers/http/index.ts +0 -873
package/src/providers/http/patch-parse5-tree.ts +0 -49
package/src/providers/http/utils.ts +0 -439
package/src/providers/index.ts +0 -8
package/src/scripts/build-browser.sh +0 -9
package/src/scripts/build-browser.ts +0 -40
package/src/scripts/build-jsc.ts +0 -55
package/src/scripts/check-avs-registration.ts +0 -38
package/src/scripts/contract-data-gen.sh +0 -8
package/src/scripts/fallbacks/crypto.ts +0 -1
package/src/scripts/fallbacks/empty.ts +0 -2
package/src/scripts/fallbacks/re2.ts +0 -5
package/src/scripts/fallbacks/snarkjs.ts +0 -5
package/src/scripts/generate-certs.sh +0 -11
package/src/scripts/generate-proto.sh +0 -5
package/src/scripts/generate-provider-types.ts +0 -121
package/src/scripts/generate-receipt.ts +0 -138
package/src/scripts/generate-toprf-keys.ts +0 -30
package/src/scripts/jsc-cli-rpc.ts +0 -48
package/src/scripts/register-avs-operator.ts +0 -5
package/src/scripts/start-server.ts +0 -17
package/src/scripts/update-avs-metadata.ts +0 -26
package/src/scripts/utils.ts +0 -8
package/src/scripts/whitelist-operator.ts +0 -22
package/src/server/create-server.ts +0 -169
package/src/server/handlers/claimTeeBundle.ts +0 -308
package/src/server/handlers/claimTunnel.ts +0 -106
package/src/server/handlers/completeClaimOnChain.ts +0 -36
package/src/server/handlers/createClaimOnChain.ts +0 -39
package/src/server/handlers/createTaskOnMechain.ts +0 -80
package/src/server/handlers/createTunnel.ts +0 -128
package/src/server/handlers/disconnectTunnel.ts +0 -11
package/src/server/handlers/fetchCertificateBytes.ts +0 -66
package/src/server/handlers/index.ts +0 -24
package/src/server/handlers/init.ts +0 -46
package/src/server/handlers/toprf.ts +0 -25
package/src/server/index.ts +0 -4
package/src/server/provider-api.ts +0 -118
package/src/server/provider-store.ts +0 -117
package/src/server/session-api.ts +0 -115
package/src/server/session-store.ts +0 -60
package/src/server/socket.ts +0 -156
package/src/server/tunnels/make-tcp-tunnel.ts +0 -275
package/src/server/utils/apm.ts +0 -49
package/src/server/utils/assert-valid-claim-request.ts +0 -375
package/src/server/utils/config-env.ts +0 -6
package/src/server/utils/dns.ts +0 -25
package/src/server/utils/gcp-attestation.ts +0 -415
package/src/server/utils/generics.ts +0 -68
package/src/server/utils/iso.ts +0 -258
package/src/server/utils/keep-alive.ts +0 -50
package/src/server/utils/nitro-attestation.ts +0 -396
package/src/server/utils/process-handshake.ts +0 -311
package/src/server/utils/proxy-session.ts +0 -6
package/src/server/utils/tee-oprf-verification.ts +0 -231
package/src/server/utils/tee-transcript-reconstruction.ts +0 -254
package/src/server/utils/tee-verification.ts +0 -513
package/src/server/utils/validation.ts +0 -57
package/src/tests/auth.test.ts +0 -105
package/src/tests/bgp-listener.test.ts +0 -193
package/src/tests/claim-creation.test.ts +0 -415
package/src/tests/describe-with-server.ts +0 -94
package/src/tests/gcp-attestation.test.ts +0 -206
package/src/tests/http-parser.test.ts +0 -135
package/src/tests/http-provider-utils.test.ts +0 -3306
package/src/tests/http-provider.test.ts +0 -125
package/src/tests/jsc.test_mac.ts +0 -296
package/src/tests/mock-provider-server.ts +0 -106
package/src/tests/mocks.ts +0 -25
package/src/tests/proof_bundle.bin +0 -0
package/src/tests/rpc-communication.test.ts +0 -115
package/src/tests/rpc-tunnel.test.ts +0 -239
package/src/tests/signatures.test.ts +0 -37
package/src/tests/tcp-tunnel.test.ts +0 -154
package/src/tests/tee-bundle.test.ts +0 -321
package/src/tests/tee-signatures.test.ts +0 -81
package/src/tests/utils.ts +0 -108
package/src/tests/verification_bundle.pb +0 -0
package/src/tests/verification_bundle_tee.pb +0 -0
package/src/tests/zk.test.ts +0 -453
package/src/types/bgp.ts +0 -17
package/src/types/claims.ts +0 -79
package/src/types/client.ts +0 -205
package/src/types/general.ts +0 -61
package/src/types/handlers.ts +0 -16
package/src/types/index.ts +0 -10
package/src/types/providers.gen.ts +0 -135
package/src/types/providers.ts +0 -203
package/src/types/rpc.ts +0 -46
package/src/types/signatures.ts +0 -29
package/src/types/tunnel.ts +0 -25
package/src/types/zk.ts +0 -31
package/src/utils/auth.ts +0 -92
package/src/utils/b64-json.ts +0 -25
package/src/utils/bgp-listener.ts +0 -159
package/src/utils/claims.ts +0 -132
package/src/utils/env.ts +0 -21
package/src/utils/error.ts +0 -76
package/src/utils/generics.ts +0 -429
package/src/utils/http-parser.ts +0 -312
package/src/utils/index.ts +0 -13
package/src/utils/logger.ts +0 -114
package/src/utils/prepare-packets.ts +0 -98
package/src/utils/redactions.ts +0 -203
package/src/utils/retries.ts +0 -41
package/src/utils/signatures/eth.ts +0 -35
package/src/utils/signatures/index.ts +0 -11
package/src/utils/socket-base.ts +0 -132
package/src/utils/ws.ts +0 -30
package/src/utils/zk.ts +0 -908

package/lib/server/utils/nitro-attestation.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * Working Nitro Attestation validation utilities
+ */
+export interface AttestationDocument {
+    module_id: string;
+    digest: string;
+    timestamp: bigint;
+    pcrs: {
+        [key: number]: Buffer;
+    };
+    certificate: Buffer;
+    cabundle: Buffer[];
+    public_key?: Buffer;
+    user_data?: Buffer;
+    nonce?: Buffer;
+}
+export interface NitroValidationResult {
+    isValid: boolean;
+    errors: string[];
+    warnings: string[];
+    userDataType?: 'tee_k' | 'tee_t';
+    ethAddress?: string;
+    pcr0: string;
+}
+export interface AddressExtractionResult {
+    teeType: 'tee_k' | 'tee_t';
+    ethAddress?: string;
+    pcr0: string;
+}
+/**
+ * Working validation function copied from nitroattestor
+ */
+export declare function validateNitroAttestationAndExtractKey(attestationBytes: Uint8Array): Promise<NitroValidationResult>;

package/lib/server/utils/nitro-attestation.js ADDED Viewed

@@ -0,0 +1,325 @@
+/**
+ * Working Nitro Attestation validation utilities
+ */
+import { AsnParser } from '@peculiar/asn1-schema';
+import { SubjectPublicKeyInfo } from '@peculiar/asn1-x509';
+import { Crypto } from '@peculiar/webcrypto';
+import { X509Certificate, X509ChainBuilder } from '@peculiar/x509';
+import { sign } from 'cose-js';
+// Helper function to dynamically import cbor-x
+async function getCborDecode() {
+    const { decode } = await import('cbor-x');
+    return decode;
+}
+// AWS Nitro root certificate (from nitrite)
+const AWS_NITRO_ROOT_CERT = `-----BEGIN CERTIFICATE-----
+MIICETCCAZagAwIBAgIRAPkxdWgbkK/hHUbMtOTn+FYwCgYIKoZIzj0EAwMwSTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoMBkFtYXpvbjEMMAoGA1UECwwDQVdTMRswGQYD
+VQQDDBJhd3Mubml0cm8tZW5jbGF2ZXMwHhcNMTkxMDI4MTMyODA1WhcNNDkxMDI4
+MTQyODA1WjBJMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQL
+DANBV1MxGzAZBgNVBAMMEmF3cy5uaXRyby1lbmNsYXZlczB2MBAGByqGSM49AgEG
+BSuBBAAiA2IABPwCVOumCMHzaHDimtqQvkY4MpJzbolL//Zy2YlES1BR5TSksfbb
+48C8WBoyt7F2Bw7eEtaaP+ohG2bnUs990d0JX28TcPQXCEPZ3BABIeTPYwEoCWZE
+h8l5YoQwTcU/9KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkCW1DdkF
+R+eWw5b6cp3PmanfS5YwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2kAMGYC
+MQCjfy+Rocm9Xue4YnwWmNJVA44fA0P5W2OpYow9OYCVRaEevL8uO1XYru5xtMPW
+rfMCMQCi85sWBbJwKKXdS6BptQFuZbT73o/gBh1qUxl/nNr12UO8Yfwr6wPLb+6N
+IwLz3/Y=
+-----END CERTIFICATE-----`;
+// Expected PCR values (replace with actual values)
+// const EXPECTED_PCRS = {
+// 	//0: Buffer.from('000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', 'hex'),
+// }
+//
+// // Secure buffer comparison to prevent timing attacks
+// function secureBufferCompare(a: Buffer, b: Buffer): boolean {
+// 	if(a.length !== b.length) {
+// 		return false
+// 	}
+//
+// 	let result = 0
+// 	for(const [i, element] of a.entries()) {
+// 		result |= element ^ b[i]
+// 	}
+//
+// 	return result === 0
+// }
+// Enhanced certificate chain validation
+async function validateCertificateChain(targetCert, intermediateCerts, rootCert, crypto) {
+    const errors = [];
+    try {
+        // Validate root certificate is self-signed and trusted
+        const rootSubject = rootCert.subject;
+        const rootIssuer = rootCert.issuer;
+        if (rootSubject !== rootIssuer) {
+            errors.push('Root certificate is not self-signed');
+        }
+        // Verify root certificate signature (self-verification)
+        try {
+            const isRootValid = await rootCert.verify(undefined, crypto);
+            if (!isRootValid) {
+                errors.push('Root certificate signature verification failed');
+            }
+        }
+        catch (error) {
+            errors.push(`Root certificate verification failed: ${error.message}`);
+        }
+        // Build the certificate chain
+        const chainBuilder = new X509ChainBuilder({
+            certificates: [rootCert, ...intermediateCerts]
+        });
+        let chain;
+        try {
+            chain = await chainBuilder.build(targetCert, crypto);
+        }
+        catch (error) {
+            errors.push(`Certificate chain building failed: ${error.message}`);
+            return { isValid: false, errors, chain: [] };
+        }
+        if (!chain || chain.length === 0) {
+            errors.push('No valid certificate chain could be built');
+            return { isValid: false, errors, chain: [] };
+        }
+        // Validate each certificate in the chain
+        const now = new Date();
+        for (let i = 0; i < chain.length; i++) {
+            const cert = chain[i];
+            // Check expiration dates
+            if (now < cert.notBefore) {
+                errors.push(`Certificate ${i} (${cert.subject}) is not yet valid`);
+            }
+            if (now > cert.notAfter) {
+                errors.push(`Certificate ${i} (${cert.subject}) has expired`);
+            }
+            // Verify each certificate's signature (except root which is self-signed)
+            if (i < chain.length - 1) {
+                try {
+                    const issuer = chain[i + 1];
+                    const isValid = await cert.verify(issuer, crypto);
+                    // eslint-disable-next-line max-depth
+                    if (!isValid) {
+                        errors.push(`Certificate ${i} signature verification failed`);
+                    }
+                }
+                catch (error) {
+                    errors.push(`Certificate ${i} verification failed: ${error.message}`);
+                }
+            }
+        }
+        return {
+            isValid: errors.length === 0,
+            errors,
+            chain
+        };
+    }
+    catch (error) {
+        errors.push(`Certificate chain validation error: ${error.message}`);
+        return { isValid: false, errors, chain: [] };
+    }
+}
+/**
+ * Extract public key from user_data field in attestation document
+ */
+function extractPublicKeyFromUserData(userDataBuffer) {
+    try {
+        const userDataString = userDataBuffer.toString('utf-8');
+        // Parse new format: "tee_k_public_key:0xETH_ADDRESS" or "tee_t_public_key:0xETH_ADDRESS"
+        const teeKMatch = userDataString.match(/^tee_k_public_key:(0x[0-9a-fA-F]{40})$/);
+        const teeTMatch = userDataString.match(/^tee_t_public_key:(0x[0-9a-fA-F]{40})$/);
+        if (teeKMatch) {
+            return {
+                teeType: 'tee_k',
+                ethAddress: teeKMatch[1], // Store the full ETH address with 0x prefix
+                pcr0: ''
+            };
+        }
+        if (teeTMatch) {
+            return {
+                teeType: 'tee_t',
+                ethAddress: teeTMatch[1], // Store the full ETH address with 0x prefix
+                pcr0: ''
+            };
+        }
+        return null;
+    }
+    catch (error) {
+        return null;
+    }
+}
+/**
+ * Working validation function copied from nitroattestor
+ */
+export async function validateNitroAttestationAndExtractKey(attestationBytes) {
+    const errors = [];
+    const warnings = [];
+    try {
+        // Set up WebCrypto
+        const crypto = new Crypto();
+        // Decode CBOR - use exact same approach as working nitroattestor
+        const decode = await getCborDecode();
+        let decoded;
+        try {
+            decoded = decode(Buffer.from(attestationBytes));
+        }
+        catch (error) {
+            errors.push(`CBOR decoding failed: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Extract COSE_Sign1 structure
+        if (!Array.isArray(decoded) || decoded.length < 4) {
+            errors.push('Invalid COSE_Sign1 structure: expected array with 4 elements');
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        const [, , payload] = decoded;
+        // Validate payload exists and is not empty
+        if (!payload || payload.length === 0) {
+            errors.push('Empty or missing payload in COSE_Sign1 structure');
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Decode payload - use exact same approach as working code
+        let doc;
+        try {
+            doc = decode(payload);
+        }
+        catch (error) {
+            errors.push(`Payload decoding failed: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Validate mandatory fields with strict type checking
+        if (doc.module_id.length === 0) {
+            errors.push('Missing or invalid module_id');
+        }
+        if (doc.digest.length === 0) {
+            errors.push('Missing or invalid digest');
+        }
+        if (!doc.pcrs || typeof doc.pcrs !== 'object') {
+            errors.push('Missing or invalid pcrs');
+        }
+        if (!Buffer.isBuffer(doc.certificate) || doc.certificate.length === 0) {
+            errors.push('Missing or invalid certificate');
+        }
+        if (!Array.isArray(doc.cabundle) || doc.cabundle.length === 0) {
+            errors.push('Missing or invalid cabundle');
+        }
+        // Early return if basic validation fails
+        if (errors.length > 0) {
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        const pcr0 = doc.pcrs[0].toString('hex');
+        // Validate PCRs with secure comparison
+        // for(const [index, expected] of Object.entries(EXPECTED_PCRS)) {
+        // 	const pcrIndex = parseInt(index)
+        // 	const actualPcr = doc.pcrs[pcrIndex]
+        //
+        // 	if(!Buffer.isBuffer(actualPcr)) {
+        // 		errors.push(`PCR${index} is not a Buffer`)
+        // 		continue
+        // 	}
+        //
+        // 	if(!secureBufferCompare(expected, actualPcr)) {
+        // 		errors.push(`PCR${index} mismatch`)
+        // 	}
+        // }
+        // Parse certificates with better error handling
+        const intermediateCerts = [];
+        for (let i = 0; i < doc.cabundle.length; i++) {
+            try {
+                const cert = new X509Certificate(doc.cabundle[i].toString('base64'));
+                intermediateCerts.push(cert);
+            }
+            catch (error) {
+                errors.push(`Failed to parse cabundle certificate ${i}: ${error.message}`);
+            }
+        }
+        // Parse target certificate
+        let targetCert;
+        try {
+            targetCert = new X509Certificate(doc.certificate.toString('base64'));
+        }
+        catch (error) {
+            errors.push(`Failed to parse target certificate: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Parse root certificate
+        let rootCert;
+        try {
+            rootCert = new X509Certificate(AWS_NITRO_ROOT_CERT);
+        }
+        catch (error) {
+            errors.push(`Failed to parse AWS Nitro root certificate: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Enhanced certificate chain validation
+        const chainResult = await validateCertificateChain(targetCert, intermediateCerts, rootCert, crypto);
+        if (!chainResult.isValid) {
+            errors.push(...chainResult.errors);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Parse and validate public key
+        let publicKeyRaw;
+        try {
+            publicKeyRaw = Buffer.from(targetCert.publicKey.rawData);
+        }
+        catch (error) {
+            errors.push(`Failed to extract public key: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Validate public key format (P-384 ECDSA)
+        if (publicKeyRaw.length !== 120 || publicKeyRaw[0] !== 0x30) {
+            errors.push(`Invalid public key format: expected 120-byte DER-encoded key, got ${publicKeyRaw.length} bytes`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        let spki;
+        try {
+            spki = AsnParser.parse(publicKeyRaw, SubjectPublicKeyInfo);
+        }
+        catch (error) {
+            errors.push(`Failed to parse SubjectPublicKeyInfo: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        const ecPoint = Buffer.from(spki.subjectPublicKey);
+        if (ecPoint.length !== 97 || ecPoint[0] !== 0x04) {
+            errors.push('Invalid EC point: expected 97-byte uncompressed P-384 key');
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        const x = ecPoint.subarray(1, 49); // 48-byte x coordinate
+        const y = ecPoint.subarray(49, 97); // 48-byte y coordinate
+        // Validate ECDSA signature using cose-js
+        try {
+            const verifier = {
+                key: {
+                    x: x,
+                    y: y,
+                },
+            };
+            const options = { defaultType: 18 }; // cose.sign.Sign1Tag
+            await sign.verify(Buffer.from(attestationBytes), verifier, options);
+        }
+        catch (error) {
+            errors.push(`COSE signature verification failed: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Extract public key from user_data if present
+        let userDataType;
+        let ethAddress;
+        if (doc.user_data) {
+            const keyInfo = extractPublicKeyFromUserData(doc.user_data);
+            if (keyInfo) {
+                userDataType = keyInfo.teeType;
+                ethAddress = keyInfo.ethAddress;
+            }
+        }
+        return {
+            isValid: errors.length === 0,
+            errors,
+            warnings,
+            userDataType,
+            ethAddress,
+            pcr0: pcr0
+        };
+    }
+    catch (error) {
+        errors.push(`Unexpected error during validation: ${error.message}`);
+        return { isValid: false, errors, warnings, pcr0: '' };
+    }
+}

package/lib/server/utils/process-handshake.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { ClaimTunnelRequest } from '../../proto/api.js';
+import type { Logger } from '../../types/index.js';
+/**
+ * Verifies server cert chain and removes handshake messages from transcript
+ * @param receipt
+ * @param logger
+ */
+export declare function processHandshake(receipt: ClaimTunnelRequest['transcript'], logger: Logger): Promise<{
+    tlsVersion: "TLS1_3" | "TLS1_2";
+    cipherSuite: "TLS_CHACHA20_POLY1305_SHA256" | "TLS_AES_256_GCM_SHA384" | "TLS_AES_128_GCM_SHA256" | "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" | "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" | "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" | "TLS_RSA_WITH_AES_128_GCM_SHA256" | "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" | "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" | "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
+    hostname: string;
+    nextMsgIndex: number;
+}>;

package/lib/server/utils/process-handshake.js ADDED Viewed

@@ -0,0 +1,214 @@
+import { concatenateUint8Arrays, getSignatureDataTls12, getSignatureDataTls13, PACKET_TYPE, parseCertificates, parseClientHello, parseServerCertificateVerify, parseServerHello, processServerKeyShare, SUPPORTED_RECORD_TYPE_MAP, uint8ArrayToDataView, verifyCertificateChain, verifyCertificateSignature } from '@joclaim/tls';
+import { TranscriptMessageSenderType } from '../../proto/api.js';
+import { decryptDirect } from '../../utils/index.js';
+const RECORD_LENGTH_BYTES = 3;
+/**
+ * Verifies server cert chain and removes handshake messages from transcript
+ * @param receipt
+ * @param logger
+ */
+export async function processHandshake(receipt, logger) {
+    const certificates = [];
+    const handshakeRawMessages = [];
+    let currentPacketIdx = 0;
+    let cipherSuite = undefined;
+    let tlsVersion = undefined;
+    let serverRandom = undefined;
+    let clientRandom = undefined;
+    let serverFinishedIdx = -1;
+    let clientFinishedIdx = -1;
+    let certVerified = false;
+    let certVerifyHandled = false;
+    let hostname = undefined;
+    let clientChangeCipherSpecMsgIdx = -1;
+    let serverChangeCipherSpecMsgIdx = -1;
+    let incompletePkt = undefined;
+    while (serverFinishedIdx < 0 || clientFinishedIdx < 0) {
+        const packetIdx = currentPacketIdx++;
+        if (packetIdx >= receipt.length) {
+            throw new Error('Receipt over but server finish: ' + serverFinishedIdx
+                + ', client finish: ' + clientFinishedIdx);
+        }
+        const { message, reveal, sender } = receipt[packetIdx];
+        // skip change cipher spec message
+        if (message[0] === PACKET_TYPE['CHANGE_CIPHER_SPEC']) {
+            if (sender === TranscriptMessageSenderType
+                .TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
+                clientChangeCipherSpecMsgIdx = packetIdx;
+                logger.trace('found client change cipher spec message');
+            }
+            else {
+                serverChangeCipherSpecMsgIdx = packetIdx;
+                logger.trace('found server change cipher spec message');
+            }
+            continue;
+        }
+        let plaintext = getWithoutHeader(message);
+        if (!plaintext) {
+            throw new Error('incomplete TLS record encountered');
+        }
+        if (
+        // decrypt if wrapped record or after change cipher spec message,
+        // after which records are encrypted
+        message[0] === PACKET_TYPE['WRAPPED_RECORD']
+            || (serverChangeCipherSpecMsgIdx > 0
+                && sender === TranscriptMessageSenderType
+                    .TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER)
+            || (clientChangeCipherSpecMsgIdx > 0
+                && sender === TranscriptMessageSenderType
+                    .TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT)) { // encrypted
+            if (!tlsVersion || !cipherSuite) {
+                throw new Error('Could not find cipherSuite to use & got enc record');
+            }
+            if (!reveal?.directReveal?.key) {
+                throw new Error('no direct reveal for handshake packet: ' + packetIdx);
+            }
+            const recordHeader = message.slice(0, 5);
+            ({ plaintext } = await decryptDirect(reveal?.directReveal, cipherSuite, recordHeader, tlsVersion, plaintext));
+            if (tlsVersion === 'TLS1_3') {
+                plaintext = plaintext.slice(0, -1);
+            }
+        }
+        if (incompletePkt) {
+            const incSender = receipt[incompletePkt.packetIdx].sender;
+            if (incSender !== sender) {
+                throw new Error('Missing follow up to incomplete packet at idx: '
+                    + incompletePkt.packetIdx);
+            }
+            plaintext = concatenateUint8Arrays([
+                incompletePkt.remainingBytes,
+                plaintext
+            ]);
+            incompletePkt = undefined;
+        }
+        const handshakeMessages = [];
+        // each handshake packet may contain multiple handshake messages
+        for (let offset = 0; offset < plaintext.length;) {
+            const type = plaintext[offset];
+            // +1 for the record type byte
+            const content = readWithLength(plaintext.slice(offset + 1), RECORD_LENGTH_BYTES);
+            if (!content) {
+                incompletePkt = {
+                    remainingBytes: plaintext.slice(offset),
+                    packetIdx,
+                };
+                break;
+            }
+            handshakeMessages.push({
+                type,
+                content,
+                contentWithHeader: plaintext.slice(offset, offset + 1 + RECORD_LENGTH_BYTES + content.length),
+                packetIdx,
+            });
+            offset += 1 + RECORD_LENGTH_BYTES + content.length;
+        }
+        for (const msg of handshakeMessages) {
+            await processHandshakeMessage(msg);
+            handshakeRawMessages.push(msg.contentWithHeader);
+        }
+    }
+    if (!certVerified) {
+        throw new Error('No provider certificates received');
+    }
+    if (tlsVersion === 'TLS1_3' && serverFinishedIdx < 0) {
+        throw new Error('server finished message not found');
+    }
+    if (tlsVersion === 'TLS1_3' && !certVerifyHandled) {
+        throw new Error('TLS1.3 cert verify packet not received');
+    }
+    if (tlsVersion === 'TLS1_2' && (serverChangeCipherSpecMsgIdx < 0 || clientChangeCipherSpecMsgIdx < 0)) {
+        throw new Error('change cipher spec message not found');
+    }
+    const nextMsgIndex = Math.max(serverFinishedIdx, clientFinishedIdx) + 1;
+    return {
+        tlsVersion: tlsVersion,
+        cipherSuite: cipherSuite,
+        hostname: hostname,
+        nextMsgIndex,
+    };
+    async function processHandshakeMessage({ type, content, contentWithHeader, packetIdx }) {
+        switch (type) {
+            case SUPPORTED_RECORD_TYPE_MAP.CLIENT_HELLO:
+                const clientHello = parseClientHello(contentWithHeader);
+                clientRandom = clientHello.serverRandom;
+                const { SERVER_NAME: sni } = clientHello.extensions;
+                hostname = sni?.serverName;
+                if (!hostname) {
+                    throw new Error('client hello has no SNI');
+                }
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.SERVER_HELLO:
+                const serverHello = await parseServerHello(content);
+                cipherSuite = serverHello.cipherSuite;
+                tlsVersion = serverHello.serverTlsVersion;
+                serverRandom = serverHello.serverRandom;
+                logger.info({ serverTLSVersion: tlsVersion, cipherSuite }, 'extracted server hello params');
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE:
+                const parseResult = parseCertificates(content, { version: tlsVersion });
+                certificates.push(...parseResult.certificates);
+                await verifyCertificateChain(certificates, hostname, logger);
+                logger.info({ hostname }, 'verified provider certificate chain');
+                certVerified = true;
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE_VERIFY:
+                const signature = parseServerCertificateVerify(content);
+                if (!certificates?.length) {
+                    throw new Error('No provider certificates received');
+                }
+                const signatureData = await getSignatureDataTls13(handshakeRawMessages, cipherSuite);
+                await verifyCertificateSignature({
+                    ...signature,
+                    publicKey: certificates[0].getPublicKey(),
+                    signatureData,
+                });
+                certVerifyHandled = true;
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.SERVER_KEY_SHARE:
+                if (!certificates?.length) {
+                    throw new Error('No provider certificates received');
+                }
+                const keyShare = await processServerKeyShare(content);
+                const signatureData12 = await getSignatureDataTls12({
+                    clientRandom: clientRandom,
+                    serverRandom: serverRandom,
+                    curveType: keyShare.publicKeyType,
+                    publicKey: keyShare.publicKey,
+                });
+                // verify signature
+                await verifyCertificateSignature({
+                    signature: keyShare.signatureBytes,
+                    algorithm: keyShare.signatureAlgorithm,
+                    publicKey: certificates[0].getPublicKey(),
+                    signatureData: signatureData12,
+                });
+                await verifyCertificateChain(certificates, hostname, logger);
+                logger.info({ hostname }, 'verified provider certificate chain');
+                certVerified = true;
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.FINISHED:
+                const packet = receipt[packetIdx];
+                if (packet.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
+                    clientFinishedIdx = packetIdx;
+                }
+                else {
+                    serverFinishedIdx = packetIdx;
+                }
+                break;
+        }
+    }
+}
+function getWithoutHeader(message) {
+    // strip the record header (xx 03 03 xx xx)
+    return readWithLength(message.slice(3), 2);
+}
+function readWithLength(data, lengthBytes = 2) {
+    const dataView = uint8ArrayToDataView(data);
+    const length = lengthBytes === 1
+        ? dataView.getUint8(0)
+        : dataView.getUint16(lengthBytes === 3 ? 1 : 0);
+    if (data.length < lengthBytes + length) {
+        return undefined;
+    }
+    return data.slice(lengthBytes, lengthBytes + length);
+}

package/lib/server/utils/proxy-session.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function isValidProxySessionId(sessionId: string): boolean;

package/lib/server/utils/proxy-session.js ADDED Viewed

@@ -0,0 +1,6 @@
+export function isValidProxySessionId(sessionId) {
+    return typeof sessionId === 'string'
+        && sessionId.length >= 8
+        && sessionId.length < 15
+        && /^[a-z0-9]+$/.test(sessionId);
+}

package/lib/server/utils/tee-oprf-verification.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * TEE OPRF Verification and Replacement
+ * Verifies OPRF proofs and replaces ranges in reconstructed plaintext
+ */
+import type { OPRFVerificationData } from '../../proto/tee-bundle.js';
+import type { TeeBundleData } from '../../server/utils/tee-verification.js';
+import type { Logger } from '../../types/general.js';
+export interface OprfVerificationResult {
+    position: number;
+    length: number;
+    output: Uint8Array;
+}
+/**
+ * Verifies all OPRF proofs in the bundle and returns replacement data
+ */
+export declare function verifyOprfProofs(bundleData: TeeBundleData & {
+    oprfVerifications?: OPRFVerificationData[];
+}, logger: Logger): Promise<OprfVerificationResult[]>;
+/**
+ * Replaces OPRF ranges in the reconstructed plaintext with verified outputs
+ */
+export declare function replaceOprfRanges(plaintext: Uint8Array, oprfResults: OprfVerificationResult[], logger: Logger): Uint8Array;