@microsoft/ccf-app 5.0.0-dev1 → 5.0.0-dev10

package/crypto.d.ts

@@ -11,13 +11,17 @@ export declare const generateRsaKeyPair: (size: number, exponent?: number | unde
  */
 export declare const generateEcdsaKeyPair: (curve: string) => import("./global.js").CryptoKeyPair;
 /**
- * @inheritDoc global!CCFCrypto.generateEcdsaKeyPair
+ * @inheritDoc global!CCFCrypto.generateEddsaKeyPair
  */
 export declare const generateEddsaKeyPair: (curve: string) => import("./global.js").CryptoKeyPair;
 /**
  * @inheritDoc global!CCFCrypto.wrapKey
  */
 export declare const wrapKey: (key: ArrayBuffer, wrappingKey: ArrayBuffer, wrapAlgo: import("./global.js").WrapAlgoParams) => ArrayBuffer;
+/**
+ * @inheritDoc global!CCFCrypto.unwrapKey
+ */
+export declare const unwrapKey: (key: ArrayBuffer, wrappingKey: ArrayBuffer, wrapAlgo: import("./global.js").WrapAlgoParams) => ArrayBuffer;
 /**
  * @inheritDoc global!CCFCrypto.sign
  */

package/crypto.js

@@ -27,13 +27,17 @@ export const generateRsaKeyPair = ccf.crypto.generateRsaKeyPair;
  */
 export const generateEcdsaKeyPair = ccf.crypto.generateEcdsaKeyPair;
 /**
- * @inheritDoc global!CCFCrypto.generateEcdsaKeyPair
+ * @inheritDoc global!CCFCrypto.generateEddsaKeyPair
  */
 export const generateEddsaKeyPair = ccf.crypto.generateEddsaKeyPair;
 /**
  * @inheritDoc global!CCFCrypto.wrapKey
  */
 export const wrapKey = ccf.crypto.wrapKey;
+/**
+ * @inheritDoc global!CCFCrypto.unwrapKey
+ */
+export const unwrapKey = ccf.crypto.unwrapKey;
 /**
  * @inheritDoc global!CCFCrypto.sign
  */

package/global.d.ts

@@ -298,7 +298,7 @@ export interface CCFCrypto {
     /**
      * Generate an EdDSA key pair.
      *
-     * @param curve The name of the curve. Currently only "curve25519" is supported.
+     * @param curve The name of the curve. Only "curve25519" and "x25519" are supported.
      */
     generateEddsaKeyPair(curve: string): CryptoKeyPair;
     /**
@@ -308,6 +308,13 @@ export interface CCFCrypto {
      * on the wrapping algorithm that is used (`wrapAlgo`).
      */
     wrapKey(key: ArrayBuffer, wrappingKey: ArrayBuffer, wrapAlgo: WrapAlgoParams): ArrayBuffer;
+    /**
+     * Unwraps a key using a wrapping key.
+     *
+     * Constraints on the `key` and `wrappingKey` parameters depend
+     * on the wrapping algorithm that is used (`wrapAlgo`).
+     */
+    unwrapKey(key: ArrayBuffer, wrappingKey: ArrayBuffer, wrapAlgo: WrapAlgoParams): ArrayBuffer;
     /**
      * Generate a digest (hash) of the given data.
      */
@@ -355,7 +362,7 @@ export interface CCFCrypto {
     rsaPemToJwk(pem: string, kid?: string): JsonWebKeyRSAPrivate;
     /**
      * Converts an EdDSA public key as PEM to JSON Web Key (JWK) object.
-     * Currently only Curve25519 is supported.
+     * Only Curve25519 and X25519 are supported.
      *
      * @param pem EdDSA public key as PEM
      * @param kid Key identifier (optional)
@@ -363,7 +370,7 @@ export interface CCFCrypto {
     pubEddsaPemToJwk(pem: string, kid?: string): JsonWebKeyEdDSAPublic;
     /**
      * Converts an EdDSA private key as PEM to JSON Web Key (JWK) object.
-     * Currently only Curve25519 is supported.
+     * Only Curve25519 and X25519 are supported.
      *
      * @param pem EdDSA private key as PEM
      * @param kid Key identifier (optional)
@@ -608,3 +615,67 @@ export interface OpenEnclave {
      */
     verifyOpenEnclaveEvidence(format: string | undefined, evidence: ArrayBuffer, endorsements?: ArrayBuffer): EvidenceClaims;
 }
+export interface TcbVersion {
+    boot_loader: number;
+    tee: number;
+    snp: number;
+    microcode: number;
+}
+export interface SnpAttestationResult {
+    attestation: {
+        version: number;
+        guest_svn: number;
+        policy: {
+            abi_minor: number;
+            abi_major: number;
+            smt: number;
+            migrate_ma: number;
+            debug: number;
+            single_socket: number;
+        };
+        family_id: ArrayBuffer;
+        image_id: ArrayBuffer;
+        vmpl: number;
+        signature_algo: number;
+        platform_version: TcbVersion;
+        platform_info: {
+            smt_en: number;
+            tsme_en: number;
+        };
+        flags: {
+            author_key_en: number;
+            mask_chip_key: number;
+            signing_key: number;
+        };
+        report_data: ArrayBuffer;
+        measurement: ArrayBuffer;
+        host_data: ArrayBuffer;
+        id_key_digest: ArrayBuffer;
+        author_key_digest: ArrayBuffer;
+        report_id: ArrayBuffer;
+        report_id_ma: ArrayBuffer;
+        reported_tcb: TcbVersion;
+        chip_id: ArrayBuffer;
+        committed_tcb: TcbVersion;
+        current_minor: number;
+        current_build: number;
+        current_major: number;
+        committed_build: number;
+        committed_minor: number;
+        committed_major: number;
+        launch_tcb: TcbVersion;
+        signature: {
+            r: ArrayBuffer;
+            s: ArrayBuffer;
+        };
+    };
+    uvm_endorsements?: {
+        did: string;
+        feed: string;
+        svn: string;
+    };
+}
+export declare const snp_attestation: SnpAttestation;
+export interface SnpAttestation {
+    verifySnpAttestation(evidence: ArrayBuffer, endorsements: ArrayBuffer, uvm_endorsements?: ArrayBuffer, endorsed_tcb?: string): SnpAttestationResult;
+}

package/global.js

@@ -21,3 +21,5 @@
 // This avoids polluting the global namespace.
 export const ccf = globalThis.ccf;
 export const openenclave = globalThis.openenclave;
+export const snp_attestation = globalThis
+    .snp_attestation;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@microsoft/ccf-app",
-  "version": "5.0.0-dev1",
+  "version": "5.0.0-dev10",
   "description": "CCF app support package",
   "main": "index.js",
   "files": [
@@ -25,10 +25,11 @@
     "chai": "^4.3.4",
     "colors": "1.4.0",
     "cross-env": "^7.0.3",
+    "get-func-name": "3.0.0",
     "mocha": "^10.0.0",
     "node-forge": "^1.2.0",
     "ts-node": "^10.4.0",
-    "typedoc": "^0.24.1",
+    "typedoc": "^0.25.0",
     "typescript": "^5.0.2"
   }
 }

package/polyfill.js

@@ -207,19 +207,32 @@ class CCFPolyfill {
                 return ecdsaKeyPair;
             },
             generateEddsaKeyPair(curve) {
-                // `type` is always "ed25519" because currently only "curve25519" is supported for `curve`.
-                const type = "ed25519";
-                const ecdsaKeyPair = jscrypto.generateKeyPairSync(type, {
-                    publicKeyEncoding: {
-                        type: "spki",
-                        format: "pem",
-                    },
-                    privateKeyEncoding: {
-                        type: "pkcs8",
-                        format: "pem",
-                    },
-                });
-                return ecdsaKeyPair;
+                if (curve === "curve25519") {
+                    return jscrypto.generateKeyPairSync("ed25519", {
+                        publicKeyEncoding: {
+                            type: "spki",
+                            format: "pem",
+                        },
+                        privateKeyEncoding: {
+                            type: "pkcs8",
+                            format: "pem",
+                        },
+                    });
+                }
+                else {
+                    if (curve !== "x25519")
+                        throw new Error("Unsupported curve for EdDSA key pair generation: " + curve);
+                    return jscrypto.generateKeyPairSync("x25519", {
+                        publicKeyEncoding: {
+                            type: "spki",
+                            format: "pem",
+                        },
+                        privateKeyEncoding: {
+                            type: "pkcs8",
+                            format: "pem",
+                        },
+                    });
+                }
             },
             wrapKey(key, wrappingKey, parameters) {
                 if (parameters.name === "RSA-OAEP") {
@@ -252,6 +265,41 @@ class CCFPolyfill {
                     throw new Error("unsupported wrapAlgo.name");
                 }
             },
+            unwrapKey(wrappedKey, unwrappingKey, unwrapAlgo) {
+                if (unwrapAlgo.name == "RSA-OAEP") {
+                    return nodeBufToArrBuf(jscrypto.privateDecrypt({
+                        key: Buffer.from(unwrappingKey),
+                        oaepHash: "sha256",
+                        padding: jscrypto.constants.RSA_PKCS1_OAEP_PADDING,
+                    }, new Uint8Array(wrappedKey)));
+                }
+                else if (unwrapAlgo.name == "AES-KWP") {
+                    const iv = Buffer.from("A65959A6", "hex"); // defined in RFC 5649
+                    const decipher = jscrypto.createDecipheriv("id-aes256-wrap-pad", new Uint8Array(unwrappingKey), iv);
+                    return nodeBufToArrBuf(Buffer.concat([
+                        decipher.update(new Uint8Array(wrappedKey)),
+                        decipher.final(),
+                    ]));
+                }
+                else if (unwrapAlgo.name == "RSA-OAEP-AES-KWP") {
+                    const keyInfo = jscrypto.createPrivateKey(Buffer.from(unwrappingKey));
+                    // asymmetricKeyDetails added in Node.js 15.7.0, we're at 16.
+                    console.log(`Modulus length: `, keyInfo?.asymmetricKeyDetails?.modulusLength);
+                    const modulusLengthInBytes = (keyInfo?.asymmetricKeyDetails?.modulusLength || 2048) / 8;
+                    const wrap1 = wrappedKey.slice(0, modulusLengthInBytes);
+                    const wrap2 = wrappedKey.slice(modulusLengthInBytes);
+                    const aesKey = this.unwrapKey(wrap1, unwrappingKey, {
+                        name: "RSA-OAEP",
+                        label: unwrapAlgo.label,
+                    });
+                    return this.unwrapKey(wrap2, aesKey, {
+                        name: "AES-KWP",
+                    });
+                }
+                else {
+                    throw new Error("unsupported unwrapAlgo.name");
+                }
+            },
             digest(algorithm, data) {
                 if (algorithm === "SHA-256") {
                     return nodeBufToArrBuf(jscrypto.createHash("sha256").update(new Uint8Array(data)).digest());
@@ -456,6 +504,9 @@ class CCFPolyfill {
     wrapKey(key, wrappingKey, parameters) {
         return this.crypto.wrapKey(key, wrappingKey, parameters);
     }
+    unwrapKey(key, wrappingKey, parameters) {
+        return this.crypto.unwrapKey(key, wrappingKey, parameters);
+    }
     digest(algorithm, data) {
         return this.crypto.digest(algorithm, data);
     }
@@ -479,6 +530,12 @@ class OpenEnclavePolyfill {
     }
 }
 globalThis.openenclave = new OpenEnclavePolyfill();
+class SnpAttestationPolyfill {
+    verifySnpAttestation(evidence, endorsements, uvm_endorsements, endorsed_tcb) {
+        throw new Error("Method not implemented.");
+    }
+}
+globalThis.snp_attestation = new SnpAttestationPolyfill();
 function nodeBufToArrBuf(buf) {
     // Note: buf.buffer is not safe, see docs.
     const arrBuf = new ArrayBuffer(buf.byteLength);

package/snp_attestation.d.ts

@@ -0,0 +1,4 @@
+/**
+ * @inheritDoc global!SnpAttestation.verifySnpAttestation
+ */
+export declare const verifySnpAttestation: (evidence: ArrayBuffer, endorsements: ArrayBuffer, uvm_endorsements?: ArrayBuffer | undefined, endorsed_tcb?: string | undefined) => import("./global").SnpAttestationResult;

package/snp_attestation.js

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+/**
+ * The `snp_attestation` module provides SNP Attestation Validation.
+ *
+ * @module
+ */
+import { snp_attestation } from "./global";
+/**
+ * @inheritDoc global!SnpAttestation.verifySnpAttestation
+ */
+export const verifySnpAttestation = snp_attestation.verifySnpAttestation;

package/textcodec.d.ts

@@ -0,0 +1,26 @@
+export type TextEncoderEncodeIntoResult = {
+    read?: number;
+    written?: number;
+};
+/**
+ * TextEncoder can be used to encode string to Uint8Array.
+ */
+export declare class TextEncoder {
+    /**
+     * Always returns "utf-8".
+     */
+    readonly encoding: string;
+    /**
+     * Returns Uint8Array containing UTF-8 encoded text.
+     * @param input Input string to encode.
+     * @returns Encoded bytes.
+     */
+    encode(input: string): Uint8Array;
+    /**
+     * Not implemented.
+     * @param input
+     * @param output
+     * @throws Always throws an Error object.
+     */
+    encodeInto(input: string, output: Uint8Array): TextEncoderEncodeIntoResult;
+}

package/textcodec.js

@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+/**
+ * The `textcodec` module provides access to TextEncoder Web API class.
+ *
+ * Example:
+ * ```
+ * import * as ccftextcodec from '@microsoft/ccf-app/textcodec.js';
+ *
+ * const bytes = new ccftextcodec.TextEncoder().encode("foo")
+ * ```
+ *
+ * If you need TextEncoder Web API as a globally accessible class:
+ * ```
+ * import * as ccftextcodec from '@microsoft/ccf-app/textcodec.js';
+ *
+ * if (globalThis != undefined && (globalThis as any).TextEncoder == undefined) {
+ *   (globalThis as any).TextEncoder = ccftextcodec.TextEncoder;
+ * }
+ *
+ * ```
+ *
+ * @module
+ */
+import { ccf } from "./global.js";
+/**
+ * TextEncoder can be used to encode string to Uint8Array.
+ */
+export class TextEncoder {
+    constructor() {
+        /**
+         * Always returns "utf-8".
+         */
+        this.encoding = "utf-8";
+    }
+    /**
+     * Returns Uint8Array containing UTF-8 encoded text.
+     * @param input Input string to encode.
+     * @returns Encoded bytes.
+     */
+    encode(input) {
+        return new Uint8Array(ccf.strToBuf(input));
+    }
+    /**
+     * Not implemented.
+     * @param input
+     * @param output
+     * @throws Always throws an Error object.
+     */
+    encodeInto(input, output) {
+        throw new Error("Not implemented");
+    }
+}