npm - @motebit/crypto-tpm - Versions diffs - 1.0.0 → 1.1.0 - Mend

@motebit/crypto-tpm 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -38,9 +38,10 @@ TPM 2.0's `TPMS_ATTEST` structure is ~100 lines of big-endian length-prefixed ma
 - [`@motebit/crypto`](https://www.npmjs.com/package/@motebit/crypto) — dispatcher (pure permissive-floor; zero deps)
 - [`@motebit/crypto-appattest`](https://www.npmjs.com/package/@motebit/crypto-appattest) — iOS sibling
-- [`@motebit/crypto-play-integrity`](https://www.npmjs.com/package/@motebit/crypto-play-integrity) — Android sibling
+- [`@motebit/crypto-android-keystore`](https://www.npmjs.com/package/@motebit/crypto-android-keystore) — Android sibling (canonical sovereign-verifiable Android primitive)
 - [`@motebit/crypto-webauthn`](https://www.npmjs.com/package/@motebit/crypto-webauthn) — browser sibling
-- [`@motebit/verify`](https://www.npmjs.com/package/@motebit/verify) — canonical CLI bundling all four leaves with motebit defaults
+- [`@motebit/crypto-play-integrity`](https://www.npmjs.com/package/@motebit/crypto-play-integrity) — _(deprecated — see `crypto-android-keystore`)_
+- [`@motebit/verify`](https://www.npmjs.com/package/@motebit/verify) — canonical CLI bundling the platform leaves with motebit defaults
 ## License

package/dist/index.d.ts CHANGED Viewed

@@ -30,7 +30,7 @@ import type { TpmVerifyResult } from "./verify.js";
 export { verifyTpmQuote } from "./verify.js";
 export type { TpmVerifyOptions, TpmVerifyResult, TpmVerifyError } from "./verify.js";
 export { parseTpmsAttest, composeTpmsAttestForTest, TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE, type TpmsAttest, } from "./tpm-parse.js";
-export { DEFAULT_PINNED_TPM_ROOTS, INFINEON_TPM_EK_ROOT_PEM, NUVOTON_TPM_EK_ROOT_PEM, STMICRO_TPM_EK_ROOT_PEM, INTEL_PTT_EK_ROOT_PEM, TPM_PLATFORM, } from "./tpm-roots.js";
+export { DEFAULT_PINNED_TPM_ROOTS, INFINEON_TPM_EK_ROOT_PEM, NUVOTON_TPM_EK_ROOT_PEM, STMICRO_TPM_EK_RSA_ROOT_PEM, STMICRO_TPM_EK_ECC_ROOT_PEM, STMICRO_TPM_EK_ROOT_PEM, INTEL_PTT_EK_ROOT_PEM, TPM_PLATFORM, } from "./tpm-roots.js";
 /**
  * Shape the optional verifier injected into `@motebit/crypto`'s
  * `HardwareAttestationVerifiers.tpm` slot carries — mirrors the

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAGlE,OAAO,KAAK,EAAoB,eAAe,EAAE,MAAM,aAAa,CAAC;AAErE,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACrF,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,UAAU,GAChB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,qBAAqB,EACrB,YAAY,GACb,MAAM,gBAAgB,CAAC;AAExB;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC7D,QAAQ,CAAC,kBAAkB,CAAC,EAAE,eAAe,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;CACtC;AAED,MAAM,WAAW,iBAAiB;IAChC,8EAA8E;IAC9E,QAAQ,CAAC,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC,8EAA8E;IAC9E,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,kBAAkB,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,MAAM,CAAC,EAAE,iBAAiB,GACzB,CACD,KAAK,EAAE,wBAAwB,EAC/B,mBAAmB,EAAE,MAAM,EAC3B,OAAO,CAAC,EAAE,kBAAkB,KACzB,OAAO,CAAC,iBAAiB,CAAC,CAwB9B"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAGlE,OAAO,KAAK,EAAoB,eAAe,EAAE,MAAM,aAAa,CAAC;AAErE,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACrF,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,UAAU,GAChB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,uBAAuB,EACvB,2BAA2B,EAC3B,2BAA2B,EAE3B,uBAAuB,EACvB,qBAAqB,EACrB,YAAY,GACb,MAAM,gBAAgB,CAAC;AAExB;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;QAAE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC7D,QAAQ,CAAC,kBAAkB,CAAC,EAAE,eAAe,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;CACtC;AAED,MAAM,WAAW,iBAAiB;IAChC,8EAA8E;IAC9E,QAAQ,CAAC,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC,8EAA8E;IAC9E,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,kBAAkB,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,MAAM,CAAC,EAAE,iBAAiB,GACzB,CACD,KAAK,EAAE,wBAAwB,EAC/B,mBAAmB,EAAE,MAAM,EAC3B,OAAO,CAAC,EAAE,kBAAkB,KACzB,OAAO,CAAC,iBAAiB,CAAC,CAwB9B"}

package/dist/index.js CHANGED Viewed

@@ -28,7 +28,9 @@
 import { verifyTpmQuote } from "./verify.js";
 export { verifyTpmQuote } from "./verify.js";
 export { parseTpmsAttest, composeTpmsAttestForTest, TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE, } from "./tpm-parse.js";
-export { DEFAULT_PINNED_TPM_ROOTS, INFINEON_TPM_EK_ROOT_PEM, NUVOTON_TPM_EK_ROOT_PEM, STMICRO_TPM_EK_ROOT_PEM, INTEL_PTT_EK_ROOT_PEM, TPM_PLATFORM, } from "./tpm-roots.js";
+export { DEFAULT_PINNED_TPM_ROOTS, INFINEON_TPM_EK_ROOT_PEM, NUVOTON_TPM_EK_ROOT_PEM, STMICRO_TPM_EK_RSA_ROOT_PEM, STMICRO_TPM_EK_ECC_ROOT_PEM,
+// eslint-disable-next-line @typescript-eslint/no-deprecated -- maintained for one minor cycle; consumers should migrate to the explicit RSA / ECC constants. Removed in 2.0.0.
+STMICRO_TPM_EK_ROOT_PEM, INTEL_PTT_EK_ROOT_PEM, TPM_PLATFORM, } from "./tpm-roots.js";
 /**
  * Factory — build a `tpm` verifier bound to an optional test-root /
  * clock / context override. The returned function matches the

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAIH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAG7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,mBAAmB,EACnB,mBAAmB,GAEpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,qBAAqB,EACrB,YAAY,GACb,MAAM,gBAAgB,CAAC;AAuDxB;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,MAA0B;IAM1B,OAAO,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,EAAE;QACnD,gEAAgE;QAChE,mEAAmE;QACnE,mDAAmD;QACnD,MAAM,SAAS,GAAG,OAAO,EAAE,iBAAiB,IAAI,MAAM,EAAE,OAAO,EAAE,iBAAiB,CAAC;QACnF,MAAM,QAAQ,GAAG,OAAO,EAAE,gBAAgB,IAAI,MAAM,EAAE,OAAO,EAAE,gBAAgB,CAAC;QAChF,MAAM,UAAU,GAAG,OAAO,EAAE,kBAAkB,IAAI,MAAM,EAAE,OAAO,EAAE,kBAAkB,CAAC;QACtF,MAAM,IAAI,GAAqB;YAC7B,4BAA4B,EAAE,mBAAmB;YACjD,GAAG,CAAC,MAAM,EAAE,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACxE,GAAG,CAAC,MAAM,EAAE,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACzD,GAAG,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpE,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjE,GAAG,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxE,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,kBAAkB,EAAE,MAAM;SAC3B,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAIH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAG7C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,OAAO,EACL,eAAe,EACf,wBAAwB,EACxB,mBAAmB,EACnB,mBAAmB,GAEpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,uBAAuB,EACvB,2BAA2B,EAC3B,2BAA2B;AAC3B,+KAA+K;AAC/K,uBAAuB,EACvB,qBAAqB,EACrB,YAAY,GACb,MAAM,gBAAgB,CAAC;AAuDxB;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,MAA0B;IAM1B,OAAO,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,EAAE;QACnD,gEAAgE;QAChE,mEAAmE;QACnE,mDAAmD;QACnD,MAAM,SAAS,GAAG,OAAO,EAAE,iBAAiB,IAAI,MAAM,EAAE,OAAO,EAAE,iBAAiB,CAAC;QACnF,MAAM,QAAQ,GAAG,OAAO,EAAE,gBAAgB,IAAI,MAAM,EAAE,OAAO,EAAE,gBAAgB,CAAC;QAChF,MAAM,UAAU,GAAG,OAAO,EAAE,kBAAkB,IAAI,MAAM,EAAE,OAAO,EAAE,kBAAkB,CAAC;QACtF,MAAM,IAAI,GAAqB;YAC7B,4BAA4B,EAAE,mBAAmB;YACjD,GAAG,CAAC,MAAM,EAAE,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACxE,GAAG,CAAC,MAAM,EAAE,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACzD,GAAG,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpE,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjE,GAAG,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxE,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,kBAAkB,EAAE,MAAM;SAC3B,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}

package/dist/tpm-roots.d.ts CHANGED Viewed

@@ -16,68 +16,114 @@
  *
  *   - Infineon          (`OptigaTrustM`, `SLB966x` families)
  *   - Nuvoton            (`NPCT7xx` family)
- *   - STMicroelectronics (`ST33TPHF2ESPI`, `ST33HTPH2E32AHB3` families)
+ *   - STMicroelectronics (`ST33TPHF2ESPI`, `ST33HTPH2E32AHB3`,
+ *                         `ST33KTPM2X` families) — RSA + ECC parallel
+ *                         roots; both pinned
  *   - Intel PTT          (firmware TPM bundled with Intel CSME)
  *
  * AMD fTPM (firmware TPM bundled with AMD PSP) uses a vendor-signed
  * chain that roots to AMD's EK CA; that root is additive and lands in
  * a subsequent pass once the first AMD-shaped test vector is captured.
  *
- * ## Operator follow-up — ship-blocking for production rollout
+ * ## Real-fixture coverage is a separate concern
  *
- * The PEMs below are declared as exported constants so the test suite
- * exercises the same chain-verification code path end-to-end. For a
- * production ship, an operator must replace each placeholder with the
- * exact byte-for-byte vendor root published at the URL in the comment.
- * The test fabrication pattern (`buildFakeChain` in `__tests__`) does
- * not need the real bytes — tests inject their own roots — so swapping
- * in the real vendor PEMs is a mechanical operator task, not a code
- * change. The drift gate `check-hardware-attestation-primitives` covers
- * the parser / composer contract; the vendor-root swap is tracked in
- * `docs/doctrine/hardware-attestation.md` §Non-goals.
+ * Pinning the production vendor root bytes (this file) is one half of
+ * the moat-provability claim. The other half — proving the verifier
+ * agrees with what real hardware emits in the wild — requires a
+ * captured TPM2_Quote from an actual device with its full AK→vendor-
+ * root chain. Real-device captures expose serial-number-grade chip
+ * identity (each device's EK cert is unique by design), so projects
+ * systemically don't publish them. Real-fixture coverage stays deferred
+ * to an owned-hardware capture session; see
+ * `docs/doctrine/hardware-attestation.md` §"Real TPM fixture status".
+ * The `rootPems` test override path remains for synthetic chain-
+ * verification tests that don't require a real-device fixture.
+ *
+ * Each constant below ships its real vendor-published bytes. Each
+ * comment names: source URL, subject DN, SHA-256 fingerprint, and
+ * validity window. The fingerprint is the audit anchor — a third-party
+ * verifier that fetches the same vendor URL and computes its own
+ * SHA-256 should reach the byte-identical value below.
  */
 /**
- * Infineon OPTIGA TPM 2.0 Endorsement Key Root CA.
- *
- * Published at: https://pki.infineon.com/OptigaEccRootCA/OptigaEccRootCA.crt
+ * Infineon OPTIGA(TM) ECC Root CA.
  *
- * Placeholder PEM — replace with the real vendor bytes before
- * production rollout. Tests override via `rootPems` option.
+ *   Source:     https://pki.infineon.com/OptigaEccRootCA/OptigaEccRootCA.crt
+ *   Subject:    C=DE, O=Infineon Technologies AG, OU=OPTIGA(TM) Devices,
+ *               CN=Infineon OPTIGA(TM) ECC Root CA
+ *   SHA-256:    cfeb02fecd55ad7a73c6e1d11985d4c47dee248ab63dcb66091a2489660443c3
+ *   Public key: ECDSA P-384
+ *   Validity:   2013-07-26 → 2043-07-25
  */
-export declare const INFINEON_TPM_EK_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBdjCCARygAwIBAgIJAIMw8f7k8+xyMAoGCCqGSM49BAMCMCIxIDAeBgNVBAMM\nF01vdGViaXQgSW5maW5lb24gUGxhY2Vob2xkZXIwHhcNMjYwNDIyMDAwMDAwWhcN\nNDYwNDIyMDAwMDAwWjAiMSAwHgYDVQQDDBdNb3RlYml0IEluZmluZW9uIFBsYWNl\naG9sZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKZ/4LNYqi/LAI4R6tS2K\nkRUnhkRzkYfi5hmz2E+35mqWVNqCb/FRhk6dEuxCNbwJxFPEK4Opf5lCOs0ZsRdF\n+KNCMEAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQp3ojpUGm1YB9N+9lQHg0s\nVpSoBTAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQCjxfFCCf6t\nCpGcGc7Gsk8h2RFQ7CFW8NzkjuvUZZ7bwwIhAJ/CB4+XzV5EhcOf0qRZN8zmJb8G\nB9Z9EFcZ7Nt1l4Tn\n-----END CERTIFICATE-----\n";
+export declare const INFINEON_TPM_EK_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIICWzCCAeKgAwIBAgIBBDAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEhMB8G\nA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJR0Eo\nVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUNDIFJv\nb3QgQ0EwHhcNMTMwNzI2MDAwMDAwWhcNNDMwNzI1MjM1OTU5WjB3MQswCQYDVQQG\nEwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQL\nDBJPUFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShU\nTSkgRUNDIFJvb3QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQm1HxLVgvAu1q2\nGM+ymTz12zdTEu0JBVG9CdsVEJv/pE7pSWOlsG3YwU792YAvjSy7zL+WtDK40KGe\nOm8bSWt46QJ00MQUkYxz6YqXbb14BBr06hWD6u6IMBupNkPd9pKjQjBAMB0GA1Ud\nDgQWBBS0GIXISkrFEnryQDnexPWLHn5K0TAOBgNVHQ8BAf8EBAMCAAYwDwYDVR0T\nAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNnADBkAjA6QZcV8DjjbPuKjKDZQmTRywZk\nMAn8wE6kuW3EouVvBt+/2O+szxMe4vxj8R6TDCYCMG7c9ov86ll/jDlJb/q0L4G+\n+O3Bdel9P5+cOgzIGANkOPEzBQM3VfJegfnriT/kaA==\n-----END CERTIFICATE-----\n";
 /**
- * Nuvoton NPCT TPM 2.0 Endorsement Key Root CA.
+ * Nuvoton TPM Root CA 2110.
  *
- * Published at: https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 2110.cer
- *
- * Placeholder PEM — replace with the real vendor bytes before
- * production rollout. Tests override via `rootPems` option.
+ *   Source:     https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 2110.cer
+ *   Subject:    CN=Nuvoton TPM Root CA 2110, O=Nuvoton Technology Corporation, C=TW
+ *   SHA-256:    4aebe77a51ed29959a7f9f5e07a24a558dee8167f3985d724995a541c258dfda
+ *   Public key: ECDSA P-256
+ *   Validity:   2015-10-19 → 2035-10-15
  */
-export declare const NUVOTON_TPM_EK_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBczCCARmgAwIBAgIJAL7X6p2yXxJJMAoGCCqGSM49BAMCMCAxHjAcBgNVBAMM\nFU1vdGViaXQgTnV2b3RvbiBQbGFjZWhvbGRlcjAeFw0yNjA0MjIwMDAwMDBaFw00\nNjA0MjIwMDAwMDBaMCAxHjAcBgNVBAMMFU1vdGViaXQgTnV2b3RvbiBQbGFjZWhv\nbGRlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJgPwHoU+cVjX3HzkXpEksdn\nf3KPRwMbFYvE3tkqDcW8JqzG8qO5VwPKFPwoAEE2C8dJpKHEk7fA4iGrSXz7x/6j\nQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUNskUYy3Uz8Tvuvbu/B5VTJA2\nlLcwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiAAbU6/dL06n8Cw\nCYI/rHo/cLWEFQKH5VnzDJH4RN5fIgIgAN0F3fYbTBa9H8OXCJdXUDxSDr2iT8E5\nVDz6f2s3uFo=\n-----END CERTIFICATE-----\n";
+export declare const NUVOTON_TPM_EK_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIICBjCCAaygAwIBAgIIP5MvnZk8FrswCgYIKoZIzj0EAwIwVTFTMB8GA1UEAxMY\nTnV2b3RvbiBUUE0gUm9vdCBDQSAyMTEwMCUGA1UEChMeTnV2b3RvbiBUZWNobm9s\nb2d5IENvcnBvcmF0aW9uMAkGA1UEBhMCVFcwHhcNMTUxMDE5MDQzMjAwWhcNMzUx\nMDE1MDQzMjAwWjBVMVMwHwYDVQQDExhOdXZvdG9uIFRQTSBSb290IENBIDIxMTAw\nJQYDVQQKEx5OdXZvdG9uIFRlY2hub2xvZ3kgQ29ycG9yYXRpb24wCQYDVQQGEwJU\nVzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPv9uK2BNm8/nmIyNsc2/aKHV0WR\nptzge3jKAIgUMosQIokl4LE3iopXWD3Hruxjf9vkLMDJrTeK3hWh2ySS4ySjZjBk\nMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSf\nu3mqD1JieL7RUJKacXHpajW+9zAfBgNVHSMEGDAWgBSfu3mqD1JieL7RUJKacXHp\najW+9zAKBggqhkjOPQQDAgNIADBFAiEA/jiywhOKpiMOUnTfDmXsXfDFokhKVNTX\nB6Xtqm7J8L4CICjT3/Y+rrSnf8zrBXqWeHDh8Wi41+w2ppq6Ev9orZFI\n-----END CERTIFICATE-----\n";
 /**
- * STMicroelectronics ST33 TPM 2.0 Endorsement Key Root CA.
+ * STSAFE RSA Root CA 02 — STMicroelectronics's RSA-PKI anchor for the
+ * ST33 / STSAFE-TPM family. Modern ST33xxx devices provision EK certs
+ * under either this RSA root or the parallel ECC root below; pin both.
  *
- * Published at: https://sw-center.st.com/STM_ROOT_CA_2.crt
+ *   Source:     https://sw-center.st.com/STSAFE/STSAFERsaRootCA02.crt
+ *   Reference:  ST Technical Note TN1330
+ *   Subject:    C=CH, O=STMicroelectronics NV, CN=STSAFE RSA Root CA 02
+ *   SHA-256:    c8f179943356e13d9d84b100201cefabbf408880241e5329e60d950ce1dea623
+ *   Public key: RSA-4096
+ *   Validity:   2022-01-20 → 9999-12-31
+ */
+export declare const STMICRO_TPM_EK_RSA_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIIFXjCCA0agAwIBAgIGVR0gAAACMA0GCSqGSIb3DQEBDAUAME0xCzAJBgNVBAYT\nAkNIMR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNU\nU0FGRSBSU0EgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAw\nMDAwMFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmlj\ncyBOVjEeMBwGA1UEAxMVU1RTQUZFIFJTQSBSb290IENBIDAyMIICIjANBgkqhkiG\n9w0BAQEFAAOCAg8AMIICCgKCAgEAyDtHbW51K/pnDbnPdLQTls2U/bu/aDATTi1W\nCZDAtFC9sWtCRK6jQ0SG9DCCys7ur170V3Q+HVov88FzH6bYg4TWY7+wEQKLR/4W\nIgdCjcW3uXMimsh9tOb+UlfRMW0yEozi7F+F/v07lULTJg+itCOMASi/caV1ySYI\ncX5z/5Woj3hDgJGa4scOoxdOfPg1GCkEjQPy7fG/IBt883palE/T4UNg1megfLcg\nhjOrbaPTFB3qXmm6E07QDYMkPiqryz3v9MCnOw62EXGcQLFIK4DwPxySU7NxO0ta\nDHXv+8B5ljv4Jtx5OLkDf9YAfjEg6ZOpsyIGKI+bgIoVYtGbXTDZAtoMKw3ystQX\nva9ceQ4cIQQUjpH6nFm8dbm/TOrkZd6m9pmLftR6kTuzRd8hhKCwpfcKbxQlMI2u\nTDVbw03IFUhk23uDSTOzsyOjB2f93SLEw1yTBuiYXhO2YHUHFJckbiuz7RdE4sjN\n1J0LwxKKbm9kleYEP+Kah6IJ0Zs7vbP3WNZUpmt6/XTmszb+paTSpanUYbBr2/IE\naQCRiAlv0H26i5u4CjSHRjjRIqLAuGnpn0gZ2Zgs1espJwmey7MPKvTJtK1H+TQN\n0HZW8DYtcdzPkpxqKndWIUR7JTnozVPCVOcirSPGdkSvhbAGPyoyv7ju86RnTiT0\nNLz7SbECAwEAAaNCMEAwHQYDVR0OBBYEFHzCjb5uWdhKVANGmxMIANL48G0nMA4G\nA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4IC\nAQCykiyYyHAXHzRBdqJ3QLr8qTDDNO3RdLToZmiFRdslaRr2RtlDDjcAEFKf1u/E\n1qprZe926Ob5KxWIQREvDAgqAbRS9fd3+w6hZ+ZrmHNh5aH2UEgsfAi9vZ3K8BH/\nrReqTm0oxCMz4socJ9tIpvGSZhJg6PDTidsIscr8iNcSsVYJO60wSMxn7tv+Buh+\nZgJFddzEYZqTuezsdiXswkAkwqTJY9KM1w0bFLHrmifkc0y6I+jeBgjGxMknz8G5\np7YX4GoeJp5LjM8z36qBFKcjkKpYEb2H+u6CxgXFsxu6nkB0pn3u2uNwmXTYIQKO\ntrcshrmoKUv7mDvtaNIa0blMTRTEZzkwrR1BsHm/Gz7NLhgkDIv9p1u5oiCwlebh\neJ1cDJ9I7puSBPiDDpkdvVPg0wNFPai/SAhjW0OaULcybVR7kXzST9/xerCoquYp\nI+qLjTs+RqahgL5a9ZRPVABX3DwvnDCarwVqMSfRjGP4e8b2BspDM+wPTvQH1K4O\nxk+qc9HT7YubzqhtJ/yfcYd/eKTsk60aNmknatNZDSFzq03lxN048n3D9mcjGDkR\n15Kv5NX8DhZuCNcBddkGC96uYpgSvl089RgnSL/qPlM+QlVjPbqDpISd/z3X4RNb\nvdT+agOdZZJRB1MROQXDnACVdQB1ba/DTO4UNEou27D03Q==\n-----END CERTIFICATE-----\n";
+/**
+ * STSAFE ECC Root CA 02 — STMicroelectronics's ECC-PKI anchor for the
+ * ST33 / STSAFE-TPM family. Sibling of the RSA root above; modern ST33
+ * devices use one or the other depending on EK template firmware.
  *
- * Placeholder PEM — replace with the real vendor bytes before
- * production rollout. Tests override via `rootPems` option.
+ *   Source:     https://sw-center.st.com/STSAFE/STSAFEEccRootCA02.crt
+ *   Reference:  ST Technical Note TN1330
+ *   Subject:    C=CH, O=STMicroelectronics NV, CN=STSAFE ECC Root CA 02
+ *   SHA-256:    fd1e7b68accd825636b27b3177c67402d463a7f04c97b6c47ab705fcdc1a04f6
+ *   Public key: ECDSA P-521
+ *   Validity:   2022-01-20 → 9999-12-31
  */
-export declare const STMICRO_TPM_EK_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBdDCCARqgAwIBAgIJAMZ4+9xZHMuaMAoGCCqGSM49BAMCMCExHzAdBgNVBAMM\nFk1vdGViaXQgU1RNaWNybyBQbGFjZWhvbGRlcjAeFw0yNjA0MjIwMDAwMDBaFw00\nNjA0MjIwMDAwMDBaMCExHzAdBgNVBAMMFk1vdGViaXQgU1RNaWNybyBQbGFjZWhv\nbGRlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLnK3t7y4JBJxzE0EFq+zsOV\n+m9n9D1YDUFb7k6hVIsKvfoH9o3rZkc4uRuSsz7fjC+IsKsMrJKXaU0mxH6ncjej\nQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUe/x8wdJYzEypFT3M0K1Jy5C6\n1j8wDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiAc9Ln4qhL7fZ5c\noUbLFsTVTEc4aeBMkxqzLrJpZOYVegIgWSfLj2Q5CQ8OFvJx8fVDkxN9OXjYT6Jm\nH6Bvb0gQaG8=\n-----END CERTIFICATE-----\n";
+export declare const STMICRO_TPM_EK_ECC_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIICWjCCAbugAwIBAgIGVR0gAAECMAoGCCqGSM49BAMEME0xCzAJBgNVBAYTAkNI\nMR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNUU0FG\nRSBFQ0MgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAwMDAw\nMFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmljcyBO\nVjEeMBwGA1UEAxMVU1RTQUZFIEVDQyBSb290IENBIDAyMIGbMBAGByqGSM49AgEG\nBSuBBAAjA4GGAAQAJFgkbtp5mZpvISjL8zAUSSJXxXpPhxhSVGQfqU0GEjPBIMMD\nKNvc23xCcyIsiFTMD4MZQ1wov0SaBE3M31bWx78BrbiPCJ4lXUvJWiwm9+v3EL1z\nlznBtyJDYUkrUe2n7r8NH7kAQ1X/csItvyomECdRtm4wwD8VX1n+l3npVlMNOxWj\nQjBAMB0GA1UdDgQWBBT1XLcHvEsXQiYkgEBLu3yAulo8vjAOBgNVHQ8BAf8EBAMC\nAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDBAOBjAAwgYgCQgC85uufYwd5\nyelX2EKkjx7s8LP6qgcXHxkO1zZYrTU7umomS5beVyPf2hA12yPVG9VnYUqs9+RA\nL0mbODJNfHR5yAJCAUf2a5qPe3a/BpZBoY7YI68nUt1UD8ScX+IbkLJQ6mPe8pNR\nxRJfSy8RvtTJcPEqH7kpj5sZjlRC5GUG/3Sco8uX\n-----END CERTIFICATE-----\n";
 /**
- * Intel PTT (Platform Trust Technology, firmware TPM inside Intel CSME)
- * Endorsement Key Root CA.
+ * Intel TPM EK Root Certificate (used by Intel PTT, the firmware TPM
+ * bundled with Intel CSME).
  *
- * Published at: https://upgrades.intel.com/content/CRL/ekcert/EKRootPublicKey.cer
+ *   Source:     https://upgrades.intel.com/content/CRL/ekcert/EKRootPublicKey.cer
+ *   Subject:    C=US, ST=CA, L=Santa Clara, O=Intel Corporation,
+ *               OU=TPM EK root cert signing, CN=www.intel.com
+ *   SHA-256:    2e1b3ba79af56d758be51697621bc4b9e8cee0983db3e749c55eb9b37c6d2ae0
+ *   Public key: ECDSA P-256
+ *   Validity:   2014-01-15 → 2049-12-31
+ */
+export declare const INTEL_PTT_EK_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIICdzCCAh6gAwIBAgIUB+dPf7a3IyJGO923z34oQLRP7pwwCgYIKoZIzj0EAwIw\ngYcxCzAJBgNVBAYMAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xh\ncmExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0aW9uMSEwHwYDVQQLDBhUUE0gRUsg\ncm9vdCBjZXJ0IHNpZ25pbmcxFjAUBgNVBAMMDXd3dy5pbnRlbC5jb20wHhcNMTQw\nMTE1MDAwMDAwWhcNNDkxMjMxMjM1OTU5WjCBhzELMAkGA1UEBgwCVVMxCzAJBgNV\nBAgMAkNBMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEaMBgGA1UECgwRSW50ZWwgQ29y\ncG9yYXRpb24xITAfBgNVBAsMGFRQTSBFSyByb290IGNlcnQgc2lnbmluZzEWMBQG\nA1UEAwwNd3d3LmludGVsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJR9\ngVEsjUrMb+E/dl19ywJsKZDnghmwVyG16dAfQ0Pftp1bjhtPEGEguvbLGRRopKWH\nVscAOlTFnvCHq+6/9/SjZjBkMB8GA1UdIwQYMBaAFOhSBcJP2NLVpSFHFrbODHtb\nuncPMB0GA1UdDgQWBBToUgXCT9jS1aUhRxa2zgx7W7p3DzASBgNVHRMBAf8ECDAG\nAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAgNHADBEAiAldFScWQ6L\nPQgW/YT+2GILcATEA2TgzASaCrG+AzL6FgIgLH8ABRzm028hRYR/JZVGkHiomzYX\nVILmTjHwSL7uZBU=\n-----END CERTIFICATE-----\n";
+/**
+ * @deprecated since 1.1.0, removed in 2.0.0. Use {@link STMICRO_TPM_EK_RSA_ROOT_PEM} (RSA-PKI) or {@link STMICRO_TPM_EK_ECC_ROOT_PEM} (ECC-PKI) directly.
  *
- * Placeholder PEM — replace with the real vendor bytes before
- * production rollout. Tests override via `rootPems` option.
+ *   Reason: ST runs parallel RSA + ECC trust anchors for the
+ *   ST33 / STSAFE-TPM family; the single-PEM constant could only
+ *   ever name one of them, and modern ST33 devices may chain to
+ *   either depending on EK template firmware. Kept as an alias for
+ *   the ECC root (the modern default for most ST33 EK templates) for
+ *   one minor release cycle so existing consumers don't break the
+ *   moment they pull `1.1.0`.
  */
-export declare const INTEL_PTT_EK_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBcjCCARegAwIBAgIJAOQz8pPRrTIxMAoGCCqGSM49BAMCMB8xHTAbBgNVBAMM\nFE1vdGViaXQgSW50ZWwgUGxhY2Vob2xkZXIwHhcNMjYwNDIyMDAwMDAwWhcNNDYw\nNDIyMDAwMDAwWjAfMR0wGwYDVQQDDBRNb3RlYml0IEludGVsIFBsYWNlaG9sZGVy\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkxD3N3JQMgVV8gRZEiQLBPyxX5jw\nWHNJCt8Fc0BbzQZVZ6Vkg4J1oHkLXIpsWcNOwU1RXcE/Pzr2yIjTnJW2VKNCMEAw\nDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQxu9vHJmf+rQznfCVCd9vNQTRwPjAP\nBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIQCbX9rmZqJgk7lYPXGj\nWBR+oXt4AYzQ8pQvTSfkG/DBYwIgEY/oKZl5QL3Jt7lJx6lJxF3vLkaKBnJ9t4K4\ngHQ4nCY=\n-----END CERTIFICATE-----\n";
+export declare const STMICRO_TPM_EK_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMIICWjCCAbugAwIBAgIGVR0gAAECMAoGCCqGSM49BAMEME0xCzAJBgNVBAYTAkNI\nMR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNUU0FG\nRSBFQ0MgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAwMDAw\nMFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmljcyBO\nVjEeMBwGA1UEAxMVU1RTQUZFIEVDQyBSb290IENBIDAyMIGbMBAGByqGSM49AgEG\nBSuBBAAjA4GGAAQAJFgkbtp5mZpvISjL8zAUSSJXxXpPhxhSVGQfqU0GEjPBIMMD\nKNvc23xCcyIsiFTMD4MZQ1wov0SaBE3M31bWx78BrbiPCJ4lXUvJWiwm9+v3EL1z\nlznBtyJDYUkrUe2n7r8NH7kAQ1X/csItvyomECdRtm4wwD8VX1n+l3npVlMNOxWj\nQjBAMB0GA1UdDgQWBBT1XLcHvEsXQiYkgEBLu3yAulo8vjAOBgNVHQ8BAf8EBAMC\nAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDBAOBjAAwgYgCQgC85uufYwd5\nyelX2EKkjx7s8LP6qgcXHxkO1zZYrTU7umomS5beVyPf2hA12yPVG9VnYUqs9+RA\nL0mbODJNfHR5yAJCAUf2a5qPe3a/BpZBoY7YI68nUt1UD8ScX+IbkLJQ6mPe8pNR\nxRJfSy8RvtTJcPEqH7kpj5sZjlRC5GUG/3Sco8uX\n-----END CERTIFICATE-----\n";
 /**
  * Default pinned-root set returned when a caller passes no `rootPems`
- * override. Ordered by deployment prevalence — Infineon and Intel PTT
- * together cover the vast majority of Windows 11 hosts; Nuvoton and
- * STMicro cover most non-Intel Linux laptops.
+ * override. Five real vendor bytes covering the four major TPM 2.0
+ * silicon vendors (STMicroelectronics ships parallel RSA + ECC roots,
+ * both pinned). Ordered by deployment prevalence — Infineon and Intel
+ * PTT together cover the vast majority of Windows 11 hosts; Nuvoton
+ * and STMicro cover most non-Intel Linux laptops and ST33-based
+ * embedded systems.
  */
 export declare const DEFAULT_PINNED_TPM_ROOTS: readonly string[];
 /**

package/dist/tpm-roots.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tpm-roots.d.ts","sourceRoot":"","sources":["../src/tpm-roots.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG~~;AAEH~~;;;;;;;GAOG~~;AACH,eAAO,MAAM,wBAAwB~~,+lBAWpC~~,CAAC;AAEF~~;;;;;;;GAOG~~;AACH,eAAO,MAAM,uBAAuB,~~2lBAWnC~~,CAAC;AAEF~~;;;;;;;GAOG~~;AACH,eAAO,MAAM,~~uBAAuB~~,~~2lBAWnC~~,CAAC;AAEF~~;;;;;;;;GAQG~~;AACH,eAAO,MAAM,qBAAqB,~~ulBAWjC~~,CAAC;AAEF~~;;;;;GAKG~~;AACH,eAAO,MAAM,wBAAwB,EAAE,SAAS,MAAM,~~EAKrD~~,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,YAAY,EAAG,KAAc,CAAC"}
1	+ {"version":3,"file":"tpm-roots.d.ts","sourceRoot":"","sources":["../src/tpm-roots.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8CG;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,wBAAwB,m4BAepC,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,2wBAanC,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,u6DA+BvC,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,+3BAevC,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,y6BAgBjC,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,+3BAA8B,CAAC;AAEnE;;;;;;;;GAQG;AACH,eAAO,MAAM,wBAAwB,EAAE,SAAS,MAAM,EAMrD,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,YAAY,EAAG,KAAc,CAAC"}

package/dist/tpm-roots.js CHANGED Viewed

@@ -16,117 +16,210 @@
  *
  *   - Infineon          (`OptigaTrustM`, `SLB966x` families)
  *   - Nuvoton            (`NPCT7xx` family)
- *   - STMicroelectronics (`ST33TPHF2ESPI`, `ST33HTPH2E32AHB3` families)
+ *   - STMicroelectronics (`ST33TPHF2ESPI`, `ST33HTPH2E32AHB3`,
+ *                         `ST33KTPM2X` families) — RSA + ECC parallel
+ *                         roots; both pinned
  *   - Intel PTT          (firmware TPM bundled with Intel CSME)
  *
  * AMD fTPM (firmware TPM bundled with AMD PSP) uses a vendor-signed
  * chain that roots to AMD's EK CA; that root is additive and lands in
  * a subsequent pass once the first AMD-shaped test vector is captured.
  *
- * ## Operator follow-up — ship-blocking for production rollout
+ * ## Real-fixture coverage is a separate concern
  *
- * The PEMs below are declared as exported constants so the test suite
- * exercises the same chain-verification code path end-to-end. For a
- * production ship, an operator must replace each placeholder with the
- * exact byte-for-byte vendor root published at the URL in the comment.
- * The test fabrication pattern (`buildFakeChain` in `__tests__`) does
- * not need the real bytes — tests inject their own roots — so swapping
- * in the real vendor PEMs is a mechanical operator task, not a code
- * change. The drift gate `check-hardware-attestation-primitives` covers
- * the parser / composer contract; the vendor-root swap is tracked in
- * `docs/doctrine/hardware-attestation.md` §Non-goals.
+ * Pinning the production vendor root bytes (this file) is one half of
+ * the moat-provability claim. The other half — proving the verifier
+ * agrees with what real hardware emits in the wild — requires a
+ * captured TPM2_Quote from an actual device with its full AK→vendor-
+ * root chain. Real-device captures expose serial-number-grade chip
+ * identity (each device's EK cert is unique by design), so projects
+ * systemically don't publish them. Real-fixture coverage stays deferred
+ * to an owned-hardware capture session; see
+ * `docs/doctrine/hardware-attestation.md` §"Real TPM fixture status".
+ * The `rootPems` test override path remains for synthetic chain-
+ * verification tests that don't require a real-device fixture.
+ *
+ * Each constant below ships its real vendor-published bytes. Each
+ * comment names: source URL, subject DN, SHA-256 fingerprint, and
+ * validity window. The fingerprint is the audit anchor — a third-party
+ * verifier that fetches the same vendor URL and computes its own
+ * SHA-256 should reach the byte-identical value below.
  */
 /**
- * Infineon OPTIGA TPM 2.0 Endorsement Key Root CA.
- *
- * Published at: https://pki.infineon.com/OptigaEccRootCA/OptigaEccRootCA.crt
+ * Infineon OPTIGA(TM) ECC Root CA.
  *
- * Placeholder PEM — replace with the real vendor bytes before
- * production rollout. Tests override via `rootPems` option.
+ *   Source:     https://pki.infineon.com/OptigaEccRootCA/OptigaEccRootCA.crt
+ *   Subject:    C=DE, O=Infineon Technologies AG, OU=OPTIGA(TM) Devices,
+ *               CN=Infineon OPTIGA(TM) ECC Root CA
+ *   SHA-256:    cfeb02fecd55ad7a73c6e1d11985d4c47dee248ab63dcb66091a2489660443c3
+ *   Public key: ECDSA P-384
+ *   Validity:   2013-07-26 → 2043-07-25
  */
 export const INFINEON_TPM_EK_ROOT_PEM = `-----BEGIN CERTIFICATE-----
-MIIBdjCCARygAwIBAgIJAIMw8f7k8+xyMAoGCCqGSM49BAMCMCIxIDAeBgNVBAMM
-F01vdGViaXQgSW5maW5lb24gUGxhY2Vob2xkZXIwHhcNMjYwNDIyMDAwMDAwWhcN
-NDYwNDIyMDAwMDAwWjAiMSAwHgYDVQQDDBdNb3RlYml0IEluZmluZW9uIFBsYWNl
-aG9sZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKZ/4LNYqi/LAI4R6tS2K
-kRUnhkRzkYfi5hmz2E+35mqWVNqCb/FRhk6dEuxCNbwJxFPEK4Opf5lCOs0ZsRdF
-+KNCMEAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQp3ojpUGm1YB9N+9lQHg0s
-VpSoBTAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQCjxfFCCf6t
-CpGcGc7Gsk8h2RFQ7CFW8NzkjuvUZZ7bwwIhAJ/CB4+XzV5EhcOf0qRZN8zmJb8G
-B9Z9EFcZ7Nt1l4Tn
+MIICWzCCAeKgAwIBAgIBBDAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEhMB8G
+A1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJR0Eo
+VE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUNDIFJv
+b3QgQ0EwHhcNMTMwNzI2MDAwMDAwWhcNNDMwNzI1MjM1OTU5WjB3MQswCQYDVQQG
+EwJERTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQL
+DBJPUFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShU
+TSkgRUNDIFJvb3QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQm1HxLVgvAu1q2
+GM+ymTz12zdTEu0JBVG9CdsVEJv/pE7pSWOlsG3YwU792YAvjSy7zL+WtDK40KGe
+Om8bSWt46QJ00MQUkYxz6YqXbb14BBr06hWD6u6IMBupNkPd9pKjQjBAMB0GA1Ud
+DgQWBBS0GIXISkrFEnryQDnexPWLHn5K0TAOBgNVHQ8BAf8EBAMCAAYwDwYDVR0T
+AQH/BAUwAwEB/zAKBggqhkjOPQQDAwNnADBkAjA6QZcV8DjjbPuKjKDZQmTRywZk
+MAn8wE6kuW3EouVvBt+/2O+szxMe4vxj8R6TDCYCMG7c9ov86ll/jDlJb/q0L4G+
++O3Bdel9P5+cOgzIGANkOPEzBQM3VfJegfnriT/kaA==
 -----END CERTIFICATE-----
 `;
 /**
- * Nuvoton NPCT TPM 2.0 Endorsement Key Root CA.
- *
- * Published at: https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 2110.cer
+ * Nuvoton TPM Root CA 2110.
  *
- * Placeholder PEM — replace with the real vendor bytes before
- * production rollout. Tests override via `rootPems` option.
+ *   Source:     https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 2110.cer
+ *   Subject:    CN=Nuvoton TPM Root CA 2110, O=Nuvoton Technology Corporation, C=TW
+ *   SHA-256:    4aebe77a51ed29959a7f9f5e07a24a558dee8167f3985d724995a541c258dfda
+ *   Public key: ECDSA P-256
+ *   Validity:   2015-10-19 → 2035-10-15
  */
 export const NUVOTON_TPM_EK_ROOT_PEM = `-----BEGIN CERTIFICATE-----
-MIIBczCCARmgAwIBAgIJAL7X6p2yXxJJMAoGCCqGSM49BAMCMCAxHjAcBgNVBAMM
-FU1vdGViaXQgTnV2b3RvbiBQbGFjZWhvbGRlcjAeFw0yNjA0MjIwMDAwMDBaFw00
-NjA0MjIwMDAwMDBaMCAxHjAcBgNVBAMMFU1vdGViaXQgTnV2b3RvbiBQbGFjZWhv
-bGRlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJgPwHoU+cVjX3HzkXpEksdn
-f3KPRwMbFYvE3tkqDcW8JqzG8qO5VwPKFPwoAEE2C8dJpKHEk7fA4iGrSXz7x/6j
-QjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUNskUYy3Uz8Tvuvbu/B5VTJA2
-lLcwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiAAbU6/dL06n8Cw
-CYI/rHo/cLWEFQKH5VnzDJH4RN5fIgIgAN0F3fYbTBa9H8OXCJdXUDxSDr2iT8E5
-VDz6f2s3uFo=
+MIICBjCCAaygAwIBAgIIP5MvnZk8FrswCgYIKoZIzj0EAwIwVTFTMB8GA1UEAxMY
+TnV2b3RvbiBUUE0gUm9vdCBDQSAyMTEwMCUGA1UEChMeTnV2b3RvbiBUZWNobm9s
+b2d5IENvcnBvcmF0aW9uMAkGA1UEBhMCVFcwHhcNMTUxMDE5MDQzMjAwWhcNMzUx
+MDE1MDQzMjAwWjBVMVMwHwYDVQQDExhOdXZvdG9uIFRQTSBSb290IENBIDIxMTAw
+JQYDVQQKEx5OdXZvdG9uIFRlY2hub2xvZ3kgQ29ycG9yYXRpb24wCQYDVQQGEwJU
+VzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPv9uK2BNm8/nmIyNsc2/aKHV0WR
+ptzge3jKAIgUMosQIokl4LE3iopXWD3Hruxjf9vkLMDJrTeK3hWh2ySS4ySjZjBk
+MA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSf
+u3mqD1JieL7RUJKacXHpajW+9zAfBgNVHSMEGDAWgBSfu3mqD1JieL7RUJKacXHp
+ajW+9zAKBggqhkjOPQQDAgNIADBFAiEA/jiywhOKpiMOUnTfDmXsXfDFokhKVNTX
+B6Xtqm7J8L4CICjT3/Y+rrSnf8zrBXqWeHDh8Wi41+w2ppq6Ev9orZFI
 -----END CERTIFICATE-----
 `;
 /**
- * STMicroelectronics ST33 TPM 2.0 Endorsement Key Root CA.
+ * STSAFE RSA Root CA 02 — STMicroelectronics's RSA-PKI anchor for the
+ * ST33 / STSAFE-TPM family. Modern ST33xxx devices provision EK certs
+ * under either this RSA root or the parallel ECC root below; pin both.
  *
- * Published at: https://sw-center.st.com/STM_ROOT_CA_2.crt
- *
- * Placeholder PEM — replace with the real vendor bytes before
- * production rollout. Tests override via `rootPems` option.
+ *   Source:     https://sw-center.st.com/STSAFE/STSAFERsaRootCA02.crt
+ *   Reference:  ST Technical Note TN1330
+ *   Subject:    C=CH, O=STMicroelectronics NV, CN=STSAFE RSA Root CA 02
+ *   SHA-256:    c8f179943356e13d9d84b100201cefabbf408880241e5329e60d950ce1dea623
+ *   Public key: RSA-4096
+ *   Validity:   2022-01-20 → 9999-12-31
  */
-export const STMICRO_TPM_EK_ROOT_PEM = `-----BEGIN CERTIFICATE-----
-MIIBdDCCARqgAwIBAgIJAMZ4+9xZHMuaMAoGCCqGSM49BAMCMCExHzAdBgNVBAMM
-Fk1vdGViaXQgU1RNaWNybyBQbGFjZWhvbGRlcjAeFw0yNjA0MjIwMDAwMDBaFw00
-NjA0MjIwMDAwMDBaMCExHzAdBgNVBAMMFk1vdGViaXQgU1RNaWNybyBQbGFjZWhv
-bGRlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLnK3t7y4JBJxzE0EFq+zsOV
-+m9n9D1YDUFb7k6hVIsKvfoH9o3rZkc4uRuSsz7fjC+IsKsMrJKXaU0mxH6ncjej
-QjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUe/x8wdJYzEypFT3M0K1Jy5C6
-1j8wDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiAc9Ln4qhL7fZ5c
-oUbLFsTVTEc4aeBMkxqzLrJpZOYVegIgWSfLj2Q5CQ8OFvJx8fVDkxN9OXjYT6Jm
-H6Bvb0gQaG8=
+export const STMICRO_TPM_EK_RSA_ROOT_PEM = `-----BEGIN CERTIFICATE-----
+MIIFXjCCA0agAwIBAgIGVR0gAAACMA0GCSqGSIb3DQEBDAUAME0xCzAJBgNVBAYT
+AkNIMR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNU
+U0FGRSBSU0EgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAw
+MDAwMFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmlj
+cyBOVjEeMBwGA1UEAxMVU1RTQUZFIFJTQSBSb290IENBIDAyMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAyDtHbW51K/pnDbnPdLQTls2U/bu/aDATTi1W
+CZDAtFC9sWtCRK6jQ0SG9DCCys7ur170V3Q+HVov88FzH6bYg4TWY7+wEQKLR/4W
+IgdCjcW3uXMimsh9tOb+UlfRMW0yEozi7F+F/v07lULTJg+itCOMASi/caV1ySYI
+cX5z/5Woj3hDgJGa4scOoxdOfPg1GCkEjQPy7fG/IBt883palE/T4UNg1megfLcg
+hjOrbaPTFB3qXmm6E07QDYMkPiqryz3v9MCnOw62EXGcQLFIK4DwPxySU7NxO0ta
+DHXv+8B5ljv4Jtx5OLkDf9YAfjEg6ZOpsyIGKI+bgIoVYtGbXTDZAtoMKw3ystQX
+va9ceQ4cIQQUjpH6nFm8dbm/TOrkZd6m9pmLftR6kTuzRd8hhKCwpfcKbxQlMI2u
+TDVbw03IFUhk23uDSTOzsyOjB2f93SLEw1yTBuiYXhO2YHUHFJckbiuz7RdE4sjN
+1J0LwxKKbm9kleYEP+Kah6IJ0Zs7vbP3WNZUpmt6/XTmszb+paTSpanUYbBr2/IE
+aQCRiAlv0H26i5u4CjSHRjjRIqLAuGnpn0gZ2Zgs1espJwmey7MPKvTJtK1H+TQN
+0HZW8DYtcdzPkpxqKndWIUR7JTnozVPCVOcirSPGdkSvhbAGPyoyv7ju86RnTiT0
+NLz7SbECAwEAAaNCMEAwHQYDVR0OBBYEFHzCjb5uWdhKVANGmxMIANL48G0nMA4G
+A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4IC
+AQCykiyYyHAXHzRBdqJ3QLr8qTDDNO3RdLToZmiFRdslaRr2RtlDDjcAEFKf1u/E
+1qprZe926Ob5KxWIQREvDAgqAbRS9fd3+w6hZ+ZrmHNh5aH2UEgsfAi9vZ3K8BH/
+rReqTm0oxCMz4socJ9tIpvGSZhJg6PDTidsIscr8iNcSsVYJO60wSMxn7tv+Buh+
+ZgJFddzEYZqTuezsdiXswkAkwqTJY9KM1w0bFLHrmifkc0y6I+jeBgjGxMknz8G5
+p7YX4GoeJp5LjM8z36qBFKcjkKpYEb2H+u6CxgXFsxu6nkB0pn3u2uNwmXTYIQKO
+trcshrmoKUv7mDvtaNIa0blMTRTEZzkwrR1BsHm/Gz7NLhgkDIv9p1u5oiCwlebh
+eJ1cDJ9I7puSBPiDDpkdvVPg0wNFPai/SAhjW0OaULcybVR7kXzST9/xerCoquYp
+I+qLjTs+RqahgL5a9ZRPVABX3DwvnDCarwVqMSfRjGP4e8b2BspDM+wPTvQH1K4O
+xk+qc9HT7YubzqhtJ/yfcYd/eKTsk60aNmknatNZDSFzq03lxN048n3D9mcjGDkR
+15Kv5NX8DhZuCNcBddkGC96uYpgSvl089RgnSL/qPlM+QlVjPbqDpISd/z3X4RNb
+vdT+agOdZZJRB1MROQXDnACVdQB1ba/DTO4UNEou27D03Q==
 -----END CERTIFICATE-----
 `;
 /**
- * Intel PTT (Platform Trust Technology, firmware TPM inside Intel CSME)
- * Endorsement Key Root CA.
+ * STSAFE ECC Root CA 02 — STMicroelectronics's ECC-PKI anchor for the
+ * ST33 / STSAFE-TPM family. Sibling of the RSA root above; modern ST33
+ * devices use one or the other depending on EK template firmware.
  *
- * Published at: https://upgrades.intel.com/content/CRL/ekcert/EKRootPublicKey.cer
+ *   Source:     https://sw-center.st.com/STSAFE/STSAFEEccRootCA02.crt
+ *   Reference:  ST Technical Note TN1330
+ *   Subject:    C=CH, O=STMicroelectronics NV, CN=STSAFE ECC Root CA 02
+ *   SHA-256:    fd1e7b68accd825636b27b3177c67402d463a7f04c97b6c47ab705fcdc1a04f6
+ *   Public key: ECDSA P-521
+ *   Validity:   2022-01-20 → 9999-12-31
+ */
+export const STMICRO_TPM_EK_ECC_ROOT_PEM = `-----BEGIN CERTIFICATE-----
+MIICWjCCAbugAwIBAgIGVR0gAAECMAoGCCqGSM49BAMEME0xCzAJBgNVBAYTAkNI
+MR4wHAYDVQQKExVTVE1pY3JvZWxlY3Ryb25pY3MgTlYxHjAcBgNVBAMTFVNUU0FG
+RSBFQ0MgUm9vdCBDQSAwMjAgFw0yMjAxMjAwMDAwMDBaGA85OTk5MTIzMTAwMDAw
+MFowTTELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmljcyBO
+VjEeMBwGA1UEAxMVU1RTQUZFIEVDQyBSb290IENBIDAyMIGbMBAGByqGSM49AgEG
+BSuBBAAjA4GGAAQAJFgkbtp5mZpvISjL8zAUSSJXxXpPhxhSVGQfqU0GEjPBIMMD
+KNvc23xCcyIsiFTMD4MZQ1wov0SaBE3M31bWx78BrbiPCJ4lXUvJWiwm9+v3EL1z
+lznBtyJDYUkrUe2n7r8NH7kAQ1X/csItvyomECdRtm4wwD8VX1n+l3npVlMNOxWj
+QjBAMB0GA1UdDgQWBBT1XLcHvEsXQiYkgEBLu3yAulo8vjAOBgNVHQ8BAf8EBAMC
+AQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDBAOBjAAwgYgCQgC85uufYwd5
+yelX2EKkjx7s8LP6qgcXHxkO1zZYrTU7umomS5beVyPf2hA12yPVG9VnYUqs9+RA
+L0mbODJNfHR5yAJCAUf2a5qPe3a/BpZBoY7YI68nUt1UD8ScX+IbkLJQ6mPe8pNR
+xRJfSy8RvtTJcPEqH7kpj5sZjlRC5GUG/3Sco8uX
+-----END CERTIFICATE-----
+`;
+/**
+ * Intel TPM EK Root Certificate (used by Intel PTT, the firmware TPM
+ * bundled with Intel CSME).
  *
- * Placeholder PEM — replace with the real vendor bytes before
- * production rollout. Tests override via `rootPems` option.
+ *   Source:     https://upgrades.intel.com/content/CRL/ekcert/EKRootPublicKey.cer
+ *   Subject:    C=US, ST=CA, L=Santa Clara, O=Intel Corporation,
+ *               OU=TPM EK root cert signing, CN=www.intel.com
+ *   SHA-256:    2e1b3ba79af56d758be51697621bc4b9e8cee0983db3e749c55eb9b37c6d2ae0
+ *   Public key: ECDSA P-256
+ *   Validity:   2014-01-15 → 2049-12-31
  */
 export const INTEL_PTT_EK_ROOT_PEM = `-----BEGIN CERTIFICATE-----
-MIIBcjCCARegAwIBAgIJAOQz8pPRrTIxMAoGCCqGSM49BAMCMB8xHTAbBgNVBAMM
-FE1vdGViaXQgSW50ZWwgUGxhY2Vob2xkZXIwHhcNMjYwNDIyMDAwMDAwWhcNNDYw
-NDIyMDAwMDAwWjAfMR0wGwYDVQQDDBRNb3RlYml0IEludGVsIFBsYWNlaG9sZGVy
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkxD3N3JQMgVV8gRZEiQLBPyxX5jw
-WHNJCt8Fc0BbzQZVZ6Vkg4J1oHkLXIpsWcNOwU1RXcE/Pzr2yIjTnJW2VKNCMEAw
-DgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQxu9vHJmf+rQznfCVCd9vNQTRwPjAP
-BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIQCbX9rmZqJgk7lYPXGj
-WBR+oXt4AYzQ8pQvTSfkG/DBYwIgEY/oKZl5QL3Jt7lJx6lJxF3vLkaKBnJ9t4K4
-gHQ4nCY=
+MIICdzCCAh6gAwIBAgIUB+dPf7a3IyJGO923z34oQLRP7pwwCgYIKoZIzj0EAwIw
+gYcxCzAJBgNVBAYMAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xh
+cmExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0aW9uMSEwHwYDVQQLDBhUUE0gRUsg
+cm9vdCBjZXJ0IHNpZ25pbmcxFjAUBgNVBAMMDXd3dy5pbnRlbC5jb20wHhcNMTQw
+MTE1MDAwMDAwWhcNNDkxMjMxMjM1OTU5WjCBhzELMAkGA1UEBgwCVVMxCzAJBgNV
+BAgMAkNBMRQwEgYDVQQHDAtTYW50YSBDbGFyYTEaMBgGA1UECgwRSW50ZWwgQ29y
+cG9yYXRpb24xITAfBgNVBAsMGFRQTSBFSyByb290IGNlcnQgc2lnbmluZzEWMBQG
+A1UEAwwNd3d3LmludGVsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJR9
+gVEsjUrMb+E/dl19ywJsKZDnghmwVyG16dAfQ0Pftp1bjhtPEGEguvbLGRRopKWH
+VscAOlTFnvCHq+6/9/SjZjBkMB8GA1UdIwQYMBaAFOhSBcJP2NLVpSFHFrbODHtb
+uncPMB0GA1UdDgQWBBToUgXCT9jS1aUhRxa2zgx7W7p3DzASBgNVHRMBAf8ECDAG
+AQH/AgEBMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAgNHADBEAiAldFScWQ6L
+PQgW/YT+2GILcATEA2TgzASaCrG+AzL6FgIgLH8ABRzm028hRYR/JZVGkHiomzYX
+VILmTjHwSL7uZBU=
 -----END CERTIFICATE-----
 `;
+/**
+ * @deprecated since 1.1.0, removed in 2.0.0. Use {@link STMICRO_TPM_EK_RSA_ROOT_PEM} (RSA-PKI) or {@link STMICRO_TPM_EK_ECC_ROOT_PEM} (ECC-PKI) directly.
+ *
+ *   Reason: ST runs parallel RSA + ECC trust anchors for the
+ *   ST33 / STSAFE-TPM family; the single-PEM constant could only
+ *   ever name one of them, and modern ST33 devices may chain to
+ *   either depending on EK template firmware. Kept as an alias for
+ *   the ECC root (the modern default for most ST33 EK templates) for
+ *   one minor release cycle so existing consumers don't break the
+ *   moment they pull `1.1.0`.
+ */
+export const STMICRO_TPM_EK_ROOT_PEM = STMICRO_TPM_EK_ECC_ROOT_PEM;
 /**
  * Default pinned-root set returned when a caller passes no `rootPems`
- * override. Ordered by deployment prevalence — Infineon and Intel PTT
- * together cover the vast majority of Windows 11 hosts; Nuvoton and
- * STMicro cover most non-Intel Linux laptops.
+ * override. Five real vendor bytes covering the four major TPM 2.0
+ * silicon vendors (STMicroelectronics ships parallel RSA + ECC roots,
+ * both pinned). Ordered by deployment prevalence — Infineon and Intel
+ * PTT together cover the vast majority of Windows 11 hosts; Nuvoton
+ * and STMicro cover most non-Intel Linux laptops and ST33-based
+ * embedded systems.
  */
 export const DEFAULT_PINNED_TPM_ROOTS = [
     INFINEON_TPM_EK_ROOT_PEM,
     NUVOTON_TPM_EK_ROOT_PEM,
-    STMICRO_TPM_EK_ROOT_PEM,
+    STMICRO_TPM_EK_RSA_ROOT_PEM,
+    STMICRO_TPM_EK_ECC_ROOT_PEM,
     INTEL_PTT_EK_ROOT_PEM,
 ];
 /**

package/dist/tpm-roots.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tpm-roots.js","sourceRoot":"","sources":["../src/tpm-roots.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG~~;AAEH~~;;;;;;;GAOG~~;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG~~;;;;;;;;;;;CAWvC~~,CAAC;AAEF~~;;;;;;;GAOG~~;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG~~;;;;;;;;;;;CAWtC~~,CAAC;AAEF~~;;;;;;;GAOG~~;AACH,MAAM,CAAC,MAAM,~~uBAAuB~~,GAAG;;;;;;;;;;;~~CAWtC~~,CAAC;AAEF~~;;;;;;;;GAQG~~;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG~~;;;;;;;;;;;CAWpC~~,CAAC;AAEF~~;;;;;GAKG~~;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAsB;IACzD,wBAAwB;IACxB,uBAAuB;IACvB,~~uBAAuB~~;~~IACvB~~,qBAAqB;CACtB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,KAAc,CAAC"}
1	+ {"version":3,"file":"tpm-roots.js","sourceRoot":"","sources":["../src/tpm-roots.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8CG;AAEH;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;;;;;;;;;;;;;;;CAevC,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG;;;;;;;;;;;;;CAatC,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+B1C,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG;;;;;;;;;;;;;;;CAe1C,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;;;;;;;;;;;;;;;;CAgBpC,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,2BAA2B,CAAC;AAEnE;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAsB;IACzD,wBAAwB;IACxB,uBAAuB;IACvB,2BAA2B;IAC3B,2BAA2B;IAC3B,qBAAqB;CACtB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,KAAc,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@motebit/crypto-tpm",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Apache-2.0 verifier for TPM 2.0 Endorsement-Key hardware-attestation credentials — offline chain verification against pinned vendor EK roots (Infineon, Nuvoton, STMicro, Intel PTT) plus binary TPMS_ATTEST parsing. Plugs into @motebit/crypto's HardwareAttestationVerifiers dispatcher to validate TPM-attested motebit identities on Windows/Linux hosts.",
   "type": "module",
   "main": "./dist/index.js",
@@ -53,8 +53,8 @@
   },
   "dependencies": {
     "@peculiar/x509": "^1.12.0",
-    "@motebit/protocol": "1.0.0",
-    "@motebit/crypto": "1.0.0"
+    "@motebit/protocol": "1.1.0",
+    "@motebit/crypto": "1.1.0"
   },
   "devDependencies": {
     "@noble/curves": "~1.9.0",