@motebit/crypto-tpm 1.1.3 → 1.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -0
- package/package.json +3 -3
package/README.md
CHANGED
|
@@ -30,6 +30,17 @@ const result = await verify(credential, {
|
|
|
30
30
|
|
|
31
31
|
A verifier that dynamically fetched vendor CAs has no sovereign story. The pinned vendor roots are the self-attesting contract — third parties audit `DEFAULT_PINNED_TPM_ROOTS` and know which EK CAs this library accepts. Adding a vendor is additive (one PEM constant + one accept-set entry), not a policy rewrite.
|
|
32
32
|
|
|
33
|
+
## Lower-level primitives
|
|
34
|
+
|
|
35
|
+
Beyond `tpmVerifier`, the package exports the parser internals + pinned-root constants for advanced consumers (test fabrications, third-party verifiers wiring custom dispatchers):
|
|
36
|
+
|
|
37
|
+
- `verifyTpmQuote(...)` — bare-metal entry: takes the already-parsed `TPMS_ATTEST` structure + AK chain and returns the structured verification result.
|
|
38
|
+
- `parseTpmsAttest(bytes)` — parse the raw TPM-marshaled binary into a typed `TpmsAttest`. Hand-rolled per TCG spec.
|
|
39
|
+
- `composeTpmsAttestForTest(...)` — inverse of the parser; emits canonical bytes for test fixtures so the round-trip is observable.
|
|
40
|
+
- `TPM_GENERATED_VALUE` (`0xff544347`) — the magic constant TPM-emitted quotes carry; format dispatchers use this to detect the structure.
|
|
41
|
+
- `TPM_PLATFORM` — the canonical platform-string constant (`"tpm"`) used to route by claim platform.
|
|
42
|
+
- `INFINEON_TPM_EK_ROOT_PEM`, `NUVOTON_TPM_EK_ROOT_PEM`, `STMICRO_TPM_EK_RSA_ROOT_PEM`, `STMICRO_TPM_EK_ECC_ROOT_PEM`, `INTEL_PTT_EK_ROOT_PEM` — the pinned vendor EK roots, exported for audit and for `HardwareVerifierBundleConfig.tpmRootPems` overrides in `@motebit/verify`.
|
|
43
|
+
|
|
33
44
|
## Why a hand-rolled parser
|
|
34
45
|
|
|
35
46
|
TPM 2.0's `TPMS_ATTEST` structure is ~100 lines of big-endian length-prefixed marshaling. Pulling a full TPM library for that would cross a larger surface area than the struct we actually parse. Scoped to exactly what verification needs.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@motebit/crypto-tpm",
|
|
3
|
-
"version": "1.1.
|
|
3
|
+
"version": "1.1.4",
|
|
4
4
|
"description": "Apache-2.0 verifier for TPM 2.0 Endorsement-Key hardware-attestation credentials — offline chain verification against pinned vendor EK roots (Infineon, Nuvoton, STMicro, Intel PTT) plus binary TPMS_ATTEST parsing. Plugs into @motebit/crypto's HardwareAttestationVerifiers dispatcher to validate TPM-attested motebit identities on Windows/Linux hosts.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -53,8 +53,8 @@
|
|
|
53
53
|
},
|
|
54
54
|
"dependencies": {
|
|
55
55
|
"@peculiar/x509": "^1.12.0",
|
|
56
|
-
"@motebit/protocol": "1.
|
|
57
|
-
"@motebit/crypto": "1.
|
|
56
|
+
"@motebit/protocol": "1.3.0",
|
|
57
|
+
"@motebit/crypto": "1.3.0"
|
|
58
58
|
},
|
|
59
59
|
"devDependencies": {
|
|
60
60
|
"@noble/curves": "~1.9.0",
|