@reclaimprotocol/attestor-core 5.0.1-beta.1 → 5.0.1-beta.2

package/lib/server/utils/oprf-raw.js

@@ -0,0 +1,61 @@
+import { getBytes } from "ethers";
+import { TOPRF_DOMAIN_SEPARATOR } from "../../config/index.js";
+import { getEnvVariable } from "../../utils/env.js";
+import { makeDefaultOPRFOperator } from "../../utils/zk.js";
+async function computeOPRFRaw(plaintext, markers, logger) {
+  if (!markers.length) {
+    return [];
+  }
+  const PRIVATE_KEY_STR = getEnvVariable("TOPRF_SHARE_PRIVATE_KEY");
+  const PUBLIC_KEY_STR = getEnvVariable("TOPRF_SHARE_PUBLIC_KEY");
+  if (!PRIVATE_KEY_STR || !PUBLIC_KEY_STR) {
+    throw new Error("TOPRF keys not configured. Cannot compute oprf-raw.");
+  }
+  const privateKey = getBytes(PRIVATE_KEY_STR);
+  const publicKey = getBytes(PUBLIC_KEY_STR);
+  const operator = makeDefaultOPRFOperator("chacha20", "gnark", logger);
+  const results = [];
+  for (const marker of markers) {
+    const { dataLocation } = marker;
+    if (!dataLocation) {
+      logger.warn("oprf-raw marker missing dataLocation, skipping");
+      continue;
+    }
+    const { fromIndex, length } = dataLocation;
+    const endIndex = fromIndex + length;
+    if (endIndex > plaintext.length) {
+      throw new Error(
+        `oprf-raw marker out of bounds: fromIndex=${fromIndex}, length=${length}, plaintextLength=${plaintext.length}`
+      );
+    }
+    const data = plaintext.slice(fromIndex, endIndex);
+    const request = await operator.generateOPRFRequestData(
+      data,
+      TOPRF_DOMAIN_SEPARATOR,
+      logger
+    );
+    const response = await operator.evaluateOPRF(
+      privateKey,
+      request.maskedData,
+      logger
+    );
+    const nullifier = await operator.finaliseOPRF(
+      publicKey,
+      request,
+      [{ ...response, publicKeyShare: publicKey }],
+      logger
+    );
+    results.push({
+      dataLocation: { fromIndex, length },
+      nullifier
+    });
+    logger.debug(
+      { fromIndex, length, nullifierHex: Buffer.from(nullifier).toString("hex").slice(0, 16) + "..." },
+      "computed oprf-raw nullifier"
+    );
+  }
+  return results;
+}
+export {
+  computeOPRFRaw
+};

package/lib/server/utils/process-handshake.d.ts

@@ -0,0 +1,13 @@
+import type { ClaimTunnelRequest } from '#src/proto/api.ts';
+import type { Logger } from '#src/types/index.ts';
+/**
+ * Verifies server cert chain and removes handshake messages from transcript
+ * @param receipt
+ * @param logger
+ */
+export declare function processHandshake(receipt: ClaimTunnelRequest['transcript'], logger: Logger): Promise<{
+    tlsVersion: "TLS1_3" | "TLS1_2";
+    cipherSuite: "TLS_CHACHA20_POLY1305_SHA256" | "TLS_AES_256_GCM_SHA384" | "TLS_AES_128_GCM_SHA256" | "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" | "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" | "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" | "TLS_RSA_WITH_AES_128_GCM_SHA256" | "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" | "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" | "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
+    hostname: string;
+    nextMsgIndex: number;
+}>;

package/lib/server/utils/process-handshake.js

@@ -0,0 +1,233 @@
+import {
+  concatenateUint8Arrays,
+  getSignatureDataTls12,
+  getSignatureDataTls13,
+  PACKET_TYPE,
+  parseCertificates,
+  parseClientHello,
+  parseServerCertificateVerify,
+  parseServerHello,
+  processServerKeyShare,
+  SUPPORTED_RECORD_TYPE_MAP,
+  uint8ArrayToDataView,
+  verifyCertificateChain,
+  verifyCertificateSignature
+} from "@reclaimprotocol/tls";
+import { TranscriptMessageSenderType } from "../../proto/api.js";
+import { decryptDirect } from "../../utils/index.js";
+const RECORD_LENGTH_BYTES = 3;
+async function processHandshake(receipt, logger) {
+  const certificates = [];
+  const handshakeRawMessages = [];
+  let currentPacketIdx = 0;
+  let cipherSuite = void 0;
+  let tlsVersion = void 0;
+  let serverRandom = void 0;
+  let clientRandom = void 0;
+  let serverFinishedIdx = -1;
+  let clientFinishedIdx = -1;
+  let certVerified = false;
+  let certVerifyHandled = false;
+  let hostname = void 0;
+  let clientChangeCipherSpecMsgIdx = -1;
+  let serverChangeCipherSpecMsgIdx = -1;
+  let incompletePkt = void 0;
+  while (serverFinishedIdx < 0 || clientFinishedIdx < 0) {
+    const packetIdx = currentPacketIdx++;
+    if (packetIdx >= receipt.length) {
+      throw new Error(
+        "Receipt over but server finish: " + serverFinishedIdx + ", client finish: " + clientFinishedIdx
+      );
+    }
+    const { message, reveal, sender } = receipt[packetIdx];
+    if (message[0] === PACKET_TYPE["CHANGE_CIPHER_SPEC"]) {
+      if (sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
+        clientChangeCipherSpecMsgIdx = packetIdx;
+        logger.trace("found client change cipher spec message");
+      } else {
+        serverChangeCipherSpecMsgIdx = packetIdx;
+        logger.trace("found server change cipher spec message");
+      }
+      continue;
+    }
+    let plaintext = getWithoutHeader(message);
+    if (!plaintext) {
+      throw new Error("incomplete TLS record encountered");
+    }
+    if (
+      // decrypt if wrapped record or after change cipher spec message,
+      // after which records are encrypted
+      message[0] === PACKET_TYPE["WRAPPED_RECORD"] || serverChangeCipherSpecMsgIdx > 0 && sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER || clientChangeCipherSpecMsgIdx > 0 && sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT
+    ) {
+      if (!tlsVersion || !cipherSuite) {
+        throw new Error("Could not find cipherSuite to use & got enc record");
+      }
+      if (!reveal?.directReveal?.key) {
+        throw new Error(
+          "no direct reveal for handshake packet: " + packetIdx
+        );
+      }
+      const recordHeader = message.slice(0, 5);
+      ({ plaintext } = await decryptDirect(
+        reveal?.directReveal,
+        cipherSuite,
+        recordHeader,
+        tlsVersion,
+        plaintext
+      ));
+      if (tlsVersion === "TLS1_3") {
+        plaintext = plaintext.slice(0, -1);
+      }
+    }
+    if (incompletePkt) {
+      const incSender = receipt[incompletePkt.packetIdx].sender;
+      if (incSender !== sender) {
+        throw new Error(
+          "Missing follow up to incomplete packet at idx: " + incompletePkt.packetIdx
+        );
+      }
+      plaintext = concatenateUint8Arrays([
+        incompletePkt.remainingBytes,
+        plaintext
+      ]);
+      incompletePkt = void 0;
+    }
+    const handshakeMessages = [];
+    for (let offset = 0; offset < plaintext.length; ) {
+      const type = plaintext[offset];
+      const content = readWithLength(plaintext.slice(offset + 1), RECORD_LENGTH_BYTES);
+      if (!content) {
+        incompletePkt = {
+          remainingBytes: plaintext.slice(offset),
+          packetIdx
+        };
+        break;
+      }
+      handshakeMessages.push({
+        type,
+        content,
+        contentWithHeader: plaintext.slice(
+          offset,
+          offset + 1 + RECORD_LENGTH_BYTES + content.length
+        ),
+        packetIdx
+      });
+      offset += 1 + RECORD_LENGTH_BYTES + content.length;
+    }
+    for (const msg of handshakeMessages) {
+      await processHandshakeMessage(msg);
+      handshakeRawMessages.push(msg.contentWithHeader);
+    }
+  }
+  if (!certVerified) {
+    throw new Error("No provider certificates received");
+  }
+  if (tlsVersion === "TLS1_3" && serverFinishedIdx < 0) {
+    throw new Error("server finished message not found");
+  }
+  if (tlsVersion === "TLS1_3" && !certVerifyHandled) {
+    throw new Error("TLS1.3 cert verify packet not received");
+  }
+  if (tlsVersion === "TLS1_2" && (serverChangeCipherSpecMsgIdx < 0 || clientChangeCipherSpecMsgIdx < 0)) {
+    throw new Error("change cipher spec message not found");
+  }
+  const nextMsgIndex = Math.max(serverFinishedIdx, clientFinishedIdx) + 1;
+  return {
+    tlsVersion,
+    cipherSuite,
+    hostname,
+    nextMsgIndex
+  };
+  async function processHandshakeMessage({ type, content, contentWithHeader, packetIdx }) {
+    switch (type) {
+      case SUPPORTED_RECORD_TYPE_MAP.CLIENT_HELLO:
+        const clientHello = parseClientHello(contentWithHeader);
+        clientRandom = clientHello.serverRandom;
+        const { SERVER_NAME: sni } = clientHello.extensions;
+        hostname = sni?.serverName;
+        if (!hostname) {
+          throw new Error("client hello has no SNI");
+        }
+        break;
+      case SUPPORTED_RECORD_TYPE_MAP.SERVER_HELLO:
+        const serverHello = await parseServerHello(content);
+        cipherSuite = serverHello.cipherSuite;
+        tlsVersion = serverHello.serverTlsVersion;
+        serverRandom = serverHello.serverRandom;
+        logger.info(
+          { serverTLSVersion: tlsVersion, cipherSuite },
+          "extracted server hello params"
+        );
+        break;
+      case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE:
+        const parseResult = parseCertificates(content, { version: tlsVersion });
+        certificates.push(...parseResult.certificates);
+        await verifyCertificateChain(certificates, hostname, logger);
+        logger.info({ hostname }, "verified provider certificate chain");
+        certVerified = true;
+        break;
+      case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE_VERIFY:
+        const signature = parseServerCertificateVerify(content);
+        if (!certificates?.length) {
+          throw new Error("No provider certificates received");
+        }
+        const signatureData = await getSignatureDataTls13(
+          handshakeRawMessages,
+          cipherSuite
+        );
+        await verifyCertificateSignature({
+          ...signature,
+          publicKey: certificates[0].getPublicKey(),
+          signatureData
+        });
+        certVerifyHandled = true;
+        break;
+      case SUPPORTED_RECORD_TYPE_MAP.SERVER_KEY_SHARE:
+        if (!certificates?.length) {
+          throw new Error("No provider certificates received");
+        }
+        const keyShare = await processServerKeyShare(content);
+        const signatureData12 = await getSignatureDataTls12(
+          {
+            clientRandom,
+            serverRandom,
+            curveType: keyShare.publicKeyType,
+            publicKey: keyShare.publicKey
+          }
+        );
+        await verifyCertificateSignature({
+          signature: keyShare.signatureBytes,
+          algorithm: keyShare.signatureAlgorithm,
+          publicKey: certificates[0].getPublicKey(),
+          signatureData: signatureData12,
+          publicKeyType: keyShare.publicKeyType
+        });
+        await verifyCertificateChain(certificates, hostname, logger);
+        logger.info({ hostname }, "verified provider certificate chain");
+        certVerified = true;
+        break;
+      case SUPPORTED_RECORD_TYPE_MAP.FINISHED:
+        const packet = receipt[packetIdx];
+        if (packet.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
+          clientFinishedIdx = packetIdx;
+        } else {
+          serverFinishedIdx = packetIdx;
+        }
+        break;
+    }
+  }
+}
+function getWithoutHeader(message) {
+  return readWithLength(message.slice(3), 2);
+}
+function readWithLength(data, lengthBytes = 2) {
+  const dataView = uint8ArrayToDataView(data);
+  const length = lengthBytes === 1 ? dataView.getUint8(0) : dataView.getUint16(lengthBytes === 3 ? 1 : 0);
+  if (data.length < lengthBytes + length) {
+    return void 0;
+  }
+  return data.slice(lengthBytes, lengthBytes + length);
+}
+export {
+  processHandshake
+};

package/lib/server/utils/proxy-session.d.ts

@@ -0,0 +1 @@
+export declare function isValidProxySessionId(sessionId: string): boolean;

package/lib/server/utils/proxy-session.js

@@ -0,0 +1,6 @@
+function isValidProxySessionId(sessionId) {
+  return typeof sessionId === "string" && sessionId.length >= 8 && sessionId.length < 15 && /^[a-z0-9]+$/.test(sessionId);
+}
+export {
+  isValidProxySessionId
+};

package/lib/server/utils/tee-oprf-mpc-verification.d.ts

@@ -0,0 +1,16 @@
+/**
+ * TEE OPRF MPC Verification
+ * Verifies OPRF MPC outputs from TEE_K and TEE_T match
+ *
+ * Unlike ZK OPRF which requires proof verification, OPRF MPC outputs
+ * are already trusted because they are included in TEE-signed payloads.
+ * This module verifies that both TEEs computed identical outputs.
+ */
+import type { KOutputPayload, TOutputPayload } from '#src/proto/tee-bundle.ts';
+import type { OprfVerificationResult } from '#src/server/utils/tee-oprf-verification.ts';
+import type { Logger } from '#src/types/general.ts';
+/**
+ * Verifies OPRF MPC outputs from TEE_K and TEE_T match
+ * Returns verified outputs for transcript replacement (same format as ZK OPRF)
+ */
+export declare function verifyOprfMpcOutputs(kPayload: KOutputPayload, tPayload: TOutputPayload, logger: Logger): OprfVerificationResult[];

package/lib/server/utils/tee-oprf-mpc-verification.js

@@ -0,0 +1,86 @@
+import { AttestorError } from "../../utils/error.js";
+function verifyOprfMpcOutputs(kPayload, tPayload, logger) {
+  const kOutputs = kPayload.oprfOutputs || [];
+  const tOutputs = tPayload.oprfOutputs || [];
+  if (kOutputs.length === 0 && tOutputs.length === 0) {
+    logger.debug("No OPRF MPC outputs to verify");
+    return [];
+  }
+  if (kOutputs.length !== tOutputs.length) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      `OPRF MPC count mismatch: TEE_K has ${kOutputs.length}, TEE_T has ${tOutputs.length}`
+    );
+  }
+  logger.info(`Verifying ${kOutputs.length} OPRF MPC outputs`);
+  const results = [];
+  for (const [i, kOut] of kOutputs.entries()) {
+    const tOut = tOutputs[i];
+    if (kOut.tlsStart < 0 || tOut.tlsStart < 0) {
+      throw new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        `OPRF MPC invalid position at index ${i}: negative start position`
+      );
+    }
+    if (kOut.tlsLength <= 0 || kOut.tlsLength > 64 || tOut.tlsLength <= 0 || tOut.tlsLength > 64) {
+      throw new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        `OPRF MPC invalid length at index ${i}: must be 1-64 bytes (TEE_K: ${kOut.tlsLength}, TEE_T: ${tOut.tlsLength})`
+      );
+    }
+    if (kOut.hashOutput.length !== 32 || tOut.hashOutput.length !== 32) {
+      throw new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        `OPRF MPC invalid hash size at index ${i}: expected 32 bytes (TEE_K: ${kOut.hashOutput.length}, TEE_T: ${tOut.hashOutput.length})`
+      );
+    }
+    if (kOut.tlsStart !== tOut.tlsStart || kOut.tlsLength !== tOut.tlsLength) {
+      throw new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        `OPRF MPC position mismatch at index ${i}: TEE_K [${kOut.tlsStart}:${kOut.tlsStart + kOut.tlsLength}] vs TEE_T [${tOut.tlsStart}:${tOut.tlsStart + tOut.tlsLength}]`
+      );
+    }
+    if (!buffersEqual(kOut.hashOutput, tOut.hashOutput)) {
+      throw new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        `OPRF MPC hash mismatch at index ${i}: outputs differ between TEE_K and TEE_T`
+      );
+    }
+    const hashOutputHex = Buffer.from(kOut.hashOutput).toString("hex");
+    const hashOutputBase64 = Buffer.from(kOut.hashOutput).toString("base64");
+    logger.info(
+      {
+        index: i,
+        position: kOut.tlsStart,
+        length: kOut.tlsLength,
+        hashOutputLen: kOut.hashOutput.length,
+        hashOutputHex: hashOutputHex.substring(0, 32) + "...",
+        hashOutputBase64Preview: hashOutputBase64.substring(0, 20) + "..."
+      },
+      "OPRF MPC output verified"
+    );
+    results.push({
+      position: kOut.tlsStart,
+      length: kOut.tlsLength,
+      output: new Uint8Array(kOut.hashOutput),
+      // Use SHA256(CMAC) as the replacement value
+      isMPC: true
+    });
+  }
+  logger.info(`Successfully verified ${results.length} OPRF MPC outputs`);
+  return results;
+}
+function buffersEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  for (const [i, element] of a.entries()) {
+    if (element !== b[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+export {
+  verifyOprfMpcOutputs
+};

package/lib/server/utils/tee-oprf-verification.d.ts

@@ -0,0 +1,24 @@
+/**
+ * TEE OPRF Verification and Replacement
+ * Verifies OPRF proofs and replaces ranges in reconstructed plaintext
+ */
+import type { OPRFVerificationData } from '#src/proto/tee-bundle.ts';
+import type { TeeBundleData } from '#src/server/utils/tee-verification.ts';
+import type { Logger } from '#src/types/general.ts';
+export interface OprfVerificationResult {
+    position: number;
+    length: number;
+    output: Uint8Array;
+    isMPC?: boolean;
+}
+/**
+ * Verifies all OPRF proofs in the bundle and returns replacement data
+ */
+export declare function verifyOprfProofs(bundleData: TeeBundleData & {
+    oprfVerifications?: OPRFVerificationData[];
+}, logger: Logger): Promise<OprfVerificationResult[]>;
+/**
+ * Replaces OPRF ranges in the reconstructed plaintext with verified outputs.
+ * Properly expands or contracts the transcript to fit replacement hashes.
+ */
+export declare function replaceOprfRanges(plaintext: Uint8Array, oprfResults: OprfVerificationResult[], logger: Logger): Uint8Array;

package/lib/server/utils/tee-oprf-verification.js

@@ -0,0 +1,151 @@
+import bs58 from "bs58";
+import { AttestorError } from "../../utils/error.js";
+import { makeDefaultOPRFOperator } from "../../utils/zk.js";
+async function verifyOprfProofs(bundleData, logger) {
+  if (!bundleData.oprfVerifications || bundleData.oprfVerifications.length === 0) {
+    logger.debug("No OPRF verifications present in bundle");
+    return [];
+  }
+  const { tOutputPayload } = bundleData;
+  const consolidatedCiphertext = tOutputPayload.consolidatedResponseCiphertext;
+  if (!consolidatedCiphertext || consolidatedCiphertext.length === 0) {
+    throw new AttestorError("ERROR_INVALID_CLAIM", "No consolidated ciphertext for OPRF verification");
+  }
+  const results = [];
+  logger.info(`Verifying ${bundleData.oprfVerifications.length} OPRF proofs`);
+  for (const [idx, oprfData] of bundleData.oprfVerifications.entries()) {
+    try {
+      const result = await verifySingleOprfProof(
+        oprfData,
+        consolidatedCiphertext,
+        idx,
+        logger
+      );
+      results.push(result);
+    } catch (error) {
+      logger.error({ error, index: idx }, "OPRF proof verification failed");
+      throw new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        `OPRF verification failed at index ${idx}: ${error.message}`
+      );
+    }
+  }
+  logger.info(`Successfully verified ${results.length} OPRF proofs`);
+  return results;
+}
+async function verifySingleOprfProof(oprfData, consolidatedCiphertext, index, logger) {
+  const publicSignalsJson = JSON.parse(new TextDecoder().decode(oprfData.publicSignalsJson));
+  const { proof, publicSignals, cipher } = publicSignalsJson;
+  if (!proof || !publicSignals) {
+    throw new Error("Missing proof or public signals in OPRF data");
+  }
+  const ciphertextChunk = consolidatedCiphertext.slice(
+    oprfData.streamPos,
+    oprfData.streamPos + oprfData.streamLength
+  );
+  const completePublicSignals = {
+    out: publicSignals.out || Uint8Array.from([]),
+    // Replace null input with extracted ciphertext
+    in: ciphertextChunk,
+    // Convert base64 nonces and counters
+    noncesAndCounters: publicSignals.blocks?.map((block) => ({
+      nonce: Buffer.from(block.nonce || "", "base64"),
+      counter: block.counter || 0,
+      boundary: block.boundary || ""
+    })) || [],
+    // Process TOPRF data
+    toprf: publicSignals.toprf ? {
+      ...publicSignals.toprf,
+      // Convert domain separator from base64
+      domainSeparator: publicSignals.toprf.domainSeparator ? Buffer.from(publicSignals.toprf.domainSeparator, "base64").toString("utf8") : "reclaim",
+      // Convert output from base64
+      output: publicSignals.toprf.output ? Buffer.from(publicSignals.toprf.output, "base64") : new Uint8Array(),
+      // Convert response fields from base64
+      responses: publicSignals.toprf.responses?.map((resp) => ({
+        publicKeyShare: Buffer.from(resp.publicKeyShare || "", "base64"),
+        evaluated: Buffer.from(resp.evaluated || "", "base64"),
+        c: Buffer.from(resp.c || "", "base64"),
+        r: Buffer.from(resp.r || "", "base64")
+      })) || [],
+      // Locations are already in correct format
+      locations: publicSignals.toprf.locations || []
+    } : void 0
+  };
+  const algorithm = cipher.replace("-toprf", "");
+  const zkEngine = "gnark";
+  const oprfOperator = makeDefaultOPRFOperator(algorithm, zkEngine, logger);
+  const proofBytes = Buffer.from(proof, "base64");
+  const isValid = await oprfOperator.groth16Verify(
+    completePublicSignals,
+    proofBytes,
+    logger
+  );
+  if (!isValid) {
+    throw new Error("OPRF proof verification failed");
+  }
+  logger.debug(`OPRF ${index}: Proof verified successfully`);
+  const oprfOutput = completePublicSignals.toprf?.output;
+  if (!oprfOutput || oprfOutput.length === 0) {
+    throw new Error("No OPRF output found in verified proof");
+  }
+  const oprfLocation = completePublicSignals.toprf?.locations?.[0];
+  if (!oprfLocation) {
+    throw new Error("No OPRF location found in public signals");
+  }
+  logger.info(`OPRF #${index}: streamPos=${oprfData.streamPos}, locationPos=${oprfLocation.pos}, finalPos=${oprfData.streamPos + oprfLocation.pos}, len=${oprfLocation.len}`);
+  return {
+    // The position in the plaintext where to replace (stream position + OPRF location within chunk)
+    position: oprfData.streamPos + oprfLocation.pos,
+    length: oprfLocation.len,
+    output: oprfOutput
+  };
+}
+function replaceOprfRanges(plaintext, oprfResults, logger) {
+  if (oprfResults.length === 0) {
+    return plaintext;
+  }
+  const replacements = oprfResults.map((result) => {
+    let outputBytes;
+    let encodedOutput;
+    if (result.isMPC) {
+      encodedOutput = bs58.encode(result.output);
+      outputBytes = new TextEncoder().encode(encodedOutput);
+    } else {
+      encodedOutput = Buffer.from(result.output).toString("base64");
+      const truncated = encodedOutput.substring(0, result.length);
+      outputBytes = new TextEncoder().encode(truncated);
+    }
+    return { result, outputBytes, encodedOutput };
+  });
+  replacements.sort((a, b) => a.result.position - b.result.position);
+  let newSize = plaintext.length;
+  for (const { result, outputBytes } of replacements) {
+    const sizeDiff = outputBytes.length - result.length;
+    newSize += sizeDiff;
+  }
+  logger.info(`Transcript size: ${plaintext.length} -> ${newSize} (${newSize - plaintext.length >= 0 ? "+" : ""}${newSize - plaintext.length} bytes)`);
+  const newPlaintext = new Uint8Array(newSize);
+  let srcPos = 0;
+  let dstPos = 0;
+  for (const [idx, { result, outputBytes, encodedOutput }] of replacements.entries()) {
+    const segmentLength = result.position - srcPos;
+    if (segmentLength > 0) {
+      newPlaintext.set(plaintext.slice(srcPos, result.position), dstPos);
+      dstPos += segmentLength;
+    }
+    const currentContent = plaintext.slice(result.position, result.position + result.length);
+    logger.info(`OPRF #${idx} at pos ${result.position}: "${Buffer.from(currentContent).toString("utf8")}" (${result.length}b) -> "${encodedOutput}" (${outputBytes.length}b)${result.isMPC ? " [MPC/base58]" : ""}`);
+    newPlaintext.set(outputBytes, dstPos);
+    dstPos += outputBytes.length;
+    srcPos = result.position + result.length;
+  }
+  if (srcPos < plaintext.length) {
+    newPlaintext.set(plaintext.slice(srcPos), dstPos);
+  }
+  logger.info(`Replaced ${oprfResults.length} OPRF ranges in plaintext`);
+  return newPlaintext;
+}
+export {
+  replaceOprfRanges,
+  verifyOprfProofs
+};

package/lib/server/utils/tee-transcript-reconstruction.d.ts

@@ -0,0 +1,24 @@
+/**
+ * TLS Transcript Reconstruction from TEE data
+ */
+import type { CertificateInfo } from '#src/proto/tee-bundle.ts';
+import type { TeeBundleData } from '#src/server/utils/tee-verification.ts';
+import type { Logger } from '#src/types/general.ts';
+export interface TeeTranscriptData {
+    revealedRequest: Uint8Array;
+    reconstructedResponse: Uint8Array;
+    certificateInfo?: CertificateInfo;
+    responseTrimOffset?: number;
+}
+/**
+ * Reconstructs TLS transcript from TEE bundle data
+ * @param bundleData - Validated TEE bundle data
+ * @param logger - Logger instance
+ * @param oprfResults - Optional OPRF results to apply during reconstruction
+ * @returns Reconstructed transcript data
+ */
+export declare function reconstructTlsTranscript(bundleData: TeeBundleData, logger: Logger, oprfResults?: Array<{
+    position: number;
+    length: number;
+    output: Uint8Array;
+}>): Promise<TeeTranscriptData>;