npm - @reclaimprotocol/attestor-core - Versions diffs - 5.0.1-beta.13 → 5.0.1-beta.16 - Mend

@reclaimprotocol/attestor-core 5.0.1-beta.13 → 5.0.1-beta.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (134) hide show

package/lib/external-rpc/index.js +17321 -3
package/lib/index.d.ts +1 -0
package/lib/index.js +15391 -11
package/lib/scripts/build-browser-debug.d.ts +1 -0
package/package.json +1 -1
package/lib/avs/abis/avsDirectoryABI.js +0 -343
package/lib/avs/abis/delegationABI.js +0 -4
package/lib/avs/abis/registryABI.js +0 -728
package/lib/avs/client/create-claim-on-avs.js +0 -168
package/lib/avs/config.js +0 -26
package/lib/avs/contracts/ReclaimServiceManager.js +0 -0
package/lib/avs/contracts/common.js +0 -0
package/lib/avs/contracts/factories/ReclaimServiceManager__factory.js +0 -1183
package/lib/avs/contracts/factories/index.js +0 -4
package/lib/avs/contracts/index.js +0 -6
package/lib/avs/types/index.js +0 -0
package/lib/avs/utils/contracts.js +0 -53
package/lib/avs/utils/register.js +0 -74
package/lib/avs/utils/tasks.js +0 -48
package/lib/client/create-claim.js +0 -461
package/lib/client/index.js +0 -3
package/lib/client/tunnels/make-rpc-tcp-tunnel.js +0 -53
package/lib/client/tunnels/make-rpc-tls-tunnel.js +0 -127
package/lib/client/utils/attestor-pool.js +0 -24
package/lib/client/utils/client-socket.js +0 -120
package/lib/client/utils/message-handler.js +0 -97
package/lib/config/index.js +0 -62
package/lib/external-rpc/benchmark.js +0 -82
package/lib/external-rpc/event-bus.js +0 -17
package/lib/external-rpc/handle-incoming-msg.js +0 -241
package/lib/external-rpc/jsc-polyfills/1.js +0 -80
package/lib/external-rpc/jsc-polyfills/2.js +0 -15
package/lib/external-rpc/jsc-polyfills/event.js +0 -19
package/lib/external-rpc/jsc-polyfills/index.js +0 -2
package/lib/external-rpc/jsc-polyfills/ws.js +0 -83
package/lib/external-rpc/setup-browser.js +0 -33
package/lib/external-rpc/setup-jsc.js +0 -22
package/lib/external-rpc/types.js +0 -0
package/lib/external-rpc/utils.js +0 -100
package/lib/external-rpc/zk.js +0 -58
package/lib/mechain/abis/governanceABI.js +0 -461
package/lib/mechain/abis/taskABI.js +0 -512
package/lib/mechain/client/create-claim-on-mechain.js +0 -33
package/lib/mechain/client/index.js +0 -1
package/lib/mechain/constants/index.js +0 -8
package/lib/mechain/index.js +0 -2
package/lib/mechain/types/index.js +0 -0
package/lib/proto/api.js +0 -4250
package/lib/proto/tee-bundle.js +0 -1296
package/lib/providers/http/index.js +0 -640
package/lib/providers/http/patch-parse5-tree.js +0 -34
package/lib/providers/http/utils.js +0 -283
package/lib/providers/index.js +0 -7
package/lib/scripts/build-browser.js +0 -38
package/lib/scripts/build-jsc.js +0 -47
package/lib/scripts/build-lib.js +0 -47
package/lib/scripts/check-avs-registration.js +0 -28
package/lib/scripts/fallbacks/crypto.js +0 -4
package/lib/scripts/fallbacks/empty.js +0 -4
package/lib/scripts/fallbacks/re2.js +0 -7
package/lib/scripts/fallbacks/snarkjs.js +0 -10
package/lib/scripts/fallbacks/stwo.js +0 -159
package/lib/scripts/generate-provider-types.js +0 -101
package/lib/scripts/generate-receipt.js +0 -101
package/lib/scripts/generate-toprf-keys.js +0 -24
package/lib/scripts/jsc-cli-rpc.js +0 -35
package/lib/scripts/register-avs-operator.js +0 -3
package/lib/scripts/start-server.js +0 -11
package/lib/scripts/update-avs-metadata.js +0 -20
package/lib/scripts/utils.js +0 -10
package/lib/scripts/whitelist-operator.js +0 -16
package/lib/server/create-server.js +0 -105
package/lib/server/handlers/claimTeeBundle.js +0 -232
package/lib/server/handlers/claimTunnel.js +0 -80
package/lib/server/handlers/completeClaimOnChain.js +0 -29
package/lib/server/handlers/createClaimOnChain.js +0 -32
package/lib/server/handlers/createTaskOnMechain.js +0 -57
package/lib/server/handlers/createTunnel.js +0 -98
package/lib/server/handlers/disconnectTunnel.js +0 -8
package/lib/server/handlers/fetchCertificateBytes.js +0 -57
package/lib/server/handlers/index.js +0 -25
package/lib/server/handlers/init.js +0 -33
package/lib/server/handlers/toprf.js +0 -19
package/lib/server/index.js +0 -4
package/lib/server/socket.js +0 -112
package/lib/server/tunnels/make-tcp-tunnel.js +0 -202
package/lib/server/utils/apm.js +0 -29
package/lib/server/utils/assert-valid-claim-request.js +0 -354
package/lib/server/utils/config-env.js +0 -4
package/lib/server/utils/dns.js +0 -24
package/lib/server/utils/gcp-attestation.js +0 -237
package/lib/server/utils/generics.js +0 -45
package/lib/server/utils/iso.js +0 -259
package/lib/server/utils/keep-alive.js +0 -38
package/lib/server/utils/nitro-attestation.js +0 -249
package/lib/server/utils/oprf-raw.js +0 -61
package/lib/server/utils/process-handshake.js +0 -233
package/lib/server/utils/proxy-session.js +0 -6
package/lib/server/utils/tee-oprf-mpc-verification.js +0 -86
package/lib/server/utils/tee-oprf-verification.js +0 -151
package/lib/server/utils/tee-transcript-reconstruction.js +0 -140
package/lib/server/utils/tee-verification.js +0 -358
package/lib/server/utils/validation.js +0 -45
package/lib/types/bgp.js +0 -0
package/lib/types/claims.js +0 -0
package/lib/types/client.js +0 -0
package/lib/types/general.js +0 -0
package/lib/types/handlers.js +0 -0
package/lib/types/index.js +0 -10
package/lib/types/providers.gen.js +0 -16
package/lib/types/providers.js +0 -0
package/lib/types/rpc.js +0 -0
package/lib/types/signatures.js +0 -0
package/lib/types/tunnel.js +0 -0
package/lib/types/zk.js +0 -0
package/lib/utils/auth.js +0 -71
package/lib/utils/b64-json.js +0 -17
package/lib/utils/bgp-listener.js +0 -123
package/lib/utils/claims.js +0 -89
package/lib/utils/env.js +0 -19
package/lib/utils/error.js +0 -54
package/lib/utils/generics.js +0 -268
package/lib/utils/http-parser.js +0 -201
package/lib/utils/index.js +0 -13
package/lib/utils/logger.js +0 -82
package/lib/utils/prepare-packets.js +0 -69
package/lib/utils/redactions.js +0 -135
package/lib/utils/retries.js +0 -26
package/lib/utils/signatures/eth.js +0 -31
package/lib/utils/signatures/index.js +0 -12
package/lib/utils/socket-base.js +0 -96
package/lib/utils/tls.js +0 -58
package/lib/utils/ws.js +0 -22
package/lib/utils/zk.js +0 -625

package/lib/server/utils/nitro-attestation.js DELETED Viewed

@@ -1,249 +0,0 @@
-import { AsnParser } from "@peculiar/asn1-schema";
-import { SubjectPublicKeyInfo } from "@peculiar/asn1-x509";
-import { Crypto } from "@peculiar/webcrypto";
-import { X509Certificate, X509ChainBuilder } from "@peculiar/x509";
-import { sign } from "cose-js";
-async function getCborDecode() {
-  const { decode } = await import("cbor-x");
-  return decode;
-}
-const AWS_NITRO_ROOT_CERT = `-----BEGIN CERTIFICATE-----
-MIICETCCAZagAwIBAgIRAPkxdWgbkK/hHUbMtOTn+FYwCgYIKoZIzj0EAwMwSTEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoMBkFtYXpvbjEMMAoGA1UECwwDQVdTMRswGQYD
-VQQDDBJhd3Mubml0cm8tZW5jbGF2ZXMwHhcNMTkxMDI4MTMyODA1WhcNNDkxMDI4
-MTQyODA1WjBJMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQL
-DANBV1MxGzAZBgNVBAMMEmF3cy5uaXRyby1lbmNsYXZlczB2MBAGByqGSM49AgEG
-BSuBBAAiA2IABPwCVOumCMHzaHDimtqQvkY4MpJzbolL//Zy2YlES1BR5TSksfbb
-48C8WBoyt7F2Bw7eEtaaP+ohG2bnUs990d0JX28TcPQXCEPZ3BABIeTPYwEoCWZE
-h8l5YoQwTcU/9KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkCW1DdkF
-R+eWw5b6cp3PmanfS5YwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2kAMGYC
-MQCjfy+Rocm9Xue4YnwWmNJVA44fA0P5W2OpYow9OYCVRaEevL8uO1XYru5xtMPW
-rfMCMQCi85sWBbJwKKXdS6BptQFuZbT73o/gBh1qUxl/nNr12UO8Yfwr6wPLb+6N
-IwLz3/Y=
------END CERTIFICATE-----`;
-async function validateCertificateChain(targetCert, intermediateCerts, rootCert, crypto) {
-  const errors = [];
-  try {
-    const rootSubject = rootCert.subject;
-    const rootIssuer = rootCert.issuer;
-    if (rootSubject !== rootIssuer) {
-      errors.push("Root certificate is not self-signed");
-    }
-    try {
-      const isRootValid = await rootCert.verify(void 0, crypto);
-      if (!isRootValid) {
-        errors.push("Root certificate signature verification failed");
-      }
-    } catch (error) {
-      errors.push(`Root certificate verification failed: ${error.message}`);
-    }
-    const chainBuilder = new X509ChainBuilder({
-      certificates: [rootCert, ...intermediateCerts]
-    });
-    let chain;
-    try {
-      chain = await chainBuilder.build(targetCert, crypto);
-    } catch (error) {
-      errors.push(`Certificate chain building failed: ${error.message}`);
-      return { isValid: false, errors, chain: [] };
-    }
-    if (!chain || chain.length === 0) {
-      errors.push("No valid certificate chain could be built");
-      return { isValid: false, errors, chain: [] };
-    }
-    const now = /* @__PURE__ */ new Date();
-    for (let i = 0; i < chain.length; i++) {
-      const cert = chain[i];
-      if (now < cert.notBefore) {
-        errors.push(`Certificate ${i} (${cert.subject}) is not yet valid`);
-      }
-      if (now > cert.notAfter) {
-        errors.push(`Certificate ${i} (${cert.subject}) has expired`);
-      }
-      if (i < chain.length - 1) {
-        try {
-          const issuer = chain[i + 1];
-          const isValid = await cert.verify(issuer, crypto);
-          if (!isValid) {
-            errors.push(`Certificate ${i} signature verification failed`);
-          }
-        } catch (error) {
-          errors.push(`Certificate ${i} verification failed: ${error.message}`);
-        }
-      }
-    }
-    return {
-      isValid: errors.length === 0,
-      errors,
-      chain
-    };
-  } catch (error) {
-    errors.push(`Certificate chain validation error: ${error.message}`);
-    return { isValid: false, errors, chain: [] };
-  }
-}
-function extractPublicKeyFromUserData(userDataBuffer) {
-  try {
-    const userDataString = userDataBuffer.toString("utf-8");
-    const teeKMatch = userDataString.match(/^tee_k_public_key:(0x[0-9a-fA-F]{40})$/);
-    const teeTMatch = userDataString.match(/^tee_t_public_key:(0x[0-9a-fA-F]{40})$/);
-    if (teeKMatch) {
-      return {
-        teeType: "tee_k",
-        ethAddress: teeKMatch[1],
-        // Store the full ETH address with 0x prefix
-        pcr0: ""
-      };
-    }
-    if (teeTMatch) {
-      return {
-        teeType: "tee_t",
-        ethAddress: teeTMatch[1],
-        // Store the full ETH address with 0x prefix
-        pcr0: ""
-      };
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-async function validateNitroAttestationAndExtractKey(attestationBytes) {
-  const errors = [];
-  const warnings = [];
-  try {
-    const crypto = new Crypto();
-    const decode = await getCborDecode();
-    let decoded;
-    try {
-      decoded = decode(Buffer.from(attestationBytes));
-    } catch (error) {
-      errors.push(`CBOR decoding failed: ${error.message}`);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    if (!Array.isArray(decoded) || decoded.length < 4) {
-      errors.push("Invalid COSE_Sign1 structure: expected array with 4 elements");
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    const [, , payload] = decoded;
-    if (!payload || payload.length === 0) {
-      errors.push("Empty or missing payload in COSE_Sign1 structure");
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    let doc;
-    try {
-      doc = decode(payload);
-    } catch (error) {
-      errors.push(`Payload decoding failed: ${error.message}`);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    if (doc.module_id.length === 0) {
-      errors.push("Missing or invalid module_id");
-    }
-    if (doc.digest.length === 0) {
-      errors.push("Missing or invalid digest");
-    }
-    if (!doc.pcrs || typeof doc.pcrs !== "object") {
-      errors.push("Missing or invalid pcrs");
-    }
-    if (!Buffer.isBuffer(doc.certificate) || doc.certificate.length === 0) {
-      errors.push("Missing or invalid certificate");
-    }
-    if (!Array.isArray(doc.cabundle) || doc.cabundle.length === 0) {
-      errors.push("Missing or invalid cabundle");
-    }
-    if (errors.length > 0) {
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    const pcr0 = doc.pcrs[0].toString("hex");
-    const intermediateCerts = [];
-    for (let i = 0; i < doc.cabundle.length; i++) {
-      try {
-        const cert = new X509Certificate(doc.cabundle[i].toString("base64"));
-        intermediateCerts.push(cert);
-      } catch (error) {
-        errors.push(`Failed to parse cabundle certificate ${i}: ${error.message}`);
-      }
-    }
-    let targetCert;
-    try {
-      targetCert = new X509Certificate(doc.certificate.toString("base64"));
-    } catch (error) {
-      errors.push(`Failed to parse target certificate: ${error.message}`);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    let rootCert;
-    try {
-      rootCert = new X509Certificate(AWS_NITRO_ROOT_CERT);
-    } catch (error) {
-      errors.push(`Failed to parse AWS Nitro root certificate: ${error.message}`);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    const chainResult = await validateCertificateChain(targetCert, intermediateCerts, rootCert, crypto);
-    if (!chainResult.isValid) {
-      errors.push(...chainResult.errors);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    let publicKeyRaw;
-    try {
-      publicKeyRaw = Buffer.from(targetCert.publicKey.rawData);
-    } catch (error) {
-      errors.push(`Failed to extract public key: ${error.message}`);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    if (publicKeyRaw.length !== 120 || publicKeyRaw[0] !== 48) {
-      errors.push(`Invalid public key format: expected 120-byte DER-encoded key, got ${publicKeyRaw.length} bytes`);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    let spki;
-    try {
-      spki = AsnParser.parse(publicKeyRaw, SubjectPublicKeyInfo);
-    } catch (error) {
-      errors.push(`Failed to parse SubjectPublicKeyInfo: ${error.message}`);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    const ecPoint = Buffer.from(spki.subjectPublicKey);
-    if (ecPoint.length !== 97 || ecPoint[0] !== 4) {
-      errors.push("Invalid EC point: expected 97-byte uncompressed P-384 key");
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    const x = ecPoint.subarray(1, 49);
-    const y = ecPoint.subarray(49, 97);
-    try {
-      const verifier = {
-        key: {
-          x,
-          y
-        }
-      };
-      const options = { defaultType: 18 };
-      await sign.verify(Buffer.from(attestationBytes), verifier, options);
-    } catch (error) {
-      errors.push(`COSE signature verification failed: ${error.message}`);
-      return { isValid: false, errors, warnings, pcr0: "" };
-    }
-    let userDataType;
-    let ethAddress;
-    if (doc.user_data) {
-      const keyInfo = extractPublicKeyFromUserData(doc.user_data);
-      if (keyInfo) {
-        userDataType = keyInfo.teeType;
-        ethAddress = keyInfo.ethAddress;
-      }
-    }
-    return {
-      isValid: errors.length === 0,
-      errors,
-      warnings,
-      userDataType,
-      ethAddress,
-      pcr0
-    };
-  } catch (error) {
-    errors.push(`Unexpected error during validation: ${error.message}`);
-    return { isValid: false, errors, warnings, pcr0: "" };
-  }
-}
-export {
-  validateNitroAttestationAndExtractKey
-};

package/lib/server/utils/oprf-raw.js DELETED Viewed

@@ -1,61 +0,0 @@
-import { getBytes } from "ethers";
-import { TOPRF_DOMAIN_SEPARATOR } from "#src/config/index.js";
-import { getEnvVariable } from "#src/utils/env.js";
-import { makeDefaultOPRFOperator } from "#src/utils/zk.js";
-async function computeOPRFRaw(plaintext, markers, logger) {
-  if (!markers.length) {
-    return [];
-  }
-  const PRIVATE_KEY_STR = getEnvVariable("TOPRF_SHARE_PRIVATE_KEY");
-  const PUBLIC_KEY_STR = getEnvVariable("TOPRF_SHARE_PUBLIC_KEY");
-  if (!PRIVATE_KEY_STR || !PUBLIC_KEY_STR) {
-    throw new Error("TOPRF keys not configured. Cannot compute oprf-raw.");
-  }
-  const privateKey = getBytes(PRIVATE_KEY_STR);
-  const publicKey = getBytes(PUBLIC_KEY_STR);
-  const operator = makeDefaultOPRFOperator("chacha20", "gnark", logger);
-  const results = [];
-  for (const marker of markers) {
-    const { dataLocation } = marker;
-    if (!dataLocation) {
-      logger.warn("oprf-raw marker missing dataLocation, skipping");
-      continue;
-    }
-    const { fromIndex, length } = dataLocation;
-    const endIndex = fromIndex + length;
-    if (endIndex > plaintext.length) {
-      throw new Error(
-        `oprf-raw marker out of bounds: fromIndex=${fromIndex}, length=${length}, plaintextLength=${plaintext.length}`
-      );
-    }
-    const data = plaintext.slice(fromIndex, endIndex);
-    const request = await operator.generateOPRFRequestData(
-      data,
-      TOPRF_DOMAIN_SEPARATOR,
-      logger
-    );
-    const response = await operator.evaluateOPRF(
-      privateKey,
-      request.maskedData,
-      logger
-    );
-    const nullifier = await operator.finaliseOPRF(
-      publicKey,
-      request,
-      [{ ...response, publicKeyShare: publicKey }],
-      logger
-    );
-    results.push({
-      dataLocation: { fromIndex, length },
-      nullifier
-    });
-    logger.debug(
-      { fromIndex, length, nullifierHex: Buffer.from(nullifier).toString("hex").slice(0, 16) + "..." },
-      "computed oprf-raw nullifier"
-    );
-  }
-  return results;
-}
-export {
-  computeOPRFRaw
-};

package/lib/server/utils/process-handshake.js DELETED Viewed

@@ -1,233 +0,0 @@
-import {
-  concatenateUint8Arrays,
-  getSignatureDataTls12,
-  getSignatureDataTls13,
-  PACKET_TYPE,
-  parseCertificates,
-  parseClientHello,
-  parseServerCertificateVerify,
-  parseServerHello,
-  processServerKeyShare,
-  SUPPORTED_RECORD_TYPE_MAP,
-  uint8ArrayToDataView,
-  verifyCertificateChain,
-  verifyCertificateSignature
-} from "@reclaimprotocol/tls";
-import { TranscriptMessageSenderType } from "#src/proto/api.js";
-import { decryptDirect } from "#src/utils/index.js";
-const RECORD_LENGTH_BYTES = 3;
-async function processHandshake(receipt, logger) {
-  const certificates = [];
-  const handshakeRawMessages = [];
-  let currentPacketIdx = 0;
-  let cipherSuite = void 0;
-  let tlsVersion = void 0;
-  let serverRandom = void 0;
-  let clientRandom = void 0;
-  let serverFinishedIdx = -1;
-  let clientFinishedIdx = -1;
-  let certVerified = false;
-  let certVerifyHandled = false;
-  let hostname = void 0;
-  let clientChangeCipherSpecMsgIdx = -1;
-  let serverChangeCipherSpecMsgIdx = -1;
-  let incompletePkt = void 0;
-  while (serverFinishedIdx < 0 || clientFinishedIdx < 0) {
-    const packetIdx = currentPacketIdx++;
-    if (packetIdx >= receipt.length) {
-      throw new Error(
-        "Receipt over but server finish: " + serverFinishedIdx + ", client finish: " + clientFinishedIdx
-      );
-    }
-    const { message, reveal, sender } = receipt[packetIdx];
-    if (message[0] === PACKET_TYPE["CHANGE_CIPHER_SPEC"]) {
-      if (sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
-        clientChangeCipherSpecMsgIdx = packetIdx;
-        logger.trace("found client change cipher spec message");
-      } else {
-        serverChangeCipherSpecMsgIdx = packetIdx;
-        logger.trace("found server change cipher spec message");
-      }
-      continue;
-    }
-    let plaintext = getWithoutHeader(message);
-    if (!plaintext) {
-      throw new Error("incomplete TLS record encountered");
-    }
-    if (
-      // decrypt if wrapped record or after change cipher spec message,
-      // after which records are encrypted
-      message[0] === PACKET_TYPE["WRAPPED_RECORD"] || serverChangeCipherSpecMsgIdx > 0 && sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER || clientChangeCipherSpecMsgIdx > 0 && sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT
-    ) {
-      if (!tlsVersion || !cipherSuite) {
-        throw new Error("Could not find cipherSuite to use & got enc record");
-      }
-      if (!reveal?.directReveal?.key) {
-        throw new Error(
-          "no direct reveal for handshake packet: " + packetIdx
-        );
-      }
-      const recordHeader = message.slice(0, 5);
-      ({ plaintext } = await decryptDirect(
-        reveal?.directReveal,
-        cipherSuite,
-        recordHeader,
-        tlsVersion,
-        plaintext
-      ));
-      if (tlsVersion === "TLS1_3") {
-        plaintext = plaintext.slice(0, -1);
-      }
-    }
-    if (incompletePkt) {
-      const incSender = receipt[incompletePkt.packetIdx].sender;
-      if (incSender !== sender) {
-        throw new Error(
-          "Missing follow up to incomplete packet at idx: " + incompletePkt.packetIdx
-        );
-      }
-      plaintext = concatenateUint8Arrays([
-        incompletePkt.remainingBytes,
-        plaintext
-      ]);
-      incompletePkt = void 0;
-    }
-    const handshakeMessages = [];
-    for (let offset = 0; offset < plaintext.length; ) {
-      const type = plaintext[offset];
-      const content = readWithLength(plaintext.slice(offset + 1), RECORD_LENGTH_BYTES);
-      if (!content) {
-        incompletePkt = {
-          remainingBytes: plaintext.slice(offset),
-          packetIdx
-        };
-        break;
-      }
-      handshakeMessages.push({
-        type,
-        content,
-        contentWithHeader: plaintext.slice(
-          offset,
-          offset + 1 + RECORD_LENGTH_BYTES + content.length
-        ),
-        packetIdx
-      });
-      offset += 1 + RECORD_LENGTH_BYTES + content.length;
-    }
-    for (const msg of handshakeMessages) {
-      await processHandshakeMessage(msg);
-      handshakeRawMessages.push(msg.contentWithHeader);
-    }
-  }
-  if (!certVerified) {
-    throw new Error("No provider certificates received");
-  }
-  if (tlsVersion === "TLS1_3" && serverFinishedIdx < 0) {
-    throw new Error("server finished message not found");
-  }
-  if (tlsVersion === "TLS1_3" && !certVerifyHandled) {
-    throw new Error("TLS1.3 cert verify packet not received");
-  }
-  if (tlsVersion === "TLS1_2" && (serverChangeCipherSpecMsgIdx < 0 || clientChangeCipherSpecMsgIdx < 0)) {
-    throw new Error("change cipher spec message not found");
-  }
-  const nextMsgIndex = Math.max(serverFinishedIdx, clientFinishedIdx) + 1;
-  return {
-    tlsVersion,
-    cipherSuite,
-    hostname,
-    nextMsgIndex
-  };
-  async function processHandshakeMessage({ type, content, contentWithHeader, packetIdx }) {
-    switch (type) {
-      case SUPPORTED_RECORD_TYPE_MAP.CLIENT_HELLO:
-        const clientHello = parseClientHello(contentWithHeader);
-        clientRandom = clientHello.serverRandom;
-        const { SERVER_NAME: sni } = clientHello.extensions;
-        hostname = sni?.serverName;
-        if (!hostname) {
-          throw new Error("client hello has no SNI");
-        }
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.SERVER_HELLO:
-        const serverHello = await parseServerHello(content);
-        cipherSuite = serverHello.cipherSuite;
-        tlsVersion = serverHello.serverTlsVersion;
-        serverRandom = serverHello.serverRandom;
-        logger.info(
-          { serverTLSVersion: tlsVersion, cipherSuite },
-          "extracted server hello params"
-        );
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE:
-        const parseResult = parseCertificates(content, { version: tlsVersion });
-        certificates.push(...parseResult.certificates);
-        await verifyCertificateChain(certificates, hostname, logger);
-        logger.info({ hostname }, "verified provider certificate chain");
-        certVerified = true;
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE_VERIFY:
-        const signature = parseServerCertificateVerify(content);
-        if (!certificates?.length) {
-          throw new Error("No provider certificates received");
-        }
-        const signatureData = await getSignatureDataTls13(
-          handshakeRawMessages,
-          cipherSuite
-        );
-        await verifyCertificateSignature({
-          ...signature,
-          publicKey: certificates[0].getPublicKey(),
-          signatureData
-        });
-        certVerifyHandled = true;
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.SERVER_KEY_SHARE:
-        if (!certificates?.length) {
-          throw new Error("No provider certificates received");
-        }
-        const keyShare = await processServerKeyShare(content);
-        const signatureData12 = await getSignatureDataTls12(
-          {
-            clientRandom,
-            serverRandom,
-            curveType: keyShare.publicKeyType,
-            publicKey: keyShare.publicKey
-          }
-        );
-        await verifyCertificateSignature({
-          signature: keyShare.signatureBytes,
-          algorithm: keyShare.signatureAlgorithm,
-          publicKey: certificates[0].getPublicKey(),
-          signatureData: signatureData12,
-          publicKeyType: keyShare.publicKeyType
-        });
-        await verifyCertificateChain(certificates, hostname, logger);
-        logger.info({ hostname }, "verified provider certificate chain");
-        certVerified = true;
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.FINISHED:
-        const packet = receipt[packetIdx];
-        if (packet.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
-          clientFinishedIdx = packetIdx;
-        } else {
-          serverFinishedIdx = packetIdx;
-        }
-        break;
-    }
-  }
-}
-function getWithoutHeader(message) {
-  return readWithLength(message.slice(3), 2);
-}
-function readWithLength(data, lengthBytes = 2) {
-  const dataView = uint8ArrayToDataView(data);
-  const length = lengthBytes === 1 ? dataView.getUint8(0) : dataView.getUint16(lengthBytes === 3 ? 1 : 0);
-  if (data.length < lengthBytes + length) {
-    return void 0;
-  }
-  return data.slice(lengthBytes, lengthBytes + length);
-}
-export {
-  processHandshake
-};

package/lib/server/utils/proxy-session.js DELETED Viewed

@@ -1,6 +0,0 @@
-function isValidProxySessionId(sessionId) {
-  return typeof sessionId === "string" && sessionId.length >= 8 && sessionId.length < 15 && /^[a-z0-9]+$/.test(sessionId);
-}
-export {
-  isValidProxySessionId
-};

package/lib/server/utils/tee-oprf-mpc-verification.js DELETED Viewed

@@ -1,86 +0,0 @@
-import { AttestorError } from "#src/utils/error.js";
-function verifyOprfMpcOutputs(kPayload, tPayload, logger) {
-  const kOutputs = kPayload.oprfOutputs || [];
-  const tOutputs = tPayload.oprfOutputs || [];
-  if (kOutputs.length === 0 && tOutputs.length === 0) {
-    logger.debug("No OPRF MPC outputs to verify");
-    return [];
-  }
-  if (kOutputs.length !== tOutputs.length) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `OPRF MPC count mismatch: TEE_K has ${kOutputs.length}, TEE_T has ${tOutputs.length}`
-    );
-  }
-  logger.info(`Verifying ${kOutputs.length} OPRF MPC outputs`);
-  const results = [];
-  for (const [i, kOut] of kOutputs.entries()) {
-    const tOut = tOutputs[i];
-    if (kOut.tlsStart < 0 || tOut.tlsStart < 0) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC invalid position at index ${i}: negative start position`
-      );
-    }
-    if (kOut.tlsLength <= 0 || kOut.tlsLength > 64 || tOut.tlsLength <= 0 || tOut.tlsLength > 64) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC invalid length at index ${i}: must be 1-64 bytes (TEE_K: ${kOut.tlsLength}, TEE_T: ${tOut.tlsLength})`
-      );
-    }
-    if (kOut.hashOutput.length !== 32 || tOut.hashOutput.length !== 32) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC invalid hash size at index ${i}: expected 32 bytes (TEE_K: ${kOut.hashOutput.length}, TEE_T: ${tOut.hashOutput.length})`
-      );
-    }
-    if (kOut.tlsStart !== tOut.tlsStart || kOut.tlsLength !== tOut.tlsLength) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC position mismatch at index ${i}: TEE_K [${kOut.tlsStart}:${kOut.tlsStart + kOut.tlsLength}] vs TEE_T [${tOut.tlsStart}:${tOut.tlsStart + tOut.tlsLength}]`
-      );
-    }
-    if (!buffersEqual(kOut.hashOutput, tOut.hashOutput)) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC hash mismatch at index ${i}: outputs differ between TEE_K and TEE_T`
-      );
-    }
-    const hashOutputHex = Buffer.from(kOut.hashOutput).toString("hex");
-    const hashOutputBase64 = Buffer.from(kOut.hashOutput).toString("base64");
-    logger.info(
-      {
-        index: i,
-        position: kOut.tlsStart,
-        length: kOut.tlsLength,
-        hashOutputLen: kOut.hashOutput.length,
-        hashOutputHex: hashOutputHex.substring(0, 32) + "...",
-        hashOutputBase64Preview: hashOutputBase64.substring(0, 20) + "..."
-      },
-      "OPRF MPC output verified"
-    );
-    results.push({
-      position: kOut.tlsStart,
-      length: kOut.tlsLength,
-      output: new Uint8Array(kOut.hashOutput),
-      // Use SHA256(CMAC) as the replacement value
-      isMPC: true
-    });
-  }
-  logger.info(`Successfully verified ${results.length} OPRF MPC outputs`);
-  return results;
-}
-function buffersEqual(a, b) {
-  if (a.length !== b.length) {
-    return false;
-  }
-  for (const [i, element] of a.entries()) {
-    if (element !== b[i]) {
-      return false;
-    }
-  }
-  return true;
-}
-export {
-  verifyOprfMpcOutputs
-};