@reclaimprotocol/attestor-core 5.0.1-beta.13 → 5.0.1-beta.16

package/lib/server/utils/tee-oprf-verification.js

@@ -1,151 +0,0 @@
-import bs58 from "bs58";
-import { AttestorError } from "#src/utils/error.js";
-import { makeDefaultOPRFOperator } from "#src/utils/zk.js";
-async function verifyOprfProofs(bundleData, logger) {
-  if (!bundleData.oprfVerifications || bundleData.oprfVerifications.length === 0) {
-    logger.debug("No OPRF verifications present in bundle");
-    return [];
-  }
-  const { tOutputPayload } = bundleData;
-  const consolidatedCiphertext = tOutputPayload.consolidatedResponseCiphertext;
-  if (!consolidatedCiphertext || consolidatedCiphertext.length === 0) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "No consolidated ciphertext for OPRF verification");
-  }
-  const results = [];
-  logger.info(`Verifying ${bundleData.oprfVerifications.length} OPRF proofs`);
-  for (const [idx, oprfData] of bundleData.oprfVerifications.entries()) {
-    try {
-      const result = await verifySingleOprfProof(
-        oprfData,
-        consolidatedCiphertext,
-        idx,
-        logger
-      );
-      results.push(result);
-    } catch (error) {
-      logger.error({ error, index: idx }, "OPRF proof verification failed");
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF verification failed at index ${idx}: ${error.message}`
-      );
-    }
-  }
-  logger.info(`Successfully verified ${results.length} OPRF proofs`);
-  return results;
-}
-async function verifySingleOprfProof(oprfData, consolidatedCiphertext, index, logger) {
-  const publicSignalsJson = JSON.parse(new TextDecoder().decode(oprfData.publicSignalsJson));
-  const { proof, publicSignals, cipher } = publicSignalsJson;
-  if (!proof || !publicSignals) {
-    throw new Error("Missing proof or public signals in OPRF data");
-  }
-  const ciphertextChunk = consolidatedCiphertext.slice(
-    oprfData.streamPos,
-    oprfData.streamPos + oprfData.streamLength
-  );
-  const completePublicSignals = {
-    out: publicSignals.out || Uint8Array.from([]),
-    // Replace null input with extracted ciphertext
-    in: ciphertextChunk,
-    // Convert base64 nonces and counters
-    noncesAndCounters: publicSignals.blocks?.map((block) => ({
-      nonce: Buffer.from(block.nonce || "", "base64"),
-      counter: block.counter || 0,
-      boundary: block.boundary || ""
-    })) || [],
-    // Process TOPRF data
-    toprf: publicSignals.toprf ? {
-      ...publicSignals.toprf,
-      // Convert domain separator from base64
-      domainSeparator: publicSignals.toprf.domainSeparator ? Buffer.from(publicSignals.toprf.domainSeparator, "base64").toString("utf8") : "reclaim",
-      // Convert output from base64
-      output: publicSignals.toprf.output ? Buffer.from(publicSignals.toprf.output, "base64") : new Uint8Array(),
-      // Convert response fields from base64
-      responses: publicSignals.toprf.responses?.map((resp) => ({
-        publicKeyShare: Buffer.from(resp.publicKeyShare || "", "base64"),
-        evaluated: Buffer.from(resp.evaluated || "", "base64"),
-        c: Buffer.from(resp.c || "", "base64"),
-        r: Buffer.from(resp.r || "", "base64")
-      })) || [],
-      // Locations are already in correct format
-      locations: publicSignals.toprf.locations || []
-    } : void 0
-  };
-  const algorithm = cipher.replace("-toprf", "");
-  const zkEngine = "gnark";
-  const oprfOperator = makeDefaultOPRFOperator(algorithm, zkEngine, logger);
-  const proofBytes = Buffer.from(proof, "base64");
-  const isValid = await oprfOperator.groth16Verify(
-    completePublicSignals,
-    proofBytes,
-    logger
-  );
-  if (!isValid) {
-    throw new Error("OPRF proof verification failed");
-  }
-  logger.debug(`OPRF ${index}: Proof verified successfully`);
-  const oprfOutput = completePublicSignals.toprf?.output;
-  if (!oprfOutput || oprfOutput.length === 0) {
-    throw new Error("No OPRF output found in verified proof");
-  }
-  const oprfLocation = completePublicSignals.toprf?.locations?.[0];
-  if (!oprfLocation) {
-    throw new Error("No OPRF location found in public signals");
-  }
-  logger.info(`OPRF #${index}: streamPos=${oprfData.streamPos}, locationPos=${oprfLocation.pos}, finalPos=${oprfData.streamPos + oprfLocation.pos}, len=${oprfLocation.len}`);
-  return {
-    // The position in the plaintext where to replace (stream position + OPRF location within chunk)
-    position: oprfData.streamPos + oprfLocation.pos,
-    length: oprfLocation.len,
-    output: oprfOutput
-  };
-}
-function replaceOprfRanges(plaintext, oprfResults, logger) {
-  if (oprfResults.length === 0) {
-    return plaintext;
-  }
-  const replacements = oprfResults.map((result) => {
-    let outputBytes;
-    let encodedOutput;
-    if (result.isMPC) {
-      encodedOutput = bs58.encode(result.output);
-      outputBytes = new TextEncoder().encode(encodedOutput);
-    } else {
-      encodedOutput = Buffer.from(result.output).toString("base64");
-      const truncated = encodedOutput.substring(0, result.length);
-      outputBytes = new TextEncoder().encode(truncated);
-    }
-    return { result, outputBytes, encodedOutput };
-  });
-  replacements.sort((a, b) => a.result.position - b.result.position);
-  let newSize = plaintext.length;
-  for (const { result, outputBytes } of replacements) {
-    const sizeDiff = outputBytes.length - result.length;
-    newSize += sizeDiff;
-  }
-  logger.info(`Transcript size: ${plaintext.length} -> ${newSize} (${newSize - plaintext.length >= 0 ? "+" : ""}${newSize - plaintext.length} bytes)`);
-  const newPlaintext = new Uint8Array(newSize);
-  let srcPos = 0;
-  let dstPos = 0;
-  for (const [idx, { result, outputBytes, encodedOutput }] of replacements.entries()) {
-    const segmentLength = result.position - srcPos;
-    if (segmentLength > 0) {
-      newPlaintext.set(plaintext.slice(srcPos, result.position), dstPos);
-      dstPos += segmentLength;
-    }
-    const currentContent = plaintext.slice(result.position, result.position + result.length);
-    logger.info(`OPRF #${idx} at pos ${result.position}: "${Buffer.from(currentContent).toString("utf8")}" (${result.length}b) -> "${encodedOutput}" (${outputBytes.length}b)${result.isMPC ? " [MPC/base58]" : ""}`);
-    newPlaintext.set(outputBytes, dstPos);
-    dstPos += outputBytes.length;
-    srcPos = result.position + result.length;
-  }
-  if (srcPos < plaintext.length) {
-    newPlaintext.set(plaintext.slice(srcPos), dstPos);
-  }
-  logger.info(`Replaced ${oprfResults.length} OPRF ranges in plaintext`);
-  return newPlaintext;
-}
-export {
-  replaceOprfRanges,
-  verifyOprfProofs
-};

package/lib/server/utils/tee-transcript-reconstruction.js

@@ -1,140 +0,0 @@
-import { AttestorError } from "#src/utils/error.js";
-import { REDACTION_CHAR_CODE } from "#src/utils/index.js";
-async function reconstructTlsTranscript(bundleData, logger, oprfResults) {
-  try {
-    const revealedRequest = reconstructRequest(bundleData, logger);
-    const reconstructedResponse = await reconstructConsolidatedResponse(bundleData, logger, oprfResults);
-    const certificateInfo = bundleData.kOutputPayload.certificateInfo;
-    logger.info("TLS transcript reconstruction completed successfully", {
-      requestSize: revealedRequest.length,
-      responseSize: reconstructedResponse.length,
-      hasCertificateInfo: !!certificateInfo
-    });
-    return {
-      revealedRequest,
-      reconstructedResponse,
-      certificateInfo
-    };
-  } catch (error) {
-    logger.error({ error }, "TLS transcript reconstruction failed");
-    throw new AttestorError("ERROR_INVALID_CLAIM", `Transcript reconstruction failed: ${error.message}`);
-  }
-}
-function reconstructRequest(bundleData, logger) {
-  const { kOutputPayload } = bundleData;
-  if (!kOutputPayload.requestRedactionRanges || kOutputPayload.requestRedactionRanges.length === 0) {
-    logger.warn("No request redaction ranges - using redacted request as-is");
-    return kOutputPayload.redactedRequest;
-  }
-  const revealedRequest = new Uint8Array(kOutputPayload.redactedRequest);
-  const prettyRequest = new Uint8Array(revealedRequest);
-  for (const range of kOutputPayload.requestRedactionRanges) {
-    if (!range.type.includes("proof")) {
-      const start = range.start;
-      const length = range.length;
-      for (let i = 0; i < length && start + i < prettyRequest.length; i++) {
-        prettyRequest[start + i] = REDACTION_CHAR_CODE;
-      }
-    }
-  }
-  return prettyRequest;
-}
-async function reconstructConsolidatedResponse(bundleData, logger, oprfResults) {
-  const { kOutputPayload, tOutputPayload } = bundleData;
-  const consolidatedKeystream = kOutputPayload.consolidatedResponseKeystream;
-  const consolidatedCiphertext = tOutputPayload.consolidatedResponseCiphertext;
-  if (!consolidatedKeystream || consolidatedKeystream.length === 0) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "No consolidated response keystream available");
-  }
-  if (!consolidatedCiphertext || consolidatedCiphertext.length === 0) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "No consolidated response ciphertext available");
-  }
-  if (consolidatedKeystream.length !== consolidatedCiphertext.length) {
-    logger.warn("Keystream and ciphertext length mismatch", {
-      keystreamLength: consolidatedKeystream.length,
-      ciphertextLength: consolidatedCiphertext.length
-    });
-  }
-  const minLength = Math.min(consolidatedKeystream.length, consolidatedCiphertext.length);
-  const reconstructedResponse = new Uint8Array(minLength);
-  for (let i = 0; i < minLength; i++) {
-    reconstructedResponse[i] = consolidatedKeystream[i] ^ consolidatedCiphertext[i];
-  }
-  logger.info(`Reconstructed response: ${reconstructedResponse.length} bytes, ${kOutputPayload.responseRedactionRanges?.length || 0} redaction ranges`);
-  let processedResponse = applyResponseRedactionRanges(reconstructedResponse, kOutputPayload.responseRedactionRanges, logger);
-  if (oprfResults && oprfResults.length > 0) {
-    logger.info(`Applying ${oprfResults.length} OPRF replacements before trimming`);
-    const { replaceOprfRanges } = await import("#src/server/utils/tee-oprf-verification.js");
-    processedResponse = replaceOprfRanges(processedResponse, oprfResults, logger);
-  }
-  let leadingAsterisks = 0;
-  for (const element of processedResponse) {
-    if (element === REDACTION_CHAR_CODE) {
-      leadingAsterisks++;
-    } else {
-      break;
-    }
-  }
-  let trailingAsterisks = 0;
-  for (let i = processedResponse.length - 1; i >= leadingAsterisks; i--) {
-    if (processedResponse[i] === REDACTION_CHAR_CODE) {
-      trailingAsterisks++;
-    } else {
-      break;
-    }
-  }
-  const finalLength = processedResponse.length - leadingAsterisks - trailingAsterisks;
-  logger.info(`After processing: ${processedResponse.length} bytes, ${leadingAsterisks} leading and ${trailingAsterisks} trailing asterisks trimmed, final: ${finalLength} bytes`);
-  return processedResponse.slice(leadingAsterisks, processedResponse.length - trailingAsterisks);
-}
-function applyResponseRedactionRanges(response, redactionRanges, logger) {
-  if (!redactionRanges || redactionRanges.length === 0) {
-    return response;
-  }
-  const result = new Uint8Array(response);
-  const consolidatedRanges = consolidateRedactionRanges(redactionRanges);
-  if (logger) {
-    logger.info(`Applying ${consolidatedRanges.length} redaction ranges to ${response.length} byte response`);
-  }
-  for (const [idx, range] of consolidatedRanges.entries()) {
-    const rangeStart = range.start;
-    const rangeEnd = range.start + range.length;
-    if (rangeStart < 0 || rangeEnd > result.length) {
-      if (logger) {
-        logger.warn(`Redaction range #${idx} out of bounds: [${rangeStart}-${rangeEnd}] vs ${result.length}`);
-      }
-      continue;
-    }
-    if (logger && idx < 3) {
-      logger.info(`Redaction range #${idx}: [${rangeStart}-${rangeEnd}]`);
-    }
-    for (let i = rangeStart; i < rangeEnd; i++) {
-      result[i] = REDACTION_CHAR_CODE;
-    }
-  }
-  return result;
-}
-function consolidateRedactionRanges(ranges) {
-  if (ranges.length === 0) {
-    return [];
-  }
-  const sortedRanges = [...ranges].sort((a, b) => a.start - b.start);
-  const consolidated = [];
-  let current = { ...sortedRanges[0] };
-  for (let i = 1; i < sortedRanges.length; i++) {
-    const next = sortedRanges[i];
-    if (next.start <= current.start + current.length) {
-      const endCurrent = current.start + current.length;
-      const endNext = next.start + next.length;
-      current.length = Math.max(endCurrent, endNext) - current.start;
-    } else {
-      consolidated.push(current);
-      current = { ...next };
-    }
-  }
-  consolidated.push(current);
-  return consolidated;
-}
-export {
-  reconstructTlsTranscript
-};

package/lib/server/utils/tee-verification.js

@@ -1,358 +0,0 @@
-import { ServiceSignatureType } from "#src/proto/api.js";
-import { BodyType, KOutputPayload, TOutputPayload, VerificationBundle } from "#src/proto/tee-bundle.js";
-import { validateGcpAttestationAndExtractKey } from "#src/server/utils/gcp-attestation.js";
-import { validateNitroAttestationAndExtractKey } from "#src/server/utils/nitro-attestation.js";
-import { AttestorError } from "#src/utils/error.js";
-import { SIGNATURES } from "#src/utils/signatures/index.js";
-async function verifyTeeBundle(bundleBytes, logger) {
-  const bundle = parseVerificationBundle(bundleBytes);
-  validateBundleCompleteness(bundle);
-  const { teekKeyResult, teetKeyResult } = await extractPublicKeys(bundle, logger);
-  await verifyTeeSignatures(bundle, teekKeyResult, teetKeyResult, logger);
-  if (!bundle.teekSigned || !bundle.teetSigned) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "Missing TEE signed messages");
-  }
-  const kOutputPayload = parseKOutputPayload(bundle.teekSigned);
-  const tOutputPayload = parseTOutputPayload(bundle.teetSigned);
-  validateTimestamps(kOutputPayload, tOutputPayload, logger);
-  const teeSessionId = validateSessionIds(kOutputPayload, tOutputPayload, logger);
-  logger.info("TEE bundle verification successful");
-  return {
-    teekSigned: bundle.teekSigned,
-    teetSigned: bundle.teetSigned,
-    kOutputPayload,
-    tOutputPayload,
-    teekPcr0: teekKeyResult.pcr0,
-    teetPcr0: teetKeyResult.pcr0,
-    teeSessionId
-  };
-}
-function parseVerificationBundle(bundleBytes) {
-  try {
-    return VerificationBundle.decode(bundleBytes);
-  } catch (error) {
-    throw new Error(`Failed to parse verification bundle: ${error.message}`);
-  }
-}
-function validateBundleCompleteness(bundle) {
-  if (!bundle.teekSigned) {
-    throw new Error("SECURITY ERROR: missing TEE_K signed message - verification bundle incomplete");
-  }
-  if (!bundle.teetSigned) {
-    throw new Error("SECURITY ERROR: missing TEE_T signed message - verification bundle incomplete");
-  }
-  const hasAttestations = bundle.teekSigned.attestationReport?.report && bundle.teekSigned.attestationReport.report.length > 0 || bundle.teetSigned.attestationReport?.report && bundle.teetSigned.attestationReport.report.length > 0;
-  const hasPublicKeys = bundle.teekSigned.ethAddress && bundle.teekSigned.ethAddress.length > 0 || bundle.teetSigned.ethAddress && bundle.teetSigned.ethAddress.length > 0;
-  if (!hasAttestations && !hasPublicKeys) {
-    throw new Error("SECURITY ERROR: bundle must have either Nitro attestations (production) or embedded public keys (development)");
-  }
-  if (bundle.teekSigned.bodyType !== BodyType.BODY_TYPE_K_OUTPUT) {
-    throw new Error("Invalid TEE_K signed message: wrong body type");
-  }
-  if (bundle.teetSigned.bodyType !== BodyType.BODY_TYPE_T_OUTPUT) {
-    throw new Error("Invalid TEE_T signed message: wrong body type");
-  }
-  if (!bundle.teekSigned.body || bundle.teekSigned.body.length === 0) {
-    throw new Error("Invalid TEE_K signed message: empty body");
-  }
-  if (!bundle.teetSigned.body || bundle.teetSigned.body.length === 0) {
-    throw new Error("Invalid TEE_T signed message: empty body");
-  }
-  if (!bundle.teekSigned.signature || bundle.teekSigned.signature.length === 0) {
-    throw new Error("Invalid TEE_K signed message: missing signature");
-  }
-  if (!bundle.teetSigned.signature || bundle.teetSigned.signature.length === 0) {
-    throw new Error("Invalid TEE_T signed message: missing signature");
-  }
-}
-async function extractPublicKeys(bundle, logger) {
-  const hasEmbeddedAttestations = bundle.teekSigned.attestationReport?.report && bundle.teekSigned.attestationReport.report.length > 0 && (bundle.teetSigned.attestationReport?.report && bundle.teetSigned.attestationReport.report.length > 0);
-  let teekKeyResult;
-  let teetKeyResult;
-  if (hasEmbeddedAttestations) {
-    logger.info("Using production mode: extracting keys from attestations");
-    if (!bundle.teekSigned?.attestationReport?.report) {
-      throw new Error("TEE_K embedded attestation report missing");
-    }
-    if (!bundle.teetSigned?.attestationReport?.report) {
-      throw new Error("TEE_T embedded attestation report missing");
-    }
-    const teekAttestationType = bundle.teekSigned.attestationReport.type || "nitro";
-    const teetAttestationType = bundle.teetSigned.attestationReport.type || "nitro";
-    logger.info(`TEE_K attestation type: ${teekAttestationType}`);
-    logger.info(`TEE_T attestation type: ${teetAttestationType}`);
-    const teekAttestationBytes = bundle.teekSigned.attestationReport.report;
-    const teetAttestationBytes = bundle.teetSigned.attestationReport.report;
-    if (teekAttestationType === "gcp") {
-      const gcpResult = await validateGcpAttestationAndExtractKey(teekAttestationBytes, logger);
-      if (!gcpResult.isValid) {
-        throw new Error(`TEE_K GCP attestation validation failed: ${gcpResult.errors.join(", ")}`);
-      }
-      if (!gcpResult.ethAddress) {
-        throw new Error("TEE_K GCP attestation validation failed: no address");
-      }
-      if (gcpResult.userDataType !== "tee_k") {
-        throw new Error(`TEE_K GCP attestation validation failed: wrong TEE type, expected tee_k, got ${gcpResult.userDataType}`);
-      }
-      teekKeyResult = {
-        teeType: gcpResult.userDataType,
-        ethAddress: "0x" + Buffer.from(gcpResult.ethAddress).toString("hex"),
-        pcr0: gcpResult.pcr0 || "gcp-no-digest"
-      };
-    } else {
-      const nitroResult = await validateNitroAttestationAndExtractKey(teekAttestationBytes);
-      if (!nitroResult.isValid) {
-        throw new Error(`TEE_K Nitro attestation validation failed: ${nitroResult.errors.join(", ")}`);
-      }
-      if (!nitroResult.ethAddress) {
-        throw new Error("TEE_K Nitro attestation validation failed: no address");
-      }
-      if (nitroResult.userDataType !== "tee_k") {
-        throw new Error(`TEE_K Nitro attestation validation failed: wrong TEE type, expected tee_k, got ${nitroResult.userDataType}`);
-      }
-      teekKeyResult = {
-        teeType: nitroResult.userDataType,
-        ethAddress: nitroResult.ethAddress,
-        pcr0: nitroResult.pcr0
-      };
-    }
-    if (teetAttestationType === "gcp") {
-      const gcpResult = await validateGcpAttestationAndExtractKey(teetAttestationBytes, logger);
-      if (!gcpResult.isValid) {
-        throw new Error(`TEE_T GCP attestation validation failed: ${gcpResult.errors.join(", ")}`);
-      }
-      if (!gcpResult.ethAddress) {
-        throw new Error("TEE_T GCP attestation validation failed: no address");
-      }
-      if (gcpResult.userDataType !== "tee_t") {
-        throw new Error(`TEE_T GCP attestation validation failed: wrong TEE type, expected tee_t, got ${gcpResult.userDataType}`);
-      }
-      teetKeyResult = {
-        teeType: gcpResult.userDataType,
-        ethAddress: "0x" + Buffer.from(gcpResult.ethAddress).toString("hex"),
-        pcr0: gcpResult.pcr0 || "gcp-no-digest"
-      };
-      if (!gcpResult.envVars?.EXPECTED_TEEK_PCR0) {
-        throw new Error("TEE_T GCP attestation missing required EXPECTED_TEEK_PCR0 environment variable");
-      }
-      const expectedPcr0 = gcpResult.envVars.EXPECTED_TEEK_PCR0;
-      const actualPcr0 = teekKeyResult.pcr0;
-      logger.info(`Cross-validating TEE_K PCR0: expected=${expectedPcr0}, actual=${actualPcr0}`);
-      if (expectedPcr0 !== actualPcr0) {
-        throw new Error(`TEE cross-validation failed: TEE_T expects TEE_K PCR0 "${expectedPcr0}" but got "${actualPcr0}"`);
-      }
-      logger.info("TEE cross-validation successful: TEE_K PCR0 matches TEE_T expectation");
-    } else {
-      const nitroResult = await validateNitroAttestationAndExtractKey(teetAttestationBytes);
-      if (!nitroResult.isValid) {
-        throw new Error(`TEE_T Nitro attestation validation failed: ${nitroResult.errors.join(", ")}`);
-      }
-      if (!nitroResult.ethAddress) {
-        throw new Error("TEE_T Nitro attestation validation failed: no address");
-      }
-      if (nitroResult.userDataType !== "tee_t") {
-        throw new Error(`TEE_T Nitro attestation validation failed: wrong TEE type, expected tee_t, got ${nitroResult.userDataType}`);
-      }
-      teetKeyResult = {
-        teeType: nitroResult.userDataType,
-        ethAddress: nitroResult.ethAddress,
-        pcr0: nitroResult.pcr0
-      };
-    }
-    logger.info("Attestations validated successfully");
-  } else {
-    const standaloneEnabled = process.env.TEE_STANDALONE === "true" || process.env.TEE_STANDALONE === "1";
-    if (!standaloneEnabled) {
-      throw new Error("Missing attestation reports and standalone mode is not enabled (set TEE_STANDALONE=true to enable)");
-    }
-    const hasEmbeddedKeys = bundle.teekSigned.ethAddress && bundle.teekSigned.ethAddress.length > 0 && (bundle.teetSigned.ethAddress && bundle.teetSigned.ethAddress.length > 0);
-    if (!hasEmbeddedKeys) {
-      throw new Error("Missing attestation and no embedded ETH addresses for standalone mode");
-    }
-    logger.warn("STANDALONE MODE ENABLED: Using embedded ETH addresses without attestation verification");
-    const teekAddress = Buffer.from(bundle.teekSigned.ethAddress).toString("utf8");
-    teekKeyResult = {
-      teeType: "tee_k",
-      ethAddress: teekAddress,
-      pcr0: "standalone-mode"
-      // No PCR0 in standalone mode
-    };
-    logger.info(`TEE_K standalone address: ${teekAddress}`);
-    const teetAddress = Buffer.from(bundle.teetSigned.ethAddress).toString("utf8");
-    teetKeyResult = {
-      teeType: "tee_t",
-      ethAddress: teetAddress,
-      pcr0: "standalone-mode"
-      // No PCR0 in standalone mode
-    };
-    logger.info(`TEE_T standalone address: ${teetAddress}`);
-    logger.info("Standalone mode key extraction successful");
-  }
-  return {
-    teekKeyResult,
-    teetKeyResult
-  };
-}
-async function verifyTeeSignatures(bundle, teekKeyResult, teetKeyResult, logger) {
-  if (!bundle.teekSigned) {
-    throw new Error("TEE_K signed message is missing");
-  }
-  const teekResult = await verifyTeeSignature(
-    bundle.teekSigned,
-    teekKeyResult,
-    "TEE_K",
-    logger
-  );
-  if (!teekResult.isValid) {
-    throw new Error(`TEE_K signature verification failed: ${teekResult.errors.join(", ")}`);
-  }
-  if (!bundle.teetSigned) {
-    throw new Error("TEE_T signed message is missing");
-  }
-  const teetResult = await verifyTeeSignature(
-    bundle.teetSigned,
-    teetKeyResult,
-    "TEE_T",
-    logger
-  );
-  if (!teetResult.isValid) {
-    throw new Error(`TEE_T signature verification failed: ${teetResult.errors.join(", ")}`);
-  }
-  logger.info("TEE signatures verified successfully");
-}
-async function verifyTeeSignature(signedMessage, extractedKey, teeType, logger) {
-  const errors = [];
-  if (!signedMessage) {
-    return {
-      isValid: false,
-      errors: ["Signed message is null or undefined"]
-    };
-  }
-  try {
-    let ethAddress;
-    if (extractedKey.ethAddress) {
-      ethAddress = extractedKey.ethAddress;
-      logger.debug(`${teeType} using ETH address from attestation: ${ethAddress}`);
-    } else {
-      return {
-        isValid: false,
-        errors: ["eth address is null"]
-      };
-    }
-    const { verify: verifySig } = SIGNATURES[ServiceSignatureType.SERVICE_SIGNATURE_TYPE_ETH];
-    const isValid = await verifySig(
-      signedMessage.body,
-      signedMessage.signature,
-      ethAddress
-    );
-    if (!isValid) {
-      errors.push(`${teeType} signature verification failed for address ${ethAddress}`);
-    }
-    logger.debug(`${teeType} signature verification result: ${isValid} for address ${ethAddress}`);
-    return {
-      isValid: errors.length === 0,
-      errors,
-      address: extractedKey.ethAddress
-    };
-  } catch (error) {
-    errors.push(`${teeType} signature verification error: ${error.message}`);
-    return {
-      isValid: false,
-      errors
-    };
-  }
-}
-function parseKOutputPayload(signedMessage) {
-  const payload = KOutputPayload.decode(signedMessage.body);
-  if (!payload.redactedRequest) {
-    throw new Error("Missing redacted request in TEE_K payload");
-  }
-  if (!payload.consolidatedResponseKeystream || payload.consolidatedResponseKeystream.length === 0) {
-    throw new Error("Missing consolidated response keystream in TEE_K payload");
-  }
-  if (!payload.certificateInfo) {
-    throw new Error("Missing certificate info in TEE_K payload");
-  }
-  return payload;
-}
-function parseTOutputPayload(signedMessage) {
-  const payload = TOutputPayload.decode(signedMessage.body);
-  if (!payload.consolidatedResponseCiphertext || payload.consolidatedResponseCiphertext.length === 0) {
-    throw new Error("Missing consolidated response ciphertext in TEE_T payload");
-  }
-  return payload;
-}
-function validateTimestamps(kPayload, tPayload, logger) {
-  const now = Date.now();
-  const kTimestamp = kPayload.timestampMs;
-  const tTimestamp = tPayload.timestampMs;
-  const kTimestampS = Math.floor(kTimestamp / 1e3);
-  const tTimestampS = Math.floor(tTimestamp / 1e3);
-  const nowS = Math.floor(now / 1e3);
-  logger.info("Validating TEE timestamps", {
-    kTimestampMs: kTimestamp,
-    tTimestampMs: tTimestamp,
-    kTimestampS,
-    tTimestampS,
-    nowS
-  });
-  const maxAgeMs = 10 * 60 * 1e3;
-  const oldestAllowed = now - maxAgeMs;
-  if (kTimestamp < oldestAllowed) {
-    throw new Error(`TEE_K timestamp ${kTimestamp} is too old. Must be within 10 minutes of current time ${now}`);
-  }
-  if (tTimestamp < oldestAllowed) {
-    throw new Error(`TEE_T timestamp ${tTimestamp} is too old. Must be within 10 minutes of current time ${now}`);
-  }
-  const maxFutureMs = 60 * 1e3;
-  const maxAllowed = now + maxFutureMs;
-  if (kTimestamp > maxAllowed) {
-    throw new Error(`TEE_K timestamp ${kTimestamp} is in the future. Current time is ${now}`);
-  }
-  if (tTimestamp > maxAllowed) {
-    throw new Error(`TEE_T timestamp ${tTimestamp} is in the future. Current time is ${now}`);
-  }
-  const timestampDiffMs = Math.abs(kTimestamp - tTimestamp);
-  const maxDiffMs = 60 * 1e3;
-  if (timestampDiffMs > maxDiffMs) {
-    throw new Error(`TEE timestamps differ by ${timestampDiffMs}ms, which exceeds maximum allowed difference of ${maxDiffMs}ms (1 minute)`);
-  }
-  logger.info("TEE timestamp validation successful", {
-    timestampDiffMs,
-    ageKMs: now - kTimestamp,
-    ageTMs: now - tTimestamp
-  });
-}
-function validateSessionIds(kPayload, tPayload, logger) {
-  const kSessionId = kPayload.sessionId;
-  const tSessionId = tPayload.sessionId;
-  logger.info("Validating TEE session IDs", {
-    kSessionId,
-    tSessionId
-  });
-  if (!kSessionId || kSessionId.length === 0) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "Missing session_id in TEE_K payload - required for cross-TEE binding"
-    );
-  }
-  if (!tSessionId || tSessionId.length === 0) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "Missing session_id in TEE_T payload - required for cross-TEE binding"
-    );
-  }
-  if (kSessionId !== tSessionId) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `Session ID mismatch: TEE_K session_id "${kSessionId}" does not match TEE_T session_id "${tSessionId}".`
-    );
-  }
-  logger.info("TEE session ID validation successful", {
-    sessionId: kSessionId
-  });
-  return kSessionId;
-}
-export {
-  verifyTeeBundle
-};

package/lib/server/utils/validation.js

@@ -1,45 +0,0 @@
-import { Ajv } from "ajv";
-import { PROVIDER_SCHEMAS } from "#src/types/providers.gen.js";
-import { AttestorError } from "#src/utils/error.js";
-const PROVIDER_VALIDATOR_MAP = {};
-const AJV = new Ajv({
-  allErrors: true,
-  strict: true,
-  strictRequired: false,
-  formats: {
-    binary(data) {
-      return data instanceof Uint8Array || typeof Buffer !== "undefined" && Buffer.isBuffer(data);
-    },
-    url(data) {
-      try {
-        new URL(data);
-        return true;
-      } catch {
-        return false;
-      }
-    }
-  }
-});
-function assertValidateProviderParams(name, params) {
-  let validate = PROVIDER_VALIDATOR_MAP[name];
-  if (!validate) {
-    const schema = PROVIDER_SCHEMAS[name]?.parameters;
-    if (!schema) {
-      throw new AttestorError(
-        "ERROR_BAD_REQUEST",
-        `Invalid provider name "${String(name)}"`
-      );
-    }
-    validate = AJV.compile(schema);
-  }
-  if (!validate?.(params)) {
-    throw new AttestorError(
-      "ERROR_BAD_REQUEST",
-      "Params validation failed",
-      { errors: JSON.stringify(validate.errors) }
-    );
-  }
-}
-export {
-  assertValidateProviderParams
-};