@reclaimprotocol/attestor-core 5.0.1-beta.2 → 5.0.1-beta.22

package/lib/server/utils/config-env.js

@@ -1,4 +1,4 @@
-import { config } from "dotenv";
+import { config } from 'dotenv';
 import { getEnvVariable } from "../../utils/env.js";
-const nodeEnv = getEnvVariable("NODE_ENV") || "development";
+const nodeEnv = getEnvVariable('NODE_ENV') || 'development';
 config({ path: `.env.${nodeEnv}` });

package/lib/server/utils/dns.js

@@ -1,24 +1,18 @@
-import { resolve, setServers } from "dns";
+import { resolve, setServers } from 'dns';
 import { DNS_SERVERS } from "../../config/index.js";
 setDnsServers();
-async function resolveHostnames(hostname) {
-  return new Promise((_resolve, reject) => {
-    resolve(hostname, (err, addresses) => {
-      if (err) {
-        reject(
-          new Error(
-            `Could not resolve hostname: ${hostname}, ${err.message}`
-          )
-        );
-      } else {
-        _resolve(addresses);
-      }
+export async function resolveHostnames(hostname) {
+    return new Promise((_resolve, reject) => {
+        resolve(hostname, (err, addresses) => {
+            if (err) {
+                reject(new Error(`Could not resolve hostname: ${hostname}, ${err.message}`));
+            }
+            else {
+                _resolve(addresses);
+            }
+        });
     });
-  });
 }
 function setDnsServers() {
-  setServers(DNS_SERVERS);
+    setServers(DNS_SERVERS);
 }
-export {
-  resolveHostnames
-};

package/lib/server/utils/gcp-attestation.js

@@ -1,7 +1,13 @@
-import crypto, { X509Certificate } from "crypto";
+/**
+ * GCP attestation validation utilities
+ * Validates JWT tokens from Google Confidential Computing
+ */
+import crypto, { X509Certificate } from 'crypto';
+// Cache for Google's public keys
 let gcpKeysCache = null;
 let gcpKeysCacheTime = 0;
-const GCP_KEYS_CACHE_TTL = 36e5;
+const GCP_KEYS_CACHE_TTL = 3600000; // 1 hour in milliseconds
+// GCP Confidential Space Root CA
 const GCP_CONFIDENTIAL_SPACE_ROOT_CA = `-----BEGIN CERTIFICATE-----
 MIIGCDCCA/CgAwIBAgITYBvRy5g9aYYMh7tJS7pFwafL6jANBgkqhkiG9w0BAQsF
 ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
@@ -37,201 +43,247 @@ cPmpPmx7pSMkSxEX2Vos2JNaNmCKJd2VaXz8M6F2cxscRdh9TbAYAjGEEjE1nLUH
 kNPLowCd0NqxYYSLNL7GroYCFPxoBpr+++4vsCaXalbs8iJxdU2EPqG4MB4xWKYg
 uyT5CnJulxSC5CT1
 -----END CERTIFICATE-----`;
+/**
+ * Base64url decode (RFC 4648, no padding)
+ */
 function base64urlDecode(input) {
-  let base64 = input.replace(/-/g, "+").replace(/_/g, "/");
-  while (base64.length % 4) {
-    base64 += "=";
-  }
-  return Buffer.from(base64, "base64");
-}
-async function fetchGooglePublicKeys(logger) {
-  const now = Date.now();
-  if (gcpKeysCache && now - gcpKeysCacheTime < GCP_KEYS_CACHE_TTL) {
-    if (logger) {
-      logger.debug("Using cached Google public keys");
+    // Add padding if needed
+    let base64 = input.replace(/-/g, '+').replace(/_/g, '/');
+    while (base64.length % 4) {
+        base64 += '=';
     }
-    return gcpKeysCache;
-  }
-  if (logger) {
-    logger.info("Fetching Google public keys from https://www.googleapis.com/oauth2/v3/certs");
-  }
-  const response = await fetch("https://www.googleapis.com/oauth2/v3/certs");
-  if (!response.ok) {
-    throw new Error(`Failed to fetch Google keys: ${response.status} ${response.statusText}`);
-  }
-  const keys = await response.json();
-  gcpKeysCache = keys;
-  gcpKeysCacheTime = now;
-  if (logger) {
-    logger.info(`Fetched ${keys.keys.length} Google public keys`);
-  }
-  return keys;
+    return Buffer.from(base64, 'base64');
 }
-function jwkToPublicKey(jwk) {
-  return crypto.createPublicKey({
-    key: {
-      kty: "RSA",
-      n: jwk.n,
-      e: jwk.e
-    },
-    format: "jwk"
-  });
-}
-function verifyX5cChain(x5cChain, logger) {
-  if (!x5cChain || x5cChain.length === 0) {
-    throw new Error("Empty x5c certificate chain");
-  }
-  const leafCertPem = `-----BEGIN CERTIFICATE-----
-${x5cChain[0]}
------END CERTIFICATE-----`;
-  const leafCert = new X509Certificate(leafCertPem);
-  if (logger) {
-    logger.info(`x5c leaf certificate: subject=${leafCert.subject}, issuer=${leafCert.issuer}`);
-  }
-  const rootCert = new X509Certificate(GCP_CONFIDENTIAL_SPACE_ROOT_CA);
-  let currentCert = leafCert;
-  for (let i = 1; i < x5cChain.length; i++) {
-    const intermediatePem = `-----BEGIN CERTIFICATE-----
-${x5cChain[i]}
------END CERTIFICATE-----`;
-    const intermediateCert = new X509Certificate(intermediatePem);
-    const isValid = currentCert.verify(intermediateCert.publicKey);
-    if (!isValid) {
-      throw new Error(`Certificate chain verification failed at level ${i}`);
+/**
+ * Fetch Google's public keys (with caching)
+ */
+async function fetchGooglePublicKeys(logger) {
+    const now = Date.now();
+    // Return cached keys if still valid
+    if (gcpKeysCache && (now - gcpKeysCacheTime) < GCP_KEYS_CACHE_TTL) {
+        if (logger) {
+            logger.debug('Using cached Google public keys');
+        }
+        return gcpKeysCache;
     }
+    // Fetch fresh keys
     if (logger) {
-      logger.debug(`Verified cert level ${i}: ${intermediateCert.subject}`);
+        logger.info('Fetching Google public keys from https://www.googleapis.com/oauth2/v3/certs');
     }
-    currentCert = intermediateCert;
-  }
-  const isRootValid = currentCert.verify(rootCert.publicKey);
-  if (!isRootValid) {
-    throw new Error("Certificate chain does not root to GCP Confidential Space Root CA");
-  }
-  if (logger) {
-    logger.info("x5c certificate chain verified successfully");
-  }
-  return leafCert.publicKey;
-}
-async function validateGcpAttestationAndExtractKey(attestationBytes, logger) {
-  const errors = [];
-  try {
-    const jwtString = Buffer.from(attestationBytes).toString("utf8");
-    const parts = jwtString.split(".");
-    if (parts.length !== 3) {
-      errors.push("Invalid JWT format: expected 3 parts");
-      return { isValid: false, errors };
+    const response = await fetch('https://www.googleapis.com/oauth2/v3/certs');
+    if (!response.ok) {
+        throw new Error(`Failed to fetch Google keys: ${response.status} ${response.statusText}`);
     }
-    const [headerB64, payloadB64, signatureB64] = parts;
-    const headerJson = base64urlDecode(headerB64).toString("utf8");
-    const payloadJson = base64urlDecode(payloadB64).toString("utf8");
-    const header = JSON.parse(headerJson);
-    const payload = JSON.parse(payloadJson);
+    const keys = await response.json();
+    // Update cache
+    gcpKeysCache = keys;
+    gcpKeysCacheTime = now;
     if (logger) {
-      logger.info(`GCP JWT header: kid=${header.kid}, alg=${header.alg}`);
-      logger.info(`GCP JWT payload: iss=${payload.iss}, aud=${payload.aud}`);
-    }
-    const now = Math.floor(Date.now() / 1e3);
-    const validIssuers = [
-      "https://accounts.google.com",
-      "https://confidentialcomputing.googleapis.com"
-    ];
-    if (!validIssuers.includes(payload.iss)) {
-      errors.push(`Invalid issuer: expected one of ${validIssuers.join(", ")}, got "${payload.iss}"`);
-    }
-    if (payload.exp <= now) {
-      errors.push(`Token expired: exp=${payload.exp}, now=${now}`);
-    }
-    if (payload.iat > now + 60) {
-      errors.push(`Token issued in future: iat=${payload.iat}, now=${now}`);
+        logger.info(`Fetched ${keys.keys.length} Google public keys`);
     }
-    const hasReclaimAudience = payload.aud?.includes("reclaimprotocol.org");
-    const hasGcpStsAudience = payload.aud?.includes("sts.googleapis.com");
-    if (!hasReclaimAudience && !hasGcpStsAudience) {
-      errors.push(`Invalid audience: expected "reclaimprotocol.org" or "sts.googleapis.com", got "${payload.aud}"`);
-    }
-    if (errors.length > 0) {
-      return { isValid: false, errors };
-    }
-    let publicKey;
-    if (header.x5c && header.x5c.length > 0) {
-      if (logger) {
-        logger.info(`Using x5c certificate chain (${header.x5c.length} certificates)`);
-      }
-      publicKey = verifyX5cChain(header.x5c, logger);
-    } else if (header.kid) {
-      if (logger) {
-        logger.info(`Using OIDC token with kid: ${header.kid}`);
-      }
-      const jwks = await fetchGooglePublicKeys(logger);
-      const jwk = jwks.keys.find((k) => k.kid === header.kid);
-      if (!jwk) {
-        errors.push(`No public key found for kid: ${header.kid}`);
-        return { isValid: false, errors };
-      }
-      publicKey = jwkToPublicKey(jwk);
-    } else {
-      errors.push("JWT header must contain either x5c or kid field");
-      return { isValid: false, errors };
-    }
-    const signedData = `${headerB64}.${payloadB64}`;
-    const signature = base64urlDecode(signatureB64);
-    const verify = crypto.createVerify("RSA-SHA256");
-    verify.update(signedData);
-    const isSignatureValid = verify.verify(publicKey, signature);
-    if (!isSignatureValid) {
-      errors.push("Signature verification failed");
-      return { isValid: false, errors };
+    return keys;
+}
+/**
+ * Convert JWK to RSA public key
+ */
+function jwkToPublicKey(jwk) {
+    // Create RSA public key from modulus and exponent
+    return crypto.createPublicKey({
+        key: {
+            kty: 'RSA',
+            n: jwk.n,
+            e: jwk.e,
+        },
+        format: 'jwk'
+    });
+}
+/**
+ * Verify x5c certificate chain and return leaf certificate's public key
+ */
+function verifyX5cChain(x5cChain, logger) {
+    if (!x5cChain || x5cChain.length === 0) {
+        throw new Error('Empty x5c certificate chain');
     }
+    // Parse leaf certificate (first in chain)
+    const leafCertPem = `-----BEGIN CERTIFICATE-----\n${x5cChain[0]}\n-----END CERTIFICATE-----`;
+    const leafCert = new X509Certificate(leafCertPem);
     if (logger) {
-      logger.info("GCP JWT signature verified successfully");
+        logger.info(`x5c leaf certificate: subject=${leafCert.subject}, issuer=${leafCert.issuer}`);
     }
-    if (!payload.eat_nonce) {
-      errors.push("No eat_nonce field found in JWT payload");
-      return { isValid: false, errors };
+    // Parse root CA
+    const rootCert = new X509Certificate(GCP_CONFIDENTIAL_SPACE_ROOT_CA);
+    // For chain verification with Node.js X509Certificate, we need to verify each cert in sequence
+    // Start with leaf and work up to root
+    let currentCert = leafCert;
+    // Verify intermediate certificates if present
+    for (let i = 1; i < x5cChain.length; i++) {
+        const intermediatePem = `-----BEGIN CERTIFICATE-----\n${x5cChain[i]}\n-----END CERTIFICATE-----`;
+        const intermediateCert = new X509Certificate(intermediatePem);
+        // Verify current cert was signed by intermediate
+        const isValid = currentCert.verify(intermediateCert.publicKey);
+        if (!isValid) {
+            throw new Error(`Certificate chain verification failed at level ${i}`);
+        }
+        if (logger) {
+            logger.debug(`Verified cert level ${i}: ${intermediateCert.subject}`);
+        }
+        currentCert = intermediateCert;
     }
-    const match = payload.eat_nonce.match(/^(tee_[kt])_public_key:0x([0-9a-fA-F]{40})$/);
-    if (!match) {
-      errors.push(`Invalid eat_nonce format: ${payload.eat_nonce}`);
-      return { isValid: false, errors };
+    // Verify the top cert was signed by root CA
+    const isRootValid = currentCert.verify(rootCert.publicKey);
+    if (!isRootValid) {
+        throw new Error('Certificate chain does not root to GCP Confidential Space Root CA');
     }
-    const userDataType = match[1];
-    const hexAddress = match[2];
-    const ethAddress = new Uint8Array(Buffer.from(hexAddress, "hex"));
     if (logger) {
-      logger.info(`Extracted address from eat_nonce: ${payload.eat_nonce}`);
-    }
-    let pcr0 = "gcp-no-digest";
-    if (payload.google?.compute_engine?.image_digest) {
-      pcr0 = payload.google.compute_engine.image_digest;
-    } else if (payload.submods?.container?.image_digest) {
-      pcr0 = payload.submods.container.image_digest;
+        logger.info('x5c certificate chain verified successfully');
     }
-    if (payload.dbgstat === "enabled" && pcr0.startsWith("sha256:")) {
-      pcr0 = "debug_" + pcr0;
+    // Return leaf certificate's public key for signature verification
+    return leafCert.publicKey;
+}
+/**
+ * Validates GCP JWT attestation and extracts ETH address
+ */
+export async function validateGcpAttestationAndExtractKey(attestationBytes, logger) {
+    const errors = [];
+    try {
+        // 1. Parse JWT structure
+        const jwtString = Buffer.from(attestationBytes).toString('utf8');
+        const parts = jwtString.split('.');
+        if (parts.length !== 3) {
+            errors.push('Invalid JWT format: expected 3 parts');
+            return { isValid: false, errors };
+        }
+        const [headerB64, payloadB64, signatureB64] = parts;
+        // Decode header and payload
+        const headerJson = base64urlDecode(headerB64).toString('utf8');
+        const payloadJson = base64urlDecode(payloadB64).toString('utf8');
+        const header = JSON.parse(headerJson);
+        const payload = JSON.parse(payloadJson);
+        if (logger) {
+            logger.info(`GCP JWT header: kid=${header.kid}, alg=${header.alg}`);
+            logger.info(`GCP JWT payload: iss=${payload.iss}, aud=${payload.aud}`);
+        }
+        // 2. Verify claims
+        const now = Math.floor(Date.now() / 1000);
+        // Check issuer - accept both Google accounts and Confidential Computing
+        const validIssuers = [
+            'https://accounts.google.com',
+            'https://confidentialcomputing.googleapis.com'
+        ];
+        if (!validIssuers.includes(payload.iss)) {
+            errors.push(`Invalid issuer: expected one of ${validIssuers.join(', ')}, got "${payload.iss}"`);
+        }
+        // Check expiration
+        if (payload.exp <= now) {
+            errors.push(`Token expired: exp=${payload.exp}, now=${now}`);
+        }
+        // Check issued at (allow 60 second clock skew)
+        if (payload.iat > now + 60) {
+            errors.push(`Token issued in future: iat=${payload.iat}, now=${now}`);
+        }
+        // Audience can be:
+        // 1. Custom Reclaim audience with data param: https://reclaimprotocol.org/attestation?data=tee_k_public_key:0x...
+        // 2. Reclaim domain only: https://reclaim-protocol.com (address in eat_nonce)
+        // 3. GCP STS audience: https://sts.googleapis.com (for Confidential Space)
+        const hasReclaimAudience = payload.aud?.includes('reclaimprotocol.org');
+        const hasGcpStsAudience = payload.aud?.includes('sts.googleapis.com');
+        if (!hasReclaimAudience && !hasGcpStsAudience) {
+            errors.push(`Invalid audience: expected "reclaimprotocol.org" or "sts.googleapis.com", got "${payload.aud}"`);
+        }
+        if (errors.length > 0) {
+            return { isValid: false, errors };
+        }
+        // 3. Get public key - either from x5c chain or JWKS
+        let publicKey;
+        if (header.x5c && header.x5c.length > 0) {
+            // PKI token with certificate chain
+            if (logger) {
+                logger.info(`Using x5c certificate chain (${header.x5c.length} certificates)`);
+            }
+            publicKey = verifyX5cChain(header.x5c, logger);
+        }
+        else if (header.kid) {
+            // OIDC token with kid
+            if (logger) {
+                logger.info(`Using OIDC token with kid: ${header.kid}`);
+            }
+            // Fetch Google's public keys
+            const jwks = await fetchGooglePublicKeys(logger);
+            // Find matching key
+            const jwk = jwks.keys.find(k => k.kid === header.kid);
+            if (!jwk) {
+                errors.push(`No public key found for kid: ${header.kid}`);
+                return { isValid: false, errors };
+            }
+            publicKey = jwkToPublicKey(jwk);
+        }
+        else {
+            errors.push('JWT header must contain either x5c or kid field');
+            return { isValid: false, errors };
+        }
+        // 4. Verify signature
+        const signedData = `${headerB64}.${payloadB64}`;
+        const signature = base64urlDecode(signatureB64);
+        const verify = crypto.createVerify('RSA-SHA256');
+        verify.update(signedData);
+        const isSignatureValid = verify.verify(publicKey, signature);
+        if (!isSignatureValid) {
+            errors.push('Signature verification failed');
+            return { isValid: false, errors };
+        }
+        if (logger) {
+            logger.info('GCP JWT signature verified successfully');
+        }
+        // 5. Extract ETH address from eat_nonce
+        if (!payload.eat_nonce) {
+            errors.push('No eat_nonce field found in JWT payload');
+            return { isValid: false, errors };
+        }
+        // Format: "tee_k_public_key:0x..." or "tee_t_public_key:0x..."
+        const match = payload.eat_nonce.match(/^(tee_[kt])_public_key:0x([0-9a-fA-F]{40})$/);
+        if (!match) {
+            errors.push(`Invalid eat_nonce format: ${payload.eat_nonce}`);
+            return { isValid: false, errors };
+        }
+        const userDataType = match[1]; // "tee_k" or "tee_t"
+        const hexAddress = match[2];
+        const ethAddress = new Uint8Array(Buffer.from(hexAddress, 'hex'));
+        if (logger) {
+            logger.info(`Extracted address from eat_nonce: ${payload.eat_nonce}`);
+        }
+        // Extract image digest from JWT payload (GCP's equivalent to PCR0)
+        let pcr0 = 'gcp-no-digest';
+        if (payload.google?.compute_engine?.image_digest) {
+            pcr0 = payload.google.compute_engine.image_digest;
+        }
+        else if (payload.submods?.container?.image_digest) {
+            pcr0 = payload.submods.container.image_digest;
+        }
+        // Add debug prefix if debug mode is enabled
+        if (payload.dbgstat === 'enabled' && pcr0.startsWith('sha256:')) {
+            pcr0 = 'debug_' + pcr0;
+        }
+        // Extract environment variables if present
+        const envVars = payload.submods?.container?.env || {};
+        if (logger) {
+            const hexAddr = Buffer.from(ethAddress).toString('hex');
+            logger.info(`Extracted ETH address from GCP attestation: 0x${hexAddr}, type: ${userDataType}, pcr0: ${pcr0}`);
+            if (Object.keys(envVars).length > 0) {
+                logger.debug(`Environment variables: ${Object.keys(envVars).join(', ')}`);
+            }
+        }
+        return {
+            isValid: true,
+            errors: [],
+            ethAddress,
+            userDataType,
+            pcr0,
+            envVars
+        };
     }
-    const envVars = payload.submods?.container?.env || {};
-    if (logger) {
-      const hexAddr = Buffer.from(ethAddress).toString("hex");
-      logger.info(`Extracted ETH address from GCP attestation: 0x${hexAddr}, type: ${userDataType}, pcr0: ${pcr0}`);
-      if (Object.keys(envVars).length > 0) {
-        logger.debug(`Environment variables: ${Object.keys(envVars).join(", ")}`);
-      }
+    catch (error) {
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        errors.push(`GCP attestation validation error: ${errorMsg}`);
+        return { isValid: false, errors };
     }
-    return {
-      isValid: true,
-      errors: [],
-      ethAddress,
-      userDataType,
-      pcr0,
-      envVars
-    };
-  } catch (error) {
-    const errorMsg = error instanceof Error ? error.message : String(error);
-    errors.push(`GCP attestation validation error: ${errorMsg}`);
-    return { isValid: false, errors };
-  }
 }
-export {
-  validateGcpAttestationAndExtractKey
-};

package/lib/server/utils/generics.d.ts

@@ -3,7 +3,7 @@ import type { ServiceSignatureType } from '#src/proto/api.ts';
 /**
  * Sign message using the PRIVATE_KEY env var.
  */
-export declare function signAsAttestor(data: Uint8Array | string, scheme: ServiceSignatureType): Uint8Array<ArrayBufferLike> | Promise<Uint8Array<ArrayBufferLike>>;
+export declare function signAsAttestor(data: Uint8Array | string, scheme: ServiceSignatureType): import("../../index.ts").Awaitable<Uint8Array<ArrayBufferLike>>;
 /**
  * Obtain the address on chain, from the PRIVATE_KEY env var.
  */

package/lib/server/utils/generics.js

@@ -2,44 +2,50 @@ import { RPCMessages } from "../../proto/api.js";
 import { getEnvVariable } from "../../utils/env.js";
 import { AttestorError, strToUint8Array } from "../../utils/index.js";
 import { SIGNATURES } from "../../utils/signatures/index.js";
-const PRIVATE_KEY = getEnvVariable("PRIVATE_KEY");
-function signAsAttestor(data, scheme) {
-  const { sign } = SIGNATURES[scheme];
-  return sign(
-    typeof data === "string" ? strToUint8Array(data) : data,
-    PRIVATE_KEY
-  );
+const PRIVATE_KEY = getEnvVariable('PRIVATE_KEY');
+/**
+ * Sign message using the PRIVATE_KEY env var.
+ */
+export function signAsAttestor(data, scheme) {
+    const { sign } = SIGNATURES[scheme];
+    return sign(typeof data === 'string' ? strToUint8Array(data) : data, PRIVATE_KEY);
 }
-function getAttestorAddress(scheme) {
-  const { getAddress, getPublicKey } = SIGNATURES[scheme];
-  const publicKey = getPublicKey(PRIVATE_KEY);
-  return getAddress(publicKey);
+/**
+ * Obtain the address on chain, from the PRIVATE_KEY env var.
+ */
+export function getAttestorAddress(scheme) {
+    const { getAddress, getPublicKey } = SIGNATURES[scheme];
+    const publicKey = getPublicKey(PRIVATE_KEY);
+    return getAddress(publicKey);
 }
-function niceParseJsonObject(data, key) {
-  if (!data) {
-    return {};
-  }
-  try {
-    return JSON.parse(data);
-  } catch (e) {
-    throw AttestorError.badRequest(
-      `Invalid JSON in ${key}: ${e.message}`
-    );
-  }
+/**
+ * Nice parse JSON with a key.
+ * If the data is empty, returns an empty object.
+ * And if the JSON is invalid, throws a bad request error,
+ * with the key in the error message.
+ */
+export function niceParseJsonObject(data, key) {
+    if (!data) {
+        return {};
+    }
+    try {
+        return JSON.parse(data);
+    }
+    catch (e) {
+        throw AttestorError.badRequest(`Invalid JSON in ${key}: ${e.message}`);
+    }
 }
-function getInitialMessagesFromQuery(req) {
-  const url = new URL(req.url, "http://localhost");
-  const messagesB64 = url.searchParams.get("messages");
-  if (!messagesB64?.length) {
-    return [];
-  }
-  const msgsBytes = Buffer.from(messagesB64, "base64");
-  const msgs = RPCMessages.decode(msgsBytes);
-  return msgs.messages;
+/**
+ * Extract any initial messages sent via the query string,
+ * in the `messages` parameter.
+ */
+export function getInitialMessagesFromQuery(req) {
+    const url = new URL(req.url, 'http://localhost');
+    const messagesB64 = url.searchParams.get('messages');
+    if (!messagesB64?.length) {
+        return [];
+    }
+    const msgsBytes = Buffer.from(messagesB64, 'base64');
+    const msgs = RPCMessages.decode(msgsBytes);
+    return msgs.messages;
 }
-export {
-  getAttestorAddress,
-  getInitialMessagesFromQuery,
-  niceParseJsonObject,
-  signAsAttestor
-};