@reclaimprotocol/attestor-core 5.0.1-beta.21 → 5.0.1-beta.23

package/lib/server/utils/tee-oprf-mpc-verification.js

@@ -0,0 +1,90 @@
+/**
+ * TEE OPRF MPC Verification
+ * Verifies OPRF MPC outputs from TEE_K and TEE_T match
+ *
+ * Unlike ZK OPRF which requires proof verification, OPRF MPC outputs
+ * are already trusted because they are included in TEE-signed payloads.
+ * This module verifies that both TEEs computed identical outputs.
+ */
+import { AttestorError } from "../../utils/error.js";
+/**
+ * Verifies OPRF MPC outputs from TEE_K and TEE_T match
+ * Returns verified outputs for transcript replacement (same format as ZK OPRF)
+ */
+export function verifyOprfMpcOutputs(kPayload, tPayload, logger) {
+    const kOutputs = kPayload.oprfOutputs || [];
+    const tOutputs = tPayload.oprfOutputs || [];
+    // Empty is valid - no OPRF MPC was requested
+    if (kOutputs.length === 0 && tOutputs.length === 0) {
+        logger.debug('No OPRF MPC outputs to verify');
+        return [];
+    }
+    // Count must match between TEE_K and TEE_T
+    if (kOutputs.length !== tOutputs.length) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC count mismatch: TEE_K has ${kOutputs.length}, TEE_T has ${tOutputs.length}`);
+    }
+    logger.info(`Verifying ${kOutputs.length} OPRF MPC outputs`);
+    const results = [];
+    for (const [i, kOut] of kOutputs.entries()) {
+        const tOut = tOutputs[i];
+        // Validate position bounds (must be non-negative)
+        if (kOut.tlsStart < 0 || tOut.tlsStart < 0) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC invalid position at index ${i}: negative start position`);
+        }
+        // Validate length constraints (must be positive and <= 64 bytes, matching TEE validation)
+        if (kOut.tlsLength <= 0 || kOut.tlsLength > 64 || tOut.tlsLength <= 0 || tOut.tlsLength > 64) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC invalid length at index ${i}: must be 1-64 bytes ` +
+                `(TEE_K: ${kOut.tlsLength}, TEE_T: ${tOut.tlsLength})`);
+        }
+        // Validate hash output size (must be exactly 32 bytes for SHA256)
+        if (kOut.hashOutput.length !== 32 || tOut.hashOutput.length !== 32) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC invalid hash size at index ${i}: expected 32 bytes ` +
+                `(TEE_K: ${kOut.hashOutput.length}, TEE_T: ${tOut.hashOutput.length})`);
+        }
+        // Verify positions match
+        if (kOut.tlsStart !== tOut.tlsStart || kOut.tlsLength !== tOut.tlsLength) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC position mismatch at index ${i}: ` +
+                `TEE_K [${kOut.tlsStart}:${kOut.tlsStart + kOut.tlsLength}] vs ` +
+                `TEE_T [${tOut.tlsStart}:${tOut.tlsStart + tOut.tlsLength}]`);
+        }
+        // Verify hash outputs match (hash = SHA256(CMAC), so this implies CMAC matched too)
+        if (!buffersEqual(kOut.hashOutput, tOut.hashOutput)) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC hash mismatch at index ${i}: outputs differ between TEE_K and TEE_T`);
+        }
+        // Log the actual output data for debugging
+        const hashOutputHex = Buffer.from(kOut.hashOutput).toString('hex');
+        const hashOutputBase64 = Buffer.from(kOut.hashOutput).toString('base64');
+        logger.info({
+            index: i,
+            position: kOut.tlsStart,
+            length: kOut.tlsLength,
+            hashOutputLen: kOut.hashOutput.length,
+            hashOutputHex: hashOutputHex.substring(0, 32) + '...',
+            hashOutputBase64Preview: hashOutputBase64.substring(0, 20) + '...'
+        }, 'OPRF MPC output verified');
+        // Return in same format as ZK OPRF for unified replacement
+        // MPC OPRF uses full hash length (not truncated like TOPRF)
+        results.push({
+            position: kOut.tlsStart,
+            length: kOut.tlsLength,
+            output: new Uint8Array(kOut.hashOutput), // Use SHA256(CMAC) as the replacement value
+            isMPC: true
+        });
+    }
+    logger.info(`Successfully verified ${results.length} OPRF MPC outputs`);
+    return results;
+}
+/**
+ * Compare two Uint8Array buffers for equality
+ */
+function buffersEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    for (const [i, element] of a.entries()) {
+        if (element !== b[i]) {
+            return false;
+        }
+    }
+    return true;
+}

package/lib/server/utils/tee-oprf-verification.js

@@ -0,0 +1,174 @@
+/**
+ * TEE OPRF Verification and Replacement
+ * Verifies OPRF proofs and replaces ranges in reconstructed plaintext
+ */
+import bs58 from 'bs58';
+import { AttestorError } from "../../utils/error.js";
+import { makeDefaultOPRFOperator } from "../../utils/zk.js";
+/**
+ * Verifies all OPRF proofs in the bundle and returns replacement data
+ */
+export async function verifyOprfProofs(bundleData, logger) {
+    if (!bundleData.oprfVerifications || bundleData.oprfVerifications.length === 0) {
+        logger.debug('No OPRF verifications present in bundle');
+        return [];
+    }
+    const { tOutputPayload } = bundleData;
+    const consolidatedCiphertext = tOutputPayload.consolidatedResponseCiphertext;
+    if (!consolidatedCiphertext || consolidatedCiphertext.length === 0) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', 'No consolidated ciphertext for OPRF verification');
+    }
+    const results = [];
+    logger.info(`Verifying ${bundleData.oprfVerifications.length} OPRF proofs`);
+    for (const [idx, oprfData] of bundleData.oprfVerifications.entries()) {
+        try {
+            const result = await verifySingleOprfProof(oprfData, consolidatedCiphertext, idx, logger);
+            results.push(result);
+        }
+        catch (error) {
+            logger.error({ error, index: idx }, 'OPRF proof verification failed');
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF verification failed at index ${idx}: ${error.message}`);
+        }
+    }
+    logger.info(`Successfully verified ${results.length} OPRF proofs`);
+    return results;
+}
+/**
+ * Verifies a single OPRF proof and extracts the output
+ */
+async function verifySingleOprfProof(oprfData, consolidatedCiphertext, index, logger) {
+    // Parse public signals JSON
+    const publicSignalsJson = JSON.parse(new TextDecoder().decode(oprfData.publicSignalsJson));
+    const { proof, publicSignals, cipher } = publicSignalsJson;
+    if (!proof || !publicSignals) {
+        throw new Error('Missing proof or public signals in OPRF data');
+    }
+    // Extract ciphertext chunk for verification
+    const ciphertextChunk = consolidatedCiphertext.slice(oprfData.streamPos, oprfData.streamPos + oprfData.streamLength);
+    // Build complete public signals for verification
+    // Start with original signals and override specific fields
+    const completePublicSignals = {
+        out: publicSignals.out || Uint8Array.from([]),
+        // Replace null input with extracted ciphertext
+        in: ciphertextChunk,
+        // Convert base64 nonces and counters
+        noncesAndCounters: publicSignals.blocks?.map((block) => ({
+            nonce: Buffer.from(block.nonce || '', 'base64'),
+            counter: block.counter || 0,
+            boundary: block.boundary || '',
+        })) || [],
+        // Process TOPRF data
+        toprf: publicSignals.toprf ? {
+            ...publicSignals.toprf,
+            // Convert domain separator from base64
+            domainSeparator: publicSignals.toprf.domainSeparator ?
+                Buffer.from(publicSignals.toprf.domainSeparator, 'base64').toString('utf8') :
+                'reclaim',
+            // Convert output from base64
+            output: publicSignals.toprf.output ?
+                Buffer.from(publicSignals.toprf.output, 'base64') :
+                new Uint8Array(),
+            // Convert response fields from base64
+            responses: publicSignals.toprf.responses?.map((resp) => ({
+                publicKeyShare: Buffer.from(resp.publicKeyShare || '', 'base64'),
+                evaluated: Buffer.from(resp.evaluated || '', 'base64'),
+                c: Buffer.from(resp.c || '', 'base64'),
+                r: Buffer.from(resp.r || '', 'base64')
+            })) || [],
+            // Locations are already in correct format
+            locations: publicSignals.toprf.locations || []
+        } : undefined
+    };
+    // Determine algorithm from cipher field
+    // Remove '-toprf' suffix but keep the rest of the algorithm name
+    const algorithm = cipher.replace('-toprf', '');
+    const zkEngine = 'gnark'; // Default to gnark for server-side verification
+    // Get OPRF operator for verification
+    const oprfOperator = makeDefaultOPRFOperator(algorithm, zkEngine, logger);
+    // Convert proof from base64
+    const proofBytes = Buffer.from(proof, 'base64');
+    // Verify the proof
+    const isValid = await oprfOperator.groth16Verify(completePublicSignals, proofBytes, logger);
+    if (!isValid) {
+        throw new Error('OPRF proof verification failed');
+    }
+    logger.debug(`OPRF ${index}: Proof verified successfully`);
+    // Extract OPRF output for replacement
+    const oprfOutput = completePublicSignals.toprf?.output;
+    if (!oprfOutput || oprfOutput.length === 0) {
+        throw new Error('No OPRF output found in verified proof');
+    }
+    // Get the actual location within the stream where OPRF data resides
+    const oprfLocation = completePublicSignals.toprf?.locations?.[0];
+    if (!oprfLocation) {
+        throw new Error('No OPRF location found in public signals');
+    }
+    // Log position calculation
+    logger.info(`OPRF #${index}: streamPos=${oprfData.streamPos}, locationPos=${oprfLocation.pos}, finalPos=${oprfData.streamPos + oprfLocation.pos}, len=${oprfLocation.len}`);
+    return {
+        // The position in the plaintext where to replace (stream position + OPRF location within chunk)
+        position: oprfData.streamPos + oprfLocation.pos,
+        length: oprfLocation.len,
+        output: oprfOutput
+    };
+}
+/**
+ * Replaces OPRF ranges in the reconstructed plaintext with verified outputs.
+ * Properly expands or contracts the transcript to fit replacement hashes.
+ */
+export function replaceOprfRanges(plaintext, oprfResults, logger) {
+    if (oprfResults.length === 0) {
+        return plaintext;
+    }
+    const replacements = oprfResults.map(result => {
+        let outputBytes;
+        let encodedOutput;
+        if (result.isMPC) {
+            // MPC OPRF: use base58 encoding, full hash length (no truncation)
+            encodedOutput = bs58.encode(result.output);
+            outputBytes = new TextEncoder().encode(encodedOutput);
+        }
+        else {
+            // TOPRF: use base64 encoding, truncate to fit original data length
+            encodedOutput = Buffer.from(result.output).toString('base64');
+            const truncated = encodedOutput.substring(0, result.length);
+            outputBytes = new TextEncoder().encode(truncated);
+        }
+        return { result, outputBytes, encodedOutput };
+    });
+    // Sort by position (ascending) to process in order
+    replacements.sort((a, b) => a.result.position - b.result.position);
+    // Calculate new transcript size
+    let newSize = plaintext.length;
+    for (const { result, outputBytes } of replacements) {
+        const sizeDiff = outputBytes.length - result.length;
+        newSize += sizeDiff;
+    }
+    logger.info(`Transcript size: ${plaintext.length} -> ${newSize} (${newSize - plaintext.length >= 0 ? '+' : ''}${newSize - plaintext.length} bytes)`);
+    // Build new transcript by copying segments and inserting replacements
+    const newPlaintext = new Uint8Array(newSize);
+    let srcPos = 0; // Position in original plaintext
+    let dstPos = 0; // Position in new plaintext
+    for (const [idx, { result, outputBytes, encodedOutput }] of replacements.entries()) {
+        // Copy segment before this replacement
+        const segmentLength = result.position - srcPos;
+        if (segmentLength > 0) {
+            newPlaintext.set(plaintext.slice(srcPos, result.position), dstPos);
+            dstPos += segmentLength;
+        }
+        // Log replacement
+        const currentContent = plaintext.slice(result.position, result.position + result.length);
+        logger.info(`OPRF #${idx} at pos ${result.position}: "${Buffer.from(currentContent).toString('utf8')}" (${result.length}b) -> "${encodedOutput}" (${outputBytes.length}b)${result.isMPC ? ' [MPC/base58]' : ''}`);
+        // Insert replacement hash
+        newPlaintext.set(outputBytes, dstPos);
+        dstPos += outputBytes.length;
+        // Move source position past the replaced range
+        srcPos = result.position + result.length;
+    }
+    // Copy remaining segment after last replacement
+    if (srcPos < plaintext.length) {
+        newPlaintext.set(plaintext.slice(srcPos), dstPos);
+    }
+    logger.info(`Replaced ${oprfResults.length} OPRF ranges in plaintext`);
+    return newPlaintext;
+}

package/lib/server/utils/tee-transcript-reconstruction.js

@@ -0,0 +1,187 @@
+/**
+ * TLS Transcript Reconstruction from TEE data
+ */
+import { AttestorError } from "../../utils/error.js";
+import { REDACTION_CHAR_CODE } from "../../utils/index.js";
+/**
+ * Reconstructs TLS transcript from TEE bundle data
+ * @param bundleData - Validated TEE bundle data
+ * @param logger - Logger instance
+ * @param oprfResults - Optional OPRF results to apply during reconstruction
+ * @returns Reconstructed transcript data
+ */
+export async function reconstructTlsTranscript(bundleData, logger, oprfResults) {
+    try {
+        // 1. Reconstruct request using proof stream
+        const revealedRequest = reconstructRequest(bundleData, logger);
+        // 2. Reconstruct response using consolidated keystream and ciphertext
+        const reconstructedResponse = await reconstructConsolidatedResponse(bundleData, logger, oprfResults);
+        // 3. Extract certificate info from TEE_K payload
+        const certificateInfo = bundleData.kOutputPayload.certificateInfo;
+        logger.info('TLS transcript reconstruction completed successfully', {
+            requestSize: revealedRequest.length,
+            responseSize: reconstructedResponse.length,
+            hasCertificateInfo: !!certificateInfo
+        });
+        return {
+            revealedRequest,
+            reconstructedResponse,
+            certificateInfo
+        };
+    }
+    catch (error) {
+        logger.error({ error }, 'TLS transcript reconstruction failed');
+        throw new AttestorError('ERROR_INVALID_CLAIM', `Transcript reconstruction failed: ${error.message}`);
+    }
+}
+/**
+ * Reconstructs the original request by applying proof stream to redacted request
+ */
+function reconstructRequest(bundleData, logger) {
+    const { kOutputPayload } = bundleData;
+    if (!kOutputPayload.requestRedactionRanges || kOutputPayload.requestRedactionRanges.length === 0) {
+        logger.warn('No request redaction ranges - using redacted request as-is');
+        return kOutputPayload.redactedRequest;
+    }
+    // Create a copy of the redacted request
+    const revealedRequest = new Uint8Array(kOutputPayload.redactedRequest);
+    // Create pretty display: show revealed proof data, but keep other sensitive data as '*'
+    const prettyRequest = new Uint8Array(revealedRequest);
+    for (const range of kOutputPayload.requestRedactionRanges) {
+        // Keep non-proof sensitive data as '*' for display
+        if (!range.type.includes('proof')) {
+            const start = range.start;
+            const length = range.length;
+            for (let i = 0; i < length && start + i < prettyRequest.length; i++) {
+                prettyRequest[start + i] = REDACTION_CHAR_CODE;
+            }
+        }
+    }
+    return prettyRequest;
+}
+/**
+ * NEW: Reconstructs response using consolidated keystream and ciphertext
+ * This is much simpler than the old packet-by-packet approach
+ */
+async function reconstructConsolidatedResponse(bundleData, logger, oprfResults) {
+    const { kOutputPayload, tOutputPayload } = bundleData;
+    // Get consolidated data from both TEEs
+    const consolidatedKeystream = kOutputPayload.consolidatedResponseKeystream;
+    const consolidatedCiphertext = tOutputPayload.consolidatedResponseCiphertext;
+    if (!consolidatedKeystream || consolidatedKeystream.length === 0) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', 'No consolidated response keystream available');
+    }
+    if (!consolidatedCiphertext || consolidatedCiphertext.length === 0) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', 'No consolidated response ciphertext available');
+    }
+    // Verify lengths match
+    if (consolidatedKeystream.length !== consolidatedCiphertext.length) {
+        logger.warn('Keystream and ciphertext length mismatch', {
+            keystreamLength: consolidatedKeystream.length,
+            ciphertextLength: consolidatedCiphertext.length
+        });
+    }
+    // XOR to get plaintext (keystream XOR ciphertext = plaintext)
+    const minLength = Math.min(consolidatedKeystream.length, consolidatedCiphertext.length);
+    const reconstructedResponse = new Uint8Array(minLength);
+    for (let i = 0; i < minLength; i++) {
+        reconstructedResponse[i] = consolidatedKeystream[i] ^ consolidatedCiphertext[i];
+    }
+    logger.info(`Reconstructed response: ${reconstructedResponse.length} bytes, ${kOutputPayload.responseRedactionRanges?.length || 0} redaction ranges`);
+    // Apply response redaction ranges to the reconstructed response
+    let processedResponse = applyResponseRedactionRanges(reconstructedResponse, kOutputPayload.responseRedactionRanges, logger);
+    // Apply OPRF replacements BEFORE trimming leading asterisks
+    if (oprfResults && oprfResults.length > 0) {
+        logger.info(`Applying ${oprfResults.length} OPRF replacements before trimming`);
+        const { replaceOprfRanges } = await import("./tee-oprf-verification.js");
+        processedResponse = replaceOprfRanges(processedResponse, oprfResults, logger);
+    }
+    // Count leading asterisks
+    let leadingAsterisks = 0;
+    for (const element of processedResponse) {
+        if (element === REDACTION_CHAR_CODE) {
+            leadingAsterisks++;
+        }
+        else {
+            break;
+        }
+    }
+    // Count trailing asterisks (may contain undesired data like alerts)
+    let trailingAsterisks = 0;
+    for (let i = processedResponse.length - 1; i >= leadingAsterisks; i--) {
+        if (processedResponse[i] === REDACTION_CHAR_CODE) {
+            trailingAsterisks++;
+        }
+        else {
+            break;
+        }
+    }
+    const finalLength = processedResponse.length - leadingAsterisks - trailingAsterisks;
+    logger.info(`After processing: ${processedResponse.length} bytes, ${leadingAsterisks} leading and ${trailingAsterisks} trailing asterisks trimmed, final: ${finalLength} bytes`);
+    return processedResponse.slice(leadingAsterisks, processedResponse.length - trailingAsterisks);
+}
+// Removed legacy packet-based extraction functions since we now use consolidated streams
+/**
+ * Applies response redaction ranges to replace random garbage with asterisks
+ * Response redaction ranges have NO type field - they all work the same way (binary redaction)
+ */
+function applyResponseRedactionRanges(response, redactionRanges, logger) {
+    if (!redactionRanges || redactionRanges.length === 0) {
+        return response;
+    }
+    const result = new Uint8Array(response);
+    // Consolidate overlapping ranges (same as client implementation)
+    const consolidatedRanges = consolidateRedactionRanges(redactionRanges);
+    if (logger) {
+        logger.info(`Applying ${consolidatedRanges.length} redaction ranges to ${response.length} byte response`);
+    }
+    // Apply each redaction range to replace random garbage with asterisks
+    for (const [idx, range] of consolidatedRanges.entries()) {
+        const rangeStart = range.start;
+        const rangeEnd = range.start + range.length;
+        // Check bounds
+        if (rangeStart < 0 || rangeEnd > result.length) {
+            if (logger) {
+                logger.warn(`Redaction range #${idx} out of bounds: [${rangeStart}-${rangeEnd}] vs ${result.length}`);
+            }
+            continue;
+        }
+        if (logger && idx < 3) {
+            logger.info(`Redaction range #${idx}: [${rangeStart}-${rangeEnd}]`);
+        }
+        // Replace random garbage with asterisks
+        for (let i = rangeStart; i < rangeEnd; i++) {
+            result[i] = REDACTION_CHAR_CODE;
+        }
+    }
+    return result;
+}
+/**
+ * Consolidates overlapping redaction ranges
+ */
+function consolidateRedactionRanges(ranges) {
+    if (ranges.length === 0) {
+        return [];
+    }
+    // Sort ranges by start position
+    const sortedRanges = [...ranges].sort((a, b) => a.start - b.start);
+    const consolidated = [];
+    let current = { ...sortedRanges[0] };
+    for (let i = 1; i < sortedRanges.length; i++) {
+        const next = sortedRanges[i];
+        // Check if ranges overlap or are adjacent
+        if (next.start <= current.start + current.length) {
+            // Merge ranges
+            const endCurrent = current.start + current.length;
+            const endNext = next.start + next.length;
+            current.length = Math.max(endCurrent, endNext) - current.start;
+        }
+        else {
+            // No overlap, add current and move to next
+            consolidated.push(current);
+            current = { ...next };
+        }
+    }
+    consolidated.push(current);
+    return consolidated;
+}