npm - @reclaimprotocol/attestor-core - Versions diffs - 5.0.1-beta.7 → 5.0.1 - Mend

@reclaimprotocol/attestor-core 5.0.1-beta.7 → 5.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (307) hide show

package/browser/resources/attestor-browser.min.mjs +4512 -0
package/lib/client/tunnels/make-rpc-tls-tunnel.d.ts +1 -1
package/lib/external-rpc/index.js +10399 -3
package/lib/index.js +8323 -10
package/lib/server/utils/proxy-session.d.ts +1 -1
package/lib/types/general.d.ts +0 -1
package/lib/utils/generics.d.ts +1 -6
package/lib/utils/index.d.ts +0 -1
package/package.json +8 -7
package/lib/avs/abis/avsDirectoryABI.js +0 -343
package/lib/avs/abis/delegationABI.js +0 -4
package/lib/avs/abis/registryABI.js +0 -728
package/lib/avs/client/create-claim-on-avs.js +0 -168
package/lib/avs/config.js +0 -26
package/lib/avs/contracts/ReclaimServiceManager.js +0 -0
package/lib/avs/contracts/common.js +0 -0
package/lib/avs/contracts/factories/ReclaimServiceManager__factory.js +0 -1183
package/lib/avs/contracts/factories/index.js +0 -4
package/lib/avs/contracts/index.js +0 -6
package/lib/avs/types/index.js +0 -0
package/lib/avs/utils/contracts.js +0 -53
package/lib/avs/utils/register.js +0 -74
package/lib/avs/utils/tasks.js +0 -48
package/lib/browser/avs/abis/avsDirectoryABI.d.ts +0 -60
package/lib/browser/avs/abis/avsDirectoryABI.js +0 -343
package/lib/browser/avs/abis/delegationABI.d.ts +0 -126
package/lib/browser/avs/abis/delegationABI.js +0 -4
package/lib/browser/avs/abis/registryABI.d.ts +0 -136
package/lib/browser/avs/abis/registryABI.js +0 -728
package/lib/browser/avs/client/create-claim-on-avs.d.ts +0 -12
package/lib/browser/avs/client/create-claim-on-avs.js +0 -168
package/lib/browser/avs/config.d.ts +0 -7
package/lib/browser/avs/config.js +0 -26
package/lib/browser/avs/contracts/ReclaimServiceManager.d.ts +0 -601
package/lib/browser/avs/contracts/ReclaimServiceManager.js +0 -0
package/lib/browser/avs/contracts/common.d.ts +0 -50
package/lib/browser/avs/contracts/common.js +0 -0
package/lib/browser/avs/contracts/factories/ReclaimServiceManager__factory.d.ts +0 -890
package/lib/browser/avs/contracts/factories/ReclaimServiceManager__factory.js +0 -1183
package/lib/browser/avs/contracts/factories/index.d.ts +0 -1
package/lib/browser/avs/contracts/factories/index.js +0 -4
package/lib/browser/avs/contracts/index.d.ts +0 -3
package/lib/browser/avs/contracts/index.js +0 -6
package/lib/browser/avs/types/index.d.ts +0 -55
package/lib/browser/avs/types/index.js +0 -0
package/lib/browser/avs/utils/contracts.d.ts +0 -21
package/lib/browser/avs/utils/contracts.js +0 -53
package/lib/browser/avs/utils/register.d.ts +0 -27
package/lib/browser/avs/utils/register.js +0 -74
package/lib/browser/avs/utils/tasks.d.ts +0 -22
package/lib/browser/avs/utils/tasks.js +0 -48
package/lib/browser/client/create-claim.d.ts +0 -5
package/lib/browser/client/create-claim.js +0 -461
package/lib/browser/client/index.d.ts +0 -3
package/lib/browser/client/index.js +0 -3
package/lib/browser/client/tunnels/make-rpc-tcp-tunnel.d.ts +0 -16
package/lib/browser/client/tunnels/make-rpc-tcp-tunnel.js +0 -53
package/lib/browser/client/tunnels/make-rpc-tls-tunnel.d.ts +0 -26
package/lib/browser/client/tunnels/make-rpc-tls-tunnel.js +0 -127
package/lib/browser/client/utils/attestor-pool.d.ts +0 -8
package/lib/browser/client/utils/attestor-pool.js +0 -24
package/lib/browser/client/utils/client-socket.d.ts +0 -11
package/lib/browser/client/utils/client-socket.js +0 -120
package/lib/browser/client/utils/message-handler.d.ts +0 -4
package/lib/browser/client/utils/message-handler.js +0 -97
package/lib/browser/config/index.d.ts +0 -31
package/lib/browser/config/index.js +0 -62
package/lib/browser/external-rpc/benchmark.d.ts +0 -1
package/lib/browser/external-rpc/benchmark.js +0 -82
package/lib/browser/external-rpc/event-bus.d.ts +0 -7
package/lib/browser/external-rpc/event-bus.js +0 -17
package/lib/browser/external-rpc/global.d.js +0 -0
package/lib/browser/external-rpc/handle-incoming-msg.d.ts +0 -2
package/lib/browser/external-rpc/handle-incoming-msg.js +0 -241
package/lib/browser/external-rpc/index.d.ts +0 -3
package/lib/browser/external-rpc/index.js +0 -3
package/lib/browser/external-rpc/jsc-polyfills/1.d.ts +0 -14
package/lib/browser/external-rpc/jsc-polyfills/1.js +0 -80
package/lib/browser/external-rpc/jsc-polyfills/2.d.ts +0 -1
package/lib/browser/external-rpc/jsc-polyfills/2.js +0 -15
package/lib/browser/external-rpc/jsc-polyfills/event.d.ts +0 -10
package/lib/browser/external-rpc/jsc-polyfills/event.js +0 -19
package/lib/browser/external-rpc/jsc-polyfills/index.d.ts +0 -2
package/lib/browser/external-rpc/jsc-polyfills/index.js +0 -2
package/lib/browser/external-rpc/jsc-polyfills/ws.d.ts +0 -21
package/lib/browser/external-rpc/jsc-polyfills/ws.js +0 -83
package/lib/browser/external-rpc/setup-browser.d.ts +0 -6
package/lib/browser/external-rpc/setup-browser.js +0 -33
package/lib/browser/external-rpc/setup-jsc.d.ts +0 -24
package/lib/browser/external-rpc/setup-jsc.js +0 -22
package/lib/browser/external-rpc/types.d.ts +0 -213
package/lib/browser/external-rpc/types.js +0 -0
package/lib/browser/external-rpc/utils.d.ts +0 -20
package/lib/browser/external-rpc/utils.js +0 -100
package/lib/browser/external-rpc/zk.d.ts +0 -14
package/lib/browser/external-rpc/zk.js +0 -58
package/lib/browser/index.browser.js +0 -13
package/lib/browser/index.d.ts +0 -9
package/lib/browser/index.js +0 -13
package/lib/browser/mechain/abis/governanceABI.d.ts +0 -50
package/lib/browser/mechain/abis/governanceABI.js +0 -461
package/lib/browser/mechain/abis/taskABI.d.ts +0 -157
package/lib/browser/mechain/abis/taskABI.js +0 -512
package/lib/browser/mechain/client/create-claim-on-mechain.d.ts +0 -10
package/lib/browser/mechain/client/create-claim-on-mechain.js +0 -33
package/lib/browser/mechain/client/index.d.ts +0 -1
package/lib/browser/mechain/client/index.js +0 -1
package/lib/browser/mechain/constants/index.d.ts +0 -3
package/lib/browser/mechain/constants/index.js +0 -8
package/lib/browser/mechain/index.d.ts +0 -2
package/lib/browser/mechain/index.js +0 -2
package/lib/browser/mechain/types/index.d.ts +0 -23
package/lib/browser/mechain/types/index.js +0 -0
package/lib/browser/proto/api.d.ts +0 -651
package/lib/browser/proto/api.js +0 -4250
package/lib/browser/proto/tee-bundle.d.ts +0 -156
package/lib/browser/proto/tee-bundle.js +0 -1296
package/lib/browser/providers/http/index.d.ts +0 -18
package/lib/browser/providers/http/index.js +0 -640
package/lib/browser/providers/http/patch-parse5-tree.d.ts +0 -6
package/lib/browser/providers/http/patch-parse5-tree.js +0 -34
package/lib/browser/providers/http/utils.d.ts +0 -77
package/lib/browser/providers/http/utils.js +0 -283
package/lib/browser/providers/index.d.ts +0 -4
package/lib/browser/providers/index.js +0 -7
package/lib/browser/types/bgp.d.ts +0 -11
package/lib/browser/types/bgp.js +0 -0
package/lib/browser/types/claims.d.ts +0 -70
package/lib/browser/types/claims.js +0 -0
package/lib/browser/types/client.d.ts +0 -163
package/lib/browser/types/client.js +0 -0
package/lib/browser/types/general.d.ts +0 -77
package/lib/browser/types/general.js +0 -0
package/lib/browser/types/handlers.d.ts +0 -10
package/lib/browser/types/handlers.js +0 -0
package/lib/browser/types/index.d.ts +0 -10
package/lib/browser/types/index.js +0 -10
package/lib/browser/types/providers.d.ts +0 -161
package/lib/browser/types/providers.gen.d.ts +0 -443
package/lib/browser/types/providers.gen.js +0 -16
package/lib/browser/types/providers.js +0 -0
package/lib/browser/types/rpc.d.ts +0 -35
package/lib/browser/types/rpc.js +0 -0
package/lib/browser/types/signatures.d.ts +0 -28
package/lib/browser/types/signatures.js +0 -0
package/lib/browser/types/tunnel.d.ts +0 -18
package/lib/browser/types/tunnel.js +0 -0
package/lib/browser/types/zk.d.ts +0 -38
package/lib/browser/types/zk.js +0 -0
package/lib/browser/utils/auth.d.ts +0 -8
package/lib/browser/utils/auth.js +0 -71
package/lib/browser/utils/b64-json.d.ts +0 -2
package/lib/browser/utils/b64-json.js +0 -17
package/lib/browser/utils/claims.d.ts +0 -33
package/lib/browser/utils/claims.js +0 -89
package/lib/browser/utils/env.d.ts +0 -3
package/lib/browser/utils/env.js +0 -19
package/lib/browser/utils/error.d.ts +0 -26
package/lib/browser/utils/error.js +0 -54
package/lib/browser/utils/generics.d.ts +0 -119
package/lib/browser/utils/generics.js +0 -272
package/lib/browser/utils/http-parser.d.ts +0 -59
package/lib/browser/utils/http-parser.js +0 -201
package/lib/browser/utils/index.browser.js +0 -13
package/lib/browser/utils/index.d.ts +0 -13
package/lib/browser/utils/index.js +0 -13
package/lib/browser/utils/logger.browser.js +0 -88
package/lib/browser/utils/logger.d.ts +0 -14
package/lib/browser/utils/logger.js +0 -88
package/lib/browser/utils/prepare-packets.d.ts +0 -16
package/lib/browser/utils/prepare-packets.js +0 -69
package/lib/browser/utils/redactions.d.ts +0 -73
package/lib/browser/utils/redactions.js +0 -135
package/lib/browser/utils/retries.d.ts +0 -12
package/lib/browser/utils/retries.js +0 -26
package/lib/browser/utils/signatures/eth.d.ts +0 -2
package/lib/browser/utils/signatures/eth.js +0 -31
package/lib/browser/utils/signatures/index.d.ts +0 -5
package/lib/browser/utils/signatures/index.js +0 -12
package/lib/browser/utils/socket-base.d.ts +0 -23
package/lib/browser/utils/socket-base.js +0 -96
package/lib/browser/utils/tls-imports.d.ts +0 -1
package/lib/browser/utils/tls-imports.js +0 -34
package/lib/browser/utils/tls.d.ts +0 -2
package/lib/browser/utils/tls.js +0 -58
package/lib/browser/utils/ws.d.ts +0 -7
package/lib/browser/utils/ws.js +0 -22
package/lib/browser/utils/zk.d.ts +0 -71
package/lib/browser/utils/zk.js +0 -625
package/lib/client/create-claim.js +0 -461
package/lib/client/index.js +0 -3
package/lib/client/tunnels/make-rpc-tcp-tunnel.js +0 -53
package/lib/client/tunnels/make-rpc-tls-tunnel.js +0 -127
package/lib/client/utils/attestor-pool.js +0 -24
package/lib/client/utils/client-socket.js +0 -120
package/lib/client/utils/message-handler.js +0 -97
package/lib/config/index.js +0 -62
package/lib/external-rpc/benchmark.js +0 -82
package/lib/external-rpc/event-bus.js +0 -17
package/lib/external-rpc/global.d.js +0 -0
package/lib/external-rpc/handle-incoming-msg.js +0 -241
package/lib/external-rpc/jsc-polyfills/1.js +0 -80
package/lib/external-rpc/jsc-polyfills/2.js +0 -15
package/lib/external-rpc/jsc-polyfills/event.js +0 -19
package/lib/external-rpc/jsc-polyfills/index.js +0 -2
package/lib/external-rpc/jsc-polyfills/ws.js +0 -83
package/lib/external-rpc/setup-browser.js +0 -33
package/lib/external-rpc/setup-jsc.js +0 -22
package/lib/external-rpc/types.js +0 -0
package/lib/external-rpc/utils.js +0 -100
package/lib/external-rpc/zk.js +0 -58
package/lib/index.browser.d.ts +0 -9
package/lib/mechain/abis/governanceABI.js +0 -461
package/lib/mechain/abis/taskABI.js +0 -512
package/lib/mechain/client/create-claim-on-mechain.js +0 -33
package/lib/mechain/client/index.js +0 -1
package/lib/mechain/constants/index.js +0 -8
package/lib/mechain/index.js +0 -2
package/lib/mechain/types/index.js +0 -0
package/lib/proto/api.js +0 -4250
package/lib/proto/tee-bundle.js +0 -1296
package/lib/providers/http/index.js +0 -640
package/lib/providers/http/patch-parse5-tree.js +0 -34
package/lib/providers/http/utils.js +0 -283
package/lib/providers/index.js +0 -7
package/lib/scripts/check-avs-registration.js +0 -28
package/lib/scripts/fallbacks/crypto.js +0 -4
package/lib/scripts/fallbacks/empty.js +0 -4
package/lib/scripts/fallbacks/re2.js +0 -7
package/lib/scripts/fallbacks/snarkjs.js +0 -10
package/lib/scripts/fallbacks/stwo.js +0 -159
package/lib/scripts/generate-provider-types.js +0 -101
package/lib/scripts/generate-receipt.js +0 -101
package/lib/scripts/generate-toprf-keys.js +0 -24
package/lib/scripts/jsc-cli-rpc.js +0 -35
package/lib/scripts/register-avs-operator.js +0 -3
package/lib/scripts/start-server.js +0 -11
package/lib/scripts/update-avs-metadata.js +0 -20
package/lib/scripts/utils.js +0 -10
package/lib/scripts/whitelist-operator.js +0 -16
package/lib/server/create-server.js +0 -105
package/lib/server/handlers/claimTeeBundle.js +0 -232
package/lib/server/handlers/claimTunnel.js +0 -80
package/lib/server/handlers/completeClaimOnChain.js +0 -29
package/lib/server/handlers/createClaimOnChain.js +0 -32
package/lib/server/handlers/createTaskOnMechain.js +0 -57
package/lib/server/handlers/createTunnel.js +0 -98
package/lib/server/handlers/disconnectTunnel.js +0 -8
package/lib/server/handlers/fetchCertificateBytes.js +0 -57
package/lib/server/handlers/index.js +0 -25
package/lib/server/handlers/init.js +0 -33
package/lib/server/handlers/toprf.js +0 -19
package/lib/server/index.js +0 -4
package/lib/server/socket.js +0 -112
package/lib/server/tunnels/make-tcp-tunnel.js +0 -202
package/lib/server/utils/apm.js +0 -29
package/lib/server/utils/assert-valid-claim-request.js +0 -354
package/lib/server/utils/config-env.js +0 -4
package/lib/server/utils/dns.js +0 -24
package/lib/server/utils/gcp-attestation.js +0 -237
package/lib/server/utils/generics.js +0 -45
package/lib/server/utils/iso.js +0 -259
package/lib/server/utils/keep-alive.js +0 -38
package/lib/server/utils/nitro-attestation.js +0 -249
package/lib/server/utils/oprf-raw.js +0 -61
package/lib/server/utils/process-handshake.js +0 -233
package/lib/server/utils/proxy-session.js +0 -4
package/lib/server/utils/tee-oprf-mpc-verification.js +0 -86
package/lib/server/utils/tee-oprf-verification.js +0 -151
package/lib/server/utils/tee-transcript-reconstruction.js +0 -140
package/lib/server/utils/tee-verification.js +0 -358
package/lib/server/utils/validation.js +0 -45
package/lib/types/bgp.js +0 -0
package/lib/types/claims.js +0 -0
package/lib/types/client.js +0 -0
package/lib/types/general.js +0 -0
package/lib/types/handlers.js +0 -0
package/lib/types/index.js +0 -10
package/lib/types/providers.gen.js +0 -16
package/lib/types/providers.js +0 -0
package/lib/types/rpc.js +0 -0
package/lib/types/signatures.js +0 -0
package/lib/types/tunnel.js +0 -0
package/lib/types/zk.js +0 -0
package/lib/utils/auth.js +0 -71
package/lib/utils/b64-json.js +0 -17
package/lib/utils/bgp-listener.js +0 -123
package/lib/utils/claims.js +0 -89
package/lib/utils/env.js +0 -19
package/lib/utils/error.js +0 -54
package/lib/utils/generics.js +0 -272
package/lib/utils/http-parser.js +0 -201
package/lib/utils/index.browser.d.ts +0 -13
package/lib/utils/index.js +0 -14
package/lib/utils/logger.browser.d.ts +0 -14
package/lib/utils/logger.js +0 -82
package/lib/utils/prepare-packets.js +0 -69
package/lib/utils/redactions.js +0 -135
package/lib/utils/retries.js +0 -26
package/lib/utils/signatures/eth.js +0 -31
package/lib/utils/signatures/index.js +0 -12
package/lib/utils/socket-base.js +0 -96
package/lib/utils/tls-imports.d.ts +0 -1
package/lib/utils/tls-imports.js +0 -34
package/lib/utils/tls.js +0 -58
package/lib/utils/ws.js +0 -22
package/lib/utils/zk.js +0 -625

package/lib/server/utils/process-handshake.js DELETED Viewed

@@ -1,233 +0,0 @@
-import {
-  concatenateUint8Arrays,
-  getSignatureDataTls12,
-  getSignatureDataTls13,
-  PACKET_TYPE,
-  parseCertificates,
-  parseClientHello,
-  parseServerCertificateVerify,
-  parseServerHello,
-  processServerKeyShare,
-  SUPPORTED_RECORD_TYPE_MAP,
-  uint8ArrayToDataView,
-  verifyCertificateChain,
-  verifyCertificateSignature
-} from "@reclaimprotocol/tls";
-import { TranscriptMessageSenderType } from "../../proto/api.js";
-import { decryptDirect } from "../../utils/index.js";
-const RECORD_LENGTH_BYTES = 3;
-async function processHandshake(receipt, logger) {
-  const certificates = [];
-  const handshakeRawMessages = [];
-  let currentPacketIdx = 0;
-  let cipherSuite = void 0;
-  let tlsVersion = void 0;
-  let serverRandom = void 0;
-  let clientRandom = void 0;
-  let serverFinishedIdx = -1;
-  let clientFinishedIdx = -1;
-  let certVerified = false;
-  let certVerifyHandled = false;
-  let hostname = void 0;
-  let clientChangeCipherSpecMsgIdx = -1;
-  let serverChangeCipherSpecMsgIdx = -1;
-  let incompletePkt = void 0;
-  while (serverFinishedIdx < 0 || clientFinishedIdx < 0) {
-    const packetIdx = currentPacketIdx++;
-    if (packetIdx >= receipt.length) {
-      throw new Error(
-        "Receipt over but server finish: " + serverFinishedIdx + ", client finish: " + clientFinishedIdx
-      );
-    }
-    const { message, reveal, sender } = receipt[packetIdx];
-    if (message[0] === PACKET_TYPE["CHANGE_CIPHER_SPEC"]) {
-      if (sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
-        clientChangeCipherSpecMsgIdx = packetIdx;
-        logger.trace("found client change cipher spec message");
-      } else {
-        serverChangeCipherSpecMsgIdx = packetIdx;
-        logger.trace("found server change cipher spec message");
-      }
-      continue;
-    }
-    let plaintext = getWithoutHeader(message);
-    if (!plaintext) {
-      throw new Error("incomplete TLS record encountered");
-    }
-    if (
-      // decrypt if wrapped record or after change cipher spec message,
-      // after which records are encrypted
-      message[0] === PACKET_TYPE["WRAPPED_RECORD"] || serverChangeCipherSpecMsgIdx > 0 && sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER || clientChangeCipherSpecMsgIdx > 0 && sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT
-    ) {
-      if (!tlsVersion || !cipherSuite) {
-        throw new Error("Could not find cipherSuite to use & got enc record");
-      }
-      if (!reveal?.directReveal?.key) {
-        throw new Error(
-          "no direct reveal for handshake packet: " + packetIdx
-        );
-      }
-      const recordHeader = message.slice(0, 5);
-      ({ plaintext } = await decryptDirect(
-        reveal?.directReveal,
-        cipherSuite,
-        recordHeader,
-        tlsVersion,
-        plaintext
-      ));
-      if (tlsVersion === "TLS1_3") {
-        plaintext = plaintext.slice(0, -1);
-      }
-    }
-    if (incompletePkt) {
-      const incSender = receipt[incompletePkt.packetIdx].sender;
-      if (incSender !== sender) {
-        throw new Error(
-          "Missing follow up to incomplete packet at idx: " + incompletePkt.packetIdx
-        );
-      }
-      plaintext = concatenateUint8Arrays([
-        incompletePkt.remainingBytes,
-        plaintext
-      ]);
-      incompletePkt = void 0;
-    }
-    const handshakeMessages = [];
-    for (let offset = 0; offset < plaintext.length; ) {
-      const type = plaintext[offset];
-      const content = readWithLength(plaintext.slice(offset + 1), RECORD_LENGTH_BYTES);
-      if (!content) {
-        incompletePkt = {
-          remainingBytes: plaintext.slice(offset),
-          packetIdx
-        };
-        break;
-      }
-      handshakeMessages.push({
-        type,
-        content,
-        contentWithHeader: plaintext.slice(
-          offset,
-          offset + 1 + RECORD_LENGTH_BYTES + content.length
-        ),
-        packetIdx
-      });
-      offset += 1 + RECORD_LENGTH_BYTES + content.length;
-    }
-    for (const msg of handshakeMessages) {
-      await processHandshakeMessage(msg);
-      handshakeRawMessages.push(msg.contentWithHeader);
-    }
-  }
-  if (!certVerified) {
-    throw new Error("No provider certificates received");
-  }
-  if (tlsVersion === "TLS1_3" && serverFinishedIdx < 0) {
-    throw new Error("server finished message not found");
-  }
-  if (tlsVersion === "TLS1_3" && !certVerifyHandled) {
-    throw new Error("TLS1.3 cert verify packet not received");
-  }
-  if (tlsVersion === "TLS1_2" && (serverChangeCipherSpecMsgIdx < 0 || clientChangeCipherSpecMsgIdx < 0)) {
-    throw new Error("change cipher spec message not found");
-  }
-  const nextMsgIndex = Math.max(serverFinishedIdx, clientFinishedIdx) + 1;
-  return {
-    tlsVersion,
-    cipherSuite,
-    hostname,
-    nextMsgIndex
-  };
-  async function processHandshakeMessage({ type, content, contentWithHeader, packetIdx }) {
-    switch (type) {
-      case SUPPORTED_RECORD_TYPE_MAP.CLIENT_HELLO:
-        const clientHello = parseClientHello(contentWithHeader);
-        clientRandom = clientHello.serverRandom;
-        const { SERVER_NAME: sni } = clientHello.extensions;
-        hostname = sni?.serverName;
-        if (!hostname) {
-          throw new Error("client hello has no SNI");
-        }
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.SERVER_HELLO:
-        const serverHello = await parseServerHello(content);
-        cipherSuite = serverHello.cipherSuite;
-        tlsVersion = serverHello.serverTlsVersion;
-        serverRandom = serverHello.serverRandom;
-        logger.info(
-          { serverTLSVersion: tlsVersion, cipherSuite },
-          "extracted server hello params"
-        );
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE:
-        const parseResult = parseCertificates(content, { version: tlsVersion });
-        certificates.push(...parseResult.certificates);
-        await verifyCertificateChain(certificates, hostname, logger);
-        logger.info({ hostname }, "verified provider certificate chain");
-        certVerified = true;
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE_VERIFY:
-        const signature = parseServerCertificateVerify(content);
-        if (!certificates?.length) {
-          throw new Error("No provider certificates received");
-        }
-        const signatureData = await getSignatureDataTls13(
-          handshakeRawMessages,
-          cipherSuite
-        );
-        await verifyCertificateSignature({
-          ...signature,
-          publicKey: certificates[0].getPublicKey(),
-          signatureData
-        });
-        certVerifyHandled = true;
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.SERVER_KEY_SHARE:
-        if (!certificates?.length) {
-          throw new Error("No provider certificates received");
-        }
-        const keyShare = await processServerKeyShare(content);
-        const signatureData12 = await getSignatureDataTls12(
-          {
-            clientRandom,
-            serverRandom,
-            curveType: keyShare.publicKeyType,
-            publicKey: keyShare.publicKey
-          }
-        );
-        await verifyCertificateSignature({
-          signature: keyShare.signatureBytes,
-          algorithm: keyShare.signatureAlgorithm,
-          publicKey: certificates[0].getPublicKey(),
-          signatureData: signatureData12,
-          publicKeyType: keyShare.publicKeyType
-        });
-        await verifyCertificateChain(certificates, hostname, logger);
-        logger.info({ hostname }, "verified provider certificate chain");
-        certVerified = true;
-        break;
-      case SUPPORTED_RECORD_TYPE_MAP.FINISHED:
-        const packet = receipt[packetIdx];
-        if (packet.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
-          clientFinishedIdx = packetIdx;
-        } else {
-          serverFinishedIdx = packetIdx;
-        }
-        break;
-    }
-  }
-}
-function getWithoutHeader(message) {
-  return readWithLength(message.slice(3), 2);
-}
-function readWithLength(data, lengthBytes = 2) {
-  const dataView = uint8ArrayToDataView(data);
-  const length = lengthBytes === 1 ? dataView.getUint8(0) : dataView.getUint16(lengthBytes === 3 ? 1 : 0);
-  if (data.length < lengthBytes + length) {
-    return void 0;
-  }
-  return data.slice(lengthBytes, lengthBytes + length);
-}
-export {
-  processHandshake
-};

package/lib/server/utils/proxy-session.js DELETED Viewed

@@ -1,4 +0,0 @@
-import { isValidProxySessionId } from "../../utils/generics.js";
-export {
-  isValidProxySessionId
-};

package/lib/server/utils/tee-oprf-mpc-verification.js DELETED Viewed

@@ -1,86 +0,0 @@
-import { AttestorError } from "../../utils/error.js";
-function verifyOprfMpcOutputs(kPayload, tPayload, logger) {
-  const kOutputs = kPayload.oprfOutputs || [];
-  const tOutputs = tPayload.oprfOutputs || [];
-  if (kOutputs.length === 0 && tOutputs.length === 0) {
-    logger.debug("No OPRF MPC outputs to verify");
-    return [];
-  }
-  if (kOutputs.length !== tOutputs.length) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `OPRF MPC count mismatch: TEE_K has ${kOutputs.length}, TEE_T has ${tOutputs.length}`
-    );
-  }
-  logger.info(`Verifying ${kOutputs.length} OPRF MPC outputs`);
-  const results = [];
-  for (const [i, kOut] of kOutputs.entries()) {
-    const tOut = tOutputs[i];
-    if (kOut.tlsStart < 0 || tOut.tlsStart < 0) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC invalid position at index ${i}: negative start position`
-      );
-    }
-    if (kOut.tlsLength <= 0 || kOut.tlsLength > 64 || tOut.tlsLength <= 0 || tOut.tlsLength > 64) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC invalid length at index ${i}: must be 1-64 bytes (TEE_K: ${kOut.tlsLength}, TEE_T: ${tOut.tlsLength})`
-      );
-    }
-    if (kOut.hashOutput.length !== 32 || tOut.hashOutput.length !== 32) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC invalid hash size at index ${i}: expected 32 bytes (TEE_K: ${kOut.hashOutput.length}, TEE_T: ${tOut.hashOutput.length})`
-      );
-    }
-    if (kOut.tlsStart !== tOut.tlsStart || kOut.tlsLength !== tOut.tlsLength) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC position mismatch at index ${i}: TEE_K [${kOut.tlsStart}:${kOut.tlsStart + kOut.tlsLength}] vs TEE_T [${tOut.tlsStart}:${tOut.tlsStart + tOut.tlsLength}]`
-      );
-    }
-    if (!buffersEqual(kOut.hashOutput, tOut.hashOutput)) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF MPC hash mismatch at index ${i}: outputs differ between TEE_K and TEE_T`
-      );
-    }
-    const hashOutputHex = Buffer.from(kOut.hashOutput).toString("hex");
-    const hashOutputBase64 = Buffer.from(kOut.hashOutput).toString("base64");
-    logger.info(
-      {
-        index: i,
-        position: kOut.tlsStart,
-        length: kOut.tlsLength,
-        hashOutputLen: kOut.hashOutput.length,
-        hashOutputHex: hashOutputHex.substring(0, 32) + "...",
-        hashOutputBase64Preview: hashOutputBase64.substring(0, 20) + "..."
-      },
-      "OPRF MPC output verified"
-    );
-    results.push({
-      position: kOut.tlsStart,
-      length: kOut.tlsLength,
-      output: new Uint8Array(kOut.hashOutput),
-      // Use SHA256(CMAC) as the replacement value
-      isMPC: true
-    });
-  }
-  logger.info(`Successfully verified ${results.length} OPRF MPC outputs`);
-  return results;
-}
-function buffersEqual(a, b) {
-  if (a.length !== b.length) {
-    return false;
-  }
-  for (const [i, element] of a.entries()) {
-    if (element !== b[i]) {
-      return false;
-    }
-  }
-  return true;
-}
-export {
-  verifyOprfMpcOutputs
-};

package/lib/server/utils/tee-oprf-verification.js DELETED Viewed

@@ -1,151 +0,0 @@
-import bs58 from "bs58";
-import { AttestorError } from "../../utils/error.js";
-import { makeDefaultOPRFOperator } from "../../utils/zk.js";
-async function verifyOprfProofs(bundleData, logger) {
-  if (!bundleData.oprfVerifications || bundleData.oprfVerifications.length === 0) {
-    logger.debug("No OPRF verifications present in bundle");
-    return [];
-  }
-  const { tOutputPayload } = bundleData;
-  const consolidatedCiphertext = tOutputPayload.consolidatedResponseCiphertext;
-  if (!consolidatedCiphertext || consolidatedCiphertext.length === 0) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "No consolidated ciphertext for OPRF verification");
-  }
-  const results = [];
-  logger.info(`Verifying ${bundleData.oprfVerifications.length} OPRF proofs`);
-  for (const [idx, oprfData] of bundleData.oprfVerifications.entries()) {
-    try {
-      const result = await verifySingleOprfProof(
-        oprfData,
-        consolidatedCiphertext,
-        idx,
-        logger
-      );
-      results.push(result);
-    } catch (error) {
-      logger.error({ error, index: idx }, "OPRF proof verification failed");
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `OPRF verification failed at index ${idx}: ${error.message}`
-      );
-    }
-  }
-  logger.info(`Successfully verified ${results.length} OPRF proofs`);
-  return results;
-}
-async function verifySingleOprfProof(oprfData, consolidatedCiphertext, index, logger) {
-  const publicSignalsJson = JSON.parse(new TextDecoder().decode(oprfData.publicSignalsJson));
-  const { proof, publicSignals, cipher } = publicSignalsJson;
-  if (!proof || !publicSignals) {
-    throw new Error("Missing proof or public signals in OPRF data");
-  }
-  const ciphertextChunk = consolidatedCiphertext.slice(
-    oprfData.streamPos,
-    oprfData.streamPos + oprfData.streamLength
-  );
-  const completePublicSignals = {
-    out: publicSignals.out || Uint8Array.from([]),
-    // Replace null input with extracted ciphertext
-    in: ciphertextChunk,
-    // Convert base64 nonces and counters
-    noncesAndCounters: publicSignals.blocks?.map((block) => ({
-      nonce: Buffer.from(block.nonce || "", "base64"),
-      counter: block.counter || 0,
-      boundary: block.boundary || ""
-    })) || [],
-    // Process TOPRF data
-    toprf: publicSignals.toprf ? {
-      ...publicSignals.toprf,
-      // Convert domain separator from base64
-      domainSeparator: publicSignals.toprf.domainSeparator ? Buffer.from(publicSignals.toprf.domainSeparator, "base64").toString("utf8") : "reclaim",
-      // Convert output from base64
-      output: publicSignals.toprf.output ? Buffer.from(publicSignals.toprf.output, "base64") : new Uint8Array(),
-      // Convert response fields from base64
-      responses: publicSignals.toprf.responses?.map((resp) => ({
-        publicKeyShare: Buffer.from(resp.publicKeyShare || "", "base64"),
-        evaluated: Buffer.from(resp.evaluated || "", "base64"),
-        c: Buffer.from(resp.c || "", "base64"),
-        r: Buffer.from(resp.r || "", "base64")
-      })) || [],
-      // Locations are already in correct format
-      locations: publicSignals.toprf.locations || []
-    } : void 0
-  };
-  const algorithm = cipher.replace("-toprf", "");
-  const zkEngine = "gnark";
-  const oprfOperator = makeDefaultOPRFOperator(algorithm, zkEngine, logger);
-  const proofBytes = Buffer.from(proof, "base64");
-  const isValid = await oprfOperator.groth16Verify(
-    completePublicSignals,
-    proofBytes,
-    logger
-  );
-  if (!isValid) {
-    throw new Error("OPRF proof verification failed");
-  }
-  logger.debug(`OPRF ${index}: Proof verified successfully`);
-  const oprfOutput = completePublicSignals.toprf?.output;
-  if (!oprfOutput || oprfOutput.length === 0) {
-    throw new Error("No OPRF output found in verified proof");
-  }
-  const oprfLocation = completePublicSignals.toprf?.locations?.[0];
-  if (!oprfLocation) {
-    throw new Error("No OPRF location found in public signals");
-  }
-  logger.info(`OPRF #${index}: streamPos=${oprfData.streamPos}, locationPos=${oprfLocation.pos}, finalPos=${oprfData.streamPos + oprfLocation.pos}, len=${oprfLocation.len}`);
-  return {
-    // The position in the plaintext where to replace (stream position + OPRF location within chunk)
-    position: oprfData.streamPos + oprfLocation.pos,
-    length: oprfLocation.len,
-    output: oprfOutput
-  };
-}
-function replaceOprfRanges(plaintext, oprfResults, logger) {
-  if (oprfResults.length === 0) {
-    return plaintext;
-  }
-  const replacements = oprfResults.map((result) => {
-    let outputBytes;
-    let encodedOutput;
-    if (result.isMPC) {
-      encodedOutput = bs58.encode(result.output);
-      outputBytes = new TextEncoder().encode(encodedOutput);
-    } else {
-      encodedOutput = Buffer.from(result.output).toString("base64");
-      const truncated = encodedOutput.substring(0, result.length);
-      outputBytes = new TextEncoder().encode(truncated);
-    }
-    return { result, outputBytes, encodedOutput };
-  });
-  replacements.sort((a, b) => a.result.position - b.result.position);
-  let newSize = plaintext.length;
-  for (const { result, outputBytes } of replacements) {
-    const sizeDiff = outputBytes.length - result.length;
-    newSize += sizeDiff;
-  }
-  logger.info(`Transcript size: ${plaintext.length} -> ${newSize} (${newSize - plaintext.length >= 0 ? "+" : ""}${newSize - plaintext.length} bytes)`);
-  const newPlaintext = new Uint8Array(newSize);
-  let srcPos = 0;
-  let dstPos = 0;
-  for (const [idx, { result, outputBytes, encodedOutput }] of replacements.entries()) {
-    const segmentLength = result.position - srcPos;
-    if (segmentLength > 0) {
-      newPlaintext.set(plaintext.slice(srcPos, result.position), dstPos);
-      dstPos += segmentLength;
-    }
-    const currentContent = plaintext.slice(result.position, result.position + result.length);
-    logger.info(`OPRF #${idx} at pos ${result.position}: "${Buffer.from(currentContent).toString("utf8")}" (${result.length}b) -> "${encodedOutput}" (${outputBytes.length}b)${result.isMPC ? " [MPC/base58]" : ""}`);
-    newPlaintext.set(outputBytes, dstPos);
-    dstPos += outputBytes.length;
-    srcPos = result.position + result.length;
-  }
-  if (srcPos < plaintext.length) {
-    newPlaintext.set(plaintext.slice(srcPos), dstPos);
-  }
-  logger.info(`Replaced ${oprfResults.length} OPRF ranges in plaintext`);
-  return newPlaintext;
-}
-export {
-  replaceOprfRanges,
-  verifyOprfProofs
-};

package/lib/server/utils/tee-transcript-reconstruction.js DELETED Viewed

@@ -1,140 +0,0 @@
-import { AttestorError } from "../../utils/error.js";
-import { REDACTION_CHAR_CODE } from "../../utils/index.js";
-async function reconstructTlsTranscript(bundleData, logger, oprfResults) {
-  try {
-    const revealedRequest = reconstructRequest(bundleData, logger);
-    const reconstructedResponse = await reconstructConsolidatedResponse(bundleData, logger, oprfResults);
-    const certificateInfo = bundleData.kOutputPayload.certificateInfo;
-    logger.info("TLS transcript reconstruction completed successfully", {
-      requestSize: revealedRequest.length,
-      responseSize: reconstructedResponse.length,
-      hasCertificateInfo: !!certificateInfo
-    });
-    return {
-      revealedRequest,
-      reconstructedResponse,
-      certificateInfo
-    };
-  } catch (error) {
-    logger.error({ error }, "TLS transcript reconstruction failed");
-    throw new AttestorError("ERROR_INVALID_CLAIM", `Transcript reconstruction failed: ${error.message}`);
-  }
-}
-function reconstructRequest(bundleData, logger) {
-  const { kOutputPayload } = bundleData;
-  if (!kOutputPayload.requestRedactionRanges || kOutputPayload.requestRedactionRanges.length === 0) {
-    logger.warn("No request redaction ranges - using redacted request as-is");
-    return kOutputPayload.redactedRequest;
-  }
-  const revealedRequest = new Uint8Array(kOutputPayload.redactedRequest);
-  const prettyRequest = new Uint8Array(revealedRequest);
-  for (const range of kOutputPayload.requestRedactionRanges) {
-    if (!range.type.includes("proof")) {
-      const start = range.start;
-      const length = range.length;
-      for (let i = 0; i < length && start + i < prettyRequest.length; i++) {
-        prettyRequest[start + i] = REDACTION_CHAR_CODE;
-      }
-    }
-  }
-  return prettyRequest;
-}
-async function reconstructConsolidatedResponse(bundleData, logger, oprfResults) {
-  const { kOutputPayload, tOutputPayload } = bundleData;
-  const consolidatedKeystream = kOutputPayload.consolidatedResponseKeystream;
-  const consolidatedCiphertext = tOutputPayload.consolidatedResponseCiphertext;
-  if (!consolidatedKeystream || consolidatedKeystream.length === 0) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "No consolidated response keystream available");
-  }
-  if (!consolidatedCiphertext || consolidatedCiphertext.length === 0) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "No consolidated response ciphertext available");
-  }
-  if (consolidatedKeystream.length !== consolidatedCiphertext.length) {
-    logger.warn("Keystream and ciphertext length mismatch", {
-      keystreamLength: consolidatedKeystream.length,
-      ciphertextLength: consolidatedCiphertext.length
-    });
-  }
-  const minLength = Math.min(consolidatedKeystream.length, consolidatedCiphertext.length);
-  const reconstructedResponse = new Uint8Array(minLength);
-  for (let i = 0; i < minLength; i++) {
-    reconstructedResponse[i] = consolidatedKeystream[i] ^ consolidatedCiphertext[i];
-  }
-  logger.info(`Reconstructed response: ${reconstructedResponse.length} bytes, ${kOutputPayload.responseRedactionRanges?.length || 0} redaction ranges`);
-  let processedResponse = applyResponseRedactionRanges(reconstructedResponse, kOutputPayload.responseRedactionRanges, logger);
-  if (oprfResults && oprfResults.length > 0) {
-    logger.info(`Applying ${oprfResults.length} OPRF replacements before trimming`);
-    const { replaceOprfRanges } = await import("../../server/utils/tee-oprf-verification.js");
-    processedResponse = replaceOprfRanges(processedResponse, oprfResults, logger);
-  }
-  let leadingAsterisks = 0;
-  for (const element of processedResponse) {
-    if (element === REDACTION_CHAR_CODE) {
-      leadingAsterisks++;
-    } else {
-      break;
-    }
-  }
-  let trailingAsterisks = 0;
-  for (let i = processedResponse.length - 1; i >= leadingAsterisks; i--) {
-    if (processedResponse[i] === REDACTION_CHAR_CODE) {
-      trailingAsterisks++;
-    } else {
-      break;
-    }
-  }
-  const finalLength = processedResponse.length - leadingAsterisks - trailingAsterisks;
-  logger.info(`After processing: ${processedResponse.length} bytes, ${leadingAsterisks} leading and ${trailingAsterisks} trailing asterisks trimmed, final: ${finalLength} bytes`);
-  return processedResponse.slice(leadingAsterisks, processedResponse.length - trailingAsterisks);
-}
-function applyResponseRedactionRanges(response, redactionRanges, logger) {
-  if (!redactionRanges || redactionRanges.length === 0) {
-    return response;
-  }
-  const result = new Uint8Array(response);
-  const consolidatedRanges = consolidateRedactionRanges(redactionRanges);
-  if (logger) {
-    logger.info(`Applying ${consolidatedRanges.length} redaction ranges to ${response.length} byte response`);
-  }
-  for (const [idx, range] of consolidatedRanges.entries()) {
-    const rangeStart = range.start;
-    const rangeEnd = range.start + range.length;
-    if (rangeStart < 0 || rangeEnd > result.length) {
-      if (logger) {
-        logger.warn(`Redaction range #${idx} out of bounds: [${rangeStart}-${rangeEnd}] vs ${result.length}`);
-      }
-      continue;
-    }
-    if (logger && idx < 3) {
-      logger.info(`Redaction range #${idx}: [${rangeStart}-${rangeEnd}]`);
-    }
-    for (let i = rangeStart; i < rangeEnd; i++) {
-      result[i] = REDACTION_CHAR_CODE;
-    }
-  }
-  return result;
-}
-function consolidateRedactionRanges(ranges) {
-  if (ranges.length === 0) {
-    return [];
-  }
-  const sortedRanges = [...ranges].sort((a, b) => a.start - b.start);
-  const consolidated = [];
-  let current = { ...sortedRanges[0] };
-  for (let i = 1; i < sortedRanges.length; i++) {
-    const next = sortedRanges[i];
-    if (next.start <= current.start + current.length) {
-      const endCurrent = current.start + current.length;
-      const endNext = next.start + next.length;
-      current.length = Math.max(endCurrent, endNext) - current.start;
-    } else {
-      consolidated.push(current);
-      current = { ...next };
-    }
-  }
-  consolidated.push(current);
-  return consolidated;
-}
-export {
-  reconstructTlsTranscript
-};