@reclaimprotocol/attestor-core 5.0.1-beta.9 → 5.0.1

package/lib/server/utils/assert-valid-claim-request.js

@@ -1,354 +0,0 @@
-import { areUint8ArraysEqual, concatenateUint8Arrays } from "@reclaimprotocol/tls";
-import { ClaimTunnelRequest, TranscriptMessageSenderType } from "../../proto/api.js";
-import { providers } from "../../providers/index.js";
-import { niceParseJsonObject } from "../../server/utils/generics.js";
-import { computeOPRFRaw } from "../../server/utils/oprf-raw.js";
-import { processHandshake } from "../../server/utils/process-handshake.js";
-import { assertValidateProviderParams } from "../../server/utils/validation.js";
-import {
-  AttestorError,
-  binaryHashToStr,
-  canonicalStringify,
-  decryptDirect,
-  extractApplicationDataFromTranscript,
-  hashProviderParams,
-  SIGNATURES,
-  verifyZkPacket
-} from "../../utils/index.js";
-import { getEngineString } from "../../utils/zk.js";
-async function assertValidClaimRequest(request, metadata, logger) {
-  const {
-    data,
-    signatures: { requestSignature } = {},
-    zkEngine,
-    fixedServerIV,
-    fixedClientIV
-  } = request;
-  if (!data) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "No info provided on claim request"
-    );
-  }
-  if (!requestSignature?.length) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "No signature provided on claim request"
-    );
-  }
-  const serialisedReq = ClaimTunnelRequest.encode({ ...request, signatures: void 0 }).finish();
-  const { verify: verifySig } = SIGNATURES[metadata.signatureType];
-  const verified = await verifySig(serialisedReq, requestSignature, data.owner);
-  if (!verified) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "Invalid signature on claim request"
-    );
-  }
-  const receipt = await decryptTranscript(
-    request.transcript,
-    logger,
-    getEngineString(zkEngine),
-    fixedServerIV,
-    fixedClientIV
-  );
-  const reqHost = request.request?.host;
-  if (receipt.hostname !== reqHost) {
-    throw new Error(
-      `Expected server name ${reqHost}, got ${receipt.hostname}`
-    );
-  }
-  const applData = extractApplicationDataFromTranscript(receipt);
-  const newData = await assertValidProviderTranscript(
-    applData,
-    data,
-    logger,
-    { version: metadata.clientVersion },
-    receipt.oprfRawReplacements
-  );
-  if (newData !== data) {
-    logger.info({ newData }, "updated claim info");
-  }
-  return newData;
-}
-async function assertValidProviderTranscript(applData, info, logger, providerCtx, oprfRawReplacements) {
-  const providerName = info.provider;
-  const provider = providers[providerName];
-  if (!provider) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `Unsupported provider: ${providerName}`
-    );
-  }
-  let params = niceParseJsonObject(info.parameters, "params");
-  const ctx = niceParseJsonObject(info.context, "context");
-  if (oprfRawReplacements?.length) {
-    let strParams = canonicalStringify(params) ?? "{}";
-    for (const { originalText, nullifierText } of oprfRawReplacements) {
-      strParams = strParams.replaceAll(originalText, nullifierText);
-    }
-    params = JSON.parse(strParams);
-    info.parameters = strParams;
-    logger.debug(
-      { replacements: oprfRawReplacements.length },
-      "applied oprf-raw parameter replacements"
-    );
-  }
-  assertValidateProviderParams(providerName, params);
-  const rslt = await provider.assertValidProviderReceipt({
-    receipt: applData,
-    params,
-    logger,
-    ctx: providerCtx
-  });
-  ctx.providerHash = hashProviderParams(params);
-  const extractedParameters = rslt?.extractedParameters || {};
-  if (Object.keys(extractedParameters).length) {
-    ctx.extractedParameters = extractedParameters;
-  }
-  info.context = canonicalStringify(ctx) ?? "";
-  return info;
-}
-function assertTranscriptsMatch(clientTranscript, tunnelTranscript) {
-  const clientSends = concatenateUint8Arrays(
-    clientTranscript.filter((m) => m.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT).map((m) => m.message)
-  );
-  const tunnelSends = concatenateUint8Arrays(
-    tunnelTranscript.filter((m) => m.sender === "client").map((m) => m.message)
-  );
-  if (!areUint8ArraysEqual(clientSends, tunnelSends)) {
-    throw AttestorError.badRequest(
-      "Outgoing messages from client do not match the tunnel transcript"
-    );
-  }
-  const clientRecvs = concatenateUint8Arrays(
-    clientTranscript.filter((m) => m.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER).map((m) => m.message)
-  );
-  const tunnelRecvs = concatenateUint8Arrays(
-    tunnelTranscript.filter((m) => m.sender === "server").map((m) => m.message)
-  ).slice(0, clientRecvs.length);
-  if (!areUint8ArraysEqual(clientRecvs, tunnelRecvs)) {
-    throw AttestorError.badRequest(
-      "Incoming messages from server do not match the tunnel transcript"
-    );
-  }
-}
-async function decryptTranscript(transcript, logger, zkEngine, serverIV, clientIV) {
-  const {
-    tlsVersion,
-    cipherSuite,
-    hostname,
-    nextMsgIndex
-  } = await processHandshake(transcript, logger);
-  let clientRecordNumber = tlsVersion === "TLS1_3" ? -1 : 0;
-  let serverRecordNumber = clientRecordNumber;
-  transcript = transcript.slice(nextMsgIndex);
-  const overshotMap = {};
-  const decryptedTranscript = [];
-  const oprfRawReplacements = [];
-  const pendingOprfRaw = {};
-  for (const [i, {
-    sender,
-    message,
-    reveal: { zkReveal, directReveal } = {}
-  }] of transcript.entries()) {
-    try {
-      await decryptMessage(sender, message, directReveal, zkReveal, i);
-    } catch (error) {
-      const err = new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `error in handling packet at idx ${i}: ${error}`,
-        { packetIdx: i, error }
-      );
-      if (error.stack) {
-        err.stack = error.stack;
-      }
-      throw err;
-    }
-  }
-  const remainingPending = Object.keys(pendingOprfRaw);
-  if (remainingPending.length) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `oprf-raw cross-block markers incomplete: pending for packets ${remainingPending.join(", ")}`
-    );
-  }
-  return {
-    transcript: decryptedTranscript,
-    hostname,
-    tlsVersion,
-    oprfRawReplacements: oprfRawReplacements.length ? oprfRawReplacements : void 0
-  };
-  async function decryptMessage(sender, message, directReveal, zkReveal, i) {
-    const isServer = sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER;
-    const recordHeader = message.slice(0, 5);
-    const content = getWithoutHeader(message);
-    if (isServer) {
-      serverRecordNumber++;
-    } else {
-      clientRecordNumber++;
-    }
-    let redacted = true;
-    let plaintext = void 0;
-    let plaintextLength;
-    if (directReveal?.key?.length) {
-      const result = await decryptDirect(
-        directReveal,
-        cipherSuite,
-        recordHeader,
-        tlsVersion,
-        content
-      );
-      plaintext = result.plaintext;
-      redacted = false;
-      plaintextLength = plaintext.length;
-    } else if (zkReveal?.proofs?.length) {
-      const iv = sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER ? serverIV : clientIV;
-      const recordNumber = isServer ? serverRecordNumber : clientRecordNumber;
-      const result = await verifyZkPacket(
-        {
-          ciphertext: content,
-          zkReveal,
-          iv,
-          recordNumber,
-          toprfOvershotNullifier: overshotMap[i]?.data,
-          getNextPacket(overshot) {
-            const nextIdx = transcript.findIndex((t, j) => t.sender === sender && j > i);
-            if (nextIdx < 0) {
-              return;
-            }
-            overshotMap[nextIdx] = { data: overshot };
-            return getWithoutHeader(transcript[nextIdx].message);
-          },
-          logger,
-          cipherSuite,
-          zkEngine
-        }
-      );
-      plaintext = result.redactedPlaintext;
-      const pendingForThis = pendingOprfRaw[i];
-      if (pendingForThis && zkReveal?.overshotOprfRawLength) {
-        const overshootLen = zkReveal.overshotOprfRawLength;
-        const overshootData = plaintext.slice(0, overshootLen);
-        const fullData = concatenateUint8Arrays([
-          pendingForThis.partialData,
-          overshootData
-        ]);
-        const expectedLen = pendingForThis.dataLocation.length;
-        if (fullData.length !== expectedLen) {
-          throw new AttestorError(
-            "ERROR_INVALID_CLAIM",
-            `oprf-raw cross-block length mismatch: got ${fullData.length}, expected ${expectedLen}`
-          );
-        }
-        const oprfResults = await computeOPRFRaw(
-          fullData,
-          [{ dataLocation: { fromIndex: 0, length: fullData.length } }],
-          logger
-        );
-        if (oprfResults.length) {
-          const { nullifier } = oprfResults[0];
-          const originalText = new TextDecoder().decode(fullData);
-          const nullifierStr = binaryHashToStr(nullifier, fullData.length);
-          oprfRawReplacements.push({ originalText, nullifierText: nullifierStr });
-          const nullifierBytes = new TextEncoder().encode(nullifierStr);
-          const overshootNullifier = nullifierBytes.slice(pendingForThis.partialData.length);
-          plaintext.set(overshootNullifier, 0);
-          const prevPkt = decryptedTranscript[pendingForThis.originPktIdx];
-          if (prevPkt) {
-            const firstPartNullifier = nullifierBytes.slice(0, pendingForThis.partialData.length);
-            prevPkt.message.set(firstPartNullifier, pendingForThis.dataLocation.fromIndex);
-          }
-        }
-        delete pendingOprfRaw[i];
-      }
-      if (result.oprfRawMarkers?.length) {
-        const { markersThisPacket, pendingMarker } = separateOprfRawMarkers(
-          result.oprfRawMarkers,
-          plaintext.length,
-          () => transcript.findIndex((t, j) => t.sender === sender && j > i),
-          decryptedTranscript.length,
-          logger
-        );
-        if (pendingMarker) {
-          pendingMarker.pending.partialData.set(
-            plaintext.slice(pendingMarker.pending.dataLocation.fromIndex)
-          );
-          pendingOprfRaw[pendingMarker.nextIdx] = pendingMarker.pending;
-        }
-        if (markersThisPacket.length) {
-          const pt = plaintext;
-          const oprfResults = await computeOPRFRaw(pt, markersThisPacket, logger);
-          const originalTexts = oprfResults.map(({ dataLocation }) => new TextDecoder().decode(
-            pt.slice(dataLocation.fromIndex, dataLocation.fromIndex + dataLocation.length)
-          ));
-          for (const [idx, { dataLocation, nullifier }] of oprfResults.entries()) {
-            const originalText = originalTexts[idx];
-            const nullifierStr = binaryHashToStr(nullifier, dataLocation.length);
-            oprfRawReplacements.push({ originalText, nullifierText: nullifierStr });
-            const nullifierBytes = new TextEncoder().encode(nullifierStr);
-            pt.set(nullifierBytes, dataLocation.fromIndex);
-          }
-        }
-      }
-      redacted = false;
-      plaintextLength = plaintext.length;
-    } else {
-      plaintext = content;
-      plaintextLength = plaintext.length;
-    }
-    decryptedTranscript.push({
-      sender: sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT ? "client" : "server",
-      redacted,
-      message: plaintext,
-      recordHeader,
-      plaintextLength
-    });
-  }
-}
-function getWithoutHeader(message) {
-  return message.slice(5);
-}
-function separateOprfRawMarkers(markers, plaintextLength, findNextPacketIdx, currentTranscriptLength, logger) {
-  const markersThisPacket = [];
-  let pendingMarker;
-  for (const marker of markers) {
-    const dataLocation = marker.dataLocation;
-    if (!dataLocation) {
-      continue;
-    }
-    const { fromIndex, length } = dataLocation;
-    const endInPacket = fromIndex + length;
-    if (endInPacket <= plaintextLength) {
-      markersThisPacket.push({ dataLocation });
-      continue;
-    }
-    const nextIdx = findNextPacketIdx();
-    if (nextIdx < 0) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        "oprf-raw marker spans packets but no next packet found"
-      );
-    }
-    pendingMarker = {
-      nextIdx,
-      pending: {
-        partialData: new Uint8Array(plaintextLength - fromIndex),
-        dataLocation: { fromIndex, length },
-        originPktIdx: currentTranscriptLength
-      }
-    };
-    logger.debug(
-      { fromIndex, length, partialLen: plaintextLength - fromIndex, nextIdx },
-      "oprf-raw marker spans packets, storing partial data"
-    );
-  }
-  return { markersThisPacket, pendingMarker };
-}
-export {
-  assertTranscriptsMatch,
-  assertValidClaimRequest,
-  assertValidProviderTranscript,
-  decryptTranscript,
-  getWithoutHeader
-};

package/lib/server/utils/config-env.js

@@ -1,4 +0,0 @@
-import { config } from "dotenv";
-import { getEnvVariable } from "../../utils/env.js";
-const nodeEnv = getEnvVariable("NODE_ENV") || "development";
-config({ path: `.env.${nodeEnv}` });

package/lib/server/utils/dns.js

@@ -1,24 +0,0 @@
-import { resolve, setServers } from "dns";
-import { DNS_SERVERS } from "../../config/index.js";
-setDnsServers();
-async function resolveHostnames(hostname) {
-  return new Promise((_resolve, reject) => {
-    resolve(hostname, (err, addresses) => {
-      if (err) {
-        reject(
-          new Error(
-            `Could not resolve hostname: ${hostname}, ${err.message}`
-          )
-        );
-      } else {
-        _resolve(addresses);
-      }
-    });
-  });
-}
-function setDnsServers() {
-  setServers(DNS_SERVERS);
-}
-export {
-  resolveHostnames
-};

package/lib/server/utils/gcp-attestation.js

@@ -1,237 +0,0 @@
-import crypto, { X509Certificate } from "crypto";
-let gcpKeysCache = null;
-let gcpKeysCacheTime = 0;
-const GCP_KEYS_CACHE_TTL = 36e5;
-const GCP_CONFIDENTIAL_SPACE_ROOT_CA = `-----BEGIN CERTIFICATE-----
-MIIGCDCCA/CgAwIBAgITYBvRy5g9aYYMh7tJS7pFwafL6jANBgkqhkiG9w0BAQsF
-ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
-DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAsTDEdv
-b2dsZSBDbG91ZDEjMCEGA1UEAxMaQ29uZmlkZW50aWFsIFNwYWNlIFJvb3QgQ0Ew
-HhcNMjQwMTE5MjIxMDUwWhcNMzQwMTE2MjIxMDQ5WjCBizELMAkGA1UEBhMCVVMx
-EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxEzAR
-BgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAsTDEdvb2dsZSBDbG91ZDEjMCEGA1UE
-AxMaQ29uZmlkZW50aWFsIFNwYWNlIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUA
-A4ICDwAwggIKAoICAQCvRuZasczAqhMZe1ODHJ6MFLX8EYVV+RN7xiO9GpuA53iz
-l9Oxgp3NXik3FbYn+7bcIkMMSQpCr6K0jbSQCZT6d5P5PJT5DpNGYjLHkW67/fl+
-Bu7eSMb0qRCa1jS+3OhNK7t7SIaHm1XdmSRghjwoglKRuk3CGrF4Zia9RcE/p2MU
-69GyJZpqHYwTplNr3x4zF+2nJk86GywDP+sGwSPWfcmqY04VQD7ZPDEZZ/qgzdoL
-5ilE92eQnAsy+6m6LxBEHHVcFpfDtNVUIt2VMCWLBeOKUQcn5js756xblInqw/Qt
-QRR0An0yfRjBuGvmMjAwETDo5ETY/fc+nbQVYJzNQTc9EOpFFWPpw/ZjFcN9Amnd
-dxYUETFXPmBYerMez0LKNtGpfKYHHhMMTI3mj0m/V9fCbfh2YbBUnMS2Swd20YSI
-Mi/HiGaqOpGUqXMeQVw7phGTS3QYK8ZM65sC/QhIQzXdsiLDgFBitVnlIu3lIv6C
-uiHvXeSJBRlRxQ8Vu+t6J7hBdl0etWBKAu9Vti46af5cjC03dspkHR3MAUGcrLWE
-TkQ0msQAKvIAlwyQRLuQOI5D6pF+6af1Nbl+vR7sLCbDWdMqm1E9X6KyFKd6e3rn
-E9O4dkFJp35WvR2gqIAkUoa+Vq1MXLFYG4imanZKH0igrIblbawRCr3Gr24FXQID
-AQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
-FgQUF+fBOE6Th1snpKuvIb6S8/mtPL4wHwYDVR0jBBgwFoAUF+fBOE6Th1snpKuv
-Ib6S8/mtPL4wDQYJKoZIhvcNAQELBQADggIBAGtCuV5eHxWcffylK9GPumaD6Yjd
-cs76KDBe3mky5ItBIrEOeZq3z47zM4dbKZHhFuoq4yAaO1MyApnG0w9wIQLBDndI
-ovtkw6j9/64aqPWpNaoB5MB0SahCUCgI83Dx9SRqGmjPI/MTMfwDLdE5EF9gFmVI
-oH62YnG2aa/sc6m/8wIK8WtTJazEI16/8GPG4ZUhwT6aR3IGGnEBPMbMd5VZQ0Hw
-VbHBKWK3UykaSCxnEg8uaNx/rhNaOWuWtos4qL00dYyGV7ZXg4fpAq7244QUgkWV
-AtVcU2SPBjDd30OFHASnenDHRzQdOtHaxLp4a4WaY3jb2V6Sn3LfE8zSy6GevxmN
-COIWW3xnPF8rwKz4ABEPqECe37zzu3W1nzZAFtdkhPBNnlWYkIusTMtU+8v6EPKp
-GIIRphpaDhtGPJQukpENOfk2728lenPycRfjxwA96UKWq0dKZC45MwBEK9Jngn8Q
-cPmpPmx7pSMkSxEX2Vos2JNaNmCKJd2VaXz8M6F2cxscRdh9TbAYAjGEEjE1nLUH
-2YHDS8Y7xYNFIDSFaJAlqGcCUbzjGhrwHGj4voTe9ZvlmngrcA/ptSuBidvsnRDw
-kNPLowCd0NqxYYSLNL7GroYCFPxoBpr+++4vsCaXalbs8iJxdU2EPqG4MB4xWKYg
-uyT5CnJulxSC5CT1
------END CERTIFICATE-----`;
-function base64urlDecode(input) {
-  let base64 = input.replace(/-/g, "+").replace(/_/g, "/");
-  while (base64.length % 4) {
-    base64 += "=";
-  }
-  return Buffer.from(base64, "base64");
-}
-async function fetchGooglePublicKeys(logger) {
-  const now = Date.now();
-  if (gcpKeysCache && now - gcpKeysCacheTime < GCP_KEYS_CACHE_TTL) {
-    if (logger) {
-      logger.debug("Using cached Google public keys");
-    }
-    return gcpKeysCache;
-  }
-  if (logger) {
-    logger.info("Fetching Google public keys from https://www.googleapis.com/oauth2/v3/certs");
-  }
-  const response = await fetch("https://www.googleapis.com/oauth2/v3/certs");
-  if (!response.ok) {
-    throw new Error(`Failed to fetch Google keys: ${response.status} ${response.statusText}`);
-  }
-  const keys = await response.json();
-  gcpKeysCache = keys;
-  gcpKeysCacheTime = now;
-  if (logger) {
-    logger.info(`Fetched ${keys.keys.length} Google public keys`);
-  }
-  return keys;
-}
-function jwkToPublicKey(jwk) {
-  return crypto.createPublicKey({
-    key: {
-      kty: "RSA",
-      n: jwk.n,
-      e: jwk.e
-    },
-    format: "jwk"
-  });
-}
-function verifyX5cChain(x5cChain, logger) {
-  if (!x5cChain || x5cChain.length === 0) {
-    throw new Error("Empty x5c certificate chain");
-  }
-  const leafCertPem = `-----BEGIN CERTIFICATE-----
-${x5cChain[0]}
------END CERTIFICATE-----`;
-  const leafCert = new X509Certificate(leafCertPem);
-  if (logger) {
-    logger.info(`x5c leaf certificate: subject=${leafCert.subject}, issuer=${leafCert.issuer}`);
-  }
-  const rootCert = new X509Certificate(GCP_CONFIDENTIAL_SPACE_ROOT_CA);
-  let currentCert = leafCert;
-  for (let i = 1; i < x5cChain.length; i++) {
-    const intermediatePem = `-----BEGIN CERTIFICATE-----
-${x5cChain[i]}
------END CERTIFICATE-----`;
-    const intermediateCert = new X509Certificate(intermediatePem);
-    const isValid = currentCert.verify(intermediateCert.publicKey);
-    if (!isValid) {
-      throw new Error(`Certificate chain verification failed at level ${i}`);
-    }
-    if (logger) {
-      logger.debug(`Verified cert level ${i}: ${intermediateCert.subject}`);
-    }
-    currentCert = intermediateCert;
-  }
-  const isRootValid = currentCert.verify(rootCert.publicKey);
-  if (!isRootValid) {
-    throw new Error("Certificate chain does not root to GCP Confidential Space Root CA");
-  }
-  if (logger) {
-    logger.info("x5c certificate chain verified successfully");
-  }
-  return leafCert.publicKey;
-}
-async function validateGcpAttestationAndExtractKey(attestationBytes, logger) {
-  const errors = [];
-  try {
-    const jwtString = Buffer.from(attestationBytes).toString("utf8");
-    const parts = jwtString.split(".");
-    if (parts.length !== 3) {
-      errors.push("Invalid JWT format: expected 3 parts");
-      return { isValid: false, errors };
-    }
-    const [headerB64, payloadB64, signatureB64] = parts;
-    const headerJson = base64urlDecode(headerB64).toString("utf8");
-    const payloadJson = base64urlDecode(payloadB64).toString("utf8");
-    const header = JSON.parse(headerJson);
-    const payload = JSON.parse(payloadJson);
-    if (logger) {
-      logger.info(`GCP JWT header: kid=${header.kid}, alg=${header.alg}`);
-      logger.info(`GCP JWT payload: iss=${payload.iss}, aud=${payload.aud}`);
-    }
-    const now = Math.floor(Date.now() / 1e3);
-    const validIssuers = [
-      "https://accounts.google.com",
-      "https://confidentialcomputing.googleapis.com"
-    ];
-    if (!validIssuers.includes(payload.iss)) {
-      errors.push(`Invalid issuer: expected one of ${validIssuers.join(", ")}, got "${payload.iss}"`);
-    }
-    if (payload.exp <= now) {
-      errors.push(`Token expired: exp=${payload.exp}, now=${now}`);
-    }
-    if (payload.iat > now + 60) {
-      errors.push(`Token issued in future: iat=${payload.iat}, now=${now}`);
-    }
-    const hasReclaimAudience = payload.aud?.includes("reclaimprotocol.org");
-    const hasGcpStsAudience = payload.aud?.includes("sts.googleapis.com");
-    if (!hasReclaimAudience && !hasGcpStsAudience) {
-      errors.push(`Invalid audience: expected "reclaimprotocol.org" or "sts.googleapis.com", got "${payload.aud}"`);
-    }
-    if (errors.length > 0) {
-      return { isValid: false, errors };
-    }
-    let publicKey;
-    if (header.x5c && header.x5c.length > 0) {
-      if (logger) {
-        logger.info(`Using x5c certificate chain (${header.x5c.length} certificates)`);
-      }
-      publicKey = verifyX5cChain(header.x5c, logger);
-    } else if (header.kid) {
-      if (logger) {
-        logger.info(`Using OIDC token with kid: ${header.kid}`);
-      }
-      const jwks = await fetchGooglePublicKeys(logger);
-      const jwk = jwks.keys.find((k) => k.kid === header.kid);
-      if (!jwk) {
-        errors.push(`No public key found for kid: ${header.kid}`);
-        return { isValid: false, errors };
-      }
-      publicKey = jwkToPublicKey(jwk);
-    } else {
-      errors.push("JWT header must contain either x5c or kid field");
-      return { isValid: false, errors };
-    }
-    const signedData = `${headerB64}.${payloadB64}`;
-    const signature = base64urlDecode(signatureB64);
-    const verify = crypto.createVerify("RSA-SHA256");
-    verify.update(signedData);
-    const isSignatureValid = verify.verify(publicKey, signature);
-    if (!isSignatureValid) {
-      errors.push("Signature verification failed");
-      return { isValid: false, errors };
-    }
-    if (logger) {
-      logger.info("GCP JWT signature verified successfully");
-    }
-    if (!payload.eat_nonce) {
-      errors.push("No eat_nonce field found in JWT payload");
-      return { isValid: false, errors };
-    }
-    const match = payload.eat_nonce.match(/^(tee_[kt])_public_key:0x([0-9a-fA-F]{40})$/);
-    if (!match) {
-      errors.push(`Invalid eat_nonce format: ${payload.eat_nonce}`);
-      return { isValid: false, errors };
-    }
-    const userDataType = match[1];
-    const hexAddress = match[2];
-    const ethAddress = new Uint8Array(Buffer.from(hexAddress, "hex"));
-    if (logger) {
-      logger.info(`Extracted address from eat_nonce: ${payload.eat_nonce}`);
-    }
-    let pcr0 = "gcp-no-digest";
-    if (payload.google?.compute_engine?.image_digest) {
-      pcr0 = payload.google.compute_engine.image_digest;
-    } else if (payload.submods?.container?.image_digest) {
-      pcr0 = payload.submods.container.image_digest;
-    }
-    if (payload.dbgstat === "enabled" && pcr0.startsWith("sha256:")) {
-      pcr0 = "debug_" + pcr0;
-    }
-    const envVars = payload.submods?.container?.env || {};
-    if (logger) {
-      const hexAddr = Buffer.from(ethAddress).toString("hex");
-      logger.info(`Extracted ETH address from GCP attestation: 0x${hexAddr}, type: ${userDataType}, pcr0: ${pcr0}`);
-      if (Object.keys(envVars).length > 0) {
-        logger.debug(`Environment variables: ${Object.keys(envVars).join(", ")}`);
-      }
-    }
-    return {
-      isValid: true,
-      errors: [],
-      ethAddress,
-      userDataType,
-      pcr0,
-      envVars
-    };
-  } catch (error) {
-    const errorMsg = error instanceof Error ? error.message : String(error);
-    errors.push(`GCP attestation validation error: ${errorMsg}`);
-    return { isValid: false, errors };
-  }
-}
-export {
-  validateGcpAttestationAndExtractKey
-};

package/lib/server/utils/generics.js

@@ -1,45 +0,0 @@
-import { RPCMessages } from "../../proto/api.js";
-import { getEnvVariable } from "../../utils/env.js";
-import { AttestorError, strToUint8Array } from "../../utils/index.js";
-import { SIGNATURES } from "../../utils/signatures/index.js";
-const PRIVATE_KEY = getEnvVariable("PRIVATE_KEY");
-function signAsAttestor(data, scheme) {
-  const { sign } = SIGNATURES[scheme];
-  return sign(
-    typeof data === "string" ? strToUint8Array(data) : data,
-    PRIVATE_KEY
-  );
-}
-function getAttestorAddress(scheme) {
-  const { getAddress, getPublicKey } = SIGNATURES[scheme];
-  const publicKey = getPublicKey(PRIVATE_KEY);
-  return getAddress(publicKey);
-}
-function niceParseJsonObject(data, key) {
-  if (!data) {
-    return {};
-  }
-  try {
-    return JSON.parse(data);
-  } catch (e) {
-    throw AttestorError.badRequest(
-      `Invalid JSON in ${key}: ${e.message}`
-    );
-  }
-}
-function getInitialMessagesFromQuery(req) {
-  const url = new URL(req.url, "http://localhost");
-  const messagesB64 = url.searchParams.get("messages");
-  if (!messagesB64?.length) {
-    return [];
-  }
-  const msgsBytes = Buffer.from(messagesB64, "base64");
-  const msgs = RPCMessages.decode(msgsBytes);
-  return msgs.messages;
-}
-export {
-  getAttestorAddress,
-  getInitialMessagesFromQuery,
-  niceParseJsonObject,
-  signAsAttestor
-};