@reclaimprotocol/attestor-core 5.0.3 → 5.0.4

package/lib/server/utils/nitro-attestation.js

@@ -0,0 +1,325 @@
+/**
+ * Working Nitro Attestation validation utilities
+ */
+import { AsnParser } from '@peculiar/asn1-schema';
+import { SubjectPublicKeyInfo } from '@peculiar/asn1-x509';
+import { Crypto } from '@peculiar/webcrypto';
+import { X509Certificate, X509ChainBuilder } from '@peculiar/x509';
+import { sign } from 'cose-js';
+// Helper function to dynamically import cbor-x
+async function getCborDecode() {
+    const { decode } = await import('cbor-x');
+    return decode;
+}
+// AWS Nitro root certificate (from nitrite)
+const AWS_NITRO_ROOT_CERT = `-----BEGIN CERTIFICATE-----
+MIICETCCAZagAwIBAgIRAPkxdWgbkK/hHUbMtOTn+FYwCgYIKoZIzj0EAwMwSTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoMBkFtYXpvbjEMMAoGA1UECwwDQVdTMRswGQYD
+VQQDDBJhd3Mubml0cm8tZW5jbGF2ZXMwHhcNMTkxMDI4MTMyODA1WhcNNDkxMDI4
+MTQyODA1WjBJMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQL
+DANBV1MxGzAZBgNVBAMMEmF3cy5uaXRyby1lbmNsYXZlczB2MBAGByqGSM49AgEG
+BSuBBAAiA2IABPwCVOumCMHzaHDimtqQvkY4MpJzbolL//Zy2YlES1BR5TSksfbb
+48C8WBoyt7F2Bw7eEtaaP+ohG2bnUs990d0JX28TcPQXCEPZ3BABIeTPYwEoCWZE
+h8l5YoQwTcU/9KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkCW1DdkF
+R+eWw5b6cp3PmanfS5YwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2kAMGYC
+MQCjfy+Rocm9Xue4YnwWmNJVA44fA0P5W2OpYow9OYCVRaEevL8uO1XYru5xtMPW
+rfMCMQCi85sWBbJwKKXdS6BptQFuZbT73o/gBh1qUxl/nNr12UO8Yfwr6wPLb+6N
+IwLz3/Y=
+-----END CERTIFICATE-----`;
+// Expected PCR values (replace with actual values)
+// const EXPECTED_PCRS = {
+// 	//0: Buffer.from('000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', 'hex'),
+// }
+//
+// // Secure buffer comparison to prevent timing attacks
+// function secureBufferCompare(a: Buffer, b: Buffer): boolean {
+// 	if(a.length !== b.length) {
+// 		return false
+// 	}
+//
+// 	let result = 0
+// 	for(const [i, element] of a.entries()) {
+// 		result |= element ^ b[i]
+// 	}
+//
+// 	return result === 0
+// }
+// Enhanced certificate chain validation
+async function validateCertificateChain(targetCert, intermediateCerts, rootCert, crypto) {
+    const errors = [];
+    try {
+        // Validate root certificate is self-signed and trusted
+        const rootSubject = rootCert.subject;
+        const rootIssuer = rootCert.issuer;
+        if (rootSubject !== rootIssuer) {
+            errors.push('Root certificate is not self-signed');
+        }
+        // Verify root certificate signature (self-verification)
+        try {
+            const isRootValid = await rootCert.verify(undefined, crypto);
+            if (!isRootValid) {
+                errors.push('Root certificate signature verification failed');
+            }
+        }
+        catch (error) {
+            errors.push(`Root certificate verification failed: ${error.message}`);
+        }
+        // Build the certificate chain
+        const chainBuilder = new X509ChainBuilder({
+            certificates: [rootCert, ...intermediateCerts]
+        });
+        let chain;
+        try {
+            chain = await chainBuilder.build(targetCert, crypto);
+        }
+        catch (error) {
+            errors.push(`Certificate chain building failed: ${error.message}`);
+            return { isValid: false, errors, chain: [] };
+        }
+        if (!chain || chain.length === 0) {
+            errors.push('No valid certificate chain could be built');
+            return { isValid: false, errors, chain: [] };
+        }
+        // Validate each certificate in the chain
+        const now = new Date();
+        for (let i = 0; i < chain.length; i++) {
+            const cert = chain[i];
+            // Check expiration dates
+            if (now < cert.notBefore) {
+                errors.push(`Certificate ${i} (${cert.subject}) is not yet valid`);
+            }
+            if (now > cert.notAfter) {
+                errors.push(`Certificate ${i} (${cert.subject}) has expired`);
+            }
+            // Verify each certificate's signature (except root which is self-signed)
+            if (i < chain.length - 1) {
+                try {
+                    const issuer = chain[i + 1];
+                    const isValid = await cert.verify(issuer, crypto);
+                    // eslint-disable-next-line max-depth
+                    if (!isValid) {
+                        errors.push(`Certificate ${i} signature verification failed`);
+                    }
+                }
+                catch (error) {
+                    errors.push(`Certificate ${i} verification failed: ${error.message}`);
+                }
+            }
+        }
+        return {
+            isValid: errors.length === 0,
+            errors,
+            chain
+        };
+    }
+    catch (error) {
+        errors.push(`Certificate chain validation error: ${error.message}`);
+        return { isValid: false, errors, chain: [] };
+    }
+}
+/**
+ * Extract public key from user_data field in attestation document
+ */
+function extractPublicKeyFromUserData(userDataBuffer) {
+    try {
+        const userDataString = userDataBuffer.toString('utf-8');
+        // Parse new format: "tee_k_public_key:0xETH_ADDRESS" or "tee_t_public_key:0xETH_ADDRESS"
+        const teeKMatch = userDataString.match(/^tee_k_public_key:(0x[0-9a-fA-F]{40})$/);
+        const teeTMatch = userDataString.match(/^tee_t_public_key:(0x[0-9a-fA-F]{40})$/);
+        if (teeKMatch) {
+            return {
+                teeType: 'tee_k',
+                ethAddress: teeKMatch[1], // Store the full ETH address with 0x prefix
+                pcr0: ''
+            };
+        }
+        if (teeTMatch) {
+            return {
+                teeType: 'tee_t',
+                ethAddress: teeTMatch[1], // Store the full ETH address with 0x prefix
+                pcr0: ''
+            };
+        }
+        return null;
+    }
+    catch (error) {
+        return null;
+    }
+}
+/**
+ * Working validation function copied from nitroattestor
+ */
+export async function validateNitroAttestationAndExtractKey(attestationBytes) {
+    const errors = [];
+    const warnings = [];
+    try {
+        // Set up WebCrypto
+        const crypto = new Crypto();
+        // Decode CBOR - use exact same approach as working nitroattestor
+        const decode = await getCborDecode();
+        let decoded;
+        try {
+            decoded = decode(Buffer.from(attestationBytes));
+        }
+        catch (error) {
+            errors.push(`CBOR decoding failed: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Extract COSE_Sign1 structure
+        if (!Array.isArray(decoded) || decoded.length < 4) {
+            errors.push('Invalid COSE_Sign1 structure: expected array with 4 elements');
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        const [, , payload] = decoded;
+        // Validate payload exists and is not empty
+        if (!payload || payload.length === 0) {
+            errors.push('Empty or missing payload in COSE_Sign1 structure');
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Decode payload - use exact same approach as working code
+        let doc;
+        try {
+            doc = decode(payload);
+        }
+        catch (error) {
+            errors.push(`Payload decoding failed: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Validate mandatory fields with strict type checking
+        if (doc.module_id.length === 0) {
+            errors.push('Missing or invalid module_id');
+        }
+        if (doc.digest.length === 0) {
+            errors.push('Missing or invalid digest');
+        }
+        if (!doc.pcrs || typeof doc.pcrs !== 'object') {
+            errors.push('Missing or invalid pcrs');
+        }
+        if (!Buffer.isBuffer(doc.certificate) || doc.certificate.length === 0) {
+            errors.push('Missing or invalid certificate');
+        }
+        if (!Array.isArray(doc.cabundle) || doc.cabundle.length === 0) {
+            errors.push('Missing or invalid cabundle');
+        }
+        // Early return if basic validation fails
+        if (errors.length > 0) {
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        const pcr0 = doc.pcrs[0].toString('hex');
+        // Validate PCRs with secure comparison
+        // for(const [index, expected] of Object.entries(EXPECTED_PCRS)) {
+        // 	const pcrIndex = parseInt(index)
+        // 	const actualPcr = doc.pcrs[pcrIndex]
+        //
+        // 	if(!Buffer.isBuffer(actualPcr)) {
+        // 		errors.push(`PCR${index} is not a Buffer`)
+        // 		continue
+        // 	}
+        //
+        // 	if(!secureBufferCompare(expected, actualPcr)) {
+        // 		errors.push(`PCR${index} mismatch`)
+        // 	}
+        // }
+        // Parse certificates with better error handling
+        const intermediateCerts = [];
+        for (let i = 0; i < doc.cabundle.length; i++) {
+            try {
+                const cert = new X509Certificate(doc.cabundle[i].toString('base64'));
+                intermediateCerts.push(cert);
+            }
+            catch (error) {
+                errors.push(`Failed to parse cabundle certificate ${i}: ${error.message}`);
+            }
+        }
+        // Parse target certificate
+        let targetCert;
+        try {
+            targetCert = new X509Certificate(doc.certificate.toString('base64'));
+        }
+        catch (error) {
+            errors.push(`Failed to parse target certificate: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Parse root certificate
+        let rootCert;
+        try {
+            rootCert = new X509Certificate(AWS_NITRO_ROOT_CERT);
+        }
+        catch (error) {
+            errors.push(`Failed to parse AWS Nitro root certificate: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Enhanced certificate chain validation
+        const chainResult = await validateCertificateChain(targetCert, intermediateCerts, rootCert, crypto);
+        if (!chainResult.isValid) {
+            errors.push(...chainResult.errors);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Parse and validate public key
+        let publicKeyRaw;
+        try {
+            publicKeyRaw = Buffer.from(targetCert.publicKey.rawData);
+        }
+        catch (error) {
+            errors.push(`Failed to extract public key: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Validate public key format (P-384 ECDSA)
+        if (publicKeyRaw.length !== 120 || publicKeyRaw[0] !== 0x30) {
+            errors.push(`Invalid public key format: expected 120-byte DER-encoded key, got ${publicKeyRaw.length} bytes`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        let spki;
+        try {
+            spki = AsnParser.parse(publicKeyRaw, SubjectPublicKeyInfo);
+        }
+        catch (error) {
+            errors.push(`Failed to parse SubjectPublicKeyInfo: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        const ecPoint = Buffer.from(spki.subjectPublicKey);
+        if (ecPoint.length !== 97 || ecPoint[0] !== 0x04) {
+            errors.push('Invalid EC point: expected 97-byte uncompressed P-384 key');
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        const x = ecPoint.subarray(1, 49); // 48-byte x coordinate
+        const y = ecPoint.subarray(49, 97); // 48-byte y coordinate
+        // Validate ECDSA signature using cose-js
+        try {
+            const verifier = {
+                key: {
+                    x: x,
+                    y: y,
+                },
+            };
+            const options = { defaultType: 18 }; // cose.sign.Sign1Tag
+            await sign.verify(Buffer.from(attestationBytes), verifier, options);
+        }
+        catch (error) {
+            errors.push(`COSE signature verification failed: ${error.message}`);
+            return { isValid: false, errors, warnings, pcr0: '' };
+        }
+        // Extract public key from user_data if present
+        let userDataType;
+        let ethAddress;
+        if (doc.user_data) {
+            const keyInfo = extractPublicKeyFromUserData(doc.user_data);
+            if (keyInfo) {
+                userDataType = keyInfo.teeType;
+                ethAddress = keyInfo.ethAddress;
+            }
+        }
+        return {
+            isValid: errors.length === 0,
+            errors,
+            warnings,
+            userDataType,
+            ethAddress,
+            pcr0: pcr0
+        };
+    }
+    catch (error) {
+        errors.push(`Unexpected error during validation: ${error.message}`);
+        return { isValid: false, errors, warnings, pcr0: '' };
+    }
+}

package/lib/server/utils/process-handshake.js

@@ -0,0 +1,215 @@
+import { concatenateUint8Arrays, getSignatureDataTls12, getSignatureDataTls13, PACKET_TYPE, parseCertificates, parseClientHello, parseServerCertificateVerify, parseServerHello, processServerKeyShare, SUPPORTED_RECORD_TYPE_MAP, uint8ArrayToDataView, verifyCertificateChain, verifyCertificateSignature } from '@reclaimprotocol/tls';
+import { TranscriptMessageSenderType } from "../../proto/api.js";
+import { decryptDirect } from "../../utils/index.js";
+const RECORD_LENGTH_BYTES = 3;
+/**
+ * Verifies server cert chain and removes handshake messages from transcript
+ * @param receipt
+ * @param logger
+ */
+export async function processHandshake(receipt, logger) {
+    const certificates = [];
+    const handshakeRawMessages = [];
+    let currentPacketIdx = 0;
+    let cipherSuite = undefined;
+    let tlsVersion = undefined;
+    let serverRandom = undefined;
+    let clientRandom = undefined;
+    let serverFinishedIdx = -1;
+    let clientFinishedIdx = -1;
+    let certVerified = false;
+    let certVerifyHandled = false;
+    let hostname = undefined;
+    let clientChangeCipherSpecMsgIdx = -1;
+    let serverChangeCipherSpecMsgIdx = -1;
+    let incompletePkt = undefined;
+    while (serverFinishedIdx < 0 || clientFinishedIdx < 0) {
+        const packetIdx = currentPacketIdx++;
+        if (packetIdx >= receipt.length) {
+            throw new Error('Receipt over but server finish: ' + serverFinishedIdx
+                + ', client finish: ' + clientFinishedIdx);
+        }
+        const { message, reveal, sender } = receipt[packetIdx];
+        // skip change cipher spec message
+        if (message[0] === PACKET_TYPE['CHANGE_CIPHER_SPEC']) {
+            if (sender === TranscriptMessageSenderType
+                .TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
+                clientChangeCipherSpecMsgIdx = packetIdx;
+                logger.trace('found client change cipher spec message');
+            }
+            else {
+                serverChangeCipherSpecMsgIdx = packetIdx;
+                logger.trace('found server change cipher spec message');
+            }
+            continue;
+        }
+        let plaintext = getWithoutHeader(message);
+        if (!plaintext) {
+            throw new Error('incomplete TLS record encountered');
+        }
+        if (
+        // decrypt if wrapped record or after change cipher spec message,
+        // after which records are encrypted
+        message[0] === PACKET_TYPE['WRAPPED_RECORD']
+            || (serverChangeCipherSpecMsgIdx > 0
+                && sender === TranscriptMessageSenderType
+                    .TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER)
+            || (clientChangeCipherSpecMsgIdx > 0
+                && sender === TranscriptMessageSenderType
+                    .TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT)) { // encrypted
+            if (!tlsVersion || !cipherSuite) {
+                throw new Error('Could not find cipherSuite to use & got enc record');
+            }
+            if (!reveal?.directReveal?.key) {
+                throw new Error('no direct reveal for handshake packet: ' + packetIdx);
+            }
+            const recordHeader = message.slice(0, 5);
+            ({ plaintext } = await decryptDirect(reveal?.directReveal, cipherSuite, recordHeader, tlsVersion, plaintext));
+            if (tlsVersion === 'TLS1_3') {
+                plaintext = plaintext.slice(0, -1);
+            }
+        }
+        if (incompletePkt) {
+            const incSender = receipt[incompletePkt.packetIdx].sender;
+            if (incSender !== sender) {
+                throw new Error('Missing follow up to incomplete packet at idx: '
+                    + incompletePkt.packetIdx);
+            }
+            plaintext = concatenateUint8Arrays([
+                incompletePkt.remainingBytes,
+                plaintext
+            ]);
+            incompletePkt = undefined;
+        }
+        const handshakeMessages = [];
+        // each handshake packet may contain multiple handshake messages
+        for (let offset = 0; offset < plaintext.length;) {
+            const type = plaintext[offset];
+            // +1 for the record type byte
+            const content = readWithLength(plaintext.slice(offset + 1), RECORD_LENGTH_BYTES);
+            if (!content) {
+                incompletePkt = {
+                    remainingBytes: plaintext.slice(offset),
+                    packetIdx,
+                };
+                break;
+            }
+            handshakeMessages.push({
+                type,
+                content,
+                contentWithHeader: plaintext.slice(offset, offset + 1 + RECORD_LENGTH_BYTES + content.length),
+                packetIdx,
+            });
+            offset += 1 + RECORD_LENGTH_BYTES + content.length;
+        }
+        for (const msg of handshakeMessages) {
+            await processHandshakeMessage(msg);
+            handshakeRawMessages.push(msg.contentWithHeader);
+        }
+    }
+    if (!certVerified) {
+        throw new Error('No provider certificates received');
+    }
+    if (tlsVersion === 'TLS1_3' && serverFinishedIdx < 0) {
+        throw new Error('server finished message not found');
+    }
+    if (tlsVersion === 'TLS1_3' && !certVerifyHandled) {
+        throw new Error('TLS1.3 cert verify packet not received');
+    }
+    if (tlsVersion === 'TLS1_2' && (serverChangeCipherSpecMsgIdx < 0 || clientChangeCipherSpecMsgIdx < 0)) {
+        throw new Error('change cipher spec message not found');
+    }
+    const nextMsgIndex = Math.max(serverFinishedIdx, clientFinishedIdx) + 1;
+    return {
+        tlsVersion: tlsVersion,
+        cipherSuite: cipherSuite,
+        hostname: hostname,
+        nextMsgIndex,
+    };
+    async function processHandshakeMessage({ type, content, contentWithHeader, packetIdx }) {
+        switch (type) {
+            case SUPPORTED_RECORD_TYPE_MAP.CLIENT_HELLO:
+                const clientHello = parseClientHello(contentWithHeader);
+                clientRandom = clientHello.serverRandom;
+                const { SERVER_NAME: sni } = clientHello.extensions;
+                hostname = sni?.serverName;
+                if (!hostname) {
+                    throw new Error('client hello has no SNI');
+                }
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.SERVER_HELLO:
+                const serverHello = await parseServerHello(content);
+                cipherSuite = serverHello.cipherSuite;
+                tlsVersion = serverHello.serverTlsVersion;
+                serverRandom = serverHello.serverRandom;
+                logger.info({ serverTLSVersion: tlsVersion, cipherSuite }, 'extracted server hello params');
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE:
+                const parseResult = parseCertificates(content, { version: tlsVersion });
+                certificates.push(...parseResult.certificates);
+                await verifyCertificateChain(certificates, hostname, logger);
+                logger.info({ hostname }, 'verified provider certificate chain');
+                certVerified = true;
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.CERTIFICATE_VERIFY:
+                const signature = parseServerCertificateVerify(content);
+                if (!certificates?.length) {
+                    throw new Error('No provider certificates received');
+                }
+                const signatureData = await getSignatureDataTls13(handshakeRawMessages, cipherSuite);
+                await verifyCertificateSignature({
+                    ...signature,
+                    publicKey: certificates[0].getPublicKey(),
+                    signatureData,
+                });
+                certVerifyHandled = true;
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.SERVER_KEY_SHARE:
+                if (!certificates?.length) {
+                    throw new Error('No provider certificates received');
+                }
+                const keyShare = await processServerKeyShare(content);
+                const signatureData12 = await getSignatureDataTls12({
+                    clientRandom: clientRandom,
+                    serverRandom: serverRandom,
+                    curveType: keyShare.publicKeyType,
+                    publicKey: keyShare.publicKey,
+                });
+                // verify signature
+                await verifyCertificateSignature({
+                    signature: keyShare.signatureBytes,
+                    algorithm: keyShare.signatureAlgorithm,
+                    publicKey: certificates[0].getPublicKey(),
+                    signatureData: signatureData12,
+                    publicKeyType: keyShare.publicKeyType
+                });
+                await verifyCertificateChain(certificates, hostname, logger);
+                logger.info({ hostname }, 'verified provider certificate chain');
+                certVerified = true;
+                break;
+            case SUPPORTED_RECORD_TYPE_MAP.FINISHED:
+                const packet = receipt[packetIdx];
+                if (packet.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT) {
+                    clientFinishedIdx = packetIdx;
+                }
+                else {
+                    serverFinishedIdx = packetIdx;
+                }
+                break;
+        }
+    }
+}
+function getWithoutHeader(message) {
+    // strip the record header (xx 03 03 xx xx)
+    return readWithLength(message.slice(3), 2);
+}
+function readWithLength(data, lengthBytes = 2) {
+    const dataView = uint8ArrayToDataView(data);
+    const length = lengthBytes === 1
+        ? dataView.getUint8(0)
+        : dataView.getUint16(lengthBytes === 3 ? 1 : 0);
+    if (data.length < lengthBytes + length) {
+        return undefined;
+    }
+    return data.slice(lengthBytes, lengthBytes + length);
+}

package/lib/server/utils/proxy-session.js

@@ -0,0 +1,6 @@
+export function isValidProxySessionId(sessionId) {
+    return typeof sessionId === 'string'
+        && sessionId.length >= 8
+        && sessionId.length < 15
+        && /^[a-z0-9]+$/.test(sessionId);
+}

package/lib/server/utils/tee-oprf-mpc-verification.js

@@ -0,0 +1,90 @@
+/**
+ * TEE OPRF MPC Verification
+ * Verifies OPRF MPC outputs from TEE_K and TEE_T match
+ *
+ * Unlike ZK OPRF which requires proof verification, OPRF MPC outputs
+ * are already trusted because they are included in TEE-signed payloads.
+ * This module verifies that both TEEs computed identical outputs.
+ */
+import { AttestorError } from "../../utils/error.js";
+/**
+ * Verifies OPRF MPC outputs from TEE_K and TEE_T match
+ * Returns verified outputs for transcript replacement (same format as ZK OPRF)
+ */
+export function verifyOprfMpcOutputs(kPayload, tPayload, logger) {
+    const kOutputs = kPayload.oprfOutputs || [];
+    const tOutputs = tPayload.oprfOutputs || [];
+    // Empty is valid - no OPRF MPC was requested
+    if (kOutputs.length === 0 && tOutputs.length === 0) {
+        logger.debug('No OPRF MPC outputs to verify');
+        return [];
+    }
+    // Count must match between TEE_K and TEE_T
+    if (kOutputs.length !== tOutputs.length) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC count mismatch: TEE_K has ${kOutputs.length}, TEE_T has ${tOutputs.length}`);
+    }
+    logger.info(`Verifying ${kOutputs.length} OPRF MPC outputs`);
+    const results = [];
+    for (const [i, kOut] of kOutputs.entries()) {
+        const tOut = tOutputs[i];
+        // Validate position bounds (must be non-negative)
+        if (kOut.tlsStart < 0 || tOut.tlsStart < 0) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC invalid position at index ${i}: negative start position`);
+        }
+        // Validate length constraints (must be positive and <= 64 bytes, matching TEE validation)
+        if (kOut.tlsLength <= 0 || kOut.tlsLength > 64 || tOut.tlsLength <= 0 || tOut.tlsLength > 64) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC invalid length at index ${i}: must be 1-64 bytes ` +
+                `(TEE_K: ${kOut.tlsLength}, TEE_T: ${tOut.tlsLength})`);
+        }
+        // Validate hash output size (must be exactly 32 bytes for SHA256)
+        if (kOut.hashOutput.length !== 32 || tOut.hashOutput.length !== 32) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC invalid hash size at index ${i}: expected 32 bytes ` +
+                `(TEE_K: ${kOut.hashOutput.length}, TEE_T: ${tOut.hashOutput.length})`);
+        }
+        // Verify positions match
+        if (kOut.tlsStart !== tOut.tlsStart || kOut.tlsLength !== tOut.tlsLength) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC position mismatch at index ${i}: ` +
+                `TEE_K [${kOut.tlsStart}:${kOut.tlsStart + kOut.tlsLength}] vs ` +
+                `TEE_T [${tOut.tlsStart}:${tOut.tlsStart + tOut.tlsLength}]`);
+        }
+        // Verify hash outputs match (hash = SHA256(CMAC), so this implies CMAC matched too)
+        if (!buffersEqual(kOut.hashOutput, tOut.hashOutput)) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF MPC hash mismatch at index ${i}: outputs differ between TEE_K and TEE_T`);
+        }
+        // Log the actual output data for debugging
+        const hashOutputHex = Buffer.from(kOut.hashOutput).toString('hex');
+        const hashOutputBase64 = Buffer.from(kOut.hashOutput).toString('base64');
+        logger.info({
+            index: i,
+            position: kOut.tlsStart,
+            length: kOut.tlsLength,
+            hashOutputLen: kOut.hashOutput.length,
+            hashOutputHex: hashOutputHex.substring(0, 32) + '...',
+            hashOutputBase64Preview: hashOutputBase64.substring(0, 20) + '...'
+        }, 'OPRF MPC output verified');
+        // Return in same format as ZK OPRF for unified replacement
+        // MPC OPRF uses full hash length (not truncated like TOPRF)
+        results.push({
+            position: kOut.tlsStart,
+            length: kOut.tlsLength,
+            output: new Uint8Array(kOut.hashOutput), // Use SHA256(CMAC) as the replacement value
+            isMPC: true
+        });
+    }
+    logger.info(`Successfully verified ${results.length} OPRF MPC outputs`);
+    return results;
+}
+/**
+ * Compare two Uint8Array buffers for equality
+ */
+function buffersEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    for (const [i, element] of a.entries()) {
+        if (element !== b[i]) {
+            return false;
+        }
+    }
+    return true;
+}