@reclaimprotocol/attestor-core 5.0.3 → 5.0.4

package/lib/client/tunnels/make-rpc-tls-tunnel.js

@@ -0,0 +1,131 @@
+import { concatenateUint8Arrays, makeTLSClient } from '@reclaimprotocol/tls';
+import { makeRpcTcpTunnel } from "./make-rpc-tcp-tunnel.js";
+import { DEFAULT_HTTPS_PORT } from "../../config/index.js";
+import { generateRpcMessageId, generateTunnelId } from "../../utils/index.js";
+/**
+ * Makes a TLS tunnel that connects to the server via RPC protocol
+ */
+export const makeRpcTlsTunnel = async ({ onMessage, onClose, tlsOpts, request, connect, logger }) => {
+    const transcript = [];
+    const tunnelId = request.id || generateTunnelId();
+    let tunnel;
+    let client;
+    let handshakeResolve;
+    let handshakeReject;
+    const waitForHandshake = new Promise((resolve, reject) => {
+        handshakeResolve = resolve;
+        handshakeReject = reject;
+    });
+    const tls = makeTLSClient({
+        host: request.host,
+        ...tlsOpts,
+        logger,
+        onHandshake() {
+            handshakeResolve?.();
+        },
+        onApplicationData(plaintext) {
+            return onMessage?.(plaintext);
+        },
+        onTlsEnd: onConnectionClose,
+        async write(packet, ctx) {
+            const message = concatenateUint8Arrays([
+                packet.header,
+                packet.content
+            ]);
+            transcript.push({
+                sender: 'client',
+                message: { ...ctx, data: message }
+            });
+            if (!tunnel) {
+                // sends the packet as the initial message
+                // to the plaintext tunnel. Prevents another
+                // round trip to the server as we send the packet
+                // in the same message as the tunnel creation.
+                const createTunnelReqId = generateRpcMessageId();
+                client = connect([
+                    {
+                        id: createTunnelReqId,
+                        createTunnelRequest: {
+                            host: request.host || '',
+                            port: request.port || DEFAULT_HTTPS_PORT,
+                            geoLocation: request.geoLocation || '',
+                            proxySessionId: request.proxySessionId || '',
+                            id: tunnelId
+                        },
+                    },
+                    { tunnelMessage: { tunnelId, message } }
+                ]);
+                try {
+                    await makeTunnel();
+                    // wait for tunnel to be successfully created
+                    await client.waitForResponse(createTunnelReqId);
+                }
+                catch (err) {
+                    onConnectionClose(err);
+                }
+                return;
+            }
+            return tunnel.write(message);
+        },
+        onRead(packet, ctx) {
+            transcript.push({
+                sender: 'server',
+                message: {
+                    ...ctx,
+                    data: concatenateUint8Arrays([
+                        packet.header,
+                        // the TLS package sends us the decrypted
+                        // content, so we need to get the orginal
+                        // ciphertext received from the server
+                        // as that's part of the true transcript.
+                        ctx.type === 'ciphertext'
+                            ? ctx.ciphertext
+                            : packet.content
+                    ])
+                }
+            });
+        },
+    });
+    await tls.startHandshake();
+    // wait for handshake completion
+    await waitForHandshake;
+    handshakeResolve = handshakeReject = undefined;
+    return {
+        transcript,
+        tls,
+        write(data) {
+            return tls.write(data);
+        },
+        async close(err) {
+            onConnectionClose(err);
+            try {
+                await tunnel.close(err);
+            }
+            catch (err) {
+                logger?.error({ err }, 'err in close tunnel');
+            }
+        },
+    };
+    function onConnectionClose(err) {
+        onClose?.(err);
+        // once the TLS connection is closed, we no longer
+        // want to send `onClose` events back to the caller
+        // of this function.
+        onClose = undefined;
+        handshakeReject?.(err || new Error('TLS connection closed'));
+    }
+    async function makeTunnel() {
+        tunnel = await makeRpcTcpTunnel({
+            tunnelId,
+            client: client,
+            onMessage(data) {
+                tls.handleReceivedBytes(data);
+            },
+            onClose(err) {
+                tls.end(err);
+            },
+        });
+        logger?.debug('plaintext tunnel created');
+        return tunnel;
+    }
+};

package/lib/client/utils/attestor-pool.js

@@ -0,0 +1,25 @@
+import { AttestorClient } from "./client-socket.js";
+const POOL = {};
+/**
+ * Get a attestor client from the pool,
+ * if it doesn't exist, create one.
+ * @param [getCreateOpts] - Function to get the options for creating a new client.
+ *  called synchronously, in the same tick as this function.
+ */
+export function getAttestorClientFromPool(url, getCreateOpts = () => ({})) {
+    const key = url.toString();
+    let client = POOL[key];
+    let createReason;
+    if (client?.isClosed) {
+        createReason = 'closed';
+    }
+    else if (!client) {
+        createReason = 'non-existent';
+    }
+    if (createReason) {
+        const createOpts = getCreateOpts();
+        createOpts?.logger?.info({ key, createReason }, 'creating new client');
+        client = (POOL[key] = new AttestorClient({ ...createOpts, url }));
+    }
+    return client;
+}

package/lib/client/utils/client-socket.js

@@ -0,0 +1,98 @@
+import { utils } from 'ethers';
+import { DEFAULT_METADATA, DEFAULT_RPC_TIMEOUT_MS } from "../../config/index.js";
+import { RPCMessages } from "../../proto/api.js";
+import { AttestorError, generateRpcMessageId, getRpcRequestType, logger as LOGGER, packRpcMessages } from "../../utils/index.js";
+import { AttestorSocket } from "../../utils/socket-base.js";
+import { makeWebSocket as defaultMakeWebSocket } from "../../utils/ws.js";
+const { base64 } = utils;
+export class AttestorClient extends AttestorSocket {
+    waitForInitPromise;
+    initResponse;
+    constructor({ url, initMessages = [], signatureType = DEFAULT_METADATA.signatureType, logger = LOGGER, authRequest, makeWebSocket = defaultMakeWebSocket }) {
+        const initRequest = {
+            ...DEFAULT_METADATA,
+            signatureType,
+            auth: authRequest
+        };
+        const msg = packRpcMessages({ initRequest }, ...initMessages);
+        const initRequestBytes = RPCMessages.encode(msg).finish();
+        const initRequestB64 = base64.encode(initRequestBytes);
+        url = new URL(url.toString());
+        url.searchParams.set('messages', initRequestB64);
+        super(makeWebSocket(url), initRequest, logger);
+        const initReqId = msg.messages[0].id;
+        this.waitForInitPromise = this
+            .waitForResponse(initReqId, DEFAULT_RPC_TIMEOUT_MS)
+            .then(res => {
+            logger.info('client initialised');
+            this.isInitialised = true;
+            this.initResponse = res;
+        });
+        // swallow the error if anything bad happens, and we've no
+        // catch block to handle it
+        this.waitForInitPromise
+            .catch(() => { });
+        this.addEventListener('connection-terminated', ev => (logger.info({ err: ev.data }, 'connection terminated')));
+    }
+    async rpc(type, request, timeoutMs = DEFAULT_RPC_TIMEOUT_MS) {
+        const msgId = generateRpcMessageId();
+        this.logger.debug({ type, id: msgId }, 'sending rpc request');
+        const now = Date.now();
+        try {
+            const rslt = this.waitForResponse(msgId, timeoutMs);
+            await this.sendMessage({ id: msgId, [getRpcRequestType(type)]: request });
+            return await rslt;
+        }
+        finally {
+            const timeTakenMs = Date.now() - now;
+            this.logger.debug({ type, timeTakenMs }, 'received rpc response');
+        }
+    }
+    waitForResponse(id, timeoutMs = DEFAULT_RPC_TIMEOUT_MS) {
+        if (this.isClosed) {
+            throw new AttestorError('ERROR_NETWORK_ERROR', 'Client connection already closed');
+        }
+        // setup a promise to wait for the response
+        return new Promise((resolve, reject) => {
+            const handler = (event) => {
+                if (event.data.id !== id) {
+                    return;
+                }
+                removeHandlers();
+                if ('error' in event.data) {
+                    reject(event.data.error);
+                    return;
+                }
+                // @ts-expect-error
+                resolve(event.data.data);
+            };
+            const terminateHandler = (event) => {
+                removeHandlers();
+                // if the connection was terminated, reject the promise
+                // but update the error code to reflect the network error
+                if (event.data.code === 'ERROR_NO_ERROR') {
+                    reject(new AttestorError('ERROR_NETWORK_ERROR', event.data.message, event.data.data));
+                    return;
+                }
+                reject(event.data);
+            };
+            const timeout = setTimeout(() => {
+                removeHandlers();
+                reject(new AttestorError('ERROR_TIMEOUT', `RPC request timed out after ${timeoutMs}ms`, { id }));
+            }, timeoutMs);
+            const removeHandlers = () => {
+                clearTimeout(timeout);
+                this.removeEventListener('rpc-response', handler);
+                this.removeEventListener('connection-terminated', terminateHandler);
+            };
+            this.addEventListener('rpc-response', handler);
+            this.addEventListener('connection-terminated', terminateHandler);
+        });
+    }
+    waitForInit = () => {
+        if (this.isClosed) {
+            throw new AttestorError('ERROR_NETWORK_ERROR', 'Client connection already closed');
+        }
+        return this.waitForInitPromise;
+    };
+}

package/lib/client/utils/message-handler.js

@@ -0,0 +1,87 @@
+import { RPCMessages } from "../../proto/api.js";
+import { AttestorError, extractArrayBufferFromWsData, getRpcRequest, getRpcRequestType, getRpcResponseType } from "../../utils/index.js";
+export async function wsMessageHandler(data) {
+    // extract array buffer from WS data & decode proto
+    const buff = await extractArrayBufferFromWsData(data);
+    const { messages } = RPCMessages.decode(buff);
+    for (const msg of messages) {
+        await handleMessage.call(this, msg);
+    }
+}
+export function handleMessage(msg) {
+    this.logger?.trace({ msg }, 'received message');
+    // handle connection termination alert
+    if (msg.connectionTerminationAlert) {
+        const err = AttestorError.fromProto(msg.connectionTerminationAlert);
+        this.logger?.warn({
+            err: err.code !== 'ERROR_NO_ERROR'
+                ? err
+                : undefined
+        }, 'received connection termination alert');
+        this.dispatchRPCEvent('connection-terminated', err);
+        return;
+    }
+    const rpcRequest = getRpcRequest(msg);
+    if (rpcRequest) {
+        if (rpcRequest.direction === 'response'
+            && rpcRequest.type === 'error') {
+            this.dispatchRPCEvent('rpc-response', {
+                id: msg.id,
+                error: AttestorError.fromProto(msg.requestError)
+            });
+            return;
+        }
+        const resType = getRpcResponseType(rpcRequest.type);
+        if (rpcRequest.direction === 'response') {
+            this.dispatchRPCEvent('rpc-response', {
+                id: msg.id,
+                type: rpcRequest.type,
+                data: msg[resType]
+            });
+            return;
+        }
+        if (!this.isInitialised && rpcRequest.type !== 'init') {
+            this.logger.warn({ type: rpcRequest.type }, 'RPC request received before initialisation');
+            void this.sendMessage({
+                id: msg.id,
+                requestError: AttestorError
+                    .badRequest('Initialise connection first')
+                    .toProto()
+            });
+            return;
+        }
+        return new Promise((resolve, reject) => {
+            this.dispatchRPCEvent('rpc-request', {
+                requestId: msg.id,
+                type: rpcRequest.type,
+                data: msg[getRpcRequestType(rpcRequest.type)],
+                respond: (res) => {
+                    if (!this.isOpen) {
+                        this.logger?.debug({ type: rpcRequest.type, res }, 'connection closed before responding');
+                        reject(new Error('connection closed'));
+                        return;
+                    }
+                    if ('code' in res) {
+                        reject(res);
+                        return this.sendMessage({
+                            id: msg.id,
+                            requestError: res.toProto()
+                        });
+                    }
+                    resolve();
+                    return this
+                        .sendMessage({ id: msg.id, [resType]: res });
+                },
+            });
+        });
+    }
+    if (msg.tunnelMessage) {
+        this.dispatchRPCEvent('tunnel-message', msg.tunnelMessage);
+        return;
+    }
+    if (msg.tunnelDisconnectEvent) {
+        this.dispatchRPCEvent('tunnel-disconnect-event', msg.tunnelDisconnectEvent);
+        return;
+    }
+    this.logger.warn({ msg }, 'unhandled message');
+}

package/lib/config/index.d.ts

@@ -10,10 +10,10 @@ export declare const API_SERVER_PORT = 8001;
 export declare const CONNECTION_TIMEOUT_MS = 10000;
 export declare const DNS_SERVERS: string[];
 export declare const MAX_CLAIM_TIMESTAMP_DIFF_S: number;
-export declare const CURRENT_ATTESTOR_VERSION: 5;
+export declare const CURRENT_ATTESTOR_VERSION: 6;
 export declare const DEFAULT_METADATA: InitRequest;
 export declare const PROVIDER_CTX: {
-    version: 5;
+    version: 6;
 };
 export declare const PING_INTERVAL_MS = 10000;
 /**

package/lib/config/index.js

@@ -0,0 +1,44 @@
+import { AttestorVersion, ServiceSignatureType } from "../proto/api.js";
+export const DEFAULT_ZK_CONCURRENCY = 10;
+export const RECLAIM_USER_AGENT = 'reclaim/0.0.1';
+export const DEFAULT_HTTPS_PORT = 443;
+export const WS_PATHNAME = '/ws';
+export const BROWSER_RPC_PATHNAME = '/browser-rpc';
+export const ATTESTOR_ADDRESS_PATHNAME = '/address';
+export const DEFAULT_REMOTE_FILE_FETCH_BASE_URL = `${BROWSER_RPC_PATHNAME}/resources`;
+export const API_SERVER_PORT = 8001;
+// 10s
+export const CONNECTION_TIMEOUT_MS = 10_000;
+export const DNS_SERVERS = [
+    '8.8.8.8',
+    '8.8.4.4'
+];
+// 10m
+export const MAX_CLAIM_TIMESTAMP_DIFF_S = 10 * 60;
+export const CURRENT_ATTESTOR_VERSION = AttestorVersion.ATTESTOR_VERSION_3_0_0;
+export const DEFAULT_METADATA = {
+    signatureType: ServiceSignatureType.SERVICE_SIGNATURE_TYPE_ETH,
+    clientVersion: CURRENT_ATTESTOR_VERSION,
+    auth: undefined
+};
+export const PROVIDER_CTX = { version: CURRENT_ATTESTOR_VERSION };
+export const PING_INTERVAL_MS = 10_000;
+/**
+ * Maximum interval in seconds to wait for before assuming
+ * the connection is dead
+ * @default 30s
+ */
+export const MAX_NO_DATA_INTERVAL_MS = 30_000;
+export const MAX_PAYLOAD_SIZE = 512 * 1024 * 1024; // 512MB
+export const DEFAULT_AUTH_EXPIRY_S = 15 * 60; // 15m
+export const DEFAULT_RPC_TIMEOUT_MS = 90_000;
+export const TOPRF_DOMAIN_SEPARATOR = 'reclaim-toprf';
+export const MAX_CERT_SIZE_BYTES = 10 * 1024 * 1024 * 1024; // 10MB
+export const CERT_ALLOWED_MIMETYPES = [
+    'application/x-x509-ca-cert',
+    'application/x-x509-user-cert',
+    'application/pkix-cert',
+    'application/pkcs7-mime',
+    'application/octet-stream'
+];
+export const BGP_WS_URL = 'wss://ris-live.ripe.net/v1/ws/?client=reclaim-hijack-detector';

package/lib/external-rpc/benchmark.js

@@ -0,0 +1,69 @@
+import { crypto, encryptWrappedRecord, SUPPORTED_CIPHER_SUITE_MAP } from '@reclaimprotocol/tls';
+import { strToUint8Array } from "../utils/generics.js";
+import { logger } from "../utils/logger.js";
+import { makeZkProofGenerator } from "../utils/zk.js";
+const ZK_CIPHER_SUITES = [
+    'TLS_CHACHA20_POLY1305_SHA256',
+    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+    'TLS_AES_128_GCM_SHA256'
+];
+export async function benchmark() {
+    let benchmarkRes = '';
+    for (const cipherSuite of ZK_CIPHER_SUITES) {
+        const now = Date.now();
+        const alg = cipherSuite.includes('CHACHA20')
+            ? 'CHACHA20-POLY1305'
+            : (cipherSuite.includes('AES_256_GCM')
+                ? 'AES-256-GCM'
+                : 'AES-128-GCM');
+        const keylength = alg === 'AES-128-GCM' ? 16 : 32;
+        const key = Buffer.alloc(keylength, 0);
+        const { ivLength: fixedIvLength, } = SUPPORTED_CIPHER_SUITE_MAP[cipherSuite];
+        const fixedIv = Buffer.alloc(fixedIvLength, 0);
+        const encKey = await crypto.importKey(alg, key);
+        const vectors = [
+            {
+                plaintext: 'My cool API secret is "my name jeff". Please don\'t reveal it'
+            }
+        ];
+        const proofGenerator = await makeZkProofGenerator({
+            logger,
+            cipherSuite,
+        });
+        for (const { plaintext } of vectors) {
+            const plaintextArr = strToUint8Array(plaintext);
+            const { ciphertext, iv } = await encryptWrappedRecord(plaintextArr, {
+                key: encKey,
+                iv: fixedIv,
+                recordNumber: 0,
+                recordHeaderOpts: {
+                    type: 'WRAPPED_RECORD'
+                },
+                cipherSuite,
+                version: cipherSuite.includes('ECDHE_')
+                    ? 'TLS1_2'
+                    : 'TLS1_3',
+            });
+            const packet = {
+                type: 'ciphertext',
+                encKey,
+                iv,
+                recordNumber: 0,
+                plaintext: plaintextArr,
+                ciphertext,
+                fixedIv: new Uint8Array(0),
+                data: ciphertext
+            };
+            await proofGenerator.addPacketToProve(packet, {
+                type: 'zk',
+                redactedPlaintext: plaintextArr,
+            }, () => { }, () => {
+                throw new Error('should not be called in benchmark');
+            });
+            await proofGenerator.generateProofs();
+        }
+        benchmarkRes = benchmarkRes + `Benchmark ${alg} ok. Took ${Date.now() - now} ms \n`;
+    }
+    logger.info(benchmarkRes);
+    return benchmarkRes;
+}

package/lib/external-rpc/event-bus.js

@@ -0,0 +1,14 @@
+export class EventBus {
+    #listeners = [];
+    addListener(fn) {
+        this.#listeners.push(fn);
+        return () => {
+            this.#listeners = this.#listeners.filter(l => l !== fn);
+        };
+    }
+    dispatch(data) {
+        for (const listener of this.#listeners) {
+            listener(data);
+        }
+    }
+}