@reclaimprotocol/js-sdk 5.4.1 → 5.4.2-dev.0
- package/dist/index.d.ts +406 -9
- package/dist/index.js +156 -56
- package/dist/index.js.map +1 -1
- package/package.json +13 -2
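--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -84,10 +84,20 @@ var require_package = __commonJS({
 "package.json"(exports2, module2) {
 module2.exports = {
 name: "@reclaimprotocol/js-sdk",
-version: "5.4.
+version: "5.4.2-dev.0",
 description: "Designed to request proofs from the Reclaim protocol and manage the flow of claims and witness interactions.",
 main: "dist/index.js",
 types: "dist/index.d.ts",
+exports: {
+".": {
+types: "./dist/index.d.ts",
+default: "./dist/index.js"
+},
+"./internal": {
+types: "./dist/internal.d.ts",
+default: "./dist/internal.js"
+}
+},
 keywords: [
 "reclaim",
 "protocol",
@@ -108,7 +118,8 @@ var require_package = __commonJS({
 ],
 tsup: {
 entry: [
-"src/index.ts"
+"src/index.ts",
+"src/internal.ts"
 ],
 splitting: false,
 sourcemap: true,
@@ -192,8 +203,40 @@ var require_package = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+ApplicationError: () => ApplicationError,
+AttestorTeeVerificationError: () => AttestorTeeVerificationError,
+BackendServerError: () => BackendServerError,
+CallbackUrlRequiredError: () => CallbackUrlRequiredError,
+ErrorDuringVerificationError: () => ErrorDuringVerificationError,
+GetAppCallbackUrlError: () => GetAppCallbackUrlError,
+GetStatusUrlError: () => GetStatusUrlError,
+HASH_MATCH_MULTIPLE_DEFAULT: () => HASH_MATCH_MULTIPLE_DEFAULT,
+HASH_REQUIRED_DEFAULT: () => HASH_REQUIRED_DEFAULT,
+InavlidParametersError: () => InavlidParametersError,
+InitError: () => InitError,
+InitSessionError: () => InitSessionError,
+InvalidParamError: () => InvalidParamError,
+InvalidRequestSpecError: () => InvalidRequestSpecError,
+InvalidSignatureError: () => InvalidSignatureError,
+NoProviderParamsError: () => NoProviderParamsError,
+ProofNotValidatedError: () => ProofNotValidatedError,
+ProofNotVerifiedError: () => ProofNotVerifiedError,
+ProofSubmissionFailedError: () => ProofSubmissionFailedError,
+ProviderConfigFetchError: () => ProviderConfigFetchError,
+ProviderFailedError: () => ProviderFailedError,
+ProviderNotFoundError: () => ProviderNotFoundError,
 ReclaimProofRequest: () => ReclaimProofRequest,
+SessionNotStartedError: () => SessionNotStartedError,
+SetContextError: () => SetContextError,
+SetParamsError: () => SetParamsError,
+SetSignatureError: () => SetSignatureError,
+SignatureGeneratingError: () => SignatureGeneratingError,
+SignatureNotFoundError: () => SignatureNotFoundError,
+StatusUrlError: () => StatusUrlError,
 TeeVerificationError: () => TeeVerificationError,
+TimeoutError: () => TimeoutError,
+UnknownProofsNotValidatedError: () => UnknownProofsNotValidatedError,
+UpdateSessionError: () => UpdateSessionError,
 assertValidProofsByHash: () => assertValidProofsByHash,
 assertValidateProof: () => assertValidateProof,
 assertVerifiedProof: () => assertVerifiedProof,
@@ -208,6 +251,7 @@ __export(index_exports, {
 generateSpecsFromRequestSpecTemplate: () => generateSpecsFromRequestSpecTemplate,
 getAttestors: () => getAttestors,
 getDeviceType: () => getDeviceType,
+getHashFromProof: () => getHashFromProof,
 getHttpProviderClaimParamsFromProof: () => getHttpProviderClaimParamsFromProof,
 getIdentifierFromClaimInfo: () => getIdentifierFromClaimInfo,
 getMobileDeviceType: () => getMobileDeviceType,
@@ -1504,6 +1548,9 @@ function generateAttestationNonce(appSecret, applicationId, sessionId, timestamp
 return import_ethers4.ethers.keccak256(import_ethers4.ethers.toUtf8Bytes(noncePayload)).replace(/^0x/i, "");
 }
 
+// src/utils/proofValidationUtils.ts
+var import_assert = __toESM(require("assert"));
+
 // src/utils/providerUtils.ts
 var logger7 = logger_default.logger;
 function fetchProviderHashRequirementsBy(providerId, exactProviderVersionString, allowedTags, proofs) {
@@ -1625,7 +1672,20 @@ function hashRequestSpec(request) {
 var logger8 = logger_default.logger;
 var HASH_REQUIRED_DEFAULT = true;
 var HASH_MATCH_MULTIPLE_DEFAULT = true;
-function
+function getHashFromProof(proof, piiConfig) {
+if ((piiConfig == null ? void 0 : piiConfig.hasNoPii) === true) {
+const contextObject = JSON.parse(proof.claimData.context);
+(0, import_assert.default)(contextObject, "Context must be present in proof's claimData");
+const providerHash = contextObject.providerHash;
+(0, import_assert.default)(providerHash, "Provider hash must be present in proof's claimData.context");
+return [providerHash];
+}
+const claimParams = getHttpProviderClaimParamsFromProof(proof);
+const computedHashesOfProof = hashProofClaimParams(claimParams);
+const proofHashes = Array.isArray(computedHashesOfProof) ? computedHashesOfProof.map((h) => h.toLowerCase().trim()) : [computedHashesOfProof.toLowerCase().trim()];
+return proofHashes;
+}
+function assertValidProofsByHash(proofs, config, piiConfig) {
 var _a, _b;
 if (!config.hashes) {
 throw new ProofNotValidatedError("No proof hash was provided for validation");
@@ -1633,9 +1693,7 @@ function assertValidProofsByHash(proofs, config) {
 const unvalidatedProofHashByIndex = /* @__PURE__ */ new Map();
 for (let i = 0; i < proofs.length; i++) {
 const proof = proofs[i];
-const
-const computedHashesOfProof = hashProofClaimParams(claimParams);
-const proofHashes = Array.isArray(computedHashesOfProof) ? computedHashesOfProof.map((h) => h.toLowerCase().trim()) : [computedHashesOfProof.toLowerCase().trim()];
+const proofHashes = getHashFromProof(proof, piiConfig);
 unvalidatedProofHashByIndex.set(i, proofHashes);
 }
 for (const hashRequirement of config.hashes) {
@@ -1643,7 +1701,9 @@ function assertValidProofsByHash(proofs, config) {
 const expectedHashes = Array.isArray(hashRequirement.value) ? hashRequirement.value.map((h) => h.toLowerCase().trim()) : [hashRequirement.value.toLowerCase().trim()];
 const isRequired = (_a = hashRequirement.required) != null ? _a : HASH_REQUIRED_DEFAULT;
 const canMatchMultiple = (_b = hashRequirement.multiple) != null ? _b : HASH_MATCH_MULTIPLE_DEFAULT;
-for (
+for (let i = 0; i < proofs.length; i++) {
+if (!unvalidatedProofHashByIndex.has(i)) continue;
+const proofHashes = unvalidatedProofHashByIndex.get(i);
 const intersection = expectedHashes.filter((eh) => proofHashes.includes(eh));
 if (intersection.length > 0) {
 unvalidatedProofHashByIndex.delete(i);
@@ -1684,7 +1744,7 @@ function getHttpProviderClaimParamsFromProof(proof) {
 }
 throw new ProofNotValidatedError("Proof has no HTTP provider params to hash");
 }
-function assertValidateProof(proofs, config) {
+function assertValidateProof(proofs, config, piiConfig) {
 return __async(this, null, function* () {
 if ("dangerouslyDisableContentValidation" in config && config.dangerouslyDisableContentValidation) {
 logger8.warn("Validation skipped because it was disabled during proof verification");
@@ -1705,14 +1765,14 @@ function assertValidateProof(proofs, config) {
 let lastError = null;
 for (const hashRequirement of hashRequirementsFromProvider) {
 try {
-return yield assertValidateProof(proofs, hashRequirement);
+return yield assertValidateProof(proofs, hashRequirement, piiConfig);
 } catch (e) {
 lastError = e;
 }
 }
 throw new ProofNotValidatedError("Could not validate proof", lastError);
 } else {
-return assertValidateProof(proofs, hashRequirementsFromProvider[0]);
+return assertValidateProof(proofs, hashRequirementsFromProvider[0], piiConfig);
 }
 }
 const effectiveHashRequirement = ("hashes" in config && Array.isArray(config == null ? void 0 : config.hashes) ? config.hashes : []).map((it) => {
@@ -1724,9 +1784,13 @@ function assertValidateProof(proofs, config) {
 return it;
 }
 });
-return assertValidProofsByHash(
-
-
+return assertValidProofsByHash(
+proofs,
+{
+hashes: effectiveHashRequirement
+},
+piiConfig
+);
 });
 }
 
@@ -1740,7 +1804,7 @@ var SUPPORTED_PROOF_VERSIONS = ["v2", "v3"];
 var TOKEN_CLOCK_SKEW_S = 60;
 var NONCE_TIMESTAMP_MAX_SKEW_MS = 10 * 60 * 1e3;
 var BROWSER_ENVIRONMENT_ERROR = "TEE attestation verification is only supported in non-browser environments. Run verifyTeeAttestation on your server or API route.";
-function
+function assert2(condition, message) {
 if (!condition) {
 throw new Error(message);
 }
@@ -1790,7 +1854,7 @@ function decodeUtf8(bytes) {
 }
 function decodeJwt(token) {
 const parts = token.split(".");
-
+assert2(parts.length === 3, "attestation token is not a JWT");
 return {
 header: JSON.parse(decodeUtf8(decodeBase64Url(parts[0]))),
 payload: JSON.parse(decodeUtf8(decodeBase64Url(parts[1]))),
@@ -1800,7 +1864,7 @@ function decodeJwt(token) {
 }
 function getFetch() {
 const fetchFn = globalThis.fetch;
-
+assert2(fetchFn, "fetch is not available in this environment");
 return fetchFn.bind(globalThis);
 }
 function getSubtleCrypto() {
@@ -1836,19 +1900,19 @@ var cachedJwksAt = 0;
 function verifyJwtSignature(token, issuer) {
 return __async(this, null, function* () {
 const { header, payload, signingInput, signature } = decodeJwt(token);
-
-
+assert2(header.alg === "RS256", `unexpected attestation signing algorithm: ${header.alg}`);
+assert2(typeof header.kid === "string" && header.kid.length > 0, "attestation token kid is missing");
 const isCacheFresh = cachedJwksKeys && Date.now() - cachedJwksAt < JWKS_CACHE_TTL_MS;
 if (!isCacheFresh) {
 const oidc = yield fetchJson(`${issuer}/.well-known/openid-configuration`);
-
+assert2(typeof (oidc == null ? void 0 : oidc.jwks_uri) === "string" && oidc.jwks_uri.length > 0, "issuer JWKS URI is missing");
 cachedJwksUri = oidc.jwks_uri;
 const jwks = yield fetchJson(cachedJwksUri);
 cachedJwksKeys = (jwks == null ? void 0 : jwks.keys) || [];
 cachedJwksAt = Date.now();
 }
 const jwk = cachedJwksKeys.find((key) => key.kid === header.kid);
-
+assert2(jwk, `no JWKS key found for kid ${header.kid}`);
 const cryptoKey = yield getSubtleCrypto().importKey(
 "jwk",
 jwk,
@@ -1862,7 +1926,7 @@ function verifyJwtSignature(token, issuer) {
 signature,
 new TextEncoder().encode(signingInput)
 );
-
+assert2(isValid, "JWT signature verification failed");
 return payload;
 });
 }
@@ -1883,16 +1947,16 @@ function parseProofContext(proof) {
 }
 const ctx = parsedContext;
 const expectedNonce = ctx.attestationNonce;
-
+assert2(typeof expectedNonce === "string" && expectedNonce.length > 0, "Proof context is missing attestationNonce");
 const nonceDataObj = ctx.attestationNonceData;
-
+assert2(isNonceContextData(nonceDataObj), "Proof context is missing or has invalid attestationNonceData (requires applicationId, sessionId, timestamp)");
 return { parsedContext: ctx, nonceDataObj, expectedNonce };
 }
 function verifyApplicationAndSessionBinding(proof, parsedContext, nonceDataObj, expectedApplicationId) {
 var _a;
 const { applicationId, sessionId, timestamp } = nonceDataObj;
 if (expectedApplicationId) {
-
+assert2(
 applicationId.toLowerCase() === expectedApplicationId.toLowerCase(),
 `Application ID Mismatch! Expected ${expectedApplicationId}, but proof context contains ${applicationId}`
 );
@@ -1927,11 +1991,11 @@ function verifyApplicationAndSessionBinding(proof, parsedContext, nonceDataObj,
 function verifyNonceMaterial(expectedNonce, nonceDataObj, expectedAppSecret) {
 const cleanExpectedNonce = normalizeHex(expectedNonce);
 const { applicationId, sessionId, timestamp } = nonceDataObj;
-
-
+assert2(cleanExpectedNonce.length > 0, "Proof context attestationNonce is empty");
+assert2(isHex(cleanExpectedNonce), "Proof context attestationNonce is not valid hex");
 if (expectedAppSecret) {
 const recomputedNonce = generateAttestationNonce(expectedAppSecret, applicationId, sessionId, timestamp);
-
+assert2(
 recomputedNonce === cleanExpectedNonce,
 "Attestation nonce verification failed: app secret, application ID, session ID, or timestamp do not match"
 );
@@ -1944,7 +2008,7 @@ function verifyNonceMaterial(expectedNonce, nonceDataObj, expectedAppSecret) {
 nonceMsg,
 expectedNonce.startsWith("0x") ? expectedNonce : `0x${expectedNonce}`
 );
-
+assert2(
 recoveredAddress.toLowerCase() === applicationId.toLowerCase(),
 `Nonce signature verification failed: recovered ${recoveredAddress}, expected ${applicationId}`
 );
@@ -1966,12 +2030,12 @@ function assertTokenFresh(claims) {
 }
 function assertAudienceClaim(aud) {
 if (typeof aud === "string") {
-
+assert2(aud.length > 0, "attestation token audience is empty");
 return;
 }
 if (Array.isArray(aud)) {
-
-
+assert2(aud.length > 0, "attestation token audience is empty");
+assert2(aud.every((entry) => typeof entry === "string" && entry.length > 0), "attestation token audience contains invalid entries");
 return;
 }
 throw new Error("attestation token audience is missing");
@@ -1986,22 +2050,22 @@ function assertProofShape(teeAttestation) {
 throw new Error(`${teeAttestation.error.code}: ${teeAttestation.error.message}`);
 }
 const proofVersion = getProofVersion(teeAttestation);
-
-
-
-
-
-
-
-
-
+assert2(typeof proofVersion === "string" && SUPPORTED_PROOF_VERSIONS.includes(proofVersion), `unexpected proof version: ${proofVersion}`);
+assert2(teeAttestation.tee_provider === EXPECTED_TEE_PROVIDER, `unexpected tee provider: ${teeAttestation.tee_provider}`);
+assert2(teeAttestation.tee_technology === EXPECTED_TEE_TECHNOLOGY, `unexpected tee technology: ${teeAttestation.tee_technology}`);
+assert2(typeof teeAttestation.nonce === "string" && teeAttestation.nonce.length > 0, "tee attestation nonce missing");
+assert2(typeof teeAttestation.timestamp === "string" && teeAttestation.timestamp.length > 0, "tee attestation timestamp missing");
+assert2(!Number.isNaN(Date.parse(teeAttestation.timestamp)), "tee attestation timestamp is invalid");
+assert2(typeof ((_a = teeAttestation.workload) == null ? void 0 : _a.image_digest) === "string" && teeAttestation.workload.image_digest.length > 0, "workload image digest missing");
+assert2(typeof ((_b = teeAttestation.verifier) == null ? void 0 : _b.image_digest) === "string" && teeAttestation.verifier.image_digest.length > 0, "verifier image digest missing");
+assert2(typeof ((_c = teeAttestation.attestation) == null ? void 0 : _c.token) === "string" && teeAttestation.attestation.token.length > 0, "attestation token missing");
 }
 function computeDigestBinding(teeAttestation) {
 return __async(this, null, function* () {
 const proofVersion = getProofVersion(teeAttestation);
 if (proofVersion === "v3") {
-
-
+assert2(typeof teeAttestation.workload.container_name === "string" && teeAttestation.workload.container_name.length > 0, "workload container name missing");
+assert2(typeof teeAttestation.verifier.container_name === "string" && teeAttestation.verifier.container_name.length > 0, "verifier container name missing");
 return sha256Hex([
 "v3",
 `workload.container_name=${teeAttestation.workload.container_name}`,
@@ -2020,15 +2084,15 @@ function verifyGcpClaims(teeAttestation, expectedNonce) {
 return __async(this, null, function* () {
 var _a;
 const claims = yield verifyJwtSignature(teeAttestation.attestation.token, GCP_CONFIDENTIAL_SPACE_ISSUER);
-
+assert2(claims.iss === GCP_CONFIDENTIAL_SPACE_ISSUER, `unexpected issuer: ${claims.iss}`);
 assertAudienceClaim(claims.aud);
-
+assert2(Array.isArray(claims.eat_nonce), "eat_nonce claim missing");
 const digestBinding = yield computeDigestBinding(teeAttestation);
-
-
-
-
-
+assert2(claims.eat_nonce.includes(expectedNonce), "request nonce is not present in attestation token");
+assert2(claims.eat_nonce.includes(digestBinding), "digest-binding nonce is not present in attestation token");
+assert2(claims.hwmodel === EXPECTED_HW_MODEL, `unexpected hwmodel: ${claims.hwmodel}`);
+assert2(claims.secboot === true, "secure boot claim is not true");
+assert2((_a = claims.submods) == null ? void 0 : _a.gce, "gce submod claim missing");
 assertTokenFresh(claims);
 });
 }
@@ -2050,9 +2114,9 @@ function verifyTeeAttestation(proof, appSecret) {
 verifyNonceMaterial(expectedNonce, nonceDataObj, appSecret);
 const cleanExpectedNonce = normalizeHex(expectedNonce);
 const cleanTeeNonce = normalizeHex(teeAttestation.nonce);
-
-
-
+assert2(cleanTeeNonce.length > 0, "TEE attestation nonce is empty");
+assert2(isHex(cleanTeeNonce), "TEE attestation nonce is not valid hex");
+assert2(cleanTeeNonce === cleanExpectedNonce, `Nonce Mismatch! Expected ${cleanExpectedNonce}, got ${cleanTeeNonce}`);
 yield verifyGcpClaims(teeAttestation, cleanExpectedNonce);
 return { isVerified: true };
 } catch (error) {
@@ -2318,11 +2382,14 @@ function verifyProof(proofOrProofs, config) {
 if (!config) {
 throw new ProofNotValidatedError("Verification configuration is required for `verifyProof(proof, config)`");
 }
-
-
-yield
+if (config.hasNoPii !== true) {
+console.info({ pii: config.hasNoPii });
+const attestors = yield getAttestors();
+for (const proof of proofs) {
+yield assertVerifiedProof(proof, attestors);
+}
 }
-yield assertValidateProof(proofs, config);
+yield assertValidateProof(proofs, config, { hasNoPii: config.hasNoPii });
 let isTeeAttestationVerified;
 let isAttestorTeeAttestationVerified;
 if (config.teeAttestation && "dangerouslyDisableContentValidation" in config && config.dangerouslyDisableContentValidation) {
@@ -3899,8 +3966,40 @@ function generateInitSignature(appSecret, providerId, timestamp) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+ApplicationError,
+AttestorTeeVerificationError,
+BackendServerError,
+CallbackUrlRequiredError,
+ErrorDuringVerificationError,
+GetAppCallbackUrlError,
+GetStatusUrlError,
+HASH_MATCH_MULTIPLE_DEFAULT,
+HASH_REQUIRED_DEFAULT,
+InavlidParametersError,
+InitError,
+InitSessionError,
+InvalidParamError,
+InvalidRequestSpecError,
+InvalidSignatureError,
+NoProviderParamsError,
+ProofNotValidatedError,
+ProofNotVerifiedError,
+ProofSubmissionFailedError,
+ProviderConfigFetchError,
+ProviderFailedError,
+ProviderNotFoundError,
 ReclaimProofRequest,
+SessionNotStartedError,
+SetContextError,
+SetParamsError,
+SetSignatureError,
+SignatureGeneratingError,
+SignatureNotFoundError,
+StatusUrlError,
 TeeVerificationError,
+TimeoutError,
+UnknownProofsNotValidatedError,
+UpdateSessionError,
 assertValidProofsByHash,
 assertValidateProof,
 assertVerifiedProof,
@@ -3915,6 +4014,7 @@ function generateInitSignature(appSecret, providerId, timestamp) {
 generateSpecsFromRequestSpecTemplate,
 getAttestors,
 getDeviceType,
+getHashFromProof,
 getHttpProviderClaimParamsFromProof,
 getIdentifierFromClaimInfo,
 getMobileDeviceType,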
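Review bot: In the `verifyProof` hunk, `config.hasNoPii === true` skips `getAttestors()` and `assertVerifiedProof` altogether, while in the same mode `getHashFromProof` returns `contextObject.providerHash` parsed straight from `proof.claimData.context`; on the visible lines the hash check therefore compares the expected hashes with a value the proof states about itself, with no attestor signature check in front of it. Unless code outside these hunks authenticates the context in that mode, the attestor loop should run unconditionally and `hasNoPii` should only select how the hash is derived. `console.info({ pii: config.hasNoPii });` reads like leftover debugging and should be dropped before a non-dev release. The no-PII branch of `getHashFromProof` also returns the hash without the `.toLowerCase().trim()` applied on the computed path, and it fails with a Node `assert` error or a `JSON.parse` `SyntaxError` rather than `ProofNotValidatedError`; `return [String(providerHash).toLowerCase().trim()];` would at least keep the value comparable with `expectedHashes`. `verifyProof` starts and ends outside its hunk.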