@super-protocol/swarm-contracts-sdk 0.0.1-beta.1

package/dist/cjs/tee/QuoteParser.js

@@ -0,0 +1,410 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TeeTdxParser = exports.TeeSgxParser = exports.TeeParser = void 0;
+const x509_1 = require("@fidm/x509");
+const asn1js = __importStar(require("asn1js"));
+const pkijs = __importStar(require("pkijs"));
+const buffer_1 = require("buffer");
+const errors_js_1 = require("./errors.js");
+const types_js_1 = require("./types.js");
+const helpers_js_1 = require("./helpers.js");
+const crypto = __importStar(require("crypto"));
+class TeeParser {
+    static reportDataHashSize = 32; /* 64 in report, but we need 32 only for sha256 hash */
+    extractRS(cert) {
+        const derSignature = Buffer.from(cert.signatureValue.valueBlock.valueHexView).toString('hex');
+        const parsedSignature = helpers_js_1.Signature.importFromDER(derSignature);
+        return {
+            r: parsedSignature.r,
+            s: parsedSignature.s,
+            derSignature,
+        };
+    }
+    parsePem(pem) {
+        const cert = x509_1.Certificate.fromPEM(Buffer.from(pem));
+        const asn1Certificate = asn1js.fromBER(cert.raw);
+        const certificate = new pkijs.Certificate({ schema: asn1Certificate.result });
+        const tbs = certificate.tbsView;
+        const { r, s } = this.extractRS(certificate);
+        const publicKey = cert.publicKey.keyRaw.toString('hex').slice(2);
+        const splitedTbs = Buffer.from(tbs).toString('hex').split(publicKey);
+        const x509PublicKey = '0x' + publicKey;
+        const x509Signature = '0x' + r + s;
+        return {
+            bodyPartOne: '0x' + splitedTbs[0],
+            publicKey: x509PublicKey,
+            bodyPartTwo: '0x' + splitedTbs[1],
+            signature: x509Signature,
+        };
+    }
+    getDataAndAdvance(blob, size) {
+        const buf = buffer_1.Buffer.from(blob.data.subarray(0, size));
+        blob.data = buffer_1.Buffer.from(blob.data.subarray(size));
+        return buf;
+    }
+    static determineQuoteType(quote) {
+        let type = types_js_1.QuoteType.SGX;
+        if (quote.length < 48) {
+            throw new errors_js_1.TeeQuoteParserError('data has invalid length');
+        }
+        const version = Buffer.from(quote).readUInt16LE(0);
+        if (version === 4) {
+            const quoteType = Buffer.from(quote).readUInt32LE(4);
+            if (quoteType === 0x00000081) {
+                type = types_js_1.QuoteType.TDX;
+            }
+            else if (quoteType !== 0x00000000) {
+                throw new errors_js_1.TeeQuoteParserError(`Unknown quote type ${quoteType}`);
+            }
+        }
+        else if (version !== 3) {
+            throw new errors_js_1.TeeQuoteParserError(`Unknown quote version ${version}`);
+        }
+        return { type, version };
+    }
+    static getMrEnclave(quote) {
+        const teeType = TeeParser.determineQuoteType(quote);
+        switch (teeType.type) {
+            case types_js_1.QuoteType.SGX: {
+                const sgxParser = new TeeSgxParser();
+                const parsedSgxQuote = sgxParser.parseQuote(quote);
+                const parsedReport = sgxParser.parseReport(parsedSgxQuote.report);
+                return parsedReport.mrEnclave;
+            }
+            case types_js_1.QuoteType.TDX: {
+                const tdxParser = new TeeTdxParser();
+                const parsedTdxQuote = tdxParser.parseQuote(quote);
+                const tdBody = tdxParser.parseBody(parsedTdxQuote.tdQuoteBody);
+                const hash = crypto.createHash('sha256');
+                hash.update(tdBody.tdAttributes);
+                hash.update(tdBody.mrTd);
+                hash.update(tdBody.rtmr0);
+                hash.update(tdBody.rtmr1);
+                hash.update(tdBody.rtmr2);
+                hash.update(tdBody.rtmr3);
+                return hash.digest();
+            }
+            default:
+                throw new errors_js_1.TeeQuoteParserError(`Unknown quote type`);
+        }
+    }
+}
+exports.TeeParser = TeeParser;
+class TeeSgxParser extends TeeParser {
+    static quoteHeaderSize = 48;
+    static pceSvnOffset = 10;
+    static reportSize = 384;
+    static userDataOffset = 28;
+    static userDataSize = 20;
+    static cpuSvnSize = 16;
+    static reportMrEnclaveOffset = 64;
+    static reportMrEnclaveSize = 32;
+    static reportMrSignerOffset = TeeSgxParser.reportMrEnclaveOffset + TeeSgxParser.reportMrEnclaveSize + /* reserved */ 32;
+    static reportMrSignerSize = 32;
+    static reportIsvProdIdOffset = TeeSgxParser.reportMrSignerOffset + TeeSgxParser.reportMrSignerSize + /* reserved */ 96;
+    static reportIsvProdIdSize = 2;
+    static reportIsvSvnOffset = TeeSgxParser.reportIsvProdIdOffset + TeeSgxParser.reportIsvProdIdSize;
+    static reportIsvSvnSize = 2;
+    static reportDataOffset = TeeSgxParser.reportIsvSvnOffset + TeeSgxParser.reportIsvSvnSize + /* reserved */ 60;
+    static reportUserDataSize = 64;
+    static ecdsaP256SignatureSize = 64;
+    static ecdsaP256PublicKeySize = 64;
+    parseQuote(data) {
+        const { quoteHeaderSize, pceSvnOffset, reportSize, userDataOffset, userDataSize, ecdsaP256SignatureSize, ecdsaP256PublicKeySize, } = TeeSgxParser;
+        if (data.length < quoteHeaderSize + reportSize) {
+            throw new errors_js_1.TeeQuoteParserError('data has invalid length');
+        }
+        const quoteRemainder = { data: buffer_1.Buffer.from(data) };
+        const quoteHeader = this.getDataAndAdvance(quoteRemainder, quoteHeaderSize);
+        const report = this.getDataAndAdvance(quoteRemainder, reportSize);
+        const version = quoteHeader.readUInt16LE(0);
+        const attestationKeyType = quoteHeader.readUInt16LE(2);
+        if (attestationKeyType > 3) {
+            throw new errors_js_1.TeeQuoteParserError('quote header has invalid or unsupported attestation key type');
+        }
+        const pceSvn = quoteHeader.readUInt16LE(pceSvnOffset);
+        const userData = quoteHeader.slice(userDataOffset, userDataOffset + userDataSize);
+        const quoteSignatureDateLen = quoteRemainder.data.readUInt32LE(0);
+        quoteRemainder.data = buffer_1.Buffer.from(quoteRemainder.data.subarray(4));
+        if (quoteSignatureDateLen != quoteRemainder.data.length) {
+            throw new errors_js_1.TeeQuoteParserError(`quoteSignatureDateLen has invalid length: ${quoteRemainder.data.length} instead of ${quoteSignatureDateLen} expected`);
+        }
+        const rawQuoteSignatureDataRemainder = {
+            data: this.getDataAndAdvance(quoteRemainder, quoteSignatureDateLen),
+        };
+        const isvEnclaveReportSignature = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, ecdsaP256SignatureSize);
+        const ecdsaAttestationKey = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, ecdsaP256PublicKeySize);
+        const qeReport = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, reportSize);
+        const qeReportSignature = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, ecdsaP256SignatureSize);
+        const qeAuthenticationDataSize = rawQuoteSignatureDataRemainder.data.readUInt16LE(0);
+        rawQuoteSignatureDataRemainder.data = buffer_1.Buffer.from(rawQuoteSignatureDataRemainder.data.subarray(2));
+        if (rawQuoteSignatureDataRemainder.data.length < qeAuthenticationDataSize) {
+            throw new errors_js_1.TeeQuoteParserError(`qeAuthenticationDataSize has invalid length: ${rawQuoteSignatureDataRemainder.data.length} instead of ${qeAuthenticationDataSize} expected`);
+        }
+        const qeAuthenticationData = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, qeAuthenticationDataSize);
+        const qeCertificationDataType = rawQuoteSignatureDataRemainder.data.readUInt16LE(0);
+        if (qeCertificationDataType < 1 || qeCertificationDataType > 7) {
+            throw new errors_js_1.TeeQuoteParserError(`certificationDataType has invalid value: ${qeCertificationDataType}`);
+        }
+        const certificationDataSize = rawQuoteSignatureDataRemainder.data.readUInt32LE(2);
+        const qeCertificationData = rawQuoteSignatureDataRemainder.data.subarray(2 + 4);
+        if (certificationDataSize != qeCertificationData.length) {
+            throw new errors_js_1.TeeQuoteParserError(`certificationDataSize has invalid length: $PqeCertificationData.length} instead of ${certificationDataSize} expected`);
+        }
+        const certsPems = (0, helpers_js_1.splitChain)(qeCertificationData.toString()) || []; // [device, platform, root]
+        const certsData = certsPems.map((pem) => this.parsePem(pem));
+        return {
+            quoteType: types_js_1.QuoteType.SGX,
+            rawHeader: quoteHeader,
+            header: {
+                version,
+                attestationKeyType,
+                pceSvn,
+                userData,
+            },
+            report,
+            isvEnclaveReportSignature,
+            ecdsaAttestationKey,
+            qeReport,
+            qeReportSignature,
+            qeAuthenticationData,
+            qeCertificationDataType,
+            qeCertificationData,
+            certificates: {
+                device: {
+                    pem: certsPems[0],
+                    x509Data: certsData[0],
+                },
+                platform: {
+                    pem: certsPems[1],
+                    x509Data: certsData[1],
+                },
+                root: {
+                    pem: certsPems[2],
+                    x509Data: certsData[2],
+                },
+            },
+        };
+    }
+    parseReport(data) {
+        const { reportSize, cpuSvnSize, reportMrEnclaveOffset, reportMrEnclaveSize, reportMrSignerOffset, reportMrSignerSize, reportIsvProdIdOffset, reportIsvProdIdSize, reportIsvSvnOffset, reportIsvSvnSize, reportDataOffset, reportUserDataSize, reportDataHashSize, } = TeeSgxParser;
+        if (data.length < reportSize) {
+            throw new errors_js_1.TeeQuoteParserError('data has invalid length');
+        }
+        const report = buffer_1.Buffer.from(data);
+        const cpuSvn = report.slice(0, cpuSvnSize).toString('hex');
+        const mrEnclave = report.slice(reportMrEnclaveOffset, reportMrEnclaveOffset + reportMrEnclaveSize);
+        const mrSigner = report.slice(reportMrSignerOffset, reportMrSignerOffset + reportMrSignerSize);
+        const isvProdId = report
+            .slice(reportIsvProdIdOffset, reportIsvProdIdOffset + reportIsvProdIdSize)
+            .readUInt16LE(0);
+        const isvSvn = report
+            .slice(reportIsvSvnOffset, reportIsvSvnOffset + reportIsvSvnSize)
+            .readUInt16LE(0);
+        const userData = report.slice(reportDataOffset, reportDataOffset + reportUserDataSize);
+        const dataHash = report.slice(reportDataOffset, reportDataOffset + reportDataHashSize);
+        return {
+            cpuSvn,
+            mrEnclave,
+            mrSigner,
+            isvProdId,
+            isvSvn,
+            userData,
+            dataHash,
+        };
+    }
+}
+exports.TeeSgxParser = TeeSgxParser;
+class TeeTdxParser extends TeeParser {
+    //High-level quote structure
+    static quoteHeaderSize = 48;
+    static tdQuoteBodySize = 584;
+    static quoteSignatureDataLen = 4;
+    // Header fields
+    static headerVersionSize = 2;
+    static headerAttestationKeyTypeSize = 2;
+    static headerTeeTypeSize = 4;
+    static headerReserved1Size = 2;
+    static headerReserved2Size = 2;
+    static headerQeVendorIdSize = 16;
+    static headerUserDataSize = 20;
+    // Body fiedls
+    static bodyTeeTcbSvnSize = 16;
+    static bodyMrSeamSize = 48;
+    static bodyMrSignerSeamSize = 48;
+    static bodySeamAttributesSize = 8;
+    static bodyTdAttributesSize = 8;
+    static bodyXfamSize = 8;
+    static bodyMrTdSize = 48;
+    static bodyMrConfigIdSize = 48;
+    static bodyMrOwnerSize = 48;
+    static bodyMrOwnerConfigSize = 48;
+    static bodyRtmr0Size = 48;
+    static bodyRtmr1Size = 48;
+    static bodyRtmr2Size = 48;
+    static bodyRtmr3Size = 48;
+    static bodyReportDataSize = 64;
+    // Signature fields
+    static sigQuoteSignatureSize = 64;
+    static sigAttestationKeySize = 64;
+    static sigCertDataTypeSize = 2;
+    static sigCertDataSzSize = 4;
+    static sigQeReportSize = 384;
+    static sigQeReportSignatureSize = 64;
+    static sigQeAuthenticationDataSzSize = 2;
+    static sigSignatureTypeSize = 2;
+    static sigSignatureSzSize = 4;
+    parseQuote(data) {
+        const { quoteHeaderSize, tdQuoteBodySize, quoteSignatureDataLen, sigQuoteSignatureSize, sigAttestationKeySize, sigCertDataTypeSize, sigCertDataSzSize, sigQeReportSize, sigQeReportSignatureSize, sigQeAuthenticationDataSzSize, sigSignatureTypeSize, sigSignatureSzSize, } = TeeTdxParser;
+        const expectedSize = quoteHeaderSize + tdQuoteBodySize + quoteSignatureDataLen;
+        if (data.length < expectedSize) {
+            throw new errors_js_1.TeeQuoteParserError(`quote has invalid length ${data.length}, expected not less than ${expectedSize}`);
+        }
+        const quoteRemainder = { data: buffer_1.Buffer.from(data) };
+        const rawHeader = this.getDataAndAdvance(quoteRemainder, quoteHeaderSize);
+        const tdQuoteBody = this.getDataAndAdvance(quoteRemainder, tdQuoteBodySize);
+        const signatureLen = this.getDataAndAdvance(quoteRemainder, quoteSignatureDataLen);
+        const certificationDataSize = signatureLen.readUInt32LE(0);
+        const expectedQuoteLen = quoteHeaderSize + tdQuoteBodySize + quoteSignatureDataLen + certificationDataSize;
+        if (data.length < expectedQuoteLen) {
+            throw new errors_js_1.TeeQuoteParserError(`quote has invalid length ${data.length}, expected not less than ${expectedQuoteLen}`);
+        }
+        const signature = { data: this.getDataAndAdvance(quoteRemainder, certificationDataSize) };
+        const quoteSignature = this.getDataAndAdvance(signature, sigQuoteSignatureSize);
+        const ecdsaAttestationKey = this.getDataAndAdvance(signature, sigAttestationKeySize);
+        const certDataType = this.getDataAndAdvance(signature, sigCertDataTypeSize).readUint16LE(); //expected 6
+        if (certDataType !== 6)
+            throw new errors_js_1.TeeQuoteParserError(`certDataType has invalid value ${certDataType}, expected 6`);
+        const certDataSize = this.getDataAndAdvance(signature, sigCertDataSzSize).readUint32LE();
+        if (signature.data.length < certDataSize)
+            throw new errors_js_1.TeeQuoteParserError(`certData has invalid length ${data.length}, expected not less than ${certDataSize}`);
+        const qeReport = this.getDataAndAdvance(signature, sigQeReportSize);
+        const qeReportSignature = this.getDataAndAdvance(signature, sigQeReportSignatureSize);
+        const qeAuthenticationDataSize = this.getDataAndAdvance(signature, sigQeAuthenticationDataSzSize).readUint16LE();
+        if (signature.data.length < qeAuthenticationDataSize)
+            throw new errors_js_1.TeeQuoteParserError(`qeAuthenticationData has invalid length ${data.length}, expected not less than ${qeAuthenticationDataSize}`);
+        const qeAuthenticationData = this.getDataAndAdvance(signature, qeAuthenticationDataSize);
+        const qeCertificationDataType = this.getDataAndAdvance(signature, sigSignatureTypeSize).readUint16LE(); //expected 5
+        if (qeCertificationDataType !== 5)
+            throw new errors_js_1.TeeQuoteParserError(`signatureType has invalid value ${qeCertificationDataType}, expected 5`);
+        const signatureSize = this.getDataAndAdvance(signature, sigSignatureSzSize).readUint32LE();
+        if (signature.data.length < signatureSize)
+            throw new errors_js_1.TeeQuoteParserError(`certChain has invalid length ${data.length}, expected not less than ${signatureSize}`);
+        const qeCertificationData = this.getDataAndAdvance(signature, signatureSize);
+        const certsPems = (0, helpers_js_1.splitChain)(qeCertificationData.toString()) || []; // [device, platform, root]
+        const certsData = certsPems.map((pem) => this.parsePem(pem));
+        return {
+            quoteType: types_js_1.QuoteType.TDX,
+            rawHeader,
+            header: this.parseHeader(rawHeader),
+            tdQuoteBody,
+            quoteSignature,
+            ecdsaAttestationKey,
+            certDataType,
+            qeReport,
+            qeReportSignature,
+            qeAuthenticationData,
+            qeCertificationDataType,
+            qeCertificationData,
+            certificates: {
+                device: {
+                    pem: certsPems[0],
+                    x509Data: certsData[0],
+                },
+                platform: {
+                    pem: certsPems[1],
+                    x509Data: certsData[1],
+                },
+                root: {
+                    pem: certsPems[2],
+                    x509Data: certsData[2],
+                },
+            },
+        };
+    }
+    parseHeader(data) {
+        const { headerVersionSize, headerAttestationKeyTypeSize, headerTeeTypeSize, headerReserved1Size, headerReserved2Size, headerQeVendorIdSize, headerUserDataSize, } = TeeTdxParser;
+        const headerRemainder = { data: buffer_1.Buffer.from(data) };
+        const version = this.getDataAndAdvance(headerRemainder, headerVersionSize).readUInt16LE();
+        const attestationKeyType = this.getDataAndAdvance(headerRemainder, headerAttestationKeyTypeSize).readUInt16LE();
+        const teeType = this.getDataAndAdvance(headerRemainder, headerTeeTypeSize).readUInt32LE();
+        const reserved1 = this.getDataAndAdvance(headerRemainder, headerReserved1Size);
+        const reserved2 = this.getDataAndAdvance(headerRemainder, headerReserved2Size);
+        const qeVendorId = this.getDataAndAdvance(headerRemainder, headerQeVendorIdSize);
+        const userData = this.getDataAndAdvance(headerRemainder, headerUserDataSize);
+        return {
+            version,
+            attestationKeyType,
+            teeType,
+            reserved1,
+            reserved2,
+            qeVendorId,
+            userData,
+        };
+    }
+    parseBody(data) {
+        const { bodyTeeTcbSvnSize, bodyMrSeamSize, bodyMrSignerSeamSize, bodySeamAttributesSize, bodyTdAttributesSize, bodyXfamSize, bodyMrTdSize, bodyMrConfigIdSize, bodyMrOwnerSize, bodyMrOwnerConfigSize, bodyRtmr0Size, bodyRtmr1Size, bodyRtmr2Size, bodyRtmr3Size, bodyReportDataSize, reportDataHashSize, } = TeeTdxParser;
+        const bodyRemainder = { data: buffer_1.Buffer.from(data) };
+        if (bodyRemainder.data.length !== TeeTdxParser.tdQuoteBodySize)
+            throw new errors_js_1.TeeQuoteParserError(`body has invalid length ${bodyRemainder.data.length}, expected ${TeeTdxParser.tdQuoteBodySize}`);
+        const teeTcbSvn = this.getDataAndAdvance(bodyRemainder, bodyTeeTcbSvnSize);
+        const mrSeam = this.getDataAndAdvance(bodyRemainder, bodyMrSeamSize);
+        const mrSignerSeam = this.getDataAndAdvance(bodyRemainder, bodyMrSignerSeamSize);
+        const seamAttributes = this.getDataAndAdvance(bodyRemainder, bodySeamAttributesSize);
+        const tdAttributes = this.getDataAndAdvance(bodyRemainder, bodyTdAttributesSize);
+        const xfam = this.getDataAndAdvance(bodyRemainder, bodyXfamSize);
+        const mrTd = this.getDataAndAdvance(bodyRemainder, bodyMrTdSize);
+        const mrConfigId = this.getDataAndAdvance(bodyRemainder, bodyMrConfigIdSize);
+        const mrOwner = this.getDataAndAdvance(bodyRemainder, bodyMrOwnerSize);
+        const mrOwnerConfig = this.getDataAndAdvance(bodyRemainder, bodyMrOwnerConfigSize);
+        const rtmr0 = this.getDataAndAdvance(bodyRemainder, bodyRtmr0Size);
+        const rtmr1 = this.getDataAndAdvance(bodyRemainder, bodyRtmr1Size);
+        const rtmr2 = this.getDataAndAdvance(bodyRemainder, bodyRtmr2Size);
+        const rtmr3 = this.getDataAndAdvance(bodyRemainder, bodyRtmr3Size);
+        const reportData = this.getDataAndAdvance(bodyRemainder, bodyReportDataSize);
+        const dataHash = reportData.slice(0, reportDataHashSize);
+        return {
+            teeTcbSvn,
+            mrSeam,
+            mrSignerSeam,
+            seamAttributes,
+            tdAttributes,
+            xfam,
+            mrTd,
+            mrConfigId,
+            mrOwner,
+            mrOwnerConfig,
+            rtmr0,
+            rtmr1,
+            rtmr2,
+            rtmr3,
+            reportData,
+            dataHash,
+        };
+    }
+}
+exports.TeeTdxParser = TeeTdxParser;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiUXVvdGVQYXJzZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvdGVlL1F1b3RlUGFyc2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEscUNBQXlDO0FBQ3pDLCtDQUFpQztBQUNqQyw2Q0FBK0I7QUFDL0IsbUNBQXdDO0FBQ3hDLDJDQUFrRDtBQUNsRCx5Q0FTb0I7QUFDcEIsNkNBQXFEO0FBQ3JELCtDQUFpQztBQUVqQyxNQUFzQixTQUFTO0lBQzdCLE1BQU0sQ0FBVSxrQkFBa0IsR0FBRyxFQUFFLENBQUMsQ0FBQyx1REFBdUQ7SUFDdEYsU0FBUyxDQUFDLElBQXVCO1FBQ3pDLE1BQU0sWUFBWSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGNBQWMsQ0FBQyxVQUFVLENBQUMsWUFBWSxDQUFDLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQzlGLE1BQU0sZUFBZSxHQUFHLHNCQUFTLENBQUMsYUFBYSxDQUFDLFlBQVksQ0FBQyxDQUFDO1FBRTlELE9BQU87WUFDTCxDQUFDLEVBQUUsZUFBZSxDQUFDLENBQUM7WUFDcEIsQ0FBQyxFQUFFLGVBQWUsQ0FBQyxDQUFDO1lBQ3BCLFlBQVk7U0FDYixDQUFDO0lBQ0osQ0FBQztJQUVTLFFBQVEsQ0FBQyxHQUFXO1FBQzVCLE1BQU0sSUFBSSxHQUFHLGtCQUFXLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztRQUNuRCxNQUFNLGVBQWUsR0FBRyxNQUFNLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUNqRCxNQUFNLFdBQVcsR0FBRyxJQUFJLEtBQUssQ0FBQyxXQUFXLENBQUMsRUFBRSxNQUFNLEVBQUUsZUFBZSxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUM7UUFFOUUsTUFBTSxHQUFHLEdBQUcsV0FBVyxDQUFDLE9BQU8sQ0FBQztRQUVoQyxNQUFNLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsV0FBVyxDQUFDLENBQUM7UUFFN0MsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNqRSxNQUFNLFVBQVUsR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxLQUFLLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDckUsTUFBTSxhQUFhLEdBQUcsSUFBSSxHQUFHLFNBQVMsQ0FBQztRQUN2QyxNQUFNLGFBQWEsR0FBRyxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUVuQyxPQUFPO1lBQ0wsV0FBVyxFQUFFLElBQUksR0FBRyxVQUFVLENBQUMsQ0FBQyxDQUFDO1lBQ2pDLFNBQVMsRUFBRSxhQUFhO1lBQ3hCLFdBQVcsRUFBRSxJQUFJLEdBQUcsVUFBVSxDQUFDLENBQUMsQ0FBQztZQUNqQyxTQUFTLEVBQUUsYUFBYTtTQUN6QixDQUFDO0lBQ0osQ0FBQztJQUVTLGlCQUFpQixDQUFDLElBQW9CLEVBQUUsSUFBWTtRQUM1RCxNQUFNLEdBQUcsR0FBRyxlQUFJLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUMsRUFBRSxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBQ25ELElBQUksQ0FBQyxJQUFJLEdBQUcsZUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBRWhELE9BQU8sR0FBRyxDQUFDO0lBQ2IsQ0FBQztJQUVNLE1BQU0sQ0FBQyxrQkFBa0IsQ0FBQyxLQUFpQjtRQUNoRCxJQUFJLElBQUksR0FBRyxvQkFBUyxDQUFDLEdBQUcsQ0FBQztRQUV6QixJQUFJLEtBQUssQ0FBQyxNQUFNLEdBQUcsRUFBRSxFQUFFLENBQUM7WUFDdEIsTUFBTSxJQUFJLCtCQUFtQixDQUFDLHlCQUF5QixDQUFDLENBQUM7UUFDM0QsQ0FBQztRQUVELE1BQU0sT0FBTyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRW5ELElBQUksT0FBTyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQ2xCLE1BQU0sU0FBUyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3JELElBQUksU0FBUyxLQUFLLFVBQVUsRUFBRSxDQUFDO2dCQUM3QixJQUFJLEdBQUcsb0JBQVMsQ0FBQyxHQUFHLENBQUM7WUFDdkIsQ0FBQztpQkFBTSxJQUFJLFNBQVMsS0FBSyxVQUFVLEVBQUUsQ0FBQztnQkFDcEMsTUFBTSxJQUFJLCtCQUFtQixDQUFDLHNCQUFzQixTQUFTLEVBQUUsQ0FBQyxDQUFDO1lBQ25FLENBQUM7UUFDSCxDQUFDO2FBQU0sSUFBSSxPQUFPLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDekIsTUFBTSxJQUFJLCtCQUFtQixDQUFDLHlCQUF5QixPQUFPLEVBQUUsQ0FBQyxDQUFDO1FBQ3BFLENBQUM7UUFFRCxPQUFPLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxDQUFDO0lBQzNCLENBQUM7SUFFTSxNQUFNLENBQUMsWUFBWSxDQUFDLEtBQWlCO1FBQzFDLE1BQU0sT0FBTyxHQUFHLFNBQVMsQ0FBQyxrQkFBa0IsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUNwRCxRQUFRLE9BQU8sQ0FBQyxJQUFJLEVBQUUsQ0FBQztZQUNyQixLQUFLLG9CQUFTLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztnQkFDbkIsTUFBTSxTQUFTLEdBQUcsSUFBSSxZQUFZLEVBQUUsQ0FBQztnQkFDckMsTUFBTSxjQUFjLEdBQUcsU0FBUyxDQUFDLFVBQVUsQ0FBQyxLQUFLLENBQUMsQ0FBQztnQkFDbkQsTUFBTSxZQUFZLEdBQUcsU0FBUyxDQUFDLFdBQVcsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7Z0JBRWxFLE9BQU8sWUFBWSxDQUFDLFNBQVMsQ0FBQztZQUNoQyxDQUFDO1lBQ0QsS0FBSyxvQkFBUyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7Z0JBQ25CLE1BQU0sU0FBUyxHQUFHLElBQUksWUFBWSxFQUFFLENBQUM7Z0JBQ3JDLE1BQU0sY0FBYyxHQUFHLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQ25ELE1BQU0sTUFBTSxHQUFHLFNBQVMsQ0FBQyxTQUFTLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FBQyxDQUFDO2dCQUMvRCxNQUFNLElBQUksR0FBRyxNQUFNLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxDQUFDO2dCQUN6QyxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxZQUFZLENBQUMsQ0FBQztnQkFDakMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLENBQUM7Z0JBQ3pCLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO2dCQUMxQixJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztnQkFDMUIsSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQzFCLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO2dCQUUxQixPQUFPLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUN2QixDQUFDO1lBQ0Q7Z0JBQ0UsTUFBTSxJQUFJLCtCQUFtQixDQUFDLG9CQUFvQixDQUFDLENBQUM7UUFDeEQsQ0FBQztJQUNILENBQUM7O0FBNUZILDhCQTZGQztBQUVELE1BQWEsWUFBYSxTQUFRLFNBQVM7SUFDekMsTUFBTSxDQUFVLGVBQWUsR0FBRyxFQUFFLENBQUM7SUFDckMsTUFBTSxDQUFVLFlBQVksR0FBRyxFQUFFLENBQUM7SUFDbEMsTUFBTSxDQUFVLFVBQVUsR0FBRyxHQUFHLENBQUM7SUFDakMsTUFBTSxDQUFVLGNBQWMsR0FBRyxFQUFFLENBQUM7SUFDcEMsTUFBTSxDQUFVLFlBQVksR0FBRyxFQUFFLENBQUM7SUFDbEMsTUFBTSxDQUFVLFVBQVUsR0FBRyxFQUFFLENBQUM7SUFDaEMsTUFBTSxDQUFVLHFCQUFxQixHQUFHLEVBQUUsQ0FBQztJQUMzQyxNQUFNLENBQVUsbUJBQW1CLEdBQUcsRUFBRSxDQUFDO0lBQ3pDLE1BQU0sQ0FBVSxvQkFBb0IsR0FDbEMsWUFBWSxDQUFDLHFCQUFxQixHQUFHLFlBQVksQ0FBQyxtQkFBbUIsR0FBRyxjQUFjLENBQUMsRUFBRSxDQUFDO0lBQzVGLE1BQU0sQ0FBVSxrQkFBa0IsR0FBRyxFQUFFLENBQUM7SUFDeEMsTUFBTSxDQUFVLHFCQUFxQixHQUNuQyxZQUFZLENBQUMsb0JBQW9CLEdBQUcsWUFBWSxDQUFDLGtCQUFrQixHQUFHLGNBQWMsQ0FBQyxFQUFFLENBQUM7SUFDMUYsTUFBTSxDQUFVLG1CQUFtQixHQUFHLENBQUMsQ0FBQztJQUN4QyxNQUFNLENBQVUsa0JBQWtCLEdBQ2hDLFlBQVksQ0FBQyxxQkFBcUIsR0FBRyxZQUFZLENBQUMsbUJBQW1CLENBQUM7SUFDeEUsTUFBTSxDQUFVLGdCQUFnQixHQUFHLENBQUMsQ0FBQztJQUNyQyxNQUFNLENBQVUsZ0JBQWdCLEdBQzlCLFlBQVksQ0FBQyxrQkFBa0IsR0FBRyxZQUFZLENBQUMsZ0JBQWdCLEdBQUcsY0FBYyxDQUFDLEVBQUUsQ0FBQztJQUN0RixNQUFNLENBQVUsa0JBQWtCLEdBQUcsRUFBRSxDQUFDO0lBQ3hDLE1BQU0sQ0FBVSxzQkFBc0IsR0FBRyxFQUFFLENBQUM7SUFDNUMsTUFBTSxDQUFVLHNCQUFzQixHQUFHLEVBQUUsQ0FBQztJQUU1QyxVQUFVLENBQUMsSUFBZ0I7UUFDekIsTUFBTSxFQUNKLGVBQWUsRUFDZixZQUFZLEVBQ1osVUFBVSxFQUNWLGNBQWMsRUFDZCxZQUFZLEVBQ1osc0JBQXNCLEVBQ3RCLHNCQUFzQixHQUN2QixHQUFHLFlBQVksQ0FBQztRQUVqQixJQUFJLElBQUksQ0FBQyxNQUFNLEdBQUcsZUFBZSxHQUFHLFVBQVUsRUFBRSxDQUFDO1lBQy9DLE1BQU0sSUFBSSwrQkFBbUIsQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO1FBQzNELENBQUM7UUFDRCxNQUFNLGNBQWMsR0FBRyxFQUFFLElBQUksRUFBRSxlQUFJLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7UUFDakQsTUFBTSxXQUFXLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGNBQWMsRUFBRSxlQUFlLENBQUMsQ0FBQztRQUM1RSxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsY0FBYyxFQUFFLFVBQVUsQ0FBQyxDQUFDO1FBRWxFLE1BQU0sT0FBTyxHQUFHLFdBQVcsQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFNUMsTUFBTSxrQkFBa0IsR0FBRyxXQUFXLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRXZELElBQUksa0JBQWtCLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDM0IsTUFBTSxJQUFJLCtCQUFtQixDQUFDLDhEQUE4RCxDQUFDLENBQUM7UUFDaEcsQ0FBQztRQUVELE1BQU0sTUFBTSxHQUFHLFdBQVcsQ0FBQyxZQUFZLENBQUMsWUFBWSxDQUFDLENBQUM7UUFFdEQsTUFBTSxRQUFRLEdBQUcsV0FBVyxDQUFDLEtBQUssQ0FBQyxjQUFjLEVBQUUsY0FBYyxHQUFHLFlBQVksQ0FBQyxDQUFDO1FBRWxGLE1BQU0scUJBQXFCLEdBQUcsY0FBYyxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDbEUsY0FBYyxDQUFDLElBQUksR0FBRyxlQUFJLENBQUMsSUFBSSxDQUFDLGNBQWMsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFakUsSUFBSSxxQkFBcUIsSUFBSSxjQUFjLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ3hELE1BQU0sSUFBSSwrQkFBbUIsQ0FDM0IsNkNBQTZDLGNBQWMsQ0FBQyxJQUFJLENBQUMsTUFBTSxlQUFlLHFCQUFxQixXQUFXLENBQ3ZILENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSw4QkFBOEIsR0FBRztZQUNyQyxJQUFJLEVBQUUsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGNBQWMsRUFBRSxxQkFBcUIsQ0FBQztTQUNwRSxDQUFDO1FBQ0YsTUFBTSx5QkFBeUIsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQ3RELDhCQUE4QixFQUM5QixzQkFBc0IsQ0FDdkIsQ0FBQztRQUNGLE1BQU0sbUJBQW1CLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUNoRCw4QkFBOEIsRUFDOUIsc0JBQXNCLENBQ3ZCLENBQUM7UUFDRixNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsOEJBQThCLEVBQUUsVUFBVSxDQUFDLENBQUM7UUFDcEYsTUFBTSxpQkFBaUIsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQzlDLDhCQUE4QixFQUM5QixzQkFBc0IsQ0FDdkIsQ0FBQztRQUNGLE1BQU0sd0JBQXdCLEdBQUcsOEJBQThCLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNyRiw4QkFBOEIsQ0FBQyxJQUFJLEdBQUcsZUFBSSxDQUFDLElBQUksQ0FDN0MsOEJBQThCLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FDaEQsQ0FBQztRQUVGLElBQUksOEJBQThCLENBQUMsSUFBSSxDQUFDLE1BQU0sR0FBRyx3QkFBd0IsRUFBRSxDQUFDO1lBQzFFLE1BQU0sSUFBSSwrQkFBbUIsQ0FDM0IsZ0RBQWdELDhCQUE4QixDQUFDLElBQUksQ0FBQyxNQUFNLGVBQWUsd0JBQXdCLFdBQVcsQ0FDN0ksQ0FBQztRQUNKLENBQUM7UUFFRCxNQUFNLG9CQUFvQixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FDakQsOEJBQThCLEVBQzlCLHdCQUF3QixDQUN6QixDQUFDO1FBRUYsTUFBTSx1QkFBdUIsR0FBRyw4QkFBOEIsQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRXBGLElBQUksdUJBQXVCLEdBQUcsQ0FBQyxJQUFJLHVCQUF1QixHQUFHLENBQUMsRUFBRSxDQUFDO1lBQy9ELE1BQU0sSUFBSSwrQkFBbUIsQ0FDM0IsNENBQTRDLHVCQUF1QixFQUFFLENBQ3RFLENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxxQkFBcUIsR0FBRyw4QkFBOEIsQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2xGLE1BQU0sbUJBQW1CLEdBQUcsOEJBQThCLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFFaEYsSUFBSSxxQkFBcUIsSUFBSSxtQkFBbUIsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUN4RCxNQUFNLElBQUksK0JBQW1CLENBQzNCLHNGQUFzRixxQkFBcUIsV0FBVyxDQUN2SCxDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0sU0FBUyxHQUFHLElBQUEsdUJBQVUsRUFBQyxtQkFBbUIsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxDQUFDLDJCQUEyQjtRQUMvRixNQUFNLFNBQVMsR0FBRyxTQUFTLENBQUMsR0FBRyxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFFN0QsT0FBTztZQUNMLFNBQVMsRUFBRSxvQkFBUyxDQUFDLEdBQUc7WUFDeEIsU0FBUyxFQUFFLFdBQVc7WUFDdEIsTUFBTSxFQUFFO2dCQUNOLE9BQU87Z0JBQ1Asa0JBQWtCO2dCQUNsQixNQUFNO2dCQUNOLFFBQVE7YUFDVDtZQUNELE1BQU07WUFDTix5QkFBeUI7WUFDekIsbUJBQW1CO1lBQ25CLFFBQVE7WUFDUixpQkFBaUI7WUFDakIsb0JBQW9CO1lBQ3BCLHVCQUF1QjtZQUN2QixtQkFBbUI7WUFDbkIsWUFBWSxFQUFFO2dCQUNaLE1BQU0sRUFBRTtvQkFDTixHQUFHLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztvQkFDakIsUUFBUSxFQUFFLFNBQVMsQ0FBQyxDQUFDLENBQUM7aUJBQ3ZCO2dCQUNELFFBQVEsRUFBRTtvQkFDUixHQUFHLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztvQkFDakIsUUFBUSxFQUFFLFNBQVMsQ0FBQyxDQUFDLENBQUM7aUJBQ3ZCO2dCQUNELElBQUksRUFBRTtvQkFDSixHQUFHLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztvQkFDakIsUUFBUSxFQUFFLFNBQVMsQ0FBQyxDQUFDLENBQUM7aUJBQ3ZCO2FBQ0Y7U0FDRixDQUFDO0lBQ0osQ0FBQztJQUVELFdBQVcsQ0FBQyxJQUFnQjtRQUMxQixNQUFNLEVBQ0osVUFBVSxFQUNWLFVBQVUsRUFDVixxQkFBcUIsRUFDckIsbUJBQW1CLEVBQ25CLG9CQUFvQixFQUNwQixrQkFBa0IsRUFDbEIscUJBQXFCLEVBQ3JCLG1CQUFtQixFQUNuQixrQkFBa0IsRUFDbEIsZ0JBQWdCLEVBQ2hCLGdCQUFnQixFQUNoQixrQkFBa0IsRUFDbEIsa0JBQWtCLEdBQ25CLEdBQUcsWUFBWSxDQUFDO1FBRWpCLElBQUksSUFBSSxDQUFDLE1BQU0sR0FBRyxVQUFVLEVBQUUsQ0FBQztZQUM3QixNQUFNLElBQUksK0JBQW1CLENBQUMseUJBQXlCLENBQUMsQ0FBQztRQUMzRCxDQUFDO1FBRUQsTUFBTSxNQUFNLEdBQUcsZUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUMvQixNQUFNLE1BQU0sR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxVQUFVLENBQUMsQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDM0QsTUFBTSxTQUFTLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FDNUIscUJBQXFCLEVBQ3JCLHFCQUFxQixHQUFHLG1CQUFtQixDQUM1QyxDQUFDO1FBQ0YsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FBQyxvQkFBb0IsRUFBRSxvQkFBb0IsR0FBRyxrQkFBa0IsQ0FBQyxDQUFDO1FBQy9GLE1BQU0sU0FBUyxHQUFHLE1BQU07YUFDckIsS0FBSyxDQUFDLHFCQUFxQixFQUFFLHFCQUFxQixHQUFHLG1CQUFtQixDQUFDO2FBQ3pFLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNuQixNQUFNLE1BQU0sR0FBRyxNQUFNO2FBQ2xCLEtBQUssQ0FBQyxrQkFBa0IsRUFBRSxrQkFBa0IsR0FBRyxnQkFBZ0IsQ0FBQzthQUNoRSxZQUFZLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDbkIsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FBQyxnQkFBZ0IsRUFBRSxnQkFBZ0IsR0FBRyxrQkFBa0IsQ0FBQyxDQUFDO1FBQ3ZGLE1BQU0sUUFBUSxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsZ0JBQWdCLEVBQUUsZ0JBQWdCLEdBQUcsa0JBQWtCLENBQUMsQ0FBQztRQUV2RixPQUFPO1lBQ0wsTUFBTTtZQUNOLFNBQVM7WUFDVCxRQUFRO1lBQ1IsU0FBUztZQUNULE1BQU07WUFDTixRQUFRO1lBQ1IsUUFBUTtTQUNULENBQUM7SUFDSixDQUFDOztBQW5NSCxvQ0FvTUM7QUFFRCxNQUFhLFlBQWEsU0FBUSxTQUFTO0lBQ3pDLDRCQUE0QjtJQUM1QixNQUFNLENBQVUsZUFBZSxHQUFHLEVBQUUsQ0FBQztJQUNyQyxNQUFNLENBQVUsZUFBZSxHQUFHLEdBQUcsQ0FBQztJQUN0QyxNQUFNLENBQVUscUJBQXFCLEdBQUcsQ0FBQyxDQUFDO0lBRTFDLGdCQUFnQjtJQUNoQixNQUFNLENBQVUsaUJBQWlCLEdBQUcsQ0FBQyxDQUFDO0lBQ3RDLE1BQU0sQ0FBVSw0QkFBNEIsR0FBRyxDQUFDLENBQUM7SUFDakQsTUFBTSxDQUFVLGlCQUFpQixHQUFHLENBQUMsQ0FBQztJQUN0QyxNQUFNLENBQVUsbUJBQW1CLEdBQUcsQ0FBQyxDQUFDO0lBQ3hDLE1BQU0sQ0FBVSxtQkFBbUIsR0FBRyxDQUFDLENBQUM7SUFDeEMsTUFBTSxDQUFVLG9CQUFvQixHQUFHLEVBQUUsQ0FBQztJQUMxQyxNQUFNLENBQVUsa0JBQWtCLEdBQUcsRUFBRSxDQUFDO0lBRXhDLGNBQWM7SUFDZCxNQUFNLENBQVUsaUJBQWlCLEdBQUcsRUFBRSxDQUFDO0lBQ3ZDLE1BQU0sQ0FBVSxjQUFjLEdBQUcsRUFBRSxDQUFDO0lBQ3BDLE1BQU0sQ0FBVSxvQkFBb0IsR0FBRyxFQUFFLENBQUM7SUFDMUMsTUFBTSxDQUFVLHNCQUFzQixHQUFHLENBQUMsQ0FBQztJQUMzQyxNQUFNLENBQVUsb0JBQW9CLEdBQUcsQ0FBQyxDQUFDO0lBQ3pDLE1BQU0sQ0FBVSxZQUFZLEdBQUcsQ0FBQyxDQUFDO0lBQ2pDLE1BQU0sQ0FBVSxZQUFZLEdBQUcsRUFBRSxDQUFDO0lBQ2xDLE1BQU0sQ0FBVSxrQkFBa0IsR0FBRyxFQUFFLENBQUM7SUFDeEMsTUFBTSxDQUFVLGVBQWUsR0FBRyxFQUFFLENBQUM7SUFDckMsTUFBTSxDQUFVLHFCQUFxQixHQUFHLEVBQUUsQ0FBQztJQUMzQyxNQUFNLENBQVUsYUFBYSxHQUFHLEVBQUUsQ0FBQztJQUNuQyxNQUFNLENBQVUsYUFBYSxHQUFHLEVBQUUsQ0FBQztJQUNuQyxNQUFNLENBQVUsYUFBYSxHQUFHLEVBQUUsQ0FBQztJQUNuQyxNQUFNLENBQVUsYUFBYSxHQUFHLEVBQUUsQ0FBQztJQUNuQyxNQUFNLENBQVUsa0JBQWtCLEdBQUcsRUFBRSxDQUFDO0lBRXhDLG1CQUFtQjtJQUNuQixNQUFNLENBQVUscUJBQXFCLEdBQUcsRUFBRSxDQUFDO0lBQzNDLE1BQU0sQ0FBVSxxQkFBcUIsR0FBRyxFQUFFLENBQUM7SUFDM0MsTUFBTSxDQUFVLG1CQUFtQixHQUFHLENBQUMsQ0FBQztJQUN4QyxNQUFNLENBQVUsaUJBQWlCLEdBQUcsQ0FBQyxDQUFDO0lBQ3RDLE1BQU0sQ0FBVSxlQUFlLEdBQUcsR0FBRyxDQUFDO0lBQ3RDLE1BQU0sQ0FBVSx3QkFBd0IsR0FBRyxFQUFFLENBQUM7SUFDOUMsTUFBTSxDQUFVLDZCQUE2QixHQUFHLENBQUMsQ0FBQztJQUNsRCxNQUFNLENBQVUsb0JBQW9CLEdBQUcsQ0FBQyxDQUFDO0lBQ3pDLE1BQU0sQ0FBVSxrQkFBa0IsR0FBRyxDQUFDLENBQUM7SUFFdkMsVUFBVSxDQUFDLElBQWdCO1FBQ3pCLE1BQU0sRUFDSixlQUFlLEVBQ2YsZUFBZSxFQUNmLHFCQUFxQixFQUVyQixxQkFBcUIsRUFDckIscUJBQXFCLEVBQ3JCLG1CQUFtQixFQUNuQixpQkFBaUIsRUFDakIsZUFBZSxFQUNmLHdCQUF3QixFQUN4Qiw2QkFBNkIsRUFDN0Isb0JBQW9CLEVBQ3BCLGtCQUFrQixHQUNuQixHQUFHLFlBQVksQ0FBQztRQUVqQixNQUFNLFlBQVksR0FBRyxlQUFlLEdBQUcsZUFBZSxHQUFHLHFCQUFxQixDQUFDO1FBQy9FLElBQUksSUFBSSxDQUFDLE1BQU0sR0FBRyxZQUFZLEVBQUUsQ0FBQztZQUMvQixNQUFNLElBQUksK0JBQW1CLENBQzNCLDRCQUE0QixJQUFJLENBQUMsTUFBTSw0QkFBNEIsWUFBWSxFQUFFLENBQ2xGLENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxjQUFjLEdBQUcsRUFBRSxJQUFJLEVBQUUsZUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO1FBQ2pELE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxjQUFjLEVBQUUsZUFBZSxDQUFDLENBQUM7UUFDMUUsTUFBTSxXQUFXLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGNBQWMsRUFBRSxlQUFlLENBQUMsQ0FBQztRQUM1RSxNQUFNLFlBQVksR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsY0FBYyxFQUFFLHFCQUFxQixDQUFDLENBQUM7UUFDbkYsTUFBTSxxQkFBcUIsR0FBRyxZQUFZLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRTNELE1BQU0sZ0JBQWdCLEdBQ3BCLGVBQWUsR0FBRyxlQUFlLEdBQUcscUJBQXFCLEdBQUcscUJBQXFCLENBQUM7UUFDcEYsSUFBSSxJQUFJLENBQUMsTUFBTSxHQUFHLGdCQUFnQixFQUFFLENBQUM7WUFDbkMsTUFBTSxJQUFJLCtCQUFtQixDQUMzQiw0QkFBNEIsSUFBSSxDQUFDLE1BQU0sNEJBQTRCLGdCQUFnQixFQUFFLENBQ3RGLENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxTQUFTLEdBQUcsRUFBRSxJQUFJLEVBQUUsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGNBQWMsRUFBRSxxQkFBcUIsQ0FBQyxFQUFFLENBQUM7UUFFMUYsTUFBTSxjQUFjLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFNBQVMsRUFBRSxxQkFBcUIsQ0FBQyxDQUFDO1FBQ2hGLE1BQU0sbUJBQW1CLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFNBQVMsRUFBRSxxQkFBcUIsQ0FBQyxDQUFDO1FBRXJGLE1BQU0sWUFBWSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLEVBQUUsbUJBQW1CLENBQUMsQ0FBQyxZQUFZLEVBQUUsQ0FBQyxDQUFDLFlBQVk7UUFDeEcsSUFBSSxZQUFZLEtBQUssQ0FBQztZQUNwQixNQUFNLElBQUksK0JBQW1CLENBQUMsa0NBQWtDLFlBQVksY0FBYyxDQUFDLENBQUM7UUFFOUYsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFNBQVMsRUFBRSxpQkFBaUIsQ0FBQyxDQUFDLFlBQVksRUFBRSxDQUFDO1FBRXpGLElBQUksU0FBUyxDQUFDLElBQUksQ0FBQyxNQUFNLEdBQUcsWUFBWTtZQUN0QyxNQUFNLElBQUksK0JBQW1CLENBQzNCLCtCQUErQixJQUFJLENBQUMsTUFBTSw0QkFBNEIsWUFBWSxFQUFFLENBQ3JGLENBQUM7UUFFSixNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsU0FBUyxFQUFFLGVBQWUsQ0FBQyxDQUFDO1FBQ3BFLE1BQU0saUJBQWlCLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFNBQVMsRUFBRSx3QkFBd0IsQ0FBQyxDQUFDO1FBRXRGLE1BQU0sd0JBQXdCLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUNyRCxTQUFTLEVBQ1QsNkJBQTZCLENBQzlCLENBQUMsWUFBWSxFQUFFLENBQUM7UUFFakIsSUFBSSxTQUFTLENBQUMsSUFBSSxDQUFDLE1BQU0sR0FBRyx3QkFBd0I7WUFDbEQsTUFBTSxJQUFJLCtCQUFtQixDQUMzQiwyQ0FBMkMsSUFBSSxDQUFDLE1BQU0sNEJBQTRCLHdCQUF3QixFQUFFLENBQzdHLENBQUM7UUFFSixNQUFNLG9CQUFvQixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLEVBQUUsd0JBQXdCLENBQUMsQ0FBQztRQUV6RixNQUFNLHVCQUF1QixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FDcEQsU0FBUyxFQUNULG9CQUFvQixDQUNyQixDQUFDLFlBQVksRUFBRSxDQUFDLENBQUMsWUFBWTtRQUM5QixJQUFJLHVCQUF1QixLQUFLLENBQUM7WUFDL0IsTUFBTSxJQUFJLCtCQUFtQixDQUMzQixtQ0FBbUMsdUJBQXVCLGNBQWMsQ0FDekUsQ0FBQztRQUVKLE1BQU0sYUFBYSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLEVBQUUsa0JBQWtCLENBQUMsQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUUzRixJQUFJLFNBQVMsQ0FBQyxJQUFJLENBQUMsTUFBTSxHQUFHLGFBQWE7WUFDdkMsTUFBTSxJQUFJLCtCQUFtQixDQUMzQixnQ0FBZ0MsSUFBSSxDQUFDLE1BQU0sNEJBQTRCLGFBQWEsRUFBRSxDQUN2RixDQUFDO1FBRUosTUFBTSxtQkFBbUIsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsU0FBUyxFQUFFLGFBQWEsQ0FBQyxDQUFDO1FBRTdFLE1BQU0sU0FBUyxHQUFHLElBQUEsdUJBQVUsRUFBQyxtQkFBbUIsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxDQUFDLDJCQUEyQjtRQUMvRixNQUFNLFNBQVMsR0FBRyxTQUFTLENBQUMsR0FBRyxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFFN0QsT0FBTztZQUNMLFNBQVMsRUFBRSxvQkFBUyxDQUFDLEdBQUc7WUFDeEIsU0FBUztZQUNULE1BQU0sRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLFNBQVMsQ0FBQztZQUNuQyxXQUFXO1lBQ1gsY0FBYztZQUNkLG1CQUFtQjtZQUNuQixZQUFZO1lBQ1osUUFBUTtZQUNSLGlCQUFpQjtZQUNqQixvQkFBb0I7WUFDcEIsdUJBQXVCO1lBQ3ZCLG1CQUFtQjtZQUNuQixZQUFZLEVBQUU7Z0JBQ1osTUFBTSxFQUFFO29CQUNOLEdBQUcsRUFBRSxTQUFTLENBQUMsQ0FBQyxDQUFDO29CQUNqQixRQUFRLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztpQkFDdkI7Z0JBQ0QsUUFBUSxFQUFFO29CQUNSLEdBQUcsRUFBRSxTQUFTLENBQUMsQ0FBQyxDQUFDO29CQUNqQixRQUFRLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztpQkFDdkI7Z0JBQ0QsSUFBSSxFQUFFO29CQUNKLEdBQUcsRUFBRSxTQUFTLENBQUMsQ0FBQyxDQUFDO29CQUNqQixRQUFRLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztpQkFDdkI7YUFDRjtTQUNGLENBQUM7SUFDSixDQUFDO0lBRUQsV0FBVyxDQUFDLElBQWdCO1FBQzFCLE1BQU0sRUFDSixpQkFBaUIsRUFDakIsNEJBQTRCLEVBQzVCLGlCQUFpQixFQUNqQixtQkFBbUIsRUFDbkIsbUJBQW1CLEVBQ25CLG9CQUFvQixFQUNwQixrQkFBa0IsR0FDbkIsR0FBRyxZQUFZLENBQUM7UUFFakIsTUFBTSxlQUFlLEdBQUcsRUFBRSxJQUFJLEVBQUUsZUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO1FBRWxELE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxlQUFlLEVBQUUsaUJBQWlCLENBQUMsQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUMxRixNQUFNLGtCQUFrQixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FDL0MsZUFBZSxFQUNmLDRCQUE0QixDQUM3QixDQUFDLFlBQVksRUFBRSxDQUFDO1FBQ2pCLE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxlQUFlLEVBQUUsaUJBQWlCLENBQUMsQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUMxRixNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsZUFBZSxFQUFFLG1CQUFtQixDQUFDLENBQUM7UUFDL0UsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGVBQWUsRUFBRSxtQkFBbUIsQ0FBQyxDQUFDO1FBQy9FLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxlQUFlLEVBQUUsb0JBQW9CLENBQUMsQ0FBQztRQUNqRixNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsZUFBZSxFQUFFLGtCQUFrQixDQUFDLENBQUM7UUFFN0UsT0FBTztZQUNMLE9BQU87WUFDUCxrQkFBa0I7WUFDbEIsT0FBTztZQUNQLFNBQVM7WUFDVCxTQUFTO1lBQ1QsVUFBVTtZQUNWLFFBQVE7U0FDVCxDQUFDO0lBQ0osQ0FBQztJQUVELFNBQVMsQ0FBQyxJQUFnQjtRQUN4QixNQUFNLEVBQ0osaUJBQWlCLEVBQ2pCLGNBQWMsRUFDZCxvQkFBb0IsRUFDcEIsc0JBQXNCLEVBQ3RCLG9CQUFvQixFQUNwQixZQUFZLEVBQ1osWUFBWSxFQUNaLGtCQUFrQixFQUNsQixlQUFlLEVBQ2YscUJBQXFCLEVBQ3JCLGFBQWEsRUFDYixhQUFhLEVBQ2IsYUFBYSxFQUNiLGFBQWEsRUFDYixrQkFBa0IsRUFDbEIsa0JBQWtCLEdBQ25CLEdBQUcsWUFBWSxDQUFDO1FBRWpCLE1BQU0sYUFBYSxHQUFHLEVBQUUsSUFBSSxFQUFFLGVBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUVoRCxJQUFJLGFBQWEsQ0FBQyxJQUFJLENBQUMsTUFBTSxLQUFLLFlBQVksQ0FBQyxlQUFlO1lBQzVELE1BQU0sSUFBSSwrQkFBbUIsQ0FDM0IsMkJBQTJCLGFBQWEsQ0FBQyxJQUFJLENBQUMsTUFBTSxjQUFjLFlBQVksQ0FBQyxlQUFlLEVBQUUsQ0FDakcsQ0FBQztRQUVKLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLEVBQUUsaUJBQWlCLENBQUMsQ0FBQztRQUMzRSxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLGNBQWMsQ0FBQyxDQUFDO1FBQ3JFLE1BQU0sWUFBWSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLEVBQUUsb0JBQW9CLENBQUMsQ0FBQztRQUNqRixNQUFNLGNBQWMsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLHNCQUFzQixDQUFDLENBQUM7UUFDckYsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxvQkFBb0IsQ0FBQyxDQUFDO1FBQ2pGLE1BQU0sSUFBSSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLEVBQUUsWUFBWSxDQUFDLENBQUM7UUFDakUsTUFBTSxJQUFJLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxZQUFZLENBQUMsQ0FBQztRQUNqRSxNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLGtCQUFrQixDQUFDLENBQUM7UUFDN0UsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxlQUFlLENBQUMsQ0FBQztRQUN2RSxNQUFNLGFBQWEsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLHFCQUFxQixDQUFDLENBQUM7UUFDbkYsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxhQUFhLENBQUMsQ0FBQztRQUNuRSxNQUFNLEtBQUssR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLGFBQWEsQ0FBQyxDQUFDO1FBQ25FLE1BQU0sS0FBSyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLEVBQUUsYUFBYSxDQUFDLENBQUM7UUFDbkUsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxhQUFhLENBQUMsQ0FBQztRQUNuRSxNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLGtCQUFrQixDQUFDLENBQUM7UUFDN0UsTUFBTSxRQUFRLEdBQUcsVUFBVSxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsa0JBQWtCLENBQUMsQ0FBQztRQUN6RCxPQUFPO1lBQ0wsU0FBUztZQUNULE1BQU07WUFDTixZQUFZO1lBQ1osY0FBYztZQUNkLFlBQVk7WUFDWixJQUFJO1lBQ0osSUFBSTtZQUNKLFVBQVU7WUFDVixPQUFPO1lBQ1AsYUFBYTtZQUNiLEtBQUs7WUFDTCxLQUFLO1lBQ0wsS0FBSztZQUNMLEtBQUs7WUFDTCxVQUFVO1lBQ1YsUUFBUTtTQUNULENBQUM7SUFDSixDQUFDOztBQW5RSCxvQ0FvUUMifQ==

package/dist/cjs/tee/TeeCertificateService.d.ts

@@ -0,0 +1,20 @@
+export declare enum ValidateTeeCertChainErrorCode {
+    CERT_CHAIN_IS_INVALID = "CERT_CHAIN_IS_INVALID",
+    NOT_ALLOWED_CHALLENGE = "NOT_ALLOWED_CHALLENGE",
+    CHALLENGE_IS_INVALID = "CHALLENGE_IS_INVALID"
+}
+export interface ValidateTeeCertChainResult {
+    isValid: boolean;
+    errorCode?: string;
+    errorMessage?: string;
+}
+export declare class TeeCertificateService {
+    static validateTeeCertChainOrFail(certsPem: string): Promise<void>;
+    static validateTeeCertChain(certsPem: string): Promise<ValidateTeeCertChainResult>;
+    private static validateChallenge;
+    private static validateGpuChallenge;
+    private static validateChallengeSgx;
+    private static validateChallengeId;
+    private static getGpuInfoFromCert;
+    private static validateCertificateWithSubtype;
+}

package/dist/cjs/tee/TeeCertificateService.js

@@ -0,0 +1,143 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TeeCertificateService = exports.ValidateTeeCertChainErrorCode = void 0;
+const constants_js_1 = require("../constants.js");
+const pki_common_1 = require("@super-protocol/pki-common");
+const TeeSignatureVerifier_js_1 = require("./TeeSignatureVerifier.js");
+const errors_js_1 = require("./errors.js");
+const index_js_1 = require("../certificates/index.js");
+const Nvtrust_js_1 = require("../proto/Nvtrust.js");
+var ValidateTeeCertChainErrorCode;
+(function (ValidateTeeCertChainErrorCode) {
+    ValidateTeeCertChainErrorCode["CERT_CHAIN_IS_INVALID"] = "CERT_CHAIN_IS_INVALID";
+    ValidateTeeCertChainErrorCode["NOT_ALLOWED_CHALLENGE"] = "NOT_ALLOWED_CHALLENGE";
+    ValidateTeeCertChainErrorCode["CHALLENGE_IS_INVALID"] = "CHALLENGE_IS_INVALID";
+})(ValidateTeeCertChainErrorCode || (exports.ValidateTeeCertChainErrorCode = ValidateTeeCertChainErrorCode = {}));
+class TeeCertificateService {
+    static async validateTeeCertChainOrFail(certsPem) {
+        const result = await TeeCertificateService.validateTeeCertChain(certsPem);
+        if (!result.isValid) {
+            throw new Error(result.errorMessage);
+        }
+    }
+    static async validateTeeCertChain(certsPem) {
+        const { isValid, errorMessage } = await index_js_1.CertificatesHelper.validateCertChain(certsPem, constants_js_1.SUPERPROTOCOL_CA);
+        if (!isValid) {
+            return {
+                isValid: false,
+                errorCode: ValidateTeeCertChainErrorCode.CERT_CHAIN_IS_INVALID,
+                errorMessage: `Cert chain is invalid! (${errorMessage})`,
+            };
+        }
+        // ROOT CA doesn't have challenge. but we trust it as it is in SUPERPROTOCOL_CA constant
+        const { certs } = index_js_1.CertificatesHelper.extractCAFromChain(certsPem);
+        const sortedCerts = index_js_1.CertificatesHelper.sortCertsFromLeafToRoot(certs).map((certWithKeyIdent) => certWithKeyIdent.cert);
+        try {
+            await Promise.all(sortedCerts.map((cert) => TeeCertificateService.validateChallenge(cert)));
+            const leafCert = sortedCerts[0];
+            await TeeCertificateService.validateGpuChallenge(leafCert);
+        }
+        catch (err) {
+            return {
+                isValid: false,
+                errorCode: err instanceof errors_js_1.NotAllowedChallengeError
+                    ? ValidateTeeCertChainErrorCode.NOT_ALLOWED_CHALLENGE
+                    : ValidateTeeCertChainErrorCode.CHALLENGE_IS_INVALID,
+                errorMessage: `Challenge is not valid! (${err.message})`,
+            };
+        }
+        return { isValid: true };
+    }
+    static async validateChallenge(cert) {
+        const challengeType = index_js_1.CertificatesHelper.getExtensionValue(cert, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_TYPE)?.toString('binary');
+        if (challengeType === pki_common_1.ChallengeType.Untrusted) {
+            throw new errors_js_1.NotAllowedChallengeError(`Cert chain has cert with Untrusted challenge`);
+        }
+        switch (challengeType) {
+            case pki_common_1.ChallengeType.SGXDCAP:
+                TeeCertificateService.validateChallengeSgx(cert);
+                break;
+            case pki_common_1.ChallengeType.TDX:
+            case pki_common_1.ChallengeType.SEVSNP:
+                await TeeCertificateService.validateChallengeId(cert, challengeType);
+                break;
+            case pki_common_1.ChallengeType.Certificate:
+            case pki_common_1.ChallengeType.Token:
+                await TeeCertificateService.validateCertificateWithSubtype(cert, challengeType);
+                break;
+            default:
+                throw new errors_js_1.NotAllowedChallengeError(`Challenge type ${challengeType || `[none]`} is missing or not allowed!`);
+        }
+    }
+    static validateGpuChallenge(cert) {
+        const gpusInfo = TeeCertificateService.getGpuInfoFromCert(cert);
+        const gpusInDebugMode = gpusInfo.filter((gpu) => gpu.dbgStat);
+        if (gpusInDebugMode.length) {
+            throw new Error(`The certificate contains information about GPU that is running in debug mode: ${JSON.stringify(gpusInDebugMode)}`);
+        }
+    }
+    static validateChallengeSgx(cert) {
+        const mrSignerBinaryString = index_js_1.CertificatesHelper.getExtensionValue(cert, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID);
+        if (!mrSignerBinaryString) {
+            throw new Error(`SGX challenge signature is wrong!`);
+        }
+        try {
+            TeeSignatureVerifier_js_1.TeeSignatureVerifier.validateSignatureSgx(mrSignerBinaryString);
+        }
+        catch (err) {
+            throw new Error(`SGX challenge signature is wrong!`);
+        }
+    }
+    static async validateChallengeId(cert, challengeType) {
+        const oid = challengeType === pki_common_1.ChallengeType.Certificate
+            ? pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_CERTIFICATE_ID
+            : pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_ID;
+        const mrEnclaveBinaryString = index_js_1.CertificatesHelper.getExtensionValue(cert, oid);
+        if (!mrEnclaveBinaryString) {
+            throw new Error(`Challenge id is missing in certificate!`);
+        }
+        try {
+            await TeeSignatureVerifier_js_1.TeeSignatureVerifier.validateSignature(mrEnclaveBinaryString, challengeType);
+        }
+        catch (err) {
+            const message = `${challengeType} signature is invalid!`;
+            if (err instanceof errors_js_1.InvalidSignatureError) {
+                throw new Error(`${message} ${err.message}`);
+            }
+            throw new Error(message);
+        }
+    }
+    static getGpuInfoFromCert(cert) {
+        let gpusInfo = { gpus: [] };
+        const gpusInfoRaw = index_js_1.CertificatesHelper.getExtensionValue(cert, pki_common_1.OID_CUSTOM_EXTENSION_NVIDIA_INFO_GPU);
+        if (gpusInfoRaw) {
+            try {
+                gpusInfo = Nvtrust_js_1.NvtrustGPUList.decode(gpusInfoRaw);
+            }
+            catch (err) {
+                const message = 'Failed to decode GPU info';
+                if (err instanceof Error) {
+                    throw new Error(`${message} ${err.message}`);
+                }
+                throw new Error(message);
+            }
+        }
+        return gpusInfo.gpus;
+    }
+    static async validateCertificateWithSubtype(cert, challengeType) {
+        if (challengeType === pki_common_1.ChallengeType.Certificate) {
+            await TeeCertificateService.validateChallengeId(cert, pki_common_1.ChallengeType.Certificate);
+        }
+        const subType = index_js_1.CertificatesHelper.getExtensionValue(cert, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_SUBTYPE)?.toString('binary');
+        switch (subType) {
+            case pki_common_1.ChallengeType.TDX:
+            case pki_common_1.ChallengeType.SEVSNP:
+                await TeeCertificateService.validateChallengeId(cert, subType);
+                break;
+            default:
+                throw new Error(`Unsupported subtype: ${subType}`);
+        }
+    }
+}
+exports.TeeCertificateService = TeeCertificateService;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiVGVlQ2VydGlmaWNhdGVTZXJ2aWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3RlZS9UZWVDZXJ0aWZpY2F0ZVNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsa0RBQW1EO0FBQ25ELDJEQVFvQztBQUNwQyx1RUFBaUU7QUFDakUsMkNBQThFO0FBQzlFLHVEQUE4RDtBQUM5RCxvREFBcUU7QUFHckUsSUFBWSw2QkFJWDtBQUpELFdBQVksNkJBQTZCO0lBQ3ZDLGdGQUErQyxDQUFBO0lBQy9DLGdGQUErQyxDQUFBO0lBQy9DLDhFQUE2QyxDQUFBO0FBQy9DLENBQUMsRUFKVyw2QkFBNkIsNkNBQTdCLDZCQUE2QixRQUl4QztBQU9ELE1BQWEscUJBQXFCO0lBQ2hDLE1BQU0sQ0FBQyxLQUFLLENBQUMsMEJBQTBCLENBQUMsUUFBZ0I7UUFDdEQsTUFBTSxNQUFNLEdBQUcsTUFBTSxxQkFBcUIsQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUMxRSxJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ3BCLE1BQU0sSUFBSSxLQUFLLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDO1FBQ3ZDLENBQUM7SUFDSCxDQUFDO0lBRUQsTUFBTSxDQUFDLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQyxRQUFnQjtRQUNoRCxNQUFNLEVBQUUsT0FBTyxFQUFFLFlBQVksRUFBRSxHQUFHLE1BQU0sNkJBQWtCLENBQUMsaUJBQWlCLENBQzFFLFFBQVEsRUFDUiwrQkFBZ0IsQ0FDakIsQ0FBQztRQUVGLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE9BQU87Z0JBQ0wsT0FBTyxFQUFFLEtBQUs7Z0JBQ2QsU0FBUyxFQUFFLDZCQUE2QixDQUFDLHFCQUFxQjtnQkFDOUQsWUFBWSxFQUFFLDJCQUEyQixZQUFZLEdBQUc7YUFDekQsQ0FBQztRQUNKLENBQUM7UUFFRCx3RkFBd0Y7UUFDeEYsTUFBTSxFQUFFLEtBQUssRUFBRSxHQUFHLDZCQUFrQixDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQ2xFLE1BQU0sV0FBVyxHQUFHLDZCQUFrQixDQUFDLHVCQUF1QixDQUFDLEtBQUssQ0FBQyxDQUFDLEdBQUcsQ0FDdkUsQ0FBQyxnQkFBZ0IsRUFBRSxFQUFFLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUM1QyxDQUFDO1FBRUYsSUFBSSxDQUFDO1lBQ0gsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLHFCQUFxQixDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUU1RixNQUFNLFFBQVEsR0FBRyxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7WUFDaEMsTUFBTSxxQkFBcUIsQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUM3RCxDQUFDO1FBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztZQUNiLE9BQU87Z0JBQ0wsT0FBTyxFQUFFLEtBQUs7Z0JBQ2QsU0FBUyxFQUNQLEdBQUcsWUFBWSxvQ0FBd0I7b0JBQ3JDLENBQUMsQ0FBQyw2QkFBNkIsQ0FBQyxxQkFBcUI7b0JBQ3JELENBQUMsQ0FBQyw2QkFBNkIsQ0FBQyxvQkFBb0I7Z0JBQ3hELFlBQVksRUFBRSw0QkFBNkIsR0FBYSxDQUFDLE9BQU8sR0FBRzthQUNwRSxDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLENBQUM7SUFDM0IsQ0FBQztJQUVPLE1BQU0sQ0FBQyxLQUFLLENBQUMsaUJBQWlCLENBQUMsSUFBZ0M7UUFDckUsTUFBTSxhQUFhLEdBQUcsNkJBQWtCLENBQUMsaUJBQWlCLENBQ3hELElBQUksRUFDSixnREFBbUMsQ0FDcEMsRUFBRSxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFdEIsSUFBSSxhQUFhLEtBQUssMEJBQWEsQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUM5QyxNQUFNLElBQUksb0NBQXdCLENBQUMsOENBQThDLENBQUMsQ0FBQztRQUNyRixDQUFDO1FBRUQsUUFBUSxhQUFhLEVBQUUsQ0FBQztZQUN0QixLQUFLLDBCQUFhLENBQUMsT0FBTztnQkFDeEIscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsSUFBSSxDQUFDLENBQUM7Z0JBQ2pELE1BQU07WUFDUixLQUFLLDBCQUFhLENBQUMsR0FBRyxDQUFDO1lBQ3ZCLEtBQUssMEJBQWEsQ0FBQyxNQUFNO2dCQUN2QixNQUFNLHFCQUFxQixDQUFDLG1CQUFtQixDQUFDLElBQUksRUFBRSxhQUFhLENBQUMsQ0FBQztnQkFDckUsTUFBTTtZQUNSLEtBQUssMEJBQWEsQ0FBQyxXQUFXLENBQUM7WUFDL0IsS0FBSywwQkFBYSxDQUFDLEtBQUs7Z0JBQ3RCLE1BQU0scUJBQXFCLENBQUMsOEJBQThCLENBQUMsSUFBSSxFQUFFLGFBQWEsQ0FBQyxDQUFDO2dCQUNoRixNQUFNO1lBRVI7Z0JBQ0UsTUFBTSxJQUFJLG9DQUF3QixDQUNoQyxrQkFBa0IsYUFBYSxJQUFJLFFBQVEsNkJBQTZCLENBQ3pFLENBQUM7UUFDTixDQUFDO0lBQ0gsQ0FBQztJQUVPLE1BQU0sQ0FBQyxvQkFBb0IsQ0FBQyxJQUFnQztRQUNsRSxNQUFNLFFBQVEsR0FBRyxxQkFBcUIsQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUNoRSxNQUFNLGVBQWUsR0FBRyxRQUFRLENBQUMsTUFBTSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDOUQsSUFBSSxlQUFlLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDM0IsTUFBTSxJQUFJLEtBQUssQ0FDYixpRkFBaUYsSUFBSSxDQUFDLFNBQVMsQ0FBQyxlQUFlLENBQUMsRUFBRSxDQUNuSCxDQUFDO1FBQ0osQ0FBQztJQUNILENBQUM7SUFFTyxNQUFNLENBQUMsb0JBQW9CLENBQUMsSUFBZ0M7UUFDbEUsTUFBTSxvQkFBb0IsR0FBRyw2QkFBa0IsQ0FBQyxpQkFBaUIsQ0FDL0QsSUFBSSxFQUNKLHFEQUF3QyxDQUN6QyxDQUFDO1FBQ0YsSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7WUFDMUIsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO1FBQ3ZELENBQUM7UUFFRCxJQUFJLENBQUM7WUFDSCw4Q0FBb0IsQ0FBQyxvQkFBb0IsQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1FBQ2xFLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO1FBQ3ZELENBQUM7SUFDSCxDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQUssQ0FBQyxtQkFBbUIsQ0FDdEMsSUFBZ0MsRUFDaEMsYUFBNEI7UUFFNUIsTUFBTSxHQUFHLEdBQ1AsYUFBYSxLQUFLLDBCQUFhLENBQUMsV0FBVztZQUN6QyxDQUFDLENBQUMsMERBQTZDO1lBQy9DLENBQUMsQ0FBQyw4Q0FBaUMsQ0FBQztRQUN4QyxNQUFNLHFCQUFxQixHQUFHLDZCQUFrQixDQUFDLGlCQUFpQixDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsQ0FBQztRQUM5RSxJQUFJLENBQUMscUJBQXFCLEVBQUUsQ0FBQztZQUMzQixNQUFNLElBQUksS0FBSyxDQUFDLHlDQUF5QyxDQUFDLENBQUM7UUFDN0QsQ0FBQztRQUVELElBQUksQ0FBQztZQUNILE1BQU0sOENBQW9CLENBQUMsaUJBQWlCLENBQUMscUJBQXFCLEVBQUUsYUFBYSxDQUFDLENBQUM7UUFDckYsQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixNQUFNLE9BQU8sR0FBRyxHQUFHLGFBQWEsd0JBQXdCLENBQUM7WUFDekQsSUFBSSxHQUFHLFlBQVksaUNBQXFCLEVBQUUsQ0FBQztnQkFDekMsTUFBTSxJQUFJLEtBQUssQ0FBQyxHQUFHLE9BQU8sSUFBSSxHQUFHLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUMvQyxDQUFDO1lBQ0QsTUFBTSxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUMzQixDQUFDO0lBQ0gsQ0FBQztJQUVPLE1BQU0sQ0FBQyxrQkFBa0IsQ0FBQyxJQUFnQztRQUNoRSxJQUFJLFFBQVEsR0FBbUIsRUFBRSxJQUFJLEVBQUUsRUFBRSxFQUFFLENBQUM7UUFDNUMsTUFBTSxXQUFXLEdBQUcsNkJBQWtCLENBQUMsaUJBQWlCLENBQ3RELElBQUksRUFDSixpREFBb0MsQ0FDckMsQ0FBQztRQUVGLElBQUksV0FBVyxFQUFFLENBQUM7WUFDaEIsSUFBSSxDQUFDO2dCQUNILFFBQVEsR0FBRywyQkFBYyxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsQ0FBQztZQUNoRCxDQUFDO1lBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztnQkFDYixNQUFNLE9BQU8sR0FBRywyQkFBMkIsQ0FBQztnQkFDNUMsSUFBSSxHQUFHLFlBQVksS0FBSyxFQUFFLENBQUM7b0JBQ3pCLE1BQU0sSUFBSSxLQUFLLENBQUMsR0FBRyxPQUFPLElBQUksR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7Z0JBQy9DLENBQUM7Z0JBQ0QsTUFBTSxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQztZQUMzQixDQUFDO1FBQ0gsQ0FBQztRQUNELE9BQU8sUUFBUSxDQUFDLElBQUksQ0FBQztJQUN2QixDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQUssQ0FBQyw4QkFBOEIsQ0FDakQsSUFBZ0MsRUFDaEMsYUFBNEI7UUFFNUIsSUFBSSxhQUFhLEtBQUssMEJBQWEsQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNoRCxNQUFNLHFCQUFxQixDQUFDLG1CQUFtQixDQUFDLElBQUksRUFBRSwwQkFBYSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQ25GLENBQUM7UUFFRCxNQUFNLE9BQU8sR0FBRyw2QkFBa0IsQ0FBQyxpQkFBaUIsQ0FDbEQsSUFBSSxFQUNKLG1EQUFzQyxDQUN2QyxFQUFFLFFBQVEsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUV0QixRQUFRLE9BQU8sRUFBRSxDQUFDO1lBQ2hCLEtBQUssMEJBQWEsQ0FBQyxHQUFHLENBQUM7WUFDdkIsS0FBSywwQkFBYSxDQUFDLE1BQU07Z0JBQ3ZCLE1BQU0scUJBQXFCLENBQUMsbUJBQW1CLENBQUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxDQUFDO2dCQUMvRCxNQUFNO1lBQ1I7Z0JBQ0UsTUFBTSxJQUFJLEtBQUssQ0FBQyx3QkFBd0IsT0FBTyxFQUFFLENBQUMsQ0FBQztRQUN2RCxDQUFDO0lBQ0gsQ0FBQztDQUNGO0FBMUtELHNEQTBLQyJ9

package/dist/cjs/tee/TeeSignatureVerifier.d.ts

@@ -0,0 +1,24 @@
+/// <reference types="node" />
+import { BinaryType, GetSignatureOptions } from './types.js';
+import { ChallengeType } from '@super-protocol/pki-common';
+export type GetMrEnclaveSignatureFn = (mrEnclave: Buffer, challengeType: ChallengeType) => Promise<Buffer>;
+export type CheckSignatureOptions = {
+    getMrEnclaveSignature: GetMrEnclaveSignatureFn;
+};
+export declare const SignatureFolderMap: Partial<Record<ChallengeType, string>>;
+export declare class TeeSignatureVerifier {
+    /**
+     * Validates tee signature for SGX
+     * @param mrSigner - Buffer
+     * @throws Error If signature validation fails
+     */
+    static validateSignatureSgx(mrSigner: BinaryType): void;
+    /**
+     * Validates TDX and SEV-SNP TEE signature by verifying the MRENCLAVE
+     * @param mrEnclave - Binary measurement of the TEE environment to verify
+     * @param options - Configuration for signature validation, including getMrEnclaveSignature callback
+     * @throws Error If signature validation fails or signature cannot be retrieved
+     */
+    static validateSignature(mrEnclave: BinaryType, challengeType: ChallengeType, options?: CheckSignatureOptions): Promise<void>;
+    static getSignature(mrEnclave: Buffer, challengeType: ChallengeType, options?: GetSignatureOptions): Promise<Buffer>;
+}