@super-protocol/swarm-contracts-sdk 0.0.1-beta.1

package/dist/mjs/tee/QuoteParser.js

@@ -0,0 +1,381 @@
+import { Certificate } from '@fidm/x509';
+import * as asn1js from 'asn1js';
+import * as pkijs from 'pkijs';
+import { Buffer as Blob } from 'buffer';
+import { TeeQuoteParserError } from './errors.js';
+import { QuoteType, } from './types.js';
+import { splitChain, Signature } from './helpers.js';
+import * as crypto from 'crypto';
+export class TeeParser {
+    static reportDataHashSize = 32; /* 64 in report, but we need 32 only for sha256 hash */
+    extractRS(cert) {
+        const derSignature = Buffer.from(cert.signatureValue.valueBlock.valueHexView).toString('hex');
+        const parsedSignature = Signature.importFromDER(derSignature);
+        return {
+            r: parsedSignature.r,
+            s: parsedSignature.s,
+            derSignature,
+        };
+    }
+    parsePem(pem) {
+        const cert = Certificate.fromPEM(Buffer.from(pem));
+        const asn1Certificate = asn1js.fromBER(cert.raw);
+        const certificate = new pkijs.Certificate({ schema: asn1Certificate.result });
+        const tbs = certificate.tbsView;
+        const { r, s } = this.extractRS(certificate);
+        const publicKey = cert.publicKey.keyRaw.toString('hex').slice(2);
+        const splitedTbs = Buffer.from(tbs).toString('hex').split(publicKey);
+        const x509PublicKey = '0x' + publicKey;
+        const x509Signature = '0x' + r + s;
+        return {
+            bodyPartOne: '0x' + splitedTbs[0],
+            publicKey: x509PublicKey,
+            bodyPartTwo: '0x' + splitedTbs[1],
+            signature: x509Signature,
+        };
+    }
+    getDataAndAdvance(blob, size) {
+        const buf = Blob.from(blob.data.subarray(0, size));
+        blob.data = Blob.from(blob.data.subarray(size));
+        return buf;
+    }
+    static determineQuoteType(quote) {
+        let type = QuoteType.SGX;
+        if (quote.length < 48) {
+            throw new TeeQuoteParserError('data has invalid length');
+        }
+        const version = Buffer.from(quote).readUInt16LE(0);
+        if (version === 4) {
+            const quoteType = Buffer.from(quote).readUInt32LE(4);
+            if (quoteType === 0x00000081) {
+                type = QuoteType.TDX;
+            }
+            else if (quoteType !== 0x00000000) {
+                throw new TeeQuoteParserError(`Unknown quote type ${quoteType}`);
+            }
+        }
+        else if (version !== 3) {
+            throw new TeeQuoteParserError(`Unknown quote version ${version}`);
+        }
+        return { type, version };
+    }
+    static getMrEnclave(quote) {
+        const teeType = TeeParser.determineQuoteType(quote);
+        switch (teeType.type) {
+            case QuoteType.SGX: {
+                const sgxParser = new TeeSgxParser();
+                const parsedSgxQuote = sgxParser.parseQuote(quote);
+                const parsedReport = sgxParser.parseReport(parsedSgxQuote.report);
+                return parsedReport.mrEnclave;
+            }
+            case QuoteType.TDX: {
+                const tdxParser = new TeeTdxParser();
+                const parsedTdxQuote = tdxParser.parseQuote(quote);
+                const tdBody = tdxParser.parseBody(parsedTdxQuote.tdQuoteBody);
+                const hash = crypto.createHash('sha256');
+                hash.update(tdBody.tdAttributes);
+                hash.update(tdBody.mrTd);
+                hash.update(tdBody.rtmr0);
+                hash.update(tdBody.rtmr1);
+                hash.update(tdBody.rtmr2);
+                hash.update(tdBody.rtmr3);
+                return hash.digest();
+            }
+            default:
+                throw new TeeQuoteParserError(`Unknown quote type`);
+        }
+    }
+}
+export class TeeSgxParser extends TeeParser {
+    static quoteHeaderSize = 48;
+    static pceSvnOffset = 10;
+    static reportSize = 384;
+    static userDataOffset = 28;
+    static userDataSize = 20;
+    static cpuSvnSize = 16;
+    static reportMrEnclaveOffset = 64;
+    static reportMrEnclaveSize = 32;
+    static reportMrSignerOffset = TeeSgxParser.reportMrEnclaveOffset + TeeSgxParser.reportMrEnclaveSize + /* reserved */ 32;
+    static reportMrSignerSize = 32;
+    static reportIsvProdIdOffset = TeeSgxParser.reportMrSignerOffset + TeeSgxParser.reportMrSignerSize + /* reserved */ 96;
+    static reportIsvProdIdSize = 2;
+    static reportIsvSvnOffset = TeeSgxParser.reportIsvProdIdOffset + TeeSgxParser.reportIsvProdIdSize;
+    static reportIsvSvnSize = 2;
+    static reportDataOffset = TeeSgxParser.reportIsvSvnOffset + TeeSgxParser.reportIsvSvnSize + /* reserved */ 60;
+    static reportUserDataSize = 64;
+    static ecdsaP256SignatureSize = 64;
+    static ecdsaP256PublicKeySize = 64;
+    parseQuote(data) {
+        const { quoteHeaderSize, pceSvnOffset, reportSize, userDataOffset, userDataSize, ecdsaP256SignatureSize, ecdsaP256PublicKeySize, } = TeeSgxParser;
+        if (data.length < quoteHeaderSize + reportSize) {
+            throw new TeeQuoteParserError('data has invalid length');
+        }
+        const quoteRemainder = { data: Blob.from(data) };
+        const quoteHeader = this.getDataAndAdvance(quoteRemainder, quoteHeaderSize);
+        const report = this.getDataAndAdvance(quoteRemainder, reportSize);
+        const version = quoteHeader.readUInt16LE(0);
+        const attestationKeyType = quoteHeader.readUInt16LE(2);
+        if (attestationKeyType > 3) {
+            throw new TeeQuoteParserError('quote header has invalid or unsupported attestation key type');
+        }
+        const pceSvn = quoteHeader.readUInt16LE(pceSvnOffset);
+        const userData = quoteHeader.slice(userDataOffset, userDataOffset + userDataSize);
+        const quoteSignatureDateLen = quoteRemainder.data.readUInt32LE(0);
+        quoteRemainder.data = Blob.from(quoteRemainder.data.subarray(4));
+        if (quoteSignatureDateLen != quoteRemainder.data.length) {
+            throw new TeeQuoteParserError(`quoteSignatureDateLen has invalid length: ${quoteRemainder.data.length} instead of ${quoteSignatureDateLen} expected`);
+        }
+        const rawQuoteSignatureDataRemainder = {
+            data: this.getDataAndAdvance(quoteRemainder, quoteSignatureDateLen),
+        };
+        const isvEnclaveReportSignature = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, ecdsaP256SignatureSize);
+        const ecdsaAttestationKey = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, ecdsaP256PublicKeySize);
+        const qeReport = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, reportSize);
+        const qeReportSignature = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, ecdsaP256SignatureSize);
+        const qeAuthenticationDataSize = rawQuoteSignatureDataRemainder.data.readUInt16LE(0);
+        rawQuoteSignatureDataRemainder.data = Blob.from(rawQuoteSignatureDataRemainder.data.subarray(2));
+        if (rawQuoteSignatureDataRemainder.data.length < qeAuthenticationDataSize) {
+            throw new TeeQuoteParserError(`qeAuthenticationDataSize has invalid length: ${rawQuoteSignatureDataRemainder.data.length} instead of ${qeAuthenticationDataSize} expected`);
+        }
+        const qeAuthenticationData = this.getDataAndAdvance(rawQuoteSignatureDataRemainder, qeAuthenticationDataSize);
+        const qeCertificationDataType = rawQuoteSignatureDataRemainder.data.readUInt16LE(0);
+        if (qeCertificationDataType < 1 || qeCertificationDataType > 7) {
+            throw new TeeQuoteParserError(`certificationDataType has invalid value: ${qeCertificationDataType}`);
+        }
+        const certificationDataSize = rawQuoteSignatureDataRemainder.data.readUInt32LE(2);
+        const qeCertificationData = rawQuoteSignatureDataRemainder.data.subarray(2 + 4);
+        if (certificationDataSize != qeCertificationData.length) {
+            throw new TeeQuoteParserError(`certificationDataSize has invalid length: $PqeCertificationData.length} instead of ${certificationDataSize} expected`);
+        }
+        const certsPems = splitChain(qeCertificationData.toString()) || []; // [device, platform, root]
+        const certsData = certsPems.map((pem) => this.parsePem(pem));
+        return {
+            quoteType: QuoteType.SGX,
+            rawHeader: quoteHeader,
+            header: {
+                version,
+                attestationKeyType,
+                pceSvn,
+                userData,
+            },
+            report,
+            isvEnclaveReportSignature,
+            ecdsaAttestationKey,
+            qeReport,
+            qeReportSignature,
+            qeAuthenticationData,
+            qeCertificationDataType,
+            qeCertificationData,
+            certificates: {
+                device: {
+                    pem: certsPems[0],
+                    x509Data: certsData[0],
+                },
+                platform: {
+                    pem: certsPems[1],
+                    x509Data: certsData[1],
+                },
+                root: {
+                    pem: certsPems[2],
+                    x509Data: certsData[2],
+                },
+            },
+        };
+    }
+    parseReport(data) {
+        const { reportSize, cpuSvnSize, reportMrEnclaveOffset, reportMrEnclaveSize, reportMrSignerOffset, reportMrSignerSize, reportIsvProdIdOffset, reportIsvProdIdSize, reportIsvSvnOffset, reportIsvSvnSize, reportDataOffset, reportUserDataSize, reportDataHashSize, } = TeeSgxParser;
+        if (data.length < reportSize) {
+            throw new TeeQuoteParserError('data has invalid length');
+        }
+        const report = Blob.from(data);
+        const cpuSvn = report.slice(0, cpuSvnSize).toString('hex');
+        const mrEnclave = report.slice(reportMrEnclaveOffset, reportMrEnclaveOffset + reportMrEnclaveSize);
+        const mrSigner = report.slice(reportMrSignerOffset, reportMrSignerOffset + reportMrSignerSize);
+        const isvProdId = report
+            .slice(reportIsvProdIdOffset, reportIsvProdIdOffset + reportIsvProdIdSize)
+            .readUInt16LE(0);
+        const isvSvn = report
+            .slice(reportIsvSvnOffset, reportIsvSvnOffset + reportIsvSvnSize)
+            .readUInt16LE(0);
+        const userData = report.slice(reportDataOffset, reportDataOffset + reportUserDataSize);
+        const dataHash = report.slice(reportDataOffset, reportDataOffset + reportDataHashSize);
+        return {
+            cpuSvn,
+            mrEnclave,
+            mrSigner,
+            isvProdId,
+            isvSvn,
+            userData,
+            dataHash,
+        };
+    }
+}
+export class TeeTdxParser extends TeeParser {
+    //High-level quote structure
+    static quoteHeaderSize = 48;
+    static tdQuoteBodySize = 584;
+    static quoteSignatureDataLen = 4;
+    // Header fields
+    static headerVersionSize = 2;
+    static headerAttestationKeyTypeSize = 2;
+    static headerTeeTypeSize = 4;
+    static headerReserved1Size = 2;
+    static headerReserved2Size = 2;
+    static headerQeVendorIdSize = 16;
+    static headerUserDataSize = 20;
+    // Body fiedls
+    static bodyTeeTcbSvnSize = 16;
+    static bodyMrSeamSize = 48;
+    static bodyMrSignerSeamSize = 48;
+    static bodySeamAttributesSize = 8;
+    static bodyTdAttributesSize = 8;
+    static bodyXfamSize = 8;
+    static bodyMrTdSize = 48;
+    static bodyMrConfigIdSize = 48;
+    static bodyMrOwnerSize = 48;
+    static bodyMrOwnerConfigSize = 48;
+    static bodyRtmr0Size = 48;
+    static bodyRtmr1Size = 48;
+    static bodyRtmr2Size = 48;
+    static bodyRtmr3Size = 48;
+    static bodyReportDataSize = 64;
+    // Signature fields
+    static sigQuoteSignatureSize = 64;
+    static sigAttestationKeySize = 64;
+    static sigCertDataTypeSize = 2;
+    static sigCertDataSzSize = 4;
+    static sigQeReportSize = 384;
+    static sigQeReportSignatureSize = 64;
+    static sigQeAuthenticationDataSzSize = 2;
+    static sigSignatureTypeSize = 2;
+    static sigSignatureSzSize = 4;
+    parseQuote(data) {
+        const { quoteHeaderSize, tdQuoteBodySize, quoteSignatureDataLen, sigQuoteSignatureSize, sigAttestationKeySize, sigCertDataTypeSize, sigCertDataSzSize, sigQeReportSize, sigQeReportSignatureSize, sigQeAuthenticationDataSzSize, sigSignatureTypeSize, sigSignatureSzSize, } = TeeTdxParser;
+        const expectedSize = quoteHeaderSize + tdQuoteBodySize + quoteSignatureDataLen;
+        if (data.length < expectedSize) {
+            throw new TeeQuoteParserError(`quote has invalid length ${data.length}, expected not less than ${expectedSize}`);
+        }
+        const quoteRemainder = { data: Blob.from(data) };
+        const rawHeader = this.getDataAndAdvance(quoteRemainder, quoteHeaderSize);
+        const tdQuoteBody = this.getDataAndAdvance(quoteRemainder, tdQuoteBodySize);
+        const signatureLen = this.getDataAndAdvance(quoteRemainder, quoteSignatureDataLen);
+        const certificationDataSize = signatureLen.readUInt32LE(0);
+        const expectedQuoteLen = quoteHeaderSize + tdQuoteBodySize + quoteSignatureDataLen + certificationDataSize;
+        if (data.length < expectedQuoteLen) {
+            throw new TeeQuoteParserError(`quote has invalid length ${data.length}, expected not less than ${expectedQuoteLen}`);
+        }
+        const signature = { data: this.getDataAndAdvance(quoteRemainder, certificationDataSize) };
+        const quoteSignature = this.getDataAndAdvance(signature, sigQuoteSignatureSize);
+        const ecdsaAttestationKey = this.getDataAndAdvance(signature, sigAttestationKeySize);
+        const certDataType = this.getDataAndAdvance(signature, sigCertDataTypeSize).readUint16LE(); //expected 6
+        if (certDataType !== 6)
+            throw new TeeQuoteParserError(`certDataType has invalid value ${certDataType}, expected 6`);
+        const certDataSize = this.getDataAndAdvance(signature, sigCertDataSzSize).readUint32LE();
+        if (signature.data.length < certDataSize)
+            throw new TeeQuoteParserError(`certData has invalid length ${data.length}, expected not less than ${certDataSize}`);
+        const qeReport = this.getDataAndAdvance(signature, sigQeReportSize);
+        const qeReportSignature = this.getDataAndAdvance(signature, sigQeReportSignatureSize);
+        const qeAuthenticationDataSize = this.getDataAndAdvance(signature, sigQeAuthenticationDataSzSize).readUint16LE();
+        if (signature.data.length < qeAuthenticationDataSize)
+            throw new TeeQuoteParserError(`qeAuthenticationData has invalid length ${data.length}, expected not less than ${qeAuthenticationDataSize}`);
+        const qeAuthenticationData = this.getDataAndAdvance(signature, qeAuthenticationDataSize);
+        const qeCertificationDataType = this.getDataAndAdvance(signature, sigSignatureTypeSize).readUint16LE(); //expected 5
+        if (qeCertificationDataType !== 5)
+            throw new TeeQuoteParserError(`signatureType has invalid value ${qeCertificationDataType}, expected 5`);
+        const signatureSize = this.getDataAndAdvance(signature, sigSignatureSzSize).readUint32LE();
+        if (signature.data.length < signatureSize)
+            throw new TeeQuoteParserError(`certChain has invalid length ${data.length}, expected not less than ${signatureSize}`);
+        const qeCertificationData = this.getDataAndAdvance(signature, signatureSize);
+        const certsPems = splitChain(qeCertificationData.toString()) || []; // [device, platform, root]
+        const certsData = certsPems.map((pem) => this.parsePem(pem));
+        return {
+            quoteType: QuoteType.TDX,
+            rawHeader,
+            header: this.parseHeader(rawHeader),
+            tdQuoteBody,
+            quoteSignature,
+            ecdsaAttestationKey,
+            certDataType,
+            qeReport,
+            qeReportSignature,
+            qeAuthenticationData,
+            qeCertificationDataType,
+            qeCertificationData,
+            certificates: {
+                device: {
+                    pem: certsPems[0],
+                    x509Data: certsData[0],
+                },
+                platform: {
+                    pem: certsPems[1],
+                    x509Data: certsData[1],
+                },
+                root: {
+                    pem: certsPems[2],
+                    x509Data: certsData[2],
+                },
+            },
+        };
+    }
+    parseHeader(data) {
+        const { headerVersionSize, headerAttestationKeyTypeSize, headerTeeTypeSize, headerReserved1Size, headerReserved2Size, headerQeVendorIdSize, headerUserDataSize, } = TeeTdxParser;
+        const headerRemainder = { data: Blob.from(data) };
+        const version = this.getDataAndAdvance(headerRemainder, headerVersionSize).readUInt16LE();
+        const attestationKeyType = this.getDataAndAdvance(headerRemainder, headerAttestationKeyTypeSize).readUInt16LE();
+        const teeType = this.getDataAndAdvance(headerRemainder, headerTeeTypeSize).readUInt32LE();
+        const reserved1 = this.getDataAndAdvance(headerRemainder, headerReserved1Size);
+        const reserved2 = this.getDataAndAdvance(headerRemainder, headerReserved2Size);
+        const qeVendorId = this.getDataAndAdvance(headerRemainder, headerQeVendorIdSize);
+        const userData = this.getDataAndAdvance(headerRemainder, headerUserDataSize);
+        return {
+            version,
+            attestationKeyType,
+            teeType,
+            reserved1,
+            reserved2,
+            qeVendorId,
+            userData,
+        };
+    }
+    parseBody(data) {
+        const { bodyTeeTcbSvnSize, bodyMrSeamSize, bodyMrSignerSeamSize, bodySeamAttributesSize, bodyTdAttributesSize, bodyXfamSize, bodyMrTdSize, bodyMrConfigIdSize, bodyMrOwnerSize, bodyMrOwnerConfigSize, bodyRtmr0Size, bodyRtmr1Size, bodyRtmr2Size, bodyRtmr3Size, bodyReportDataSize, reportDataHashSize, } = TeeTdxParser;
+        const bodyRemainder = { data: Blob.from(data) };
+        if (bodyRemainder.data.length !== TeeTdxParser.tdQuoteBodySize)
+            throw new TeeQuoteParserError(`body has invalid length ${bodyRemainder.data.length}, expected ${TeeTdxParser.tdQuoteBodySize}`);
+        const teeTcbSvn = this.getDataAndAdvance(bodyRemainder, bodyTeeTcbSvnSize);
+        const mrSeam = this.getDataAndAdvance(bodyRemainder, bodyMrSeamSize);
+        const mrSignerSeam = this.getDataAndAdvance(bodyRemainder, bodyMrSignerSeamSize);
+        const seamAttributes = this.getDataAndAdvance(bodyRemainder, bodySeamAttributesSize);
+        const tdAttributes = this.getDataAndAdvance(bodyRemainder, bodyTdAttributesSize);
+        const xfam = this.getDataAndAdvance(bodyRemainder, bodyXfamSize);
+        const mrTd = this.getDataAndAdvance(bodyRemainder, bodyMrTdSize);
+        const mrConfigId = this.getDataAndAdvance(bodyRemainder, bodyMrConfigIdSize);
+        const mrOwner = this.getDataAndAdvance(bodyRemainder, bodyMrOwnerSize);
+        const mrOwnerConfig = this.getDataAndAdvance(bodyRemainder, bodyMrOwnerConfigSize);
+        const rtmr0 = this.getDataAndAdvance(bodyRemainder, bodyRtmr0Size);
+        const rtmr1 = this.getDataAndAdvance(bodyRemainder, bodyRtmr1Size);
+        const rtmr2 = this.getDataAndAdvance(bodyRemainder, bodyRtmr2Size);
+        const rtmr3 = this.getDataAndAdvance(bodyRemainder, bodyRtmr3Size);
+        const reportData = this.getDataAndAdvance(bodyRemainder, bodyReportDataSize);
+        const dataHash = reportData.slice(0, reportDataHashSize);
+        return {
+            teeTcbSvn,
+            mrSeam,
+            mrSignerSeam,
+            seamAttributes,
+            tdAttributes,
+            xfam,
+            mrTd,
+            mrConfigId,
+            mrOwner,
+            mrOwnerConfig,
+            rtmr0,
+            rtmr1,
+            rtmr2,
+            rtmr3,
+            reportData,
+            dataHash,
+        };
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiUXVvdGVQYXJzZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvdGVlL1F1b3RlUGFyc2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxXQUFXLEVBQUUsTUFBTSxZQUFZLENBQUM7QUFDekMsT0FBTyxLQUFLLE1BQU0sTUFBTSxRQUFRLENBQUM7QUFDakMsT0FBTyxLQUFLLEtBQUssTUFBTSxPQUFPLENBQUM7QUFDL0IsT0FBTyxFQUFFLE1BQU0sSUFBSSxJQUFJLEVBQUUsTUFBTSxRQUFRLENBQUM7QUFDeEMsT0FBTyxFQUFFLG1CQUFtQixFQUFFLE1BQU0sYUFBYSxDQUFDO0FBQ2xELE9BQU8sRUFRTCxTQUFTLEdBQ1YsTUFBTSxZQUFZLENBQUM7QUFDcEIsT0FBTyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsTUFBTSxjQUFjLENBQUM7QUFDckQsT0FBTyxLQUFLLE1BQU0sTUFBTSxRQUFRLENBQUM7QUFFakMsTUFBTSxPQUFnQixTQUFTO0lBQzdCLE1BQU0sQ0FBVSxrQkFBa0IsR0FBRyxFQUFFLENBQUMsQ0FBQyx1REFBdUQ7SUFDdEYsU0FBUyxDQUFDLElBQXVCO1FBQ3pDLE1BQU0sWUFBWSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGNBQWMsQ0FBQyxVQUFVLENBQUMsWUFBWSxDQUFDLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQzlGLE1BQU0sZUFBZSxHQUFHLFNBQVMsQ0FBQyxhQUFhLENBQUMsWUFBWSxDQUFDLENBQUM7UUFFOUQsT0FBTztZQUNMLENBQUMsRUFBRSxlQUFlLENBQUMsQ0FBQztZQUNwQixDQUFDLEVBQUUsZUFBZSxDQUFDLENBQUM7WUFDcEIsWUFBWTtTQUNiLENBQUM7SUFDSixDQUFDO0lBRVMsUUFBUSxDQUFDLEdBQVc7UUFDNUIsTUFBTSxJQUFJLEdBQUcsV0FBVyxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFDbkQsTUFBTSxlQUFlLEdBQUcsTUFBTSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDakQsTUFBTSxXQUFXLEdBQUcsSUFBSSxLQUFLLENBQUMsV0FBVyxDQUFDLEVBQUUsTUFBTSxFQUFFLGVBQWUsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDO1FBRTlFLE1BQU0sR0FBRyxHQUFHLFdBQVcsQ0FBQyxPQUFPLENBQUM7UUFFaEMsTUFBTSxFQUFFLENBQUMsRUFBRSxDQUFDLEVBQUUsR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBRTdDLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDakUsTUFBTSxVQUFVLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUMsS0FBSyxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQ3JFLE1BQU0sYUFBYSxHQUFHLElBQUksR0FBRyxTQUFTLENBQUM7UUFDdkMsTUFBTSxhQUFhLEdBQUcsSUFBSSxHQUFHLENBQUMsR0FBRyxDQUFDLENBQUM7UUFFbkMsT0FBTztZQUNMLFdBQVcsRUFBRSxJQUFJLEdBQUcsVUFBVSxDQUFDLENBQUMsQ0FBQztZQUNqQyxTQUFTLEVBQUUsYUFBYTtZQUN4QixXQUFXLEVBQUUsSUFBSSxHQUFHLFVBQVUsQ0FBQyxDQUFDLENBQUM7WUFDakMsU0FBUyxFQUFFLGFBQWE7U0FDekIsQ0FBQztJQUNKLENBQUM7SUFFUyxpQkFBaUIsQ0FBQyxJQUFvQixFQUFFLElBQVk7UUFDNUQsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUNuRCxJQUFJLENBQUMsSUFBSSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUVoRCxPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFTSxNQUFNLENBQUMsa0JBQWtCLENBQUMsS0FBaUI7UUFDaEQsSUFBSSxJQUFJLEdBQUcsU0FBUyxDQUFDLEdBQUcsQ0FBQztRQUV6QixJQUFJLEtBQUssQ0FBQyxNQUFNLEdBQUcsRUFBRSxFQUFFLENBQUM7WUFDdEIsTUFBTSxJQUFJLG1CQUFtQixDQUFDLHlCQUF5QixDQUFDLENBQUM7UUFDM0QsQ0FBQztRQUVELE1BQU0sT0FBTyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRW5ELElBQUksT0FBTyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQ2xCLE1BQU0sU0FBUyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3JELElBQUksU0FBUyxLQUFLLFVBQVUsRUFBRSxDQUFDO2dCQUM3QixJQUFJLEdBQUcsU0FBUyxDQUFDLEdBQUcsQ0FBQztZQUN2QixDQUFDO2lCQUFNLElBQUksU0FBUyxLQUFLLFVBQVUsRUFBRSxDQUFDO2dCQUNwQyxNQUFNLElBQUksbUJBQW1CLENBQUMsc0JBQXNCLFNBQVMsRUFBRSxDQUFDLENBQUM7WUFDbkUsQ0FBQztRQUNILENBQUM7YUFBTSxJQUFJLE9BQU8sS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUN6QixNQUFNLElBQUksbUJBQW1CLENBQUMseUJBQXlCLE9BQU8sRUFBRSxDQUFDLENBQUM7UUFDcEUsQ0FBQztRQUVELE9BQU8sRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFLENBQUM7SUFDM0IsQ0FBQztJQUVNLE1BQU0sQ0FBQyxZQUFZLENBQUMsS0FBaUI7UUFDMUMsTUFBTSxPQUFPLEdBQUcsU0FBUyxDQUFDLGtCQUFrQixDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQ3BELFFBQVEsT0FBTyxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ3JCLEtBQUssU0FBUyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7Z0JBQ25CLE1BQU0sU0FBUyxHQUFHLElBQUksWUFBWSxFQUFFLENBQUM7Z0JBQ3JDLE1BQU0sY0FBYyxHQUFHLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQ25ELE1BQU0sWUFBWSxHQUFHLFNBQVMsQ0FBQyxXQUFXLENBQUMsY0FBYyxDQUFDLE1BQU0sQ0FBQyxDQUFDO2dCQUVsRSxPQUFPLFlBQVksQ0FBQyxTQUFTLENBQUM7WUFDaEMsQ0FBQztZQUNELEtBQUssU0FBUyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7Z0JBQ25CLE1BQU0sU0FBUyxHQUFHLElBQUksWUFBWSxFQUFFLENBQUM7Z0JBQ3JDLE1BQU0sY0FBYyxHQUFHLFNBQVMsQ0FBQyxVQUFVLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQ25ELE1BQU0sTUFBTSxHQUFHLFNBQVMsQ0FBQyxTQUFTLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FBQyxDQUFDO2dCQUMvRCxNQUFNLElBQUksR0FBRyxNQUFNLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxDQUFDO2dCQUN6QyxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxZQUFZLENBQUMsQ0FBQztnQkFDakMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLENBQUM7Z0JBQ3pCLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO2dCQUMxQixJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztnQkFDMUIsSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQzFCLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO2dCQUUxQixPQUFPLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUN2QixDQUFDO1lBQ0Q7Z0JBQ0UsTUFBTSxJQUFJLG1CQUFtQixDQUFDLG9CQUFvQixDQUFDLENBQUM7UUFDeEQsQ0FBQztJQUNILENBQUM7O0FBR0gsTUFBTSxPQUFPLFlBQWEsU0FBUSxTQUFTO0lBQ3pDLE1BQU0sQ0FBVSxlQUFlLEdBQUcsRUFBRSxDQUFDO0lBQ3JDLE1BQU0sQ0FBVSxZQUFZLEdBQUcsRUFBRSxDQUFDO0lBQ2xDLE1BQU0sQ0FBVSxVQUFVLEdBQUcsR0FBRyxDQUFDO0lBQ2pDLE1BQU0sQ0FBVSxjQUFjLEdBQUcsRUFBRSxDQUFDO0lBQ3BDLE1BQU0sQ0FBVSxZQUFZLEdBQUcsRUFBRSxDQUFDO0lBQ2xDLE1BQU0sQ0FBVSxVQUFVLEdBQUcsRUFBRSxDQUFDO0lBQ2hDLE1BQU0sQ0FBVSxxQkFBcUIsR0FBRyxFQUFFLENBQUM7SUFDM0MsTUFBTSxDQUFVLG1CQUFtQixHQUFHLEVBQUUsQ0FBQztJQUN6QyxNQUFNLENBQVUsb0JBQW9CLEdBQ2xDLFlBQVksQ0FBQyxxQkFBcUIsR0FBRyxZQUFZLENBQUMsbUJBQW1CLEdBQUcsY0FBYyxDQUFDLEVBQUUsQ0FBQztJQUM1RixNQUFNLENBQVUsa0JBQWtCLEdBQUcsRUFBRSxDQUFDO0lBQ3hDLE1BQU0sQ0FBVSxxQkFBcUIsR0FDbkMsWUFBWSxDQUFDLG9CQUFvQixHQUFHLFlBQVksQ0FBQyxrQkFBa0IsR0FBRyxjQUFjLENBQUMsRUFBRSxDQUFDO0lBQzFGLE1BQU0sQ0FBVSxtQkFBbUIsR0FBRyxDQUFDLENBQUM7SUFDeEMsTUFBTSxDQUFVLGtCQUFrQixHQUNoQyxZQUFZLENBQUMscUJBQXFCLEdBQUcsWUFBWSxDQUFDLG1CQUFtQixDQUFDO0lBQ3hFLE1BQU0sQ0FBVSxnQkFBZ0IsR0FBRyxDQUFDLENBQUM7SUFDckMsTUFBTSxDQUFVLGdCQUFnQixHQUM5QixZQUFZLENBQUMsa0JBQWtCLEdBQUcsWUFBWSxDQUFDLGdCQUFnQixHQUFHLGNBQWMsQ0FBQyxFQUFFLENBQUM7SUFDdEYsTUFBTSxDQUFVLGtCQUFrQixHQUFHLEVBQUUsQ0FBQztJQUN4QyxNQUFNLENBQVUsc0JBQXNCLEdBQUcsRUFBRSxDQUFDO0lBQzVDLE1BQU0sQ0FBVSxzQkFBc0IsR0FBRyxFQUFFLENBQUM7SUFFNUMsVUFBVSxDQUFDLElBQWdCO1FBQ3pCLE1BQU0sRUFDSixlQUFlLEVBQ2YsWUFBWSxFQUNaLFVBQVUsRUFDVixjQUFjLEVBQ2QsWUFBWSxFQUNaLHNCQUFzQixFQUN0QixzQkFBc0IsR0FDdkIsR0FBRyxZQUFZLENBQUM7UUFFakIsSUFBSSxJQUFJLENBQUMsTUFBTSxHQUFHLGVBQWUsR0FBRyxVQUFVLEVBQUUsQ0FBQztZQUMvQyxNQUFNLElBQUksbUJBQW1CLENBQUMseUJBQXlCLENBQUMsQ0FBQztRQUMzRCxDQUFDO1FBQ0QsTUFBTSxjQUFjLEdBQUcsRUFBRSxJQUFJLEVBQUUsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO1FBQ2pELE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxjQUFjLEVBQUUsZUFBZSxDQUFDLENBQUM7UUFDNUUsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGNBQWMsRUFBRSxVQUFVLENBQUMsQ0FBQztRQUVsRSxNQUFNLE9BQU8sR0FBRyxXQUFXLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRTVDLE1BQU0sa0JBQWtCLEdBQUcsV0FBVyxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUV2RCxJQUFJLGtCQUFrQixHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzNCLE1BQU0sSUFBSSxtQkFBbUIsQ0FBQyw4REFBOEQsQ0FBQyxDQUFDO1FBQ2hHLENBQUM7UUFFRCxNQUFNLE1BQU0sR0FBRyxXQUFXLENBQUMsWUFBWSxDQUFDLFlBQVksQ0FBQyxDQUFDO1FBRXRELE1BQU0sUUFBUSxHQUFHLFdBQVcsQ0FBQyxLQUFLLENBQUMsY0FBYyxFQUFFLGNBQWMsR0FBRyxZQUFZLENBQUMsQ0FBQztRQUVsRixNQUFNLHFCQUFxQixHQUFHLGNBQWMsQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2xFLGNBQWMsQ0FBQyxJQUFJLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxjQUFjLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRWpFLElBQUkscUJBQXFCLElBQUksY0FBYyxDQUFDLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUN4RCxNQUFNLElBQUksbUJBQW1CLENBQzNCLDZDQUE2QyxjQUFjLENBQUMsSUFBSSxDQUFDLE1BQU0sZUFBZSxxQkFBcUIsV0FBVyxDQUN2SCxDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0sOEJBQThCLEdBQUc7WUFDckMsSUFBSSxFQUFFLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxjQUFjLEVBQUUscUJBQXFCLENBQUM7U0FDcEUsQ0FBQztRQUNGLE1BQU0seUJBQXlCLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUN0RCw4QkFBOEIsRUFDOUIsc0JBQXNCLENBQ3ZCLENBQUM7UUFDRixNQUFNLG1CQUFtQixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FDaEQsOEJBQThCLEVBQzlCLHNCQUFzQixDQUN2QixDQUFDO1FBQ0YsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLDhCQUE4QixFQUFFLFVBQVUsQ0FBQyxDQUFDO1FBQ3BGLE1BQU0saUJBQWlCLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUM5Qyw4QkFBOEIsRUFDOUIsc0JBQXNCLENBQ3ZCLENBQUM7UUFDRixNQUFNLHdCQUF3QixHQUFHLDhCQUE4QixDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDckYsOEJBQThCLENBQUMsSUFBSSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQzdDLDhCQUE4QixDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsQ0FBQyxDQUFDLENBQ2hELENBQUM7UUFFRixJQUFJLDhCQUE4QixDQUFDLElBQUksQ0FBQyxNQUFNLEdBQUcsd0JBQXdCLEVBQUUsQ0FBQztZQUMxRSxNQUFNLElBQUksbUJBQW1CLENBQzNCLGdEQUFnRCw4QkFBOEIsQ0FBQyxJQUFJLENBQUMsTUFBTSxlQUFlLHdCQUF3QixXQUFXLENBQzdJLENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQ2pELDhCQUE4QixFQUM5Qix3QkFBd0IsQ0FDekIsQ0FBQztRQUVGLE1BQU0sdUJBQXVCLEdBQUcsOEJBQThCLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUVwRixJQUFJLHVCQUF1QixHQUFHLENBQUMsSUFBSSx1QkFBdUIsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUMvRCxNQUFNLElBQUksbUJBQW1CLENBQzNCLDRDQUE0Qyx1QkFBdUIsRUFBRSxDQUN0RSxDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0scUJBQXFCLEdBQUcsOEJBQThCLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNsRixNQUFNLG1CQUFtQixHQUFHLDhCQUE4QixDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO1FBRWhGLElBQUkscUJBQXFCLElBQUksbUJBQW1CLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDeEQsTUFBTSxJQUFJLG1CQUFtQixDQUMzQixzRkFBc0YscUJBQXFCLFdBQVcsQ0FDdkgsQ0FBQztRQUNKLENBQUM7UUFFRCxNQUFNLFNBQVMsR0FBRyxVQUFVLENBQUMsbUJBQW1CLENBQUMsUUFBUSxFQUFFLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQywyQkFBMkI7UUFDL0YsTUFBTSxTQUFTLEdBQUcsU0FBUyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO1FBRTdELE9BQU87WUFDTCxTQUFTLEVBQUUsU0FBUyxDQUFDLEdBQUc7WUFDeEIsU0FBUyxFQUFFLFdBQVc7WUFDdEIsTUFBTSxFQUFFO2dCQUNOLE9BQU87Z0JBQ1Asa0JBQWtCO2dCQUNsQixNQUFNO2dCQUNOLFFBQVE7YUFDVDtZQUNELE1BQU07WUFDTix5QkFBeUI7WUFDekIsbUJBQW1CO1lBQ25CLFFBQVE7WUFDUixpQkFBaUI7WUFDakIsb0JBQW9CO1lBQ3BCLHVCQUF1QjtZQUN2QixtQkFBbUI7WUFDbkIsWUFBWSxFQUFFO2dCQUNaLE1BQU0sRUFBRTtvQkFDTixHQUFHLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztvQkFDakIsUUFBUSxFQUFFLFNBQVMsQ0FBQyxDQUFDLENBQUM7aUJBQ3ZCO2dCQUNELFFBQVEsRUFBRTtvQkFDUixHQUFHLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztvQkFDakIsUUFBUSxFQUFFLFNBQVMsQ0FBQyxDQUFDLENBQUM7aUJBQ3ZCO2dCQUNELElBQUksRUFBRTtvQkFDSixHQUFHLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztvQkFDakIsUUFBUSxFQUFFLFNBQVMsQ0FBQyxDQUFDLENBQUM7aUJBQ3ZCO2FBQ0Y7U0FDRixDQUFDO0lBQ0osQ0FBQztJQUVELFdBQVcsQ0FBQyxJQUFnQjtRQUMxQixNQUFNLEVBQ0osVUFBVSxFQUNWLFVBQVUsRUFDVixxQkFBcUIsRUFDckIsbUJBQW1CLEVBQ25CLG9CQUFvQixFQUNwQixrQkFBa0IsRUFDbEIscUJBQXFCLEVBQ3JCLG1CQUFtQixFQUNuQixrQkFBa0IsRUFDbEIsZ0JBQWdCLEVBQ2hCLGdCQUFnQixFQUNoQixrQkFBa0IsRUFDbEIsa0JBQWtCLEdBQ25CLEdBQUcsWUFBWSxDQUFDO1FBRWpCLElBQUksSUFBSSxDQUFDLE1BQU0sR0FBRyxVQUFVLEVBQUUsQ0FBQztZQUM3QixNQUFNLElBQUksbUJBQW1CLENBQUMseUJBQXlCLENBQUMsQ0FBQztRQUMzRCxDQUFDO1FBRUQsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUMvQixNQUFNLE1BQU0sR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxVQUFVLENBQUMsQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDM0QsTUFBTSxTQUFTLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FDNUIscUJBQXFCLEVBQ3JCLHFCQUFxQixHQUFHLG1CQUFtQixDQUM1QyxDQUFDO1FBQ0YsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FBQyxvQkFBb0IsRUFBRSxvQkFBb0IsR0FBRyxrQkFBa0IsQ0FBQyxDQUFDO1FBQy9GLE1BQU0sU0FBUyxHQUFHLE1BQU07YUFDckIsS0FBSyxDQUFDLHFCQUFxQixFQUFFLHFCQUFxQixHQUFHLG1CQUFtQixDQUFDO2FBQ3pFLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNuQixNQUFNLE1BQU0sR0FBRyxNQUFNO2FBQ2xCLEtBQUssQ0FBQyxrQkFBa0IsRUFBRSxrQkFBa0IsR0FBRyxnQkFBZ0IsQ0FBQzthQUNoRSxZQUFZLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDbkIsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FBQyxnQkFBZ0IsRUFBRSxnQkFBZ0IsR0FBRyxrQkFBa0IsQ0FBQyxDQUFDO1FBQ3ZGLE1BQU0sUUFBUSxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsZ0JBQWdCLEVBQUUsZ0JBQWdCLEdBQUcsa0JBQWtCLENBQUMsQ0FBQztRQUV2RixPQUFPO1lBQ0wsTUFBTTtZQUNOLFNBQVM7WUFDVCxRQUFRO1lBQ1IsU0FBUztZQUNULE1BQU07WUFDTixRQUFRO1lBQ1IsUUFBUTtTQUNULENBQUM7SUFDSixDQUFDOztBQUdILE1BQU0sT0FBTyxZQUFhLFNBQVEsU0FBUztJQUN6Qyw0QkFBNEI7SUFDNUIsTUFBTSxDQUFVLGVBQWUsR0FBRyxFQUFFLENBQUM7SUFDckMsTUFBTSxDQUFVLGVBQWUsR0FBRyxHQUFHLENBQUM7SUFDdEMsTUFBTSxDQUFVLHFCQUFxQixHQUFHLENBQUMsQ0FBQztJQUUxQyxnQkFBZ0I7SUFDaEIsTUFBTSxDQUFVLGlCQUFpQixHQUFHLENBQUMsQ0FBQztJQUN0QyxNQUFNLENBQVUsNEJBQTRCLEdBQUcsQ0FBQyxDQUFDO0lBQ2pELE1BQU0sQ0FBVSxpQkFBaUIsR0FBRyxDQUFDLENBQUM7SUFDdEMsTUFBTSxDQUFVLG1CQUFtQixHQUFHLENBQUMsQ0FBQztJQUN4QyxNQUFNLENBQVUsbUJBQW1CLEdBQUcsQ0FBQyxDQUFDO0lBQ3hDLE1BQU0sQ0FBVSxvQkFBb0IsR0FBRyxFQUFFLENBQUM7SUFDMUMsTUFBTSxDQUFVLGtCQUFrQixHQUFHLEVBQUUsQ0FBQztJQUV4QyxjQUFjO0lBQ2QsTUFBTSxDQUFVLGlCQUFpQixHQUFHLEVBQUUsQ0FBQztJQUN2QyxNQUFNLENBQVUsY0FBYyxHQUFHLEVBQUUsQ0FBQztJQUNwQyxNQUFNLENBQVUsb0JBQW9CLEdBQUcsRUFBRSxDQUFDO0lBQzFDLE1BQU0sQ0FBVSxzQkFBc0IsR0FBRyxDQUFDLENBQUM7SUFDM0MsTUFBTSxDQUFVLG9CQUFvQixHQUFHLENBQUMsQ0FBQztJQUN6QyxNQUFNLENBQVUsWUFBWSxHQUFHLENBQUMsQ0FBQztJQUNqQyxNQUFNLENBQVUsWUFBWSxHQUFHLEVBQUUsQ0FBQztJQUNsQyxNQUFNLENBQVUsa0JBQWtCLEdBQUcsRUFBRSxDQUFDO0lBQ3hDLE1BQU0sQ0FBVSxlQUFlLEdBQUcsRUFBRSxDQUFDO0lBQ3JDLE1BQU0sQ0FBVSxxQkFBcUIsR0FBRyxFQUFFLENBQUM7SUFDM0MsTUFBTSxDQUFVLGFBQWEsR0FBRyxFQUFFLENBQUM7SUFDbkMsTUFBTSxDQUFVLGFBQWEsR0FBRyxFQUFFLENBQUM7SUFDbkMsTUFBTSxDQUFVLGFBQWEsR0FBRyxFQUFFLENBQUM7SUFDbkMsTUFBTSxDQUFVLGFBQWEsR0FBRyxFQUFFLENBQUM7SUFDbkMsTUFBTSxDQUFVLGtCQUFrQixHQUFHLEVBQUUsQ0FBQztJQUV4QyxtQkFBbUI7SUFDbkIsTUFBTSxDQUFVLHFCQUFxQixHQUFHLEVBQUUsQ0FBQztJQUMzQyxNQUFNLENBQVUscUJBQXFCLEdBQUcsRUFBRSxDQUFDO0lBQzNDLE1BQU0sQ0FBVSxtQkFBbUIsR0FBRyxDQUFDLENBQUM7SUFDeEMsTUFBTSxDQUFVLGlCQUFpQixHQUFHLENBQUMsQ0FBQztJQUN0QyxNQUFNLENBQVUsZUFBZSxHQUFHLEdBQUcsQ0FBQztJQUN0QyxNQUFNLENBQVUsd0JBQXdCLEdBQUcsRUFBRSxDQUFDO0lBQzlDLE1BQU0sQ0FBVSw2QkFBNkIsR0FBRyxDQUFDLENBQUM7SUFDbEQsTUFBTSxDQUFVLG9CQUFvQixHQUFHLENBQUMsQ0FBQztJQUN6QyxNQUFNLENBQVUsa0JBQWtCLEdBQUcsQ0FBQyxDQUFDO0lBRXZDLFVBQVUsQ0FBQyxJQUFnQjtRQUN6QixNQUFNLEVBQ0osZUFBZSxFQUNmLGVBQWUsRUFDZixxQkFBcUIsRUFFckIscUJBQXFCLEVBQ3JCLHFCQUFxQixFQUNyQixtQkFBbUIsRUFDbkIsaUJBQWlCLEVBQ2pCLGVBQWUsRUFDZix3QkFBd0IsRUFDeEIsNkJBQTZCLEVBQzdCLG9CQUFvQixFQUNwQixrQkFBa0IsR0FDbkIsR0FBRyxZQUFZLENBQUM7UUFFakIsTUFBTSxZQUFZLEdBQUcsZUFBZSxHQUFHLGVBQWUsR0FBRyxxQkFBcUIsQ0FBQztRQUMvRSxJQUFJLElBQUksQ0FBQyxNQUFNLEdBQUcsWUFBWSxFQUFFLENBQUM7WUFDL0IsTUFBTSxJQUFJLG1CQUFtQixDQUMzQiw0QkFBNEIsSUFBSSxDQUFDLE1BQU0sNEJBQTRCLFlBQVksRUFBRSxDQUNsRixDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0sY0FBYyxHQUFHLEVBQUUsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUNqRCxNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsY0FBYyxFQUFFLGVBQWUsQ0FBQyxDQUFDO1FBQzFFLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxjQUFjLEVBQUUsZUFBZSxDQUFDLENBQUM7UUFDNUUsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGNBQWMsRUFBRSxxQkFBcUIsQ0FBQyxDQUFDO1FBQ25GLE1BQU0scUJBQXFCLEdBQUcsWUFBWSxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUUzRCxNQUFNLGdCQUFnQixHQUNwQixlQUFlLEdBQUcsZUFBZSxHQUFHLHFCQUFxQixHQUFHLHFCQUFxQixDQUFDO1FBQ3BGLElBQUksSUFBSSxDQUFDLE1BQU0sR0FBRyxnQkFBZ0IsRUFBRSxDQUFDO1lBQ25DLE1BQU0sSUFBSSxtQkFBbUIsQ0FDM0IsNEJBQTRCLElBQUksQ0FBQyxNQUFNLDRCQUE0QixnQkFBZ0IsRUFBRSxDQUN0RixDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0sU0FBUyxHQUFHLEVBQUUsSUFBSSxFQUFFLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxjQUFjLEVBQUUscUJBQXFCLENBQUMsRUFBRSxDQUFDO1FBRTFGLE1BQU0sY0FBYyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLEVBQUUscUJBQXFCLENBQUMsQ0FBQztRQUNoRixNQUFNLG1CQUFtQixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLEVBQUUscUJBQXFCLENBQUMsQ0FBQztRQUVyRixNQUFNLFlBQVksR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsU0FBUyxFQUFFLG1CQUFtQixDQUFDLENBQUMsWUFBWSxFQUFFLENBQUMsQ0FBQyxZQUFZO1FBQ3hHLElBQUksWUFBWSxLQUFLLENBQUM7WUFDcEIsTUFBTSxJQUFJLG1CQUFtQixDQUFDLGtDQUFrQyxZQUFZLGNBQWMsQ0FBQyxDQUFDO1FBRTlGLE1BQU0sWUFBWSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLEVBQUUsaUJBQWlCLENBQUMsQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUV6RixJQUFJLFNBQVMsQ0FBQyxJQUFJLENBQUMsTUFBTSxHQUFHLFlBQVk7WUFDdEMsTUFBTSxJQUFJLG1CQUFtQixDQUMzQiwrQkFBK0IsSUFBSSxDQUFDLE1BQU0sNEJBQTRCLFlBQVksRUFBRSxDQUNyRixDQUFDO1FBRUosTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFNBQVMsRUFBRSxlQUFlLENBQUMsQ0FBQztRQUNwRSxNQUFNLGlCQUFpQixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLEVBQUUsd0JBQXdCLENBQUMsQ0FBQztRQUV0RixNQUFNLHdCQUF3QixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FDckQsU0FBUyxFQUNULDZCQUE2QixDQUM5QixDQUFDLFlBQVksRUFBRSxDQUFDO1FBRWpCLElBQUksU0FBUyxDQUFDLElBQUksQ0FBQyxNQUFNLEdBQUcsd0JBQXdCO1lBQ2xELE1BQU0sSUFBSSxtQkFBbUIsQ0FDM0IsMkNBQTJDLElBQUksQ0FBQyxNQUFNLDRCQUE0Qix3QkFBd0IsRUFBRSxDQUM3RyxDQUFDO1FBRUosTUFBTSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsU0FBUyxFQUFFLHdCQUF3QixDQUFDLENBQUM7UUFFekYsTUFBTSx1QkFBdUIsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQ3BELFNBQVMsRUFDVCxvQkFBb0IsQ0FDckIsQ0FBQyxZQUFZLEVBQUUsQ0FBQyxDQUFDLFlBQVk7UUFDOUIsSUFBSSx1QkFBdUIsS0FBSyxDQUFDO1lBQy9CLE1BQU0sSUFBSSxtQkFBbUIsQ0FDM0IsbUNBQW1DLHVCQUF1QixjQUFjLENBQ3pFLENBQUM7UUFFSixNQUFNLGFBQWEsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsU0FBUyxFQUFFLGtCQUFrQixDQUFDLENBQUMsWUFBWSxFQUFFLENBQUM7UUFFM0YsSUFBSSxTQUFTLENBQUMsSUFBSSxDQUFDLE1BQU0sR0FBRyxhQUFhO1lBQ3ZDLE1BQU0sSUFBSSxtQkFBbUIsQ0FDM0IsZ0NBQWdDLElBQUksQ0FBQyxNQUFNLDRCQUE0QixhQUFhLEVBQUUsQ0FDdkYsQ0FBQztRQUVKLE1BQU0sbUJBQW1CLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFNBQVMsRUFBRSxhQUFhLENBQUMsQ0FBQztRQUU3RSxNQUFNLFNBQVMsR0FBRyxVQUFVLENBQUMsbUJBQW1CLENBQUMsUUFBUSxFQUFFLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQywyQkFBMkI7UUFDL0YsTUFBTSxTQUFTLEdBQUcsU0FBUyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO1FBRTdELE9BQU87WUFDTCxTQUFTLEVBQUUsU0FBUyxDQUFDLEdBQUc7WUFDeEIsU0FBUztZQUNULE1BQU0sRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLFNBQVMsQ0FBQztZQUNuQyxXQUFXO1lBQ1gsY0FBYztZQUNkLG1CQUFtQjtZQUNuQixZQUFZO1lBQ1osUUFBUTtZQUNSLGlCQUFpQjtZQUNqQixvQkFBb0I7WUFDcEIsdUJBQXVCO1lBQ3ZCLG1CQUFtQjtZQUNuQixZQUFZLEVBQUU7Z0JBQ1osTUFBTSxFQUFFO29CQUNOLEdBQUcsRUFBRSxTQUFTLENBQUMsQ0FBQyxDQUFDO29CQUNqQixRQUFRLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztpQkFDdkI7Z0JBQ0QsUUFBUSxFQUFFO29CQUNSLEdBQUcsRUFBRSxTQUFTLENBQUMsQ0FBQyxDQUFDO29CQUNqQixRQUFRLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztpQkFDdkI7Z0JBQ0QsSUFBSSxFQUFFO29CQUNKLEdBQUcsRUFBRSxTQUFTLENBQUMsQ0FBQyxDQUFDO29CQUNqQixRQUFRLEVBQUUsU0FBUyxDQUFDLENBQUMsQ0FBQztpQkFDdkI7YUFDRjtTQUNGLENBQUM7SUFDSixDQUFDO0lBRUQsV0FBVyxDQUFDLElBQWdCO1FBQzFCLE1BQU0sRUFDSixpQkFBaUIsRUFDakIsNEJBQTRCLEVBQzVCLGlCQUFpQixFQUNqQixtQkFBbUIsRUFDbkIsbUJBQW1CLEVBQ25CLG9CQUFvQixFQUNwQixrQkFBa0IsR0FDbkIsR0FBRyxZQUFZLENBQUM7UUFFakIsTUFBTSxlQUFlLEdBQUcsRUFBRSxJQUFJLEVBQUUsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO1FBRWxELE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxlQUFlLEVBQUUsaUJBQWlCLENBQUMsQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUMxRixNQUFNLGtCQUFrQixHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FDL0MsZUFBZSxFQUNmLDRCQUE0QixDQUM3QixDQUFDLFlBQVksRUFBRSxDQUFDO1FBQ2pCLE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxlQUFlLEVBQUUsaUJBQWlCLENBQUMsQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUMxRixNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsZUFBZSxFQUFFLG1CQUFtQixDQUFDLENBQUM7UUFDL0UsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGVBQWUsRUFBRSxtQkFBbUIsQ0FBQyxDQUFDO1FBQy9FLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxlQUFlLEVBQUUsb0JBQW9CLENBQUMsQ0FBQztRQUNqRixNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsZUFBZSxFQUFFLGtCQUFrQixDQUFDLENBQUM7UUFFN0UsT0FBTztZQUNMLE9BQU87WUFDUCxrQkFBa0I7WUFDbEIsT0FBTztZQUNQLFNBQVM7WUFDVCxTQUFTO1lBQ1QsVUFBVTtZQUNWLFFBQVE7U0FDVCxDQUFDO0lBQ0osQ0FBQztJQUVELFNBQVMsQ0FBQyxJQUFnQjtRQUN4QixNQUFNLEVBQ0osaUJBQWlCLEVBQ2pCLGNBQWMsRUFDZCxvQkFBb0IsRUFDcEIsc0JBQXNCLEVBQ3RCLG9CQUFvQixFQUNwQixZQUFZLEVBQ1osWUFBWSxFQUNaLGtCQUFrQixFQUNsQixlQUFlLEVBQ2YscUJBQXFCLEVBQ3JCLGFBQWEsRUFDYixhQUFhLEVBQ2IsYUFBYSxFQUNiLGFBQWEsRUFDYixrQkFBa0IsRUFDbEIsa0JBQWtCLEdBQ25CLEdBQUcsWUFBWSxDQUFDO1FBRWpCLE1BQU0sYUFBYSxHQUFHLEVBQUUsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUVoRCxJQUFJLGFBQWEsQ0FBQyxJQUFJLENBQUMsTUFBTSxLQUFLLFlBQVksQ0FBQyxlQUFlO1lBQzVELE1BQU0sSUFBSSxtQkFBbUIsQ0FDM0IsMkJBQTJCLGFBQWEsQ0FBQyxJQUFJLENBQUMsTUFBTSxjQUFjLFlBQVksQ0FBQyxlQUFlLEVBQUUsQ0FDakcsQ0FBQztRQUVKLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLEVBQUUsaUJBQWlCLENBQUMsQ0FBQztRQUMzRSxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLGNBQWMsQ0FBQyxDQUFDO1FBQ3JFLE1BQU0sWUFBWSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLEVBQUUsb0JBQW9CLENBQUMsQ0FBQztRQUNqRixNQUFNLGNBQWMsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLHNCQUFzQixDQUFDLENBQUM7UUFDckYsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxvQkFBb0IsQ0FBQyxDQUFDO1FBQ2pGLE1BQU0sSUFBSSxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLEVBQUUsWUFBWSxDQUFDLENBQUM7UUFDakUsTUFBTSxJQUFJLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxZQUFZLENBQUMsQ0FBQztRQUNqRSxNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLGtCQUFrQixDQUFDLENBQUM7UUFDN0UsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxlQUFlLENBQUMsQ0FBQztRQUN2RSxNQUFNLGFBQWEsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLHFCQUFxQixDQUFDLENBQUM7UUFDbkYsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxhQUFhLENBQUMsQ0FBQztRQUNuRSxNQUFNLEtBQUssR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLGFBQWEsQ0FBQyxDQUFDO1FBQ25FLE1BQU0sS0FBSyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxhQUFhLEVBQUUsYUFBYSxDQUFDLENBQUM7UUFDbkUsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxhQUFhLENBQUMsQ0FBQztRQUNuRSxNQUFNLFVBQVUsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsYUFBYSxFQUFFLGtCQUFrQixDQUFDLENBQUM7UUFDN0UsTUFBTSxRQUFRLEdBQUcsVUFBVSxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsa0JBQWtCLENBQUMsQ0FBQztRQUN6RCxPQUFPO1lBQ0wsU0FBUztZQUNULE1BQU07WUFDTixZQUFZO1lBQ1osY0FBYztZQUNkLFlBQVk7WUFDWixJQUFJO1lBQ0osSUFBSTtZQUNKLFVBQVU7WUFDVixPQUFPO1lBQ1AsYUFBYTtZQUNiLEtBQUs7WUFDTCxLQUFLO1lBQ0wsS0FBSztZQUNMLEtBQUs7WUFDTCxVQUFVO1lBQ1YsUUFBUTtTQUNULENBQUM7SUFDSixDQUFDIn0=

package/dist/mjs/tee/TeeCertificateService.d.ts

@@ -0,0 +1,20 @@
+export declare enum ValidateTeeCertChainErrorCode {
+    CERT_CHAIN_IS_INVALID = "CERT_CHAIN_IS_INVALID",
+    NOT_ALLOWED_CHALLENGE = "NOT_ALLOWED_CHALLENGE",
+    CHALLENGE_IS_INVALID = "CHALLENGE_IS_INVALID"
+}
+export interface ValidateTeeCertChainResult {
+    isValid: boolean;
+    errorCode?: string;
+    errorMessage?: string;
+}
+export declare class TeeCertificateService {
+    static validateTeeCertChainOrFail(certsPem: string): Promise<void>;
+    static validateTeeCertChain(certsPem: string): Promise<ValidateTeeCertChainResult>;
+    private static validateChallenge;
+    private static validateGpuChallenge;
+    private static validateChallengeSgx;
+    private static validateChallengeId;
+    private static getGpuInfoFromCert;
+    private static validateCertificateWithSubtype;
+}

package/dist/mjs/tee/TeeCertificateService.js

@@ -0,0 +1,139 @@
+import { SUPERPROTOCOL_CA } from '../constants.js';
+import { ChallengeType, OID_CUSTOM_EXTENSION_CHALLENGE_CERTIFICATE_ID, OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID, OID_CUSTOM_EXTENSION_CHALLENGE_ID, OID_CUSTOM_EXTENSION_CHALLENGE_SUBTYPE, OID_CUSTOM_EXTENSION_CHALLENGE_TYPE, OID_CUSTOM_EXTENSION_NVIDIA_INFO_GPU, } from '@super-protocol/pki-common';
+import { TeeSignatureVerifier } from './TeeSignatureVerifier.js';
+import { InvalidSignatureError, NotAllowedChallengeError } from './errors.js';
+import { CertificatesHelper } from '../certificates/index.js';
+import { NvtrustGPUList } from '../proto/Nvtrust.js';
+export var ValidateTeeCertChainErrorCode;
+(function (ValidateTeeCertChainErrorCode) {
+    ValidateTeeCertChainErrorCode["CERT_CHAIN_IS_INVALID"] = "CERT_CHAIN_IS_INVALID";
+    ValidateTeeCertChainErrorCode["NOT_ALLOWED_CHALLENGE"] = "NOT_ALLOWED_CHALLENGE";
+    ValidateTeeCertChainErrorCode["CHALLENGE_IS_INVALID"] = "CHALLENGE_IS_INVALID";
+})(ValidateTeeCertChainErrorCode || (ValidateTeeCertChainErrorCode = {}));
+export class TeeCertificateService {
+    static async validateTeeCertChainOrFail(certsPem) {
+        const result = await TeeCertificateService.validateTeeCertChain(certsPem);
+        if (!result.isValid) {
+            throw new Error(result.errorMessage);
+        }
+    }
+    static async validateTeeCertChain(certsPem) {
+        const { isValid, errorMessage } = await CertificatesHelper.validateCertChain(certsPem, SUPERPROTOCOL_CA);
+        if (!isValid) {
+            return {
+                isValid: false,
+                errorCode: ValidateTeeCertChainErrorCode.CERT_CHAIN_IS_INVALID,
+                errorMessage: `Cert chain is invalid! (${errorMessage})`,
+            };
+        }
+        // ROOT CA doesn't have challenge. but we trust it as it is in SUPERPROTOCOL_CA constant
+        const { certs } = CertificatesHelper.extractCAFromChain(certsPem);
+        const sortedCerts = CertificatesHelper.sortCertsFromLeafToRoot(certs).map((certWithKeyIdent) => certWithKeyIdent.cert);
+        try {
+            await Promise.all(sortedCerts.map((cert) => TeeCertificateService.validateChallenge(cert)));
+            const leafCert = sortedCerts[0];
+            await TeeCertificateService.validateGpuChallenge(leafCert);
+        }
+        catch (err) {
+            return {
+                isValid: false,
+                errorCode: err instanceof NotAllowedChallengeError
+                    ? ValidateTeeCertChainErrorCode.NOT_ALLOWED_CHALLENGE
+                    : ValidateTeeCertChainErrorCode.CHALLENGE_IS_INVALID,
+                errorMessage: `Challenge is not valid! (${err.message})`,
+            };
+        }
+        return { isValid: true };
+    }
+    static async validateChallenge(cert) {
+        const challengeType = CertificatesHelper.getExtensionValue(cert, OID_CUSTOM_EXTENSION_CHALLENGE_TYPE)?.toString('binary');
+        if (challengeType === ChallengeType.Untrusted) {
+            throw new NotAllowedChallengeError(`Cert chain has cert with Untrusted challenge`);
+        }
+        switch (challengeType) {
+            case ChallengeType.SGXDCAP:
+                TeeCertificateService.validateChallengeSgx(cert);
+                break;
+            case ChallengeType.TDX:
+            case ChallengeType.SEVSNP:
+                await TeeCertificateService.validateChallengeId(cert, challengeType);
+                break;
+            case ChallengeType.Certificate:
+            case ChallengeType.Token:
+                await TeeCertificateService.validateCertificateWithSubtype(cert, challengeType);
+                break;
+            default:
+                throw new NotAllowedChallengeError(`Challenge type ${challengeType || `[none]`} is missing or not allowed!`);
+        }
+    }
+    static validateGpuChallenge(cert) {
+        const gpusInfo = TeeCertificateService.getGpuInfoFromCert(cert);
+        const gpusInDebugMode = gpusInfo.filter((gpu) => gpu.dbgStat);
+        if (gpusInDebugMode.length) {
+            throw new Error(`The certificate contains information about GPU that is running in debug mode: ${JSON.stringify(gpusInDebugMode)}`);
+        }
+    }
+    static validateChallengeSgx(cert) {
+        const mrSignerBinaryString = CertificatesHelper.getExtensionValue(cert, OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID);
+        if (!mrSignerBinaryString) {
+            throw new Error(`SGX challenge signature is wrong!`);
+        }
+        try {
+            TeeSignatureVerifier.validateSignatureSgx(mrSignerBinaryString);
+        }
+        catch (err) {
+            throw new Error(`SGX challenge signature is wrong!`);
+        }
+    }
+    static async validateChallengeId(cert, challengeType) {
+        const oid = challengeType === ChallengeType.Certificate
+            ? OID_CUSTOM_EXTENSION_CHALLENGE_CERTIFICATE_ID
+            : OID_CUSTOM_EXTENSION_CHALLENGE_ID;
+        const mrEnclaveBinaryString = CertificatesHelper.getExtensionValue(cert, oid);
+        if (!mrEnclaveBinaryString) {
+            throw new Error(`Challenge id is missing in certificate!`);
+        }
+        try {
+            await TeeSignatureVerifier.validateSignature(mrEnclaveBinaryString, challengeType);
+        }
+        catch (err) {
+            const message = `${challengeType} signature is invalid!`;
+            if (err instanceof InvalidSignatureError) {
+                throw new Error(`${message} ${err.message}`);
+            }
+            throw new Error(message);
+        }
+    }
+    static getGpuInfoFromCert(cert) {
+        let gpusInfo = { gpus: [] };
+        const gpusInfoRaw = CertificatesHelper.getExtensionValue(cert, OID_CUSTOM_EXTENSION_NVIDIA_INFO_GPU);
+        if (gpusInfoRaw) {
+            try {
+                gpusInfo = NvtrustGPUList.decode(gpusInfoRaw);
+            }
+            catch (err) {
+                const message = 'Failed to decode GPU info';
+                if (err instanceof Error) {
+                    throw new Error(`${message} ${err.message}`);
+                }
+                throw new Error(message);
+            }
+        }
+        return gpusInfo.gpus;
+    }
+    static async validateCertificateWithSubtype(cert, challengeType) {
+        if (challengeType === ChallengeType.Certificate) {
+            await TeeCertificateService.validateChallengeId(cert, ChallengeType.Certificate);
+        }
+        const subType = CertificatesHelper.getExtensionValue(cert, OID_CUSTOM_EXTENSION_CHALLENGE_SUBTYPE)?.toString('binary');
+        switch (subType) {
+            case ChallengeType.TDX:
+            case ChallengeType.SEVSNP:
+                await TeeCertificateService.validateChallengeId(cert, subType);
+                break;
+            default:
+                throw new Error(`Unsupported subtype: ${subType}`);
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiVGVlQ2VydGlmaWNhdGVTZXJ2aWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3RlZS9UZWVDZXJ0aWZpY2F0ZVNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLGdCQUFnQixFQUFFLE1BQU0saUJBQWlCLENBQUM7QUFDbkQsT0FBTyxFQUNMLGFBQWEsRUFDYiw2Q0FBNkMsRUFDN0Msd0NBQXdDLEVBQ3hDLGlDQUFpQyxFQUNqQyxzQ0FBc0MsRUFDdEMsbUNBQW1DLEVBQ25DLG9DQUFvQyxHQUNyQyxNQUFNLDRCQUE0QixDQUFDO0FBQ3BDLE9BQU8sRUFBRSxvQkFBb0IsRUFBRSxNQUFNLDJCQUEyQixDQUFDO0FBQ2pFLE9BQU8sRUFBRSxxQkFBcUIsRUFBRSx3QkFBd0IsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUM5RSxPQUFPLEVBQUUsa0JBQWtCLEVBQUUsTUFBTSwwQkFBMEIsQ0FBQztBQUM5RCxPQUFPLEVBQWtCLGNBQWMsRUFBRSxNQUFNLHFCQUFxQixDQUFDO0FBR3JFLE1BQU0sQ0FBTixJQUFZLDZCQUlYO0FBSkQsV0FBWSw2QkFBNkI7SUFDdkMsZ0ZBQStDLENBQUE7SUFDL0MsZ0ZBQStDLENBQUE7SUFDL0MsOEVBQTZDLENBQUE7QUFDL0MsQ0FBQyxFQUpXLDZCQUE2QixLQUE3Qiw2QkFBNkIsUUFJeEM7QUFPRCxNQUFNLE9BQU8scUJBQXFCO0lBQ2hDLE1BQU0sQ0FBQyxLQUFLLENBQUMsMEJBQTBCLENBQUMsUUFBZ0I7UUFDdEQsTUFBTSxNQUFNLEdBQUcsTUFBTSxxQkFBcUIsQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUMxRSxJQUFJLENBQUMsTUFBTSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ3BCLE1BQU0sSUFBSSxLQUFLLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDO1FBQ3ZDLENBQUM7SUFDSCxDQUFDO0lBRUQsTUFBTSxDQUFDLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQyxRQUFnQjtRQUNoRCxNQUFNLEVBQUUsT0FBTyxFQUFFLFlBQVksRUFBRSxHQUFHLE1BQU0sa0JBQWtCLENBQUMsaUJBQWlCLENBQzFFLFFBQVEsRUFDUixnQkFBZ0IsQ0FDakIsQ0FBQztRQUVGLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE9BQU87Z0JBQ0wsT0FBTyxFQUFFLEtBQUs7Z0JBQ2QsU0FBUyxFQUFFLDZCQUE2QixDQUFDLHFCQUFxQjtnQkFDOUQsWUFBWSxFQUFFLDJCQUEyQixZQUFZLEdBQUc7YUFDekQsQ0FBQztRQUNKLENBQUM7UUFFRCx3RkFBd0Y7UUFDeEYsTUFBTSxFQUFFLEtBQUssRUFBRSxHQUFHLGtCQUFrQixDQUFDLGtCQUFrQixDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQ2xFLE1BQU0sV0FBVyxHQUFHLGtCQUFrQixDQUFDLHVCQUF1QixDQUFDLEtBQUssQ0FBQyxDQUFDLEdBQUcsQ0FDdkUsQ0FBQyxnQkFBZ0IsRUFBRSxFQUFFLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUM1QyxDQUFDO1FBRUYsSUFBSSxDQUFDO1lBQ0gsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLHFCQUFxQixDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUU1RixNQUFNLFFBQVEsR0FBRyxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7WUFDaEMsTUFBTSxxQkFBcUIsQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUM3RCxDQUFDO1FBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztZQUNiLE9BQU87Z0JBQ0wsT0FBTyxFQUFFLEtBQUs7Z0JBQ2QsU0FBUyxFQUNQLEdBQUcsWUFBWSx3QkFBd0I7b0JBQ3JDLENBQUMsQ0FBQyw2QkFBNkIsQ0FBQyxxQkFBcUI7b0JBQ3JELENBQUMsQ0FBQyw2QkFBNkIsQ0FBQyxvQkFBb0I7Z0JBQ3hELFlBQVksRUFBRSw0QkFBNkIsR0FBYSxDQUFDLE9BQU8sR0FBRzthQUNwRSxDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLENBQUM7SUFDM0IsQ0FBQztJQUVPLE1BQU0sQ0FBQyxLQUFLLENBQUMsaUJBQWlCLENBQUMsSUFBZ0M7UUFDckUsTUFBTSxhQUFhLEdBQUcsa0JBQWtCLENBQUMsaUJBQWlCLENBQ3hELElBQUksRUFDSixtQ0FBbUMsQ0FDcEMsRUFBRSxRQUFRLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFdEIsSUFBSSxhQUFhLEtBQUssYUFBYSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQzlDLE1BQU0sSUFBSSx3QkFBd0IsQ0FBQyw4Q0FBOEMsQ0FBQyxDQUFDO1FBQ3JGLENBQUM7UUFFRCxRQUFRLGFBQWEsRUFBRSxDQUFDO1lBQ3RCLEtBQUssYUFBYSxDQUFDLE9BQU87Z0JBQ3hCLHFCQUFxQixDQUFDLG9CQUFvQixDQUFDLElBQUksQ0FBQyxDQUFDO2dCQUNqRCxNQUFNO1lBQ1IsS0FBSyxhQUFhLENBQUMsR0FBRyxDQUFDO1lBQ3ZCLEtBQUssYUFBYSxDQUFDLE1BQU07Z0JBQ3ZCLE1BQU0scUJBQXFCLENBQUMsbUJBQW1CLENBQUMsSUFBSSxFQUFFLGFBQWEsQ0FBQyxDQUFDO2dCQUNyRSxNQUFNO1lBQ1IsS0FBSyxhQUFhLENBQUMsV0FBVyxDQUFDO1lBQy9CLEtBQUssYUFBYSxDQUFDLEtBQUs7Z0JBQ3RCLE1BQU0scUJBQXFCLENBQUMsOEJBQThCLENBQUMsSUFBSSxFQUFFLGFBQWEsQ0FBQyxDQUFDO2dCQUNoRixNQUFNO1lBRVI7Z0JBQ0UsTUFBTSxJQUFJLHdCQUF3QixDQUNoQyxrQkFBa0IsYUFBYSxJQUFJLFFBQVEsNkJBQTZCLENBQ3pFLENBQUM7UUFDTixDQUFDO0lBQ0gsQ0FBQztJQUVPLE1BQU0sQ0FBQyxvQkFBb0IsQ0FBQyxJQUFnQztRQUNsRSxNQUFNLFFBQVEsR0FBRyxxQkFBcUIsQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUNoRSxNQUFNLGVBQWUsR0FBRyxRQUFRLENBQUMsTUFBTSxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDOUQsSUFBSSxlQUFlLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDM0IsTUFBTSxJQUFJLEtBQUssQ0FDYixpRkFBaUYsSUFBSSxDQUFDLFNBQVMsQ0FBQyxlQUFlLENBQUMsRUFBRSxDQUNuSCxDQUFDO1FBQ0osQ0FBQztJQUNILENBQUM7SUFFTyxNQUFNLENBQUMsb0JBQW9CLENBQUMsSUFBZ0M7UUFDbEUsTUFBTSxvQkFBb0IsR0FBRyxrQkFBa0IsQ0FBQyxpQkFBaUIsQ0FDL0QsSUFBSSxFQUNKLHdDQUF3QyxDQUN6QyxDQUFDO1FBQ0YsSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7WUFDMUIsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO1FBQ3ZELENBQUM7UUFFRCxJQUFJLENBQUM7WUFDSCxvQkFBb0IsQ0FBQyxvQkFBb0IsQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1FBQ2xFLENBQUM7UUFBQyxPQUFPLEdBQUcsRUFBRSxDQUFDO1lBQ2IsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO1FBQ3ZELENBQUM7SUFDSCxDQUFDO0lBRU8sTUFBTSxDQUFDLEtBQUssQ0FBQyxtQkFBbUIsQ0FDdEMsSUFBZ0MsRUFDaEMsYUFBNEI7UUFFNUIsTUFBTSxHQUFHLEdBQ1AsYUFBYSxLQUFLLGFBQWEsQ0FBQyxXQUFXO1lBQ3pDLENBQUMsQ0FBQyw2Q0FBNkM7WUFDL0MsQ0FBQyxDQUFDLGlDQUFpQyxDQUFDO1FBQ3hDLE1BQU0scUJBQXFCLEdBQUcsa0JBQWtCLENBQUMsaUJBQWlCLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxDQUFDO1FBQzlFLElBQUksQ0FBQyxxQkFBcUIsRUFBRSxDQUFDO1lBQzNCLE1BQU0sSUFBSSxLQUFLLENBQUMseUNBQXlDLENBQUMsQ0FBQztRQUM3RCxDQUFDO1FBRUQsSUFBSSxDQUFDO1lBQ0gsTUFBTSxvQkFBb0IsQ0FBQyxpQkFBaUIsQ0FBQyxxQkFBcUIsRUFBRSxhQUFhLENBQUMsQ0FBQztRQUNyRixDQUFDO1FBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztZQUNiLE1BQU0sT0FBTyxHQUFHLEdBQUcsYUFBYSx3QkFBd0IsQ0FBQztZQUN6RCxJQUFJLEdBQUcsWUFBWSxxQkFBcUIsRUFBRSxDQUFDO2dCQUN6QyxNQUFNLElBQUksS0FBSyxDQUFDLEdBQUcsT0FBTyxJQUFJLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1lBQy9DLENBQUM7WUFDRCxNQUFNLElBQUksS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQzNCLENBQUM7SUFDSCxDQUFDO0lBRU8sTUFBTSxDQUFDLGtCQUFrQixDQUFDLElBQWdDO1FBQ2hFLElBQUksUUFBUSxHQUFtQixFQUFFLElBQUksRUFBRSxFQUFFLEVBQUUsQ0FBQztRQUM1QyxNQUFNLFdBQVcsR0FBRyxrQkFBa0IsQ0FBQyxpQkFBaUIsQ0FDdEQsSUFBSSxFQUNKLG9DQUFvQyxDQUNyQyxDQUFDO1FBRUYsSUFBSSxXQUFXLEVBQUUsQ0FBQztZQUNoQixJQUFJLENBQUM7Z0JBQ0gsUUFBUSxHQUFHLGNBQWMsQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDLENBQUM7WUFDaEQsQ0FBQztZQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7Z0JBQ2IsTUFBTSxPQUFPLEdBQUcsMkJBQTJCLENBQUM7Z0JBQzVDLElBQUksR0FBRyxZQUFZLEtBQUssRUFBRSxDQUFDO29CQUN6QixNQUFNLElBQUksS0FBSyxDQUFDLEdBQUcsT0FBTyxJQUFJLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO2dCQUMvQyxDQUFDO2dCQUNELE1BQU0sSUFBSSxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDM0IsQ0FBQztRQUNILENBQUM7UUFDRCxPQUFPLFFBQVEsQ0FBQyxJQUFJLENBQUM7SUFDdkIsQ0FBQztJQUVPLE1BQU0sQ0FBQyxLQUFLLENBQUMsOEJBQThCLENBQ2pELElBQWdDLEVBQ2hDLGFBQTRCO1FBRTVCLElBQUksYUFBYSxLQUFLLGFBQWEsQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNoRCxNQUFNLHFCQUFxQixDQUFDLG1CQUFtQixDQUFDLElBQUksRUFBRSxhQUFhLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDbkYsQ0FBQztRQUVELE1BQU0sT0FBTyxHQUFHLGtCQUFrQixDQUFDLGlCQUFpQixDQUNsRCxJQUFJLEVBQ0osc0NBQXNDLENBQ3ZDLEVBQUUsUUFBUSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBRXRCLFFBQVEsT0FBTyxFQUFFLENBQUM7WUFDaEIsS0FBSyxhQUFhLENBQUMsR0FBRyxDQUFDO1lBQ3ZCLEtBQUssYUFBYSxDQUFDLE1BQU07Z0JBQ3ZCLE1BQU0scUJBQXFCLENBQUMsbUJBQW1CLENBQUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxDQUFDO2dCQUMvRCxNQUFNO1lBQ1I7Z0JBQ0UsTUFBTSxJQUFJLEtBQUssQ0FBQyx3QkFBd0IsT0FBTyxFQUFFLENBQUMsQ0FBQztRQUN2RCxDQUFDO0lBQ0gsQ0FBQztDQUNGIn0=

package/dist/mjs/tee/TeeSignatureVerifier.d.ts

@@ -0,0 +1,24 @@
+/// <reference types="node" />
+import { BinaryType, GetSignatureOptions } from './types.js';
+import { ChallengeType } from '@super-protocol/pki-common';
+export type GetMrEnclaveSignatureFn = (mrEnclave: Buffer, challengeType: ChallengeType) => Promise<Buffer>;
+export type CheckSignatureOptions = {
+    getMrEnclaveSignature: GetMrEnclaveSignatureFn;
+};
+export declare const SignatureFolderMap: Partial<Record<ChallengeType, string>>;
+export declare class TeeSignatureVerifier {
+    /**
+     * Validates tee signature for SGX
+     * @param mrSigner - Buffer
+     * @throws Error If signature validation fails
+     */
+    static validateSignatureSgx(mrSigner: BinaryType): void;
+    /**
+     * Validates TDX and SEV-SNP TEE signature by verifying the MRENCLAVE
+     * @param mrEnclave - Binary measurement of the TEE environment to verify
+     * @param options - Configuration for signature validation, including getMrEnclaveSignature callback
+     * @throws Error If signature validation fails or signature cannot be retrieved
+     */
+    static validateSignature(mrEnclave: BinaryType, challengeType: ChallengeType, options?: CheckSignatureOptions): Promise<void>;
+    static getSignature(mrEnclave: Buffer, challengeType: ChallengeType, options?: GetSignatureOptions): Promise<Buffer>;
+}