pi-privacy 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "pi-privacy",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.1",
|
|
4
4
|
"description": "Privacy posture + TEE attestation for Pi providers: cryptographically verified confidential-enclave (TEE) inference, enforced/labeled zero-data-retention (ZDR), and on-device detection — honestly graded so a verified guarantee never reads like a claimed one.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"license": "MIT",
|
|
@@ -168,11 +168,19 @@ export const httpsTransport: TinfoilTransport = (host) =>
|
|
|
168
168
|
path: url.pathname,
|
|
169
169
|
method: "GET",
|
|
170
170
|
timeout: TIMEOUT_MS,
|
|
171
|
+
// Force a fresh connection + full TLS handshake every time. A pooled/
|
|
172
|
+
// resumed TLS session skips re-sending the server cert, so
|
|
173
|
+
// getPeerCertificate() returns {} on the abbreviated handshake and the
|
|
174
|
+
// key binding silently fails (posture flips green→yellow on re-verify).
|
|
175
|
+
// Attestation must observe a real handshake anyway, so no session reuse.
|
|
176
|
+
agent: false,
|
|
171
177
|
},
|
|
172
178
|
(res) => {
|
|
173
179
|
let liveTlsKeyFp: string | undefined;
|
|
174
180
|
try {
|
|
175
|
-
|
|
181
|
+
// getPeerCertificate(true) → include the full chain / raw DER even when
|
|
182
|
+
// the default view would omit it.
|
|
183
|
+
const peer = (res.socket as TLSSocket).getPeerCertificate(true);
|
|
176
184
|
if (peer?.raw) {
|
|
177
185
|
const spki = new X509Certificate(peer.raw).publicKey.export({ type: "spki", format: "der" });
|
|
178
186
|
liveTlsKeyFp = createHash("sha256").update(spki).digest("hex");
|