routex-settlement 0.1.1

package/index.d.ts

@@ -0,0 +1,21 @@
+export declare class KeySettlement {
+    private _url;
+    private _onErrorResponse;
+    private _secretKey;
+    private _requirements;
+    private _yaxiSigningKeys;
+    private _serverKey?;
+    private _measurement?;
+    constructor(url: URL, onErrorResponse: (response: Response) => void);
+    private _settle;
+    measurement(): Uint8Array | undefined;
+    private _getServerKey;
+    getBase64SessionId(settlementHeaders?: HeadersInit): Promise<string>;
+    seal(plaintext: Uint8Array, settlementHeaders?: HeadersInit): Promise<Uint8Array>;
+    unseal(ciphertext: Uint8Array): Uint8Array;
+    private _verifyAttestation;
+    private _verifyReport;
+    private _verifyVcekChain;
+}
+export declare function binaryStringToBytes(binaryString: string): Uint8Array<ArrayBuffer>;
+export declare function bytesToBinaryString(bytes: Uint8Array): string;

package/index.js

@@ -0,0 +1,402 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { chacha20poly1305 } from "@noble/ciphers/chacha";
+import { bytesToUtf8 } from "@noble/ciphers/utils";
+import { bytesToNumberLE, equalBytes } from "@noble/curves/abstract/utils";
+import { ed25519, x25519 } from "@noble/curves/ed25519";
+import { blake2b } from "@noble/hashes/blake2b";
+import { p384 } from "@noble/curves/p384";
+import { hkdf } from "@noble/hashes/hkdf";
+import { wrapConstructor } from "@noble/hashes/utils";
+import { sha256 } from "@noble/hashes/sha2";
+import * as x509 from "@peculiar/x509";
+import { AsnConvert } from "@peculiar/asn1-schema";
+import { SubjectPublicKeyInfo } from "@peculiar/asn1-x509";
+const REQUIREMENTS = {
+    Genoa: {
+        minCommittedVersion: [0x1, 0x37, 0x26],
+        minCommitedTcbSnp: 0x16,
+    },
+    Milan: {
+        minCommittedVersion: [0x1, 0x37, 0x16],
+        minCommitedTcbSnp: 0x17,
+    },
+};
+const YAXI_SIGNING_KEYS = {
+    "AhrUXsV/XAvIE24RQ/Vt/zXoLodvjXoWD2fhLGuRM7U=": new Uint8Array([
+        101, 188, 76, 33, 245, 155, 42, 79, 214, 181, 125, 49, 68, 133, 87, 232,
+        123, 91, 209, 21, 239, 36, 195, 215, 82, 140, 160, 195, 236, 111, 180, 226,
+    ]),
+    "D30zRYe8Ug9732b4Pe2BAwWAXn/T5Nss2HJOp3kLC1w=": new Uint8Array([
+        8, 203, 107, 97, 17, 140, 16, 240, 29, 197, 104, 26, 179, 115, 86, 2, 210,
+        73, 107, 211, 46, 34, 89, 174, 117, 193, 126, 215, 12, 133, 106, 37,
+    ]),
+};
+const ROOT_STORE = new x509.X509ChainBuilder({
+    certificates: [
+        // ARK-Genoa
+        new x509.X509Certificate(`
+-----BEGIN CERTIFICATE-----
+MIIGiTCCBDigAwIBAgIDAgACMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstR2Vub2EwHhcNMjIxMDMxMTMzMzQ4WhcNNDcxMDMx
+MTMzMzQ4WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJU0VWLUdlbm9hMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAoHJhvk4Fwwkwb03AMfLySXJSXmEaCZMTRbLg
+Paj4oEzaD9tGfxCSw/nsCAiXHQaWUt++bnbjJO05TKT5d+Cdrz4/fiRBpbhf0xzv
+h11O+wJTBPj3uCzDm48vEZ8l5SXMO4wd/QqwsrejFERPD/Hdfv1mGCMW7ac0ug8t
+rDzqGe+l+p8NMjp/EqBDY2vd8hLaVLmS+XjAqlYVNRksh9aTzSYL19/cTrBDmqQ2
+y8k23zNl2lW6q/BtQOpWGVs3EWvBHb/Qnf3f3S9+lC4H2jdDy9yn7kqyTWq4WCBn
+E4qhYJRokulYtzMZM1Ilk4Z6RPkOTR1MJ4gdFtj7lKmrkSuOoJYmqhJIsQJ854lA
+bJybgU7zyzWAwu3uaslkYKUEAQf2ja5Hyl3IBqOzpqY31SpKzbl8NXveZybRMklw
+fe4iDLI25T9ku9CVetDYifCbdGeuHdTwZBBemW4NE57L7iEV8+zz8nxng8OMX//4
+pXntWqmQbEAnBLv2ToTgd1H2zYRthyDLc3V119/+FnTW17LK6bKzTCgEnCHQEcAt
+0hDQLLF799+2lZTxxfBEoduAZax6IjgAMCi6e1ZfKPJSkdvb2m3BwfP8bniG7+AE
+Jv1WOEmnBJc1pVQCttbJUodbi07Vfen5JRUqAvSM3ObWQOzSAGzsGnpIigwFpW6m
+9F7uYVUCAwEAAaOBozCBoDAdBgNVHQ4EFgQUssZ7pDW7HJVkHAmgQf/F3EmGFVow
+HwYDVR0jBBgwFoAUn135/g3Y81rQMxol74EpT74xqFswEgYDVR0TAQH/BAgwBgEB
+/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cHM6Ly9r
+ZHNpbnRmLmFtZC5jb20vdmNlay92MS9HZW5vYS9jcmwwRgYJKoZIhvcNAQEKMDmg
+DzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKID
+AgEwowMCAQEDggIBAIgu3V2tQJOo0/6GvNmwLXbLDrsLKXqHUqdGyOZUpPHM3ujT
+aex1G+8bEgBswwBa+wNvl1SQqRqy2x2QwP+i//BcWr3lMrUxci4G7/P8hZBV821n
+rAUZtbvfqla5MrRH9AKJXWW/pmtd10czqCHkzdLQNZNjt2dnZHMQAMtGs1AtynRE
+HNwEBiH2KAt7gUc/sKWnSCipztKE76puN/XXbSx+Ws+VPiFw6CBAeI9dqnEiQ1tp
+EgqtWEtcKm7Ggb1XH6oWbISoowvc00/ADWfNom0xl6v2C6RIWYgUoZ2f7PCyV3Dt
+bu/fQfyyZvmtVLA4gB2Ehc6Omjy21Y55WY9IweHlKENMPEUVtRqOvRVI0ml9Wbal
+f049joCu2j33XPqwp3IrzevmPBDGpR2Stdm3K66a/g/BSY7Wc9/VeykP3RXlxY1T
+MMJ8F1lpg6Tmu+c+vow7cliyqOoayAnR71U8+rWrL3HRHheSVX8GPYOaDNBTt831
+Z027vDWv3811vMoxYxhuTRaokvNWCSzmJ2EWrPYHcHOtkjSFKN7ot0Rc70fIRZEY
+c2rb3ywLSicEq3JQCnnz6iCZ1tMfplzcrJ2LnW2F1C8yRV+okylyORlsaxOLKYOW
+jaDTSFaq1NIwodHp7X9fOG48uRuJWS8GmifD969sC4Ut2FJFoklceBVUNCHR
+-----END CERTIFICATE-----
+`),
+        // SEV-Genoa
+        new x509.X509Certificate(`
+-----BEGIN CERTIFICATE-----
+MIIGYzCCBBKgAwIBAgIDAgAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstR2Vub2EwHhcNMjIwMTI2MTUzNDM3WhcNNDcwMTI2
+MTUzNDM3WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLUdlbm9hMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA3Cd95S/uFOuRIskW9vz9VDBF69NDQF79oRhL
+/L2PVQGhK3YdfEBgpF/JiwWFBsT/fXDhzA01p3LkcT/7LdjcRfKXjHl+0Qq/M4dZ
+kh6QDoUeKzNBLDcBKDDGWo3v35NyrxbA1DnkYwUKU5AAk4P94tKXLp80oxt84ahy
+HoLmc/LqsGsp+oq1Bz4PPsYLwTG4iMKVaaT90/oZ4I8oibSru92vJhlqWO27d/Rx
+c3iUMyhNeGToOvgx/iUo4gGpG61NDpkEUvIzuKcaMx8IdTpWg2DF6SwF0IgVMffn
+vtJmA68BwJNWo1E4PLJdaPfBifcJpuBFwNVQIPQEVX3aP89HJSp8YbY9lySS6PlV
+EqTBBtaQmi4ATGmMR+n2K/e+JAhU2Gj7jIpJhOkdH9firQDnmlA2SFfJ/Cc0mGNz
+W9RmIhyOUnNFoclmkRhl3/AQU5Ys9Qsan1jT/EiyT+pCpmnA+y9edvhDCbOG8F2o
+xHGRdTBkylungrkXJGYiwGrR8kaiqv7NN8QhOBMqYjcbrkEr0f8QMKklIS5ruOfq
+lLMCBw8JLB3LkjpWgtD7OpxkzSsohN47Uom86RY6lp72g8eXHP1qYrnvhzaG1S70
+vw6OkbaaC9EjiH/uHgAJQGxon7u0Q7xgoREWA/e7JcBQwLg80Hq/sbRuqesxz7wB
+WSY254cCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSfXfn+Ddjz
+WtAzGiXvgSlPvjGoWzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG
+KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvR2Vub2EvY3JsMEYGCSqG
+SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI
+AWUDBAICBQCiAwIBMKMDAgEBA4ICAQAdIlPBC7DQmvH7kjlOznFx3i21SzOPDs5L
+7SgFjMC9rR07292GQCA7Z7Ulq97JQaWeD2ofGGse5swj4OQfKfVv/zaJUFjvosZO
+nfZ63epu8MjWgBSXJg5QE/Al0zRsZsp53DBTdA+Uv/s33fexdenT1mpKYzhIg/cK
+tz4oMxq8JKWJ8Po1CXLzKcfrTphjlbkh8AVKMXeBd2SpM33B1YP4g1BOdk013kqb
+7bRHZ1iB2JHG5cMKKbwRCSAAGHLTzASgDcXr9Fp7Z3liDhGu/ci1opGmkp12QNiJ
+uBbkTU+xDZHm5X8Jm99BX7NEpzlOwIVR8ClgBDyuBkBC2ljtr3ZSaUIYj2xuyWN9
+5KFY49nWxcz90CFa3Hzmy4zMQmBe9dVyls5eL5p9bkXcgRMDTbgmVZiAf4afe8DL
+dmQcYcMFQbHhgVzMiyZHGJgcCrQmA7MkTwEIds1wx/HzMcwU4qqNBAoZV7oeIIPx
+dqFXfPqHqiRlEbRDfX1TG5NFVaeByX0GyH6jzYVuezETzruaky6fp2bl2bczxPE8
+HdS38ijiJmm9vl50RGUeOAXjSuInGR4bsRufeGPB9peTa9BcBOeTWzstqTUB/F/q
+aZCIZKr4X6TyfUuSDz/1JDAGl+lxdM0P9+lLaP9NahQjHCVf0zf1c1salVuGFk2w
+/wMz1R1BHg==
+-----END CERTIFICATE-----
+`),
+        // ARK-Milan
+        new x509.X509Certificate(`
+-----BEGIN CERTIFICATE-----
+MIIGiTCCBDigAwIBAgIDAQABMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTgyNDIwWhcNNDUxMDIy
+MTgyNDIwWjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJU0VWLU1pbGFuMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAnU2drrNTfbhNQIllf+W2y+ROCbSzId1aKZft
+2T9zjZQOzjGccl17i1mIKWl7NTcB0VYXt3JxZSzOZjsjLNVAEN2MGj9TiedL+Qew
+KZX0JmQEuYjm+WKksLtxgdLp9E7EZNwNDqV1r0qRP5tB8OWkyQbIdLeu4aCz7j/S
+l1FkBytev9sbFGzt7cwnjzi9m7noqsk+uRVBp3+In35QPdcj8YflEmnHBNvuUDJh
+LCJMW8KOjP6++Phbs3iCitJcANEtW4qTNFoKW3CHlbcSCjTM8KsNbUx3A8ek5EVL
+jZWH1pt9E3TfpR6XyfQKnY6kl5aEIPwdW3eFYaqCFPrIo9pQT6WuDSP4JCYJbZne
+KKIbZjzXkJt3NQG32EukYImBb9SCkm9+fS5LZFg9ojzubMX3+NkBoSXI7OPvnHMx
+jup9mw5se6QUV7GqpCA2TNypolmuQ+cAaxV7JqHE8dl9pWf+Y3arb+9iiFCwFt4l
+AlJw5D0CTRTC1Y5YWFDBCrA/vGnmTnqG8C+jjUAS7cjjR8q4OPhyDmJRPnaC/ZG5
+uP0K0z6GoO/3uen9wqshCuHegLTpOeHEJRKrQFr4PVIwVOB0+ebO5FgoyOw43nyF
+D5UKBDxEB4BKo/0uAiKHLRvvgLbORbU8KARIs1EoqEjmF8UtrmQWV2hUjwzqwvHF
+ei8rPxMCAwEAAaOBozCBoDAdBgNVHQ4EFgQUO8ZuGCrD/T1iZEib47dHLLT8v/gw
+HwYDVR0jBBgwFoAUhawa0UP3yKxV1MUdQUir1XhK1FMwEgYDVR0TAQH/BAgwBgEB
+/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cHM6Ly9r
+ZHNpbnRmLmFtZC5jb20vdmNlay92MS9NaWxhbi9jcmwwRgYJKoZIhvcNAQEKMDmg
+DzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKID
+AgEwowMCAQEDggIBAIgeUQScAf3lDYqgWU1VtlDbmIN8S2dC5kmQzsZ/HtAjQnLE
+PI1jh3gJbLxL6gf3K8jxctzOWnkYcbdfMOOr28KT35IaAR20rekKRFptTHhe+DFr
+3AFzZLDD7cWK29/GpPitPJDKCvI7A4Ug06rk7J0zBe1fz/qe4i2/F12rvfwCGYhc
+RxPy7QF3q8fR6GCJdB1UQ5SlwCjFxD4uezURztIlIAjMkt7DFvKRh+2zK+5plVGG
+FsjDJtMz2ud9y0pvOE4j3dH5IW9jGxaSGStqNrabnnpF236ETr1/a43b8FFKL5QN
+mt8Vr9xnXRpznqCRvqjr+kVrb6dlfuTlliXeQTMlBoRWFJORL8AcBJxGZ4K2mXft
+l1jU5TLeh5KXL9NW7a/qAOIUs2FiOhqrtzAhJRg9Ij8QkQ9Pk+cKGzw6El3T3kFr
+Eg6zkxmvMuabZOsdKfRkWfhH2ZKcTlDfmH1H0zq0Q2bG3uvaVdiCtFY1LlWyB38J
+S2fNsR/Py6t5brEJCFNvzaDky6KeC4ion/cVgUai7zzS3bGQWzKDKU35SqNU2WkP
+I8xCZ00WtIiKKFnXWUQxvlKmmgZBIYPe01zD0N8atFxmWiSnfJl690B9rJpNR/fI
+ajxCW3Seiws6r1Zm+tCuVbMiNtpS9ThjNX4uve5thyfE2DgoxRFvY1CsoF5M
+-----END CERTIFICATE-----
+`),
+        // SEV-Milan
+        new x509.X509Certificate(`
+-----BEGIN CERTIFICATE-----
+MIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy
+MTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg
+W41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta
+1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2
+SzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0
+60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05
+gmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg
+bKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs
++gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi
+Qi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ
+eTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18
+fHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j
+WhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI
+rFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG
+KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG
+SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI
+AWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel
+ETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw
+STjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK
+dHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq
+zT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp
+KGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e
+pmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq
+HnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh
+3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn
+JZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH
+CViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4
+AFZEAwoKCQ==
+-----END CERTIFICATE-----
+`),
+    ],
+});
+export class KeySettlement {
+    constructor(url, onErrorResponse) {
+        this._requirements = REQUIREMENTS;
+        this._yaxiSigningKeys = YAXI_SIGNING_KEYS;
+        this._url = url;
+        this._onErrorResponse = onErrorResponse;
+        this._secretKey = x25519.utils.randomPrivateKey();
+    }
+    _settle(headers) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const response = yield fetch(this._url, {
+                method: "POST",
+                headers: headers,
+                body: JSON.stringify({
+                    publicKey: btoa(bytesToBinaryString(x25519.getPublicKey(this._secretKey))),
+                }),
+            });
+            if (response.status >= 400) {
+                throw yield this._onErrorResponse(response);
+            }
+            const responseData = yield response.json();
+            const measurement = yield this._verifyAttestation(responseData);
+            const settlementBoxMessage = JSON.parse(bytesToUtf8(this.unseal(binaryStringToBytes(atob(responseData.chachaBox)))));
+            this._serverKey = [
+                binaryStringToBytes(atob(settlementBoxMessage.publicKey)),
+                settlementBoxMessage.sessionId,
+            ];
+            this._measurement = measurement;
+        });
+    }
+    measurement() {
+        return this._measurement;
+    }
+    _getServerKey(settlementHeaders) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this._serverKey == null) {
+                yield this._settle(settlementHeaders);
+            }
+            return this._serverKey;
+        });
+    }
+    getBase64SessionId() {
+        return __awaiter(this, arguments, void 0, function* (settlementHeaders = {}) {
+            return (yield this._getServerKey(settlementHeaders))[1];
+        });
+    }
+    seal(plaintext_1) {
+        return __awaiter(this, arguments, void 0, function* (plaintext, settlementHeaders = {}) {
+            const serverPublicKey = (yield this._getServerKey(settlementHeaders))[0];
+            const tagLength = 16;
+            const ephemeralSecretKey = x25519.utils.randomPrivateKey();
+            const ephemeralPublicKey = x25519.getPublicKey(ephemeralSecretKey);
+            const nonce = _getSealNonce(ephemeralPublicKey, serverPublicKey);
+            const info = _getInfo(ephemeralPublicKey, serverPublicKey);
+            const cipher = _createCipher(serverPublicKey, ephemeralSecretKey, info, nonce);
+            const ciphertext = new Uint8Array(ephemeralPublicKey.length + tagLength + plaintext.length);
+            ciphertext.set(ephemeralPublicKey);
+            ciphertext.set(cipher.encrypt(plaintext), ephemeralPublicKey.length);
+            return ciphertext;
+        });
+    }
+    unseal(ciphertext) {
+        const ephemeralPublicKey = ciphertext.subarray(0, 32);
+        const publicKey = x25519.getPublicKey(this._secretKey);
+        const nonce = _getSealNonce(ephemeralPublicKey, publicKey);
+        const info = _getInfo(ephemeralPublicKey, publicKey);
+        const cipher = _createCipher(ephemeralPublicKey, this._secretKey, info, nonce);
+        return cipher.decrypt(ciphertext.subarray(32));
+    }
+    _verifyAttestation(response) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const attestationReport = binaryStringToBytes(atob(response.attestationReport));
+            yield this._verifyReport(attestationReport, response.vcek);
+            if (!equalBytes(attestationReport.slice(REPORT_OFFSETS.reportData, REPORT_OFFSETS.reportData + 32), sha256(binaryStringToBytes(atob(response.chachaBox))))) {
+                throw new Error("Data in attestation report doesn't match chacha box");
+            }
+            const encoder = new TextEncoder();
+            const launchMeasurement = binaryStringToBytes(atob(response.systemVersion.launchMeasurement));
+            const input = new Uint8Array([
+                ...encoder.encode(response.systemVersion.kind),
+                ...encoder.encode(response.systemVersion.generation.toString()),
+                ...encoder.encode(response.systemVersion.createdAt.replace("Z", "+00:00")),
+                ...encoder.encode(response.systemVersion.ref),
+                ...launchMeasurement,
+            ]);
+            const key = this._yaxiSigningKeys[response.systemVersion.signature.keyId];
+            if (key == null) {
+                throw new Error("The system version's signature key is unknown");
+            }
+            if (!ed25519.verify(binaryStringToBytes(atob(response.systemVersion.signature.value)), input, key)) {
+                throw new Error("Verification failed: Invalid system version signature");
+            }
+            if (!equalBytes(attestationReport.slice(REPORT_OFFSETS.measurement, REPORT_OFFSETS.measurement + 48), launchMeasurement)) {
+                throw new Error("Reported measurement doesn't match expected measurement");
+            }
+            return launchMeasurement;
+        });
+    }
+    _verifyReport(attestationReport, vcekChain) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { requirements, publicKey } = yield this._verifyVcekChain(vcekChain);
+            const sig = {
+                r: bytesToNumberLE(attestationReport.slice(REPORT_OFFSETS.signatureR, REPORT_OFFSETS.signatureR + 48)),
+                s: bytesToNumberLE(attestationReport.slice(REPORT_OFFSETS.signatureS, REPORT_OFFSETS.signatureS + 48)),
+            };
+            if (!p384.verify(sig, attestationReport.slice(0, 672), new Uint8Array(publicKey), { prehash: true })) {
+                throw new Error("Verification failed: Invalid attestation report signature");
+            }
+            if ((attestationReport[REPORT_OFFSETS.platInfo] & (1 << 5)) == 0) {
+                throw new Error("Verification failed: Alias check complete is false");
+            }
+            if ([
+                attestationReport[REPORT_OFFSETS.committedMajor],
+                attestationReport[REPORT_OFFSETS.committedMinor],
+                attestationReport[REPORT_OFFSETS.committedBuild],
+            ] < requirements.minCommittedVersion) {
+                throw new Error("Verification failed: Firmware version too small");
+            }
+            if (attestationReport[REPORT_OFFSETS.committedTcbSnp] <
+                requirements.minCommitedTcbSnp) {
+                throw new Error("Verification failed: SNP patch level too small");
+            }
+        });
+    }
+    _verifyVcekChain(vcek) {
+        return __awaiter(this, void 0, void 0, function* () {
+            let cert;
+            try {
+                cert = new x509.X509Certificate(vcek);
+            }
+            catch (e) {
+                throw new Error(`Invalid VCEK: ${e}\n\nVCEK: ${vcek}`);
+            }
+            const chain = yield ROOT_STORE.build(cert);
+            if (chain.length != 3) {
+                throw new Error(`Certificate chain verification failed\n\nChain: ${chain}`);
+            }
+            const productExt = chain[0].extensions.find((ext) => ext.type == "1.3.6.1.4.1.3704.1.2");
+            if (!productExt) {
+                throw new Error(`Could not find product name\n\nExtensions: ${chain[0].extensions}`);
+            }
+            const product = String.fromCharCode(...new Uint8Array(productExt.value.slice(2))).split("-", 1)[0];
+            if (!(product in this._requirements)) {
+                throw new Error(`Unexpected product: ${product}`);
+            }
+            const subjectPublicKeyInfo = AsnConvert.parse(chain[0].publicKey.rawData, SubjectPublicKeyInfo);
+            return {
+                requirements: this._requirements[product],
+                publicKey: new Uint8Array(subjectPublicKeyInfo.subjectPublicKey),
+            };
+        });
+    }
+}
+export function binaryStringToBytes(binaryString) {
+    const byteArray = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        byteArray[i] = binaryString.charCodeAt(i);
+    }
+    return byteArray;
+}
+export function bytesToBinaryString(bytes) {
+    let binaryString = "";
+    for (let i = 0; i < bytes.length; i++) {
+        binaryString += String.fromCharCode(bytes[i]);
+    }
+    return binaryString;
+}
+function _createCipher(publicKey, secretKey, info, nonce) {
+    const sharedSecret = x25519.getSharedSecret(secretKey, publicKey);
+    const key = hkdf(wrapConstructor(() => blake2b.create({ dkLen: 64 })), sharedSecret, Uint8Array.from([]), info, 32);
+    return chacha20poly1305(key, nonce);
+}
+function _getInfo(ephemeralPublicKey, recipientPublicKey) {
+    const info = new Uint8Array(ephemeralPublicKey.length + recipientPublicKey.length);
+    info.set(ephemeralPublicKey);
+    info.set(recipientPublicKey, ephemeralPublicKey.length);
+    return info;
+}
+function _getSealNonce(ephemeralPublicKey, recipientPublicKey) {
+    return blake2b
+        .create({ dkLen: 12 })
+        .update(ephemeralPublicKey)
+        .update(recipientPublicKey)
+        .digest();
+}
+const REPORT_OFFSETS = {
+    sigAlgo: 52,
+    platInfo: 64,
+    reportData: 80,
+    measurement: 144,
+    committedTcbSnp: 486,
+    committedBuild: 492,
+    committedMinor: 493,
+    committedMajor: 494,
+    signatureR: 672,
+    signatureS: 744,
+};

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "routex-settlement",
+  "version": "0.1.1",
+  "description": "Key settlement for the YAXI routex client",
+  "homepage": "https://yaxi.tech",
+  "author": "YAXI GmbH",
+  "license": "UNLICENSED",
+  "type": "module",
+  "module": "./index.js",
+  "exports": "./index.js",
+  "types": "./index.d.ts",
+  "files": [
+    "index.d.ts",
+    "index.js"
+  ],
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "tsc --build --clean",
+    "lint": "eslint",
+    "test": "tsc --build && NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules\" jest"
+  },
+  "dependencies": {
+    "@noble/ciphers": "^1.2.1",
+    "@noble/curves": "^1.8.1",
+    "@noble/hashes": "^1.7.1",
+    "@peculiar/asn1-schema": "^2.3.15",
+    "@peculiar/asn1-x509": "^2.3.15",
+    "@peculiar/x509": "^1.12.3"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.21.0",
+    "eslint": "^9.21.0",
+    "globals": "^16.0.0",
+    "jest": "^29.7.0",
+    "typescript": "^5.7.3",
+    "typescript-eslint": "^8.24.1"
+  }
+}