Fix sdk attestation validation

ts/shielder-sdk-crypto-wasm-light/src/circuits/crypto.ts

@@ -1,5 +1,5 @@
 import { uint8ToHex } from "@/nitro-attestation";
-import { hexToUint8 } from "@/utils";
+import { getCrypto, hexToUint8 } from "@/utils";
 import * as secp from "@noble/secp256k1";
 
 type Keypair = { sk: Uint8Array; pk: Uint8Array };
@@ -87,9 +87,3 @@ export async function decrypt(
   );
   return new Uint8Array(plaintextBuffer);
 }
-
-async function getCrypto(): Promise<Crypto> {
-  return typeof globalThis.crypto !== "undefined"
-    ? globalThis.crypto
-    : ((await import("node:crypto")).webcrypto as Crypto);
-}

ts/shielder-sdk-crypto-wasm-light/src/nitro-attestation/certificate.ts

@@ -5,6 +5,7 @@
 import * as asn1js from "asn1js";
 import * as pkijs from "pkijs";
 import { AWS_NITRO_ROOT_CERTIFICATE } from "./constants";
+import { getCrypto } from "@/utils";
 
 /**
  * Validate certificate chain against AWS Nitro root certificate
@@ -97,6 +98,7 @@ function parseAWSRootCertificate(): pkijs.Certificate {
 async function extractPublicKeyFromCertificate(
   certificate: pkijs.Certificate
 ): Promise<CryptoKey> {
+  const cryptoApi = await getCrypto();
   // Get the Subject Public Key Info (SPKI) from the certificate
   const spkiBytes =
     certificate.subjectPublicKeyInfo.subjectPublicKey.toBER(false);
@@ -107,7 +109,7 @@ async function extractPublicKeyFromCertificate(
 
   // Import the key for use with Web Crypto API
   // AWS Nitro uses ECDSA with P-384 curve for attestation signatures
-  return await window.crypto.subtle.importKey(
+  return await cryptoApi.subtle.importKey(
     "raw",
     publicKeyBytes,
     {

ts/shielder-sdk-crypto-wasm-light/src/nitro-attestation/constants.ts

@@ -29,9 +29,9 @@ IwLz3/Y=
  * TODO: Replace with actual measurements from your enclave build process
  */
 export const EXPECTED_PCR_MEASUREMENTS = {
-  0: "84a3d1f71b260580211bb51d1f7a42970ca03790de5e5e7cb5bfb7a0ba852377a2a8178926825d79c875855805ebe318",
-  1: "4b4d5b3661b3efc12920900c80e126e4ce783c522de6c02a2a5bf7af3a2b9327b86776f188e4be1c1c404a129dbda493",
-  2: "40c32b3120d25fa9bda3feb85c30eefc280898c4496ca9e586108bb45b54c44bf66845cde172d7c674a8ee3cf2f30dfc"
+  0: "2a099d81a42f14435bc2c4d0399c377cd62d2462bca71ace2c1bf461a41dfe88e6913079b3c83b64d2bb06870c885612",
+  1: "927e084e583f5c2d60a39e2b9cd9728bfb390aa9f83dee4b6ac768509850ba273ea8b019ccfbf3180eb18a2dd0c4a678",
+  2: "bf458fd0b974d400be57fe6063900fac7d170d5d1937f41db9f851f7dbbb30894fc16f8efb017c56ac1a86f5e5b26ec0"
 } as const;
 
 /**

ts/shielder-sdk-crypto-wasm-light/src/nitro-attestation/cose.ts

@@ -8,6 +8,7 @@ import {
   CBOR_SIGNATURE_FIX_POSITION,
   CBOR_SIGNATURE_FIX_VALUE
 } from "./constants";
+import { getCrypto } from "@/utils";
 
 /**
  * Decode CBOR-encoded COSE_Sign1 signature structure
@@ -97,7 +98,8 @@ export async function verifyCOSESignature(
   publicKey: CryptoKey
 ): Promise<void> {
   try {
-    const isValid = await window.crypto.subtle.verify(
+    const cryptoApi = await getCrypto();
+    const isValid = await cryptoApi.subtle.verify(
       {
         name: "ECDSA",
         hash: "SHA-384"

ts/shielder-sdk-crypto-wasm-light/src/nitro-attestation/validation.ts

@@ -91,15 +91,15 @@ function validateFieldTypes(doc: AttestationDocument): void {
   }
 
   // Validate optional fields if present
-  if (doc.public_key !== undefined && !(doc.public_key instanceof Uint8Array)) {
+  if (doc.public_key && !(doc.public_key instanceof Uint8Array)) {
     throw new Error("Invalid public_key: must be Uint8Array");
   }
 
-  if (doc.user_data !== undefined && !(doc.user_data instanceof Uint8Array)) {
+  if (doc.user_data && !(doc.user_data instanceof Uint8Array)) {
     throw new Error("Invalid user_data: must be Uint8Array");
   }
 
-  if (doc.nonce !== undefined && !(doc.nonce instanceof Uint8Array)) {
+  if (doc.nonce && !(doc.nonce instanceof Uint8Array)) {
     throw new Error("Invalid nonce: must be Uint8Array");
   }
 }

ts/shielder-sdk-crypto-wasm-light/src/utils/index.ts

@@ -59,3 +59,9 @@ export function hexToUint8(hex: string): Uint8Array {
   }
   return bytes;
 }
+
+export async function getCrypto(): Promise<Crypto> {
+  return typeof globalThis.crypto !== "undefined"
+    ? globalThis.crypto
+    : ((await import("node:crypto")).webcrypto as Crypto);
+}