(Refactor) Move Pcr list to tunnel module and clarify isProductionParam

Dashlane · Aug 9, 2024 · d522bce · d522bce
1 parent cc9472e
commit d522bce
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 15 deletions.
diff --git a/src/endpoints/getAuditLogs.ts b/src/endpoints/getAuditLogs.ts
@@ -72,11 +72,7 @@ export const getAuditLogs = async (params: {
     const { teamDeviceCredentials, queryParams } = params;
 
     const api = await apiConnect({
-        isProduction: true,
-        enclavePcrList: [
-            [3, 'dfb6428f132530b8c021bea8cbdba2c87c96308ba7e81c7aff0655ec71228122a9297fd31fe5db7927a7322e396e4c16'],
-            [8, '4dbb92401207e019e132d86677857081d8e4d21f946f3561b264b7389c6982d3a86bcf9560cef4a2327eac5c5c6ab820'],
-        ],
+        useProductionCertificate: true,
     });
 
     const { queryExecutionId } = await api.sendSecureContent<StartAuditLogsQueryRequest>({

diff --git a/src/modules/auth/confidential-sso/index.ts b/src/modules/auth/confidential-sso/index.ts
@@ -10,11 +10,7 @@ interface ConfidentialSSOParams {
 
 export const doConfidentialSSOVerification = async ({ requestedLogin }: ConfidentialSSOParams) => {
     const api = await apiConnect({
-        isProduction: true,
-        enclavePcrList: [
-            [3, 'dfb6428f132530b8c021bea8cbdba2c87c96308ba7e81c7aff0655ec71228122a9297fd31fe5db7927a7322e396e4c16'],
-            [8, '4dbb92401207e019e132d86677857081d8e4d21f946f3561b264b7389c6982d3a86bcf9560cef4a2327eac5c5c6ab820'],
-        ],
+        useProductionCertificate: true,
     });
     const requestLoginResponse = await api.sendSecureContent<RequestLogin2Request>({
         ...api,

diff --git a/src/modules/tunnel-api-connect/apiconnect.ts b/src/modules/tunnel-api-connect/apiconnect.ts
@@ -1,4 +1,5 @@
 import sodium from 'libsodium-wrappers';
+import { EnclavePcr } from '@dashlane/nsm-attestation';
 import { clientHello, terminateHello, SendSecureContentParams, sendSecureContent } from './steps/index.js';
 import { ApiConnectParams, ApiConnect, ApiData, ApiRequestsDefault } from './types.js';
 import { makeClientKeyPair, makeOrRefreshSession } from './utils/index.js';
@@ -15,13 +16,27 @@ const hasFullApiData = (data: Partial<ApiData>): data is ApiData => {
     return false;
 };
 
+const getEnclavePcrList = (): EnclavePcr<string>[] => {
+    if (process.env.DCLI_STAGING_HOST) {
+        return [
+            [3, '90528150e0f0537fa9e96b067137f6494d525f2fcfd15b478ce28ab2cfaf38dd4e24ad73f9d9d6f238a7f39f2d1956b7'],
+        ];
+    }
+
+    return [
+        [3, 'dfb6428f132530b8c021bea8cbdba2c87c96308ba7e81c7aff0655ec71228122a9297fd31fe5db7927a7322e396e4c16'],
+        [8, '4dbb92401207e019e132d86677857081d8e4d21f946f3561b264b7389c6982d3a86bcf9560cef4a2327eac5c5c6ab820'],
+    ];
+};
+
 /** Return an object that can be used to send secure content through the tunnel
  */
 export const apiConnect = async (apiParametersIn: ApiConnectParams): Promise<ApiConnect> => {
     await sodium.ready;
 
     const apiParameters = {
         ...apiParametersIn,
+        enclavePcrList: getEnclavePcrList(),
         ...{ clientKeyPair: apiParametersIn.clientKeyPair ?? makeClientKeyPair() },
     };
 

diff --git a/src/modules/tunnel-api-connect/steps/terminateHello.ts b/src/modules/tunnel-api-connect/steps/terminateHello.ts
@@ -17,12 +17,12 @@ export const terminateHello = async (
         throw new SecureTunnelNotInitialized();
     }
 
-    const { clientKeyPair, attestation, isProduction, enclavePcrList } = params;
+    const { clientKeyPair, attestation, useProductionCertificate, enclavePcrList } = params;
     const { tunnelUuid } = apiData.clientHello;
 
     const { userData } = await verifyAttestation({
         attestation,
-        useProductionCertificate: isProduction,
+        useProductionCertificate,
         pcrs: enclavePcrList,
     });
 

diff --git a/src/modules/tunnel-api-connect/steps/types.ts b/src/modules/tunnel-api-connect/steps/types.ts
@@ -1,5 +1,6 @@
 import type sodium from 'libsodium-wrappers';
 import { ApiRequestsDefault } from '../types.js';
+import { EnclavePcr } from '@dashlane/nsm-attestation';
 
 export interface ApiEndpointResponse<T> {
     requestId: string;
@@ -56,6 +57,7 @@ export interface SendSecureContentParams<R extends ApiRequestsDefault> {
 
 export interface TerminateHelloParams {
     attestation: Buffer;
+    enclavePcrList: EnclavePcr<string>[];
 }
 
 export interface TerminateHelloResponse {

diff --git a/src/modules/tunnel-api-connect/types.ts b/src/modules/tunnel-api-connect/types.ts
@@ -1,4 +1,3 @@
-import type { EnclavePcr } from '@dashlane/nsm-attestation';
 import type sodium from 'libsodium-wrappers';
 import type { ClientHelloParsedResponse, SendSecureContentParams, TerminateHelloResponse } from './steps/index.js';
 
@@ -23,9 +22,8 @@ export interface ApiData {
 }
 
 export interface ApiConnectParams {
-    isProduction: boolean;
+    useProductionCertificate: boolean;
     clientKeyPair?: sodium.KeyPair;
-    enclavePcrList: EnclavePcr<string>[];
 }
 
 export interface ApiConnectInternalParams extends ApiConnectParams {