@opentdf/sdk 0.1.0-beta.1718 → 0.2.0-beta.1941

package/dist/web/src/index.js

@@ -1,313 +1,7 @@
-import { Client, NanoTDF, encrypt, decrypt, encryptDataset, getHkdfSalt, DefaultParams, } from './nanotdf/index.js';
-import { keyAgreement } from './nanotdf-crypto/index.js';
-import { createAttribute, Policy } from './tdf/index.js';
-import { fetchECKasPubKey } from './access.js';
-import { ConfigurationError } from './errors.js';
-export { attributeFQNsAsValues } from './policy/api.js';
-// Define default options
-const defaultOptions = {
-    ecdsaBinding: false,
-};
-/**
- * NanoTDF SDK Client
- *
- * @example
- * ```
- * import { clientSecretAuthProvider, NanoTDFClient } from '@opentdf/sdk';
- *
- * const OIDC_ENDPOINT = 'http://localhost:65432/auth/realms/opentdf-demo';
- * const KAS_URL = 'http://localhost:65432/api/kas/';
- *
- * const ciphertext = '...';
- * const client = new NanoTDFClient({
- *   authProvider: await clientSecretAuthProvider({
- *     clientId: 'tdf-client',
- *     clientSecret: '123-456',
- *     oidcOrigin: OIDC_ENDPOINT,
- *   }),
- *   kasEndpoint: KAS_URL
- *  }
- * );
- * client.decrypt(ciphertext)
- *   .then(plaintext => {
- *     console.log('Plaintext', plaintext);
- *   })
- *   .catch(err => {
- *     console.error('Some error occurred', err);
- *   })
- */
-export class NanoTDFClient extends Client {
-    /**
-     * Decrypt ciphertext
-     *
-     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
-     *
-     * @param ciphertext Ciphertext to decrypt
-     */
-    async decrypt(ciphertext) {
-        // Parse ciphertext
-        const nanotdf = NanoTDF.from(ciphertext);
-        await this.fetchOIDCToken();
-        // TODO: The version number should be fetched from the API
-        const version = '0.0.1';
-        const kasUrl = nanotdf.header.getKasRewrapUrl();
-        // Rewrap key on every request
-        const ukey = await this.rewrapKey(nanotdf.header.toBuffer(), kasUrl, nanotdf.header.magicNumberVersion, version);
-        if (!ukey) {
-            throw new Error('internal: key rewrap failure');
-        }
-        // Return decrypt promise
-        return decrypt(ukey, nanotdf);
-    }
-    /**
-     * Decrypt ciphertext of the legacy TDF, with the older, smaller i.v. calculation.
-     *
-     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
-     *
-     * @param ciphertext Ciphertext to decrypt
-     */
-    async decryptLegacyTDF(ciphertext) {
-        // Parse ciphertext
-        const nanotdf = NanoTDF.from(ciphertext, undefined, true);
-        await this.fetchOIDCToken();
-        const legacyVersion = '0.0.0';
-        // Rewrap key on every request
-        const key = await this.rewrapKey(nanotdf.header.toBuffer(), nanotdf.header.getKasRewrapUrl(), nanotdf.header.magicNumberVersion, legacyVersion);
-        if (!key) {
-            throw new Error('internal: failed unwrap');
-        }
-        // Return decrypt promise
-        return decrypt(key, nanotdf);
-    }
-    /**
-     * Encrypts the given data using the NanoTDF encryption scheme.
-     *
-     * @param {string | TypedArray | ArrayBuffer} data - The data to be encrypted.
-     * @param {EncryptOptions} [options=defaultOptions] - The encryption options (currently unused).
-     * @returns {Promise<ArrayBuffer>} A promise that resolves to the encrypted data as an ArrayBuffer.
-     * @throws {Error} If the initialization vector is not a number.
-     */
-    async encrypt(data, options) {
-        // For encrypt always generate the client ephemeralKeyPair
-        const ephemeralKeyPair = await this.ephemeralKeyPair;
-        const initializationVector = this.iv;
-        if (typeof initializationVector !== 'number') {
-            throw new ConfigurationError('NanoTDF clients are single use. Please generate a new client and keypair.');
-        }
-        delete this.iv;
-        if (!this.kasPubKey) {
-            this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
-        }
-        // Create a policy for the tdf
-        const policy = new Policy();
-        // Add data attributes.
-        for (const dataAttribute of this.dataAttributes) {
-            const attribute = await createAttribute(dataAttribute, this.kasPubKey, this.kasUrl);
-            policy.addAttribute(attribute);
-        }
-        if (this.dissems.length == 0 && this.dataAttributes.length == 0) {
-            console.warn('This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.');
-        }
-        // Encrypt the policy.
-        const policyObjectAsStr = policy.toJSON();
-        // IV is always '1', since the new keypair is generated on encrypt
-        // using the same key is fine.
-        const lengthAsUint32 = new Uint32Array(1);
-        lengthAsUint32[0] = initializationVector;
-        const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
-        // NOTE: We are only interested in only first 3 bytes.
-        const payloadIV = new Uint8Array(12).fill(0);
-        payloadIV[9] = lengthAsUint24[2];
-        payloadIV[10] = lengthAsUint24[1];
-        payloadIV[11] = lengthAsUint24[0];
-        const mergedOptions = { ...defaultOptions, ...options };
-        return encrypt(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, payloadIV, data, mergedOptions.ecdsaBinding);
-    }
-}
-/**
- * NanoTDF Dataset SDK Client
- *
- *
- * @example
- * ```
- * import { clientSecretAuthProvider, NanoTDFDatasetClient } from '@opentdf/sdk';
- *
- * const OIDC_ENDPOINT = 'http://localhost:65432/auth/realms/tdf';
- * const KAS_URL = 'http://localhost:65432/api/kas/';
- *
- * const ciphertext = '...';
- * const client = new NanoTDFDatasetClient({
- *   authProvider: await clientSecretAuthProvider({
- *     clientId: 'tdf-client',
- *     clientSecret: '123-456',
- *     exchange: 'client',
- *     oidcOrigin: OIDC_ENDPOINT,
- *   }),
- *   kasEndpoint: KAS_URL,
- * });
- * const plaintext = client.decrypt(ciphertext);
- * console.log('Plaintext', plaintext);
- * ```
- */
-export class NanoTDFDatasetClient extends Client {
-    /**
-     * Create new NanoTDF Dataset Client
-     *
-     * The Ephemeral Key Pair can either be provided or will be generate when fetching the entity object. Once set it
-     * cannot be changed. If a new ephemeral key is desired it a new client should be initialized.
-     * There is no performance impact for creating a new client IFF the ephemeral key pair is provided.
-     *
-     * @param clientConfig OIDC client credentials
-     * @param kasUrl Key access service URL
-     * @param ephemeralKeyPair (optional) ephemeral key pair to use
-     * @param maxKeyIterations Max iteration to performe without a key rotation
-     */
-    constructor(opts) {
-        if (opts.maxKeyIterations &&
-            opts.maxKeyIterations > NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS) {
-            throw new ConfigurationError(`key iteration exceeds max iterations(${NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS})`);
-        }
-        super(opts);
-        this.maxKeyIteration = opts.maxKeyIterations || NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS;
-        this.keyIterationCount = 0;
-    }
-    /**
-     * Encrypt data
-     *
-     * Pass a string, TypedArray, or ArrayBuffer data and get a promise which resolves ciphertext
-     *
-     * @param data to decrypt
-     */
-    async encrypt(data, options) {
-        // Intial encrypt
-        if (this.keyIterationCount == 0) {
-            const mergedOptions = { ...defaultOptions, ...options };
-            this.ecdsaBinding = mergedOptions.ecdsaBinding;
-            // For encrypt always generate the client ephemeralKeyPair
-            const ephemeralKeyPair = await this.ephemeralKeyPair;
-            if (!this.kasPubKey) {
-                this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
-            }
-            // Create a policy for the tdf
-            const policy = new Policy();
-            // Add data attributes.
-            for (const dataAttribute of this.dataAttributes) {
-                const attribute = await createAttribute(dataAttribute, this.kasPubKey, this.kasUrl);
-                policy.addAttribute(attribute);
-            }
-            if (this.dissems.length == 0 || this.dataAttributes.length == 0) {
-                console.warn('This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.');
-            }
-            // Encrypt the policy.
-            const policyObjectAsStr = policy.toJSON();
-            const ivVector = this.generateIV();
-            // Generate a symmetric key.
-            this.symmetricKey = await keyAgreement(ephemeralKeyPair.privateKey, await this.kasPubKey.key, await getHkdfSalt(DefaultParams.magicNumberVersion));
-            const nanoTDFBuffer = await encrypt(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, ivVector, data, this.ecdsaBinding);
-            // Cache the header and increment the key iteration
-            if (!this.cachedHeader) {
-                const nanoTDF = NanoTDF.from(nanoTDFBuffer);
-                this.cachedHeader = nanoTDF.header;
-            }
-            this.keyIterationCount += 1;
-            return nanoTDFBuffer;
-        }
-        this.keyIterationCount += 1;
-        if (!this.cachedHeader) {
-            throw new ConfigurationError('invalid dataset client: empty nanoTDF header');
-        }
-        if (!this.symmetricKey) {
-            throw new ConfigurationError('invalid dataset client: empty dek');
-        }
-        this.keyIterationCount += 1;
-        if (this.keyIterationCount == this.maxKeyIteration) {
-            // reset the key iteration
-            this.keyIterationCount = 0;
-        }
-        const ivVector = this.generateIV();
-        return encryptDataset(this.symmetricKey, this.cachedHeader, ivVector, data);
-    }
-    /**
-     * Decrypt ciphertext
-     *
-     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
-     *
-     * @param ciphertext Ciphertext to decrypt
-     */
-    async decrypt(ciphertext) {
-        // Parse ciphertext
-        const nanotdf = NanoTDF.from(ciphertext);
-        if (!this.cachedEphemeralKey) {
-            // First decrypt
-            return this.rewrapAndDecrypt(nanotdf);
-        }
-        // Other encrypts
-        if (this.cachedEphemeralKey.toString() == nanotdf.header.ephemeralPublicKey.toString()) {
-            const ukey = this.unwrappedKey;
-            if (!ukey) {
-                // These should have thrown already.
-                throw new Error('internal: key rewrap failure');
-            }
-            // Return decrypt promise
-            return decrypt(ukey, nanotdf);
-        }
-        else {
-            return this.rewrapAndDecrypt(nanotdf);
-        }
-    }
-    async rewrapAndDecrypt(nanotdf) {
-        // TODO: The version number should be fetched from the API
-        await this.fetchOIDCToken();
-        const version = '0.0.1';
-        // Rewrap key on every request
-        const ukey = await this.rewrapKey(nanotdf.header.toBuffer(), nanotdf.header.getKasRewrapUrl(), nanotdf.header.magicNumberVersion, version);
-        if (!ukey) {
-            // These should have thrown already.
-            throw new Error('internal: key rewrap failure');
-        }
-        this.cachedEphemeralKey = nanotdf.header.ephemeralPublicKey;
-        this.unwrappedKey = ukey;
-        // Return decrypt promise
-        return decrypt(ukey, nanotdf);
-    }
-    generateIV() {
-        const iv = this.iv;
-        if (iv === undefined) {
-            // iv has passed the maximum iteration count for this dek
-            throw new ConfigurationError('dataset full');
-        }
-        // assert iv ∈ ℤ ∩ (0, 2^24)
-        if (!Number.isInteger(iv) || iv <= 0 || 16777215 < iv) {
-            // Something has fiddled with the iv outside of the expected behavior
-            // could indicate a race condition, e.g. if two workers or handlers are
-            // processing the file at once, for example.
-            throw new Error('internal: invalid state');
-        }
-        const lengthAsUint32 = new Uint32Array(1);
-        lengthAsUint32[0] = iv;
-        const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
-        // NOTE: We are only interested in only first 3 bytes.
-        const ivVector = new Uint8Array(Client.IV_SIZE).fill(0);
-        ivVector[9] = lengthAsUint24[2];
-        ivVector[10] = lengthAsUint24[1];
-        ivVector[11] = lengthAsUint24[0];
-        // Increment the IV
-        if (iv == 16777215) {
-            delete this.iv;
-        }
-        else {
-            this.iv = iv + 1;
-        }
-        return ivVector;
-    }
-}
-// Total unique IVs(2^24 -1) used for encrypting the nano tdf payloads
-// IV starts from 1 since the 0 IV is reserved for policy encryption
-NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS = 8388606;
-/**
- * Authorization for connecting authZ tokens to
- * remote requests.
- */
+export { HttpRequest, withHeaders } from './auth/auth.js';
 export * as AuthProviders from './auth/providers.js';
-export { version, clientType } from './version.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUNMLE1BQU0sRUFDTixPQUFPLEVBRVAsT0FBTyxFQUNQLE9BQU8sRUFDUCxjQUFjLEVBQ2QsV0FBVyxFQUNYLGFBQWEsR0FDZCxNQUFNLG9CQUFvQixDQUFDO0FBQzVCLE9BQU8sRUFBRSxZQUFZLEVBQUUsTUFBTSwyQkFBMkIsQ0FBQztBQUN6RCxPQUFPLEVBQWMsZUFBZSxFQUFFLE1BQU0sRUFBRSxNQUFNLGdCQUFnQixDQUFDO0FBQ3JFLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUUvQyxPQUFPLEVBQUUsa0JBQWtCLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFDakQsT0FBTyxFQUFFLHFCQUFxQixFQUFFLE1BQU0saUJBQWlCLENBQUM7QUFPeEQseUJBQXlCO0FBQ3pCLE1BQU0sY0FBYyxHQUFtQjtJQUNyQyxZQUFZLEVBQUUsS0FBSztDQUNwQixDQUFDO0FBRUY7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztHQTJCRztBQUNILE1BQU0sT0FBTyxhQUFjLFNBQVEsTUFBTTtJQUN2Qzs7Ozs7O09BTUc7SUFDSCxLQUFLLENBQUMsT0FBTyxDQUFDLFVBQTZDO1FBQ3pELG1CQUFtQjtRQUNuQixNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBRXpDLE1BQU0sSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1FBRTVCLDBEQUEwRDtRQUMxRCxNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUM7UUFDeEIsTUFBTSxNQUFNLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxlQUFlLEVBQUUsQ0FBQztRQUVoRCw4QkFBOEI7UUFDOUIsTUFBTSxJQUFJLEdBQUcsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUMvQixPQUFPLENBQUMsTUFBTSxDQUFDLFFBQVEsRUFBRSxFQUN6QixNQUFNLEVBQ04sT0FBTyxDQUFDLE1BQU0sQ0FBQyxrQkFBa0IsRUFDakMsT0FBTyxDQUNSLENBQUM7UUFFRixJQUFJLENBQUMsSUFBSSxFQUFFO1lBQ1QsTUFBTSxJQUFJLEtBQUssQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO1NBQ2pEO1FBQ0QseUJBQXlCO1FBQ3pCLE9BQU8sT0FBTyxDQUFDLElBQUksRUFBRSxPQUFPLENBQUMsQ0FBQztJQUNoQyxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLGdCQUFnQixDQUFDLFVBQTZDO1FBQ2xFLG1CQUFtQjtRQUNuQixNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFFMUQsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFFNUIsTUFBTSxhQUFhLEdBQUcsT0FBTyxDQUFDO1FBQzlCLDhCQUE4QjtRQUM5QixNQUFNLEdBQUcsR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQzlCLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE9BQU8sQ0FBQyxNQUFNLENBQUMsZUFBZSxFQUFFLEVBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLEVBQ2pDLGFBQWEsQ0FDZCxDQUFDO1FBRUYsSUFBSSxDQUFDLEdBQUcsRUFBRTtZQUNSLE1BQU0sSUFBSSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQztTQUM1QztRQUNELHlCQUF5QjtRQUN6QixPQUFPLE9BQU8sQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDL0IsQ0FBQztJQUVEOzs7Ozs7O09BT0c7SUFDSCxLQUFLLENBQUMsT0FBTyxDQUNYLElBQXVDLEVBQ3ZDLE9BQXdCO1FBRXhCLDBEQUEwRDtRQUMxRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDO1FBQ3JELE1BQU0sb0JBQW9CLEdBQUcsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUVyQyxJQUFJLE9BQU8sb0JBQW9CLEtBQUssUUFBUSxFQUFFO1lBQzVDLE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsMkVBQTJFLENBQzVFLENBQUM7U0FDSDtRQUNELE9BQU8sSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUVmLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFO1lBQ25CLElBQUksQ0FBQyxTQUFTLEdBQUcsTUFBTSxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7U0FDdEQ7UUFFRCw4QkFBOEI7UUFDOUIsTUFBTSxNQUFNLEdBQUcsSUFBSSxNQUFNLEVBQUUsQ0FBQztRQUU1Qix1QkFBdUI7UUFDdkIsS0FBSyxNQUFNLGFBQWEsSUFBSSxJQUFJLENBQUMsY0FBYyxFQUFFO1lBQy9DLE1BQU0sU0FBUyxHQUFHLE1BQU0sZUFBZSxDQUFDLGFBQWEsRUFBRSxJQUFJLENBQUMsU0FBUyxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUNwRixNQUFNLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1NBQ2hDO1FBRUQsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksSUFBSSxDQUFDLGNBQWMsQ0FBQyxNQUFNLElBQUksQ0FBQyxFQUFFO1lBQy9ELE9BQU8sQ0FBQyxJQUFJLENBQ1YscUpBQXFKLENBQ3RKLENBQUM7U0FDSDtRQUVELHNCQUFzQjtRQUN0QixNQUFNLGlCQUFpQixHQUFHLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUUxQyxrRUFBa0U7UUFDbEUsOEJBQThCO1FBQzlCLE1BQU0sY0FBYyxHQUFHLElBQUksV0FBVyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsR0FBRyxvQkFBb0IsQ0FBQztRQUV6QyxNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFN0Qsc0RBQXNEO1FBQ3RELE1BQU0sU0FBUyxHQUFHLElBQUksVUFBVSxDQUFDLEVBQUUsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUM3QyxTQUFTLENBQUMsQ0FBQyxDQUFDLEdBQUcsY0FBYyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pDLFNBQVMsQ0FBQyxFQUFFLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDbEMsU0FBUyxDQUFDLEVBQUUsQ0FBQyxHQUFHLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUVsQyxNQUFNLGFBQWEsR0FBbUIsRUFBRSxHQUFHLGNBQWMsRUFBRSxHQUFHLE9BQU8sRUFBRSxDQUFDO1FBQ3hFLE9BQU8sT0FBTyxDQUNaLGlCQUFpQixFQUNqQixJQUFJLENBQUMsU0FBUyxFQUNkLGdCQUFnQixFQUNoQixTQUFTLEVBQ1QsSUFBSSxFQUNKLGFBQWEsQ0FBQyxZQUFZLENBQzNCLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUFNRDs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBd0JHO0FBQ0gsTUFBTSxPQUFPLG9CQUFxQixTQUFRLE1BQU07SUFhOUM7Ozs7Ozs7Ozs7O09BV0c7SUFDSCxZQUFZLElBQW1CO1FBQzdCLElBQ0UsSUFBSSxDQUFDLGdCQUFnQjtZQUNyQixJQUFJLENBQUMsZ0JBQWdCLEdBQUcsb0JBQW9CLENBQUMsdUJBQXVCLEVBQ3BFO1lBQ0EsTUFBTSxJQUFJLGtCQUFrQixDQUMxQix3Q0FBd0Msb0JBQW9CLENBQUMsdUJBQXVCLEdBQUcsQ0FDeEYsQ0FBQztTQUNIO1FBQ0QsS0FBSyxDQUFDLElBQUksQ0FBQyxDQUFDO1FBRVosSUFBSSxDQUFDLGVBQWUsR0FBRyxJQUFJLENBQUMsZ0JBQWdCLElBQUksb0JBQW9CLENBQUMsdUJBQXVCLENBQUM7UUFDN0YsSUFBSSxDQUFDLGlCQUFpQixHQUFHLENBQUMsQ0FBQztJQUM3QixDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FDWCxJQUF1QyxFQUN2QyxPQUF3QjtRQUV4QixpQkFBaUI7UUFDakIsSUFBSSxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxFQUFFO1lBQy9CLE1BQU0sYUFBYSxHQUFtQixFQUFFLEdBQUcsY0FBYyxFQUFFLEdBQUcsT0FBTyxFQUFFLENBQUM7WUFDeEUsSUFBSSxDQUFDLFlBQVksR0FBRyxhQUFhLENBQUMsWUFBWSxDQUFDO1lBQy9DLDBEQUEwRDtZQUMxRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDO1lBRXJELElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFO2dCQUNuQixJQUFJLENBQUMsU0FBUyxHQUFHLE1BQU0sZ0JBQWdCLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO2FBQ3REO1lBRUQsOEJBQThCO1lBQzlCLE1BQU0sTUFBTSxHQUFHLElBQUksTUFBTSxFQUFFLENBQUM7WUFFNUIsdUJBQXVCO1lBQ3ZCLEtBQUssTUFBTSxhQUFhLElBQUksSUFBSSxDQUFDLGNBQWMsRUFBRTtnQkFDL0MsTUFBTSxTQUFTLEdBQUcsTUFBTSxlQUFlLENBQUMsYUFBYSxFQUFFLElBQUksQ0FBQyxTQUFTLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO2dCQUNwRixNQUFNLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxDQUFDO2FBQ2hDO1lBRUQsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksSUFBSSxDQUFDLGNBQWMsQ0FBQyxNQUFNLElBQUksQ0FBQyxFQUFFO2dCQUMvRCxPQUFPLENBQUMsSUFBSSxDQUNWLHFKQUFxSixDQUN0SixDQUFDO2FBQ0g7WUFFRCxzQkFBc0I7WUFDdEIsTUFBTSxpQkFBaUIsR0FBRyxNQUFNLENBQUMsTUFBTSxFQUFFLENBQUM7WUFFMUMsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBRW5DLDRCQUE0QjtZQUM1QixJQUFJLENBQUMsWUFBWSxHQUFHLE1BQU0sWUFBWSxDQUNwQyxnQkFBZ0IsQ0FBQyxVQUFVLEVBQzNCLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLEVBQ3hCLE1BQU0sV0FBVyxDQUFDLGFBQWEsQ0FBQyxrQkFBa0IsQ0FBQyxDQUNwRCxDQUFDO1lBRUYsTUFBTSxhQUFhLEdBQUcsTUFBTSxPQUFPLENBQ2pDLGlCQUFpQixFQUNqQixJQUFJLENBQUMsU0FBUyxFQUNkLGdCQUFnQixFQUNoQixRQUFRLEVBQ1IsSUFBSSxFQUNKLElBQUksQ0FBQyxZQUFZLENBQ2xCLENBQUM7WUFFRixtREFBbUQ7WUFDbkQsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUU7Z0JBQ3RCLE1BQU0sT0FBTyxHQUFHLE9BQU8sQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLENBQUM7Z0JBQzVDLElBQUksQ0FBQyxZQUFZLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQzthQUNwQztZQUVELElBQUksQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLENBQUM7WUFFNUIsT0FBTyxhQUFhLENBQUM7U0FDdEI7UUFFRCxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxDQUFDO1FBRTVCLElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFO1lBQ3RCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyw4Q0FBOEMsQ0FBQyxDQUFDO1NBQzlFO1FBQ0QsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUU7WUFDdEIsTUFBTSxJQUFJLGtCQUFrQixDQUFDLG1DQUFtQyxDQUFDLENBQUM7U0FDbkU7UUFFRCxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxDQUFDO1FBQzVCLElBQUksSUFBSSxDQUFDLGlCQUFpQixJQUFJLElBQUksQ0FBQyxlQUFlLEVBQUU7WUFDbEQsMEJBQTBCO1lBQzFCLElBQUksQ0FBQyxpQkFBaUIsR0FBRyxDQUFDLENBQUM7U0FDNUI7UUFFRCxNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7UUFFbkMsT0FBTyxjQUFjLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxJQUFJLENBQUMsWUFBWSxFQUFFLFFBQVEsRUFBRSxJQUFJLENBQUMsQ0FBQztJQUM5RSxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FBQyxVQUE2QztRQUN6RCxtQkFBbUI7UUFDbkIsTUFBTSxPQUFPLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQztRQUV6QyxJQUFJLENBQUMsSUFBSSxDQUFDLGtCQUFrQixFQUFFO1lBQzVCLGdCQUFnQjtZQUNoQixPQUFPLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztTQUN2QztRQUVELGlCQUFpQjtRQUNqQixJQUFJLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLEVBQUUsSUFBSSxPQUFPLENBQUMsTUFBTSxDQUFDLGtCQUFrQixDQUFDLFFBQVEsRUFBRSxFQUFFO1lBQ3RGLE1BQU0sSUFBSSxHQUFHLElBQUksQ0FBQyxZQUFZLENBQUM7WUFDL0IsSUFBSSxDQUFDLElBQUksRUFBRTtnQkFDVCxvQ0FBb0M7Z0JBQ3BDLE1BQU0sSUFBSSxLQUFLLENBQUMsOEJBQThCLENBQUMsQ0FBQzthQUNqRDtZQUNELHlCQUF5QjtZQUN6QixPQUFPLE9BQU8sQ0FBQyxJQUFJLEVBQUUsT0FBTyxDQUFDLENBQUM7U0FDL0I7YUFBTTtZQUNMLE9BQU8sSUFBSSxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1NBQ3ZDO0lBQ0gsQ0FBQztJQUVELEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFnQjtRQUNyQywwREFBMEQ7UUFDMUQsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFFNUIsTUFBTSxPQUFPLEdBQUcsT0FBTyxDQUFDO1FBQ3hCLDhCQUE4QjtRQUM5QixNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQy9CLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE9BQU8sQ0FBQyxNQUFNLENBQUMsZUFBZSxFQUFFLEVBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLEVBQ2pDLE9BQU8sQ0FDUixDQUFDO1FBQ0YsSUFBSSxDQUFDLElBQUksRUFBRTtZQUNULG9DQUFvQztZQUNwQyxNQUFNLElBQUksS0FBSyxDQUFDLDhCQUE4QixDQUFDLENBQUM7U0FDakQ7UUFFRCxJQUFJLENBQUMsa0JBQWtCLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxrQkFBa0IsQ0FBQztRQUM1RCxJQUFJLENBQUMsWUFBWSxHQUFHLElBQUksQ0FBQztRQUV6Qix5QkFBeUI7UUFDekIsT0FBTyxPQUFPLENBQUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQ2hDLENBQUM7SUFFRCxVQUFVO1FBQ1IsTUFBTSxFQUFFLEdBQUcsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUNuQixJQUFJLEVBQUUsS0FBSyxTQUFTLEVBQUU7WUFDcEIseURBQXlEO1lBQ3pELE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyxjQUFjLENBQUMsQ0FBQztTQUM5QztRQUNELDRCQUE0QjtRQUM1QixJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLFFBQVMsR0FBRyxFQUFFLEVBQUU7WUFDdEQscUVBQXFFO1lBQ3JFLHVFQUF1RTtZQUN2RSw0Q0FBNEM7WUFDNUMsTUFBTSxJQUFJLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO1NBQzVDO1FBRUQsTUFBTSxjQUFjLEdBQUcsSUFBSSxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDMUMsY0FBYyxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUV2QixNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFN0Qsc0RBQXNEO1FBQ3RELE1BQU0sUUFBUSxHQUFHLElBQUksVUFBVSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDeEQsUUFBUSxDQUFDLENBQUMsQ0FBQyxHQUFHLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNoQyxRQUFRLENBQUMsRUFBRSxDQUFDLEdBQUcsY0FBYyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pDLFFBQVEsQ0FBQyxFQUFFLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFakMsbUJBQW1CO1FBQ25CLElBQUksRUFBRSxJQUFJLFFBQVMsRUFBRTtZQUNuQixPQUFPLElBQUksQ0FBQyxFQUFFLENBQUM7U0FDaEI7YUFBTTtZQUNMLElBQUksQ0FBQyxFQUFFLEdBQUcsRUFBRSxHQUFHLENBQUMsQ0FBQztTQUNsQjtRQUVELE9BQU8sUUFBUSxDQUFDO0lBQ2xCLENBQUM7O0FBdk5ELHNFQUFzRTtBQUN0RSxvRUFBb0U7QUFDcEQsNENBQXVCLEdBQUcsT0FBTyxDQUFDO0FBd05wRDs7O0dBR0c7QUFDSCxPQUFPLEtBQUssYUFBYSxNQUFNLHFCQUFxQixDQUFDO0FBQ3JELE9BQU8sRUFBRSxPQUFPLEVBQUUsVUFBVSxFQUFFLE1BQU0sY0FBYyxDQUFDIn0=
+export { attributeFQNsAsValues } from './policy/api.js';
+export { version, clientType, tdfSpecVersion } from './version.js';
+export * from './opentdf.js';
+export * from './seekable.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFzQyxXQUFXLEVBQUUsV0FBVyxFQUFFLE1BQU0sZ0JBQWdCLENBQUM7QUFDOUYsT0FBTyxLQUFLLGFBQWEsTUFBTSxxQkFBcUIsQ0FBQztBQUNyRCxPQUFPLEVBQUUscUJBQXFCLEVBQUUsTUFBTSxpQkFBaUIsQ0FBQztBQUN4RCxPQUFPLEVBQUUsT0FBTyxFQUFFLFVBQVUsRUFBRSxjQUFjLEVBQUUsTUFBTSxjQUFjLENBQUM7QUFDbkUsY0FBYyxjQUFjLENBQUM7QUFDN0IsY0FBYyxlQUFlLENBQUMifQ==

package/dist/web/src/nanoclients.js

@@ -0,0 +1,280 @@
+import { Client, NanoTDF, encrypt, decrypt, encryptDataset, getHkdfSalt, DefaultParams, } from './nanotdf/index.js';
+import { keyAgreement } from './nanotdf-crypto/index.js';
+import { Policy } from './tdf/Policy.js';
+import { createAttribute } from './tdf/AttributeObject.js';
+import { fetchECKasPubKey } from './access.js';
+import { ConfigurationError } from './errors.js';
+// Define default options
+const defaultOptions = {
+    ecdsaBinding: false,
+};
+/**
+ * NanoTDF SDK Client. Deprecated in favor of OpenTDF.
+ *
+ */
+export class NanoTDFClient extends Client {
+    /**
+     * Decrypt ciphertext
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decrypt(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = NanoTDF.from(ciphertext);
+        // TODO: The version number should be fetched from the API
+        const version = '0.0.1';
+        const kasUrl = nanotdf.header.getKasRewrapUrl();
+        // Rewrap key on every request
+        const ukey = await this.rewrapKey(nanotdf.header.toBuffer(), kasUrl, nanotdf.header.magicNumberVersion, version);
+        if (!ukey) {
+            throw new Error('internal: key rewrap failure');
+        }
+        // Return decrypt promise
+        return decrypt(ukey, nanotdf);
+    }
+    /**
+     * Decrypt ciphertext of the legacy TDF, with the older, smaller i.v. calculation.
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decryptLegacyTDF(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = NanoTDF.from(ciphertext, undefined, true);
+        const legacyVersion = '0.0.0';
+        // Rewrap key on every request
+        const key = await this.rewrapKey(nanotdf.header.toBuffer(), nanotdf.header.getKasRewrapUrl(), nanotdf.header.magicNumberVersion, legacyVersion);
+        if (!key) {
+            throw new Error('internal: failed unwrap');
+        }
+        // Return decrypt promise
+        return decrypt(key, nanotdf);
+    }
+    /**
+     * Encrypts the given data using the NanoTDF encryption scheme.
+     *
+     * @param {string | TypedArray | ArrayBuffer} data - The data to be encrypted.
+     * @param {EncryptOptions} [options=defaultOptions] - The encryption options (currently unused).
+     * @returns {Promise<ArrayBuffer>} A promise that resolves to the encrypted data as an ArrayBuffer.
+     * @throws {Error} If the initialization vector is not a number.
+     */
+    async encrypt(data, options) {
+        // For encrypt always generate the client ephemeralKeyPair
+        const ephemeralKeyPair = await this.ephemeralKeyPair;
+        const initializationVector = this.iv;
+        if (typeof initializationVector !== 'number') {
+            throw new ConfigurationError('NanoTDF clients are single use. Please generate a new client and keypair.');
+        }
+        delete this.iv;
+        if (!this.kasPubKey) {
+            this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
+        }
+        // Create a policy for the tdf
+        const policy = new Policy();
+        // Add data attributes.
+        for (const dataAttribute of this.dataAttributes) {
+            const attribute = await createAttribute(dataAttribute, this.kasPubKey, this.kasUrl);
+            policy.addAttribute(attribute);
+        }
+        if (this.dissems.length == 0 && this.dataAttributes.length == 0) {
+            console.warn('This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.');
+        }
+        // Encrypt the policy.
+        const policyObjectAsStr = policy.toJSON();
+        // IV is always '1', since the new keypair is generated on encrypt
+        // using the same key is fine.
+        const lengthAsUint32 = new Uint32Array(1);
+        lengthAsUint32[0] = initializationVector;
+        const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
+        // NOTE: We are only interested in only first 3 bytes.
+        const payloadIV = new Uint8Array(12).fill(0);
+        payloadIV[9] = lengthAsUint24[2];
+        payloadIV[10] = lengthAsUint24[1];
+        payloadIV[11] = lengthAsUint24[0];
+        const mergedOptions = { ...defaultOptions, ...options };
+        return encrypt(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, payloadIV, data, mergedOptions.ecdsaBinding);
+    }
+}
+/**
+ * NanoTDF Dataset SDK Client
+ *
+ *
+ * @example
+ * ```
+ * import { clientSecretAuthProvider, NanoTDFDatasetClient } from '@opentdf/sdk';
+ *
+ * const OIDC_ENDPOINT = 'http://localhost:65432/auth/realms/opentdf';
+ * const KAS_URL = 'http://localhost:65432/api/kas/';
+ *
+ * const ciphertext = '...';
+ * const client = new NanoTDFDatasetClient({
+ *   authProvider: await clientSecretAuthProvider({
+ *     clientId: 'tdf-client',
+ *     clientSecret: '123-456',
+ *     exchange: 'client',
+ *     oidcOrigin: OIDC_ENDPOINT,
+ *   }),
+ *   kasEndpoint: KAS_URL,
+ * });
+ * const plaintext = client.decrypt(ciphertext);
+ * console.log('Plaintext', plaintext);
+ * ```
+ */
+export class NanoTDFDatasetClient extends Client {
+    /**
+     * Create new NanoTDF Dataset Client
+     *
+     * The Ephemeral Key Pair can either be provided or will be generate when fetching the entity object. Once set it
+     * cannot be changed. If a new ephemeral key is desired it a new client should be initialized.
+     * There is no performance impact for creating a new client IFF the ephemeral key pair is provided.
+     *
+     * @param clientConfig OIDC client credentials
+     * @param kasUrl Key access service URL
+     * @param ephemeralKeyPair (optional) ephemeral key pair to use
+     * @param maxKeyIterations Max iteration to performe without a key rotation
+     */
+    constructor(opts) {
+        if (opts.maxKeyIterations &&
+            opts.maxKeyIterations > NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS) {
+            throw new ConfigurationError(`key iteration exceeds max iterations(${NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS})`);
+        }
+        super(opts);
+        this.maxKeyIteration = opts.maxKeyIterations || NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS;
+        this.keyIterationCount = 0;
+    }
+    /**
+     * Encrypt data
+     *
+     * Pass a string, TypedArray, or ArrayBuffer data and get a promise which resolves ciphertext
+     *
+     * @param data to decrypt
+     */
+    async encrypt(data, options) {
+        // Intial encrypt
+        if (this.keyIterationCount == 0) {
+            const mergedOptions = { ...defaultOptions, ...options };
+            this.ecdsaBinding = mergedOptions.ecdsaBinding;
+            // For encrypt always generate the client ephemeralKeyPair
+            const ephemeralKeyPair = await this.ephemeralKeyPair;
+            if (!this.kasPubKey) {
+                this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
+            }
+            // Create a policy for the tdf
+            const policy = new Policy();
+            // Add data attributes.
+            for (const dataAttribute of this.dataAttributes) {
+                const attribute = await createAttribute(dataAttribute, this.kasPubKey, this.kasUrl);
+                policy.addAttribute(attribute);
+            }
+            if (this.dissems.length == 0 || this.dataAttributes.length == 0) {
+                console.warn('This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.');
+            }
+            // Encrypt the policy.
+            const policyObjectAsStr = policy.toJSON();
+            const ivVector = this.generateIV();
+            // Generate a symmetric key.
+            this.symmetricKey = await keyAgreement(ephemeralKeyPair.privateKey, await this.kasPubKey.key, await getHkdfSalt(DefaultParams.magicNumberVersion));
+            const nanoTDFBuffer = await encrypt(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, ivVector, data, this.ecdsaBinding);
+            // Cache the header and increment the key iteration
+            if (!this.cachedHeader) {
+                const nanoTDF = NanoTDF.from(nanoTDFBuffer);
+                this.cachedHeader = nanoTDF.header;
+            }
+            this.keyIterationCount += 1;
+            return nanoTDFBuffer;
+        }
+        this.keyIterationCount += 1;
+        if (!this.cachedHeader) {
+            throw new ConfigurationError('invalid dataset client: empty nanoTDF header');
+        }
+        if (!this.symmetricKey) {
+            throw new ConfigurationError('invalid dataset client: empty dek');
+        }
+        this.keyIterationCount += 1;
+        if (this.keyIterationCount == this.maxKeyIteration) {
+            // reset the key iteration
+            this.keyIterationCount = 0;
+        }
+        const ivVector = this.generateIV();
+        return encryptDataset(this.symmetricKey, this.cachedHeader, ivVector, data);
+    }
+    /**
+     * Decrypt ciphertext
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decrypt(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = NanoTDF.from(ciphertext);
+        if (!this.cachedEphemeralKey) {
+            // First decrypt
+            return this.rewrapAndDecrypt(nanotdf);
+        }
+        // Other encrypts
+        if (this.cachedEphemeralKey.toString() == nanotdf.header.ephemeralPublicKey.toString()) {
+            const ukey = this.unwrappedKey;
+            if (!ukey) {
+                // These should have thrown already.
+                throw new Error('internal: key rewrap failure');
+            }
+            // Return decrypt promise
+            return decrypt(ukey, nanotdf);
+        }
+        else {
+            return this.rewrapAndDecrypt(nanotdf);
+        }
+    }
+    async rewrapAndDecrypt(nanotdf) {
+        // TODO: The version number should be fetched from the API
+        const version = '0.0.1';
+        // Rewrap key on every request
+        const ukey = await this.rewrapKey(nanotdf.header.toBuffer(), nanotdf.header.getKasRewrapUrl(), nanotdf.header.magicNumberVersion, version);
+        if (!ukey) {
+            // These should have thrown already.
+            throw new Error('internal: key rewrap failure');
+        }
+        this.cachedEphemeralKey = nanotdf.header.ephemeralPublicKey;
+        this.unwrappedKey = ukey;
+        // Return decrypt promise
+        return decrypt(ukey, nanotdf);
+    }
+    generateIV() {
+        const iv = this.iv;
+        if (iv === undefined) {
+            // iv has passed the maximum iteration count for this dek
+            throw new ConfigurationError('dataset full');
+        }
+        // assert iv ∈ ℤ ∩ (0, 2^24)
+        if (!Number.isInteger(iv) || iv <= 0 || 0xff_ffff < iv) {
+            // Something has fiddled with the iv outside of the expected behavior
+            // could indicate a race condition, e.g. if two workers or handlers are
+            // processing the file at once, for example.
+            throw new Error('internal: invalid state');
+        }
+        const lengthAsUint32 = new Uint32Array(1);
+        lengthAsUint32[0] = iv;
+        const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
+        // NOTE: We are only interested in only first 3 bytes.
+        const ivVector = new Uint8Array(Client.IV_SIZE).fill(0);
+        ivVector[9] = lengthAsUint24[2];
+        ivVector[10] = lengthAsUint24[1];
+        ivVector[11] = lengthAsUint24[0];
+        // Increment the IV
+        if (iv == 0xff_ffff) {
+            delete this.iv;
+        }
+        else {
+            this.iv = iv + 1;
+        }
+        return ivVector;
+    }
+}
+// Total unique IVs(2^24 -1) used for encrypting the nano tdf payloads
+// IV starts from 1 since the 0 IV is reserved for policy encryption
+NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS = 8388606;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibmFub2NsaWVudHMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbmFub2NsaWVudHMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUNMLE1BQU0sRUFDTixPQUFPLEVBRVAsT0FBTyxFQUNQLE9BQU8sRUFDUCxjQUFjLEVBQ2QsV0FBVyxFQUNYLGFBQWEsR0FDZCxNQUFNLG9CQUFvQixDQUFDO0FBQzVCLE9BQU8sRUFBRSxZQUFZLEVBQUUsTUFBTSwyQkFBMkIsQ0FBQztBQUN6RCxPQUFPLEVBQUUsTUFBTSxFQUFFLE1BQU0saUJBQWlCLENBQUM7QUFFekMsT0FBTyxFQUFFLGVBQWUsRUFBRSxNQUFNLDBCQUEwQixDQUFDO0FBQzNELE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUUvQyxPQUFPLEVBQUUsa0JBQWtCLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFPakQseUJBQXlCO0FBQ3pCLE1BQU0sY0FBYyxHQUFtQjtJQUNyQyxZQUFZLEVBQUUsS0FBSztDQUNwQixDQUFDO0FBRUY7OztHQUdHO0FBQ0gsTUFBTSxPQUFPLGFBQWMsU0FBUSxNQUFNO0lBQ3ZDOzs7Ozs7T0FNRztJQUNILEtBQUssQ0FBQyxPQUFPLENBQUMsVUFBNkM7UUFDekQsbUJBQW1CO1FBQ25CLE1BQU0sT0FBTyxHQUFHLE9BQU8sQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLENBQUM7UUFFekMsMERBQTBEO1FBQzFELE1BQU0sT0FBTyxHQUFHLE9BQU8sQ0FBQztRQUN4QixNQUFNLE1BQU0sR0FBRyxPQUFPLENBQUMsTUFBTSxDQUFDLGVBQWUsRUFBRSxDQUFDO1FBRWhELDhCQUE4QjtRQUM5QixNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQy9CLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE1BQU0sRUFDTixPQUFPLENBQUMsTUFBTSxDQUFDLGtCQUFrQixFQUNqQyxPQUFPLENBQ1IsQ0FBQztRQUVGLElBQUksQ0FBQyxJQUFJLEVBQUUsQ0FBQztZQUNWLE1BQU0sSUFBSSxLQUFLLENBQUMsOEJBQThCLENBQUMsQ0FBQztRQUNsRCxDQUFDO1FBQ0QseUJBQXlCO1FBQ3pCLE9BQU8sT0FBTyxDQUFDLElBQUksRUFBRSxPQUFPLENBQUMsQ0FBQztJQUNoQyxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLGdCQUFnQixDQUFDLFVBQTZDO1FBQ2xFLG1CQUFtQjtRQUNuQixNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFFMUQsTUFBTSxhQUFhLEdBQUcsT0FBTyxDQUFDO1FBQzlCLDhCQUE4QjtRQUM5QixNQUFNLEdBQUcsR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQzlCLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE9BQU8sQ0FBQyxNQUFNLENBQUMsZUFBZSxFQUFFLEVBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLEVBQ2pDLGFBQWEsQ0FDZCxDQUFDO1FBRUYsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1lBQ1QsTUFBTSxJQUFJLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO1FBQzdDLENBQUM7UUFDRCx5QkFBeUI7UUFDekIsT0FBTyxPQUFPLENBQUMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQy9CLENBQUM7SUFFRDs7Ozs7OztPQU9HO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FDWCxJQUF1QyxFQUN2QyxPQUF3QjtRQUV4QiwwREFBMEQ7UUFDMUQsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQztRQUNyRCxNQUFNLG9CQUFvQixHQUFHLElBQUksQ0FBQyxFQUFFLENBQUM7UUFFckMsSUFBSSxPQUFPLG9CQUFvQixLQUFLLFFBQVEsRUFBRSxDQUFDO1lBQzdDLE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsMkVBQTJFLENBQzVFLENBQUM7UUFDSixDQUFDO1FBQ0QsT0FBTyxJQUFJLENBQUMsRUFBRSxDQUFDO1FBRWYsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUNwQixJQUFJLENBQUMsU0FBUyxHQUFHLE1BQU0sZ0JBQWdCLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ3ZELENBQUM7UUFFRCw4QkFBOEI7UUFDOUIsTUFBTSxNQUFNLEdBQUcsSUFBSSxNQUFNLEVBQUUsQ0FBQztRQUU1Qix1QkFBdUI7UUFDdkIsS0FBSyxNQUFNLGFBQWEsSUFBSSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDaEQsTUFBTSxTQUFTLEdBQUcsTUFBTSxlQUFlLENBQUMsYUFBYSxFQUFFLElBQUksQ0FBQyxTQUFTLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1lBQ3BGLE1BQU0sQ0FBQyxZQUFZLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDakMsQ0FBQztRQUVELElBQUksSUFBSSxDQUFDLE9BQU8sQ0FBQyxNQUFNLElBQUksQ0FBQyxJQUFJLElBQUksQ0FBQyxjQUFjLENBQUMsTUFBTSxJQUFJLENBQUMsRUFBRSxDQUFDO1lBQ2hFLE9BQU8sQ0FBQyxJQUFJLENBQ1YscUpBQXFKLENBQ3RKLENBQUM7UUFDSixDQUFDO1FBRUQsc0JBQXNCO1FBQ3RCLE1BQU0saUJBQWlCLEdBQUcsTUFBTSxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBRTFDLGtFQUFrRTtRQUNsRSw4QkFBOEI7UUFDOUIsTUFBTSxjQUFjLEdBQUcsSUFBSSxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDMUMsY0FBYyxDQUFDLENBQUMsQ0FBQyxHQUFHLG9CQUFvQixDQUFDO1FBRXpDLE1BQU0sY0FBYyxHQUFHLElBQUksVUFBVSxDQUFDLGNBQWMsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUU3RCxzREFBc0Q7UUFDdEQsTUFBTSxTQUFTLEdBQUcsSUFBSSxVQUFVLENBQUMsRUFBRSxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzdDLFNBQVMsQ0FBQyxDQUFDLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDakMsU0FBUyxDQUFDLEVBQUUsQ0FBQyxHQUFHLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNsQyxTQUFTLENBQUMsRUFBRSxDQUFDLEdBQUcsY0FBYyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRWxDLE1BQU0sYUFBYSxHQUFtQixFQUFFLEdBQUcsY0FBYyxFQUFFLEdBQUcsT0FBTyxFQUFFLENBQUM7UUFDeEUsT0FBTyxPQUFPLENBQ1osaUJBQWlCLEVBQ2pCLElBQUksQ0FBQyxTQUFTLEVBQ2QsZ0JBQWdCLEVBQ2hCLFNBQVMsRUFDVCxJQUFJLEVBQ0osYUFBYSxDQUFDLFlBQVksQ0FDM0IsQ0FBQztJQUNKLENBQUM7Q0FDRjtBQU1EOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7R0F3Qkc7QUFDSCxNQUFNLE9BQU8sb0JBQXFCLFNBQVEsTUFBTTtJQWE5Qzs7Ozs7Ozs7Ozs7T0FXRztJQUNILFlBQVksSUFBbUI7UUFDN0IsSUFDRSxJQUFJLENBQUMsZ0JBQWdCO1lBQ3JCLElBQUksQ0FBQyxnQkFBZ0IsR0FBRyxvQkFBb0IsQ0FBQyx1QkFBdUIsRUFDcEUsQ0FBQztZQUNELE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsd0NBQXdDLG9CQUFvQixDQUFDLHVCQUF1QixHQUFHLENBQ3hGLENBQUM7UUFDSixDQUFDO1FBQ0QsS0FBSyxDQUFDLElBQUksQ0FBQyxDQUFDO1FBRVosSUFBSSxDQUFDLGVBQWUsR0FBRyxJQUFJLENBQUMsZ0JBQWdCLElBQUksb0JBQW9CLENBQUMsdUJBQXVCLENBQUM7UUFDN0YsSUFBSSxDQUFDLGlCQUFpQixHQUFHLENBQUMsQ0FBQztJQUM3QixDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FDWCxJQUF1QyxFQUN2QyxPQUF3QjtRQUV4QixpQkFBaUI7UUFDakIsSUFBSSxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDaEMsTUFBTSxhQUFhLEdBQW1CLEVBQUUsR0FBRyxjQUFjLEVBQUUsR0FBRyxPQUFPLEVBQUUsQ0FBQztZQUN4RSxJQUFJLENBQUMsWUFBWSxHQUFHLGFBQWEsQ0FBQyxZQUFZLENBQUM7WUFDL0MsMERBQTBEO1lBQzFELE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQUM7WUFFckQsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztnQkFDcEIsSUFBSSxDQUFDLFNBQVMsR0FBRyxNQUFNLGdCQUFnQixDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUN2RCxDQUFDO1lBRUQsOEJBQThCO1lBQzlCLE1BQU0sTUFBTSxHQUFHLElBQUksTUFBTSxFQUFFLENBQUM7WUFFNUIsdUJBQXVCO1lBQ3ZCLEtBQUssTUFBTSxhQUFhLElBQUksSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO2dCQUNoRCxNQUFNLFNBQVMsR0FBRyxNQUFNLGVBQWUsQ0FBQyxhQUFhLEVBQUUsSUFBSSxDQUFDLFNBQVMsRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7Z0JBQ3BGLE1BQU0sQ0FBQyxZQUFZLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDakMsQ0FBQztZQUVELElBQUksSUFBSSxDQUFDLE9BQU8sQ0FBQyxNQUFNLElBQUksQ0FBQyxJQUFJLElBQUksQ0FBQyxjQUFjLENBQUMsTUFBTSxJQUFJLENBQUMsRUFBRSxDQUFDO2dCQUNoRSxPQUFPLENBQUMsSUFBSSxDQUNWLHFKQUFxSixDQUN0SixDQUFDO1lBQ0osQ0FBQztZQUVELHNCQUFzQjtZQUN0QixNQUFNLGlCQUFpQixHQUFHLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUUxQyxNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7WUFFbkMsNEJBQTRCO1lBQzVCLElBQUksQ0FBQyxZQUFZLEdBQUcsTUFBTSxZQUFZLENBQ3BDLGdCQUFnQixDQUFDLFVBQVUsRUFDM0IsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLEdBQUcsRUFDeEIsTUFBTSxXQUFXLENBQUMsYUFBYSxDQUFDLGtCQUFrQixDQUFDLENBQ3BELENBQUM7WUFFRixNQUFNLGFBQWEsR0FBRyxNQUFNLE9BQU8sQ0FDakMsaUJBQWlCLEVBQ2pCLElBQUksQ0FBQyxTQUFTLEVBQ2QsZ0JBQWdCLEVBQ2hCLFFBQVEsRUFDUixJQUFJLEVBQ0osSUFBSSxDQUFDLFlBQVksQ0FDbEIsQ0FBQztZQUVGLG1EQUFtRDtZQUNuRCxJQUFJLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxDQUFDO2dCQUN2QixNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxDQUFDO2dCQUM1QyxJQUFJLENBQUMsWUFBWSxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUM7WUFDckMsQ0FBQztZQUVELElBQUksQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLENBQUM7WUFFNUIsT0FBTyxhQUFhLENBQUM7UUFDdkIsQ0FBQztRQUVELElBQUksQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLENBQUM7UUFFNUIsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztZQUN2QixNQUFNLElBQUksa0JBQWtCLENBQUMsOENBQThDLENBQUMsQ0FBQztRQUMvRSxDQUFDO1FBQ0QsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztZQUN2QixNQUFNLElBQUksa0JBQWtCLENBQUMsbUNBQW1DLENBQUMsQ0FBQztRQUNwRSxDQUFDO1FBRUQsSUFBSSxDQUFDLGlCQUFpQixJQUFJLENBQUMsQ0FBQztRQUM1QixJQUFJLElBQUksQ0FBQyxpQkFBaUIsSUFBSSxJQUFJLENBQUMsZUFBZSxFQUFFLENBQUM7WUFDbkQsMEJBQTBCO1lBQzFCLElBQUksQ0FBQyxpQkFBaUIsR0FBRyxDQUFDLENBQUM7UUFDN0IsQ0FBQztRQUVELE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztRQUVuQyxPQUFPLGNBQWMsQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFLElBQUksQ0FBQyxZQUFZLEVBQUUsUUFBUSxFQUFFLElBQUksQ0FBQyxDQUFDO0lBQzlFLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxLQUFLLENBQUMsT0FBTyxDQUFDLFVBQTZDO1FBQ3pELG1CQUFtQjtRQUNuQixNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBRXpDLElBQUksQ0FBQyxJQUFJLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztZQUM3QixnQkFBZ0I7WUFDaEIsT0FBTyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDeEMsQ0FBQztRQUVELGlCQUFpQjtRQUNqQixJQUFJLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLEVBQUUsSUFBSSxPQUFPLENBQUMsTUFBTSxDQUFDLGtCQUFrQixDQUFDLFFBQVEsRUFBRSxFQUFFLENBQUM7WUFDdkYsTUFBTSxJQUFJLEdBQUcsSUFBSSxDQUFDLFlBQVksQ0FBQztZQUMvQixJQUFJLENBQUMsSUFBSSxFQUFFLENBQUM7Z0JBQ1Ysb0NBQW9DO2dCQUNwQyxNQUFNLElBQUksS0FBSyxDQUFDLDhCQUE4QixDQUFDLENBQUM7WUFDbEQsQ0FBQztZQUNELHlCQUF5QjtZQUN6QixPQUFPLE9BQU8sQ0FBQyxJQUFJLEVBQUUsT0FBTyxDQUFDLENBQUM7UUFDaEMsQ0FBQzthQUFNLENBQUM7WUFDTixPQUFPLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUN4QyxDQUFDO0lBQ0gsQ0FBQztJQUVELEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFnQjtRQUNyQywwREFBMEQ7UUFDMUQsTUFBTSxPQUFPLEdBQUcsT0FBTyxDQUFDO1FBQ3hCLDhCQUE4QjtRQUM5QixNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQy9CLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE9BQU8sQ0FBQyxNQUFNLENBQUMsZUFBZSxFQUFFLEVBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLEVBQ2pDLE9BQU8sQ0FDUixDQUFDO1FBQ0YsSUFBSSxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ1Ysb0NBQW9DO1lBQ3BDLE1BQU0sSUFBSSxLQUFLLENBQUMsOEJBQThCLENBQUMsQ0FBQztRQUNsRCxDQUFDO1FBRUQsSUFBSSxDQUFDLGtCQUFrQixHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLENBQUM7UUFDNUQsSUFBSSxDQUFDLFlBQVksR0FBRyxJQUFJLENBQUM7UUFFekIseUJBQXlCO1FBQ3pCLE9BQU8sT0FBTyxDQUFDLElBQUksRUFBRSxPQUFPLENBQUMsQ0FBQztJQUNoQyxDQUFDO0lBRUQsVUFBVTtRQUNSLE1BQU0sRUFBRSxHQUFHLElBQUksQ0FBQyxFQUFFLENBQUM7UUFDbkIsSUFBSSxFQUFFLEtBQUssU0FBUyxFQUFFLENBQUM7WUFDckIseURBQXlEO1lBQ3pELE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyxjQUFjLENBQUMsQ0FBQztRQUMvQyxDQUFDO1FBQ0QsNEJBQTRCO1FBQzVCLElBQUksQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEVBQUUsQ0FBQyxJQUFJLEVBQUUsSUFBSSxDQUFDLElBQUksU0FBUyxHQUFHLEVBQUUsRUFBRSxDQUFDO1lBQ3ZELHFFQUFxRTtZQUNyRSx1RUFBdUU7WUFDdkUsNENBQTRDO1lBQzVDLE1BQU0sSUFBSSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQztRQUM3QyxDQUFDO1FBRUQsTUFBTSxjQUFjLEdBQUcsSUFBSSxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDMUMsY0FBYyxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUV2QixNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFN0Qsc0RBQXNEO1FBQ3RELE1BQU0sUUFBUSxHQUFHLElBQUksVUFBVSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDeEQsUUFBUSxDQUFDLENBQUMsQ0FBQyxHQUFHLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNoQyxRQUFRLENBQUMsRUFBRSxDQUFDLEdBQUcsY0FBYyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pDLFFBQVEsQ0FBQyxFQUFFLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFakMsbUJBQW1CO1FBQ25CLElBQUksRUFBRSxJQUFJLFNBQVMsRUFBRSxDQUFDO1lBQ3BCLE9BQU8sSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUNqQixDQUFDO2FBQU0sQ0FBQztZQUNOLElBQUksQ0FBQyxFQUFFLEdBQUcsRUFBRSxHQUFHLENBQUMsQ0FBQztRQUNuQixDQUFDO1FBRUQsT0FBTyxRQUFRLENBQUM7SUFDbEIsQ0FBQzs7QUFyTkQsc0VBQXNFO0FBQ3RFLG9FQUFvRTtBQUNwRCw0Q0FBdUIsR0FBRyxPQUFPLENBQUMifQ==

package/dist/web/src/nanoindex.js

@@ -0,0 +1,5 @@
+export * as AuthProviders from './auth/providers.js';
+export { attributeFQNsAsValues } from './policy/api.js';
+export * from './nanoclients.js';
+export { version, clientType } from './version.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibmFub2luZGV4LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL25hbm9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssYUFBYSxNQUFNLHFCQUFxQixDQUFDO0FBQ3JELE9BQU8sRUFBRSxxQkFBcUIsRUFBRSxNQUFNLGlCQUFpQixDQUFDO0FBQ3hELGNBQWMsa0JBQWtCLENBQUM7QUFDakMsT0FBTyxFQUFFLE9BQU8sRUFBRSxVQUFVLEVBQUUsTUFBTSxjQUFjLENBQUMifQ==