npm - @opentdf/sdk - Versions diffs - 0.1.0-beta.1718 → 0.2.0-beta.1941 - Mend

@opentdf/sdk 0.1.0-beta.1718 → 0.2.0-beta.1941

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (321) hide show

package/README.md +45 -38
package/dist/cjs/src/access.js +99 -62
package/dist/cjs/src/auth/auth.js +5 -26
package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +1 -1
package/dist/cjs/src/auth/oidc-externaljwt-provider.js +1 -1
package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +1 -1
package/dist/cjs/src/auth/oidc.js +1 -1
package/dist/cjs/src/auth/providers.js +1 -1
package/dist/cjs/src/concurrency.js +3 -4
package/dist/cjs/src/encodings/base64.js +4 -4
package/dist/cjs/src/encodings/hex.js +5 -6
package/dist/cjs/src/encodings/index.js +18 -8
package/dist/cjs/src/errors.js +1 -1
package/dist/cjs/src/index.js +28 -320
package/dist/cjs/src/nanoclients.js +285 -0
package/dist/cjs/src/nanoindex.js +47 -0
package/dist/cjs/src/nanotdf/Client.js +35 -30
package/dist/cjs/src/nanotdf/NanoTDF.js +1 -1
package/dist/cjs/src/nanotdf/decrypt.js +2 -2
package/dist/cjs/src/nanotdf/encrypt-dataset.js +2 -2
package/dist/cjs/src/nanotdf/encrypt.js +2 -2
package/dist/cjs/src/nanotdf/helpers/calculateByCurve.js +3 -4
package/dist/cjs/src/nanotdf/helpers/getHkdfSalt.js +2 -2
package/dist/cjs/src/nanotdf/models/Ciphers.js +3 -3
package/dist/cjs/src/nanotdf/models/EcCurves.js +3 -3
package/dist/cjs/src/nanotdf/models/Header.js +1 -1
package/dist/cjs/src/nanotdf/models/Payload.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/AbstractPolicy.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/EmbeddedPolicy.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/PolicyFactory.js +1 -1
package/dist/cjs/src/nanotdf/models/ResourceLocator.js +1 -1
package/dist/cjs/src/nanotdf/models/Signature.js +1 -1
package/dist/cjs/src/nanotdf-crypto/ciphers.js +1 -1
package/dist/cjs/src/nanotdf-crypto/decrypt.js +2 -2
package/dist/cjs/src/nanotdf-crypto/digest.js +2 -2
package/dist/cjs/src/nanotdf-crypto/ecdsaSignature.js +4 -5
package/dist/cjs/src/nanotdf-crypto/encrypt.js +2 -2
package/dist/cjs/src/nanotdf-crypto/exportCryptoKey.js +2 -2
package/dist/cjs/src/nanotdf-crypto/generateKeyPair.js +2 -2
package/dist/cjs/src/nanotdf-crypto/generateRandomNumber.js +2 -2
package/dist/cjs/src/nanotdf-crypto/index.js +21 -13
package/dist/cjs/src/nanotdf-crypto/keyAgreement.js +10 -8
package/dist/cjs/src/nanotdf-crypto/pemPublicToCrypto.js +20 -11
package/dist/cjs/src/opentdf.js +243 -0
package/dist/cjs/src/policy/api.js +2 -3
package/dist/cjs/src/policy/granter.js +3 -4
package/dist/cjs/src/seekable.js +157 -0
package/dist/cjs/src/tdf/AttributeObject.js +2 -4
package/dist/cjs/src/tdf/Policy.js +3 -3
package/dist/cjs/src/utils.js +13 -21
package/dist/cjs/src/version.js +7 -3
package/dist/cjs/tdf3/index.js +27 -16
package/dist/cjs/tdf3/src/assertions.js +25 -11
package/dist/cjs/tdf3/src/binary.js +1 -1
package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +1 -1
package/dist/cjs/tdf3/src/client/DecoratedReadableStream.js +7 -74
package/dist/cjs/tdf3/src/client/builders.js +26 -22
package/dist/cjs/tdf3/src/client/index.js +91 -117
package/dist/cjs/tdf3/src/client/validation.js +3 -3
package/dist/cjs/tdf3/src/crypto/crypto-utils.js +1 -1
package/dist/cjs/tdf3/src/crypto/index.js +18 -18
package/dist/cjs/tdf3/src/index.js +22 -11
package/dist/cjs/tdf3/src/models/attribute-set.js +1 -1
package/dist/cjs/tdf3/src/models/encryption-information.js +3 -3
package/dist/cjs/tdf3/src/models/index.js +1 -2
package/dist/cjs/tdf3/src/models/key-access.js +67 -35
package/dist/cjs/tdf3/src/models/policy.js +3 -3
package/dist/cjs/tdf3/src/tdf.js +180 -395
package/dist/cjs/tdf3/src/utils/buffer-crc32.js +2 -3
package/dist/cjs/tdf3/src/utils/index.js +48 -38
package/dist/cjs/tdf3/src/utils/keysplit.js +4 -5
package/dist/cjs/tdf3/src/utils/unwrap.js +21 -0
package/dist/cjs/tdf3/src/utils/zip-reader.js +4 -4
package/dist/cjs/tdf3/src/utils/zip-writer.js +4 -4
package/dist/types/src/access.d.ts +10 -4
package/dist/types/src/access.d.ts.map +1 -1
package/dist/types/src/auth/auth.d.ts +1 -28
package/dist/types/src/auth/auth.d.ts.map +1 -1
package/dist/types/src/auth/providers.d.ts.map +1 -1
package/dist/types/src/index.d.ts +5 -136
package/dist/types/src/index.d.ts.map +1 -1
package/dist/types/src/nanoclients.d.ts +107 -0
package/dist/types/src/nanoclients.d.ts.map +1 -0
package/dist/types/src/nanoindex.d.ts +5 -0
package/dist/types/src/nanoindex.d.ts.map +1 -0
package/dist/types/src/nanotdf/Client.d.ts +1 -13
package/dist/types/src/nanotdf/Client.d.ts.map +1 -1
package/dist/types/src/nanotdf/NanoTDF.d.ts +1 -1
package/dist/types/src/nanotdf/NanoTDF.d.ts.map +1 -1
package/dist/types/src/nanotdf/encrypt-dataset.d.ts +1 -1
package/dist/types/src/nanotdf/encrypt-dataset.d.ts.map +1 -1
package/dist/types/src/nanotdf/encrypt.d.ts +1 -1
package/dist/types/src/nanotdf/encrypt.d.ts.map +1 -1
package/dist/types/src/nanotdf/enum/CipherEnum.d.ts +1 -1
package/dist/types/src/nanotdf/enum/CipherEnum.d.ts.map +1 -1
package/dist/types/src/nanotdf/enum/PolicyTypeEnum.d.ts +1 -1
package/dist/types/src/nanotdf/enum/PolicyTypeEnum.d.ts.map +1 -1
package/dist/types/src/nanotdf/helpers/getHkdfSalt.d.ts +1 -1
package/dist/types/src/nanotdf/helpers/getHkdfSalt.d.ts.map +1 -1
package/dist/types/src/nanotdf/models/DefaultParams.d.ts +1 -1
package/dist/types/src/nanotdf/models/ResourceLocator.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/digest.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/digest.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/generateKeyPair.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/generateKeyPair.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/generateRandomNumber.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/generateRandomNumber.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/index.d.ts +2 -3
package/dist/types/src/nanotdf-crypto/index.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/keyAgreement.d.ts.map +1 -1
package/dist/types/src/opentdf.d.ts +106 -0
package/dist/types/src/opentdf.d.ts.map +1 -0
package/dist/types/src/seekable.d.ts +39 -0
package/dist/types/src/seekable.d.ts.map +1 -0
package/dist/types/src/tdf/AttributeObject.d.ts +0 -2
package/dist/types/src/tdf/AttributeObject.d.ts.map +1 -1
package/dist/types/src/tdf/NanoTDF/NanoTDF.d.ts +2 -2
package/dist/types/src/tdf/NanoTDF/NanoTDF.d.ts.map +1 -1
package/dist/types/src/tdf/Policy.d.ts +1 -1
package/dist/types/src/tdf/Policy.d.ts.map +1 -1
package/dist/types/src/tdf/PolicyObject.d.ts +1 -2
package/dist/types/src/tdf/PolicyObject.d.ts.map +1 -1
package/dist/types/src/tdf/TypedArray.d.ts +1 -2
package/dist/types/src/tdf/TypedArray.d.ts.map +1 -1
package/dist/types/src/utils.d.ts +1 -3
package/dist/types/src/utils.d.ts.map +1 -1
package/dist/types/src/version.d.ts +5 -1
package/dist/types/src/version.d.ts.map +1 -1
package/dist/types/tdf3/index.d.ts +5 -4
package/dist/types/tdf3/index.d.ts.map +1 -1
package/dist/types/tdf3/src/assertions.d.ts +3 -3
package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts +2 -15
package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts.map +1 -1
package/dist/types/tdf3/src/client/builders.d.ts +43 -42
package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
package/dist/types/tdf3/src/client/index.d.ts +12 -17
package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
package/dist/types/tdf3/src/client/validation.d.ts +3 -3
package/dist/types/tdf3/src/client/validation.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
package/dist/types/tdf3/src/index.d.ts +1 -1
package/dist/types/tdf3/src/index.d.ts.map +1 -1
package/dist/types/tdf3/src/models/index.d.ts +0 -1
package/dist/types/tdf3/src/models/index.d.ts.map +1 -1
package/dist/types/tdf3/src/models/key-access.d.ts +63 -15
package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
package/dist/types/tdf3/src/models/manifest.d.ts +2 -0
package/dist/types/tdf3/src/models/manifest.d.ts.map +1 -1
package/dist/types/tdf3/src/models/policy.d.ts +0 -1
package/dist/types/tdf3/src/models/policy.d.ts.map +1 -1
package/dist/types/tdf3/src/tdf.d.ts +24 -37
package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/index.d.ts +0 -4
package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/unwrap.d.ts +2 -0
package/dist/types/tdf3/src/utils/unwrap.d.ts.map +1 -0
package/dist/types/tdf3/src/utils/zip-reader.d.ts +1 -1
package/dist/types/tdf3/src/utils/zip-reader.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/zip-writer.d.ts +2 -2
package/dist/web/src/access.js +93 -58
package/dist/web/src/auth/auth.js +1 -21
package/dist/web/src/auth/oidc-clientcredentials-provider.js +1 -1
package/dist/web/src/auth/oidc-externaljwt-provider.js +1 -1
package/dist/web/src/auth/oidc-refreshtoken-provider.js +1 -1
package/dist/web/src/auth/oidc.js +1 -1
package/dist/web/src/auth/providers.js +1 -1
package/dist/web/src/concurrency.js +1 -1
package/dist/web/src/encodings/base64.js +1 -1
package/dist/web/src/encodings/hex.js +1 -1
package/dist/web/src/errors.js +1 -1
package/dist/web/src/index.js +6 -312
package/dist/web/src/nanoclients.js +280 -0
package/dist/web/src/nanoindex.js +5 -0
package/dist/web/src/nanotdf/Client.js +18 -23
package/dist/web/src/nanotdf/NanoTDF.js +1 -1
package/dist/web/src/nanotdf/encrypt-dataset.js +1 -1
package/dist/web/src/nanotdf/encrypt.js +1 -1
package/dist/web/src/nanotdf/models/Ciphers.js +1 -1
package/dist/web/src/nanotdf/models/EcCurves.js +1 -1
package/dist/web/src/nanotdf/models/Header.js +1 -1
package/dist/web/src/nanotdf/models/Payload.js +1 -1
package/dist/web/src/nanotdf/models/Policy/AbstractPolicy.js +1 -1
package/dist/web/src/nanotdf/models/Policy/EmbeddedPolicy.js +1 -1
package/dist/web/src/nanotdf/models/Policy/PolicyFactory.js +1 -1
package/dist/web/src/nanotdf/models/ResourceLocator.js +1 -1
package/dist/web/src/nanotdf/models/Signature.js +1 -1
package/dist/web/src/nanotdf-crypto/ciphers.js +1 -1
package/dist/web/src/nanotdf-crypto/ecdsaSignature.js +1 -1
package/dist/web/src/nanotdf-crypto/generateKeyPair.js +2 -2
package/dist/web/src/nanotdf-crypto/generateRandomNumber.js +2 -2
package/dist/web/src/nanotdf-crypto/index.js +3 -4
package/dist/web/src/nanotdf-crypto/keyAgreement.js +9 -6
package/dist/web/src/nanotdf-crypto/pemPublicToCrypto.js +1 -1
package/dist/web/src/opentdf.js +234 -0
package/dist/web/src/policy/api.js +1 -1
package/dist/web/src/policy/granter.js +1 -1
package/dist/web/src/seekable.js +148 -0
package/dist/web/src/tdf/AttributeObject.js +1 -2
package/dist/web/src/tdf/Policy.js +2 -4
package/dist/web/src/utils.js +3 -10
package/dist/web/src/version.js +6 -2
package/dist/web/tdf3/index.js +5 -4
package/dist/web/tdf3/src/assertions.js +21 -6
package/dist/web/tdf3/src/binary.js +1 -1
package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +1 -1
package/dist/web/tdf3/src/client/DecoratedReadableStream.js +4 -68
package/dist/web/tdf3/src/client/builders.js +26 -22
package/dist/web/tdf3/src/client/index.js +74 -105
package/dist/web/tdf3/src/client/validation.js +1 -1
package/dist/web/tdf3/src/crypto/crypto-utils.js +1 -1
package/dist/web/tdf3/src/crypto/index.js +1 -1
package/dist/web/tdf3/src/index.js +2 -2
package/dist/web/tdf3/src/models/attribute-set.js +1 -1
package/dist/web/tdf3/src/models/encryption-information.js +3 -3
package/dist/web/tdf3/src/models/index.js +1 -2
package/dist/web/tdf3/src/models/key-access.js +47 -24
package/dist/web/tdf3/src/models/policy.js +1 -1
package/dist/web/tdf3/src/tdf.js +153 -371
package/dist/web/tdf3/src/utils/buffer-crc32.js +1 -1
package/dist/web/tdf3/src/utils/index.js +19 -14
package/dist/web/tdf3/src/utils/keysplit.js +1 -1
package/dist/web/tdf3/src/utils/unwrap.js +18 -0
package/dist/web/tdf3/src/utils/zip-reader.js +1 -1
package/dist/web/tdf3/src/utils/zip-writer.js +1 -1
package/package.json +45 -45
package/src/access.ts +111 -54
package/src/auth/auth.ts +1 -31
package/src/index.ts +5 -440
package/src/nanoclients.ts +405 -0
package/src/nanoindex.ts +4 -0
package/src/nanotdf/Client.ts +18 -25
package/src/nanotdf/NanoTDF.ts +1 -1
package/src/nanotdf/encrypt-dataset.ts +1 -1
package/src/nanotdf/encrypt.ts +1 -1
package/src/nanotdf/helpers/getHkdfSalt.ts +1 -1
package/src/nanotdf-crypto/digest.ts +1 -1
package/src/nanotdf-crypto/generateKeyPair.ts +1 -1
package/src/nanotdf-crypto/generateRandomNumber.ts +1 -1
package/src/nanotdf-crypto/index.ts +2 -3
package/src/nanotdf-crypto/keyAgreement.ts +14 -7
package/src/opentdf.ts +441 -0
package/src/seekable.ts +180 -0
package/src/tdf/AttributeObject.ts +0 -3
package/src/tdf/Policy.ts +1 -2
package/src/tdf/PolicyObject.ts +1 -2
package/src/tdf/TypedArray.ts +1 -3
package/src/utils.ts +3 -11
package/src/version.ts +6 -1
package/tdf3/index.ts +15 -10
package/tdf3/src/assertions.ts +33 -8
package/tdf3/src/client/DecoratedReadableStream.ts +3 -80
package/tdf3/src/client/builders.ts +44 -28
package/tdf3/src/client/index.ts +109 -165
package/tdf3/src/index.ts +1 -1
package/tdf3/src/models/encryption-information.ts +2 -2
package/tdf3/src/models/index.ts +0 -1
package/tdf3/src/models/key-access.ts +120 -38
package/tdf3/src/models/manifest.ts +3 -0
package/tdf3/src/models/policy.ts +0 -1
package/tdf3/src/tdf.ts +266 -522
package/tdf3/src/utils/index.ts +19 -18
package/tdf3/src/utils/unwrap.ts +17 -0
package/tdf3/src/utils/zip-reader.ts +1 -1
package/dist/cjs/src/auth/Eas.js +0 -60
package/dist/cjs/src/nanotdf-crypto/importRawKey.js +0 -18
package/dist/cjs/src/tdf/Crypto.js +0 -47
package/dist/cjs/src/tdf/EntityObject.js +0 -3
package/dist/cjs/src/tdf/index.js +0 -35
package/dist/cjs/tdf3/src/models/upsert-response.js +0 -3
package/dist/cjs/tdf3/src/templates/default.html.js +0 -98
package/dist/cjs/tdf3/src/templates/escaper.js +0 -15
package/dist/cjs/tdf3/src/templates/index.js +0 -12
package/dist/cjs/tdf3/src/utils/chunkers.js +0 -106
package/dist/cjs/tdf3/src/version.js +0 -6
package/dist/types/src/auth/Eas.d.ts +0 -34
package/dist/types/src/auth/Eas.d.ts.map +0 -1
package/dist/types/src/nanotdf-crypto/importRawKey.d.ts +0 -13
package/dist/types/src/nanotdf-crypto/importRawKey.d.ts.map +0 -1
package/dist/types/src/tdf/Crypto.d.ts +0 -37
package/dist/types/src/tdf/Crypto.d.ts.map +0 -1
package/dist/types/src/tdf/EntityObject.d.ts +0 -18
package/dist/types/src/tdf/EntityObject.d.ts.map +0 -1
package/dist/types/src/tdf/index.d.ts +0 -7
package/dist/types/src/tdf/index.d.ts.map +0 -1
package/dist/types/tdf3/src/models/upsert-response.d.ts +0 -16
package/dist/types/tdf3/src/models/upsert-response.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/default.html.d.ts +0 -8
package/dist/types/tdf3/src/templates/default.html.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/escaper.d.ts +0 -6
package/dist/types/tdf3/src/templates/escaper.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/index.d.ts +0 -3
package/dist/types/tdf3/src/templates/index.d.ts.map +0 -1
package/dist/types/tdf3/src/utils/chunkers.d.ts +0 -29
package/dist/types/tdf3/src/utils/chunkers.d.ts.map +0 -1
package/dist/types/tdf3/src/version.d.ts +0 -3
package/dist/types/tdf3/src/version.d.ts.map +0 -1
package/dist/web/src/auth/Eas.js +0 -55
package/dist/web/src/nanotdf-crypto/importRawKey.js +0 -15
package/dist/web/src/tdf/Crypto.js +0 -44
package/dist/web/src/tdf/EntityObject.js +0 -2
package/dist/web/src/tdf/index.js +0 -4
package/dist/web/tdf3/src/models/upsert-response.js +0 -2
package/dist/web/tdf3/src/templates/default.html.js +0 -96
package/dist/web/tdf3/src/templates/escaper.js +0 -10
package/dist/web/tdf3/src/templates/index.js +0 -3
package/dist/web/tdf3/src/utils/chunkers.js +0 -96
package/dist/web/tdf3/src/version.js +0 -3
package/src/auth/Eas.ts +0 -79
package/src/nanotdf-crypto/importRawKey.ts +0 -19
package/src/tdf/Crypto.ts +0 -42
package/src/tdf/EntityObject.ts +0 -18
package/src/tdf/index.ts +0 -6
package/tdf3/src/models/upsert-response.ts +0 -17
package/tdf3/src/templates/default.html.ts +0 -105
package/tdf3/src/templates/escaper.ts +0 -10
package/tdf3/src/templates/index.ts +0 -2
package/tdf3/src/utils/chunkers.ts +0 -118
package/tdf3/src/version.ts +0 -2

package/src/nanoclients.ts ADDED Viewed

@@ -0,0 +1,405 @@
+import {
+  Client,
+  NanoTDF,
+  Header,
+  encrypt,
+  decrypt,
+  encryptDataset,
+  getHkdfSalt,
+  DefaultParams,
+} from './nanotdf/index.js';
+import { keyAgreement } from './nanotdf-crypto/index.js';
+import { Policy } from './tdf/Policy.js';
+import { type TypedArray } from './tdf/TypedArray.js';
+import { createAttribute } from './tdf/AttributeObject.js';
+import { fetchECKasPubKey } from './access.js';
+import { ClientConfig } from './nanotdf/Client.js';
+import { ConfigurationError } from './errors.js';
+// Define the EncryptOptions type
+export type EncryptOptions = {
+  ecdsaBinding: boolean;
+};
+// Define default options
+const defaultOptions: EncryptOptions = {
+  ecdsaBinding: false,
+};
+/**
+ * NanoTDF SDK Client. Deprecated in favor of OpenTDF.
+ *
+ */
+export class NanoTDFClient extends Client {
+  /**
+   * Decrypt ciphertext
+   *
+   * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+   *
+   * @param ciphertext Ciphertext to decrypt
+   */
+  async decrypt(ciphertext: string | TypedArray | ArrayBuffer): Promise<ArrayBuffer> {
+    // Parse ciphertext
+    const nanotdf = NanoTDF.from(ciphertext);
+    // TODO: The version number should be fetched from the API
+    const version = '0.0.1';
+    const kasUrl = nanotdf.header.getKasRewrapUrl();
+    // Rewrap key on every request
+    const ukey = await this.rewrapKey(
+      nanotdf.header.toBuffer(),
+      kasUrl,
+      nanotdf.header.magicNumberVersion,
+      version
+    );
+    if (!ukey) {
+      throw new Error('internal: key rewrap failure');
+    }
+    // Return decrypt promise
+    return decrypt(ukey, nanotdf);
+  }
+  /**
+   * Decrypt ciphertext of the legacy TDF, with the older, smaller i.v. calculation.
+   *
+   * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+   *
+   * @param ciphertext Ciphertext to decrypt
+   */
+  async decryptLegacyTDF(ciphertext: string | TypedArray | ArrayBuffer): Promise<ArrayBuffer> {
+    // Parse ciphertext
+    const nanotdf = NanoTDF.from(ciphertext, undefined, true);
+    const legacyVersion = '0.0.0';
+    // Rewrap key on every request
+    const key = await this.rewrapKey(
+      nanotdf.header.toBuffer(),
+      nanotdf.header.getKasRewrapUrl(),
+      nanotdf.header.magicNumberVersion,
+      legacyVersion
+    );
+    if (!key) {
+      throw new Error('internal: failed unwrap');
+    }
+    // Return decrypt promise
+    return decrypt(key, nanotdf);
+  }
+  /**
+   * Encrypts the given data using the NanoTDF encryption scheme.
+   *
+   * @param {string | TypedArray | ArrayBuffer} data - The data to be encrypted.
+   * @param {EncryptOptions} [options=defaultOptions] - The encryption options (currently unused).
+   * @returns {Promise<ArrayBuffer>} A promise that resolves to the encrypted data as an ArrayBuffer.
+   * @throws {Error} If the initialization vector is not a number.
+   */
+  async encrypt(
+    data: string | TypedArray | ArrayBuffer,
+    options?: EncryptOptions
+  ): Promise<ArrayBuffer> {
+    // For encrypt always generate the client ephemeralKeyPair
+    const ephemeralKeyPair = await this.ephemeralKeyPair;
+    const initializationVector = this.iv;
+    if (typeof initializationVector !== 'number') {
+      throw new ConfigurationError(
+        'NanoTDF clients are single use. Please generate a new client and keypair.'
+      );
+    }
+    delete this.iv;
+    if (!this.kasPubKey) {
+      this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
+    }
+    // Create a policy for the tdf
+    const policy = new Policy();
+    // Add data attributes.
+    for (const dataAttribute of this.dataAttributes) {
+      const attribute = await createAttribute(dataAttribute, this.kasPubKey, this.kasUrl);
+      policy.addAttribute(attribute);
+    }
+    if (this.dissems.length == 0 && this.dataAttributes.length == 0) {
+      console.warn(
+        'This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.'
+      );
+    }
+    // Encrypt the policy.
+    const policyObjectAsStr = policy.toJSON();
+    // IV is always '1', since the new keypair is generated on encrypt
+    // using the same key is fine.
+    const lengthAsUint32 = new Uint32Array(1);
+    lengthAsUint32[0] = initializationVector;
+    const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
+    // NOTE: We are only interested in only first 3 bytes.
+    const payloadIV = new Uint8Array(12).fill(0);
+    payloadIV[9] = lengthAsUint24[2];
+    payloadIV[10] = lengthAsUint24[1];
+    payloadIV[11] = lengthAsUint24[0];
+    const mergedOptions: EncryptOptions = { ...defaultOptions, ...options };
+    return encrypt(
+      policyObjectAsStr,
+      this.kasPubKey,
+      ephemeralKeyPair,
+      payloadIV,
+      data,
+      mergedOptions.ecdsaBinding
+    );
+  }
+}
+export type DatasetConfig = ClientConfig & {
+  maxKeyIterations?: number;
+};
+/**
+ * NanoTDF Dataset SDK Client
+ *
+ *
+ * @example
+ * ```
+ * import { clientSecretAuthProvider, NanoTDFDatasetClient } from '@opentdf/sdk';
+ *
+ * const OIDC_ENDPOINT = 'http://localhost:65432/auth/realms/opentdf';
+ * const KAS_URL = 'http://localhost:65432/api/kas/';
+ *
+ * const ciphertext = '...';
+ * const client = new NanoTDFDatasetClient({
+ *   authProvider: await clientSecretAuthProvider({
+ *     clientId: 'tdf-client',
+ *     clientSecret: '123-456',
+ *     exchange: 'client',
+ *     oidcOrigin: OIDC_ENDPOINT,
+ *   }),
+ *   kasEndpoint: KAS_URL,
+ * });
+ * const plaintext = client.decrypt(ciphertext);
+ * console.log('Plaintext', plaintext);
+ * ```
+ */
+export class NanoTDFDatasetClient extends Client {
+  // Total unique IVs(2^24 -1) used for encrypting the nano tdf payloads
+  // IV starts from 1 since the 0 IV is reserved for policy encryption
+  static readonly NTDF_MAX_KEY_ITERATIONS = 8388606;
+  private maxKeyIteration: number;
+  private keyIterationCount: number;
+  private cachedEphemeralKey?: Uint8Array;
+  private unwrappedKey?: CryptoKey;
+  private symmetricKey?: CryptoKey;
+  private cachedHeader?: Header;
+  private ecdsaBinding: boolean;
+  /**
+   * Create new NanoTDF Dataset Client
+   *
+   * The Ephemeral Key Pair can either be provided or will be generate when fetching the entity object. Once set it
+   * cannot be changed. If a new ephemeral key is desired it a new client should be initialized.
+   * There is no performance impact for creating a new client IFF the ephemeral key pair is provided.
+   *
+   * @param clientConfig OIDC client credentials
+   * @param kasUrl Key access service URL
+   * @param ephemeralKeyPair (optional) ephemeral key pair to use
+   * @param maxKeyIterations Max iteration to performe without a key rotation
+   */
+  constructor(opts: DatasetConfig) {
+    if (
+      opts.maxKeyIterations &&
+      opts.maxKeyIterations > NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS
+    ) {
+      throw new ConfigurationError(
+        `key iteration exceeds max iterations(${NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS})`
+      );
+    }
+    super(opts);
+    this.maxKeyIteration = opts.maxKeyIterations || NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS;
+    this.keyIterationCount = 0;
+  }
+  /**
+   * Encrypt data
+   *
+   * Pass a string, TypedArray, or ArrayBuffer data and get a promise which resolves ciphertext
+   *
+   * @param data to decrypt
+   */
+  async encrypt(
+    data: string | TypedArray | ArrayBuffer,
+    options?: EncryptOptions
+  ): Promise<ArrayBuffer> {
+    // Intial encrypt
+    if (this.keyIterationCount == 0) {
+      const mergedOptions: EncryptOptions = { ...defaultOptions, ...options };
+      this.ecdsaBinding = mergedOptions.ecdsaBinding;
+      // For encrypt always generate the client ephemeralKeyPair
+      const ephemeralKeyPair = await this.ephemeralKeyPair;
+      if (!this.kasPubKey) {
+        this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
+      }
+      // Create a policy for the tdf
+      const policy = new Policy();
+      // Add data attributes.
+      for (const dataAttribute of this.dataAttributes) {
+        const attribute = await createAttribute(dataAttribute, this.kasPubKey, this.kasUrl);
+        policy.addAttribute(attribute);
+      }
+      if (this.dissems.length == 0 || this.dataAttributes.length == 0) {
+        console.warn(
+          'This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.'
+        );
+      }
+      // Encrypt the policy.
+      const policyObjectAsStr = policy.toJSON();
+      const ivVector = this.generateIV();
+      // Generate a symmetric key.
+      this.symmetricKey = await keyAgreement(
+        ephemeralKeyPair.privateKey,
+        await this.kasPubKey.key,
+        await getHkdfSalt(DefaultParams.magicNumberVersion)
+      );
+      const nanoTDFBuffer = await encrypt(
+        policyObjectAsStr,
+        this.kasPubKey,
+        ephemeralKeyPair,
+        ivVector,
+        data,
+        this.ecdsaBinding
+      );
+      // Cache the header and increment the key iteration
+      if (!this.cachedHeader) {
+        const nanoTDF = NanoTDF.from(nanoTDFBuffer);
+        this.cachedHeader = nanoTDF.header;
+      }
+      this.keyIterationCount += 1;
+      return nanoTDFBuffer;
+    }
+    this.keyIterationCount += 1;
+    if (!this.cachedHeader) {
+      throw new ConfigurationError('invalid dataset client: empty nanoTDF header');
+    }
+    if (!this.symmetricKey) {
+      throw new ConfigurationError('invalid dataset client: empty dek');
+    }
+    this.keyIterationCount += 1;
+    if (this.keyIterationCount == this.maxKeyIteration) {
+      // reset the key iteration
+      this.keyIterationCount = 0;
+    }
+    const ivVector = this.generateIV();
+    return encryptDataset(this.symmetricKey, this.cachedHeader, ivVector, data);
+  }
+  /**
+   * Decrypt ciphertext
+   *
+   * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+   *
+   * @param ciphertext Ciphertext to decrypt
+   */
+  async decrypt(ciphertext: string | TypedArray | ArrayBuffer): Promise<ArrayBuffer> {
+    // Parse ciphertext
+    const nanotdf = NanoTDF.from(ciphertext);
+    if (!this.cachedEphemeralKey) {
+      // First decrypt
+      return this.rewrapAndDecrypt(nanotdf);
+    }
+    // Other encrypts
+    if (this.cachedEphemeralKey.toString() == nanotdf.header.ephemeralPublicKey.toString()) {
+      const ukey = this.unwrappedKey;
+      if (!ukey) {
+        // These should have thrown already.
+        throw new Error('internal: key rewrap failure');
+      }
+      // Return decrypt promise
+      return decrypt(ukey, nanotdf);
+    } else {
+      return this.rewrapAndDecrypt(nanotdf);
+    }
+  }
+  async rewrapAndDecrypt(nanotdf: NanoTDF) {
+    // TODO: The version number should be fetched from the API
+    const version = '0.0.1';
+    // Rewrap key on every request
+    const ukey = await this.rewrapKey(
+      nanotdf.header.toBuffer(),
+      nanotdf.header.getKasRewrapUrl(),
+      nanotdf.header.magicNumberVersion,
+      version
+    );
+    if (!ukey) {
+      // These should have thrown already.
+      throw new Error('internal: key rewrap failure');
+    }
+    this.cachedEphemeralKey = nanotdf.header.ephemeralPublicKey;
+    this.unwrappedKey = ukey;
+    // Return decrypt promise
+    return decrypt(ukey, nanotdf);
+  }
+  generateIV(): Uint8Array {
+    const iv = this.iv;
+    if (iv === undefined) {
+      // iv has passed the maximum iteration count for this dek
+      throw new ConfigurationError('dataset full');
+    }
+    // assert iv ∈ ℤ ∩ (0, 2^24)
+    if (!Number.isInteger(iv) || iv <= 0 || 0xff_ffff < iv) {
+      // Something has fiddled with the iv outside of the expected behavior
+      // could indicate a race condition, e.g. if two workers or handlers are
+      // processing the file at once, for example.
+      throw new Error('internal: invalid state');
+    }
+    const lengthAsUint32 = new Uint32Array(1);
+    lengthAsUint32[0] = iv;
+    const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
+    // NOTE: We are only interested in only first 3 bytes.
+    const ivVector = new Uint8Array(Client.IV_SIZE).fill(0);
+    ivVector[9] = lengthAsUint24[2];
+    ivVector[10] = lengthAsUint24[1];
+    ivVector[11] = lengthAsUint24[0];
+    // Increment the IV
+    if (iv == 0xff_ffff) {
+      delete this.iv;
+    } else {
+      this.iv = iv + 1;
+    }
+    return ivVector;
+  }
+}

package/src/nanoindex.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export * as AuthProviders from './auth/providers.js';
+export { attributeFQNsAsValues } from './policy/api.js';
+export * from './nanoclients.js';
+export { version, clientType } from './version.js';

package/src/nanotdf/Client.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { type TypedArray } from '../tdf/index.js';
+import { type TypedArray } from '../tdf/TypedArray.js';
 import * as base64 from '../encodings/base64.js';
 import { generateKeyPair, keyAgreement } from '../nanotdf-crypto/index.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
@@ -128,8 +128,23 @@ export default class Client {
     ephemeralKeyPair?: CryptoKeyPair,
     dpopEnabled = false
   ) {
+    const enwrapAuthProvider = (a: AuthProvider): AuthProvider => {
+      return {
+        updateClientPublicKey: async (signingKey) => {
+          await a.updateClientPublicKey(signingKey);
+        },
+        withCreds: async (httpReq) => {
+          const signer = await this.requestSignerKeyPair;
+          if (!signer) {
+            throw new ConfigurationError('failed to find or generate signer session key');
+          }
+          await a.updateClientPublicKey(signer);
+          return a.withCreds(httpReq);
+        },
+      };
+    };
     if (isAuthProvider(optsOrOldAuthProvider)) {
-      this.authProvider = optsOrOldAuthProvider;
+      this.authProvider = enwrapAuthProvider(optsOrOldAuthProvider);
       if (!kasUrl) {
         throw new ConfigurationError('please specify kasEndpoint');
       }
@@ -155,7 +170,7 @@ export default class Client {
         ephemeralKeyPair,
         kasEndpoint,
       } = optsOrOldAuthProvider;
-      this.authProvider = authProvider;
+      this.authProvider = enwrapAuthProvider(authProvider);
       // TODO Disallow http KAS. For now just log as error
       validateSecureUrl(kasEndpoint);
       this.kasUrl = kasEndpoint;
@@ -185,26 +200,6 @@ export default class Client {
     this.dataAttributes.push(attribute);
   }
-  /**
-   * Explicitly get a new Entity Object using the supplied EntityAttributeService.
-   *
-   * This method is expected to be called at least once per encrypt/decrypt cycle. If the entityObject is expired then
-   * this will need to be called again.
-   *
-   * @security the ephemeralKeyPair must be set in the constructor if desired to use here. If this is wished to be changed
-   * then a new client should be initialized.
-   * @performance key pair is generated when the entity object is fetched IFF the ephemeralKeyPair is not set. This will
-   * either be set on the first call or passed in the constructor.
-   */
-  async fetchOIDCToken(): Promise<void> {
-    const signer = await this.requestSignerKeyPair;
-    if (!signer) {
-      throw new ConfigurationError('failed to find or generate signer session key');
-    }
-    await this.authProvider.updateClientPublicKey(signer);
-  }
   /**
    * Rewrap key
    *
@@ -224,8 +219,6 @@ export default class Client {
       throw new UnsafeUrlError(`request URL ∉ ${this.allowedKases.origins};`, kasRewrapUrl);
     }
-    // Ensure the ephemeral key pair has been set or generated (see createOidcServiceProvider)
-    await this.fetchOIDCToken();
     const ephemeralKeyPair = await this.ephemeralKeyPair;
     const requestSignerKeyPair = await this.requestSignerKeyPair;

package/src/nanotdf/NanoTDF.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { TypedArray } from '../tdf/index.js';
+import { TypedArray } from '../tdf/TypedArray.js';
 import { base64 } from '../encodings/index.js';
 import Header from './models/Header.js';
 import Payload from './models/Payload.js';

package/src/nanotdf/encrypt-dataset.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import Header from './models/Header.js';
 import DefaultParams from './models/DefaultParams.js';
 import Payload from './models/Payload.js';
 import { getBitLength as authTagLengthForCipher } from './models/Ciphers.js';
-import TypedArray from '../tdf/TypedArray.js';
+import { TypedArray } from '../tdf/TypedArray.js';
 import encrypt from '../nanotdf-crypto/encrypt.js';
 /**

package/src/nanotdf/encrypt.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import EmbeddedPolicy from './models/Policy/EmbeddedPolicy.js';
 import Payload from './models/Payload.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import { getBitLength as authTagLengthForCipher } from './models/Ciphers.js';
-import { TypedArray } from '../tdf/index.js';
+import { TypedArray } from '../tdf/TypedArray.js';
 import { GMAC_BINDING_LEN } from './constants.js';
 import { AlgorithmName, KeyFormat, KeyUsageType } from './../nanotdf-crypto/enums.js';

package/src/nanotdf/helpers/getHkdfSalt.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { TypedArray } from '../../tdf/index.js';
+import { TypedArray } from '../../tdf/TypedArray.js';
 import { digest, enums } from '../../nanotdf-crypto/index.js';

package/src/nanotdf-crypto/digest.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { TypedArray } from '../tdf/index.js';
+import { TypedArray } from '../tdf/TypedArray.js';
 export default function digest(
   hashType: AlgorithmIdentifier,

package/src/nanotdf-crypto/generateKeyPair.ts CHANGED Viewed

@@ -7,7 +7,7 @@ interface GenerateKeyPairOptions {
   isExtractable: boolean;
 }
-export default async function generateKeyPair(
+export async function generateKeyPair(
   { type: name, curve: namedCurve, keyUsages, isExtractable }: GenerateKeyPairOptions = {
     type: AlgorithmName.ECDH,
     curve: NamedCurve.P256,

package/src/nanotdf-crypto/generateRandomNumber.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * Generate a random number of given length
  */
-export default function generateRandomNumber(length: number): Uint8Array {
+export function generateRandomNumber(length: number): Uint8Array {
   const byteArray = new Uint8Array(length);
   crypto.getRandomValues(byteArray);
   return byteArray;

package/src/nanotdf-crypto/index.ts CHANGED Viewed

@@ -2,10 +2,9 @@ export { Ciphers } from './ciphers.js';
 export { default as decrypt } from './decrypt.js';
 export { default as digest } from './digest.js';
 export { default as encrypt } from './encrypt.js';
-export { default as generateKeyPair } from './generateKeyPair.js';
-export { default as importRawKey } from './importRawKey.js';
+export { generateKeyPair } from './generateKeyPair.js';
 export { keyAgreement } from './keyAgreement.js';
 export { default as exportCryptoKey } from './exportCryptoKey.js';
-export { default as generateRandomNumber } from './generateRandomNumber.js';
+export { generateRandomNumber } from './generateRandomNumber.js';
 export { pemPublicToCrypto, pemCertToCrypto } from './pemPublicToCrypto.js';
 export * as enums from './enums.js';

package/src/nanotdf-crypto/keyAgreement.ts CHANGED Viewed

@@ -27,6 +27,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
+import { keyAlgorithmToPublicKeyAlgorithm } from '../access.js';
 import { ConfigurationError } from '../errors.js';
 import { AlgorithmName, CipherType, HashType, KeyFormat, KeyType, KeyUsageType } from './enums.js';
@@ -69,19 +70,25 @@ export async function keyAgreement(
     isExtractable: true,
   }
 ): Promise<CryptoKey> {
-  if (
-    publicKey?.algorithm?.name !== AlgorithmName.ECDSA &&
-    publicKey?.algorithm?.name !== AlgorithmName.ECDH
-  ) {
-    throw new ConfigurationError('CryptoKey is expected to be of type ECDSA or ECDH');
+  for (const k of [privateKey, publicKey]) {
+    const mechanism = keyAlgorithmToPublicKeyAlgorithm(k.algorithm);
+    if (mechanism !== 'ec:secp256r1') {
+      throw new ConfigurationError(
+        `${k.type} CryptoKey is expected to be of type ECDSA or ECDH, not [${k.algorithm?.name}]`
+      );
+    }
   }
   if (privateKey.type !== KeyType.Private) {
-    throw new ConfigurationError('Expected input of privateKey to be a CryptoKey of type private');
+    throw new ConfigurationError(
+      `Expected input of privateKey to be a CryptoKey of type private, not [${privateKey.type}]`
+    );
   }
   if (publicKey.type !== KeyType.Public) {
-    throw new ConfigurationError('Expected input of publicKey to be a CryptoKey of type public');
+    throw new ConfigurationError(
+      `Expected input of publicKey to be a CryptoKey of type public, not [${publicKey.type}]`
+    );
   }
   const {