npm - @opentdf/sdk - Versions diffs - 0.1.0-beta.1718 → 0.2.0-beta.1941 - Mend

@opentdf/sdk 0.1.0-beta.1718 → 0.2.0-beta.1941

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (321) hide show

package/README.md +45 -38
package/dist/cjs/src/access.js +99 -62
package/dist/cjs/src/auth/auth.js +5 -26
package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +1 -1
package/dist/cjs/src/auth/oidc-externaljwt-provider.js +1 -1
package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +1 -1
package/dist/cjs/src/auth/oidc.js +1 -1
package/dist/cjs/src/auth/providers.js +1 -1
package/dist/cjs/src/concurrency.js +3 -4
package/dist/cjs/src/encodings/base64.js +4 -4
package/dist/cjs/src/encodings/hex.js +5 -6
package/dist/cjs/src/encodings/index.js +18 -8
package/dist/cjs/src/errors.js +1 -1
package/dist/cjs/src/index.js +28 -320
package/dist/cjs/src/nanoclients.js +285 -0
package/dist/cjs/src/nanoindex.js +47 -0
package/dist/cjs/src/nanotdf/Client.js +35 -30
package/dist/cjs/src/nanotdf/NanoTDF.js +1 -1
package/dist/cjs/src/nanotdf/decrypt.js +2 -2
package/dist/cjs/src/nanotdf/encrypt-dataset.js +2 -2
package/dist/cjs/src/nanotdf/encrypt.js +2 -2
package/dist/cjs/src/nanotdf/helpers/calculateByCurve.js +3 -4
package/dist/cjs/src/nanotdf/helpers/getHkdfSalt.js +2 -2
package/dist/cjs/src/nanotdf/models/Ciphers.js +3 -3
package/dist/cjs/src/nanotdf/models/EcCurves.js +3 -3
package/dist/cjs/src/nanotdf/models/Header.js +1 -1
package/dist/cjs/src/nanotdf/models/Payload.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/AbstractPolicy.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/EmbeddedPolicy.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/PolicyFactory.js +1 -1
package/dist/cjs/src/nanotdf/models/ResourceLocator.js +1 -1
package/dist/cjs/src/nanotdf/models/Signature.js +1 -1
package/dist/cjs/src/nanotdf-crypto/ciphers.js +1 -1
package/dist/cjs/src/nanotdf-crypto/decrypt.js +2 -2
package/dist/cjs/src/nanotdf-crypto/digest.js +2 -2
package/dist/cjs/src/nanotdf-crypto/ecdsaSignature.js +4 -5
package/dist/cjs/src/nanotdf-crypto/encrypt.js +2 -2
package/dist/cjs/src/nanotdf-crypto/exportCryptoKey.js +2 -2
package/dist/cjs/src/nanotdf-crypto/generateKeyPair.js +2 -2
package/dist/cjs/src/nanotdf-crypto/generateRandomNumber.js +2 -2
package/dist/cjs/src/nanotdf-crypto/index.js +21 -13
package/dist/cjs/src/nanotdf-crypto/keyAgreement.js +10 -8
package/dist/cjs/src/nanotdf-crypto/pemPublicToCrypto.js +20 -11
package/dist/cjs/src/opentdf.js +243 -0
package/dist/cjs/src/policy/api.js +2 -3
package/dist/cjs/src/policy/granter.js +3 -4
package/dist/cjs/src/seekable.js +157 -0
package/dist/cjs/src/tdf/AttributeObject.js +2 -4
package/dist/cjs/src/tdf/Policy.js +3 -3
package/dist/cjs/src/utils.js +13 -21
package/dist/cjs/src/version.js +7 -3
package/dist/cjs/tdf3/index.js +27 -16
package/dist/cjs/tdf3/src/assertions.js +25 -11
package/dist/cjs/tdf3/src/binary.js +1 -1
package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +1 -1
package/dist/cjs/tdf3/src/client/DecoratedReadableStream.js +7 -74
package/dist/cjs/tdf3/src/client/builders.js +26 -22
package/dist/cjs/tdf3/src/client/index.js +91 -117
package/dist/cjs/tdf3/src/client/validation.js +3 -3
package/dist/cjs/tdf3/src/crypto/crypto-utils.js +1 -1
package/dist/cjs/tdf3/src/crypto/index.js +18 -18
package/dist/cjs/tdf3/src/index.js +22 -11
package/dist/cjs/tdf3/src/models/attribute-set.js +1 -1
package/dist/cjs/tdf3/src/models/encryption-information.js +3 -3
package/dist/cjs/tdf3/src/models/index.js +1 -2
package/dist/cjs/tdf3/src/models/key-access.js +67 -35
package/dist/cjs/tdf3/src/models/policy.js +3 -3
package/dist/cjs/tdf3/src/tdf.js +180 -395
package/dist/cjs/tdf3/src/utils/buffer-crc32.js +2 -3
package/dist/cjs/tdf3/src/utils/index.js +48 -38
package/dist/cjs/tdf3/src/utils/keysplit.js +4 -5
package/dist/cjs/tdf3/src/utils/unwrap.js +21 -0
package/dist/cjs/tdf3/src/utils/zip-reader.js +4 -4
package/dist/cjs/tdf3/src/utils/zip-writer.js +4 -4
package/dist/types/src/access.d.ts +10 -4
package/dist/types/src/access.d.ts.map +1 -1
package/dist/types/src/auth/auth.d.ts +1 -28
package/dist/types/src/auth/auth.d.ts.map +1 -1
package/dist/types/src/auth/providers.d.ts.map +1 -1
package/dist/types/src/index.d.ts +5 -136
package/dist/types/src/index.d.ts.map +1 -1
package/dist/types/src/nanoclients.d.ts +107 -0
package/dist/types/src/nanoclients.d.ts.map +1 -0
package/dist/types/src/nanoindex.d.ts +5 -0
package/dist/types/src/nanoindex.d.ts.map +1 -0
package/dist/types/src/nanotdf/Client.d.ts +1 -13
package/dist/types/src/nanotdf/Client.d.ts.map +1 -1
package/dist/types/src/nanotdf/NanoTDF.d.ts +1 -1
package/dist/types/src/nanotdf/NanoTDF.d.ts.map +1 -1
package/dist/types/src/nanotdf/encrypt-dataset.d.ts +1 -1
package/dist/types/src/nanotdf/encrypt-dataset.d.ts.map +1 -1
package/dist/types/src/nanotdf/encrypt.d.ts +1 -1
package/dist/types/src/nanotdf/encrypt.d.ts.map +1 -1
package/dist/types/src/nanotdf/enum/CipherEnum.d.ts +1 -1
package/dist/types/src/nanotdf/enum/CipherEnum.d.ts.map +1 -1
package/dist/types/src/nanotdf/enum/PolicyTypeEnum.d.ts +1 -1
package/dist/types/src/nanotdf/enum/PolicyTypeEnum.d.ts.map +1 -1
package/dist/types/src/nanotdf/helpers/getHkdfSalt.d.ts +1 -1
package/dist/types/src/nanotdf/helpers/getHkdfSalt.d.ts.map +1 -1
package/dist/types/src/nanotdf/models/DefaultParams.d.ts +1 -1
package/dist/types/src/nanotdf/models/ResourceLocator.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/digest.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/digest.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/generateKeyPair.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/generateKeyPair.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/generateRandomNumber.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/generateRandomNumber.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/index.d.ts +2 -3
package/dist/types/src/nanotdf-crypto/index.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/keyAgreement.d.ts.map +1 -1
package/dist/types/src/opentdf.d.ts +106 -0
package/dist/types/src/opentdf.d.ts.map +1 -0
package/dist/types/src/seekable.d.ts +39 -0
package/dist/types/src/seekable.d.ts.map +1 -0
package/dist/types/src/tdf/AttributeObject.d.ts +0 -2
package/dist/types/src/tdf/AttributeObject.d.ts.map +1 -1
package/dist/types/src/tdf/NanoTDF/NanoTDF.d.ts +2 -2
package/dist/types/src/tdf/NanoTDF/NanoTDF.d.ts.map +1 -1
package/dist/types/src/tdf/Policy.d.ts +1 -1
package/dist/types/src/tdf/Policy.d.ts.map +1 -1
package/dist/types/src/tdf/PolicyObject.d.ts +1 -2
package/dist/types/src/tdf/PolicyObject.d.ts.map +1 -1
package/dist/types/src/tdf/TypedArray.d.ts +1 -2
package/dist/types/src/tdf/TypedArray.d.ts.map +1 -1
package/dist/types/src/utils.d.ts +1 -3
package/dist/types/src/utils.d.ts.map +1 -1
package/dist/types/src/version.d.ts +5 -1
package/dist/types/src/version.d.ts.map +1 -1
package/dist/types/tdf3/index.d.ts +5 -4
package/dist/types/tdf3/index.d.ts.map +1 -1
package/dist/types/tdf3/src/assertions.d.ts +3 -3
package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts +2 -15
package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts.map +1 -1
package/dist/types/tdf3/src/client/builders.d.ts +43 -42
package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
package/dist/types/tdf3/src/client/index.d.ts +12 -17
package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
package/dist/types/tdf3/src/client/validation.d.ts +3 -3
package/dist/types/tdf3/src/client/validation.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
package/dist/types/tdf3/src/index.d.ts +1 -1
package/dist/types/tdf3/src/index.d.ts.map +1 -1
package/dist/types/tdf3/src/models/index.d.ts +0 -1
package/dist/types/tdf3/src/models/index.d.ts.map +1 -1
package/dist/types/tdf3/src/models/key-access.d.ts +63 -15
package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
package/dist/types/tdf3/src/models/manifest.d.ts +2 -0
package/dist/types/tdf3/src/models/manifest.d.ts.map +1 -1
package/dist/types/tdf3/src/models/policy.d.ts +0 -1
package/dist/types/tdf3/src/models/policy.d.ts.map +1 -1
package/dist/types/tdf3/src/tdf.d.ts +24 -37
package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/index.d.ts +0 -4
package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/unwrap.d.ts +2 -0
package/dist/types/tdf3/src/utils/unwrap.d.ts.map +1 -0
package/dist/types/tdf3/src/utils/zip-reader.d.ts +1 -1
package/dist/types/tdf3/src/utils/zip-reader.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/zip-writer.d.ts +2 -2
package/dist/web/src/access.js +93 -58
package/dist/web/src/auth/auth.js +1 -21
package/dist/web/src/auth/oidc-clientcredentials-provider.js +1 -1
package/dist/web/src/auth/oidc-externaljwt-provider.js +1 -1
package/dist/web/src/auth/oidc-refreshtoken-provider.js +1 -1
package/dist/web/src/auth/oidc.js +1 -1
package/dist/web/src/auth/providers.js +1 -1
package/dist/web/src/concurrency.js +1 -1
package/dist/web/src/encodings/base64.js +1 -1
package/dist/web/src/encodings/hex.js +1 -1
package/dist/web/src/errors.js +1 -1
package/dist/web/src/index.js +6 -312
package/dist/web/src/nanoclients.js +280 -0
package/dist/web/src/nanoindex.js +5 -0
package/dist/web/src/nanotdf/Client.js +18 -23
package/dist/web/src/nanotdf/NanoTDF.js +1 -1
package/dist/web/src/nanotdf/encrypt-dataset.js +1 -1
package/dist/web/src/nanotdf/encrypt.js +1 -1
package/dist/web/src/nanotdf/models/Ciphers.js +1 -1
package/dist/web/src/nanotdf/models/EcCurves.js +1 -1
package/dist/web/src/nanotdf/models/Header.js +1 -1
package/dist/web/src/nanotdf/models/Payload.js +1 -1
package/dist/web/src/nanotdf/models/Policy/AbstractPolicy.js +1 -1
package/dist/web/src/nanotdf/models/Policy/EmbeddedPolicy.js +1 -1
package/dist/web/src/nanotdf/models/Policy/PolicyFactory.js +1 -1
package/dist/web/src/nanotdf/models/ResourceLocator.js +1 -1
package/dist/web/src/nanotdf/models/Signature.js +1 -1
package/dist/web/src/nanotdf-crypto/ciphers.js +1 -1
package/dist/web/src/nanotdf-crypto/ecdsaSignature.js +1 -1
package/dist/web/src/nanotdf-crypto/generateKeyPair.js +2 -2
package/dist/web/src/nanotdf-crypto/generateRandomNumber.js +2 -2
package/dist/web/src/nanotdf-crypto/index.js +3 -4
package/dist/web/src/nanotdf-crypto/keyAgreement.js +9 -6
package/dist/web/src/nanotdf-crypto/pemPublicToCrypto.js +1 -1
package/dist/web/src/opentdf.js +234 -0
package/dist/web/src/policy/api.js +1 -1
package/dist/web/src/policy/granter.js +1 -1
package/dist/web/src/seekable.js +148 -0
package/dist/web/src/tdf/AttributeObject.js +1 -2
package/dist/web/src/tdf/Policy.js +2 -4
package/dist/web/src/utils.js +3 -10
package/dist/web/src/version.js +6 -2
package/dist/web/tdf3/index.js +5 -4
package/dist/web/tdf3/src/assertions.js +21 -6
package/dist/web/tdf3/src/binary.js +1 -1
package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +1 -1
package/dist/web/tdf3/src/client/DecoratedReadableStream.js +4 -68
package/dist/web/tdf3/src/client/builders.js +26 -22
package/dist/web/tdf3/src/client/index.js +74 -105
package/dist/web/tdf3/src/client/validation.js +1 -1
package/dist/web/tdf3/src/crypto/crypto-utils.js +1 -1
package/dist/web/tdf3/src/crypto/index.js +1 -1
package/dist/web/tdf3/src/index.js +2 -2
package/dist/web/tdf3/src/models/attribute-set.js +1 -1
package/dist/web/tdf3/src/models/encryption-information.js +3 -3
package/dist/web/tdf3/src/models/index.js +1 -2
package/dist/web/tdf3/src/models/key-access.js +47 -24
package/dist/web/tdf3/src/models/policy.js +1 -1
package/dist/web/tdf3/src/tdf.js +153 -371
package/dist/web/tdf3/src/utils/buffer-crc32.js +1 -1
package/dist/web/tdf3/src/utils/index.js +19 -14
package/dist/web/tdf3/src/utils/keysplit.js +1 -1
package/dist/web/tdf3/src/utils/unwrap.js +18 -0
package/dist/web/tdf3/src/utils/zip-reader.js +1 -1
package/dist/web/tdf3/src/utils/zip-writer.js +1 -1
package/package.json +45 -45
package/src/access.ts +111 -54
package/src/auth/auth.ts +1 -31
package/src/index.ts +5 -440
package/src/nanoclients.ts +405 -0
package/src/nanoindex.ts +4 -0
package/src/nanotdf/Client.ts +18 -25
package/src/nanotdf/NanoTDF.ts +1 -1
package/src/nanotdf/encrypt-dataset.ts +1 -1
package/src/nanotdf/encrypt.ts +1 -1
package/src/nanotdf/helpers/getHkdfSalt.ts +1 -1
package/src/nanotdf-crypto/digest.ts +1 -1
package/src/nanotdf-crypto/generateKeyPair.ts +1 -1
package/src/nanotdf-crypto/generateRandomNumber.ts +1 -1
package/src/nanotdf-crypto/index.ts +2 -3
package/src/nanotdf-crypto/keyAgreement.ts +14 -7
package/src/opentdf.ts +441 -0
package/src/seekable.ts +180 -0
package/src/tdf/AttributeObject.ts +0 -3
package/src/tdf/Policy.ts +1 -2
package/src/tdf/PolicyObject.ts +1 -2
package/src/tdf/TypedArray.ts +1 -3
package/src/utils.ts +3 -11
package/src/version.ts +6 -1
package/tdf3/index.ts +15 -10
package/tdf3/src/assertions.ts +33 -8
package/tdf3/src/client/DecoratedReadableStream.ts +3 -80
package/tdf3/src/client/builders.ts +44 -28
package/tdf3/src/client/index.ts +109 -165
package/tdf3/src/index.ts +1 -1
package/tdf3/src/models/encryption-information.ts +2 -2
package/tdf3/src/models/index.ts +0 -1
package/tdf3/src/models/key-access.ts +120 -38
package/tdf3/src/models/manifest.ts +3 -0
package/tdf3/src/models/policy.ts +0 -1
package/tdf3/src/tdf.ts +266 -522
package/tdf3/src/utils/index.ts +19 -18
package/tdf3/src/utils/unwrap.ts +17 -0
package/tdf3/src/utils/zip-reader.ts +1 -1
package/dist/cjs/src/auth/Eas.js +0 -60
package/dist/cjs/src/nanotdf-crypto/importRawKey.js +0 -18
package/dist/cjs/src/tdf/Crypto.js +0 -47
package/dist/cjs/src/tdf/EntityObject.js +0 -3
package/dist/cjs/src/tdf/index.js +0 -35
package/dist/cjs/tdf3/src/models/upsert-response.js +0 -3
package/dist/cjs/tdf3/src/templates/default.html.js +0 -98
package/dist/cjs/tdf3/src/templates/escaper.js +0 -15
package/dist/cjs/tdf3/src/templates/index.js +0 -12
package/dist/cjs/tdf3/src/utils/chunkers.js +0 -106
package/dist/cjs/tdf3/src/version.js +0 -6
package/dist/types/src/auth/Eas.d.ts +0 -34
package/dist/types/src/auth/Eas.d.ts.map +0 -1
package/dist/types/src/nanotdf-crypto/importRawKey.d.ts +0 -13
package/dist/types/src/nanotdf-crypto/importRawKey.d.ts.map +0 -1
package/dist/types/src/tdf/Crypto.d.ts +0 -37
package/dist/types/src/tdf/Crypto.d.ts.map +0 -1
package/dist/types/src/tdf/EntityObject.d.ts +0 -18
package/dist/types/src/tdf/EntityObject.d.ts.map +0 -1
package/dist/types/src/tdf/index.d.ts +0 -7
package/dist/types/src/tdf/index.d.ts.map +0 -1
package/dist/types/tdf3/src/models/upsert-response.d.ts +0 -16
package/dist/types/tdf3/src/models/upsert-response.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/default.html.d.ts +0 -8
package/dist/types/tdf3/src/templates/default.html.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/escaper.d.ts +0 -6
package/dist/types/tdf3/src/templates/escaper.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/index.d.ts +0 -3
package/dist/types/tdf3/src/templates/index.d.ts.map +0 -1
package/dist/types/tdf3/src/utils/chunkers.d.ts +0 -29
package/dist/types/tdf3/src/utils/chunkers.d.ts.map +0 -1
package/dist/types/tdf3/src/version.d.ts +0 -3
package/dist/types/tdf3/src/version.d.ts.map +0 -1
package/dist/web/src/auth/Eas.js +0 -55
package/dist/web/src/nanotdf-crypto/importRawKey.js +0 -15
package/dist/web/src/tdf/Crypto.js +0 -44
package/dist/web/src/tdf/EntityObject.js +0 -2
package/dist/web/src/tdf/index.js +0 -4
package/dist/web/tdf3/src/models/upsert-response.js +0 -2
package/dist/web/tdf3/src/templates/default.html.js +0 -96
package/dist/web/tdf3/src/templates/escaper.js +0 -10
package/dist/web/tdf3/src/templates/index.js +0 -3
package/dist/web/tdf3/src/utils/chunkers.js +0 -96
package/dist/web/tdf3/src/version.js +0 -3
package/src/auth/Eas.ts +0 -79
package/src/nanotdf-crypto/importRawKey.ts +0 -19
package/src/tdf/Crypto.ts +0 -42
package/src/tdf/EntityObject.ts +0 -18
package/src/tdf/index.ts +0 -6
package/tdf3/src/models/upsert-response.ts +0 -17
package/tdf3/src/templates/default.html.ts +0 -105
package/tdf3/src/templates/escaper.ts +0 -10
package/tdf3/src/templates/index.ts +0 -2
package/tdf3/src/utils/chunkers.ts +0 -118
package/tdf3/src/version.ts +0 -2

package/src/opentdf.ts ADDED Viewed

@@ -0,0 +1,441 @@
+import { type AuthProvider } from './auth/providers.js';
+import { ConfigurationError, InvalidFileError } from './errors.js';
+import { NanoTDFDatasetClient } from './nanoclients.js';
+export { Client as TDF3Client } from '../tdf3/src/client/index.js';
+import NanoTDF from './nanotdf/NanoTDF.js';
+import decryptNanoTDF from './nanotdf/decrypt.js';
+import Client from './nanotdf/Client.js';
+import Header from './nanotdf/models/Header.js';
+import { fromSource, sourceToStream, type Source } from './seekable.js';
+import { Client as TDF3Client } from '../tdf3/src/client/index.js';
+import { AssertionConfig, AssertionVerificationKeys } from '../tdf3/src/assertions.js';
+import { type KasPublicKeyAlgorithm, OriginAllowList, isPublicKeyAlgorithm } from './access.js';
+import { type Manifest } from '../tdf3/src/models/manifest.js';
+export { type KasPublicKeyAlgorithm, isPublicKeyAlgorithm };
+export type Keys = {
+  [keyID: string]: CryptoKey | CryptoKeyPair;
+};
+// Options when creating a new TDF object
+// that are shared between all container types.
+export type CreateOptions = {
+  // If the policy service should be used to control creation options
+  autoconfigure?: boolean;
+  // List of attributes that will be assigned to the object's policy
+  attributes?: string[];
+  // If set and positive, this represents the maxiumum number of bytes to read from a stream to encrypt.
+  // This is helpful for enforcing size limits and preventing DoS attacks.
+  byteLimit?: number;
+  // The KAS to use for creation, if none is specified by the attribute service.
+  defaultKASEndpoint?: string;
+  // Private (or shared) keys for signing assertions and bindings
+  signers?: Keys;
+  // Source of plaintext data
+  source: Source;
+};
+export type CreateNanoTDFOptions = CreateOptions & {
+  bindingType?: 'ecdsa' | 'gmac';
+  // When creating a new collection, use ECDSA binding with this key id from the signers,
+  // instead of the DEK.
+  ecdsaBindingKeyID?: string;
+  // When creating a new collection,
+  // use the key in the `signers` list with this id
+  // to generate a signature for each element.
+  // When absent, the nanotdf is unsigned.
+  signingKeyID?: string;
+};
+export type CreateNanoTDFCollectionOptions = CreateNanoTDFOptions & {
+  // The maximum number of key iterations to use for a single DEK.
+  maxKeyIterations?: number;
+};
+// Metadata for a TDF object.
+export type Metadata = object;
+// MIME type of the decrypted content.
+export type MimeType = `${string}/${string}`;
+// Template for a Key Access Object (KAO) to be filled in during encrypt.
+export type SplitStep = {
+  // Which KAS to use to rewrap this segment of the key
+  kas: string;
+  // An identifier for a key segment.
+  // Leave empty to share the key.
+  sid?: string;
+};
+/// Options specific to the ZTDF container format.
+export type CreateZTDFOptions = CreateOptions & {
+  // Configuration for bound metadata.
+  assertionConfigs?: AssertionConfig[];
+  // Unbound metadata (deprecated)
+  metadata?: Metadata;
+  // MIME type of the decrypted content. Used for display.
+  mimeType?: MimeType;
+  // How to split or share the data encryption key across multiple KASes.
+  splitPlan?: SplitStep[];
+  // The segment size for the content; smaller is slower, but allows faster random access.
+  // The current default is 1 MiB (2^20 bytes).
+  windowSize?: number;
+  // Preferred algorithm to use for Key Access Objects.
+  wrappingKeyAlgorithm?: KasPublicKeyAlgorithm;
+};
+// Settings for decrypting any variety of TDF file.
+export type ReadOptions = {
+  // ciphertext
+  source: Source;
+  // list of KASes that may be contacted for a rewrap
+  allowedKASEndpoints?: string[];
+  // Optionally disable checking the allowlist
+  ignoreAllowlist?: boolean;
+  // Public (or shared) keys for verifying assertions
+  assertionVerificationKeys?: AssertionVerificationKeys;
+  // Optionally disable assertion verification
+  noVerify?: boolean;
+  // If set, prevents more than this number of concurrent requests to the KAS.
+  concurrencyLimit?: number;
+  // Type of key to use for wrapping responses.
+  wrappingKeyAlgorithm?: KasPublicKeyAlgorithm;
+};
+// Defaults and shared settings that are relevant to creating TDF objects.
+export type OpenTDFOptions = {
+  // Policy service endpoint
+  policyEndpoint?: string;
+  // Auth provider for connections to the policy service and KASes.
+  authProvider: AuthProvider;
+  // Default settings for 'encrypt' type requests.
+  defaultCreateOptions?: Omit<CreateOptions, 'source'>;
+  // Default settings for 'decrypt' type requests.
+  defaultReadOptions?: Omit<ReadOptions, 'source'>;
+  // If we want to *not* send a DPoP token
+  disableDPoP?: boolean;
+  // Optional keys for DPoP requests to a server.
+  // These often must be registered via a DPoP flow with the IdP
+  // which is out of the scope of this library.
+  dpopKeys?: Promise<CryptoKeyPair>;
+  // Configuration options for the collection header cache.
+  rewrapCacheOptions?: RewrapCacheOptions;
+};
+export type DecoratedStream = ReadableStream<Uint8Array> & {
+  // If the source is a TDF3/ZTDF, and includes metadata, and it has been read.
+  metadata?: Promise<unknown>;
+  manifest?: Promise<Manifest>;
+  // If the source is a NanoTDF, this will be set.
+  header?: Header;
+};
+// Configuration options for the collection header cache.
+export type RewrapCacheOptions = {
+  // If we should disable (bypass) the cache.
+  bypass?: boolean;
+  // Evict keys after this many milliseconds.
+  maxAge?: number;
+  // Check for expired keys once every this many milliseconds.
+  pollInterval?: number;
+};
+const defaultRewrapCacheOptions: Required<RewrapCacheOptions> = {
+  bypass: false,
+  maxAge: 300000,
+  pollInterval: 500,
+};
+// Cache for headers of nanotdf collections.
+// This allows the SDK to quickly open multiple entries of the same collection.
+// It has a demon that removes all keys that have not been accessed in the last 5 minutes.
+// To cancel the demon, and clear the cache, call `close()`.
+export class RewrapCache {
+  private cache?: Map<Uint8Array, { lastAccessTime: number; value: CryptoKey }>;
+  private closer?: ReturnType<typeof setInterval>;
+  constructor(opts?: RewrapCacheOptions) {
+    const { bypass, maxAge, pollInterval } = { ...defaultRewrapCacheOptions, ...opts };
+    if (bypass) {
+      return;
+    }
+    this.cache = new Map();
+    this.closer = setInterval(() => {
+      const now = Date.now();
+      const c = this.cache;
+      if (!c) {
+        return;
+      }
+      for (const [key, value] of c.entries()) {
+        if (now - value.lastAccessTime > maxAge) {
+          c.delete(key);
+        }
+      }
+    }, pollInterval);
+  }
+  get(key: Uint8Array): CryptoKey | undefined {
+    if (!this.cache) {
+      return undefined;
+    }
+    const entry = this.cache.get(key);
+    if (entry) {
+      entry.lastAccessTime = Date.now();
+      return entry.value;
+    }
+    return undefined;
+  }
+  set(key: Uint8Array, value: CryptoKey) {
+    if (!this.cache) {
+      return;
+    }
+    this.cache.set(key, { lastAccessTime: Date.now(), value });
+  }
+  close() {
+    if (this.closer !== undefined) {
+      clearInterval(this.closer);
+      delete this.closer;
+      delete this.cache;
+    }
+  }
+}
+// SDK for dealing with OpenTDF data and policy services.
+export class OpenTDF {
+  // Configuration service and more is at this URL/connectRPC endpoint
+  readonly policyEndpoint: string;
+  readonly authProvider: AuthProvider;
+  readonly dpopEnabled: boolean;
+  defaultCreateOptions: Omit<CreateOptions, 'source'>;
+  defaultReadOptions: Omit<ReadOptions, 'source'>;
+  readonly dpopKeys: Promise<CryptoKeyPair>;
+  // Header cache for reading nanotdf collections
+  private readonly rewrapCache: RewrapCache;
+  private tdf3Client: TDF3Client;
+  constructor({
+    authProvider,
+    dpopKeys,
+    defaultCreateOptions,
+    defaultReadOptions,
+    disableDPoP,
+    policyEndpoint,
+    rewrapCacheOptions,
+  }: OpenTDFOptions) {
+    this.authProvider = authProvider;
+    this.defaultCreateOptions = defaultCreateOptions || {};
+    this.defaultReadOptions = defaultReadOptions || {};
+    this.dpopEnabled = !!disableDPoP;
+    this.policyEndpoint = policyEndpoint || '';
+    this.rewrapCache = new RewrapCache(rewrapCacheOptions);
+    this.tdf3Client = new TDF3Client({
+      authProvider,
+      dpopKeys,
+      kasEndpoint: 'https://disallow.all.invalid',
+      policyEndpoint,
+    });
+    this.dpopKeys =
+      dpopKeys ??
+      crypto.subtle.generateKey(
+        {
+          name: 'RSASSA-PKCS1-v1_5',
+          hash: 'SHA-256',
+          modulusLength: 2048,
+          publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+        },
+        true,
+        ['sign', 'verify']
+      );
+  }
+  async createNanoTDF(opts: CreateNanoTDFOptions): Promise<DecoratedStream> {
+    opts = { ...this.defaultCreateOptions, ...opts };
+    const collection = await this.createNanoTDFCollection(opts);
+    try {
+      return await collection.encrypt(opts.source);
+    } finally {
+      await collection.close();
+    }
+  }
+  /**
+   * Creates a new collection object, which can be used to encrypt a series of data with the same policy.
+   * @returns
+   */
+  async createNanoTDFCollection(opts: CreateNanoTDFCollectionOptions): Promise<NanoTDFCollection> {
+    opts = { ...this.defaultCreateOptions, ...opts };
+    return new Collection(this.authProvider, opts);
+  }
+  async createZTDF(opts: CreateZTDFOptions): Promise<DecoratedStream> {
+    opts = { ...this.defaultCreateOptions, ...opts };
+    const oldStream = await this.tdf3Client.encrypt({
+      source: await sourceToStream(opts.source),
+      assertionConfigs: opts.assertionConfigs,
+      autoconfigure: !!opts.autoconfigure,
+      defaultKASEndpoint: opts.defaultKASEndpoint,
+      byteLimit: opts.byteLimit,
+      mimeType: opts.mimeType,
+      scope: {
+        attributes: opts.attributes,
+      },
+      splitPlan: opts.splitPlan,
+      windowSize: opts.windowSize,
+      wrappingKeyAlgorithm: opts.wrappingKeyAlgorithm,
+    });
+    const stream: DecoratedStream = oldStream.stream;
+    stream.manifest = Promise.resolve(oldStream.manifest);
+    stream.metadata = Promise.resolve(oldStream.metadata);
+    return stream;
+  }
+  /**
+   * Decrypts a nanotdf object. Optionally, stores the collection header and its DEK.
+   * @param ciphertext
+   */
+  async read(opts: ReadOptions): Promise<DecoratedStream> {
+    opts = { ...this.defaultReadOptions, ...opts };
+    const chunker = await fromSource(opts.source);
+    const prefix = await chunker(0, 3);
+    // switch for prefix, if starts with `PK` in ascii, or `L1L` in ascii:
+    if (prefix[0] === 0x50 && prefix[1] === 0x4b) {
+      const allowList = new OriginAllowList(opts.allowedKASEndpoints ?? [], opts.ignoreAllowlist);
+      const oldStream = await this.tdf3Client.decrypt({
+        source: opts.source,
+        allowList,
+        assertionVerificationKeys: opts.assertionVerificationKeys,
+        noVerifyAssertions: opts.noVerify,
+        wrappingKeyAlgorithm: opts.wrappingKeyAlgorithm,
+      });
+      const stream: DecoratedStream = oldStream.stream;
+      stream.metadata = Promise.resolve(oldStream.metadata);
+      return stream;
+    } else if (prefix[0] === 0x4c && prefix[1] === 0x31 && prefix[2] === 0x4c) {
+      const ciphertext = await chunker();
+      const nanotdf = NanoTDF.from(ciphertext);
+      const cachedDEK = this.rewrapCache.get(nanotdf.header.ephemeralPublicKey);
+      if (cachedDEK) {
+        const r: DecoratedStream = await streamify(decryptNanoTDF(cachedDEK, nanotdf));
+        r.header = nanotdf.header;
+        return r;
+      }
+      const nc = new Client({
+        allowedKases: opts.allowedKASEndpoints,
+        authProvider: this.authProvider,
+        ignoreAllowList: opts.ignoreAllowlist,
+        dpopEnabled: this.dpopEnabled,
+        dpopKeys: this.dpopKeys,
+        kasEndpoint: opts.allowedKASEndpoints?.[0] || 'https://disallow.all.invalid',
+      });
+      // TODO: The version number should be fetched from the API
+      const version = '0.0.1';
+      // Rewrap key on every request
+      const dek = await nc.rewrapKey(
+        nanotdf.header.toBuffer(),
+        nanotdf.header.getKasRewrapUrl(),
+        nanotdf.header.magicNumberVersion,
+        version
+      );
+      if (!dek) {
+        // These should have thrown already.
+        throw new Error('internal: key rewrap failure');
+      }
+      this.rewrapCache.set(nanotdf.header.ephemeralPublicKey, dek);
+      const r: DecoratedStream = await streamify(decryptNanoTDF(dek, nanotdf));
+      r.header = nanotdf.header;
+      return r;
+    }
+    throw new InvalidFileError(`unsupported format; prefix not recognized ${prefix}`);
+  }
+  close() {
+    this.rewrapCache.close();
+  }
+}
+async function streamify(ab: Promise<ArrayBuffer>): Promise<ReadableStream<Uint8Array>> {
+  const stream = new ReadableStream<Uint8Array>({
+    start(controller) {
+      ab.then((arrayBuffer) => {
+        controller.enqueue(new Uint8Array(arrayBuffer));
+        controller.close();
+      });
+    },
+  });
+  return stream;
+}
+export type NanoTDFCollection = {
+  encrypt: (source: Source) => Promise<ReadableStream<Uint8Array>>;
+  close: () => Promise<void>;
+};
+class Collection {
+  client?: NanoTDFDatasetClient;
+  constructor(authProvider: AuthProvider, opts: CreateNanoTDFCollectionOptions) {
+    if (opts.signers || opts.signingKeyID) {
+      throw new ConfigurationError('ntdf signing not implemented');
+    }
+    if (opts.autoconfigure) {
+      throw new ConfigurationError('autoconfigure not implemented');
+    }
+    if (opts.ecdsaBindingKeyID) {
+      throw new ConfigurationError('custom binding key not implemented');
+    }
+    this.client = new NanoTDFDatasetClient({
+      authProvider,
+      kasEndpoint: opts.defaultKASEndpoint ?? 'https://disallow.all.invalid',
+      maxKeyIterations: opts.maxKeyIterations,
+    });
+  }
+  async encrypt(source: Source): Promise<DecoratedStream> {
+    if (!this.client) {
+      throw new ConfigurationError('Collection is closed');
+    }
+    const chunker = await fromSource(source);
+    const cipherChunk = await this.client.encrypt(await chunker());
+    const stream: DecoratedStream = new ReadableStream<Uint8Array>({
+      start(controller) {
+        controller.enqueue(new Uint8Array(cipherChunk));
+        controller.close();
+      },
+    });
+    // TODO: client's header object is private
+    // stream.header = this.client.header;
+    return stream;
+  }
+  async close() {
+    delete this.client;
+  }
+}

package/src/seekable.ts ADDED Viewed

@@ -0,0 +1,180 @@
+import { ConfigurationError, InvalidFileError, NetworkError } from './errors.js';
+/**
+ * Read data from a seekable stream.
+ * This is an abstraction for URLs with range queries and local file objects.
+ * @param byteStart First byte to read. If negative, reads from the end. If absent, reads everything
+ * @param byteEnd Index after last byte to read (exclusive)
+ */
+export type Chunker = (byteStart?: number, byteEnd?: number) => Promise<Uint8Array>;
+/**
+ * Type union for a variety of inputs.
+ */
+export type Source =
+  | { type: 'buffer'; location: Uint8Array }
+  | { type: 'chunker'; location: Chunker }
+  | { type: 'file-browser'; location: Blob }
+  | { type: 'remote'; location: string }
+  | { type: 'stream'; location: ReadableStream<Uint8Array> };
+/**
+ * Creates a seekable object from a browser file object.
+ * @param fileRef the browser file data
+ */
+export const fromBrowserFile = (fileRef: Blob): Chunker => {
+  return async (byteStart?: number, byteEnd?: number): Promise<Uint8Array> => {
+    if (byteStart === undefined) {
+      return new Uint8Array(await fileRef.arrayBuffer());
+    }
+    const chunkBlob = fileRef.slice(byteStart, byteEnd);
+    const arrayBuffer = await new Response(chunkBlob).arrayBuffer();
+    return new Uint8Array(arrayBuffer);
+  };
+};
+export const fromBuffer = (source: Uint8Array): Chunker => {
+  return (byteStart?: number, byteEnd?: number) => {
+    return Promise.resolve(source.slice(byteStart, byteEnd));
+  };
+};
+export const fromString = (source: string): Chunker => {
+  return fromBuffer(new TextEncoder().encode(source));
+};
+async function sleep(ms: number) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function getRemoteChunk(url: string, range?: string): Promise<Uint8Array> {
+  // loop with fetch for three times, with an exponential backoff
+  // if the fetch fails with a network error
+  // this is to handle transient network errors
+  const errors: Error[] = [];
+  for (let i = 0; i < 3; i++) {
+    let res: Response;
+    try {
+      res = await fetch(url, {
+        redirect: 'follow', // manual, *follow, error
+        ...(range && {
+          headers: {
+            Range: `bytes=${range}`,
+          },
+        }),
+      });
+    } catch (e) {
+      console.warn(`fetch failed with network error [${e}], retrying...`);
+      sleep(2 ** i * 1000);
+      continue;
+    }
+    if (!res.ok) {
+      if (res.status === 416) {
+        throw new InvalidFileError(
+          `${res.status}: range not satisfiable: requested [${range}] from [${url}]; response [${res.statusText}]`
+        );
+      } else if (res.status === 404) {
+        throw new InvalidFileError(
+          `${res.status}: [${url}] not found; response: [${res.statusText}]`
+        );
+      }
+      console.warn(`fetch failed with status [${res.status}: ${res.statusText}], retrying...`);
+      // waits for 1, 2, 4 seconds
+      sleep(2 ** i * 1000);
+      continue;
+    }
+    const data = await res.arrayBuffer();
+    if (!data) {
+      throw new NetworkError(
+        `empty response for range request: requested [${range}] from [${url}]`
+      );
+    }
+    return new Uint8Array(data);
+  }
+  throw new AggregateError(errors, 'fetch failed after 3 retries');
+}
+export const fromUrl = async (location: string): Promise<Chunker> => {
+  return async (byteStart?: number, byteEnd?: number): Promise<Uint8Array> => {
+    if (byteStart === undefined) {
+      return getRemoteChunk(location);
+    }
+    let rangeHeader = `${byteStart}`;
+    if (byteEnd && byteEnd < 0) {
+      // NOTE: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Range
+      throw Error('negative end unsupported');
+    } else if (byteEnd) {
+      rangeHeader += `-${byteEnd - 1}`;
+    }
+    return await getRemoteChunk(location, rangeHeader);
+  };
+};
+export const fromSource = async ({ type, location }: Source): Promise<Chunker> => {
+  switch (type) {
+    case 'buffer':
+      if (!(location instanceof Uint8Array)) {
+        throw new ConfigurationError('Invalid data source; must be uint8 array');
+      }
+      return fromBuffer(location);
+    case 'chunker':
+      if (!(location instanceof Function)) {
+        throw new ConfigurationError('Invalid data source; must be uint8 array');
+      }
+      return location;
+    case 'file-browser':
+      if (!(location instanceof Blob)) {
+        throw new ConfigurationError('Invalid data source; must be at least a Blob');
+      }
+      return fromBrowserFile(location);
+    case 'remote':
+      if (typeof location !== 'string') {
+        throw new ConfigurationError('Invalid data source; url not provided');
+      }
+      return fromUrl(location);
+    case 'stream':
+      return fromBuffer(new Uint8Array(await new Response(location).arrayBuffer()));
+    default:
+      throw new ConfigurationError(`Data source type not defined, or not supported: ${type}}`);
+  }
+};
+export async function sourceToStream(source: Source): Promise<ReadableStream<Uint8Array>> {
+  switch (source.type) {
+    case 'stream':
+      return source.location;
+    case 'file-browser':
+      return source.location.stream();
+    case 'chunker': {
+      const chunkSize = 8 * 1024 * 1024; // 8 megabytes
+      let offset = 0;
+      return new ReadableStream({
+        async pull(controller) {
+          const chunk = await source.location(offset, offset + chunkSize);
+          if (chunk.length === 0) {
+            controller.close();
+            return;
+          }
+          controller.enqueue(chunk);
+          offset += chunk.length;
+        },
+      });
+    }
+    default: {
+      const chunker = await fromSource(source);
+      return new ReadableStream({
+        async start(controller) {
+          const chunk = await chunker();
+          controller.enqueue(chunk);
+          controller.close();
+        },
+      });
+    }
+  }
+}
+// Deprected name, prefer `fromSource`
+export const fromDataSource = fromSource;
+// Deprecated Name; prefer just `Source`
+export type DataSource = Source;

package/src/tdf/AttributeObject.ts CHANGED Viewed

@@ -7,8 +7,6 @@ export interface AttributeObject {
   /** PEM encoded public key */
   readonly pubKey: string;
   readonly kasUrl: string;
-  /** The most recent version 1.1.0. */
-  readonly schemaVersion?: string;
 }
 export async function createAttribute(
@@ -22,6 +20,5 @@ export async function createAttribute(
     displayName: '',
     pubKey: pubKey.publicKey,
     kasUrl,
-    schemaVersion: '1.1.0',
   };
 }

package/src/tdf/Policy.ts CHANGED Viewed

@@ -1,13 +1,12 @@
 import { type AttributeObject } from './AttributeObject.js';
 import { v4 as uuid } from 'uuid';
-export default class Policy {
+export class Policy {
   static CURRENT_VERSION = '1.1.0';
   private uuidStr = uuid();
   private dataAttributesList: AttributeObject[] = [];
   private dissemList: string[] = [];
-  // private schemaVersionStr = Policy.CURRENT_VERSION;
   /**
    * Adds a group of entities, to the Policy's dissem list

package/src/tdf/PolicyObject.ts CHANGED Viewed

@@ -5,8 +5,7 @@ export interface PolicyObjectBody {
   readonly dissem: string[];
 }
-export default interface PolicyObject {
+export interface PolicyObject {
   readonly uuid: string;
   readonly body: PolicyObjectBody;
-  readonly schemaVersion?: string;
 }

package/src/tdf/TypedArray.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-type TypedArray =
+export type TypedArray =
   | Int8Array
   | Uint8Array
   | Int16Array
@@ -8,5 +8,3 @@ type TypedArray =
   | Uint8ClampedArray
   | Float32Array
   | Float64Array;
-export default TypedArray;