@opentdf/sdk 0.1.0-beta.1718 → 0.2.0-beta.1941

package/src/utils.ts

@@ -1,8 +1,7 @@
-import { type AxiosResponseHeaders, type RawAxiosResponseHeaders } from 'axios';
 import { exportSPKI, importX509 } from 'jose';
 
 import { base64 } from './encodings/index.js';
-import { pemCertToCrypto, pemPublicToCrypto } from './nanotdf-crypto/index.js';
+import { pemCertToCrypto, pemPublicToCrypto } from './nanotdf-crypto/pemPublicToCrypto.js';
 import { ConfigurationError } from './errors.js';
 
 /**
@@ -46,8 +45,6 @@ export function isBrowser() {
   return typeof window !== 'undefined'; // eslint-disable-line
 }
 
-export const isFirefox = (): boolean => isBrowser() && 'InstallTrigger' in window;
-
 export const rstrip = (str: string, suffix = ' '): string => {
   while (str && suffix && str.endsWith(suffix)) {
     str = str.slice(0, -suffix.length);
@@ -68,7 +65,7 @@ export const estimateSkew = async (serverEndpoint = window.origin): Promise<numb
   return estimateSkewFromHeaders(response.headers, localUnixTimeBefore);
 };
 
-export type AnyHeaders = AxiosResponseHeaders | RawAxiosResponseHeaders | Headers;
+export type AnyHeaders = Headers;
 
 /**
  * Rough estimate of number of seconds to add to the curren time to get
@@ -82,12 +79,7 @@ export type AnyHeaders = AxiosResponseHeaders | RawAxiosResponseHeaders | Header
  */
 export const estimateSkewFromHeaders = (headers: AnyHeaders, dateNowBefore?: number): number => {
   const localUnixTimeBefore = (dateNowBefore || Date.now()) / 1000;
-  let serverDateString;
-  if (headers.get) {
-    serverDateString = (headers as Headers).get('Date');
-  } else {
-    serverDateString = (headers as AxiosResponseHeaders | RawAxiosResponseHeaders).date;
-  }
+  const serverDateString = headers.get('Date');
   if (serverDateString === null) {
     throw Error('Cannot get access to Date header!');
   }

package/src/version.ts

@@ -1,9 +1,14 @@
 /**
  * Exposes the released version number of the `@opentdf/sdk` package
  */
-export const version = '0.1.0';
+export const version = '0.2.0';
 
 /**
  * A string name used to label requests as coming from this library client.
  */
 export const clientType = 'web-sdk';
+
+/**
+ * Version of the opentdf/spec this library is targeting
+ */
+export const tdfSpecVersion = '4.3.0';

package/tdf3/index.ts

@@ -25,13 +25,7 @@ import {
   SplitKey,
   type EncryptionInformation,
 } from './src/models/encryption-information.js';
-import {
-  AuthProvider,
-  AppIdAuthProvider,
-  type HttpMethod,
-  HttpRequest,
-  withHeaders,
-} from '../src/auth/auth.js';
+import { AuthProvider, type HttpMethod, HttpRequest, withHeaders } from '../src/auth/auth.js';
 import { AesGcmCipher } from './src/ciphers/aes-gcm-cipher.js';
 import {
   NanoTDFClient,
@@ -39,9 +33,9 @@ import {
   AuthProviders,
   version,
   clientType,
-} from '../src/index.js';
+} from '../src/nanoindex.js';
 import { Algorithms, type AlgorithmName, type AlgorithmUrn } from './src/ciphers/algorithms.js';
-import { type Chunker } from './src/utils/chunkers.js';
+import { type Chunker } from '../src/seekable.js';
 
 export type {
   AlgorithmName,
@@ -63,7 +57,6 @@ export type {
 export {
   AesGcmCipher,
   Algorithms,
-  AppIdAuthProvider,
   AuthProviders,
   Binary,
   Client,
@@ -89,3 +82,15 @@ export {
 };
 
 export * as WebCryptoService from './src/crypto/index.js';
+export {
+  type CreateNanoTDFCollectionOptions,
+  type CreateNanoTDFOptions,
+  type CreateOptions,
+  type CreateZTDFOptions,
+  type DecoratedStream,
+  type Keys,
+  type OpenTDFOptions,
+  type NanoTDFCollection,
+  type ReadOptions,
+  OpenTDF,
+} from '../src/opentdf.js';

package/tdf3/src/assertions.ts

@@ -3,7 +3,7 @@ import { type KeyLike, SignJWT, jwtVerify } from 'jose';
 import { base64, hex } from '../../src/encodings/index.js';
 import { ConfigurationError, IntegrityError, InvalidFileError } from '../../src/errors.js';
 
-export type AssertionKeyAlg = 'RS256' | 'HS256';
+export type AssertionKeyAlg = 'ES256' | 'RS256' | 'HS256';
 export type AssertionType = 'handling' | 'other';
 export type Scope = 'tdo' | 'payload';
 export type AppliesToState = 'encrypted' | 'unencrypted';
@@ -110,8 +110,9 @@ export function isAssertionConfig(obj: unknown): obj is AssertionConfig {
  */
 export async function verify(
   thiz: Assertion,
-  aggregateHash: string,
-  key: AssertionKey
+  aggregateHash: Uint8Array,
+  key: AssertionKey,
+  isLegacyTDF: boolean
 ): Promise<void> {
   let payload: AssertionPayload;
   try {
@@ -126,14 +127,25 @@ export async function verify(
 
   // Get the hash of the assertion
   const hashOfAssertion = await hash(thiz);
-  const combinedHash = aggregateHash + hashOfAssertion;
-  const encodedHash = base64.encode(combinedHash);
 
   // check if assertionHash is same as hashOfAssertion
   if (hashOfAssertion !== assertionHash) {
     throw new IntegrityError('Assertion hash mismatch');
   }
 
+  let encodedHash: string;
+  if (isLegacyTDF) {
+    const aggregateHashAsStr = new TextDecoder('utf-8').decode(aggregateHash);
+    const combinedHash = aggregateHashAsStr + hashOfAssertion;
+    encodedHash = base64.encode(combinedHash);
+  } else {
+    const combinedHash = concatenateUint8Arrays(
+      aggregateHash,
+      new Uint8Array(hex.decodeArrayBuffer(assertionHash))
+    );
+    encodedHash = base64.encodeArrayBuffer(combinedHash);
+  }
+
   // check if assertionSig is same as encodedHash
   if (assertionSig !== encodedHash) {
     throw new IntegrityError('Failed integrity check on assertion signature');
@@ -144,7 +156,7 @@ export async function verify(
  * Creates an Assertion object with the specified properties.
  */
 export async function CreateAssertion(
-  aggregateHash: string,
+  aggregateHash: Uint8Array,
   assertionConfig: AssertionConfig
 ): Promise<Assertion> {
   if (!assertionConfig.signingKey) {
@@ -162,8 +174,11 @@ export async function CreateAssertion(
   };
 
   const assertionHash = await hash(a);
-  const combinedHash = aggregateHash + assertionHash;
-  const encodedHash = base64.encode(combinedHash);
+  const combinedHash = concatenateUint8Arrays(
+    aggregateHash,
+    new Uint8Array(hex.decodeArrayBuffer(assertionHash))
+  );
+  const encodedHash = base64.encodeArrayBuffer(combinedHash);
 
   return await sign(a, assertionHash, encodedHash, assertionConfig.signingKey);
 }
@@ -189,3 +204,13 @@ export type AssertionVerificationKeys = {
   DefaultKey?: AssertionKey;
   Keys: Record<string, AssertionKey>;
 };
+
+function concatenateUint8Arrays(array1: Uint8Array, array2: Uint8Array): Uint8Array {
+  const combinedLength = array1.length + array2.length;
+  const combinedArray = new Uint8Array(combinedLength);
+
+  combinedArray.set(array1, 0);
+  combinedArray.set(array2, array1.length);
+
+  return combinedArray;
+}

package/tdf3/src/client/DecoratedReadableStream.ts

@@ -1,11 +1,5 @@
-import { EventEmitter } from 'eventemitter3';
-import streamSaver from 'streamsaver';
-import { fileSave } from 'browser-fs-access';
-import { isFirefox } from '../../../src/utils.js';
-
 import { type Metadata } from '../tdf.js';
-import { type Manifest, type UpsertResponse } from '../models/index.js';
-import { ConfigurationError } from '../../../src/errors.js';
+import { type Manifest } from '../models/index.js';
 
 export async function streamToBuffer(stream: ReadableStream<Uint8Array>): Promise<Uint8Array> {
   const accumulator = await new Response(stream).arrayBuffer();
@@ -24,12 +18,8 @@ export class DecoratedReadableStream {
   tdfSize: number;
   fileSize: number | undefined;
   stream: ReadableStream<Uint8Array>;
-  ee: EventEmitter;
-  on: EventEmitter['on'];
-  emit: EventEmitter['emit'];
   metadata?: Metadata;
   manifest: Manifest;
-  upsertResponse?: UpsertResponse;
   fileStreamServiceWorker?: string;
 
   constructor(
@@ -43,23 +33,10 @@ export class DecoratedReadableStream {
     this.stream = new ReadableStream(underlyingSource, {
       highWaterMark: 1,
     }) as ReadableStream<Uint8Array>;
-    this.ee = new EventEmitter();
-    this.on = (...args) => this.ee.on(...args);
-    this.emit = (...args) => this.ee.emit(...args);
   }
 
   async getMetadata() {
-    return new Promise((resolve, reject) => {
-      if (this.metadata) {
-        resolve(this.metadata);
-      } else {
-        this.on('error', reject);
-        this.on('rewrap', (rewrapResponse: Metadata) => {
-          this.metadata = rewrapResponse;
-          resolve(rewrapResponse);
-        });
-      }
-    });
+    return this.metadata;
   }
 
   /**
@@ -83,66 +60,12 @@ export class DecoratedReadableStream {
   async toString(): Promise<string> {
     return new Response(this.stream).text();
   }
-
-  /**
-   * Dump the stream content to a local file. This will consume the stream.
-   *
-   * @param filepath The path of the local file to write plaintext to.
-   * @param encoding The charset encoding to use. Defaults to utf-8.
-   */
-  async toFile(
-    filepath = 'download.tdf',
-    options?: BufferEncoding | DecoratedReadableStreamSinkOptions
-  ): Promise<void> {
-    if (options && typeof options === 'string') {
-      throw new ConfigurationError('unsupported operation: Cannot set encoding in browser');
-    }
-    if (isFirefox()) {
-      await fileSave(new Response(this.stream), {
-        fileName: filepath,
-        extensions: [`.${filepath.split('.').pop()}`],
-      });
-      return;
-    }
-
-    if (this.fileStreamServiceWorker) {
-      streamSaver.mitm = this.fileStreamServiceWorker;
-    }
-
-    const fileStream = streamSaver.createWriteStream(filepath, {
-      writableStrategy: { highWaterMark: 1 },
-      readableStrategy: { highWaterMark: 1 },
-    });
-
-    if (WritableStream) {
-      return this.stream.pipeTo(fileStream, options);
-    }
-
-    // Write (pipe) manually
-    const reader = this.stream.getReader();
-    const writer = fileStream.getWriter();
-    const pump = async (): Promise<void> => {
-      const res = await reader.read();
-
-      if (res.done) {
-        return await writer.close();
-      } else {
-        await writer.write(res.value);
-        return pump();
-      }
-    };
-    return pump();
-
-    // const pump = (): Promise<void> =>
-    //   reader.read().then((res) => (res.done ? writer.close() : writer.write(res.value).then(pump)));
-    // pump();
-  }
 }
 
 export function isDecoratedReadableStream(s: unknown): s is DecoratedReadableStream {
   return (
+    typeof (s as DecoratedReadableStream)?.stream !== 'undefined' &&
     typeof (s as DecoratedReadableStream)?.toBuffer !== 'undefined' &&
-    typeof (s as DecoratedReadableStream)?.toFile !== 'undefined' &&
     typeof (s as DecoratedReadableStream)?.toString !== 'undefined'
   );
 }

package/tdf3/src/client/builders.ts

@@ -5,11 +5,11 @@ import { Binary } from '../binary.js';
 
 import { ConfigurationError } from '../../../src/errors.js';
 import { PemKeyPair } from '../crypto/declarations.js';
-import { EntityObject } from '../../../src/tdf/EntityObject.js';
 import { DecoratedReadableStream } from './DecoratedReadableStream.js';
-import { type Chunker } from '../utils/chunkers.js';
+import { type Chunker } from '../../../src/seekable.js';
 import { AssertionConfig, AssertionVerificationKeys } from '../assertions.js';
 import { Value } from '../../../src/policy/attributes.js';
+import { KasPublicKeyAlgorithm, OriginAllowList } from '../../../src/access.js';
 
 export const DEFAULT_SEGMENT_SIZE: number = 1024 * 1024;
 export type Scope = {
@@ -35,27 +35,33 @@ export type SplitStep = {
 };
 
 export type EncryptParams = {
+  byteLimit?: number;
   source: ReadableStream<Uint8Array>;
   opts?: { keypair: PemKeyPair };
   autoconfigure?: boolean;
   scope?: Scope;
   metadata?: Metadata;
   keypair?: CryptoKeyPair;
-  offline?: boolean;
   windowSize?: number;
-  asHtml?: boolean;
   getPolicyId?: () => Scope['policyId'];
   mimeType?: string;
-  eo?: EntityObject;
   payloadKey?: Binary;
   keyMiddleware?: EncryptKeyMiddleware;
   splitPlan?: SplitStep[];
   streamMiddleware?: EncryptStreamMiddleware;
   assertionConfigs?: AssertionConfig[];
+  defaultKASEndpoint?: string;
+
+  // Preferred wrapping key algorithm. Used when KID resolution is not available.
+  wrappingKeyAlgorithm?: KasPublicKeyAlgorithm;
+
+  // Unsupported
+  asHtml?: boolean;
+  // Unsupported
+  offline?: boolean;
 };
 
 // 'Readonly<EncryptParams>': scope, metadata, offline, windowSize, asHtml
-
 // deep copy is expensive, could be faster is Immer used, but to keep SDK work
 // stable we can just make this object readonly
 function freeze<Type>(obj: Type): Readonly<Type> {
@@ -76,9 +82,7 @@ class EncryptParamsBuilder {
         attributes: [],
       },
       keypair: undefined,
-      offline: false,
       windowSize: DEFAULT_SEGMENT_SIZE,
-      asHtml: false,
       assertionConfigs: [],
     }
   ) {
@@ -94,6 +98,11 @@ class EncryptParamsBuilder {
    * @param {Readable} readStream - a Readable Stream to encrypt.
    */
   setStreamSource(readStream: ReadableStream<Uint8Array>) {
+    if (!readStream?.getReader) {
+      throw new ConfigurationError(
+        `Source must be a WebReadableStream. Run node streams through stream.Readable.toWeb()`
+      );
+    }
     this._params.source = readStream;
   }
 
@@ -118,6 +127,9 @@ class EncryptParamsBuilder {
    * @param {string} string - a string to encrypt.
    */
   setStringSource(string: string) {
+    if (!(string && typeof string === 'string')) {
+      throw new ConfigurationError('StringSource must be a string');
+    }
     const stream = new ReadableStream({
       pull(controller) {
         controller.enqueue(new TextEncoder().encode(string));
@@ -383,37 +395,24 @@ class EncryptParamsBuilder {
   }
 
   /**
-   * Whether the encrypted data should be formatted using html. This allows authorized users to
-   * double click and read using the Virtru Secure Reader, at the cost of reduced space efficiency.
-   * <br/><br/>
-   * This is enabled by default.
-   * @return {boolean} true if the encrypted data will be in html format.
+   * @deprecated This feature is not supported
    */
   hasHtmlFormat(): boolean {
-    return !!this._params.asHtml;
+    return false;
   }
 
   /**
-   * Specify that the encrypted data should be formatted using html. This allows authorized users to
-   * double click and read using the Virtru Secure Reader, at the cost of reduced space efficiency.
-   * <br/><br/>
-   * This is enabled by default.
+   * @deprecated This feature is not supported
    */
   setHtmlFormat() {
-    this._params.asHtml = true;
+    throw new ConfigurationError('HTML format is not supported');
   }
 
   /**
-   * Specify that the encrypted data should be formatted using html. This allows authorized users to
-   * double click and read using the Virtru Secure Reader, at the cost of reduced space efficiency.
-   * Returns this object for method chaining.
-   * <br/><br/>
-   * This is enabled by default.
-   * @return {EncryptParamsBuilder} - this object.
+   * @deprecated This feature is not supported
    */
   withHtmlFormat(): EncryptParamsBuilder {
-    this.setHtmlFormat();
-    return this;
+    throw new ConfigurationError('HTML format is not supported');
   }
 
   /**
@@ -514,13 +513,14 @@ export type DecryptSource =
   | { type: 'file-browser'; location: Blob };
 
 export type DecryptParams = {
-  eo?: EntityObject;
   source: DecryptSource;
+  allowList?: OriginAllowList;
   keyMiddleware?: DecryptKeyMiddleware;
   streamMiddleware?: DecryptStreamMiddleware;
   assertionVerificationKeys?: AssertionVerificationKeys;
   concurrencyLimit?: number;
   noVerifyAssertions?: boolean;
+  wrappingKeyAlgorithm?: KasPublicKeyAlgorithm;
 };
 
 /**
@@ -639,6 +639,9 @@ class DecryptParamsBuilder {
    * @param source (node) the path of the local file to decrypt, or the Blob (browser/node)
    */
   setFileSource(source: Blob) {
+    if (!(source instanceof Blob)) {
+      throw new ConfigurationError('File source must be a Blob');
+    }
     this._params.source = { type: 'file-browser', location: source };
   }
 
@@ -682,6 +685,19 @@ class DecryptParamsBuilder {
     return this;
   }
 
+  /**
+   * Sets the assertion verification keys for the decryption parameters.
+   *
+   * @param {AssertionVerificationKeys} assertionVerificationKeys - An array of assertion configurations to be set.
+   * @returns {DecryptParamsBuilder} The current instance of the EncryptParamsBuilder for method chaining.
+   */
+  withAssertionVerificationKeys(
+    assertionVerificationKeys: AssertionVerificationKeys
+  ): DecryptParamsBuilder {
+    this._params.assertionVerificationKeys = assertionVerificationKeys;
+    return this;
+  }
+
   _deepCopy(_params: DecryptParams) {
     return freeze({ ..._params });
   }