npm - @opentdf/sdk - Versions diffs - 0.1.0-beta.1718 → 0.2.0-beta.1941 - Mend

@opentdf/sdk 0.1.0-beta.1718 → 0.2.0-beta.1941

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (321) hide show

package/README.md +45 -38
package/dist/cjs/src/access.js +99 -62
package/dist/cjs/src/auth/auth.js +5 -26
package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +1 -1
package/dist/cjs/src/auth/oidc-externaljwt-provider.js +1 -1
package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +1 -1
package/dist/cjs/src/auth/oidc.js +1 -1
package/dist/cjs/src/auth/providers.js +1 -1
package/dist/cjs/src/concurrency.js +3 -4
package/dist/cjs/src/encodings/base64.js +4 -4
package/dist/cjs/src/encodings/hex.js +5 -6
package/dist/cjs/src/encodings/index.js +18 -8
package/dist/cjs/src/errors.js +1 -1
package/dist/cjs/src/index.js +28 -320
package/dist/cjs/src/nanoclients.js +285 -0
package/dist/cjs/src/nanoindex.js +47 -0
package/dist/cjs/src/nanotdf/Client.js +35 -30
package/dist/cjs/src/nanotdf/NanoTDF.js +1 -1
package/dist/cjs/src/nanotdf/decrypt.js +2 -2
package/dist/cjs/src/nanotdf/encrypt-dataset.js +2 -2
package/dist/cjs/src/nanotdf/encrypt.js +2 -2
package/dist/cjs/src/nanotdf/helpers/calculateByCurve.js +3 -4
package/dist/cjs/src/nanotdf/helpers/getHkdfSalt.js +2 -2
package/dist/cjs/src/nanotdf/models/Ciphers.js +3 -3
package/dist/cjs/src/nanotdf/models/EcCurves.js +3 -3
package/dist/cjs/src/nanotdf/models/Header.js +1 -1
package/dist/cjs/src/nanotdf/models/Payload.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/AbstractPolicy.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/EmbeddedPolicy.js +1 -1
package/dist/cjs/src/nanotdf/models/Policy/PolicyFactory.js +1 -1
package/dist/cjs/src/nanotdf/models/ResourceLocator.js +1 -1
package/dist/cjs/src/nanotdf/models/Signature.js +1 -1
package/dist/cjs/src/nanotdf-crypto/ciphers.js +1 -1
package/dist/cjs/src/nanotdf-crypto/decrypt.js +2 -2
package/dist/cjs/src/nanotdf-crypto/digest.js +2 -2
package/dist/cjs/src/nanotdf-crypto/ecdsaSignature.js +4 -5
package/dist/cjs/src/nanotdf-crypto/encrypt.js +2 -2
package/dist/cjs/src/nanotdf-crypto/exportCryptoKey.js +2 -2
package/dist/cjs/src/nanotdf-crypto/generateKeyPair.js +2 -2
package/dist/cjs/src/nanotdf-crypto/generateRandomNumber.js +2 -2
package/dist/cjs/src/nanotdf-crypto/index.js +21 -13
package/dist/cjs/src/nanotdf-crypto/keyAgreement.js +10 -8
package/dist/cjs/src/nanotdf-crypto/pemPublicToCrypto.js +20 -11
package/dist/cjs/src/opentdf.js +243 -0
package/dist/cjs/src/policy/api.js +2 -3
package/dist/cjs/src/policy/granter.js +3 -4
package/dist/cjs/src/seekable.js +157 -0
package/dist/cjs/src/tdf/AttributeObject.js +2 -4
package/dist/cjs/src/tdf/Policy.js +3 -3
package/dist/cjs/src/utils.js +13 -21
package/dist/cjs/src/version.js +7 -3
package/dist/cjs/tdf3/index.js +27 -16
package/dist/cjs/tdf3/src/assertions.js +25 -11
package/dist/cjs/tdf3/src/binary.js +1 -1
package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +1 -1
package/dist/cjs/tdf3/src/client/DecoratedReadableStream.js +7 -74
package/dist/cjs/tdf3/src/client/builders.js +26 -22
package/dist/cjs/tdf3/src/client/index.js +91 -117
package/dist/cjs/tdf3/src/client/validation.js +3 -3
package/dist/cjs/tdf3/src/crypto/crypto-utils.js +1 -1
package/dist/cjs/tdf3/src/crypto/index.js +18 -18
package/dist/cjs/tdf3/src/index.js +22 -11
package/dist/cjs/tdf3/src/models/attribute-set.js +1 -1
package/dist/cjs/tdf3/src/models/encryption-information.js +3 -3
package/dist/cjs/tdf3/src/models/index.js +1 -2
package/dist/cjs/tdf3/src/models/key-access.js +67 -35
package/dist/cjs/tdf3/src/models/policy.js +3 -3
package/dist/cjs/tdf3/src/tdf.js +180 -395
package/dist/cjs/tdf3/src/utils/buffer-crc32.js +2 -3
package/dist/cjs/tdf3/src/utils/index.js +48 -38
package/dist/cjs/tdf3/src/utils/keysplit.js +4 -5
package/dist/cjs/tdf3/src/utils/unwrap.js +21 -0
package/dist/cjs/tdf3/src/utils/zip-reader.js +4 -4
package/dist/cjs/tdf3/src/utils/zip-writer.js +4 -4
package/dist/types/src/access.d.ts +10 -4
package/dist/types/src/access.d.ts.map +1 -1
package/dist/types/src/auth/auth.d.ts +1 -28
package/dist/types/src/auth/auth.d.ts.map +1 -1
package/dist/types/src/auth/providers.d.ts.map +1 -1
package/dist/types/src/index.d.ts +5 -136
package/dist/types/src/index.d.ts.map +1 -1
package/dist/types/src/nanoclients.d.ts +107 -0
package/dist/types/src/nanoclients.d.ts.map +1 -0
package/dist/types/src/nanoindex.d.ts +5 -0
package/dist/types/src/nanoindex.d.ts.map +1 -0
package/dist/types/src/nanotdf/Client.d.ts +1 -13
package/dist/types/src/nanotdf/Client.d.ts.map +1 -1
package/dist/types/src/nanotdf/NanoTDF.d.ts +1 -1
package/dist/types/src/nanotdf/NanoTDF.d.ts.map +1 -1
package/dist/types/src/nanotdf/encrypt-dataset.d.ts +1 -1
package/dist/types/src/nanotdf/encrypt-dataset.d.ts.map +1 -1
package/dist/types/src/nanotdf/encrypt.d.ts +1 -1
package/dist/types/src/nanotdf/encrypt.d.ts.map +1 -1
package/dist/types/src/nanotdf/enum/CipherEnum.d.ts +1 -1
package/dist/types/src/nanotdf/enum/CipherEnum.d.ts.map +1 -1
package/dist/types/src/nanotdf/enum/PolicyTypeEnum.d.ts +1 -1
package/dist/types/src/nanotdf/enum/PolicyTypeEnum.d.ts.map +1 -1
package/dist/types/src/nanotdf/helpers/getHkdfSalt.d.ts +1 -1
package/dist/types/src/nanotdf/helpers/getHkdfSalt.d.ts.map +1 -1
package/dist/types/src/nanotdf/models/DefaultParams.d.ts +1 -1
package/dist/types/src/nanotdf/models/ResourceLocator.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/digest.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/digest.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/generateKeyPair.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/generateKeyPair.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/generateRandomNumber.d.ts +1 -1
package/dist/types/src/nanotdf-crypto/generateRandomNumber.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/index.d.ts +2 -3
package/dist/types/src/nanotdf-crypto/index.d.ts.map +1 -1
package/dist/types/src/nanotdf-crypto/keyAgreement.d.ts.map +1 -1
package/dist/types/src/opentdf.d.ts +106 -0
package/dist/types/src/opentdf.d.ts.map +1 -0
package/dist/types/src/seekable.d.ts +39 -0
package/dist/types/src/seekable.d.ts.map +1 -0
package/dist/types/src/tdf/AttributeObject.d.ts +0 -2
package/dist/types/src/tdf/AttributeObject.d.ts.map +1 -1
package/dist/types/src/tdf/NanoTDF/NanoTDF.d.ts +2 -2
package/dist/types/src/tdf/NanoTDF/NanoTDF.d.ts.map +1 -1
package/dist/types/src/tdf/Policy.d.ts +1 -1
package/dist/types/src/tdf/Policy.d.ts.map +1 -1
package/dist/types/src/tdf/PolicyObject.d.ts +1 -2
package/dist/types/src/tdf/PolicyObject.d.ts.map +1 -1
package/dist/types/src/tdf/TypedArray.d.ts +1 -2
package/dist/types/src/tdf/TypedArray.d.ts.map +1 -1
package/dist/types/src/utils.d.ts +1 -3
package/dist/types/src/utils.d.ts.map +1 -1
package/dist/types/src/version.d.ts +5 -1
package/dist/types/src/version.d.ts.map +1 -1
package/dist/types/tdf3/index.d.ts +5 -4
package/dist/types/tdf3/index.d.ts.map +1 -1
package/dist/types/tdf3/src/assertions.d.ts +3 -3
package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts +2 -15
package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts.map +1 -1
package/dist/types/tdf3/src/client/builders.d.ts +43 -42
package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
package/dist/types/tdf3/src/client/index.d.ts +12 -17
package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
package/dist/types/tdf3/src/client/validation.d.ts +3 -3
package/dist/types/tdf3/src/client/validation.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
package/dist/types/tdf3/src/index.d.ts +1 -1
package/dist/types/tdf3/src/index.d.ts.map +1 -1
package/dist/types/tdf3/src/models/index.d.ts +0 -1
package/dist/types/tdf3/src/models/index.d.ts.map +1 -1
package/dist/types/tdf3/src/models/key-access.d.ts +63 -15
package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
package/dist/types/tdf3/src/models/manifest.d.ts +2 -0
package/dist/types/tdf3/src/models/manifest.d.ts.map +1 -1
package/dist/types/tdf3/src/models/policy.d.ts +0 -1
package/dist/types/tdf3/src/models/policy.d.ts.map +1 -1
package/dist/types/tdf3/src/tdf.d.ts +24 -37
package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/index.d.ts +0 -4
package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/unwrap.d.ts +2 -0
package/dist/types/tdf3/src/utils/unwrap.d.ts.map +1 -0
package/dist/types/tdf3/src/utils/zip-reader.d.ts +1 -1
package/dist/types/tdf3/src/utils/zip-reader.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/zip-writer.d.ts +2 -2
package/dist/web/src/access.js +93 -58
package/dist/web/src/auth/auth.js +1 -21
package/dist/web/src/auth/oidc-clientcredentials-provider.js +1 -1
package/dist/web/src/auth/oidc-externaljwt-provider.js +1 -1
package/dist/web/src/auth/oidc-refreshtoken-provider.js +1 -1
package/dist/web/src/auth/oidc.js +1 -1
package/dist/web/src/auth/providers.js +1 -1
package/dist/web/src/concurrency.js +1 -1
package/dist/web/src/encodings/base64.js +1 -1
package/dist/web/src/encodings/hex.js +1 -1
package/dist/web/src/errors.js +1 -1
package/dist/web/src/index.js +6 -312
package/dist/web/src/nanoclients.js +280 -0
package/dist/web/src/nanoindex.js +5 -0
package/dist/web/src/nanotdf/Client.js +18 -23
package/dist/web/src/nanotdf/NanoTDF.js +1 -1
package/dist/web/src/nanotdf/encrypt-dataset.js +1 -1
package/dist/web/src/nanotdf/encrypt.js +1 -1
package/dist/web/src/nanotdf/models/Ciphers.js +1 -1
package/dist/web/src/nanotdf/models/EcCurves.js +1 -1
package/dist/web/src/nanotdf/models/Header.js +1 -1
package/dist/web/src/nanotdf/models/Payload.js +1 -1
package/dist/web/src/nanotdf/models/Policy/AbstractPolicy.js +1 -1
package/dist/web/src/nanotdf/models/Policy/EmbeddedPolicy.js +1 -1
package/dist/web/src/nanotdf/models/Policy/PolicyFactory.js +1 -1
package/dist/web/src/nanotdf/models/ResourceLocator.js +1 -1
package/dist/web/src/nanotdf/models/Signature.js +1 -1
package/dist/web/src/nanotdf-crypto/ciphers.js +1 -1
package/dist/web/src/nanotdf-crypto/ecdsaSignature.js +1 -1
package/dist/web/src/nanotdf-crypto/generateKeyPair.js +2 -2
package/dist/web/src/nanotdf-crypto/generateRandomNumber.js +2 -2
package/dist/web/src/nanotdf-crypto/index.js +3 -4
package/dist/web/src/nanotdf-crypto/keyAgreement.js +9 -6
package/dist/web/src/nanotdf-crypto/pemPublicToCrypto.js +1 -1
package/dist/web/src/opentdf.js +234 -0
package/dist/web/src/policy/api.js +1 -1
package/dist/web/src/policy/granter.js +1 -1
package/dist/web/src/seekable.js +148 -0
package/dist/web/src/tdf/AttributeObject.js +1 -2
package/dist/web/src/tdf/Policy.js +2 -4
package/dist/web/src/utils.js +3 -10
package/dist/web/src/version.js +6 -2
package/dist/web/tdf3/index.js +5 -4
package/dist/web/tdf3/src/assertions.js +21 -6
package/dist/web/tdf3/src/binary.js +1 -1
package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +1 -1
package/dist/web/tdf3/src/client/DecoratedReadableStream.js +4 -68
package/dist/web/tdf3/src/client/builders.js +26 -22
package/dist/web/tdf3/src/client/index.js +74 -105
package/dist/web/tdf3/src/client/validation.js +1 -1
package/dist/web/tdf3/src/crypto/crypto-utils.js +1 -1
package/dist/web/tdf3/src/crypto/index.js +1 -1
package/dist/web/tdf3/src/index.js +2 -2
package/dist/web/tdf3/src/models/attribute-set.js +1 -1
package/dist/web/tdf3/src/models/encryption-information.js +3 -3
package/dist/web/tdf3/src/models/index.js +1 -2
package/dist/web/tdf3/src/models/key-access.js +47 -24
package/dist/web/tdf3/src/models/policy.js +1 -1
package/dist/web/tdf3/src/tdf.js +153 -371
package/dist/web/tdf3/src/utils/buffer-crc32.js +1 -1
package/dist/web/tdf3/src/utils/index.js +19 -14
package/dist/web/tdf3/src/utils/keysplit.js +1 -1
package/dist/web/tdf3/src/utils/unwrap.js +18 -0
package/dist/web/tdf3/src/utils/zip-reader.js +1 -1
package/dist/web/tdf3/src/utils/zip-writer.js +1 -1
package/package.json +45 -45
package/src/access.ts +111 -54
package/src/auth/auth.ts +1 -31
package/src/index.ts +5 -440
package/src/nanoclients.ts +405 -0
package/src/nanoindex.ts +4 -0
package/src/nanotdf/Client.ts +18 -25
package/src/nanotdf/NanoTDF.ts +1 -1
package/src/nanotdf/encrypt-dataset.ts +1 -1
package/src/nanotdf/encrypt.ts +1 -1
package/src/nanotdf/helpers/getHkdfSalt.ts +1 -1
package/src/nanotdf-crypto/digest.ts +1 -1
package/src/nanotdf-crypto/generateKeyPair.ts +1 -1
package/src/nanotdf-crypto/generateRandomNumber.ts +1 -1
package/src/nanotdf-crypto/index.ts +2 -3
package/src/nanotdf-crypto/keyAgreement.ts +14 -7
package/src/opentdf.ts +441 -0
package/src/seekable.ts +180 -0
package/src/tdf/AttributeObject.ts +0 -3
package/src/tdf/Policy.ts +1 -2
package/src/tdf/PolicyObject.ts +1 -2
package/src/tdf/TypedArray.ts +1 -3
package/src/utils.ts +3 -11
package/src/version.ts +6 -1
package/tdf3/index.ts +15 -10
package/tdf3/src/assertions.ts +33 -8
package/tdf3/src/client/DecoratedReadableStream.ts +3 -80
package/tdf3/src/client/builders.ts +44 -28
package/tdf3/src/client/index.ts +109 -165
package/tdf3/src/index.ts +1 -1
package/tdf3/src/models/encryption-information.ts +2 -2
package/tdf3/src/models/index.ts +0 -1
package/tdf3/src/models/key-access.ts +120 -38
package/tdf3/src/models/manifest.ts +3 -0
package/tdf3/src/models/policy.ts +0 -1
package/tdf3/src/tdf.ts +266 -522
package/tdf3/src/utils/index.ts +19 -18
package/tdf3/src/utils/unwrap.ts +17 -0
package/tdf3/src/utils/zip-reader.ts +1 -1
package/dist/cjs/src/auth/Eas.js +0 -60
package/dist/cjs/src/nanotdf-crypto/importRawKey.js +0 -18
package/dist/cjs/src/tdf/Crypto.js +0 -47
package/dist/cjs/src/tdf/EntityObject.js +0 -3
package/dist/cjs/src/tdf/index.js +0 -35
package/dist/cjs/tdf3/src/models/upsert-response.js +0 -3
package/dist/cjs/tdf3/src/templates/default.html.js +0 -98
package/dist/cjs/tdf3/src/templates/escaper.js +0 -15
package/dist/cjs/tdf3/src/templates/index.js +0 -12
package/dist/cjs/tdf3/src/utils/chunkers.js +0 -106
package/dist/cjs/tdf3/src/version.js +0 -6
package/dist/types/src/auth/Eas.d.ts +0 -34
package/dist/types/src/auth/Eas.d.ts.map +0 -1
package/dist/types/src/nanotdf-crypto/importRawKey.d.ts +0 -13
package/dist/types/src/nanotdf-crypto/importRawKey.d.ts.map +0 -1
package/dist/types/src/tdf/Crypto.d.ts +0 -37
package/dist/types/src/tdf/Crypto.d.ts.map +0 -1
package/dist/types/src/tdf/EntityObject.d.ts +0 -18
package/dist/types/src/tdf/EntityObject.d.ts.map +0 -1
package/dist/types/src/tdf/index.d.ts +0 -7
package/dist/types/src/tdf/index.d.ts.map +0 -1
package/dist/types/tdf3/src/models/upsert-response.d.ts +0 -16
package/dist/types/tdf3/src/models/upsert-response.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/default.html.d.ts +0 -8
package/dist/types/tdf3/src/templates/default.html.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/escaper.d.ts +0 -6
package/dist/types/tdf3/src/templates/escaper.d.ts.map +0 -1
package/dist/types/tdf3/src/templates/index.d.ts +0 -3
package/dist/types/tdf3/src/templates/index.d.ts.map +0 -1
package/dist/types/tdf3/src/utils/chunkers.d.ts +0 -29
package/dist/types/tdf3/src/utils/chunkers.d.ts.map +0 -1
package/dist/types/tdf3/src/version.d.ts +0 -3
package/dist/types/tdf3/src/version.d.ts.map +0 -1
package/dist/web/src/auth/Eas.js +0 -55
package/dist/web/src/nanotdf-crypto/importRawKey.js +0 -15
package/dist/web/src/tdf/Crypto.js +0 -44
package/dist/web/src/tdf/EntityObject.js +0 -2
package/dist/web/src/tdf/index.js +0 -4
package/dist/web/tdf3/src/models/upsert-response.js +0 -2
package/dist/web/tdf3/src/templates/default.html.js +0 -96
package/dist/web/tdf3/src/templates/escaper.js +0 -10
package/dist/web/tdf3/src/templates/index.js +0 -3
package/dist/web/tdf3/src/utils/chunkers.js +0 -96
package/dist/web/tdf3/src/version.js +0 -3
package/src/auth/Eas.ts +0 -79
package/src/nanotdf-crypto/importRawKey.ts +0 -19
package/src/tdf/Crypto.ts +0 -42
package/src/tdf/EntityObject.ts +0 -18
package/src/tdf/index.ts +0 -6
package/tdf3/src/models/upsert-response.ts +0 -17
package/tdf3/src/templates/default.html.ts +0 -105
package/tdf3/src/templates/escaper.ts +0 -10
package/tdf3/src/templates/index.ts +0 -2
package/tdf3/src/utils/chunkers.ts +0 -118
package/tdf3/src/version.ts +0 -2

package/tdf3/src/models/key-access.ts CHANGED Viewed

@@ -1,16 +1,19 @@
-import { Binary } from '../binary.js';
 import { base64, hex } from '../../../src/encodings/index.js';
+import { generateRandomNumber } from '../../../src/nanotdf-crypto/generateRandomNumber.js';
+import { keyAgreement } from '../../../src/nanotdf-crypto/keyAgreement.js';
+import { pemPublicToCrypto } from '../../../src/nanotdf-crypto/pemPublicToCrypto.js';
+import { cryptoPublicToPem } from '../../../src/utils.js';
+import { Binary } from '../binary.js';
 import * as cryptoService from '../crypto/index.js';
 import { Policy } from './policy.js';
-export type KeyAccessType = 'remote' | 'wrapped';
+export type KeyAccessType = 'remote' | 'wrapped' | 'ec-wrapped';
-export function isRemote(keyAccessJSON: KeyAccess | KeyAccessObject): boolean {
-  return keyAccessJSON.type === 'remote';
-}
+export const schemaVersion = '1.0';
-export class Wrapped {
-  readonly type = 'wrapped';
+export class ECWrapped {
+  readonly type = 'ec-wrapped';
+  readonly ephemeralKeyPair: Promise<CryptoKeyPair>;
   keyAccessObject?: KeyAccessObject;
   constructor(
@@ -18,60 +21,78 @@ export class Wrapped {
     public readonly kid: string | undefined,
     public readonly publicKey: string,
     public readonly metadata: unknown,
-    public readonly sid: string
-  ) {}
+    public readonly sid?: string
+  ) {
+    this.ephemeralKeyPair = crypto.subtle.generateKey(
+      {
+        name: 'ECDH',
+        namedCurve: 'P-256',
+      },
+      false,
+      ['deriveBits', 'deriveKey']
+    );
+  }
   async write(
     policy: Policy,
-    keyBuffer: Uint8Array,
+    dek: Uint8Array,
     encryptedMetadataStr: string
   ): Promise<KeyAccessObject> {
     const policyStr = JSON.stringify(policy);
-    const unwrappedKeyBinary = Binary.fromArrayBuffer(keyBuffer.buffer);
-    const wrappedKeyBinary = await cryptoService.encryptWithPublicKey(
-      unwrappedKeyBinary,
-      this.publicKey
-    );
+    const [ek, clientPublicKey] = await Promise.all([
+      this.ephemeralKeyPair,
+      pemPublicToCrypto(this.publicKey),
+    ]);
+    const kek = await keyAgreement(ek.privateKey, clientPublicKey, {
+      hkdfSalt: new TextEncoder().encode('salt'),
+      hkdfHash: 'SHA-256',
+    });
+    const iv = generateRandomNumber(12);
+    const cek = await crypto.subtle.encrypt({ name: 'AES-GCM', iv, tagLength: 128 }, kek, dek);
+    const entityWrappedKey = new Uint8Array(iv.length + cek.byteLength);
+    entityWrappedKey.set(iv);
+    entityWrappedKey.set(new Uint8Array(cek), iv.length);
     const policyBinding = await cryptoService.hmac(
-      hex.encodeArrayBuffer(keyBuffer),
+      hex.encodeArrayBuffer(dek),
       base64.encode(policyStr)
     );
-    this.keyAccessObject = {
-      type: 'wrapped',
+    const ephemeralPublicKeyPEM = await cryptoPublicToPem(ek.publicKey);
+    const kao: KeyAccessObject = {
+      type: 'ec-wrapped',
       url: this.url,
       protocol: 'kas',
-      wrappedKey: base64.encode(wrappedKeyBinary.asString()),
+      wrappedKey: base64.encodeArrayBuffer(entityWrappedKey),
       encryptedMetadata: base64.encode(encryptedMetadataStr),
       policyBinding: {
         alg: 'HS256',
         hash: base64.encode(policyBinding),
       },
+      schemaVersion,
+      ephemeralPublicKey: ephemeralPublicKeyPEM,
     };
     if (this.kid) {
-      this.keyAccessObject.kid = this.kid;
+      kao.kid = this.kid;
     }
     if (this.sid?.length) {
-      this.keyAccessObject.sid = this.sid;
+      kao.sid = this.sid;
     }
-    return this.keyAccessObject;
+    this.keyAccessObject = kao;
+    return kao;
   }
 }
-export class Remote {
-  readonly type = 'remote';
+export class Wrapped {
+  readonly type = 'wrapped';
   keyAccessObject?: KeyAccessObject;
-  wrappedKey?: string;
-  policyBinding?: string;
   constructor(
     public readonly url: string,
     public readonly kid: string | undefined,
     public readonly publicKey: string,
     public readonly metadata: unknown,
-    public readonly sid: string
+    public readonly sid?: string
   ) {}
   async write(
@@ -80,49 +101,110 @@ export class Remote {
     encryptedMetadataStr: string
   ): Promise<KeyAccessObject> {
     const policyStr = JSON.stringify(policy);
-    const policyBinding = await cryptoService.hmac(
-      hex.encodeArrayBuffer(keyBuffer),
-      base64.encode(policyStr)
-    );
     const unwrappedKeyBinary = Binary.fromArrayBuffer(keyBuffer.buffer);
     const wrappedKeyBinary = await cryptoService.encryptWithPublicKey(
       unwrappedKeyBinary,
       this.publicKey
     );
-    // this.wrappedKey = wrappedKeyBinary.asBuffer().toString('hex');
-    this.wrappedKey = base64.encode(wrappedKeyBinary.asString());
+    const policyBinding = await cryptoService.hmac(
+      hex.encodeArrayBuffer(keyBuffer),
+      base64.encode(policyStr)
+    );
     this.keyAccessObject = {
-      type: 'remote',
+      type: 'wrapped',
       url: this.url,
       protocol: 'kas',
-      wrappedKey: this.wrappedKey,
+      wrappedKey: base64.encode(wrappedKeyBinary.asString()),
       encryptedMetadata: base64.encode(encryptedMetadataStr),
       policyBinding: {
         alg: 'HS256',
         hash: base64.encode(policyBinding),
       },
+      schemaVersion,
     };
     if (this.kid) {
       this.keyAccessObject.kid = this.kid;
     }
+    if (this.sid?.length) {
+      this.keyAccessObject.sid = this.sid;
+    }
     return this.keyAccessObject;
   }
 }
-export type KeyAccess = Remote | Wrapped;
+export type KeyAccess = ECWrapped | Wrapped;
+/**
+ * A KeyAccess object stores all information about how an object key OR one key split is stored.
+ */
 export type KeyAccessObject = {
-  sid?: string;
+  /**
+   * Specifies how the key is stored. Possible Values:
+   * **wrapped**: The wrapped key is stored as part of the manifest.
+   * **remote**: [Unsupported] The wrapped key (see below) is stored remotely and is thus not part of the final TDF manifest.
+   */
   type: KeyAccessType;
+  /**
+   * A key split (or share) identifier.
+   * To allow sharing a key across several access domains,
+   * the KAO supports a 'Split Identifier'.
+   * To reconstruct such a key when encryptionInformation type is 'split',
+   * use the xor operation to combine one of each separate sid.
+   */
+  sid?: string;
+  /**
+   * A locator for a Key Access service capable of granting access to the wrapped key.
+   */
   url: string;
+  /**
+   * Additional information for the Key Access service to identify how to unwrap the key.
+   */
   kid?: string;
+  /**
+   * The protocol used to access the key.
+   */
   protocol: 'kas';
+  /**
+   * The symmetric key used to encrypt the payload.
+   * It is encrypted using the public key of the KAS,
+   * then base64 encoded.
+   */
   wrappedKey?: string;
+  /**
+   * An object that contains a keyed hash that will provide cryptographic integrity on the policy object,
+   * such that it cannot be modified or copied to another TDF
+   * without invalidating the binding.
+   * Specifically, you would have to have access to the key in order to overwrite the policy.
+   */
   policyBinding?: {
     alg: string;
     hash: string;
   };
+  /**
+   * Metadata associated with the TDF and the request.
+   * The contents of the metadata are freeform,
+   * and are used to pass information from the client to the KAS.
+   * The metadata stored here should not be used for primary access decisions.
+   */
   encryptedMetadata?: string;
+  /**
+   * Version information for the KAO format.
+   */
+  schemaVersion?: string;
+  /**
+   * PEM encoded ephemeral public key, if wrapped with a KAS EC key.
+   */
+  ephemeralPublicKey?: string;
 };

package/tdf3/src/models/manifest.ts CHANGED Viewed

@@ -6,4 +6,7 @@ export type Manifest = {
   payload: Payload;
   encryptionInformation: EncryptionInformation;
   assertions: Assertion[];
+  schemaVersion: string;
+  // Deprecated
+  tdf_spec_version?: string;
 };

package/tdf3/src/models/policy.ts CHANGED Viewed

@@ -9,7 +9,6 @@ export type PolicyBody = {
 };
 export type Policy = {
-  tdf_spec_version?: string;
   uuid?: string;
   body?: PolicyBody;
 };