@opentdf/sdk 0.3.1 → 0.3.2-beta.2

package/src/auth/oidc.ts

@@ -222,7 +222,7 @@ export class AccessToken {
         return this.data.access_token;
       } catch (e) {
         console.log('access_token fails on user_info endpoint; attempting to renew', e);
-        if (this.data.refresh_token) {
+        if (this.data?.refresh_token) {
           // Prefer the latest refresh_token if present over creds passed in
           // to constructor
           this.config = {

package/src/nanotdf/Client.ts

@@ -2,7 +2,12 @@ import * as base64 from '../encodings/base64.js';
 import { generateKeyPair, keyAgreement } from '../nanotdf-crypto/index.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import DefaultParams from './models/DefaultParams.js';
-import { fetchWrappedKey, KasPublicKeyInfo, OriginAllowList } from '../access.js';
+import {
+  fetchKeyAccessServers,
+  fetchWrappedKey,
+  KasPublicKeyInfo,
+  OriginAllowList,
+} from '../access.js';
 import { AuthProvider, isAuthProvider, reqSignature } from '../auth/providers.js';
 import { ConfigurationError, DecryptError, TdfError, UnsafeUrlError } from '../errors.js';
 import { cryptoPublicToPem, pemToCryptoPublicKey, validateSecureUrl } from '../utils.js';
@@ -15,6 +20,7 @@ export interface ClientConfig {
   dpopKeys?: Promise<CryptoKeyPair>;
   ephemeralKeyPair?: Promise<CryptoKeyPair>;
   kasEndpoint: string;
+  platformUrl: string;
 }
 
 function toJWSAlg(c: CryptoKey): string {
@@ -99,12 +105,13 @@ export default class Client {
   static readonly INITIAL_RELEASE_IV_SIZE = 3;
   static readonly IV_SIZE = 12;
 
-  allowedKases: OriginAllowList;
+  allowedKases?: OriginAllowList;
   /*
     These variables are expected to be either assigned during initialization or within the methods.
     This is needed as the flow is very specific. Errors should be thrown if the necessary step is not completed.
   */
   protected kasUrl: string;
+  readonly platformUrl: string;
   kasPubKey?: KasPublicKeyInfo;
   readonly authProvider: AuthProvider;
   readonly dpopEnabled: boolean;
@@ -150,7 +157,6 @@ export default class Client {
       // TODO Disallow http KAS. For now just log as error
       validateSecureUrl(kasUrl);
       this.kasUrl = kasUrl;
-      this.allowedKases = new OriginAllowList([kasUrl]);
       this.dpopEnabled = dpopEnabled;
 
       if (ephemeralKeyPair) {
@@ -168,12 +174,16 @@ export default class Client {
         dpopKeys,
         ephemeralKeyPair,
         kasEndpoint,
+        platformUrl,
       } = optsOrOldAuthProvider;
       this.authProvider = enwrapAuthProvider(authProvider);
       // TODO Disallow http KAS. For now just log as error
       validateSecureUrl(kasEndpoint);
       this.kasUrl = kasEndpoint;
-      this.allowedKases = new OriginAllowList(allowedKases || [kasEndpoint], !!ignoreAllowList);
+      this.platformUrl = platformUrl;
+      if (allowedKases?.length || ignoreAllowList) {
+        this.allowedKases = new OriginAllowList(allowedKases || [], ignoreAllowList);
+      }
       this.dpopEnabled = !!dpopEnabled;
       if (dpopKeys) {
         this.requestSignerKeyPair = dpopKeys;
@@ -214,8 +224,14 @@ export default class Client {
     magicNumberVersion: ArrayBufferLike,
     clientVersion: string
   ): Promise<CryptoKey> {
-    if (!this.allowedKases.allows(kasRewrapUrl)) {
-      throw new UnsafeUrlError(`request URL ∉ ${this.allowedKases.origins};`, kasRewrapUrl);
+    let allowedKases = this.allowedKases;
+
+    if (!allowedKases) {
+      allowedKases = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+    }
+
+    if (!allowedKases.allows(kasRewrapUrl)) {
+      throw new UnsafeUrlError(`request URL ∉ ${allowedKases.origins};`, kasRewrapUrl);
     }
 
     const ephemeralKeyPair = await this.ephemeralKeyPair;
@@ -243,22 +259,16 @@ export default class Client {
     });
 
     const jwtPayload = { requestBody: requestBodyStr };
-    const requestBody = {
-      signedRequestToken: await reqSignature(jwtPayload, requestSignerKeyPair.privateKey, {
-        alg: toJWSAlg(requestSignerKeyPair.publicKey),
-      }),
-    };
+
+    const signedRequestToken = await reqSignature(jwtPayload, requestSignerKeyPair.privateKey, {
+      alg: toJWSAlg(requestSignerKeyPair.publicKey),
+    });
 
     // Wrapped
-    const wrappedKey = await fetchWrappedKey(
-      kasRewrapUrl,
-      requestBody,
-      this.authProvider,
-      clientVersion
-    );
+    const wrappedKey = await fetchWrappedKey(kasRewrapUrl, signedRequestToken, this.authProvider);
 
     // Extract the iv and ciphertext
-    const entityWrappedKey = new Uint8Array(base64.decodeArrayBuffer(wrappedKey.entityWrappedKey));
+    const entityWrappedKey = wrappedKey.entityWrappedKey;
     const ivLength =
       clientVersion == Client.SDK_INITIAL_RELEASE ? Client.INITIAL_RELEASE_IV_SIZE : Client.IV_SIZE;
     const iv = entityWrappedKey.subarray(0, ivLength);

package/src/nanotdf/models/Header.ts

@@ -314,7 +314,7 @@ export default class Header {
    */
   getKasRewrapUrl(): string {
     try {
-      return `${rstrip(this.kas.url, '/')}/v2/rewrap`;
+      return `${rstrip(this.kas.url, '/')}`;
     } catch (e) {
       throw new ConfigurationError(`cannot construct KAS Rewrap URL: ${e.message}`);
     }

package/src/nanotdf-crypto/keyAgreement.ts

@@ -71,7 +71,7 @@ export async function keyAgreement(
   }
 ): Promise<CryptoKey> {
   for (const k of [privateKey, publicKey]) {
-    const mechanism = keyAlgorithmToPublicKeyAlgorithm(k.algorithm);
+    const mechanism = keyAlgorithmToPublicKeyAlgorithm(k);
     if (mechanism !== 'ec:secp256r1') {
       throw new ConfigurationError(
         `${k.type} CryptoKey is expected to be of type ECDSA or ECDH, not [${k.algorithm?.name}]`

package/src/opentdf.ts

@@ -13,7 +13,12 @@ import {
   AssertionConfig,
   AssertionVerificationKeys,
 } from '../tdf3/src/assertions.js';
-import { type KasPublicKeyAlgorithm, OriginAllowList, isPublicKeyAlgorithm } from './access.js';
+import {
+  type KasPublicKeyAlgorithm,
+  OriginAllowList,
+  fetchKeyAccessServers,
+  isPublicKeyAlgorithm,
+} from './access.js';
 import { type Manifest } from '../tdf3/src/models/manifest.js';
 import { type Payload } from '../tdf3/src/models/payload.js';
 import {
@@ -87,6 +92,7 @@ export type CreateNanoTDFOptions = CreateOptions & {
 };
 
 export type CreateNanoTDFCollectionOptions = CreateNanoTDFOptions & {
+  platformUrl: string;
   // The maximum number of key iterations to use for a single DEK.
   maxKeyIterations?: number;
 };
@@ -136,6 +142,8 @@ export type CreateZTDFOptions = CreateOptions & {
 export type ReadOptions = {
   // ciphertext
   source: Source;
+  // Platform URL
+  platformUrl?: string;
   // list of KASes that may be contacted for a rewrap
   allowedKASEndpoints?: string[];
   // Optionally disable checking the allowlist
@@ -157,6 +165,9 @@ export type OpenTDFOptions = {
   // Policy service endpoint
   policyEndpoint?: string;
 
+  // Platform URL
+  platformUrl?: string;
+
   // Auth provider for connections to the policy service and KASes.
   authProvider: AuthProvider;
 
@@ -286,6 +297,7 @@ export type TDFReader = {
 // SDK for dealing with OpenTDF data and policy services.
 export class OpenTDF {
   // Configuration service and more is at this URL/connectRPC endpoint
+  readonly platformUrl: string;
   readonly policyEndpoint: string;
   readonly authProvider: AuthProvider;
   readonly dpopEnabled: boolean;
@@ -305,17 +317,25 @@ export class OpenTDF {
     disableDPoP,
     policyEndpoint,
     rewrapCacheOptions,
+    platformUrl,
   }: OpenTDFOptions) {
     this.authProvider = authProvider;
     this.defaultCreateOptions = defaultCreateOptions || {};
     this.defaultReadOptions = defaultReadOptions || {};
     this.dpopEnabled = !!disableDPoP;
+    if (platformUrl) {
+      this.platformUrl = platformUrl;
+    } else {
+      console.warn(
+        "Warning: 'platformUrl' is required for security to ensure the SDK uses the platform-configured Key Access Server list"
+      );
+    }
     this.policyEndpoint = policyEndpoint || '';
     this.rewrapCache = new RewrapCache(rewrapCacheOptions);
     this.tdf3Client = new TDF3Client({
       authProvider,
       dpopKeys,
-      kasEndpoint: 'https://disallow.all.invalid',
+      kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
       policyEndpoint,
     });
     this.dpopKeys =
@@ -333,8 +353,14 @@ export class OpenTDF {
   }
 
   async createNanoTDF(opts: CreateNanoTDFOptions): Promise<DecoratedStream> {
-    opts = { ...this.defaultCreateOptions, ...opts };
-    const collection = await this.createNanoTDFCollection(opts);
+    opts = {
+      ...this.defaultCreateOptions,
+      ...opts,
+    };
+    const collection = await this.createNanoTDFCollection({
+      ...opts,
+      platformUrl: this.platformUrl,
+    });
     try {
       return await collection.encrypt(opts.source);
     } finally {
@@ -415,6 +441,9 @@ class UnknownTypeReader {
     this.state = 'resolving';
     const chunker = await fromSource(this.opts.source);
     const prefix = await chunker(0, 3);
+    if (!this.opts.platformUrl && this.outer.platformUrl) {
+      this.opts.platformUrl = this.outer.platformUrl;
+    }
     if (prefix[0] === 0x50 && prefix[1] === 0x4b) {
       this.state = 'loaded';
       return new ZTDFReader(this.outer.tdf3Client, this.opts, chunker);
@@ -466,6 +495,13 @@ class NanoTDFReader {
     readonly chunker: Chunker,
     private readonly rewrapCache: RewrapCache
   ) {
+    if (
+      !this.opts.ignoreAllowlist &&
+      !this.opts.platformUrl &&
+      !this.opts.allowedKASEndpoints?.length
+    ) {
+      throw new ConfigurationError('platformUrl is required when allowedKasEndpoints is empty');
+    }
     // lazily load the container
     this.container = new Promise(async (resolve, reject) => {
       try {
@@ -486,13 +522,17 @@ class NanoTDFReader {
       r.header = nanotdf.header;
       return r;
     }
+    const platformUrl = this.opts.platformUrl || this.outer.platformUrl;
+    const kasEndpoint =
+      this.opts.allowedKASEndpoints?.[0] || platformUrl || 'https://disallow.all.invalid';
     const nc = new Client({
       allowedKases: this.opts.allowedKASEndpoints,
       authProvider: this.outer.authProvider,
       ignoreAllowList: this.opts.ignoreAllowlist,
       dpopEnabled: this.outer.dpopEnabled,
       dpopKeys: this.outer.dpopKeys,
-      kasEndpoint: this.opts.allowedKASEndpoints?.[0] || 'https://disallow.all.invalid',
+      kasEndpoint,
+      platformUrl,
     });
     // TODO: The version number should be fetched from the API
     const version = '0.0.1';
@@ -550,10 +590,11 @@ class ZTDFReader {
       noVerify: noVerifyAssertions,
       wrappingKeyAlgorithm,
     } = this.opts;
-    const allowList = new OriginAllowList(
-      this.opts.allowedKASEndpoints ?? [],
-      this.opts.ignoreAllowlist
-    );
+
+    if (!this.opts.ignoreAllowlist && !this.opts.allowedKASEndpoints && !this.opts.platformUrl) {
+      throw new ConfigurationError('platformUrl is required when allowedKasEndpoints is empty');
+    }
+
     const dpopKeys = await this.client.dpopKeys;
 
     const { authProvider, cryptoService } = this.client;
@@ -561,6 +602,17 @@ class ZTDFReader {
       throw new ConfigurationError('authProvider is required');
     }
 
+    let allowList: OriginAllowList | undefined;
+
+    if (this.opts.allowedKASEndpoints?.length || this.opts.ignoreAllowlist) {
+      allowList = new OriginAllowList(
+        this.opts.allowedKASEndpoints || [],
+        this.opts.ignoreAllowlist
+      );
+    } else if (this.opts.platformUrl) {
+      allowList = await fetchKeyAccessServers(this.opts.platformUrl, authProvider);
+    }
+
     const overview = await this.overview;
     const oldStream = await decryptStreamFrom(
       {
@@ -642,10 +694,14 @@ class Collection {
         break;
     }
 
+    const kasEndpoint =
+      opts.defaultKASEndpoint || opts.platformUrl || 'https://disallow.all.invalid';
+
     this.client = new NanoTDFDatasetClient({
       authProvider,
-      kasEndpoint: opts.defaultKASEndpoint ?? 'https://disallow.all.invalid',
+      kasEndpoint: kasEndpoint,
       maxKeyIterations: opts.maxKeyIterations,
+      platformUrl: opts.platformUrl,
     });
   }