npm - @opentdf/sdk - Versions diffs - 0.3.2-beta.2468 → 0.3.2-beta.3 - Mend

@opentdf/sdk 0.3.2-beta.2468 → 0.3.2-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/dist/cjs/src/access/access-rpc.js +49 -1
package/dist/cjs/src/access.js +50 -16
package/dist/cjs/src/nanotdf-crypto/keyAgreement.js +2 -2
package/dist/cjs/src/opentdf.js +8 -5
package/dist/cjs/src/version.js +2 -2
package/dist/cjs/tdf3/src/client/index.js +3 -4
package/dist/cjs/tdf3/src/tdf.js +2 -2
package/dist/types/src/access/access-rpc.d.ts +8 -0
package/dist/types/src/access/access-rpc.d.ts.map +1 -1
package/dist/types/src/access.d.ts +15 -4
package/dist/types/src/access.d.ts.map +1 -1
package/dist/types/src/opentdf.d.ts.map +1 -1
package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
package/dist/web/src/access/access-rpc.js +49 -2
package/dist/web/src/access.js +51 -17
package/dist/web/src/nanotdf-crypto/keyAgreement.js +2 -2
package/dist/web/src/opentdf.js +8 -5
package/dist/web/src/version.js +2 -2
package/dist/web/tdf3/src/client/index.js +3 -4
package/dist/web/tdf3/src/tdf.js +2 -2
package/package.json +1 -1
package/src/access/access-rpc.ts +68 -0
package/src/access.ts +59 -17
package/src/nanotdf-crypto/keyAgreement.ts +1 -1
package/src/opentdf.ts +10 -4
package/src/version.ts +1 -1
package/tdf3/src/client/index.ts +2 -3
package/tdf3/src/tdf.ts +1 -1

package/src/access.ts CHANGED Viewed

@@ -3,7 +3,10 @@ import { ServiceError } from './errors.js';
 import { RewrapResponse } from './platform/kas/kas_pb.js';
 import { getPlatformUrlFromKasEndpoint, validateSecureUrl } from './utils.js';
-import { fetchKeyAccessServers as fetchKeyAccessServersRpc } from './access/access-rpc.js';
+import {
+  fetchKasBasePubKey,
+  fetchKeyAccessServers as fetchKeyAccessServersRpc,
+} from './access/access-rpc.js';
 import { fetchKeyAccessServers as fetchKeyAccessServersLegacy } from './access/access-fetch.js';
 import { fetchWrappedKey as fetchWrappedKeysRpc } from './access/access-rpc.js';
 import { fetchWrappedKey as fetchWrappedKeysLegacy } from './access/access-fetch.js';
@@ -39,30 +42,44 @@ export async function fetchWrappedKey(
   );
 }
-export type KasPublicKeyAlgorithm = 'ec:secp256r1' | 'rsa:2048';
+export type KasPublicKeyAlgorithm =
+  | 'ec:secp256r1'
+  | 'ec:secp384r1'
+  | 'ec:secp521r1'
+  | 'rsa:2048'
+  | 'rsa:4096';
 export const isPublicKeyAlgorithm = (a: string): a is KasPublicKeyAlgorithm => {
   return a === 'ec:secp256r1' || a === 'rsa:2048';
 };
-export const keyAlgorithmToPublicKeyAlgorithm = (a: KeyAlgorithm): KasPublicKeyAlgorithm => {
+export const keyAlgorithmToPublicKeyAlgorithm = (k: CryptoKey): KasPublicKeyAlgorithm => {
+  const a = k.algorithm;
   if (a.name === 'ECDSA' || a.name === 'ECDH') {
     const eca = a as EcKeyAlgorithm;
-    if (eca.namedCurve === 'P-256') {
-      return 'ec:secp256r1';
+    switch (eca.namedCurve) {
+      case 'P-256':
+        return 'ec:secp256r1';
+      case 'P-384':
+        return 'ec:secp384r1';
+      case 'P-521':
+        return 'ec:secp521r1';
+      default:
+        throw new Error(`unsupported EC curve: ${eca.namedCurve}`);
     }
-    throw new Error(`unsupported EC curve: ${eca.namedCurve}`);
   }
-  if (a.name === 'RSA-OAEP') {
+  if (a.name === 'RSA-OAEP' || a.name === 'RSASSA-PKCS1-v1_5') {
     const rsaa = a as RsaHashedKeyAlgorithm;
-    if (rsaa.modulusLength === 2048) {
-      // if (rsaa.hash.name !== 'RSASSA-PKCS1-v1_5') {
-      //   throw new Error(`unsupported RSA hash: ${rsaa.hash.name}`);
-      // }
-      if (rsaa.publicExponent.toString() !== '1,0,1') {
-        throw new Error(`unsupported RSA public exponent: ${rsaa.publicExponent}`);
-      }
-      return 'rsa:2048';
+    if (rsaa.publicExponent.toString() !== '1,0,1') {
+      throw new Error(`unsupported RSA public exponent: ${rsaa.publicExponent}`);
+    }
+    switch (rsaa.modulusLength) {
+      case 2048:
+        return 'rsa:2048';
+      case 4096:
+        return 'rsa:4096';
+      default:
+        throw new Error(`unsupported RSA modulus length: ${rsaa.modulusLength}`);
     }
   }
   throw new Error(`unsupported key algorithm: ${a.name}`);
@@ -74,6 +91,14 @@ export const publicKeyAlgorithmToJwa = (a: KasPublicKeyAlgorithm): string => {
       return 'ES256';
     case 'rsa:2048':
       return 'RS256';
+    case 'rsa:4096':
+      return 'RS512';
+    case 'ec:secp384r1':
+      return 'ES384';
+    case 'ec:secp521r1':
+      return 'ES512';
+    default:
+      throw new Error(`unsupported public key algorithm: ${a}`);
   }
 };
@@ -122,17 +147,34 @@ export async function fetchKeyAccessServers(
 }
 /**
- * If we have KAS url but not public key we can fetch it from KAS, fetching
- * the value from `${kas}/kas_public_key`.
+ * Fetch the EC (secp256r1) public key for a KAS endpoint.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @returns The public key information for the KAS endpoint.
  */
 export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
   return fetchKasPubKey(kasEndpoint, 'ec:secp256r1');
 }
+/**
+ * Fetch the public key for a KAS endpoint.
+ * This function will first try to fetch the base public key,
+ * then it will try to fetch the public key using the RPC method,
+ * and finally it will try to fetch the public key using the legacy method.
+ * If all attempts fail, it will return the error from RPC Public Key fetch.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @param algorithm Optional algorithm to fetch the public key for.
+ * @returns The public key information.
+ */
 export async function fetchKasPubKey(
   kasEndpoint: string,
   algorithm?: KasPublicKeyAlgorithm
 ): Promise<KasPublicKeyInfo> {
+  try {
+    return await fetchKasBasePubKey(kasEndpoint);
+  } catch (e) {
+    console.log(e);
+  }
   return await tryPromisesUntilFirstSuccess(
     () => fetchKasPubKeyRpc(kasEndpoint, algorithm),
     () => fetchKasPubKeyLegacy(kasEndpoint, algorithm)

package/src/nanotdf-crypto/keyAgreement.ts CHANGED Viewed

@@ -71,7 +71,7 @@ export async function keyAgreement(
   }
 ): Promise<CryptoKey> {
   for (const k of [privateKey, publicKey]) {
-    const mechanism = keyAlgorithmToPublicKeyAlgorithm(k.algorithm);
+    const mechanism = keyAlgorithmToPublicKeyAlgorithm(k);
     if (mechanism !== 'ec:secp256r1') {
       throw new ConfigurationError(
         `${k.type} CryptoKey is expected to be of type ECDSA or ECDH, not [${k.algorithm?.name}]`

package/src/opentdf.ts CHANGED Viewed

@@ -335,7 +335,7 @@ export class OpenTDF {
     this.tdf3Client = new TDF3Client({
       authProvider,
       dpopKeys,
-      kasEndpoint: 'https://disallow.all.invalid',
+      kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
       policyEndpoint,
     });
     this.dpopKeys =
@@ -522,14 +522,17 @@ class NanoTDFReader {
       r.header = nanotdf.header;
       return r;
     }
+    const platformUrl = this.opts.platformUrl || this.outer.platformUrl;
+    const kasEndpoint =
+      this.opts.allowedKASEndpoints?.[0] || platformUrl || 'https://disallow.all.invalid';
     const nc = new Client({
       allowedKases: this.opts.allowedKASEndpoints,
       authProvider: this.outer.authProvider,
       ignoreAllowList: this.opts.ignoreAllowlist,
       dpopEnabled: this.outer.dpopEnabled,
       dpopKeys: this.outer.dpopKeys,
-      kasEndpoint: this.opts.allowedKASEndpoints?.[0] || 'https://disallow.all.invalid',
-      platformUrl: this.opts.platformUrl || this.outer.platformUrl,
+      kasEndpoint,
+      platformUrl,
     });
     // TODO: The version number should be fetched from the API
     const version = '0.0.1';
@@ -691,9 +694,12 @@ class Collection {
         break;
     }
+    const kasEndpoint =
+      opts.defaultKASEndpoint || opts.platformUrl || 'https://disallow.all.invalid';
     this.client = new NanoTDFDatasetClient({
       authProvider,
-      kasEndpoint: opts.defaultKASEndpoint ?? 'https://disallow.all.invalid',
+      kasEndpoint: kasEndpoint,
       maxKeyIterations: opts.maxKeyIterations,
       platformUrl: opts.platformUrl,
     });

package/src/version.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * Exposes the released version number of the `@opentdf/sdk` package
  */
-export const version = '0.3.2';
+export const version = '0.3.2'; // x-release-please-version
 /**
  * A string name used to label requests as coming from this library client.

package/tdf3/src/client/index.ts CHANGED Viewed

@@ -79,7 +79,7 @@ export const resolveKasInfo = async (
   kid?: string
 ): Promise<KasPublicKeyInfo> => {
   const k: CryptoKey = await pemToCryptoPublicKey(pem);
-  const algorithm = keyAlgorithmToPublicKeyAlgorithm(k.algorithm);
+  const algorithm = keyAlgorithmToPublicKeyAlgorithm(k);
   return {
     key: Promise.resolve(k),
     publicKey: pem,
@@ -398,7 +398,7 @@ export class Client {
       keyMiddleware = defaultKeyMiddleware,
       streamMiddleware = async (stream: DecoratedReadableStream) => stream,
       tdfSpecVersion,
-      wrappingKeyAlgorithm = 'rsa:2048',
+      wrappingKeyAlgorithm,
     } = opts;
     const scope = opts.scope ?? { attributes: [], dissem: [] };
@@ -462,7 +462,6 @@ export class Client {
         ? maxByteLimit
         : opts.byteLimit;
     const encryptionInformation = new SplitKey(new AesGcmCipher(this.cryptoService));
-    // TODO KAS: check here
     const splits: SplitStep[] = splitPlan?.length
       ? splitPlan
       : [{ kas: opts.defaultKASEndpoint ?? this.kasEndpoint }];

package/tdf3/src/tdf.ts CHANGED Viewed

@@ -199,7 +199,7 @@ export async function fetchKasPublicKey(
   kas: string,
   algorithm?: KasPublicKeyAlgorithm
 ): Promise<KasPublicKeyInfo> {
-  return fetchKasPubKeyV2(kas, algorithm || 'rsa:2048');
+  return fetchKasPubKeyV2(kas, algorithm);
 }
 export async function extractPemFromKeyString(