@opentdf/sdk 0.4.1-rc.37 → 0.5.0-beta.42

package/tdf3/src/tdf.ts

@@ -55,6 +55,7 @@ import { ZipReader, ZipWriter, keyMerge, concatUint8, buffToString } from './uti
 import { CentralDirectory } from './utils/zip-reader.js';
 import { ztdfSalt } from './crypto/salt.js';
 import { Payload } from './models/payload.js';
+import { getRequiredObligationFQNs } from '../../src/utils.js';
 
 // TODO: input validation on manifest JSON
 const DEFAULT_SEGMENT_SIZE = 1024 * 1024;
@@ -147,10 +148,12 @@ export type EncryptConfiguration = {
   keyForEncryption: KeyInfo;
   keyForManifest: KeyInfo;
   assertionConfigs?: AssertionConfig[];
+  systemMetadataAssertion?: boolean;
   tdfSpecVersion?: string;
 };
 
 export type DecryptConfiguration = {
+  fulfillableObligations: string[];
   allowedKases?: string[];
   allowList?: OriginAllowList;
   authProvider: AuthProvider;
@@ -197,8 +200,15 @@ export type RewrapResponse = {
  */
 export async function fetchKasPublicKey(
   kas: string,
-  algorithm?: KasPublicKeyAlgorithm
+  algorithm?: KasPublicKeyAlgorithm,
+  kid?: string
 ): Promise<KasPublicKeyInfo> {
+  if (kid) {
+    // Some specific thing for fetching a key by kid?
+    // Currently this is just "using" `kid` so TypeScript doesn't complain and
+    // we can use the type for our cache parameters.
+    // So this empty `if` is actually doing something.
+  }
   return fetchKasPubKeyV2(kas, algorithm);
 }
 
@@ -527,8 +537,24 @@ export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedR
         manifest.encryptionInformation.integrityInformation.segments = segmentInfos;
 
         manifest.encryptionInformation.method.isStreamable = true;
-
         const signedAssertions: assertions.Assertion[] = [];
+        if (cfg.systemMetadataAssertion) {
+          const systemMetadataConfigBase = assertions.getSystemMetadataAssertionConfig();
+          const signingKeyForSystemMetadata: AssertionKey = {
+            alg: 'HS256', // Default algorithm, can be configured if needed
+            key: new Uint8Array(cfg.keyForEncryption.unwrappedKeyBinary.asArrayBuffer()),
+          };
+          signedAssertions.push(
+            await assertions.CreateAssertion(
+              aggregateHash,
+              {
+                ...systemMetadataConfigBase, // Spread the properties from the base config
+                signingKey: signingKeyForSystemMetadata, // Add the signing key
+              },
+              cfg.tdfSpecVersion // Pass the TDF spec version
+            )
+          );
+        }
         if (cfg.assertionConfigs && cfg.assertionConfigs.length > 0) {
           await Promise.all(
             cfg.assertionConfigs.map(async (assertionConfig) => {
@@ -711,6 +737,7 @@ export function splitLookupTableFactory(
 type RewrapResponseData = {
   key: Uint8Array;
   metadata: Record<string, unknown>;
+  requiredObligations: string[];
 };
 
 async function unwrapKey({
@@ -721,6 +748,7 @@ async function unwrapKey({
   concurrencyLimit,
   cryptoService,
   wrappingKeyAlgorithm,
+  fulfillableObligations,
 }: {
   manifest: Manifest;
   allowedKases: OriginAllowList;
@@ -729,6 +757,7 @@ async function unwrapKey({
   dpopKeys: CryptoKeyPair;
   cryptoService: CryptoService;
   wrappingKeyAlgorithm?: KasPublicKeyAlgorithm;
+  fulfillableObligations: string[];
 }) {
   if (authProvider === undefined) {
     throw new ConfigurationError(
@@ -764,11 +793,14 @@ async function unwrapKey({
     const jwtPayload = { requestBody: requestBodyStr };
     const signedRequestToken = await reqSignature(jwtPayload, dpopKeys.privateKey);
 
-    const { entityWrappedKey, metadata, sessionPublicKey } = await fetchWrappedKey(
+    const rewrapResp = await fetchWrappedKey(
       url,
       signedRequestToken,
-      authProvider
+      authProvider,
+      fulfillableObligations
     );
+    const { entityWrappedKey, metadata, sessionPublicKey } = rewrapResp;
+    const requiredObligations = getRequiredObligationFQNs(rewrapResp);
 
     if (wrappingKeyAlgorithm === 'ec:secp256r1') {
       const serverEphemeralKey: CryptoKey = await pemPublicToCrypto(sessionPublicKey);
@@ -786,6 +818,7 @@ async function unwrapKey({
       return {
         key: new Uint8Array(dek),
         metadata,
+        requiredObligations,
       };
     }
     const key = Binary.fromArrayBuffer(entityWrappedKey);
@@ -797,6 +830,7 @@ async function unwrapKey({
     return {
       key: new Uint8Array(decryptedKeyBinary.asByteArray()),
       metadata,
+      requiredObligations,
     };
   }
 
@@ -826,12 +860,20 @@ async function unwrapKey({
     splitPromises[splitId] = () => anyPool(poolSize, anyPromises);
   }
   try {
-    const splitResults = await allPool(poolSize, splitPromises);
-    // Merge all the split keys
-    const reconstructedKey = keyMerge(splitResults.map((r) => r.key));
+    const rewrapResponseData = await allPool(poolSize, splitPromises);
+    const splitKeys = [];
+    const requiredObligations = new Set<string>();
+    for (const resp of rewrapResponseData) {
+      splitKeys.push(resp.key);
+      for (const requiredObligation of resp.requiredObligations) {
+        requiredObligations.add(requiredObligation.toLowerCase());
+      }
+    }
+    const reconstructedKey = keyMerge(splitKeys);
     return {
       reconstructedKeyBinary: Binary.fromArrayBuffer(reconstructedKey),
-      metadata: splitResults[0].metadata, // Use metadata from first split
+      metadata: rewrapResponseData[0].metadata, // Use metadata from first split
+      requiredObligations: [...requiredObligations],
     };
   } catch (e) {
     if (e instanceof AggregateError) {
@@ -1015,7 +1057,8 @@ export async function decryptStreamFrom(
     segmentSizeDefault,
     segments,
   } = manifest.encryptionInformation.integrityInformation;
-  const { metadata, reconstructedKeyBinary } = await unwrapKey({
+  const { metadata, reconstructedKeyBinary, requiredObligations } = await unwrapKey({
+    fulfillableObligations: cfg.fulfillableObligations,
     manifest,
     authProvider: cfg.authProvider,
     allowedKases: allowList,
@@ -1138,6 +1181,7 @@ export async function decryptStreamFrom(
 
   const outputStream = new DecoratedReadableStream(underlyingSource);
 
+  outputStream.requiredObligations = requiredObligations;
   outputStream.manifest = manifest;
   outputStream.metadata = metadata;
   return outputStream;

package/tdf3/src/utils/unwrap.ts

@@ -3,7 +3,8 @@ import { InvalidFileError } from '../../../src/errors.js';
 
 export function unwrapHtml(htmlPayload: Uint8Array): Uint8Array {
   const html = new TextDecoder().decode(htmlPayload);
-  const payloadRe = /<input id=['"]?data-input['"]?[^>]*?value=['"]?([a-zA-Z0-9+/=]+)['"]?/;
+  const payloadRe =
+    /<input\s+[^>]*id=(?:['"]?)data-input(?:['"]?)[^>]*value=(?:['"]?)([a-zA-Z0-9+/=\-_]+)(?:['"]?)/;
   const reResult = payloadRe.exec(html);
   if (!reResult) {
     throw new InvalidFileError('Payload is missing');