@opentdf/sdk 0.8.0-beta.74 → 0.8.0-rc.73

package/src/opentdf.ts

@@ -1,6 +1,11 @@
 import { type AuthProvider } from './auth/providers.js';
 import { ConfigurationError, InvalidFileError } from './errors.js';
+import { type EncryptOptions as NanoEncryptOptions, NanoTDFDatasetClient } from './nanoclients.js';
 export { Client as TDF3Client } from '../tdf3/src/client/index.js';
+import NanoTDF from './nanotdf/NanoTDF.js';
+import decryptNanoTDF from './nanotdf/decrypt.js';
+import Client from './nanotdf/Client.js';
+import Header from './nanotdf/models/Header.js';
 import { Chunker, fromSource, sourceToStream, type Source } from './seekable.js';
 import { Client as TDF3Client } from '../tdf3/src/client/index.js';
 import {
@@ -29,6 +34,7 @@ import {
   type IntegrityAlgorithm,
 } from '../tdf3/src/tdf.js';
 import { base64 } from './encodings/index.js';
+import PolicyType from './nanotdf/enum/PolicyTypeEnum.js';
 import { Policy } from '../tdf3/src/models/policy.js';
 
 export {
@@ -79,6 +85,29 @@ export type CreateOptions = {
   source: Source;
 };
 
+/** Options for creating a NanoTDF. */
+export type CreateNanoTDFOptions = CreateOptions & {
+  /** The type of binding to use for the NanoTDF. */
+  bindingType?: 'ecdsa' | 'gmac';
+
+  /** When creating a new collection, use ECDSA binding with this key id from the signers, instead of the DEK. */
+  ecdsaBindingKeyID?: string;
+
+  /**
+   * When creating a new collection, use the key in the `signers` list with this id
+   * to generate a signature for each element. When absent, the nanotdf is unsigned.
+   */
+  signingKeyID?: string;
+};
+
+/** Options for creating a NanoTDF collection. */
+export type CreateNanoTDFCollectionOptions = CreateNanoTDFOptions & {
+  /** The platform URL. */
+  platformUrl: string;
+  /** The maximum number of key iterations to use for a single DEK. */
+  maxKeyIterations?: number;
+};
+
 /** Metadata for a TDF object. */
 export type Metadata = object;
 
@@ -173,6 +202,9 @@ export type OpenTDFOptions = {
    * which is out of the scope of this library.
    */
   dpopKeys?: Promise<CryptoKeyPair>;
+
+  /** Configuration options for the collection header cache. */
+  rewrapCacheOptions?: RewrapCacheOptions;
 };
 
 /** A decorated readable stream. */
@@ -181,8 +213,86 @@ export type DecoratedStream = ReadableStream<Uint8Array> & {
   metadata?: Promise<unknown>;
   /** The TDF manifest. */
   manifest?: Promise<Manifest>;
+  /** If the source is a NanoTDF, this will be set. */
+  header?: Header;
+};
+
+/** Configuration options for the collection header cache. */
+export type RewrapCacheOptions = {
+  /** If we should disable (bypass) the cache. */
+  bypass?: boolean;
+
+  /** Evict keys after this many milliseconds. */
+  maxAge?: number;
+
+  /** Check for expired keys once every this many milliseconds. */
+  pollInterval?: number;
+};
+
+const defaultRewrapCacheOptions: Required<RewrapCacheOptions> = {
+  bypass: false,
+  maxAge: 300000,
+  pollInterval: 500,
 };
 
+/**
+ * Cache for headers of nanotdf collections, to quickly open multiple entries of the same collection.
+ * It has a demon that removes all keys that have not been accessed in the last 5 minutes.
+ * To cancel the demon, and clear the cache, call `close()`.
+ * */
+export class RewrapCache {
+  private cache?: Map<Uint8Array, { lastAccessTime: number; value: CryptoKey }>;
+  private closer?: ReturnType<typeof setInterval>;
+  constructor(opts?: RewrapCacheOptions) {
+    const { bypass, maxAge, pollInterval } = { ...defaultRewrapCacheOptions, ...opts };
+    if (bypass) {
+      return;
+    }
+    this.cache = new Map();
+    this.closer = setInterval(() => {
+      const now = Date.now();
+      const c = this.cache;
+      if (!c) {
+        return;
+      }
+      for (const [key, value] of c.entries()) {
+        if (now - value.lastAccessTime > maxAge) {
+          c.delete(key);
+        }
+      }
+    }, pollInterval);
+  }
+
+  get(key: Uint8Array): CryptoKey | undefined {
+    if (!this.cache) {
+      return undefined;
+    }
+    const entry = this.cache.get(key);
+    if (entry) {
+      entry.lastAccessTime = Date.now();
+      return entry.value;
+    }
+    return undefined;
+  }
+
+  /** Set a key in the cache. */
+  set(key: Uint8Array, value: CryptoKey) {
+    if (!this.cache) {
+      return;
+    }
+    this.cache.set(key, { lastAccessTime: Date.now(), value });
+  }
+
+  /** Close the cache and release any resources. */
+  close() {
+    if (this.closer !== undefined) {
+      clearInterval(this.closer);
+      delete this.closer;
+      delete this.cache;
+    }
+  }
+}
+
 /**
  * A TDF reader that can decrypt and inspect a TDF file.
  */
@@ -214,6 +324,7 @@ export type TDFReader = {
 
 /**
  * The main OpenTDF class that provides methods for creating and reading TDF files.
+ * It supports both NanoTDF and ZTDF formats.
  * It can be used to create new TDF files and read existing ones.
  * This class is the entry point for using the OpenTDF SDK.
  * It requires an authentication provider to be passed in the constructor.
@@ -258,6 +369,8 @@ export class OpenTDF {
   defaultReadOptions: Omit<ReadOptions, 'source'>;
   /** The DPoP keys for this instance, if any. */
   readonly dpopKeys: Promise<CryptoKeyPair>;
+  /** Cache for rewrapped keys */
+  private readonly rewrapCache: RewrapCache;
   /** The TDF3 client for encrypting and decrypting ZTDF files. */
   readonly tdf3Client: TDF3Client;
 
@@ -268,6 +381,7 @@ export class OpenTDF {
     defaultReadOptions,
     disableDPoP,
     policyEndpoint,
+    rewrapCacheOptions,
     platformUrl,
   }: OpenTDFOptions) {
     this.authProvider = authProvider;
@@ -282,6 +396,7 @@ export class OpenTDF {
       );
     }
     this.policyEndpoint = policyEndpoint || '';
+    this.rewrapCache = new RewrapCache(rewrapCacheOptions);
     this.tdf3Client = new TDF3Client({
       authProvider,
       dpopKeys,
@@ -303,6 +418,33 @@ export class OpenTDF {
       );
   }
 
+  /** Creates a new NanoTDF stream. */
+  async createNanoTDF(opts: CreateNanoTDFOptions): Promise<DecoratedStream> {
+    opts = {
+      ...this.defaultCreateOptions,
+      ...opts,
+    };
+    const collection = await this.createNanoTDFCollection({
+      ...opts,
+      platformUrl: this.platformUrl,
+    });
+    try {
+      return await collection.encrypt(opts.source);
+    } finally {
+      await collection.close();
+    }
+  }
+
+  /**
+   * Creates a new collection object, which can be used to encrypt a series of data with the same policy.
+   */
+  async createNanoTDFCollection(
+    opts: CreateNanoTDFCollectionOptions
+  ): Promise<NanoTDFCollectionWriter> {
+    opts = { ...this.defaultCreateOptions, ...opts };
+    return new Collection(this.authProvider, opts);
+  }
+
   /** Creates a new ZTDF stream. */
   async createZTDF(opts: CreateZTDFOptions): Promise<DecoratedStream> {
     opts = { ...this.defaultCreateOptions, ...opts };
@@ -331,7 +473,7 @@ export class OpenTDF {
   /** Opens a TDF file for inspection and decryption. */
   open(opts: ReadOptions): TDFReader {
     opts = { ...this.defaultReadOptions, ...opts };
-    return new ZTDFReaderWrapper(this, opts);
+    return new UnknownTypeReader(this, opts, this.rewrapCache);
   }
 
   /** Decrypts a TDF file. */
@@ -342,17 +484,18 @@ export class OpenTDF {
 
   /** Closes the OpenTDF instance and releases any resources. */
   close() {
-    // No-op for now, but kept for API compatibility
+    this.rewrapCache.close();
   }
 }
 
-/** A TDF reader wrapper that handles ZTDF files. */
-class ZTDFReaderWrapper {
+/** A TDF reader that can automatically detect the TDF type. */
+class UnknownTypeReader {
   delegate: Promise<TDFReader>;
   state: 'init' | 'resolving' | 'loaded' | 'decrypting' | 'closing' | 'done' | 'error' = 'init';
   constructor(
     readonly outer: OpenTDF,
-    readonly opts: ReadOptions
+    readonly opts: ReadOptions,
+    private readonly rewrapCache: RewrapCache
   ) {
     this.delegate = this.resolveType();
   }
@@ -371,6 +514,9 @@ class ZTDFReaderWrapper {
     if (prefix[0] === 0x50 && prefix[1] === 0x4b) {
       this.state = 'loaded';
       return new ZTDFReader(this.outer.tdf3Client, this.opts, chunker);
+    } else if (prefix[0] === 0x4c && prefix[1] === 0x31 && prefix[2] === 0x4c) {
+      this.state = 'loaded';
+      return new NanoTDFReader(this.outer, this.opts, chunker, this.rewrapCache);
     }
     this.state = 'done';
     throw new InvalidFileError(`unsupported format; prefix not recognized ${prefix}`);
@@ -417,7 +563,117 @@ class ZTDFReaderWrapper {
   }
 }
 
-/** A reader for ZTDF files. */
+/** A TDF reader for NanoTDF files. */
+class NanoTDFReader {
+  container: Promise<NanoTDF>;
+  // Required obligation FQNs that must be fulfilled, provided via the decrypt flow.
+  private requiredObligations?: RequiredObligations;
+  constructor(
+    readonly outer: OpenTDF,
+    readonly opts: ReadOptions,
+    readonly chunker: Chunker,
+    private readonly rewrapCache: RewrapCache
+  ) {
+    if (
+      !this.opts.ignoreAllowlist &&
+      !this.opts.platformUrl &&
+      !this.opts.allowedKASEndpoints?.length
+    ) {
+      throw new ConfigurationError('platformUrl is required when allowedKasEndpoints is empty');
+    }
+    // lazily load the container
+    this.container = new Promise(async (resolve, reject) => {
+      try {
+        const ciphertext = await chunker();
+        const nanotdf = NanoTDF.from(ciphertext);
+        resolve(nanotdf);
+      } catch (e) {
+        reject(e);
+      }
+    });
+  }
+
+  /**
+   * Decrypts the NanoTDF file and returns a decorated stream.
+   * Sets required obligations on the reader when retrieved from KAS rewrap response.
+   */
+  async decrypt(): Promise<DecoratedStream> {
+    const nanotdf = await this.container;
+    const cachedDEK = this.rewrapCache.get(nanotdf.header.ephemeralPublicKey);
+    if (cachedDEK) {
+      const r: DecoratedStream = await streamify(decryptNanoTDF(cachedDEK, nanotdf));
+      r.header = nanotdf.header;
+      return r;
+    }
+    const platformUrl = this.opts.platformUrl || this.outer.platformUrl;
+    const kasEndpoint =
+      this.opts.allowedKASEndpoints?.[0] || platformUrl || 'https://disallow.all.invalid';
+    const nc = new Client({
+      allowedKases: this.opts.allowedKASEndpoints,
+      fulfillableObligationFQNs: this.opts.fulfillableObligationFQNs,
+      authProvider: this.outer.authProvider,
+      ignoreAllowList: this.opts.ignoreAllowlist,
+      dpopEnabled: this.outer.dpopEnabled,
+      dpopKeys: this.outer.dpopKeys,
+      kasEndpoint,
+      platformUrl,
+    });
+    // TODO: The version number should be fetched from the API
+    const version = '0.0.1';
+    // Rewrap key on every request
+    const { unwrappedKey: dek, requiredObligations } = await nc.rewrapKey(
+      nanotdf.header.toBuffer(),
+      nanotdf.header.getKasRewrapUrl(),
+      nanotdf.header.magicNumberVersion,
+      version
+    );
+    if (!dek) {
+      // These should have thrown already.
+      throw new Error('internal: key rewrap failure');
+    }
+    this.requiredObligations = { fqns: requiredObligations };
+    this.rewrapCache.set(nanotdf.header.ephemeralPublicKey, dek);
+    const r: DecoratedStream = await streamify(decryptNanoTDF(dek, nanotdf));
+    // TODO figure out how to attach policy and metadata to the stream
+    r.header = nanotdf.header;
+    return r;
+  }
+
+  async close() {}
+
+  /** Returns blank manifest. NanoTDF has no manifest. */
+  async manifest(): Promise<Manifest> {
+    return {} as Manifest;
+  }
+
+  /** Returns the attributes of the NanoTDF file. */
+  async attributes(): Promise<string[]> {
+    const nanotdf = await this.container;
+    if (!nanotdf.header.policy?.content) {
+      return [];
+    }
+    if (nanotdf.header.policy.type !== PolicyType.EmbeddedText) {
+      throw new Error('unsupported policy type');
+    }
+    const policyString = new TextDecoder().decode(nanotdf.header.policy.content);
+    const policy = JSON.parse(policyString) as Policy;
+    return policy?.body?.dataAttributes.map((a) => a.attribute) || [];
+  }
+
+  /**
+   * Returns obligations populated from the decrypt flow.
+   * If a decrypt has not occurred, attempts one to retrieve obligations.
+   */
+  async obligations(): Promise<RequiredObligations> {
+    if (this.requiredObligations) {
+      return this.requiredObligations;
+    }
+    await this.decrypt();
+    return this.requiredObligations ?? { fqns: [] };
+  }
+}
+
+/** A reader for TDF files. */
 class ZTDFReader {
   overview: Promise<InspectedTDFOverview>;
   // Required obligation FQNs that must be fulfilled, provided via the decrypt flow.
@@ -522,3 +778,84 @@ class ZTDFReader {
     return this.requiredObligations ?? { fqns: [] };
   }
 }
+
+async function streamify(ab: Promise<ArrayBuffer>): Promise<ReadableStream<Uint8Array>> {
+  const stream = new ReadableStream<Uint8Array>({
+    start(controller) {
+      ab.then((arrayBuffer) => {
+        controller.enqueue(new Uint8Array(arrayBuffer));
+        controller.close();
+      });
+    },
+  });
+  return stream;
+}
+
+/** A writer for NanoTDF collections. */
+export type NanoTDFCollectionWriter = {
+  /** The NanoTDF client used for encrypting data in this collection. */
+  encrypt: (source: Source) => Promise<ReadableStream<Uint8Array>>;
+  /** Closes the collection and releases any resources. */
+  close: () => Promise<void>;
+};
+
+class Collection {
+  /** The NanoTDF client used for encrypting data in this collection. */
+  client?: NanoTDFDatasetClient;
+  /** Options for encrypting data in this collection. */
+  encryptOptions?: NanoEncryptOptions;
+
+  constructor(authProvider: AuthProvider, opts: CreateNanoTDFCollectionOptions) {
+    if (opts.signers || opts.signingKeyID) {
+      throw new ConfigurationError('ntdf signing not implemented');
+    }
+    if (opts.autoconfigure) {
+      throw new ConfigurationError('autoconfigure not implemented');
+    }
+    if (opts.ecdsaBindingKeyID) {
+      throw new ConfigurationError('custom binding key not implemented');
+    }
+    switch (opts.bindingType) {
+      case 'ecdsa':
+        this.encryptOptions = { ecdsaBinding: true };
+        break;
+      case 'gmac':
+        this.encryptOptions = { ecdsaBinding: false };
+        break;
+    }
+
+    const kasEndpoint =
+      opts.defaultKASEndpoint || opts.platformUrl || 'https://disallow.all.invalid';
+
+    this.client = new NanoTDFDatasetClient({
+      authProvider,
+      kasEndpoint: kasEndpoint,
+      maxKeyIterations: opts.maxKeyIterations,
+      platformUrl: opts.platformUrl,
+    });
+    this.client.dataAttributes = opts.attributes || [];
+  }
+
+  /** Encrypts a source into a NanoTDF stream. */
+  async encrypt(source: Source): Promise<DecoratedStream> {
+    if (!this.client) {
+      throw new ConfigurationError('Collection is closed');
+    }
+    const chunker = await fromSource(source);
+    const cipherChunk = await this.client.encrypt(await chunker(), this.encryptOptions);
+    const stream: DecoratedStream = new ReadableStream<Uint8Array>({
+      start(controller) {
+        controller.enqueue(new Uint8Array(cipherChunk));
+        controller.close();
+      },
+    });
+    // TODO: client's header object is private
+    // stream.header = this.client.header;
+    return stream;
+  }
+
+  /** Releases client resources. */
+  async close() {
+    delete this.client;
+  }
+}

package/src/tdf/NanoTDF/NanoTDF.ts

@@ -0,0 +1,120 @@
+enum CipherType {
+  Aes256Gcm64, // Default cipher
+  Aes256Gcm96,
+  Aes256Gcm104,
+  Aes256Gcm112,
+  Aes256Gcm120,
+  Aes256Gcm128,
+}
+
+/**
+ * The Signature ECC Mode is used to determine the length of the signature at the end of a nanotdf. This, in
+ * combination with the previous HAS_SIGNATURE section, describe the signature of the nanotdf. The following table
+ * describes the valid values and the associated ECC Params.
+ */
+enum CurveName {
+  Secp256R1,
+  Secp384R1,
+  Secp521R1,
+}
+
+export enum ResourceLocatorProtocol {
+  Http,
+  Https,
+  Unreserverd,
+  SharedResourceDirectory = 0xff,
+}
+
+export enum PolicyType {
+  Remote,
+  EmbeddedText,
+  EmbeddedEncrypted, // Default policy
+  EmbeddedEncryptedPKA, // Todo: Not implemented
+}
+
+/**
+ * Resource Locator interface
+ */
+export interface ResourceLocator {
+  protocol: ResourceLocatorProtocol;
+  length: number;
+  body: string;
+}
+
+/**
+ * Policy interface
+ */
+export interface Policy {
+  type: PolicyType;
+  binding: Uint8Array;
+}
+
+/**
+ * Remote policy interface
+ */
+export interface RemotePolicy extends Policy {
+  protocol: ResourceLocatorProtocol;
+  urn: string;
+}
+
+/**
+ * Embedded policy interface
+ */
+export interface EmbeddedPolicy extends Policy {
+  content: Uint8Array;
+}
+
+/**
+ * Header interface
+ */
+export interface Header {
+  // Magic Number & Version
+  magicNumberVersion: Uint8Array;
+
+  // KAS Resource Locator
+  kas: ResourceLocator;
+
+  // ECC & Binding Mode
+  useECDSABinding: boolean;
+  ephemeralCurveName: CurveName;
+
+  // Symmetric & Payload Config
+  hasSignature: boolean;
+  signatureCurveName: CurveName;
+  symmetricCipher: CipherType;
+  // Auth tag length is not part of the spec, but is needed for decrypt
+  authTagLength: number;
+
+  // Policy
+  policy: RemotePolicy | EmbeddedPolicy;
+
+  // Ephemeral Public Key
+  ephemeralPublicKey: Uint8Array;
+}
+
+/**
+ * Payload interface
+ */
+export interface Payload {
+  iv: Uint8Array;
+  ciphertext: Uint8Array;
+  authTag: Uint8Array;
+  ciphertextAuthTag: Uint8Array;
+}
+
+/**
+ * Signature interface
+ */
+export interface Signature {
+  publicKey: Uint8Array;
+  signature: Uint8Array;
+}
+
+/**
+ * NanoTDF interface
+ */
+export interface NanoTDF {
+  header: Header;
+  payload: Payload;
+  signature: Signature;
+}

package/src/types/index.ts

@@ -0,0 +1,55 @@
+import PolicyTypeEnum from '../nanotdf/enum/PolicyTypeEnum.js';
+
+export type InputSource =
+  | ReadableStream<Uint8Array>
+  | Uint8Array
+  | string
+  | ArrayBuffer
+  | Promise<ReadableStream<Uint8Array>>;
+
+type Header = {
+  magicNumberVersion: string[];
+  kas: {
+    protocol: number;
+    length: number;
+    body: string;
+  };
+  eccBindingMode: {
+    useECDSABinding: boolean;
+    ephemeralCurveName: number;
+  };
+  symmetricPayloadConfig: {
+    hasSignature: boolean;
+    signatureCurveName: number;
+    symmetricCipher: number;
+  };
+  ephemeralPublicKey: string[];
+};
+
+type HeaderPolicy = {
+  type: PolicyTypeEnum;
+  content: string[];
+  binding: string[];
+};
+
+type RemotePolicy = {
+  protocol: number;
+  length: number;
+  body: string;
+};
+
+export type PlainEmbeddedHeader = Header & {
+  policy: HeaderPolicy;
+};
+
+export type EmbeddedHeader = Header & {
+  policy: HeaderPolicy;
+};
+
+export type RemoteHeader = Header & {
+  policy: {
+    type: PolicyTypeEnum;
+    remotePolicy: RemotePolicy;
+    binding: string[];
+  };
+};

package/src/utils.ts

@@ -1,7 +1,7 @@
 import { exportSPKI, importX509 } from 'jose';
 
 import { base64 } from './encodings/index.js';
-import { pemCertToCrypto, pemPublicToCrypto } from './crypto/pemPublicToCrypto.js';
+import { pemCertToCrypto, pemPublicToCrypto } from './nanotdf-crypto/pemPublicToCrypto.js';
 import { ConfigurationError } from './errors.js';
 import {
   RewrapResponse,

package/tdf3/index.ts

@@ -27,8 +27,13 @@ import {
 } from './src/models/encryption-information.js';
 import { AuthProvider, type HttpMethod, HttpRequest, withHeaders } from '../src/auth/auth.js';
 import { AesGcmCipher } from './src/ciphers/aes-gcm-cipher.js';
-import * as AuthProviders from '../src/auth/providers.js';
-import { version, clientType } from '../src/version.js';
+import {
+  NanoTDFClient,
+  NanoTDFDatasetClient,
+  AuthProviders,
+  version,
+  clientType,
+} from '../src/nanoindex.js';
 import { Algorithms, type AlgorithmName, type AlgorithmUrn } from './src/ciphers/algorithms.js';
 import { type Chunker } from '../src/seekable.js';
 
@@ -66,6 +71,8 @@ export {
   Errors,
   HttpRequest,
   KeyInfo,
+  NanoTDFClient,
+  NanoTDFDatasetClient,
   SplitKey,
   TDF3Client,
   clientType,
@@ -76,11 +83,14 @@ export {
 
 export * as WebCryptoService from './src/crypto/index.js';
 export {
+  type CreateNanoTDFCollectionOptions,
+  type CreateNanoTDFOptions,
   type CreateOptions,
   type CreateZTDFOptions,
   type DecoratedStream,
   type Keys,
   type OpenTDFOptions,
+  type NanoTDFCollectionWriter,
   type ReadOptions,
   type TDFReader,
   OpenTDF,

package/tdf3/src/models/key-access.ts

@@ -1,7 +1,7 @@
 import { base64, hex } from '../../../src/encodings/index.js';
-import { generateRandomNumber } from '../../../src/crypto/generateRandomNumber.js';
-import { keyAgreement } from '../../../src/crypto/keyAgreement.js';
-import { pemPublicToCrypto } from '../../../src/crypto/pemPublicToCrypto.js';
+import { generateRandomNumber } from '../../../src/nanotdf-crypto/generateRandomNumber.js';
+import { keyAgreement } from '../../../src/nanotdf-crypto/keyAgreement.js';
+import { pemPublicToCrypto } from '../../../src/nanotdf-crypto/pemPublicToCrypto.js';
 import { cryptoPublicToPem } from '../../../src/utils.js';
 import { Binary } from '../binary.js';
 import * as cryptoService from '../crypto/index.js';

package/tdf3/src/tdf.ts

@@ -29,9 +29,9 @@ import {
   UnsafeUrlError,
   UnsupportedFeatureError as UnsupportedError,
 } from '../../src/errors.js';
-import { generateKeyPair } from '../../src/crypto/generateKeyPair.js';
-import { keyAgreement } from '../../src/crypto/keyAgreement.js';
-import { pemPublicToCrypto } from '../../src/crypto/pemPublicToCrypto.js';
+import { generateKeyPair } from '../../src/nanotdf-crypto/generateKeyPair.js';
+import { keyAgreement } from '../../src/nanotdf-crypto/keyAgreement.js';
+import { pemPublicToCrypto } from '../../src/nanotdf-crypto/pemPublicToCrypto.js';
 import { type Chunker } from '../../src/seekable.js';
 import { tdfSpecVersion } from '../../src/version.js';
 import { AssertionConfig, AssertionKey, AssertionVerificationKeys } from './assertions.js';