npm - @opentdf/sdk - Versions diffs - 0.9.0-beta.91 → 0.9.0-beta.93 - Mend

@opentdf/sdk 0.9.0-beta.91 → 0.9.0-beta.93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (182) hide show

package/dist/cjs/src/access/access-fetch.js +1 -2
package/dist/cjs/src/access/access-rpc.js +1 -3
package/dist/cjs/src/access.js +1 -14
package/dist/cjs/src/auth/auth.js +13 -10
package/dist/cjs/src/auth/dpop.js +121 -0
package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +37 -3
package/dist/cjs/src/auth/oidc-externaljwt-provider.js +37 -3
package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +37 -3
package/dist/cjs/src/auth/oidc.js +10 -8
package/dist/cjs/src/auth/providers.js +35 -12
package/dist/cjs/src/crypto/index.js +16 -2
package/dist/cjs/src/crypto/pemPublicToCrypto.js +17 -11
package/dist/cjs/src/opentdf.js +40 -10
package/dist/cjs/tdf3/index.js +4 -2
package/dist/cjs/tdf3/src/assertions.js +71 -31
package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
package/dist/cjs/tdf3/src/client/index.js +23 -33
package/dist/cjs/tdf3/src/crypto/crypto-utils.js +12 -5
package/dist/cjs/tdf3/src/crypto/declarations.js +1 -1
package/dist/cjs/tdf3/src/crypto/index.js +849 -88
package/dist/cjs/tdf3/src/crypto/jose/jwt-claims-set.js +11 -0
package/dist/cjs/tdf3/src/crypto/jose/validate-crit.js +8 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +41 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/epoch.js +6 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/is_object.js +21 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +112 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/secs.js +60 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +38 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/util/errors.js +135 -0
package/dist/cjs/tdf3/src/crypto/jwt.js +183 -0
package/dist/cjs/tdf3/src/crypto/salt.js +14 -8
package/dist/cjs/tdf3/src/models/encryption-information.js +17 -20
package/dist/cjs/tdf3/src/models/key-access.js +43 -63
package/dist/cjs/tdf3/src/tdf.js +75 -75
package/dist/cjs/tdf3/src/utils/index.js +5 -39
package/dist/types/src/access/access-fetch.d.ts.map +1 -1
package/dist/types/src/access/access-rpc.d.ts.map +1 -1
package/dist/types/src/access.d.ts +0 -5
package/dist/types/src/access.d.ts.map +1 -1
package/dist/types/src/auth/auth.d.ts +9 -6
package/dist/types/src/auth/auth.d.ts.map +1 -1
package/dist/types/src/auth/dpop.d.ts +60 -0
package/dist/types/src/auth/dpop.d.ts.map +1 -0
package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc-externaljwt-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-externaljwt-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc.d.ts +6 -4
package/dist/types/src/auth/oidc.d.ts.map +1 -1
package/dist/types/src/auth/providers.d.ts +5 -4
package/dist/types/src/auth/providers.d.ts.map +1 -1
package/dist/types/src/crypto/index.d.ts +2 -1
package/dist/types/src/crypto/index.d.ts.map +1 -1
package/dist/types/src/crypto/pemPublicToCrypto.d.ts +18 -0
package/dist/types/src/crypto/pemPublicToCrypto.d.ts.map +1 -1
package/dist/types/src/opentdf.d.ts +13 -4
package/dist/types/src/opentdf.d.ts.map +1 -1
package/dist/types/tdf3/index.d.ts +3 -3
package/dist/types/tdf3/index.d.ts.map +1 -1
package/dist/types/tdf3/src/assertions.d.ts +23 -8
package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts +3 -3
package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts.map +1 -1
package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts +4 -4
package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts.map +1 -1
package/dist/types/tdf3/src/client/builders.d.ts +2 -2
package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
package/dist/types/tdf3/src/client/index.d.ts +6 -5
package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts +14 -4
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/declarations.d.ts +283 -18
package/dist/types/tdf3/src/crypto/declarations.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/index.d.ts +105 -28
package/dist/types/tdf3/src/crypto/index.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts +5 -0
package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts +6 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts +76 -0
package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jwt.d.ts +76 -0
package/dist/types/tdf3/src/crypto/jwt.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/salt.d.ts +6 -1
package/dist/types/tdf3/src/crypto/salt.d.ts.map +1 -1
package/dist/types/tdf3/src/models/encryption-information.d.ts +4 -4
package/dist/types/tdf3/src/models/encryption-information.d.ts.map +1 -1
package/dist/types/tdf3/src/models/key-access.d.ts +8 -5
package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
package/dist/types/tdf3/src/tdf.d.ts +8 -8
package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/index.d.ts +4 -3
package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
package/dist/web/src/access/access-fetch.js +3 -4
package/dist/web/src/access/access-rpc.js +3 -5
package/dist/web/src/access.js +1 -13
package/dist/web/src/auth/auth.js +13 -10
package/dist/web/src/auth/dpop.js +118 -0
package/dist/web/src/auth/oidc-clientcredentials-provider.js +4 -3
package/dist/web/src/auth/oidc-externaljwt-provider.js +4 -3
package/dist/web/src/auth/oidc-refreshtoken-provider.js +4 -3
package/dist/web/src/auth/oidc.js +11 -9
package/dist/web/src/auth/providers.js +13 -12
package/dist/web/src/crypto/index.js +4 -2
package/dist/web/src/crypto/pemPublicToCrypto.js +11 -9
package/dist/web/src/opentdf.js +7 -10
package/dist/web/tdf3/index.js +3 -2
package/dist/web/tdf3/src/assertions.js +71 -31
package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
package/dist/web/tdf3/src/client/index.js +25 -35
package/dist/web/tdf3/src/crypto/crypto-utils.js +12 -5
package/dist/web/tdf3/src/crypto/declarations.js +1 -1
package/dist/web/tdf3/src/crypto/index.js +830 -84
package/dist/web/tdf3/src/crypto/jose/jwt-claims-set.js +5 -0
package/dist/web/tdf3/src/crypto/jose/validate-crit.js +3 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +35 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/epoch.js +4 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/is_object.js +19 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +107 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/secs.js +58 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +36 -0
package/dist/web/tdf3/src/crypto/jose/vendor/util/errors.js +117 -0
package/dist/web/tdf3/src/crypto/jwt.js +174 -0
package/dist/web/tdf3/src/crypto/salt.js +13 -7
package/dist/web/tdf3/src/models/encryption-information.js +11 -14
package/dist/web/tdf3/src/models/key-access.js +44 -31
package/dist/web/tdf3/src/tdf.js +71 -71
package/dist/web/tdf3/src/utils/index.js +5 -6
package/package.json +11 -4
package/src/access/access-fetch.ts +2 -8
package/src/access/access-rpc.ts +0 -7
package/src/access.ts +0 -17
package/src/auth/auth.ts +21 -12
package/src/auth/dpop.ts +222 -0
package/src/auth/oidc-clientcredentials-provider.ts +23 -15
package/src/auth/oidc-externaljwt-provider.ts +23 -15
package/src/auth/oidc-refreshtoken-provider.ts +23 -15
package/src/auth/oidc.ts +21 -10
package/src/auth/providers.ts +46 -29
package/src/crypto/index.ts +21 -1
package/src/crypto/pemPublicToCrypto.ts +11 -9
package/src/opentdf.ts +19 -14
package/tdf3/index.ts +32 -5
package/tdf3/src/assertions.ts +99 -30
package/tdf3/src/ciphers/aes-gcm-cipher.ts +7 -2
package/tdf3/src/ciphers/symmetric-cipher-base.ts +7 -4
package/tdf3/src/client/builders.ts +2 -2
package/tdf3/src/client/index.ts +60 -59
package/tdf3/src/crypto/crypto-utils.ts +15 -8
package/tdf3/src/crypto/declarations.ts +338 -22
package/tdf3/src/crypto/index.ts +1021 -118
package/tdf3/src/crypto/jose/jwt-claims-set.ts +10 -0
package/tdf3/src/crypto/jose/validate-crit.ts +9 -0
package/tdf3/src/crypto/jose/vendor/lib/buffer_utils.ts +34 -0
package/tdf3/src/crypto/jose/vendor/lib/epoch.ts +3 -0
package/tdf3/src/crypto/jose/vendor/lib/is_object.ts +18 -0
package/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.ts +106 -0
package/tdf3/src/crypto/jose/vendor/lib/secs.ts +57 -0
package/tdf3/src/crypto/jose/vendor/lib/validate_crit.ts +35 -0
package/tdf3/src/crypto/jose/vendor/util/errors.ts +101 -0
package/tdf3/src/crypto/jwt.ts +256 -0
package/tdf3/src/crypto/salt.ts +16 -8
package/tdf3/src/models/encryption-information.ts +14 -21
package/tdf3/src/models/key-access.ts +57 -41
package/tdf3/src/tdf.ts +110 -93
package/tdf3/src/utils/index.ts +5 -6

package/tdf3/src/ciphers/aes-gcm-cipher.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import {
   type CryptoService,
   type DecryptResult,
   type EncryptResult,
+  type SymmetricKey,
 } from '../crypto/declarations.js';
 const KEY_LENGTH = 32;
@@ -45,7 +46,7 @@ export class AesGcmCipher extends SymmetricCipher {
    * result from the crypto service and construct the payload automatically from
    * it's parts.  There is no need to process the payload.
    */
-  override async encrypt(payload: Binary, key: Binary, iv: Binary): Promise<EncryptResult> {
+  override async encrypt(payload: Binary, key: SymmetricKey, iv: Binary): Promise<EncryptResult> {
     const toConcat: Uint8Array[] = [];
     const result = await this.cryptoService.encrypt(payload, key, iv, Algorithms.AES_256_GCM);
     toConcat.push(new Uint8Array(iv.asArrayBuffer()));
@@ -62,7 +63,11 @@ export class AesGcmCipher extends SymmetricCipher {
    * @returns
    */
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  override async decrypt(buffer: ArrayBuffer, key: Binary, iv?: Binary): Promise<DecryptResult> {
+  override async decrypt(
+    buffer: ArrayBuffer,
+    key: SymmetricKey,
+    iv?: Binary
+  ): Promise<DecryptResult> {
     const { payload, payloadIv, payloadAuthTag } = processGcmPayload(buffer);
     return this.cryptoService.decrypt(

package/tdf3/src/ciphers/symmetric-cipher-base.ts CHANGED Viewed

@@ -3,7 +3,9 @@ import {
   type CryptoService,
   type DecryptResult,
   type EncryptResult,
+  type SymmetricKey,
 } from '../crypto/declarations.js';
+import { encodeArrayBuffer as hexEncode } from '../../../src/encodings/hex.js';
 export abstract class SymmetricCipher {
   cryptoService: CryptoService;
@@ -22,17 +24,18 @@ export abstract class SymmetricCipher {
     if (!this.ivLength) {
       throw Error('No iv length');
     }
-    return this.cryptoService.generateInitializationVector(this.ivLength);
+    const bytes = await this.cryptoService.randomBytes(this.ivLength);
+    return hexEncode(bytes.buffer);
   }
-  async generateKey(): Promise<string> {
+  async generateKey(): Promise<SymmetricKey> {
     if (!this.keyLength) {
       throw Error('No key length');
     }
     return this.cryptoService.generateKey(this.keyLength);
   }
-  abstract encrypt(payload: Binary, key: Binary, iv: Binary): Promise<EncryptResult>;
+  abstract encrypt(payload: Binary, key: SymmetricKey, iv: Binary): Promise<EncryptResult>;
-  abstract decrypt(payload: Uint8Array, key: Binary, iv?: Binary): Promise<DecryptResult>;
+  abstract decrypt(payload: Uint8Array, key: SymmetricKey, iv?: Binary): Promise<DecryptResult>;
 }

package/tdf3/src/client/builders.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import { type Metadata } from '../tdf.js';
 import { Binary } from '../binary.js';
 import { ConfigurationError } from '../../../src/errors.js';
-import { PemKeyPair } from '../crypto/declarations.js';
+import { PemKeyPair, type SymmetricKey } from '../crypto/declarations.js';
 import { DecoratedReadableStream } from './DecoratedReadableStream.js';
 import { type Chunker } from '../../../src/seekable.js';
 import { AssertionConfig, AssertionVerificationKeys } from '../assertions.js';
@@ -516,7 +516,7 @@ class EncryptParamsBuilder {
   }
 }
-export type DecryptKeyMiddleware = (key: Binary) => Promise<Binary>;
+export type DecryptKeyMiddleware = (key: SymmetricKey) => Promise<SymmetricKey>;
 export type DecryptStreamMiddleware = (
   stream: DecoratedReadableStream

package/tdf3/src/client/index.ts CHANGED Viewed

@@ -19,12 +19,7 @@ import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-pr
 import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
 import { CryptoService } from '../crypto/declarations.js';
 import { type AuthProvider, HttpRequest, withHeaders } from '../../../src/auth/auth.js';
-import {
-  getPlatformUrlFromKasEndpoint,
-  pemToCryptoPublicKey,
-  rstrip,
-  validateSecureUrl,
-} from '../../../src/utils.js';
+import { getPlatformUrlFromKasEndpoint, rstrip, validateSecureUrl } from '../../../src/utils.js';
 import {
   type DecryptParams,
@@ -42,13 +37,11 @@ import { DecoratedReadableStream } from './DecoratedReadableStream.js';
 import {
   fetchKeyAccessServers,
   type KasPublicKeyInfo,
-  keyAlgorithmToPublicKeyAlgorithm,
   OriginAllowList,
 } from '../../../src/access.js';
 import { ConfigurationError } from '../../../src/errors.js';
-import { Binary } from '../binary.js';
 import { AesGcmCipher } from '../ciphers/aes-gcm-cipher.js';
-import { toCryptoKeyPair } from '../crypto/crypto-utils.js';
+import { type KeyPair, type SymmetricKey } from '../crypto/declarations.js';
 import * as defaultCryptoService from '../crypto/index.js';
 import {
   type AttributeObject,
@@ -69,24 +62,23 @@ const defaultClientConfig = { oidcOrigin: '', cryptoService: defaultCryptoServic
 const getFirstTwoBytes = async (chunker: Chunker) => new TextDecoder().decode(await chunker(0, 2));
-async function algorithmFromPEM(pem: string) {
-  const k: CryptoKey = await pemToCryptoPublicKey(pem);
-  return keyAlgorithmToPublicKeyAlgorithm(k);
+async function algorithmFromPEM(pem: string, cryptoService: CryptoService) {
+  const keyInfo = await cryptoService.parsePublicKeyPem(pem);
+  return keyInfo.algorithm;
 }
-// Convert a PEM string to a CryptoKey
+// Convert a PEM string to KasPublicKeyInfo
 export const resolveKasInfo = async (
   pem: string,
   uri: string,
+  cryptoService: CryptoService,
   kid?: string
 ): Promise<KasPublicKeyInfo> => {
-  const k: CryptoKey = await pemToCryptoPublicKey(pem);
-  const algorithm = keyAlgorithmToPublicKeyAlgorithm(k);
+  const keyInfo = await cryptoService.parsePublicKeyPem(pem);
   return {
-    key: Promise.resolve(k),
     publicKey: pem,
     url: uri,
-    algorithm,
+    algorithm: keyInfo.algorithm,
     kid: kid,
   };
 };
@@ -132,7 +124,7 @@ export interface ClientConfig {
   /// oauth client id; used to generate oauth authProvider
   clientId?: string;
   dpopEnabled?: boolean;
-  dpopKeys?: Promise<CryptoKeyPair>;
+  dpopKeys?: Promise<KeyPair>;
   kasEndpoint: string;
   /**
    * Service to use to look up ABAC. Used during autoconfigure. Defaults to
@@ -177,28 +169,23 @@ export interface ClientConfig {
  */
 export async function createSessionKeys({
   authProvider,
-  // FIXME use cryptoservice to generate keys again
   cryptoService,
   dpopKeys,
 }: {
   authProvider?: AuthProvider;
   cryptoService: CryptoService;
-  dpopKeys?: Promise<CryptoKeyPair>;
-}): Promise<CryptoKeyPair> {
-  let signingKeys: CryptoKeyPair;
+  dpopKeys?: Promise<KeyPair>;
+}): Promise<KeyPair> {
+  let signingKeys: KeyPair;
   if (dpopKeys) {
     signingKeys = await dpopKeys;
   } else {
-    const keys = await cryptoService.generateSigningKeyPair();
-    // signingKeys = await crypto.subtle.generateKey(rsaPkcs1Sha256(), true, ['sign']);
-    signingKeys = await toCryptoKeyPair(keys);
+    // generateSigningKeyPair returns opaque KeyPair
+    signingKeys = await cryptoService.generateSigningKeyPair();
   }
   // This will contact the auth server and forcibly refresh the auth token claims,
   // binding the token and the (new) pubkey together.
-  // Note that we base64 encode the PEM string here as a quick workaround, simply because
-  // a formatted raw PEM string isn't a valid header value and sending it raw makes keycloak's
-  // header parser barf. There are more subtle ways to solve this, but this works for now.
   if (authProvider) {
     await authProvider?.updateClientPublicKey(signingKeys);
   }
@@ -301,7 +288,8 @@ const putKasKeyIntoCache = (
   cache: KasKeyInfoCache,
   kasKey: Omit<SimpleKasKey, 'publicKey'> & {
     publicKey: Exclude<SimpleKasKey['publicKey'], undefined>;
-  }
+  },
+  cryptoService: CryptoService
 ): ReturnType<typeof fetchKasPublicKey> => {
   const algorithmString = algorithmEnumValueToString(kasKey.publicKey.algorithm);
   const cachedEntry = findEntryInCache(cache, kasKey.kasUri, algorithmString, kasKey.publicKey.kid);
@@ -309,12 +297,9 @@ const putKasKeyIntoCache = (
     return cachedEntry;
   }
   const keyInfoPromise = (async function () {
-    const keyPromise = pemToCryptoPublicKey(kasKey.publicKey.pem);
-    const key = await keyPromise;
-    const algorithm = keyAlgorithmToPublicKeyAlgorithm(key);
+    const keyInfo = await cryptoService.parsePublicKeyPem(kasKey.publicKey.pem);
     return {
-      algorithm: algorithm,
-      key: keyPromise,
+      algorithm: keyInfo.algorithm,
       kid: kasKey.publicKey.kid,
       publicKey: kasKey.publicKey.pem,
       url: kasKey.kasUri,
@@ -371,7 +356,7 @@ export class Client {
   /**
    * Session binding keys. Used for DPoP and signed request bodies.
    */
-  readonly dpopKeys: Promise<CryptoKeyPair>;
+  readonly dpopKeys: Promise<KeyPair>;
   readonly dpopEnabled: boolean;
@@ -453,18 +438,24 @@ export class Client {
       //browser-based OIDC login and authentication process against the OIDC endpoint using their chosen method,
       //and provide us with a valid refresh token/clientId obtained from that process.
       if (clientConfig.refreshToken) {
-        this.authProvider = new OIDCRefreshTokenProvider({
-          clientId: clientConfig.clientId,
-          refreshToken: clientConfig.refreshToken,
-          oidcOrigin: clientConfig.oidcOrigin,
-        });
+        this.authProvider = new OIDCRefreshTokenProvider(
+          {
+            clientId: clientConfig.clientId,
+            refreshToken: clientConfig.refreshToken,
+            oidcOrigin: clientConfig.oidcOrigin,
+          },
+          this.cryptoService
+        );
       } else if (clientConfig.externalJwt) {
         //Are we exchanging a JWT previously issued by a trusted external entity (e.g. Google) for a bearer token?
-        this.authProvider = new OIDCExternalJwtProvider({
-          clientId: clientConfig.clientId,
-          externalJwt: clientConfig.externalJwt,
-          oidcOrigin: clientConfig.oidcOrigin,
-        });
+        this.authProvider = new OIDCExternalJwtProvider(
+          {
+            clientId: clientConfig.clientId,
+            externalJwt: clientConfig.externalJwt,
+            oidcOrigin: clientConfig.oidcOrigin,
+          },
+          this.cryptoService
+        );
       }
     }
     this.dpopKeys = createSessionKeys({
@@ -509,22 +500,27 @@ export class Client {
       metadata,
       mimeType = 'unknown',
       windowSize = DEFAULT_SEGMENT_SIZE,
-      keyMiddleware = defaultKeyMiddleware,
+      keyMiddleware: keyMiddlewareOpt,
       splitPlan: preconfiguredSplitPlan,
       streamMiddleware = async (stream: DecoratedReadableStream) => stream,
       tdfSpecVersion,
       wrappingKeyAlgorithm,
     } = opts;
+    const keyMiddleware = keyMiddlewareOpt ?? (() => defaultKeyMiddleware(this.cryptoService));
     const scope = opts.scope ?? { attributes: [], dissem: [] };
     for (const attributeValue of scope.attributeValues || []) {
       for (const kasKey of attributeValue.kasKeys) {
         if (kasKey.publicKey !== undefined) {
-          await putKasKeyIntoCache(this.kasKeyInfoCache, {
-            // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already.
-            ...kasKey,
-            publicKey: kasKey.publicKey,
-          });
+          await putKasKeyIntoCache(
+            this.kasKeyInfoCache,
+            {
+              // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already.
+              ...kasKey,
+              publicKey: kasKey.publicKey,
+            },
+            this.cryptoService
+          );
         }
       }
     }
@@ -594,11 +590,15 @@ export class Client {
       for (const attributeValue of attributeValues) {
         for (const kasKey of effectiveKasKeys(attributeValue)) {
           if (kasKey.publicKey !== undefined) {
-            await putKasKeyIntoCache(this.kasKeyInfoCache, {
-              // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already.
-              ...kasKey,
-              publicKey: kasKey.publicKey,
-            });
+            await putKasKeyIntoCache(
+              this.kasKeyInfoCache,
+              {
+                // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already.
+                ...kasKey,
+                publicKey: kasKey.publicKey,
+              },
+              this.cryptoService
+            );
           }
         }
       }
@@ -606,7 +606,7 @@ export class Client {
       const detailedPlan = plan(attributeValues);
       for (const item of detailedPlan) {
         if ('kid' in item.kas) {
-          const pemAlgorithm = await algorithmFromPEM(item.kas.pem);
+          const pemAlgorithm = await algorithmFromPEM(item.kas.pem, this.cryptoService);
           const kasPublicKeyInfo = await this._doFetchKasKeyWithCache(
             this.kasKeyInfoCache,
             item.kas.kasUri,
@@ -694,7 +694,7 @@ export class Client {
     }
     encryptionInformation.keyAccess = await Promise.all(
       splitPlan.map(async ({ kas, kid, pem, sid }) => {
-        const algorithm = await algorithmFromPEM(pem);
+        const algorithm = await algorithmFromPEM(pem, this.cryptoService);
         if (algorithm !== wrappingKeyAlgorithm) {
           console.warn(
             `Mismatched wrapping key algorithm: [${algorithm}] is not requested type, [${wrappingKeyAlgorithm}]`
@@ -722,6 +722,7 @@ export class Client {
           publicKey: pem,
           metadata,
           sid,
+          cryptoService: this.cryptoService,
         });
       })
     );
@@ -765,7 +766,7 @@ export class Client {
   async decrypt({
     source,
     allowList,
-    keyMiddleware = async (key: Binary) => key,
+    keyMiddleware = async (key: SymmetricKey) => key,
     streamMiddleware = async (stream: DecoratedReadableStream) => stream,
     assertionVerificationKeys,
     noVerifyAssertions,

package/tdf3/src/crypto/crypto-utils.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { base64 } from '../../../src/encodings/index.js';
-import { type AnyKeyPair, type PemKeyPair } from './declarations.js';
+import { type PemKeyPair } from './declarations.js';
 import { rsaPkcs1Sha256 } from './index.js';
 /**
@@ -73,7 +73,10 @@ export const removePemFormatting = (input: string): string => {
 const PEMRE =
   /-----BEGIN\s((?:RSA\s)?(?:PUBLIC\sKEY|PRIVATE\sKEY|CERTIFICATE))-----[\s0-9A-Za-z+/=]+-----END\s\1-----/;
-export const isPemKeyPair = (i: AnyKeyPair): i is PemKeyPair => {
+/**
+ * Type guard to check if a key pair is a PemKeyPair.
+ */
+export const isPemKeyPair = (i: PemKeyPair | CryptoKeyPair): i is PemKeyPair => {
   const { privateKey, publicKey } = i;
   if (typeof privateKey !== 'string' || typeof publicKey !== 'string') {
     return false;
@@ -89,7 +92,10 @@ export const isPemKeyPair = (i: AnyKeyPair): i is PemKeyPair => {
   return true;
 };
-export const isCryptoKeyPair = (i: AnyKeyPair): i is CryptoKeyPair => {
+/**
+ * Type guard to check if a key pair is a CryptoKeyPair.
+ */
+export const isCryptoKeyPair = (i: PemKeyPair | CryptoKeyPair): i is CryptoKeyPair => {
   const { privateKey, publicKey } = i;
   if (typeof privateKey !== 'object' || typeof publicKey !== 'object') {
     return false;
@@ -100,12 +106,13 @@ export const isCryptoKeyPair = (i: AnyKeyPair): i is CryptoKeyPair => {
   return privateKey.type === 'private' && publicKey.type === 'public';
 };
-export const toCryptoKeyPair = async (input: AnyKeyPair): Promise<CryptoKeyPair> => {
-  if (isCryptoKeyPair(input)) {
-    return input;
-  }
+/**
+ * Convert a PemKeyPair to CryptoKeyPair for internal use.
+ * This is needed when interfacing with APIs that still require CryptoKey objects.
+ */
+export const toCryptoKeyPair = async (input: PemKeyPair): Promise<CryptoKeyPair> => {
   if (!isPemKeyPair(input)) {
-    throw new Error('internal: generated invalid keypair');
+    throw new Error('internal: invalid PEM keypair');
   }
   const k = [input.publicKey, input.privateKey]
     .map(removePemFormatting)