npm - @opentdf/sdk - Versions diffs - 0.9.0-beta.91 → 0.9.0-beta.93 - Mend

@opentdf/sdk 0.9.0-beta.91 → 0.9.0-beta.93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (182) hide show

package/dist/cjs/src/access/access-fetch.js +1 -2
package/dist/cjs/src/access/access-rpc.js +1 -3
package/dist/cjs/src/access.js +1 -14
package/dist/cjs/src/auth/auth.js +13 -10
package/dist/cjs/src/auth/dpop.js +121 -0
package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +37 -3
package/dist/cjs/src/auth/oidc-externaljwt-provider.js +37 -3
package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +37 -3
package/dist/cjs/src/auth/oidc.js +10 -8
package/dist/cjs/src/auth/providers.js +35 -12
package/dist/cjs/src/crypto/index.js +16 -2
package/dist/cjs/src/crypto/pemPublicToCrypto.js +17 -11
package/dist/cjs/src/opentdf.js +40 -10
package/dist/cjs/tdf3/index.js +4 -2
package/dist/cjs/tdf3/src/assertions.js +71 -31
package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
package/dist/cjs/tdf3/src/client/index.js +23 -33
package/dist/cjs/tdf3/src/crypto/crypto-utils.js +12 -5
package/dist/cjs/tdf3/src/crypto/declarations.js +1 -1
package/dist/cjs/tdf3/src/crypto/index.js +849 -88
package/dist/cjs/tdf3/src/crypto/jose/jwt-claims-set.js +11 -0
package/dist/cjs/tdf3/src/crypto/jose/validate-crit.js +8 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +41 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/epoch.js +6 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/is_object.js +21 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +112 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/secs.js +60 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +38 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/util/errors.js +135 -0
package/dist/cjs/tdf3/src/crypto/jwt.js +183 -0
package/dist/cjs/tdf3/src/crypto/salt.js +14 -8
package/dist/cjs/tdf3/src/models/encryption-information.js +17 -20
package/dist/cjs/tdf3/src/models/key-access.js +43 -63
package/dist/cjs/tdf3/src/tdf.js +75 -75
package/dist/cjs/tdf3/src/utils/index.js +5 -39
package/dist/types/src/access/access-fetch.d.ts.map +1 -1
package/dist/types/src/access/access-rpc.d.ts.map +1 -1
package/dist/types/src/access.d.ts +0 -5
package/dist/types/src/access.d.ts.map +1 -1
package/dist/types/src/auth/auth.d.ts +9 -6
package/dist/types/src/auth/auth.d.ts.map +1 -1
package/dist/types/src/auth/dpop.d.ts +60 -0
package/dist/types/src/auth/dpop.d.ts.map +1 -0
package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc-externaljwt-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-externaljwt-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc.d.ts +6 -4
package/dist/types/src/auth/oidc.d.ts.map +1 -1
package/dist/types/src/auth/providers.d.ts +5 -4
package/dist/types/src/auth/providers.d.ts.map +1 -1
package/dist/types/src/crypto/index.d.ts +2 -1
package/dist/types/src/crypto/index.d.ts.map +1 -1
package/dist/types/src/crypto/pemPublicToCrypto.d.ts +18 -0
package/dist/types/src/crypto/pemPublicToCrypto.d.ts.map +1 -1
package/dist/types/src/opentdf.d.ts +13 -4
package/dist/types/src/opentdf.d.ts.map +1 -1
package/dist/types/tdf3/index.d.ts +3 -3
package/dist/types/tdf3/index.d.ts.map +1 -1
package/dist/types/tdf3/src/assertions.d.ts +23 -8
package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts +3 -3
package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts.map +1 -1
package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts +4 -4
package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts.map +1 -1
package/dist/types/tdf3/src/client/builders.d.ts +2 -2
package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
package/dist/types/tdf3/src/client/index.d.ts +6 -5
package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts +14 -4
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/declarations.d.ts +283 -18
package/dist/types/tdf3/src/crypto/declarations.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/index.d.ts +105 -28
package/dist/types/tdf3/src/crypto/index.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts +5 -0
package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts +6 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts +76 -0
package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jwt.d.ts +76 -0
package/dist/types/tdf3/src/crypto/jwt.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/salt.d.ts +6 -1
package/dist/types/tdf3/src/crypto/salt.d.ts.map +1 -1
package/dist/types/tdf3/src/models/encryption-information.d.ts +4 -4
package/dist/types/tdf3/src/models/encryption-information.d.ts.map +1 -1
package/dist/types/tdf3/src/models/key-access.d.ts +8 -5
package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
package/dist/types/tdf3/src/tdf.d.ts +8 -8
package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/index.d.ts +4 -3
package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
package/dist/web/src/access/access-fetch.js +3 -4
package/dist/web/src/access/access-rpc.js +3 -5
package/dist/web/src/access.js +1 -13
package/dist/web/src/auth/auth.js +13 -10
package/dist/web/src/auth/dpop.js +118 -0
package/dist/web/src/auth/oidc-clientcredentials-provider.js +4 -3
package/dist/web/src/auth/oidc-externaljwt-provider.js +4 -3
package/dist/web/src/auth/oidc-refreshtoken-provider.js +4 -3
package/dist/web/src/auth/oidc.js +11 -9
package/dist/web/src/auth/providers.js +13 -12
package/dist/web/src/crypto/index.js +4 -2
package/dist/web/src/crypto/pemPublicToCrypto.js +11 -9
package/dist/web/src/opentdf.js +7 -10
package/dist/web/tdf3/index.js +3 -2
package/dist/web/tdf3/src/assertions.js +71 -31
package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
package/dist/web/tdf3/src/client/index.js +25 -35
package/dist/web/tdf3/src/crypto/crypto-utils.js +12 -5
package/dist/web/tdf3/src/crypto/declarations.js +1 -1
package/dist/web/tdf3/src/crypto/index.js +830 -84
package/dist/web/tdf3/src/crypto/jose/jwt-claims-set.js +5 -0
package/dist/web/tdf3/src/crypto/jose/validate-crit.js +3 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +35 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/epoch.js +4 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/is_object.js +19 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +107 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/secs.js +58 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +36 -0
package/dist/web/tdf3/src/crypto/jose/vendor/util/errors.js +117 -0
package/dist/web/tdf3/src/crypto/jwt.js +174 -0
package/dist/web/tdf3/src/crypto/salt.js +13 -7
package/dist/web/tdf3/src/models/encryption-information.js +11 -14
package/dist/web/tdf3/src/models/key-access.js +44 -31
package/dist/web/tdf3/src/tdf.js +71 -71
package/dist/web/tdf3/src/utils/index.js +5 -6
package/package.json +11 -4
package/src/access/access-fetch.ts +2 -8
package/src/access/access-rpc.ts +0 -7
package/src/access.ts +0 -17
package/src/auth/auth.ts +21 -12
package/src/auth/dpop.ts +222 -0
package/src/auth/oidc-clientcredentials-provider.ts +23 -15
package/src/auth/oidc-externaljwt-provider.ts +23 -15
package/src/auth/oidc-refreshtoken-provider.ts +23 -15
package/src/auth/oidc.ts +21 -10
package/src/auth/providers.ts +46 -29
package/src/crypto/index.ts +21 -1
package/src/crypto/pemPublicToCrypto.ts +11 -9
package/src/opentdf.ts +19 -14
package/tdf3/index.ts +32 -5
package/tdf3/src/assertions.ts +99 -30
package/tdf3/src/ciphers/aes-gcm-cipher.ts +7 -2
package/tdf3/src/ciphers/symmetric-cipher-base.ts +7 -4
package/tdf3/src/client/builders.ts +2 -2
package/tdf3/src/client/index.ts +60 -59
package/tdf3/src/crypto/crypto-utils.ts +15 -8
package/tdf3/src/crypto/declarations.ts +338 -22
package/tdf3/src/crypto/index.ts +1021 -118
package/tdf3/src/crypto/jose/jwt-claims-set.ts +10 -0
package/tdf3/src/crypto/jose/validate-crit.ts +9 -0
package/tdf3/src/crypto/jose/vendor/lib/buffer_utils.ts +34 -0
package/tdf3/src/crypto/jose/vendor/lib/epoch.ts +3 -0
package/tdf3/src/crypto/jose/vendor/lib/is_object.ts +18 -0
package/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.ts +106 -0
package/tdf3/src/crypto/jose/vendor/lib/secs.ts +57 -0
package/tdf3/src/crypto/jose/vendor/lib/validate_crit.ts +35 -0
package/tdf3/src/crypto/jose/vendor/util/errors.ts +101 -0
package/tdf3/src/crypto/jwt.ts +256 -0
package/tdf3/src/crypto/salt.ts +16 -8
package/tdf3/src/models/encryption-information.ts +14 -21
package/tdf3/src/models/key-access.ts +57 -41
package/tdf3/src/tdf.ts +110 -93
package/tdf3/src/utils/index.ts +5 -6

package/tdf3/src/models/encryption-information.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import { keySplit } from '../utils/index.js';
 import { base64, hex } from '../../../src/encodings/index.js';
 import { Binary } from '../binary.js';
 import { type SymmetricCipher } from '../ciphers/symmetric-cipher-base.js';
@@ -8,12 +7,13 @@ import {
   type CryptoService,
   type DecryptResult,
   type EncryptResult,
+  type SymmetricKey,
 } from '../crypto/declarations.js';
 import { IntegrityAlgorithm } from '../tdf.js';
 import { ConfigurationError } from '../../../src/errors.js';
 export type KeyInfo = {
-  readonly unwrappedKeyBinary: Binary;
+  readonly unwrappedKey: SymmetricKey;
   readonly unwrappedKeyIvBinary: Binary;
 };
@@ -59,42 +59,39 @@ export class SplitKey {
   async generateKey(): Promise<KeyInfo> {
     const unwrappedKey = await this.cipher.generateKey();
-    const unwrappedKeyBinary = Binary.fromString(hex.decode(unwrappedKey));
     const unwrappedKeyIvBinary = await this.generateIvBinary();
-    return { unwrappedKeyBinary, unwrappedKeyIvBinary };
+    return { unwrappedKey, unwrappedKeyIvBinary };
   }
   async encrypt(
     contentBinary: Binary,
-    keyBinary: Binary,
+    key: SymmetricKey,
     ivBinaryOptional?: Binary
   ): Promise<EncryptResult> {
     const ivBinary = ivBinaryOptional || (await this.generateIvBinary());
-    return this.cipher.encrypt(contentBinary, keyBinary, ivBinary);
+    return this.cipher.encrypt(contentBinary, key, ivBinary);
   }
-  async decrypt(content: Uint8Array, keyBinary: Binary): Promise<DecryptResult> {
-    return this.cipher.decrypt(content, keyBinary);
+  async decrypt(content: Uint8Array, key: SymmetricKey): Promise<DecryptResult> {
+    return this.cipher.decrypt(content, key);
   }
   async getKeyAccessObjects(policy: Policy, keyInfo: KeyInfo): Promise<KeyAccessObject[]> {
     const splitIds = [...new Set(this.keyAccess.map(({ sid }) => sid))].sort((a = '', b = '') =>
       a.localeCompare(b)
     );
-    const unwrappedKeySplitBuffers = await keySplit(
-      new Uint8Array(keyInfo.unwrappedKeyBinary.asByteArray()),
-      splitIds.length,
-      this.cryptoService
+    const unwrappedKeySplits = await this.cryptoService.splitSymmetricKey(
+      keyInfo.unwrappedKey,
+      splitIds.length
     );
     const splitsByName = Object.fromEntries(
-      splitIds.map((sid, index) => [sid, unwrappedKeySplitBuffers[index]])
+      splitIds.map((sid, index) => [sid, unwrappedKeySplits[index]])
     );
     const keyAccessObjects = [];
     for (const item of this.keyAccess) {
       // use the key split to encrypt metadata for each key access object
-      const unwrappedKeySplitBuffer = splitsByName[item.sid || ''];
-      const unwrappedKeySplitBinary = Binary.fromArrayBuffer(unwrappedKeySplitBuffer.buffer);
+      const unwrappedKeySplit = splitsByName[item.sid || ''];
       const metadata = item.metadata || '';
       const metadataStr = (
@@ -113,7 +110,7 @@ export class SplitKey {
       const encryptedMetadataResult = await this.encrypt(
         metadataBinary,
-        unwrappedKeySplitBinary,
+        unwrappedKeySplit,
         keyInfo.unwrappedKeyIvBinary
       );
@@ -123,11 +120,7 @@ export class SplitKey {
       };
       const encryptedMetadataStr = JSON.stringify(encryptedMetadataOb);
-      const keyAccessObject = await item.write(
-        policy,
-        unwrappedKeySplitBuffer,
-        encryptedMetadataStr
-      );
+      const keyAccessObject = await item.write(policy, unwrappedKeySplit, encryptedMetadataStr);
       keyAccessObjects.push(keyAccessObject);
     }

package/tdf3/src/models/key-access.ts CHANGED Viewed

@@ -1,11 +1,8 @@
 import { base64, hex } from '../../../src/encodings/index.js';
-import { generateRandomNumber } from '../../../src/crypto/generateRandomNumber.js';
-import { keyAgreement } from '../../../src/crypto/keyAgreement.js';
-import { pemPublicToCrypto } from '../../../src/crypto/pemPublicToCrypto.js';
-import { cryptoPublicToPem } from '../../../src/utils.js';
 import { Binary } from '../binary.js';
-import * as cryptoService from '../crypto/index.js';
-import { ztdfSalt } from '../crypto/salt.js';
+import type { CryptoService, KeyPair, SymmetricKey } from '../crypto/declarations.js';
+import { getZtdfSalt } from '../crypto/salt.js';
+import { Algorithms } from '../ciphers/index.js';
 import { Policy } from './policy.js';
 export type KeyAccessType = 'remote' | 'wrapped' | 'ec-wrapped';
@@ -14,7 +11,7 @@ export const schemaVersion = '1.0';
 export class ECWrapped {
   readonly type = 'ec-wrapped';
-  readonly ephemeralKeyPair: Promise<CryptoKeyPair>;
+  readonly ephemeralKeyPair: Promise<KeyPair>;
   keyAccessObject?: KeyAccessObject;
   constructor(
@@ -22,44 +19,62 @@ export class ECWrapped {
     public readonly kid: string | undefined,
     public readonly publicKey: string,
     public readonly metadata: unknown,
+    public readonly cryptoService: CryptoService,
     public readonly sid?: string
   ) {
-    this.ephemeralKeyPair = crypto.subtle.generateKey(
-      {
-        name: 'ECDH',
-        namedCurve: 'P-256',
-      },
-      false,
-      ['deriveBits', 'deriveKey']
-    );
+    // Generate EC key pair using CryptoService - returns opaque keys
+    this.ephemeralKeyPair = this.cryptoService.generateECKeyPair('P-256');
   }
   async write(
     policy: Policy,
-    dek: Uint8Array,
+    dek: SymmetricKey,
     encryptedMetadataStr: string
   ): Promise<KeyAccessObject> {
     const policyStr = JSON.stringify(policy);
-    const [ek, clientPublicKey] = await Promise.all([
-      this.ephemeralKeyPair,
-      pemPublicToCrypto(this.publicKey),
-    ]);
-    const kek = await keyAgreement(ek.privateKey, clientPublicKey, {
-      hkdfSalt: await ztdfSalt,
-      hkdfHash: 'SHA-256',
+    const ek = await this.ephemeralKeyPair;
+    // Import KAS public key from PEM
+    const kasPublicKey = await this.cryptoService.importPublicKey(this.publicKey, {
+      usage: 'derive',
     });
-    const iv = generateRandomNumber(12);
-    const cek = await crypto.subtle.encrypt({ name: 'AES-GCM', iv, tagLength: 128 }, kek, dek);
-    const entityWrappedKey = new Uint8Array(iv.length + cek.byteLength);
+    // Derive encryption key using ECDH + HKDF via CryptoService
+    const derivedKey = await this.cryptoService.deriveKeyFromECDH(ek.privateKey, kasPublicKey, {
+      hash: 'SHA-256',
+      salt: await getZtdfSalt(this.cryptoService),
+    });
+    // Generate random IV
+    const iv = await this.cryptoService.randomBytes(12);
+    // Encrypt DEK using derived key with AES-GCM
+    // Payload is SymmetricKey (the DEK), key is SymmetricKey (derived from ECDH)
+    const encryptResult = await this.cryptoService.encrypt(
+      dek,
+      derivedKey,
+      Binary.fromArrayBuffer(iv.buffer),
+      Algorithms.AES_256_GCM
+    );
+    // Combine IV, ciphertext, and authTag to form the wrapped key.
+    const ciphertext = new Uint8Array(encryptResult.payload.asArrayBuffer());
+    const authTag = encryptResult.authTag
+      ? new Uint8Array(encryptResult.authTag.asArrayBuffer())
+      : new Uint8Array(0);
+    const entityWrappedKey = new Uint8Array(iv.length + ciphertext.length + authTag.length);
     entityWrappedKey.set(iv);
-    entityWrappedKey.set(new Uint8Array(cek), iv.length);
+    entityWrappedKey.set(ciphertext, iv.length);
+    entityWrappedKey.set(authTag, iv.length + ciphertext.length);
-    const policyBinding = await cryptoService.hmac(
-      hex.encodeArrayBuffer(dek),
-      base64.encode(policyStr)
+    const policyBinding = hex.encodeArrayBuffer(
+      (await this.cryptoService.hmac(new TextEncoder().encode(base64.encode(policyStr)), dek))
+        .buffer
     );
-    const ephemeralPublicKeyPEM = await cryptoPublicToPem(ek.publicKey);
+    // Export ephemeral public key to PEM for manifest
+    const ephemeralPublicKeyPem = await this.cryptoService.exportPublicKeyPem(ek.publicKey);
     const kao: KeyAccessObject = {
       type: 'ec-wrapped',
       url: this.url,
@@ -71,7 +86,7 @@ export class ECWrapped {
         hash: base64.encode(policyBinding),
       },
       schemaVersion,
-      ephemeralPublicKey: ephemeralPublicKeyPEM,
+      ephemeralPublicKey: ephemeralPublicKeyPem,
     };
     if (this.kid) {
       kao.kid = this.kid;
@@ -93,24 +108,25 @@ export class Wrapped {
     public readonly kid: string | undefined,
     public readonly publicKey: string,
     public readonly metadata: unknown,
+    public readonly cryptoService: CryptoService,
     public readonly sid?: string
   ) {}
   async write(
     policy: Policy,
-    keyBuffer: Uint8Array,
+    key: SymmetricKey,
     encryptedMetadataStr: string
   ): Promise<KeyAccessObject> {
     const policyStr = JSON.stringify(policy);
-    const unwrappedKeyBinary = Binary.fromArrayBuffer(keyBuffer.buffer);
-    const wrappedKeyBinary = await cryptoService.encryptWithPublicKey(
-      unwrappedKeyBinary,
-      this.publicKey
-    );
+    // Import KAS public key from PEM
+    const kasPublicKey = await this.cryptoService.importPublicKey(this.publicKey, {
+      usage: 'encrypt',
+    });
+    const wrappedKeyBinary = await this.cryptoService.encryptWithPublicKey(key, kasPublicKey);
-    const policyBinding = await cryptoService.hmac(
-      hex.encodeArrayBuffer(keyBuffer),
-      base64.encode(policyStr)
+    const policyBinding = hex.encodeArrayBuffer(
+      (await this.cryptoService.hmac(new TextEncoder().encode(base64.encode(policyStr)), key))
+        .buffer
     );
     this.keyAccessObject = {