npm - @opentdf/sdk - Versions diffs - 0.9.0-beta.92 → 0.9.0-beta.94 - Mend

@opentdf/sdk 0.9.0-beta.92 → 0.9.0-beta.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (187) hide show

package/README.md +2 -2
package/dist/cjs/src/access/access-fetch.js +1 -2
package/dist/cjs/src/access/access-rpc.js +1 -3
package/dist/cjs/src/access.js +1 -14
package/dist/cjs/src/auth/auth.js +13 -10
package/dist/cjs/src/auth/dpop.js +121 -0
package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +37 -3
package/dist/cjs/src/auth/oidc-externaljwt-provider.js +37 -3
package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +37 -3
package/dist/cjs/src/auth/oidc.js +10 -8
package/dist/cjs/src/auth/providers.js +35 -12
package/dist/cjs/src/crypto/index.js +16 -2
package/dist/cjs/src/crypto/pemPublicToCrypto.js +17 -11
package/dist/cjs/src/opentdf.js +50 -13
package/dist/cjs/src/policy/discovery.js +2 -2
package/dist/cjs/tdf3/index.js +4 -2
package/dist/cjs/tdf3/src/assertions.js +71 -31
package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
package/dist/cjs/tdf3/src/client/index.js +23 -33
package/dist/cjs/tdf3/src/crypto/crypto-utils.js +12 -5
package/dist/cjs/tdf3/src/crypto/declarations.js +1 -1
package/dist/cjs/tdf3/src/crypto/index.js +849 -88
package/dist/cjs/tdf3/src/crypto/jose/jwt-claims-set.js +11 -0
package/dist/cjs/tdf3/src/crypto/jose/validate-crit.js +8 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +41 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/epoch.js +6 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/is_object.js +21 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +112 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/secs.js +60 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +38 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/util/errors.js +135 -0
package/dist/cjs/tdf3/src/crypto/jwt.js +183 -0
package/dist/cjs/tdf3/src/crypto/salt.js +14 -8
package/dist/cjs/tdf3/src/models/encryption-information.js +17 -20
package/dist/cjs/tdf3/src/models/key-access.js +43 -63
package/dist/cjs/tdf3/src/tdf.js +75 -75
package/dist/cjs/tdf3/src/utils/index.js +5 -39
package/dist/types/src/access/access-fetch.d.ts.map +1 -1
package/dist/types/src/access/access-rpc.d.ts.map +1 -1
package/dist/types/src/access.d.ts +0 -5
package/dist/types/src/access.d.ts.map +1 -1
package/dist/types/src/auth/auth.d.ts +9 -6
package/dist/types/src/auth/auth.d.ts.map +1 -1
package/dist/types/src/auth/dpop.d.ts +60 -0
package/dist/types/src/auth/dpop.d.ts.map +1 -0
package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc-externaljwt-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-externaljwt-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc.d.ts +6 -4
package/dist/types/src/auth/oidc.d.ts.map +1 -1
package/dist/types/src/auth/providers.d.ts +5 -4
package/dist/types/src/auth/providers.d.ts.map +1 -1
package/dist/types/src/crypto/index.d.ts +2 -1
package/dist/types/src/crypto/index.d.ts.map +1 -1
package/dist/types/src/crypto/pemPublicToCrypto.d.ts +18 -0
package/dist/types/src/crypto/pemPublicToCrypto.d.ts.map +1 -1
package/dist/types/src/opentdf.d.ts +26 -7
package/dist/types/src/opentdf.d.ts.map +1 -1
package/dist/types/src/policy/discovery.d.ts +2 -2
package/dist/types/tdf3/index.d.ts +3 -3
package/dist/types/tdf3/index.d.ts.map +1 -1
package/dist/types/tdf3/src/assertions.d.ts +23 -8
package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts +3 -3
package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts.map +1 -1
package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts +4 -4
package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts.map +1 -1
package/dist/types/tdf3/src/client/builders.d.ts +2 -2
package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
package/dist/types/tdf3/src/client/index.d.ts +6 -5
package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts +14 -4
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/declarations.d.ts +283 -18
package/dist/types/tdf3/src/crypto/declarations.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/index.d.ts +105 -28
package/dist/types/tdf3/src/crypto/index.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts +5 -0
package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts +6 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts +76 -0
package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jwt.d.ts +76 -0
package/dist/types/tdf3/src/crypto/jwt.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/salt.d.ts +6 -1
package/dist/types/tdf3/src/crypto/salt.d.ts.map +1 -1
package/dist/types/tdf3/src/models/encryption-information.d.ts +4 -4
package/dist/types/tdf3/src/models/encryption-information.d.ts.map +1 -1
package/dist/types/tdf3/src/models/key-access.d.ts +8 -5
package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
package/dist/types/tdf3/src/tdf.d.ts +8 -8
package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/index.d.ts +4 -3
package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
package/dist/web/src/access/access-fetch.js +3 -4
package/dist/web/src/access/access-rpc.js +3 -5
package/dist/web/src/access.js +1 -13
package/dist/web/src/auth/auth.js +13 -10
package/dist/web/src/auth/dpop.js +118 -0
package/dist/web/src/auth/oidc-clientcredentials-provider.js +4 -3
package/dist/web/src/auth/oidc-externaljwt-provider.js +4 -3
package/dist/web/src/auth/oidc-refreshtoken-provider.js +4 -3
package/dist/web/src/auth/oidc.js +11 -9
package/dist/web/src/auth/providers.js +13 -12
package/dist/web/src/crypto/index.js +4 -2
package/dist/web/src/crypto/pemPublicToCrypto.js +11 -9
package/dist/web/src/opentdf.js +17 -13
package/dist/web/src/policy/discovery.js +2 -2
package/dist/web/tdf3/index.js +3 -2
package/dist/web/tdf3/src/assertions.js +71 -31
package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
package/dist/web/tdf3/src/client/index.js +25 -35
package/dist/web/tdf3/src/crypto/crypto-utils.js +12 -5
package/dist/web/tdf3/src/crypto/declarations.js +1 -1
package/dist/web/tdf3/src/crypto/index.js +830 -84
package/dist/web/tdf3/src/crypto/jose/jwt-claims-set.js +5 -0
package/dist/web/tdf3/src/crypto/jose/validate-crit.js +3 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +35 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/epoch.js +4 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/is_object.js +19 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +107 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/secs.js +58 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +36 -0
package/dist/web/tdf3/src/crypto/jose/vendor/util/errors.js +117 -0
package/dist/web/tdf3/src/crypto/jwt.js +174 -0
package/dist/web/tdf3/src/crypto/salt.js +13 -7
package/dist/web/tdf3/src/models/encryption-information.js +11 -14
package/dist/web/tdf3/src/models/key-access.js +44 -31
package/dist/web/tdf3/src/tdf.js +71 -71
package/dist/web/tdf3/src/utils/index.js +5 -6
package/package.json +11 -4
package/src/access/access-fetch.ts +2 -8
package/src/access/access-rpc.ts +0 -7
package/src/access.ts +0 -17
package/src/auth/auth.ts +21 -12
package/src/auth/dpop.ts +222 -0
package/src/auth/oidc-clientcredentials-provider.ts +23 -15
package/src/auth/oidc-externaljwt-provider.ts +23 -15
package/src/auth/oidc-refreshtoken-provider.ts +23 -15
package/src/auth/oidc.ts +21 -10
package/src/auth/providers.ts +46 -29
package/src/crypto/index.ts +21 -1
package/src/crypto/pemPublicToCrypto.ts +11 -9
package/src/opentdf.ts +36 -17
package/src/policy/discovery.ts +2 -2
package/tdf3/index.ts +32 -5
package/tdf3/src/assertions.ts +99 -30
package/tdf3/src/ciphers/aes-gcm-cipher.ts +7 -2
package/tdf3/src/ciphers/symmetric-cipher-base.ts +7 -4
package/tdf3/src/client/builders.ts +2 -2
package/tdf3/src/client/index.ts +60 -59
package/tdf3/src/crypto/crypto-utils.ts +15 -8
package/tdf3/src/crypto/declarations.ts +338 -22
package/tdf3/src/crypto/index.ts +1021 -118
package/tdf3/src/crypto/jose/jwt-claims-set.ts +10 -0
package/tdf3/src/crypto/jose/validate-crit.ts +9 -0
package/tdf3/src/crypto/jose/vendor/lib/buffer_utils.ts +34 -0
package/tdf3/src/crypto/jose/vendor/lib/epoch.ts +3 -0
package/tdf3/src/crypto/jose/vendor/lib/is_object.ts +18 -0
package/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.ts +106 -0
package/tdf3/src/crypto/jose/vendor/lib/secs.ts +57 -0
package/tdf3/src/crypto/jose/vendor/lib/validate_crit.ts +35 -0
package/tdf3/src/crypto/jose/vendor/util/errors.ts +101 -0
package/tdf3/src/crypto/jwt.ts +256 -0
package/tdf3/src/crypto/salt.ts +16 -8
package/tdf3/src/models/encryption-information.ts +14 -21
package/tdf3/src/models/key-access.ts +57 -41
package/tdf3/src/tdf.ts +110 -93
package/tdf3/src/utils/index.ts +5 -6

package/src/auth/oidc.ts CHANGED Viewed

@@ -1,8 +1,9 @@
-import { default as dpopFn } from 'dpop';
+import { default as dpopFn } from './dpop.js';
 import { HttpRequest, withHeaders } from './auth.js';
 import { base64 } from '../encodings/index.js';
 import { ConfigurationError, TdfError } from '../errors.js';
-import { cryptoPublicToPem, rstrip } from '../utils.js';
+import { rstrip } from '../utils.js';
+import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarations.js';
 /**
  * Common fields used by all OIDC credentialing flows.
@@ -18,7 +19,7 @@ export type CommonCredentials = {
   dpopEnabled?: boolean;
   /** the client's public key, base64 encoded. Will be bound to the OIDC token. Deprecated. If not set in the constructor, */
-  signingKey?: CryptoKeyPair;
+  signingKey?: KeyPair;
 };
 /**
@@ -94,13 +95,15 @@ export class AccessToken {
   tokenEndpoint: string;
   userInfoEndpoint: string;
-  signingKey?: CryptoKeyPair;
+  signingKey?: KeyPair;
   extraHeaders: Record<string, string> = {};
   currentAccessToken?: string;
-  constructor(cfg: OIDCCredentials, request?: typeof fetch) {
+  cryptoService: CryptoService;
+  constructor(cfg: OIDCCredentials, cryptoService: CryptoService, request?: typeof fetch) {
     if (!cfg.clientId) {
       throw new ConfigurationError(
         'A Keycloak client identifier is currently required for all auth mechanisms'
@@ -121,6 +124,7 @@ export class AccessToken {
       throw new ConfigurationError('Invalid oidc configuration');
     }
     this.config = cfg;
+    this.cryptoService = cryptoService;
     this.request = request;
     this.baseUrl = rstrip(cfg.oidcOrigin, '/');
     this.tokenEndpoint = cfg.oidcTokenEndpoint || `${this.baseUrl}/protocol/openid-connect/token`;
@@ -140,7 +144,12 @@ export class AccessToken {
       Authorization: `Bearer ${accessToken}`,
     } as Record<string, string>;
     if (this.config.dpopEnabled && this.signingKey) {
-      headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'POST');
+      headers.DPoP = await dpopFn(
+        this.signingKey,
+        this.cryptoService,
+        this.userInfoEndpoint,
+        'POST'
+      );
     }
     const response = await (this.request || fetch)(this.userInfoEndpoint, {
       headers,
@@ -165,9 +174,10 @@ export class AccessToken {
       if (!this.signingKey) {
         throw new ConfigurationError('No signature configured');
       }
-      const clientPubKey = await cryptoPublicToPem(this.signingKey.publicKey);
-      headers['X-VirtruPubKey'] = base64.encode(clientPubKey);
-      headers.DPoP = await dpopFn(this.signingKey, url, 'POST');
+      // Export opaque public key to PEM format for header
+      const publicKeyPem = await this.cryptoService.exportPublicKeyPem(this.signingKey.publicKey);
+      headers['X-VirtruPubKey'] = base64.encode(publicKeyPem);
+      headers.DPoP = await dpopFn(this.signingKey, this.cryptoService, url, 'POST');
     }
     return (this.request || fetch)(url, {
       method: 'POST',
@@ -251,7 +261,7 @@ export class AccessToken {
    *
    * Calling this function will trigger a forcible token refresh using the cached refresh token, and contact the auth server.
    */
-  async refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey: CryptoKeyPair): Promise<void> {
+  async refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey: KeyPair): Promise<void> {
     // If we already have a token, and the pubkey changes,
     // we need to force a refresh now - otherwise
     // we can wait until we create the token for the first time
@@ -299,6 +309,7 @@ export class AccessToken {
     if (this.config.dpopEnabled && this.signingKey) {
       const dpopToken = await dpopFn(
         this.signingKey,
+        this.cryptoService,
         httpReq.url,
         httpReq.method,
         /* nonce */ undefined,

package/src/auth/providers.ts CHANGED Viewed

@@ -10,6 +10,8 @@ import { type AuthProvider } from './auth.js';
 import { OIDCRefreshTokenProvider } from './oidc-refreshtoken-provider.js';
 import { isBrowser } from '../utils.js';
 import { ConfigurationError } from '../errors.js';
+import { type CryptoService } from '../../tdf3/src/crypto/declarations.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
 /**
  * Creates an OIDC Client Credentials Provider for non-browser contexts.
@@ -30,15 +32,19 @@ import { ConfigurationError } from '../errors.js';
  *
  */
 export const clientSecretAuthProvider = async (
-  clientConfig: ClientSecretCredentials
+  clientConfig: ClientSecretCredentials,
+  cryptoService: CryptoService = defaultCryptoService
 ): Promise<OIDCClientCredentialsProvider> => {
-  return new OIDCClientCredentialsProvider({
-    clientId: clientConfig.clientId,
-    clientSecret: clientConfig.clientSecret,
-    oidcOrigin: clientConfig.oidcOrigin,
-    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
-    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-  });
+  return new OIDCClientCredentialsProvider(
+    {
+      clientId: clientConfig.clientId,
+      clientSecret: clientConfig.clientSecret,
+      oidcOrigin: clientConfig.oidcOrigin,
+      oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+      oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
+    },
+    cryptoService
+  );
 };
 /**
@@ -58,15 +64,19 @@ export const clientSecretAuthProvider = async (
  * {@link updateClientPublicKey}, which will force an explicit token refresh.
  */
 export const externalAuthProvider = async (
-  clientConfig: ExternalJwtCredentials
+  clientConfig: ExternalJwtCredentials,
+  cryptoService: CryptoService = defaultCryptoService
 ): Promise<OIDCExternalJwtProvider> => {
-  return new OIDCExternalJwtProvider({
-    clientId: clientConfig.clientId,
-    externalJwt: clientConfig.externalJwt,
-    oidcOrigin: clientConfig.oidcOrigin,
-    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
-    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-  });
+  return new OIDCExternalJwtProvider(
+    {
+      clientId: clientConfig.clientId,
+      externalJwt: clientConfig.externalJwt,
+      oidcOrigin: clientConfig.oidcOrigin,
+      oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+      oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
+    },
+    cryptoService
+  );
 };
 /**
@@ -84,15 +94,19 @@ export const externalAuthProvider = async (
  * {@link updateClientPublicKey} which will force an explicit token refresh
  */
 export const refreshAuthProvider = async (
-  clientConfig: RefreshTokenCredentials
+  clientConfig: RefreshTokenCredentials,
+  cryptoService: CryptoService = defaultCryptoService
 ): Promise<OIDCRefreshTokenProvider> => {
-  return new OIDCRefreshTokenProvider({
-    clientId: clientConfig.clientId,
-    refreshToken: clientConfig.refreshToken,
-    oidcOrigin: clientConfig.oidcOrigin,
-    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
-    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-  });
+  return new OIDCRefreshTokenProvider(
+    {
+      clientId: clientConfig.clientId,
+      refreshToken: clientConfig.refreshToken,
+      oidcOrigin: clientConfig.oidcOrigin,
+      oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+      oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
+    },
+    cryptoService
+  );
 };
 /**
@@ -100,7 +114,10 @@ export const refreshAuthProvider = async (
  * @param clientConfig OIDC client credentials
  * @returns a promise for a new auth provider with the requested excahnge type
  */
-export const clientAuthProvider = async (clientConfig: OIDCCredentials): Promise<AuthProvider> => {
+export const clientAuthProvider = async (
+  clientConfig: OIDCCredentials,
+  cryptoService: CryptoService = defaultCryptoService
+): Promise<AuthProvider> => {
   if (!clientConfig.clientId) {
     throw new ConfigurationError('Client ID must be provided to constructor');
   }
@@ -116,13 +133,13 @@ export const clientAuthProvider = async (clientConfig: OIDCCredentials): Promise
     //and provide us with a valid refresh token/clientId obtained from that process.
     switch (clientConfig.exchange) {
       case 'refresh': {
-        return refreshAuthProvider(clientConfig);
+        return refreshAuthProvider(clientConfig, cryptoService);
       }
       case 'external': {
-        return externalAuthProvider(clientConfig);
+        return externalAuthProvider(clientConfig, cryptoService);
       }
       case 'client': {
-        return clientSecretAuthProvider(clientConfig);
+        return clientSecretAuthProvider(clientConfig, cryptoService);
       }
       default:
         throw new ConfigurationError(`Unsupported client type`);
@@ -136,7 +153,7 @@ export const clientAuthProvider = async (clientConfig: OIDCCredentials): Promise
       'When using client credentials, must supply both client ID and client secret to constructor'
     );
   }
-  return clientSecretAuthProvider(clientConfig);
+  return clientSecretAuthProvider(clientConfig, cryptoService);
 };
 export * from './auth.js';

package/src/crypto/index.ts CHANGED Viewed

@@ -6,5 +6,25 @@ export { generateKeyPair } from './generateKeyPair.js';
 export { keyAgreement } from './keyAgreement.js';
 export { default as exportCryptoKey } from './exportCryptoKey.js';
 export { generateRandomNumber } from './generateRandomNumber.js';
-export { pemPublicToCrypto, pemCertToCrypto } from './pemPublicToCrypto.js';
+export {
+  pemPublicToCrypto,
+  pemCertToCrypto,
+  guessAlgorithmName,
+  guessCurveName,
+  toJwsAlg,
+  RSA_OID,
+  EC_OID,
+  P256_OID,
+  P384_OID,
+  P521_OID,
+  type AlgorithmName,
+} from './pemPublicToCrypto.js';
 export * as enums from './enums.js';
+// PEM Formatting Utilities from tdf3
+export {
+  formatAsPem,
+  removePemFormatting,
+  isPemKeyPair,
+  isCryptoKeyPair,
+} from '../../tdf3/src/crypto/crypto-utils.js';

package/src/crypto/pemPublicToCrypto.ts CHANGED Viewed

@@ -33,11 +33,12 @@ import { encodeArrayBuffer as hexEncodeArrayBuffer } from '../encodings/hex.js';
 import { ConfigurationError, TdfError } from '../errors.js';
 import { NamedCurve } from './enums.js';
-const RSA_OID = '06092a864886f70d010101';
-const EC_OID = '06072a8648ce3d0201';
-const P256_OID = '06082a8648ce3d030107';
-const P384_OID = '06052b81040022';
-const P521_OID = '06052b81040023';
+// OID constants for algorithm detection (hex-encoded ASN.1 OIDs)
+export const RSA_OID = '06092a864886f70d010101';
+export const EC_OID = '06072a8648ce3d0201';
+export const P256_OID = '06082a8648ce3d030107';
+export const P384_OID = '06052b81040022';
+export const P521_OID = '06052b81040023';
 const SHA_512 = 'SHA-512';
 const SPKI = 'spki';
 const CERT_BEGIN = '-----BEGIN CERTIFICATE-----';
@@ -47,7 +48,7 @@ const ECDH = 'ECDH';
 const ECDSA = 'ECDSA';
 const RSA_OAEP = 'RSA-OAEP';
 const RSA_PSS = 'RSA-PSS';
-type AlgorithmName = typeof ECDH | typeof ECDSA | typeof RSA_OAEP | typeof RSA_PSS;
+export type AlgorithmName = typeof ECDH | typeof ECDSA | typeof RSA_OAEP | typeof RSA_PSS;
 interface PemPublicToCryptoOptions {
   name?: string;
@@ -71,7 +72,7 @@ function guessKeyUsages(algorithmName: AlgorithmName, usages?: KeyUsage[]): KeyU
   }
 }
-function guessAlgorithmName(hex: string, algorithmName?: string): AlgorithmName {
+export function guessAlgorithmName(hex: string, algorithmName?: string): AlgorithmName {
   if (hex.includes(EC_OID)) {
     if (!algorithmName || algorithmName === ECDH) {
       return ECDH;
@@ -88,7 +89,7 @@ function guessAlgorithmName(hex: string, algorithmName?: string): AlgorithmName
   throw new TypeError(`Invalid public key, ${algorithmName}`);
 }
-function guessCurveName(hex: string): NamedCurve {
+export function guessCurveName(hex: string): NamedCurve {
   if (hex.includes(P256_OID)) {
     return NamedCurve.P256;
   } else if (hex.includes(P384_OID)) {
@@ -155,9 +156,10 @@ export async function pemPublicToCrypto(
 }
 /**
+ * Detect JWS algorithm from hex-encoded key/certificate data.
  * Look up JWK algorithm at https://github.com/panva/jose/issues/210
  */
-function toJwsAlg(hex: string) {
+export function toJwsAlg(hex: string) {
   const a = guessAlgorithmName(hex);
   if (a === ECDH) {
     return 'ECDH-ES';

package/src/opentdf.ts CHANGED Viewed

@@ -3,6 +3,8 @@ import { ConfigurationError, InvalidFileError } from './errors.js';
 export { Client as TDF3Client } from '../tdf3/src/client/index.js';
 import { Chunker, fromSource, sourceToStream, type Source } from './seekable.js';
 import { Client as TDF3Client } from '../tdf3/src/client/index.js';
+import { type CryptoService, type KeyPair } from '../tdf3/src/crypto/declarations.js';
+import * as DefaultCryptoService from '../tdf3/src/crypto/index.js';
 import {
   type Assertion,
   AssertionConfig,
@@ -33,6 +35,7 @@ import { Policy } from '../tdf3/src/models/policy.js';
 export {
   type Assertion,
+  type CryptoService,
   type EncryptionInformation,
   type IntegrityAlgorithm,
   type KasPublicKeyAlgorithm,
@@ -96,7 +99,10 @@ export type SplitStep = {
   sid?: string;
 };
-/** Options specific to the ZTDF container format. */
+/**
+ * Options specific to the ZTDF container format.
+ * @deprecated Use {@link CreateTDFOptions} instead.
+ */
 export type CreateZTDFOptions = CreateOptions & {
   /** Configuration for bound metadata. */
   assertionConfigs?: AssertionConfig[];
@@ -123,6 +129,9 @@ export type CreateZTDFOptions = CreateOptions & {
   tdfSpecVersion?: '4.2.2' | '4.3.0';
 };
+/** Options for creating a TDF. */
+export type CreateTDFOptions = CreateZTDFOptions;
 /** Settings for decrypting any variety of TDF file. */
 export type ReadOptions = {
   /** The ciphertext source. */
@@ -172,7 +181,14 @@ export type OpenTDFOptions = {
    * These often must be registered via a DPoP flow with the IdP
    * which is out of the scope of this library.
    */
-  dpopKeys?: Promise<CryptoKeyPair>;
+  dpopKeys?: Promise<KeyPair>;
+  /**
+   * Optional custom CryptoService implementation.
+   * If not provided, defaults to the browser's native Web Crypto API.
+   * This allows injecting HSM-backed or other secure crypto implementations.
+   */
+  cryptoService?: CryptoService;
 };
 /** A decorated readable stream. */
@@ -235,7 +251,7 @@ export type TDFReader = {
  *   platformUrl: 'https://platform.example.com',
  * });
  *
- * const cipherText = await client.createZTDF({
+ * const cipherText = await client.createTDF({
  *   source: { type: 'stream', location: source },
  *   autoconfigure: false,
  * });
@@ -257,7 +273,9 @@ export class OpenTDF {
   /** Default options for reading TDF objects. */
   defaultReadOptions: Omit<ReadOptions, 'source'>;
   /** The DPoP keys for this instance, if any. */
-  readonly dpopKeys: Promise<CryptoKeyPair>;
+  readonly dpopKeys: Promise<KeyPair>;
+  /** The CryptoService implementation for this instance. */
+  readonly cryptoService: CryptoService;
   /** The TDF3 client for encrypting and decrypting ZTDF files. */
   readonly tdf3Client: TDF3Client;
@@ -269,6 +287,7 @@ export class OpenTDF {
     disableDPoP,
     policyEndpoint,
     platformUrl,
+    cryptoService,
   }: OpenTDFOptions) {
     this.authProvider = authProvider;
     this.defaultCreateOptions = defaultCreateOptions || {};
@@ -282,28 +301,28 @@ export class OpenTDF {
       );
     }
     this.policyEndpoint = policyEndpoint || '';
+    this.cryptoService = cryptoService ?? DefaultCryptoService;
     this.tdf3Client = new TDF3Client({
       authProvider,
       dpopKeys,
       kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
       platformUrl,
       policyEndpoint,
+      cryptoService: this.cryptoService,
     });
-    this.dpopKeys =
-      dpopKeys ??
-      crypto.subtle.generateKey(
-        {
-          name: 'RSASSA-PKCS1-v1_5',
-          hash: 'SHA-256',
-          modulusLength: 2048,
-          publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-        },
-        true,
-        ['sign', 'verify']
-      );
+    // Use CryptoService for key generation (returns opaque KeyPair)
+    this.dpopKeys = dpopKeys ?? this.cryptoService.generateSigningKeyPair();
+  }
+  /** Creates a new TDF stream. */
+  async createTDF(opts: CreateTDFOptions): Promise<DecoratedStream> {
+    return this.createZTDF(opts);
   }
-  /** Creates a new ZTDF stream. */
+  /**
+   * Creates a new TDF stream.
+   * @deprecated Use {@link createTDF} instead.
+   */
   async createZTDF(opts: CreateZTDFOptions): Promise<DecoratedStream> {
     opts = { ...this.defaultCreateOptions, ...opts };
     const oldStream = await this.tdf3Client.encrypt({

package/src/policy/discovery.ts CHANGED Viewed

@@ -32,7 +32,7 @@ const ATTRIBUTE_FQN_RE = /^https?:\/\/[a-zA-Z0-9._~%-]+\/attr\/[a-zA-Z0-9._~%-]+
  * Returns all active attributes available on the platform, auto-paginating through all results.
  * An optional namespace name or ID may be provided to filter results.
  *
- * Use this before calling `createZTDF()` to see what attributes are available for data tagging.
+ * Use this before calling `createTDF()` to see what attributes are available for data tagging.
  *
  * @param platformUrl The platform base URL.
  * @param authProvider An auth provider for the request.
@@ -86,7 +86,7 @@ export async function listAttributes(
  * Checks that all provided attribute value FQNs exist on the platform.
  * Validates FQN format first, then verifies existence via the platform API.
  *
- * Use this before `createZTDF()` to catch missing or misspelled attributes early
+ * Use this before `createTDF()` to catch missing or misspelled attributes early
  * instead of discovering the problem at decryption time.
  *
  * @param platformUrl The platform base URL.

package/tdf3/index.ts CHANGED Viewed

@@ -14,10 +14,23 @@ import {
 } from './src/client/builders.js';
 import { type ClientConfig, createSessionKeys } from './src/client/index.js';
 import {
+  type AsymmetricSigningAlgorithm,
   type CryptoService,
   type DecryptResult,
+  type ECCurve,
   type EncryptResult,
+  type HashAlgorithm,
+  type HkdfParams,
+  type KeyPair,
+  type KeyOptions,
+  type KeyAlgorithm,
   type PemKeyPair,
+  type PrivateKey,
+  type PublicKey,
+  type PublicKeyInfo,
+  type SigningAlgorithm,
+  type SymmetricKey,
+  type SymmetricSigningAlgorithm,
 } from './src/crypto/declarations.js';
 import { Client, Errors, TDF3Client } from './src/index.js';
 import {
@@ -35,18 +48,31 @@ import { type Chunker } from '../src/seekable.js';
 export type {
   AlgorithmName,
   AlgorithmUrn,
+  AsymmetricSigningAlgorithm,
   AuthProvider,
   Chunker,
   CryptoService,
+  DecryptKeyMiddleware,
   DecryptResult,
+  DecryptStreamMiddleware,
+  ECCurve,
+  EncryptKeyMiddleware,
   EncryptResult,
+  EncryptStreamMiddleware,
+  HashAlgorithm,
+  HkdfParams,
   HttpMethod,
+  KeyPair,
+  KeyOptions,
+  KeyAlgorithm,
   PemKeyPair,
-  EncryptKeyMiddleware,
-  EncryptStreamMiddleware,
-  DecryptKeyMiddleware,
-  DecryptStreamMiddleware,
+  PrivateKey,
+  PublicKey,
+  PublicKeyInfo,
+  SigningAlgorithm,
   SplitStep,
+  SymmetricKey,
+  SymmetricSigningAlgorithm,
 };
 export {
@@ -74,7 +100,8 @@ export {
   version,
 };
-export * as WebCryptoService from './src/crypto/index.js';
+export { DefaultCryptoService as WebCryptoService } from './src/crypto/index.js';
+// export the other methods from crypto/index.js that aren't part of CryptoService but are needed for JWT handling
 export {
   type CreateOptions,
   type CreateZTDFOptions,