@opentdf/sdk 0.9.0-beta.92 → 0.9.0-beta.94

package/tdf3/src/assertions.ts

@@ -1,8 +1,14 @@
 import { canonicalizeEx } from 'json-canonicalize';
-import { SignJWT, jwtVerify, importJWK, importX509 } from 'jose';
 import { base64, hex } from '../../src/encodings/index.js';
 import { ConfigurationError, IntegrityError, InvalidFileError } from '../../src/errors.js';
 import { tdfSpecVersion, version as sdkVersion } from '../../src/version.js';
+import {
+  type CryptoService,
+  type PrivateKey,
+  type PublicKey,
+  type SymmetricKey,
+} from './crypto/declarations.js';
+import { decodeProtectedHeader, signJwt, verifyJwt, type JwtHeader } from './crypto/jwt.js';
 
 export type AssertionKeyAlg = 'ES256' | 'RS256' | 'HS256';
 export type AssertionType = 'handling' | 'other';
@@ -41,39 +47,69 @@ export type AssertionPayload = {
 /**
  * Computes the SHA-256 hash of the assertion object, excluding the 'binding' and 'hash' properties.
  *
+ * @param a - The assertion to hash
+ * @param cryptoService - The crypto service to use for hashing
  * @returns the hexadecimal string representation of the hash
  */
-export async function hash(a: Assertion): Promise<string> {
+export async function hash(a: Assertion, cryptoService: CryptoService): Promise<string> {
   const result = canonicalizeEx(a, {
     exclude: ['binding', 'hash', 'sign', 'verify', 'signingKey'],
   });
 
-  const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(result));
-  return hex.encodeArrayBuffer(hash);
+  const hashBytes = await cryptoService.digest('SHA-256', new TextEncoder().encode(result));
+  return hex.encodeArrayBuffer(hashBytes.buffer);
 }
 
 /**
  * Signs the given hash and signature using the provided key and sets the binding method and signature.
  *
- * @param hash - The hash to be signed.
+ * @param thiz - The assertion to sign.
+ * @param assertionHash - The hash to be signed.
  * @param sig - The signature to be signed.
- * @param {AssertionKey} key - The key used for signing.
- * @returns {Promise<void>} A promise that resolves when the signing is complete.
+ * @param key - The key used for signing.
+ * @param cryptoService - The crypto service to use for signing.
+ * @returns A promise that resolves to the signed assertion.
  */
 async function sign(
   thiz: Assertion,
   assertionHash: string,
   sig: string,
-  key: AssertionKey
+  key: AssertionKey,
+  cryptoService: CryptoService
 ): Promise<Assertion> {
   const payload: AssertionPayload = {
     assertionHash,
     assertionSig: sig,
   };
 
+  const header: JwtHeader = { alg: key.alg };
+
+  if (typeof key.key === 'object' && '_brand' in key.key && key.key._brand === 'PublicKey') {
+    throw new ConfigurationError(
+      'Cannot sign assertion with PublicKey. Use PrivateKey or SymmetricKey for signing.'
+    );
+  }
+
+  let signingMaterial: PrivateKey | SymmetricKey;
+  if (typeof key.key === 'string') {
+    if (!cryptoService.importPrivateKey) {
+      throw new ConfigurationError(
+        'CryptoService does not support importing private keys. Cannot sign assertion with a PEM string. Use PrivateKey or SymmetricKey for signing.'
+      );
+    }
+    signingMaterial = await cryptoService.importPrivateKey(key.key, {
+      usage: 'sign',
+      extractable: false,
+    });
+  } else if (key.key instanceof Uint8Array) {
+    signingMaterial = await cryptoService.importSymmetricKey(key.key);
+  } else {
+    signingMaterial = key.key as PrivateKey | SymmetricKey;
+  }
+
   let token: string;
   try {
-    token = await new SignJWT(payload).setProtectedHeader({ alg: key.alg }).sign(key.key);
+    token = await signJwt(cryptoService, payload, signingMaterial, header);
   } catch (error) {
     throw new ConfigurationError(`Signing assertion failed: ${error.message}`, error);
   }
@@ -107,36 +143,54 @@ export function isAssertionConfig(obj: unknown): obj is AssertionConfig {
 /**
  * Verifies the signature of the assertion using the provided key.
  *
- * @param {AssertionKey} key - The key used for verification.
- * @returns {Promise<[string, string]>} A promise that resolves to a tuple containing the assertion hash and signature.
- * @throws {Error} If the verification fails.
+ * @param thiz - The assertion to verify.
+ * @param aggregateHash - The aggregate hash for integrity checking.
+ * @param key - The key used for verification.
+ * @param isLegacyTDF - Whether this is a legacy TDF format.
+ * @param cryptoService - The crypto service to use for verification.
+ * @throws {InvalidFileError} If the verification fails.
+ * @throws {IntegrityError} If the integrity check fails.
  */
 export async function verify(
   thiz: Assertion,
   aggregateHash: Uint8Array,
   key: AssertionKey,
-  isLegacyTDF: boolean
+  isLegacyTDF: boolean,
+  cryptoService: CryptoService
 ): Promise<void> {
   let payload: AssertionPayload;
   try {
-    const uj = await jwtVerify(thiz.binding.signature, async (header) => {
-      if (header.jwk) {
-        return await importJWK(header.jwk, header.alg);
-      }
-      if (header.x5c && header.x5c.length > 0) {
-        const cert = `-----BEGIN CERTIFICATE-----\n${header.x5c[0]}\n-----END CERTIFICATE-----`;
-        return await importX509(cert, header.alg);
-      }
-      return key.key;
+    // Parse JWT header to check for embedded keys (jwk or x5c)
+    const header = decodeProtectedHeader(thiz.binding.signature);
+
+    // Runtime check: ensure we have a verification key, not a signing key
+    if (typeof key.key === 'object' && '_brand' in key.key && key.key._brand === 'PrivateKey') {
+      throw new ConfigurationError(
+        'Cannot verify assertion with PrivateKey. Use PublicKey or SymmetricKey for verification.'
+      );
+    }
+    let verificationKey: string | Uint8Array | PublicKey | SymmetricKey = key.key;
+
+    if (header.jwk) {
+      // Convert embedded JWK to PEM
+      verificationKey = await cryptoService.jwkToPublicKeyPem(header.jwk as JsonWebKey);
+    } else if (header.x5c && Array.isArray(header.x5c) && header.x5c.length > 0) {
+      // Extract public key from X.509 certificate
+      const cert = `-----BEGIN CERTIFICATE-----\n${header.x5c[0]}\n-----END CERTIFICATE-----`;
+      verificationKey = await cryptoService.extractPublicKeyPem(cert);
+    }
+
+    const result = await verifyJwt(cryptoService, thiz.binding.signature, verificationKey, {
+      algorithms: [key.alg],
     });
-    payload = uj.payload as AssertionPayload;
+    payload = result.payload as AssertionPayload;
   } catch (error) {
     throw new InvalidFileError(`Verifying assertion failed: ${error.message}`, error);
   }
   const { assertionHash, assertionSig } = payload;
 
   // Get the hash of the assertion
-  const hashOfAssertion = await hash(thiz);
+  const hashOfAssertion = await hash(thiz, cryptoService);
 
   // check if assertionHash is same as hashOfAssertion
   if (hashOfAssertion !== assertionHash) {
@@ -164,13 +218,17 @@ export async function verify(
 
 /**
  * Creates an Assertion object with the specified properties.
- */
-/**
- * Creates an Assertion object with the specified properties.
+ *
+ * @param aggregateHash - The aggregate hash for the assertion.
+ * @param assertionConfig - The configuration for the assertion.
+ * @param cryptoService - The crypto service to use for signing.
+ * @param targetVersion - The target TDF spec version.
+ * @returns The created assertion.
  */
 export async function CreateAssertion(
   aggregateHash: Uint8Array | string,
   assertionConfig: AssertionConfig,
+  cryptoService: CryptoService,
   targetVersion?: string
 ): Promise<Assertion> {
   if (!assertionConfig.signingKey) {
@@ -187,7 +245,7 @@ export async function CreateAssertion(
     binding: { method: '', signature: '' },
   };
 
-  const assertionHash = await hash(a);
+  const assertionHash = await hash(a, cryptoService);
   let encodedHash: string;
   switch (targetVersion || '4.3.0') {
     case '4.2.2':
@@ -212,12 +270,23 @@ export async function CreateAssertion(
       throw new ConfigurationError(`Unsupported TDF spec version: [${targetVersion}]`);
   }
 
-  return await sign(a, assertionHash, encodedHash, assertionConfig.signingKey);
+  return await sign(a, assertionHash, encodedHash, assertionConfig.signingKey, cryptoService);
 }
 
+// TODO: Split AssertionKey into two separate types:
+//   - AssertionSigningKey: key restricted to PrivateKey | SymmetricKey (no strings, no raw bytes)
+//   - AssertionVerificationKey: key restricted to string | PublicKey | SymmetricKey
+// This would make the signing/verification distinction type-safe rather than relying on runtime checks.
+// AssertionConfig.signingKey would use AssertionSigningKey; verify() and AssertionVerificationKeys would use AssertionVerificationKey.
+
+/**
+ * Key used for signing or verifying assertions.
+ * For asymmetric algorithms (RS256, ES256): PEM string, PrivateKey (for signing), or PublicKey (for verification).
+ * For symmetric algorithms (HS256): Uint8Array or SymmetricKey (opaque).
+ */
 export type AssertionKey = {
   alg: AssertionKeyAlg;
-  key: CryptoKey | Uint8Array;
+  key: string | Uint8Array | PrivateKey | PublicKey | SymmetricKey;
 };
 
 // AssertionConfig is a shadow of Assertion with the addition of the signing key.

package/tdf3/src/ciphers/aes-gcm-cipher.ts

@@ -7,6 +7,7 @@ import {
   type CryptoService,
   type DecryptResult,
   type EncryptResult,
+  type SymmetricKey,
 } from '../crypto/declarations.js';
 
 const KEY_LENGTH = 32;
@@ -45,7 +46,7 @@ export class AesGcmCipher extends SymmetricCipher {
    * result from the crypto service and construct the payload automatically from
    * it's parts.  There is no need to process the payload.
    */
-  override async encrypt(payload: Binary, key: Binary, iv: Binary): Promise<EncryptResult> {
+  override async encrypt(payload: Binary, key: SymmetricKey, iv: Binary): Promise<EncryptResult> {
     const toConcat: Uint8Array[] = [];
     const result = await this.cryptoService.encrypt(payload, key, iv, Algorithms.AES_256_GCM);
     toConcat.push(new Uint8Array(iv.asArrayBuffer()));
@@ -62,7 +63,11 @@ export class AesGcmCipher extends SymmetricCipher {
    * @returns
    */
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  override async decrypt(buffer: ArrayBuffer, key: Binary, iv?: Binary): Promise<DecryptResult> {
+  override async decrypt(
+    buffer: ArrayBuffer,
+    key: SymmetricKey,
+    iv?: Binary
+  ): Promise<DecryptResult> {
     const { payload, payloadIv, payloadAuthTag } = processGcmPayload(buffer);
 
     return this.cryptoService.decrypt(

package/tdf3/src/ciphers/symmetric-cipher-base.ts

@@ -3,7 +3,9 @@ import {
   type CryptoService,
   type DecryptResult,
   type EncryptResult,
+  type SymmetricKey,
 } from '../crypto/declarations.js';
+import { encodeArrayBuffer as hexEncode } from '../../../src/encodings/hex.js';
 
 export abstract class SymmetricCipher {
   cryptoService: CryptoService;
@@ -22,17 +24,18 @@ export abstract class SymmetricCipher {
     if (!this.ivLength) {
       throw Error('No iv length');
     }
-    return this.cryptoService.generateInitializationVector(this.ivLength);
+    const bytes = await this.cryptoService.randomBytes(this.ivLength);
+    return hexEncode(bytes.buffer);
   }
 
-  async generateKey(): Promise<string> {
+  async generateKey(): Promise<SymmetricKey> {
     if (!this.keyLength) {
       throw Error('No key length');
     }
     return this.cryptoService.generateKey(this.keyLength);
   }
 
-  abstract encrypt(payload: Binary, key: Binary, iv: Binary): Promise<EncryptResult>;
+  abstract encrypt(payload: Binary, key: SymmetricKey, iv: Binary): Promise<EncryptResult>;
 
-  abstract decrypt(payload: Uint8Array, key: Binary, iv?: Binary): Promise<DecryptResult>;
+  abstract decrypt(payload: Uint8Array, key: SymmetricKey, iv?: Binary): Promise<DecryptResult>;
 }

package/tdf3/src/client/builders.ts

@@ -4,7 +4,7 @@ import { type Metadata } from '../tdf.js';
 import { Binary } from '../binary.js';
 
 import { ConfigurationError } from '../../../src/errors.js';
-import { PemKeyPair } from '../crypto/declarations.js';
+import { PemKeyPair, type SymmetricKey } from '../crypto/declarations.js';
 import { DecoratedReadableStream } from './DecoratedReadableStream.js';
 import { type Chunker } from '../../../src/seekable.js';
 import { AssertionConfig, AssertionVerificationKeys } from '../assertions.js';
@@ -516,7 +516,7 @@ class EncryptParamsBuilder {
   }
 }
 
-export type DecryptKeyMiddleware = (key: Binary) => Promise<Binary>;
+export type DecryptKeyMiddleware = (key: SymmetricKey) => Promise<SymmetricKey>;
 
 export type DecryptStreamMiddleware = (
   stream: DecoratedReadableStream

package/tdf3/src/client/index.ts

@@ -19,12 +19,7 @@ import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-pr
 import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
 import { CryptoService } from '../crypto/declarations.js';
 import { type AuthProvider, HttpRequest, withHeaders } from '../../../src/auth/auth.js';
-import {
-  getPlatformUrlFromKasEndpoint,
-  pemToCryptoPublicKey,
-  rstrip,
-  validateSecureUrl,
-} from '../../../src/utils.js';
+import { getPlatformUrlFromKasEndpoint, rstrip, validateSecureUrl } from '../../../src/utils.js';
 
 import {
   type DecryptParams,
@@ -42,13 +37,11 @@ import { DecoratedReadableStream } from './DecoratedReadableStream.js';
 import {
   fetchKeyAccessServers,
   type KasPublicKeyInfo,
-  keyAlgorithmToPublicKeyAlgorithm,
   OriginAllowList,
 } from '../../../src/access.js';
 import { ConfigurationError } from '../../../src/errors.js';
-import { Binary } from '../binary.js';
 import { AesGcmCipher } from '../ciphers/aes-gcm-cipher.js';
-import { toCryptoKeyPair } from '../crypto/crypto-utils.js';
+import { type KeyPair, type SymmetricKey } from '../crypto/declarations.js';
 import * as defaultCryptoService from '../crypto/index.js';
 import {
   type AttributeObject,
@@ -69,24 +62,23 @@ const defaultClientConfig = { oidcOrigin: '', cryptoService: defaultCryptoServic
 
 const getFirstTwoBytes = async (chunker: Chunker) => new TextDecoder().decode(await chunker(0, 2));
 
-async function algorithmFromPEM(pem: string) {
-  const k: CryptoKey = await pemToCryptoPublicKey(pem);
-  return keyAlgorithmToPublicKeyAlgorithm(k);
+async function algorithmFromPEM(pem: string, cryptoService: CryptoService) {
+  const keyInfo = await cryptoService.parsePublicKeyPem(pem);
+  return keyInfo.algorithm;
 }
 
-// Convert a PEM string to a CryptoKey
+// Convert a PEM string to KasPublicKeyInfo
 export const resolveKasInfo = async (
   pem: string,
   uri: string,
+  cryptoService: CryptoService,
   kid?: string
 ): Promise<KasPublicKeyInfo> => {
-  const k: CryptoKey = await pemToCryptoPublicKey(pem);
-  const algorithm = keyAlgorithmToPublicKeyAlgorithm(k);
+  const keyInfo = await cryptoService.parsePublicKeyPem(pem);
   return {
-    key: Promise.resolve(k),
     publicKey: pem,
     url: uri,
-    algorithm,
+    algorithm: keyInfo.algorithm,
     kid: kid,
   };
 };
@@ -132,7 +124,7 @@ export interface ClientConfig {
   /// oauth client id; used to generate oauth authProvider
   clientId?: string;
   dpopEnabled?: boolean;
-  dpopKeys?: Promise<CryptoKeyPair>;
+  dpopKeys?: Promise<KeyPair>;
   kasEndpoint: string;
   /**
    * Service to use to look up ABAC. Used during autoconfigure. Defaults to
@@ -177,28 +169,23 @@ export interface ClientConfig {
  */
 export async function createSessionKeys({
   authProvider,
-  // FIXME use cryptoservice to generate keys again
   cryptoService,
   dpopKeys,
 }: {
   authProvider?: AuthProvider;
   cryptoService: CryptoService;
-  dpopKeys?: Promise<CryptoKeyPair>;
-}): Promise<CryptoKeyPair> {
-  let signingKeys: CryptoKeyPair;
+  dpopKeys?: Promise<KeyPair>;
+}): Promise<KeyPair> {
+  let signingKeys: KeyPair;
   if (dpopKeys) {
     signingKeys = await dpopKeys;
   } else {
-    const keys = await cryptoService.generateSigningKeyPair();
-    // signingKeys = await crypto.subtle.generateKey(rsaPkcs1Sha256(), true, ['sign']);
-    signingKeys = await toCryptoKeyPair(keys);
+    // generateSigningKeyPair returns opaque KeyPair
+    signingKeys = await cryptoService.generateSigningKeyPair();
   }
 
   // This will contact the auth server and forcibly refresh the auth token claims,
   // binding the token and the (new) pubkey together.
-  // Note that we base64 encode the PEM string here as a quick workaround, simply because
-  // a formatted raw PEM string isn't a valid header value and sending it raw makes keycloak's
-  // header parser barf. There are more subtle ways to solve this, but this works for now.
   if (authProvider) {
     await authProvider?.updateClientPublicKey(signingKeys);
   }
@@ -301,7 +288,8 @@ const putKasKeyIntoCache = (
   cache: KasKeyInfoCache,
   kasKey: Omit<SimpleKasKey, 'publicKey'> & {
     publicKey: Exclude<SimpleKasKey['publicKey'], undefined>;
-  }
+  },
+  cryptoService: CryptoService
 ): ReturnType<typeof fetchKasPublicKey> => {
   const algorithmString = algorithmEnumValueToString(kasKey.publicKey.algorithm);
   const cachedEntry = findEntryInCache(cache, kasKey.kasUri, algorithmString, kasKey.publicKey.kid);
@@ -309,12 +297,9 @@ const putKasKeyIntoCache = (
     return cachedEntry;
   }
   const keyInfoPromise = (async function () {
-    const keyPromise = pemToCryptoPublicKey(kasKey.publicKey.pem);
-    const key = await keyPromise;
-    const algorithm = keyAlgorithmToPublicKeyAlgorithm(key);
+    const keyInfo = await cryptoService.parsePublicKeyPem(kasKey.publicKey.pem);
     return {
-      algorithm: algorithm,
-      key: keyPromise,
+      algorithm: keyInfo.algorithm,
       kid: kasKey.publicKey.kid,
       publicKey: kasKey.publicKey.pem,
       url: kasKey.kasUri,
@@ -371,7 +356,7 @@ export class Client {
   /**
    * Session binding keys. Used for DPoP and signed request bodies.
    */
-  readonly dpopKeys: Promise<CryptoKeyPair>;
+  readonly dpopKeys: Promise<KeyPair>;
 
   readonly dpopEnabled: boolean;
 
@@ -453,18 +438,24 @@ export class Client {
       //browser-based OIDC login and authentication process against the OIDC endpoint using their chosen method,
       //and provide us with a valid refresh token/clientId obtained from that process.
       if (clientConfig.refreshToken) {
-        this.authProvider = new OIDCRefreshTokenProvider({
-          clientId: clientConfig.clientId,
-          refreshToken: clientConfig.refreshToken,
-          oidcOrigin: clientConfig.oidcOrigin,
-        });
+        this.authProvider = new OIDCRefreshTokenProvider(
+          {
+            clientId: clientConfig.clientId,
+            refreshToken: clientConfig.refreshToken,
+            oidcOrigin: clientConfig.oidcOrigin,
+          },
+          this.cryptoService
+        );
       } else if (clientConfig.externalJwt) {
         //Are we exchanging a JWT previously issued by a trusted external entity (e.g. Google) for a bearer token?
-        this.authProvider = new OIDCExternalJwtProvider({
-          clientId: clientConfig.clientId,
-          externalJwt: clientConfig.externalJwt,
-          oidcOrigin: clientConfig.oidcOrigin,
-        });
+        this.authProvider = new OIDCExternalJwtProvider(
+          {
+            clientId: clientConfig.clientId,
+            externalJwt: clientConfig.externalJwt,
+            oidcOrigin: clientConfig.oidcOrigin,
+          },
+          this.cryptoService
+        );
       }
     }
     this.dpopKeys = createSessionKeys({
@@ -509,22 +500,27 @@ export class Client {
       metadata,
       mimeType = 'unknown',
       windowSize = DEFAULT_SEGMENT_SIZE,
-      keyMiddleware = defaultKeyMiddleware,
+      keyMiddleware: keyMiddlewareOpt,
       splitPlan: preconfiguredSplitPlan,
       streamMiddleware = async (stream: DecoratedReadableStream) => stream,
       tdfSpecVersion,
       wrappingKeyAlgorithm,
     } = opts;
+    const keyMiddleware = keyMiddlewareOpt ?? (() => defaultKeyMiddleware(this.cryptoService));
     const scope = opts.scope ?? { attributes: [], dissem: [] };
 
     for (const attributeValue of scope.attributeValues || []) {
       for (const kasKey of attributeValue.kasKeys) {
         if (kasKey.publicKey !== undefined) {
-          await putKasKeyIntoCache(this.kasKeyInfoCache, {
-            // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already.
-            ...kasKey,
-            publicKey: kasKey.publicKey,
-          });
+          await putKasKeyIntoCache(
+            this.kasKeyInfoCache,
+            {
+              // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already.
+              ...kasKey,
+              publicKey: kasKey.publicKey,
+            },
+            this.cryptoService
+          );
         }
       }
     }
@@ -594,11 +590,15 @@ export class Client {
       for (const attributeValue of attributeValues) {
         for (const kasKey of effectiveKasKeys(attributeValue)) {
           if (kasKey.publicKey !== undefined) {
-            await putKasKeyIntoCache(this.kasKeyInfoCache, {
-              // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already.
-              ...kasKey,
-              publicKey: kasKey.publicKey,
-            });
+            await putKasKeyIntoCache(
+              this.kasKeyInfoCache,
+              {
+                // TypeScript is silly and cannot infer that publicKey is not undefined, without re-referencing it like this, even though we checked already.
+                ...kasKey,
+                publicKey: kasKey.publicKey,
+              },
+              this.cryptoService
+            );
           }
         }
       }
@@ -606,7 +606,7 @@ export class Client {
       const detailedPlan = plan(attributeValues);
       for (const item of detailedPlan) {
         if ('kid' in item.kas) {
-          const pemAlgorithm = await algorithmFromPEM(item.kas.pem);
+          const pemAlgorithm = await algorithmFromPEM(item.kas.pem, this.cryptoService);
           const kasPublicKeyInfo = await this._doFetchKasKeyWithCache(
             this.kasKeyInfoCache,
             item.kas.kasUri,
@@ -694,7 +694,7 @@ export class Client {
     }
     encryptionInformation.keyAccess = await Promise.all(
       splitPlan.map(async ({ kas, kid, pem, sid }) => {
-        const algorithm = await algorithmFromPEM(pem);
+        const algorithm = await algorithmFromPEM(pem, this.cryptoService);
         if (algorithm !== wrappingKeyAlgorithm) {
           console.warn(
             `Mismatched wrapping key algorithm: [${algorithm}] is not requested type, [${wrappingKeyAlgorithm}]`
@@ -722,6 +722,7 @@ export class Client {
           publicKey: pem,
           metadata,
           sid,
+          cryptoService: this.cryptoService,
         });
       })
     );
@@ -765,7 +766,7 @@ export class Client {
   async decrypt({
     source,
     allowList,
-    keyMiddleware = async (key: Binary) => key,
+    keyMiddleware = async (key: SymmetricKey) => key,
     streamMiddleware = async (stream: DecoratedReadableStream) => stream,
     assertionVerificationKeys,
     noVerifyAssertions,

package/tdf3/src/crypto/crypto-utils.ts

@@ -1,5 +1,5 @@
 import { base64 } from '../../../src/encodings/index.js';
-import { type AnyKeyPair, type PemKeyPair } from './declarations.js';
+import { type PemKeyPair } from './declarations.js';
 import { rsaPkcs1Sha256 } from './index.js';
 
 /**
@@ -73,7 +73,10 @@ export const removePemFormatting = (input: string): string => {
 const PEMRE =
   /-----BEGIN\s((?:RSA\s)?(?:PUBLIC\sKEY|PRIVATE\sKEY|CERTIFICATE))-----[\s0-9A-Za-z+/=]+-----END\s\1-----/;
 
-export const isPemKeyPair = (i: AnyKeyPair): i is PemKeyPair => {
+/**
+ * Type guard to check if a key pair is a PemKeyPair.
+ */
+export const isPemKeyPair = (i: PemKeyPair | CryptoKeyPair): i is PemKeyPair => {
   const { privateKey, publicKey } = i;
   if (typeof privateKey !== 'string' || typeof publicKey !== 'string') {
     return false;
@@ -89,7 +92,10 @@ export const isPemKeyPair = (i: AnyKeyPair): i is PemKeyPair => {
   return true;
 };
 
-export const isCryptoKeyPair = (i: AnyKeyPair): i is CryptoKeyPair => {
+/**
+ * Type guard to check if a key pair is a CryptoKeyPair.
+ */
+export const isCryptoKeyPair = (i: PemKeyPair | CryptoKeyPair): i is CryptoKeyPair => {
   const { privateKey, publicKey } = i;
   if (typeof privateKey !== 'object' || typeof publicKey !== 'object') {
     return false;
@@ -100,12 +106,13 @@ export const isCryptoKeyPair = (i: AnyKeyPair): i is CryptoKeyPair => {
   return privateKey.type === 'private' && publicKey.type === 'public';
 };
 
-export const toCryptoKeyPair = async (input: AnyKeyPair): Promise<CryptoKeyPair> => {
-  if (isCryptoKeyPair(input)) {
-    return input;
-  }
+/**
+ * Convert a PemKeyPair to CryptoKeyPair for internal use.
+ * This is needed when interfacing with APIs that still require CryptoKey objects.
+ */
+export const toCryptoKeyPair = async (input: PemKeyPair): Promise<CryptoKeyPair> => {
   if (!isPemKeyPair(input)) {
-    throw new Error('internal: generated invalid keypair');
+    throw new Error('internal: invalid PEM keypair');
   }
   const k = [input.publicKey, input.privateKey]
     .map(removePemFormatting)