npm - @opentdf/sdk - Versions diffs - 0.9.0-rc.82 → 0.10.0-beta.95 - Mend

@opentdf/sdk 0.9.0-rc.82 → 0.10.0-beta.95

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (207) hide show

package/README.md +2 -2
package/dist/cjs/src/access/access-fetch.js +1 -2
package/dist/cjs/src/access/access-rpc.js +1 -3
package/dist/cjs/src/access.js +1 -14
package/dist/cjs/src/auth/auth.js +13 -10
package/dist/cjs/src/auth/dpop.js +121 -0
package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +37 -3
package/dist/cjs/src/auth/oidc-externaljwt-provider.js +37 -3
package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +37 -3
package/dist/cjs/src/auth/oidc.js +10 -8
package/dist/cjs/src/auth/providers.js +35 -12
package/dist/cjs/src/crypto/enums.js +1 -1
package/dist/cjs/src/crypto/index.js +16 -2
package/dist/cjs/src/crypto/pemPublicToCrypto.js +24 -20
package/dist/cjs/src/errors.js +14 -2
package/dist/cjs/src/index.js +8 -2
package/dist/cjs/src/opentdf.js +50 -13
package/dist/cjs/src/policy/discovery.js +188 -0
package/dist/cjs/src/version.js +2 -2
package/dist/cjs/tdf3/index.js +4 -2
package/dist/cjs/tdf3/src/assertions.js +71 -31
package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
package/dist/cjs/tdf3/src/client/index.js +23 -33
package/dist/cjs/tdf3/src/crypto/crypto-utils.js +12 -5
package/dist/cjs/tdf3/src/crypto/declarations.js +1 -1
package/dist/cjs/tdf3/src/crypto/index.js +849 -88
package/dist/cjs/tdf3/src/crypto/jose/jwt-claims-set.js +11 -0
package/dist/cjs/tdf3/src/crypto/jose/validate-crit.js +8 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +41 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/epoch.js +6 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/is_object.js +21 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +112 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/secs.js +60 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +38 -0
package/dist/cjs/tdf3/src/crypto/jose/vendor/util/errors.js +135 -0
package/dist/cjs/tdf3/src/crypto/jwt.js +183 -0
package/dist/cjs/tdf3/src/crypto/salt.js +14 -8
package/dist/cjs/tdf3/src/models/encryption-information.js +17 -20
package/dist/cjs/tdf3/src/models/key-access.js +43 -63
package/dist/cjs/tdf3/src/tdf.js +75 -75
package/dist/cjs/tdf3/src/utils/index.js +5 -39
package/dist/types/src/access/access-fetch.d.ts.map +1 -1
package/dist/types/src/access/access-rpc.d.ts.map +1 -1
package/dist/types/src/access.d.ts +0 -5
package/dist/types/src/access.d.ts.map +1 -1
package/dist/types/src/auth/auth.d.ts +9 -6
package/dist/types/src/auth/auth.d.ts.map +1 -1
package/dist/types/src/auth/dpop.d.ts +60 -0
package/dist/types/src/auth/dpop.d.ts.map +1 -0
package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc-externaljwt-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-externaljwt-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts +3 -2
package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts.map +1 -1
package/dist/types/src/auth/oidc.d.ts +6 -4
package/dist/types/src/auth/oidc.d.ts.map +1 -1
package/dist/types/src/auth/providers.d.ts +5 -4
package/dist/types/src/auth/providers.d.ts.map +1 -1
package/dist/types/src/crypto/enums.d.ts +1 -1
package/dist/types/src/crypto/index.d.ts +2 -1
package/dist/types/src/crypto/index.d.ts.map +1 -1
package/dist/types/src/crypto/pemPublicToCrypto.d.ts +18 -0
package/dist/types/src/crypto/pemPublicToCrypto.d.ts.map +1 -1
package/dist/types/src/errors.d.ts +8 -0
package/dist/types/src/errors.d.ts.map +1 -1
package/dist/types/src/index.d.ts +2 -1
package/dist/types/src/index.d.ts.map +1 -1
package/dist/types/src/opentdf.d.ts +26 -7
package/dist/types/src/opentdf.d.ts.map +1 -1
package/dist/types/src/policy/discovery.d.ts +74 -0
package/dist/types/src/policy/discovery.d.ts.map +1 -0
package/dist/types/src/version.d.ts +1 -1
package/dist/types/src/version.d.ts.map +1 -1
package/dist/types/tdf3/index.d.ts +3 -3
package/dist/types/tdf3/index.d.ts.map +1 -1
package/dist/types/tdf3/src/assertions.d.ts +23 -8
package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts +3 -3
package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts.map +1 -1
package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts +4 -4
package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts.map +1 -1
package/dist/types/tdf3/src/client/builders.d.ts +2 -2
package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
package/dist/types/tdf3/src/client/index.d.ts +6 -5
package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts +14 -4
package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/declarations.d.ts +283 -18
package/dist/types/tdf3/src/crypto/declarations.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/index.d.ts +105 -28
package/dist/types/tdf3/src/crypto/index.d.ts.map +1 -1
package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts +5 -0
package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts +6 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts +3 -0
package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts +76 -0
package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/jwt.d.ts +76 -0
package/dist/types/tdf3/src/crypto/jwt.d.ts.map +1 -0
package/dist/types/tdf3/src/crypto/salt.d.ts +6 -1
package/dist/types/tdf3/src/crypto/salt.d.ts.map +1 -1
package/dist/types/tdf3/src/models/encryption-information.d.ts +4 -4
package/dist/types/tdf3/src/models/encryption-information.d.ts.map +1 -1
package/dist/types/tdf3/src/models/key-access.d.ts +8 -5
package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
package/dist/types/tdf3/src/tdf.d.ts +8 -8
package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
package/dist/types/tdf3/src/utils/index.d.ts +4 -3
package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
package/dist/web/src/access/access-fetch.js +3 -4
package/dist/web/src/access/access-rpc.js +3 -5
package/dist/web/src/access.js +1 -13
package/dist/web/src/auth/auth.js +13 -10
package/dist/web/src/auth/dpop.js +118 -0
package/dist/web/src/auth/oidc-clientcredentials-provider.js +4 -3
package/dist/web/src/auth/oidc-externaljwt-provider.js +4 -3
package/dist/web/src/auth/oidc-refreshtoken-provider.js +4 -3
package/dist/web/src/auth/oidc.js +11 -9
package/dist/web/src/auth/providers.js +13 -12
package/dist/web/src/crypto/enums.js +1 -1
package/dist/web/src/crypto/index.js +4 -2
package/dist/web/src/crypto/pemPublicToCrypto.js +18 -18
package/dist/web/src/errors.js +12 -1
package/dist/web/src/index.js +3 -2
package/dist/web/src/opentdf.js +17 -13
package/dist/web/src/policy/discovery.js +182 -0
package/dist/web/src/version.js +2 -2
package/dist/web/tdf3/index.js +3 -2
package/dist/web/tdf3/src/assertions.js +71 -31
package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
package/dist/web/tdf3/src/client/index.js +25 -35
package/dist/web/tdf3/src/crypto/crypto-utils.js +12 -5
package/dist/web/tdf3/src/crypto/declarations.js +1 -1
package/dist/web/tdf3/src/crypto/index.js +830 -84
package/dist/web/tdf3/src/crypto/jose/jwt-claims-set.js +5 -0
package/dist/web/tdf3/src/crypto/jose/validate-crit.js +3 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +35 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/epoch.js +4 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/is_object.js +19 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +107 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/secs.js +58 -0
package/dist/web/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +36 -0
package/dist/web/tdf3/src/crypto/jose/vendor/util/errors.js +117 -0
package/dist/web/tdf3/src/crypto/jwt.js +174 -0
package/dist/web/tdf3/src/crypto/salt.js +13 -7
package/dist/web/tdf3/src/models/encryption-information.js +11 -14
package/dist/web/tdf3/src/models/key-access.js +44 -31
package/dist/web/tdf3/src/tdf.js +71 -71
package/dist/web/tdf3/src/utils/index.js +5 -6
package/package.json +11 -4
package/src/access/access-fetch.ts +2 -8
package/src/access/access-rpc.ts +0 -7
package/src/access.ts +0 -17
package/src/auth/auth.ts +21 -12
package/src/auth/dpop.ts +222 -0
package/src/auth/oidc-clientcredentials-provider.ts +23 -15
package/src/auth/oidc-externaljwt-provider.ts +23 -15
package/src/auth/oidc-refreshtoken-provider.ts +23 -15
package/src/auth/oidc.ts +21 -10
package/src/auth/providers.ts +46 -29
package/src/crypto/enums.ts +1 -1
package/src/crypto/index.ts +21 -1
package/src/crypto/pemPublicToCrypto.ts +18 -20
package/src/errors.ts +9 -0
package/src/index.ts +7 -0
package/src/opentdf.ts +36 -17
package/src/policy/discovery.ts +222 -0
package/src/version.ts +1 -1
package/tdf3/index.ts +32 -5
package/tdf3/src/assertions.ts +99 -30
package/tdf3/src/ciphers/aes-gcm-cipher.ts +7 -2
package/tdf3/src/ciphers/symmetric-cipher-base.ts +7 -4
package/tdf3/src/client/builders.ts +2 -2
package/tdf3/src/client/index.ts +60 -59
package/tdf3/src/crypto/crypto-utils.ts +15 -8
package/tdf3/src/crypto/declarations.ts +338 -22
package/tdf3/src/crypto/index.ts +1021 -118
package/tdf3/src/crypto/jose/jwt-claims-set.ts +10 -0
package/tdf3/src/crypto/jose/validate-crit.ts +9 -0
package/tdf3/src/crypto/jose/vendor/lib/buffer_utils.ts +34 -0
package/tdf3/src/crypto/jose/vendor/lib/epoch.ts +3 -0
package/tdf3/src/crypto/jose/vendor/lib/is_object.ts +18 -0
package/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.ts +106 -0
package/tdf3/src/crypto/jose/vendor/lib/secs.ts +57 -0
package/tdf3/src/crypto/jose/vendor/lib/validate_crit.ts +35 -0
package/tdf3/src/crypto/jose/vendor/util/errors.ts +101 -0
package/tdf3/src/crypto/jwt.ts +256 -0
package/tdf3/src/crypto/salt.ts +16 -8
package/tdf3/src/models/encryption-information.ts +14 -21
package/tdf3/src/models/key-access.ts +57 -41
package/tdf3/src/tdf.ts +110 -93
package/tdf3/src/utils/index.ts +5 -6

package/src/auth/oidc.ts CHANGED Viewed

@@ -1,8 +1,9 @@
-import { default as dpopFn } from 'dpop';
+import { default as dpopFn } from './dpop.js';
 import { HttpRequest, withHeaders } from './auth.js';
 import { base64 } from '../encodings/index.js';
 import { ConfigurationError, TdfError } from '../errors.js';
-import { cryptoPublicToPem, rstrip } from '../utils.js';
+import { rstrip } from '../utils.js';
+import { type CryptoService, type KeyPair } from '../../tdf3/src/crypto/declarations.js';
 /**
  * Common fields used by all OIDC credentialing flows.
@@ -18,7 +19,7 @@ export type CommonCredentials = {
   dpopEnabled?: boolean;
   /** the client's public key, base64 encoded. Will be bound to the OIDC token. Deprecated. If not set in the constructor, */
-  signingKey?: CryptoKeyPair;
+  signingKey?: KeyPair;
 };
 /**
@@ -94,13 +95,15 @@ export class AccessToken {
   tokenEndpoint: string;
   userInfoEndpoint: string;
-  signingKey?: CryptoKeyPair;
+  signingKey?: KeyPair;
   extraHeaders: Record<string, string> = {};
   currentAccessToken?: string;
-  constructor(cfg: OIDCCredentials, request?: typeof fetch) {
+  cryptoService: CryptoService;
+  constructor(cfg: OIDCCredentials, cryptoService: CryptoService, request?: typeof fetch) {
     if (!cfg.clientId) {
       throw new ConfigurationError(
         'A Keycloak client identifier is currently required for all auth mechanisms'
@@ -121,6 +124,7 @@ export class AccessToken {
       throw new ConfigurationError('Invalid oidc configuration');
     }
     this.config = cfg;
+    this.cryptoService = cryptoService;
     this.request = request;
     this.baseUrl = rstrip(cfg.oidcOrigin, '/');
     this.tokenEndpoint = cfg.oidcTokenEndpoint || `${this.baseUrl}/protocol/openid-connect/token`;
@@ -140,7 +144,12 @@ export class AccessToken {
       Authorization: `Bearer ${accessToken}`,
     } as Record<string, string>;
     if (this.config.dpopEnabled && this.signingKey) {
-      headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'POST');
+      headers.DPoP = await dpopFn(
+        this.signingKey,
+        this.cryptoService,
+        this.userInfoEndpoint,
+        'POST'
+      );
     }
     const response = await (this.request || fetch)(this.userInfoEndpoint, {
       headers,
@@ -165,9 +174,10 @@ export class AccessToken {
       if (!this.signingKey) {
         throw new ConfigurationError('No signature configured');
       }
-      const clientPubKey = await cryptoPublicToPem(this.signingKey.publicKey);
-      headers['X-VirtruPubKey'] = base64.encode(clientPubKey);
-      headers.DPoP = await dpopFn(this.signingKey, url, 'POST');
+      // Export opaque public key to PEM format for header
+      const publicKeyPem = await this.cryptoService.exportPublicKeyPem(this.signingKey.publicKey);
+      headers['X-VirtruPubKey'] = base64.encode(publicKeyPem);
+      headers.DPoP = await dpopFn(this.signingKey, this.cryptoService, url, 'POST');
     }
     return (this.request || fetch)(url, {
       method: 'POST',
@@ -251,7 +261,7 @@ export class AccessToken {
    *
    * Calling this function will trigger a forcible token refresh using the cached refresh token, and contact the auth server.
    */
-  async refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey: CryptoKeyPair): Promise<void> {
+  async refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey: KeyPair): Promise<void> {
     // If we already have a token, and the pubkey changes,
     // we need to force a refresh now - otherwise
     // we can wait until we create the token for the first time
@@ -299,6 +309,7 @@ export class AccessToken {
     if (this.config.dpopEnabled && this.signingKey) {
       const dpopToken = await dpopFn(
         this.signingKey,
+        this.cryptoService,
         httpReq.url,
         httpReq.method,
         /* nonce */ undefined,

package/src/auth/providers.ts CHANGED Viewed

@@ -10,6 +10,8 @@ import { type AuthProvider } from './auth.js';
 import { OIDCRefreshTokenProvider } from './oidc-refreshtoken-provider.js';
 import { isBrowser } from '../utils.js';
 import { ConfigurationError } from '../errors.js';
+import { type CryptoService } from '../../tdf3/src/crypto/declarations.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
 /**
  * Creates an OIDC Client Credentials Provider for non-browser contexts.
@@ -30,15 +32,19 @@ import { ConfigurationError } from '../errors.js';
  *
  */
 export const clientSecretAuthProvider = async (
-  clientConfig: ClientSecretCredentials
+  clientConfig: ClientSecretCredentials,
+  cryptoService: CryptoService = defaultCryptoService
 ): Promise<OIDCClientCredentialsProvider> => {
-  return new OIDCClientCredentialsProvider({
-    clientId: clientConfig.clientId,
-    clientSecret: clientConfig.clientSecret,
-    oidcOrigin: clientConfig.oidcOrigin,
-    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
-    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-  });
+  return new OIDCClientCredentialsProvider(
+    {
+      clientId: clientConfig.clientId,
+      clientSecret: clientConfig.clientSecret,
+      oidcOrigin: clientConfig.oidcOrigin,
+      oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+      oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
+    },
+    cryptoService
+  );
 };
 /**
@@ -58,15 +64,19 @@ export const clientSecretAuthProvider = async (
  * {@link updateClientPublicKey}, which will force an explicit token refresh.
  */
 export const externalAuthProvider = async (
-  clientConfig: ExternalJwtCredentials
+  clientConfig: ExternalJwtCredentials,
+  cryptoService: CryptoService = defaultCryptoService
 ): Promise<OIDCExternalJwtProvider> => {
-  return new OIDCExternalJwtProvider({
-    clientId: clientConfig.clientId,
-    externalJwt: clientConfig.externalJwt,
-    oidcOrigin: clientConfig.oidcOrigin,
-    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
-    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-  });
+  return new OIDCExternalJwtProvider(
+    {
+      clientId: clientConfig.clientId,
+      externalJwt: clientConfig.externalJwt,
+      oidcOrigin: clientConfig.oidcOrigin,
+      oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+      oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
+    },
+    cryptoService
+  );
 };
 /**
@@ -84,15 +94,19 @@ export const externalAuthProvider = async (
  * {@link updateClientPublicKey} which will force an explicit token refresh
  */
 export const refreshAuthProvider = async (
-  clientConfig: RefreshTokenCredentials
+  clientConfig: RefreshTokenCredentials,
+  cryptoService: CryptoService = defaultCryptoService
 ): Promise<OIDCRefreshTokenProvider> => {
-  return new OIDCRefreshTokenProvider({
-    clientId: clientConfig.clientId,
-    refreshToken: clientConfig.refreshToken,
-    oidcOrigin: clientConfig.oidcOrigin,
-    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
-    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-  });
+  return new OIDCRefreshTokenProvider(
+    {
+      clientId: clientConfig.clientId,
+      refreshToken: clientConfig.refreshToken,
+      oidcOrigin: clientConfig.oidcOrigin,
+      oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+      oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
+    },
+    cryptoService
+  );
 };
 /**
@@ -100,7 +114,10 @@ export const refreshAuthProvider = async (
  * @param clientConfig OIDC client credentials
  * @returns a promise for a new auth provider with the requested excahnge type
  */
-export const clientAuthProvider = async (clientConfig: OIDCCredentials): Promise<AuthProvider> => {
+export const clientAuthProvider = async (
+  clientConfig: OIDCCredentials,
+  cryptoService: CryptoService = defaultCryptoService
+): Promise<AuthProvider> => {
   if (!clientConfig.clientId) {
     throw new ConfigurationError('Client ID must be provided to constructor');
   }
@@ -116,13 +133,13 @@ export const clientAuthProvider = async (clientConfig: OIDCCredentials): Promise
     //and provide us with a valid refresh token/clientId obtained from that process.
     switch (clientConfig.exchange) {
       case 'refresh': {
-        return refreshAuthProvider(clientConfig);
+        return refreshAuthProvider(clientConfig, cryptoService);
       }
       case 'external': {
-        return externalAuthProvider(clientConfig);
+        return externalAuthProvider(clientConfig, cryptoService);
       }
       case 'client': {
-        return clientSecretAuthProvider(clientConfig);
+        return clientSecretAuthProvider(clientConfig, cryptoService);
       }
       default:
         throw new ConfigurationError(`Unsupported client type`);
@@ -136,7 +153,7 @@ export const clientAuthProvider = async (clientConfig: OIDCCredentials): Promise
       'When using client credentials, must supply both client ID and client secret to constructor'
     );
   }
-  return clientSecretAuthProvider(clientConfig);
+  return clientSecretAuthProvider(clientConfig, cryptoService);
 };
 export * from './auth.js';

package/src/crypto/enums.ts CHANGED Viewed

@@ -10,7 +10,7 @@ export enum AlgorithmName {
 export enum NamedCurve {
   P256 = 'P-256',
   P384 = 'P-384',
-  P512 = 'P-512',
+  P521 = 'P-521',
 }
 export enum CipherType {

package/src/crypto/index.ts CHANGED Viewed

@@ -6,5 +6,25 @@ export { generateKeyPair } from './generateKeyPair.js';
 export { keyAgreement } from './keyAgreement.js';
 export { default as exportCryptoKey } from './exportCryptoKey.js';
 export { generateRandomNumber } from './generateRandomNumber.js';
-export { pemPublicToCrypto, pemCertToCrypto } from './pemPublicToCrypto.js';
+export {
+  pemPublicToCrypto,
+  pemCertToCrypto,
+  guessAlgorithmName,
+  guessCurveName,
+  toJwsAlg,
+  RSA_OID,
+  EC_OID,
+  P256_OID,
+  P384_OID,
+  P521_OID,
+  type AlgorithmName,
+} from './pemPublicToCrypto.js';
 export * as enums from './enums.js';
+// PEM Formatting Utilities from tdf3
+export {
+  formatAsPem,
+  removePemFormatting,
+  isPemKeyPair,
+  isCryptoKeyPair,
+} from '../../tdf3/src/crypto/crypto-utils.js';

package/src/crypto/pemPublicToCrypto.ts CHANGED Viewed

@@ -31,27 +31,24 @@ import * as base64 from '../encodings/base64.js';
 import { importX509 } from 'jose';
 import { encodeArrayBuffer as hexEncodeArrayBuffer } from '../encodings/hex.js';
 import { ConfigurationError, TdfError } from '../errors.js';
+import { NamedCurve } from './enums.js';
-const RSA_OID = '06092a864886f70d010101';
-const EC_OID = '06072a8648ce3d0201';
-const P256_OID = '06082a8648ce3d030107';
-const P384_OID = '06052b81040022';
-const P521_OID = '06052b81040023';
+// OID constants for algorithm detection (hex-encoded ASN.1 OIDs)
+export const RSA_OID = '06092a864886f70d010101';
+export const EC_OID = '06072a8648ce3d0201';
+export const P256_OID = '06082a8648ce3d030107';
+export const P384_OID = '06052b81040022';
+export const P521_OID = '06052b81040023';
 const SHA_512 = 'SHA-512';
 const SPKI = 'spki';
 const CERT_BEGIN = '-----BEGIN CERTIFICATE-----';
 const CERT_END = '-----END CERTIFICATE-----';
-const P_256 = 'P-256';
-const P_384 = 'P-384';
-const P_512 = 'P-512';
-type CurveName = typeof P_256 | typeof P_384 | typeof P_512;
 const ECDH = 'ECDH';
 const ECDSA = 'ECDSA';
 const RSA_OAEP = 'RSA-OAEP';
 const RSA_PSS = 'RSA-PSS';
-type AlgorithmName = typeof ECDH | typeof ECDSA | typeof RSA_OAEP | typeof RSA_PSS;
+export type AlgorithmName = typeof ECDH | typeof ECDSA | typeof RSA_OAEP | typeof RSA_PSS;
 interface PemPublicToCryptoOptions {
   name?: string;
@@ -75,7 +72,7 @@ function guessKeyUsages(algorithmName: AlgorithmName, usages?: KeyUsage[]): KeyU
   }
 }
-function guessAlgorithmName(hex: string, algorithmName?: string): AlgorithmName {
+export function guessAlgorithmName(hex: string, algorithmName?: string): AlgorithmName {
   if (hex.includes(EC_OID)) {
     if (!algorithmName || algorithmName === ECDH) {
       return ECDH;
@@ -92,13 +89,13 @@ function guessAlgorithmName(hex: string, algorithmName?: string): AlgorithmName
   throw new TypeError(`Invalid public key, ${algorithmName}`);
 }
-function guessCurveName(hex: string): CurveName {
+export function guessCurveName(hex: string): NamedCurve {
   if (hex.includes(P256_OID)) {
-    return P_256;
+    return NamedCurve.P256;
   } else if (hex.includes(P384_OID)) {
-    return P_384;
+    return NamedCurve.P384;
   } else if (hex.includes(P521_OID)) {
-    return P_512;
+    return NamedCurve.P521;
   }
   throw new TdfError('Unsupported curve name or invalid key');
 }
@@ -159,19 +156,20 @@ export async function pemPublicToCrypto(
 }
 /**
+ * Detect JWS algorithm from hex-encoded key/certificate data.
  * Look up JWK algorithm at https://github.com/panva/jose/issues/210
  */
-function toJwsAlg(hex: string) {
+export function toJwsAlg(hex: string) {
   const a = guessAlgorithmName(hex);
   if (a === ECDH) {
     return 'ECDH-ES';
   } else if (a === ECDSA) {
     switch (guessCurveName(hex)) {
-      case 'P-256':
+      case NamedCurve.P256:
         return 'ES256';
-      case 'P-384':
+      case NamedCurve.P384:
         return 'ES384';
-      case 'P-512':
+      case NamedCurve.P521:
         return 'ES512';
     }
   } else if (a === RSA_OAEP) {

package/src/errors.ts CHANGED Viewed

@@ -119,3 +119,12 @@ export class PermissionDeniedError extends TdfError {
 export class UnsupportedFeatureError extends TdfError {
   override name = 'UnsupportedFeatureError';
 }
+/**
+ * One or more attribute value FQNs were not found on the platform.
+ * Thrown by {@link validateAttributes} and {@link validateAttributeValue} when the platform
+ * does not recognize the requested FQNs.
+ */
+export class AttributeNotFoundError extends TdfError {
+  override name = 'AttributeNotFoundError';
+}

package/src/index.ts CHANGED Viewed

@@ -1,6 +1,12 @@
 export { type AuthProvider, type HttpMethod, HttpRequest, withHeaders } from './auth/auth.js';
 export * as AuthProviders from './auth/providers.js';
 export { attributeFQNsAsValues } from './policy/api.js';
+export {
+  listAttributes,
+  validateAttributes,
+  attributeExists,
+  attributeValueExists,
+} from './policy/discovery.js';
 export { version, clientType, tdfSpecVersion } from './version.js';
 export { PlatformClient, type PlatformClientOptions, type PlatformServices } from './platform.js';
 export * from './opentdf.js';
@@ -12,6 +18,7 @@ export {
   DecryptError,
   NetworkError,
   AttributeValidationError,
+  AttributeNotFoundError,
   ConfigurationError,
 } from './errors.js';
 export * from './seekable.js';

package/src/opentdf.ts CHANGED Viewed

@@ -3,6 +3,8 @@ import { ConfigurationError, InvalidFileError } from './errors.js';
 export { Client as TDF3Client } from '../tdf3/src/client/index.js';
 import { Chunker, fromSource, sourceToStream, type Source } from './seekable.js';
 import { Client as TDF3Client } from '../tdf3/src/client/index.js';
+import { type CryptoService, type KeyPair } from '../tdf3/src/crypto/declarations.js';
+import * as DefaultCryptoService from '../tdf3/src/crypto/index.js';
 import {
   type Assertion,
   AssertionConfig,
@@ -33,6 +35,7 @@ import { Policy } from '../tdf3/src/models/policy.js';
 export {
   type Assertion,
+  type CryptoService,
   type EncryptionInformation,
   type IntegrityAlgorithm,
   type KasPublicKeyAlgorithm,
@@ -96,7 +99,10 @@ export type SplitStep = {
   sid?: string;
 };
-/** Options specific to the ZTDF container format. */
+/**
+ * Options specific to the ZTDF container format.
+ * @deprecated Use {@link CreateTDFOptions} instead.
+ */
 export type CreateZTDFOptions = CreateOptions & {
   /** Configuration for bound metadata. */
   assertionConfigs?: AssertionConfig[];
@@ -123,6 +129,9 @@ export type CreateZTDFOptions = CreateOptions & {
   tdfSpecVersion?: '4.2.2' | '4.3.0';
 };
+/** Options for creating a TDF. */
+export type CreateTDFOptions = CreateZTDFOptions;
 /** Settings for decrypting any variety of TDF file. */
 export type ReadOptions = {
   /** The ciphertext source. */
@@ -172,7 +181,14 @@ export type OpenTDFOptions = {
    * These often must be registered via a DPoP flow with the IdP
    * which is out of the scope of this library.
    */
-  dpopKeys?: Promise<CryptoKeyPair>;
+  dpopKeys?: Promise<KeyPair>;
+  /**
+   * Optional custom CryptoService implementation.
+   * If not provided, defaults to the browser's native Web Crypto API.
+   * This allows injecting HSM-backed or other secure crypto implementations.
+   */
+  cryptoService?: CryptoService;
 };
 /** A decorated readable stream. */
@@ -235,7 +251,7 @@ export type TDFReader = {
  *   platformUrl: 'https://platform.example.com',
  * });
  *
- * const cipherText = await client.createZTDF({
+ * const cipherText = await client.createTDF({
  *   source: { type: 'stream', location: source },
  *   autoconfigure: false,
  * });
@@ -257,7 +273,9 @@ export class OpenTDF {
   /** Default options for reading TDF objects. */
   defaultReadOptions: Omit<ReadOptions, 'source'>;
   /** The DPoP keys for this instance, if any. */
-  readonly dpopKeys: Promise<CryptoKeyPair>;
+  readonly dpopKeys: Promise<KeyPair>;
+  /** The CryptoService implementation for this instance. */
+  readonly cryptoService: CryptoService;
   /** The TDF3 client for encrypting and decrypting ZTDF files. */
   readonly tdf3Client: TDF3Client;
@@ -269,6 +287,7 @@ export class OpenTDF {
     disableDPoP,
     policyEndpoint,
     platformUrl,
+    cryptoService,
   }: OpenTDFOptions) {
     this.authProvider = authProvider;
     this.defaultCreateOptions = defaultCreateOptions || {};
@@ -282,28 +301,28 @@ export class OpenTDF {
       );
     }
     this.policyEndpoint = policyEndpoint || '';
+    this.cryptoService = cryptoService ?? DefaultCryptoService;
     this.tdf3Client = new TDF3Client({
       authProvider,
       dpopKeys,
       kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
       platformUrl,
       policyEndpoint,
+      cryptoService: this.cryptoService,
     });
-    this.dpopKeys =
-      dpopKeys ??
-      crypto.subtle.generateKey(
-        {
-          name: 'RSASSA-PKCS1-v1_5',
-          hash: 'SHA-256',
-          modulusLength: 2048,
-          publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-        },
-        true,
-        ['sign', 'verify']
-      );
+    // Use CryptoService for key generation (returns opaque KeyPair)
+    this.dpopKeys = dpopKeys ?? this.cryptoService.generateSigningKeyPair();
+  }
+  /** Creates a new TDF stream. */
+  async createTDF(opts: CreateTDFOptions): Promise<DecoratedStream> {
+    return this.createZTDF(opts);
   }
-  /** Creates a new ZTDF stream. */
+  /**
+   * Creates a new TDF stream.
+   * @deprecated Use {@link createTDF} instead.
+   */
   async createZTDF(opts: CreateZTDFOptions): Promise<DecoratedStream> {
     opts = { ...this.defaultCreateOptions, ...opts };
     const oldStream = await this.tdf3Client.encrypt({