@opentdf/sdk 0.9.0-rc.82 → 0.10.0-beta.95

package/src/policy/discovery.ts

@@ -0,0 +1,222 @@
+import { ConnectError, Code } from '@connectrpc/connect';
+import { AttributeNotFoundError, ConfigurationError, NetworkError } from '../errors.js';
+import { type AuthProvider } from '../auth/auth.js';
+import { extractRpcErrorMessage, validateSecureUrl } from '../utils.js';
+import { PlatformClient } from '../platform.js';
+import type { Attribute } from '../platform/policy/objects_pb.js';
+
+// Caps the pagination loop in listAttributes. 10 pages × 1000 records = 10,000
+// attributes maximum, which is generous for browser use while preventing runaway
+// memory growth if a server repeatedly returns a non-zero next_offset.
+const MAX_LIST_ATTRIBUTES_PAGES = 10;
+
+// Number of attributes to request per page. Matches the platform's default
+// (ListRequestLimitDefault = 1000) so behavior is stable regardless of server config.
+const LIST_ATTRIBUTES_PAGE_SIZE = 1000;
+
+// Matches the server-side proto constraint: GetAttributeValuesByFqnsRequest has
+// max_items: 250 on the fqns field, so the client rejects oversized requests
+// locally instead of receiving a cryptic server validation error.
+const MAX_VALIDATE_FQNS = 250;
+
+// Attribute value FQN format: https://<namespace>/attr/<name>/value/<value>
+// Restricts to safe URL characters to prevent XSS via FQNs in error messages
+const ATTRIBUTE_VALUE_FQN_RE =
+  /^https?:\/\/[a-zA-Z0-9._~%-]+\/attr\/[a-zA-Z0-9._~%-]+\/value\/[a-zA-Z0-9._~%-]+$/i;
+
+// Attribute-level FQN format: https://<namespace>/attr/<name>  (no /value/ segment)
+// Restricts to safe URL characters to prevent XSS via FQNs in error messages
+const ATTRIBUTE_FQN_RE = /^https?:\/\/[a-zA-Z0-9._~%-]+\/attr\/[a-zA-Z0-9._~%-]+$/i;
+
+/**
+ * Returns all active attributes available on the platform, auto-paginating through all results.
+ * An optional namespace name or ID may be provided to filter results.
+ *
+ * Use this before calling `createTDF()` to see what attributes are available for data tagging.
+ *
+ * @param platformUrl The platform base URL.
+ * @param authProvider An auth provider for the request.
+ * @param namespace Optional namespace name or ID to filter results.
+ * @returns All active {@link Attribute} objects on the platform.
+ *
+ * @example
+ * ```ts
+ * const attrs = await listAttributes(platformUrl, authProvider);
+ * for (const a of attrs) {
+ *   console.log(a.fqn);
+ * }
+ * ```
+ */
+export async function listAttributes(
+  platformUrl: string,
+  authProvider: AuthProvider,
+  namespace?: string
+): Promise<Attribute[]> {
+  if (!validateSecureUrl(platformUrl)) {
+    throw new ConfigurationError('platformUrl must use HTTPS protocol');
+  }
+  const platform = new PlatformClient({ authProvider, platformUrl });
+  const result: Attribute[] = [];
+  let nextOffset = 0;
+
+  for (let pages = 0; pages < MAX_LIST_ATTRIBUTES_PAGES; pages++) {
+    let resp;
+    try {
+      resp = await platform.v1.attributes.listAttributes({
+        namespace: namespace ?? '',
+        pagination: { offset: nextOffset, limit: LIST_ATTRIBUTES_PAGE_SIZE },
+      });
+    } catch (e) {
+      throw new NetworkError(`[ListAttributes] ${extractRpcErrorMessage(e)}`);
+    }
+
+    result.push(...resp.attributes);
+    nextOffset = resp.pagination?.nextOffset ?? 0;
+    if (nextOffset === 0) {
+      return result;
+    }
+  }
+
+  throw new ConfigurationError(
+    `listAttributes returned more than ${MAX_LIST_ATTRIBUTES_PAGES * LIST_ATTRIBUTES_PAGE_SIZE} attributes. Use the namespace parameter to narrow results.`
+  );
+}
+
+/**
+ * Checks that all provided attribute value FQNs exist on the platform.
+ * Validates FQN format first, then verifies existence via the platform API.
+ *
+ * Use this before `createTDF()` to catch missing or misspelled attributes early
+ * instead of discovering the problem at decryption time.
+ *
+ * @param platformUrl The platform base URL.
+ * @param authProvider An auth provider for the request.
+ * @param fqns Attribute value FQNs to validate, in the form
+ *   `https://<namespace>/attr/<name>/value/<value>`.
+ * @throws {@link AttributeNotFoundError} if any FQNs are not found on the platform.
+ * @throws {@link ConfigurationError} if the FQN format is invalid or there are too many FQNs.
+ *
+ * @example
+ * ```ts
+ * await validateAttributes(platformUrl, authProvider, [
+ *   'https://opentdf.io/attr/department/value/marketing',
+ * ]);
+ * // Safe to encrypt — all attributes confirmed present
+ * ```
+ */
+export async function validateAttributes(
+  platformUrl: string,
+  authProvider: AuthProvider,
+  fqns: string[]
+): Promise<void> {
+  if (!fqns || fqns.length === 0) {
+    return;
+  }
+
+  if (!validateSecureUrl(platformUrl)) {
+    throw new ConfigurationError('platformUrl must use HTTPS protocol');
+  }
+
+  if (fqns.length > MAX_VALIDATE_FQNS) {
+    throw new ConfigurationError(
+      `too many attribute FQNs: ${fqns.length} exceeds maximum of ${MAX_VALIDATE_FQNS}`
+    );
+  }
+
+  for (const fqn of fqns) {
+    if (!ATTRIBUTE_VALUE_FQN_RE.test(fqn)) {
+      throw new ConfigurationError('invalid attribute value FQN format');
+    }
+  }
+
+  const platform = new PlatformClient({ authProvider, platformUrl });
+  let resp;
+  try {
+    resp = await platform.v1.attributes.getAttributeValuesByFqns({ fqns });
+  } catch (e) {
+    throw new NetworkError(`[GetAttributeValuesByFqns] ${extractRpcErrorMessage(e)}`);
+  }
+
+  const found = resp.fqnAttributeValues;
+  const missing = fqns.filter((fqn) => !(fqn in found));
+  if (missing.length > 0) {
+    throw new AttributeNotFoundError(`attribute not found: ${missing.length} FQN(s) missing`);
+  }
+}
+
+/**
+ * Reports whether the attribute definition identified by `attributeFqn` exists on the platform.
+ *
+ * `attributeFqn` should be an attribute-level FQN (no `/value/` segment):
+ * `https://<namespace>/attr/<attribute_name>`
+ *
+ * @param platformUrl The platform base URL.
+ * @param authProvider An auth provider for the request.
+ * @param attributeFqn The attribute-level FQN to check.
+ * @returns `true` if the attribute exists, `false` if it does not.
+ * @throws {@link ConfigurationError} if the FQN format is invalid or the URL is insecure.
+ * @throws {@link NetworkError} if a non-not-found service error occurs.
+ */
+export async function attributeExists(
+  platformUrl: string,
+  authProvider: AuthProvider,
+  attributeFqn: string
+): Promise<boolean> {
+  if (!validateSecureUrl(platformUrl)) {
+    throw new ConfigurationError('platformUrl must use HTTPS protocol');
+  }
+
+  if (!ATTRIBUTE_FQN_RE.test(attributeFqn)) {
+    throw new ConfigurationError('invalid attribute FQN format');
+  }
+
+  const platform = new PlatformClient({ authProvider, platformUrl });
+  try {
+    await platform.v1.attributes.getAttribute({
+      identifier: { case: 'fqn', value: attributeFqn },
+    });
+    return true;
+  } catch (e) {
+    if (e instanceof ConnectError && e.code === Code.NotFound) {
+      return false;
+    }
+    throw new NetworkError(`[GetAttribute] ${extractRpcErrorMessage(e)}`);
+  }
+}
+
+/**
+ * Reports whether the attribute value FQN exists on the platform.
+ *
+ * `valueFqn` should be a full attribute value FQN (with `/value/` segment):
+ * `https://<namespace>/attr/<attribute_name>/value/<value>`
+ *
+ * @param platformUrl The platform base URL.
+ * @param authProvider An auth provider for the request.
+ * @param valueFqn The attribute value FQN to check.
+ * @returns `true` if the value exists, `false` if it does not.
+ * @throws {@link ConfigurationError} if the FQN format is invalid or the URL is insecure.
+ * @throws {@link NetworkError} if a service error occurs.
+ */
+export async function attributeValueExists(
+  platformUrl: string,
+  authProvider: AuthProvider,
+  valueFqn: string
+): Promise<boolean> {
+  if (!validateSecureUrl(platformUrl)) {
+    throw new ConfigurationError('platformUrl must use HTTPS protocol');
+  }
+
+  if (!ATTRIBUTE_VALUE_FQN_RE.test(valueFqn)) {
+    throw new ConfigurationError('invalid attribute value FQN format');
+  }
+
+  const platform = new PlatformClient({ authProvider, platformUrl });
+  let resp;
+  try {
+    resp = await platform.v1.attributes.getAttributeValuesByFqns({ fqns: [valueFqn] });
+  } catch (e) {
+    throw new NetworkError(`[GetAttributeValuesByFqns] ${extractRpcErrorMessage(e)}`);
+  }
+
+  return valueFqn in resp.fqnAttributeValues;
+}

package/src/version.ts

@@ -1,7 +1,7 @@
 /**
  * Exposes the released version number of the `@opentdf/sdk` package
  */
-export const version = '0.9.0'; // x-release-please-version
+export const version = '0.10.0'; // x-release-please-version
 
 /**
  * A string name used to label requests as coming from this library client.

package/tdf3/index.ts

@@ -14,10 +14,23 @@ import {
 } from './src/client/builders.js';
 import { type ClientConfig, createSessionKeys } from './src/client/index.js';
 import {
+  type AsymmetricSigningAlgorithm,
   type CryptoService,
   type DecryptResult,
+  type ECCurve,
   type EncryptResult,
+  type HashAlgorithm,
+  type HkdfParams,
+  type KeyPair,
+  type KeyOptions,
+  type KeyAlgorithm,
   type PemKeyPair,
+  type PrivateKey,
+  type PublicKey,
+  type PublicKeyInfo,
+  type SigningAlgorithm,
+  type SymmetricKey,
+  type SymmetricSigningAlgorithm,
 } from './src/crypto/declarations.js';
 import { Client, Errors, TDF3Client } from './src/index.js';
 import {
@@ -35,18 +48,31 @@ import { type Chunker } from '../src/seekable.js';
 export type {
   AlgorithmName,
   AlgorithmUrn,
+  AsymmetricSigningAlgorithm,
   AuthProvider,
   Chunker,
   CryptoService,
+  DecryptKeyMiddleware,
   DecryptResult,
+  DecryptStreamMiddleware,
+  ECCurve,
+  EncryptKeyMiddleware,
   EncryptResult,
+  EncryptStreamMiddleware,
+  HashAlgorithm,
+  HkdfParams,
   HttpMethod,
+  KeyPair,
+  KeyOptions,
+  KeyAlgorithm,
   PemKeyPair,
-  EncryptKeyMiddleware,
-  EncryptStreamMiddleware,
-  DecryptKeyMiddleware,
-  DecryptStreamMiddleware,
+  PrivateKey,
+  PublicKey,
+  PublicKeyInfo,
+  SigningAlgorithm,
   SplitStep,
+  SymmetricKey,
+  SymmetricSigningAlgorithm,
 };
 
 export {
@@ -74,7 +100,8 @@ export {
   version,
 };
 
-export * as WebCryptoService from './src/crypto/index.js';
+export { DefaultCryptoService as WebCryptoService } from './src/crypto/index.js';
+// export the other methods from crypto/index.js that aren't part of CryptoService but are needed for JWT handling
 export {
   type CreateOptions,
   type CreateZTDFOptions,

package/tdf3/src/assertions.ts

@@ -1,8 +1,14 @@
 import { canonicalizeEx } from 'json-canonicalize';
-import { SignJWT, jwtVerify, importJWK, importX509 } from 'jose';
 import { base64, hex } from '../../src/encodings/index.js';
 import { ConfigurationError, IntegrityError, InvalidFileError } from '../../src/errors.js';
 import { tdfSpecVersion, version as sdkVersion } from '../../src/version.js';
+import {
+  type CryptoService,
+  type PrivateKey,
+  type PublicKey,
+  type SymmetricKey,
+} from './crypto/declarations.js';
+import { decodeProtectedHeader, signJwt, verifyJwt, type JwtHeader } from './crypto/jwt.js';
 
 export type AssertionKeyAlg = 'ES256' | 'RS256' | 'HS256';
 export type AssertionType = 'handling' | 'other';
@@ -41,39 +47,69 @@ export type AssertionPayload = {
 /**
  * Computes the SHA-256 hash of the assertion object, excluding the 'binding' and 'hash' properties.
  *
+ * @param a - The assertion to hash
+ * @param cryptoService - The crypto service to use for hashing
  * @returns the hexadecimal string representation of the hash
  */
-export async function hash(a: Assertion): Promise<string> {
+export async function hash(a: Assertion, cryptoService: CryptoService): Promise<string> {
   const result = canonicalizeEx(a, {
     exclude: ['binding', 'hash', 'sign', 'verify', 'signingKey'],
   });
 
-  const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(result));
-  return hex.encodeArrayBuffer(hash);
+  const hashBytes = await cryptoService.digest('SHA-256', new TextEncoder().encode(result));
+  return hex.encodeArrayBuffer(hashBytes.buffer);
 }
 
 /**
  * Signs the given hash and signature using the provided key and sets the binding method and signature.
  *
- * @param hash - The hash to be signed.
+ * @param thiz - The assertion to sign.
+ * @param assertionHash - The hash to be signed.
  * @param sig - The signature to be signed.
- * @param {AssertionKey} key - The key used for signing.
- * @returns {Promise<void>} A promise that resolves when the signing is complete.
+ * @param key - The key used for signing.
+ * @param cryptoService - The crypto service to use for signing.
+ * @returns A promise that resolves to the signed assertion.
  */
 async function sign(
   thiz: Assertion,
   assertionHash: string,
   sig: string,
-  key: AssertionKey
+  key: AssertionKey,
+  cryptoService: CryptoService
 ): Promise<Assertion> {
   const payload: AssertionPayload = {
     assertionHash,
     assertionSig: sig,
   };
 
+  const header: JwtHeader = { alg: key.alg };
+
+  if (typeof key.key === 'object' && '_brand' in key.key && key.key._brand === 'PublicKey') {
+    throw new ConfigurationError(
+      'Cannot sign assertion with PublicKey. Use PrivateKey or SymmetricKey for signing.'
+    );
+  }
+
+  let signingMaterial: PrivateKey | SymmetricKey;
+  if (typeof key.key === 'string') {
+    if (!cryptoService.importPrivateKey) {
+      throw new ConfigurationError(
+        'CryptoService does not support importing private keys. Cannot sign assertion with a PEM string. Use PrivateKey or SymmetricKey for signing.'
+      );
+    }
+    signingMaterial = await cryptoService.importPrivateKey(key.key, {
+      usage: 'sign',
+      extractable: false,
+    });
+  } else if (key.key instanceof Uint8Array) {
+    signingMaterial = await cryptoService.importSymmetricKey(key.key);
+  } else {
+    signingMaterial = key.key as PrivateKey | SymmetricKey;
+  }
+
   let token: string;
   try {
-    token = await new SignJWT(payload).setProtectedHeader({ alg: key.alg }).sign(key.key);
+    token = await signJwt(cryptoService, payload, signingMaterial, header);
   } catch (error) {
     throw new ConfigurationError(`Signing assertion failed: ${error.message}`, error);
   }
@@ -107,36 +143,54 @@ export function isAssertionConfig(obj: unknown): obj is AssertionConfig {
 /**
  * Verifies the signature of the assertion using the provided key.
  *
- * @param {AssertionKey} key - The key used for verification.
- * @returns {Promise<[string, string]>} A promise that resolves to a tuple containing the assertion hash and signature.
- * @throws {Error} If the verification fails.
+ * @param thiz - The assertion to verify.
+ * @param aggregateHash - The aggregate hash for integrity checking.
+ * @param key - The key used for verification.
+ * @param isLegacyTDF - Whether this is a legacy TDF format.
+ * @param cryptoService - The crypto service to use for verification.
+ * @throws {InvalidFileError} If the verification fails.
+ * @throws {IntegrityError} If the integrity check fails.
  */
 export async function verify(
   thiz: Assertion,
   aggregateHash: Uint8Array,
   key: AssertionKey,
-  isLegacyTDF: boolean
+  isLegacyTDF: boolean,
+  cryptoService: CryptoService
 ): Promise<void> {
   let payload: AssertionPayload;
   try {
-    const uj = await jwtVerify(thiz.binding.signature, async (header) => {
-      if (header.jwk) {
-        return await importJWK(header.jwk, header.alg);
-      }
-      if (header.x5c && header.x5c.length > 0) {
-        const cert = `-----BEGIN CERTIFICATE-----\n${header.x5c[0]}\n-----END CERTIFICATE-----`;
-        return await importX509(cert, header.alg);
-      }
-      return key.key;
+    // Parse JWT header to check for embedded keys (jwk or x5c)
+    const header = decodeProtectedHeader(thiz.binding.signature);
+
+    // Runtime check: ensure we have a verification key, not a signing key
+    if (typeof key.key === 'object' && '_brand' in key.key && key.key._brand === 'PrivateKey') {
+      throw new ConfigurationError(
+        'Cannot verify assertion with PrivateKey. Use PublicKey or SymmetricKey for verification.'
+      );
+    }
+    let verificationKey: string | Uint8Array | PublicKey | SymmetricKey = key.key;
+
+    if (header.jwk) {
+      // Convert embedded JWK to PEM
+      verificationKey = await cryptoService.jwkToPublicKeyPem(header.jwk as JsonWebKey);
+    } else if (header.x5c && Array.isArray(header.x5c) && header.x5c.length > 0) {
+      // Extract public key from X.509 certificate
+      const cert = `-----BEGIN CERTIFICATE-----\n${header.x5c[0]}\n-----END CERTIFICATE-----`;
+      verificationKey = await cryptoService.extractPublicKeyPem(cert);
+    }
+
+    const result = await verifyJwt(cryptoService, thiz.binding.signature, verificationKey, {
+      algorithms: [key.alg],
     });
-    payload = uj.payload as AssertionPayload;
+    payload = result.payload as AssertionPayload;
   } catch (error) {
     throw new InvalidFileError(`Verifying assertion failed: ${error.message}`, error);
   }
   const { assertionHash, assertionSig } = payload;
 
   // Get the hash of the assertion
-  const hashOfAssertion = await hash(thiz);
+  const hashOfAssertion = await hash(thiz, cryptoService);
 
   // check if assertionHash is same as hashOfAssertion
   if (hashOfAssertion !== assertionHash) {
@@ -164,13 +218,17 @@ export async function verify(
 
 /**
  * Creates an Assertion object with the specified properties.
- */
-/**
- * Creates an Assertion object with the specified properties.
+ *
+ * @param aggregateHash - The aggregate hash for the assertion.
+ * @param assertionConfig - The configuration for the assertion.
+ * @param cryptoService - The crypto service to use for signing.
+ * @param targetVersion - The target TDF spec version.
+ * @returns The created assertion.
  */
 export async function CreateAssertion(
   aggregateHash: Uint8Array | string,
   assertionConfig: AssertionConfig,
+  cryptoService: CryptoService,
   targetVersion?: string
 ): Promise<Assertion> {
   if (!assertionConfig.signingKey) {
@@ -187,7 +245,7 @@ export async function CreateAssertion(
     binding: { method: '', signature: '' },
   };
 
-  const assertionHash = await hash(a);
+  const assertionHash = await hash(a, cryptoService);
   let encodedHash: string;
   switch (targetVersion || '4.3.0') {
     case '4.2.2':
@@ -212,12 +270,23 @@ export async function CreateAssertion(
       throw new ConfigurationError(`Unsupported TDF spec version: [${targetVersion}]`);
   }
 
-  return await sign(a, assertionHash, encodedHash, assertionConfig.signingKey);
+  return await sign(a, assertionHash, encodedHash, assertionConfig.signingKey, cryptoService);
 }
 
+// TODO: Split AssertionKey into two separate types:
+//   - AssertionSigningKey: key restricted to PrivateKey | SymmetricKey (no strings, no raw bytes)
+//   - AssertionVerificationKey: key restricted to string | PublicKey | SymmetricKey
+// This would make the signing/verification distinction type-safe rather than relying on runtime checks.
+// AssertionConfig.signingKey would use AssertionSigningKey; verify() and AssertionVerificationKeys would use AssertionVerificationKey.
+
+/**
+ * Key used for signing or verifying assertions.
+ * For asymmetric algorithms (RS256, ES256): PEM string, PrivateKey (for signing), or PublicKey (for verification).
+ * For symmetric algorithms (HS256): Uint8Array or SymmetricKey (opaque).
+ */
 export type AssertionKey = {
   alg: AssertionKeyAlg;
-  key: CryptoKey | Uint8Array;
+  key: string | Uint8Array | PrivateKey | PublicKey | SymmetricKey;
 };
 
 // AssertionConfig is a shadow of Assertion with the addition of the signing key.

package/tdf3/src/ciphers/aes-gcm-cipher.ts

@@ -7,6 +7,7 @@ import {
   type CryptoService,
   type DecryptResult,
   type EncryptResult,
+  type SymmetricKey,
 } from '../crypto/declarations.js';
 
 const KEY_LENGTH = 32;
@@ -45,7 +46,7 @@ export class AesGcmCipher extends SymmetricCipher {
    * result from the crypto service and construct the payload automatically from
    * it's parts.  There is no need to process the payload.
    */
-  override async encrypt(payload: Binary, key: Binary, iv: Binary): Promise<EncryptResult> {
+  override async encrypt(payload: Binary, key: SymmetricKey, iv: Binary): Promise<EncryptResult> {
     const toConcat: Uint8Array[] = [];
     const result = await this.cryptoService.encrypt(payload, key, iv, Algorithms.AES_256_GCM);
     toConcat.push(new Uint8Array(iv.asArrayBuffer()));
@@ -62,7 +63,11 @@ export class AesGcmCipher extends SymmetricCipher {
    * @returns
    */
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  override async decrypt(buffer: ArrayBuffer, key: Binary, iv?: Binary): Promise<DecryptResult> {
+  override async decrypt(
+    buffer: ArrayBuffer,
+    key: SymmetricKey,
+    iv?: Binary
+  ): Promise<DecryptResult> {
     const { payload, payloadIv, payloadAuthTag } = processGcmPayload(buffer);
 
     return this.cryptoService.decrypt(

package/tdf3/src/ciphers/symmetric-cipher-base.ts

@@ -3,7 +3,9 @@ import {
   type CryptoService,
   type DecryptResult,
   type EncryptResult,
+  type SymmetricKey,
 } from '../crypto/declarations.js';
+import { encodeArrayBuffer as hexEncode } from '../../../src/encodings/hex.js';
 
 export abstract class SymmetricCipher {
   cryptoService: CryptoService;
@@ -22,17 +24,18 @@ export abstract class SymmetricCipher {
     if (!this.ivLength) {
       throw Error('No iv length');
     }
-    return this.cryptoService.generateInitializationVector(this.ivLength);
+    const bytes = await this.cryptoService.randomBytes(this.ivLength);
+    return hexEncode(bytes.buffer);
   }
 
-  async generateKey(): Promise<string> {
+  async generateKey(): Promise<SymmetricKey> {
     if (!this.keyLength) {
       throw Error('No key length');
     }
     return this.cryptoService.generateKey(this.keyLength);
   }
 
-  abstract encrypt(payload: Binary, key: Binary, iv: Binary): Promise<EncryptResult>;
+  abstract encrypt(payload: Binary, key: SymmetricKey, iv: Binary): Promise<EncryptResult>;
 
-  abstract decrypt(payload: Uint8Array, key: Binary, iv?: Binary): Promise<DecryptResult>;
+  abstract decrypt(payload: Uint8Array, key: SymmetricKey, iv?: Binary): Promise<DecryptResult>;
 }

package/tdf3/src/client/builders.ts

@@ -4,7 +4,7 @@ import { type Metadata } from '../tdf.js';
 import { Binary } from '../binary.js';
 
 import { ConfigurationError } from '../../../src/errors.js';
-import { PemKeyPair } from '../crypto/declarations.js';
+import { PemKeyPair, type SymmetricKey } from '../crypto/declarations.js';
 import { DecoratedReadableStream } from './DecoratedReadableStream.js';
 import { type Chunker } from '../../../src/seekable.js';
 import { AssertionConfig, AssertionVerificationKeys } from '../assertions.js';
@@ -516,7 +516,7 @@ class EncryptParamsBuilder {
   }
 }
 
-export type DecryptKeyMiddleware = (key: Binary) => Promise<Binary>;
+export type DecryptKeyMiddleware = (key: SymmetricKey) => Promise<SymmetricKey>;
 
 export type DecryptStreamMiddleware = (
   stream: DecoratedReadableStream