@storacha/encrypt-upload-client 1.1.80 → 1.1.82

package/dist/test/helpers/test-file-utils.js

@@ -0,0 +1,139 @@
+import { KMSMetadata } from '../../src/core/metadata/encrypted-metadata.js';
+/**
+ * Create test data with specific patterns for easy verification
+ *
+ * @param {number} sizeMB - Size of the test file in megabytes
+ * @returns {Blob} A Blob containing test data with predictable patterns
+ */
+export function createTestFile(sizeMB) {
+    const chunkSize = 64 * 1024; // 64KB chunks
+    const totalSize = sizeMB * 1024 * 1024;
+    const numChunks = Math.ceil(totalSize / chunkSize);
+    const chunks = [];
+    for (let i = 0; i < numChunks; i++) {
+        const isLastChunk = i === numChunks - 1;
+        const currentChunkSize = isLastChunk
+            ? totalSize % chunkSize || chunkSize
+            : chunkSize;
+        const chunk = new Uint8Array(currentChunkSize);
+        // Create pattern: chunk index in first byte, then sequence
+        chunk[0] = i % 256;
+        for (let j = 1; j < currentChunkSize; j++) {
+            chunk[j] = (i + j) % 256;
+        }
+        chunks.push(chunk);
+    }
+    return new Blob(chunks, { type: 'application/octet-stream' });
+}
+/**
+ * Convert ReadableStream to Uint8Array
+ *
+ * @param {ReadableStream} stream - The stream to convert
+ * @returns {Promise<Uint8Array>} The stream content as a Uint8Array
+ */
+export async function streamToUint8Array(stream) {
+    const reader = stream.getReader();
+    const chunks = [];
+    // eslint-disable-next-line no-constant-condition
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        chunks.push(value);
+    }
+    const totalLength = chunks.reduce((acc, val) => acc + val.length, 0);
+    const result = new Uint8Array(totalLength);
+    let offset = 0;
+    for (const chunk of chunks) {
+        result.set(chunk, offset);
+        offset += chunk.length;
+    }
+    return result;
+}
+/**
+ * @param {Uint8Array} arr
+ * @returns {string}
+ */
+export function uint8ArrayToString(arr) {
+    return new TextDecoder().decode(arr);
+}
+/**
+ * @param {string} str
+ * @returns {Uint8Array}
+ */
+export function stringToUint8Array(str) {
+    return new TextEncoder().encode(str);
+}
+/**
+ * Check if an error is a memory-related error (out of heap space, etc.)
+ *
+ * @param {unknown} error - The error to check
+ * @returns {boolean} True if the error appears to be memory-related
+ */
+export function isMemoryError(error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    return (errorMessage.includes('heap') ||
+        errorMessage.includes('memory') ||
+        errorMessage.includes('allocation failed') ||
+        errorMessage.includes('out of memory'));
+}
+/**
+ * Test an encryption operation and expect it might fail with memory errors
+ *
+ * @param {Function} encryptOperation - Function that performs encryption
+ * @param {string} operationName - Name of the operation for logging
+ * @returns {Promise<{success: boolean, error?: Error}>} Result of the operation
+ */
+export async function testEncryptionWithMemoryHandling(encryptOperation, operationName) {
+    try {
+        await encryptOperation();
+        return { success: true };
+    }
+    catch (error) {
+        if (isMemoryError(error)) {
+            console.log(`✓ ${operationName} failed as expected: Out of memory`);
+            return {
+                success: false,
+                error: error instanceof Error ? error : new Error(String(error)),
+            };
+        }
+        else {
+            // Re-throw if it's not a memory error
+            throw error;
+        }
+    }
+}
+/**
+ * Create a CAR file with KMS metadata content
+ *
+ * @param {any} content - The KMS metadata content
+ * @returns {Promise<{car: Uint8Array, actualRootCID: import('multiformats').UnknownLink}>}
+ */
+export async function createTestCar(content) {
+    // Create KMS metadata and archive it to get the CAR
+    const kmsMetadata = KMSMetadata.create(content);
+    const { cid, bytes } = await kmsMetadata.archiveBlock();
+    // Use UCANTO's CAR encoding to create a proper CAR file
+    const { CAR } = await import('@ucanto/core');
+    const car = CAR.encode({ roots: [{ cid, bytes }] });
+    return { car, actualRootCID: cid };
+}
+/**
+ * Create a mock BlobLike object for testing
+ *
+ * @param {Uint8Array} data
+ * @returns {import('../../src/types.js').BlobLike}
+ */
+export function createMockBlob(data) {
+    return {
+        stream() {
+            return new ReadableStream({
+                start(controller) {
+                    controller.enqueue(data);
+                    controller.close();
+                },
+            });
+        },
+    };
+}
+//# sourceMappingURL=test-file-utils.js.map

package/dist/test/https-enforcement.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=https-enforcement.spec.d.ts.map

package/dist/test/https-enforcement.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"https-enforcement.spec.d.ts","sourceRoot":"","sources":["../../test/https-enforcement.spec.js"],"names":[],"mappings":""}

package/dist/test/https-enforcement.spec.js

@@ -0,0 +1,125 @@
+import assert from 'node:assert';
+import { describe, test } from 'node:test';
+import { KMSCryptoAdapter } from '../src/crypto/adapters/kms-crypto-adapter.js';
+import { GenericAesCtrStreamingCrypto } from '../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js';
+await describe('HTTPS Enforcement', async () => {
+    await describe('KMSCryptoAdapter Constructor', async () => {
+        await test('should accept valid HTTPS URL as string', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            // Should not throw
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://private.storacha.link', 'did:web:private.storacha.link');
+            assert(adapter instanceof KMSCryptoAdapter, 'Should create adapter successfully');
+            assert.strictEqual(adapter.keyManagerServiceURL.protocol, 'https:', 'Should store HTTPS protocol');
+            assert.strictEqual(adapter.keyManagerServiceURL.toString(), 'https://private.storacha.link/', 'Should store correct URL');
+        });
+        await test('should accept valid HTTPS URL object', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const httpsURL = new URL('https://example.com:8443/path');
+            // Should not throw
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, httpsURL, 'did:web:example.com');
+            assert(adapter instanceof KMSCryptoAdapter, 'Should create adapter successfully');
+            assert.strictEqual(adapter.keyManagerServiceURL.protocol, 'https:', 'Should store HTTPS protocol');
+            assert.strictEqual(adapter.keyManagerServiceURL.toString(), 'https://example.com:8443/path', 'Should preserve URL structure');
+        });
+        await test('should reject HTTP URL string', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, 'http://insecure.example.com', 'did:web:example.com'), /Key manager service must use HTTPS protocol for security/, 'Should reject HTTP protocol');
+        });
+        await test('should reject HTTP URL object', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const httpURL = new URL('http://insecure.example.com');
+            assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, httpURL, 'did:web:example.com'), /Key manager service must use HTTPS protocol for security/, 'Should reject HTTP URL object');
+        });
+        await test('should reject other protocols', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const protocolTestCases = [
+                'ftp://example.com',
+                'ws://example.com',
+                'file://example.com',
+                'data:text/plain;base64,SGVsbG8=',
+            ];
+            for (const testURL of protocolTestCases) {
+                assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, testURL, 'did:web:example.com'), /Key manager service must use HTTPS protocol for security/, `Should reject protocol: ${testURL}`);
+            }
+        });
+        await test('should provide helpful error message', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            try {
+                new KMSCryptoAdapter(symmetricCrypto, 'http://example.com', 'did:web:example.com');
+                assert.fail('Should have thrown an error');
+            }
+            catch (error) {
+                assert(error instanceof Error, 'Should throw Error instance');
+                assert(error.message.includes('Key manager service must use HTTPS protocol'), 'Should include main error message');
+                assert(error.message.includes('Received: http:'), 'Should include received protocol');
+                assert(error.message.includes('https://your-key-manager-service.com'), 'Should include example of correct format');
+            }
+        });
+        await test('should handle localhost development URLs correctly', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            // Even localhost should require HTTPS for consistency
+            assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, 'http://localhost:3000', 'did:web:localhost'), /Key manager service must use HTTPS protocol for security/, 'Should reject HTTP even for localhost');
+            // But HTTPS localhost should work
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://localhost:3000', 'did:web:localhost');
+            assert(adapter instanceof KMSCryptoAdapter, 'Should accept HTTPS localhost');
+        });
+        await test('should handle invalid URL strings gracefully', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, 'not-a-valid-url', 'did:web:example.com'), /Invalid URL/, 'Should throw URL parsing error for invalid URLs');
+        });
+        await test('should preserve all adapter functionality after HTTPS validation', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://private.storacha.link', 'did:web:private.storacha.link');
+            // Verify all expected methods exist
+            assert.strictEqual(typeof adapter.encryptStream, 'function', 'Should have encryptStream method');
+            assert.strictEqual(typeof adapter.decryptStream, 'function', 'Should have decryptStream method');
+            assert.strictEqual(typeof adapter.encryptSymmetricKey, 'function', 'Should have encryptSymmetricKey method');
+            assert.strictEqual(typeof adapter.decryptSymmetricKey, 'function', 'Should have decryptSymmetricKey method');
+            assert.strictEqual(typeof adapter.extractEncryptedMetadata, 'function', 'Should have extractEncryptedMetadata method');
+            assert.strictEqual(typeof adapter.getEncryptedKey, 'function', 'Should have getEncryptedKey method');
+            assert.strictEqual(typeof adapter.encodeMetadata, 'function', 'Should have encodeMetadata method');
+            // Verify adapter properties are set correctly
+            assert(adapter.symmetricCrypto === symmetricCrypto, 'Should store symmetric crypto reference');
+            assert.strictEqual(adapter.keyManagerServiceDID.did(), 'did:web:private.storacha.link', 'Should store gateway DID');
+        });
+    });
+    await describe('Secure by Default Principle', async () => {
+        await test('should demonstrate secure by default - HTTPS is automatically used', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            // All of these should work without any special configuration
+            const validHttpsUrls = [
+                'https://gateway.example.com',
+                'https://localhost:8080',
+                'https://192.168.1.100:3000',
+                'https://api.storacha.network:443/v1',
+            ];
+            for (const url of validHttpsUrls) {
+                const adapter = new KMSCryptoAdapter(symmetricCrypto, url, 'did:web:example.com');
+                assert.strictEqual(adapter.keyManagerServiceURL.protocol, 'https:', `Should store HTTPS protocol for URL: ${url}`);
+            }
+        });
+        await test('should require explicit insecure configuration to bypass HTTPS', async () => {
+            // This demonstrates that HTTP is never accidentally allowed
+            // If someone really needs HTTP (like for testing), they would need to
+            // modify our security validation code intentionally
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const httpUrls = [
+                'http://example.com',
+                'http://localhost:3000',
+                'http://192.168.1.100:8080',
+            ];
+            for (const url of httpUrls) {
+                assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, url, 'did:web:example.com'), /Key manager service must use HTTPS protocol for security/, `Should reject HTTP URL: ${url}`);
+            }
+        });
+        await test('should allow HTTP for testing when explicitly enabled', async () => {
+            // This demonstrates the testing escape hatch
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'http://localhost:8080', 'did:web:localhost', { allowInsecureHttp: true } // Explicit testing option
+            );
+            assert.strictEqual(adapter.keyManagerServiceURL.protocol, 'http:', 'Should allow HTTP when explicitly enabled for testing');
+            assert.strictEqual(adapter.keyManagerServiceURL.toString(), 'http://localhost:8080/', 'Should preserve HTTP URL when testing option is enabled');
+        });
+    });
+});
+//# sourceMappingURL=https-enforcement.spec.js.map

package/dist/test/kms-crypto-adapter.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=kms-crypto-adapter.spec.d.ts.map

package/dist/test/kms-crypto-adapter.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-crypto-adapter.spec.d.ts","sourceRoot":"","sources":["../../test/kms-crypto-adapter.spec.js"],"names":[],"mappings":""}

package/dist/test/kms-crypto-adapter.spec.js

@@ -0,0 +1,305 @@
+import './setup.js';
+import { test, describe } from 'node:test';
+import assert from 'node:assert';
+import * as Server from '@ucanto/server';
+import { base64 } from 'multiformats/bases/base64';
+import * as Space from '@storacha/capabilities/space';
+import { GenericAesCtrStreamingCrypto } from '../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js';
+import { KMSCryptoAdapter } from '../src/crypto/adapters/kms-crypto-adapter.js';
+import { createMockKeyManagerService, createMockKeyManagerServer, } from './mocks/key-manager.js';
+import { createTestFixtures } from './fixtures/test-fixtures.js';
+import { stringToUint8Array, streamToUint8Array, uint8ArrayToString, } from './helpers/test-file-utils.js';
+await describe('KMSCryptoAdapter', async () => {
+    await describe('Unit Tests', async () => {
+        await test('should delegate symmetric crypto operations to the injected implementation', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://private.storacha.link', 'did:web:private.storacha.link');
+            const originalText = 'Op, this is a test for KMS strategy-based encryption!';
+            const blob = new Blob([stringToUint8Array(originalText)]);
+            // Test that it delegates to the symmetric crypto implementation
+            const { key, iv, encryptedStream } = await adapter.encryptStream(blob);
+            assert(key instanceof Uint8Array, 'Key should be a Uint8Array');
+            assert(iv instanceof Uint8Array, 'IV should be a Uint8Array');
+            assert(encryptedStream instanceof ReadableStream, 'Encrypted stream should be a ReadableStream');
+            // Test decryption delegation
+            const decryptedStream = await adapter.decryptStream(encryptedStream, key, iv);
+            const decryptedBytes = await streamToUint8Array(decryptedStream);
+            const decryptedText = uint8ArrayToString(decryptedBytes);
+            assert.strictEqual(decryptedText, originalText, 'Decrypted text should match original');
+        });
+        await test('should initialize KMS adapter with correct configuration', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://private.storacha.link', 'did:web:private.storacha.link');
+            // Test that the adapter can handle encryption options directly
+            assert(typeof adapter.encryptSymmetricKey === 'function', 'encryptSymmetricKey should be a function');
+            // Verify adapter constructor sets properties correctly
+            assert(typeof adapter.keyManagerServiceDID === 'object', 'Adapter should have gateway DID object');
+            assert.strictEqual(adapter.keyManagerServiceDID.did(), 'did:web:private.storacha.link', 'Adapter should have correct gateway DID');
+            assert(adapter.keyManagerServiceURL instanceof URL, 'Adapter should have gateway URL');
+        });
+        await test('should handle metadata extraction with invalid CAR data', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://private.storacha.link', 'did:web:private.storacha.link');
+            // Test that the method exists
+            assert(typeof adapter.extractEncryptedMetadata === 'function', 'extractEncryptedMetadata should be a function');
+            assert(typeof adapter.getEncryptedKey === 'function', 'getEncryptedKey should be a function');
+            // Should throw error for invalid CAR data
+            const mockCar = new Uint8Array([1, 2, 3]);
+            assert.throws(() => {
+                adapter.extractEncryptedMetadata(mockCar);
+            }, /Invalid CAR header format/, 'Should throw error for invalid CAR data');
+        });
+        await test('should sanitize space DID for KMS key ID', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://mock-gateway.example.com', 'did:web:mock');
+            const spaceDID = 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1';
+            const sanitized = adapter.sanitizeSpaceDIDForKMSKeyId(spaceDID);
+            assert.strictEqual(sanitized, 'z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1');
+            assert(!sanitized.includes('did:key:'));
+        });
+    });
+    await describe('Integration Tests', async () => {
+        await test('should complete full encryption workflow with mocked private gateway', async () => {
+            const fixtures = await createTestFixtures();
+            const { keyManagerServiceDID, spaceDID, issuer, publicKeyPem, keyPair, delegationProof, } = fixtures;
+            let setupCalled = false;
+            let decryptCalled = false;
+            let actualEncryptedKey = '';
+            // Create mock gateway service that performs real RSA encryption/decryption
+            const service = createMockKeyManagerService({
+                mockPublicKey: publicKeyPem,
+                onEncryptionSetup: (/** @type {any} */ input) => {
+                    setupCalled = true;
+                    assert.strictEqual(input.capability.with, spaceDID);
+                    assert.strictEqual(input.capability.can, 'space/encryption/setup');
+                },
+                onKeyDecrypt: (/** @type {any} */ input) => {
+                    decryptCalled = true;
+                    assert.strictEqual(input.capability.with, spaceDID);
+                    assert.strictEqual(input.capability.can, 'space/encryption/key/decrypt');
+                },
+            });
+            // Override the decrypt handler to actually decrypt with the private key
+            service.space.encryption.key.decrypt = Server.provide(Space.EncryptionKeyDecrypt, async (input) => {
+                decryptCalled = true;
+                assert.strictEqual(input.capability.with, spaceDID);
+                assert.strictEqual(input.capability.can, 'space/encryption/key/decrypt');
+                // Get the encrypted key from the request
+                const encryptedKeyBytes = input.capability.nb.key;
+                const encryptedSymmetricKey = base64.encode(encryptedKeyBytes);
+                actualEncryptedKey = encryptedSymmetricKey;
+                // Decrypt with RSA private key (simulate real KMS decryption)
+                const encryptedBytes = encryptedKeyBytes;
+                const decryptedBytes = await globalThis.crypto.subtle.decrypt({ name: 'RSA-OAEP' }, keyPair.privateKey, encryptedBytes);
+                // Return the decrypted symmetric key as base64
+                const decryptedKey = base64.encode(new Uint8Array(decryptedBytes));
+                return Server.ok({
+                    decryptedSymmetricKey: decryptedKey,
+                });
+            });
+            // Create mock gateway server (HTTPS by default)
+            const keyManagerServiceServer = await createMockKeyManagerServer(service, keyManagerServiceDID, 5555);
+            // Create KMS adapter with HTTP allowed for testing
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, keyManagerServiceServer.url, keyManagerServiceDID.did(), { allowInsecureHttp: true } // Allow HTTP for testing
+            );
+            try {
+                // Create test file and encrypt it to get real symmetric keys
+                const testFile = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10]);
+                const testBlob = new Blob([testFile], {
+                    type: 'application/octet-stream',
+                });
+                // Encrypt the file to get real symmetric keys
+                const { key, iv } = await adapter.encryptStream(testBlob);
+                const encryptionConfig = {
+                    issuer,
+                    spaceDID,
+                    location: 'us-central1',
+                    keyring: 'test-keyring',
+                };
+                // Test key encryption with real symmetric keys - this will call the mock setup
+                const encryptResult = await adapter.encryptSymmetricKey(key, iv, encryptionConfig);
+                assert(setupCalled, 'EncryptionSetup should have been called');
+                assert.strictEqual(encryptResult.strategy, 'kms');
+                const kmsMetadata = 
+                /** @type {import('../src/types.js').KMSKeyMetadata} */ (encryptResult.metadata);
+                assert.strictEqual(kmsMetadata.space, spaceDID);
+                assert.strictEqual(kmsMetadata.kms.provider, 'google-kms');
+                assert.strictEqual(kmsMetadata.kms.algorithm, 'RSA-OAEP-2048-SHA256');
+                assert(typeof encryptResult.encryptedKey === 'string');
+                // Test key decryption - this will call the mock decrypt
+                const decryptionConfig = {
+                    spaceDID,
+                    decryptDelegation: delegationProof,
+                    proofs: [],
+                };
+                const mockMetadata = {
+                    strategy: /** @type {'kms'} */ ('kms'),
+                    encryptedDataCID: 'bafybeid',
+                    encryptedSymmetricKey: encryptResult.encryptedKey,
+                    space: spaceDID,
+                    kms: kmsMetadata.kms,
+                };
+                const decryptResult = await adapter.decryptSymmetricKey(encryptResult.encryptedKey, {
+                    decryptionConfig,
+                    metadata: mockMetadata,
+                    resourceCID: 
+                    /** @type {import('@storacha/upload-client/types').AnyLink} */ (
+                    /** @type {any} */ ('bafybeid')),
+                    issuer,
+                    audience: keyManagerServiceDID.did(),
+                });
+                // Verify the round-trip worked
+                assert(setupCalled, 'EncryptionSetup should have been called');
+                assert(decryptCalled, 'KeyDecrypt should have been called');
+                assert(decryptResult.key instanceof Uint8Array, 'Decrypted key should be Uint8Array');
+                assert(decryptResult.iv instanceof Uint8Array, 'Decrypted IV should be Uint8Array');
+                // Most importantly: verify the decrypted keys match the original
+                assert.deepStrictEqual(decryptResult.key, key, 'Decrypted key should match original key');
+                assert.deepStrictEqual(decryptResult.iv, iv, 'Decrypted IV should match original IV');
+                // Verify the encrypted key was actually encrypted (different from original)
+                const originalCombined = adapter.symmetricCrypto.combineKeyAndIV(key, iv);
+                const originalBase64 = base64.encode(originalCombined);
+                assert.notStrictEqual(actualEncryptedKey, originalBase64, 'Encrypted key should be different from original');
+            }
+            catch (error) {
+                console.error('Test failed with error:', error);
+                throw error;
+            }
+            finally {
+                // Clean up server
+                await keyManagerServiceServer.close();
+            }
+        });
+        await test('should handle encryption setup errors gracefully', async () => {
+            const fixtures = await createTestFixtures();
+            const { keyManagerServiceDID, spaceDID, issuer } = fixtures;
+            // Create service that returns errors
+            const service = createMockKeyManagerService({
+                mockPublicKey: 'invalid',
+                onEncryptionSetup: () => {
+                    // This will be called but service will return error
+                },
+            });
+            // Override service to return error
+            service.space.encryption.setup = Server.provide(Space.EncryptionSetup, async () => {
+                return Server.error({
+                    name: 'SpaceNotProvisioned',
+                    message: 'Space is not provisioned for encryption',
+                });
+            });
+            const keyManagerServiceServer = await createMockKeyManagerServer(service, keyManagerServiceDID, 5556);
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, keyManagerServiceServer.url, keyManagerServiceDID.did(), { allowInsecureHttp: true } // Allow HTTP for testing
+            );
+            try {
+                const testKey = new Uint8Array(32).fill(1);
+                const testIV = new Uint8Array(16).fill(2);
+                const encryptionConfig = {
+                    issuer,
+                    spaceDID,
+                };
+                // Should throw error
+                await assert.rejects(() => adapter.encryptSymmetricKey(testKey, testIV, encryptionConfig), /Space is not provisioned for encryption/);
+            }
+            finally {
+                await keyManagerServiceServer.close();
+            }
+        });
+        await test('should handle key decryption errors gracefully', async () => {
+            const fixtures = await createTestFixtures();
+            const { keyManagerServiceDID, spaceDID, issuer, delegationProof } = fixtures;
+            // Create service that returns errors for decrypt
+            const service = createMockKeyManagerService({
+                mockPublicKey: 'mock-key',
+            });
+            // Override decrypt service to return error
+            service.space.encryption.key.decrypt = Server.provide(Space.EncryptionKeyDecrypt, async () => {
+                return Server.error({
+                    name: 'KeyNotFound',
+                    message: 'KMS key not found',
+                });
+            });
+            const keyManagerServiceServer = await createMockKeyManagerServer(service, keyManagerServiceDID, 5557);
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, keyManagerServiceServer.url, keyManagerServiceDID.did(), { allowInsecureHttp: true } // Allow HTTP for testing
+            );
+            const decryptionOptions = {
+                spaceDID,
+                decryptDelegation: delegationProof,
+            };
+            const mockKey = new Uint8Array([1, 2, 3]); // test value as bytes
+            const mockKeyString = base64.encode(mockKey);
+            const mockMetadata = {
+                strategy: /** @type {'kms'} */ ('kms'),
+                encryptedDataCID: 'bafybeid',
+                key: mockKey, // use bytes, not string
+                space: spaceDID,
+                kms: {
+                    provider: /** @type {'google-kms'} */ ('google-kms'),
+                    keyId: 'test-key',
+                    algorithm: /** @type {'RSA-OAEP-2048-SHA256'} */ ('RSA-OAEP-2048-SHA256'),
+                },
+            };
+            const decryptConfigs = /** @type {any} */ ({
+                decryptionConfig: decryptionOptions,
+                metadata: mockMetadata,
+                delegationCAR: new Uint8Array(),
+                resourceCID: 'bafybeid',
+                issuer,
+                audience: keyManagerServiceDID.did(),
+            });
+            try {
+                // Should throw error
+                await assert.rejects(() => adapter.decryptSymmetricKey(mockKeyString, decryptConfigs), /KMS key not found/);
+            }
+            finally {
+                await keyManagerServiceServer.close();
+            }
+        });
+    });
+    await describe('Validation Tests', async () => {
+        await test('should validate required decryption parameters', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://mock-gateway.example.com', 'did:web:mock');
+            const invalidConfigs = /** @type {any} */ ({
+                decryptionConfig: {}, // Missing spaceDID and decryptDelegation
+                metadata: { strategy: 'kms' },
+                delegationCAR: new Uint8Array(),
+                resourceCID: 'bafybeid',
+                issuer: null,
+                audience: 'did:web:mock',
+            });
+            await assert.rejects(() => adapter.decryptSymmetricKey('key', invalidConfigs), /SpaceDID and decryptDelegation are required/);
+        });
+        await test('should validate issuer is provided', async () => {
+            const fixtures = await createTestFixtures();
+            const { spaceDID, delegationProof } = fixtures;
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://mock-gateway.example.com', 'did:web:mock');
+            const invalidConfigs = /** @type {any} */ ({
+                decryptionConfig: { spaceDID, decryptDelegation: delegationProof },
+                metadata: { strategy: 'kms' },
+                delegationCAR: new Uint8Array(),
+                resourceCID: 'bafybeid',
+                issuer: null, // Missing issuer
+                audience: 'did:web:mock',
+            });
+            await assert.rejects(() => adapter.decryptSymmetricKey('key', invalidConfigs), /Issuer is required/);
+        });
+        await test('should reject non-KMS metadata', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://mock-gateway.example.com', 'did:web:mock');
+            const invalidConfigs = /** @type {any} */ ({
+                decryptionOptions: { spaceDID: 'did:key:test', delegationProof: {} },
+                metadata: { strategy: 'lit' }, // Wrong strategy
+                delegationCAR: new Uint8Array(),
+                resourceCID: 'bafybeid',
+                issuer: {},
+                audience: 'did:web:mock',
+            });
+            await assert.rejects(() => adapter.decryptSymmetricKey('key', invalidConfigs), /KMSCryptoAdapter can only handle KMS metadata/);
+        });
+    });
+});
+//# sourceMappingURL=kms-crypto-adapter.spec.js.map

package/dist/test/lit-crypto-adapter.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=lit-crypto-adapter.spec.d.ts.map

package/dist/test/lit-crypto-adapter.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lit-crypto-adapter.spec.d.ts","sourceRoot":"","sources":["../../test/lit-crypto-adapter.spec.js"],"names":[],"mappings":""}