@striae-org/striae 4.3.3 → 5.0.0

package/.env.example

@@ -66,6 +66,10 @@ DATA_WORKER_DOMAIN=your_data_worker_domain_here
 MANIFEST_SIGNING_PRIVATE_KEY=your_manifest_signing_private_key_here
 MANIFEST_SIGNING_KEY_ID=your_manifest_signing_key_id_here
 MANIFEST_SIGNING_PUBLIC_KEY=your_manifest_signing_public_key_here
+EXPORT_ENCRYPTION_PRIVATE_KEY=your_export_encryption_private_key_here
+EXPORT_ENCRYPTION_KEY_ID=your_export_encryption_key_id_here
+EXPORT_ENCRYPTION_PUBLIC_KEY=your_export_encryption_public_key_here
+
 
 # ================================
 # AUDIT WORKER ENVIRONMENT VARIABLES

package/app/components/actions/case-export/download-handlers.ts

@@ -7,7 +7,9 @@ import {
   calculateSHA256Secure,
   createPublicSigningKeyFileName,
   getCurrentPublicSigningKeyDetails,
-  getVerificationPublicKey
+  getVerificationPublicKey,
+  getCurrentEncryptionPublicKeyDetails,
+  encryptExportDataWithAllImages
 } from '~/utils/forensics';
 import { signForensicManifest } from '~/utils/data';
 import { type ExportFormat, formatDateForFilename, CSV_HEADERS } from './types-constants';
@@ -717,6 +719,56 @@ export async function downloadCaseAsZip(
       // Add dedicated forensic manifest file for validation
       zip.file('FORENSIC_MANIFEST.json', JSON.stringify(signedForensicManifest, null, 2));
       
+      // Export encryption is mandatory
+      const encKeyDetails = getCurrentEncryptionPublicKeyDetails();
+      
+      if (!encKeyDetails.publicKeyPem || !encKeyDetails.keyId) {
+        throw new Error(
+          'Export encryption is mandatory. Your Striae instance does not have a configured encryption public key. ' +
+          'Please contact your administrator to set up export encryption.'
+        );
+      }
+      
+      let encryptionManifestJson: string | null = null;
+      const isEncrypted = true;
+      
+      try {
+        // Build image blobs array from the collected imageFiles
+        const imagesToEncrypt = Object.entries(imageFiles).map(([filename, blob]) => ({
+          filename,
+          blob
+        }));
+
+        // Encrypt data file and all images with shared AES key
+        const encryptionResult = await encryptExportDataWithAllImages(
+          contentForHash,
+          imagesToEncrypt,
+          encKeyDetails.publicKeyPem,
+          encKeyDetails.keyId
+        );
+
+        // Replace data file with encrypted ciphertext
+        zip.file(`${caseNumber}_data.${format}`, encryptionResult.ciphertext);
+
+        // Replace images in the ZIP with encrypted versions
+        if (imageFolder && encryptionResult.encryptedImages.length > 0) {
+          for (let i = 0; i < imagesToEncrypt.length; i++) {
+            const originalFilename = imagesToEncrypt[i].filename;
+            // Remove the original file and add encrypted version
+            imageFolder.file(originalFilename, encryptionResult.encryptedImages[i]);
+          }
+        }
+
+        // Add encryption manifest
+        encryptionManifestJson = JSON.stringify(encryptionResult.encryptionManifest, null, 2);
+        zip.file('ENCRYPTION_MANIFEST.json', encryptionManifestJson);
+
+        onProgress?.(80);
+      } catch (error) {
+        console.error('Export encryption failed:', error);
+        throw new Error(`Failed to encrypt export: ${error instanceof Error ? error.message : 'Unknown error'}`);
+      }
+      
       // Add read-only instruction file
       const instructionContent = `EVIDENCE ARCHIVE - READ ONLY
 
@@ -727,11 +779,13 @@ IMPORTANT WARNINGS:
 - Do not modify, rename, or delete any files in this archive
 - Any modifications may compromise evidence integrity
 - Maintain proper chain of custody procedures
+${isEncrypted ? '- This archive is encrypted. Only Striae can decrypt and re-import it.\n' : ''}
 
 Archive Contents:
-- ${caseNumber}_data.${format}: Complete case data in ${format.toUpperCase()} format
-- images/: Original image files with annotations
+- ${caseNumber}_data.${format}: Complete case data in ${format.toUpperCase()} format${isEncrypted ? ' (encrypted)' : ''}
+- images/: Image files with annotations${isEncrypted ? ' (encrypted)' : ''}
 - FORENSIC_MANIFEST.json: File integrity validation manifest
+${isEncrypted ? '- ENCRYPTION_MANIFEST.json: Encryption metadata and encrypted file hashes\n' : ''}
 - ${publicKeyFileName}: Public signing key PEM for verification
 - README.txt: General information about this export
 
@@ -743,6 +797,7 @@ Case Information:
 - Total Annotations: ${(exportData.summary?.filesWithAnnotations || 0) + (exportData.summary?.totalBoxAnnotations || 0)}
 - Total Confirmations: ${exportData.summary?.filesWithConfirmations || 0}
 - Confirmations Requested: ${exportData.summary?.filesWithConfirmationsRequested || 0}
+${isEncrypted ? `- Encryption Status: ENCRYPTED (key ID: ${encKeyDetails.keyId})\n` : ''}
 
 For questions about this export, contact your Striae system administrator.
 `;
@@ -769,7 +824,8 @@ For questions about this export, contact your Striae system administrator.
       // Download
       const url = URL.createObjectURL(zipBlob);
       const protectionSuffix = options.protectForensicData ? '-protected' : '';
-      const exportFileName = `striae-case-${caseNumber}-export${protectionSuffix}-${formatDateForFilename(new Date())}.zip`;
+      const encryptedSuffix = isEncrypted ? '-encrypted' : '';
+      const exportFileName = `striae-case-${caseNumber}-export${protectionSuffix}${encryptedSuffix}-${formatDateForFilename(new Date())}.zip`;
       
       const linkElement = document.createElement('a');
       linkElement.href = url;

package/app/components/actions/case-import/confirmation-import.ts

@@ -1,7 +1,8 @@
 import type { User } from 'firebase/auth';
 import { fetchDataApi } from '~/utils/api';
-import { upsertFileConfirmationSummary } from '~/utils/data';
+import { upsertFileConfirmationSummary, decryptExportBatch } from '~/utils/data';
 import { type AnnotationData, type ConfirmationImportResult, type ConfirmationImportData } from '~/types';
+import type { EncryptionManifest } from '~/utils/forensics/export-encryption';
 import { checkExistingCase } from '../case-manage';
 import { extractConfirmationImportPackage } from './confirmation-package';
 import { validateExporterUid, validateConfirmationHash, validateConfirmationSignatureFile } from './validation';
@@ -23,6 +24,21 @@ type AnnotationImportData = Record<string, unknown> & {
   updatedAt?: string;
 };
 
+function isEncryptionManifest(value: unknown): value is EncryptionManifest {
+  if (!value || typeof value !== 'object') {
+    return false;
+  }
+
+  const candidate = value as Partial<EncryptionManifest>;
+  return (
+    typeof candidate.encryptionVersion === 'string' &&
+    typeof candidate.algorithm === 'string' &&
+    typeof candidate.keyId === 'string' &&
+    typeof candidate.wrappedKey === 'string' &&
+    typeof candidate.dataIv === 'string'
+  );
+}
+
 /**
  * Import confirmation data from JSON file
  */
@@ -52,12 +68,39 @@ export async function importConfirmationData(
   try {
     onProgress?.('Reading confirmation file', 10, 'Loading confirmation package...');
 
-    const {
-      confirmationData,
-      confirmationJsonContent,
-      verificationPublicKeyPem,
-      confirmationFileName
-    } = await extractConfirmationImportPackage(confirmationFile);
+    const packageData = await extractConfirmationImportPackage(confirmationFile);
+
+    let confirmationData = packageData.confirmationData;
+    let confirmationJsonContent = packageData.confirmationJsonContent;
+    const verificationPublicKeyPem = packageData.verificationPublicKeyPem;
+    const confirmationFileName = packageData.confirmationFileName;
+
+    // Handle encrypted confirmation data
+    if (packageData.isEncrypted && packageData.encryptionManifest && packageData.encryptedDataBase64) {
+      onProgress?.('Decrypting confirmation data', 15, 'Decrypting exported confirmation...');
+
+      try {
+        if (!isEncryptionManifest(packageData.encryptionManifest)) {
+          throw new Error('Invalid encryption manifest format.');
+        }
+
+        const decryptResult = await decryptExportBatch(
+          user,
+          packageData.encryptionManifest,
+          packageData.encryptedDataBase64,
+          {} // No image hashes for confirmation-only exports
+        );
+
+        // Parse decrypted plaintext as confirmation data
+        const decryptedJsonString = decryptResult.plaintext;
+        confirmationData = JSON.parse(decryptedJsonString) as ConfirmationImportData;
+        confirmationJsonContent = decryptedJsonString;
+      } catch (error) {
+        throw new Error(
+          `Failed to decrypt confirmation data: ${error instanceof Error ? error.message : 'Unknown decryption error'}`
+        );
+      }
+    }
 
     confirmationDataForAudit = confirmationData;
     confirmationJsonFileNameForAudit = confirmationFileName;

package/app/components/actions/case-import/confirmation-package.ts

@@ -1,12 +1,34 @@
 import { type ConfirmationImportData } from '~/types';
 
 const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
+const ENCRYPTION_MANIFEST_FILE_NAME = 'encryption_manifest.json';
+
+function uint8ArrayToBase64Url(data: Uint8Array): string {
+  const chunkSize = 8192;
+  let binaryString = '';
+
+  for (let index = 0; index < data.length; index += chunkSize) {
+    const chunk = data.subarray(index, Math.min(index + chunkSize, data.length));
+
+    for (let chunkIndex = 0; chunkIndex < chunk.length; chunkIndex += 1) {
+      binaryString += String.fromCharCode(chunk[chunkIndex]);
+    }
+  }
+
+  return btoa(binaryString)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
 
 export interface ConfirmationImportPackage {
   confirmationData: ConfirmationImportData;
   confirmationJsonContent: string;
   verificationPublicKeyPem?: string;
   confirmationFileName: string;
+  isEncrypted?: boolean;
+  encryptionManifest?: unknown;
+  encryptedDataBase64?: string;
 }
 
 function getLeafFileName(path: string): string {
@@ -32,22 +54,78 @@ async function extractConfirmationPackageFromZip(file: File): Promise<Confirmati
   const zip = await JSZip.loadAsync(file);
   const fileEntries = Object.keys(zip.files).filter((path) => !zip.files[path].dir);
 
-  const confirmationPaths = fileEntries.filter((path) =>
-    CONFIRMATION_EXPORT_FILE_REGEX.test(getLeafFileName(path))
+  // Check for encryption manifest first
+  const hasEncryptionManifest = fileEntries.some((path) =>
+    getLeafFileName(path).toLowerCase() === ENCRYPTION_MANIFEST_FILE_NAME
   );
 
-  if (confirmationPaths.length !== 1) {
-    throw new Error('Confirmation ZIP must contain exactly one confirmation-data JSON file.');
-  }
-
-  const confirmationPath = confirmationPaths[0];
-  const confirmationJsonContent = await zip.file(confirmationPath)?.async('text');
-  if (!confirmationJsonContent) {
-    throw new Error('Failed to read confirmation JSON from ZIP package.');
+  let confirmationData: ConfirmationImportData;
+  let confirmationJsonContent: string;
+  let confirmationFileName: string;
+  let isEncrypted = false;
+  let encryptionManifest: unknown;
+  let encryptedDataBase64: string | undefined;
+
+  if (hasEncryptionManifest) {
+    // Handle encrypted confirmation export
+    isEncrypted = true;
+
+    // Read encryption manifest
+    const manifestPath = fileEntries.find((path) =>
+      getLeafFileName(path).toLowerCase() === ENCRYPTION_MANIFEST_FILE_NAME
+    );
+    if (!manifestPath) {
+      throw new Error('Encrypted confirmation ZIP is missing ENCRYPTION_MANIFEST.json.');
+    }
+
+    const manifestFile = zip.file(manifestPath);
+    if (!manifestFile) {
+      throw new Error('Failed to read ENCRYPTION_MANIFEST.json from encrypted confirmation ZIP package.');
+    }
+
+    const manifestContent = await manifestFile.async('text');
+    if (manifestContent.trim().length === 0) {
+      throw new Error('ENCRYPTION_MANIFEST.json is empty in the encrypted confirmation ZIP package.');
+    }
+
+    try {
+      encryptionManifest = JSON.parse(manifestContent);
+    } catch {
+      throw new Error('ENCRYPTION_MANIFEST.json is invalid in the encrypted confirmation ZIP package.');
+    }
+
+    // Find and read encrypted confirmation data file
+    const confirmationPaths = fileEntries.filter((path) =>
+      CONFIRMATION_EXPORT_FILE_REGEX.test(getLeafFileName(path))
+    );
+
+    if (confirmationPaths.length !== 1) {
+      throw new Error('Encrypted confirmation ZIP must contain exactly one confirmation-data file.');
+    }
+
+    const confirmationPath = confirmationPaths[0];
+    const encryptedContent = await zip.file(confirmationPath)?.async('uint8array');
+    if (!encryptedContent) {
+      throw new Error('Failed to read encrypted confirmation data from ZIP package.');
+    }
+
+    encryptedDataBase64 = uint8ArrayToBase64Url(encryptedContent);
+    confirmationFileName = getLeafFileName(confirmationPath);
+
+    // For encrypted data, return placeholder confirmationData for now
+    // The actual decryption will happen in confirmation-import.ts
+    confirmationData = {
+      metadata: {},
+      confirmations: {}
+    } as ConfirmationImportData;
+    confirmationJsonContent = encryptedDataBase64;
+  } else {
+    throw new Error(
+      'Confirmation imports now require an encrypted confirmation ZIP package exported from Striae. ' +
+      'Legacy plaintext confirmation ZIP packages are no longer supported.'
+    );
   }
 
-  const confirmationData = JSON.parse(confirmationJsonContent) as ConfirmationImportData;
-
   const pemPaths = fileEntries.filter((path) => getLeafFileName(path).toLowerCase().endsWith('.pem'));
   const preferredPemPath = selectPreferredPemPath(pemPaths);
 
@@ -60,7 +138,10 @@ async function extractConfirmationPackageFromZip(file: File): Promise<Confirmati
     confirmationData,
     confirmationJsonContent,
     verificationPublicKeyPem,
-    confirmationFileName: getLeafFileName(confirmationPath)
+    confirmationFileName,
+    isEncrypted,
+    encryptionManifest,
+    encryptedDataBase64
   };
 }
 
@@ -68,19 +149,15 @@ export async function extractConfirmationImportPackage(file: File): Promise<Conf
   const lowerName = file.name.toLowerCase();
 
   if (lowerName.endsWith('.json')) {
-    const confirmationJsonContent = await file.text();
-    const confirmationData = JSON.parse(confirmationJsonContent) as ConfirmationImportData;
-
-    return {
-      confirmationData,
-      confirmationJsonContent,
-      confirmationFileName: file.name
-    };
+    throw new Error(
+      'Confirmation imports now require an encrypted confirmation ZIP package exported from Striae. ' +
+      'Plaintext confirmation JSON files are no longer supported.'
+    );
   }
 
   if (lowerName.endsWith('.zip')) {
     return extractConfirmationPackageFromZip(file);
   }
 
-  throw new Error('Unsupported confirmation import file type. Use a confirmation JSON or confirmation ZIP file.');
+  throw new Error('Unsupported confirmation import file type. Use an encrypted confirmation ZIP package exported from Striae.');
 }

package/app/components/actions/case-import/orchestrator.ts

@@ -5,13 +5,15 @@ import {
   type ReadOnlyCaseMetadata,
   type FileData,
   type BundledAuditTrailData,
-  type ValidationAuditEntry
+  type ValidationAuditEntry,
+  type CaseExportData
 } from '~/types';
-import { checkExistingCase } from '../case-manage';
+import { checkExistingCase, validateCaseNumber } from '../case-manage';
 import {
   type SignedForensicManifest,
   verifyCasePackageIntegrity
 } from '~/utils/forensics';
+import type { EncryptionManifest } from '~/utils/forensics/export-encryption';
 import { deleteFile } from '../image-manage';
 import { parseImportZip } from './zip-processing';
 import { 
@@ -25,6 +27,8 @@ import {
 import { uploadImageBlob } from './image-operations';
 import { importAnnotations } from './annotation-import';
 import { auditService } from '~/services/audit';
+import { decryptExportBatch } from '~/utils/data/operations/signing-operations';
+import { validateCaseExporterUidForImport } from './validation';
 
 /**
  * Track the state of an import operation for cleanup purposes
@@ -46,6 +50,22 @@ interface BundledAuditTrailFile {
   };
 }
 
+function isEncryptionManifest(value: unknown): value is EncryptionManifest {
+  if (!value || typeof value !== 'object') {
+    return false;
+  }
+
+  const candidate = value as Partial<EncryptionManifest>;
+  return (
+    typeof candidate.encryptionVersion === 'string' &&
+    typeof candidate.algorithm === 'string' &&
+    typeof candidate.keyId === 'string' &&
+    typeof candidate.wrappedKey === 'string' &&
+    typeof candidate.dataIv === 'string' &&
+    Array.isArray(candidate.encryptedImages)
+  );
+}
+
 function extractBundledAuditTrailData(
   bundledAuditFiles: {
     auditTrailContent?: string;
@@ -179,21 +199,104 @@ export async function importCaseForReview(
   let signatureValidationPassed = false;
   let signatureKeyId: string | undefined;
   let parsedForensicManifest: SignedForensicManifest | undefined;
+  let exporterUidValidationPassed = false;
   
   try {
     onProgress?.('Parsing ZIP file', 10, 'Extracting archive contents...');
     
     // Step 1: Parse ZIP file
     const {
-      caseData,
-      imageFiles,
+      caseData: initialCaseData,
+      imageFiles: initialImageFiles,
       imageIdMapping,
       isArchivedExport,
       bundledAuditFiles,
       metadata,
-      cleanedContent,
-      verificationPublicKeyPem
+      cleanedContent: initialCleanedContent,
+      verificationPublicKeyPem,
+      encryptionManifest,
+      encryptedDataBase64,
+      encryptedImages,
+      isEncrypted
     } = await parseImportZip(zipFile, user);
+
+    // Step 1.2: Handle decryption if export is encrypted
+    let caseData = initialCaseData;
+    let cleanedContent = initialCleanedContent || '';
+    let imageFiles = initialImageFiles;
+    let resolvedBundledAuditFiles = bundledAuditFiles;
+    let decryptedImageBlobMap: { [filename: string]: Blob } | undefined;
+
+    if (isEncrypted && isEncryptionManifest(encryptionManifest) && encryptedDataBase64) {
+      onProgress?.('Decrypting export', 11, 'Decrypting case data and images...');
+      
+      try {
+        // Call decrypt endpoint on data-worker
+        const decryptResult = await decryptExportBatch(
+          user,
+          encryptionManifest,
+          encryptedDataBase64,
+          encryptedImages ?? {}
+        );
+
+        // Decrypted data is plaintext JSON
+        cleanedContent = decryptResult.plaintext;
+        const parsedCaseData = JSON.parse(cleanedContent) as unknown;
+        caseData = parsedCaseData as CaseExportData;
+
+        const decryptedFiles = decryptResult.decryptedImages;
+        const decryptedAuditTrailBlob = decryptedFiles['audit/case-audit-trail.json'];
+        const decryptedAuditSignatureBlob = decryptedFiles['audit/case-audit-signature.json'];
+
+        if (decryptedAuditTrailBlob || decryptedAuditSignatureBlob) {
+          resolvedBundledAuditFiles = {
+            ...(resolvedBundledAuditFiles ?? {}),
+            auditTrailContent: decryptedAuditTrailBlob
+              ? await decryptedAuditTrailBlob.text()
+              : resolvedBundledAuditFiles?.auditTrailContent,
+            auditSignatureContent: decryptedAuditSignatureBlob
+              ? await decryptedAuditSignatureBlob.text()
+              : resolvedBundledAuditFiles?.auditSignatureContent
+          };
+        }
+
+        decryptedImageBlobMap = Object.fromEntries(
+          Object.entries(decryptedFiles).filter(([filename]) => !filename.startsWith('audit/'))
+        );
+
+        // Update imageFiles with decrypted images only
+        imageFiles = { ...imageFiles, ...decryptedImageBlobMap };
+
+        onProgress?.('Decryption successful', 13, `Decrypted case data and ${Object.keys(decryptedImageBlobMap).length} images`);
+      } catch (decryptError) {
+        throw new Error(
+          `Failed to decrypt export: ${decryptError instanceof Error ? decryptError.message : 'Unknown error'}. ` +
+          'Ensure your Striae instance has export encryption configured.'
+        );
+      }
+    }
+
+    if (isEncrypted) {
+      await validateCaseExporterUidForImport(caseData, user);
+      exporterUidValidationPassed = true;
+    } else {
+      exporterUidValidationPassed = true;
+    }
+
+    // Now validate case number and format
+    if (!caseData.metadata?.caseNumber) {
+      throw new Error('Invalid case data: missing case number');
+    }
+
+    if (!validateCaseNumber(caseData.metadata.caseNumber)) {
+      throw new Error(`Invalid case number format: ${caseData.metadata.caseNumber}`);
+    }
+
+    const resolvedIsArchivedExport =
+      isArchivedExport ||
+      caseData.metadata.archived === true ||
+      (typeof caseData.metadata.archivedAt === 'string' && caseData.metadata.archivedAt.trim().length > 0);
+
     parsedForensicManifest = metadata?.forensicManifest as SignedForensicManifest | undefined;
     result.caseNumber = caseData.metadata.caseNumber;
     importState.caseNumber = result.caseNumber;
@@ -240,7 +343,7 @@ export async function importCaseForReview(
         imageFiles: imageBlobs,
         forensicManifest: parsedForensicManifest,
         verificationPublicKeyPem,
-        bundledAuditFiles
+        bundledAuditFiles: resolvedBundledAuditFiles
       });
 
       signatureValidationPassed = casePackageResult.signatureResult.isValid;
@@ -283,10 +386,10 @@ export async function importCaseForReview(
     
     // Step 2a: Check if case already exists in user's regular cases (original analyst)
     const existingRegularCase = await checkExistingCase(user, result.caseNumber);
-    if (existingRegularCase && !isArchivedExport) {
+    if (existingRegularCase && !resolvedIsArchivedExport) {
       throw new Error(`Case "${result.caseNumber}" already exists in your case list. You cannot import a case for review if you were the original analyst.`);
     }
-    if (existingRegularCase && isArchivedExport) {
+    if (existingRegularCase && resolvedIsArchivedExport) {
       throw new Error(`Cannot import this archived case because "${result.caseNumber}" already exists in your regular case list. Delete the regular case before importing this archive.`);
     }
     
@@ -366,8 +469,8 @@ export async function importCaseForReview(
       importedFiles,
       originalImageIdMapping,
       parsedForensicManifest,
-      isArchivedExport,
-      isArchivedExport ? extractBundledAuditTrailData(bundledAuditFiles) : undefined
+      resolvedIsArchivedExport,
+      resolvedIsArchivedExport ? extractBundledAuditTrailData(resolvedBundledAuditFiles) : undefined
     );
     importState.caseDataStored = true;
     
@@ -414,7 +517,7 @@ export async function importCaseForReview(
         validationStepsCompleted: result.filesImported + result.annotationsImported,
         validationStepsFailed: 0
       },
-      true, // Exporter UID was validated during zip parsing
+      exporterUidValidationPassed,
       {
         present: !!parsedForensicManifest,
         valid: signatureValidationPassed,
@@ -445,7 +548,7 @@ export async function importCaseForReview(
         processingTimeMs: endTime - startTime,
         fileSizeBytes: zipFile.size
       },
-      false, // If import failed, exporter UID validation may not have completed
+      exporterUidValidationPassed,
       {
         present: !!parsedForensicManifest,
         valid: signatureValidationPassed,