@striae-org/striae 4.3.3 → 5.0.0

package/workers/data-worker/src/data-worker.example.ts

@@ -1,4 +1,5 @@
 import { signPayload as signWithWorkerKey } from './signature-utils';
+import { decryptExportData, decryptImageBlob } from './encryption-utils';
 import {
   AUDIT_EXPORT_SIGNATURE_VERSION,
   CONFIRMATION_SIGNATURE_VERSION,
@@ -20,6 +21,8 @@ interface Env {
   STRIAE_DATA: R2Bucket;
   MANIFEST_SIGNING_PRIVATE_KEY: string;
   MANIFEST_SIGNING_KEY_ID: string;
+  EXPORT_ENCRYPTION_PRIVATE_KEY?: string;
+  EXPORT_ENCRYPTION_KEY_ID?: string;
 }
 
 interface SuccessResponse {
@@ -50,6 +53,7 @@ const hasValidHeader = (request: Request, env: Env): boolean =>
 const SIGN_MANIFEST_PATH = '/api/forensic/sign-manifest';
 const SIGN_CONFIRMATION_PATH = '/api/forensic/sign-confirmation';
 const SIGN_AUDIT_EXPORT_PATH = '/api/forensic/sign-audit-export';
+const DECRYPT_EXPORT_PATH = '/api/forensic/decrypt-export';
 
 async function signPayloadWithWorkerKey(payload: string, env: Env): Promise<{
   algorithm: string;
@@ -196,6 +200,128 @@ async function handleSignAuditExport(request: Request, env: Env): Promise<Respon
   }
 }
 
+async function handleDecryptExport(request: Request, env: Env): Promise<Response> {
+  try {
+    // Check if encryption is configured
+    if (!env.EXPORT_ENCRYPTION_PRIVATE_KEY || !env.EXPORT_ENCRYPTION_KEY_ID) {
+      return createResponse(
+        { error: 'Export decryption is not configured on this server' },
+        400
+      );
+    }
+
+    const requestBody = await request.json() as {
+      wrappedKey?: string;
+      dataIv?: string;
+      encryptedData?: string;
+      encryptedImages?: Array<{ filename: string; encryptedData: string; iv?: string }>;
+      keyId?: string;
+    };
+
+    const { wrappedKey, dataIv, encryptedData, encryptedImages, keyId } = requestBody;
+
+    // Validate required fields
+    if (
+      !wrappedKey ||
+      typeof wrappedKey !== 'string' ||
+      !dataIv ||
+      typeof dataIv !== 'string' ||
+      !encryptedData ||
+      typeof encryptedData !== 'string' ||
+      !keyId ||
+      typeof keyId !== 'string'
+    ) {
+      return createResponse(
+        { error: 'Missing or invalid required fields: wrappedKey, dataIv, encryptedData, keyId' },
+        400
+      );
+    }
+
+    // Validate keyId matches configured key
+    if (keyId !== env.EXPORT_ENCRYPTION_KEY_ID) {
+      return createResponse(
+        { error: `Key ID mismatch: expected ${env.EXPORT_ENCRYPTION_KEY_ID}, got ${keyId}` },
+        400
+      );
+    }
+
+    // Decrypt data file
+    let plaintextData: string;
+    try {
+      plaintextData = await decryptExportData(
+        encryptedData,
+        wrappedKey,
+        dataIv,
+        env.EXPORT_ENCRYPTION_PRIVATE_KEY
+      );
+    } catch (error) {
+      console.error('Data file decryption failed:', error);
+      const errorMessage = error instanceof Error ? error.message : 'Decryption failed';
+      return createResponse(
+        { error: `Failed to decrypt data file: ${errorMessage}` },
+        500
+      );
+    }
+
+    // Decrypt images if provided
+    const decryptedImages: Array<{ filename: string; data: string }> = [];
+    if (Array.isArray(encryptedImages) && encryptedImages.length > 0) {
+      for (const imageEntry of encryptedImages) {
+        try {
+          if (!imageEntry.iv || typeof imageEntry.iv !== 'string') {
+            return createResponse(
+              { error: `Missing IV for image ${imageEntry.filename}` },
+              400
+            );
+          }
+
+          const imageBlob = await decryptImageBlob(
+            imageEntry.encryptedData,
+            wrappedKey,
+            imageEntry.iv,
+            env.EXPORT_ENCRYPTION_PRIVATE_KEY
+          );
+
+          // Convert blob to base64 for transport
+          const arrayBuffer = await imageBlob.arrayBuffer();
+          const bytes = new Uint8Array(arrayBuffer);
+            const chunkSize = 8192;
+            let binary = '';
+            for (let i = 0; i < bytes.length; i += chunkSize) {
+              const chunk = bytes.subarray(i, Math.min(i + chunkSize, bytes.length));
+              for (let j = 0; j < chunk.length; j++) {
+                binary += String.fromCharCode(chunk[j]);
+              }
+            }
+            const base64Data = btoa(binary);
+
+          decryptedImages.push({
+            filename: imageEntry.filename,
+            data: base64Data
+          });
+        } catch (error) {
+          console.error(`Image decryption failed for ${imageEntry.filename}:`, error);
+          const errorMessage = error instanceof Error ? error.message : 'Decryption failed';
+          return createResponse(
+            { error: `Failed to decrypt image ${imageEntry.filename}: ${errorMessage}` },
+            500
+          );
+        }
+      }
+    }
+
+    return createResponse({
+      success: true,
+      plaintext: plaintextData,
+      decryptedImages
+    });
+  } catch (error) {
+    console.error('Export decryption request failed:', error);
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+    return createResponse({ error: errorMessage }, 500);
+  }
+}
+
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
     if (request.method === 'OPTIONS') {
@@ -223,6 +349,10 @@ export default {
         return await handleSignAuditExport(request, env);
       }
 
+      if (request.method === 'POST' && pathname === DECRYPT_EXPORT_PATH) {
+        return await handleDecryptExport(request, env);
+      }
+
       const filename = pathname.slice(1) || 'data.json';
 
       if (!filename.endsWith('.json')) {

package/workers/data-worker/src/encryption-utils.ts

@@ -0,0 +1,125 @@
+export function base64UrlDecode(value: string): Uint8Array {
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const padding = '='.repeat((4 - (normalized.length % 4)) % 4);
+  const decoded = atob(normalized + padding);
+  const bytes = new Uint8Array(decoded.length);
+
+  for (let i = 0; i < decoded.length; i += 1) {
+    bytes[i] = decoded.charCodeAt(i);
+  }
+
+  return bytes;
+}
+
+function parsePkcs8PrivateKey(privateKey: string): ArrayBuffer {
+  const normalizedKey = privateKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PRIVATE KEY-----', '')
+    .replace('-----END PRIVATE KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption private key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+/**
+ * Import RSA private key from PKCS8 PEM format
+ */
+async function importRsaOaepPrivateKey(privateKeyPem: string): Promise<CryptoKey> {
+  const key = await crypto.subtle.importKey(
+    'pkcs8',
+    parsePkcs8PrivateKey(privateKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['decrypt']
+  );
+
+  return key;
+}
+
+/**
+ * Decrypt AES key from RSA-OAEP wrapped form
+ */
+async function unwrapAesKey(
+  wrappedKeyBase64: string,
+  privateKeyPem: string
+): Promise<CryptoKey> {
+  const rsaPrivateKey = await importRsaOaepPrivateKey(privateKeyPem);
+  const wrappedKeyBytes = base64UrlDecode(wrappedKeyBase64);
+
+  const rawAesKey = await crypto.subtle.decrypt(
+    { name: 'RSA-OAEP' },
+    rsaPrivateKey,
+    wrappedKeyBytes as BufferSource
+  );
+
+  return crypto.subtle.importKey(
+    'raw',
+    rawAesKey,
+    { name: 'AES-GCM' },
+    false,
+    ['decrypt']
+  );
+}
+
+/**
+ * Decrypt data file (plaintext JSON/CSV)
+ */
+export async function decryptExportData(
+  encryptedDataBase64: string,
+  wrappedKeyBase64: string,
+  ivBase64: string,
+  privateKeyPem: string
+): Promise<string> {
+  const aesKey = await unwrapAesKey(wrappedKeyBase64, privateKeyPem);
+  const iv = base64UrlDecode(ivBase64);
+  const ciphertext = base64UrlDecode(encryptedDataBase64);
+
+  const plaintext = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+
+  return new TextDecoder().decode(plaintext);
+}
+
+/**
+ * Decrypt a single image blob
+ */
+export async function decryptImageBlob(
+  encryptedImageBase64: string,
+  wrappedKeyBase64: string,
+  ivBase64: string,
+  privateKeyPem: string
+): Promise<Blob> {
+  const aesKey = await unwrapAesKey(wrappedKeyBase64, privateKeyPem);
+  const iv = base64UrlDecode(ivBase64);
+  const ciphertext = base64UrlDecode(encryptedImageBase64);
+
+  const plaintext = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+
+  // Return as blob (caller can determine MIME type from context)
+  return new Blob([plaintext]);
+}

package/workers/data-worker/worker-configuration.d.ts

@@ -1,6 +1,6 @@
 /* eslint-disable */
 // Generated by Wrangler by running `wrangler types` (hash: 4ccb8b314830f4c7bb743cb9b033a6cb)
-// Runtime types generated with workerd@1.20250823.0 2026-03-20 nodejs_compat
+// Runtime types generated with workerd@1.20250823.0 2026-03-23 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
 		STRIAE_DATA: R2Bucket;

package/workers/data-worker/wrangler.jsonc.example

@@ -1,9 +1,9 @@
 {
-  // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID
+  // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID, EXPORT_ENCRYPTION_PRIVATE_KEY, EXPORT_ENCRYPTION_KEY_ID
   "name": "DATA_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/image-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "IMAGES_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/image-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/keys-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "KEYS_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/keys.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/pdf-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "PDF_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/pdf-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ],

package/workers/user-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "USER_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/user-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/wrangler.toml.example

@@ -1,6 +1,6 @@
 #:schema node_modules/wrangler/config-schema.json
 name = "PAGES_PROJECT_NAME"
-compatibility_date = "2026-03-23"
+compatibility_date = "2026-03-24"
 compatibility_flags = ["nodejs_compat"]
 pages_build_output_dir = "./build/client"
 

package/app/components/public-signing-key-modal/public-signing-key-modal.module.css

@@ -1,287 +0,0 @@
-.overlay {
-  position: fixed;
-  inset: 0;
-  background-color: color-mix(in lab, var(--background) 60%, transparent);
-  display: flex;
-  justify-content: center;
-  align-items: center;
-  z-index: var(--zIndex5);
-  padding: var(--spaceL);
-  cursor: default;
-}
-
-.modal {
-  position: relative;
-  width: 100%;
-  max-width: 640px;
-  max-height: 90vh;
-  background: var(--backgroundLight);
-  border-radius: var(--spaceXS);
-  display: flex;
-  flex-direction: column;
-  box-shadow: 0 var(--spaceXS) var(--spaceL)
-    color-mix(in lab, var(--black) 18%, transparent);
-  overflow: hidden;
-  cursor: default;
-}
-
-.header {
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-  padding: var(--spaceL);
-  border-bottom: 1px solid color-mix(in lab, var(--text) 10%, transparent);
-}
-
-.title {
-  margin: 0;
-  font-size: var(--fontSizeBodyL);
-  font-weight: 600;
-  color: var(--textTitle);
-}
-
-.closeButton {
-  background: none;
-  border: none;
-  font-size: var(--fontSizeH5);
-  cursor: pointer;
-  padding: var(--spaceS);
-  color: var(--textLight);
-  transition: color var(--durationS) var(--bezierFastoutSlowin);
-}
-
-.closeButton:hover {
-  color: var(--text);
-}
-
-.content {
-  padding: var(--spaceL);
-  flex: 1 1 auto;
-  min-height: 0;
-  display: flex;
-  flex-direction: column;
-  gap: var(--spaceM);
-  overflow-y: auto;
-  overflow-x: hidden;
-}
-
-.description {
-  margin: 0;
-  font-size: var(--fontSizeBodyS);
-  color: var(--textBody);
-}
-
-.meta {
-  margin: 0;
-  font-size: var(--fontSizeBodyS);
-  color: var(--textTitle);
-}
-
-.meta span {
-  font-weight: var(--fontWeightMedium);
-}
-
-.verifierLayout {
-  display: flex;
-  flex-direction: column;
-  gap: var(--spaceL);
-}
-
-.verificationField {
-  display: flex;
-  flex-direction: column;
-  gap: var(--spaceS);
-}
-
-.fieldHeader {
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-  gap: var(--spaceS);
-}
-
-.fieldLabel {
-  font-size: var(--fontSizeBodyXS);
-  font-weight: var(--fontWeightMedium);
-  color: var(--textTitle);
-}
-
-.hiddenFileInput {
-  display: none;
-}
-
-.clearButton {
-  background: none;
-  border: none;
-  padding: 0;
-  color: var(--primary);
-  font-size: var(--fontSizeBodyXS);
-  font-weight: var(--fontWeightMedium);
-  cursor: pointer;
-}
-
-.dropZone {
-  min-height: 144px;
-  margin: 0;
-  display: flex;
-  flex-direction: column;
-  justify-content: center;
-  gap: var(--spaceXS);
-  padding: var(--spaceL);
-  border: 1px dashed color-mix(in lab, var(--text) 18%, transparent);
-  border-radius: var(--radiusM);
-  background: linear-gradient(
-    135deg,
-    color-mix(in lab, var(--primary) 4%, var(--backgroundLight)),
-    color-mix(in lab, var(--background) 94%, transparent)
-  );
-  cursor: pointer;
-  transition:
-    border-color var(--durationS) var(--bezierFastoutSlowin),
-    background-color var(--durationS) var(--bezierFastoutSlowin),
-    box-shadow var(--durationS) var(--bezierFastoutSlowin);
-}
-
-.dropZone:hover {
-  border-color: color-mix(in lab, var(--primary) 35%, transparent);
-  background: linear-gradient(
-    135deg,
-    color-mix(in lab, var(--primary) 7%, var(--backgroundLight)),
-    color-mix(in lab, var(--background) 92%, transparent)
-  );
-}
-
-.dropZone:focus-visible {
-  outline: none;
-  border-color: color-mix(in lab, var(--primary) 48%, transparent);
-  box-shadow: 0 0 0 3px color-mix(in lab, var(--primary) 14%, transparent);
-}
-
-.dropZoneActive {
-  border-color: color-mix(in lab, var(--primary) 50%, transparent);
-  background: linear-gradient(
-    135deg,
-    color-mix(in lab, var(--primary) 10%, var(--backgroundLight)),
-    color-mix(in lab, var(--background) 90%, transparent)
-  );
-  box-shadow: 0 0 0 3px color-mix(in lab, var(--primary) 12%, transparent);
-}
-
-.dropZoneDisabled {
-  opacity: 0.7;
-  cursor: not-allowed;
-}
-
-.dropZonePrimary {
-  margin: 0;
-  font-size: var(--fontSizeBodyS);
-  font-weight: var(--fontWeightMedium);
-  color: var(--textTitle);
-}
-
-.dropZoneSecondary {
-  margin: 0;
-  font-size: var(--fontSizeBodyXS);
-  color: var(--textBody);
-}
-
-.fieldActions {
-  display: flex;
-  flex-wrap: wrap;
-  gap: var(--spaceS);
-}
-
-.fieldError {
-  margin: 0;
-  font-size: var(--fontSizeBodyXS);
-  color: var(--error);
-}
-
-.resultCard {
-  display: flex;
-  flex-direction: column;
-  gap: var(--spaceXS);
-  padding: var(--spaceM) var(--spaceL);
-  border-radius: var(--radiusM);
-}
-
-.resultPass {
-  border: 1px solid color-mix(in lab, var(--success) 38%, transparent);
-  background: color-mix(in lab, var(--success) 12%, var(--backgroundLight));
-}
-
-.resultFail {
-  border: 1px solid color-mix(in lab, var(--error) 32%, transparent);
-  background: color-mix(in lab, var(--errorLight) 40%, var(--backgroundLight));
-}
-
-.resultTitle {
-  margin: 0;
-  font-size: var(--fontSizeBodyM);
-  font-weight: var(--fontWeightBold);
-  letter-spacing: 0.06em;
-}
-
-.resultPass .resultTitle {
-  color: color-mix(in lab, var(--success) 78%, var(--black));
-}
-
-.resultFail .resultTitle {
-  color: color-mix(in lab, var(--error) 78%, var(--black));
-}
-
-.resultMessage {
-  margin: 0;
-  font-size: var(--fontSizeBodyS);
-  color: var(--textBody);
-}
-
-.actions {
-  display: flex;
-  justify-content: flex-end;
-  gap: var(--spaceS);
-  flex-wrap: wrap;
-}
-
-.primaryButton,
-.secondaryButton {
-  border-radius: var(--spaceXS);
-  padding: var(--spaceS) var(--spaceL);
-  font-size: var(--fontSizeBodyS);
-  font-weight: var(--fontWeightMedium);
-  cursor: pointer;
-  transition:
-    background-color var(--durationS) var(--bezierFastoutSlowin),
-    border-color var(--durationS) var(--bezierFastoutSlowin),
-    color var(--durationS) var(--bezierFastoutSlowin);
-}
-
-.primaryButton {
-  background: var(--primary);
-  color: var(--white);
-  border: 1px solid var(--primary);
-}
-
-.primaryButton:hover:not(:disabled) {
-  background: color-mix(in lab, var(--primary) 84%, var(--black));
-  border-color: color-mix(in lab, var(--primary) 84%, var(--black));
-}
-
-.secondaryButton {
-  background: transparent;
-  color: var(--textTitle);
-  border: 1px solid color-mix(in lab, var(--text) 16%, transparent);
-}
-
-.secondaryButton:hover:not(:disabled) {
-  background: color-mix(in lab, var(--text) 5%, transparent);
-  border-color: color-mix(in lab, var(--text) 22%, transparent);
-}
-
-.primaryButton:disabled,
-.secondaryButton:disabled {
-  background: color-mix(in lab, var(--background) 95%, transparent);
-  color: var(--textLight);
-  border-color: color-mix(in lab, var(--text) 10%, transparent);
-  cursor: not-allowed;
-}