npm - @striae-org/striae - Versions diffs - 4.3.4 → 5.0.0 - Mend

@striae-org/striae 4.3.4 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/app/components/sidebar/case-import/components/ConfirmationPreviewSection.tsx CHANGED Viewed

@@ -1,13 +1,6 @@
 import styles from '../case-import.module.css';
-// Confirmation preview interface
-export interface ConfirmationPreview {
-  caseNumber: string;
-  fullName: string;
-  exportDate: string;
-  totalConfirmations: number;
-  confirmationIds: string[];
-}
+export type ConfirmationPreview = Record<string, never>;
 interface ConfirmationPreviewSectionProps {
   confirmationPreview: ConfirmationPreview | null;
@@ -29,43 +22,10 @@ export const ConfirmationPreviewSection = ({ confirmationPreview, isLoadingPrevi
   return (
     <div className={styles.previewSection}>
-      <h3 className={styles.previewTitle}>Confirmation Data Information</h3>
-      <div className={styles.previewGrid}>
-        <div className={styles.previewItem}>
-          <span className={styles.previewLabel}>Case Number:</span>
-          <span className={styles.previewValue}>{confirmationPreview.caseNumber}</span>
-        </div>
-        <div className={styles.previewItem}>
-          <span className={styles.previewLabel}>Exported by:</span>
-          <span className={styles.previewValue}>{confirmationPreview.fullName}</span>
-        </div>
-        <div className={styles.previewItem}>
-          <span className={styles.previewLabel}>Export Date:</span>
-          <span className={styles.previewValue}>
-            {new Date(confirmationPreview.exportDate).toLocaleDateString(undefined, {
-              year: 'numeric',
-              month: 'long',
-              day: 'numeric',
-              hour: '2-digit',
-              minute: '2-digit',
-              timeZoneName: 'short'
-            })}
-          </span>
-        </div>
-        <div className={styles.previewItem}>
-          <span className={styles.previewLabel}>Total Confirmations:</span>
-          <span className={styles.previewValue}>{confirmationPreview.totalConfirmations}</span>
-        </div>
-        <div className={styles.previewItem}>
-          <span className={styles.previewLabel}>Confirmation IDs:</span>
-          <span className={styles.previewValue}>
-            {confirmationPreview.confirmationIds.length > 0
-              ? confirmationPreview.confirmationIds.join(', ')
-              : 'None'
-            }
-          </span>
-        </div>
-      </div>
+      <h3 className={styles.previewTitle}>Confirmation Import Preview</h3>
+      <p className={styles.previewMessage}>
+        Confirmation package detected. Details are hidden until import verification completes.
+      </p>
     </div>
   );
 };

package/app/components/sidebar/case-import/components/FileSelector.tsx CHANGED Viewed

@@ -61,8 +61,7 @@ export const FileSelector = ({
       const file = files[0];
       // Check file type (same as input accept attribute)
-      const isValidType = file.name.toLowerCase().endsWith('.zip') ||
-                         file.name.toLowerCase().endsWith('.json');
+      const isValidType = file.name.toLowerCase().endsWith('.zip');
       if (isValidType) {
         if (onFileSelectDirect) {
@@ -92,11 +91,11 @@ export const FileSelector = ({
           ref={fileInputRef}
           type="file"
           id="zipFile"
-          accept=".zip,.json"
+          accept=".zip"
           onChange={onFileSelect}
           disabled={isDisabled}
           className={styles.fileInput}
-          aria-label="File picker for ZIP or JSON files"
+          aria-label="File picker for ZIP packages"
         />
         <div
           className={`${styles.fileLabel} ${isDragOver ? styles.fileLabelDragOver : ''}`}
@@ -111,7 +110,7 @@ export const FileSelector = ({
           role="button"
           tabIndex={isDisabled ? -1 : 0}
           aria-disabled={isDisabled}
-          aria-label="File selection area. Drag and drop a ZIP file for case import or JSON file for confirmation import."
+          aria-label="File selection area. Drag and drop a case ZIP or encrypted confirmation ZIP package for import."
           onKeyDown={(e) => {
             if ((e.key === 'Enter' || e.key === ' ') && !isDisabled) {
               if (e.key === ' ') {
@@ -128,7 +127,7 @@ export const FileSelector = ({
                 ? selectedFile.name
                 : isDragOver
                   ? 'Drop file here...'
-                  : 'Select ZIP or JSON file... or drag & drop'
+                  : 'Select ZIP package... or drag & drop'
               }
             </span>
           </div>

package/app/components/sidebar/case-import/hooks/useFilePreview.ts CHANGED Viewed

@@ -4,11 +4,6 @@ import { previewCaseImport, extractConfirmationImportPackage } from '~/component
 import { type CaseImportPreview } from '~/types';
 import { type ConfirmationPreview } from '../components/ConfirmationPreviewSection';
-type UnknownRecord = Record<string, unknown>;
-const isRecord = (value: unknown): value is UnknownRecord =>
-  typeof value === 'object' && value !== null && !Array.isArray(value);
 interface UseFilePreviewReturn {
   casePreview: CaseImportPreview | null;
   confirmationPreview: ConfirmationPreview | null;
@@ -56,50 +51,9 @@ export const useFilePreview = (
     setIsLoadingPreview(true);
     try {
-      const { confirmationData } = await extractConfirmationImportPackage(file);
-      const parsed = confirmationData as unknown;
-      if (!isRecord(parsed)) {
-        throw new Error('Invalid confirmation data format');
-      }
-      const metadata = isRecord(parsed.metadata) ? parsed.metadata : undefined;
-      const confirmations = isRecord(parsed.confirmations) ? parsed.confirmations : undefined;
-      // Extract confirmation IDs from the confirmations object
-      const confirmationIds: string[] = [];
-      if (confirmations) {
-        Object.values(confirmations).forEach((imageConfirmations) => {
-          if (Array.isArray(imageConfirmations)) {
-            imageConfirmations.forEach((confirmation) => {
-              if (isRecord(confirmation) && typeof confirmation.confirmationId === 'string') {
-                confirmationIds.push(confirmation.confirmationId);
-              }
-            });
-          }
-        });
-      }
-      const caseNumber =
-        metadata && typeof metadata.caseNumber === 'string' ? metadata.caseNumber : 'Unknown';
-      const fullName =
-        metadata && typeof metadata.exportedByName === 'string' ? metadata.exportedByName : 'Unknown';
-      const exportDate =
-        metadata && typeof metadata.exportDate === 'string'
-          ? metadata.exportDate
-          : new Date().toISOString();
-      const totalConfirmations =
-        metadata && typeof metadata.totalConfirmations === 'number'
-          ? metadata.totalConfirmations
-          : confirmationIds.length;
+      await extractConfirmationImportPackage(file);
-      const preview: ConfirmationPreview = {
-        caseNumber,
-        fullName,
-        exportDate,
-        totalConfirmations,
-        confirmationIds
-      };
+      const preview: ConfirmationPreview = {};
       setConfirmationPreview(preview);
     } catch (error) {

package/app/components/sidebar/case-import/utils/file-validation.ts CHANGED Viewed

@@ -1,8 +1,7 @@
-import { isConfirmationDataFile } from '~/components/actions/case-review';
 const CASE_EXPORT_DATA_FILE_REGEX = /_data\.(json|csv)$/i;
 const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
 const FORENSIC_MANIFEST_FILE_NAME = 'forensic_manifest.json';
+const ENCRYPTION_MANIFEST_FILE_NAME = 'encryption_manifest.json';
 function getLeafFileName(path: string): string {
   const segments = path.split('/').filter(Boolean);
@@ -19,20 +18,10 @@ export const isValidZipFile = (file: File): boolean => {
 };
 /**
- * Check if a file is a valid confirmation JSON file
- */
-export const isValidConfirmationFile = (file: File): boolean => {
-  const lowerName = file.name.toLowerCase();
-  const jsonType = file.type === 'application/json' || file.type === '';
-  return lowerName.endsWith('.json') && jsonType && isConfirmationDataFile(file.name);
-};
-/**
- * Check if a file is valid for import (either ZIP or confirmation JSON)
+ * Check if a file is valid for import (ZIP packages only)
  */
 export const isValidImportFile = (file: File): boolean => {
-  return isValidZipFile(file) || isValidConfirmationFile(file);
+  return isValidZipFile(file);
 };
 /**
@@ -40,20 +29,15 @@ export const isValidImportFile = (file: File): boolean => {
  */
 export const getImportType = (file: File): 'case' | 'confirmation' | null => {
   if (isValidZipFile(file)) return 'case';
-  if (isValidConfirmationFile(file)) return 'confirmation';
   return null;
 };
 /**
  * Resolve import type, including ZIP package inspection.
  * Case ZIPs are identified by case data files or FORENSIC_MANIFEST.json.
- * Confirmation ZIPs are identified by confirmation-data-*.json.
+ * Confirmation ZIPs are identified by confirmation-data-*.json plus ENCRYPTION_MANIFEST.json.
  */
 export const resolveImportType = async (file: File): Promise<'case' | 'confirmation' | null> => {
-  if (isValidConfirmationFile(file)) {
-    return 'confirmation';
-  }
   if (!isValidZipFile(file)) {
     return null;
   }
@@ -78,7 +62,11 @@ export const resolveImportType = async (file: File): Promise<'case' | 'confirmat
       CONFIRMATION_EXPORT_FILE_REGEX.test(getLeafFileName(path))
     );
-    if (hasConfirmationData) {
+    const hasEncryptionManifest = fileEntries.some(
+      (path) => getLeafFileName(path).toLowerCase() === ENCRYPTION_MANIFEST_FILE_NAME
+    );
+    if (hasConfirmationData && hasEncryptionManifest) {
       return 'confirmation';
     }

package/app/config-example/config.json CHANGED Viewed

@@ -6,6 +6,11 @@
   "manifest_signing_public_keys": {
     "MANIFEST_SIGNING_KEY_ID": "MANIFEST_SIGNING_PUBLIC_KEY"
   },
+  "export_encryption_key_id": "EXPORT_ENCRYPTION_KEY_ID",
+  "export_encryption_public_key": "EXPORT_ENCRYPTION_PUBLIC_KEY",
+  "export_encryption_public_keys": {
+    "EXPORT_ENCRYPTION_KEY_ID": "EXPORT_ENCRYPTION_PUBLIC_KEY"
+  },
   "max_cases_review": 0,
   "max_files_per_case_review": 0
 }

package/app/routes/auth/login.tsx CHANGED Viewed

@@ -28,7 +28,7 @@ import { generateUniqueId } from '~/utils/common';
 import { evaluatePasswordPolicy, buildActionCodeSettings, userHasMFA } from '~/utils/auth';
 import type { UserData } from '~/types';
-const APP_CANONICAL_ORIGIN = 'PAGES_CUSTOM_DOMAIN';
+const APP_CANONICAL_ORIGIN = 'https://striae.app';
 const SOCIAL_IMAGE_PATH = '/social-image.png';
 const SOCIAL_IMAGE_ALT = 'Striae forensic annotation and comparison workspace';
 const LOGIN_PATH_ALIASES = new Set(['/auth', '/auth/', '/auth/login', '/auth/login/']);

package/app/utils/data/operations/signing-operations.ts CHANGED Viewed

@@ -13,6 +13,7 @@ import {
   type ForensicManifestSignature,
   FORENSIC_MANIFEST_VERSION
 } from '../../forensics/SHA256';
+import type { EncryptionManifest } from '../../forensics/export-encryption';
 import { canAccessCase, validateUserSession } from '../permissions';
 import type {
   AuditExportSigningResponse,
@@ -223,3 +224,95 @@ export const signAuditExportData = async (
     throw error;
   }
 };
+/**
+ * Request batch decryption of export data file and images from the data worker
+ */
+export const decryptExportBatch = async (
+  user: User,
+  encryptionManifest: EncryptionManifest,
+  encryptedDataBase64: string,
+  encryptedImageMap: Record<string, string>
+): Promise<{ plaintext: string; decryptedImages: Record<string, Blob> }> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+    // Convert encryptedImageMap to array format expected by worker, including per-image IV from manifest
+    const encryptedImages = Object.entries(encryptedImageMap).map(([filename, encryptedData]) => {
+      const manifestEntry = encryptionManifest.encryptedImages.find(e => e.filename === filename);
+      return {
+        filename,
+        encryptedData,
+        iv: manifestEntry?.iv
+      };
+    });
+    const response = await fetchDataApi(user, '/api/forensic/decrypt-export', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        wrappedKey: encryptionManifest.wrappedKey,
+        dataIv: encryptionManifest.dataIv,
+        encryptedData: encryptedDataBase64,
+        encryptedImages,
+        keyId: encryptionManifest.keyId
+      })
+    });
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      plaintext?: string;
+      decryptedImages?: Array<{ filename: string; data: string }>;
+    } | null;
+    if (!response.ok) {
+      const errorMessage = responseData?.error || `Failed to decrypt export: ${response.status} ${response.statusText}`;
+      // Special handling for encrypted exports without configured key
+      if (response.status === 400 && errorMessage.includes('not configured')) {
+        throw new Error(
+          'This export is encrypted. To import it, your Striae instance must have EXPORT_ENCRYPTION_PRIVATE_KEY configured.'
+        );
+      }
+      throw new Error(errorMessage);
+    }
+    if (!responseData?.success || !responseData.plaintext) {
+      throw new Error('Invalid decrypt response from data worker');
+    }
+    // Convert decrypted image base64 data back to Blobs
+    const decryptedImages: Record<string, Blob> = {};
+    if (Array.isArray(responseData.decryptedImages)) {
+      for (const imageEntry of responseData.decryptedImages) {
+        try {
+          const binaryString = atob(imageEntry.data);
+          const bytes = new Uint8Array(binaryString.length);
+          for (let i = 0; i < binaryString.length; i++) {
+            bytes[i] = binaryString.charCodeAt(i);
+          }
+          decryptedImages[imageEntry.filename] = new Blob([bytes]);
+        } catch (error) {
+          console.error(`Failed to convert decrypted image ${imageEntry.filename}:`, error);
+          throw new Error(`Failed to convert decrypted image: ${imageEntry.filename}`);
+        }
+      }
+    }
+    return {
+      plaintext: responseData.plaintext,
+      decryptedImages
+    };
+  } catch (error) {
+    console.error('Error decrypting export batch:', error);
+    throw error;
+  }
+};

package/app/utils/data/operations/types.ts CHANGED Viewed

@@ -39,4 +39,10 @@ export interface AuditExportSigningResponse {
   signature: ForensicManifestSignature;
 }
+export interface DecryptExportBatchResponse {
+  success: boolean;
+  plaintext: string;
+  decryptedImages: Array<{ filename: string; data: string }>;
+}
 export type DataOperation<T> = (user: User, ...args: unknown[]) => Promise<T>;

package/app/utils/forensics/export-encryption.ts ADDED Viewed

@@ -0,0 +1,316 @@
+import paths from '~/config/config.json';
+export const EXPORT_ENCRYPTION_VERSION = '1.0';
+export const EXPORT_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
+export interface EncryptedImageEntry {
+  filename: string;
+  encryptedHash: string; // SHA256 of encrypted bytes (lowercase hex)
+  iv: string; // base64url — per-image nonce
+}
+export interface EncryptionManifest {
+  encryptionVersion: string;
+  algorithm: string;
+  keyId: string;
+  wrappedKey: string; // base64url
+  dataIv: string; // base64url — nonce for the data file
+  encryptedImages: EncryptedImageEntry[];
+}
+export interface EncryptedExportResult {
+  ciphertext: Uint8Array;
+  encryptedImages: Uint8Array[];
+  encryptionManifest: EncryptionManifest;
+}
+export interface PublicEncryptionKeyDetails {
+  keyId: string | null;
+  publicKeyPem: string | null;
+}
+type ManifestEncryptionConfig = {
+  export_encryption_key_id?: string;
+  export_encryption_public_key?: string;
+  export_encryption_public_keys?: Record<string, string>;
+};
+function base64UrlEncode(value: Uint8Array): string {
+  let binary = '';
+  for (const byte of value) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+export function base64UrlDecode(value: string): Uint8Array {
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const padding = '='.repeat((4 - (normalized.length % 4)) % 4);
+  const decoded = atob(normalized + padding);
+  const bytes = new Uint8Array(decoded.length);
+  for (let i = 0; i < decoded.length; i += 1) {
+    bytes[i] = decoded.charCodeAt(i);
+  }
+  return bytes;
+}
+function normalizePemPublicKey(pem: string): string {
+  return pem.replace(/\\n/g, '\n').trim();
+}
+function publicKeyPemToArrayBuffer(publicKeyPem: string): ArrayBuffer {
+  const normalized = normalizePemPublicKey(publicKeyPem);
+  const pemBody = normalized
+    .replace('-----BEGIN PUBLIC KEY-----', '')
+    .replace('-----END PUBLIC KEY-----', '')
+    .replace(/\s+/g, '');
+  if (!pemBody) {
+    throw new Error('Encryption public key is invalid');
+  }
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+  return bytes.buffer;
+}
+async function importRsaOaepPublicKey(publicKeyPem: string): Promise<CryptoKey> {
+  const key = await crypto.subtle.importKey(
+    'spki',
+    publicKeyPemToArrayBuffer(publicKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['encrypt']
+  );
+  return key;
+}
+export function getCurrentEncryptionPublicKeyDetails(): PublicEncryptionKeyDetails {
+  const config = paths as unknown as ManifestEncryptionConfig;
+  const configuredKeyId =
+    typeof config.export_encryption_key_id === 'string' &&
+    config.export_encryption_key_id.trim().length > 0
+      ? config.export_encryption_key_id
+      : null;
+  if (configuredKeyId) {
+    const configuredKey = getEncryptionPublicKey(configuredKeyId);
+    if (configuredKey) {
+      return {
+        keyId: configuredKeyId,
+        publicKeyPem: configuredKey
+      };
+    }
+  }
+  const keyMap = config.export_encryption_public_keys;
+  if (keyMap && typeof keyMap === 'object') {
+    const firstConfiguredEntry = Object.entries(keyMap).find(
+      ([, value]) => typeof value === 'string' && value.trim().length > 0
+    );
+    if (firstConfiguredEntry) {
+      return {
+        keyId: firstConfiguredEntry[0],
+        publicKeyPem: normalizePemPublicKey(firstConfiguredEntry[1])
+      };
+    }
+  }
+  return {
+    keyId: null,
+    publicKeyPem:
+      typeof config.export_encryption_public_key === 'string' &&
+      config.export_encryption_public_key.trim().length > 0
+        ? normalizePemPublicKey(config.export_encryption_public_key)
+        : null
+  };
+}
+function getEncryptionPublicKey(keyId: string): string | null {
+  const config = paths as unknown as ManifestEncryptionConfig;
+  const keyMap = config.export_encryption_public_keys;
+  if (keyMap && typeof keyMap === 'object') {
+    const mappedKey = keyMap[keyId];
+    if (typeof mappedKey === 'string' && mappedKey.trim().length > 0) {
+      return normalizePemPublicKey(mappedKey);
+    }
+  }
+  if (
+    typeof config.export_encryption_key_id === 'string' &&
+    config.export_encryption_key_id === keyId &&
+    typeof config.export_encryption_public_key === 'string' &&
+    config.export_encryption_public_key.trim().length > 0
+  ) {
+    return normalizePemPublicKey(config.export_encryption_public_key);
+  }
+  return null;
+}
+/**
+ * Generate a shared AES-256-GCM key for all exports in one batch
+ */
+export async function generateSharedAesKey(): Promise<CryptoKey> {
+  return crypto.subtle.generateKey(
+    { name: 'AES-GCM', length: 256 },
+    true, // extractable for wrapping
+    ['encrypt', 'decrypt']
+  );
+}
+/**
+ * Encrypt plaintext data file with shared AES key
+ */
+export async function encryptDataWithSharedKey(
+  plaintextString: string,
+  sharedAesKey: CryptoKey,
+  iv: Uint8Array
+): Promise<Uint8Array> {
+  const plaintext = new TextEncoder().encode(plaintextString);
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    sharedAesKey,
+    plaintext
+  );
+  return new Uint8Array(ciphertext);
+}
+/**
+ * Encrypt a single image blob with shared AES key, return ciphertext and SHA256 hash
+ */
+export async function encryptImageWithSharedKey(
+  imageBlob: Blob,
+  sharedAesKey: CryptoKey,
+  iv: Uint8Array
+): Promise<{ ciphertext: Uint8Array; hash: string }> {
+  const imageBuffer = await imageBlob.arrayBuffer();
+  const imageBytes = new Uint8Array(imageBuffer);
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    sharedAesKey,
+    imageBytes
+  );
+  const ciphertextBytes = new Uint8Array(ciphertext);
+  // Calculate SHA256 of encrypted bytes
+  const hashBuffer = await crypto.subtle.digest('SHA-256', ciphertextBytes);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hash = hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+  return {
+    ciphertext: ciphertextBytes,
+    hash: hash.toLowerCase()
+  };
+}
+/**
+ * Wrap AES key with RSA-OAEP public key
+ */
+export async function wrapAesKeyWithPublicKey(
+  aesKey: CryptoKey,
+  publicKeyPem: string
+): Promise<string> {
+  const rsaPublicKey = await importRsaOaepPublicKey(publicKeyPem);
+  // Export the AES key to raw format
+  const rawAesKey = await crypto.subtle.exportKey('raw', aesKey);
+  // Wrap the raw AES key with RSA-OAEP
+  const wrappedKey = await crypto.subtle.encrypt(
+    { name: 'RSA-OAEP' },
+    rsaPublicKey,
+    rawAesKey
+  );
+  return base64UrlEncode(new Uint8Array(wrappedKey));
+}
+/**
+ * Encrypt export data file and all images with a shared AES-256 key
+ * Returns ciphertext, encrypted image array, and encryption manifest
+ */
+export async function encryptExportDataWithAllImages(
+  plaintextString: string,
+  imageBlobs: Array<{ filename: string; blob: Blob }>,
+  publicKeyPem: string,
+  keyId: string
+): Promise<EncryptedExportResult> {
+  // Generate shared AES-256 key
+  const sharedAesKey = await generateSharedAesKey();
+  // Generate a unique 96-bit IV for the data file
+  const dataIv = crypto.getRandomValues(new Uint8Array(12));
+  const dataIvBase64 = base64UrlEncode(dataIv);
+  // Encrypt data file with its own IV
+  const dataCiphertext = await encryptDataWithSharedKey(
+    plaintextString,
+    sharedAesKey,
+    dataIv
+  );
+  // Encrypt all images — each with its own unique IV
+  const encryptedImages: Uint8Array[] = [];
+  const encryptedImageEntries: EncryptedImageEntry[] = [];
+  for (const { filename, blob } of imageBlobs) {
+    const imageIv = crypto.getRandomValues(new Uint8Array(12));
+    const imageIvBase64 = base64UrlEncode(imageIv);
+    const { ciphertext, hash } = await encryptImageWithSharedKey(
+      blob,
+      sharedAesKey,
+      imageIv
+    );
+    encryptedImages.push(ciphertext);
+    encryptedImageEntries.push({
+      filename,
+      encryptedHash: hash,
+      iv: imageIvBase64
+    });
+  }
+  // Wrap shared AES key with RSA-OAEP
+  const wrappedKeyBase64 = await wrapAesKeyWithPublicKey(
+    sharedAesKey,
+    publicKeyPem
+  );
+  const encryptionManifest: EncryptionManifest = {
+    encryptionVersion: EXPORT_ENCRYPTION_VERSION,
+    algorithm: EXPORT_ENCRYPTION_ALGORITHM,
+    keyId,
+    wrappedKey: wrappedKeyBase64,
+    dataIv: dataIvBase64,
+    encryptedImages: encryptedImageEntries
+  };
+  return {
+    ciphertext: dataCiphertext,
+    encryptedImages,
+    encryptionManifest
+  };
+}