@striae-org/striae 4.3.4 → 5.1.0

package/app/utils/forensics/export-verification.ts

@@ -1,4 +1,3 @@
-import { type ConfirmationImportData } from '~/types';
 import {
   extractForensicManifestData,
   type ManifestSignatureVerificationResult,
@@ -11,7 +10,6 @@ import {
   type AuditExportSigningPayload,
   verifyAuditExportSignature
 } from './audit-export-signature';
-import { verifyConfirmationSignature } from './confirmation-signature';
 
 export interface ExportVerificationResult {
   isValid: boolean;
@@ -19,9 +17,6 @@ export interface ExportVerificationResult {
   exportType?: 'case-zip' | 'confirmation' | 'audit-json';
 }
 
-const CASE_EXPORT_FILE_REGEX = /_data\.(json|csv)$/i;
-const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
-
 interface BundledAuditExportFile {
   metadata?: {
     exportTimestamp?: string;
@@ -45,12 +40,6 @@ interface BundledAuditExportFile {
   auditEntries?: unknown;
 }
 
-interface StandaloneAuditExportFile extends BundledAuditExportFile {
-  metadata?: BundledAuditExportFile['metadata'] & {
-    integrityNote?: string;
-  };
-}
-
 export interface CasePackageIntegrityInput {
   cleanedContent: string;
   imageFiles: Record<string, Blob>;
@@ -100,146 +89,7 @@ function getSignatureFailureMessage(
   return `The ${targetLabel} signature did not verify with the selected public key.`;
 }
 
-function isConfirmationImportCandidate(candidate: unknown): candidate is Partial<ConfirmationImportData> {
-  if (!candidate || typeof candidate !== 'object') {
-    return false;
-  }
-
-  const confirmationCandidate = candidate as Partial<ConfirmationImportData>;
-  return (
-    !!confirmationCandidate.metadata &&
-    typeof confirmationCandidate.metadata.hash === 'string' &&
-    !!confirmationCandidate.confirmations &&
-    typeof confirmationCandidate.confirmations === 'object'
-  );
-}
-
-function isAuditExportCandidate(candidate: unknown): candidate is StandaloneAuditExportFile {
-  if (!candidate || typeof candidate !== 'object') {
-    return false;
-  }
-
-  const auditCandidate = candidate as StandaloneAuditExportFile;
-  const metadata = auditCandidate.metadata;
-
-  if (!metadata || typeof metadata !== 'object') {
-    return false;
-  }
-
-  return (
-    typeof metadata.exportTimestamp === 'string' &&
-    typeof metadata.exportType === 'string' &&
-    typeof metadata.scopeType === 'string' &&
-    typeof metadata.scopeIdentifier === 'string' &&
-    typeof metadata.hash === 'string' &&
-    !!metadata.signature &&
-    (auditCandidate.auditTrail !== undefined || auditCandidate.auditEntries !== undefined)
-  );
-}
-
-async function verifyAuditExportContent(
-  fileContent: string,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  try {
-    const parsedContent = JSON.parse(fileContent) as unknown;
-
-    if (!isAuditExportCandidate(parsedContent)) {
-      return createVerificationResult(
-        false,
-        'The JSON file is not a supported Striae audit export.',
-        'audit-json'
-      );
-    }
-
-    const auditExport = parsedContent as StandaloneAuditExportFile;
-    const metadata = auditExport.metadata!;
-
-    const unsignedAuditExport = auditExport.auditTrail !== undefined
-      ? {
-          metadata: {
-            exportTimestamp: metadata.exportTimestamp,
-            exportVersion: metadata.exportVersion,
-            totalEntries: metadata.totalEntries,
-            application: metadata.application,
-            exportType: metadata.exportType,
-            scopeType: metadata.scopeType,
-            scopeIdentifier: metadata.scopeIdentifier,
-          },
-          auditTrail: auditExport.auditTrail,
-        }
-      : {
-          metadata: {
-            exportTimestamp: metadata.exportTimestamp,
-            exportVersion: metadata.exportVersion,
-            totalEntries: metadata.totalEntries,
-            application: metadata.application,
-            exportType: metadata.exportType,
-            scopeType: metadata.scopeType,
-            scopeIdentifier: metadata.scopeIdentifier,
-          },
-          auditEntries: auditExport.auditEntries,
-        };
-
-    const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
-    const hashValid = recalculatedHash.toUpperCase() === metadata.hash!.toUpperCase();
-
-    const signaturePayload: Partial<AuditExportSigningPayload> = {
-      signatureVersion: metadata.signatureVersion,
-      exportFormat: 'json',
-      exportType: metadata.exportType,
-      scopeType: metadata.scopeType,
-      scopeIdentifier: metadata.scopeIdentifier,
-      generatedAt: metadata.exportTimestamp,
-      totalEntries: metadata.totalEntries,
-      hash: metadata.hash,
-    };
-
-    const signatureResult = await verifyAuditExportSignature(
-      signaturePayload,
-      metadata.signature,
-      verificationPublicKeyPem
-    );
-
-    if (hashValid && signatureResult.isValid) {
-      return createVerificationResult(
-        true,
-        'The audit export passed signature and integrity verification.',
-        'audit-json'
-      );
-    }
-
-    if (!hashValid && !signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        'The audit export failed signature and integrity verification.',
-        'audit-json'
-      );
-    }
-
-    if (!signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        getSignatureFailureMessage(signatureResult.error, 'audit export'),
-        'audit-json'
-      );
-    }
-
-    return createVerificationResult(
-      false,
-      'The audit export failed integrity verification.',
-      'audit-json'
-    );
-  } catch {
-    return createVerificationResult(
-      false,
-      'The JSON file could not be read as a supported Striae audit export.',
-      'audit-json'
-    );
-  }
-}
-
-export async function verifyBundledAuditExport(
+async function verifyBundledAuditExport(
   zip: {
     file: (path: string) => { async: (type: 'text') => Promise<string> } | null;
   },
@@ -412,264 +262,6 @@ export async function validateConfirmationHash(jsonContent: string, expectedHash
   }
 }
 
-async function verifyCaseZipExport(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  const JSZip = (await import('jszip')).default;
-
-  try {
-    const zip = await JSZip.loadAsync(file);
-    const dataFiles = Object.keys(zip.files).filter((name) => CASE_EXPORT_FILE_REGEX.test(name));
-
-    if (dataFiles.length !== 1) {
-      return createVerificationResult(
-        false,
-        'The ZIP file must contain exactly one case export data file.',
-        'case-zip'
-      );
-    }
-
-    const dataContent = await zip.file(dataFiles[0])?.async('text');
-    if (!dataContent) {
-      return createVerificationResult(false, 'The ZIP data file could not be read.', 'case-zip');
-    }
-
-    const manifestContent = await zip.file('FORENSIC_MANIFEST.json')?.async('text');
-    if (!manifestContent) {
-      return createVerificationResult(
-        false,
-        'The ZIP file does not contain FORENSIC_MANIFEST.json.',
-        'case-zip'
-      );
-    }
-
-    const forensicManifest = JSON.parse(manifestContent) as SignedForensicManifest;
-    const manifestData = extractForensicManifestData(forensicManifest);
-
-    if (!manifestData) {
-      return createVerificationResult(false, 'The forensic manifest is malformed.', 'case-zip');
-    }
-
-    const cleanedContent = removeForensicWarning(dataContent);
-    const imageFiles: Record<string, Blob> = {};
-
-    await Promise.all(
-      Object.keys(zip.files).map(async (path) => {
-        if (!path.startsWith('images/') || path.endsWith('/')) {
-          return;
-        }
-
-        const zipEntry = zip.file(path);
-        if (!zipEntry) {
-          return;
-        }
-
-        imageFiles[path.replace('images/', '')] = await zipEntry.async('blob');
-      })
-    );
-
-    const bundledAuditFiles = {
-      auditTrailContent: await zip.file('audit/case-audit-trail.json')?.async('text'),
-      auditSignatureContent: await zip.file('audit/case-audit-signature.json')?.async('text')
-    };
-
-    const casePackageResult = await verifyCasePackageIntegrity({
-      cleanedContent,
-      imageFiles,
-      forensicManifest,
-      verificationPublicKeyPem,
-      bundledAuditFiles
-    });
-
-    const signatureResult = casePackageResult.signatureResult;
-    const integrityResult = casePackageResult.integrityResult;
-    const bundledAuditVerification = casePackageResult.bundledAuditVerification;
-
-    if (bundledAuditVerification) {
-      return bundledAuditVerification;
-    }
-
-    if (signatureResult.isValid && integrityResult.isValid) {
-      return createVerificationResult(
-        true,
-        'The export ZIP passed signature and integrity verification.',
-        'case-zip'
-      );
-    }
-
-    if (!signatureResult.isValid && !integrityResult.isValid) {
-      return createVerificationResult(
-        false,
-        'The export ZIP failed signature and integrity verification.',
-        'case-zip'
-      );
-    }
-
-    if (!signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        getSignatureFailureMessage(signatureResult.error, 'export ZIP'),
-        'case-zip'
-      );
-    }
-
-    return createVerificationResult(false, 'The export ZIP failed integrity verification.', 'case-zip');
-  } catch {
-    return createVerificationResult(
-      false,
-      'The ZIP file could not be read as a supported Striae export.',
-      'case-zip'
-    );
-  }
-}
-
-async function verifyConfirmationContent(
-  fileContent: string,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  try {
-    const parsedContent = JSON.parse(fileContent) as unknown;
-
-    if (!isConfirmationImportCandidate(parsedContent)) {
-      return createVerificationResult(
-        false,
-        'The JSON file is not a supported Striae confirmation export.',
-        'confirmation'
-      );
-    }
-
-    const confirmationData = parsedContent as Partial<ConfirmationImportData>;
-    const hashValid = await validateConfirmationHash(fileContent, confirmationData.metadata!.hash);
-    const signatureResult = await verifyConfirmationSignature(confirmationData, verificationPublicKeyPem);
-
-    if (hashValid && signatureResult.isValid) {
-      return createVerificationResult(
-        true,
-        'The confirmation file passed signature and integrity verification.',
-        'confirmation'
-      );
-    }
-
-    if (!signatureResult.isValid && signatureResult.error === 'Confirmation content is malformed') {
-      return createVerificationResult(
-        false,
-        'The JSON file is not a supported Striae confirmation export.',
-        'confirmation'
-      );
-    }
-
-    if (!hashValid && !signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        'The confirmation file failed signature and integrity verification.',
-        'confirmation'
-      );
-    }
-
-    if (!signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        getSignatureFailureMessage(signatureResult.error, 'confirmation file'),
-        'confirmation'
-      );
-    }
-
-    return createVerificationResult(
-      false,
-      'The confirmation file failed integrity verification.',
-      'confirmation'
-    );
-  } catch {
-    return createVerificationResult(
-      false,
-      'The confirmation content could not be read as a supported Striae confirmation export.',
-      'confirmation'
-    );
-  }
-}
-
-async function verifyConfirmationZipExport(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  const JSZip = (await import('jszip')).default;
-
-  try {
-    const zip = await JSZip.loadAsync(file);
-    const confirmationFiles = Object.keys(zip.files).filter((name) => CONFIRMATION_EXPORT_FILE_REGEX.test(name));
-
-    if (confirmationFiles.length !== 1) {
-      return createVerificationResult(
-        false,
-        'The ZIP file is not a supported Striae confirmation export package.'
-      );
-    }
-
-    const confirmationContent = await zip.file(confirmationFiles[0])?.async('text');
-    if (!confirmationContent) {
-      return createVerificationResult(
-        false,
-        'The confirmation JSON file inside the ZIP could not be read.',
-        'confirmation'
-      );
-    }
-
-    return verifyConfirmationContent(confirmationContent, verificationPublicKeyPem);
-  } catch {
-    return createVerificationResult(
-      false,
-      'The ZIP file could not be read as a supported Striae export.'
-    );
-  }
-}
-
-export async function verifyExportFile(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  const lowerName = file.name.toLowerCase();
-
-  if (lowerName.endsWith('.zip')) {
-    const confirmationZipResult = await verifyConfirmationZipExport(file, verificationPublicKeyPem);
-    if (confirmationZipResult.exportType === 'confirmation' || confirmationZipResult.isValid) {
-      return confirmationZipResult;
-    }
-
-    return verifyCaseZipExport(file, verificationPublicKeyPem);
-  }
-
-  if (lowerName.endsWith('.json')) {
-    try {
-      const fileContent = await file.text();
-      const parsedContent = JSON.parse(fileContent) as unknown;
-
-      if (isConfirmationImportCandidate(parsedContent)) {
-        return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
-      }
-
-      if (isAuditExportCandidate(parsedContent)) {
-        return verifyAuditExportContent(fileContent, verificationPublicKeyPem);
-      }
-
-      return createVerificationResult(
-        false,
-        'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
-      );
-    } catch {
-      return createVerificationResult(
-        false,
-        'The JSON file could not be read as a supported Striae confirmation or audit export.'
-      );
-    }
-  }
-
-  return createVerificationResult(
-    false,
-    'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
-  );
-}
-
 export async function verifyCasePackageIntegrity(
   input: CasePackageIntegrityInput
 ): Promise<CasePackageIntegrityResult> {

package/app/utils/forensics/index.ts

@@ -1,5 +1,6 @@
 export * from './SHA256';
 export * from './audit-export-signature';
 export * from './confirmation-signature';
+export * from './export-encryption';
 export * from './export-verification';
 export * from './signature-utils';

package/app/utils/ui/case-messages.ts

@@ -5,15 +5,18 @@
 
 // Import validation messages
 export const IMPORT_FILE_TYPE_NOT_ALLOWED =
-  'Only Striae case ZIP files, confirmation ZIP files, or confirmation JSON files are allowed.';
+  'Only Striae case ZIP files and encrypted confirmation ZIP packages exported from Striae are allowed.';
 
 export const IMPORT_FILE_TYPE_NOT_SUPPORTED =
-  'The selected file is not a supported Striae case or confirmation import package.';
+  'The selected file is not a supported Striae case ZIP or encrypted confirmation package.';
 
 // Import blocking messages
 export const ARCHIVED_REGULAR_CASE_BLOCK_MESSAGE =
   'This archived case cannot be imported because the case already exists in your regular case list. Delete the regular case before importing this archive.';
 
+export const ARCHIVED_SELF_IMPORT_NOTE =
+  'Archived export detected. Original exporter imports are only allowed after the case has been deleted from your regular case list.';
+
 // Read-only case operations
 export const CREATE_READ_ONLY_CASE_EXISTS_ERROR = (caseNumber: string): string =>
   `Case "${caseNumber}" already exists as a read-only review case.`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "4.3.4",
+  "version": "5.1.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -106,7 +106,7 @@
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
     "deploy-workers:keys": "cd workers/keys-worker && npm run deploy",
     "deploy-workers:pdf": "cd workers/pdf-worker && npm run deploy",
-    "deploy-workers:user": "cd workers/user-worker && npm run deploy"
+    "deploy-workers:user": "cd workers/user-worker && npm run deploy"    
   },
   "dependencies": {
     "@react-router/cloudflare": "^7.13.2",