@striae-org/striae 5.2.0 → 5.3.0

package/workers/data-worker/src/handlers/decrypt-export.ts

@@ -0,0 +1,118 @@
+import {
+  buildExportDecryptionContext,
+  decryptExportDataWithRegistry,
+  decryptExportImageWithRegistry,
+  getNonEmptyString
+} from '../registry/key-registry';
+import type { CreateResponse, Env } from '../types';
+
+function arrayBufferToBase64(buffer: ArrayBuffer): string {
+  const bytes = new Uint8Array(buffer);
+  const chunkSize = 8192;
+  let binary = '';
+
+  for (let i = 0; i < bytes.length; i += chunkSize) {
+    const chunk = bytes.subarray(i, Math.min(i + chunkSize, bytes.length));
+    for (let j = 0; j < chunk.length; j += 1) {
+      binary += String.fromCharCode(chunk[j]);
+    }
+  }
+
+  return btoa(binary);
+}
+
+export async function handleDecryptExport(
+  request: Request,
+  env: Env,
+  respond: CreateResponse
+): Promise<Response> {
+  try {
+    const requestBody = await request.json() as {
+      wrappedKey?: string;
+      dataIv?: string;
+      encryptedData?: string;
+      encryptedImages?: Array<{ filename: string; encryptedData: string; iv?: string }>;
+      keyId?: string;
+    };
+
+    const { wrappedKey, dataIv, encryptedData, encryptedImages, keyId } = requestBody;
+
+    if (
+      !wrappedKey ||
+      typeof wrappedKey !== 'string' ||
+      !dataIv ||
+      typeof dataIv !== 'string' ||
+      !encryptedData ||
+      typeof encryptedData !== 'string'
+    ) {
+      return respond(
+        { error: 'Missing or invalid required fields: wrappedKey, dataIv, encryptedData' },
+        400
+      );
+    }
+
+    const recordKeyId = getNonEmptyString(keyId);
+    const decryptionContext = buildExportDecryptionContext(recordKeyId, env);
+
+    let plaintextData: string;
+    try {
+      plaintextData = await decryptExportDataWithRegistry(
+        encryptedData,
+        wrappedKey,
+        dataIv,
+        decryptionContext
+      );
+    } catch (error) {
+      console.error('Data file decryption failed:', error);
+      const errorMessage = error instanceof Error ? error.message : 'Decryption failed';
+      return respond(
+        { error: `Failed to decrypt data file: ${errorMessage}` },
+        500
+      );
+    }
+
+    const decryptedImages: Array<{ filename: string; data: string }> = [];
+    if (Array.isArray(encryptedImages) && encryptedImages.length > 0) {
+      for (const imageEntry of encryptedImages) {
+        try {
+          if (!imageEntry.iv || typeof imageEntry.iv !== 'string') {
+            return respond(
+              { error: `Missing IV for image ${imageEntry.filename}` },
+              400
+            );
+          }
+
+          const imageBlob = await decryptExportImageWithRegistry(
+            imageEntry.encryptedData,
+            wrappedKey,
+            imageEntry.iv,
+            decryptionContext
+          );
+
+          const base64Data = arrayBufferToBase64(await imageBlob.arrayBuffer());
+          decryptedImages.push({
+            filename: imageEntry.filename,
+            data: base64Data
+          });
+        } catch (error) {
+          console.error(`Image decryption failed for ${imageEntry.filename}:`, error);
+          const errorMessage = error instanceof Error ? error.message : 'Decryption failed';
+          return respond(
+            { error: `Failed to decrypt image ${imageEntry.filename}: ${errorMessage}` },
+            500
+          );
+        }
+      }
+    }
+
+    return respond({
+      success: true,
+      plaintext: plaintextData,
+      decryptedImages
+    });
+  } catch (error) {
+    console.error('Export decryption request failed:', error);
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+    return respond({ error: errorMessage }, 500);
+  }
+}

package/workers/data-worker/src/handlers/signing.ts

@@ -0,0 +1,174 @@
+import { signPayload as signWithWorkerKey } from '../signature-utils';
+import {
+  AUDIT_EXPORT_SIGNATURE_VERSION,
+  CONFIRMATION_SIGNATURE_VERSION,
+  FORENSIC_MANIFEST_SIGNATURE_ALGORITHM,
+  FORENSIC_MANIFEST_VERSION,
+  type AuditExportSigningPayload,
+  type ConfirmationSigningPayload,
+  type ForensicManifestPayload,
+  createAuditExportSigningPayload,
+  createConfirmationSigningPayload,
+  createManifestSigningPayload,
+  isValidAuditExportPayload,
+  isValidConfirmationPayload,
+  isValidManifestPayload
+} from '../signing-payload-utils';
+import type { CreateResponse, Env } from '../types';
+
+async function signPayloadWithWorkerKey(payload: string, env: Env): Promise<{
+  algorithm: string;
+  keyId: string;
+  signedAt: string;
+  value: string;
+}> {
+  return signWithWorkerKey(
+    payload,
+    env.MANIFEST_SIGNING_PRIVATE_KEY,
+    env.MANIFEST_SIGNING_KEY_ID,
+    FORENSIC_MANIFEST_SIGNATURE_ALGORITHM
+  );
+}
+
+async function signManifest(manifest: ForensicManifestPayload, env: Env): Promise<{
+  algorithm: string;
+  keyId: string;
+  signedAt: string;
+  value: string;
+}> {
+  const payload = createManifestSigningPayload(manifest);
+  return signPayloadWithWorkerKey(payload, env);
+}
+
+async function signConfirmation(confirmationData: ConfirmationSigningPayload, env: Env): Promise<{
+  algorithm: string;
+  keyId: string;
+  signedAt: string;
+  value: string;
+}> {
+  const payload = createConfirmationSigningPayload(confirmationData);
+  return signPayloadWithWorkerKey(payload, env);
+}
+
+async function signAuditExport(auditExportData: AuditExportSigningPayload, env: Env): Promise<{
+  algorithm: string;
+  keyId: string;
+  signedAt: string;
+  value: string;
+}> {
+  const payload = createAuditExportSigningPayload(auditExportData);
+  return signPayloadWithWorkerKey(payload, env);
+}
+
+export async function handleSignManifest(
+  request: Request,
+  env: Env,
+  respond: CreateResponse
+): Promise<Response> {
+  try {
+    const requestBody = await request.json() as { manifest?: Partial<ForensicManifestPayload> } & Partial<ForensicManifestPayload>;
+    const manifestCandidate: Partial<ForensicManifestPayload> = requestBody.manifest ?? requestBody;
+
+    if (!manifestCandidate || !isValidManifestPayload(manifestCandidate)) {
+      return respond({ error: 'Invalid manifest payload' }, 400);
+    }
+
+    const signature = await signManifest(manifestCandidate, env);
+
+    return respond({
+      success: true,
+      manifestVersion: FORENSIC_MANIFEST_VERSION,
+      signature
+    });
+  } catch (error) {
+    console.error('Manifest signing failed:', error);
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+    return respond({ error: errorMessage }, 500);
+  }
+}
+
+export async function handleSignConfirmation(
+  request: Request,
+  env: Env,
+  respond: CreateResponse
+): Promise<Response> {
+  try {
+    const requestBody = await request.json() as {
+      confirmationData?: Partial<ConfirmationSigningPayload>;
+      signatureVersion?: string;
+    } & Partial<ConfirmationSigningPayload>;
+
+    const requestedSignatureVersion =
+      typeof requestBody.signatureVersion === 'string' && requestBody.signatureVersion.trim().length > 0
+        ? requestBody.signatureVersion
+        : CONFIRMATION_SIGNATURE_VERSION;
+
+    if (requestedSignatureVersion !== CONFIRMATION_SIGNATURE_VERSION) {
+      return respond(
+        { error: `Unsupported confirmation signature version: ${requestedSignatureVersion}` },
+        400
+      );
+    }
+
+    const confirmationCandidate: Partial<ConfirmationSigningPayload> = requestBody.confirmationData ?? requestBody;
+
+    if (!confirmationCandidate || !isValidConfirmationPayload(confirmationCandidate)) {
+      return respond({ error: 'Invalid confirmation payload' }, 400);
+    }
+
+    const signature = await signConfirmation(confirmationCandidate, env);
+
+    return respond({
+      success: true,
+      signatureVersion: CONFIRMATION_SIGNATURE_VERSION,
+      signature
+    });
+  } catch (error) {
+    console.error('Confirmation signing failed:', error);
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+    return respond({ error: errorMessage }, 500);
+  }
+}
+
+export async function handleSignAuditExport(
+  request: Request,
+  env: Env,
+  respond: CreateResponse
+): Promise<Response> {
+  try {
+    const requestBody = await request.json() as {
+      auditExport?: Partial<AuditExportSigningPayload>;
+      signatureVersion?: string;
+    } & Partial<AuditExportSigningPayload>;
+
+    const requestedSignatureVersion =
+      typeof requestBody.signatureVersion === 'string' && requestBody.signatureVersion.trim().length > 0
+        ? requestBody.signatureVersion
+        : AUDIT_EXPORT_SIGNATURE_VERSION;
+
+    if (requestedSignatureVersion !== AUDIT_EXPORT_SIGNATURE_VERSION) {
+      return respond(
+        { error: `Unsupported audit export signature version: ${requestedSignatureVersion}` },
+        400
+      );
+    }
+
+    const auditExportCandidate: Partial<AuditExportSigningPayload> = requestBody.auditExport ?? requestBody;
+
+    if (!auditExportCandidate || !isValidAuditExportPayload(auditExportCandidate)) {
+      return respond({ error: 'Invalid audit export payload' }, 400);
+    }
+
+    const signature = await signAuditExport(auditExportCandidate, env);
+
+    return respond({
+      success: true,
+      signatureVersion: AUDIT_EXPORT_SIGNATURE_VERSION,
+      signature
+    });
+  } catch (error) {
+    console.error('Audit export signing failed:', error);
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+    return respond({ error: errorMessage }, 500);
+  }
+}

package/workers/data-worker/src/handlers/storage-routes.ts

@@ -0,0 +1,129 @@
+import {
+  DATA_AT_REST_ENCRYPTION_ALGORITHM,
+  DATA_AT_REST_ENCRYPTION_VERSION
+} from '../config';
+import { encryptJsonForStorage } from '../encryption-utils';
+import {
+  decryptJsonFromStorageWithRegistry,
+  extractDataAtRestEnvelope,
+  isDataAtRestEncryptionEnabled
+} from '../registry/key-registry';
+import type { CreateResponse, Env } from '../types';
+
+export async function handleStorageRequest(
+  request: Request,
+  env: Env,
+  pathname: string,
+  respond: CreateResponse
+): Promise<Response> {
+  const bucket = env.STRIAE_DATA;
+  const filename = pathname.slice(1) || 'data.json';
+
+  if (!filename.endsWith('.json')) {
+    return respond({ error: 'Invalid file type. Only JSON files are allowed.' }, 400);
+  }
+
+  switch (request.method) {
+    case 'GET': {
+      const file = await bucket.get(filename);
+      if (!file) {
+        return respond([], 200);
+      }
+
+      const atRestEnvelope = extractDataAtRestEnvelope(file);
+      if (atRestEnvelope) {
+        if (atRestEnvelope.algorithm !== DATA_AT_REST_ENCRYPTION_ALGORITHM) {
+          return respond({ error: 'Unsupported data-at-rest encryption algorithm' }, 500);
+        }
+
+        if (atRestEnvelope.encryptionVersion !== DATA_AT_REST_ENCRYPTION_VERSION) {
+          return respond({ error: 'Unsupported data-at-rest encryption version' }, 500);
+        }
+
+        try {
+          const encryptedData = await file.arrayBuffer();
+          const plaintext = await decryptJsonFromStorageWithRegistry(
+            encryptedData,
+            atRestEnvelope,
+            env
+          );
+          const decryptedPayload = JSON.parse(plaintext);
+          return respond(decryptedPayload);
+        } catch (error) {
+          console.error('Data-at-rest decryption failed:', error);
+          return respond({ error: 'Failed to decrypt stored data' }, 500);
+        }
+      }
+
+      try {
+        const fileText = await file.text();
+        const data = JSON.parse(fileText);
+        return respond(data);
+      } catch (error) {
+        console.error('Stored JSON parse failed:', error);
+        return respond({ error: 'Stored data is corrupted or not valid JSON' }, 500);
+      }
+    }
+
+    case 'PUT': {
+      let newData: unknown;
+
+      try {
+        newData = await request.json();
+      } catch (error) {
+        console.error('Request JSON parse failed:', error);
+        return respond({ error: 'Invalid JSON request body' }, 400);
+      }
+
+      const serializedData = JSON.stringify(newData);
+
+      if (!isDataAtRestEncryptionEnabled(env)) {
+        await bucket.put(filename, serializedData);
+        return respond({ success: true });
+      }
+
+      if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+        return respond(
+          { error: 'Data-at-rest encryption is enabled but not fully configured' },
+          500
+        );
+      }
+
+      try {
+        const encryptedPayload = await encryptJsonForStorage(
+          serializedData,
+          env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+          env.DATA_AT_REST_ENCRYPTION_KEY_ID
+        );
+
+        await bucket.put(filename, encryptedPayload.ciphertext, {
+          customMetadata: {
+            algorithm: encryptedPayload.envelope.algorithm,
+            encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+            keyId: encryptedPayload.envelope.keyId,
+            dataIv: encryptedPayload.envelope.dataIv,
+            wrappedKey: encryptedPayload.envelope.wrappedKey
+          }
+        });
+      } catch (error) {
+        console.error('Data-at-rest encryption failed:', error);
+        return respond({ error: 'Failed to encrypt data for storage' }, 500);
+      }
+
+      return respond({ success: true });
+    }
+
+    case 'DELETE': {
+      const file = await bucket.get(filename);
+      if (!file) {
+        return respond({ error: 'File not found' }, 404);
+      }
+
+      await bucket.delete(filename);
+      return respond({ success: true });
+    }
+
+    default:
+      return respond({ error: 'Method not allowed' }, 405);
+  }
+}