feat(sdk): Assertion support (#350)

* feat(sdk): Assertion support

Author: sujankota

lib/package-lock.json

@@ -69,6 +69,7 @@
     "dpop": "^1.2.0",
     "eventemitter3": "^5.0.1",
     "jose": "^4.14.4",
+    "json-canonicalize": "^1.0.6",
     "streamsaver": "^2.0.6",
     "uuid": "~9.0.0"
   },

lib/package.json

@@ -0,0 +1,29 @@
+import {
+  AssertionKeyAlg,
+  AssertionType,
+  Scope,
+  AppliesToState,
+  Statement,
+} from '../models/assertion.js';
+
+export type AssertionKey = {
+  alg: AssertionKeyAlg;
+  key: any; // Replace AnyKey with the actual type of your key
+};
+
+// AssertionConfig is a shadow of Assertion with the addition of the signing key.
+// It is used on creation of the assertion.
+export type AssertionConfig = {
+  id: string;
+  type: AssertionType;
+  scope: Scope;
+  appliesToState: AppliesToState;
+  statement: Statement;
+  signingKey?: AssertionKey;
+};
+
+// AssertionVerificationKeys represents the verification keys for assertions.
+export type AssertionVerificationKeys = {
+  DefaultKey?: AssertionKey;
+  Keys: Record<string, AssertionKey>;
+};

lib/tdf3/src/client/AssertionConfig.ts

@@ -8,6 +8,7 @@ import { PemKeyPair } from '../crypto/declarations.js';
 import { EntityObject } from '../../../src/tdf/EntityObject.js';
 import { DecoratedReadableStream } from './DecoratedReadableStream.js';
 import { type Chunker } from '../utils/chunkers.js';
+import { AssertionConfig, AssertionVerificationKeys } from './AssertionConfig.js';
 import { Value } from '../../../src/policy/attributes.js';
 
 export const DEFAULT_SEGMENT_SIZE: number = 1024 * 1024;
@@ -50,6 +51,7 @@ export type EncryptParams = {
   keyMiddleware?: EncryptKeyMiddleware;
   splitPlan?: SplitStep[];
   streamMiddleware?: EncryptStreamMiddleware;
+  assertionConfigs?: AssertionConfig[];
 };
 
 // 'Readonly<EncryptParams>': scope, metadata, offline, windowSize, asHtml
@@ -77,6 +79,7 @@ class EncryptParamsBuilder {
       offline: false,
       windowSize: DEFAULT_SEGMENT_SIZE,
       asHtml: false,
+      assertionConfigs: [],
     }
   ) {
     this._params = { ...params };
@@ -485,6 +488,17 @@ class EncryptParamsBuilder {
   build(): Readonly<EncryptParams> {
     return this._deepCopy(this._params as EncryptParams);
   }
+
+  /**
+   * Sets the assertion configurations for the encryption parameters.
+   *
+   * @param {AssertionConfig[]} assertionConfigs - An array of assertion configurations to be set.
+   * @returns {EncryptParamsBuilder} The current instance of the EncryptParamsBuilder for method chaining.
+   */
+  withAssertions(assertionConfigs: AssertionConfig[]): EncryptParamsBuilder {
+    this._params.assertionConfigs = assertionConfigs;
+    return this;
+  }
 }
 
 export type DecryptKeyMiddleware = (key: Binary) => Promise<Binary>;
@@ -505,6 +519,7 @@ export type DecryptParams = {
   source: DecryptSource;
   keyMiddleware?: DecryptKeyMiddleware;
   streamMiddleware?: DecryptStreamMiddleware;
+  assertionVerificationKeys?: AssertionVerificationKeys;
 };
 
 /**

lib/tdf3/src/client/builders.ts

@@ -407,6 +407,7 @@ export class Client {
     keyMiddleware = defaultKeyMiddleware,
     streamMiddleware = async (stream: DecoratedReadableStream) => stream,
     splitPlan,
+    assertionConfigs = [],
   }: EncryptParams): Promise<DecoratedReadableStream> {
     const dpopKeys = await this.dpopKeys;
 
@@ -519,6 +520,7 @@ export class Client {
       progressHandler: this.clientConfig.progressHandler,
       keyForEncryption,
       keyForManifest,
+      assertionConfigs,
     };
 
     const stream = await (streamMiddleware as EncryptStreamMiddleware)(await writeStream(ecfg));
@@ -549,6 +551,7 @@ export class Client {
    * @param params streamMiddleware fucntion to process streamMiddleware
    * @param params.source A data stream object, one of remote, stream, buffer, etc. types.
    * @param params.eo Optional entity object (legacy AuthZ)
+   * @param params.assertionVerificationKeys Optional verification keys for assertions.
    * @return a {@link https://nodejs.org/api/stream.html#stream_class_stream_readable|Readable} stream containing the decrypted plaintext.
    * @see DecryptParamsBuilder
    */
@@ -557,6 +560,7 @@ export class Client {
     source,
     keyMiddleware = async (key: Binary) => key,
     streamMiddleware = async (stream: DecoratedReadableStream) => stream,
+    assertionVerificationKeys,
   }: DecryptParams): Promise<DecoratedReadableStream> {
     const dpopKeys = await this.dpopKeys;
     let entityObject;
@@ -588,6 +592,7 @@ export class Client {
         fileStreamServiceWorker: this.clientConfig.fileStreamServiceWorker,
         keyMiddleware,
         progressHandler: this.clientConfig.progressHandler,
+        assertionVerificationKeys,
       })
     );
   }

lib/tdf3/src/client/index.ts

@@ -0,0 +1,129 @@
+import { canonicalizeEx } from 'json-canonicalize';
+import { SignJWT, jwtVerify } from 'jose';
+import { AssertionKey } from './../client/AssertionConfig.js';
+
+export type AssertionKeyAlg = 'RS256' | 'HS256';
+export type AssertionType = 'handling' | 'other';
+export type Scope = 'tdo' | 'payload';
+export type AppliesToState = 'encrypted' | 'unencrypted';
+export type BindingMethod = 'jws';
+
+const kAssertionHash = 'assertionHash';
+const kAssertionSignature = 'assertionSig';
+
+// Statement type
+export type Statement = {
+  format: string;
+  schema: string;
+  value: string;
+};
+
+// Binding type
+export type Binding = {
+  method: string;
+  signature: string;
+};
+
+// Assertion type
+export type Assertion = {
+  id: string;
+  type: AssertionType;
+  scope: Scope;
+  appliesToState?: AppliesToState;
+  statement: Statement;
+  binding: Binding;
+  hash: () => Promise<string>;
+  sign: (hash: string, sig: string, key: AssertionKey) => Promise<void>;
+  verify: (key: AssertionKey) => Promise<[string, string]>;
+};
+
+/**
+ * Computes the SHA-256 hash of the assertion object, excluding the 'binding' and 'hash' properties.
+ *
+ * @returns {Promise<string>} A promise that resolves to the hexadecimal string representation of the hash.
+ */
+export async function hash(this: Assertion): Promise<string> {
+  const result = canonicalizeEx(this, { exclude: ['binding', 'hash', 'sign', 'verify'] });
+
+  const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(result));
+  return Buffer.from(hash).toString('hex');
+}
+
+/**
+ * Signs the given hash and signature using the provided key and sets the binding method and signature.
+ *
+ * @param {string} hash - The hash to be signed.
+ * @param {string} sig - The signature to be signed.
+ * @param {AssertionKey} key - The key used for signing.
+ * @returns {Promise<void>} A promise that resolves when the signing is complete.
+ */
+export async function sign(
+  this: Assertion,
+  assertionHash: string,
+  sig: string,
+  key: AssertionKey
+): Promise<void> {
+  const payload: any = {};
+  payload[kAssertionHash] = assertionHash;
+  payload[kAssertionSignature] = sig;
+
+  try {
+    const token = await new SignJWT(payload).setProtectedHeader({ alg: key.alg }).sign(key.key);
+
+    this.binding.method = 'jws';
+    this.binding.signature = token;
+  } catch (error) {
+    throw new Error(`Signing assertion failed: ${error.message}`);
+  }
+}
+
+/**
+ * Verifies the signature of the assertion using the provided key.
+ *
+ * @param {AssertionKey} key - The key used for verification.
+ * @returns {Promise<[string, string]>} A promise that resolves to a tuple containing the assertion hash and signature.
+ * @throws {Error} If the verification fails.
+ */
+export async function verify(this: Assertion, key: AssertionKey): Promise<[string, string]> {
+  try {
+    const { payload } = await jwtVerify(this.binding.signature, key.key, {
+      algorithms: [key.alg],
+    });
+
+    return [payload[kAssertionHash] as string, payload[kAssertionSignature] as string];
+  } catch (error) {
+    throw new Error(`Verifying assertion failed: ${error.message}`);
+  }
+}
+
+/**
+ * Creates an Assertion object with the specified properties.
+ *
+ * @param {string} id - The unique identifier for the assertion.
+ * @param {AssertionType} type - The type of the assertion (e.g., 'handling', 'other').
+ * @param {Scope} scope - The scope of the assertion (e.g., 'tdo', 'payload').
+ * @param {Statement} statement - The statement associated with the assertion.
+ * @param {Binding} binding - The binding method and signature for the assertion.
+ * @param {AppliesToState} [appliesToState] - The state to which the assertion applies (optional).
+ * @returns {Assertion} The created Assertion object.
+ */
+export function CreateAssertion(
+  id: string,
+  type: AssertionType,
+  scope: Scope,
+  statement: Statement,
+  appliesToState?: AppliesToState,
+  binding?: Binding
+): Assertion {
+  return {
+    id,
+    type,
+    scope,
+    appliesToState,
+    statement,
+    binding: { method: binding?.method ?? '', signature: binding?.signature ?? '' },
+    hash,
+    sign,
+    verify,
+  };
+}

lib/tdf3/src/models/assertion.ts

@@ -5,3 +5,4 @@ export * from './manifest.js';
 export * from './payload.js';
 export * from './policy.js';
 export * from './upsert-response.js';
+export * from './assertion.js';

lib/tdf3/src/models/index.ts

@@ -1,7 +1,9 @@
+import { type Assertion } from './assertion.js';
 import { type Payload } from './payload.js';
 import { type EncryptionInformation } from './encryption-information.js';
 
 export type Manifest = {
   payload: Payload;
   encryptionInformation: EncryptionInformation;
+  assertions: Assertion[];
 };