feat: upgrade tdf clients to rewrap v2 proto structure

Author: jakedoublev

lib/src/nanotdf/Client.ts

@@ -1,4 +1,5 @@
-import * as base64 from '../encodings/base64.js';
+import { create, toJsonString } from '@bufbuild/protobuf';
+import { UnsignedRewrapRequest_WithPolicyRequestSchema, UnsignedRewrapRequestSchema } from '../platform/kas/kas_pb.js';
 import { generateKeyPair, keyAgreement } from '../nanotdf-crypto/index.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import DefaultParams from './models/DefaultParams.js';
@@ -246,18 +247,29 @@ export default class Client {
       throw new ConfigurationError('Signer key has not been set or generated');
     }
 
-    const requestBodyStr = JSON.stringify({
-      algorithm: DefaultParams.defaultECAlgorithm,
-      // nano keyAccess minimum, header is used for nano
-      keyAccess: {
-        type: Client.KEY_ACCESS_REMOTE,
-        url: '',
-        protocol: Client.KAS_PROTOCOL,
-        header: base64.encodeArrayBuffer(nanoTdfHeader),
-      },
+    const unsignedRequest = create(UnsignedRewrapRequestSchema, {
       clientPublicKey: await cryptoPublicToPem(ephemeralKeyPair.publicKey),
+      requests: [
+        create(UnsignedRewrapRequest_WithPolicyRequestSchema, {
+          keyAccessObjects: [
+            {
+              keyAccessObjectId: 'kao-0',
+              keyAccessObject: {
+                header: new Uint8Array(nanoTdfHeader),
+                kasUrl: '',
+                protocol: Client.KAS_PROTOCOL,
+                // type: Client.KEY_ACCESS_REMOTE,
+              },
+            },
+          ],
+          algorithm: DefaultParams.defaultECAlgorithm,
+          // policy in nano is present within the header?
+        }),
+      ],
     });
 
+    const requestBodyStr = toJsonString(UnsignedRewrapRequestSchema, unsignedRequest);
+
     const jwtPayload = { requestBody: requestBodyStr };
 
     const signedRequestToken = await reqSignature(jwtPayload, requestSignerKeyPair.privateKey, {

lib/tdf3/src/tdf.ts

@@ -8,6 +8,14 @@ import {
   fetchWrappedKey,
   publicKeyAlgorithmToJwa,
 } from '../../src/access.js';
+import { create, toJsonString } from '@bufbuild/protobuf';
+import {
+  KeyAccessSchema,
+  UnsignedRewrapRequestSchema,
+  UnsignedRewrapRequest_WithPolicyRequestSchema,
+  UnsignedRewrapRequest_WithPolicySchema,
+  UnsignedRewrapRequest_WithKeyAccessObjectSchema,
+} from '../../src/platform/kas/kas_pb.js';
 import { type AuthProvider, reqSignature } from '../../src/auth/auth.js';
 import { allPool, anyPool } from '../../src/concurrency.js';
 import { base64, hex } from '../../src/encodings/index.js';
@@ -778,13 +786,41 @@ async function unwrapKey({
 
     const clientPublicKey = ephemeralEncryptionKeys.publicKey;
 
-    const requestBodyStr = JSON.stringify({
-      algorithm: 'RS256',
-      keyAccess: keySplitInfo,
-      policy: manifest.encryptionInformation.policy,
+    // TODO: how to handle defaults here?
+    // Convert keySplitInfo to protobuf KeyAccess
+    const keyAccessProto = create(KeyAccessSchema, {
+      keyType: keySplitInfo.type || '',
+      kasUrl: keySplitInfo.url || '',
+      protocol: keySplitInfo.protocol || '',
+      wrappedKey: keySplitInfo.wrappedKey ? new Uint8Array(base64.decodeArrayBuffer(keySplitInfo.wrappedKey)) : new Uint8Array(),
+      policyBinding: keySplitInfo.policyBinding,
+      kid: keySplitInfo.kid || '',
+      splitId: keySplitInfo.sid || '',
+      encryptedMetadata: keySplitInfo.encryptedMetadata || '',
+    });
+
+    // Create the protobuf request
+    const unsignedRequest = create(UnsignedRewrapRequestSchema, {
       clientPublicKey,
+      requests: [
+        create(UnsignedRewrapRequest_WithPolicyRequestSchema, {
+          keyAccessObjects: [
+            create(UnsignedRewrapRequest_WithKeyAccessObjectSchema, {
+              keyAccessObjectId: 'kao-0',
+              keyAccessObject: keyAccessProto,
+            }),
+          ],
+          policy: create(UnsignedRewrapRequest_WithPolicySchema, {
+            id: 'policy-0',
+            body: manifest.encryptionInformation.policy,
+          }),
+          algorithm: 'RS256',
+        }),
+      ],
     });
 
+    const requestBodyStr = toJsonString(UnsignedRewrapRequestSchema, unsignedRequest);
+
     const jwtPayload = { requestBody: requestBodyStr };
     const signedRequestToken = await reqSignature(jwtPayload, dpopKeys.privateKey);
 

web-app/src/App.tsx

@@ -353,6 +353,7 @@ function App() {
     const client = new OpenTDF({
       authProvider: oidcClient,
       defaultCreateOptions: {
+        attributes: ['https://demo.com/attr/classification/value/secret'],
         defaultKASEndpoint: c.kas,
       },
       dpopKeys: oidcClient.getSigningKey(),
@@ -432,6 +433,7 @@ function App() {
     const client = new OpenTDF({
       authProvider: oidcClient,
       defaultReadOptions: {
+        // fulfillableObligationFQNs: ['https://demo.com/obl/drm/value/watermark'],
         allowedKASEndpoints: [c.kas],
       },
       dpopKeys: oidcClient.getSigningKey(),