v1 backwards compatability

Author: elizabethhealy

lib/src/nanotdf/Client.ts

@@ -18,6 +18,7 @@ import {
   cryptoPublicToPem,
   getRequiredObligationFQNs,
   pemToCryptoPublicKey,
+  upgradeRewrapResponseV1,
   validateSecureUrl,
 } from '../utils.js';
 
@@ -282,6 +283,13 @@ export default class Client {
           algorithm: DefaultParams.defaultECAlgorithm,
         }),
       ],
+      keyAccess: {
+        header: new Uint8Array(nanoTdfHeader),
+        kasUrl: '',
+        protocol: Client.KAS_PROTOCOL,
+        keyType: Client.KEY_ACCESS_REMOTE,
+      },
+      algorithm: DefaultParams.defaultECAlgorithm,
     });
 
     const requestBodyStr = toJsonString(UnsignedRewrapRequestSchema, unsignedRequest);
@@ -299,6 +307,7 @@ export default class Client {
       this.authProvider,
       this.fulfillableObligationFQNs
     );
+    upgradeRewrapResponseV1(rewrapResp);
 
     // Assume only one response and one result for now (V1 style)
     const result = rewrapResp.responses[0].results[0];

lib/src/utils.ts

@@ -3,7 +3,12 @@ import { exportSPKI, importX509 } from 'jose';
 import { base64 } from './encodings/index.js';
 import { pemCertToCrypto, pemPublicToCrypto } from './nanotdf-crypto/pemPublicToCrypto.js';
 import { ConfigurationError } from './errors.js';
-import { RewrapResponse } from './platform/kas/kas_pb.js';
+import {
+  RewrapResponse,
+  PolicyRewrapResultSchema,
+  KeyAccessRewrapResultSchema,
+} from './platform/kas/kas_pb.js';
+import { create } from '@bufbuild/protobuf';
 import { ConnectError } from '@connectrpc/connect';
 
 const REQUIRED_OBLIGATIONS_METADATA_KEY = 'X-Required-Obligations';
@@ -255,3 +260,31 @@ export function getRequiredObligationFQNs(response: RewrapResponse) {
 
   return [...requiredObligations.values()];
 }
+
+/**
+ * Upgrades a RewrapResponse from v1 format to v2.
+ */
+export function upgradeRewrapResponseV1(response: RewrapResponse) {
+  if (response.responses.length > 0) {
+    return;
+  }
+  if (response.entityWrappedKey.length === 0) {
+    return;
+  }
+
+  response.responses = [
+    create(PolicyRewrapResultSchema, {
+      policyId: 'policy',
+      results: [
+        create(KeyAccessRewrapResultSchema, {
+          keyAccessObjectId: 'kao-0',
+          status: 'permit',
+          result: {
+            case: 'kasWrappedKey',
+            value: response.entityWrappedKey,
+          },
+        }),
+      ],
+    }),
+  ];
+}

lib/tdf3/src/tdf.ts

@@ -63,7 +63,7 @@ import { ZipReader, ZipWriter, keyMerge, concatUint8, buffToString } from './uti
 import { CentralDirectory } from './utils/zip-reader.js';
 import { ztdfSalt } from './crypto/salt.js';
 import { Payload } from './models/payload.js';
-import { getRequiredObligationFQNs } from '../../src/utils.js';
+import { getRequiredObligationFQNs, upgradeRewrapResponseV1 } from '../../src/utils.js';
 
 // TODO: input validation on manifest JSON
 const DEFAULT_SEGMENT_SIZE = 1024 * 1024;
@@ -822,6 +822,10 @@ async function unwrapKey({
           }),
         }),
       ],
+      // include deprecated fields for backward compatibility
+      algorithm: 'RS256',
+      keyAccess: keyAccessProto,
+      policy: manifest.encryptionInformation.policy,
     });
 
     const requestBodyStr = toJsonString(UnsignedRewrapRequestSchema, unsignedRequest);
@@ -835,6 +839,7 @@ async function unwrapKey({
       authProvider,
       fulfillableObligations
     );
+    upgradeRewrapResponseV1(rewrapResp);
     const { sessionPublicKey } = rewrapResp;
     const requiredObligations = getRequiredObligationFQNs(rewrapResp);
     // Assume only one response and one result for now (V1 style)