fix(nano): Allow padding of kids (#338)

* fix(nano): Allow padding of kids

also does a refactor: parse should take a buffer; constructor should take the types

Still a lot of code duplication. Arguably these both should be static methods that call a hidden constructor

* prettier

* Update package.json

* more error tests; simplified construction

* sonarcloud suggestions

* Update ResourceLocator.test.ts

* more error condition tests

* Update ResourceLocator.test.ts

* fixup: names

Author: dmihalcik-virtru

lib/package.json

@@ -55,7 +55,7 @@
     "test": "npm run build && npm run test:with-server",
     "test:with-server": "node dist/web/tests/server.js & trap \"node dist/web/tests/stopServer.js\" EXIT; npm run test:mocha && npm run test:wtr && npm run test:browser && npm run coverage:merge",
     "test:browser": "npx webpack --config webpack.test.config.cjs && npx karma start karma.conf.cjs",
-    "test:mocha": "c8 --exclude=\"dist/web/tests/\" --exclude=\"dist/web/tdf3/src/utils/aws-lib-storage/\"  --exclude=\"dist/web/tests/**/*\" --report-dir=./coverage/mocha mocha 'dist/web/tests/mocha/**/*.spec.js' --file dist/web/tests/mocha/setup.js && npx c8 report --reporter=json --report-dir=./coverage/mocha",
+    "test:mocha": "c8 --exclude=\"dist/web/tests/**/*\" --report-dir=./coverage/mocha mocha 'dist/web/tests/mocha/**/*.spec.js' --file dist/web/tests/mocha/setup.js && npx c8 report --reporter=json --report-dir=./coverage/mocha",
     "test:wtr": "web-test-runner",
     "watch": "(trap 'kill 0' SIGINT; npm run build && (npm run build:watch & npm run test -- --watch))"
   },

lib/src/access.ts

@@ -75,7 +75,6 @@ export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKe
         `unable to load KAS public key from [${pkUrlV2}]. Received [${kasPubKeyResponse.status}:${kasPubKeyResponse.statusText}]`
       );
     }
-    console.log('falling back to v1 key');
     // most likely a server that does not implement v2 endpoint, so no key identifier
     const pkUrlV1 = `${kasEndpoint}/kas_public_key?algorithm=ec:secp256r1`;
     const r2 = await fetch(pkUrlV1);
@@ -85,7 +84,6 @@ export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKe
       );
     }
     const pem = await r2.json();
-    console.log('pem returned', pem);
     return {
       key: pemToCryptoPublicKey(pem),
       publicKey: pem,

lib/src/nanotdf/encrypt.ts

@@ -45,12 +45,7 @@ export default async function encrypt(
   );
 
   // Construct the kas locator
-  let kasResourceLocator;
-  if (kasInfo.kid) {
-    kasResourceLocator = ResourceLocator.parse(kasInfo.url, kasInfo.kid);
-  } else {
-    kasResourceLocator = ResourceLocator.parse(kasInfo.url);
-  }
+  const kasResourceLocator = ResourceLocator.fromURL(kasInfo.url, kasInfo.kid);
 
   // Auth tag length for policy and payload
   const authTagLengthInBytes = authTagLengthForCipher(DefaultParams.symmetricCipher) / 8;

lib/src/nanotdf/models/Header.ts

@@ -11,6 +11,7 @@ import CurveNameEnum from '../enum/CurveNameEnum.js';
 import { lengthOfPublicKey } from '../helpers/calculateByCurve.js';
 import DefaultParams from './DefaultParams.js';
 import { InvalidEphemeralKeyError } from '../../errors.js';
+import { rstrip } from '../../utils.js';
 
 /**
  * NanoTDF Header
@@ -95,7 +96,7 @@ export default class Header {
      * @link https://github.com/virtru/nanotdf/blob/master/spec/index.md#3312-kas
      * @link https://github.com/virtru/nanotdf/blob/master/spec/index.md#341-resource-locator
      */
-    const kas = new ResourceLocator(buff.subarray(offset));
+    const kas = ResourceLocator.parse(buff.subarray(offset));
     offset += kas.length;
 
     /**
@@ -313,7 +314,7 @@ export default class Header {
    */
   getKasRewrapUrl(): string {
     try {
-      return `${this.kas.getUrl()}/v2/rewrap`;
+      return `${rstrip(this.kas.url, '/')}/v2/rewrap`;
     } catch (e) {
       throw new Error(`Cannot construct KAS Rewrap URL: ${e.message}`);
     }

lib/src/nanotdf/models/Policy/RemotePolicy.ts

@@ -18,7 +18,7 @@ class RemotePolicy extends AbstractPolicy implements RemotePolicyInterface {
     useEcdsaBinding: boolean
   ): { offset: number; policy: RemotePolicy } {
     let offset = 0;
-    const resource = new ResourceLocator(buff);
+    const resource = ResourceLocator.parse(buff);
     offset += resource.offset;
 
     const { binding, newOffset: bindingOffset } = this.parseBinding(buff, useEcdsaBinding, offset);

lib/src/nanotdf/models/ResourceLocator.ts

@@ -17,13 +17,6 @@ import ResourceLocatorIdentifierEnum from '../enum/ResourceLocatorIdentifierEnum
  * @link https://github.com/virtru/nanotdf/blob/master/spec/index.md#341-resource-locator
  */
 export default class ResourceLocator {
-  readonly protocol: ProtocolEnum;
-  readonly lengthOfBody: number;
-  readonly body: string;
-  readonly identifier: string;
-  readonly identifierType: ResourceLocatorIdentifierEnum = ResourceLocatorIdentifierEnum.None;
-  readonly offset: number = 0;
-
   static readonly PROTOCOL_OFFSET = 0;
   static readonly PROTOCOL_LENGTH = 1;
   static readonly LENGTH_OFFSET = 1;
@@ -34,100 +27,121 @@ export default class ResourceLocator {
   static readonly IDENTIFIER_8_BYTE: number = 2 << 4; // 32
   static readonly IDENTIFIER_32_BYTE: number = 3 << 4; // 48
 
-  static parse(url: string, identifier: string = ''): ResourceLocator {
-    const [protocol, body] = url.split('://');
+  constructor(
+    readonly protocol: ProtocolEnum,
+    readonly lengthOfBody: number,
+    readonly body: string,
+    readonly offset: number,
+    readonly id?: string,
+    readonly idType: ResourceLocatorIdentifierEnum = ResourceLocatorIdentifierEnum.None
+  ) {}
+
+  static fromURL(url: string, identifier?: string): ResourceLocator {
+    const [protocolStr, body] = url.split('://');
+
+    let protocol: ProtocolEnum;
 
     // Validate and set protocol identifier byte
-    const protocolIdentifierByte = new Uint8Array(1);
-    switch (protocol.toLowerCase()) {
+    switch (protocolStr.toLowerCase()) {
       case 'http':
-        protocolIdentifierByte[0] = 0x00;
+        protocol = ProtocolEnum.Http;
         break;
       case 'https':
-        protocolIdentifierByte[0] = 0x01;
+        protocol = ProtocolEnum.Https;
         break;
       default:
-        throw new Error('resource locator protocol unsupported');
+        throw new Error(`resource locator protocol [${protocolStr}] unsupported`);
     }
 
     // Set identifier padded length and protocol identifier byte
-    const identifierPaddedLength = (() => {
-      switch (identifier.length) {
-        case 0:
-          protocolIdentifierByte[0] |= ResourceLocator.IDENTIFIER_0_BYTE;
-          return ResourceLocatorIdentifierEnum.None.valueOf();
-        case 2:
-          protocolIdentifierByte[0] |= ResourceLocator.IDENTIFIER_2_BYTE;
-          return ResourceLocatorIdentifierEnum.TwoBytes.valueOf();
-        case 8:
-          protocolIdentifierByte[0] |= ResourceLocator.IDENTIFIER_8_BYTE;
-          return ResourceLocatorIdentifierEnum.EightBytes.valueOf();
-        case 32:
-          protocolIdentifierByte[0] |= ResourceLocator.IDENTIFIER_32_BYTE;
-          return ResourceLocatorIdentifierEnum.ThirtyTwoBytes.valueOf();
-        default:
-          throw new Error(`Unsupported identifier length: ${identifier.length}`);
+    const identifierType = (() => {
+      if (!identifier) {
+        return ResourceLocatorIdentifierEnum.None;
+      }
+      const identifierLength = new TextEncoder().encode(identifier).length;
+      if (identifierLength <= 2) {
+        return ResourceLocatorIdentifierEnum.TwoBytes;
+      } else if (identifierLength <= 8) {
+        return ResourceLocatorIdentifierEnum.EightBytes;
+      } else if (identifierLength <= 32) {
+        return ResourceLocatorIdentifierEnum.ThirtyTwoBytes;
       }
+      throw new Error(`unsupported identifier length: ${identifier.length}`);
     })();
 
     // Create buffer to hold protocol, body length, body, and identifier
-    const bodyBytes = new TextEncoder().encode(body);
-    const buffer = new Uint8Array(1 + 1 + bodyBytes.length + identifierPaddedLength);
-
-    // Set the protocol, body length, body and identifier into buffer
-    buffer.set(protocolIdentifierByte, 0);
-    buffer.set([bodyBytes.length], 1);
-    buffer.set(bodyBytes, 2);
-
-    if (identifierPaddedLength > 0) {
-      const identifierBytes = new TextEncoder()
-        .encode(identifier)
-        .subarray(0, identifierPaddedLength);
-      buffer.set(identifierBytes, 2 + bodyBytes.length);
+    const lengthOfBody = new TextEncoder().encode(body).length;
+    if (lengthOfBody == 0) {
+      throw new Error('url body empty');
     }
-
-    return new ResourceLocator(buffer);
+    const identifierLength = identifierType.valueOf();
+    const offset = ResourceLocator.BODY_OFFSET + lengthOfBody + identifierLength;
+    return new ResourceLocator(protocol, lengthOfBody, body, offset, identifier, identifierType);
   }
 
-  constructor(buff: Uint8Array) {
+  static parse(buff: Uint8Array) {
     // Protocol
-    this.protocol = buff[ResourceLocator.PROTOCOL_OFFSET];
+    const protocolAndIdentifierType = buff[ResourceLocator.PROTOCOL_OFFSET];
     // Length of body
-    this.lengthOfBody = buff[ResourceLocator.LENGTH_OFFSET];
+    const lengthOfBody = buff[ResourceLocator.LENGTH_OFFSET];
+    if (lengthOfBody == 0) {
+      throw new Error('url body empty');
+    }
     // Body as utf8 string
     const decoder = new TextDecoder();
-    this.body = decoder.decode(
-      buff.subarray(ResourceLocator.BODY_OFFSET, ResourceLocator.BODY_OFFSET + this.lengthOfBody)
-    );
+    let offset = ResourceLocator.BODY_OFFSET + lengthOfBody;
+    if (offset > buff.length) {
+      throw new Error('parse out of bounds error');
+    }
+    const body = decoder.decode(buff.subarray(ResourceLocator.BODY_OFFSET, offset));
+    const protocol = protocolAndIdentifierType & 0xf;
+    switch (protocol) {
+      case ProtocolEnum.Http:
+      case ProtocolEnum.Https:
+        break;
+      default:
+        throw new Error(`unsupported protocol type [${protocol}]`);
+    }
     // identifier
-    const identifierTypeNibble = this.protocol & 0xf0;
+    const identifierTypeNibble = protocolAndIdentifierType & 0xf0;
+    let identifierType = ResourceLocatorIdentifierEnum.None;
     if (identifierTypeNibble === ResourceLocator.IDENTIFIER_2_BYTE) {
-      this.identifierType = ResourceLocatorIdentifierEnum.TwoBytes;
+      identifierType = ResourceLocatorIdentifierEnum.TwoBytes;
     } else if (identifierTypeNibble === ResourceLocator.IDENTIFIER_8_BYTE) {
-      this.identifierType = ResourceLocatorIdentifierEnum.EightBytes;
+      identifierType = ResourceLocatorIdentifierEnum.EightBytes;
     } else if (identifierTypeNibble === ResourceLocator.IDENTIFIER_32_BYTE) {
-      this.identifierType = ResourceLocatorIdentifierEnum.ThirtyTwoBytes;
+      identifierType = ResourceLocatorIdentifierEnum.ThirtyTwoBytes;
+    } else if (identifierTypeNibble !== ResourceLocator.IDENTIFIER_0_BYTE) {
+      throw new Error(`unsupported key identifier type [${identifierTypeNibble}]`);
     }
-    switch (this.identifierType) {
+
+    let identifier: string | undefined = undefined;
+
+    switch (identifierType) {
       case ResourceLocatorIdentifierEnum.None:
         // noop
         break;
       case ResourceLocatorIdentifierEnum.TwoBytes:
       case ResourceLocatorIdentifierEnum.EightBytes:
-      case ResourceLocatorIdentifierEnum.ThirtyTwoBytes:
-        const start = ResourceLocator.BODY_OFFSET + this.lengthOfBody;
-        const end = start + this.identifierType.valueOf();
-        const subarray = buff.subarray(start, end);
+      case ResourceLocatorIdentifierEnum.ThirtyTwoBytes: {
+        const kidStart = offset;
+        offset = kidStart + identifierType.valueOf();
+        if (offset > buff.length) {
+          throw new Error('parse out of bounds error');
+        }
+        const kidSubarray = buff.subarray(kidStart, offset);
         // Remove padding (assuming the padding is null bytes, 0x00)
-        const trimmedSubarray = subarray.filter((byte) => byte !== 0x00);
-        this.identifier = decoder.decode(trimmedSubarray);
+        const zeroIndex = kidSubarray.indexOf(0);
+        if (zeroIndex >= 0) {
+          const trimmedSubarray = kidSubarray.subarray(0, zeroIndex);
+          identifier = decoder.decode(trimmedSubarray);
+        } else {
+          identifier = decoder.decode(kidSubarray);
+        }
         break;
+      }
     }
-    this.offset =
-      ResourceLocator.PROTOCOL_LENGTH +
-      ResourceLocator.LENGTH_LENGTH +
-      this.lengthOfBody +
-      this.identifierType.valueOf();
+    return new ResourceLocator(protocol, lengthOfBody, body, offset, identifier, identifierType);
   }
 
   /**
@@ -136,20 +150,11 @@ export default class ResourceLocator {
    * @returns { number } Length of resource locator
    */
   get length(): number {
-    return (
-      // Protocol
-      1 +
-      // Length of the body( 1 byte)
-      1 +
-      // Content length
-      this.body.length +
-      // Identifier length
-      this.identifierType.valueOf()
-    );
+    return this.offset;
   }
 
   get url(): string | never {
-    switch (this.protocol & 0xf) {
+    switch (this.protocol) {
       case ProtocolEnum.Http:
         return 'http://' + this.body;
       case ProtocolEnum.Https:
@@ -163,33 +168,26 @@ export default class ResourceLocator {
    * Return the contents of the Resource Locator in buffer
    */
   toBuffer(): Uint8Array {
-    const buffer = new Uint8Array(2 + this.body.length + this.identifierType.valueOf());
-    buffer.set([this.protocol], 0);
-    buffer.set([this.lengthOfBody], 1);
-    buffer.set(new TextEncoder().encode(this.body), 2);
-    if (this.identifier) {
-      buffer.set(new TextEncoder().encode(this.identifier), 2 + this.body.length);
+    const buffer = new Uint8Array(ResourceLocator.BODY_OFFSET + this.body.length + this.idType);
+    let idTypeNibble = 0;
+    switch (this.idType) {
+      case ResourceLocatorIdentifierEnum.TwoBytes:
+        idTypeNibble = ResourceLocator.IDENTIFIER_2_BYTE;
+        break;
+      case ResourceLocatorIdentifierEnum.EightBytes:
+        idTypeNibble = ResourceLocator.IDENTIFIER_8_BYTE;
+        break;
+      case ResourceLocatorIdentifierEnum.ThirtyTwoBytes:
+        idTypeNibble = ResourceLocator.IDENTIFIER_32_BYTE;
+        break;
     }
-    return buffer;
-  }
-
-  /**
-   * Get URL
-   *
-   * Construct URL from ResourceLocator or throw error
-   */
-  getUrl(): string | never {
-    let protocol: string;
-    // protocolIndex get the first four bits
-    const protocolIndex: number = this.protocol & 0xf;
-    if (protocolIndex === ProtocolEnum.Http) {
-      protocol = 'http';
-    } else if (protocolIndex === ProtocolEnum.Https) {
-      protocol = 'https';
-    } else {
-      throw new Error(`Cannot create URL from protocol, "${ProtocolEnum[this.protocol]}"`);
+    buffer.set([this.protocol | idTypeNibble], ResourceLocator.PROTOCOL_OFFSET);
+    buffer.set([this.lengthOfBody], ResourceLocator.LENGTH_OFFSET);
+    buffer.set(new TextEncoder().encode(this.body), ResourceLocator.BODY_OFFSET);
+    if (this.id) {
+      buffer.set(new TextEncoder().encode(this.id), ResourceLocator.BODY_OFFSET + this.body.length);
     }
-    return `${protocol}://${this.body}`;
+    return buffer;
   }
 
   /**
@@ -198,7 +196,7 @@ export default class ResourceLocator {
    * Returns the identifier of the ResourceLocator or an empty string if no identifier is present.
    * @returns { string } Identifier of the resource locator.
    */
-  getIdentifier(): string {
-    return this.identifier || '';
+  get identifier(): string {
+    return this.id ?? '';
   }
 }

lib/tests/web/nano-roundtrip.test.ts

@@ -23,8 +23,10 @@ describe('Local roundtrip Tests', () => {
     const cipherText = await client.encrypt('hello world');
     const client2 = new NanoTDFClient({ authProvider, kasEndpoint });
     const nanotdfParsed = NanoTDF.from(cipherText);
+
     expect(nanotdfParsed.header.kas.url).to.equal(kasEndpoint);
-    expect(nanotdfParsed.header.kas.getIdentifier()).to.equal('e1');
+    expect(nanotdfParsed.header.kas.identifier).to.equal('e1');
+
     const actual = await client2.decrypt(cipherText);
     expect(new TextDecoder().decode(actual)).to.be.equal('hello world');
   });