fix(sdk): deserialize object statement values correctly (#219)

Some SDKs don't set assertion values as objects instead of strings so we
set them to string values when we deserialize

Also:
* encapsulate the `gson` instance that we use for `Manifest`
deserialization so that we don't have to
keep setting the options in different places
* remove the `ManifestDeserializer` since its purpose is to make the
`assertions` list non-null but since
we have encapsulated the deserialization we can set it there
* add a setting to ignore assertions in the `cmdline` app so that we can
do so in xtests

Author: mkleene

cmdline/src/main/java/io/opentdf/platform/Command.java

@@ -1,22 +1,22 @@
 package io.opentdf.platform;
 
+import com.google.gson.Gson;
 import com.google.gson.JsonSyntaxException;
 import com.nimbusds.jose.JOSEException;
-import io.opentdf.platform.sdk.*;
-import io.opentdf.platform.sdk.TDF;
+import io.opentdf.platform.sdk.AssertionConfig;
+import io.opentdf.platform.sdk.AutoConfigureException;
+import io.opentdf.platform.sdk.Config;
 import io.opentdf.platform.sdk.Config.AssertionVerificationKeys;
-
-import com.google.gson.Gson;
+import io.opentdf.platform.sdk.NanoTDF;
+import io.opentdf.platform.sdk.SDK;
+import io.opentdf.platform.sdk.SDKBuilder;
+import io.opentdf.platform.sdk.TDF;
+import nl.altindag.ssl.SSLFactory;
 import org.apache.commons.codec.DecoderException;
-import org.bouncycastle.crypto.RuntimeCryptoException;
-
 import picocli.CommandLine;
 import picocli.CommandLine.HelpCommand;
 import picocli.CommandLine.Option;
 
-import javax.crypto.BadPaddingException;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -30,14 +30,11 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.StandardOpenOption;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
+import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
-import java.security.KeyFactory;
-import java.security.PrivateKey;
 import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Base64;
@@ -47,11 +44,6 @@
 import java.util.concurrent.ExecutionException;
 import java.util.function.Consumer;
 
-import nl.altindag.ssl.SSLFactory;
-import nl.altindag.ssl.util.TrustManagerUtils;
-
-import javax.net.ssl.TrustManager;
-
 @CommandLine.Command(
     name = "tdf",
     subcommands = {HelpCommand.class},
@@ -234,12 +226,11 @@ private SDK buildSDK() {
 
     @CommandLine.Command(name = "decrypt")
     void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
+            @Option(names = { "--with-assertion-verification-disabled" }, defaultValue = "false") boolean disableAssertionVerification,
             @Option(names = { "--with-assertion-verification-keys" }, defaultValue = Option.NULL_VALUE) Optional<String> assertionVerification)
-             throws IOException,
-            InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException,
-            BadPaddingException, InvalidKeyException, TDF.FailedToCreateGMAC,
-            JOSEException, ParseException, NoSuchAlgorithmException, DecoderException {
+             throws IOException, TDF.FailedToCreateGMAC, JOSEException, ParseException, NoSuchAlgorithmException, DecoderException {
         var sdk = buildSDK();
+        var opts = new ArrayList<Consumer<Config.TDFReaderConfig>>();
         try (var in = FileChannel.open(tdfPath, StandardOpenOption.READ)) {
             try (var stdout = new BufferedOutputStream(System.out)) {
                 if (assertionVerification.isPresent()) {
@@ -269,14 +260,16 @@ void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
                             throw new RuntimeException("Error with assertion verification key: " + e.getMessage(), e);
                         }
                     }
-                    Config.TDFReaderConfig readerConfig = Config.newTDFReaderConfig(
-                        Config.withAssertionVerificationKeys(assertionVerificationKeys));
-                    var reader = new TDF().loadTDF(in, sdk.getServices().kas(), readerConfig);
-                    reader.readPayload(stdout);
-                } else {
-                    var reader = new TDF().loadTDF(in, sdk.getServices().kas());
-                    reader.readPayload(stdout);
+                    opts.add(Config.withAssertionVerificationKeys(assertionVerificationKeys));
                 }
+
+                if (disableAssertionVerification) {
+                    opts.add(Config.withDisableAssertionVerification(true));
+                }
+
+                var readerConfig = Config.newTDFReaderConfig(opts.toArray(new Consumer[0]));
+                var reader = new TDF().loadTDF(in, sdk.getServices().kas(), readerConfig);
+                reader.readPayload(stdout);
             }
         }
     }

sdk/src/main/java/io/opentdf/platform/sdk/Manifest.java

@@ -52,11 +52,15 @@ public class Manifest {
     private static final String kAssertionSignature = "assertionSig";
 
     private static final Gson gson = new GsonBuilder()
-                                        .registerTypeAdapter(Manifest.class, new ManifestDeserializer())
-                                        .create();
+            .registerTypeAdapter(AssertionConfig.Statement.class, new AssertionValueAdapter())
+            .create();
     @SerializedName(value = "schemaVersion")
     String tdfVersion;
 
+    public static String toJson(Manifest manifest) {
+        return gson.toJson(manifest);
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
@@ -318,7 +322,6 @@ static public class Assertion {
         public String appliesToState;
         public AssertionConfig.Statement statement;
         public Binding binding;
-
         static public class HashValues {
             private final String assertionHash;
             private final String signature;
@@ -467,28 +470,43 @@ private JWSVerifier createVerifier(AssertionConfig.AssertionKey assertionKey) th
         }
     }
 
-    public EncryptionInformation encryptionInformation;
-    public Payload payload;
-    public List<Assertion> assertions = new ArrayList<>();
-
-    public static class ManifestDeserializer implements JsonDeserializer<Object> {
+    public static class AssertionValueAdapter implements JsonDeserializer<AssertionConfig.Statement> {
         @Override
-        public Manifest deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context) throws JsonParseException {
-            // Let Gson handle the default deserialization of the object first
-            Manifest manifest = new Gson().fromJson(json, typeOfT);
-            // Now check if the `assertions` field is null and replace it with an empty list if necessary
-            if (manifest.assertions == null) {
-                manifest.assertions = new ArrayList<>();  // Replace null with empty list
+        public AssertionConfig.Statement deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context) throws JsonParseException {
+            if (!json.isJsonObject()) {
+                throw new IllegalArgumentException(String.format("%s is not a JSON object", AssertionConfig.Statement.class.getName()));
+            }
+            var obj = json.getAsJsonObject();
+            var statement = new AssertionConfig.Statement();
+            if (obj.has("format")) {
+                statement.format = obj.get("format").getAsString();
             }
-            return manifest;
+            if (obj.has("schema")) {
+                statement.schema = obj.get("schema").getAsString();
+            }
+            if (obj.has("value")) {
+                var value = obj.get("value");
+                if (value.isJsonPrimitive()) {
+                    // it's already a primitive (hopefully string) so we don't need its escaped value here
+                    statement.value = value.getAsString();
+                } else {
+                    statement.value = value.toString();
+                }
+            }
+            return statement;
         }
     }
 
+    public EncryptionInformation encryptionInformation;
+    public Payload payload;
+    public List<Assertion> assertions = new ArrayList<>();
     protected static Manifest readManifest(Reader reader) {
         Manifest result = gson.fromJson(reader, Manifest.class);
-        if (result == null) {
-            throw new IllegalArgumentException("Manifest is null");
-        } else if (result.payload == null) {
+        if (result.assertions == null) {
+            result.assertions = new ArrayList<>();
+        }
+
+        if (result.payload == null) {
             throw new IllegalArgumentException("Manifest with null payload");
         } else if (result.encryptionInformation == null) {
             throw new IllegalArgumentException("Manifest with null encryptionInformation");

sdk/src/main/java/io/opentdf/platform/sdk/TDF.java

@@ -7,13 +7,11 @@
 import io.opentdf.platform.policy.Value;
 import io.opentdf.platform.policy.attributes.AttributesServiceGrpc.AttributesServiceFutureStub;
 import io.opentdf.platform.sdk.Config.TDFConfig;
-import io.opentdf.platform.sdk.Manifest.ManifestDeserializer;
 import io.opentdf.platform.sdk.Autoconfigure.AttributeValueFQN;
 import io.opentdf.platform.sdk.Config.KASInfo;
 
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Hex;
-import org.erdtman.jcs.JsonCanonicalizer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -79,9 +77,7 @@ public TDF() {
 
     private static final SecureRandom sRandom = new SecureRandom();
 
-    private static final Gson gson = new GsonBuilder()
-                                        .registerTypeAdapter(Manifest.class, new ManifestDeserializer())
-                                        .create();
+    private static final Gson gson = new GsonBuilder().create();
 
     public class SplitKeyException extends IOException {
         public SplitKeyException(String errorMessage) {
@@ -561,7 +557,7 @@ public TDFObject createTDF(InputStream payload,
         }
 
         tdfObject.manifest.assertions = signedAssertions;
-        String manifestAsStr = gson.toJson(tdfObject.manifest);
+        String manifestAsStr = Manifest.toJson(tdfObject.manifest);
 
         tdfWriter.appendManifest(manifestAsStr);
         tdfObject.size = tdfWriter.finish();

sdk/src/test/java/io/opentdf/platform/sdk/ManifestTest.java

@@ -1,17 +1,15 @@
 package io.opentdf.platform.sdk;
 
-import org.junit.jupiter.api.Test;
 import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
-
-import io.opentdf.platform.sdk.Manifest.ManifestDeserializer;
+import org.junit.jupiter.api.Test;
 
-import java.nio.charset.Charset;
-import java.nio.charset.StandardCharsets;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.StringReader;
 import java.util.List;
 import java.util.Map;
 
-import static org.junit.Assert.assertNotNull;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 public class ManifestTest {
@@ -64,15 +62,11 @@ void testManifestMarshalAndUnMarshal() {
                 "  }\n" +
                 "}";
 
-        GsonBuilder gsonBuilder = new GsonBuilder();
-        Gson gson = gsonBuilder.setPrettyPrinting()
-                        .registerTypeAdapter(Manifest.class, new ManifestDeserializer())
-                        .create();
-        Manifest manifest = gson.fromJson(kManifestJsonFromTDF, Manifest.class);
+        Manifest manifest = Manifest.readManifest(new StringReader(kManifestJsonFromTDF));
 
         // Test payload
         assertEquals(manifest.payload.url, "0.payload");
-        assertEquals(manifest.payload.isEncrypted, true);
+        assertThat(manifest.payload.isEncrypted).isTrue();
 
         // Test encryptionInformation
         assertEquals(manifest.encryptionInformation.keyAccessType, "split");
@@ -90,8 +84,8 @@ void testManifestMarshalAndUnMarshal() {
         assertEquals(manifest.encryptionInformation.integrityInformation.segmentHashAlg, "GMAC");
         assertEquals(manifest.encryptionInformation.integrityInformation.segments.get(0).segmentSize, 1048576);
 
-        var serialized = gson.toJson(manifest);
-        var deserializedAgain = gson.fromJson(serialized, Manifest.class);
+        var serialized = Manifest.toJson(manifest);
+        var deserializedAgain = Manifest.readManifest(new StringReader(serialized));
 
         assertEquals(manifest, deserializedAgain, "something changed when we deserialized -> serialized -> deserialized");
     }
@@ -146,18 +140,43 @@ void testAssertionNull() {
                 "   \"assertions\": null\n"+
                 "}";
 
-        GsonBuilder gsonBuilder = new GsonBuilder();
-        Gson gson = gsonBuilder.setPrettyPrinting()
-                        .registerTypeAdapter(Manifest.class, new ManifestDeserializer())
-                        .create();
-        Manifest manifest = gson.fromJson(kManifestJsonFromTDF, Manifest.class);
+        Manifest manifest = Manifest.readManifest(new StringReader(kManifestJsonFromTDF));
 
         // Test payload for sanity check
         assertEquals(manifest.payload.url, "0.payload");
-        assertEquals(manifest.payload.isEncrypted, true);
+        assertThat(manifest.payload.isEncrypted).isTrue();
         // Test assertion deserialization
-        assertNotNull(manifest.assertions);
+        assertThat(manifest.assertions).isNotNull();
         assertEquals(manifest.assertions.size(), 0);
+    }
+
+    @Test
+    void testReadingManifestWithObjectStatementValue() throws IOException {
+        final Manifest manifest;
+        try (var mStream = getClass().getResourceAsStream("/io.opentdf.platform.sdk.TestData/manifest-with-object-statement-value.json")) {
+            assert mStream != null;
+            manifest = Manifest.readManifest(new InputStreamReader(mStream)) ;
+        }
+
+        assertThat(manifest.assertions).hasSize(2);
 
+        var statementValStr = manifest.assertions.get(0).statement.value;
+        var statementVal = new Gson().fromJson(statementValStr, Map.class);
+        assertThat(statementVal).isEqualTo(
+                Map.of("ocl",
+                        Map.of("pol", "2ccf11cb-6c9a-4e49-9746-a7f0a295945d",
+                                "cls", "SECRET",
+                                "catl", List.of(
+                                        Map.of(
+                                                "type", "P",
+                                                "name", "Releasable To",
+                                                "vals", List.of("usa")
+                                        )
+                                ),
+                                "dcr", "2024-12-17T13:00:52Z"
+                                ),
+                        "context", Map.of("@base", "urn:nato:stanag:5636:A:1:elements:json")
+                        )
+        );
     }
 }

sdk/src/test/java/io/opentdf/platform/sdk/ZipReaderTest.java

@@ -1,8 +1,6 @@
 package io.opentdf.platform.sdk;
-import com.google.gson.GsonBuilder;
-
-import io.opentdf.platform.sdk.Manifest.ManifestDeserializer;
 
+import com.google.gson.Gson;
 import org.apache.commons.compress.archivers.zip.Zip64Mode;
 import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
 import org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream;
@@ -22,9 +20,6 @@
 import java.util.stream.IntStream;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
 
 public class ZipReaderTest {
 
@@ -47,9 +42,7 @@ protected static void testReadingZipChannel(SeekableByteChannel fileChannel, boo
             if (entry.getName().endsWith(".json")) {
                 entry.getData().transferTo(stream);
                 var data = stream.toString(StandardCharsets.UTF_8);
-                var gson = new GsonBuilder()
-                                    .registerTypeAdapter(Manifest.class, new ManifestDeserializer())
-                                    .create();
+                var gson = new Gson();
                 var map = gson.fromJson(data, Map.class);
 
                 if (test) {