fixes for subtle crypto, serialization issues

.github/workflows/roundtrip/Tiltfile

@@ -1,7 +1,7 @@
 load("ext://helm_remote", "helm_remote")
 load("ext://helm_resource", "helm_resource", "helm_repo")
 
-BACKEND_CHART_TAG = "1.6.0"
+BACKEND_CHART_TAG = "0.0.0-sha-dbfcea7"
 
 EXTERNAL_URL = os.getenv("OPENTDF_EXTERNAL_URL", "http://localhost:65432")
 INGRESS_HOST_PORT = os.getenv("OPENTDF_INGRESS_HOST_PORT", "65432")

README.md

@@ -28,9 +28,6 @@ Start a local, blank cluster. See [Integrate](https://github.com/opentdf/opentdf
   const cipherText = await client.encrypt(plainText);
   const clearText = await client.decrypt(cipherText);
 ```
-### Examples
-
-Review examples to see how to integrate. See [Examples](https://github.com/opentdf/opentdf/tree/main/examples)
 
 ## Distribute
 
@@ -58,3 +55,4 @@ nvm use
 make test
 make start
 ```
+

lib/src/auth/oidc.ts

@@ -1,5 +1,6 @@
 import { default as dpopFn } from 'dpop';
 import { HttpRequest, withHeaders } from './auth.js';
+import { base64 } from '../encodings/index.js';
 import { IllegalArgumentError } from '../errors.js';
 import { cryptoPublicToPem, rstrip } from '../utils.js';
 
@@ -149,7 +150,7 @@ export class AccessToken {
       throw new IllegalArgumentError('No signature configured');
     }
     const clientPubKey = await cryptoPublicToPem(this.signingKey.publicKey);
-    headers['X-VirtruPubKey'] = clientPubKey;
+    headers['X-VirtruPubKey'] = base64.encode(clientPubKey);
     headers.DPoP = await dpopFn(this.signingKey, url, 'POST');
     return (this.request || fetch)(url, {
       method: 'POST',

lib/tdf3/src/client/index.ts

@@ -165,7 +165,7 @@ export async function createSessionKeys({
   if (dpopKeys) {
     signingKeys = await dpopKeys;
   } else {
-    const keys = await cryptoService.generateKeyPair();
+    const keys = await cryptoService.generateSigningKeyPair();
     // signingKeys = await crypto.subtle.generateKey(rsaPkcs1Sha256(), true, ['sign']);
     signingKeys = await toCryptoKeyPair(keys);
   }

lib/tdf3/src/crypto/declarations.ts

@@ -75,6 +75,8 @@ export type CryptoService = {
    */
   generateKeyPair: (size?: number) => Promise<AnyKeyPair>;
 
+  generateSigningKeyPair: () => Promise<AnyKeyPair>;
+
   /**
    * Create an HMAC SHA256 hash
    */

lib/tdf3/src/crypto/index.ts

@@ -83,6 +83,23 @@ export async function generateKeyPair(size?: number): Promise<CryptoKeyPair> {
   return crypto.subtle.generateKey(algoDomString, true, METHODS);
 }
 
+/**
+ * Generate an RSA key pair suitable for signatures
+ * @see    {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey}
+ */
+export async function generateSigningKeyPair(): Promise<CryptoKeyPair> {
+  return crypto.subtle.generateKey(
+    {
+      name: 'RSASSA-PKCS1-v1_5',
+      hash: 'SHA-256',
+      modulusLength: 2048,
+      publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    },
+    true,
+    ['sign', 'verify']
+  );
+}
+
 export async function cryptoToPemPair(keysMaybe: unknown): Promise<PemKeyPair> {
   const keys = keysMaybe as CryptoKeyPair;
   if (!keys.privateKey || !keys.publicKey) {
@@ -374,6 +391,7 @@ export const DefaultCryptoService: CryptoService = {
   generateInitializationVector,
   generateKey,
   generateKeyPair,
+  generateSigningKeyPair,
   hmac,
   randomBytes,
   sha256,

lib/tests/mocha/unit/crypto-di.spec.ts

@@ -52,6 +52,9 @@ describe('CryptoService DI', () => {
       generateKeyPair: function (size?: number | undefined): Promise<CryptoKeyPair> {
         throw new Error('Function not implemented.');
       },
+      generateSigningKeyPair: function (): Promise<CryptoKeyPair> {
+        throw new Error('Function not implemented.');
+      },
       hmac: function (key: string, content: string): Promise<string> {
         throw new Error('Function not implemented.');
       },