opentdf · elizabethhealy · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024
@@ -22,6 +22,8 @@ import { webcrypto } from 'crypto';
 import * as assertions from '@opentdf/sdk/assertions';
 import { attributeFQNsAsValues } from '@opentdf/sdk/nano';
 import { base64 } from '@opentdf/sdk/encodings';
+import { importPKCS8, importSPKI, KeyLike } from 'jose'; // for RS256
+import { TextEncoder } from 'util'; // for HS256
 
 type AuthToProcess = {
   auth?: string;
@@ -120,11 +122,53 @@ function addParams(client: AnyNanoClient, argv: Partial<mainArgs>) {
   log('SILLY', `Built encrypt params dissems: ${client.dissems}, attrs: ${client.dataAttributes}`);
 }
 
+async function parseAssertionVerificationKeys(
+  s: string
+): Promise<assertions.AssertionVerificationKeys> {
+  const u = JSON.parse(s);
+  if (typeof u !== 'object' || u === null) {
+    throw new Error('Invalid input: The input must be an object');
+  }
+  // handle both cases of "keys"
+  if (!('Keys' in u && typeof u.Keys === 'object')) {
+    if ('keys' in u && typeof u.keys === 'object') {
+      u.Keys = u.keys;
+    } else {
+      throw new Error('Invalid input: invalid structure of assertionVerificationKeys');
+    }
+  }
+  for (const assertionName in u.Keys) {
+    const assertionKey = u.Keys[assertionName];
+    // Ensure each entry has the required 'key' and 'alg' fields
+    if (typeof assertionKey !== 'object' || assertionKey === null) {
+      throw new CLIError('CRITICAL', `Invalid assertion for ${assertionName}: Must be an object`);
+    }
+
+    if (typeof assertionKey.key !== 'string' || typeof assertionKey.alg !== 'string') {
+      throw new CLIError(
+        'CRITICAL',
+        `Invalid assertion for ${assertionName}: Missing or invalid 'key' or 'alg'`
+      );
+    }
+    try {
+      u.Keys[assertionName].key = await correctAssertionKeys(assertionKey.alg, assertionKey.key);
+    } catch (err) {
+      throw new CLIError('CRITICAL', `Issue converting assertion key from string: ${err.message}`);
+    }
+  }
+  return u;
+}
+
 async function tdf3DecryptParamsFor(argv: Partial<mainArgs>): Promise<DecryptParams> {
   const c = new DecryptParamsBuilder();
   if (argv.noVerifyAssertions) {
     c.withNoVerifyAssertions(true);
   }
+  if (argv.assertionVerificationKeys) {
+    c.withAssertionVerificaitonKeys(
+      await parseAssertionVerificationKeys(argv.assertionVerificationKeys)
+    );
+  }
   if (argv.concurrencyLimit) {
     c.withConcurrencyLimit(argv.concurrencyLimit);
   } else {
@@ -134,25 +178,67 @@ async function tdf3DecryptParamsFor(argv: Partial<mainArgs>): Promise<DecryptPar
   return c.build();
 }
 
-function parseAssertionConfig(s: string): assertions.AssertionConfig[] {
+async function correctAssertionKeys(
+  alg: string,
+  key: KeyLike | Uint8Array
+): Promise<KeyLike | Uint8Array> {
+  if (alg === 'HS256') {
+    // Convert key string to Uint8Array
+    if (typeof key !== 'string') {
+      throw new CLIError('CRITICAL', 'HS256 key must be a string');
+    }
+    return new TextEncoder().encode(key); // Update array element directly
+  } else if (alg === 'RS256') {
+    // Convert PEM string to a KeyLike object
+    if (typeof key !== 'string') {
+      throw new CLIError('CRITICAL', 'RS256 key must be a PEM string');
+    }
+    try {
+      return await importPKCS8(key, 'RS256'); // Import private key
+    } catch (err) {
+      // If importing as a private key fails, try importing as a public key
+      try {
+        return await importSPKI(key, 'RS256'); // Import public key
+      } catch (err) {
+        throw new CLIError('CRITICAL', `Failed to parse RS256 key: ${err.message}`);
+      }
+    }
+  }
+  // Otherwise its an unsupported alg
+  throw new CLIError('CRITICAL', `Unsupported signing key algorithm: ${alg}`); // Handle unsupported algs
+}
+
+async function parseAssertionConfig(s: string): Promise<assertions.AssertionConfig[]> {
   const u = JSON.parse(s);
   // if u is null or empty, return an empty array
   if (!u) {
     return [];
   }
   const a = Array.isArray(u) ? u : [u];
-  for (const assertion of a) {
+  for (let i = 0; i < a.length; i++) {
+    const assertion = a[i];
     if (!assertions.isAssertionConfig(assertion)) {
       throw new CLIError('CRITICAL', `invalid assertion config ${JSON.stringify(assertion)}`);
     }
+    if (assertion.signingKey) {
+      const { alg, key } = assertion.signingKey;
+      try {
+        a[i].signingKey.key = await correctAssertionKeys(alg, key);
+      } catch (err) {
+        throw new CLIError(
+          'CRITICAL',
+          `Issue converting assertion key from string: ${err.message}`
+        );
+      }
+    }
   }
   return a;
 }
 
 async function tdf3EncryptParamsFor(argv: Partial<mainArgs>): Promise<EncryptParams> {
   const c = new EncryptParamsBuilder();
   if (argv.assertions?.length) {
-    c.withAssertions(parseAssertionConfig(argv.assertions));
+    c.withAssertions(await parseAssertionConfig(argv.assertions));
   }
   if (argv.attributes?.length) {
     c.setAttributes(argv.attributes.split(','));
@@ -249,6 +335,14 @@ export const handleArgs = (args: string[]) => {
         desc: 'Do not verify assertions',
         type: 'boolean',
       })
+      .option('assertionVerificationKeys', {
+        alias: 'with-assertion-verification-keys',
+        group: 'Decrypt',
+        desc: 'keys for assertion verification',
+        type: 'string',
+        default: '',
+        validate: parseAssertionVerificationKeys,
+      })
       .option('concurrencyLimit', {
         alias: 'concurrency-limit',
         group: 'Decrypt',

@@ -682,6 +682,19 @@ class DecryptParamsBuilder {
     return this;
   }
 
+  /**
+   * Sets the assertion verification keys for the decryption parameters.
+   *
+   * @param {AssertionVerificationKeys} assertionVerificationKeys - An array of assertion configurations to be set.
+   * @returns {DecryptParamsBuilder} The current instance of the EncryptParamsBuilder for method chaining.
+   */
+  withAssertionVerificaitonKeys(
+    assertionVerificationKeys: AssertionVerificationKeys
+  ): DecryptParamsBuilder {
+    this._params.assertionVerificationKeys = assertionVerificationKeys;
+    return this;
+  }
+
   _deepCopy(_params: DecryptParams) {
     return freeze({ ..._params });
   }

@@ -8,7 +8,7 @@ const aex = {
   pubKey: 'PUBKEY',
 };
 
-describe('EncyptParamsBuilder', () => {
+describe('EncryptParamsBuilder', () => {
   describe('setAttributes', () => {
     it('should accept valid attribute', () => {
       const paramsBuilder = new EncryptParamsBuilder();