fix(sdk): assertion support in tdf3 (#82)

sujankota · web-flow · commit c299dbdcb0c7 · 2024-07-11T12:20:39.000-04:00
diff --git a/cmdline/src/main/java/io/opentdf/platform/Command.java b/cmdline/src/main/java/io/opentdf/platform/Command.java
@@ -1,7 +1,9 @@
 package io.opentdf.platform;
 
+import com.nimbusds.jose.JOSEException;
 import io.opentdf.platform.sdk.*;
 import io.opentdf.platform.sdk.TDF;
+import org.apache.commons.codec.DecoderException;
 import picocli.CommandLine;
 import picocli.CommandLine.Option;
 
@@ -23,6 +25,7 @@
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@@ -47,7 +50,8 @@ class Command {
     void encrypt(
             @Option(names = {"-f", "--file"}, defaultValue = Option.NULL_VALUE) Optional<File> file,
             @Option(names = {"-k", "--kas-url"}, required = true) List<String> kas,
-            @Option(names = {"-m", "--metadata"}, defaultValue = Option.NULL_VALUE) Optional<String> metadata) throws IOException {
+            @Option(names = {"-m", "--metadata"}, defaultValue = Option.NULL_VALUE) Optional<String> metadata) throws
+            IOException, JOSEException {
 
         var sdk = buildSDK();
         var kasInfos = kas.stream().map(k -> {
@@ -77,22 +81,26 @@ private SDK buildSDK() {
     }
 
     @CommandLine.Command(name = "decrypt")
-    void decrypt(@Option(names = {"-f", "--file"}, required = true) Path tdfPath) throws IOException, InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, BadPaddingException, InvalidKeyException {
+    void decrypt(@Option(names = {"-f", "--file"}, required = true) Path tdfPath) throws IOException,
+            InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException,
+            BadPaddingException, InvalidKeyException, TDF.FailedToCreateGMAC,
+            JOSEException, ParseException, NoSuchAlgorithmException, DecoderException {
         var sdk = buildSDK();
         try (var in = FileChannel.open(tdfPath, StandardOpenOption.READ)) {
             try (var stdout = new BufferedOutputStream(System.out)) {
-                    var reader = new TDF().loadTDF(in, sdk.getServices().kas());
+                    var reader = new TDF().loadTDF(in, new Config.AssertionConfig(), sdk.getServices().kas());
                     reader.readPayload(stdout);
                 }
         }
     }
     @CommandLine.Command(name = "metadata")
-    void readMetadata(@Option(names = {"-f", "--file"}, required = true) Path tdfPath) throws IOException, InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, BadPaddingException, InvalidKeyException {
+    void readMetadata(@Option(names = {"-f", "--file"}, required = true) Path tdfPath) throws IOException,
+            TDF.FailedToCreateGMAC, JOSEException, NoSuchAlgorithmException, ParseException, DecoderException {
         var sdk = buildSDK();
 
         try (var in = FileChannel.open(tdfPath, StandardOpenOption.READ)) {
             try (var stdout = new PrintWriter(System.out)) {
-                var reader = new TDF().loadTDF(in, sdk.getServices().kas());
+                var reader = new TDF().loadTDF(in, new Config.AssertionConfig(), sdk.getServices().kas());
                 stdout.write(reader.getMetadata() == null ? "" : reader.getMetadata());
             }
         }
diff --git a/sdk/pom.xml b/sdk/pom.xml
@@ -121,5 +121,10 @@
             <version>5.0.0-alpha.14</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.github.erdtman</groupId>
+            <artifactId>java-json-canonicalization</artifactId>
+            <version>1.1</version>
+        </dependency>
     </dependencies>
 </project>
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/AesGcm.java b/sdk/src/main/java/io/opentdf/platform/sdk/AesGcm.java
@@ -19,6 +19,16 @@ public class AesGcm {
 
     private final SecretKey key;
 
+
+    /**
+     * <p>Return symmetric key</p>
+     *
+     * @return
+     */
+    public byte[] getKey() {
+        return key.getEncoded();
+    }
+
     public static class Encrypted {
         private final byte[] iv;
         private final byte[] ciphertext;
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/Assertion.java b/sdk/src/main/java/io/opentdf/platform/sdk/Assertion.java
@@ -0,0 +1,87 @@
+package io.opentdf.platform.sdk;
+
+public class Assertion {
+
+    public enum Type {
+        HandlingAssertion("Handling"),
+        BaseAssertion("Base");
+
+        private final String type;
+
+        Type(String assertionType) {
+            this.type = assertionType;
+        }
+
+        @Override
+        public String toString() {
+            return type;
+        }
+    }
+
+    public enum Scope {
+        TrustedDataObj("TDO"),
+        Payload("PAYL"),
+        Explicit("EXPLICIT");
+
+        private final String scope;
+
+        Scope(String scope) {
+            this.scope = scope;
+        }
+    }
+
+    public enum AppliesToState {
+        Encrypted("encrypted"),
+        Unencrypted("unencrypted");
+
+        private final String state;
+
+        AppliesToState(String state) {
+            this.state = state;
+        }
+    }
+
+    public enum StatementFormat {
+        ReferenceStatement("ReferenceStatement"),
+        StructuredStatement("StructuredStatement"),
+        StringStatement("StringStatement"),
+        Base64BinaryStatement("Base64BinaryStatement"),
+        XMLBase64("XMLBase64"),
+        HandlingStatement("HandlingStatement"),
+        StringType("String");
+
+        private String format;
+
+        StatementFormat(String format) {
+            this.format = format;
+        }
+    }
+
+
+    public enum BindingMethod {
+        JWT("jwt");
+
+        private String method;
+
+        BindingMethod(String method) {
+            this.method = method;
+        }
+    }
+
+    static public class Statement {
+        public String format;
+        public String value;
+    }
+
+    static public class Binding {
+        public String method;
+        public String signature;
+    }
+
+    public String id;
+    public String type;
+    public String scope;
+    public String appliesToState;
+    public Statement statement;
+    public Binding binding;
+}
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/Config.java b/sdk/src/main/java/io/opentdf/platform/sdk/Config.java
@@ -4,6 +4,8 @@
 import io.opentdf.platform.sdk.nanotdf.NanoTDFType;
 import io.opentdf.platform.sdk.nanotdf.SymmetricAndPayloadConfig;
 
+import com.nimbusds.jose.jwk.RSAKey;
+import java.security.Key;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -33,6 +35,23 @@ public static class KASInfo {
         public String KID;
     }
 
+    public static class AssertionConfig {
+        public enum KeyType {
+            RS256,
+            HS256PayloadKey,
+            HS256UserDefined;
+        }
+
+        public RSAKey rs256PrivateKeyForSigning;
+        public RSAKey rs256PublicKeyForVerifying;
+        public byte[] hs256SymmetricKey;
+        public KeyType keyType;
+
+        public AssertionConfig() {
+            this.keyType = KeyType.HS256PayloadKey;
+        }
+    }
+
     public static class TDFConfig {
         public int defaultSegmentSize;
         public boolean enableEncryption;
@@ -44,6 +63,8 @@ public static class TDFConfig {
         public IntegrityAlgorithm segmentIntegrityAlgorithm;
         public List<String> attributes;
         public List<KASInfo> kasInfoList;
+        public List<Assertion> assertionList;
+        public AssertionConfig assertionConfig;
 
         public TDFConfig() {
             this.defaultSegmentSize = DEFAULT_SEGMENT_SIZE;
@@ -53,6 +74,7 @@ public TDFConfig() {
             this.segmentIntegrityAlgorithm = IntegrityAlgorithm.GMAC;
             this.attributes = new ArrayList<>();
             this.kasInfoList = new ArrayList<>();
+            this.assertionList = new ArrayList<>();
         }
     }
 
@@ -77,14 +99,32 @@ public static Consumer<TDFConfig> withKasInformation(KASInfo... kasInfoList) {
         };
     }
 
+    public static Consumer<TDFConfig> WithAssertions(Assertion... assertionList) {
+        return (TDFConfig config) -> {
+            Collections.addAll(config.assertionList, assertionList);
+        };
+    }
+
+    public static Consumer<TDFConfig> WithAssertion(Assertion assertion) {
+        return (TDFConfig config) -> config.assertionList.add(assertion);
+    }
+
     public static Consumer<TDFConfig> withMetaData(String metaData) {
         return (TDFConfig config) -> config.metaData = metaData;
     }
 
+    public static Consumer<TDFConfig> withAssertionConfig(AssertionConfig assertionConfig) {
+        return (TDFConfig config) -> config.assertionConfig = assertionConfig;
+    }
+
     public static Consumer<TDFConfig> withSegmentSize(int size) {
         return (TDFConfig config) -> config.defaultSegmentSize = size;
     }
 
+    public static Consumer<TDFConfig> withDisableEncryption() {
+        return (TDFConfig config) -> config.enableEncryption = false;
+    }
+
     public static class NanoTDFConfig {
         public ECCMode eccMode;
         public NanoTDFType.Cipher cipher;
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/CryptoUtils.java b/sdk/src/main/java/io/opentdf/platform/sdk/CryptoUtils.java
@@ -2,11 +2,7 @@
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
-import java.security.InvalidKeyException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.PublicKey;
+import java.security.*;
 import java.util.Base64;
 
 public class CryptoUtils {
@@ -49,4 +45,16 @@ public static String getRSAPublicKeyPEM(PublicKey publicKey) {
                 Base64.getMimeEncoder().encodeToString(publicKey.getEncoded()) +
                 "\r\n-----END PUBLIC KEY-----";
     }
+
+    public static String getRSAPrivateKeyPEM(PrivateKey privateKey) {
+        if (!"RSA".equals(privateKey.getAlgorithm())) {
+            throw new IllegalArgumentException("can't get private key PEM for algorithm [" + privateKey.getAlgorithm() + "]");
+        }
+
+        return "-----BEGIN PRIVATE KEY-----\r\n" +
+                Base64.getMimeEncoder().encodeToString(privateKey.getEncoded()) +
+                "\r\n-----END PRIVATE KEY-----";
+    }
+
+
 }
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/Manifest.java b/sdk/src/main/java/io/opentdf/platform/sdk/Manifest.java
@@ -54,13 +54,15 @@ static public class EncryptionInformation {
         public IntegrityInformation integrityInformation;
     }
 
-    static  public class Payload {
+    static public class Payload {
         public String type;
         public String url;
         public String protocol;
         public String mimeType;
         public Boolean isEncrypted;
     }
+
     public EncryptionInformation encryptionInformation;
     public Payload payload;
+    public  List<Assertion> assertions;
 }
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/TDF.java b/sdk/src/main/java/io/opentdf/platform/sdk/TDF.java
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/TDFE2ETest.java b/sdk/src/test/java/io/opentdf/platform/sdk/TDFE2ETest.java
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/TDFTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/TDFTest.java

Original file line number	Diff line number	Diff line change
`@@ -54,13 +54,15 @@ static public class EncryptionInformation {`
`54`	`54`	`public IntegrityInformation integrityInformation;`
`55`	`55`	`}`
`56`	`56`
`57`		`- static public class Payload {`
	`57`	`+ static public class Payload {`
`58`	`58`	`public String type;`
`59`	`59`	`public String url;`
`60`	`60`	`public String protocol;`
`61`	`61`	`public String mimeType;`
`62`	`62`	`public Boolean isEncrypted;`
`63`	`63`	`}`
	`64`	`+`
`64`	`65`	`public EncryptionInformation encryptionInformation;`
`65`	`66`	`public Payload payload;`
	`67`	`+ public List<Assertion> assertions;`
`66`	`68`	`}`