Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(sdk): remove hex encoding for segment hash #397

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 32 additions & 7 deletions lib/tdf3/src/assertions.ts
Original file line number Diff line number Diff line change
@@ -110,8 +110,9 @@ export function isAssertionConfig(obj: unknown): obj is AssertionConfig {
*/
export async function verify(
thiz: Assertion,
aggregateHash: string,
key: AssertionKey
aggregateHash: Uint8Array,
key: AssertionKey,
isLegacyTDF: boolean
): Promise<void> {
let payload: AssertionPayload;
try {
@@ -126,14 +127,25 @@ export async function verify(

// Get the hash of the assertion
const hashOfAssertion = await hash(thiz);
const combinedHash = aggregateHash + hashOfAssertion;
const encodedHash = base64.encode(combinedHash);

// check if assertionHash is same as hashOfAssertion
if (hashOfAssertion !== assertionHash) {
throw new IntegrityError('Assertion hash mismatch');
}

let encodedHash: string;
if (isLegacyTDF) {
const aggregateHashAsStr = new TextDecoder('utf-8').decode(aggregateHash);
const combinedHash = aggregateHashAsStr + hashOfAssertion;
encodedHash = base64.encode(combinedHash);
} else {
const combinedHash = concatenateUint8Arrays(
aggregateHash,
new Uint8Array(hex.decodeArrayBuffer(assertionHash))
);
encodedHash = base64.encodeArrayBuffer(combinedHash);
}

// check if assertionSig is same as encodedHash
if (assertionSig !== encodedHash) {
throw new IntegrityError('Failed integrity check on assertion signature');
@@ -144,7 +156,7 @@ export async function verify(
* Creates an Assertion object with the specified properties.
*/
export async function CreateAssertion(
aggregateHash: string,
aggregateHash: Uint8Array,
assertionConfig: AssertionConfig
): Promise<Assertion> {
if (!assertionConfig.signingKey) {
@@ -162,8 +174,11 @@ export async function CreateAssertion(
};

const assertionHash = await hash(a);
const combinedHash = aggregateHash + assertionHash;
const encodedHash = base64.encode(combinedHash);
const combinedHash = concatenateUint8Arrays(
aggregateHash,
new Uint8Array(hex.decodeArrayBuffer(assertionHash))
);
const encodedHash = base64.encodeArrayBuffer(combinedHash);

return await sign(a, assertionHash, encodedHash, assertionConfig.signingKey);
}
@@ -189,3 +204,13 @@ export type AssertionVerificationKeys = {
DefaultKey?: AssertionKey;
Keys: Record<string, AssertionKey>;
};

function concatenateUint8Arrays(array1: Uint8Array, array2: Uint8Array): Uint8Array {
const combinedLength = array1.length + array2.length;
const combinedArray = new Uint8Array(combinedLength);

combinedArray.set(array1, 0);
combinedArray.set(array2, array1.length);

return combinedArray;
}
1 change: 1 addition & 0 deletions lib/tdf3/src/models/manifest.ts
Original file line number Diff line number Diff line change
@@ -6,4 +6,5 @@ export type Manifest = {
payload: Payload;
encryptionInformation: EncryptionInformation;
assertions: Assertion[];
tdf_spec_version: string;
};
84 changes: 61 additions & 23 deletions lib/tdf3/src/tdf.ts
Original file line number Diff line number Diff line change
@@ -6,6 +6,8 @@ import { EntityObject } from '../../src/tdf/index.js';
import { pemToCryptoPublicKey, validateSecureUrl } from '../../src/utils.js';
import { DecryptParams } from './client/builders.js';
import { AssertionConfig, AssertionKey, AssertionVerificationKeys } from './assertions.js';
import { version } from './version.js';
import { hex } from '../../src/encodings/index.js';
import * as assertions from './assertions.js';

import {
@@ -457,6 +459,7 @@ async function _generateManifest(
// generate the manifest first, then insert integrity information into it
encryptionInformation: encryptionInformationStr,
assertions: assertions,
tdf_spec_version: version,
};
}

@@ -616,7 +619,7 @@ export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedR
let bytesProcessed = 0;
let crcCounter = 0;
let fileByteCount = 0;
let aggregateHash = '';
const segmentHashList: Uint8Array[] = [];

const zipWriter = new ZipWriter();
const manifest = await _generateManifest(
@@ -720,14 +723,17 @@ export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedR
fileByteCount = 0;

// hash the concat of all hashes
const payloadSigStr = await getSignature(
const aggregateHash = await concatenateUint8Array(segmentHashList);
const payloadSigInHex = await getSignature(
cfg.keyForEncryption.unwrappedKeyBinary,
Binary.fromString(aggregateHash),
Binary.fromArrayBuffer(aggregateHash.buffer),
cfg.integrityAlgorithm,
cfg.cryptoService
);

const payloadSig = hex.decodeArrayBuffer(payloadSigInHex);
manifest.encryptionInformation.integrityInformation.rootSignature.sig =
base64.encode(payloadSigStr);
base64.encodeArrayBuffer(payloadSig);
manifest.encryptionInformation.integrityInformation.rootSignature.alg =
cfg.integrityAlgorithm;

@@ -839,18 +845,18 @@ export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedR
cfg.keyForEncryption.unwrappedKeyBinary
);
const payloadBuffer = new Uint8Array(encryptedResult.payload.asByteArray());
const payloadSigStr = await getSignature(
const payloadSigInHex = await getSignature(
cfg.keyForEncryption.unwrappedKeyBinary,
encryptedResult.payload,
cfg.segmentIntegrityAlgorithm,
cfg.cryptoService
);

// combined string of all hashes for root signature
aggregateHash += payloadSigStr;
const payloadSig = hex.decodeArrayBuffer(payloadSigInHex);
segmentHashList.push(new Uint8Array(payloadSig));

segmentInfos.push({
hash: base64.encode(payloadSigStr),
hash: base64.encodeArrayBuffer(payloadSig),
segmentSize: chunk.length === segmentSizeDefault ? undefined : chunk.length,
encryptedSegmentSize:
payloadBuffer.length === encryptedSegmentSizeDefault ? undefined : payloadBuffer.length,
@@ -1068,17 +1074,23 @@ async function decryptChunk(
hash: string,
cipher: SymmetricCipher,
segmentIntegrityAlgorithm: IntegrityAlgorithm,
cryptoService: CryptoService
cryptoService: CryptoService,
isLegacyTDF: boolean
): Promise<DecryptResult> {
if (segmentIntegrityAlgorithm !== 'GMAC' && segmentIntegrityAlgorithm !== 'HS256') {
}
const segmentHashStr = await getSignature(
const segmentHashAsHex = await getSignature(
reconstructedKeyBinary,
Binary.fromArrayBuffer(encryptedChunk.buffer),
segmentIntegrityAlgorithm,
cryptoService
);
if (hash !== btoa(segmentHashStr)) {

const segmentHash = isLegacyTDF
? btoa(segmentHashAsHex)
: btoa(String.fromCharCode(...new Uint8Array(hex.decodeArrayBuffer(segmentHashAsHex))));

if (hash !== segmentHash) {
throw new IntegrityError('Failed integrity check on segment hash');
}
return await cipher.decrypt(encryptedChunk, reconstructedKeyBinary);
@@ -1091,7 +1103,8 @@ async function updateChunkQueue(
reconstructedKeyBinary: Binary,
cipher: SymmetricCipher,
segmentIntegrityAlgorithm: IntegrityAlgorithm,
cryptoService: CryptoService
cryptoService: CryptoService,
isLegacyTDF: boolean
) {
const chunksInOneDownload = 500;
let requests = [];
@@ -1132,6 +1145,7 @@ async function updateChunkQueue(
slice,
cipher,
segmentIntegrityAlgorithm,
isLegacyTDF,
});
}
})()
@@ -1146,13 +1160,15 @@ export async function sliceAndDecrypt({
cipher,
cryptoService,
segmentIntegrityAlgorithm,
isLegacyTDF,
}: {
buffer: Uint8Array;
reconstructedKeyBinary: Binary;
slice: Chunk[];
cipher: SymmetricCipher;
cryptoService: CryptoService;
segmentIntegrityAlgorithm: IntegrityAlgorithm;
isLegacyTDF: boolean;
}) {
for (const index in slice) {
const { encryptedOffset, encryptedSegmentSize, _resolve, _reject } = slice[index];
@@ -1170,7 +1186,8 @@ export async function sliceAndDecrypt({
slice[index]['hash'],
cipher,
segmentIntegrityAlgorithm,
cryptoService
cryptoService,
isLegacyTDF
);
slice[index].decryptedChunk = result;
if (_resolve) {
@@ -1218,23 +1235,37 @@ export async function readStream(cfg: DecryptConfiguration) {
const keyForDecryption = await cfg.keyMiddleware(reconstructedKeyBinary);
const encryptedSegmentSizeDefault = defaultSegmentSize || DEFAULT_SEGMENT_SIZE;

// check the combined string of hashes
const aggregateHash = segments.map(({ hash }) => base64.decode(hash)).join('');
// check if the TDF is a legacy TDF
const isLegacyTDF = manifest.tdf_spec_version ? false : true;

// Decode each hash and store it in an array of Uint8Array
const segmentHashList = segments.map(
({ hash }) => new Uint8Array(base64.decodeArrayBuffer(hash))
);

// Concatenate all segment hashes into a single Uint8Array
const aggregateHash = await concatenateUint8Array(segmentHashList);

const integrityAlgorithm = rootSignature.alg;
if (integrityAlgorithm !== 'GMAC' && integrityAlgorithm !== 'HS256') {
throw new UnsupportedError(`Unsupported integrity alg [${integrityAlgorithm}]`);
}
const payloadSigStr = await getSignature(

const payloadForSigCalculation = isLegacyTDF
? Binary.fromString(hex.encodeArrayBuffer(aggregateHash))
: Binary.fromArrayBuffer(aggregateHash.buffer);
const payloadSigInHex = await getSignature(
keyForDecryption,
Binary.fromString(aggregateHash),
payloadForSigCalculation,
integrityAlgorithm,
cfg.cryptoService
);

if (
manifest.encryptionInformation.integrityInformation.rootSignature.sig !==
base64.encode(payloadSigStr)
) {
const rootSig = isLegacyTDF
? base64.encode(payloadSigInHex)
: base64.encodeArrayBuffer(hex.decodeArrayBuffer(payloadSigInHex));

if (manifest.encryptionInformation.integrityInformation.rootSignature.sig !== rootSig) {
throw new IntegrityError('Failed integrity check on root signature');
}

@@ -1252,7 +1283,7 @@ export async function readStream(cfg: DecryptConfiguration) {
assertionKey = foundKey;
}
}
await assertions.verify(assertion, aggregateHash, assertionKey);
await assertions.verify(assertion, aggregateHash, assertionKey, isLegacyTDF);
}
}

@@ -1293,7 +1324,8 @@ export async function readStream(cfg: DecryptConfiguration) {
keyForDecryption,
cipher,
segmentIntegrityAlg,
cfg.cryptoService
cfg.cryptoService,
isLegacyTDF
);

let progress = 0;
@@ -1328,3 +1360,9 @@ export async function readStream(cfg: DecryptConfiguration) {
outputStream.emit('rewrap', metadata);
return outputStream;
}

async function concatenateUint8Array(uint8arrays: Uint8Array[]): Promise<Uint8Array> {
const blob = new Blob(uint8arrays);
const buffer = await blob.arrayBuffer();
return new Uint8Array(buffer);
}
2 changes: 1 addition & 1 deletion lib/tdf3/src/version.ts
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
export const version = '0.1.0';
export const version = '1.0.0';
export const clientType = 'tdf3-js-client';