opentdf · dmihalcik-virtru · Jan 21, 2025 · Dec 2, 2024 · Dec 2, 2024 · Dec 2, 2024
@@ -62,6 +62,7 @@ type Manifest struct {
 	EncryptionInformation `json:"encryptionInformation"`
 	Payload               `json:"payload"`
 	Assertions            []Assertion `json:"assertions,omitempty"`
+	TDFVersion            string      `json:"tdf_spec_version,omitempty"`
 }
 
 type attributeObject struct {

@@ -20,6 +20,7 @@ import (
 )
 
 const (
+	sdkVersion              = "4.3.0"
 	maxFileSizeSupported    = 68719476736 // 64gb
 	defaultMimeType         = "application/octet-stream"
 	tdfAsZip                = "zip"
@@ -197,7 +198,8 @@ func (s SDK) CreateTDFContext(ctx context.Context, writer io.Writer, reader io.R
 			return nil, fmt.Errorf("io.writer.Write failed: %w", err)
 		}
 
-		segmentSig, err := calculateSignature(cipherData, tdfObject.payloadKey[:], tdfConfig.segmentIntegrityAlgorithm)
+		segmentSig, err := calculateSignature(cipherData, tdfObject.payloadKey[:],
+			tdfConfig.segmentIntegrityAlgorithm, false)
 		if err != nil {
 			return nil, fmt.Errorf("splitKey.GetSignaturefailed: %w", err)
 		}
@@ -216,7 +218,8 @@ func (s SDK) CreateTDFContext(ctx context.Context, writer io.Writer, reader io.R
 		readPos += readSize
 	}
 
-	rootSignature, err := calculateSignature([]byte(aggregateHash), tdfObject.payloadKey[:], tdfConfig.integrityAlgorithm)
+	rootSignature, err := calculateSignature([]byte(aggregateHash), tdfObject.payloadKey[:],
+		tdfConfig.integrityAlgorithm, false)
 	if err != nil {
 		return nil, fmt.Errorf("splitKey.GetSignaturefailed: %w", err)
 	}
@@ -263,11 +266,17 @@ func (s SDK) CreateTDFContext(ctx context.Context, writer io.Writer, reader io.R
 		tmpAssertion.Statement = assertion.Statement
 		tmpAssertion.AppliesToState = assertion.AppliesToState
 
-		hashOfAssertion, err := tmpAssertion.GetHash()
+		hashOfAssertionAsHex, err := tmpAssertion.GetHash()
 		if err != nil {
 			return nil, err
 		}
 
+		hashOfAssertion := make([]byte, hex.DecodedLen(len(hashOfAssertionAsHex)))
+		_, err = hex.Decode(hashOfAssertion, hashOfAssertionAsHex)
+		if err != nil {
+			return nil, fmt.Errorf("error decoding hex string: %w", err)
+		}
+
 		var completeHashBuilder strings.Builder
 		completeHashBuilder.WriteString(aggregateHash)
 		completeHashBuilder.Write(hashOfAssertion)
@@ -284,7 +293,7 @@ func (s SDK) CreateTDFContext(ctx context.Context, writer io.Writer, reader io.R
 			assertionSigningKey = assertion.SigningKey
 		}
 
-		if err := tmpAssertion.Sign(string(hashOfAssertion), string(encoded), assertionSigningKey); err != nil {
+		if err := tmpAssertion.Sign(string(hashOfAssertionAsHex), string(encoded), assertionSigningKey); err != nil {
 			return nil, fmt.Errorf("failed to sign assertion: %w", err)
 		}
 
@@ -322,6 +331,14 @@ func (r *Reader) Manifest() Manifest {
 // prepare the manifest for TDF
 func (s SDK) prepareManifest(ctx context.Context, t *TDFObject, tdfConfig TDFConfig) error { //nolint:funlen,gocognit // Better readability keeping it as is
 	manifest := Manifest{}
+
+	version, err := ParseVersion(sdkVersion)
+	if err != nil {
+		return fmt.Errorf("ReadVersion failed:%w", err)
+	}
+
+	manifest.TDFVersion = version.String()
+
 	if len(tdfConfig.splitPlan) == 0 && len(tdfConfig.kasInfoList) == 0 {
 		return fmt.Errorf("%w: no key access template specified or inferred", errInvalidKasInfo)
 	}
@@ -567,6 +584,8 @@ func (r *Reader) WriteTo(writer io.Writer) (int64, error) {
 		}
 	}
 
+	isLegacyTDF := r.manifest.TDFVersion == ""
+
 	var totalBytes int64
 	var payloadReadOffset int64
 	for _, seg := range r.manifest.EncryptionInformation.IntegrityInformation.Segments {
@@ -585,7 +604,7 @@ func (r *Reader) WriteTo(writer io.Writer) (int64, error) {
 			sigAlg = GMAC
 		}
 
-		payloadSig, err := calculateSignature(readBuf, r.payloadKey, sigAlg)
+		payloadSig, err := calculateSignature(readBuf, r.payloadKey, sigAlg, isLegacyTDF)
 		if err != nil {
 			return totalBytes, fmt.Errorf("splitKey.GetSignaturefailed: %w", err)
 		}
@@ -646,6 +665,7 @@ func (r *Reader) ReadAt(buf []byte, offset int64) (int, error) { //nolint:funlen
 		return 0, ErrTDFPayloadReadFail
 	}
 
+	isLegacyTDF := r.manifest.TDFVersion == ""
 	var decryptedBuf bytes.Buffer
 	var payloadReadOffset int64
 	for index, seg := range r.manifest.EncryptionInformation.IntegrityInformation.Segments {
@@ -669,7 +689,7 @@ func (r *Reader) ReadAt(buf []byte, offset int64) (int, error) { //nolint:funlen
 			sigAlg = GMAC
 		}
 
-		payloadSig, err := calculateSignature(readBuf, r.payloadKey, sigAlg)
+		payloadSig, err := calculateSignature(readBuf, r.payloadKey, sigAlg, isLegacyTDF)
 		if err != nil {
 			return 0, fmt.Errorf("splitKey.GetSignaturefailed: %w", err)
 		}
@@ -933,18 +953,29 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn
 		}
 
 		// Get the hash of the assertion
-		hashOfAssertion, err := assertion.GetHash()
+		hashOfAssertionAsHex, err := assertion.GetHash()
 		if err != nil {
 			return fmt.Errorf("%w: failed to get hash of assertion: %w", ErrAssertionFailure{ID: assertion.ID}, err)
 		}
 
+		hashOfAssertion := make([]byte, hex.DecodedLen(len(hashOfAssertionAsHex)))
+		_, err = hex.Decode(hashOfAssertion, hashOfAssertionAsHex)
+		if err != nil {
+			return fmt.Errorf("error decoding hex string: %w", err)
+		}
+
+		isLegacyTDF := r.manifest.TDFVersion == ""
+		if isLegacyTDF {
+			hashOfAssertion = hashOfAssertionAsHex
+		}
+
 		var completeHashBuilder bytes.Buffer
 		completeHashBuilder.Write(aggregateHash.Bytes())
 		completeHashBuilder.Write(hashOfAssertion)
 
 		base64Hash := ocrypto.Base64Encode(completeHashBuilder.Bytes())
 
-		if string(hashOfAssertion) != assertionHash {
+		if string(hashOfAssertionAsHex) != assertionHash {
 			return fmt.Errorf("%w: assertion hash missmatch", ErrAssertionFailure{ID: assertion.ID})
 		}
 
@@ -972,29 +1003,36 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn
 }
 
 // calculateSignature calculate signature of data of the given algorithm.
-func calculateSignature(data []byte, secret []byte, alg IntegrityAlgorithm) (string, error) {
+func calculateSignature(data []byte, secret []byte, alg IntegrityAlgorithm, isLegacyTDF bool) (string, error) {
 	if alg == HS256 {
 		hmac := ocrypto.CalculateSHA256Hmac(secret, data)
-		return hex.EncodeToString(hmac), nil
+		if isLegacyTDF {
+			return hex.EncodeToString(hmac), nil
+		}
+		return string(hmac), nil
 	}
 	if kGMACPayloadLength > len(data) {
 		return "", fmt.Errorf("fail to create gmac signature")
 	}
 
-	return hex.EncodeToString(data[len(data)-kGMACPayloadLength:]), nil
+	if isLegacyTDF {
+		return hex.EncodeToString(data[len(data)-kGMACPayloadLength:]), nil
+	}
+	return string(data[len(data)-kGMACPayloadLength:]), nil
 }
 
 // validate the root signature
 func validateRootSignature(manifest Manifest, aggregateHash, secret []byte) (bool, error) {
 	rootSigAlg := manifest.EncryptionInformation.IntegrityInformation.RootSignature.Algorithm
 	rootSigValue := manifest.EncryptionInformation.IntegrityInformation.RootSignature.Signature
+	isLegacyTDF := manifest.TDFVersion == ""
 
 	sigAlg := HS256
 	if strings.EqualFold(gmacIntegrityAlgorithm, rootSigAlg) {
 		sigAlg = GMAC
 	}
 
-	sig, err := calculateSignature(aggregateHash, secret, sigAlg)
+	sig, err := calculateSignature(aggregateHash, secret, sigAlg, isLegacyTDF)
 	if err != nil {
 		return false, fmt.Errorf("splitkey.getSignature failed:%w", err)
 	}

@@ -18,6 +18,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/opentdf/platform/lib/ocrypto"
 	kaspb "github.com/opentdf/platform/protocol/go/kas"
@@ -264,7 +266,7 @@ func (s *TDFSuite) Test_SimpleTDF() {
 		"https://example.com/attr/Classification/value/X",
 	}
 
-	expectedTdfSize := int64(2095)
+	expectedTdfSize := int64(2058)
 	tdfFilename := "secure-text.tdf"
 	plainText := "Virtru"
 	{
@@ -394,7 +396,7 @@ func (s *TDFSuite) Test_TDFWithAssertion() {
 			},
 			assertionVerificationKeys:    nil,
 			disableAssertionVerification: false,
-			expectedSize:                 2896,
+			expectedSize:                 2689,
 		},
 		{
 			assertions: []AssertionConfig{
@@ -427,7 +429,7 @@ func (s *TDFSuite) Test_TDFWithAssertion() {
 				DefaultKey: defaultKey,
 			},
 			disableAssertionVerification: false,
-			expectedSize:                 2896,
+			expectedSize:                 2689,
 		},
 		{
 			assertions: []AssertionConfig{
@@ -476,7 +478,7 @@ func (s *TDFSuite) Test_TDFWithAssertion() {
 				},
 			},
 			disableAssertionVerification: false,
-			expectedSize:                 3195,
+			expectedSize:                 2988,
 		},
 		{
 			assertions: []AssertionConfig{
@@ -516,7 +518,7 @@ func (s *TDFSuite) Test_TDFWithAssertion() {
 				},
 			},
 			disableAssertionVerification: false,
-			expectedSize:                 2896,
+			expectedSize:                 2689,
 		},
 		{
 			assertions: []AssertionConfig{
@@ -533,7 +535,7 @@ func (s *TDFSuite) Test_TDFWithAssertion() {
 				},
 			},
 			disableAssertionVerification: true,
-			expectedSize:                 2302,
+			expectedSize:                 2180,
 		},
 	} {
 		expectedTdfSize := test.expectedSize
@@ -642,7 +644,7 @@ func (s *TDFSuite) Test_TDFWithAssertionNegativeTests() {
 					SigningKey: defaultKey,
 				},
 			},
-			expectedSize: 2896,
+			expectedSize: 2689,
 		},
 		{
 			assertions: []AssertionConfig{
@@ -690,7 +692,7 @@ func (s *TDFSuite) Test_TDFWithAssertionNegativeTests() {
 					},
 				},
 			},
-			expectedSize: 3195,
+			expectedSize: 2988,
 		},
 		{
 			assertions: []AssertionConfig{
@@ -724,7 +726,7 @@ func (s *TDFSuite) Test_TDFWithAssertionNegativeTests() {
 			assertionVerificationKeys: &AssertionVerificationKeys{
 				DefaultKey: defaultKey,
 			},
-			expectedSize: 2896,
+			expectedSize: 2689,
 		},
 	} {
 		expectedTdfSize := test.expectedSize
@@ -1479,3 +1481,30 @@ func (s *TDFSuite) checkIdentical(file, checksum string) bool {
 	c := h.Sum(nil)
 	return checksum == fmt.Sprintf("%x", c)
 }
+
+func TestParseVersion(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected Version
+		hasError bool
+	}{
+		{"1.2.3", Version{Major: 1, Minor: 2, Patch: 3}, false},
+		{"1.2.3+p1", Version{Major: 1, Minor: 2, Patch: 3, Preview: 1}, false},
+		{"1.2.3+p1.2", Version{Major: 1, Minor: 2, Patch: 3, Preview: 1, Revision: 2}, false},
+		{"1.2", Version{}, true},
+		{"1.2.3+p", Version{}, true},
+		{"1.2.3+p1.", Version{}, true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.input, func(t *testing.T) {
+			result, err := ParseVersion(tt.input)
+			if tt.hasError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, tt.expected, *result)
+			}
+		})
+	}
+}
diff --git a/sdk/version-parser.go b/sdk/version-parser.go
@@ -0,0 +1,76 @@
+package sdk
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+type Version struct {
+	Major    int
+	Minor    int
+	Patch    int
+	Preview  int
+	Revision int
+}
+
+func ReadVersion() (*Version, error) {
+	content, err := os.ReadFile("VERSION")
+	if err != nil {
+		return nil, fmt.Errorf("reading VERSION file: %w", err)
+	}
+
+	return ParseVersion(strings.TrimSpace(string(content)))
+}
+
+func ParseVersion(v string) (*Version, error) {
+	const maxParts = 2
+	var ver Version
+	var preview, revision string
+
+	parts := strings.SplitN(v, "+p", maxParts)
+	mainVersion := parts[0]
+
+	if len(parts) > 1 {
+		if parts[1] == "" {
+			return nil, fmt.Errorf("invalid preview format")
+		}
+		previewParts := strings.SplitN(parts[1], ".", maxParts)
+		preview = previewParts[0]
+		if len(previewParts) > 1 {
+			if previewParts[1] == "" {
+				return nil, fmt.Errorf("invalid revision format")
+			}
+			revision = previewParts[1]
+		}
+	}
+
+	if _, err := fmt.Sscanf(mainVersion, "%d.%d.%d", &ver.Major, &ver.Minor, &ver.Patch); err != nil {
+		return nil, fmt.Errorf("parsing version: %w", err)
+	}
+
+	if preview != "" {
+		if _, err := fmt.Sscanf(preview, "%d", &ver.Preview); err != nil {
+			return nil, fmt.Errorf("parsing preview version: %w", err)
+		}
+	}
+
+	if revision != "" {
+		if _, err := fmt.Sscanf(revision, "%d", &ver.Revision); err != nil {
+			return nil, fmt.Errorf("parsing revision: %w", err)
+		}
+	}
+
+	return &ver, nil
+}
+
+func (v *Version) String() string {
+	base := fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch)
+	if v.Preview > 0 {
+		if v.Revision > 0 {
+			return fmt.Sprintf("%s+p%d.%d", base, v.Preview, v.Revision)
+		}
+		return fmt.Sprintf("%s+p%d", base, v.Preview)
+	}
+	return base
+}