feat(sdk): remove hex encoding for segment hash

.github/workflows/publish-to.sh

@@ -7,13 +7,13 @@ v="${1%%+*}"
 t="${2}"
 
 cd lib
-for f in {,tdf3/}src/version.ts; do
-  if ! sed "s/export const version = \'[^']\{1,\}\';\$/export const version = \'${v}\';/" "${f}" >"${f}.tmp"; then
-    echo "Failed to insert version [${v}] into file [$f]"
-    exit 1
-  fi
-  mv "${f}.tmp" "${f}"
-done
+f=src/version.ts
+if ! sed "s/export const version = \'[^']\{1,\}\';\$/export const version = \'${v}\';/" "${f}" >"${f}.tmp"; then
+  echo "Failed to insert version [${v}] into file [$f]"
+  exit 1
+fi
+mv "${f}.tmp" "${f}"
+
 npm version --no-git-tag-version --allow-same-version "$v"
 npm publish --access public --tag "$t"
 

cli/src/cli.ts

@@ -13,6 +13,7 @@ import {
   type Source,
   AuthProviders,
   version,
+  tdfSpecVersion,
   OpenTDF,
   DecoratedStream,
 } from '@opentdf/sdk';
@@ -650,6 +651,7 @@ export const handleArgs = (args: string[]) => {
         JSON.stringify({
           '@opentdf/ctl': process.env.npm_package_version || 'UNRELEASED',
           '@opentdf/sdk': version,
+          tdfSpecVersion,
         })
       )
       .alias('version', 'V')

lib/src/index.ts

@@ -1,6 +1,6 @@
 export { type AuthProvider, type HttpMethod, HttpRequest, withHeaders } from './auth/auth.js';
 export * as AuthProviders from './auth/providers.js';
 export { attributeFQNsAsValues } from './policy/api.js';
-export { version, clientType } from './version.js';
+export { version, clientType, tdfSpecVersion } from './version.js';
 export * from './opentdf.js';
 export * from './seekable.js';

lib/src/version.ts

@@ -7,3 +7,8 @@ export const version = '0.2.0';
  * A string name used to label requests as coming from this library client.
  */
 export const clientType = 'web-sdk';
+
+/**
+ * Version of the opentdf/spec this library is targeting
+ */
+export const tdfSpecVersion = '4.3.0';

lib/tdf3/src/assertions.ts

@@ -110,8 +110,9 @@ export function isAssertionConfig(obj: unknown): obj is AssertionConfig {
  */
 export async function verify(
   thiz: Assertion,
-  aggregateHash: string,
-  key: AssertionKey
+  aggregateHash: Uint8Array,
+  key: AssertionKey,
+  isLegacyTDF: boolean
 ): Promise<void> {
   let payload: AssertionPayload;
   try {
@@ -126,14 +127,25 @@ export async function verify(
 
   // Get the hash of the assertion
   const hashOfAssertion = await hash(thiz);
-  const combinedHash = aggregateHash + hashOfAssertion;
-  const encodedHash = base64.encode(combinedHash);
 
   // check if assertionHash is same as hashOfAssertion
   if (hashOfAssertion !== assertionHash) {
     throw new IntegrityError('Assertion hash mismatch');
   }
 
+  let encodedHash: string;
+  if (isLegacyTDF) {
+    const aggregateHashAsStr = new TextDecoder('utf-8').decode(aggregateHash);
+    const combinedHash = aggregateHashAsStr + hashOfAssertion;
+    encodedHash = base64.encode(combinedHash);
+  } else {
+    const combinedHash = concatenateUint8Arrays(
+      aggregateHash,
+      new Uint8Array(hex.decodeArrayBuffer(assertionHash))
+    );
+    encodedHash = base64.encodeArrayBuffer(combinedHash);
+  }
+
   // check if assertionSig is same as encodedHash
   if (assertionSig !== encodedHash) {
     throw new IntegrityError('Failed integrity check on assertion signature');
@@ -144,7 +156,7 @@ export async function verify(
  * Creates an Assertion object with the specified properties.
  */
 export async function CreateAssertion(
-  aggregateHash: string,
+  aggregateHash: Uint8Array,
   assertionConfig: AssertionConfig
 ): Promise<Assertion> {
   if (!assertionConfig.signingKey) {
@@ -162,8 +174,11 @@ export async function CreateAssertion(
   };
 
   const assertionHash = await hash(a);
-  const combinedHash = aggregateHash + assertionHash;
-  const encodedHash = base64.encode(combinedHash);
+  const combinedHash = concatenateUint8Arrays(
+    aggregateHash,
+    new Uint8Array(hex.decodeArrayBuffer(assertionHash))
+  );
+  const encodedHash = base64.encodeArrayBuffer(combinedHash);
 
   return await sign(a, assertionHash, encodedHash, assertionConfig.signingKey);
 }
@@ -189,3 +204,13 @@ export type AssertionVerificationKeys = {
   DefaultKey?: AssertionKey;
   Keys: Record<string, AssertionKey>;
 };
+
+function concatenateUint8Arrays(array1: Uint8Array, array2: Uint8Array): Uint8Array {
+  const combinedLength = array1.length + array2.length;
+  const combinedArray = new Uint8Array(combinedLength);
+
+  combinedArray.set(array1, 0);
+  combinedArray.set(array2, array1.length);
+
+  return combinedArray;
+}

lib/tdf3/src/index.ts

@@ -1,4 +1,4 @@
 export * as Client from './client/index.js';
 export { Client as TDF3Client } from './client/index.js';
 export * as Errors from '../../src/errors.js';
-export { version, clientType } from './version.js';
+export { clientType, tdfSpecVersion, version } from '../../src/version.js';

lib/tdf3/src/models/manifest.ts

@@ -6,4 +6,5 @@ export type Manifest = {
   payload: Payload;
   encryptionInformation: EncryptionInformation;
   assertions: Assertion[];
+  tdf_spec_version: string;
 };