feat: add system metadata assertion (#270)

Co-authored-by: Morgan Kleene <mkleene@virtru.com>

Author: strantalis

.github/release-please/release-please-config.main.json

@@ -12,6 +12,10 @@
  {
  "type": "generic",
  "path": "cmdline/src/main/java/io/opentdf/platform/Command.java"
+ },
+ {
+ "type": "generic",
+ "path": "sdk/src/main/java/io/opentdf/platform/sdk/Version.java"
  }
  ]
 }

.github/release-please/release-please-config.release_branches.json

@@ -12,6 +12,10 @@
  {
  "type": "generic",
  "path": "cmdline/src/main/java/io/opentdf/platform/Command.java"
+ },
+ {
+ "type": "generic",
+ "path": "sdk/src/main/java/io/opentdf/platform/sdk/Version.java"
  }
  ]
 }

cmdline/src/main/java/io/opentdf/platform/Command.java

@@ -54,15 +54,11 @@ class Versions {
  public static final String TDF_SPEC = "4.3.0";
 }
 
-@CommandLine.Command(
- name = "tdf",
- subcommands = {HelpCommand.class},
- version =
- "{\"version\":\"" + Versions.SDK + "\",\"tdfSpecVersion\":\"" + Versions.TDF_SPEC + "\"}"
-)
+@CommandLine.Command(name = "tdf", subcommands = { HelpCommand.class }, version = "{\"version\":\"" + Versions.SDK
+ + "\",\"tdfSpecVersion\":\"" + Versions.TDF_SPEC + "\"}")
 class Command {
 
- @Option(names = {"-V", "--version"}, versionHelp = true, description = "display version info")
+ @Option(names = { "-V", "--version" }, versionHelp = true, description = "display version info")
  boolean versionInfoRequested;
 
  private static final String PRIVATE_KEY_HEADER = "-----BEGIN PRIVATE KEY-----";
@@ -85,7 +81,8 @@ class Command {
  @Option(names = { "-p", "--platform-endpoint" }, required = true)
  private String platformEndpoint;
 
- private Object correctKeyType(AssertionConfig.AssertionKeyAlg alg, Object key, boolean publicKey) throws RuntimeException{
+ private Object correctKeyType(AssertionConfig.AssertionKeyAlg alg, Object key, boolean publicKey)
+ throws RuntimeException {
  if (alg == AssertionConfig.AssertionKeyAlg.HS256) {
  if (key instanceof String) {
  key = ((String) key).getBytes(StandardCharsets.UTF_8);
@@ -101,14 +98,14 @@ private Object correctKeyType(AssertionConfig.AssertionKeyAlg alg, Object key, b
  }
  String pem = (String) key;
  String pemWithNewlines = pem.replace("\\n", "\n");
- if (publicKey){
- String base64EncodedPem= pemWithNewlines
- .replaceAll(PEM_HEADER, "")
- .replaceAll(PEM_FOOTER, "")
- .replaceAll("\\s", "")
- .replaceAll("\r\n", "")
- .replaceAll("\n", "")
- .trim();
+ if (publicKey) {
+ String base64EncodedPem = pemWithNewlines
+  .replaceAll(PEM_HEADER, "")
+  .replaceAll(PEM_FOOTER, "")
+  .replaceAll("\\s", "")
+  .replaceAll("\r\n", "")
+  .replaceAll("\n", "")
+  .trim();
  byte[] decoded = Base64.getDecoder().decode(base64EncodedPem);
  X509EncodedKeySpec spec = new X509EncodedKeySpec(decoded);
  KeyFactory kf = null;
@@ -122,7 +119,7 @@ private Object correctKeyType(AssertionConfig.AssertionKeyAlg alg, Object key, b
  } catch (InvalidKeySpecException e) {
  throw new RuntimeException(e);
  }
- }else {
+ } else {
  String privateKeyPEM = pemWithNewlines
  .replace(PRIVATE_KEY_HEADER, "")
  .replace(PRIVATE_KEY_FOOTER, "")
@@ -174,6 +171,7 @@ void encrypt(
  List<Consumer<Config.TDFConfig>> configs = new ArrayList<>();
  configs.add(Config.withKasInformation(kasInfos));
  metadata.map(Config::withMetaData).ifPresent(configs::add);
+ configs.add(Config.withSystemMetadataAssertion());
  autoconfigure.map(Config::withAutoconfigure).ifPresent(configs::add);
  encapKeyType.map(Config::WithWrappingKeyAlg).ifPresent(configs::add);
  mimeType.map(Config::withMimeType).ifPresent(configs::add);
@@ -191,8 +189,9 @@ void encrypt(
  String fileJson = new String(Files.readAllBytes(Paths.get(assertionConfig)));
  assertionConfigs = gson.fromJson(fileJson, AssertionConfig[].class);
  } catch (JsonSyntaxException e2) {
- throw new RuntimeException("Failed to parse assertion from file, expects an list of assertions", e2);
- } catch(Exception e3) {
+ throw new RuntimeException("Failed to parse assertion from file, expects an list of assertions",
+ e2);
+ } catch (Exception e3) {
  throw new RuntimeException("Could not parse assertion as json string or path to file", e3);
  }
  }
@@ -238,11 +237,15 @@ private SDK buildSDK() {
 
  @CommandLine.Command(name = "decrypt")
  void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
- @Option(names = { "--rewrap-key-type" }, defaultValue = Option.NULL_VALUE, description = "Preferred rewrap algorithm, one of ${COMPLETION-CANDIDATES}") Optional<KeyType> rewrapKeyType,
- @Option(names = { "--with-assertion-verification-disabled" }, defaultValue = "false") boolean disableAssertionVerification,
- @Option(names = { "--with-assertion-verification-keys" }, defaultValue = Option.NULL_VALUE) Optional<String> assertionVerification,
+ @Option(names = {
+ "--rewrap-key-type" }, defaultValue = Option.NULL_VALUE, description = "Preferred rewrap algorithm, one of ${COMPLETION-CANDIDATES}") Optional<KeyType> rewrapKeyType,
+ @Option(names = {
+ "--with-assertion-verification-disabled" }, defaultValue = "false") boolean disableAssertionVerification,
+ @Option(names = {
+ "--with-assertion-verification-keys" }, defaultValue = Option.NULL_VALUE) Optional<String> assertionVerification,
  @Option(names = { "--kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<String> kasAllowlistStr,
- @Option(names = { "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist)
+ @Option(names = {
+ "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist)
  throws Exception {
  try (var sdk = buildSDK()) {
  var opts = new ArrayList<Consumer<Config.TDFReaderConfig>>();
@@ -254,7 +257,8 @@ void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
 
  AssertionVerificationKeys assertionVerificationKeys;
  try {
- assertionVerificationKeys = gson.fromJson(assertionVerificationInput, AssertionVerificationKeys.class);
+ assertionVerificationKeys = gson.fromJson(assertionVerificationInput,
+ AssertionVerificationKeys.class);
  } catch (JsonSyntaxException e) {
  // try it as a file path
  try {
@@ -263,16 +267,20 @@ void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
  } catch (JsonSyntaxException e2) {
  throw new RuntimeException("Failed to parse assertion verification keys from file", e2);
  } catch (Exception e3) {
- throw new RuntimeException("Could not parse assertion verification keys as json string or path to file", e3);
+ throw new RuntimeException(
+ "Could not parse assertion verification keys as json string or path to file",
+ e3);
  }
  }
 
- for (Map.Entry<String, AssertionConfig.AssertionKey> entry : assertionVerificationKeys.keys.entrySet()) {
+ for (Map.Entry<String, AssertionConfig.AssertionKey> entry : assertionVerificationKeys.keys
+ .entrySet()) {
  try {
  Object correctedKey = correctKeyType(entry.getValue().alg, entry.getValue().key, true);
  entry.setValue(new AssertionConfig.AssertionKey(entry.getValue().alg, correctedKey));
  } catch (Exception e) {
- throw new RuntimeException("Error with assertion verification key: " + e.getMessage(), e);
+ throw new RuntimeException("Error with assertion verification key: " + e.getMessage(),
+ e);
  }
  }
  opts.add(Config.withAssertionVerificationKeys(assertionVerificationKeys));
@@ -296,8 +304,10 @@ void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
 
  @CommandLine.Command(name = "metadata")
  void readMetadata(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
- @Option(names = { "--kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<String> kasAllowlistStr,
- @Option(names = { "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist) throws IOException {
+ @Option(names = { "--kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<String> kasAllowlistStr,
+ @Option(names = {
+ "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist)
+ throws IOException {
  var sdk = buildSDK();
  var opts = new ArrayList<Consumer<Config.TDFReaderConfig>>();
  try (var in = FileChannel.open(tdfPath, StandardOpenOption.READ)) {
@@ -344,8 +354,10 @@ void createNanoTDF(
 
  @CommandLine.Command(name = "decryptnano")
  void readNanoTDF(@Option(names = { "-f", "--file" }, required = true) Path nanoTDFPath,
- @Option(names = { "--kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<String> kasAllowlistStr,
- @Option(names = { "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist) throws Exception {
+ @Option(names = { "--kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<String> kasAllowlistStr,
+ @Option(names = {
+ "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist)
+ throws Exception {
  var sdk = buildSDK();
  try (var in = FileChannel.open(nanoTDFPath, StandardOpenOption.READ)) {
  try (var stdout = new BufferedOutputStream(System.out)) {