fix: policy-binding new structure

sdk/src/main/java/io/opentdf/platform/sdk/Manifest.java

@@ -1,22 +1,87 @@
 package io.opentdf.platform.sdk;
 
+import com.google.gson.JsonDeserializationContext;
+import com.google.gson.JsonDeserializer;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonParseException;
+import com.google.gson.JsonSerializationContext;
+import com.google.gson.JsonSerializer;
+import com.google.gson.annotations.JsonAdapter;
 import com.google.gson.annotations.SerializedName;
 
+import java.lang.reflect.Type;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;
 
 public class Manifest {
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        Manifest manifest = (Manifest) o;
+        return Objects.equals(encryptionInformation, manifest.encryptionInformation) && Objects.equals(payload, manifest.payload) && Objects.equals(assertions, manifest.assertions);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(encryptionInformation, payload, assertions);
+    }
+
+    private static class PolicyBindingSerializer implements JsonDeserializer<Object>, JsonSerializer<Object> {
+        @Override
+        public Object deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context) throws JsonParseException {
+            if (json.isJsonObject()) {
+                return context.deserialize(json, Manifest.PolicyBinding.class);
+            } else if (json.isJsonPrimitive() && json.getAsJsonPrimitive().isString()) {
+                return json.getAsString();
+            } else {
+                throw new JsonParseException("Unexpected type for policyBinding");
+            }
+        }
+
+        @Override
+        public JsonElement serialize(Object src, Type typeOfSrc, JsonSerializationContext context) {
+            return context.serialize(src, typeOfSrc);
+        }
+    }
     static public class Segment {
         public String hash;
         public long segmentSize;
         public long encryptedSegmentSize;
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            Segment segment = (Segment) o;
+            return segmentSize == segment.segmentSize && encryptedSegmentSize == segment.encryptedSegmentSize && Objects.equals(hash, segment.hash);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(hash, segmentSize, encryptedSegmentSize);
+        }
     }
 
     static public class RootSignature {
         @SerializedName(value = "alg")
         public String algorithm;
         @SerializedName(value = "sig")
         public String signature;
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            RootSignature that = (RootSignature) o;
+            return Objects.equals(algorithm, that.algorithm) && Objects.equals(signature, that.signature);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(algorithm, signature);
+        }
     }
 
     static public class IntegrityInformation {
@@ -25,6 +90,37 @@ static public class IntegrityInformation {
         public int segmentSizeDefault;
         public int encryptedSegmentSizeDefault;
         public List<Segment> segments;
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            IntegrityInformation that = (IntegrityInformation) o;
+            return segmentSizeDefault == that.segmentSizeDefault && encryptedSegmentSizeDefault == that.encryptedSegmentSizeDefault && Objects.equals(rootSignature, that.rootSignature) && Objects.equals(segmentHashAlg, that.segmentHashAlg) && Objects.equals(segments, that.segments);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(rootSignature, segmentHashAlg, segmentSizeDefault, encryptedSegmentSizeDefault, segments);
+        }
+    }
+
+    static public class PolicyBinding {
+        public String alg;
+        public String hash;
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            PolicyBinding that = (PolicyBinding) o;
+            return Objects.equals(alg, that.alg) && Objects.equals(hash, that.hash);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(alg, hash);
+        }
     }
 
     static public class KeyAccess {
@@ -33,17 +129,47 @@ static public class KeyAccess {
         public String url;
         public String protocol;
         public String wrappedKey;
-        public String policyBinding;
+        @JsonAdapter(PolicyBindingSerializer.class)
+        public Object policyBinding;
+
         public String encryptedMetadata;
         public String kid;
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            KeyAccess keyAccess = (KeyAccess) o;
+            return Objects.equals(keyType, keyAccess.keyType) && Objects.equals(url, keyAccess.url) && Objects.equals(protocol, keyAccess.protocol) && Objects.equals(wrappedKey, keyAccess.wrappedKey) && Objects.equals(policyBinding, keyAccess.policyBinding) && Objects.equals(encryptedMetadata, keyAccess.encryptedMetadata) && Objects.equals(kid, keyAccess.kid);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(keyType, url, protocol, wrappedKey, policyBinding, encryptedMetadata, kid);
+        }
     }
 
     static public class Method {
         public String algorithm;
         public String iv;
         public Boolean IsStreamable;
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            Method method = (Method) o;
+            return Objects.equals(algorithm, method.algorithm) && Objects.equals(iv, method.iv) && Objects.equals(IsStreamable, method.IsStreamable);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(algorithm, iv, IsStreamable);
+        }
     }
 
+
+
     static public class EncryptionInformation {
         @SerializedName(value = "type")
         public String keyAccessType;
@@ -53,6 +179,19 @@ static public class EncryptionInformation {
         public List<KeyAccess> keyAccessObj;
         public Method method;
         public IntegrityInformation integrityInformation;
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            EncryptionInformation that = (EncryptionInformation) o;
+            return Objects.equals(keyAccessType, that.keyAccessType) && Objects.equals(policy, that.policy) && Objects.equals(keyAccessObj, that.keyAccessObj) && Objects.equals(method, that.method) && Objects.equals(integrityInformation, that.integrityInformation);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(keyAccessType, policy, keyAccessObj, method, integrityInformation);
+        }
     }
 
     static public class Payload {
@@ -61,6 +200,19 @@ static public class Payload {
         public String protocol;
         public String mimeType;
         public Boolean isEncrypted;
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            Payload payload = (Payload) o;
+            return Objects.equals(type, payload.type) && Objects.equals(url, payload.url) && Objects.equals(protocol, payload.protocol) && Objects.equals(mimeType, payload.mimeType) && Objects.equals(isEncrypted, payload.isEncrypted);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(type, url, protocol, mimeType, isEncrypted);
+        }
     }
 
     public EncryptionInformation encryptionInformation;

sdk/src/main/java/io/opentdf/platform/sdk/TDF.java

@@ -2,36 +2,34 @@
 
 
 import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
+import com.google.gson.JsonDeserializationContext;
+import com.google.gson.JsonDeserializer;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonParseException;
+import com.google.gson.JsonSerializationContext;
+import com.google.gson.JsonSerializer;
 import com.nimbusds.jose.*;
 import com.nimbusds.jose.crypto.MACVerifier;
 import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jose.crypto.MACSigner;
-import com.nimbusds.jose.jwk.RSAKey;
-import io.opentdf.platform.kas.RewrapRequest;
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Hex;
-import org.bouncycastle.pqc.crypto.lms.HSSSigner;
 import org.erdtman.jcs.JsonCanonicalizer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.crypto.BadPaddingException;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.lang.reflect.Type;
 import java.nio.channels.SeekableByteChannel;
 import java.nio.charset.StandardCharsets;
 import java.security.*;
 import java.text.ParseException;
-import java.time.Duration;
-import java.time.Instant;
 import java.util.*;
 
 public class TDF {
@@ -68,7 +66,8 @@ public TDF() {
     private static final String kAssertionHash = "assertionHash";
 
     private static final SecureRandom sRandom = new SecureRandom();
-    private static final Gson gson = new GsonBuilder().create();
+
+    private static final Gson gson = new Gson();
 
     public static class DataSizeNotSupported extends RuntimeException {
         public DataSizeNotSupported(String errorMessage) {
@@ -191,7 +190,10 @@ private void prepareManifest(Config.TDFConfig tdfConfig) {
 
                 // Add policyBinding
                 var hexBinding = Hex.encodeHexString(CryptoUtils.CalculateSHA256Hmac(symKey, base64PolicyObject.getBytes(StandardCharsets.UTF_8)));
-                keyAccess.policyBinding = encoder.encodeToString(hexBinding.getBytes(StandardCharsets.UTF_8));
+                var policyBinding = new Manifest.PolicyBinding();
+                policyBinding.alg = kHmacIntegrityAlgorithm;
+                policyBinding.hash = encoder.encodeToString(hexBinding.getBytes(StandardCharsets.UTF_8));
+                keyAccess.policyBinding = policyBinding;
 
                 // Wrap the key with kas public key
                 AsymEncryption asymmetricEncrypt = new AsymEncryption(kasInfo.PublicKey);
@@ -206,7 +208,7 @@ private void prepareManifest(Config.TDFConfig tdfConfig) {
 
                     EncryptedMetadata encryptedMetadata = new EncryptedMetadata();
                     encryptedMetadata.iv = encoder.encodeToString(encrypted.getIv());
-                    encryptedMetadata.ciphertext = encoder.encodeToString(encrypted.getCiphertext());
+                    encryptedMetadata.ciphertext = encoder.encodeToString(encrypted.asBytes());
 
                     var metadata = gson.toJson(encryptedMetadata);
                     keyAccess.encryptedMetadata = encoder.encodeToString(metadata.getBytes(StandardCharsets.UTF_8));
@@ -514,7 +516,6 @@ public Reader loadTDF(SeekableByteChannel tdf, Config.AssertionConfig assertionC
                     EncryptedMetadata encryptedMetadata = gson.fromJson(decodedMetadata, EncryptedMetadata.class);
 
                     var encryptedData = new AesGcm.Encrypted(
-                            decoder.decode(encryptedMetadata.iv),
                             decoder.decode(encryptedMetadata.ciphertext)
                     );
 
@@ -604,4 +605,4 @@ public Reader loadTDF(SeekableByteChannel tdf, Config.AssertionConfig assertionC
 
         return new Reader(tdfReader, manifest, payloadKey, unencryptedMetadata);
     }
-}
+}

sdk/src/test/java/io/opentdf/platform/sdk/ManifestTest.java

@@ -4,13 +4,16 @@
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.List;
+import java.util.Map;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 public class ManifestTest {
     @Test
-    void testManifestMarshalAndUnMarshal()  {
+    void testManifestMarshalAndUnMarshal() {
         String kManifestJsonFromTDF = "{\n" +
                 "  \"encryptionInformation\": {\n" +
                 "    \"integrityInformation\": {\n" +
@@ -31,7 +34,10 @@ void testManifestMarshalAndUnMarshal()  {
                 "    },\n" +
                 "    \"keyAccess\": [\n" +
                 "      {\n" +
-                "        \"policyBinding\": \"YTgzNThhNzc5NWRhMjdjYThlYjk4ZmNmODliNzc2Y2E5ZmZiZDExZDQ3OTM5ODFjZTRjNmE3MmVjOTUzZTFlMA==\",\n" +
+                "        \"policyBinding\": {\n" +
+                "          \"alg\": \"HS256\",\n" +
+                "          \"hash\": \"YTgzNThhNzc5NWRhMjdjYThlYjk4ZmNmODliNzc2Y2E5ZmZiZDExZDQ3OTM5ODFjZTRjNmE3MmVjOTUzZTFlMA==\"\n" +
+                "        },\n" +
                 "        \"protocol\": \"kas\",\n" +
                 "        \"type\": \"wrapped\",\n" +
                 "        \"url\": \"http://localhost:65432/kas\",\n" +
@@ -70,25 +76,18 @@ void testManifestMarshalAndUnMarshal()  {
         List<Manifest.KeyAccess> keyAccess = manifest.encryptionInformation.keyAccessObj;
         assertEquals(keyAccess.get(0).keyType, "wrapped");
         assertEquals(keyAccess.get(0).protocol, "kas");
-
+        assertEquals(Manifest.PolicyBinding.class, keyAccess.get(0).policyBinding.getClass());
+        var policyBinding = (Manifest.PolicyBinding) keyAccess.get(0).policyBinding;
+        assertEquals(policyBinding.alg, "HS256");
+        assertEquals(policyBinding.hash, "YTgzNThhNzc5NWRhMjdjYThlYjk4ZmNmODliNzc2Y2E5ZmZiZDExZDQ3OTM5ODFjZTRjNmE3MmVjOTUzZTFlMA==");
         assertEquals(manifest.encryptionInformation.method.algorithm, "AES-256-GCM");
         assertEquals(manifest.encryptionInformation.integrityInformation.rootSignature.algorithm, "HS256");
         assertEquals(manifest.encryptionInformation.integrityInformation.segmentHashAlg, "GMAC");
         assertEquals(manifest.encryptionInformation.integrityInformation.segments.get(0).segmentSize, 1048576);
 
-        System.out.println(gson.toJson(manifest));
-
-
-        Manifest.Payload payload = new Manifest.Payload();
-        payload.protocol = "zip";
-
-        Manifest.EncryptionInformation encryptionInformation = manifest.encryptionInformation;
-        encryptionInformation.policy = "updated policy";
-
-        Manifest newManifest = new Manifest();
-        newManifest.payload = payload;
-        newManifest.encryptionInformation = encryptionInformation;
+        var serialized = gson.toJson(manifest);
+        var deserializedAgain = gson.fromJson(serialized, Manifest.class);
 
-        System.out.println(gson.toJson(newManifest));
+        assertEquals(manifest, deserializedAgain, "something changed when we deserialized -> serialized -> deserialized");
     }
 }

sdk/src/test/java/io/opentdf/platform/sdk/TDFWriterTest.java

@@ -16,7 +16,7 @@ public class TDFWriterTest {
     @Test
     void simpleTDFCreate() throws IOException {
 
-        String kManifestJsonFromTDF = "{\n" +
+String kManifestJsonFromTDF = "{\n" +
                 "  \"encryptionInformation\": {\n" +
                 "    \"integrityInformation\": {\n" +
                 "      \"encryptedSegmentSizeDefault\": 1048604,\n" +
@@ -36,7 +36,10 @@ void simpleTDFCreate() throws IOException {
                 "    },\n" +
                 "    \"keyAccess\": [\n" +
                 "      {\n" +
-                "        \"policyBinding\": \"YTgzNThhNzc5NWRhMjdjYThlYjk4ZmNmODliNzc2Y2E5ZmZiZDExZDQ3OTM5ODFjZTRjNmE3MmVjOTUzZTFlMA==\",\n" +
+                "        \"policyBinding\": {\n" +
+                "          \"alg\": \"HS256\",\n" +
+                "          \"hash\": \"YTgzNThhNzc5NWRhMjdjYThlYjk4ZmNmODliNzc2Y2E5ZmZiZDExZDQ3OTM5ODFjZTRjNmE3MmVjOTUzZTFlMA==\"\n" +
+                "        },\n" +
                 "        \"protocol\": \"kas\",\n" +
                 "        \"type\": \"wrapped\",\n" +
                 "        \"url\": \"http://localhost:65432/kas\",\n" +