feat: assertion verification disable (#419)

.github/spellcheck.ignore

@@ -77,6 +77,7 @@ localhost
 namespace
 namespaces
 nano
+no-verify-assertions
 ns
 otdfctl
 performant

cmd/tdf-decrypt.go

@@ -20,6 +20,7 @@ func dev_tdfDecryptCmd(cmd *cobra.Command, args []string) {
 
 	output := c.Flags.GetOptionalString("out")
 	tdfType := c.Flags.GetOptionalString("tdf-type")
+	disableAssertionVerification := c.Flags.GetOptionalBool("no-verify-assertions")
 	if tdfType == "" {
 		tdfType = TDF3
 	}
@@ -43,7 +44,7 @@ func dev_tdfDecryptCmd(cmd *cobra.Command, args []string) {
 	var err error
 	switch tdfType {
 	case TDF3:
-		decrypted, err = h.DecryptTDF(bytesToDecrypt)
+		decrypted, err = h.DecryptTDF(bytesToDecrypt, disableAssertionVerification)
 	case NANO:
 		decrypted, err = h.DecryptNanoTDF(bytesToDecrypt)
 	default:
@@ -86,6 +87,12 @@ func init() {
 		decryptCmd.GetDocFlag("tdf-type").Default,
 		decryptCmd.GetDocFlag("tdf-type").Description,
 	)
+	decryptCmd.Flags().Bool(
+		decryptCmd.GetDocFlag("no-verify-assertions").Name,
+		decryptCmd.GetDocFlag("no-verify-assertions").DefaultAsBool(),
+		decryptCmd.GetDocFlag("no-verify-assertions").Description,
+	)
+
 	decryptCmd.Command.GroupID = TDF
 
 	RootCmd.AddCommand(&decryptCmd.Command)

docs/man/decrypt/_index.md

@@ -14,6 +14,9 @@ command:
         - tdf3
         - nano
       default: tdf3
+    - name: no-verify-assertions
+      description: disable verification of assertions
+      default: false
 ---
 
 Decrypt a Trusted Data Format (TDF) file and output the contents to stdout or a file in the current working directory.

go.mod

@@ -12,11 +12,12 @@ require (
 	github.com/creasty/defaults v1.8.0
 	github.com/evertras/bubble-table v0.16.1
 	github.com/gabriel-vasile/mimetype v1.4.5
+	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.6.0
 	github.com/opentdf/platform/lib/flattening v0.1.1
 	github.com/opentdf/platform/protocol/go v0.2.18
-	github.com/opentdf/platform/sdk v0.3.15
+	github.com/opentdf/platform/sdk v0.3.17
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
 	github.com/stretchr/testify v1.9.0
@@ -49,7 +50,6 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect

go.sum

@@ -223,8 +223,8 @@ github.com/opentdf/platform/lib/ocrypto v0.1.6 h1:rd4ctCZOE/c3qDJORtkSK9tw6dEXb+
 github.com/opentdf/platform/lib/ocrypto v0.1.6/go.mod h1:ne+l8Q922OdzA0xesK3XJmfECBnn5vLSGYU3/3OhiHM=
 github.com/opentdf/platform/protocol/go v0.2.18 h1:s+TVZkOPGCzy7WyObtJWJNaFeOGDUTuSmAsq3omvugY=
 github.com/opentdf/platform/protocol/go v0.2.18/go.mod h1:WqDcnFQJb0v8ivRQPidbehcL8ils5ZSZYXkuv0nyvsI=
-github.com/opentdf/platform/sdk v0.3.15 h1:RFSZ93SlBiZfFY6JAFLWbv4JC/H/KwC1acxyxCjPNnM=
-github.com/opentdf/platform/sdk v0.3.15/go.mod h1:c2+nrsRLvLf2OOryXnNy0iGZN/TScc21Pul7uqKVXIs=
+github.com/opentdf/platform/sdk v0.3.17 h1:Uo/kTMneB18i0gZNfTRtvw34bGLFUc8BEnA/BMK0VVs=
+github.com/opentdf/platform/sdk v0.3.17/go.mod h1:c2+nrsRLvLf2OOryXnNy0iGZN/TScc21Pul7uqKVXIs=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=

pkg/handlers/tdf.go

@@ -47,8 +47,10 @@ func (h Handler) EncryptBytes(b []byte, values []string, mimeType string, kasUrl
 	return enc, nil
 }
 
-func (h Handler) DecryptTDF(toDecrypt []byte) (*bytes.Buffer, error) {
-	tdfreader, err := h.sdk.LoadTDF(bytes.NewReader(toDecrypt))
+func (h Handler) DecryptTDF(toDecrypt []byte, disableAssertionVerification bool) (*bytes.Buffer, error) {
+	tdfreader, err := h.sdk.LoadTDF(bytes.NewReader(toDecrypt),
+		sdk.WithDisableAssertionVerification(disableAssertionVerification),
+	)
 	if err != nil {
 		return nil, err
 	}