Skip to content

feat(docs): expand TDF documentation #225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
marythought wants to merge 18 commits into
base: main
Choose a base branch
from
+2,094 −20
Open

feat(docs): expand TDF documentation #225

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
d8c8ddd
feat(docs): expand TDF documentation with full encrypt/decrypt options
marythought Mar 4, 2026
757c398
Merge branch 'main' into docs/DSPX-2427-expand-tdf-documentation
marythought Mar 4, 2026
3f138c0
Remove OpenTDF brand reference from tdf.mdx prose for DSP import
marythought Mar 4, 2026
a793b6f
Remove prerequisites callout; add intro to Basic Encrypt & Decrypt se…
marythought Mar 4, 2026
ff319f1
restructure TDF page as API reference with method signatures and para…
marythought Mar 4, 2026
658e994
fix code review: remove unused open() call and define ctx in bulk dec…
marythought Mar 4, 2026
4e4076c
add necessary imports to all Go, Java, and TypeScript code blocks
marythought Mar 4, 2026
97e6a2f
add Manifest Object reference section with field tables and example
marythought Mar 4, 2026
0bb1b9b
add KASInfo and PolicyObject type reference sections
marythought Mar 4, 2026
4dbdff5
fix: add cross-reference links and fix anchor in tdf.mdx
marythought Mar 4, 2026
20b549f
refactor: demote method sub-sections to bold labels in tdf.mdx
marythought Mar 4, 2026
9fe3e0b
fix: use real angle brackets inside backtick spans in PolicyObject table
marythought Mar 4, 2026
45ccf8e
docs: clarify wrapping key algorithm and session key type descriptions
marythought Mar 4, 2026
a40cebb
docs: replace classification/secret FQNs with clearance/executive acr…
marythought Mar 4, 2026
bb0a77e
Merge branch 'main' into docs/DSPX-2427-expand-tdf-documentation
marythought Mar 4, 2026
16d814f
refactor: remove duplicate Reading the Decrypted Payload section
marythought Mar 4, 2026
8121305
docs(tdf): address developer experience blockers
marythought Mar 4, 2026
77052ab
docs(tdf): add page intro with section map and remove auth guide link
marythought Mar 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
358 changes: 358 additions & 0 deletions code_samples/tdf/decrypt_options.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,358 @@
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

## Decrypt Options

The following options can be passed to the decrypt call to control how the TDF is opened and validated.

---

### KAS Allowlist

Restrict decryption to only contact KAS endpoints on an explicit allowlist. If the TDF references a KAS not on the list, decryption will fail. This is a security control to prevent credential exfiltration to a rogue KAS.

<Tabs>
<TabItem value="go" label="Go">

```go
import (
"bytes"

"github.com/opentdf/platform/sdk"
)

tdfReader, err := client.LoadTDF(
bytes.NewReader(encryptedBytes),
sdk.WithKasAllowlist([]string{
"https://kas.example.com",
"https://kas-backup.example.com",
}),
)
```

</TabItem>
<TabItem value="java" label="Java">

```java
import io.opentdf.platform.sdk.Config;
import io.opentdf.platform.sdk.TDF;

Config.TDFReaderConfig readerConfig = Config.newTDFReaderConfig(
Config.WithKasAllowlist(
"https://kas.example.com",
"https://kas-backup.example.com"
)
);
TDF.Reader reader = sdk.loadTDF(fileChannel, readerConfig);
```

</TabItem>
<TabItem value="js" label="JavaScript">

```typescript
const plaintext = await client.read({
source: { type: 'buffer', location: encryptedBytes },
allowedKASEndpoints: [
'https://kas.example.com',
'https://kas-backup.example.com',
],
});
```

</TabItem>
</Tabs>

---

### Ignore KAS Allowlist

Disable the KAS allowlist check entirely. The SDK will contact any KAS referenced in the TDF manifest without restriction.

:::warning Security consideration
Only use this in controlled environments (e.g., integration tests, airgapped deployments where all KAS endpoints are trusted). In production, the allowlist is an important defence against credential forwarding attacks.
:::

<Tabs>
<TabItem value="go" label="Go">

```go
import (
"bytes"

"github.com/opentdf/platform/sdk"
)

tdfReader, err := client.LoadTDF(
bytes.NewReader(encryptedBytes),
sdk.WithIgnoreAllowlist(true),
)
```

</TabItem>
<TabItem value="java" label="Java">

```java
import io.opentdf.platform.sdk.Config;
import io.opentdf.platform.sdk.TDF;

Config.TDFReaderConfig readerConfig = Config.newTDFReaderConfig(
Config.WithIgnoreKasAllowlist(true)
);
TDF.Reader reader = sdk.loadTDF(fileChannel, readerConfig);
```

</TabItem>
<TabItem value="js" label="JavaScript">

```typescript
const plaintext = await client.read({
source: { type: 'buffer', location: encryptedBytes },
ignoreAllowlist: true,
});
```

</TabItem>
</Tabs>

---

### Assertion Verification Keys

Provide public keys used to verify signed assertions embedded in the TDF. If an assertion was signed during encryption, you must supply the corresponding verification key here or verification will fail.

<Tabs>
<TabItem value="go" label="Go">

```go
import (
"bytes"

"github.com/opentdf/platform/sdk"
)

verificationKeys := sdk.AssertionVerificationKeys{
Keys: map[string]sdk.AssertionKey{
"assertion-1": {
Alg: sdk.AssertionKeyAlgRS256,
Key: rsaPublicKey, // *rsa.PublicKey
},
},
}

tdfReader, err := client.LoadTDF(
bytes.NewReader(encryptedBytes),
sdk.WithAssertionVerificationKeys(verificationKeys),
)
```

</TabItem>
<TabItem value="java" label="Java">

```java
import io.opentdf.platform.sdk.AssertionConfig;
import io.opentdf.platform.sdk.Config;
import io.opentdf.platform.sdk.TDF;
import java.util.Map;

var assertionKey = new AssertionConfig.AssertionKey(
AssertionConfig.AssertionKeyAlg.RS256,
rsaPublicKey
);

var verificationKeys = new Config.AssertionVerificationKeys();
verificationKeys.keys = Map.of("assertion-1", assertionKey);

Config.TDFReaderConfig readerConfig = Config.newTDFReaderConfig(
Config.withAssertionVerificationKeys(verificationKeys)
);
TDF.Reader reader = sdk.loadTDF(fileChannel, readerConfig);
```

</TabItem>
<TabItem value="js" label="JavaScript">

```typescript
const plaintext = await client.read({
source: { type: 'buffer', location: encryptedBytes },
assertionVerificationKeys: {
keys: {
'assertion-1': {
alg: 'RS256',
key: rsaPublicKey, // CryptoKey
},
},
},
});
```

</TabItem>
</Tabs>

---

### Disable Assertion Verification

Skip cryptographic verification of all assertions in the TDF. The assertions will still be read and returned, but their signatures will not be checked.

:::warning
Disabling assertion verification removes a tamper-detection layer. Only use this when you have explicitly verified the TDF's integrity through another mechanism.
:::

<Tabs>
<TabItem value="go" label="Go">

```go
import (
"bytes"

"github.com/opentdf/platform/sdk"
)

tdfReader, err := client.LoadTDF(
bytes.NewReader(encryptedBytes),
sdk.WithDisableAssertionVerification(true),
)
```

</TabItem>
<TabItem value="java" label="Java">

```java
import io.opentdf.platform.sdk.Config;
import io.opentdf.platform.sdk.TDF;

Config.TDFReaderConfig readerConfig = Config.newTDFReaderConfig(
Config.withDisableAssertionVerification(true)
);
TDF.Reader reader = sdk.loadTDF(fileChannel, readerConfig);
```

</TabItem>
<TabItem value="js" label="JavaScript">

```typescript
const plaintext = await client.read({
source: { type: 'buffer', location: encryptedBytes },
noVerify: true,
});
```

</TabItem>
</Tabs>

---

### Session Key Type

During decryption, the SDK generates a short-lived (ephemeral) asymmetric key pair and sends the public half to the KAS. The KAS uses it to securely return the unwrapped Data Encryption Key back to the SDK. This option controls the algorithm used for that ephemeral key pair.

The default is `rsa:2048`. Use `ec:secp256r1` (or another EC variant) for smaller messages and faster key exchange. Must match an algorithm supported by the KAS.

<Tabs>
<TabItem value="go" label="Go">

```go
import (
"bytes"

"github.com/opentdf/platform/lib/ocrypto"
"github.com/opentdf/platform/sdk"
)

tdfReader, err := client.LoadTDF(
bytes.NewReader(encryptedBytes),
sdk.WithSessionKeyType(ocrypto.EC256Key),
)
```

</TabItem>
<TabItem value="java" label="Java">

```java
import io.opentdf.platform.sdk.Config;
import io.opentdf.platform.sdk.TDF;

Config.TDFReaderConfig readerConfig = Config.newTDFReaderConfig(
Config.WithSessionKeyType(KeyType.EC256Key)
);
TDF.Reader reader = sdk.loadTDF(fileChannel, readerConfig);
```

</TabItem>
<TabItem value="js" label="JavaScript">

```typescript
const plaintext = await client.read({
source: { type: 'buffer', location: encryptedBytes },
wrappingKeyAlgorithm: 'ec:secp256r1',
});
```

</TabItem>
</Tabs>

---

### Fulfillable Obligations

Declare which obligation FQNs the calling application is prepared to fulfil. The platform may attach obligations to an access decision — if an obligation is not declared as fulfillable, decryption may be denied.

<Tabs>
<TabItem value="go" label="Go">

```go
import (
"bytes"

"github.com/opentdf/platform/sdk"
)

tdfReader, err := client.LoadTDF(
bytes.NewReader(encryptedBytes),
sdk.WithTDFFulfillableObligationFQNs([]string{
"https://example.com/obl/audit/value/log",
"https://example.com/obl/watermark/value/apply",
}),
)
```

</TabItem>
<TabItem value="java" label="Java">

Fulfillable obligations are not yet supported in the Java SDK TDF reader config. Configure them at the SDK level via `SDKBuilder` if available, or handle obligation enforcement in your application logic after reading the policy object.

</TabItem>
<TabItem value="js" label="JavaScript">

```typescript
const plaintext = await client.read({
source: { type: 'buffer', location: encryptedBytes },
fulfillableObligationFQNs: [
'https://example.com/obl/audit/value/log',
'https://example.com/obl/watermark/value/apply',
],
});
```

</TabItem>
</Tabs>

---

### Max Manifest Size (Go only)

Limit the maximum size of the TDF manifest that the SDK will parse. This is a defence against malformed or malicious TDFs with abnormally large manifests.

```go
import (
"bytes"

"github.com/opentdf/platform/sdk"
)

tdfReader, err := client.LoadTDF(
bytes.NewReader(encryptedBytes),
sdk.WithMaxManifestSize(1 * 1024 * 1024), // 1 MB limit
)
```

Loading