fix(tdf): align policy binding encoding with spec, keep legacy compat

[biscoe916]

Fixes 3578

Proposed Changes

• Gate policy binding writer in sdk/tdf.go on the existing tdfConfig.useHex flag. Default (spec >= 4.3.0)
  emits Base64(HMAC) per spec; WithTargetMode("<4.3.0") keeps legacy Base64(hex(HMAC)) for
  byte-identical compatibility
• Extract shared decodePolicyBinding helper in service/kas/access/rewrap.go. Length-detects the encoding
  (32 bytes raw vs 64 bytes hex after base64 decode) so KAS dual-accepts both formats — no manifest version
  trust needed
• Fix latent bug in the production rewrap path where the raw branch fed an untrimmed buffer to
  dek.VerifyBinding
• Replace two near-duplicate inline decode blocks with the shared helper

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

Automated:

• go test ./sdk/... ./service/kas/... — round-trip tests cover both encodings; TestDecodePolicyBinding
  covers raw/hex/invalid base64
• golangci-lint run ./sdk/... ./service/kas/...

Manual interop check (recommended before rollout):

1. Encrypt a TDF with this branch's SDK (default mode → raw binding) and rewrap against this branch's KAS —
   should succeed
2. Encrypt a TDF with WithTargetMode("4.2.2") (legacy hex binding) and rewrap against this branch's KAS —
   should succeed
3. Decrypt an existing pre-fix TDF (hex binding) against this branch's KAS — should succeed

Rollout Notes

• Platform KAS dual-accept has been in place since May 2025 (feat(core): New Key Index and Manager Plugin SPI #2095). Customer KAS deployments older than that
  will reject raw bindings — those operators need to upgrade before SDK writers in their fleet default to raw,
  or pin SDKs to WithTargetMode("<4.3.0") until they do
• Hex acceptance must be retained indefinitely — TDFs are archival
• Java and JS SDKs have the same writer bug and need analogous fixes (out of scope here)
• Spec doc should note Base64(hex(HMAC)) as deprecated-but-MUST-accept so third-party KAS implementations
  don't break on archival TDFs

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the TDF policy binding encoding to comply with the latest specification while maintaining backward compatibility for archival TDFs. By introducing a shared decoding helper, the KAS service can now transparently handle both raw and hex-encoded HMAC bindings. Additionally, the changes include necessary adjustments to the SDK configuration and internal rewrap verification logic to ensure robust and consistent behavior across different TDF versions.

Highlights

• Policy Binding Encoding: Updated the SDK to align policy binding encoding with the TDF spec (>= 4.3.0), which now uses Base64(HMAC) instead of the legacy Base64(hex(HMAC)).
• Legacy Compatibility: Implemented a dual-accept mechanism in the KAS service using a new helper function, allowing the system to support both modern and legacy TDF policy bindings without requiring manifest version checks.
• Bug Fixes: Resolved a latent bug in the production rewrap path where an untrimmed buffer was incorrectly passed to the verification logic.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

Old bindings held in hex and base, New standards take a cleaner space. With dual support for past and new, The TDF remains in view.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	179.265468ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	122.236025ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	439.700328ms
Throughput	227.43 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	44.751548924s
Average Latency	445.719496ms
Throughput	111.73 requests/second

[github-actions]

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

• examples
• otdfctl
• sdk
• service
• lib/fixtures
• tests-bdd

See the workflow run for details.

[github-actions]

X-Test Results

✅ go@main-pull-3597
✅ go@main-v0.9.0
✅ java@main-pull-3597
✅ js@main-pull-3597
✅ java@main-v0.9.0
✅ js@main-v0.9.0
cukes-report
opentdfplatformW1YOLU.dockerbuild
govulncheck-failure-8
govulncheck-failure-2
govulncheck-failure-0
govulncheck-failure-3
govulncheck-failure-1
govulncheck-failure-5