feat!: Updates to the AWS Encryption SDK.

This change includes fixes for issues that were reported by Thai Duong from Google's Security team, and
for issues that were identified by AWS Cryptography.

BREAKING CHANGE: AWS KMS KeyIDs must be specified explicitly or Discovery mode explicitly chosen.
Key committing suites are now default. CommitmentPolicy requires commitment by default.

See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/migration.html

Author: seebees

modules/client-browser/src/index.ts

@@ -16,7 +16,7 @@ import { buildEncrypt } from '@aws-crypto/encrypt-browser'
 import { buildDecrypt } from '@aws-crypto/decrypt-browser'
 
 export function buildClient(
-  commitmentPolicy: CommitmentPolicy
+  commitmentPolicy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
 ): ReturnType<typeof buildEncrypt> & ReturnType<typeof buildDecrypt> {
   return {
     ...buildEncrypt(commitmentPolicy),

modules/client-node/src/index.ts

@@ -15,7 +15,7 @@ import { buildEncrypt } from '@aws-crypto/encrypt-node'
 import { buildDecrypt } from '@aws-crypto/decrypt-node'
 
 export function buildClient(
-  commitmentPolicy: CommitmentPolicy
+  commitmentPolicy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
 ): ReturnType<typeof buildEncrypt> & ReturnType<typeof buildDecrypt> {
   return {
     ...buildEncrypt(commitmentPolicy),

modules/decrypt-browser/src/decrypt.ts

@@ -64,7 +64,7 @@ export async function _decrypt(
     .map((i) => (i > 15 ? i.toString(16) : '0' + i.toString(16)))
     .join('')
 
-  /* The parsed header algorithmSuite in _decrypt must be supported by the commitmentPolicy. */
+  /* Precondition: The parsed header algorithmSuite in _decrypt must be supported by the commitmentPolicy. */
   CommitmentPolicySuites.isDecryptEnabled(
     commitmentPolicy,
     algorithmSuite,
@@ -79,7 +79,7 @@ export async function _decrypt(
     encryptedDataKeys,
   })
 
-  /* The material algorithmSuite returned to _decrypt must be supported by the commitmentPolicy. */
+  /* Precondition: The material algorithmSuite returned to _decrypt must be supported by the commitmentPolicy. */
   CommitmentPolicySuites.isDecryptEnabled(
     commitmentPolicy,
     material.suite,

modules/decrypt-browser/src/decrypt_client.ts

@@ -15,7 +15,7 @@ type CurryFirst<fn extends (...a: any[]) => any> = fn extends (
   : []
 
 export function buildDecrypt(
-  commitmentPolicy: CommitmentPolicy
+  commitmentPolicy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
 ): {
   decrypt: (...args: CurryFirst<typeof _decrypt>) => ReturnType<typeof _decrypt>
 } {

modules/decrypt-browser/src/index.ts

@@ -1,11 +1,5 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { CommitmentPolicy } from '@aws-crypto/material-management-browser'
-import { buildDecrypt } from './decrypt_client'
+export { buildDecrypt } from './decrypt_client'
 export { MessageHeader } from '@aws-crypto/serialize'
-/** @deprecated Use `buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)` for migration. */
-export const { decrypt } = buildDecrypt(
-  CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
-)
-export { buildDecrypt }

modules/decrypt-browser/test/compatibility.test.ts

@@ -5,7 +5,7 @@
 
 import * as chai from 'chai'
 import chaiAsPromised from 'chai-as-promised'
-import { decrypt } from '../src/index'
+import { buildDecrypt } from '../src/index'
 import {
   needs,
   importForWebCryptoDecryptionMaterial,
@@ -15,7 +15,10 @@ import {
   WebCryptoEncryptionMaterial,
 } from '@aws-crypto/material-management-browser'
 import * as fixtures from './fixtures'
-import { MessageFormat } from '@aws-crypto/material-management'
+import {
+  CommitmentPolicy,
+  MessageFormat,
+} from '@aws-crypto/material-management'
 import {
   KmsKeyringBrowser,
   KMS,
@@ -26,6 +29,8 @@ import { toUtf8 } from '@aws-sdk/util-utf8-browser'
 chai.use(chaiAsPromised)
 const { expect } = chai
 
+const { decrypt } = buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+
 declare const credentials: {
   accessKeyId: string
   secretAccessKey: string

modules/decrypt-browser/test/decrypt.test.ts

@@ -5,7 +5,7 @@
 
 import * as chai from 'chai'
 import chaiAsPromised from 'chai-as-promised'
-import { decrypt } from '../src/index'
+import { buildDecrypt } from '../src/index'
 import { _decrypt } from '../src/decrypt'
 import {
   AlgorithmSuiteIdentifier,
@@ -16,9 +16,15 @@ import {
   WebCryptoEncryptionMaterial,
 } from '@aws-crypto/material-management-browser'
 import * as fixtures from './fixtures'
-import { MessageFormat } from '@aws-crypto/material-management'
+import {
+  CommitmentPolicy,
+  MessageFormat,
+  WebCryptoAlgorithmSuite,
+} from '@aws-crypto/material-management'
+import { fromBase64 } from '@aws-sdk/util-base64-browser'
 chai.use(chaiAsPromised)
 const { expect } = chai
+const { decrypt } = buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
 
 describe('decrypt', () => {
   it('buffer', async () => {
@@ -42,41 +48,41 @@ describe('decrypt', () => {
     ).to.rejectedWith(Error, 'Invalid commitment policy.')
   })
 
-  // it('The parsed header algorithmSuite in _decrypt must be supported by the commitmentPolicy.', async () => {
-  //   await expect(
-  //     _decrypt(
-  //       CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
-  //       fixtures.decryptKeyring(),
-  //       fixtures.base64CiphertextAlgAes256GcmIv12Tag16HkdfSha384EcdsaP384With4Frames()
-  //     )
-  //   ).to.rejectedWith(
-  //     Error,
-  //     'Configuration conflict. Cannot process message with ID'
-  //   )
-  // })
-
-  // it('The material algorithmSuite returned to _decrypt must be supported by the commitmentPolicy.', async () => {
-  //   const cmm = {
-  //     async decryptMaterials() {
-  //       return new WebCryptoDecryptionMaterial(
-  //         new WebCryptoAlgorithmSuite(
-  //           AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384
-  //         ),
-  //         {}
-  //       )
-  //     },
-  //   } as any
-  //   await expect(
-  //     _decrypt(
-  //       CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
-  //       cmm,
-  //       fromBase64(fixtures.compatibilityVectors().tests[0].ciphertext)
-  //     )
-  //   ).to.rejectedWith(
-  //     Error,
-  //     'Configuration conflict. Cannot process message with ID'
-  //   )
-  // })
+  it('Precondition: The parsed header algorithmSuite in _decrypt must be supported by the commitmentPolicy.', async () => {
+    await expect(
+      _decrypt(
+        CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
+        fixtures.decryptKeyring(),
+        fixtures.base64CiphertextAlgAes256GcmIv12Tag16HkdfSha384EcdsaP384With4Frames()
+      )
+    ).to.rejectedWith(
+      Error,
+      'Configuration conflict. Cannot process message with ID'
+    )
+  })
+
+  it('Precondition: The material algorithmSuite returned to _decrypt must be supported by the commitmentPolicy.', async () => {
+    const cmm = {
+      async decryptMaterials() {
+        return new WebCryptoDecryptionMaterial(
+          new WebCryptoAlgorithmSuite(
+            AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384
+          ),
+          {}
+        )
+      },
+    } as any
+    await expect(
+      _decrypt(
+        CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
+        cmm,
+        fromBase64(fixtures.compatibilityVectors().tests[0].ciphertext)
+      )
+    ).to.rejectedWith(
+      Error,
+      'Configuration conflict. Cannot process message with ID'
+    )
+  })
 
   it('Precondition: The sequenceNumber is required to monotonically increase, starting from 1.', async () => {
     return decrypt(

modules/decrypt-node/src/decrypt_client.ts

@@ -13,7 +13,7 @@ type CurryFirst<fn extends (...a: any[]) => any> = fn extends (
   : never
 
 export function buildDecrypt(
-  commitmentPolicy: CommitmentPolicy
+  commitmentPolicy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
 ): {
   decryptStream: (
     ...args: CurryFirst<typeof _decryptStream>

modules/decrypt-node/src/index.ts

@@ -1,21 +1,5 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-import { CommitmentPolicy } from '@aws-crypto/material-management-node'
-import { buildDecrypt } from './decrypt_client'
+
+export { buildDecrypt } from './decrypt_client'
 export { MessageHeader } from '@aws-crypto/serialize'
-import { deprecate } from 'util'
-const { decrypt: decryptTmp, decryptStream: decryptStreamTmp } = buildDecrypt(
-  CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
-)
-/** @deprecated Use `buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)` for migration. */
-const decrypt = deprecate(
-  decryptTmp,
-  'Use `buildClient(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)` for migration. See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/troubleshooting-migration.html'
-)
-/** @deprecated Use `buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)` for migration. */
-const decryptStream = deprecate(
-  decryptStreamTmp,
-  'Use `buildClient(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)` for migration. See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/troubleshooting-migration.html'
-)
-export { decrypt, decryptStream }
-export { buildDecrypt }

modules/decrypt-node/src/parse_header_stream.ts

@@ -67,7 +67,7 @@ export class ParseHeaderStream extends PortableTransformWithType {
 
     const { messageHeader, algorithmSuite } = headerInfo
     const messageIDStr = Buffer.from(messageHeader.messageId).toString('hex')
-    /* The parsed header algorithmSuite from ParseHeaderStream must be supported by the commitmentPolicy. */
+    /* Precondition: The parsed header algorithmSuite from ParseHeaderStream must be supported by the commitmentPolicy. */
     CommitmentPolicySuites.isDecryptEnabled(
       commitmentPolicy,
       algorithmSuite,
@@ -83,7 +83,7 @@ export class ParseHeaderStream extends PortableTransformWithType {
     materialsManager
       .decryptMaterials({ suite, encryptionContext, encryptedDataKeys })
       .then((material) => {
-        /* The material algorithmSuite returned to ParseHeaderStream must be supported by the commitmentPolicy. */
+        /* Precondition: The material algorithmSuite returned to ParseHeaderStream must be supported by the commitmentPolicy. */
         CommitmentPolicySuites.isDecryptEnabled(
           commitmentPolicy,
           material.suite,

modules/decrypt-node/test/compatibility.test.ts

@@ -11,14 +11,20 @@ import {
   NodeDecryptionMaterial,
   NodeEncryptionMaterial,
 } from '@aws-crypto/material-management-node'
-import { decrypt } from '../src/index'
+import { buildDecrypt } from '../src/index'
 import * as fixtures from './fixtures'
 chai.use(chaiAsPromised)
 const { expect } = chai
-import { MessageFormat, needs } from '@aws-crypto/material-management'
+import {
+  CommitmentPolicy,
+  MessageFormat,
+  needs,
+} from '@aws-crypto/material-management'
 
 import { KmsKeyringNode } from '@aws-crypto/kms-keyring-node'
 
+const { decrypt } = buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+
 describe('committing algorithm test', () => {
   fixtures.compatibilityVectors().tests.forEach((test) => {
     it(test.comment, async () => {

modules/decrypt-node/test/decrypt.test.ts

@@ -5,12 +5,16 @@
 
 import * as chai from 'chai'
 import chaiAsPromised from 'chai-as-promised'
-import { AlgorithmSuiteIdentifier } from '@aws-crypto/material-management-node'
-import { decrypt } from '../src/index'
+import {
+  AlgorithmSuiteIdentifier,
+  CommitmentPolicy,
+} from '@aws-crypto/material-management-node'
+import { buildDecrypt } from '../src/index'
 import * as fixtures from './fixtures'
 chai.use(chaiAsPromised)
 const { expect } = chai
 import from from 'from2'
+const { decrypt } = buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
 
 describe('decrypt', () => {
   it('string with encoding', async () => {

modules/decrypt-node/test/parse_header_stream.test.ts

@@ -10,6 +10,9 @@ import * as stream from 'stream'
 const pipeline = util.promisify(stream.pipeline)
 import { ParseHeaderStream } from '../src/parse_header_stream'
 import {
+  NodeAlgorithmSuite,
+  NodeDecryptionMaterial,
+  AlgorithmSuiteIdentifier,
   NodeDefaultCryptographicMaterialsManager,
   needs,
 } from '@aws-crypto/material-management-node'
@@ -37,40 +40,48 @@ describe('ParseHeaderStream', () => {
     )
   })
 
-  // it('The parsed header algorithmSuite from ParseHeaderStream must be supported by the commitmentPolicy.', async () => {
-  //   const cmm = new NodeDefaultCryptographicMaterialsManager(
-  //     fixtures.decryptKeyring()
-  //   )
-  //   const data = Buffer.from(
-  //     fixtures.base64Ciphertext4BytesWith4KFrameLength(),
-  //     'base64'
-  //   )
+  it('Precondition: The parsed header algorithmSuite from ParseHeaderStream must be supported by the commitmentPolicy.', async () => {
+    const cmm = new NodeDefaultCryptographicMaterialsManager(
+      fixtures.decryptKeyring()
+    )
+    const data = Buffer.from(
+      fixtures.base64Ciphertext4BytesWith4KFrameLength(),
+      'base64'
+    )
 
-  //   await expect(
-  //     testStream(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, cmm, data)
-  //   ).to.rejectedWith(Error, 'Configuration conflict. Cannot process message with ID')
-  // })
+    await expect(
+      testStream(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, cmm, data)
+    ).to.rejectedWith(
+      Error,
+      'Configuration conflict. Cannot process message with ID'
+    )
+  })
 
-  // it('The material algorithmSuite returned to ParseHeaderStream must be supported by the commitmentPolicy.', async () => {
-  //   let called_decryptMaterials = false
-  //   const cmm = {
-  //     async decryptMaterials() {
-  //       called_decryptMaterials = true
-  //       const suite = new NodeAlgorithmSuite(AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384)
-  //       return new NodeDecryptionMaterial(suite, {})
-  //     }
-  //   } as any
-  //   const data = Buffer.from(
-  //     fixtures.compatibilityVectors().tests[0].ciphertext,
-  //     'base64'
-  //   )
+  it('Precondition: The material algorithmSuite returned to ParseHeaderStream must be supported by the commitmentPolicy.', async () => {
+    let called_decryptMaterials = false
+    const cmm = {
+      async decryptMaterials() {
+        called_decryptMaterials = true
+        const suite = new NodeAlgorithmSuite(
+          AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384
+        )
+        return new NodeDecryptionMaterial(suite, {})
+      },
+    } as any
+    const data = Buffer.from(
+      fixtures.compatibilityVectors().tests[0].ciphertext,
+      'base64'
+    )
 
-  //   await expect(
-  //     testStream(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, cmm, data)
-  //   ).to.rejectedWith(Error, 'Configuration conflict. Cannot process message with ID')
+    await expect(
+      testStream(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, cmm, data)
+    ).to.rejectedWith(
+      Error,
+      'Configuration conflict. Cannot process message with ID'
+    )
 
-  //   expect(called_decryptMaterials).to.equal(true)
-  // })
+    expect(called_decryptMaterials).to.equal(true)
+  })
 
   it('Postcondition: A completed header MUST have been processed.', async () => {
     const completeHeaderLength = 73

modules/encrypt-browser/src/encrypt_client.ts

@@ -15,7 +15,7 @@ type CurryFirst<fn extends (...a: any[]) => any> = fn extends (
   : []
 
 export function buildEncrypt(
-  commitmentPolicy: CommitmentPolicy
+  commitmentPolicy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
 ): {
   encrypt: (...args: CurryFirst<typeof _encrypt>) => ReturnType<typeof _encrypt>
 } {

modules/encrypt-browser/src/index.ts

@@ -1,13 +1,5 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { CommitmentPolicy } from '@aws-crypto/material-management-browser'
-import { buildEncrypt } from './encrypt_client'
+export { buildEncrypt } from './encrypt_client'
 export { MessageHeader } from '@aws-crypto/serialize'
-
-/** @deprecated Use `buildEncrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)` for migration. */
-export const { encrypt } = buildEncrypt(
-  CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
-)
-
-export { buildEncrypt }