fix: material-management should not export DOM types (#147)

seebees · web-flow · commit 0f4dd7ebf25d · 2019-07-17T13:09:09.000-07:00
resolves #137 Cryptographic materials need to understand CryptoKeys to insure that a given algorithm suite is satisfied. However, by exporting the DOM types in function calls, all dependent modules must import DOM types. This pollution is not needed, especially for node packages. Pull the type structure into the module and export that interface. Update raw_aes_materials to use new types.
diff --git a/modules/material-management/src/cryptographic_material.ts b/modules/material-management/src/cryptographic_material.ts
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-import { MixedBackendCryptoKey, SupportedAlgorithmSuites } from './types' // eslint-disable-line no-unused-vars
+import { MixedBackendCryptoKey, SupportedAlgorithmSuites, AwsEsdkJsCryptoKey, AwsEsdkJsKeyUsage } from './types' // eslint-disable-line no-unused-vars
 import { EncryptedDataKey } from './encrypted_data_key'
 import { SignatureKey, VerificationKey } from './signature_key'
 import { frozenClass, readOnlyProperty } from './immutable_class'
@@ -97,10 +97,10 @@ export interface DecryptionMaterial<T extends CryptographicMaterial<T>> extends
 }
 
 export interface WebCryptoMaterial<T extends CryptographicMaterial<T>> extends CryptographicMaterial<T> {
-  setCryptoKey: (dataKey: CryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => T
-  getCryptoKey: () => CryptoKey|MixedBackendCryptoKey
+  setCryptoKey: (dataKey: AwsEsdkJsCryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => T
+  getCryptoKey: () => AwsEsdkJsCryptoKey|MixedBackendCryptoKey
   hasCryptoKey: boolean
-  validUsages: ReadonlyArray<KeyUsage>
+  validUsages: ReadonlyArray<AwsEsdkJsKeyUsage>
 }
 
 export class NodeEncryptionMaterial implements
@@ -178,15 +178,15 @@ export class WebCryptoEncryptionMaterial implements
   addEncryptedDataKey!: (edk: EncryptedDataKey, flags: KeyringTraceFlag) => WebCryptoEncryptionMaterial
   setSignatureKey!: (key: SignatureKey) => WebCryptoEncryptionMaterial
   signatureKey?: SignatureKey
-  setCryptoKey!: (dataKey: CryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => WebCryptoEncryptionMaterial
-  getCryptoKey!: () => CryptoKey|MixedBackendCryptoKey
+  setCryptoKey!: (dataKey: AwsEsdkJsCryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => WebCryptoEncryptionMaterial
+  getCryptoKey!: () => AwsEsdkJsCryptoKey|MixedBackendCryptoKey
   hasCryptoKey!: boolean
-  validUsages: ReadonlyArray<KeyUsage>
+  validUsages: ReadonlyArray<AwsEsdkJsKeyUsage>
   constructor (suite: WebCryptoAlgorithmSuite) {
     /* Precondition: WebCryptoEncryptionMaterial suite must be WebCryptoAlgorithmSuite. */
     needs(suite instanceof WebCryptoAlgorithmSuite, 'Suite must be a WebCryptoAlgorithmSuite')
     this.suite = suite
-    this.validUsages = Object.freeze(<KeyUsage[]>['deriveKey', 'encrypt'])
+    this.validUsages = Object.freeze(<AwsEsdkJsKeyUsage[]>['deriveKey', 'encrypt'])
     // EncryptionMaterial have generated a data key on setUnencryptedDataKey
     const setFlag = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY
     decorateCryptographicMaterial<WebCryptoEncryptionMaterial>(this, setFlag)
@@ -214,15 +214,15 @@ export class WebCryptoDecryptionMaterial implements
   keyringTrace: KeyringTrace[] = []
   setVerificationKey!: (key: VerificationKey) => WebCryptoDecryptionMaterial
   verificationKey?: VerificationKey
-  setCryptoKey!: (dataKey: CryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => WebCryptoDecryptionMaterial
-  getCryptoKey!: () => CryptoKey|MixedBackendCryptoKey
+  setCryptoKey!: (dataKey: AwsEsdkJsCryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => WebCryptoDecryptionMaterial
+  getCryptoKey!: () => AwsEsdkJsCryptoKey|MixedBackendCryptoKey
   hasCryptoKey!: boolean
-  validUsages: ReadonlyArray<KeyUsage>
+  validUsages: ReadonlyArray<AwsEsdkJsKeyUsage>
   constructor (suite: WebCryptoAlgorithmSuite) {
     /* Precondition: WebCryptoDecryptionMaterial suite must be WebCryptoAlgorithmSuite. */
     needs(suite instanceof WebCryptoAlgorithmSuite, 'Suite must be a WebCryptoAlgorithmSuite')
     this.suite = suite
-    this.validUsages = Object.freeze(<KeyUsage[]>['deriveKey', 'decrypt'])
+    this.validUsages = Object.freeze(<AwsEsdkJsKeyUsage[]>['deriveKey', 'decrypt'])
     // DecryptionMaterial have decrypted a data key on setUnencryptedDataKey
     const setFlag = KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY
     decorateCryptographicMaterial<WebCryptoDecryptionMaterial>(this, setFlag)
@@ -460,9 +460,9 @@ export function decorateDecryptionMaterial<T extends DecryptionMaterial<T>> (mat
 }
 
 export function decorateWebCryptoMaterial<T extends WebCryptoMaterial<T>> (material: T, setFlags: KeyringTraceFlag) {
-  let cryptoKey: Readonly<CryptoKey|MixedBackendCryptoKey>|undefined
+  let cryptoKey: Readonly<AwsEsdkJsCryptoKey|MixedBackendCryptoKey>|undefined
 
-  const setCryptoKey = (dataKey: CryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => {
+  const setCryptoKey = (dataKey: AwsEsdkJsCryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => {
     /* Precondition: cryptoKey must not be set.  Modifying the cryptoKey is denied */
     needs(!cryptoKey, 'cryptoKey is already set.')
     /* Precondition: dataKey must be a supported type. */
@@ -504,7 +504,7 @@ export function decorateWebCryptoMaterial<T extends WebCryptoMaterial<T>> (mater
     needs(cryptoKey, 'Crypto key is not set.')
     // In the case of MixedBackendCryptoKey the object
     // has already been frozen above so it is safe to return
-    return <Readonly<CryptoKey|MixedBackendCryptoKey>>cryptoKey
+    return <Readonly<AwsEsdkJsCryptoKey|MixedBackendCryptoKey>>cryptoKey
   }
   readOnlyProperty(material, 'getCryptoKey', getCryptoKey)
 
@@ -516,7 +516,7 @@ export function decorateWebCryptoMaterial<T extends WebCryptoMaterial<T>> (mater
   return material
 }
 
-export function isCryptoKey (dataKey: any): dataKey is CryptoKey {
+export function isCryptoKey (dataKey: any): dataKey is AwsEsdkJsCryptoKey {
   return dataKey &&
     'algorithm' in dataKey &&
     'type' in dataKey &&
@@ -526,7 +526,7 @@ export function isCryptoKey (dataKey: any): dataKey is CryptoKey {
 }
 
 export function isValidCryptoKey<T extends WebCryptoMaterial<T>> (
-  dataKey: CryptoKey|MixedBackendCryptoKey,
+  dataKey: AwsEsdkJsCryptoKey|MixedBackendCryptoKey,
   material: T
 ) : boolean {
   if (!isCryptoKey(dataKey)) {
@@ -565,7 +565,7 @@ function isMixedBackendCryptoKey (dataKey: any): dataKey is MixedBackendCryptoKe
   return isCryptoKey(zeroByteCryptoKey) && isCryptoKey(nonZeroByteCryptoKey)
 }
 
-export function keyUsageForMaterial<T extends WebCryptoMaterial<T>> (material: T): KeyUsage {
+export function keyUsageForMaterial<T extends WebCryptoMaterial<T>> (material: T): AwsEsdkJsKeyUsage {
   const { suite } = material
   if (suite.kdf) return 'deriveKey'
   return subtleFunctionForMaterial(material)
diff --git a/modules/material-management/src/signature_key.ts b/modules/material-management/src/signature_key.ts
@@ -18,6 +18,7 @@ import { encodeNamedCurves } from './ecc_encode'
 import { decodeNamedCurves } from './ecc_decode'
 import { frozenClass, readOnlyBinaryProperty, readOnlyProperty } from './immutable_class'
 import { publicKeyPem, privateKeyPem } from './pem_helpers'
+import { AwsEsdkJsCryptoKey } from './types' // eslint-disable-line no-unused-vars
 
 /*
  * This public interface to the SignatureKey object is provided for
@@ -27,10 +28,10 @@ import { publicKeyPem, privateKeyPem } from './pem_helpers'
  */
 
 export class SignatureKey {
-  public readonly privateKey!: string|CryptoKey
+  public readonly privateKey!: string|AwsEsdkJsCryptoKey
   public readonly compressPoint!: Uint8Array
   public readonly signatureCurve!: NodeECDHCurve|WebCryptoECDHCurve
-  constructor (privateKey: Uint8Array|CryptoKey, compressPoint: Uint8Array, suite: AlgorithmSuite) {
+  constructor (privateKey: Uint8Array|AwsEsdkJsCryptoKey, compressPoint: Uint8Array, suite: AlgorithmSuite) {
     const { signatureCurve: namedCurve } = suite
     /* Precondition: Do not create a SignatureKey for an algorithm suite that does not have an EC named curve. */
     if (!namedCurve) throw new Error('Unsupported Algorithm')
@@ -63,9 +64,9 @@ export class SignatureKey {
 frozenClass(SignatureKey)
 
 export class VerificationKey {
-  public readonly publicKey!: string|CryptoKey
+  public readonly publicKey!: string|AwsEsdkJsCryptoKey
   public readonly signatureCurve!: NodeECDHCurve|WebCryptoECDHCurve
-  constructor (publicKey: Uint8Array|CryptoKey, suite: AlgorithmSuite) {
+  constructor (publicKey: Uint8Array|AwsEsdkJsCryptoKey, suite: AlgorithmSuite) {
     const { signatureCurve: namedCurve } = suite
     /* Precondition: Do not create a VerificationKey for an algorithm suite that does not have an EC named curve. */
     if (!namedCurve) throw new Error('Unsupported Algorithm')
diff --git a/modules/material-management/src/types.ts b/modules/material-management/src/types.ts
@@ -23,9 +23,23 @@ import {
 
 export type EncryptionContext = {[index: string]: string}
 
+/* need to copy some things from DOM */
+export interface AwsEsdkJsKeyAlgorithm {
+  name: string
+}
+export type AwsEsdkJsKeyType = 'public' | 'private' | 'secret'
+export type AwsEsdkJsKeyUsage = 'encrypt' | 'decrypt' | 'sign' | 'verify' | 'deriveKey' | 'deriveBits' | 'wrapKey' | 'unwrapKey'
+
+export interface AwsEsdkJsCryptoKey {
+  readonly algorithm: AwsEsdkJsKeyAlgorithm
+  readonly extractable: boolean
+  readonly type: AwsEsdkJsKeyType
+  readonly usages: AwsEsdkJsKeyUsage[]
+}
+
 export type MixedBackendCryptoKey = {
-  nonZeroByteCryptoKey: CryptoKey
-  zeroByteCryptoKey: CryptoKey
+  nonZeroByteCryptoKey: AwsEsdkJsCryptoKey
+  zeroByteCryptoKey: AwsEsdkJsCryptoKey
 }
 
 export interface EncryptionRequest<S extends NodeAlgorithmSuite|WebCryptoAlgorithmSuite> {
diff --git a/modules/raw-keyring/src/raw_aes_material.ts b/modules/raw-keyring/src/raw_aes_material.ts
@@ -29,6 +29,8 @@ import {
   frozenClass,
   NodeAlgorithmSuite,
   WebCryptoAlgorithmSuite,
+  AwsEsdkJsCryptoKey, // eslint-disable-line no-unused-vars
+  AwsEsdkJsKeyUsage, // eslint-disable-line no-unused-vars
   KeyringTrace, // eslint-disable-line no-unused-vars
   KeyringTraceFlag,
   needs
@@ -77,15 +79,15 @@ export class WebCryptoRawAesMaterial implements
   hasUnencryptedDataKey!: boolean
   unencryptedDataKeyLength!: number
   keyringTrace: KeyringTrace[] = []
-  setCryptoKey!: (dataKey: CryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => WebCryptoRawAesMaterial
-  getCryptoKey!: () => CryptoKey|MixedBackendCryptoKey
+  setCryptoKey!: (dataKey: AwsEsdkJsCryptoKey|MixedBackendCryptoKey, trace: KeyringTrace) => WebCryptoRawAesMaterial
+  getCryptoKey!: () => AwsEsdkJsCryptoKey|MixedBackendCryptoKey
   hasCryptoKey!: boolean
-  validUsages: ReadonlyArray<KeyUsage>
+  validUsages: ReadonlyArray<AwsEsdkJsKeyUsage>
   constructor (suiteId: WrappingSuiteIdentifier) {
     /* Precondition: WebCryptoAlgorithmSuite suiteId must be RawAesWrappingSuiteIdentifier. */
     needs(RawAesWrappingSuiteIdentifier[suiteId], 'suiteId not supported.')
     this.suite = new WebCryptoAlgorithmSuite(suiteId)
-    this.validUsages = Object.freeze([<KeyUsage>'decrypt', <KeyUsage>'encrypt'])
+    this.validUsages = Object.freeze([<AwsEsdkJsKeyUsage>'decrypt', <AwsEsdkJsKeyUsage>'encrypt'])
     /* WebCryptoRawAesMaterial need to set a flag, this is an abuse of TraceFlags
      * because the material is not generated.
      * but CryptographicMaterial force a flag to be set.
