feat: Support AWS SDK V2

Addresses feedback in #1177:
#1177 (review)

Author: texastony

modules/kms-keyring-browser/test/kms_keyring_browser.test.ts

@@ -6,6 +6,7 @@
 import * as chai from 'chai'
 import chaiAsPromised from 'chai-as-promised'
 import { KmsKeyringBrowser, getClient } from '../src/index'
+import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 import {
   KeyringWebCrypto,
@@ -29,7 +30,7 @@ describe('KmsKeyringBrowser::constructor', () => {
     const keyArn =
       'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
     const keyIds = [keyArn]
-    const clientProvider = getClient(V3KMS, { credentials })
+    const clientProvider = getClient(V2KMS, { credentials })
 
     const test = new KmsKeyringBrowser({
       clientProvider,
@@ -50,6 +51,46 @@ describe('KmsKeyringBrowser::constructor', () => {
   })
 })
 
+describe('KmsKeyringBrowser can encrypt/decrypt with AWS SDK v2 client', () => {
+  const generatorKeyId =
+    'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
+  const keyArn =
+    'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
+  const keyIds = [keyArn]
+  const clientProvider = getClient(V2KMS, { credentials })
+  const keyring = new KmsKeyringBrowser({
+    clientProvider,
+    generatorKeyId,
+    keyIds,
+  })
+  let encryptedDataKey: EncryptedDataKey
+
+  it('can encrypt and create unencrypted data key', async () => {
+    const suite = new WebCryptoAlgorithmSuite(
+      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
+    )
+    const material = new WebCryptoEncryptionMaterial(suite, {})
+    const test = await keyring.onEncrypt(material)
+    expect(test.hasValidKey()).to.equal(true)
+    const udk = test.getUnencryptedDataKey()
+    expect(udk).to.have.lengthOf(suite.keyLengthBytes)
+    expect(test.encryptedDataKeys).to.have.lengthOf(2)
+    const [edk] = test.encryptedDataKeys
+    encryptedDataKey = edk
+  })
+
+  it('can decrypt an EncryptedDataKey', async () => {
+    const suite = new WebCryptoAlgorithmSuite(
+      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
+    )
+    const material = new WebCryptoDecryptionMaterial(suite, {})
+    const test = await keyring.onDecrypt(material, [encryptedDataKey])
+    expect(test.hasValidKey()).to.equal(true)
+    // The UnencryptedDataKey should be zeroed, because the cryptoKey has been set
+    expect(() => test.getUnencryptedDataKey()).to.throw()
+  })
+})
+
 describe('KmsKeyringBrowser can encrypt/decrypt with AWS SDK v3 client', () => {
   const generatorKeyId =
     'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'

modules/kms-keyring-browser/test/kms_mrk_discovery_keyring_browser.test.ts

@@ -16,6 +16,7 @@ import {
   AlgorithmSuiteIdentifier,
   WebCryptoDecryptionMaterial,
 } from '@aws-crypto/material-management-browser'
+import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 
 chai.use(chaiAsPromised)
@@ -56,6 +57,54 @@ describe('AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser::constructor', () => {
 /* Injected from @aws-sdk/karma-credential-loader. */
 declare const credentials: any
 
+describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v2 client', () => {
+  const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
+
+  const eastKeyId =
+    'arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'
+  const grantTokens = ['grant']
+  const encryptionContext = { some: 'context' }
+  const suite = new WebCryptoAlgorithmSuite(
+    AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
+  )
+
+  const keyring = new AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser({
+    // Note the difference in the region from the keyId
+    client: new V2KMS({ region: 'us-west-2', credentials }),
+    discoveryFilter,
+    grantTokens,
+  })
+
+  it('throws an error on encrypt', async () => {
+    const material = new WebCryptoEncryptionMaterial(suite, encryptionContext)
+    return expect(keyring.onEncrypt(material)).to.rejectedWith(
+      Error,
+      'AwsKmsMrkAwareSymmetricDiscoveryKeyring cannot be used to encrypt'
+    )
+  })
+
+  it('can decrypt an EncryptedDataKey', async () => {
+    const encryptKeyring = new AwsKmsMrkAwareSymmetricKeyringBrowser({
+      client: new V2KMS({ region: 'us-east-1', credentials }),
+      keyId: eastKeyId,
+      grantTokens,
+    })
+    const encryptMaterial = await encryptKeyring.onEncrypt(
+      new WebCryptoEncryptionMaterial(suite, encryptionContext)
+    )
+    const [edk] = encryptMaterial.encryptedDataKeys
+
+    const material = await keyring.onDecrypt(
+      new WebCryptoDecryptionMaterial(suite, encryptionContext),
+      [edk]
+    )
+    const test = await keyring.onDecrypt(material, [edk])
+    expect(test.hasValidKey()).to.equal(true)
+    // The UnencryptedDataKey should be zeroed, because the cryptoKey has been set
+    expect(() => test.getUnencryptedDataKey()).to.throw()
+  })
+})
+
 describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v3 client', () => {
   const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
 

modules/kms-keyring-browser/test/kms_mrk_keyring_browser.test.ts

@@ -15,6 +15,7 @@ import {
   WebCryptoDecryptionMaterial,
   KeyringTraceFlag,
 } from '@aws-crypto/material-management-browser'
+import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 
 chai.use(chaiAsPromised)
@@ -50,6 +51,69 @@ describe('AwsKmsMrkAwareSymmetricKeyringBrowser::constructor', () => {
 /* Injected from @aws-sdk/karma-credential-loader. */
 declare const credentials: any
 
+describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v2 client', () => {
+  const westKeyId =
+    'arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'
+  const eastKeyId =
+    'arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'
+  const grantTokens = ['grant']
+  const encryptionContext = { some: 'context' }
+  const suite = new WebCryptoAlgorithmSuite(
+    AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
+  )
+
+  const encryptKeyring = new AwsKmsMrkAwareSymmetricKeyringBrowser({
+    client: new V2KMS({ region: 'us-west-2', credentials }),
+    keyId: westKeyId,
+    grantTokens,
+  })
+  const decryptKeyring = new AwsKmsMrkAwareSymmetricKeyringBrowser({
+    client: new V2KMS({ region: 'us-east-1', credentials }),
+    keyId: eastKeyId,
+    grantTokens,
+  })
+  let encryptedDataKey: EncryptedDataKey
+
+  it('can encrypt and create unencrypted data key', async () => {
+    const material = new WebCryptoEncryptionMaterial(suite, encryptionContext)
+    const test = await encryptKeyring.onEncrypt(material)
+    expect(test.hasValidKey()).to.equal(true)
+    const udk = test.getUnencryptedDataKey()
+    expect(udk).to.have.lengthOf(suite.keyLengthBytes)
+    expect(test.encryptedDataKeys).to.have.lengthOf(1)
+    const [edk] = test.encryptedDataKeys
+    encryptedDataKey = edk
+  })
+
+  it('can encrypt a pre-existing plaintext data key', async () => {
+    const seedMaterial = new WebCryptoEncryptionMaterial(
+      suite,
+      encryptionContext
+    ).setUnencryptedDataKey(new Uint8Array(suite.keyLengthBytes), {
+      keyName: 'keyName',
+      keyNamespace: 'keyNamespace',
+      flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
+    })
+    const encryptTest = await encryptKeyring.onEncrypt(seedMaterial)
+    expect(encryptTest.hasValidKey()).to.equal(true)
+    expect(encryptTest.encryptedDataKeys).to.have.lengthOf(1)
+    const [kmsEDK] = encryptTest.encryptedDataKeys
+    expect(kmsEDK.providerId).to.equal('aws-kms')
+    expect(kmsEDK.providerInfo).to.equal(westKeyId)
+  })
+
+  it('can decrypt an EncryptedDataKey', async () => {
+    const suite = new WebCryptoAlgorithmSuite(
+      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
+    )
+    const material = new WebCryptoDecryptionMaterial(suite, encryptionContext)
+    const test = await decryptKeyring.onDecrypt(material, [encryptedDataKey])
+    expect(test.hasValidKey()).to.equal(true)
+    // The UnencryptedDataKey should be zeroed, because the cryptoKey has been set
+    expect(() => test.getUnencryptedDataKey()).to.throw()
+  })
+})
+
 describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v3 client', () => {
   const westKeyId =
     'arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'

modules/kms-keyring-node/test/kms_keyring_node.test.ts

@@ -5,6 +5,7 @@
 
 import { expect } from 'chai'
 import { KmsKeyringNode, getClient } from '../src/index'
+import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 import {
   KeyringNode,
@@ -39,6 +40,44 @@ describe('KmsKeyringNode::constructor', () => {
   })
 })
 
+describe('KmsKeyringNode can encrypt/decrypt with AWS SDK v2 client', () => {
+  const generatorKeyId =
+    'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
+  const keyArn =
+    'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
+  const keyIds = [keyArn]
+
+  const clientProvider = getClient(V2KMS)
+
+  const keyring = new KmsKeyringNode({ clientProvider, generatorKeyId, keyIds })
+  let encryptedDataKey: EncryptedDataKey
+  let udk: Uint8Array
+
+  it('can encrypt and create unencrypted data key', async () => {
+    const suite = new NodeAlgorithmSuite(
+      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
+    )
+    const material = new NodeEncryptionMaterial(suite, {})
+    const test = await keyring.onEncrypt(material)
+    expect(test.hasValidKey()).to.equal(true)
+    udk = unwrapDataKey(test.getUnencryptedDataKey())
+    expect(udk).to.have.lengthOf(suite.keyLengthBytes)
+    expect(test.encryptedDataKeys).to.have.lengthOf(2)
+    const [edk] = test.encryptedDataKeys
+    encryptedDataKey = edk
+  })
+
+  it('can decrypt an EncryptedDataKey', async () => {
+    const suite = new NodeAlgorithmSuite(
+      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
+    )
+    const material = new NodeDecryptionMaterial(suite, {})
+    const test = await keyring.onDecrypt(material, [encryptedDataKey])
+    expect(test.hasValidKey()).to.equal(true)
+    expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal(udk)
+  })
+})
+
 describe('KmsKeyringNode can encrypt/decrypt with AWS SDK v3 client', () => {
   const generatorKeyId =
     'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'

modules/kms-keyring-node/test/kms_mrk_discovery_keyring_node.test.ts

@@ -17,6 +17,7 @@ import {
 } from '@aws-crypto/material-management-node'
 chai.use(chaiAsPromised)
 const { expect } = chai
+import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 
 describe('AwsKmsMrkAwareSymmetricKeyringNode::constructor', () => {
@@ -51,6 +52,54 @@ describe('AwsKmsMrkAwareSymmetricKeyringNode::constructor', () => {
   })
 })
 
+describe('AwsKmsMrkAwareSymmetricDiscoveryKeyringNode can encrypt/decrypt with AWS SDK v2 client', () => {
+  const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
+  const keyId =
+    'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
+  const grantTokens = ['grant']
+  const encryptionContext = { some: 'context' }
+  const suite = new NodeAlgorithmSuite(
+    AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
+  )
+  const client = new V2KMS({ region: 'us-west-2' })
+
+  const keyring = new AwsKmsMrkAwareSymmetricDiscoveryKeyringNode({
+    client,
+    discoveryFilter,
+    grantTokens,
+  })
+  it('throws an error on encrypt', async () => {
+    const material = new NodeEncryptionMaterial(suite, encryptionContext)
+    await expect(keyring.onEncrypt(material)).to.rejectedWith(
+      Error,
+      'AwsKmsMrkAwareSymmetricDiscoveryKeyring cannot be used to encrypt'
+    )
+  })
+
+  it('can decrypt an EncryptedDataKey', async () => {
+    const { CiphertextBlob } = await client
+      .generateDataKey({
+        KeyId: keyId,
+        NumberOfBytes: suite.keyLengthBytes,
+        EncryptionContext: encryptionContext,
+      })
+      .promise()
+    needs(Buffer.isBuffer(CiphertextBlob), 'never')
+    const edk = new EncryptedDataKey({
+      providerId: 'aws-kms',
+      providerInfo: keyId,
+      encryptedDataKey: new Uint8Array(CiphertextBlob),
+    })
+
+    const material = await keyring.onDecrypt(
+      new NodeDecryptionMaterial(suite, encryptionContext),
+      [edk]
+    )
+    const decryptTest = await keyring.onDecrypt(material, [edk])
+    expect(decryptTest.hasValidKey()).to.equal(true)
+  })
+})
+
 describe('AwsKmsMrkAwareSymmetricDiscoveryKeyringNode can encrypt/decrypt with AWS SDK v3 client', () => {
   const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
   const keyId =