Merge branch 'master' into sequence-number-order

Author: seebees

modules/decrypt-node/src/decipher_stream.ts

@@ -16,8 +16,11 @@
 // @ts-ignore
 import { Transform as PortableTransform } from 'readable-stream'
 import { Transform } from 'stream' // eslint-disable-line no-unused-vars
-import { DecipherGCM } from 'crypto' // eslint-disable-line no-unused-vars
-import { needs } from '@aws-crypto/material-management-node'
+import {
+  needs,
+  GetDecipher, // eslint-disable-line no-unused-vars
+  AwsEsdkJsDecipherGCM // eslint-disable-line no-unused-vars
+} from '@aws-crypto/material-management-node'
 import {
   aadFactory,
   ContentType // eslint-disable-line no-unused-vars
@@ -31,12 +34,12 @@ const PortableTransformWithType = (<new (...args: any[]) => Transform>PortableTr
 export interface DecipherInfo {
   messageId: Buffer
   contentType: ContentType
-  getDecipher: (iv: Uint8Array) => DecipherGCM
+  getDecipher: GetDecipher
   dispose: () => void
 }
 
 interface DecipherState {
-  decipher: DecipherGCM
+  decipher: AwsEsdkJsDecipherGCM
   content: Buffer[]
   contentLength: number
 }

modules/decrypt-node/src/verify_stream.ts

@@ -16,10 +16,10 @@
 // @ts-ignore
 import { Transform as PortableTransform } from 'readable-stream'
 import { Transform } from 'stream' // eslint-disable-line no-unused-vars
-import { DecipherGCM } from 'crypto' // eslint-disable-line no-unused-vars
 import {
   needs,
-  GetVerify // eslint-disable-line no-unused-vars
+  GetVerify, // eslint-disable-line no-unused-vars
+  GetDecipher // eslint-disable-line no-unused-vars
 } from '@aws-crypto/material-management-node'
 import {
   deserializeSignature,
@@ -35,7 +35,7 @@ const PortableTransformWithType = (<new (...args: any[]) => Transform>PortableTr
 
 export interface VerifyInfo {
   headerInfo: HeaderInfo
-  getDecipher: (iv: Uint8Array) => DecipherGCM
+  getDecipher: GetDecipher
   dispose: () => void
   verify?: AWSVerify
 }

modules/encrypt-browser/src/encrypt.ts

@@ -21,6 +21,7 @@ import {
   AlgorithmSuiteIdentifier,
   getEncryptHelper,
   KeyringWebCrypto,
+  needs,
   WebCryptoMaterialsManager // eslint-disable-line no-unused-vars
 } from '@aws-crypto/material-management-browser'
 import {
@@ -35,7 +36,8 @@ import {
   serializeSignatureInfo,
   FRAME_LENGTH,
   MESSAGE_ID_LENGTH,
-  raw2der
+  raw2der,
+  Maximum
 } from '@aws-crypto/serialize'
 import { fromUtf8 } from '@aws-sdk/util-utf8-browser'
 import { getWebCryptoBackend } from '@aws-crypto/web-crypto-backend'
@@ -60,6 +62,9 @@ export async function encrypt (
   plaintext: Uint8Array,
   { suiteId, encryptionContext, frameLength = FRAME_LENGTH }: EncryptInput = {}
 ): Promise<EncryptResult> {
+  /* Precondition: The frameLength must be less than the maximum frame size for browser encryption. */
+  needs(frameLength > 0 && Maximum.FRAME_SIZE >= frameLength, `frameLength out of bounds: 0 > frameLength >= ${Maximum.FRAME_SIZE}`)
+
   const backend = await getWebCryptoBackend()
   if (!backend) throw new Error('No supported crypto backend')
 

modules/encrypt-browser/test/encrypt.test.ts

@@ -85,4 +85,9 @@ describe('encrypt structural testing', () => {
 
     expect(messageHeader).to.deep.equal(messageInfo.messageHeader)
   })
+
+  it('Precondition: The frameLength must be less than the maximum frame size for browser encryption.', async () => {
+    const frameLength = 0
+    expect(encrypt(keyRing, 'asdf', { frameLength })).to.rejectedWith(Error)
+  })
 })

modules/encrypt-node/src/encrypt_stream.ts

@@ -16,7 +16,8 @@
 import {
   NodeDefaultCryptographicMaterialsManager, NodeAlgorithmSuite, AlgorithmSuiteIdentifier, // eslint-disable-line no-unused-vars
   KeyringNode, NodeEncryptionMaterial, getEncryptHelper, EncryptionContext, // eslint-disable-line no-unused-vars
-  NodeMaterialsManager // eslint-disable-line no-unused-vars
+  NodeMaterialsManager, // eslint-disable-line no-unused-vars
+  needs
 } from '@aws-crypto/material-management-node'
 import { getFramedEncryptStream } from './framed_encrypt_stream'
 import { SignatureStream } from './signature_stream'
@@ -26,7 +27,8 @@ import {
   MessageHeader, // eslint-disable-line no-unused-vars
   serializeFactory, kdfInfo, ContentType, SerializationVersion, ObjectType,
   FRAME_LENGTH,
-  MESSAGE_ID_LENGTH
+  MESSAGE_ID_LENGTH,
+  Maximum
 } from '@aws-crypto/serialize'
 
 // @ts-ignore
@@ -56,6 +58,9 @@ export function encryptStream (
 ): Duplex {
   const { suiteId, context, frameLength = FRAME_LENGTH } = op
 
+  /* Precondition: The frameLength must be less than the maximum frame size Node.js stream. */
+  needs(frameLength > 0 && Maximum.FRAME_SIZE >= frameLength, `frameLength out of bounds: 0 > frameLength >= ${Maximum.FRAME_SIZE}`)
+
   /* If the cmm is a Keyring, wrap it with NodeDefaultCryptographicMaterialsManager. */
   cmm = cmm instanceof KeyringNode
     ? new NodeDefaultCryptographicMaterialsManager(cmm)

modules/encrypt-node/src/framed_encrypt_stream.ts

@@ -19,9 +19,12 @@ import {
 } from '@aws-crypto/serialize'
 // @ts-ignore
 import { Transform as PortableTransform } from 'readable-stream'
-import { CipherGCM } from 'crypto' // eslint-disable-line no-unused-vars
 import { Transform } from 'stream' // eslint-disable-line no-unused-vars
-import { needs } from '@aws-crypto/material-management-node'
+import {
+  GetCipher, // eslint-disable-line no-unused-vars
+  AwsEsdkJsCipherGCM, // eslint-disable-line no-unused-vars
+  needs
+} from '@aws-crypto/material-management-node'
 
 const fromUtf8 = (input: string) => Buffer.from(input, 'utf8')
 const serialize = serializeFactory(fromUtf8)
@@ -38,7 +41,7 @@ interface EncryptFrame {
   content: Buffer[]
   bodyHeader: Buffer
   headerSent?: boolean
-  cipher: CipherGCM,
+  cipher: AwsEsdkJsCipherGCM,
   isFinalFrame: boolean
 }
 
@@ -165,8 +168,6 @@ export function getFramedEncryptStream (getCipher: GetCipher, messageHeader: Mes
   })()
 }
 
-type GetCipher = (iv: Uint8Array) => CipherGCM
-
 type EncryptFrameInput = {
   pendingFrame: AccumulatingFrame,
   messageHeader: MessageHeader,

modules/encrypt-node/test/encrypt.test.ts

@@ -184,6 +184,11 @@ describe('encrypt structural testing', () => {
 
     expect(messageHeader).to.deep.equal(messageInfo.messageHeader)
   })
+
+  it('Precondition: The frameLength must be less than the maximum frame size Node.js stream.', async () => {
+    const frameLength = 0
+    expect(encrypt(keyRing, 'asdf', { frameLength })).to.rejectedWith(Error)
+  })
 })
 
 function finishedAsync (stream: any) {

modules/integration-node/package.json

@@ -15,8 +15,10 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@aws-crypto/client-node": "^0.1.0-preview.2",
+    "@types/got": "^9.6.2",
     "@types/unzipper": "^0.9.1",
     "@types/yargs": "^13.0.0",
+    "got": "^9.6.0",
     "tslib": "^1.9.3",
     "unzipper": "^0.9.11",
     "yargs": "^13.2.2"

modules/integration-node/src/cli.ts

@@ -15,15 +15,37 @@
  */
 
 import yargs from 'yargs'
-import { integrationTestVectors } from './integration_tests'
+import { integrationDecryptTestVectors, integrationEncryptTestVectors } from './integration_tests'
 
-const argv = yargs
-  .option('vectorFile', {
-    alias: 'v',
-    describe: 'a vector zip file from aws-encryption-sdk-test-vectors',
-    demandOption: true,
-    type: 'string'
-  })
+const cli = yargs
+  .command('decrypt', 'verify decrypt vectors', y => y
+    .option('vectorFile', {
+      alias: 'v',
+      describe: 'a vector zip file from aws-encryption-sdk-test-vectors',
+      demandOption: true,
+      type: 'string'
+    })
+  )
+  .command('encrypt', 'verify encrypt manifest', y => y
+    .option('manifestFile', {
+      alias: 'm',
+      describe: 'a path/url to aws-crypto-tools-test-vector-framework canonical manifest',
+      demandOption: true,
+      type: 'string'
+    })
+    .option('keyFile', {
+      alias: 'k',
+      describe: 'a path/url to aws-crypto-tools-test-vector-framework canonical key list',
+      demandOption: true,
+      type: 'string'
+    })
+    .option('decryptOracle', {
+      alias: 'o',
+      describe: 'a url to the decrypt oracle',
+      demandOption: true,
+      type: 'string'
+    })
+  )
   .option('tolerateFailures', {
     alias: 'f',
     describe: 'an optional number of failures to tolerate before exiting',
@@ -35,7 +57,24 @@ const argv = yargs
     describe: 'an optional test name to execute',
     type: 'string'
   })
-  .argv
+  .demandCommand()
+
+;(async (argv) => {
+  const { _: [ command ], tolerateFailures, testName } = argv
+  /* I set the result to 1 so that if I fall through the exit condition is a failure */
+  let result = 1
+  if (command === 'decrypt') {
+    const { vectorFile } = argv
+    // @ts-ignore
+    result = await integrationDecryptTestVectors(vectorFile, tolerateFailures, testName)
+  } else if (command === 'encrypt') {
+    const { manifestFile, keyFile, decryptOracle } = argv
+    // @ts-ignore
+    result = await integrationEncryptTestVectors(manifestFile, keyFile, decryptOracle, tolerateFailures, testName)
+  } else {
+    console.log(`Unknown command ${command}`)
+    cli.showHelp()
+  }
 
-const { vectorFile, tolerateFailures, testName } = argv
-integrationTestVectors(vectorFile, tolerateFailures, testName)
+  if (result) process.exit(result)
+})(cli.argv)

modules/integration-node/src/decrypt_materials_manager_node.ts

@@ -39,6 +39,11 @@ const Bits2RawAesWrappingSuiteIdentifier: {[key: number]: WrappingSuiteIdentifie
   256: RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING
 }
 
+export function encryptMaterialsManagerNode (keyInfos: KeyInfoTuple[]) {
+  const [generator, ...children] = keyInfos.map(keyringNode)
+  return new MultiKeyringNode({ generator, children })
+}
+
 export function decryptMaterialsManagerNode (keyInfos: KeyInfoTuple[]) {
   const children = keyInfos.map(keyringNode)
   return new MultiKeyringNode({ children })
@@ -58,8 +63,8 @@ function keyringNode ([ info, key ]: KeyInfoTuple) {
 }
 
 function kmsKeyring (_keyInfo: KmsKeyInfo, key: KMSKey) {
-  const keyIds = [key['key-id']]
-  return new KmsKeyringNode({ keyIds })
+  const generatorKeyId = key['key-id']
+  return new KmsKeyringNode({ generatorKeyId })
 }
 
 function aesKeyring (keyInfo:AesKeyInfo, key: AESKey) {

modules/integration-node/src/get_test_iterator.ts renamed to modules/integration-node/src/get_decrypt_test_iterator.ts

@@ -15,13 +15,13 @@
 
 import { Open } from 'unzipper'
 import {
-  ManifestList, // eslint-disable-line no-unused-vars
+  DecryptManifestList, // eslint-disable-line no-unused-vars
   KeyList, // eslint-disable-line no-unused-vars
   KeyInfoTuple // eslint-disable-line no-unused-vars
 } from './types'
 import { Readable } from 'stream' // eslint-disable-line no-unused-vars
 
-export async function getTestVectorIterator (vectorFile: string) {
+export async function getDecryptTestVectorIterator (vectorFile: string) {
   const centralDirectory = await Open.file(vectorFile)
   // @ts-ignore
   const filesMap = new Map(centralDirectory.files.map(file => [file.path, file]))
@@ -40,7 +40,7 @@ export async function getTestVectorIterator (vectorFile: string) {
   })()
 
   const manifestBuffer = await readUriOnce('manifest.json')
-  const { keys: keysFile, tests }: ManifestList = JSON.parse(manifestBuffer.toString('utf8'))
+  const { keys: keysFile, tests }: DecryptManifestList = JSON.parse(manifestBuffer.toString('utf8'))
   const keysBuffer = await readUriOnce(keysFile)
   const { keys }: KeyList = JSON.parse(keysBuffer.toString('utf8'))
 

modules/integration-node/src/get_encrypt_test_iterator.ts

@@ -0,0 +1,101 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ *     http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {
+  EncryptManifestList, // eslint-disable-line no-unused-vars
+  KeyList, // eslint-disable-line no-unused-vars
+  KeyInfoTuple // eslint-disable-line no-unused-vars
+} from './types'
+import { randomBytes } from 'crypto'
+import {
+  AlgorithmSuiteIdentifier, // eslint-disable-line no-unused-vars
+  EncryptionContext // eslint-disable-line no-unused-vars
+} from '@aws-crypto/client-node'
+import { URL } from 'url'
+import { readFileSync } from 'fs'
+import got from 'got'
+
+export async function getEncryptTestVectorIterator (manifestFile: string, keyFile: string) {
+  const { tests, plaintexts }: EncryptManifestList = await getParsedJSON(manifestFile)
+  const { keys }: KeyList = await getParsedJSON(keyFile)
+
+  const plaintextBytes: {[name: string]: Buffer} = {}
+
+  Object
+    .keys(plaintexts)
+    .forEach(name => {
+      plaintextBytes[name] = randomBytes(plaintexts[name])
+    })
+
+  return (function * nextTest (): IterableIterator<EncryptTestVectorInfo> {
+    for (const [name, testInfo] of Object.entries(tests)) {
+      const {
+        plaintext,
+        'master-keys': masterKeys,
+        algorithm,
+        'frame-size': frameLength,
+        'encryption-context': encryptionContext
+      } = testInfo
+      const keysInfo = <KeyInfoTuple[]>masterKeys.map(keyInfo => {
+        const key = keys[keyInfo.key]
+        if (!key) throw new Error(`no key for ${name}`)
+        return [keyInfo, key]
+      })
+
+      /* I'm expecting that the encrypt function will throw if this is not a supported AlgorithmSuiteIdentifier */
+      const suiteId = <AlgorithmSuiteIdentifier>parseInt(algorithm, 16)
+
+      yield {
+        name,
+        keysInfo,
+        plainTextData: plaintextBytes[plaintext],
+        encryptOp: { suiteId, frameLength, encryptionContext }
+      }
+    }
+  })()
+}
+
+export interface EncryptTestVectorInfo {
+  name: string,
+  keysInfo: KeyInfoTuple[],
+  plainTextData: Buffer,
+  encryptOp: {
+    suiteId: AlgorithmSuiteIdentifier,
+    frameLength: number,
+    encryptionContext: EncryptionContext
+  }
+}
+
+async function getParsedJSON (thing: string) {
+  try {
+    const url = new URL(thing)
+    if (url.protocol === 'file:') {
+      return jsonAtPath(thing)
+    } else {
+      return jsonAtUrl(url)
+    }
+  } catch (ex) {
+    return jsonAtPath(thing)
+  }
+}
+async function jsonAtUrl (url: URL) {
+  const { body } = await got(url)
+  return JSON.parse(body)
+}
+
+function jsonAtPath (path: string) {
+  const json = readFileSync(path, { encoding: 'utf-8' })
+  return JSON.parse(json)
+}