
Commit ddd49ab

fix!: Remove Keyring Trace (#402)
resolves: #351. As outlined in #351, the intention of the keyring trace is better satisfied by constructing correct keyrings and CMMs. BREAKING CHANGE: - Remove trace from all cryptographic materials. - Remove KeyringTrace exports. Merge
1 parent 238dd58 commit ddd49ab

36 files changed

+327
-1696
lines changed

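--- a/modules/cache-material/test/caching_cryptographic_materials_decorators.test.ts
+++ b/modules/cache-material/test/caching_cryptographic_materials_decorators.test.ts
@@ -17,7 +17,6 @@ import { createHash } from 'crypto'
 import {
 NodeAlgorithmSuite,
 AlgorithmSuiteIdentifier,
-KeyringTraceFlag,
 EncryptedDataKey,
 NodeEncryptionMaterial,
 NodeDecryptionMaterial,
@@ -205,37 +204,22 @@ describe('Cryptographic Material Functions', () => {
 15,
 16,
 ])
-const encryptTrace = {
-keyNamespace: 'keyNamespace',
-keyName: 'keyName',
-flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-}
-const decryptTrace = {
-keyNamespace: 'keyNamespace',
-keyName: 'keyName',
-flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-}
 
 const edk1 = new EncryptedDataKey({
 providerId: 'keyNamespace',
 providerInfo: 'keyName',
 encryptedDataKey: new Uint8Array([1]),
 })
-const edk2 = new EncryptedDataKey({
-providerId: 'p2',
-providerInfo: 'pi2',
-encryptedDataKey: new Uint8Array([2]),
-})
 
-const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
-.setUnencryptedDataKey(udk128, encryptTrace)
-.addEncryptedDataKey(edk1, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
-.addEncryptedDataKey(edk2, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
+const encryptionMaterial = new NodeEncryptionMaterial(
+nodeSuite,
+{}
+).setUnencryptedDataKey(udk128)
 
 const decryptionMaterial = new NodeDecryptionMaterial(
 nodeSuite,
 {}
-).setUnencryptedDataKey(udk128, decryptTrace)
+).setUnencryptedDataKey(udk128)
 
 const context = {}
 
@@ -398,11 +382,6 @@ describe('Cryptographic Material Functions', () => {
 15,
 16,
 ])
-const encryptTrace = {
-keyNamespace: 'keyNamespace',
-keyName: 'keyName',
-flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-}
 
 const edk1 = new EncryptedDataKey({
 providerId: 'keyNamespace',
@@ -416,15 +395,9 @@ describe('Cryptographic Material Functions', () => {
 })
 
 const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
-.setUnencryptedDataKey(udk128, encryptTrace)
-.addEncryptedDataKey(
-edk1,
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-)
-.addEncryptedDataKey(
-edk2,
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-)
+.setUnencryptedDataKey(udk128)
+.addEncryptedDataKey(edk1)
+.addEncryptedDataKey(edk2)
 
 const testCMM = {
 _partition,
@@ -489,11 +462,6 @@ describe('Cryptographic Material Functions', () => {
 15,
 16,
 ])
-const encryptTrace = {
-keyNamespace: 'keyNamespace',
-keyName: 'keyName',
-flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-}
 
 const edk1 = new EncryptedDataKey({
 providerId: 'keyNamespace',
@@ -507,15 +475,9 @@ describe('Cryptographic Material Functions', () => {
 })
 
 const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
-.setUnencryptedDataKey(udk128, encryptTrace)
-.addEncryptedDataKey(
-edk1,
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-)
-.addEncryptedDataKey(
-edk2,
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-)
+.setUnencryptedDataKey(udk128)
+.addEncryptedDataKey(edk1)
+.addEncryptedDataKey(edk2)
 
 const testCMM = {
 _partition,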
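Review bot: In the second hunk (new lines 214-217) `encryptionMaterial` is now built with a data key but no encrypted data keys, whereas the old code attached `edk1` and `edk2` and the two later tests in this file still attach both; if the cache decorator under test inspects the EDK list, this first test now exercises a narrower case than before. Either attach `edk1` here as the other tests do, `.setUnencryptedDataKey(udk128).addEncryptedDataKey(edk1)`, or add a one-line comment saying the EDK-free material is intentional. The removal of `edk2` in this hunk is consistent with that intent only if nothing later in the same `it` block referenced it; the block's body continues outside the hunk, so I cannot confirm that from here.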

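--- a/modules/decrypt-browser/test/compatibility.test.ts
+++ b/modules/decrypt-browser/test/compatibility.test.ts
@@ -9,7 +9,6 @@ import { buildDecrypt } from '../src/index'
 import {
 needs,
 importForWebCryptoDecryptionMaterial,
-KeyringTraceFlag,
 KeyringWebCrypto,
 WebCryptoDecryptionMaterial,
 WebCryptoEncryptionMaterial,
@@ -86,11 +85,7 @@ describe('committing algorithm test', () => {
 async _onDecrypt(material: WebCryptoDecryptionMaterial) {
 const unencryptedDataKey = dataKey
 return importForWebCryptoDecryptionMaterial(
-material.setUnencryptedDataKey(unencryptedDataKey, {
-keyNamespace: 'k',
-keyName: 'k',
-flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-})
+material.setUnencryptedDataKey(unencryptedDataKey)
 )
 }
 })()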

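--- a/modules/decrypt-browser/test/decrypt.test.ts
+++ b/modules/decrypt-browser/test/decrypt.test.ts
@@ -10,7 +10,6 @@ import { _decrypt } from '../src/decrypt'
 import {
 AlgorithmSuiteIdentifier,
 importForWebCryptoDecryptionMaterial,
-KeyringTraceFlag,
 KeyringWebCrypto,
 WebCryptoDecryptionMaterial,
 WebCryptoEncryptionMaterial,
@@ -193,14 +192,8 @@ describe('committing algorithm test', () => {
 }
 async _onDecrypt(material: WebCryptoDecryptionMaterial) {
 const unencryptedDataKey = dataKey
-const trace = {
-keyNamespace: 'k',
-keyName: 'k',
-flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-}
-
 return importForWebCryptoDecryptionMaterial(
-material.setUnencryptedDataKey(unencryptedDataKey, trace)
+material.setUnencryptedDataKey(unencryptedDataKey)
 )
 }
 }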

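--- a/modules/decrypt-browser/test/fixtures.ts
+++ b/modules/decrypt-browser/test/fixtures.ts
@@ -7,7 +7,6 @@ import {
 WebCryptoDecryptionMaterial,
 WebCryptoEncryptionMaterial,
 KeyringWebCrypto,
-KeyringTraceFlag,
 importForWebCryptoDecryptionMaterial,
 } from '@aws-crypto/material-management-browser'
 
@@ -258,13 +257,8 @@ class TestKeyring extends KeyringWebCrypto {
 const unencryptedDataKey = new Uint8Array(
 material.suite.keyLengthBytes
 ).fill(0)
-const trace = {
-keyNamespace: 'k',
-keyName: 'k',
-flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-}
 return importForWebCryptoDecryptionMaterial(
-material.setUnencryptedDataKey(unencryptedDataKey, trace)
+material.setUnencryptedDataKey(unencryptedDataKey)
 )
 }
 }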

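--- a/modules/decrypt-node/test/compatibility.test.ts
+++ b/modules/decrypt-node/test/compatibility.test.ts
@@ -7,7 +7,6 @@ import * as chai from 'chai'
 import chaiAsPromised from 'chai-as-promised'
 import {
 KeyringNode,
-KeyringTraceFlag,
 NodeDecryptionMaterial,
 NodeEncryptionMaterial,
 } from '@aws-crypto/material-management-node'
@@ -79,12 +78,7 @@ describe('committing algorithm test', () => {
 }
 async _onDecrypt(material: NodeDecryptionMaterial) {
 const unencryptedDataKey = dataKey
-const trace = {
-keyNamespace: 'k',
-keyName: 'k',
-flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-}
-return material.setUnencryptedDataKey(unencryptedDataKey, trace)
+return material.setUnencryptedDataKey(unencryptedDataKey)
 }
 })()
 }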

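--- a/modules/decrypt-node/test/fixtures.ts
+++ b/modules/decrypt-node/test/fixtures.ts
@@ -7,7 +7,6 @@ import {
 NodeDecryptionMaterial,
 NodeEncryptionMaterial,
 KeyringNode,
-KeyringTraceFlag,
 } from '@aws-crypto/material-management-node'
 
 export function base64CiphertextAlgAes256GcmIv12Tag16HkdfSha384EcdsaP384() {
@@ -71,12 +70,8 @@ export function decryptKeyring() {
 const unencryptedDataKey = new Uint8Array(
 material.suite.keyLengthBytes
 ).fill(0)
-const trace = {
-keyNamespace: 'k',
-keyName: 'k',
-flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-}
-return material.setUnencryptedDataKey(unencryptedDataKey, trace)
+
+return material.setUnencryptedDataKey(unencryptedDataKey)
 }
 }
 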
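--- a/modules/encrypt-browser/test/encrypt.test.ts
+++ b/modules/encrypt-browser/test/encrypt.test.ts
@@ -10,7 +10,6 @@ import {
 WebCryptoEncryptionMaterial,
 KeyringWebCrypto,
 EncryptedDataKey,
-KeyringTraceFlag,
 WebCryptoAlgorithmSuite,
 importForWebCryptoEncryptionMaterial,
 CommitmentPolicy,
@@ -54,17 +53,10 @@ describe('encrypt structural testing', () => {
 const unencryptedDataKey = new Uint8Array(
 material.suite.keyLengthBytes
 ).fill(0)
-const trace = {
-keyNamespace: 'k',
-keyName: 'k',
-flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-}
+
 material
-.setUnencryptedDataKey(unencryptedDataKey, trace)
-.addEncryptedDataKey(
-edk,
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-)
+.setUnencryptedDataKey(unencryptedDataKey)
+.addEncryptedDataKey(edk)
 return importForWebCryptoEncryptionMaterial(material)
 }
 async _onDecrypt(): Promise<WebCryptoDecryptionMaterial> {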

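--- a/modules/encrypt-node/test/encrypt.test.ts
+++ b/modules/encrypt-node/test/encrypt.test.ts
@@ -10,7 +10,6 @@ import {
 NodeEncryptionMaterial,
 KeyringNode,
 EncryptedDataKey,
-KeyringTraceFlag,
 AlgorithmSuiteIdentifier,
 NodeAlgorithmSuite,
 CommitmentPolicy,
@@ -61,17 +60,10 @@ describe('encrypt structural testing', () => {
 const unencryptedDataKey = new Uint8Array(
 material.suite.keyLengthBytes
 ).fill(0)
-const trace = {
-keyNamespace: 'k',
-keyName: 'k',
-flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-}
+
 return material
-.setUnencryptedDataKey(unencryptedDataKey, trace)
-.addEncryptedDataKey(
-edk,
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-)
+.setUnencryptedDataKey(unencryptedDataKey)
+.addEncryptedDataKey(edk)
 }
 async _onDecrypt(): Promise<NodeDecryptionMaterial> {
 throw new Error('I should never see this error')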

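--- a/modules/kms-keyring/src/kms_keyring.ts
+++ b/modules/kms-keyring/src/kms_keyring.ts
@@ -9,8 +9,6 @@ import {
 EncryptionMaterial,
 DecryptionMaterial,
 SupportedAlgorithmSuites,
-KeyringTrace,
-KeyringTraceFlag,
 EncryptedDataKey,
 immutableClass,
 readOnlyProperty,
@@ -183,26 +181,12 @@ export function KmsKeyringClass<
 if (!dataKey)
 throw new Error('Generator KMS key did not generate a data key')
 
-const flags =
-KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY |
-KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX |
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-const trace: KeyringTrace = {
-keyNamespace: KMS_PROVIDER_ID,
-keyName: dataKey.KeyId,
-flags,
-}
-
 material
 /* Postcondition: The generated unencryptedDataKey length must match the algorithm specification.
 * See cryptographic_materials as setUnencryptedDataKey will throw in this case.
 */
-.setUnencryptedDataKey(dataKey.Plaintext, trace)
-.addEncryptedDataKey(
-kmsResponseToEncryptedDataKey(dataKey),
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY |
-KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX
-)
+.setUnencryptedDataKey(dataKey.Plaintext)
+.addEncryptedDataKey(kmsResponseToEncryptedDataKey(dataKey))
 } else if (generatorKeyId) {
 keyIds.unshift(generatorKeyId)
 }
@@ -213,9 +197,6 @@ export function KmsKeyringClass<
 */
 const unencryptedDataKey = unwrapDataKey(material.getUnencryptedDataKey())
 
-const flags =
-KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY |
-KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX
 for (const kmsKey of keyIds) {
 const kmsEDK = await encrypt(
 clientProvider,
@@ -227,10 +208,7 @@ export function KmsKeyringClass<
 
 /* clientProvider may not return a client, in this case there is not an EDK to add */
 if (kmsEDK)
-material.addEncryptedDataKey(
-kmsResponseToEncryptedDataKey(kmsEDK),
-flags
-)
+material.addEncryptedDataKey(kmsResponseToEncryptedDataKey(kmsEDK))
 }
 
 return material
@@ -280,19 +258,10 @@ export function KmsKeyringClass<
 'KMS Decryption key does not match serialized provider.'
 )
 
-const flags =
-KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY |
-KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
-const trace: KeyringTrace = {
-keyNamespace: KMS_PROVIDER_ID,
-keyName: dataKey.KeyId,
-flags,
-}
-
 /* Postcondition: The decrypted unencryptedDataKey length must match the algorithm specification.
 * See cryptographic_materials as setUnencryptedDataKey will throw in this case.
 */
-material.setUnencryptedDataKey(dataKey.Plaintext, trace)
+material.setUnencryptedDataKey(dataKey.Plaintext)
 return material
 }
 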