feat!: Drop Support & Dependency on AWS SDK V2

BREAKING CHANGE:
The AWS Encryption SDK for JavaScript:
- does not supports the AWS SDK for JavaScript V2
- requires the AWS SDK for JavaScript V3's kms-client
  (if using the KMS Keyring).

Author: texastony

modules/integration-browser/package.json

@@ -19,10 +19,10 @@
   "dependencies": {
     "@aws-crypto/client-browser": "file:../client-browser",
     "@aws-crypto/integration-vectors": "file:../integration-vectors",
-    "@aws-sdk/credential-provider-node": "^3.11.0",
-    "@aws-sdk/karma-credential-loader": "3.38.0",
-    "@aws-sdk/util-base64-browser": "^3.10.0",
-    "@aws-sdk/util-utf8-browser": "3.23.0",
+    "@aws-sdk/credential-provider-node": "^3.362.0",
+    "@aws-sdk/karma-credential-loader": "^3.38.0",
+    "@aws-sdk/util-base64-browser": "^3.209.0",
+    "@aws-sdk/util-utf8-browser": "^3.23.0",
     "@trust/keyto": "^1.0.1",
     "@types/got": "^9.6.9",
     "@types/stream-to-promise": "^2.2.0",

modules/kms-keyring-browser/package.json

@@ -22,7 +22,6 @@
     "@aws-crypto/kms-keyring": "file:../kms-keyring",
     "@aws-crypto/material-management-browser": "file:../material-management-browser",
     "@aws-crypto/web-crypto-backend": "file:../web-crypto-backend",
-    "aws-sdk": "^2.650.0",
     "tslib": "^2.2.0"
   },
   "sideEffects": false,

modules/kms-keyring-browser/src/kms_keyring_browser.ts

@@ -23,7 +23,7 @@ import {
   KeyringWebCrypto,
   Newable,
 } from '@aws-crypto/material-management-browser'
-import { KMS } from 'aws-sdk'
+import { KMS, KMSClientConfig } from '@aws-sdk/client-kms'
 import { version } from './version'
 const getKmsClient = getClient(KMS, {
   customUserAgent: `AwsEncryptionSdkJavascriptBrowser/${version}`,
@@ -33,10 +33,7 @@ const cacheKmsClients = cacheClients(getKmsClient)
 export type KmsKeyringWebCryptoInput = Partial<
   KmsKeyringInput<AwsEsdkKMSInterface>
 >
-export type KMSWebCryptoConstructible = KMSConstructible<
-  KMS,
-  KMS.ClientConfiguration
->
+export type KMSWebCryptoConstructible = KMSConstructible<KMS, KMSClientConfig>
 export type KmsWebCryptoClientSupplier = KmsClientSupplier<AwsEsdkKMSInterface>
 
 export class KmsKeyringBrowser extends KmsKeyringClass<

modules/kms-keyring-browser/test/kms_keyring_browser.test.ts

@@ -6,7 +6,6 @@
 import * as chai from 'chai'
 import chaiAsPromised from 'chai-as-promised'
 import { KmsKeyringBrowser, getClient } from '../src/index'
-import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 import {
   KeyringWebCrypto,
@@ -30,7 +29,7 @@ describe('KmsKeyringBrowser::constructor', () => {
     const keyArn =
       'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
     const keyIds = [keyArn]
-    const clientProvider = getClient(V2KMS, { credentials })
+    const clientProvider = getClient(V3KMS, { credentials })
 
     const test = new KmsKeyringBrowser({
       clientProvider,
@@ -51,46 +50,6 @@ describe('KmsKeyringBrowser::constructor', () => {
   })
 })
 
-describe('KmsKeyringBrowser can encrypt/decrypt with AWS SDK v2 client', () => {
-  const generatorKeyId =
-    'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
-  const keyArn =
-    'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
-  const keyIds = [keyArn]
-  const clientProvider = getClient(V2KMS, { credentials })
-  const keyring = new KmsKeyringBrowser({
-    clientProvider,
-    generatorKeyId,
-    keyIds,
-  })
-  let encryptedDataKey: EncryptedDataKey
-
-  it('can encrypt and create unencrypted data key', async () => {
-    const suite = new WebCryptoAlgorithmSuite(
-      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-    )
-    const material = new WebCryptoEncryptionMaterial(suite, {})
-    const test = await keyring.onEncrypt(material)
-    expect(test.hasValidKey()).to.equal(true)
-    const udk = test.getUnencryptedDataKey()
-    expect(udk).to.have.lengthOf(suite.keyLengthBytes)
-    expect(test.encryptedDataKeys).to.have.lengthOf(2)
-    const [edk] = test.encryptedDataKeys
-    encryptedDataKey = edk
-  })
-
-  it('can decrypt an EncryptedDataKey', async () => {
-    const suite = new WebCryptoAlgorithmSuite(
-      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-    )
-    const material = new WebCryptoDecryptionMaterial(suite, {})
-    const test = await keyring.onDecrypt(material, [encryptedDataKey])
-    expect(test.hasValidKey()).to.equal(true)
-    // The UnencryptedDataKey should be zeroed, because the cryptoKey has been set
-    expect(() => test.getUnencryptedDataKey()).to.throw()
-  })
-})
-
 describe('KmsKeyringBrowser can encrypt/decrypt with AWS SDK v3 client', () => {
   const generatorKeyId =
     'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'

modules/kms-keyring-browser/test/kms_mrk_discovery_keyring_browser.test.ts

@@ -16,7 +16,6 @@ import {
   AlgorithmSuiteIdentifier,
   WebCryptoDecryptionMaterial,
 } from '@aws-crypto/material-management-browser'
-import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 
 chai.use(chaiAsPromised)
@@ -57,54 +56,6 @@ describe('AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser::constructor', () => {
 /* Injected from @aws-sdk/karma-credential-loader. */
 declare const credentials: any
 
-describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v2 client', () => {
-  const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
-
-  const eastKeyId =
-    'arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'
-  const grantTokens = ['grant']
-  const encryptionContext = { some: 'context' }
-  const suite = new WebCryptoAlgorithmSuite(
-    AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-  )
-
-  const keyring = new AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser({
-    // Note the difference in the region from the keyId
-    client: new V2KMS({ region: 'us-west-2', credentials }),
-    discoveryFilter,
-    grantTokens,
-  })
-
-  it('throws an error on encrypt', async () => {
-    const material = new WebCryptoEncryptionMaterial(suite, encryptionContext)
-    return expect(keyring.onEncrypt(material)).to.rejectedWith(
-      Error,
-      'AwsKmsMrkAwareSymmetricDiscoveryKeyring cannot be used to encrypt'
-    )
-  })
-
-  it('can decrypt an EncryptedDataKey', async () => {
-    const encryptKeyring = new AwsKmsMrkAwareSymmetricKeyringBrowser({
-      client: new V2KMS({ region: 'us-east-1', credentials }),
-      keyId: eastKeyId,
-      grantTokens,
-    })
-    const encryptMaterial = await encryptKeyring.onEncrypt(
-      new WebCryptoEncryptionMaterial(suite, encryptionContext)
-    )
-    const [edk] = encryptMaterial.encryptedDataKeys
-
-    const material = await keyring.onDecrypt(
-      new WebCryptoDecryptionMaterial(suite, encryptionContext),
-      [edk]
-    )
-    const test = await keyring.onDecrypt(material, [edk])
-    expect(test.hasValidKey()).to.equal(true)
-    // The UnencryptedDataKey should be zeroed, because the cryptoKey has been set
-    expect(() => test.getUnencryptedDataKey()).to.throw()
-  })
-})
-
 describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v3 client', () => {
   const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
 

modules/kms-keyring-browser/test/kms_mrk_keyring_browser.test.ts

@@ -15,7 +15,6 @@ import {
   WebCryptoDecryptionMaterial,
   KeyringTraceFlag,
 } from '@aws-crypto/material-management-browser'
-import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 
 chai.use(chaiAsPromised)
@@ -51,69 +50,6 @@ describe('AwsKmsMrkAwareSymmetricKeyringBrowser::constructor', () => {
 /* Injected from @aws-sdk/karma-credential-loader. */
 declare const credentials: any
 
-describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v2 client', () => {
-  const westKeyId =
-    'arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'
-  const eastKeyId =
-    'arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'
-  const grantTokens = ['grant']
-  const encryptionContext = { some: 'context' }
-  const suite = new WebCryptoAlgorithmSuite(
-    AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-  )
-
-  const encryptKeyring = new AwsKmsMrkAwareSymmetricKeyringBrowser({
-    client: new V2KMS({ region: 'us-west-2', credentials }),
-    keyId: westKeyId,
-    grantTokens,
-  })
-  const decryptKeyring = new AwsKmsMrkAwareSymmetricKeyringBrowser({
-    client: new V2KMS({ region: 'us-east-1', credentials }),
-    keyId: eastKeyId,
-    grantTokens,
-  })
-  let encryptedDataKey: EncryptedDataKey
-
-  it('can encrypt and create unencrypted data key', async () => {
-    const material = new WebCryptoEncryptionMaterial(suite, encryptionContext)
-    const test = await encryptKeyring.onEncrypt(material)
-    expect(test.hasValidKey()).to.equal(true)
-    const udk = test.getUnencryptedDataKey()
-    expect(udk).to.have.lengthOf(suite.keyLengthBytes)
-    expect(test.encryptedDataKeys).to.have.lengthOf(1)
-    const [edk] = test.encryptedDataKeys
-    encryptedDataKey = edk
-  })
-
-  it('can encrypt a pre-existing plaintext data key', async () => {
-    const seedMaterial = new WebCryptoEncryptionMaterial(
-      suite,
-      encryptionContext
-    ).setUnencryptedDataKey(new Uint8Array(suite.keyLengthBytes), {
-      keyName: 'keyName',
-      keyNamespace: 'keyNamespace',
-      flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-    })
-    const encryptTest = await encryptKeyring.onEncrypt(seedMaterial)
-    expect(encryptTest.hasValidKey()).to.equal(true)
-    expect(encryptTest.encryptedDataKeys).to.have.lengthOf(1)
-    const [kmsEDK] = encryptTest.encryptedDataKeys
-    expect(kmsEDK.providerId).to.equal('aws-kms')
-    expect(kmsEDK.providerInfo).to.equal(westKeyId)
-  })
-
-  it('can decrypt an EncryptedDataKey', async () => {
-    const suite = new WebCryptoAlgorithmSuite(
-      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-    )
-    const material = new WebCryptoDecryptionMaterial(suite, encryptionContext)
-    const test = await decryptKeyring.onDecrypt(material, [encryptedDataKey])
-    expect(test.hasValidKey()).to.equal(true)
-    // The UnencryptedDataKey should be zeroed, because the cryptoKey has been set
-    expect(() => test.getUnencryptedDataKey()).to.throw()
-  })
-})
-
 describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v3 client', () => {
   const westKeyId =
     'arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'

modules/kms-keyring-node/package.json

@@ -21,7 +21,7 @@
   "dependencies": {
     "@aws-crypto/kms-keyring": "file:../kms-keyring",
     "@aws-crypto/material-management-node": "file:../material-management-node",
-    "aws-sdk": "^2.650.0",
+    "@aws-sdk/client-kms": "^3.362.0",
     "tslib": "^2.2.0"
   },
   "sideEffects": false,

modules/kms-keyring-node/src/kms_keyring_node.ts

@@ -18,18 +18,15 @@ import {
   Newable,
   NodeAlgorithmSuite,
 } from '@aws-crypto/material-management-node'
-import { KMS } from 'aws-sdk'
+import { KMS, KMSClientConfig } from '@aws-sdk/client-kms'
 import { version } from './version'
 const getKmsClient = getClient(KMS, {
   customUserAgent: `AwsEncryptionSdkJavascriptNodejs/${version}`,
 })
 const cacheKmsClients = cacheClients(getKmsClient)
 
 export type KmsKeyringNodeInput = Partial<KmsKeyringInput<AwsEsdkKMSInterface>>
-export type KMSNodeConstructible = KMSConstructible<
-  KMS,
-  KMS.ClientConfiguration
->
+export type KMSNodeConstructible = KMSConstructible<KMS, KMSClientConfig>
 export type KmsNodeClientSupplier = KmsClientSupplier<AwsEsdkKMSInterface>
 
 export class KmsKeyringNode extends KmsKeyringClass<

modules/kms-keyring-node/test/kms_keyring_node.test.ts

@@ -5,7 +5,6 @@
 
 import { expect } from 'chai'
 import { KmsKeyringNode, getClient } from '../src/index'
-import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 import {
   KeyringNode,
@@ -40,44 +39,6 @@ describe('KmsKeyringNode::constructor', () => {
   })
 })
 
-describe('KmsKeyringNode can encrypt/decrypt with AWS SDK v2 client', () => {
-  const generatorKeyId =
-    'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
-  const keyArn =
-    'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
-  const keyIds = [keyArn]
-
-  const clientProvider = getClient(V2KMS)
-
-  const keyring = new KmsKeyringNode({ clientProvider, generatorKeyId, keyIds })
-  let encryptedDataKey: EncryptedDataKey
-  let udk: Uint8Array
-
-  it('can encrypt and create unencrypted data key', async () => {
-    const suite = new NodeAlgorithmSuite(
-      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-    )
-    const material = new NodeEncryptionMaterial(suite, {})
-    const test = await keyring.onEncrypt(material)
-    expect(test.hasValidKey()).to.equal(true)
-    udk = unwrapDataKey(test.getUnencryptedDataKey())
-    expect(udk).to.have.lengthOf(suite.keyLengthBytes)
-    expect(test.encryptedDataKeys).to.have.lengthOf(2)
-    const [edk] = test.encryptedDataKeys
-    encryptedDataKey = edk
-  })
-
-  it('can decrypt an EncryptedDataKey', async () => {
-    const suite = new NodeAlgorithmSuite(
-      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-    )
-    const material = new NodeDecryptionMaterial(suite, {})
-    const test = await keyring.onDecrypt(material, [encryptedDataKey])
-    expect(test.hasValidKey()).to.equal(true)
-    expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal(udk)
-  })
-})
-
 describe('KmsKeyringNode can encrypt/decrypt with AWS SDK v3 client', () => {
   const generatorKeyId =
     'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'

modules/kms-keyring-node/test/kms_mrk_discovery_keyring_node.test.ts

@@ -17,7 +17,6 @@ import {
 } from '@aws-crypto/material-management-node'
 chai.use(chaiAsPromised)
 const { expect } = chai
-import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 
 describe('AwsKmsMrkAwareSymmetricKeyringNode::constructor', () => {
@@ -52,54 +51,6 @@ describe('AwsKmsMrkAwareSymmetricKeyringNode::constructor', () => {
   })
 })
 
-describe('AwsKmsMrkAwareSymmetricDiscoveryKeyringNode can encrypt/decrypt with AWS SDK v2 client', () => {
-  const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
-  const keyId =
-    'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
-  const grantTokens = ['grant']
-  const encryptionContext = { some: 'context' }
-  const suite = new NodeAlgorithmSuite(
-    AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-  )
-  const client = new V2KMS({ region: 'us-west-2' })
-
-  const keyring = new AwsKmsMrkAwareSymmetricDiscoveryKeyringNode({
-    client,
-    discoveryFilter,
-    grantTokens,
-  })
-  it('throws an error on encrypt', async () => {
-    const material = new NodeEncryptionMaterial(suite, encryptionContext)
-    await expect(keyring.onEncrypt(material)).to.rejectedWith(
-      Error,
-      'AwsKmsMrkAwareSymmetricDiscoveryKeyring cannot be used to encrypt'
-    )
-  })
-
-  it('can decrypt an EncryptedDataKey', async () => {
-    const { CiphertextBlob } = await client
-      .generateDataKey({
-        KeyId: keyId,
-        NumberOfBytes: suite.keyLengthBytes,
-        EncryptionContext: encryptionContext,
-      })
-      .promise()
-    needs(Buffer.isBuffer(CiphertextBlob), 'never')
-    const edk = new EncryptedDataKey({
-      providerId: 'aws-kms',
-      providerInfo: keyId,
-      encryptedDataKey: new Uint8Array(CiphertextBlob),
-    })
-
-    const material = await keyring.onDecrypt(
-      new NodeDecryptionMaterial(suite, encryptionContext),
-      [edk]
-    )
-    const decryptTest = await keyring.onDecrypt(material, [edk])
-    expect(decryptTest.hasValidKey()).to.equal(true)
-  })
-})
-
 describe('AwsKmsMrkAwareSymmetricDiscoveryKeyringNode can encrypt/decrypt with AWS SDK v3 client', () => {
   const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
   const keyId =