feat: Suport Node.js crypto KeyObjects #200
Conversation
resolves aws#74 KeyObjects were introduced in Node.js v11. They wrap the Buffer in an object that has even better security properties than an isolated buffer.
| @@ -212,10 +216,17 @@ export function nodeKdf (material: NodeEncryptionMaterial|NodeDecryptionMaterial | |||
| info instanceof Uint8Array, | |||
| 'Invalid HKDF values.' | |||
| ) | |||
| /* The unwrap is done once we *know* that a KDF in required. | |||
| @@ -65,3 +65,27 @@ export type DecryptionMaterial<Suite> = | |||
| Suite extends NodeAlgorithmSuite ? NodeDecryptionMaterial : | |||
| Suite extends WebCryptoAlgorithmSuite ? WebCryptoDecryptionMaterial : | |||
| never | |||
|
|
|||
| export type AwsEsdkKeyObjectType = 'secret' | 'public' | 'private' | |||
There was a problem hiding this comment.
What is the purpose of these exports?
There was a problem hiding this comment.
Need to add comments. Sorry. This is because there are different versions of Node.js. If I use/export the v11/v12 version then Typescript will complain if consumers of this package use any other version of Node.js (and we must support older versions.)
| @@ -163,7 +180,14 @@ describe('decorateCryptographicMaterial', () => { | |||
| material.setUnencryptedDataKey(dataKey, { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY }) | |||
| const test = material.getUnencryptedDataKey() | |||
| test[0] = 12 | |||
| expect(() => material.getUnencryptedDataKey()).to.throw() | |||
There was a problem hiding this comment.
If I understand the code below, we are testing that one way to try to modify a KeyObject udk doesn't work. The purpose of this test should be to test that if it does get modified, then we fail. If it should be impossible to modify the KeyObject, then perhaps the below is fine for the KeyObject case, however I still think we should check that is the udk is not a KeyObject then it still correctly fails if modified.
There was a problem hiding this comment.
In the non-KeyObject case getUnencryptedDataKey will throw before the dataKey is even returned. In this case we are dealing with Uint8Array (raw memory). The cryptographic material keeps an independent copy of the dataKey and compares it to the dataKey that it is going to return.
This is because all returned instances are references to the same memory so anyone could have manipulated the memory.
resolves #74
KeyObjects were introduced in Node.js v11.
They wrap the Buffer in an object that has
even better security properties than an isolated buffer.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: