From 7be9c654ff02c4c1a50ec61809f7c45fd048300c Mon Sep 17 00:00:00 2001 From: seebees Date: Tue, 4 Aug 2020 17:39:52 -0700 Subject: [PATCH 1/4] fix!: Remove Keyring Trace resolves: #351 As outlined the intention of the keyring trace is better satisfied by constructing correct keyrings and CMMs. BREAKING CHANGE: - Remove trace from all cryptographic materials. - Remove KeyringTrace exports --- ...cryptographic_materials_decorators.test.ts | 60 +--- modules/decrypt-browser/test/fixtures.ts | 8 +- modules/decrypt-node/test/fixtures.ts | 9 +- modules/encrypt-browser/test/encrypt.test.ts | 14 +- modules/encrypt-node/test/encrypt.test.ts | 14 +- modules/kms-keyring/src/kms_keyring.ts | 39 +-- .../test/kms_keyring.ondecrypt.test.ts | 25 -- .../test/kms_keyring.onencrypt.test.ts | 56 +-- .../material-management-browser/src/index.ts | 2 - .../src/keyring_helpers.ts | 5 +- ...er_cryptographic_materials_manager.test.ts | 63 +--- .../test/keyring_helpers.test.ts | 16 +- .../test/material_helpers.test.ts | 269 ++++----------- modules/material-management-node/src/index.ts | 2 - .../test/material_helpers.test.ts | 96 ++---- ...de_cryptographic_materials_manager.test.ts | 17 +- .../src/clone_cryptographic_material.ts | 37 +- .../src/cryptographic_material.ts | 152 ++------- modules/material-management/src/index.ts | 1 - .../material-management/src/keyring_trace.ts | 86 ----- .../test/clone_cryptographic_material.test.ts | 102 +----- .../test/cryptographic_material.test.ts | 320 ++---------------- .../material-management/test/keyring.test.ts | 16 +- .../test/multi_keyring.test.ts | 107 ++---- .../src/raw_aes_keyring_browser.ts | 54 +-- .../src/raw_aes_keyring_node.ts | 44 +-- modules/raw-keyring/src/raw_aes_material.ts | 31 +- .../raw-keyring/src/raw_keyring_decorators.ts | 9 +- .../test/raw_keyring_decorators.test.ts | 33 +- .../src/raw_rsa_keyring_web_crypto.ts | 17 +- .../src/raw_rsa_keyring_node.ts | 13 +- 31 files changed, 272 insertions(+), 1445 deletions(-) delete mode 100644 modules/material-management/src/keyring_trace.ts diff --git a/modules/cache-material/test/caching_cryptographic_materials_decorators.test.ts b/modules/cache-material/test/caching_cryptographic_materials_decorators.test.ts index 6a6fae299..5dbb85e11 100644 --- a/modules/cache-material/test/caching_cryptographic_materials_decorators.test.ts +++ b/modules/cache-material/test/caching_cryptographic_materials_decorators.test.ts @@ -17,7 +17,6 @@ import { createHash } from 'crypto' import { NodeAlgorithmSuite, AlgorithmSuiteIdentifier, - KeyringTraceFlag, EncryptedDataKey, NodeEncryptionMaterial, NodeDecryptionMaterial, @@ -202,37 +201,22 @@ describe('Cryptographic Material Functions', () => { 15, 16, ]) - const encryptTrace = { - keyNamespace: 'keyNamespace', - keyName: 'keyName', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - const decryptTrace = { - keyNamespace: 'keyNamespace', - keyName: 'keyName', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } const edk1 = new EncryptedDataKey({ providerId: 'keyNamespace', providerInfo: 'keyName', encryptedDataKey: new Uint8Array([1]), }) - const edk2 = new EncryptedDataKey({ - providerId: 'p2', - providerInfo: 'pi2', - encryptedDataKey: new Uint8Array([2]), - }) - const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {}) - .setUnencryptedDataKey(udk128, encryptTrace) - .addEncryptedDataKey(edk1, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) - .addEncryptedDataKey(edk2, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) + const encryptionMaterial = new NodeEncryptionMaterial( + nodeSuite, + {} + ).setUnencryptedDataKey(udk128) const decryptionMaterial = new NodeDecryptionMaterial( nodeSuite, {} - ).setUnencryptedDataKey(udk128, decryptTrace) + ).setUnencryptedDataKey(udk128) const context = {} @@ -392,11 +376,6 @@ describe('Cryptographic Material Functions', () => { 15, 16, ]) - const encryptTrace = { - keyNamespace: 'keyNamespace', - keyName: 'keyName', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } const edk1 = new EncryptedDataKey({ providerId: 'keyNamespace', @@ -410,15 +389,9 @@ describe('Cryptographic Material Functions', () => { }) const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {}) - .setUnencryptedDataKey(udk128, encryptTrace) - .addEncryptedDataKey( - edk1, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - .addEncryptedDataKey( - edk2, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + .setUnencryptedDataKey(udk128) + .addEncryptedDataKey(edk1) + .addEncryptedDataKey(edk2) const testCMM = { _partition, @@ -482,11 +455,6 @@ describe('Cryptographic Material Functions', () => { 15, 16, ]) - const encryptTrace = { - keyNamespace: 'keyNamespace', - keyName: 'keyName', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } const edk1 = new EncryptedDataKey({ providerId: 'keyNamespace', @@ -500,15 +468,9 @@ describe('Cryptographic Material Functions', () => { }) const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {}) - .setUnencryptedDataKey(udk128, encryptTrace) - .addEncryptedDataKey( - edk1, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - .addEncryptedDataKey( - edk2, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + .setUnencryptedDataKey(udk128) + .addEncryptedDataKey(edk1) + .addEncryptedDataKey(edk2) const testCMM = { _partition, diff --git a/modules/decrypt-browser/test/fixtures.ts b/modules/decrypt-browser/test/fixtures.ts index 1b76e9ed2..b20fa9dc2 100644 --- a/modules/decrypt-browser/test/fixtures.ts +++ b/modules/decrypt-browser/test/fixtures.ts @@ -7,7 +7,6 @@ import { WebCryptoDecryptionMaterial, WebCryptoEncryptionMaterial, KeyringWebCrypto, - KeyringTraceFlag, importForWebCryptoDecryptionMaterial, } from '@aws-crypto/material-management-browser' @@ -6359,13 +6358,8 @@ class TestKeyring extends KeyringWebCrypto { const unencryptedDataKey = new Uint8Array( material.suite.keyLengthBytes ).fill(0) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } return importForWebCryptoDecryptionMaterial( - material.setUnencryptedDataKey(unencryptedDataKey, trace) + material.setUnencryptedDataKey(unencryptedDataKey) ) } } diff --git a/modules/decrypt-node/test/fixtures.ts b/modules/decrypt-node/test/fixtures.ts index ba938879d..658a9414b 100644 --- a/modules/decrypt-node/test/fixtures.ts +++ b/modules/decrypt-node/test/fixtures.ts @@ -7,7 +7,6 @@ import { NodeDecryptionMaterial, NodeEncryptionMaterial, KeyringNode, - KeyringTraceFlag, } from '@aws-crypto/material-management-node' export function base64CiphertextAlgAes256GcmIv12Tag16HkdfSha384EcdsaP384() { @@ -71,12 +70,8 @@ export function decryptKeyring() { const unencryptedDataKey = new Uint8Array( material.suite.keyLengthBytes ).fill(0) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - return material.setUnencryptedDataKey(unencryptedDataKey, trace) + + return material.setUnencryptedDataKey(unencryptedDataKey) } } diff --git a/modules/encrypt-browser/test/encrypt.test.ts b/modules/encrypt-browser/test/encrypt.test.ts index 2a50d584a..539ac20c4 100644 --- a/modules/encrypt-browser/test/encrypt.test.ts +++ b/modules/encrypt-browser/test/encrypt.test.ts @@ -10,7 +10,6 @@ import { WebCryptoEncryptionMaterial, KeyringWebCrypto, EncryptedDataKey, - KeyringTraceFlag, WebCryptoAlgorithmSuite, importForWebCryptoEncryptionMaterial, } from '@aws-crypto/material-management-browser' @@ -50,17 +49,10 @@ describe('encrypt structural testing', () => { const unencryptedDataKey = new Uint8Array( material.suite.keyLengthBytes ).fill(0) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } + material - .setUnencryptedDataKey(unencryptedDataKey, trace) - .addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + .setUnencryptedDataKey(unencryptedDataKey) + .addEncryptedDataKey(edk) return importForWebCryptoEncryptionMaterial(material) } async _onDecrypt(): Promise { diff --git a/modules/encrypt-node/test/encrypt.test.ts b/modules/encrypt-node/test/encrypt.test.ts index 95ba2ae25..18990faf5 100644 --- a/modules/encrypt-node/test/encrypt.test.ts +++ b/modules/encrypt-node/test/encrypt.test.ts @@ -10,7 +10,6 @@ import { NodeEncryptionMaterial, KeyringNode, EncryptedDataKey, - KeyringTraceFlag, AlgorithmSuiteIdentifier, NodeAlgorithmSuite, } from '@aws-crypto/material-management-node' @@ -56,17 +55,10 @@ describe('encrypt structural testing', () => { const unencryptedDataKey = new Uint8Array( material.suite.keyLengthBytes ).fill(0) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } + return material - .setUnencryptedDataKey(unencryptedDataKey, trace) - .addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + .setUnencryptedDataKey(unencryptedDataKey) + .addEncryptedDataKey(edk) } async _onDecrypt(): Promise { throw new Error('I should never see this error') diff --git a/modules/kms-keyring/src/kms_keyring.ts b/modules/kms-keyring/src/kms_keyring.ts index 5740f6e31..8c2826ee6 100644 --- a/modules/kms-keyring/src/kms_keyring.ts +++ b/modules/kms-keyring/src/kms_keyring.ts @@ -9,8 +9,6 @@ import { EncryptionMaterial, DecryptionMaterial, SupportedAlgorithmSuites, - KeyringTrace, - KeyringTraceFlag, EncryptedDataKey, immutableClass, readOnlyProperty, @@ -136,26 +134,12 @@ export function KmsKeyringClass< if (!dataKey) throw new Error('Generator KMS key did not generate a data key') - const flags = - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX | - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - const trace: KeyringTrace = { - keyNamespace: KMS_PROVIDER_ID, - keyName: dataKey.KeyId, - flags, - } - material /* Postcondition: The generated unencryptedDataKey length must match the algorithm specification. * See cryptographic_materials as setUnencryptedDataKey will throw in this case. */ - .setUnencryptedDataKey(dataKey.Plaintext, trace) - .addEncryptedDataKey( - kmsResponseToEncryptedDataKey(dataKey), - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX - ) + .setUnencryptedDataKey(dataKey.Plaintext) + .addEncryptedDataKey(kmsResponseToEncryptedDataKey(dataKey)) } else if (generatorKeyId) { keyIds.unshift(generatorKeyId) } @@ -166,9 +150,6 @@ export function KmsKeyringClass< */ const unencryptedDataKey = unwrapDataKey(material.getUnencryptedDataKey()) - const flags = - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX for (const kmsKey of keyIds) { const kmsEDK = await encrypt( clientProvider, @@ -180,10 +161,7 @@ export function KmsKeyringClass< /* clientProvider may not return a client, in this case there is not an EDK to add */ if (kmsEDK) - material.addEncryptedDataKey( - kmsResponseToEncryptedDataKey(kmsEDK), - flags - ) + material.addEncryptedDataKey(kmsResponseToEncryptedDataKey(kmsEDK)) } return material @@ -241,19 +219,10 @@ export function KmsKeyringClass< 'KMS Decryption key does not match serialized provider.' ) - const flags = - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX - const trace: KeyringTrace = { - keyNamespace: KMS_PROVIDER_ID, - keyName: dataKey.KeyId, - flags, - } - /* Postcondition: The decrypted unencryptedDataKey length must match the algorithm specification. * See cryptographic_materials as setUnencryptedDataKey will throw in this case. */ - material.setUnencryptedDataKey(dataKey.Plaintext, trace) + material.setUnencryptedDataKey(dataKey.Plaintext) return material } diff --git a/modules/kms-keyring/test/kms_keyring.ondecrypt.test.ts b/modules/kms-keyring/test/kms_keyring.ondecrypt.test.ts index fba2e50d9..965e7f706 100644 --- a/modules/kms-keyring/test/kms_keyring.ondecrypt.test.ts +++ b/modules/kms-keyring/test/kms_keyring.ondecrypt.test.ts @@ -9,7 +9,6 @@ import { KmsKeyringClass, KeyRingConstructible } from '../src/kms_keyring' import { NodeAlgorithmSuite, AlgorithmSuiteIdentifier, - KeyringTraceFlag, NodeDecryptionMaterial, EncryptedDataKey, Keyring, @@ -68,17 +67,6 @@ describe('KmsKeyring: _onDecrypt', () => { ) expect(material.hasUnencryptedDataKey).to.equal(true) - - expect(material.keyringTrace).to.have.lengthOf(1) - const [traceDecrypt] = material.keyringTrace - expect(traceDecrypt.keyNamespace).to.equal('aws-kms') - expect(traceDecrypt.keyName).to.equal(generatorKeyId) - expect( - traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY) - expect( - traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX) }) it('discovery keyring should return material', async () => { @@ -128,17 +116,6 @@ describe('KmsKeyring: _onDecrypt', () => { ) expect(material.hasUnencryptedDataKey).to.equal(true) - - expect(material.keyringTrace).to.have.lengthOf(1) - const [traceDecrypt] = material.keyringTrace - expect(traceDecrypt.keyNamespace).to.equal('aws-kms') - expect(traceDecrypt.keyName).to.equal(generatorKeyId) - expect( - traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY) - expect( - traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX) }) it('decrypt errors should not halt', async () => { @@ -193,7 +170,6 @@ describe('KmsKeyring: _onDecrypt', () => { ) expect(material.hasUnencryptedDataKey).to.equal(true) - expect(material.keyringTrace).to.have.lengthOf(1) }) it('Check for early return (Postcondition): clientProvider may not return a client.', async () => { @@ -232,7 +208,6 @@ describe('KmsKeyring: _onDecrypt', () => { ) expect(material.hasUnencryptedDataKey).to.equal(false) - expect(material.keyringTrace).to.have.lengthOf(0) }) it('Postcondition: The KeyId from KMS must match the encoded KeyID.', async () => { diff --git a/modules/kms-keyring/test/kms_keyring.onencrypt.test.ts b/modules/kms-keyring/test/kms_keyring.onencrypt.test.ts index c90543370..625d0444b 100644 --- a/modules/kms-keyring/test/kms_keyring.onencrypt.test.ts +++ b/modules/kms-keyring/test/kms_keyring.onencrypt.test.ts @@ -10,7 +10,6 @@ import { NodeAlgorithmSuite, AlgorithmSuiteIdentifier, NodeEncryptionMaterial, - KeyringTraceFlag, Keyring, } from '@aws-crypto/material-management' chai.use(chaiAsPromised) @@ -72,37 +71,6 @@ describe('KmsKeyring: _onEncrypt', () => { expect(edkGenerate.providerInfo).to.equal(generatorKeyId) expect(edkEncrypt.providerId).to.equal('aws-kms') expect(edkEncrypt.providerInfo).to.equal(encryptKmsKey) - - expect(material.keyringTrace).to.have.lengthOf(3) - const [traceGenerate, traceEncrypt1, traceEncrypt2] = material.keyringTrace - expect(traceGenerate.keyNamespace).to.equal('aws-kms') - expect(traceGenerate.keyName).to.equal(generatorKeyId) - expect( - traceGenerate.flags & KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY) - expect( - traceGenerate.flags & KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) - expect( - traceGenerate.flags & KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX) - - expect(traceEncrypt1.keyNamespace).to.equal('aws-kms') - expect(traceEncrypt1.keyName).to.equal(generatorKeyId) - expect( - traceEncrypt1.flags & KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) - expect( - traceEncrypt1.flags & KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX) - expect(traceEncrypt2.keyNamespace).to.equal('aws-kms') - expect(traceEncrypt2.keyName).to.equal(encryptKmsKey) - expect( - traceEncrypt2.flags & KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) - expect( - traceEncrypt2.flags & KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX) }) it('Check for early return (Postcondition): Discovery Keyrings do not encrypt.', async () => { @@ -261,11 +229,7 @@ describe('KmsKeyring: _onEncrypt', () => { const seedMaterial = new NodeEncryptionMaterial( suite, {} - ).setUnencryptedDataKey(new Uint8Array(suite.keyLengthBytes), { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - }) + ).setUnencryptedDataKey(new Uint8Array(suite.keyLengthBytes)) const material = await testKeyring.onEncrypt(seedMaterial) @@ -274,17 +238,6 @@ describe('KmsKeyring: _onEncrypt', () => { const [kmsEDK] = material.encryptedDataKeys expect(kmsEDK.providerId).to.equal('aws-kms') expect(kmsEDK.providerInfo).to.equal(generatorKeyId) - - expect(material.keyringTrace).to.have.lengthOf(2) - const [, kmsTrace] = material.keyringTrace - expect(kmsTrace.keyNamespace).to.equal('aws-kms') - expect(kmsTrace.keyName).to.equal(generatorKeyId) - expect( - kmsTrace.flags & KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) - expect( - kmsTrace.flags & KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX - ).to.equal(KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX) }) it('clientProvider may not return a client, in this case there is not an EDK to add', async () => { @@ -309,16 +262,11 @@ describe('KmsKeyring: _onEncrypt', () => { const seedMaterial = new NodeEncryptionMaterial( suite, {} - ).setUnencryptedDataKey(new Uint8Array(suite.keyLengthBytes), { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - }) + ).setUnencryptedDataKey(new Uint8Array(suite.keyLengthBytes)) const material = await testKeyring.onEncrypt(seedMaterial) // only setUnencryptedDataKey on seedMaterial expect(material.encryptedDataKeys).to.have.lengthOf(0) - expect(material.keyringTrace).to.have.lengthOf(1) }) }) diff --git a/modules/material-management-browser/src/index.ts b/modules/material-management-browser/src/index.ts index 664b50ec8..8eb62df48 100644 --- a/modules/material-management-browser/src/index.ts +++ b/modules/material-management-browser/src/index.ts @@ -13,8 +13,6 @@ export { EncryptionContext, EncryptedDataKey, KeyringWebCrypto, - KeyringTrace, - KeyringTraceFlag, needs, MixedBackendCryptoKey, MultiKeyringWebCrypto, diff --git a/modules/material-management-browser/src/keyring_helpers.ts b/modules/material-management-browser/src/keyring_helpers.ts index ba1a96436..8b1d9f6d7 100644 --- a/modules/material-management-browser/src/keyring_helpers.ts +++ b/modules/material-management-browser/src/keyring_helpers.ts @@ -44,8 +44,5 @@ export async function importCryptoKeyToMaterial>( ) { const backend = await getWebCryptoBackend() const cryptoKey = await importCryptoKey(backend, material) - // The trace is only set when the material does not already have - // an hasUnencryptedDataKey. This is an implementation detail :( - const [trace] = material.keyringTrace - return material.setCryptoKey(cryptoKey, trace) + return material.setCryptoKey(cryptoKey) } diff --git a/modules/material-management-browser/test/browser_cryptographic_materials_manager.test.ts b/modules/material-management-browser/test/browser_cryptographic_materials_manager.test.ts index 2fc60b0ac..19c91fbfb 100644 --- a/modules/material-management-browser/test/browser_cryptographic_materials_manager.test.ts +++ b/modules/material-management-browser/test/browser_cryptographic_materials_manager.test.ts @@ -16,7 +16,6 @@ import { KeyringWebCrypto, WebCryptoAlgorithmSuite, AlgorithmSuiteIdentifier, - KeyringTraceFlag, EncryptedDataKey, } from '@aws-crypto/material-management' import { ENCODED_SIGNER_KEY } from '@aws-crypto/serialize' @@ -213,22 +212,12 @@ describe('WebCryptoDefaultCryptographicMaterialsManager', () => { material: WebCryptoEncryptionMaterial ): Promise { const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } const edk = new EncryptedDataKey({ providerId: ' keyNamespace', providerInfo: 'keyName', encryptedDataKey: new Uint8Array(5), }) - material - .setUnencryptedDataKey(udk, trace) - .addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + material.setUnencryptedDataKey(udk).addEncryptedDataKey(edk) return importForWebCryptoEncryptionMaterial(material) } @@ -263,22 +252,13 @@ describe('WebCryptoDefaultCryptographicMaterialsManager', () => { material: WebCryptoEncryptionMaterial ): Promise { const udk = synchronousRandomValues(material.suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } + const edk = new EncryptedDataKey({ providerId: ' keyNamespace', providerInfo: 'keyName', encryptedDataKey: new Uint8Array(5), }) - material - .setUnencryptedDataKey(udk, trace) - .addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + material.setUnencryptedDataKey(udk).addEncryptedDataKey(edk) return importForWebCryptoEncryptionMaterial(material) } @@ -331,22 +311,13 @@ describe('WebCryptoDefaultCryptographicMaterialsManager', () => { material: WebCryptoEncryptionMaterial ): Promise { const udk = synchronousRandomValues(material.suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } + const edk = new EncryptedDataKey({ providerId: ' keyNamespace', providerInfo: 'keyName', encryptedDataKey: new Uint8Array(5), }) - return material - .setUnencryptedDataKey(udk, trace) - .addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + return material.setUnencryptedDataKey(udk).addEncryptedDataKey(edk) } async _onDecrypt(): Promise { throw new Error('I should never see this error') @@ -370,12 +341,8 @@ describe('WebCryptoDefaultCryptographicMaterialsManager', () => { material: WebCryptoEncryptionMaterial ): Promise { const udk = synchronousRandomValues(material.suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) return importForWebCryptoEncryptionMaterial(material) } @@ -404,12 +371,8 @@ describe('WebCryptoDefaultCryptographicMaterialsManager', () => { material: WebCryptoDecryptionMaterial ): Promise { const udk = synchronousRandomValues(material.suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) return importForWebCryptoDecryptionMaterial(material) } @@ -452,15 +415,11 @@ describe('WebCryptoDefaultCryptographicMaterialsManager', () => { material: WebCryptoDecryptionMaterial ): Promise { const udk = synchronousRandomValues(material.suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } + /* This is intentionally trickery. * An unencrypted data key *without* a cryptoKey, should not be valid. */ - return material.setUnencryptedDataKey(udk, trace) + return material.setUnencryptedDataKey(udk) } } diff --git a/modules/material-management-browser/test/keyring_helpers.test.ts b/modules/material-management-browser/test/keyring_helpers.test.ts index 777963174..d2baa4fe9 100644 --- a/modules/material-management-browser/test/keyring_helpers.test.ts +++ b/modules/material-management-browser/test/keyring_helpers.test.ts @@ -15,7 +15,6 @@ import { WebCryptoDecryptionMaterial, WebCryptoAlgorithmSuite, AlgorithmSuiteIdentifier, - KeyringTraceFlag, } from '@aws-crypto/material-management' import { synchronousRandomValues } from '@aws-crypto/web-crypto-backend' @@ -92,12 +91,8 @@ function getWebCryptoDecryptionMaterial() { ) const material = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - return material.setUnencryptedDataKey(udk, trace) + + return material.setUnencryptedDataKey(udk) } function getWebCryptoEncryptionMaterial() { @@ -106,10 +101,5 @@ function getWebCryptoEncryptionMaterial() { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - return material.setUnencryptedDataKey(udk, trace) + return material.setUnencryptedDataKey(udk) } diff --git a/modules/material-management-browser/test/material_helpers.test.ts b/modules/material-management-browser/test/material_helpers.test.ts index 5b51e409c..c6ec188e8 100644 --- a/modules/material-management-browser/test/material_helpers.test.ts +++ b/modules/material-management-browser/test/material_helpers.test.ts @@ -18,7 +18,6 @@ import { WebCryptoDecryptionMaterial, WebCryptoAlgorithmSuite, AlgorithmSuiteIdentifier, - KeyringTraceFlag, isValidCryptoKey, SignatureKey, VerificationKey, @@ -44,12 +43,8 @@ describe('_importCryptoKey', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -65,12 +60,8 @@ describe('_importCryptoKey', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -85,12 +76,8 @@ describe('_importCryptoKey', () => { ) const material = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -105,12 +92,8 @@ describe('_importCryptoKey', () => { ) const material = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -127,12 +110,8 @@ describe('importCryptoKey', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const cryptoKey = await importCryptoKey(backend, material, ['encrypt']) @@ -146,12 +125,8 @@ describe('importCryptoKey', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const realBackend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(realBackend) /* Insuring that the backend support is mixed is complicated. @@ -186,12 +161,8 @@ describe('WebCryptoKdf', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -215,12 +186,8 @@ describe('WebCryptoKdf', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -244,12 +211,8 @@ describe('WebCryptoKdf', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -265,12 +228,8 @@ describe('WebCryptoKdf', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -300,16 +259,12 @@ describe('getSubtleFunction', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const cryptoKey = await importCryptoKey(backend, material, ['encrypt']) - material.setCryptoKey(cryptoKey, trace) + material.setCryptoKey(cryptoKey) const testInfo = getSubtleFunction(material, backend, 'encrypt') expect(testInfo).to.be.a('function') @@ -329,12 +284,8 @@ describe('getSubtleFunction', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() expect(() => getSubtleFunction(material, backend, 'encrypt')).to.throw() @@ -346,12 +297,8 @@ describe('getSubtleFunction', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) /* Insuring that the backend support is mixed is complicated. @@ -364,7 +311,7 @@ describe('getSubtleFunction', () => { /* I always want the cryptoKey to not match the backend. */ const cryptoKey = await _importCryptoKey(subtle, material, ['encrypt']) - material.setCryptoKey(cryptoKey, trace) + material.setCryptoKey(cryptoKey) expect(() => getSubtleFunction(mixedSupportBackend, backend, 'encrypt') @@ -377,16 +324,12 @@ describe('getSubtleFunction', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const cryptoKey = await importCryptoKey(backend, material, ['encrypt']) - material.setCryptoKey(cryptoKey, trace) + material.setCryptoKey(cryptoKey) const testInfo = getSubtleFunction(material, backend, 'encrypt') expect(testInfo).to.be.a('function') @@ -403,12 +346,8 @@ describe('getSubtleFunction', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() /* All of this _only_ matters in the case of a mixed backend. @@ -424,7 +363,7 @@ describe('getSubtleFunction', () => { 'encrypt', 'decrypt', ]) - material.setCryptoKey(cryptoKey, trace) + material.setCryptoKey(cryptoKey) const iv = new Uint8Array(suite.ivLength) const aad = new Uint8Array(1) @@ -456,12 +395,8 @@ describe('getSubtleFunction', () => { ) const material = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const trace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(udk, trace) + + material.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() /* All of this _only_ matters in the case of a mixed backend. @@ -477,7 +412,7 @@ describe('getSubtleFunction', () => { 'encrypt', 'decrypt', ]) - material.setCryptoKey(cryptoKey, trace) + material.setCryptoKey(cryptoKey) const iv = new Uint8Array(suite.ivLength) const aad = new Uint8Array(1) @@ -511,17 +446,8 @@ describe('getSubtleFunction', () => { const encryptionMaterial = new WebCryptoEncryptionMaterial(suite, {}) const decryptionMaterial = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const encryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - const decryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - encryptionMaterial.setUnencryptedDataKey(udk, encryptTrace) + + encryptionMaterial.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -530,8 +456,8 @@ describe('getSubtleFunction', () => { 'decrypt', ]) - encryptionMaterial.setCryptoKey(cryptoKey, encryptTrace) - decryptionMaterial.setCryptoKey(cryptoKey, decryptTrace) + encryptionMaterial.setCryptoKey(cryptoKey) + decryptionMaterial.setCryptoKey(cryptoKey) const info = synchronousRandomValues(5) const iv = synchronousRandomValues(suite.ivLength) @@ -565,17 +491,8 @@ describe('getSubtleFunction', () => { const encryptionMaterial = new WebCryptoEncryptionMaterial(suite, {}) const decryptionMaterial = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const encryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - const decryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - encryptionMaterial.setUnencryptedDataKey(udk, encryptTrace) + + encryptionMaterial.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -583,8 +500,8 @@ describe('getSubtleFunction', () => { 'deriveKey', ]) - encryptionMaterial.setCryptoKey(cryptoKey, encryptTrace) - decryptionMaterial.setCryptoKey(cryptoKey, decryptTrace) + encryptionMaterial.setCryptoKey(cryptoKey) + decryptionMaterial.setCryptoKey(cryptoKey) const info = synchronousRandomValues(5) const iv = synchronousRandomValues(suite.ivLength) @@ -618,17 +535,8 @@ describe('getSubtleFunction', () => { const encryptionMaterial = new WebCryptoEncryptionMaterial(suite, {}) const decryptionMaterial = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const encryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - const decryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - encryptionMaterial.setUnencryptedDataKey(udk, encryptTrace) + + encryptionMaterial.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -647,8 +555,8 @@ describe('getSubtleFunction', () => { ['encrypt', 'decrypt'] ) - encryptionMaterial.setCryptoKey(cryptoKey, encryptTrace) - decryptionMaterial.setCryptoKey(cryptoKey, decryptTrace) + encryptionMaterial.setCryptoKey(cryptoKey) + decryptionMaterial.setCryptoKey(cryptoKey) const info = synchronousRandomValues(5) const iv = synchronousRandomValues(suite.ivLength) @@ -703,17 +611,8 @@ describe('getSubtleFunction', () => { const encryptionMaterial = new WebCryptoEncryptionMaterial(suite, {}) const decryptionMaterial = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const encryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - const decryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - encryptionMaterial.setUnencryptedDataKey(udk, encryptTrace) + + encryptionMaterial.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -732,8 +631,8 @@ describe('getSubtleFunction', () => { ['deriveKey'] ) - encryptionMaterial.setCryptoKey(cryptoKey, encryptTrace) - decryptionMaterial.setCryptoKey(cryptoKey, decryptTrace) + encryptionMaterial.setCryptoKey(cryptoKey) + decryptionMaterial.setCryptoKey(cryptoKey) const info = synchronousRandomValues(5) const iv = synchronousRandomValues(suite.ivLength) @@ -792,19 +691,15 @@ describe('getEncryptHelper/getDecryptionHelper', () => { ) const encryptionMaterial = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const encryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - encryptionMaterial.setUnencryptedDataKey(udk, encryptTrace) + + encryptionMaterial.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) const cryptoKey = await _importCryptoKey(subtle, encryptionMaterial, [ 'deriveKey', ]) - encryptionMaterial.setCryptoKey(cryptoKey, encryptTrace) + encryptionMaterial.setCryptoKey(cryptoKey) const test = await getEncryptHelper(encryptionMaterial) expect(test.kdfGetSubtleEncrypt).to.be.a('function') @@ -818,19 +713,14 @@ describe('getEncryptHelper/getDecryptionHelper', () => { ) const decryptionMaterial = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) - const encryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - decryptionMaterial.setUnencryptedDataKey(udk, encryptTrace) + decryptionMaterial.setUnencryptedDataKey(udk) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) const cryptoKey = await _importCryptoKey(subtle, decryptionMaterial, [ 'deriveKey', ]) - decryptionMaterial.setCryptoKey(cryptoKey, encryptTrace) + decryptionMaterial.setCryptoKey(cryptoKey) const test = await getDecryptionHelper(decryptionMaterial) expect(test.kdfGetSubtleDecrypt).to.be.a('function') @@ -845,21 +735,15 @@ describe('getEncryptHelper/getDecryptionHelper', () => { const encryptionMaterial = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) const { signatureKey } = await sigKeys(suite) - const encryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - encryptionMaterial - .setUnencryptedDataKey(udk, encryptTrace) - .setSignatureKey(signatureKey) + + encryptionMaterial.setUnencryptedDataKey(udk).setSignatureKey(signatureKey) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) const cryptoKey = await _importCryptoKey(subtle, encryptionMaterial, [ 'deriveKey', ]) - encryptionMaterial.setCryptoKey(cryptoKey, encryptTrace) + encryptionMaterial.setCryptoKey(cryptoKey) const test = await getEncryptHelper(encryptionMaterial) expect(test.kdfGetSubtleEncrypt).to.be.a('function') @@ -874,13 +758,9 @@ describe('getEncryptHelper/getDecryptionHelper', () => { const decryptionMaterial = new WebCryptoDecryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) const { verificationKey } = await sigKeys(suite) - const decryptionTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } + decryptionMaterial - .setUnencryptedDataKey(udk, decryptionTrace) + .setUnencryptedDataKey(udk) .setVerificationKey(verificationKey) const backend = await getWebCryptoBackend() @@ -888,7 +768,7 @@ describe('getEncryptHelper/getDecryptionHelper', () => { const cryptoKey = await _importCryptoKey(subtle, decryptionMaterial, [ 'deriveKey', ]) - decryptionMaterial.setCryptoKey(cryptoKey, decryptionTrace) + decryptionMaterial.setCryptoKey(cryptoKey) const test = await getDecryptionHelper(decryptionMaterial) expect(test.kdfGetSubtleDecrypt).to.be.a('function') @@ -922,22 +802,11 @@ describe('getEncryptHelper/getDecryptionHelper', () => { const encryptionMaterial = new WebCryptoEncryptionMaterial(suite, {}) const udk = synchronousRandomValues(suite.keyLengthBytes) const { signatureKey, verificationKey } = await sigKeys(suite) - const encryptTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - const decryptionTrace = { - keyName: 'keyName', - keyNamespace: 'keyNamespace', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } + decryptionMaterial - .setUnencryptedDataKey(udk, decryptionTrace) + .setUnencryptedDataKey(udk) .setVerificationKey(verificationKey) - encryptionMaterial - .setUnencryptedDataKey(udk, encryptTrace) - .setSignatureKey(signatureKey) + encryptionMaterial.setUnencryptedDataKey(udk).setSignatureKey(signatureKey) const backend = await getWebCryptoBackend() const subtle = getZeroByteSubtle(backend) @@ -945,8 +814,8 @@ describe('getEncryptHelper/getDecryptionHelper', () => { 'deriveKey', ]) - encryptionMaterial.setCryptoKey(cryptoKey, encryptTrace) - decryptionMaterial.setCryptoKey(cryptoKey, decryptionTrace) + encryptionMaterial.setCryptoKey(cryptoKey) + decryptionMaterial.setCryptoKey(cryptoKey) const { subtleSign } = await getEncryptHelper(encryptionMaterial) const { subtleVerify } = await getDecryptionHelper(decryptionMaterial) diff --git a/modules/material-management-node/src/index.ts b/modules/material-management-node/src/index.ts index 469113614..f432df530 100644 --- a/modules/material-management-node/src/index.ts +++ b/modules/material-management-node/src/index.ts @@ -19,8 +19,6 @@ export { AlgorithmSuiteIdentifier, EncryptionContext, EncryptedDataKey, - KeyringTrace, - KeyringTraceFlag, needs, KeyringNode, MultiKeyringNode, diff --git a/modules/material-management-node/test/material_helpers.test.ts b/modules/material-management-node/test/material_helpers.test.ts index 2b5b6da9f..807531b0f 100644 --- a/modules/material-management-node/test/material_helpers.test.ts +++ b/modules/material-management-node/test/material_helpers.test.ts @@ -9,7 +9,6 @@ import { NodeEncryptionMaterial, NodeAlgorithmSuite, AlgorithmSuiteIdentifier, - KeyringTraceFlag, SignatureKey, VerificationKey, unwrapDataKey, @@ -30,12 +29,8 @@ describe('nodeKdf', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const test = unwrapDataKey(nodeKdf(material, new Uint8Array(5))) expect(test).to.deep.equal(dataKey) @@ -47,12 +42,8 @@ describe('nodeKdf', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const test = unwrapDataKey(nodeKdf(material, new Uint8Array(5))) expect(test).to.not.deep.equal(dataKey) @@ -65,12 +56,8 @@ describe('nodeKdf', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const test = unwrapDataKey(nodeKdf(material, new Uint8Array(5))) expect(test).to.not.deep.equal(dataKey) @@ -126,12 +113,8 @@ describe('getCryptoStream', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const test = getCryptoStream(material)() const iv = new Uint8Array(12) @@ -145,12 +128,8 @@ describe('getCryptoStream', () => { ) const material = new NodeDecryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const test = getCryptoStream(material)() const iv = new Uint8Array(12) @@ -173,12 +152,8 @@ describe('getCryptoStream', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const test = getCryptoStream(material)() const iv = new Uint8Array(1) @@ -191,12 +166,8 @@ describe('getCryptoStream', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const test = getCryptoStream(material)() material.zeroUnencryptedDataKey() @@ -212,12 +183,8 @@ describe('getEncryptHelper', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const helper = getEncryptHelper(material) expect(helper).to.haveOwnProperty('kdfGetCipher').and.to.be.a('function') @@ -238,11 +205,6 @@ describe('getEncryptHelper', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } const ecdh = createECDH(suite.signatureCurve || '') ecdh.generateKeys() @@ -252,7 +214,7 @@ describe('getEncryptHelper', () => { suite ) - material.setUnencryptedDataKey(dataKey, trace).setSignatureKey(sigKey) + material.setUnencryptedDataKey(dataKey).setSignatureKey(sigKey) const helper = getEncryptHelper(material) if (typeof helper.getSigner !== 'function') throw new Error('bad') @@ -286,11 +248,6 @@ describe('getEncryptHelper', () => { ) const material = new NodeEncryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } const ecdh = createECDH(suite.signatureCurve || '') ecdh.generateKeys() @@ -300,7 +257,7 @@ describe('getEncryptHelper', () => { suite ) - material.setUnencryptedDataKey(dataKey, trace).setSignatureKey(sigKey) + material.setUnencryptedDataKey(dataKey).setSignatureKey(sigKey) const helper = getEncryptHelper(material) material.zeroUnencryptedDataKey() @@ -319,12 +276,8 @@ describe('getDecryptionHelper', () => { ) const material = new NodeDecryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - material.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + + material.setUnencryptedDataKey(new Uint8Array(dataKey)) const helper = getDecryptionHelper(material) expect(helper).to.haveOwnProperty('kdfGetDecipher').and.to.be.a('function') @@ -345,19 +298,12 @@ describe('getDecryptionHelper', () => { ) const material = new NodeDecryptionMaterial(suite, {}) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } const ecdh = createECDH(suite.signatureCurve || '') ecdh.generateKeys() const verificationKey = new VerificationKey(ecdh.getPublicKey(), suite) - material - .setUnencryptedDataKey(dataKey, trace) - .setVerificationKey(verificationKey) + material.setUnencryptedDataKey(dataKey).setVerificationKey(verificationKey) const helper = getDecryptionHelper(material) if (typeof helper.getVerify !== 'function') throw new Error('bad') diff --git a/modules/material-management-node/test/node_cryptographic_materials_manager.test.ts b/modules/material-management-node/test/node_cryptographic_materials_manager.test.ts index a53d9271f..98f606d31 100644 --- a/modules/material-management-node/test/node_cryptographic_materials_manager.test.ts +++ b/modules/material-management-node/test/node_cryptographic_materials_manager.test.ts @@ -12,7 +12,6 @@ import { NodeDecryptionMaterial, NodeAlgorithmSuite, AlgorithmSuiteIdentifier, - KeyringTraceFlag, EncryptedDataKey, } from '../src/index' import { ENCODED_SIGNER_KEY } from '@aws-crypto/serialize' @@ -241,12 +240,8 @@ describe('NodeDefaultCryptographicMaterialsManager', () => { material: NodeEncryptionMaterial ): Promise { const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } - return material.setUnencryptedDataKey(dataKey, trace) + + return material.setUnencryptedDataKey(dataKey) } async _onDecrypt(): Promise { throw new Error('never') @@ -303,12 +298,8 @@ describe('NodeDefaultCryptographicMaterialsManager', () => { material: NodeDecryptionMaterial ): Promise { const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - return material.setUnencryptedDataKey(dataKey, trace) + + return material.setUnencryptedDataKey(dataKey) } } const keyring = new TestKeyring() diff --git a/modules/material-management/src/clone_cryptographic_material.ts b/modules/material-management/src/clone_cryptographic_material.ts index f9e15c92a..0371098fe 100644 --- a/modules/material-management/src/clone_cryptographic_material.ts +++ b/modules/material-management/src/clone_cryptographic_material.ts @@ -11,7 +11,6 @@ import { } from './cryptographic_material' import { NodeAlgorithmSuite } from './node_algorithms' import { AwsEsdkKeyObject } from './types' -import { needs } from './needs' type Material = | NodeEncryptionMaterial @@ -30,54 +29,24 @@ export function cloneMaterial(source: M): M { ? new WebCryptoEncryptionMaterial(suite, encryptionContext) : new WebCryptoDecryptionMaterial(suite, encryptionContext)) as M - /* The setTrace _must_ be the first trace, - * If the material is an EncryptionMaterial - * then the data key *must* have been generated. - * If the material is DecryptionMaterial - * then the data key *must* have been decrypted. - * i.e. the required flags are: - * WRAPPING_KEY_GENERATED_DATA_KEY, WRAPPING_KEY_DECRYPTED_DATA_KEY - * These are controlled by the material itself. - * Furthermore, subsequent trace entries, - * *must* be in the same order as the added encrypted data keys. - * See cryptographic_materials.ts `decorateCryptographicMaterial`, `decorateWebCryptoMaterial`. - */ - const [setTrace, ...traces] = source.keyringTrace.slice() - if (source.hasUnencryptedDataKey) { const udk = cloneUnencryptedDataKey(source.getUnencryptedDataKey()) - clone.setUnencryptedDataKey(udk, setTrace) + clone.setUnencryptedDataKey(udk) } if ((source as WebCryptoDecryptionMaterial).hasCryptoKey) { const cryptoKey = (source as WebCryptoDecryptionMaterial).getCryptoKey() - ;(clone as WebCryptoDecryptionMaterial).setCryptoKey(cryptoKey, setTrace) + ;(clone as WebCryptoDecryptionMaterial).setCryptoKey(cryptoKey) } if (isEncryptionMaterial(source) && isEncryptionMaterial(clone)) { const encryptedDataKeys = source.encryptedDataKeys - /* Precondition: For each encrypted data key, there must be a trace. */ - needs( - encryptedDataKeys.length === traces.length, - 'KeyringTrace length does not match encrypted data keys.' - ) - encryptedDataKeys.forEach((edk, i) => { - const { providerInfo, providerId } = edk - const { keyNamespace, keyName, flags } = traces[i] - /* Precondition: The traces must be in the same order as the encrypted data keys. */ - needs( - keyName === providerInfo && keyNamespace === providerId, - 'Keyring trace does not match encrypted data key.' - ) - clone.addEncryptedDataKey(edk, flags) - }) + encryptedDataKeys.forEach((edk) => clone.addEncryptedDataKey(edk)) if (source.suite.signatureCurve && source.signatureKey) { clone.setSignatureKey(source.signatureKey) } } else if (isDecryptionMaterial(source) && isDecryptionMaterial(clone)) { - /* Precondition: On Decrypt there must not be any additional traces other than the setTrace. */ - needs(!traces.length, 'Only 1 trace is valid on DecryptionMaterials.') if (source.suite.signatureCurve && source.verificationKey) { clone.setVerificationKey(source.verificationKey) } diff --git a/modules/material-management/src/cryptographic_material.ts b/modules/material-management/src/cryptographic_material.ts index 955b6f362..e96188532 100644 --- a/modules/material-management/src/cryptographic_material.ts +++ b/modules/material-management/src/cryptographic_material.ts @@ -13,7 +13,6 @@ import { import { EncryptedDataKey } from './encrypted_data_key' import { SignatureKey, VerificationKey } from './signature_key' import { frozenClass, readOnlyProperty } from './immutable_class' -import { KeyringTrace, KeyringTraceFlag } from './keyring_trace' import { NodeAlgorithmSuite } from './node_algorithms' import { WebCryptoAlgorithmSuite } from './web_crypto_algorithms' import { needs } from './needs' @@ -106,21 +105,17 @@ export interface FunctionalCryptographicMaterial { export interface CryptographicMaterial> { suite: SupportedAlgorithmSuites - setUnencryptedDataKey: ( - dataKey: Uint8Array | AwsEsdkKeyObject, - trace: KeyringTrace - ) => T + setUnencryptedDataKey: (dataKey: Uint8Array | AwsEsdkKeyObject) => T getUnencryptedDataKey: () => Uint8Array | AwsEsdkKeyObject zeroUnencryptedDataKey: () => T hasUnencryptedDataKey: boolean - keyringTrace: KeyringTrace[] encryptionContext: Readonly } export interface EncryptionMaterial> extends CryptographicMaterial { encryptedDataKeys: EncryptedDataKey[] - addEncryptedDataKey: (edk: EncryptedDataKey, flags: KeyringTraceFlag) => T + addEncryptedDataKey: (edk: EncryptedDataKey) => T setSignatureKey: (key: SignatureKey) => T signatureKey?: SignatureKey } @@ -133,10 +128,7 @@ export interface DecryptionMaterial> export interface WebCryptoMaterial> extends CryptographicMaterial { - setCryptoKey: ( - dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey, - trace: KeyringTrace - ) => T + setCryptoKey: (dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey) => T getCryptoKey: () => AwsEsdkJsCryptoKey | MixedBackendCryptoKey hasCryptoKey: boolean validUsages: ReadonlyArray @@ -148,18 +140,13 @@ export class NodeEncryptionMaterial FunctionalCryptographicMaterial { suite: NodeAlgorithmSuite setUnencryptedDataKey!: ( - dataKey: Uint8Array | AwsEsdkKeyObject, - trace: KeyringTrace + dataKey: Uint8Array | AwsEsdkKeyObject ) => NodeEncryptionMaterial getUnencryptedDataKey!: () => Uint8Array | AwsEsdkKeyObject zeroUnencryptedDataKey!: () => NodeEncryptionMaterial hasUnencryptedDataKey!: boolean - keyringTrace: KeyringTrace[] = [] encryptedDataKeys!: EncryptedDataKey[] - addEncryptedDataKey!: ( - edk: EncryptedDataKey, - flags: KeyringTraceFlag - ) => NodeEncryptionMaterial + addEncryptedDataKey!: (edk: EncryptedDataKey) => NodeEncryptionMaterial setSignatureKey!: (key: SignatureKey) => NodeEncryptionMaterial signatureKey?: SignatureKey encryptionContext: Readonly @@ -176,9 +163,7 @@ export class NodeEncryptionMaterial 'Encryption context must be set' ) this.encryptionContext = Object.freeze({ ...encryptionContext }) - // EncryptionMaterial have generated a data key on setUnencryptedDataKey - const setFlags = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - decorateCryptographicMaterial(this, setFlags) + decorateCryptographicMaterial(this) decorateEncryptionMaterial(this) Object.setPrototypeOf(this, NodeEncryptionMaterial.prototype) Object.freeze(this) @@ -195,13 +180,11 @@ export class NodeDecryptionMaterial FunctionalCryptographicMaterial { suite: NodeAlgorithmSuite setUnencryptedDataKey!: ( - dataKey: Uint8Array | AwsEsdkKeyObject, - trace: KeyringTrace + dataKey: Uint8Array | AwsEsdkKeyObject ) => NodeDecryptionMaterial getUnencryptedDataKey!: () => Uint8Array | AwsEsdkKeyObject zeroUnencryptedDataKey!: () => NodeDecryptionMaterial hasUnencryptedDataKey!: boolean - keyringTrace: KeyringTrace[] = [] setVerificationKey!: (key: VerificationKey) => NodeDecryptionMaterial verificationKey?: VerificationKey encryptionContext: Readonly @@ -218,9 +201,7 @@ export class NodeDecryptionMaterial 'Encryption context must be set' ) this.encryptionContext = Object.freeze({ ...encryptionContext }) - // DecryptionMaterial have decrypted a data key on setUnencryptedDataKey - const setFlags = KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - decorateCryptographicMaterial(this, setFlags) + decorateCryptographicMaterial(this) decorateDecryptionMaterial(this) Object.setPrototypeOf(this, NodeDecryptionMaterial.prototype) Object.freeze(this) @@ -238,23 +219,17 @@ export class WebCryptoEncryptionMaterial FunctionalCryptographicMaterial { suite: WebCryptoAlgorithmSuite setUnencryptedDataKey!: ( - dataKey: Uint8Array | AwsEsdkKeyObject, - trace: KeyringTrace + dataKey: Uint8Array | AwsEsdkKeyObject ) => WebCryptoEncryptionMaterial getUnencryptedDataKey!: () => Uint8Array | AwsEsdkKeyObject zeroUnencryptedDataKey!: () => WebCryptoEncryptionMaterial hasUnencryptedDataKey!: boolean - keyringTrace: KeyringTrace[] = [] encryptedDataKeys!: EncryptedDataKey[] - addEncryptedDataKey!: ( - edk: EncryptedDataKey, - flags: KeyringTraceFlag - ) => WebCryptoEncryptionMaterial + addEncryptedDataKey!: (edk: EncryptedDataKey) => WebCryptoEncryptionMaterial setSignatureKey!: (key: SignatureKey) => WebCryptoEncryptionMaterial signatureKey?: SignatureKey setCryptoKey!: ( - dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey, - trace: KeyringTrace + dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey ) => WebCryptoEncryptionMaterial getCryptoKey!: () => AwsEsdkJsCryptoKey | MixedBackendCryptoKey hasCryptoKey!: boolean @@ -280,11 +255,9 @@ export class WebCryptoEncryptionMaterial 'Encryption context must be set' ) this.encryptionContext = Object.freeze({ ...encryptionContext }) - // EncryptionMaterial have generated a data key on setUnencryptedDataKey - const setFlag = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - decorateCryptographicMaterial(this, setFlag) + decorateCryptographicMaterial(this) decorateEncryptionMaterial(this) - decorateWebCryptoMaterial(this, setFlag) + decorateWebCryptoMaterial(this) Object.setPrototypeOf(this, WebCryptoEncryptionMaterial.prototype) Object.freeze(this) } @@ -301,18 +274,15 @@ export class WebCryptoDecryptionMaterial FunctionalCryptographicMaterial { suite: WebCryptoAlgorithmSuite setUnencryptedDataKey!: ( - dataKey: Uint8Array | AwsEsdkKeyObject, - trace: KeyringTrace + dataKey: Uint8Array | AwsEsdkKeyObject ) => WebCryptoDecryptionMaterial getUnencryptedDataKey!: () => Uint8Array | AwsEsdkKeyObject zeroUnencryptedDataKey!: () => WebCryptoDecryptionMaterial hasUnencryptedDataKey!: boolean - keyringTrace: KeyringTrace[] = [] setVerificationKey!: (key: VerificationKey) => WebCryptoDecryptionMaterial verificationKey?: VerificationKey setCryptoKey!: ( - dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey, - trace: KeyringTrace + dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey ) => WebCryptoDecryptionMaterial getCryptoKey!: () => AwsEsdkJsCryptoKey | MixedBackendCryptoKey hasCryptoKey!: boolean @@ -338,11 +308,9 @@ export class WebCryptoDecryptionMaterial 'Encryption context must be set' ) this.encryptionContext = Object.freeze({ ...encryptionContext }) - // DecryptionMaterial have decrypted a data key on setUnencryptedDataKey - const setFlag = KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - decorateCryptographicMaterial(this, setFlag) + decorateCryptographicMaterial(this) decorateDecryptionMaterial(this) - decorateWebCryptoMaterial(this, setFlag) + decorateWebCryptoMaterial(this) Object.setPrototypeOf(this, WebCryptoDecryptionMaterial.prototype) Object.freeze(this) } @@ -372,21 +340,7 @@ export function isDecryptionMaterial( export function decorateCryptographicMaterial< T extends CryptographicMaterial ->(material: T, setFlag: KeyringTraceFlag) { - /* Precondition: setFlag must be in the set of KeyringTraceFlag.SET_FLAGS. */ - needs(setFlag & KeyringTraceFlag.SET_FLAGS, 'Invalid setFlag') - /* When a KeyringTraceFlag is passed to setUnencryptedDataKey, - * it must be valid for the type of material. - * It is invalid to claim that EncryptionMaterial were decrypted. - */ - const deniedSetFlags = - (KeyringTraceFlag.SET_FLAGS ^ setFlag) | - (setFlag === KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ? KeyringTraceFlag.DECRYPT_FLAGS - : setFlag === KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ? KeyringTraceFlag.ENCRYPT_FLAGS - : 0) - +>(material: T) { let unencryptedDataKeyZeroed = false let unencryptedDataKey: AwsEsdkKeyObject | Uint8Array // This copy of the unencryptedDataKey is stored to insure that the @@ -395,18 +349,14 @@ export function decorateCryptographicMaterial< // to it would be propagated to any cached versions. let udkForVerification: Uint8Array - const setUnencryptedDataKey = ( - dataKey: Uint8Array | AwsEsdkKeyObject, - trace: KeyringTrace - ) => { + const setUnencryptedDataKey = (dataKey: Uint8Array | AwsEsdkKeyObject) => { /* Avoid making unnecessary copies of the dataKey. */ const tempUdk = dataKey instanceof Uint8Array ? dataKey : unwrapDataKey(dataKey) /* All security conditions are tested here and failures will throw. */ - verifyUnencryptedDataKeyForSet(tempUdk, trace) + verifyUnencryptedDataKeyForSet(tempUdk) unencryptedDataKey = wrapWithKeyObjectIfSupported(dataKey) udkForVerification = new Uint8Array(tempUdk) - material.keyringTrace.push(trace) return material } @@ -480,10 +430,7 @@ export function decorateCryptographicMaterial< return material - function verifyUnencryptedDataKeyForSet( - dataKey: Uint8Array, - trace: KeyringTrace - ) { + function verifyUnencryptedDataKeyForSet(dataKey: Uint8Array) { /* Precondition: unencryptedDataKey must not be set. Modifying the unencryptedDataKey is denied */ needs(!unencryptedDataKey, 'unencryptedDataKey has already been set') /* Precondition: dataKey must be Binary Data */ @@ -505,33 +452,16 @@ export function decorateCryptographicMaterial< dataKey.byteLength === material.suite.keyLengthBytes, 'Key length does not agree with the algorithm specification.' ) - - /* Precondition: Trace must be set, and the flag must indicate that the data key was generated. */ - needs( - trace && trace.keyName && trace.keyNamespace, - 'Malformed KeyringTrace' - ) - /* Precondition: On set the required KeyringTraceFlag must be set. */ - needs(trace.flags & setFlag, 'Required KeyringTraceFlag not set') - /* Precondition: Only valid flags are allowed. - * An unencrypted data key can not be both generated and decrypted. - */ - needs(!(trace.flags & deniedSetFlags), 'Invalid KeyringTraceFlags set.') } } export function decorateEncryptionMaterial>( material: T ) { - const deniedEncryptFlags = - KeyringTraceFlag.SET_FLAGS | KeyringTraceFlag.DECRYPT_FLAGS const encryptedDataKeys: EncryptedDataKey[] = [] let signatureKey: Readonly | undefined - const addEncryptedDataKey = ( - edk: EncryptedDataKey, - flags: KeyringTraceFlag - ) => { + const addEncryptedDataKey = (edk: EncryptedDataKey) => { /* Precondition: If a data key has not already been generated, there must be no EDKs. * Pushing EDKs on the list before the data key has been generated may cause the list of * EDKs to be inconsistent. (i.e., they would decrypt to different data keys.) @@ -546,28 +476,6 @@ export function decorateEncryptionMaterial>( 'Unsupported instance of encryptedDataKey' ) - /* Precondition: flags must indicate that the key was encrypted. */ - needs( - flags & KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY, - 'Encrypted data key flag must be set.' - ) - - /* Precondition: flags must not include a setFlag or a decrypt flag. - * The setFlag is reserved for setting the unencrypted data key - * and must only occur once in the set of KeyringTrace flags. - * The two setFlags in use are: - * KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - * KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - * - * KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX is reserved for the decrypt path - */ - needs(!(flags & deniedEncryptFlags), 'Invalid flag for EncryptedDataKey.') - material.keyringTrace.push({ - keyName: edk.providerInfo, - keyNamespace: edk.providerId, - flags, - }) - encryptedDataKeys.push(edk) return material } @@ -655,16 +563,14 @@ export function decorateDecryptionMaterial>( } export function decorateWebCryptoMaterial>( - material: T, - setFlags: KeyringTraceFlag + material: T ) { let cryptoKey: | Readonly | undefined const setCryptoKey = ( - dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey, - trace: KeyringTrace + dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey ) => { /* Precondition: cryptoKey must not be set. Modifying the cryptoKey is denied */ needs(!cryptoKey, 'cryptoKey is already set.') @@ -680,16 +586,9 @@ export function decorateWebCryptoMaterial>( ) /* If the material does not have an unencrypted data key, - * then we are setting the crypto key here and need a keyring trace . + * then we are setting the crypto key here. */ if (!material.hasUnencryptedDataKey) { - /* Precondition: If the CryptoKey is the only version, the trace information must be set here. */ - needs( - trace && trace.keyName && trace.keyNamespace, - 'Malformed KeyringTrace' - ) - /* Precondition: On setting the CryptoKey the required KeyringTraceFlag must be set. */ - needs(trace.flags & setFlags, 'Required KeyringTraceFlag not set') /* If I a setting a cryptoKey without an unencrypted data key, * an unencrypted data should never be set. * The expectation is if you are setting the cryptoKey *first* then @@ -697,7 +596,6 @@ export function decorateWebCryptoMaterial>( * This ensures that a cryptoKey and an unencrypted data key always match. */ material.zeroUnencryptedDataKey() - material.keyringTrace.push(trace) } if (isCryptoKey(dataKey)) { diff --git a/modules/material-management/src/index.ts b/modules/material-management/src/index.ts index d98611c60..6581454be 100644 --- a/modules/material-management/src/index.ts +++ b/modules/material-management/src/index.ts @@ -23,7 +23,6 @@ export { WebCryptoAlgorithmSuite } from './web_crypto_algorithms' export { NodeAlgorithmSuite } from './node_algorithms' export { Keyring, KeyringNode, KeyringWebCrypto } from './keyring' -export { KeyringTrace, KeyringTraceFlag } from './keyring_trace' export { MultiKeyringNode, MultiKeyringWebCrypto } from './multi_keyring' export * from './materials_manager' diff --git a/modules/material-management/src/keyring_trace.ts b/modules/material-management/src/keyring_trace.ts deleted file mode 100644 index 1e6617903..000000000 --- a/modules/material-management/src/keyring_trace.ts +++ /dev/null @@ -1,86 +0,0 @@ -// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -/** - * When a keyring is called it produces a trace of what actions it took with the - * different wrapping keys it manages. The trace is a list of these records. - * - * The flags argument uses bit flags to indicate which actions were taken. - * - * The other arguments are identifiers which indicate which wrapping key was used - * to do data key encryption by a keyring. Most keyring implementations write - * the wrapping key namespace into the provider ID field of EDKs and the - * wrapping key name into the provider info field of EDKs, and all new keyring - * implementations should follow this practice. For legacy reasons, the raw AES - * keyring includes other data in the provider ID field, but only the first part - * of that field corresponds to what is stored in the name field here. - * - * Note: "Master Key (MK)" is used as a class name in the Java and Python - * implementations of the AWS Encryption SDK, where it is an abstraction of a - * single wrapping key, and "Master Key Provider (MKP)" is a class that provides - * multiple wrapping keys. In newer implementations of AWS Encryption SDK, the keyring - * replaces both of these concepts. It handles one or multiple wrapping keys, - * which makes it similar to an MKP, but from an API perspective it is in some - * ways closer to an MK. In order to avoid confusion with the MK class of the - * Java and Python SDKs, we always refer to a single entity used by a keyring - * for data key encryption as a wrapping key. - * - * The motivating example of a wrapping key is a KMS CMK, for which the - * namespace is "aws-kms" and the name is the key ARN. - */ - -export interface KeyringTrace { - readonly keyNamespace: string - readonly keyName: string - flags: KeyringTraceFlag -} - -export enum KeyringTraceFlag { - /** - * Bit flag indicating this wrapping key generated the data key. - */ - WRAPPING_KEY_GENERATED_DATA_KEY = 1, - - /** - * Bit flag indicating this wrapping key encrypted the data key. - */ - WRAPPING_KEY_ENCRYPTED_DATA_KEY = 1 << 1, - - /** - * Bit flag indicating this wrapping key decrypted the data key. - */ - WRAPPING_KEY_DECRYPTED_DATA_KEY = 1 << 2, - - /** - * Bit flag indicating this wrapping key signed the encryption context. - */ - WRAPPING_KEY_SIGNED_ENC_CTX = 1 << 3, - - /** - * Bit flag indicating this wrapping key verified the signature of the encryption context. - */ - WRAPPING_KEY_VERIFIED_ENC_CTX = 1 << 4, - - /* KeyringTraceFlags are organized here. - * The three groupings are set, encrypt, and decrypt. - * An unencrypted data key is set and is required to have a SET_FLAG. - * For the encrypt path, the unencrypted data key must be generated. - * For the decrypt path, the unencrypted data key must be decrypted. - * - * A encrypted data key must be encrypted - * and the encryption context may be signed. - * - * When an encrypted data key is decrypted, - * the encryption context may be verified. - * - * This organization is to keep a KeyringTrace for an encrypted data key - * for listing the WRAPPING_KEY_VERIFIED_ENC_CTX flag. - */ - - ENCRYPT_FLAGS = WRAPPING_KEY_ENCRYPTED_DATA_KEY | WRAPPING_KEY_SIGNED_ENC_CTX, - - SET_FLAGS = WRAPPING_KEY_GENERATED_DATA_KEY | WRAPPING_KEY_DECRYPTED_DATA_KEY, - - DECRYPT_FLAGS = WRAPPING_KEY_DECRYPTED_DATA_KEY | - WRAPPING_KEY_VERIFIED_ENC_CTX, -} diff --git a/modules/material-management/test/clone_cryptographic_material.test.ts b/modules/material-management/test/clone_cryptographic_material.test.ts index cae98ab8d..b67eb6d84 100644 --- a/modules/material-management/test/clone_cryptographic_material.test.ts +++ b/modules/material-management/test/clone_cryptographic_material.test.ts @@ -13,7 +13,6 @@ import { NodeAlgorithmSuite, WebCryptoAlgorithmSuite, AlgorithmSuiteIdentifier, - KeyringTraceFlag, EncryptedDataKey, unwrapDataKey, } from '../src/index' @@ -42,16 +41,6 @@ const udk128 = new Uint8Array([ 15, 16, ]) -const encryptTrace = { - keyNamespace: 'keyNamespace', - keyName: 'keyName', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, -} -const decryptTrace = { - keyNamespace: 'keyNamespace', - keyName: 'keyName', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, -} const edk1 = new EncryptedDataKey({ providerId: 'keyNamespace', @@ -77,20 +66,14 @@ const cryptoKey: any = { describe('cloneMaterial', () => { it('clone NodeEncryptionMaterial', () => { const material = new NodeEncryptionMaterial(nodeSuite, { some: 'context' }) - .setUnencryptedDataKey(new Uint8Array(udk128), encryptTrace) - .addEncryptedDataKey( - edk1, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - .addEncryptedDataKey( - edk2, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + .setUnencryptedDataKey(new Uint8Array(udk128)) + .addEncryptedDataKey(edk1) + .addEncryptedDataKey(edk2) const test = cloneMaterial(material) expect(test).to.be.instanceOf(NodeEncryptionMaterial) expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal(udk128) - expect(test.keyringTrace).to.deep.equal(material.keyringTrace) + expect(test.encryptedDataKeys).to.deep.equal(material.encryptedDataKeys) expect(test.encryptionContext).to.deep.equal(material.encryptionContext) }) @@ -98,12 +81,12 @@ describe('cloneMaterial', () => { it('clone NodeDecryptionMaterial', () => { const material = new NodeDecryptionMaterial(nodeSuite, { some: 'context', - }).setUnencryptedDataKey(new Uint8Array(udk128), decryptTrace) + }).setUnencryptedDataKey(new Uint8Array(udk128)) const test = cloneMaterial(material) expect(test).to.be.instanceOf(NodeDecryptionMaterial) expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal(udk128) - expect(test.keyringTrace).to.deep.equal(material.keyringTrace) + expect(test.encryptionContext).to.deep.equal(material.encryptionContext) }) @@ -111,22 +94,16 @@ describe('cloneMaterial', () => { const material = new WebCryptoEncryptionMaterial(webCryptoSuite, { some: 'context', }) - .setUnencryptedDataKey(new Uint8Array(udk128), encryptTrace) - .setCryptoKey(cryptoKey, encryptTrace) - .addEncryptedDataKey( - edk1, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - .addEncryptedDataKey( - edk2, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + .setUnencryptedDataKey(new Uint8Array(udk128)) + .setCryptoKey(cryptoKey) + .addEncryptedDataKey(edk1) + .addEncryptedDataKey(edk2) const test = cloneMaterial(material) expect(test).to.be.instanceOf(WebCryptoEncryptionMaterial) expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal(udk128) expect(test.getCryptoKey()).to.deep.equal(cryptoKey) - expect(test.keyringTrace).to.deep.equal(material.keyringTrace) + expect(test.encryptedDataKeys).to.deep.equal(material.encryptedDataKeys) expect(test.encryptionContext).to.deep.equal(material.encryptionContext) }) @@ -135,65 +112,12 @@ describe('cloneMaterial', () => { /* WebCryptoDecryptionMaterial do not have an unencrypted data key. */ const material = new WebCryptoDecryptionMaterial(webCryptoSuite, { some: 'context', - }).setCryptoKey(cryptoKey, decryptTrace) + }).setCryptoKey(cryptoKey) const test = cloneMaterial(material) expect(test).to.be.instanceOf(WebCryptoDecryptionMaterial) expect(test.getCryptoKey()).to.deep.equal(cryptoKey) - expect(test.keyringTrace).to.deep.equal(material.keyringTrace) - expect(test.encryptionContext).to.deep.equal(material.encryptionContext) - }) - - it('Precondition: For each encrypted data key, there must be a trace.', () => { - const material = new NodeEncryptionMaterial(nodeSuite, { some: 'context' }) - .setUnencryptedDataKey(new Uint8Array(udk128), encryptTrace) - .addEncryptedDataKey( - edk1, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - .addEncryptedDataKey( - edk2, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - - // remove a trace... - material.keyringTrace.pop() - expect(() => cloneMaterial(material)).to.throw( - Error, - 'KeyringTrace length does not match encrypted data keys.' - ) - }) - - it('Precondition: The traces must be in the same order as the encrypted data keys.', () => { - const material = new NodeEncryptionMaterial(nodeSuite, { some: 'context' }) - .setUnencryptedDataKey(new Uint8Array(udk128), encryptTrace) - .addEncryptedDataKey( - edk1, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - .addEncryptedDataKey( - edk2, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - - // @ts-ignore Typescript is trying to save us... - material.keyringTrace[1].keyName = 'does not exist' - expect(() => cloneMaterial(material)).to.throw( - Error, - 'Keyring trace does not match encrypted data key.' - ) - }) - it('Precondition: On Decrypt there must not be any additional traces other than the setTrace.', () => { - const material = new NodeDecryptionMaterial(nodeSuite, { - some: 'context', - }).setUnencryptedDataKey(new Uint8Array(udk128), decryptTrace) - - // Just push _something_ on - material.keyringTrace.push({} as any) - expect(() => cloneMaterial(material)).to.throw( - Error, - 'Only 1 trace is valid on DecryptionMaterials.' - ) + expect(test.encryptionContext).to.deep.equal(material.encryptionContext) }) }) diff --git a/modules/material-management/test/cryptographic_material.test.ts b/modules/material-management/test/cryptographic_material.test.ts index b0e7e110a..f8bdf8e90 100644 --- a/modules/material-management/test/cryptographic_material.test.ts +++ b/modules/material-management/test/cryptographic_material.test.ts @@ -11,7 +11,6 @@ import { SignatureKey, VerificationKey, WebCryptoAlgorithmSuite, - KeyringTraceFlag, } from '../src' import { decorateCryptographicMaterial, @@ -35,10 +34,7 @@ import { createSecretKey } from 'crypto' describe('decorateCryptographicMaterial', () => { it('will decorate', () => { - const test = decorateCryptographicMaterial( - {} as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({} as any) expect(test) .to.haveOwnProperty('setUnencryptedDataKey') .and.to.be.a('function') @@ -51,28 +47,15 @@ describe('decorateCryptographicMaterial', () => { expect(test).to.haveOwnProperty('hasUnencryptedDataKey').and.to.equal(false) }) - it('Precondition: setFlag must be in the set of KeyringTraceFlag.SET_FLAGS.', () => { - expect(() => - decorateCryptographicMaterial( - {} as any, - KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX - ) - ).to.throw('') - }) - it('set, inspect, get works', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) test.setUnencryptedDataKey(new Uint8Array(dataKey), { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, }) expect(test.hasUnencryptedDataKey).to.equal(true) const udk = unwrapDataKey(test.getUnencryptedDataKey()) @@ -83,10 +66,7 @@ describe('decorateCryptographicMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) /* This is complicated. * Now that I support KeyObjects it is good to pass a copy, @@ -97,7 +77,6 @@ describe('decorateCryptographicMaterial', () => { test.setUnencryptedDataKey(dataKey, { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, }) test.zeroUnencryptedDataKey() expect(test.hasUnencryptedDataKey).to.equal(false) @@ -115,10 +94,7 @@ describe('decorateCryptographicMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes - 1).fill(1) expect(() => test.setUnencryptedDataKey(new Uint8Array(dataKey))).to.throw() }) @@ -127,25 +103,18 @@ describe('decorateCryptographicMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) test.setUnencryptedDataKey(new Uint8Array(dataKey), { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, }) test.zeroUnencryptedDataKey() expect(() => test.getUnencryptedDataKey()).to.throw() }) it('Precondition: unencryptedDataKey must be set before we can return it.', () => { - const test: any = decorateCryptographicMaterial( - {} as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test: any = decorateCryptographicMaterial({} as any) expect(() => test.getUnencryptedDataKey()).to.throw() }) @@ -154,16 +123,12 @@ describe('decorateCryptographicMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({ suite } as any) test.zeroUnencryptedDataKey() const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) const trace = { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, } // It is very hard to test this perfectly. However, this tests the spirit. expect(() => @@ -175,10 +140,7 @@ describe('decorateCryptographicMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({ suite } as any) expect(() => test.setUnencryptedDataKey('')).to.throw() }) @@ -186,15 +148,11 @@ describe('decorateCryptographicMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) const trace = { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, } test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) expect(() => @@ -206,10 +164,7 @@ describe('decorateCryptographicMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array( new ArrayBuffer(suite.keyLengthBytes + 10), 5, @@ -218,80 +173,21 @@ describe('decorateCryptographicMaterial', () => { const trace = { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, } expect(() => test.setUnencryptedDataKey(dataKey, trace)).to.throw( 'Unencrypted Master Key must be an isolated buffer.' ) }) - it('Precondition: Trace must be set, and the flag must indicate that the data key was generated.', () => { - const suite = new NodeAlgorithmSuite( - AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 - ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) - const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - expect(() => - test.setUnencryptedDataKey(new Uint8Array(dataKey), {} as any) - ).to.throw('Malformed KeyringTrace') - }) - - it('Precondition: On set the required KeyringTraceFlag must be set.', () => { - const suite = new NodeAlgorithmSuite( - AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 - ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) - const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX, - } - expect(() => - test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) - ).to.throw('Required KeyringTraceFlag not set') - }) - - it('Precondition: Only valid flags are allowed.', () => { - const suite = new NodeAlgorithmSuite( - AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 - ) - const test = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) - const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - expect(() => - test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) - ).to.throw('Invalid KeyringTraceFlags set.') - }) - it('Precondition: The unencryptedDataKey must not have been modified.', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const material = decorateCryptographicMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + const material = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) material.setUnencryptedDataKey(dataKey, { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, }) const test = material.getUnencryptedDataKey() test[0] = 12 @@ -315,7 +211,6 @@ describe('decorateEncryptionMaterial', () => { ) const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], } as any) expect(test) .to.haveOwnProperty('addEncryptedDataKey') @@ -334,7 +229,7 @@ describe('decorateEncryptionMaterial', () => { ) const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], + hasUnencryptedDataKey: true, } as any) const edk = new EncryptedDataKey({ @@ -342,10 +237,7 @@ describe('decorateEncryptionMaterial', () => { providerInfo: 'p', encryptedDataKey: new Uint8Array(3), }) - test.addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + test.addEncryptedDataKey(edk) expect(test.encryptedDataKeys).to.have.length(1) expect(test.encryptedDataKeys[0] === edk).to.equal(true) }) @@ -356,7 +248,6 @@ describe('decorateEncryptionMaterial', () => { ) const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], } as any) const key = new SignatureKey(new Uint8Array(3), new Uint8Array(3), suite) test.setSignatureKey(key) @@ -374,15 +265,10 @@ describe('decorateEncryptionMaterial', () => { }) const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], + hasUnencryptedDataKey: false, } as any) - expect(() => - test.addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - ).to.throw() + expect(() => test.addEncryptedDataKey(edk)).to.throw() }) it('Precondition: Edk must be EncryptedDataKey', () => { @@ -392,59 +278,8 @@ describe('decorateEncryptionMaterial', () => { const edk: any = {} const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], - } as any) - expect(() => - test.addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) - ).to.throw() - }) - - it('Precondition: flags must indicate that the key was encrypted.', () => { - const suite = new NodeAlgorithmSuite( - AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 - ) - const test: any = decorateEncryptionMaterial({ - suite, - keyringTrace: [], - hasUnencryptedDataKey: true, - } as any) - const edk = new EncryptedDataKey({ - providerId: 'p', - providerInfo: 'p', - encryptedDataKey: new Uint8Array(3), - }) - expect(() => - test.addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX - ) - ).to.throw('Encrypted data key flag must be set.') - }) - - it('Precondition: flags must not include a setFlag or a decrypt flag.', () => { - const suite = new NodeAlgorithmSuite( - AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 - ) - const test: any = decorateEncryptionMaterial({ - suite, - keyringTrace: [], - hasUnencryptedDataKey: true, } as any) - const edk = new EncryptedDataKey({ - providerId: 'p', - providerInfo: 'p', - encryptedDataKey: new Uint8Array(3), - }) - expect(() => - test.addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX - ) - ).to.throw('Invalid flag for EncryptedDataKey.') + expect(() => test.addEncryptedDataKey(edk)).to.throw() }) it('Precondition: The SignatureKey stored must agree with the algorithm specification.', () => { @@ -461,7 +296,6 @@ describe('decorateEncryptionMaterial', () => { ) const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], } as any) expect(() => test.setSignatureKey(key)).to.throw() }) @@ -473,7 +307,6 @@ describe('decorateEncryptionMaterial', () => { const key = new SignatureKey(new Uint8Array(3), new Uint8Array(3), suite) const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], } as any) test.setSignatureKey(key) expect(() => test.setSignatureKey(key)).to.throw() @@ -486,7 +319,6 @@ describe('decorateEncryptionMaterial', () => { const key: any = {} const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], } as any) expect(() => test.setSignatureKey(key)).to.throw() }) @@ -497,7 +329,6 @@ describe('decorateEncryptionMaterial', () => { ) const test: any = decorateEncryptionMaterial({ suite, - keyringTrace: [], } as any) expect(() => test.signatureKey).to.throw() }) @@ -510,7 +341,6 @@ describe('decorateDecryptionMaterial', () => { ) const test: any = decorateDecryptionMaterial({ suite, - keyringTrace: [], } as any) expect(test) .to.haveOwnProperty('setVerificationKey') @@ -524,7 +354,6 @@ describe('decorateDecryptionMaterial', () => { ) const test: any = decorateDecryptionMaterial({ suite, - keyringTrace: [], } as any) const key = new VerificationKey(new Uint8Array(3), suite) test.setVerificationKey(key) @@ -541,7 +370,6 @@ describe('decorateDecryptionMaterial', () => { const key = new VerificationKey(new Uint8Array(3), suiteWithSig) const test: any = decorateDecryptionMaterial({ suite, - keyringTrace: [], } as any) expect(() => test.setVerificationKey(key)).to.throw() }) @@ -553,7 +381,6 @@ describe('decorateDecryptionMaterial', () => { const key = new VerificationKey(new Uint8Array(3), suite) const test: any = decorateDecryptionMaterial({ suite, - keyringTrace: [], } as any) test.setVerificationKey(key) expect(() => test.setVerificationKey(key)).to.throw() @@ -566,7 +393,6 @@ describe('decorateDecryptionMaterial', () => { const key: any = {} const test: any = decorateDecryptionMaterial({ suite, - keyringTrace: [], } as any) expect(() => test.setVerificationKey(key)).to.throw() }) @@ -577,7 +403,6 @@ describe('decorateDecryptionMaterial', () => { ) const test: any = decorateDecryptionMaterial({ suite, - keyringTrace: [], } as any) expect(() => test.verificationKey).to.throw() }) @@ -588,15 +413,9 @@ describe('decorateWebCryptoMaterial', () => { const suite = new WebCryptoAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) - const test: any = decorateWebCryptoMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + const test: any = decorateWebCryptoMaterial({ suite } as any) // setCryptoKey uses `zeroUnencryptedDataKey` when setting a cryptoKey *without* a unencrypted data key - decorateCryptographicMaterial( - test, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + decorateCryptographicMaterial(test) test.validUsages = ['deriveKey'] const key: any = { type: 'secret', @@ -607,7 +426,6 @@ describe('decorateWebCryptoMaterial', () => { const trace = { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, } test.setCryptoKey(key, trace) expect(test.getCryptoKey() === key).to.equal(true) @@ -619,16 +437,10 @@ describe('decorateWebCryptoMaterial', () => { const suite = new WebCryptoAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) - const test: any = decorateWebCryptoMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + const test: any = decorateWebCryptoMaterial({ suite } as any) test.validUsages = ['deriveKey'] // setCryptoKey uses `zeroUnencryptedDataKey` when setting a cryptoKey *without* a unencrypted data key - decorateCryptographicMaterial( - test, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + decorateCryptographicMaterial(test) const key: any = { type: 'secret', algorithm: { name: 'HKDF' }, @@ -639,7 +451,6 @@ describe('decorateWebCryptoMaterial', () => { const trace = { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, } test.setCryptoKey(mixedKey, trace) expect(test.getCryptoKey() !== mixedKey).to.equal(true) @@ -655,10 +466,7 @@ describe('decorateWebCryptoMaterial', () => { }) it('Precondition: The cryptoKey must be set before we can return it.', () => { - const test: any = decorateWebCryptoMaterial( - {} as any, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + const test: any = decorateWebCryptoMaterial({} as any) expect(() => test.getCryptoKey()).to.throw() }) @@ -666,16 +474,10 @@ describe('decorateWebCryptoMaterial', () => { const suite = new WebCryptoAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) - const test: any = decorateWebCryptoMaterial( - { suite, keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + const test: any = decorateWebCryptoMaterial({ suite } as any) test.validUsages = ['deriveKey'] // setCryptoKey uses `zeroUnencryptedDataKey` when setting a cryptoKey *without* a unencrypted data key - decorateCryptographicMaterial( - test, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + decorateCryptographicMaterial(test) const key: any = { type: 'secret', algorithm: { name: 'HKDF' }, @@ -685,17 +487,13 @@ describe('decorateWebCryptoMaterial', () => { const trace = { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, } test.setCryptoKey(key, trace) expect(() => test.setCryptoKey(key, trace)).to.throw() }) it('Precondition: The CryptoKey must match the algorithm suite specification.', () => { - const test: any = decorateWebCryptoMaterial( - {} as any, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + const test: any = decorateWebCryptoMaterial({} as any) const key: any = { type: 'secret', algorithm: { name: 'HKDF' }, @@ -733,86 +531,18 @@ describe('decorateWebCryptoMaterial', () => { const trace = { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, } expect(() => test.setCryptoKey(key, trace)).to.throw() expect(() => test.setCryptoKey(key1, trace)).to.throw() expect(() => test.setCryptoKey(key2, trace)).to.throw() }) - it('Precondition: If the CryptoKey is the only version, the trace information must be set here.', () => { - const suite = new NodeAlgorithmSuite( - AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 - ) - const test: any = decorateWebCryptoMaterial( - { suite, validUsages: ['deriveKey'], keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) - decorateCryptographicMaterial( - test, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) - - const key: any = { - type: 'secret', - algorithm: { name: 'HKDF' }, - usages: ['deriveKey'], - extractable: false, - } - expect(() => - test.setCryptoKey(key, { - keyNamespace: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - }) - ).to.throw('Malformed KeyringTrace') - expect(() => - test.setCryptoKey(key, { - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - }) - ).to.throw('Malformed KeyringTrace') - expect(() => test.setCryptoKey(key)).to.throw('Malformed KeyringTrace') - }) - - it('Precondition: On setting the CryptoKey the required KeyringTraceFlag must be set.', () => { - const suite = new NodeAlgorithmSuite( - AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 - ) - const test: any = decorateWebCryptoMaterial( - { suite, validUsages: ['deriveKey'], keyringTrace: [] } as any, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) - decorateCryptographicMaterial( - test, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) - - const key: any = { - type: 'secret', - algorithm: { name: 'HKDF' }, - usages: ['deriveKey'], - extractable: false, - } - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX, - } - expect(() => test.setCryptoKey(key, trace)).to.throw( - 'Required KeyringTraceFlag not set' - ) - }) - it('Precondition: dataKey must be a supported type.', () => { - const test: any = decorateWebCryptoMaterial( - {} as any, - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + const test: any = decorateWebCryptoMaterial({} as any) const key: any = {} const trace = { keyNamespace: 'k', keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, } expect(() => test.setCryptoKey(key, trace)).to.throw() }) diff --git a/modules/material-management/test/keyring.test.ts b/modules/material-management/test/keyring.test.ts index 523db718c..26a4985a5 100644 --- a/modules/material-management/test/keyring.test.ts +++ b/modules/material-management/test/keyring.test.ts @@ -13,7 +13,6 @@ import { AlgorithmSuiteIdentifier } from '../src/algorithm_suites' import { NodeAlgorithmSuite } from '../src/node_algorithms' import { EncryptedDataKey } from '../src/encrypted_data_key' import { Keyring } from '../src/keyring' -import { KeyringTraceFlag } from '../src' chai.use(chaiAsPromised) const { expect } = chai const never = () => { @@ -46,13 +45,8 @@ describe('Keyring', () => { async _onEncrypt(material: NodeEncryptionMaterial) { expect(material.suite === suite).to.equal(true) expect(material.hasUnencryptedDataKey).to.equal(false) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } assertCount += 1 - return material.setUnencryptedDataKey(unencryptedDataKey, trace) + return material.setUnencryptedDataKey(unencryptedDataKey) } async _onDecrypt(material: NodeDecryptionMaterial) { never() @@ -172,12 +166,8 @@ describe('Keyring: onDecrypt', () => { ) const material = new NodeDecryptionMaterial(suite, {}) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - material.setUnencryptedDataKey(unencryptedDataKey, trace) + + material.setUnencryptedDataKey(unencryptedDataKey) const edk = new EncryptedDataKey({ providerId: 'p', providerInfo: 'i', diff --git a/modules/material-management/test/multi_keyring.test.ts b/modules/material-management/test/multi_keyring.test.ts index f4c7e7cbd..b3252decf 100644 --- a/modules/material-management/test/multi_keyring.test.ts +++ b/modules/material-management/test/multi_keyring.test.ts @@ -15,7 +15,6 @@ import { import { NodeAlgorithmSuite } from '../src/node_algorithms' import { AlgorithmSuiteIdentifier } from '../src/algorithm_suites' import { EncryptedDataKey } from '../src/encrypted_data_key' -import { KeyringTraceFlag, KeyringTrace } from '../src/keyring_trace' chai.use(chaiAsPromised) const { expect } = chai @@ -112,18 +111,12 @@ describe('MultiKeyring: onEncrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0, keyringTrace0] = makeEDKandTraceForEncrypt(0) + const [edk0] = makeEDKandTraceForEncrypt(0) const generator = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { return material - .setUnencryptedDataKey( - new Uint8Array(unencryptedDataKey), - keyringTrace0 - ) - .addEncryptedDataKey( - edk0, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + .setUnencryptedDataKey(new Uint8Array(unencryptedDataKey)) + .addEncryptedDataKey(edk0) }, onDecrypt: never, }) @@ -136,8 +129,6 @@ describe('MultiKeyring: onEncrypt', () => { const edks = test.encryptedDataKeys expect(edks).to.be.an('Array').with.lengthOf(1) expect(edks[0] === edk0).to.equal(true) - expect(test.keyringTrace).to.be.an('Array').with.lengthOf(2) - expect(test.keyringTrace[0] === keyringTrace0).to.equal(true) // Make sure the unencrypted data key match expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal( @@ -150,29 +141,20 @@ describe('MultiKeyring: onEncrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0, keyringTrace0] = makeEDKandTraceForEncrypt(0) + const [edk0] = makeEDKandTraceForEncrypt(0) const [edk1] = makeEDKandTraceForEncrypt(1) const generator = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { return material - .setUnencryptedDataKey( - new Uint8Array(unencryptedDataKey), - keyringTrace0 - ) - .addEncryptedDataKey( - edk0, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + .setUnencryptedDataKey(new Uint8Array(unencryptedDataKey)) + .addEncryptedDataKey(edk0) }, onDecrypt: never, }) const children = [ keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { - return material.addEncryptedDataKey( - edk1, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + return material.addEncryptedDataKey(edk1) }, onDecrypt: never, }), @@ -187,7 +169,6 @@ describe('MultiKeyring: onEncrypt', () => { expect(edks).to.be.an('Array').with.lengthOf(2) expect(edks[0] === edk0).to.equal(true) expect(edks[1] === edk1).to.equal(true) - expect(test.keyringTrace).to.be.an('Array').with.lengthOf(3) // Make sure the unencrypted data key match expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal( @@ -199,10 +180,9 @@ describe('MultiKeyring: onEncrypt', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const [, keyringTrace0] = makeEDKandTraceForEncrypt(0) + const [,] = makeEDKandTraceForEncrypt(0) const generator = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { - material.keyringTrace.push(keyringTrace0) return material }, onDecrypt: never, @@ -241,13 +221,10 @@ describe('MultiKeyring: onEncrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0, keyringTrace0] = makeEDKandTraceForEncrypt(0) + const [edk0] = makeEDKandTraceForEncrypt(0) const generator = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { - return material.addEncryptedDataKey( - edk0, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + return material.addEncryptedDataKey(edk0) }, onDecrypt: never, }) @@ -256,7 +233,7 @@ describe('MultiKeyring: onEncrypt', () => { const material = new NodeEncryptionMaterial( suite, {} - ).setUnencryptedDataKey(new Uint8Array(unencryptedDataKey), keyringTrace0) + ).setUnencryptedDataKey(new Uint8Array(unencryptedDataKey)) await mkeyring.onEncrypt(material) }) @@ -266,13 +243,10 @@ describe('MultiKeyring: onEncrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0, keyringTrace0] = makeEDKandTraceForEncrypt(0) + const [edk0] = makeEDKandTraceForEncrypt(0) const child = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { - return material.addEncryptedDataKey( - edk0, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + return material.addEncryptedDataKey(edk0) }, onDecrypt: never, }) @@ -281,7 +255,7 @@ describe('MultiKeyring: onEncrypt', () => { const material = new NodeEncryptionMaterial( suite, {} - ).setUnencryptedDataKey(new Uint8Array(unencryptedDataKey), keyringTrace0) + ).setUnencryptedDataKey(new Uint8Array(unencryptedDataKey)) await mkeyring.onEncrypt(material) }) @@ -293,7 +267,7 @@ describe('MultiKeyring: onDecrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0, keyringTrace0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKandTraceForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const generator = keyRingFactory({ @@ -301,8 +275,7 @@ describe('MultiKeyring: onDecrypt', () => { material: NodeDecryptionMaterial /*, encryptedDataKeys: EncryptedDataKey[] */ ) { return material.setUnencryptedDataKey( - new Uint8Array(unencryptedDataKey), - keyringTrace0 + new Uint8Array(unencryptedDataKey) ) }, onEncrypt: never, @@ -312,8 +285,6 @@ describe('MultiKeyring: onDecrypt', () => { const test: any = await mkeyring.onDecrypt(material, [edk0]) expect(test === material).to.equal(true) - expect(test.keyringTrace).to.be.an('Array').with.lengthOf(1) - expect(test.keyringTrace[0] === keyringTrace0).to.equal(true) // Make sure the unencrypted data key match expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal( @@ -326,7 +297,7 @@ describe('MultiKeyring: onDecrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0, keyringTrace0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKandTraceForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const child = keyRingFactory({ @@ -334,8 +305,7 @@ describe('MultiKeyring: onDecrypt', () => { material: NodeDecryptionMaterial /*, encryptedDataKeys: EncryptedDataKey[] */ ) { return material.setUnencryptedDataKey( - new Uint8Array(unencryptedDataKey), - keyringTrace0 + new Uint8Array(unencryptedDataKey) ) }, onEncrypt: never, @@ -345,8 +315,6 @@ describe('MultiKeyring: onDecrypt', () => { const test: any = await mkeyring.onDecrypt(material, [edk0]) expect(test === material).to.equal(true) - expect(test.keyringTrace).to.be.an('Array').with.lengthOf(1) - expect(test.keyringTrace[0] === keyringTrace0).to.equal(true) // Make sure the unencrypted data key match expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal( @@ -359,7 +327,7 @@ describe('MultiKeyring: onDecrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0, keyringTrace0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKandTraceForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const child = keyRingFactory({ @@ -367,8 +335,7 @@ describe('MultiKeyring: onDecrypt', () => { material: NodeDecryptionMaterial /*, encryptedDataKeys: EncryptedDataKey[] */ ) { return material.setUnencryptedDataKey( - new Uint8Array(unencryptedDataKey), - keyringTrace0 + new Uint8Array(unencryptedDataKey) ) }, onEncrypt: never, @@ -387,8 +354,6 @@ describe('MultiKeyring: onDecrypt', () => { const test: any = await mkeyring.onDecrypt(material, [edk0]) expect(test === material).to.equal(true) - expect(test.keyringTrace).to.be.an('Array').with.lengthOf(1) - expect(test.keyringTrace[0] === keyringTrace0).to.equal(true) // Make sure the unencrypted data key match expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal( @@ -402,7 +367,7 @@ describe('MultiKeyring: onDecrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0, keyringTrace0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKandTraceForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const child = keyRingFactory({ @@ -410,8 +375,7 @@ describe('MultiKeyring: onDecrypt', () => { material: NodeDecryptionMaterial /*, encryptedDataKeys: EncryptedDataKey[] */ ) { return material.setUnencryptedDataKey( - new Uint8Array(unencryptedDataKey), - keyringTrace0 + new Uint8Array(unencryptedDataKey) ) }, onEncrypt: never, @@ -431,8 +395,6 @@ describe('MultiKeyring: onDecrypt', () => { const test: any = await mkeyring.onDecrypt(material, [edk0]) expect(test === material).to.equal(true) - expect(test.keyringTrace).to.be.an('Array').with.lengthOf(1) - expect(test.keyringTrace[0] === keyringTrace0).to.equal(true) // Make sure the unencrypted data key match expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal( @@ -484,22 +446,15 @@ describe('MultiKeyring: onDecrypt', () => { }) }) -function makeEDKandTraceForEncrypt( - num: number -): [EncryptedDataKey, KeyringTrace] { - return makeEDKandTrace(num, KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY) +function makeEDKandTraceForEncrypt(num: number): [EncryptedDataKey] { + return makeEDKandTrace(num) } -function makeEDKandTraceForDecrypt( - num: number -): [EncryptedDataKey, KeyringTrace] { - return makeEDKandTrace(num, KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY) +function makeEDKandTraceForDecrypt(num: number): [EncryptedDataKey] { + return makeEDKandTrace(num) } -function makeEDKandTrace( - num: number, - flags: KeyringTraceFlag -): [EncryptedDataKey, KeyringTrace] { +function makeEDKandTrace(num: number): [EncryptedDataKey] { const providerId = 'providerId' + num const providerInfo = 'providerInfo' + num const encryptedDataKey = new Uint8Array([0, 0, 0]).fill(num) @@ -508,12 +463,8 @@ function makeEDKandTrace( providerInfo, encryptedDataKey, }) - const keyringTrace = { - keyNamespace: providerId, - keyName: providerInfo, - flags, - } - return [edk, keyringTrace] + + return [edk] } type factoryOp = { onEncrypt: any; onDecrypt: any } diff --git a/modules/raw-aes-keyring-browser/src/raw_aes_keyring_browser.ts b/modules/raw-aes-keyring-browser/src/raw_aes_keyring_browser.ts index 39201f296..2ca354b44 100644 --- a/modules/raw-aes-keyring-browser/src/raw_aes_keyring_browser.ts +++ b/modules/raw-aes-keyring-browser/src/raw_aes_keyring_browser.ts @@ -7,7 +7,6 @@ import { WebCryptoEncryptionMaterial, WebCryptoDecryptionMaterial, EncryptedDataKey, - KeyringTraceFlag, immutableClass, readOnlyProperty, WebCryptoAlgorithmSuite, @@ -41,12 +40,6 @@ const { rawAesEncryptedDataKey } = rawAesEncryptedDataKeyFactory( fromUtf8 ) const { rawAesEncryptedParts } = rawAesEncryptedPartsFactory(fromUtf8) -const encryptFlags = - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX -const decryptFlags = - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX export type RawAesKeyringWebCryptoInput = { keyNamespace: string @@ -68,15 +61,8 @@ export class RawAesKeyringWebCrypto extends KeyringWebCrypto { needs(keyName && keyNamespace, 'Identifying information must be defined.') /* Precondition: RawAesKeyringWebCrypto requires a wrappingSuite to be a valid RawAesWrappingSuite. */ const wrappingMaterial = new WebCryptoRawAesMaterial(wrappingSuite) - /* Precondition: unencryptedMasterKey must correspond to the WebCryptoAlgorithmSuite specification. - * Note: the KeyringTrace and flag are _only_ set because I am reusing an existing implementation. - * See: raw_aes_material.ts in @aws-crypto/raw-keyring for details - */ - .setCryptoKey(masterKey, { - keyNamespace, - keyName, - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - }) + /* Precondition: unencryptedMasterKey must correspond to the WebCryptoAlgorithmSuite specification. */ + .setCryptoKey(masterKey) const _wrapKey = async (material: WebCryptoEncryptionMaterial) => { /* The AAD section is uInt16BE(length) + AAD @@ -110,16 +96,9 @@ export class RawAesKeyringWebCrypto extends KeyringWebCrypto { const aad = serializeEncryptionContext(material.encryptionContext).slice( 2 ) - const { keyNamespace, keyName } = this + const { keyName } = this - return aesGcmUnwrapKey( - keyNamespace, - keyName, - material, - wrappingMaterial, - edk, - aad - ) + return aesGcmUnwrapKey(keyName, material, wrappingMaterial, edk, aad) } readOnlyProperty(this, 'keyName', keyName) @@ -153,15 +132,8 @@ export class RawAesKeyringWebCrypto extends KeyringWebCrypto { ): Promise { needs(masterKey instanceof Uint8Array, 'Unsupported master key type.') const material = new WebCryptoRawAesMaterial(wrappingSuite) - /* Precondition: masterKey must correspond to the algorithm suite specification. - * Note: the KeyringTrace and flag are _only_ set because I am reusing an existing implementation. - * See: raw_aes_material.ts in @aws-crypto/raw-keyring for details - */ - .setUnencryptedDataKey(masterKey, { - keyNamespace: 'importOnly', - keyName: 'importOnly', - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - }) + /* Precondition: masterKey must correspond to the algorithm suite specification. */ + .setUnencryptedDataKey(masterKey) return backendForRawAesMasterKey().then(async (backend) => _importCryptoKey(backend.subtle, material, ['encrypt', 'decrypt']) ) @@ -172,8 +144,8 @@ immutableClass(RawAesKeyringWebCrypto) /** * Uses aes-gcm to encrypt the data key and return the passed WebCryptoEncryptionMaterial with * an EncryptedDataKey added. - * @param keyNamespace [String] The keyring namespace (for KeyringTrace) - * @param keyName [String] The keyring name (for KeyringTrace and to extract the extra info stored in providerInfo) + * @param keyNamespace [String] The keyring namespace + * @param keyName [String] The keyring name (to extract the extra info stored in providerInfo) * @param material [WebCryptoEncryptionMaterial] The target material to which the EncryptedDataKey will be added * @param aad [Uint8Array] The serialized aad (EncryptionContext) * @param wrappingMaterial [WebCryptoRawAesMaterial] The material used to decrypt the EncryptedDataKey @@ -214,14 +186,13 @@ async function aesGcmWrapKey( ciphertext, authTag ) - return material.addEncryptedDataKey(edk, encryptFlags) + return material.addEncryptedDataKey(edk) } /** * Uses aes-gcm to decrypt the encrypted data key and return the passed WebCryptoDecryptionMaterial with * the unencrypted data key set. - * @param keyNamespace [String] The keyring namespace (for KeyringTrace) - * @param keyName [String] The keyring name (for KeyringTrace and to extract the extra info stored in providerInfo) + * @param keyName [String] The keyring name (to extract the extra info stored in providerInfo) * @param material [WebCryptoDecryptionMaterial] The target material to which the decrypted data key will be added * @param wrappingMaterial [WebCryptoRawAesMaterial] The material used to decrypt the EncryptedDataKey * @param edk [EncryptedDataKey] The EncryptedDataKey on which to operate @@ -229,7 +200,6 @@ async function aesGcmWrapKey( * @returns [WebCryptoDecryptionMaterial] Mutates and returns the same WebCryptoDecryptionMaterial that was passed but with the unencrypted data key set */ async function aesGcmUnwrapKey( - keyNamespace: string, keyName: string, material: WebCryptoDecryptionMaterial, wrappingMaterial: WebCryptoRawAesMaterial, @@ -250,8 +220,8 @@ async function aesGcmUnwrapKey( const buffer = await KdfGetSubtleDecrypt(info)(iv, aad)( concatBuffers(ciphertext, authTag) ) - const trace = { keyNamespace, keyName, flags: decryptFlags } - material.setUnencryptedDataKey(new Uint8Array(buffer), trace) + + material.setUnencryptedDataKey(new Uint8Array(buffer)) return importForWebCryptoDecryptionMaterial(material) } diff --git a/modules/raw-aes-keyring-node/src/raw_aes_keyring_node.ts b/modules/raw-aes-keyring-node/src/raw_aes_keyring_node.ts index c499b3281..fe02b783d 100644 --- a/modules/raw-aes-keyring-node/src/raw_aes_keyring_node.ts +++ b/modules/raw-aes-keyring-node/src/raw_aes_keyring_node.ts @@ -7,7 +7,6 @@ import { NodeEncryptionMaterial, NodeDecryptionMaterial, EncryptedDataKey, - KeyringTraceFlag, immutableClass, readOnlyProperty, unwrapDataKey, @@ -56,15 +55,8 @@ export class RawAesKeyringNode extends KeyringNode { needs(keyName && keyNamespace, 'Identifying information must be defined.') /* Precondition: RawAesKeyringNode requires wrappingSuite to be a valid RawAesWrappingSuite. */ const wrappingMaterial = new NodeRawAesMaterial(wrappingSuite) - /* Precondition: unencryptedMasterKey must correspond to the NodeAlgorithmSuite specification. - * Note: the KeyringTrace and flag are _only_ set because I am reusing an existing implementation. - * See: raw_aes_material.ts in @aws-crypto/raw-keyring for details - */ - .setUnencryptedDataKey(unencryptedMasterKey, { - keyNamespace, - keyName, - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - }) + /* Precondition: unencryptedMasterKey must correspond to the NodeAlgorithmSuite specification. */ + .setUnencryptedDataKey(unencryptedMasterKey) const _wrapKey = async (material: NodeEncryptionMaterial) => { /* The AAD section is uInt16BE(length) + AAD @@ -91,7 +83,7 @@ export class RawAesKeyringNode extends KeyringNode { material: NodeDecryptionMaterial, edk: EncryptedDataKey ) => { - const { keyNamespace, keyName } = this + const { keyName } = this /* The AAD section is uInt16BE(length) + AAD * see: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html#header-aad * However, the RAW Keyring wants _only_ the ADD. @@ -103,14 +95,7 @@ export class RawAesKeyringNode extends KeyringNode { const aad = Buffer.from(buffer, byteOffset, byteLength) // const aad = Buffer.concat(encodeEncryptionContext(context || {})) - return aesGcmUnwrapKey( - keyNamespace, - keyName, - material, - wrappingMaterial, - edk, - aad - ) + return aesGcmUnwrapKey(keyName, material, wrappingMaterial, edk, aad) } readOnlyProperty(this, 'keyName', keyName) @@ -131,18 +116,11 @@ export class RawAesKeyringNode extends KeyringNode { } immutableClass(RawAesKeyringNode) -const encryptFlags = - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX -const decryptFlags = - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY | - KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX - /** * Uses aes-gcm to encrypt the data key and return the passed NodeEncryptionMaterial with * an EncryptedDataKey added. - * @param keyNamespace [String] The keyring namespace (for KeyringTrace) - * @param keyName [String] The keyring name (for KeyringTrace and to extract the extra info stored in providerInfo) + * @param keyNamespace [String] The keyring namespace + * @param keyName [String] The keyring name (to extract the extra info stored in providerInfo) * @param material [NodeEncryptionMaterial] The target material to which the EncryptedDataKey will be added * @param aad [Buffer] The serialized aad (EncryptionContext) * @param wrappingMaterial [NodeRawAesMaterial] The material used to decrypt the EncryptedDataKey @@ -174,14 +152,14 @@ function aesGcmWrapKey( authTag ) - return material.addEncryptedDataKey(edk, encryptFlags) + return material.addEncryptedDataKey(edk) } /** * Uses aes-gcm to decrypt the encrypted data key and return the passed NodeDecryptionMaterial with * the unencrypted data key set. - * @param keyNamespace [String] The keyring namespace (for KeyringTrace) - * @param keyName [String] The keyring name (for KeyringTrace and to extract the extra info stored in providerInfo) + * @param keyNamespace [String] The keyring namespace + * @param keyName [String] The keyring name (to extract the extra info stored in providerInfo) * @param material [NodeDecryptionMaterial] The target material to which the decrypted data key will be added * @param wrappingMaterial [NodeRawAesMaterial] The material used to decrypt the EncryptedDataKey * @param edk [EncryptedDataKey] The EncryptedDataKey on which to operate @@ -189,7 +167,6 @@ function aesGcmWrapKey( * @returns [NodeDecryptionMaterial] Mutates and returns the same NodeDecryptionMaterial that was passed but with the unencrypted data key set */ function aesGcmUnwrapKey( - keyNamespace: string, keyName: string, material: NodeDecryptionMaterial, wrappingMaterial: NodeRawAesMaterial, @@ -216,8 +193,7 @@ function aesGcmUnwrapKey( decipher.update(ciphertext), decipher.final() ) - const trace = { keyNamespace, keyName, flags: decryptFlags } - return material.setUnencryptedDataKey(unencryptedDataKey, trace) + return material.setUnencryptedDataKey(unencryptedDataKey) } async function randomBytesAsync(size: number): Promise { diff --git a/modules/raw-keyring/src/raw_aes_material.ts b/modules/raw-keyring/src/raw_aes_material.ts index 458f4e75c..892536a8e 100644 --- a/modules/raw-keyring/src/raw_aes_material.ts +++ b/modules/raw-keyring/src/raw_aes_material.ts @@ -4,8 +4,6 @@ /* Here I am reusing the Material implementation and interface from material-management. * This is because there are many security guarantees that this implementations offer * that map to the current implementation of raw AES keyrings. - * The KeyringTrace is an unfortunate case because there is no mapping. - * However the trade off seems worth it and the convolutions to make it work seem minimal. */ import { @@ -20,8 +18,6 @@ import { AwsEsdkJsCryptoKey, AwsEsdkJsKeyUsage, AwsEsdkKeyObject, - KeyringTrace, - KeyringTraceFlag, needs, EncryptionContext, } from '@aws-crypto/material-management' @@ -35,24 +31,17 @@ export class NodeRawAesMaterial implements Readonly> { suite: NodeAlgorithmSuite setUnencryptedDataKey!: ( - dataKey: Uint8Array | AwsEsdkKeyObject, - trace: KeyringTrace + dataKey: Uint8Array | AwsEsdkKeyObject ) => NodeRawAesMaterial getUnencryptedDataKey!: () => Uint8Array | AwsEsdkKeyObject zeroUnencryptedDataKey!: () => NodeRawAesMaterial hasUnencryptedDataKey!: boolean - keyringTrace: KeyringTrace[] = [] encryptionContext: EncryptionContext = Object.freeze({}) constructor(suiteId: WrappingSuiteIdentifier) { /* Precondition: NodeRawAesMaterial suiteId must be RawAesWrappingSuiteIdentifier. */ needs(RawAesWrappingSuiteIdentifier[suiteId], 'suiteId not supported.') this.suite = new NodeAlgorithmSuite(suiteId) - /* NodeRawAesMaterial need to set a flag, this is an abuse of TraceFlags - * because the material is not generated. - * but CryptographicMaterial force a flag to be set. - */ - const setFlags = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - decorateCryptographicMaterial(this, setFlags) + decorateCryptographicMaterial(this) Object.setPrototypeOf(this, NodeRawAesMaterial.prototype) Object.freeze(this) } @@ -68,16 +57,13 @@ export class WebCryptoRawAesMaterial Readonly> { suite: WebCryptoAlgorithmSuite setUnencryptedDataKey!: ( - dataKey: Uint8Array | AwsEsdkKeyObject, - trace: KeyringTrace + dataKey: Uint8Array | AwsEsdkKeyObject ) => WebCryptoRawAesMaterial getUnencryptedDataKey!: () => Uint8Array | AwsEsdkKeyObject zeroUnencryptedDataKey!: () => WebCryptoRawAesMaterial hasUnencryptedDataKey!: boolean - keyringTrace: KeyringTrace[] = [] setCryptoKey!: ( - dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey, - trace: KeyringTrace + dataKey: AwsEsdkJsCryptoKey | MixedBackendCryptoKey ) => WebCryptoRawAesMaterial getCryptoKey!: () => AwsEsdkJsCryptoKey | MixedBackendCryptoKey hasCryptoKey!: boolean @@ -91,13 +77,8 @@ export class WebCryptoRawAesMaterial 'decrypt', 'encrypt', ] as AwsEsdkJsKeyUsage[]) - /* WebCryptoRawAesMaterial need to set a flag, this is an abuse of TraceFlags - * because the material is not generated. - * but CryptographicMaterial force a flag to be set. - */ - const setFlag = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - decorateCryptographicMaterial(this, setFlag) - decorateWebCryptoMaterial(this, setFlag) + decorateCryptographicMaterial(this) + decorateWebCryptoMaterial(this) Object.setPrototypeOf(this, WebCryptoRawAesMaterial.prototype) Object.freeze(this) } diff --git a/modules/raw-keyring/src/raw_keyring_decorators.ts b/modules/raw-keyring/src/raw_keyring_decorators.ts index c3ecf50af..1c83e5b64 100644 --- a/modules/raw-keyring/src/raw_keyring_decorators.ts +++ b/modules/raw-keyring/src/raw_keyring_decorators.ts @@ -5,8 +5,6 @@ import { EncryptionMaterial, DecryptionMaterial, SupportedAlgorithmSuites, - KeyringTrace, - KeyringTraceFlag, EncryptedDataKey, } from '@aws-crypto/material-management' @@ -27,13 +25,8 @@ export function _onEncrypt< material: EncryptionMaterial ): Promise> { if (!material.hasUnencryptedDataKey) { - const trace: KeyringTrace = { - keyName: this.keyName, - keyNamespace: this.keyNamespace, - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - } const udk = await randomBytes(material.suite.keyLengthBytes) - material.setUnencryptedDataKey(udk, trace) + material.setUnencryptedDataKey(udk) } return this._wrapKey(material) } diff --git a/modules/raw-keyring/test/raw_keyring_decorators.test.ts b/modules/raw-keyring/test/raw_keyring_decorators.test.ts index 0f9a80528..717d83c62 100644 --- a/modules/raw-keyring/test/raw_keyring_decorators.test.ts +++ b/modules/raw-keyring/test/raw_keyring_decorators.test.ts @@ -9,7 +9,6 @@ import { AlgorithmSuiteIdentifier, NodeEncryptionMaterial, NodeAlgorithmSuite, - KeyringTraceFlag, NodeDecryptionMaterial, EncryptedDataKey, unwrapDataKey, @@ -42,12 +41,7 @@ describe('_onEncrypt', () => { expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal( new Uint8Array(Array(suite.keyLengthBytes).fill(1)) ) - expect(test.keyringTrace).to.have.lengthOf(1) - expect(test.keyringTrace[0].keyName).to.equal(keyName) - expect(test.keyringTrace[0].keyNamespace).to.equal(keyNamespace) - expect(test.keyringTrace[0].flags).to.equal( - KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY - ) + expect(wrapCalled).to.equal(1) }) @@ -61,11 +55,7 @@ describe('_onEncrypt', () => { const material = new NodeEncryptionMaterial( suite, {} - ).setUnencryptedDataKey(new Uint8Array(udk), { - keyName, - keyNamespace, - flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY, - }) + ).setUnencryptedDataKey(new Uint8Array(udk)) let wrapCalled = 0 const notRandomBytes = async () => { throw new Error('never') @@ -112,11 +102,7 @@ describe('_onDecrypt', () => { } const _unwrapKey = (material: NodeDecryptionMaterial) => { unwrapCalled += 1 - return material.setUnencryptedDataKey(new Uint8Array(udk), { - keyName, - keyNamespace, - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - }) + return material.setUnencryptedDataKey(new Uint8Array(udk)) } const testKeyring = { @@ -129,12 +115,7 @@ describe('_onDecrypt', () => { const test = await testKeyring._onDecrypt(material, [edk]) expect(unwrapDataKey(test.getUnencryptedDataKey())).to.deep.equal(udk) - expect(test.keyringTrace).to.have.lengthOf(1) - expect(test.keyringTrace[0].keyName).to.equal(keyName) - expect(test.keyringTrace[0].keyNamespace).to.equal(keyNamespace) - expect(test.keyringTrace[0].flags).to.equal( - KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY - ) + expect(unwrapCalled).to.equal(1) expect(filterCalled).to.equal(1) }) @@ -149,11 +130,7 @@ describe('_onDecrypt', () => { const material = new NodeDecryptionMaterial( suite, {} - ).setUnencryptedDataKey(new Uint8Array(udk), { - keyName, - keyNamespace, - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - }) + ).setUnencryptedDataKey(new Uint8Array(udk)) const edk = new EncryptedDataKey({ providerId: keyName, diff --git a/modules/raw-rsa-keyring-browser/src/raw_rsa_keyring_web_crypto.ts b/modules/raw-rsa-keyring-browser/src/raw_rsa_keyring_web_crypto.ts index b9f6df46e..c1775adf5 100644 --- a/modules/raw-rsa-keyring-browser/src/raw_rsa_keyring_web_crypto.ts +++ b/modules/raw-rsa-keyring-browser/src/raw_rsa_keyring_web_crypto.ts @@ -7,8 +7,6 @@ import { WebCryptoEncryptionMaterial, WebCryptoDecryptionMaterial, EncryptedDataKey, - KeyringTrace, - KeyringTraceFlag, immutableClass, readOnlyProperty, bytes2JWK, @@ -97,10 +95,7 @@ export class RawRsaKeyringWebCrypto extends KeyringWebCrypto { encryptedDataKey: new Uint8Array(encryptedArrayBuffer), }) - return material.addEncryptedDataKey( - edk, - KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY - ) + return material.addEncryptedDataKey(edk) } /* returns either an array of 1 CryptoKey or an array of both from MixedBackendCryptoKey e.g. @@ -118,12 +113,6 @@ export class RawRsaKeyringWebCrypto extends KeyringWebCrypto { const backend = await getWebCryptoBackend() const { suite } = material - const trace: KeyringTrace = { - keyName: this.keyName, - keyNamespace: this.keyNamespace, - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - const format = 'raw' const extractable = false const algorithm = suite.kdf ? suite.kdf : suite.encryption @@ -145,7 +134,7 @@ export class RawRsaKeyringWebCrypto extends KeyringWebCrypto { */ if (isFullSupportWebCryptoBackend(backend)) { const cryptoKey = await backend.subtle.unwrapKey(...importArgs) - return material.setCryptoKey(cryptoKey, trace) + return material.setCryptoKey(cryptoKey) } else { const importZeroBackend = [...importArgs] as Parameters< SubtleCrypto['unwrapKey'] @@ -158,7 +147,7 @@ export class RawRsaKeyringWebCrypto extends KeyringWebCrypto { nonZeroByteCryptoKey, zeroByteCryptoKey, })) - return material.setCryptoKey(mixedDataKey, trace) + return material.setCryptoKey(mixedDataKey) } } diff --git a/modules/raw-rsa-keyring-node/src/raw_rsa_keyring_node.ts b/modules/raw-rsa-keyring-node/src/raw_rsa_keyring_node.ts index 1353e7e78..1c3d73fda 100644 --- a/modules/raw-rsa-keyring-node/src/raw_rsa_keyring_node.ts +++ b/modules/raw-rsa-keyring-node/src/raw_rsa_keyring_node.ts @@ -7,8 +7,6 @@ import { NodeEncryptionMaterial, NodeDecryptionMaterial, EncryptedDataKey, - KeyringTrace, - KeyringTraceFlag, immutableClass, readOnlyProperty, unwrapDataKey, @@ -112,13 +110,12 @@ export class RawRsaKeyringNode extends KeyringNode { ) const providerInfo = this.keyName const providerId = this.keyNamespace - const flag = KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY const edk = new EncryptedDataKey({ encryptedDataKey, providerInfo, providerId, }) - return material.addEncryptedDataKey(edk, flag) + return material.addEncryptedDataKey(edk) } const _unwrapKey = async ( @@ -131,19 +128,13 @@ export class RawRsaKeyringNode extends KeyringNode { 'No private key defined in constructor. Decrypt disabled.' ) - const trace: KeyringTrace = { - keyName: this.keyName, - keyNamespace: this.keyNamespace, - flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, - } - const { buffer, byteOffset, byteLength } = edk.encryptedDataKey const encryptedDataKey = Buffer.from(buffer, byteOffset, byteLength) const unencryptedDataKey = privateDecrypt( { key: privateKey, padding, oaepHash } as RsaPrivateKey, encryptedDataKey ) - return material.setUnencryptedDataKey(unencryptedDataKey, trace) + return material.setUnencryptedDataKey(unencryptedDataKey) } readOnlyProperty(this, 'keyName', keyName) From 31c03a5b4e19e92c4823bb5955c5efa806666bdc Mon Sep 17 00:00:00 2001 From: seebees Date: Thu, 6 Aug 2020 12:18:26 -0700 Subject: [PATCH 2/4] Code review fixes --- .../test/cryptographic_material.test.ts | 131 +++++------------- .../test/multi_keyring.test.ts | 32 ++--- .../src/raw_aes_keyring_node.ts | 1 - 3 files changed, 47 insertions(+), 117 deletions(-) diff --git a/modules/material-management/test/cryptographic_material.test.ts b/modules/material-management/test/cryptographic_material.test.ts index f8bdf8e90..9daf94d6f 100644 --- a/modules/material-management/test/cryptographic_material.test.ts +++ b/modules/material-management/test/cryptographic_material.test.ts @@ -53,10 +53,7 @@ describe('decorateCryptographicMaterial', () => { ) const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - test.setUnencryptedDataKey(new Uint8Array(dataKey), { - keyNamespace: 'k', - keyName: 'k', - }) + test.setUnencryptedDataKey(new Uint8Array(dataKey)) expect(test.hasUnencryptedDataKey).to.equal(true) const udk = unwrapDataKey(test.getUnencryptedDataKey()) expect(udk).to.deep.equal(dataKey) @@ -74,10 +71,7 @@ describe('decorateCryptographicMaterial', () => { * But in this case, if this is a version of Node.js that does not support KeyObjects * passing the dataKey lets me verify that the value memory is really zeroed. */ - test.setUnencryptedDataKey(dataKey, { - keyNamespace: 'k', - keyName: 'k', - }) + test.setUnencryptedDataKey(dataKey) test.zeroUnencryptedDataKey() expect(test.hasUnencryptedDataKey).to.equal(false) if (!supportsKeyObject) { @@ -105,10 +99,7 @@ describe('decorateCryptographicMaterial', () => { ) const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - test.setUnencryptedDataKey(new Uint8Array(dataKey), { - keyNamespace: 'k', - keyName: 'k', - }) + test.setUnencryptedDataKey(new Uint8Array(dataKey)) test.zeroUnencryptedDataKey() expect(() => test.getUnencryptedDataKey()).to.throw() }) @@ -126,14 +117,11 @@ describe('decorateCryptographicMaterial', () => { const test = decorateCryptographicMaterial({ suite } as any) test.zeroUnencryptedDataKey() const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - } - // It is very hard to test this perfectly. However, this tests the spirit. - expect(() => - test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) - ).to.throw() + const trace = + // It is very hard to test this perfectly. However, this tests the spirit. + expect(() => + test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + ).to.throw() }) it('Precondition: dataKey must be Binary Data', () => { @@ -150,11 +138,7 @@ describe('decorateCryptographicMaterial', () => { ) const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - } - test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) + const trace = test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) expect(() => test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) ).to.throw('unencryptedDataKey has already been set') @@ -170,13 +154,9 @@ describe('decorateCryptographicMaterial', () => { 5, suite.keyLengthBytes ).fill(1) - const trace = { - keyNamespace: 'k', - keyName: 'k', - } - expect(() => test.setUnencryptedDataKey(dataKey, trace)).to.throw( - 'Unencrypted Master Key must be an isolated buffer.' - ) + const trace = expect(() => + test.setUnencryptedDataKey(dataKey, trace) + ).to.throw('Unencrypted Master Key must be an isolated buffer.') }) it('Precondition: The unencryptedDataKey must not have been modified.', () => { @@ -185,10 +165,7 @@ describe('decorateCryptographicMaterial', () => { ) const material = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - material.setUnencryptedDataKey(dataKey, { - keyNamespace: 'k', - keyName: 'k', - }) + material.setUnencryptedDataKey(dataKey) const test = material.getUnencryptedDataKey() test[0] = 12 expect(() => { @@ -209,9 +186,7 @@ describe('decorateEncryptionMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test: any = decorateEncryptionMaterial({ - suite, - } as any) + const test: any = decorateEncryptionMaterial({ suite } as any) expect(test) .to.haveOwnProperty('addEncryptedDataKey') .and.to.be.a('function') @@ -246,9 +221,7 @@ describe('decorateEncryptionMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) - const test: any = decorateEncryptionMaterial({ - suite, - } as any) + const test: any = decorateEncryptionMaterial({ suite } as any) const key = new SignatureKey(new Uint8Array(3), new Uint8Array(3), suite) test.setSignatureKey(key) expect(test.signatureKey === key).to.equal(true) @@ -276,9 +249,7 @@ describe('decorateEncryptionMaterial', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const edk: any = {} - const test: any = decorateEncryptionMaterial({ - suite, - } as any) + const test: any = decorateEncryptionMaterial({ suite } as any) expect(() => test.addEncryptedDataKey(edk)).to.throw() }) @@ -294,9 +265,7 @@ describe('decorateEncryptionMaterial', () => { new Uint8Array(3), suiteWithSig ) - const test: any = decorateEncryptionMaterial({ - suite, - } as any) + const test: any = decorateEncryptionMaterial({ suite } as any) expect(() => test.setSignatureKey(key)).to.throw() }) @@ -305,9 +274,7 @@ describe('decorateEncryptionMaterial', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) const key = new SignatureKey(new Uint8Array(3), new Uint8Array(3), suite) - const test: any = decorateEncryptionMaterial({ - suite, - } as any) + const test: any = decorateEncryptionMaterial({ suite } as any) test.setSignatureKey(key) expect(() => test.setSignatureKey(key)).to.throw() }) @@ -317,9 +284,7 @@ describe('decorateEncryptionMaterial', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) const key: any = {} - const test: any = decorateEncryptionMaterial({ - suite, - } as any) + const test: any = decorateEncryptionMaterial({ suite } as any) expect(() => test.setSignatureKey(key)).to.throw() }) @@ -327,9 +292,7 @@ describe('decorateEncryptionMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) - const test: any = decorateEncryptionMaterial({ - suite, - } as any) + const test: any = decorateEncryptionMaterial({ suite } as any) expect(() => test.signatureKey).to.throw() }) }) @@ -339,9 +302,7 @@ describe('decorateDecryptionMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const test: any = decorateDecryptionMaterial({ - suite, - } as any) + const test: any = decorateDecryptionMaterial({ suite } as any) expect(test) .to.haveOwnProperty('setVerificationKey') .and.to.be.a('function') @@ -352,9 +313,7 @@ describe('decorateDecryptionMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) - const test: any = decorateDecryptionMaterial({ - suite, - } as any) + const test: any = decorateDecryptionMaterial({ suite } as any) const key = new VerificationKey(new Uint8Array(3), suite) test.setVerificationKey(key) expect(test.verificationKey === key).to.equal(true) @@ -368,9 +327,7 @@ describe('decorateDecryptionMaterial', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const key = new VerificationKey(new Uint8Array(3), suiteWithSig) - const test: any = decorateDecryptionMaterial({ - suite, - } as any) + const test: any = decorateDecryptionMaterial({ suite } as any) expect(() => test.setVerificationKey(key)).to.throw() }) @@ -379,9 +336,7 @@ describe('decorateDecryptionMaterial', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) const key = new VerificationKey(new Uint8Array(3), suite) - const test: any = decorateDecryptionMaterial({ - suite, - } as any) + const test: any = decorateDecryptionMaterial({ suite } as any) test.setVerificationKey(key) expect(() => test.setVerificationKey(key)).to.throw() }) @@ -391,9 +346,7 @@ describe('decorateDecryptionMaterial', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) const key: any = {} - const test: any = decorateDecryptionMaterial({ - suite, - } as any) + const test: any = decorateDecryptionMaterial({ suite } as any) expect(() => test.setVerificationKey(key)).to.throw() }) @@ -401,9 +354,7 @@ describe('decorateDecryptionMaterial', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256 ) - const test: any = decorateDecryptionMaterial({ - suite, - } as any) + const test: any = decorateDecryptionMaterial({ suite } as any) expect(() => test.verificationKey).to.throw() }) }) @@ -423,11 +374,7 @@ describe('decorateWebCryptoMaterial', () => { usages: ['deriveKey'], extractable: false, } - const trace = { - keyNamespace: 'k', - keyName: 'k', - } - test.setCryptoKey(key, trace) + const trace = test.setCryptoKey(key, trace) expect(test.getCryptoKey() === key).to.equal(true) expect(test.hasCryptoKey).to.equal(true) expect(test.hasUnencryptedDataKey).to.equal(false) @@ -448,11 +395,7 @@ describe('decorateWebCryptoMaterial', () => { extractable: false, } const mixedKey: any = { zeroByteCryptoKey: key, nonZeroByteCryptoKey: key } - const trace = { - keyNamespace: 'k', - keyName: 'k', - } - test.setCryptoKey(mixedKey, trace) + const trace = test.setCryptoKey(mixedKey, trace) expect(test.getCryptoKey() !== mixedKey).to.equal(true) expect(test.hasCryptoKey).to.equal(true) expect(test.hasUnencryptedDataKey).to.equal(false) @@ -484,11 +427,7 @@ describe('decorateWebCryptoMaterial', () => { usages: ['deriveKey'], extractable: false, } - const trace = { - keyNamespace: 'k', - keyName: 'k', - } - test.setCryptoKey(key, trace) + const trace = test.setCryptoKey(key, trace) expect(() => test.setCryptoKey(key, trace)).to.throw() }) @@ -528,11 +467,7 @@ describe('decorateWebCryptoMaterial', () => { extractable: true, }, } - const trace = { - keyNamespace: 'k', - keyName: 'k', - } - expect(() => test.setCryptoKey(key, trace)).to.throw() + const trace = expect(() => test.setCryptoKey(key, trace)).to.throw() expect(() => test.setCryptoKey(key1, trace)).to.throw() expect(() => test.setCryptoKey(key2, trace)).to.throw() }) @@ -540,11 +475,7 @@ describe('decorateWebCryptoMaterial', () => { it('Precondition: dataKey must be a supported type.', () => { const test: any = decorateWebCryptoMaterial({} as any) const key: any = {} - const trace = { - keyNamespace: 'k', - keyName: 'k', - } - expect(() => test.setCryptoKey(key, trace)).to.throw() + const trace = expect(() => test.setCryptoKey(key, trace)).to.throw() }) }) diff --git a/modules/material-management/test/multi_keyring.test.ts b/modules/material-management/test/multi_keyring.test.ts index b3252decf..1b64beaed 100644 --- a/modules/material-management/test/multi_keyring.test.ts +++ b/modules/material-management/test/multi_keyring.test.ts @@ -111,7 +111,7 @@ describe('MultiKeyring: onEncrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0] = makeEDKandTraceForEncrypt(0) + const [edk0] = makeEDKForEncrypt(0) const generator = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { return material @@ -141,8 +141,8 @@ describe('MultiKeyring: onEncrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0] = makeEDKandTraceForEncrypt(0) - const [edk1] = makeEDKandTraceForEncrypt(1) + const [edk0] = makeEDKForEncrypt(0) + const [edk1] = makeEDKForEncrypt(1) const generator = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { return material @@ -180,7 +180,7 @@ describe('MultiKeyring: onEncrypt', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const [,] = makeEDKandTraceForEncrypt(0) + const [,] = makeEDKForEncrypt(0) const generator = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { return material @@ -221,7 +221,7 @@ describe('MultiKeyring: onEncrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0] = makeEDKandTraceForEncrypt(0) + const [edk0] = makeEDKForEncrypt(0) const generator = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { return material.addEncryptedDataKey(edk0) @@ -243,7 +243,7 @@ describe('MultiKeyring: onEncrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0] = makeEDKandTraceForEncrypt(0) + const [edk0] = makeEDKForEncrypt(0) const child = keyRingFactory({ async onEncrypt(material: NodeEncryptionMaterial) { return material.addEncryptedDataKey(edk0) @@ -267,7 +267,7 @@ describe('MultiKeyring: onDecrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const generator = keyRingFactory({ @@ -297,7 +297,7 @@ describe('MultiKeyring: onDecrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const child = keyRingFactory({ @@ -327,7 +327,7 @@ describe('MultiKeyring: onDecrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const child = keyRingFactory({ @@ -367,7 +367,7 @@ describe('MultiKeyring: onDecrypt', () => { AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) const unencryptedDataKey = new Uint8Array(suite.keyLengthBytes) - const [edk0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const child = keyRingFactory({ @@ -407,7 +407,7 @@ describe('MultiKeyring: onDecrypt', () => { const suite = new NodeAlgorithmSuite( AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 ) - const [edk0] = makeEDKandTraceForDecrypt(0) + const [edk0] = makeEDKForDecrypt(0) const material = new NodeDecryptionMaterial(suite, {}) const childNotSucceeded = keyRingFactory({ async onDecrypt() { @@ -446,15 +446,15 @@ describe('MultiKeyring: onDecrypt', () => { }) }) -function makeEDKandTraceForEncrypt(num: number): [EncryptedDataKey] { - return makeEDKandTrace(num) +function makeEDKForEncrypt(num: number): [EncryptedDataKey] { + return makeEDK(num) } -function makeEDKandTraceForDecrypt(num: number): [EncryptedDataKey] { - return makeEDKandTrace(num) +function makeEDKForDecrypt(num: number): [EncryptedDataKey] { + return makeEDK(num) } -function makeEDKandTrace(num: number): [EncryptedDataKey] { +function makeEDK(num: number): [EncryptedDataKey] { const providerId = 'providerId' + num const providerInfo = 'providerInfo' + num const encryptedDataKey = new Uint8Array([0, 0, 0]).fill(num) diff --git a/modules/raw-aes-keyring-node/src/raw_aes_keyring_node.ts b/modules/raw-aes-keyring-node/src/raw_aes_keyring_node.ts index fe02b783d..1930884fa 100644 --- a/modules/raw-aes-keyring-node/src/raw_aes_keyring_node.ts +++ b/modules/raw-aes-keyring-node/src/raw_aes_keyring_node.ts @@ -158,7 +158,6 @@ function aesGcmWrapKey( /** * Uses aes-gcm to decrypt the encrypted data key and return the passed NodeDecryptionMaterial with * the unencrypted data key set. - * @param keyNamespace [String] The keyring namespace * @param keyName [String] The keyring name (to extract the extra info stored in providerInfo) * @param material [NodeDecryptionMaterial] The target material to which the decrypted data key will be added * @param wrappingMaterial [NodeRawAesMaterial] The material used to decrypt the EncryptedDataKey From 99710ebf06ad005d16658f5875de986eb296dffa Mon Sep 17 00:00:00 2001 From: seebees Date: Thu, 6 Aug 2020 12:38:34 -0700 Subject: [PATCH 3/4] Better lint --- .../test/cryptographic_material.test.ts | 38 +++++++++---------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/modules/material-management/test/cryptographic_material.test.ts b/modules/material-management/test/cryptographic_material.test.ts index 9daf94d6f..4e179d7cd 100644 --- a/modules/material-management/test/cryptographic_material.test.ts +++ b/modules/material-management/test/cryptographic_material.test.ts @@ -117,11 +117,9 @@ describe('decorateCryptographicMaterial', () => { const test = decorateCryptographicMaterial({ suite } as any) test.zeroUnencryptedDataKey() const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = - // It is very hard to test this perfectly. However, this tests the spirit. - expect(() => - test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) - ).to.throw() + + // It is very hard to test this perfectly. However, this tests the spirit. + expect(() => test.setUnencryptedDataKey(new Uint8Array(dataKey))).to.throw() }) it('Precondition: dataKey must be Binary Data', () => { @@ -138,10 +136,10 @@ describe('decorateCryptographicMaterial', () => { ) const test = decorateCryptographicMaterial({ suite } as any) const dataKey = new Uint8Array(suite.keyLengthBytes).fill(1) - const trace = test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) - expect(() => - test.setUnencryptedDataKey(new Uint8Array(dataKey), trace) - ).to.throw('unencryptedDataKey has already been set') + test.setUnencryptedDataKey(new Uint8Array(dataKey)) + expect(() => test.setUnencryptedDataKey(new Uint8Array(dataKey))).to.throw( + 'unencryptedDataKey has already been set' + ) }) it('Precondition: dataKey should have an ArrayBuffer that *only* stores the key.', () => { @@ -154,9 +152,9 @@ describe('decorateCryptographicMaterial', () => { 5, suite.keyLengthBytes ).fill(1) - const trace = expect(() => - test.setUnencryptedDataKey(dataKey, trace) - ).to.throw('Unencrypted Master Key must be an isolated buffer.') + expect(() => test.setUnencryptedDataKey(dataKey)).to.throw( + 'Unencrypted Master Key must be an isolated buffer.' + ) }) it('Precondition: The unencryptedDataKey must not have been modified.', () => { @@ -374,7 +372,7 @@ describe('decorateWebCryptoMaterial', () => { usages: ['deriveKey'], extractable: false, } - const trace = test.setCryptoKey(key, trace) + test.setCryptoKey(key) expect(test.getCryptoKey() === key).to.equal(true) expect(test.hasCryptoKey).to.equal(true) expect(test.hasUnencryptedDataKey).to.equal(false) @@ -395,7 +393,7 @@ describe('decorateWebCryptoMaterial', () => { extractable: false, } const mixedKey: any = { zeroByteCryptoKey: key, nonZeroByteCryptoKey: key } - const trace = test.setCryptoKey(mixedKey, trace) + test.setCryptoKey(mixedKey) expect(test.getCryptoKey() !== mixedKey).to.equal(true) expect(test.hasCryptoKey).to.equal(true) expect(test.hasUnencryptedDataKey).to.equal(false) @@ -427,8 +425,8 @@ describe('decorateWebCryptoMaterial', () => { usages: ['deriveKey'], extractable: false, } - const trace = test.setCryptoKey(key, trace) - expect(() => test.setCryptoKey(key, trace)).to.throw() + test.setCryptoKey(key) + expect(() => test.setCryptoKey(key)).to.throw() }) it('Precondition: The CryptoKey must match the algorithm suite specification.', () => { @@ -467,15 +465,15 @@ describe('decorateWebCryptoMaterial', () => { extractable: true, }, } - const trace = expect(() => test.setCryptoKey(key, trace)).to.throw() - expect(() => test.setCryptoKey(key1, trace)).to.throw() - expect(() => test.setCryptoKey(key2, trace)).to.throw() + expect(() => test.setCryptoKey(key)).to.throw() + expect(() => test.setCryptoKey(key1)).to.throw() + expect(() => test.setCryptoKey(key2)).to.throw() }) it('Precondition: dataKey must be a supported type.', () => { const test: any = decorateWebCryptoMaterial({} as any) const key: any = {} - const trace = expect(() => test.setCryptoKey(key, trace)).to.throw() + expect(() => test.setCryptoKey(key)).to.throw() }) }) From c5aba56cd1da559722d46ca98a23d59f3ee40dc3 Mon Sep 17 00:00:00 2001 From: seebees Date: Thu, 6 Aug 2020 14:57:07 -0700 Subject: [PATCH 4/4] Fixed --- modules/material-management/test/cryptographic_material.test.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/material-management/test/cryptographic_material.test.ts b/modules/material-management/test/cryptographic_material.test.ts index 4e179d7cd..b89323dea 100644 --- a/modules/material-management/test/cryptographic_material.test.ts +++ b/modules/material-management/test/cryptographic_material.test.ts @@ -202,7 +202,6 @@ describe('decorateEncryptionMaterial', () => { ) const test: any = decorateEncryptionMaterial({ suite, - hasUnencryptedDataKey: true, } as any) const edk = new EncryptedDataKey({ @@ -236,7 +235,6 @@ describe('decorateEncryptionMaterial', () => { }) const test: any = decorateEncryptionMaterial({ suite, - hasUnencryptedDataKey: false, } as any) expect(() => test.addEncryptedDataKey(edk)).to.throw()