fix!: Remove Keyring Trace #402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Aug 6, 2020
Expand Up @@ -17,7 +17,6 @@ import { createHash } from 'crypto'
import {
NodeAlgorithmSuite,
AlgorithmSuiteIdentifier,
KeyringTraceFlag,
EncryptedDataKey,
NodeEncryptionMaterial,
NodeDecryptionMaterial,
Expand Down Expand Up @@ -202,37 +201,22 @@ describe('Cryptographic Material Functions', () => {
15,
16,
])
const encryptTrace = {
keyNamespace: 'keyNamespace',
keyName: 'keyName',
flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
}
const decryptTrace = {
keyNamespace: 'keyNamespace',
keyName: 'keyName',
flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
}

const edk1 = new EncryptedDataKey({
providerId: 'keyNamespace',
providerInfo: 'keyName',
encryptedDataKey: new Uint8Array([1]),
})
const edk2 = new EncryptedDataKey({
providerId: 'p2',
providerInfo: 'pi2',
encryptedDataKey: new Uint8Array([2]),
})

const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
.setUnencryptedDataKey(udk128, encryptTrace)
.addEncryptedDataKey(edk1, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
.addEncryptedDataKey(edk2, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
const encryptionMaterial = new NodeEncryptionMaterial(
nodeSuite,
{}
).setUnencryptedDataKey(udk128)

const decryptionMaterial = new NodeDecryptionMaterial(
nodeSuite,
{}
).setUnencryptedDataKey(udk128, decryptTrace)
).setUnencryptedDataKey(udk128)

const context = {}

Expand Down Expand Up @@ -392,11 +376,6 @@ describe('Cryptographic Material Functions', () => {
15,
16,
])
const encryptTrace = {
keyNamespace: 'keyNamespace',
keyName: 'keyName',
flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
}

const edk1 = new EncryptedDataKey({
providerId: 'keyNamespace',
Expand All @@ -410,15 +389,9 @@ describe('Cryptographic Material Functions', () => {
})

const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
.setUnencryptedDataKey(udk128, encryptTrace)
.addEncryptedDataKey(
edk1,
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
)
.addEncryptedDataKey(
edk2,
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
)
.setUnencryptedDataKey(udk128)
.addEncryptedDataKey(edk1)
.addEncryptedDataKey(edk2)

const testCMM = {
_partition,
Expand Down Expand Up @@ -482,11 +455,6 @@ describe('Cryptographic Material Functions', () => {
15,
16,
])
const encryptTrace = {
keyNamespace: 'keyNamespace',
keyName: 'keyName',
flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
}

const edk1 = new EncryptedDataKey({
providerId: 'keyNamespace',
Expand All @@ -500,15 +468,9 @@ describe('Cryptographic Material Functions', () => {
})

const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
.setUnencryptedDataKey(udk128, encryptTrace)
.addEncryptedDataKey(
edk1,
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
)
.addEncryptedDataKey(
edk2,
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
)
.setUnencryptedDataKey(udk128)
.addEncryptedDataKey(edk1)
.addEncryptedDataKey(edk2)

const testCMM = {
_partition,
8 changes: 1 addition & 7 deletions modules/decrypt-browser/test/fixtures.ts
Expand Up @@ -7,7 +7,6 @@ import {
WebCryptoDecryptionMaterial,
WebCryptoEncryptionMaterial,
KeyringWebCrypto,
KeyringTraceFlag,
importForWebCryptoDecryptionMaterial,
} from '@aws-crypto/material-management-browser'

Expand Down Expand Up @@ -6359,13 +6358,8 @@ class TestKeyring extends KeyringWebCrypto {
const unencryptedDataKey = new Uint8Array(
material.suite.keyLengthBytes
).fill(0)
const trace = {
keyNamespace: 'k',
keyName: 'k',
flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
}
return importForWebCryptoDecryptionMaterial(
material.setUnencryptedDataKey(unencryptedDataKey, trace)
material.setUnencryptedDataKey(unencryptedDataKey)
)
}
}
9 changes: 2 additions & 7 deletions modules/decrypt-node/test/fixtures.ts
Expand Up @@ -7,7 +7,6 @@ import {
NodeDecryptionMaterial,
NodeEncryptionMaterial,
KeyringNode,
KeyringTraceFlag,
} from '@aws-crypto/material-management-node'

export function base64CiphertextAlgAes256GcmIv12Tag16HkdfSha384EcdsaP384() {
Expand Down Expand Up @@ -71,12 +70,8 @@ export function decryptKeyring() {
const unencryptedDataKey = new Uint8Array(
material.suite.keyLengthBytes
).fill(0)
const trace = {
keyNamespace: 'k',
keyName: 'k',
flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
}
return material.setUnencryptedDataKey(unencryptedDataKey, trace)

return material.setUnencryptedDataKey(unencryptedDataKey)
}
}

14 changes: 3 additions & 11 deletions modules/encrypt-browser/test/encrypt.test.ts
Expand Up @@ -10,7 +10,6 @@ import {
WebCryptoEncryptionMaterial,
KeyringWebCrypto,
EncryptedDataKey,
KeyringTraceFlag,
WebCryptoAlgorithmSuite,
importForWebCryptoEncryptionMaterial,
} from '@aws-crypto/material-management-browser'
Expand Down Expand Up @@ -50,17 +49,10 @@ describe('encrypt structural testing', () => {
const unencryptedDataKey = new Uint8Array(
material.suite.keyLengthBytes
).fill(0)
const trace = {
keyNamespace: 'k',
keyName: 'k',
flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
}

material
.setUnencryptedDataKey(unencryptedDataKey, trace)
.addEncryptedDataKey(
edk,
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
)
.setUnencryptedDataKey(unencryptedDataKey)
.addEncryptedDataKey(edk)
return importForWebCryptoEncryptionMaterial(material)
}
async _onDecrypt(): Promise<WebCryptoDecryptionMaterial> {
14 changes: 3 additions & 11 deletions modules/encrypt-node/test/encrypt.test.ts
Expand Up @@ -10,7 +10,6 @@ import {
NodeEncryptionMaterial,
KeyringNode,
EncryptedDataKey,
KeyringTraceFlag,
AlgorithmSuiteIdentifier,
NodeAlgorithmSuite,
} from '@aws-crypto/material-management-node'
Expand Down Expand Up @@ -56,17 +55,10 @@ describe('encrypt structural testing', () => {
const unencryptedDataKey = new Uint8Array(
material.suite.keyLengthBytes
).fill(0)
const trace = {
keyNamespace: 'k',
keyName: 'k',
flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
}

return material
.setUnencryptedDataKey(unencryptedDataKey, trace)
.addEncryptedDataKey(
edk,
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
)
.setUnencryptedDataKey(unencryptedDataKey)
.addEncryptedDataKey(edk)
}
async _onDecrypt(): Promise<NodeDecryptionMaterial> {
throw new Error('I should never see this error')
39 changes: 4 additions & 35 deletions modules/kms-keyring/src/kms_keyring.ts
Expand Up @@ -9,8 +9,6 @@ import {
EncryptionMaterial,
DecryptionMaterial,
SupportedAlgorithmSuites,
KeyringTrace,
KeyringTraceFlag,
EncryptedDataKey,
immutableClass,
readOnlyProperty,
Expand Down Expand Up @@ -136,26 +134,12 @@ export function KmsKeyringClass<
if (!dataKey)
throw new Error('Generator KMS key did not generate a data key')

const flags =
KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY |
KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX |
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
const trace: KeyringTrace = {
keyNamespace: KMS_PROVIDER_ID,
keyName: dataKey.KeyId,
flags,
}

material
/* Postcondition: The generated unencryptedDataKey length must match the algorithm specification.
* See cryptographic_materials as setUnencryptedDataKey will throw in this case.
*/
.setUnencryptedDataKey(dataKey.Plaintext, trace)
.addEncryptedDataKey(
kmsResponseToEncryptedDataKey(dataKey),
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY |
KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX
)
.setUnencryptedDataKey(dataKey.Plaintext)
.addEncryptedDataKey(kmsResponseToEncryptedDataKey(dataKey))
} else if (generatorKeyId) {
keyIds.unshift(generatorKeyId)
}
Expand All @@ -166,9 +150,6 @@ export function KmsKeyringClass<
*/
const unencryptedDataKey = unwrapDataKey(material.getUnencryptedDataKey())

const flags =
KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY |
KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX
for (const kmsKey of keyIds) {
const kmsEDK = await encrypt(
clientProvider,
Expand All @@ -180,10 +161,7 @@ export function KmsKeyringClass<

/* clientProvider may not return a client, in this case there is not an EDK to add */
if (kmsEDK)
material.addEncryptedDataKey(
kmsResponseToEncryptedDataKey(kmsEDK),
flags
)
material.addEncryptedDataKey(kmsResponseToEncryptedDataKey(kmsEDK))
}

return material
Expand Down Expand Up @@ -241,19 +219,10 @@ export function KmsKeyringClass<
'KMS Decryption key does not match serialized provider.'
)

const flags =
KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY |
KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
const trace: KeyringTrace = {
keyNamespace: KMS_PROVIDER_ID,
keyName: dataKey.KeyId,
flags,
}

/* Postcondition: The decrypted unencryptedDataKey length must match the algorithm specification.
* See cryptographic_materials as setUnencryptedDataKey will throw in this case.
*/
material.setUnencryptedDataKey(dataKey.Plaintext, trace)
material.setUnencryptedDataKey(dataKey.Plaintext)
return material
}

Expand Down
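Review bot: In the `_onDecrypt` hunk (`@@ -241,19 +219,10 @@`) the flags `WRAPPING_KEY_DECRYPTED_DATA_KEY | WRAPPING_KEY_VERIFIED_ENC_CTX` that were attached to the material are dropped, and nothing in the new code states where a consumer should now look for the identity of the KMS key that unwrapped the data key or for the fact that KMS verified the encryption context; the same applies to the `_onEncrypt` hunks at `@@ -136,26 +134,12 @@` and `@@ -180,10 +161,7 @@`. The retained guard `'KMS Decryption key does not match serialized provider.'` still pins `dataKey.KeyId` to the serialized EDK, which is the security-relevant check, but that relationship is now implicit. Since the title marks this `fix!` as breaking, a short comment above `material.setUnencryptedDataKey(dataKey.Plaintext)` such as `/* No keyring trace is recorded; the KMS KeyId that unwrapped the data key is the one matched against the EDK's provider info above. */` would document the contract for readers who previously read `material.keyringTrace`. The enclosing `KmsKeyringClass` body starts and ends outside these hunks.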
25 changes: 0 additions & 25 deletions modules/kms-keyring/test/kms_keyring.ondecrypt.test.ts
Expand Up @@ -9,7 +9,6 @@ import { KmsKeyringClass, KeyRingConstructible } from '../src/kms_keyring'
import {
NodeAlgorithmSuite,
AlgorithmSuiteIdentifier,
KeyringTraceFlag,
NodeDecryptionMaterial,
EncryptedDataKey,
Keyring,
Expand Down Expand Up @@ -68,17 +67,6 @@ describe('KmsKeyring: _onDecrypt', () => {
)

expect(material.hasUnencryptedDataKey).to.equal(true)

expect(material.keyringTrace).to.have.lengthOf(1)
const [traceDecrypt] = material.keyringTrace
expect(traceDecrypt.keyNamespace).to.equal('aws-kms')
expect(traceDecrypt.keyName).to.equal(generatorKeyId)
expect(
traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY
).to.equal(KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY)
expect(
traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
).to.equal(KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX)
})

it('discovery keyring should return material', async () => {
Expand Down Expand Up @@ -128,17 +116,6 @@ describe('KmsKeyring: _onDecrypt', () => {
)

expect(material.hasUnencryptedDataKey).to.equal(true)

expect(material.keyringTrace).to.have.lengthOf(1)
const [traceDecrypt] = material.keyringTrace
expect(traceDecrypt.keyNamespace).to.equal('aws-kms')
expect(traceDecrypt.keyName).to.equal(generatorKeyId)
expect(
traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY
).to.equal(KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY)
expect(
traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
).to.equal(KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX)
})

it('decrypt errors should not halt', async () => {
Expand Down Expand Up @@ -193,7 +170,6 @@ describe('KmsKeyring: _onDecrypt', () => {
)

expect(material.hasUnencryptedDataKey).to.equal(true)
expect(material.keyringTrace).to.have.lengthOf(1)
})

it('Check for early return (Postcondition): clientProvider may not return a client.', async () => {
Expand Down Expand Up @@ -232,7 +208,6 @@ describe('KmsKeyring: _onDecrypt', () => {
)

expect(material.hasUnencryptedDataKey).to.equal(false)
expect(material.keyringTrace).to.have.lengthOf(0)
})

it('Postcondition: The KeyId from KMS must match the encoded KeyID.', async () => {
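Review bot: The assertions removed in the first two hunks (`expect(traceDecrypt.keyName).to.equal(generatorKeyId)` and the `WRAPPING_KEY_DECRYPTED_DATA_KEY` / `WRAPPING_KEY_VERIFIED_ENC_CTX` flag checks) were the only checks in those cases that tied the returned material to `generatorKeyId` under the `aws-kms` namespace; the surviving `expect(material.hasUnencryptedDataKey).to.equal(true)` passes for material unwrapped by any key. Since the trace is gone, that coverage could be restored by asserting on what is still observable, for example comparing `material.getUnencryptedDataKey()` with the plaintext the mocked KMS client returns, or, if the mock records its call arguments, asserting the `KeyId` it was invoked with; I cannot see the mock's shape from this page, so which of these applies needs confirming. The `keyringTrace` length checks deleted in the last two hunks likewise have no replacement, though for the `hasUnencryptedDataKey` false case the remaining assertion is sufficient.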