feat(node): support node v16 (#741)

Regenerated the Package lock with Node 16, NPM 8.
Added CI testing for Node 16.
Encapsulated Crypto's Sign(er) and Verify to prevent breaking changes.
Implemented and used Catchable to catch unkown.
TS upgrade introduced TS bug when recognizing arguments to
SubtleCrypto's ImportKey. Introduced function and note to help it
resolve the issue.

Co-authored-by: seebees <[email protected]>

Author: texastony

buildspec.yml

@@ -9,14 +9,24 @@ batch:
         image: aws/codebuild/standard:5.0
     - identifier: testNodejs12
       buildspec: codebuild/nodejs12.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testNodejs14
       buildspec: codebuild/nodejs14.yml
       env:
         image: aws/codebuild/standard:5.0
+    - identifier: testNodejs16
+      buildspec: codebuild/nodejs16.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testBrowser
       buildspec: codebuild/browser.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: compliance
       buildspec: codebuild/compliance.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testVectorsNodejsLatest
       buildspec: codebuild/test_vectors/nodejs_latest.yml
       env:
@@ -25,10 +35,16 @@ batch:
         image: aws/codebuild/standard:5.0
     - identifier: testVectorsNodejs12
       buildspec: codebuild/test_vectors/nodejs12.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testVectorsNodejs14
       buildspec: codebuild/test_vectors/nodejs14.yml
       env:
         image: aws/codebuild/standard:5.0
+    - identifier: testVectorsNodejs16
+      buildspec: codebuild/test_vectors/nodejs16.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testVectorsBrowser
       buildspec: codebuild/test_vectors/browser.yml
       env:

codebuild/nodejs16.yml

@@ -0,0 +1,19 @@
+version: 0.2
+
+env:
+  variables:
+    NODE_OPTIONS: "--max-old-space-size=4096"
+
+phases:
+  install:
+    commands:
+      - n 16
+      - node -v
+      - npm -v
+      - npm ci --unsafe-perm
+      - npm run build
+  build:
+    commands:
+      - npm -v
+      - node -v
+      - npm run coverage-node

codebuild/test_vectors/nodejs16.yml

@@ -0,0 +1,22 @@
+version: 0.2
+
+env:
+  variables:
+    NODE_OPTIONS: "--max-old-space-size=4096"
+    NPM_CONFIG_UNSAFE_PERM: true
+
+phases:
+  install:
+    commands:
+      - n 16
+      - node -v
+      - npm -v
+      - npm ci --unsafe-perm
+      - npm run build
+  build:
+    commands:
+      - npm -v
+      - node -v
+      - npm run verdaccio-publish
+      - npm run verdaccio-node-decrypt
+      - npm run verdaccio-node-encrypt

modules/decrypt-node/src/verify_stream.ts

@@ -80,9 +80,9 @@ export class VerifyStream extends PortableTransformWithType {
         if (verify) {
           const { rawHeader, headerAuth, messageHeader } = headerInfo
           const { headerIv, headerAuthTag } = headerAuth
-          verify.update(rawHeader)
+          verify.update(<Buffer>rawHeader)
           verify.update(
-            serializeMessageHeaderAuth({
+            <Buffer>serializeMessageHeaderAuth({
               headerIv,
               headerAuthTag,
               messageHeader,
@@ -263,7 +263,7 @@ export class VerifyStream extends PortableTransformWithType {
     return super.push(chunk, encoding)
   }
 
-  _flush(callback: (err?: Error) => void) {
+  _flush(callback: (err?: Error | any | unknown) => void) {
     const { finalAuthTagReceived } = this._verifyState
     /* Precondition: All ciphertext MUST have been received.
      * The verify stream has ended,

modules/example-browser/package.json

@@ -34,12 +34,12 @@
     "karma-chrome-launcher": "^3.1.0",
     "karma-coverage-istanbul-reporter": "^3.0.3",
     "karma-mocha": "2.0.1",
-    "karma-webpack": "^4.0.2",
+    "karma-webpack": "^5.0.0",
     "ts-loader": "9.2.5",
     "ts-node": "^10.2.1",
     "tslib": "^2.2.0",
     "typescript": "^4.0.2",
-    "webpack": "^4.42.1",
+    "webpack": "^5.42.0",
     "webpack-cli": "4.6.0"
   },
   "main": "./build/main/src/index.js",

modules/integration-browser/src/integration.encrypt.test.ts

@@ -59,8 +59,15 @@ function aTest(testName: string, decryptOracle: string) {
       const body = await response.arrayBuffer()
       needs(response.ok, `Failed to decrypt: ${toUtf8(body)}`)
       expect(plainText).toEqual(new Uint8Array(body))
-    } catch (e) {
-      if (!notSupportedMessages.includes(e.message)) throw e
+    } catch (err) {
+      needs(
+        err instanceof Error,
+        `Thrown object must be an error but was ${typeof err}`
+      )
+      needs(
+        notSupportedMessages.includes(err.message),
+        `Error message should be in notSupportedMessages but was ${err.message}`
+      )
     }
   })
 }

modules/integration-browser/src/testDecryptFixture.ts

@@ -6,6 +6,7 @@ import {
   MultiKeyringWebCrypto,
   WebCryptoMaterialsManager,
   DecryptResult,
+  needs,
 } from '@aws-crypto/client-browser'
 import {
   DecryptionFixture,
@@ -69,14 +70,17 @@ export async function testPositiveDecryptFixture(
     ) {
       return { result: true, name }
     }
-    // noinspection ExceptionCaughtLocallyJS
+    /* If the actual plaintext does not match the expected plaintext,*/
     throw new Error(
       expectedNotActualPlaintextMessage +
         `\n expected plaintext: ${expectedPlainText}` +
         `\n actual plaintext: ${decryptResult.plaintext}`
     )
   } catch (err) {
+    /* it FAILED with err.message as expectedNotActualPlaintextMessage */
     return { result: false, name, err }
+    //By catching the err and returning it above, we also satisfy:
+    /* If the decryption is NOT supported,  FAILED with err.message in notSupportedDecryptMessages */
   }
 }
 
@@ -96,10 +100,18 @@ export async function testNegativeDecryptFixture(
     const cmm = await _getCmm(keyInfos)
     decryptResult = await _decrypt(cmm, cipher)
   } catch (err) {
-    if (notSupportedDecryptMessages.includes(err.message))
+    needs(
+      err instanceof Error,
+      `Thrown object must be an error but was ${typeof err}`
+    )
+    if (notSupportedDecryptMessages.includes(err.message)) {
+      /* If the decryption is NOT supported,  FAILED with err.message in notSupportedDecryptMessages */
       return { result: false, name, err: err }
+    }
+    /* If it is a negative test, and it throws an error outside of notSupportedDecryptMessages, it PASSED.*/
     return { result: true, name }
   }
+  /* If it is a negative test, and it does not throw an error, it FAILED */
   return {
     result: false,
     name,

modules/integration-node/package.json

@@ -20,11 +20,11 @@
     "@aws-crypto/integration-vectors": "file:../integration-vectors",
     "@types/got": "^9.6.9",
     "@types/stream-to-promise": "^2.2.0",
-    "@types/yargs": "^15.0.3",
+    "@types/yargs": "^17.0.1",
     "got": "^11.8.0",
     "stream-to-promise": "^3.0.0",
     "tslib": "^2.3.0",
-    "yargs": "^17.1.0"
+    "yargs": "^17.0.1"
   },
   "sideEffects": false,
   "main": "./build/main/src/index.js",

modules/integration-node/src/cli.ts

@@ -80,7 +80,7 @@ const cli = yargs
     tolerateFailures,
     testName,
     concurrency,
-  } = argv
+  } = await argv
   /* I set the result to 1 so that if I fall through the exit condition is a failure */
   let result = 1
   if (command === 'decrypt') {

modules/integration-node/src/decrypt_materials_manager_node.ts

@@ -2,29 +2,29 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import {
-  needs,
+  buildAwsKmsMrkAwareDiscoveryMultiKeyringNode,
+  buildAwsKmsMrkAwareStrictMultiKeyringNode,
   KeyringNode,
-  MultiKeyringNode,
   KmsKeyringNode,
+  MultiKeyringNode,
+  needs,
+  oaepHashSupported,
   RawAesKeyringNode,
-  WrappingSuiteIdentifier,
   RawAesWrappingSuiteIdentifier,
   RawRsaKeyringNode,
-  oaepHashSupported,
-  buildAwsKmsMrkAwareStrictMultiKeyringNode,
-  buildAwsKmsMrkAwareDiscoveryMultiKeyringNode,
+  WrappingSuiteIdentifier,
 } from '@aws-crypto/client-node'
 import {
-  RsaKeyInfo,
+  AESKey,
   AesKeyInfo,
+  buildGetKeyring,
+  KeyInfoTuple,
+  KMSKey,
   KmsKeyInfo,
-  KmsMrkAwareKeyInfo,
   KmsMrkAwareDiscoveryKeyInfo,
+  KmsMrkAwareKeyInfo,
   RSAKey,
-  AESKey,
-  KMSKey,
-  KeyInfoTuple,
-  buildGetKeyring,
+  RsaKeyInfo,
 } from '@aws-crypto/integration-vectors'
 import { constants } from 'crypto'
 
@@ -117,12 +117,3 @@ export function rsaPadding(keyInfo: RsaKeyInfo) {
   needs(oaepHashSupported || oaepHash === 'sha1', 'Not supported at this time.')
   return { padding, oaepHash }
 }
-
-export class NotSupported extends Error {
-  code: string
-  constructor(message?: string) {
-    super(message)
-    Object.setPrototypeOf(this, NotSupported.prototype)
-    this.code = 'NOT_SUPPORTED'
-  }
-}

modules/integration-vectors/src/types.ts

@@ -61,7 +61,7 @@ export interface TestVectorResult {
   name: string
   result: boolean
   description?: string
-  err?: Error
+  err?: Error | string | any
 }
 
 export interface StreamEntry extends Entry {

modules/kms-keyring/src/kms_keyring.ts

@@ -16,6 +16,7 @@ import {
   readOnlyProperty,
   unwrapDataKey,
   Newable,
+  Catchable,
 } from '@aws-crypto/material-management'
 import {
   KMS_PROVIDER_ID,
@@ -243,7 +244,7 @@ export function KmsKeyringClass<
        */
       const decryptableEDKs = encryptedDataKeys.filter(filterEDKs(keyIds, this))
 
-      const cmkErrors: Error[] = []
+      const cmkErrors: Catchable[] = []
 
       for (const edk of decryptableEDKs) {
         let dataKey: RequiredDecryptResponse | false = false
@@ -259,7 +260,7 @@ export function KmsKeyringClass<
            * If the caller does not have access they may have access
            * through another Keyring.
            */
-          cmkErrors.push(e)
+          cmkErrors.push({ errPlus: e })
         }
 
         /* Check for early return (Postcondition): clientProvider may not return a client. */
@@ -300,7 +301,7 @@ export function KmsKeyringClass<
         material.hasValidKey() ||
           (!material.hasValidKey() && !cmkErrors.length),
         cmkErrors.reduce(
-          (m, e, i) => `${m} Error #${i + 1} \n ${e.stack} \n`,
+          (m, e, i) => `${m} Error #${i + 1} \n ${e.errPlus.stack} \n`,
           'Unable to decrypt data key and one or more KMS CMKs had an error. \n '
         )
       )

modules/kms-keyring/src/kms_mrk_discovery_keyring.ts

@@ -13,6 +13,7 @@ import {
   readOnlyProperty,
   SupportedAlgorithmSuites,
   Newable,
+  Catchable,
 } from '@aws-crypto/material-management'
 import {
   constructArnInOtherRegion,
@@ -170,7 +171,7 @@ export function AwsKmsMrkAwareSymmetricDiscoveryKeyringClass<
       //# The set of encrypted data keys MUST first be filtered to match this
       //# keyring's configuration.
       const decryptableEDKs = encryptedDataKeys.filter(filterEDKs(this))
-      const cmkErrors: Error[] = []
+      const cmkErrors: Catchable[] = []
 
       //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-region-discovery-keyring.txt#2.8
       //# For each encrypted data key in the filtered set, one at a time, the
@@ -253,7 +254,7 @@ export function AwsKmsMrkAwareSymmetricDiscoveryKeyringClass<
           //# If the response does not satisfies these requirements then an error
           //# is collected and the next encrypted data key in the filtered set MUST
           //# be attempted.
-          cmkErrors.push(e)
+          cmkErrors.push({ errPlus: e })
         }
       }
       //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-region-discovery-keyring.txt#2.8
@@ -266,7 +267,7 @@ export function AwsKmsMrkAwareSymmetricDiscoveryKeyringClass<
           `Unable to decrypt data key${
             !decryptableEDKs.length ? ': No EDKs supplied' : ''
           }.`,
-          ...cmkErrors.map((e, i) => `Error #${i + 1}  \n${e.stack}`),
+          ...cmkErrors.map((e, i) => `Error #${i + 1}  \n${e.errPlus.stack}`),
         ].join('\n')
       )
       return material

modules/kms-keyring/src/kms_mrk_keyring.ts

@@ -15,6 +15,7 @@ import {
   readOnlyProperty,
   unwrapDataKey,
   Newable,
+  Catchable,
 } from '@aws-crypto/material-management'
 import {
   KMS_PROVIDER_ID,
@@ -274,7 +275,7 @@ export function AwsKmsMrkAwareSymmetricKeyringClass<
       //# keyring's configuration.
       const decryptableEDKs = encryptedDataKeys.filter(filterEDKs(keyId))
 
-      const cmkErrors: Error[] = []
+      const cmkErrors: Catchable[] = []
 
       //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8
       //# For each encrypted data key in the filtered set, one at a time, the
@@ -344,7 +345,7 @@ export function AwsKmsMrkAwareSymmetricKeyringClass<
           //# If the response does not satisfies these requirements then an error
           //# MUST be collected and the next encrypted data key in the filtered set
           //# MUST be attempted.
-          cmkErrors.push(e)
+          cmkErrors.push({ errPlus: e })
         }
       }
 
@@ -358,7 +359,7 @@ export function AwsKmsMrkAwareSymmetricKeyringClass<
           `Unable to decrypt data key${
             !decryptableEDKs.length ? ': No EDKs supplied' : ''
           }.`,
-          ...cmkErrors.map((e, i) => `Error #${i + 1}  \n${e.stack}`),
+          ...cmkErrors.map((e, i) => `Error #${i + 1}  \n${e.errPlus.stack}`),
         ].join('\n')
       )
 

modules/material-management-node/src/index.ts

@@ -22,6 +22,7 @@ export {
   KeyringTrace,
   KeyringTraceFlag,
   needs,
+  NotSupported,
   KeyringNode,
   MultiKeyringNode,
   immutableBaseClass,

modules/material-management-node/src/material_helpers.ts

@@ -11,8 +11,6 @@ import {
   NodeHash,
 } from '@aws-crypto/material-management'
 import {
-  Signer,
-  Verify,
   createCipheriv,
   createDecipheriv,
   createSign,
@@ -21,6 +19,7 @@ import {
 } from 'crypto'
 import { HKDF } from '@aws-crypto/hkdf-node'
 import { kdfInfo, kdfCommitKeyInfo } from '@aws-crypto/serialize'
+import { AwsESDKSigner, AwsESDKVerify } from './types'
 
 export interface AwsEsdkJsCipherGCM {
   update(data: Buffer): Buffer
@@ -55,7 +54,7 @@ export interface GetCipherInfo {
 }
 
 export interface GetSigner {
-  (): Signer & { awsCryptoSign: () => Buffer }
+  (): AwsESDKSigner & { awsCryptoSign: () => Buffer }
 }
 
 export interface NodeEncryptionMaterialHelper {
@@ -128,7 +127,7 @@ export interface GetDecipherInfo {
 }
 
 export interface GetVerify {
-  (): Verify & { awsCryptoVerify: (signature: Buffer) => boolean }
+  (): AwsESDKVerify & { awsCryptoVerify: (signature: Buffer) => boolean }
 }
 
 export interface NodeDecryptionMaterialHelper {

modules/material-management-node/src/types.ts

@@ -0,0 +1,16 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import * as stream from 'stream'
+
+// noinspection JSAnnotator
+export interface AwsESDKSigner extends stream.Writable {
+  update(data: Buffer): AwsESDKSigner
+  sign(privateKey: string): Buffer
+}
+
+// noinspection JSAnnotator
+export interface AwsESDKVerify extends stream.Writable {
+  update(data: Buffer): AwsESDKVerify
+  verify(publicKey: string, signature: Buffer): boolean
+}

modules/material-management-node/test/material_helpers.test.ts

@@ -429,7 +429,7 @@ describe('getEncryptHelper', () => {
 
     const signer = helper.getSigner()
     expect(signer).to.haveOwnProperty('awsCryptoSign').and.to.be.a('function')
-    signer.update('data')
+    signer.update(Buffer.from('data'))
     const sig = signer.awsCryptoSign()
     expect(sig).instanceOf(Buffer)
   })
@@ -564,7 +564,7 @@ describe('getDecryptionHelper', () => {
 
     const verify = helper.getVerify()
     expect(verify).to.haveOwnProperty('awsCryptoVerify').and.to.be.a('function')
-    verify.update('data')
+    verify.update(Buffer.from('data'))
     const isValid = verify.awsCryptoVerify(Buffer.alloc(5))
     expect(isValid).to.equal(false)
   })

modules/material-management/src/error.ts

@@ -0,0 +1,11 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+export class NotSupported extends Error {
+  code: string
+
+  constructor(message?: string) {
+    super(message)
+    Object.setPrototypeOf(this, NotSupported.prototype)
+    this.code = 'NOT_SUPPORTED'
+  }
+}

modules/material-management/src/index.ts

@@ -80,3 +80,4 @@ export { needs } from './needs'
 export { cloneMaterial } from './clone_cryptographic_material'
 
 export * from './types'
+export { NotSupported } from './error'

modules/material-management/src/multi_keyring.ts

@@ -7,6 +7,7 @@ import {
   SupportedAlgorithmSuites,
   EncryptionMaterial,
   DecryptionMaterial,
+  Catchable,
 } from './types'
 import { needs } from './needs'
 import { EncryptedDataKey } from './encrypted_data_key'
@@ -119,7 +120,7 @@ function buildPrivateOnDecrypt<S extends SupportedAlgorithmSuites>() {
     const children = this.children.slice()
     if (this.generator) children.unshift(this.generator)
 
-    const childKeyringErrors: Error[] = []
+    const childKeyringErrors: Catchable[] = []
 
     for (const keyring of children) {
       /* Check for early return (Postcondition): Do not attempt to decrypt once I have a valid key. */
@@ -132,7 +133,7 @@ function buildPrivateOnDecrypt<S extends SupportedAlgorithmSuites>() {
          * If the caller does not have access they may have access
          * through another Keyring.
          */
-        childKeyringErrors.push(e)
+        childKeyringErrors.push({ errPlus: e })
       }
     }
 
@@ -149,7 +150,7 @@ function buildPrivateOnDecrypt<S extends SupportedAlgorithmSuites>() {
       material.hasValidKey() ||
         (!material.hasValidKey() && !childKeyringErrors.length),
       childKeyringErrors.reduce(
-        (m, e, i) => `${m} Error #${i + 1} \n ${e.stack} \n`,
+        (m, e, i) => `${m} Error #${i + 1} \n ${e.errPlus.stack} \n`,
         'Unable to decrypt data key and one or more child keyrings had an error. \n '
       )
     )

modules/material-management/src/node_algorithms.ts

@@ -226,9 +226,9 @@ const nodeAlgAes256GcmHkdfSha512CommittingEcdsaP384: NodeAlgCommittedSigned = {
   saltLengthBytes: 32,
 }
 
-type NodeAlgorithms = Readonly<
-  { [id in AlgorithmSuiteIdentifier]: NodeAlgUnion }
->
+type NodeAlgorithms = Readonly<{
+  [id in AlgorithmSuiteIdentifier]: NodeAlgUnion
+}>
 const nodeAlgorithms: NodeAlgorithms = Object.freeze({
   [AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16]: Object.freeze(
     nodeAlgAes128GcmIv12Tag16

modules/material-management/src/types.ts

@@ -5,10 +5,10 @@ import { NodeAlgorithmSuite } from './node_algorithms'
 import { WebCryptoAlgorithmSuite } from './web_crypto_algorithms'
 import { EncryptedDataKey } from './encrypted_data_key'
 import {
-  NodeEncryptionMaterial,
-  WebCryptoEncryptionMaterial,
   NodeDecryptionMaterial,
+  NodeEncryptionMaterial,
   WebCryptoDecryptionMaterial,
+  WebCryptoEncryptionMaterial,
 } from './cryptographic_material'
 import { CommitmentPolicy } from './algorithm_suites'
 
@@ -156,3 +156,7 @@ export interface AwsEsdkAsymmetricKeyDetails {
    */
   namedCurve?: string
 }
+
+export interface Catchable {
+  errPlus?: Error | string | any
+}

modules/material-management/src/web_crypto_algorithms.ts

@@ -233,9 +233,9 @@ const webCryptoAlgAes256GcmHkdfSha512CommittingEcdsaP384: WebCryptoAlgCommittedS
     saltLengthBytes: 32,
   }
 
-type WebCryptoAlgorithms = Readonly<
-  { [id in AlgorithmSuiteIdentifier]: WebCryptoAlgUnion }
->
+type WebCryptoAlgorithms = Readonly<{
+  [id in AlgorithmSuiteIdentifier]: WebCryptoAlgUnion
+}>
 const webCryptoAlgorithms: WebCryptoAlgorithms = Object.freeze({
   [AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16]: Object.freeze(
     webCryptoAlgAes128GcmIv12Tag16
@@ -279,9 +279,9 @@ type WebCryptoAlgorithmSuiteIdentifier = Exclude<
   >,
   AlgorithmSuiteIdentifier.ALG_AES192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384
 >
-type SupportedWebCryptoAlgorithms = Readonly<
-  { [id in WebCryptoAlgorithmSuiteIdentifier]: WebCryptoAlgUnion }
->
+type SupportedWebCryptoAlgorithms = Readonly<{
+  [id in WebCryptoAlgorithmSuiteIdentifier]: WebCryptoAlgUnion
+}>
 const supportedWebCryptoAlgorithms: SupportedWebCryptoAlgorithms =
   Object.freeze({
     [AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16]: Object.freeze(

modules/raw-rsa-keyring-browser/src/get_import_options.ts

@@ -64,7 +64,17 @@ const RsaPaddingMap: {
   [RsaPadding.OAEP_SHA512_MFG1]: OAEP_SHA512_MFG1,
 })
 
-export function getImportOptions(keyInfo: RsaImportableKey) {
+export function getImportOptions(keyInfo: RsaImportableKey):
+  | {
+      format: 'jwk'
+      wrappingAlgorithm: RsaWrappingKeyAlgorithm
+      key: RsaJsonWebKey
+    }
+  | {
+      format: 'raw' | 'pkcs8' | 'spki'
+      wrappingAlgorithm: RsaWrappingKeyAlgorithm
+      key: Uint8Array
+    } {
   const { alg } = keyInfo as RsaJsonWebKey
   const { padding } = keyInfo as BinaryKey
   if (JsonWebKeyMap[alg]) {

modules/raw-rsa-keyring-browser/src/raw_rsa_keyring_web_crypto.ts

@@ -39,6 +39,7 @@ import {
   flattenMixedCryptoKey,
 } from './get_import_options'
 
+// noinspection TypeScriptValidateTypes
 export class RawRsaKeyringWebCrypto extends KeyringWebCrypto {
   public declare keyNamespace: string
   public declare keyName: string
@@ -190,38 +191,25 @@ export class RawRsaKeyringWebCrypto extends KeyringWebCrypto {
   static async importPublicKey(
     publicKey: RsaImportableKey
   ): Promise<AwsEsdkJsCryptoKey> {
-    const { wrappingAlgorithm, format, key } = getImportOptions(publicKey)
+    const op = getImportOptions(publicKey)
     const backend = await getWebCryptoBackend()
     const subtle = getNonZeroByteBackend(backend)
-    return subtle.importKey(format, key, wrappingAlgorithm, false, ['wrapKey'])
+
+    return ImportKeyTypeOverload(op, subtle, ['wrapKey'])
   }
 
   static async importPrivateKey(
     privateKey: RsaImportableKey
   ): Promise<AwsEsdkJsCryptoKey | MixedBackendCryptoKey> {
-    const { wrappingAlgorithm, format, key } = getImportOptions(privateKey)
+    const op = getImportOptions(privateKey)
     const backend = await getWebCryptoBackend()
 
     if (isFullSupportWebCryptoBackend(backend)) {
-      return backend.subtle.importKey(format, key, wrappingAlgorithm, false, [
-        'unwrapKey',
-      ])
+      return ImportKeyTypeOverload(op, backend.subtle, ['unwrapKey'])
     } else {
       return Promise.all([
-        backend.nonZeroByteSubtle.importKey(
-          format,
-          key,
-          wrappingAlgorithm,
-          false,
-          ['unwrapKey']
-        ),
-        backend.zeroByteSubtle.importKey(
-          format,
-          key,
-          wrappingAlgorithm,
-          false,
-          ['unwrapKey']
-        ),
+        ImportKeyTypeOverload(op, backend.nonZeroByteSubtle, ['unwrapKey']),
+        ImportKeyTypeOverload(op, backend.zeroByteSubtle, ['unwrapKey']),
       ]).then(([nonZeroByteCryptoKey, zeroByteCryptoKey]) => ({
         nonZeroByteCryptoKey,
         zeroByteCryptoKey,
@@ -230,3 +218,47 @@ export class RawRsaKeyringWebCrypto extends KeyringWebCrypto {
   }
 }
 immutableClass(RawRsaKeyringWebCrypto)
+
+// TS2769 Note:
+// TS2769 is "No overload matches this call".
+// Above and below, TS is incorrect.
+// `importKey` has two overrides,
+// They are abbreviated below:
+// ```
+// importKey(format: "jwk", keyData: JsonWebKey, algorithm: AlgorithmIdentifier | ... , extractable: boolean, keyUsages: KeyUsage[]): Promise<CryptoKey>;
+// importKey(format:  "raw" | "pkcs8" | "spki", keyData: BufferSource, algorithm: AlgorithmIdentifier | ..., extractable: boolean, keyUsages: KeyUsage[]): Promise<CryptoKey>;
+// ```
+// The method getImportOptions explicitly
+// returns format & key that match
+// these overrides.
+// However, TS is unable to recognize this easily.
+// The following ugly function does the disambiguation.
+// There are 2 problems that TS is having.
+// First when format key and wrappingAlgorithm are independent,
+// TS does not _remember_ the relationship between format and key.
+// The second issue is related,
+// when trying to select the proper overload,
+// it is collapsing the definition of format.
+// Thus discriminating the union by `format`
+// helps TS understand all the arguments.
+async function ImportKeyTypeOverload(
+  op: ReturnType<typeof getImportOptions>,
+  subtle: SubtleCrypto,
+  keyUsages: KeyUsage[]
+): Promise<AwsEsdkJsCryptoKey> {
+  return op.format == 'jwk'
+    ? subtle.importKey(
+        op.format,
+        op.key,
+        op.wrappingAlgorithm,
+        false,
+        keyUsages
+      )
+    : subtle.importKey(
+        op.format,
+        op.key,
+        op.wrappingAlgorithm,
+        false,
+        keyUsages
+      )
+}

modules/raw-rsa-keyring-node/src/oaep_hash_supported.ts

@@ -11,7 +11,7 @@
  * But sending an invalid hash to a version that does not support oaepHash will be ignored.
  */
 
-import { needs } from '@aws-crypto/material-management-node'
+import { needs, NotSupported } from '@aws-crypto/material-management-node'
 
 import { constants, publicEncrypt } from 'crypto'
 
@@ -32,10 +32,13 @@ export const oaepHashSupported = (function () {
      */
     return false
   } catch (ex) {
-    needs(
-      ex.code === 'ERR_OSSL_EVP_INVALID_DIGEST',
-      'Unexpected error testing oaepHash.'
-    )
-    return true
+    if (ex instanceof NotSupported) {
+      needs(
+        ex.code === 'ERR_OSSL_EVP_INVALID_DIGEST',
+        'Unexpected error testing oaepHash.'
+      )
+      return true
+    }
+    return Error('Unexpected error testing oaepHash.')
   }
 })()

modules/web-crypto-backend/package.json

@@ -21,7 +21,7 @@
   "dependencies": {
     "@aws-crypto/ie11-detection": "1.0.0",
     "@aws-crypto/supports-web-crypto": "1.0.0",
-    "@aws-sdk/util-locate-window": "3.23.0",
+    "@aws-sdk/util-locate-window": "3.29.0",
     "tslib": "^2.2.0"
   },
   "sideEffects": false,

package-lock.json

@@ -105,17 +105,17 @@
     "@types/chai-as-promised": "^7.1.3",
     "@types/from2": "^2.3.0",
     "@types/mocha": "^9.0.0",
-    "@types/node": "^15.12.5",
-    "@typescript-eslint/eslint-plugin": "^4.1.0",
-    "@typescript-eslint/parser": "^4.1.0",
+    "@types/node": "^16.9.1",
+    "@typescript-eslint/eslint-plugin": "^4.31.1",
+    "@typescript-eslint/parser": "^4.31.1",
     "buffer": "^6.0.3",
     "chai": "^4.2.0",
     "chai-as-promised": "^7.1.1",
     "eslint": "^7.8.1",
     "eslint-config-prettier": "^8.3.0",
     "from2": "^2.3.0",
     "genversion": "^3.0.0",
-    "husky": "^7.0.0",
+    "husky": "^7.0.2",
     "karma": "^6.3.4",
     "karma-chai": "^0.1.0",
     "karma-chrome-launcher": "^3.1.0",
@@ -133,7 +133,7 @@
     "rimraf": "^3.0.2",
     "source-map-support": "^0.5.19",
     "tslib": "^2.3.0",
-    "typescript": "^4.0.2",
+    "typescript": "^4.4.3",
     "verdaccio": "^5.1.1",
     "webpack": "^5.41.1",
     "webpack-cli": "^4.7.2"