|
15 | 15 |
|
16 | 16 | import {
|
17 | 17 | KmsKeyring,
|
18 |
| - KmsKeyringInput, |
19 |
| - KMSConstructible, |
20 |
| - KmsClientSupplier, |
| 18 | + KmsKeyringInput, // eslint-disable-line no-unused-vars |
| 19 | + KMSConstructible, // eslint-disable-line no-unused-vars |
| 20 | + KmsClientSupplier, // eslint-disable-line no-unused-vars |
21 | 21 | getClient,
|
22 | 22 | limitRegions,
|
23 | 23 | excludeRegions,
|
24 | 24 | cacheClients
|
25 | 25 | } from '@aws-crypto/kms-keyring'
|
26 | 26 | import {
|
27 |
| - WebCryptoAlgorithmSuite, |
28 |
| - immutableClass |
| 27 | + WebCryptoAlgorithmSuite, // eslint-disable-line no-unused-vars |
| 28 | + WebCryptoEncryptionMaterial, // eslint-disable-line no-unused-vars |
| 29 | + WebCryptoDecryptionMaterial, // eslint-disable-line no-unused-vars |
| 30 | + EncryptionContext, // eslint-disable-line no-unused-vars |
| 31 | + EncryptedDataKey, // eslint-disable-line no-unused-vars |
| 32 | + immutableClass, |
| 33 | + importCryptoKey |
29 | 34 | } from '@aws-crypto/material-management-browser'
|
30 |
| -import {KMS, KMSConfiguration} from '@aws-sdk/client-kms-browser' |
| 35 | +import { getWebCryptoBackend } from '@aws-crypto/web-crypto-backend' |
| 36 | +import { KMS, KMSConfiguration } from '@aws-sdk/client-kms-browser' // eslint-disable-line no-unused-vars |
31 | 37 |
|
32 | 38 | export type KmsKeyringWebCryptoInput = KmsKeyringInput<KMS>
|
33 | 39 | export type KMSWebCryptoConstructible = KMSConstructible<KMS, KMSConfiguration>
|
34 | 40 | export type KmsWebCryptoClientSupplier = KmsClientSupplier<KMS>
|
35 | 41 |
|
36 | 42 | export class KmsKeyringNode extends KmsKeyring<WebCryptoAlgorithmSuite, KMS> {
|
37 |
| - constructor(input: KmsKeyringWebCryptoInput){ |
38 |
| - super(input) |
| 43 | + async _onEncrypt (material: WebCryptoEncryptionMaterial, context?: EncryptionContext) { |
| 44 | + const _material = await super._onEncrypt(material, context) |
| 45 | + |
| 46 | + /* Check for early return (Postcondition): If a cryptoKey has already been imported, return. */ |
| 47 | + if (_material.hasUnencryptedDataKey && _material.hasCryptoKey) { |
| 48 | + return _material |
| 49 | + } |
| 50 | + |
| 51 | + const backend = await getWebCryptoBackend() |
| 52 | + const cryptoKey = await importCryptoKey(backend, _material) |
| 53 | + // The trace is only set when the material does not already have |
| 54 | + // an hasUnencryptedDataKey. This is an implementation detail :( |
| 55 | + const [trace] = _material.keyringTrace |
| 56 | + |
| 57 | + return _material.setCryptoKey(cryptoKey, trace) |
| 58 | + } |
| 59 | + |
| 60 | + async _onDecrypt (material: WebCryptoDecryptionMaterial, encryptedDataKeys: EncryptedDataKey[], context?: EncryptionContext) { |
| 61 | + const _material = await super._onDecrypt(material, encryptedDataKeys, context) |
| 62 | + |
| 63 | + /* Check for early return (Postcondition): If a cryptoKey has already been imported, return. */ |
| 64 | + if (_material.hasUnencryptedDataKey && _material.hasCryptoKey) { |
| 65 | + return _material |
| 66 | + } |
| 67 | + |
| 68 | + const backend = await getWebCryptoBackend() |
| 69 | + const cryptoKey = await importCryptoKey(backend, _material) |
| 70 | + // Now that a cryptoKey has been imported, the unencrypted data key can be zeroed. |
| 71 | + _material.zeroUnencryptedDataKey() |
| 72 | + // The trace is only set when the material does not already have |
| 73 | + // an hasUnencryptedDataKey. This is an implementation detail :( |
| 74 | + const [trace] = _material.keyringTrace |
| 75 | + |
| 76 | + return _material.setCryptoKey(cryptoKey, trace) |
39 | 77 | }
|
40 | 78 | }
|
41 | 79 | immutableClass(KmsKeyringNode)
|
42 | 80 |
|
43 |
| -export {getClient, limitRegions, excludeRegions, cacheClients} |
| 81 | +export { getClient, limitRegions, excludeRegions, cacheClients } |
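Review bot: The early-return guard in `_onDecrypt` (and the identical one in `_onEncrypt`) only returns when both `hasUnencryptedDataKey` and `hasCryptoKey` are set, so when `super._onDecrypt` matches none of the encrypted data keys and hands back material with no unencrypted data key, execution falls through to `importCryptoKey(backend, _material)` with nothing to import — presumably a throw, where a keyring that did not decrypt should hand the material back untouched for the next keyring to try. The comment above the guard states the intent as "if a cryptoKey has already been imported, return", which the current condition does not express; `if (!_material.hasUnencryptedDataKey || _material.hasCryptoKey) return _material` covers both the nothing-decrypted and already-imported cases in both methods. Taking the first entry of `_material.keyringTrace` for `setCryptoKey` is also fragile when this keyring is not the first to contribute a trace, as the inline comment admits; a short note on why the first entry is the right one, or a lookup by this keyring's identity, would make that explicit. Separately, the class is still named `KmsKeyringNode` although every import here is the browser/WebCrypto stack, which looks like a leftover from the Node variant, and `_onEncrypt` leaves the unencrypted data key in place after the import while `_onDecrypt` zeroes it — presumably deliberate, since later keyrings still need to wrap it, but worth a one-line comment such as `// Keep the unencrypted data key: other keyrings in a multi-keyring still need to wrap it`.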