kms-keyring

Author: seebees

modules/kms-keyring/src/kms_client_supplier.ts

@@ -76,7 +76,7 @@ export function cacheClients<Client extends KMS> (
 }
 
 type KMSOperations = keyof KMS
-/* It is possible that a malicious user can attempt a local resource 
+/* It is possible that a malicious user can attempt a local resource
  * DOS by sending ciphertext with a large number of spurious regions.
  * This will fill the cache with regions and exhaust resources.
  * To avoid this, a call succeeds in contacting KMS.
@@ -88,6 +88,7 @@ function deferCache<Client extends KMS> (
   region: string,
   client: Client|false
 ): Client|false {
+  /* Check for early return (Postcondition): No client, then I cache false and move on. */
   if (!client) {
     clientsCache[region] = false
     return false
@@ -96,6 +97,7 @@ function deferCache<Client extends KMS> (
 
   return (<KMSOperations[]>['encrypt', 'decrypt', 'generateDataKey']).reduce(wrapOperation, client)
 
+  /* Wrap each of the operations to cache the client on response */
   function wrapOperation (client: Client, name: KMSOperations): Client {
     type params = Parameters<KMS[typeof name]>
     type retValue = ReturnType<KMS[typeof name]>

modules/kms-keyring/src/kms_keyring.ts

@@ -16,7 +16,7 @@
 import { KmsClientSupplier } from './kms_client_supplier' // eslint-disable-line no-unused-vars
 import {
   needs,
-  Keyring,
+  Keyring, // eslint-disable-line no-unused-vars
   EncryptionMaterial, // eslint-disable-line no-unused-vars
   DecryptionMaterial, // eslint-disable-line no-unused-vars
   SupportedAlgorithmSuites, // eslint-disable-line no-unused-vars
@@ -34,123 +34,147 @@ import { regionFromKmsKeyArn } from './region_from_kms_key_arn'
 
 export interface KmsKeyringInput<Client extends KMS> {
   clientProvider: KmsClientSupplier<Client>
-  kmsKeys?: string[]
-  generatorKmsKey?: string
+  keyIds?: string[]
+  generatorKeyId?: string
   grantTokens?: string
 }
 
-export abstract class KmsKeyring<S extends SupportedAlgorithmSuites, Client extends KMS> extends Keyring<S> {
-  public kmsKeys!: string[]
-  public generatorKmsKey?: string
-  public clientProvider!: KmsClientSupplier<Client>
-  public grantTokens?: string
-
-  constructor ({ clientProvider, generatorKmsKey, kmsKeys = [], grantTokens }: KmsKeyringInput<Client>) {
-    super()
-    /* Precondition: All KMS key arns must be valid. */
-    needs(!generatorKmsKey || !!regionFromKmsKeyArn(generatorKmsKey), 'Malformed arn.')
-    needs(kmsKeys.every(keyarn => !!regionFromKmsKeyArn(keyarn)), 'Malformed arn.')
-    /* Precondition: clientProvider needs to be a callable function. */
-    needs(typeof clientProvider === 'function', '')
-
-    readOnlyProperty(this, 'clientProvider', clientProvider)
-    readOnlyProperty(this, 'kmsKeys', kmsKeys)
-    readOnlyProperty(this, 'generatorKmsKey', generatorKmsKey)
-    readOnlyProperty(this, 'grantTokens', grantTokens)
-  }
-
-  /* Keyrings *must* preserve the order of EDK's.  The generatorKmsKey is the first on this list. */
-  async _onEncrypt (material: EncryptionMaterial<S>, context?: EncryptionContext) {
-    const kmsKeys = this.kmsKeys.slice()
-    const { clientProvider, generatorKmsKey, grantTokens } = this
-    if (generatorKmsKey && !material.hasUnencryptedDataKey) {
-      const dataKey = await generateDataKey(clientProvider, material.suite.keyLengthBytes, generatorKmsKey, context, grantTokens)
-      /* Precondition: A generatorKmsKey must generate if we do not have an unencrypted data key.
-       * Client supplier is allowed to return undefined if, for example, user wants to exclude particular
-       * regions. But if we are here it means that user configured keyring with a KMS key that was
-       * incompatible with the client supplier in use.
-       */
-      if (!dataKey) throw new Error('Generator KMS key did not generate a data key')
-
-      const flags = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY |
-        KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX |
-        KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-      const trace: KeyringTrace = { keyNamespace: KMS_PROVIDER_ID, keyName: dataKey.KeyId, flags }
-
-      material
-        /* Postcondition: The unencryptedDataKey length must match the algorithm specification.
-         * See cryptographic_materials as setUnencryptedDataKey will throw in this case.
-         */
-        .setUnencryptedDataKey(dataKey.Plaintext, trace)
-        .addEncryptedDataKey(kms2EncryptedDataKey(dataKey), KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
-    } else if (generatorKmsKey) {
-      kmsKeys.unshift(generatorKmsKey)
-    }
+export interface KeyRing<S extends SupportedAlgorithmSuites, Client extends KMS> extends Keyring<S> {
+  keyIds: string[]
+  generatorKeyId?: string
+  clientProvider: KmsClientSupplier<Client>
+  grantTokens?: string
+  _onEncrypt(material: EncryptionMaterial<S>, context?: EncryptionContext): Promise<EncryptionMaterial<S>>
+  _onDecrypt(material: DecryptionMaterial<S>, encryptedDataKeys: EncryptedDataKey[], context?: EncryptionContext): Promise<DecryptionMaterial<S>>
+}
 
-    /* Precondition: If a generator does not exist, an unencryptedDataKey *must* already exist.
-     * Furthermore *only* CMK's explicitly designated as generators can generate data keys.
-     * See cryptographic_materials as getUnencryptedDataKey will throw in this case.
-     */
-    const unencryptedDataKey = material.getUnencryptedDataKey()
+export interface KmsKeyRingConstructible<S extends SupportedAlgorithmSuites, Client extends KMS> {
+  new(input: KmsKeyringInput<Client>): KeyRing<S, Client>
+}
 
-    const flags = KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY | KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX
-    for (const kmsKey of kmsKeys) {
-      const kmsEDK = await encrypt(clientProvider, unencryptedDataKey, kmsKey, context, grantTokens)
+export interface KeyRingConstructible<S extends SupportedAlgorithmSuites> {
+  new(): Keyring<S>
+}
 
-      /* clientProvider may not return a client, in this case there is not an EDK to add */
-      if (kmsEDK) material.addEncryptedDataKey(kms2EncryptedDataKey(kmsEDK), flags)
+export function KmsKeyringClass<S extends SupportedAlgorithmSuites, Client extends KMS> (
+  BaseKeyring: KeyRingConstructible<S>
+): KmsKeyRingConstructible<S, Client> {
+  class KmsKeyring extends BaseKeyring implements KeyRing<S, Client> {
+    public keyIds!: string[]
+    public generatorKeyId?: string
+    public clientProvider!: KmsClientSupplier<Client>
+    public grantTokens?: string
+
+    constructor ({ clientProvider, generatorKeyId, keyIds = [], grantTokens }: KmsKeyringInput<Client>) {
+      super()
+      /* Precondition: This is an abstract class. (But TypeScript does not have a clean way to model this) */
+      needs(this.constructor !== KmsKeyring, 'new KmsKeyring is not allowed')
+      /* Precondition: All KMS key arns must be valid. */
+      needs(!generatorKeyId || !!regionFromKmsKeyArn(generatorKeyId), 'Malformed arn.')
+      needs(keyIds.every(keyarn => !!regionFromKmsKeyArn(keyarn)), 'Malformed arn.')
+      /* Precondition: clientProvider needs to be a callable function. */
+      needs(typeof clientProvider === 'function', '')
+
+      readOnlyProperty(this, 'clientProvider', clientProvider)
+      readOnlyProperty(this, 'keyIds', keyIds)
+      readOnlyProperty(this, 'generatorKeyId', generatorKeyId)
+      readOnlyProperty(this, 'grantTokens', grantTokens)
     }
 
-    return material
-  }
-
-  async _onDecrypt (material: DecryptionMaterial<S>, encryptedDataKeys: EncryptedDataKey[], context?: EncryptionContext) {
-    const kmsKeys = this.kmsKeys.slice()
-    const { clientProvider, generatorKmsKey, grantTokens } = this
-    if (generatorKmsKey) kmsKeys.unshift(generatorKmsKey)
-
-    /* If there are no key IDs in the list, keyring is in "discovery" mode and will attempt KMS calls with
-     * every ARN it comes across in the message. If there are key IDs in the list, it will cross check the
-     * ARN it reads with that list before attempting KMS calls. Note that if caller provided key IDs in
-     * anything other than a CMK ARN format, the SDK will not attempt to decrypt those data keys, because
-     * the EDK data format always specifies the CMK with the full (non-alias) ARN.
-     */
-    const decryptableEDKs = encryptedDataKeys
-      .filter(({ providerId, providerInfo }) => {
-        if (providerId !== KMS_PROVIDER_ID) return false
-        return kmsKeys.length
-          ? kmsKeys.includes(providerInfo)
-          : true
-      })
-
-    for (const edk of decryptableEDKs) {
-      let dataKey: Required<DecryptOutput>|false = false
-      try {
-        dataKey = await decrypt(clientProvider, edk, context, grantTokens)
-      } catch (e) {
-        // there should be some debug here?  or wrap?
-        // Failures decrypt should not short-circuit the process
-        // If the caller does not have access they may have access
-        // through another Keyring.
+    /* Keyrings *must* preserve the order of EDK's.  The generatorKeyId is the first on this list. */
+    async _onEncrypt (material: EncryptionMaterial<S>, context?: EncryptionContext) {
+      const keyIds = this.keyIds.slice()
+      const { clientProvider, generatorKeyId, grantTokens } = this
+      if (generatorKeyId && !material.hasUnencryptedDataKey) {
+        const dataKey = await generateDataKey(clientProvider, material.suite.keyLengthBytes, generatorKeyId, context, grantTokens)
+        /* Precondition: A generatorKeyId must generate if we do not have an unencrypted data key.
+        * Client supplier is allowed to return undefined if, for example, user wants to exclude particular
+        * regions. But if we are here it means that user configured keyring with a KMS key that was
+        * incompatible with the client supplier in use.
+        */
+        if (!dataKey) throw new Error('Generator KMS key did not generate a data key')
+
+        const flags = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY |
+          KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX |
+          KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
+        const trace: KeyringTrace = { keyNamespace: KMS_PROVIDER_ID, keyName: dataKey.KeyId, flags }
+
+        material
+          /* Postcondition: The unencryptedDataKey length must match the algorithm specification.
+          * See cryptographic_materials as setUnencryptedDataKey will throw in this case.
+          */
+          .setUnencryptedDataKey(dataKey.Plaintext, trace)
+          .addEncryptedDataKey(kms2EncryptedDataKey(dataKey), KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
+      } else if (generatorKeyId) {
+        keyIds.unshift(generatorKeyId)
       }
 
-      /* Check for early return (Postcondition): clientProvider may not return a client. */
-      if (!dataKey) continue
+      /* Precondition: If a generator does not exist, an unencryptedDataKey *must* already exist.
+      * Furthermore *only* CMK's explicitly designated as generators can generate data keys.
+      * See cryptographic_materials as getUnencryptedDataKey will throw in this case.
+      */
+      const unencryptedDataKey = material.getUnencryptedDataKey()
 
-      /* Postcondition: The KeyId from KMS must match the encoded KeyID. */
-      needs(dataKey.KeyId === edk.providerInfo, 'KMS Decryption key does not match serialized provider.')
+      const flags = KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY | KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX
+      for (const kmsKey of keyIds) {
+        const kmsEDK = await encrypt(clientProvider, unencryptedDataKey, kmsKey, context, grantTokens)
 
-      const flags = KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY | KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
-      const trace: KeyringTrace = { keyNamespace: KMS_PROVIDER_ID, keyName: dataKey.KeyId, flags }
+        /* clientProvider may not return a client, in this case there is not an EDK to add */
+        if (kmsEDK) material.addEncryptedDataKey(kms2EncryptedDataKey(kmsEDK), flags)
+      }
 
-      /* Postcondition: The unencryptedDataKey length must match the algorithm specification.
-        * See cryptographic_materials as setUnencryptedDataKey will throw in this case.
-        */
-      material.setUnencryptedDataKey(dataKey.Plaintext, trace)
       return material
     }
 
-    return material
+    async _onDecrypt (material: DecryptionMaterial<S>, encryptedDataKeys: EncryptedDataKey[], context?: EncryptionContext) {
+      const keyIds = this.keyIds.slice()
+      const { clientProvider, generatorKeyId, grantTokens } = this
+      if (generatorKeyId) keyIds.unshift(generatorKeyId)
+
+      /* If there are no key IDs in the list, keyring is in "discovery" mode and will attempt KMS calls with
+      * every ARN it comes across in the message. If there are key IDs in the list, it will cross check the
+      * ARN it reads with that list before attempting KMS calls. Note that if caller provided key IDs in
+      * anything other than a CMK ARN format, the SDK will not attempt to decrypt those data keys, because
+      * the EDK data format always specifies the CMK with the full (non-alias) ARN.
+      */
+      const decryptableEDKs = encryptedDataKeys
+        .filter(({ providerId, providerInfo }) => {
+          if (providerId !== KMS_PROVIDER_ID) return false
+          return keyIds.length
+            ? keyIds.includes(providerInfo)
+            : true
+        })
+
+      for (const edk of decryptableEDKs) {
+        let dataKey: Required<DecryptOutput>|false = false
+        try {
+          dataKey = await decrypt(clientProvider, edk, context, grantTokens)
+        } catch (e) {
+          // there should be some debug here?  or wrap?
+          // Failures decrypt should not short-circuit the process
+          // If the caller does not have access they may have access
+          // through another Keyring.
+        }
+
+        /* Check for early return (Postcondition): clientProvider may not return a client. */
+        if (!dataKey) continue
+
+        /* Postcondition: The KeyId from KMS must match the encoded KeyID. */
+        needs(dataKey.KeyId === edk.providerInfo, 'KMS Decryption key does not match serialized provider.')
+
+        const flags = KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY | KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
+        const trace: KeyringTrace = { keyNamespace: KMS_PROVIDER_ID, keyName: dataKey.KeyId, flags }
+
+        /* Postcondition: The unencryptedDataKey length must match the algorithm specification.
+          * See cryptographic_materials as setUnencryptedDataKey will throw in this case.
+          */
+        material.setUnencryptedDataKey(dataKey.Plaintext, trace)
+        return material
+      }
+
+      return material
+    }
   }
+  immutableClass(KmsKeyring)
+  return KmsKeyring
 }
-immutableClass(KmsKeyring)

modules/kms-keyring/test/kms_client_supplier.test.ts

@@ -142,6 +142,46 @@ describe('cacheClients', () => {
     const test = getKmsClient(region)
     expect(test).instanceOf(TestKMS)
     expect(assertCount).to.equal(1)
+  })
+
+  it('does not cache the client until KMS has been contacted', () => {
+    const region = 'us-west-2'
+    let assertCount = 0
+    const TestKMS: any = class {
+      constructor (config: KMSConfiguration) {
+        expect(config.region).to.equal(region)
+        assertCount++
+      }
+    }
+    const getKmsClient = cacheClients(getClient(TestKMS))
+    const test = getKmsClient(region)
+    expect(test).instanceOf(TestKMS)
+    expect(assertCount).to.equal(1)
+
+    const test2 = getKmsClient(region)
+    expect(test === test2).to.equal(false)
+    expect(assertCount).to.equal(2)
+  })
+
+  it('cache the client after KMS has been contacted', async () => {
+    const region = 'us-west-2'
+    let assertCount = 0
+    const TestKMS: any = class {
+      constructor (config: KMSConfiguration) {
+        expect(config.region).to.equal(region)
+        assertCount++
+      }
+      async decrypt () {
+
+      }
+    }
+    const getKmsClient = cacheClients(getClient(TestKMS))
+    const test = getKmsClient(region)
+    if (!test) throw new Error('never')
+    expect(test).instanceOf(TestKMS)
+    expect(assertCount).to.equal(1)
+
+    await test.decrypt({} as any)
 
     const test2 = getKmsClient(region)
     expect(test === test2).to.equal(true)

modules/kms-keyring/test/kms_keyring.constructor.test.ts

@@ -17,48 +17,50 @@
 
 import { expect } from 'chai'
 import 'mocha'
-import { KmsKeyring } from '../src/kms_keyring'
-import { NodeAlgorithmSuite } from '@aws-crypto/material-management' // eslint-disable-line no-unused-vars
-import { KMS } from '../src/kms_types/KMS' // eslint-disable-line no-unused-vars
+import {
+  KmsKeyringClass,
+  KeyRingConstructible // eslint-disable-line no-unused-vars
+} from '../src/kms_keyring'
+import { NodeAlgorithmSuite, Keyring } from '@aws-crypto/material-management' // eslint-disable-line no-unused-vars
 
 describe('KmsKeyring: constructor', () => {
   it('set properties', () => {
     const clientProvider: any = () => {}
-    const generatorKmsKey = 'arn:aws:kms:us-east-1:123456789012:alias/example-alias'
-    const kmsKeys = ['arn:aws:kms:us-east-1:123456789012:alias/example-alias']
+    const generatorKeyId = 'arn:aws:kms:us-east-1:123456789012:alias/example-alias'
+    const keyIds = ['arn:aws:kms:us-east-1:123456789012:alias/example-alias']
     const grantTokens = 'grant'
 
-    class TestKmsKeyring extends KmsKeyring<NodeAlgorithmSuite, KMS> {}
+    class TestKmsKeyring extends KmsKeyringClass(Keyring as KeyRingConstructible<NodeAlgorithmSuite>) {}
 
-    const test = new TestKmsKeyring({ clientProvider, generatorKmsKey, kmsKeys, grantTokens })
+    const test = new TestKmsKeyring({ clientProvider, generatorKeyId, keyIds, grantTokens })
     expect(test.clientProvider).to.equal(clientProvider)
-    expect(test.generatorKmsKey).to.equal(generatorKmsKey)
-    expect(test.kmsKeys).to.equal(kmsKeys)
+    expect(test.generatorKeyId).to.equal(generatorKeyId)
+    expect(test.keyIds).to.equal(keyIds)
     expect(test.grantTokens).to.equal(grantTokens)
   })
 
   it('Precondition: All KMS key arns must be valid.', () => {
     const clientProvider: any = () => {}
-    class TestKmsKeyring extends KmsKeyring<NodeAlgorithmSuite, KMS> {}
+    class TestKmsKeyring extends KmsKeyringClass(Keyring as KeyRingConstructible<NodeAlgorithmSuite>) {}
 
     expect(() => new TestKmsKeyring({
       clientProvider,
-      generatorKmsKey: 'Not arn'
+      generatorKeyId: 'Not arn'
     })).to.throw()
 
     expect(() => new TestKmsKeyring({
       clientProvider,
-      kmsKeys: ['Not arn']
+      keyIds: ['Not arn']
     })).to.throw()
 
     expect(() => new TestKmsKeyring({
       clientProvider,
-      kmsKeys: ['arn:aws:kms:us-east-1:123456789012:alias/example-alias', 'Not arn']
+      keyIds: ['arn:aws:kms:us-east-1:123456789012:alias/example-alias', 'Not arn']
     })).to.throw()
   })
 
   it('Precondition: clientProvider needs to be a callable function.', () => {
-    class TestKmsKeyring extends KmsKeyring<NodeAlgorithmSuite, KMS> {}
+    class TestKmsKeyring extends KmsKeyringClass(Keyring as KeyRingConstructible<NodeAlgorithmSuite>) {}
     const clientProvider: any = 'not function'
     expect(() => new TestKmsKeyring({ clientProvider })).to.throw()
   })