From 4c6d703d570e19dd2ae741f934f1a664a2136b79 Mon Sep 17 00:00:00 2001
From: seebees
Date: Tue, 5 Mar 2019 19:56:20 -0800
Subject: [PATCH 01/15] encrypt-node initial commit
---
 modules/encrypt-node/.gitignore | 3 +
 modules/encrypt-node/.npmignore | 3 +
 modules/encrypt-node/LICENSE | 202 ++++++++++++++++++
 modules/encrypt-node/NOTICE | 2 +
 modules/encrypt-node/package.json | 49 +++++
 modules/encrypt-node/src/encrypt.ts | 44 ++++
 modules/encrypt-node/src/encrypt_stream.ts | 104 +++++++++
 .../encrypt-node/src/framed_encrypt_stream.ts | 180 ++++++++++++++++
 modules/encrypt-node/src/index.ts | 17 ++
 modules/encrypt-node/src/signature_stream.ts | 40 ++++
 modules/encrypt-node/test/encrypt.test.ts | 135 ++++++++++++
 modules/encrypt-node/tsconfig.json | 13 ++
 modules/encrypt-node/tsconfig.module.json | 12 ++
 modules/tsconfig.settings.json | 3 -
 14 files changed, 804 insertions(+), 3 deletions(-)
 create mode 100644 modules/encrypt-node/.gitignore
 create mode 100644 modules/encrypt-node/.npmignore
 create mode 100644 modules/encrypt-node/LICENSE
 create mode 100644 modules/encrypt-node/NOTICE
 create mode 100644 modules/encrypt-node/package.json
 create mode 100644 modules/encrypt-node/src/encrypt.ts
 create mode 100644 modules/encrypt-node/src/encrypt_stream.ts
 create mode 100644 modules/encrypt-node/src/framed_encrypt_stream.ts
 create mode 100644 modules/encrypt-node/src/index.ts
 create mode 100644 modules/encrypt-node/src/signature_stream.ts
 create mode 100644 modules/encrypt-node/test/encrypt.test.ts
 create mode 100644 modules/encrypt-node/tsconfig.json
 create mode 100644 modules/encrypt-node/tsconfig.module.json
diff --git a/modules/encrypt-node/.gitignore b/modules/encrypt-node/.gitignore
new file mode 100644
index 000000000..6498d2c9d
--- /dev/null
+++ b/modules/encrypt-node/.gitignore
@@ -0,0 +1,3 @@
+/node_modules/
+/build/
+/.nyc_output
\ No newline at end of file
diff --git a/modules/encrypt-node/.npmignore b/modules/encrypt-node/.npmignore
new file mode 100644
index 000000000..f39dee960
--- /dev/null
+++ b/modules/encrypt-node/.npmignore
@@ -0,0 +1,3 @@
+/src/
+/coverage/
+/test/
\ No newline at end of file
diff --git a/modules/encrypt-node/LICENSE b/modules/encrypt-node/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/modules/encrypt-node/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/modules/encrypt-node/NOTICE b/modules/encrypt-node/NOTICE
new file mode 100644
index 000000000..a95284f35
--- /dev/null
+++ b/modules/encrypt-node/NOTICE
@@ -0,0 +1,2 @@
+AWS Encryption SDK for Javascript
+Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
diff --git a/modules/encrypt-node/package.json b/modules/encrypt-node/package.json
new file mode 100644
index 000000000..9fc306840
--- /dev/null
+++ b/modules/encrypt-node/package.json
@@ -0,0 +1,49 @@
+{
+ "name": "@aws-crypto/encrypt-node",
+ "private": true,
+ "version": "0.0.1",
+ "scripts": {
+ "prepublishOnly": "tsc -p tsconfig.json && tsc -p tsconfig.module.json",
+ "lint": "standard src/*.ts test/**/*.ts",
+ "mocha": "mocha --require ts-node/register test/**/*test.ts",
+ "test": "npm run lint && npm run coverage",
+ "coverage": "nyc -e .ts npm run mocha"
+ },
+ "author": {
+ "name": "AWS Crypto Tools Team",
+ "email": "aws-crypto-tools-team@amazon.com",
+ "url": "https://github.com/awslabs/aws-encryption-sdk-javascript"
+ },
+ "license": "Apache-2.0",
+ "dependencies": {
+ "@aws-crypto/material-management-node": "^0.0.1",
+ "@aws-crypto/serialize": "^0.0.1",
+ "@types/duplexify": "^3.6.0",
+ "duplexify": "^4.0.0",
+ "readable-stream": "^3.2.0",
+ "tslib": "^1.9.3"
+ },
+ "devDependencies": {
+ "@types/chai": "^4.1.4",
+ "@types/mocha": "^5.2.5",
+ "@types/node": "^8.10.40",
+ "@typescript-eslint/eslint-plugin": "^1.4.2",
+ "@typescript-eslint/parser": "^1.4.2",
+ "chai": "^4.1.2",
+ "mocha": "^5.2.0",
+ "nyc": "^12.0.2",
+ "standard": "^12.0.1",
+ "ts-node": "^7.0.1",
+ "typescript": "^3.2.0"
+ },
+ "sideEffects": false,
+ "main": "./build/main/index.js",
+ "module": "./build/module/index.js",
+ "types": "./build/main/index.d.ts",
+ "standard": {
+ "parser": "@typescript-eslint/parser",
+ "plugins": [
+ "@typescript-eslint"
+ ]
+ }
+}
diff --git a/modules/encrypt-node/src/encrypt.ts b/modules/encrypt-node/src/encrypt.ts
new file mode 100644
index 000000000..0ac7fc037
--- /dev/null
+++ b/modules/encrypt-node/src/encrypt.ts
@@ -0,0 +1,44 @@
+import {
+ NodeCryptographicMaterialsManager // eslint-disable-line no-unused-vars
+} from '@aws-crypto/material-management-node'
+import {
+ encryptStream,
+ EncryptStreamInput // eslint-disable-line no-unused-vars
+} from './encrypt_stream'
+
+// @ts-ignore
+import { finished } from 'readable-stream'
+import { Readable } from 'stream' // eslint-disable-line no-unused-vars
+import { promisify } from 'util'
+const finishedAsync = promisify(finished)
+
+interface EncryptInput extends EncryptStreamInput {
+ encoding?: string
+}
+
+export async function encrypt (
+ cmm: NodeCryptographicMaterialsManager,
+ plaintext: Buffer|Uint8Array|Readable|string,
+ op: EncryptInput = {}
+) {
+ const stream = encryptStream(cmm, op)
+ const { encoding } = op
+
+ const ciphertext: Buffer[] = []
+ stream.on('data', (chunk: Buffer) => ciphertext.push(chunk))
+
+ // This will check both Uint8Array|Buffer
+ if (plaintext instanceof Uint8Array) {
+ stream.end(plaintext)
+ } else if (typeof plaintext === 'string') {
+ stream.end(Buffer.from(plaintext, encoding))
+ } else if (plaintext.readable) {
+ plaintext.pipe(stream)
+ } else {
+ throw new Error('Unsupported plaintext')
+ }
+
+ await finishedAsync(stream)
+
+ return Buffer.concat(ciphertext)
+}
diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts
new file mode 100644
index 000000000..4b8aa7528
--- /dev/null
+++ b/modules/encrypt-node/src/encrypt_stream.ts
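Review bot: In the `plaintext.readable` branch, `plaintext.pipe(stream)` forwards data but not errors, so a source stream that fails never ends `stream` and `await finishedAsync(stream)` stays pending instead of rejecting. Failing the encrypt stream on a source error fixes it in one line, `plaintext.on('error', err => stream.destroy(err))`, or use the `pipeline` helper from `readable-stream` that `encrypt_stream.ts` already imports so teardown is handled for both ends. `EncryptInput.encoding` is passed straight to `Buffer.from(plaintext, encoding)`; an unknown encoding throws at runtime, so the field should document that it must be a Node `BufferEncoding` name (and be typed as such once the installed `@types/node` provides it). This file also lacks the Apache header present in the sibling sources.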
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ * http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {
+ NodeCryptographicMaterialsManager, NodeAlgorithmSuite, AlgorithmSuiteIdentifier, // eslint-disable-line no-unused-vars
+ NodeEncryptionMaterial, getEncryptHelper, EncryptionContext // eslint-disable-line no-unused-vars
+} from '@aws-crypto/material-management-node'
+import { getFramedEncryptStream } from './framed_encrypt_stream'
+import { SignatureStream } from './signature_stream'
+import Duplexify from 'duplexify'
+import { randomBytes } from 'crypto'
+import {
+ MessageHeader, // eslint-disable-line no-unused-vars
+ serializeFactory, kdfInfo, ContentType, SerializationVersion, ObjectType
+} from '@aws-crypto/serialize'
+
+// @ts-ignore
+import { pipeline } from 'readable-stream'
+
+const fromUtf8 = (input: string) => Buffer.from(input)
+const { serializeMessageHeader, headerAuthIv } = serializeFactory(fromUtf8)
+
+export interface EncryptStreamInput {
+ suiteId?: AlgorithmSuiteIdentifier
+ context?: EncryptionContext
+ frameLength?: number
+ plaintextLength?: number
+}
+
+export function encryptStream (cmm: NodeCryptographicMaterialsManager, op: EncryptStreamInput = {}) {
+ const { suiteId, context, frameLength = 10 } = op
+ const suite = suiteId && new NodeAlgorithmSuite(suiteId)
+
+ const wrappingStream = new Duplexify()
+
+ cmm.getEncryptionMaterials({ suite, encryptionContext: context, frameLength })
+ .then(async ({ material, context }) => {
+ const { dispose, getSigner } = getEncryptHelper(material)
+
+ const { getCipher, messageHeader, rawHeader } = getEncryptionInfo(material, frameLength, context)
+
+ const encryptStream = getFramedEncryptStream(getCipher, messageHeader, dispose)
+ const signatureStream = new SignatureStream(getSigner)
+
+ pipeline(encryptStream, signatureStream)
+
+ wrappingStream.setReadable(signatureStream)
+ // Flush the rawHeader through the signatureStream
+ rawHeader.forEach(buff => signatureStream.push(buff))
+
+ // @ts-ignore until readable-stream exports v3 types...
+ wrappingStream.setWritable(encryptStream)
+ })
+ .catch(err => wrappingStream.emit('error', err))
+
+ return wrappingStream
+}
+
+export function getEncryptionInfo (material : NodeEncryptionMaterial, frameLength: number, context: EncryptionContext) {
+ const { kdfGetCipher } = getEncryptHelper(material)
+
+ const messageId = randomBytes(16)
+ const { id, ivLength } = material.suite
+ const messageHeader: MessageHeader = Object.freeze({
+ version: SerializationVersion.V1,
+ type: ObjectType.CUSTOMER_AE_DATA,
+ algorithmId: id,
+ messageId,
+ encryptionContext: context,
+ encryptedDataKeys: material.encryptedDataKeys, // freeze me please
+ contentType: ContentType.FRAMED_DATA,
+ headerIvLength: ivLength,
+ frameLength
+ })
+
+ const headerBytes = serializeMessageHeader(messageHeader)
+ const headerBuffer = Buffer.from(headerBytes.buffer)
+ const info = kdfInfo(messageHeader.algorithmId, messageHeader.messageId)
+ const getCipher = kdfGetCipher(info)
+ const headerIv = headerAuthIv(ivLength)
+ const validateHeader = getCipher(headerIv)
+ validateHeader.setAAD(headerBuffer)
+ validateHeader.update(Buffer.alloc(0))
+ validateHeader.final()
+ const headerAuth = validateHeader.getAuthTag()
+
+ return {
+ getCipher,
+ messageHeader,
+ rawHeader: [headerBuffer, headerIv, headerAuth]
+ }
+}
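Review bot: `rawHeader.forEach(buff => signatureStream.push(buff))` places the serialized header, header IV and header auth tag directly into the readable side of `SignatureStream`, bypassing `_transform`, so `_signer.update` never sees them and the trailing signature covers only the frames. If the signature is meant to authenticate the whole message, as the comment "Flush the rawHeader through the signatureStream" implies, write them to the writable side instead: `rawHeader.forEach(buff => signatureStream.write(buff))`. In `getEncryptionInfo`, `Buffer.from(headerBytes.buffer)` wraps the entire underlying ArrayBuffer; should `serializeMessageHeader` ever return a view with a non-zero `byteOffset` or a shorter `byteLength`, the bytes used as header AAD and emitted as `headerBuffer` would include unrelated data, so prefer `Buffer.from(headerBytes.buffer, headerBytes.byteOffset, headerBytes.byteLength)`. The default `frameLength = 10` is also undocumented; a short comment on why 10 bytes is chosen (or a larger production default) would help callers.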
diff --git a/modules/encrypt-node/src/framed_encrypt_stream.ts b/modules/encrypt-node/src/framed_encrypt_stream.ts
new file mode 100644
index 000000000..b6bb86cf7
--- /dev/null
+++ b/modules/encrypt-node/src/framed_encrypt_stream.ts
@@ -0,0 +1,180 @@
+/*
+ * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ * http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {
+ serializeFactory, aadFactory,
+ MessageHeader // eslint-disable-line no-unused-vars
+} from '@aws-crypto/serialize'
+// @ts-ignore
+import { Transform as PortableTransform } from 'readable-stream'
+import { Cipher } from 'crypto' // eslint-disable-line no-unused-vars
+import { Transform } from 'stream' // eslint-disable-line no-unused-vars
+import { needs } from '@aws-crypto/material-management-node'
+
+const fromUtf8 = (input: string) => Buffer.from(input)
+const serialize = serializeFactory(fromUtf8)
+const { finalFrameHeader, frameHeader } = serialize
+const aadUtility = aadFactory(fromUtf8)
+
+interface AccumulatingFrame {
+ contentLength: number
+ content: Buffer[]
+ sequenceNumber: number
+}
+
+interface EncryptFrame {
+ content: Buffer[]
+ bodyHeader: Buffer
+ headerSent?: boolean
+ cipher: Cipher,
+ isFinalFrame: boolean
+}
+
+const ioTick = () => new Promise(resolve => setImmediate(resolve))
+type ErrBack = (err?: Error) => void
+
+export function getFramedEncryptStream (getCipher: GetCipher, messageHeader: MessageHeader, dispose: Function) {
+ let accumulatingFrame: AccumulatingFrame = { contentLength: 0, content: [], sequenceNumber: 1 }
+ let pathologicalDrain: Function|false = false
+ const { frameLength } = messageHeader
+
+ return new (class FramedEncryptStream extends ( Transform>PortableTransform) {
+ _transform (chunk: Buffer, encoding: string, callback: ErrBack) {
+ const contentLeft = frameLength - accumulatingFrame.contentLength
+ if (contentLeft > chunk.length) {
+ // eat more
+ accumulatingFrame.contentLength += chunk.length
+ accumulatingFrame.content.push(chunk)
+ return callback()
+ }
+
+ accumulatingFrame.contentLength += contentLeft
+ accumulatingFrame.content.push(chunk.slice(0, contentLeft))
+
+ // grab the tail
+ const tail = chunk.slice(contentLeft)
+
+ const encryptFrame = getEncryptFrame({
+ pendingFrame: accumulatingFrame,
+ messageHeader,
+ getCipher,
+ isFinalFrame: false
+ })
+
+ // Reset frame state for next frame
+ const { sequenceNumber } = accumulatingFrame
+ accumulatingFrame = {
+ contentLength: 0,
+ content: [],
+ sequenceNumber: sequenceNumber + 1
+ }
+
+ this._flushEncryptFrame(encryptFrame)
+ .then(() => this._transform(tail, encoding, callback))
+ .catch(callback)
+ }
+
+ _flush (callback: ErrBack) {
+ const encryptFrame = getEncryptFrame({
+ pendingFrame: accumulatingFrame,
+ messageHeader,
+ getCipher,
+ isFinalFrame: true
+ })
+
+ this._flushEncryptFrame(encryptFrame)
+ .then(() => callback())
+ .catch(callback)
+ }
+
+ _destroy () {
+ dispose()
+ }
+
+ _read (size: number) {
+ super._read(size)
+ /* The _flushEncryptFrame encrypts and pushes the frame.
+ * If this.push returns false then this stream
+ * should wait until the destination stream calls read.
+ * This means that _flushEncryptFrame needs to wait for some
+ * indeterminate time. I create a closure around
+ * the resolution function for a promise that
+ * is created in _flushEncryptFrame. This way
+ * here in _read (the implementation of read)
+ * if a frame is being pushed, we can release
+ * it.
+ */
+ if (pathologicalDrain) {
+ pathologicalDrain()
+ pathologicalDrain = false
+ }
+ }
+
+ async _flushEncryptFrame (encryptingFrame: EncryptFrame) {
+ const { content, cipher, bodyHeader, isFinalFrame } = encryptingFrame
+
+ this.push(bodyHeader)
+
+ let frameSize = 0
+ const cipherContent: Buffer[] = []
+ for (const clearChunk of content) {
+ const cipherText = cipher.update(clearChunk)
+ frameSize += cipherText.length
+ cipherContent.push(cipherText)
+ await ioTick()
+ }
+
+ needs(frameSize === frameLength || isFinalFrame, 'Malformed frame')
+
+ for (const cipherText of cipherContent) {
+ if (!this.push(cipherText)) {
+ /* back pressure: if push returns false, wait until _read
+ * has been called.
+ */
+ await new Promise(resolve => { pathologicalDrain = resolve })
+ }
+ }
+
+ this.push(cipher.final())
+ this.push(cipher.getAuthTag())
+ if (isFinalFrame) this.push(null)
+ }
+ })()
+}
+
+type GetCipher = (iv: Uint8Array) => Cipher
+
+type EncryptFrameInput = {
+ pendingFrame: AccumulatingFrame,
+ messageHeader: MessageHeader,
+ getCipher: GetCipher,
+ isFinalFrame: boolean
+}
+
+export function getEncryptFrame (input: EncryptFrameInput): EncryptFrame {
+ const { pendingFrame, messageHeader, getCipher, isFinalFrame } = input
+ const { sequenceNumber, contentLength, content } = pendingFrame
+ const frameIv = serialize.frameIv(messageHeader.headerIvLength, sequenceNumber)
+ const bodyHeader = Buffer.from(isFinalFrame
+ ? finalFrameHeader(sequenceNumber, frameIv, contentLength)
+ : frameHeader(sequenceNumber, frameIv))
+ const { contentType, messageId } = messageHeader
+ const contentString = aadUtility.messageAADContentString({ contentType, isFinalFrame })
+ const messageAAD = aadUtility.messageAAD(messageId, contentString, sequenceNumber, contentLength)
+ const cipher = getCipher(frameIv)
+ cipher.setAAD(Buffer.from(messageAAD.buffer))
+
+ return { content, cipher, bodyHeader, isFinalFrame }
+}
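Review bot: `sequenceNumber` grows without bound in `_transform` (`sequenceNumber: sequenceNumber + 1`) and feeds `serialize.frameIv(messageHeader.headerIvLength, sequenceNumber)`, which derives the per-frame GCM IV; the frame sequence number is a 4-byte field in the message format, so beyond that range the serialized IV wraps and a nonce is reused under the same data key, breaking GCM's guarantees. Reject this before a frame is built, e.g. in `getEncryptFrame`: `needs(sequenceNumber <= 0xFFFFFFFF, 'Maximum frame count exceeded')` (bound constructed from the 4-byte field; confirm against the serialize module's constant). `frameLength` is never validated either: with 0, `_transform` slices nothing, emits an empty frame and recurses on the same `tail` indefinitely unless the CMM rejects the value upstream, so `needs(frameLength > 0, 'Invalid frame length')` belongs at the top of `getFramedEncryptStream`. Finally, `_destroy ()` overrides Node's `_destroy(err, callback)` without calling the callback, so a destroyed stream never emits 'close' or surfaces the error; `_destroy (err: Error|null, callback: (err: Error|null) => void) { dispose(); callback(err) }` keeps the dispose and restores the contract.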
diff --git a/modules/encrypt-node/src/index.ts b/modules/encrypt-node/src/index.ts
new file mode 100644
index 000000000..f59edc16a
--- /dev/null
+++ b/modules/encrypt-node/src/index.ts
@@ -0,0 +1,17 @@
+/*
+ * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ * http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export { encryptStream } from './encrypt_stream'
+export { encrypt } from './encrypt'
diff --git a/modules/encrypt-node/src/signature_stream.ts b/modules/encrypt-node/src/signature_stream.ts
new file mode 100644
index 000000000..b3addf58e
--- /dev/null
+++ b/modules/encrypt-node/src/signature_stream.ts
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ * http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { Transform } from 'stream'
+import { Signer } from 'crypto' // eslint-disable-line no-unused-vars
+
+type GetSigner = () => Signer
+export class SignatureStream extends Transform {
+ private _signer!: Signer|undefined
+ constructor (getSigner?: GetSigner) {
+ super()
+ const value = getSigner && getSigner()
+ Object.defineProperty(this, '_signer', { value, enumerable: true })
+ }
+
+ _transform (chunk: any, _encoding: string, callback: Function) {
+ // If we have a signer, push the data to it
+ this._signer && this._signer.update(chunk)
+ // forward the data on
+ callback(null, chunk)
+ }
+
+ _flush (callback: Function) {
+ // @ts-ignore The private key is already bound. Emit the signature
+ this._signer && this.push(this._signer.sign())
+ callback()
+ }
+}
diff --git a/modules/encrypt-node/test/encrypt.test.ts b/modules/encrypt-node/test/encrypt.test.ts
new file mode 100644
index 000000000..353deed51
--- /dev/null
+++ b/modules/encrypt-node/test/encrypt.test.ts
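Review bot: `_flush` needs `// @ts-ignore` to call `this._signer.sign()` with no key, which only works if `getSigner` returns something other than a plain `crypto.Signer` (whose `sign` requires the private key), so the `Signer` import and `type GetSigner = () => Signer` describe a contract the code does not actually use. Declare the real one instead of suppressing the checker, e.g. `interface BoundSigner { update (data: Buffer): void; sign (): Buffer }` and `type GetSigner = () => BoundSigner`, which removes the `@ts-ignore` and lets the compiler verify the zero-argument call. `_transform (chunk: any, …)` should take `chunk: Buffer`, and both `callback: Function` parameters should be `(err?: Error|null, data?: Buffer) => void`, so a wrong argument shape is caught at compile time. The signature is pushed verbatim, so a comment on `_flush` should state that `sign()` must already return the serialized footer (length prefix included) — confirm against `getEncryptHelper` in material-management-node.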
@@ -0,0 +1,135 @@
+/*
+ * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ * http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* eslint-env mocha */
+
+// import { expect } from 'chai'
+import 'mocha'
+import {
+ NodeDecryptionMaterial, // eslint-disable-line no-unused-vars
+ NodeAlgorithmSuite, NodeEncryptionMaterial, NodeCryptographicMaterialsManager, NodeKeyring, EncryptedDataKey,
+ KeyringTraceFlag, AlgorithmSuiteIdentifier
+} from '@aws-crypto/material-management-node'
+
+import * as fs from 'fs'
+
+import { encryptStream, getEncryptionInfo } from '../src/encrypt_stream'
+
+import { getFramedEncryptStream } from '../src/framed_encrypt_stream'
+import { SignatureStream } from '../src/signature_stream'
+import { encrypt } from '../src/encrypt'
+
+const never = () => { throw new Error('never') }
+
+describe('asdf', () => {
+ it('encrypt', async () => {
+ class TestKeyring extends NodeKeyring {
+ async _onEncrypt (material: NodeEncryptionMaterial) {
+ const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1)
+ const trace = { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY }
+ const edk = new EncryptedDataKey({ providerId: 'k', providerInfo: 'k', encryptedDataKey: new Uint8Array(3) })
+ return material
+ .setUnencryptedDataKey(unencryptedDataKey, trace)
+ .addEncryptedDataKey(edk, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
+ }
+ async _onDecrypt (material: NodeDecryptionMaterial) {
+ never()
+ return material
+ }
+ }
+ const keyRing = new TestKeyring()
+ const cmm = new NodeCryptographicMaterialsManager(keyRing)
+ const suiteId = AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16
+
+ const plaintext = 'asdf'
+ const ciphertext = await encrypt(cmm, plaintext, { suiteId })
+ console.log(ciphertext)
+ })
+
+ it('getFramedEncryptStream', (done) => {
+ const suiteId = AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16
+ const suite = new NodeAlgorithmSuite(suiteId)
+ const material = new NodeEncryptionMaterial(suite)
+
+ const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1)
+ const trace = { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY }
+ const edk = new EncryptedDataKey({ providerId: 'k', providerInfo: 'k', encryptedDataKey: new Uint8Array(3) })
+ material
+ .setUnencryptedDataKey(unencryptedDataKey, trace)
+ .addEncryptedDataKey(edk, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
+
+ const { getCipher, messageHeader } = getEncryptionInfo(material, 1048, {})
+
+ const stream = getFramedEncryptStream(getCipher, messageHeader, () => {})
+
+ // 1048576
+
+ const stats = {
+ rawFile: 0,
+ encrypt: 0,
+ sig: 0
+ }
+
+ fs.createReadStream('/Users/ryanemer/aws-encryption-sdk-javascript/modules/encrypt-node/20190124_213050.jpg')
+ .on('data', ({ length }) => { stats.rawFile += length })
+ .pipe(stream)
+ .on('data', ({ length }) => { stats.encrypt += length })
+ .pipe(new SignatureStream())
+ .on('data', ({ length }) => { stats.sig += length })
+ .pipe(fs.createWriteStream('/Users/ryanemer/aws-encryption-sdk-javascript/modules/encrypt-node/stream_only'))
+ .on('finish', () => {
+ console.log('Stream: ', stats)
+ done()
+ })
+ })
+
+ it('duplex', (done) => {
+ class TestKeyring extends NodeKeyring {
+ async _onEncrypt (material: NodeEncryptionMaterial) {
+ const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1)
+ const trace = { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY }
+ const edk = new EncryptedDataKey({ providerId: 'k', providerInfo: 'k', encryptedDataKey: new Uint8Array(3) })
+ return material
+ .setUnencryptedDataKey(unencryptedDataKey, trace)
+ .addEncryptedDataKey(edk, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
+ }
+ async _onDecrypt (material: NodeDecryptionMaterial) {
+ never()
+ return material
+ }
+ }
+ const keyRing = new TestKeyring()
+ const cmm = new NodeCryptographicMaterialsManager(keyRing)
+ const suiteId = AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16
+
+ // 1048576
+ const stream = encryptStream(cmm, { suiteId, frameLength: 1048 })
+
+ const stats = {
+ rawFile: 0,
+ encrypt: 0,
+ sig: 0
+ }
+ fs.createReadStream('/Users/ryanemer/aws-encryption-sdk-javascript/modules/encrypt-node/20190124_213050.jpg')
+ .on('data', ({ length }) => { stats.rawFile += length })
+ .pipe(stream)
+ .on('data', ({ length }) => { stats.encrypt += length })
+ .pipe(fs.createWriteStream('/Users/ryanemer/aws-encryption-sdk-javascript/modules/encrypt-node/stream_duplex'))
+ .on('finish', () => {
+ console.log('Duplex:', stats)
+ done()
+ })
+ })
+})
diff --git a/modules/encrypt-node/tsconfig.json b/modules/encrypt-node/tsconfig.json
new file mode 100644
index 000000000..542835b87
--- /dev/null
+++ b/modules/encrypt-node/tsconfig.json
@@ -0,0 +1,13 @@
+{
+ "extends": "../tsconfig.settings.json",
+ "compilerOptions": {
+ "outDir": "build/main",
+ "rootDir": "./src"
+ },
+ "include": ["src/**/*.ts"],
+ "exclude": ["node_modules/**"],
+ "references": [
+ { "path": "../material-management-node" },
+ { "path": "../serialize" }
+ ]
+}
\ No newline at end of file
diff --git a/modules/encrypt-node/tsconfig.module.json b/modules/encrypt-node/tsconfig.module.json
new file mode 100644
index 000000000..50bf04db4
--- /dev/null
+++ b/modules/encrypt-node/tsconfig.module.json
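Review bot: The 'getFramedEncryptStream' and 'duplex' cases read and write absolute paths under `/Users/ryanemer/...`, so the suite passes on one developer's machine only and `npm test` fails everywhere else (the read stream errors before any check runs). Use an in-memory source instead — a `PassThrough` from 'stream' ended with `Buffer.alloc(4096, 1)` is enough to exercise framing — and send output to another `PassThrough` or a file under `os.tmpdir()`. None of the three cases asserts anything: `expect` is commented out and results only reach `console.log`, so a regression in frame size or ciphertext length goes unnoticed; at minimum assert `stats.encrypt` against the expected framed size and that `ciphertext.length` exceeds `plaintext.length`. The `describe('asdf', …)` label should name the unit under test.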
@@ -0,0 +1,12 @@ +{ + "extends": "./tsconfig", + "compilerOptions": { + "target": "esnext", + "outDir": "build/module", + "module": "esnext", + "allowSyntheticDefaultImports": true + }, + "exclude": [ + "node_modules/**" + ] +} \ No newline at end of file diff --git a/modules/tsconfig.settings.json b/modules/tsconfig.settings.json index 0923458ef..179848215 100644 --- a/modules/tsconfig.settings.json +++ b/modules/tsconfig.settings.json @@ -22,9 +22,6 @@ "lib": ["es2017", "dom"], - "typeRoots": [ - "node_modules/@types" - ], "composite": true } } \ No newline at end of file From 2f3e865560107e3296cebfc66d97e08adf86b9c3 Mon Sep 17 00:00:00 2001 From: seebees Date: Thu, 21 Mar 2019 21:25:09 -0700 Subject: [PATCH 02/15] encrypt-node node v11 types --- modules/encrypt-node/package.json | 2 +- modules/encrypt-node/src/framed_encrypt_stream.ts | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/encrypt-node/package.json b/modules/encrypt-node/package.json index 9fc306840..f5ce7983b 100644 --- a/modules/encrypt-node/package.json +++ b/modules/encrypt-node/package.json @@ -26,7 +26,7 @@ "devDependencies": { "@types/chai": "^4.1.4", "@types/mocha": "^5.2.5", - "@types/node": "^8.10.40", + "@types/node": "^11.11.4", "@typescript-eslint/eslint-plugin": "^1.4.2", "@typescript-eslint/parser": "^1.4.2", "chai": "^4.1.2", diff --git a/modules/encrypt-node/src/framed_encrypt_stream.ts b/modules/encrypt-node/src/framed_encrypt_stream.ts index b6bb86cf7..f62da0dab 100644 --- a/modules/encrypt-node/src/framed_encrypt_stream.ts +++ b/modules/encrypt-node/src/framed_encrypt_stream.ts 
@@ -19,7 +19,7 @@ import { } from '@aws-crypto/serialize' // @ts-ignore import { Transform as PortableTransform } from 'readable-stream' -import { Cipher } from 'crypto' // eslint-disable-line no-unused-vars +import { CipherGCM } from 'crypto' // eslint-disable-line no-unused-vars import { Transform } from 'stream' // eslint-disable-line no-unused-vars import { needs } from '@aws-crypto/material-management-node' @@ -38,7 +38,7 @@ interface EncryptFrame { content: Buffer[] bodyHeader: Buffer headerSent?: boolean - cipher: Cipher, + cipher: CipherGCM, isFinalFrame: boolean } @@ -154,7 +154,7 @@ export function getFramedEncryptStream (getCipher: GetCipher, messageHeader: Mes })() } -type GetCipher = (iv: Uint8Array) => Cipher +type GetCipher = (iv: Uint8Array) => CipherGCM type EncryptFrameInput = { pendingFrame: AccumulatingFrame, From b515a7aea636a76661e8c058926fa5b5d38562e2 Mon Sep 17 00:00:00 2001 From: seebees Date: Fri, 22 Mar 2019 08:46:33 -0700 Subject: [PATCH 03/15] default params comments, and a little clean up --- modules/encrypt-node/src/encrypt_stream.ts | 25 +++++++++++++++++-- .../encrypt-node/src/framed_encrypt_stream.ts | 11 ++++++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index 4b8aa7528..cc9f31b3d 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts @@ -15,7 +15,7 @@ import { NodeCryptographicMaterialsManager, NodeAlgorithmSuite, AlgorithmSuiteIdentifier, // eslint-disable-line no-unused-vars - NodeEncryptionMaterial, getEncryptHelper, EncryptionContext // eslint-disable-line no-unused-vars + NodeKeyring, NodeEncryptionMaterial, getEncryptHelper, EncryptionContext // eslint-disable-line no-unused-vars } from '@aws-crypto/material-management-node' import { getFramedEncryptStream } from './framed_encrypt_stream' import { SignatureStream } from './signature_stream' 
@@ -39,8 +39,27 @@ export interface EncryptStreamInput { plaintextLength?: number } -export function encryptStream (cmm: NodeCryptographicMaterialsManager, op: EncryptStreamInput = {}) { +/** + * Takes a NodeCryptographicMaterialsManager or a NodeKeyring that will + * be wrapped in a NodeCryptographicMaterialsManager and returns a stream. + * + * @param cmm NodeCryptographicMaterialsManager|NodeKeyring + * @param op EncryptStreamInput + */ +export function encryptStream ( + cmm: NodeCryptographicMaterialsManager|NodeKeyring, + op: EncryptStreamInput = {} +) { const { suiteId, context, frameLength = 10 } = op + + /* If the cmm is not a MaterialsManager, wrap in one. + * I am expecting the NodeCryptographicMaterialsManager to + * handle non-keyring parameters. + */ + cmm = cmm instanceof NodeCryptographicMaterialsManager + ? cmm + : new NodeCryptographicMaterialsManager(cmm) + const suite = suiteId && new NodeAlgorithmSuite(suiteId) const wrappingStream = new Duplexify() @@ -51,6 +70,8 @@ export function encryptStream (cmm: NodeCryptographicMaterialsManager, op: Encry const { getCipher, messageHeader, rawHeader } = getEncryptionInfo(material, frameLength, context) + wrappingStream.emit('MessageHeader', messageHeader) + const encryptStream = getFramedEncryptStream(getCipher, messageHeader, dispose) const signatureStream = new SignatureStream(getSigner) diff --git a/modules/encrypt-node/src/framed_encrypt_stream.ts b/modules/encrypt-node/src/framed_encrypt_stream.ts index f62da0dab..6e375d8b8 100644 --- a/modules/encrypt-node/src/framed_encrypt_stream.ts +++ b/modules/encrypt-node/src/framed_encrypt_stream.ts 
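Review bot: The default `frameLength = 10` in the destructuring at the top of `encryptStream` looks like a development placeholder rather than a deliberate production default — ten bytes of plaintext per frame means every frame carries a full body header and an auth tag — and nothing checks that a caller-supplied `frameLength` is a positive integer before it is written into the message header. I would pick the default on purpose and fail early, e.g. `needs(Number.isInteger(frameLength) && frameLength > 0, 'frameLength must be a positive integer')` right after the destructuring (`needs` is imported from `@aws-crypto/material-management-node` in the sibling framed_encrypt_stream.ts, so it would need adding to this file's import). The `instanceof` branch defers all validation of a non-keyring argument to the `NodeCryptographicMaterialsManager` constructor, as the new comment says; that is fine only if that constructor actually throws on garbage, which is worth confirming rather than "expecting". `encryptStream`'s body continues past the end of the hunk.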
@@ -53,6 +53,8 @@ export function getFramedEncryptStream (getCipher: GetCipher, messageHeader: Mes return new (class FramedEncryptStream extends ( Transform>PortableTransform) { _transform (chunk: Buffer, encoding: string, callback: ErrBack) { const contentLeft = frameLength - accumulatingFrame.contentLength + + /* Check for early return (Postcondition): Have not accumulated a frame. */ if (contentLeft > chunk.length) { // eat more accumulatingFrame.contentLength += chunk.length @@ -136,6 +138,13 @@ export function getFramedEncryptStream (getCipher: GetCipher, messageHeader: Mes await ioTick() } + /* Finalize the cipher and handle any tail. */ + const tail = cipher.final() + frameSize += tail.length + cipherContent.push(tail) + /* Push the authTag onto the end. Yes, I am abusing the name. */ + cipherContent.push(cipher.getAuthTag()) + needs(frameSize === frameLength || isFinalFrame, 'Malformed frame') for (const cipherText of cipherContent) { @@ -147,8 +156,6 @@ export function getFramedEncryptStream (getCipher: GetCipher, messageHeader: Mes } } - this.push(cipher.final()) - this.push(cipher.getAuthTag()) if (isFinalFrame) this.push(null) } })() From af04407dc3c92eb313f5777707f75239681df9bd Mon Sep 17 00:00:00 2001 From: seebees Date: Fri, 22 Mar 2019 15:24:21 -0700 Subject: [PATCH 04/15] expliciate utf8 --- modules/encrypt-node/src/encrypt_stream.ts | 2 +- modules/encrypt-node/src/framed_encrypt_stream.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index cc9f31b3d..897bf89b3 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts 
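Review bot: The postcondition `needs(frameSize === frameLength || isFinalFrame, 'Malformed frame')` that follows the new `cipher.final()` handling accepts any size at all for the final frame, so an over-long final frame would be emitted without complaint; presumably the accumulator in `_transform` never lets that happen, but the check is cheap to tighten: `needs(isFinalFrame ? frameSize <= frameLength : frameSize === frameLength, 'Malformed frame')`. Pushing the auth tag into `cipherContent` after `final()` is the right order for GCM, but the `// Yes, I am abusing the name` comment would serve the next reader better as a statement of what is emitted, e.g. `// The frame body is emitted as ciphertext followed by the GCM auth tag, so the tag rides along in cipherContent.` The enclosing async function starts and ends outside the hunk.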
@@ -29,7 +29,7 @@ import { // @ts-ignore import { pipeline } from 'readable-stream' -const fromUtf8 = (input: string) => Buffer.from(input) +const fromUtf8 = (input: string) => Buffer.from(input, 'utf8') const { serializeMessageHeader, headerAuthIv } = serializeFactory(fromUtf8) export interface EncryptStreamInput { diff --git a/modules/encrypt-node/src/framed_encrypt_stream.ts b/modules/encrypt-node/src/framed_encrypt_stream.ts index 6e375d8b8..f7d3c7d5f 100644 --- a/modules/encrypt-node/src/framed_encrypt_stream.ts +++ b/modules/encrypt-node/src/framed_encrypt_stream.ts @@ -23,7 +23,7 @@ import { CipherGCM } from 'crypto' // eslint-disable-line no-unused-vars import { Transform } from 'stream' // eslint-disable-line no-unused-vars import { needs } from '@aws-crypto/material-management-node' -const fromUtf8 = (input: string) => Buffer.from(input) +const fromUtf8 = (input: string) => Buffer.from(input, 'utf8') const serialize = serializeFactory(fromUtf8) const { finalFrameHeader, frameHeader } = serialize const aadUtility = aadFactory(fromUtf8) From 0a2f3f9548e9facfb8463a22954900a26e8f1155 Mon Sep 17 00:00:00 2001 From: seebees Date: Sat, 23 Mar 2019 15:09:15 -0700 Subject: [PATCH 05/15] encrypt-node lint suiteId --- modules/encrypt-node/src/encrypt_stream.ts | 8 ++++---- modules/encrypt-node/test/encrypt.test.ts | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index 897bf89b3..bee9c2764 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts @@ -42,7 +42,7 @@ export interface EncryptStreamInput { /** * Takes a NodeCryptographicMaterialsManager or a NodeKeyring that will * be wrapped in a NodeCryptographicMaterialsManager and returns a stream. - * + * * @param cmm NodeCryptographicMaterialsManager|NodeKeyring * @param op EncryptStreamInput */ 
@@ -97,10 +97,10 @@ export function getEncryptionInfo (material : NodeEncryptionMaterial, frameLengt const messageHeader: MessageHeader = Object.freeze({ version: SerializationVersion.V1, type: ObjectType.CUSTOMER_AE_DATA, - algorithmId: id, + suiteId: id, messageId, encryptionContext: context, - encryptedDataKeys: material.encryptedDataKeys, // freeze me please + encryptedDataKeys: Object.freeze(material.encryptedDataKeys), // freeze me please contentType: ContentType.FRAMED_DATA, headerIvLength: ivLength, frameLength @@ -108,7 +108,7 @@ export function getEncryptionInfo (material : NodeEncryptionMaterial, frameLengt const headerBytes = serializeMessageHeader(messageHeader) const headerBuffer = Buffer.from(headerBytes.buffer) - const info = kdfInfo(messageHeader.algorithmId, messageHeader.messageId) + const info = kdfInfo(messageHeader.suiteId, messageHeader.messageId) const getCipher = kdfGetCipher(info) const headerIv = headerAuthIv(ivLength) const validateHeader = getCipher(headerIv) diff --git a/modules/encrypt-node/test/encrypt.test.ts b/modules/encrypt-node/test/encrypt.test.ts index 353deed51..338842bf9 100644 --- a/modules/encrypt-node/test/encrypt.test.ts +++ b/modules/encrypt-node/test/encrypt.test.ts @@ -34,7 +34,7 @@ import { encrypt } from '../src/encrypt' const never = () => { throw new Error('never') } describe('asdf', () => { - it('encrypt', async () => { + it.skip('encrypt', async () => { class TestKeyring extends NodeKeyring { async _onEncrypt (material: NodeEncryptionMaterial) { const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1) @@ -58,7 +58,7 @@ describe('asdf', () => { console.log(ciphertext) }) - it('getFramedEncryptStream', (done) => { + it.skip('getFramedEncryptStream', (done) => { const suiteId = AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 const suite = new NodeAlgorithmSuite(suiteId) const material = new NodeEncryptionMaterial(suite) 
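Review bot: `Object.freeze(material.encryptedDataKeys)` in the `messageHeader` literal is only a shallow freeze — the array can no longer be appended to, but each `EncryptedDataKey` inside it stays mutable — and, if `encryptedDataKeys` returns the material's live array rather than a copy, this freezes the material itself in place so any later `addEncryptedDataKey` would throw; worth confirming which it is before relying on it. Either way the surviving `// freeze me please` comment now reads as an unresolved request and should state what was done, e.g. `// shallow-frozen so the header cannot gain or lose EDKs after it is serialized`. The `algorithmId` → `suiteId` rename is consistent with the `kdfInfo` call in the following hunk. `getEncryptionInfo`'s body starts and ends outside the hunk.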
@@ -95,7 +95,7 @@ describe('asdf', () => { }) }) - it('duplex', (done) => { + it.skip('duplex', (done) => { class TestKeyring extends NodeKeyring { async _onEncrypt (material: NodeEncryptionMaterial) { const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1) From c2ba994a400fcac5e1cd429ef6fdcb12aa20bac9 Mon Sep 17 00:00:00 2001 From: seebees Date: Wed, 27 Mar 2019 11:00:40 -0700 Subject: [PATCH 06/15] encrypt-node --- modules/encrypt-node/src/encrypt.ts | 28 ++++++++++++++++++---- modules/encrypt-node/src/encrypt_stream.ts | 5 ++-- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/modules/encrypt-node/src/encrypt.ts b/modules/encrypt-node/src/encrypt.ts index 0ac7fc037..933c038aa 100644 --- a/modules/encrypt-node/src/encrypt.ts +++ b/modules/encrypt-node/src/encrypt.ts @@ -9,23 +9,31 @@ import { // @ts-ignore import { finished } from 'readable-stream' import { Readable } from 'stream' // eslint-disable-line no-unused-vars -import { promisify } from 'util' -const finishedAsync = promisify(finished) +import { Duplexify } from 'duplexify' // eslint-disable-line no-unused-vars +import { MessageHeader } from '@aws-crypto/serialize'; interface EncryptInput extends EncryptStreamInput { encoding?: string } +export interface EncryptOutput { + ciphertext: Buffer + messageHeader: MessageHeader +} + export async function encrypt ( cmm: NodeCryptographicMaterialsManager, plaintext: Buffer|Uint8Array|Readable|string, op: EncryptInput = {} -) { +): Promise { const stream = encryptStream(cmm, op) const { encoding } = op const ciphertext: Buffer[] = [] - stream.on('data', (chunk: Buffer) => ciphertext.push(chunk)) + const messageHeader: MessageHeader|false = false + stream + .once('MessageHeader', header => stream.emit('MessageHeader', header)) + .on('data', (chunk: Buffer) => ciphertext.push(chunk)) // This will check both Uint8Array|Buffer if (plaintext instanceof Uint8Array) { 
@@ -39,6 +47,16 @@ export async function encrypt ( } await finishedAsync(stream) + if (!messageHeader) throw new Error('Unknown format') + + return { + ciphertext: Buffer.concat(ciphertext), + messageHeader + } +} - return Buffer.concat(ciphertext) +function finishedAsync(stream: Duplexify) { + return new Promise((resolve, reject) => { + finished(stream, (err: Error) => err ? reject(err) : resolve()) + }) } diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index bee9c2764..a5562b934 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts @@ -22,12 +22,13 @@ import { SignatureStream } from './signature_stream' import Duplexify from 'duplexify' import { randomBytes } from 'crypto' import { - MessageHeader, // eslint-disable-line no-unused-vars + MessageHeader, serializeFactory, kdfInfo, ContentType, SerializationVersion, ObjectType } from '@aws-crypto/serialize' // @ts-ignore import { pipeline } from 'readable-stream' +import { Duplex } from 'stream' // eslint-disable-line no-unused-vars const fromUtf8 = (input: string) => Buffer.from(input, 'utf8') const { serializeMessageHeader, headerAuthIv } = serializeFactory(fromUtf8) @@ -49,7 +50,7 @@ export interface EncryptStreamInput { export function encryptStream ( cmm: NodeCryptographicMaterialsManager|NodeKeyring, op: EncryptStreamInput = {} -) { +): Duplex { const { suiteId, context, frameLength = 10 } = op /* If the cmm is not a MaterialsManager, wrap in one. From 61745df93b9055acc158b4b836b4f8ab7d18b934 Mon Sep 17 00:00:00 2001 From: seebees Date: Wed, 27 Mar 2019 14:23:22 -0700 Subject: [PATCH 07/15] encrypt-node lint --- modules/encrypt-node/src/encrypt.ts | 4 ++-- modules/encrypt-node/src/encrypt_stream.ts | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/encrypt-node/src/encrypt.ts b/modules/encrypt-node/src/encrypt.ts index 933c038aa..1dfd2c3d6 100644 
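Review bot: The new `if (!messageHeader) throw new Error('Unknown format')` fires when the stream finished without ever emitting a `MessageHeader`, which is a failure to produce a header, not a format problem, and the message will send a caller debugging the wrong thing; `throw new Error('MessageHeader was never emitted before the stream finished')` describes the actual condition. As committed here `messageHeader` is still the `const ... = false` declared in the previous hunk, so until it is reassigned somewhere the throw is unconditional. `encrypt`'s body starts outside the hunk.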
--- a/modules/encrypt-node/src/encrypt.ts +++ b/modules/encrypt-node/src/encrypt.ts @@ -10,7 +10,7 @@ import { import { finished } from 'readable-stream' import { Readable } from 'stream' // eslint-disable-line no-unused-vars import { Duplexify } from 'duplexify' // eslint-disable-line no-unused-vars -import { MessageHeader } from '@aws-crypto/serialize'; +import { MessageHeader } from '@aws-crypto/serialize' // eslint-disable-line no-unused-vars interface EncryptInput extends EncryptStreamInput { encoding?: string @@ -55,7 +55,7 @@ export async function encrypt ( } } -function finishedAsync(stream: Duplexify) { +function finishedAsync (stream: Duplexify) { return new Promise((resolve, reject) => { finished(stream, (err: Error) => err ? reject(err) : resolve()) }) diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index a5562b934..a52921da8 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts @@ -22,7 +22,7 @@ import { SignatureStream } from './signature_stream' import Duplexify from 'duplexify' import { randomBytes } from 'crypto' import { - MessageHeader, + MessageHeader, // eslint-disable-line no-unused-vars serializeFactory, kdfInfo, ContentType, SerializationVersion, ObjectType } from '@aws-crypto/serialize' From e82aa096137cfbda580f4cbe5cc643aacb7c3af8 Mon Sep 17 00:00:00 2001 From: seebees Date: Thu, 28 Mar 2019 14:15:01 -0700 Subject: [PATCH 08/15] encrypt-node --- modules/encrypt-node/src/encrypt.ts | 9 ++++----- modules/encrypt-node/src/encrypt_stream.ts | 8 ++++---- modules/encrypt-node/src/signature_stream.ts | 10 +++++----- 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/modules/encrypt-node/src/encrypt.ts b/modules/encrypt-node/src/encrypt.ts index 1dfd2c3d6..2cef7bde5 100644 --- a/modules/encrypt-node/src/encrypt.ts +++ b/modules/encrypt-node/src/encrypt.ts 
@@ -8,8 +8,7 @@ import { // @ts-ignore import { finished } from 'readable-stream' -import { Readable } from 'stream' // eslint-disable-line no-unused-vars -import { Duplexify } from 'duplexify' // eslint-disable-line no-unused-vars +import { Readable, Duplex } from 'stream' // eslint-disable-line no-unused-vars import { MessageHeader } from '@aws-crypto/serialize' // eslint-disable-line no-unused-vars interface EncryptInput extends EncryptStreamInput { @@ -30,9 +29,9 @@ export async function encrypt ( const { encoding } = op const ciphertext: Buffer[] = [] - const messageHeader: MessageHeader|false = false + let messageHeader: MessageHeader|false = false stream - .once('MessageHeader', header => stream.emit('MessageHeader', header)) + .once('MessageHeader', header => { messageHeader = header }) .on('data', (chunk: Buffer) => ciphertext.push(chunk)) // This will check both Uint8Array|Buffer @@ -55,7 +54,7 @@ export async function encrypt ( } } -function finishedAsync (stream: Duplexify) { +function finishedAsync (stream: Duplex) { return new Promise((resolve, reject) => { finished(stream, (err: Error) => err ? reject(err) : resolve()) }) diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index a52921da8..d023683b0 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts @@ -15,7 +15,7 @@ import { NodeCryptographicMaterialsManager, NodeAlgorithmSuite, AlgorithmSuiteIdentifier, // eslint-disable-line no-unused-vars - NodeKeyring, NodeEncryptionMaterial, getEncryptHelper, EncryptionContext // eslint-disable-line no-unused-vars + KeyringNode, NodeEncryptionMaterial, getEncryptHelper, EncryptionContext // eslint-disable-line no-unused-vars } from '@aws-crypto/material-management-node' import { getFramedEncryptStream } from './framed_encrypt_stream' import { SignatureStream } from './signature_stream' 
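Review bot: `stream.once('MessageHeader', header => { messageHeader = header })` is attached after `encryptStream(cmm, op)` has already returned, so it only works if the header is emitted on a later tick (presumably after the materials manager's async lookup resolves); should `encryptStream` ever emit synchronously, the event would be dropped by the emitter and `encrypt` would fail with the 'Unknown format' error further down. A comment on the `once` line would pin that invariant: `// encryptStream emits the header asynchronously, after materials resolve; attach before the first await.` `encrypt`'s body starts and ends outside the hunk.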
@@ -41,14 +41,14 @@ export interface EncryptStreamInput { } /** - * Takes a NodeCryptographicMaterialsManager or a NodeKeyring that will + * Takes a NodeCryptographicMaterialsManager or a KeyringNode that will * be wrapped in a NodeCryptographicMaterialsManager and returns a stream. * - * @param cmm NodeCryptographicMaterialsManager|NodeKeyring + * @param cmm NodeCryptographicMaterialsManager|KeyringNode * @param op EncryptStreamInput */ export function encryptStream ( - cmm: NodeCryptographicMaterialsManager|NodeKeyring, + cmm: NodeCryptographicMaterialsManager|KeyringNode, op: EncryptStreamInput = {} ): Duplex { const { suiteId, context, frameLength = 10 } = op diff --git a/modules/encrypt-node/src/signature_stream.ts b/modules/encrypt-node/src/signature_stream.ts index b3addf58e..07ff8d33f 100644 --- a/modules/encrypt-node/src/signature_stream.ts +++ b/modules/encrypt-node/src/signature_stream.ts @@ -14,11 +14,12 @@ */ import { Transform } from 'stream' -import { Signer } from 'crypto' // eslint-disable-line no-unused-vars +import { GetSigner } from '@aws-crypto/material-management-node' // eslint-disable-line no-unused-vars + +type AWSSigner = ReturnType -type GetSigner = () => Signer export class SignatureStream extends Transform { - private _signer!: Signer|undefined + private _signer!: AWSSigner|undefined constructor (getSigner?: GetSigner) { super() const value = getSigner && getSigner() @@ -33,8 +34,7 @@ export class SignatureStream extends Transform { } _flush (callback: Function) { - // @ts-ignore The private key is already bound. Emit the signature - this._signer && this.push(this._signer.sign()) + this._signer && this.push(this._signer.awsCryptoSign()) callback() } } From b229fcc9aac367e098f6e56a944b206c031f255e Mon Sep 17 00:00:00 2001 
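Review bot: In `_flush`, `this._signer && this.push(this._signer.awsCryptoSign())` silently passes the ciphertext through with no signature whenever the constructor received no signer; that is presumably intended for non-signing suites, where `getSigner` is omitted, but nothing here distinguishes that from a signing suite whose `getSigner()` returned nothing, and a reader cannot tell which case the branch is for. A comment such as `// No signer means a non-signing suite: emit the ciphertext unsigned.` would make the design explicit, and the `callback: Function` parameter should be the concrete `(error?: Error | null) => void` that `Transform#_flush` receives. As rendered here `type AWSSigner = ReturnType` has no type argument (likely `ReturnType<GetSigner>` stripped by the renderer); worth confirming in the source since the bare form does not compile.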
From: seebees Date: Fri, 29 Mar 2019 07:42:11 -0700 Subject: [PATCH 09/15] housekeeping --- modules/encrypt-node/.gitignore | 3 --- modules/encrypt-node/.npmignore | 3 --- modules/encrypt-node/NOTICE | 2 +- modules/encrypt-node/package.json | 1 + modules/encrypt-node/src/encrypt_stream.ts | 2 +- modules/encrypt-node/src/framed_encrypt_stream.ts | 2 +- modules/encrypt-node/src/index.ts | 2 +- modules/encrypt-node/src/signature_stream.ts | 2 +- modules/encrypt-node/test/encrypt.test.ts | 2 +- 9 files changed, 7 insertions(+), 12 deletions(-) delete mode 100644 modules/encrypt-node/.gitignore delete mode 100644 modules/encrypt-node/.npmignore diff --git a/modules/encrypt-node/.gitignore b/modules/encrypt-node/.gitignore deleted file mode 100644 index 6498d2c9d..000000000 --- a/modules/encrypt-node/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -/node_modules/ -/build/ -/.nyc_output \ No newline at end of file diff --git a/modules/encrypt-node/.npmignore b/modules/encrypt-node/.npmignore deleted file mode 100644 index f39dee960..000000000 --- a/modules/encrypt-node/.npmignore +++ /dev/null @@ -1,3 +0,0 @@ -/src/ -/coverage/ -/test/ \ No newline at end of file diff --git a/modules/encrypt-node/NOTICE b/modules/encrypt-node/NOTICE index a95284f35..88f7bea1e 100644 --- a/modules/encrypt-node/NOTICE +++ b/modules/encrypt-node/NOTICE @@ -1,2 +1,2 @@ AWS Encryption SDK for Javascript -Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. +Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. diff --git a/modules/encrypt-node/package.json b/modules/encrypt-node/package.json index f5ce7983b..7226a1158 100644 --- a/modules/encrypt-node/package.json +++ b/modules/encrypt-node/package.json @@ -40,6 +40,7 @@ "main": "./build/main/index.js", "module": "./build/module/index.js", "types": "./build/main/index.d.ts", + "files": ["./build/**/*"], "standard": { "parser": "@typescript-eslint/parser", "plugins": [ 
diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index d023683b0..6d2bdbca3 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts @@ -1,5 +1,5 @@ /* - * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use * this file except in compliance with the License. A copy of the License is diff --git a/modules/encrypt-node/src/framed_encrypt_stream.ts b/modules/encrypt-node/src/framed_encrypt_stream.ts index f7d3c7d5f..51d332df4 100644 --- a/modules/encrypt-node/src/framed_encrypt_stream.ts +++ b/modules/encrypt-node/src/framed_encrypt_stream.ts @@ -1,5 +1,5 @@ /* - * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use * this file except in compliance with the License. A copy of the License is diff --git a/modules/encrypt-node/src/index.ts b/modules/encrypt-node/src/index.ts index f59edc16a..f398b68c1 100644 --- a/modules/encrypt-node/src/index.ts +++ b/modules/encrypt-node/src/index.ts @@ -1,5 +1,5 @@ /* - * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use * this file except in compliance with the License. A copy of the License is diff --git a/modules/encrypt-node/src/signature_stream.ts b/modules/encrypt-node/src/signature_stream.ts index 07ff8d33f..2f7bf947a 100644 --- a/modules/encrypt-node/src/signature_stream.ts +++ b/modules/encrypt-node/src/signature_stream.ts 
@@ -1,5 +1,5 @@ /* - * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use * this file except in compliance with the License. A copy of the License is diff --git a/modules/encrypt-node/test/encrypt.test.ts b/modules/encrypt-node/test/encrypt.test.ts index 338842bf9..d44efd8f9 100644 --- a/modules/encrypt-node/test/encrypt.test.ts +++ b/modules/encrypt-node/test/encrypt.test.ts @@ -1,5 +1,5 @@ /* - * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use * this file except in compliance with the License. A copy of the License is From b85e9203526095dab8d9aa68db037a6e2610a22f Mon Sep 17 00:00:00 2001 From: seebees Date: Fri, 29 Mar 2019 14:01:33 -0700 Subject: [PATCH 10/15] encrypt-node --- modules/encrypt-node/test/encrypt.test.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/encrypt-node/test/encrypt.test.ts b/modules/encrypt-node/test/encrypt.test.ts index d44efd8f9..93a8e03f0 100644 --- a/modules/encrypt-node/test/encrypt.test.ts +++ b/modules/encrypt-node/test/encrypt.test.ts @@ -19,7 +19,7 @@ import 'mocha' import { NodeDecryptionMaterial, // eslint-disable-line no-unused-vars - NodeAlgorithmSuite, NodeEncryptionMaterial, NodeCryptographicMaterialsManager, NodeKeyring, EncryptedDataKey, + NodeAlgorithmSuite, NodeEncryptionMaterial, NodeCryptographicMaterialsManager, KeyringNode, EncryptedDataKey, KeyringTraceFlag, AlgorithmSuiteIdentifier } from '@aws-crypto/material-management-node' 
@@ -35,7 +35,7 @@ const never = () => { throw new Error('never') } describe('asdf', () => { it.skip('encrypt', async () => { - class TestKeyring extends NodeKeyring { + class TestKeyring extends KeyringNode { async _onEncrypt (material: NodeEncryptionMaterial) { const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1) const trace = { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY } @@ -96,7 +96,7 @@ describe('asdf', () => { }) it.skip('duplex', (done) => { - class TestKeyring extends NodeKeyring { + class TestKeyring extends KeyringNode { async _onEncrypt (material: NodeEncryptionMaterial) { const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1) const trace = { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY } From 66724d25ed99160d3959ed671484e2dbc4fd2291 Mon Sep 17 00:00:00 2001 From: seebees Date: Thu, 4 Apr 2019 09:11:30 -0700 Subject: [PATCH 11/15] encrypt-node --- modules/encrypt-node/src/encrypt_stream.ts | 4 ++-- modules/encrypt-node/src/framed_encrypt_stream.ts | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index 6d2bdbca3..885c4b037 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts @@ -107,8 +107,8 @@ export function getEncryptionInfo (material : NodeEncryptionMaterial, frameLengt frameLength }) - const headerBytes = serializeMessageHeader(messageHeader) - const headerBuffer = Buffer.from(headerBytes.buffer) + const {buffer, byteOffset, byteLength} = serializeMessageHeader(messageHeader) + const headerBuffer = Buffer.from(buffer, byteOffset, byteLength) const info = kdfInfo(messageHeader.suiteId, messageHeader.messageId) const getCipher = kdfGetCipher(info) const headerIv = headerAuthIv(ivLength) 
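Review bot: The switch to `Buffer.from(buffer, byteOffset, byteLength)` for `headerBuffer` corrects a real defect — `Buffer.from(headerBytes.buffer)` wrapped the entire backing `ArrayBuffer`, so a serialized header that was a view into a larger allocation would have carried extra bytes into whatever consumes `headerBuffer` (presumably the header authentication set up by `getCipher(headerIv)` just below) — but nothing in the code says so, and the next maintainer may "simplify" it back. A why-comment above the destructuring would protect the fix: `// Honor the view's offset/length: Buffer.from(u8.buffer) would wrap the whole backing ArrayBuffer, not just the header bytes.` Note that the resulting Buffer shares memory with the serialized header rather than copying it, which is fine as long as nothing mutates the view before it is consumed. `getEncryptionInfo`'s body starts and ends outside the hunk.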
diff --git a/modules/encrypt-node/src/framed_encrypt_stream.ts b/modules/encrypt-node/src/framed_encrypt_stream.ts index 51d332df4..87294b23d 100644 --- a/modules/encrypt-node/src/framed_encrypt_stream.ts +++ b/modules/encrypt-node/src/framed_encrypt_stream.ts @@ -179,9 +179,9 @@ export function getEncryptFrame (input: EncryptFrameInput): EncryptFrame { : frameHeader(sequenceNumber, frameIv)) const { contentType, messageId } = messageHeader const contentString = aadUtility.messageAADContentString({ contentType, isFinalFrame }) - const messageAAD = aadUtility.messageAAD(messageId, contentString, sequenceNumber, contentLength) + const {buffer, byteOffset, byteLength} = aadUtility.messageAAD(messageId, contentString, sequenceNumber, contentLength) const cipher = getCipher(frameIv) - cipher.setAAD(Buffer.from(messageAAD.buffer)) + cipher.setAAD(Buffer.from(buffer, byteOffset, byteLength)) return { content, cipher, bodyHeader, isFinalFrame } } From 671655228e267915b42bfaa2a89972749c027f14 Mon Sep 17 00:00:00 2001 From: seebees Date: Thu, 4 Apr 2019 17:00:51 -0700 Subject: [PATCH 12/15] update email --- modules/encrypt-node/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/encrypt-node/package.json b/modules/encrypt-node/package.json index 7226a1158..57c9d4175 100644 --- a/modules/encrypt-node/package.json +++ b/modules/encrypt-node/package.json @@ -11,7 +11,7 @@ }, "author": { "name": "AWS Crypto Tools Team", - "email": "aws-crypto-tools-team@amazon.com", + "email": "aws-cryptools@amazon.com", "url": "https://github.com/awslabs/aws-encryption-sdk-javascript" }, "license": "Apache-2.0", From 11788fc26551d605d8b74d3139ff2f348d5dbaa9 Mon Sep 17 00:00:00 2001 From: seebees Date: Fri, 5 Apr 2019 08:26:01 -0700 Subject: [PATCH 13/15] encrypt-node lint --- modules/encrypt-node/src/encrypt_stream.ts | 2 +- modules/encrypt-node/src/framed_encrypt_stream.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/modules/encrypt-node/src/encrypt_stream.ts b/modules/encrypt-node/src/encrypt_stream.ts index 885c4b037..24df8831b 100644 --- a/modules/encrypt-node/src/encrypt_stream.ts +++ b/modules/encrypt-node/src/encrypt_stream.ts @@ -107,7 +107,7 @@ export function getEncryptionInfo (material : NodeEncryptionMaterial, frameLengt frameLength }) - const {buffer, byteOffset, byteLength} = serializeMessageHeader(messageHeader) + const { buffer, byteOffset, byteLength } = serializeMessageHeader(messageHeader) const headerBuffer = Buffer.from(buffer, byteOffset, byteLength) const info = kdfInfo(messageHeader.suiteId, messageHeader.messageId) const getCipher = kdfGetCipher(info) diff --git a/modules/encrypt-node/src/framed_encrypt_stream.ts b/modules/encrypt-node/src/framed_encrypt_stream.ts index 87294b23d..e27be4f82 100644 --- a/modules/encrypt-node/src/framed_encrypt_stream.ts +++ b/modules/encrypt-node/src/framed_encrypt_stream.ts @@ -179,7 +179,7 @@ export function getEncryptFrame (input: EncryptFrameInput): EncryptFrame { : frameHeader(sequenceNumber, frameIv)) const { contentType, messageId } = messageHeader const contentString = aadUtility.messageAADContentString({ contentType, isFinalFrame }) - const {buffer, byteOffset, byteLength} = aadUtility.messageAAD(messageId, contentString, sequenceNumber, contentLength) + const { buffer, byteOffset, byteLength } = aadUtility.messageAAD(messageId, contentString, sequenceNumber, contentLength) const cipher = getCipher(frameIv) cipher.setAAD(Buffer.from(buffer, byteOffset, byteLength)) From 72927a81a9959fe8889831fcb964f57b6adce00e Mon Sep 17 00:00:00 2001 From: seebees Date: Fri, 5 Apr 2019 14:59:18 -0700 Subject: [PATCH 14/15] removing hack test in favor of decrypt --- modules/encrypt-node/test/encrypt.test.ts | 101 ---------------------- 1 file changed, 101 deletions(-) diff --git a/modules/encrypt-node/test/encrypt.test.ts b/modules/encrypt-node/test/encrypt.test.ts index 93a8e03f0..6da1ed960 100644 
--- a/modules/encrypt-node/test/encrypt.test.ts +++ b/modules/encrypt-node/test/encrypt.test.ts 
@@ -32,104 +32,3 @@ import { SignatureStream } from '../src/signature_stream' import { encrypt } from '../src/encrypt' const never = () => { throw new Error('never') } - -describe('asdf', () => { - it.skip('encrypt', async () => { - class TestKeyring extends KeyringNode { - async _onEncrypt (material: NodeEncryptionMaterial) { - const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1) - const trace = { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY } - const edk = new EncryptedDataKey({ providerId: 'k', providerInfo: 'k', encryptedDataKey: new Uint8Array(3) }) - return material - .setUnencryptedDataKey(unencryptedDataKey, trace) - .addEncryptedDataKey(edk, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) - } - async _onDecrypt (material: NodeDecryptionMaterial) { - never() - return material - } - } - const keyRing = new TestKeyring() - const cmm = new NodeCryptographicMaterialsManager(keyRing) - const suiteId = AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 - - const plaintext = 'asdf' - const ciphertext = await encrypt(cmm, plaintext, { suiteId }) - console.log(ciphertext) - }) - - it.skip('getFramedEncryptStream', (done) => { - const suiteId = AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 - const suite = new NodeAlgorithmSuite(suiteId) - const material = new NodeEncryptionMaterial(suite) - - const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1) - const trace = { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY } - const edk = new EncryptedDataKey({ providerId: 'k', providerInfo: 'k', encryptedDataKey: new Uint8Array(3) }) - material - .setUnencryptedDataKey(unencryptedDataKey, trace) - .addEncryptedDataKey(edk, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) - - const { getCipher, messageHeader } = getEncryptionInfo(material, 1048, {}) - - const stream = getFramedEncryptStream(getCipher, messageHeader, () => {}) - - // 
1048576 - - const stats = { - rawFile: 0, - encrypt: 0, - sig: 0 - } - - fs.createReadStream('/Users/ryanemer/aws-encryption-sdk-javascript/modules/encrypt-node/20190124_213050.jpg') - .on('data', ({ length }) => { stats.rawFile += length }) - .pipe(stream) - .on('data', ({ length }) => { stats.encrypt += length }) - .pipe(new SignatureStream()) - .on('data', ({ length }) => { stats.sig += length }) - .pipe(fs.createWriteStream('/Users/ryanemer/aws-encryption-sdk-javascript/modules/encrypt-node/stream_only')) - .on('finish', () => { - console.log('Stream: ', stats) - done() - }) - }) - - it.skip('duplex', (done) => { - class TestKeyring extends KeyringNode { - async _onEncrypt (material: NodeEncryptionMaterial) { - const unencryptedDataKey = new Uint8Array(material.suite.keyLengthBytes).fill(1) - const trace = { keyNamespace: 'k', keyName: 'k', flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY } - const edk = new EncryptedDataKey({ providerId: 'k', providerInfo: 'k', encryptedDataKey: new Uint8Array(3) }) - return material - .setUnencryptedDataKey(unencryptedDataKey, trace) - .addEncryptedDataKey(edk, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY) - } - async _onDecrypt (material: NodeDecryptionMaterial) { - never() - return material - } - } - const keyRing = new TestKeyring() - const cmm = new NodeCryptographicMaterialsManager(keyRing) - const suiteId = AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16 - - // 1048576 - const stream = encryptStream(cmm, { suiteId, frameLength: 1048 }) - - const stats = { - rawFile: 0, - encrypt: 0, - sig: 0 - } - fs.createReadStream('/Users/ryanemer/aws-encryption-sdk-javascript/modules/encrypt-node/20190124_213050.jpg') - .on('data', ({ length }) => { stats.rawFile += length }) - .pipe(stream) - .on('data', ({ length }) => { stats.encrypt += length }) - .pipe(fs.createWriteStream('/Users/ryanemer/aws-encryption-sdk-javascript/modules/encrypt-node/stream_duplex')) - .on('finish', () => { - console.log('Duplex:', stats) - 
done() - }) - }) -}) From 34d2b1ff76f5044debbde8c076cd4fa0ace7ac7e Mon Sep 17 00:00:00 2001 From: seebees Date: Mon, 8 Apr 2019 18:50:29 -0700 Subject: [PATCH 15/15] comments and noop --- modules/encrypt-node/src/framed_encrypt_stream.ts | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/modules/encrypt-node/src/framed_encrypt_stream.ts b/modules/encrypt-node/src/framed_encrypt_stream.ts index e27be4f82..d16e79f2d 100644 --- a/modules/encrypt-node/src/framed_encrypt_stream.ts +++ b/modules/encrypt-node/src/framed_encrypt_stream.ts @@ -43,13 +43,19 @@ interface EncryptFrame { } const ioTick = () => new Promise(resolve => setImmediate(resolve)) +const noop = () => {} type ErrBack = (err?: Error) => void export function getFramedEncryptStream (getCipher: GetCipher, messageHeader: MessageHeader, dispose: Function) { let accumulatingFrame: AccumulatingFrame = { contentLength: 0, content: [], sequenceNumber: 1 } - let pathologicalDrain: Function|false = false + let pathologicalDrain: Function = noop const { frameLength } = messageHeader + /* Keeping the messageHeader, accumulatingFrame and pathologicalDrain private is the intention here. + * It is already unlikely that these values could be touched in the current composition of streams, + * but a different composition may change this. + * Since we are handling the plain text here, it seems prudent to take extra measures. + */ return new (class FramedEncryptStream extends ( Transform>PortableTransform) { _transform (chunk: Buffer, encoding: string, callback: ErrBack) { const contentLeft = frameLength - accumulatingFrame.contentLength @@ -118,10 +124,8 @@ export function getFramedEncryptStream (getCipher: GetCipher, messageHeader: Mes * if a frame is being pushed, we can release * it. */ - if (pathologicalDrain) { - pathologicalDrain() - pathologicalDrain = false - } + pathologicalDrain() + pathologicalDrain = noop } async _flushEncryptFrame (encryptingFrame: EncryptFrame) {
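Review bot: `let pathologicalDrain: Function = noop` in the `@@ -43,13 +43,19 @@` hunk keeps the bare `Function` type, which discards the call signature that the new `noop` default and the unconditional `pathologicalDrain()` call in the `@@ -118,10 +124,8 @@` hunk would otherwise let the compiler check; `const noop = (): void => {}` and `let pathologicalDrain: () => void = noop` pin the arity so a callback expecting arguments cannot be assigned silently. The added comment block says why these values stay inside the closure but not what `pathologicalDrain` holds, and the code that assigns it is outside both hunks; a line such as `// pathologicalDrain: presumably the parked drain callback while a frame is still being pushed; fired once and reset to noop when that push completes — confirm against the assignment site` would make the second hunk readable on its own. The body of `getFramedEncryptStream`, and `_transform` which opens on the first hunk's last lines, continue past the hunk.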