aws · seebees · Mar 27, 2020 · Jan 8, 2020 · Jan 8, 2020 · Jan 8, 2020
@@ -0,0 +1,15 @@
+<!DOCTYPE>
+
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Client Side AWS Encryption SDK with MSRCrypto as a fallback</title>
+    <script src="../build/fallback_bundle.js"></script>
+  </head>
+  <body>
+    <script>
+      // This is exported via the webpack library setting
+      test.testFallback()
+    </script>
+  </body>
+</html>
@@ -12,7 +12,8 @@
     "example-aes": "webpack -d --config webpack_configs/aes.webpack.config.js",
     "example-kms": "webpack -d --config webpack_configs/kms.webpack.config.js",
     "example-multi-keyring": "webpack -d --config webpack_configs/multi_keyring.webpack.config.js",
-    "example-caching-cmm": "webpack -d --config webpack_configs/caching_cmm.webpack.config.js"
+    "example-caching-cmm": "webpack -d --config webpack_configs/caching_cmm.webpack.config.js",
+    "example-fallback": "webpack -d --config webpack_configs/fallback.webpack.config.js"
   },
   "author": {
     "name": "AWS Crypto Tools Team",
@@ -22,9 +23,30 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@aws-crypto/client-browser": "file:../client-browser",
+    "@aws-sdk/util-base64-browser": "0.1.0-preview.1",
+    "tslib": "^1.9.3",
     "@aws-sdk/util-base64-browser": "1.0.0-alpha.2",
-    "tslib": "^1.9.3"
+    "@types/chai": "^4.1.4",
+    "@types/mocha": "^5.2.5",
+    "@typescript-eslint/eslint-plugin": "^1.9.0",
+    "@typescript-eslint/parser": "^1.9.0",
+    "chai": "^4.1.2",
+    "karma": "^4.1.0",
+    "karma-chai": "^0.1.0",
+    "karma-chrome-launcher": "^2.2.0",
+    "karma-coverage-istanbul-reporter": "^2.0.4",
+    "karma-mocha": "^1.3.0",
+    "karma-webpack": "^3.0.5",
+    "mocha": "^5.2.0",
+    "nyc": "^14.0.0",
+    "standard": "^12.0.1",
+    "ts-loader": "^5.3.3",
+    "ts-node": "^7.0.1",
+    "typescript": "^3.5.0",
+    "webpack": "^4.30.0",
+    "webpack-cli": "^3.3.11"
   },
+  "devDependencies": {},
   "main": "./build/main/index.js",
   "module": "./build/module/index.js",
   "types": "./build/main/index.d.ts"

@@ -0,0 +1,126 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. A copy of the License is
+ * located at
+ *
+ *     http://aws.amazon.com/apache2.0/
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* This is a simple example of configuring a fallback
+ * for the AWS Encryption SDK for Javascript
+ * in a browser.
+ */
+
+import {
+  RawAesWrappingSuiteIdentifier,
+  RawAesKeyringWebCrypto,
+  encrypt,
+  decrypt,
+  synchronousRandomValues,
+  configureFallback,
+  AlgorithmSuiteIdentifier
+} from '@aws-crypto/client-browser'
+import { toBase64 } from '@aws-sdk/util-base64-browser'
+
+/* In this example we use the JavaScript implementation
+ * of WebCrypto from MSRCrypto
+ * and configure it as a fallback for the AWS Encryption SDK.
+ * The implementation will only be used if it is needed.
+ * The AWS Encryption SDK will _always_ prefer the native browser implementation.
+ * The msrCrypto source file is included as a script tag in the HTML file.
+ * See fallback.html
+ */
+// @ts-ignore
+import { subtle } from './msrcrypto'
+configureFallback(subtle)
+
+/* This is done to facilitate testing. */
+export async function testFallback () {
+  /* You need to specify a name
+   * and a namespace for raw encryption key providers.
+   * The name and namespace that you use in the decryption keyring *must* be an exact,
+   * *case-sensitive* match for the name and namespace in the encryption keyring.
+   */
+  const keyName = 'aes-name'
+  const keyNamespace = 'aes-namespace'
+
+  /* The wrapping suite defines the AES-GCM algorithm suite to use. */
+  const wrappingSuite = RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING
+
+  // Get your plaintext master key from wherever you store it.
+  const unencryptedMasterKey = synchronousRandomValues(32)
+
+  /* Import the plaintext master key into a WebCrypto CryptoKey. */
+  const masterKey = await RawAesKeyringWebCrypto.importCryptoKey(unencryptedMasterKey, wrappingSuite)
+
+  /* Configure the Raw AES keyring. */
+  const keyring = new RawAesKeyringWebCrypto({ keyName, keyNamespace, wrappingSuite, masterKey })
+
+  /* Encryption context is a *very* powerful tool for controlling and managing access.
+   * It is ***not*** secret!
+   * Encrypted data is opaque.
+   * You can use an encryption context to assert things about the encrypted data.
+   * Just because you can decrypt something does not mean it is what you expect.
+   * For example, if you are are only expecting data from 'us-west-2',
+   * the origin can identify a malicious actor.
+   * See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+   */
+  const context = {
+    stage: 'demo',
+    purpose: 'simple demonstration app',
+    origin: 'us-west-2'
+  }
+
+  /* Find data to encrypt. */
+  const plainText = new Uint8Array([1, 2, 3, 4, 5])
+
+  /* Encrypt the data. */
+  const { result } = await encrypt(keyring, plainText, { encryptionContext: context, suiteId: AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16 })
+
+  /* Log the plain text
+   * only for testing and to show that it works.
+   */
+  console.log('plainText:', plainText)
+  document.body.insertAdjacentHTML('beforeend', `<p>plainText:<p>${plainText}</p> </p>`)
+
+  /* Log the base64-encoded result
+   * so that you can try decrypting it with another AWS Encryption SDK implementation.
+   */
+  const resultBase64 = toBase64(result)
+  console.log(resultBase64)
+  document.body.insertAdjacentHTML('beforeend', `<p>${resultBase64}</p>`)
+
+  const { plaintext, messageHeader } = await decrypt(keyring, result)
+
+  /* Grab the encryption context so you can verify it. */
+  const { encryptionContext } = messageHeader
+
+  /* Verify the encryption context.
+   * If you use an algorithm suite with signing,
+   * the Encryption SDK adds a name-value pair to the encryption context that contains the public key.
+   * Because the encryption context might contain additional key-value pairs,
+   * do not add a test that requires that all key-value pairs match.
+   * Instead, verify that the key-value pairs you expect match.
+   */
+  Object
+    .entries(context)
+    .forEach(([key, value]) => {
+      if (encryptionContext[key] !== value) throw new Error('Encryption Context does not match expected values')
+    })
+
+  /* Log the clear message
+   * only for testing and to show that it works.
+   */
+  console.log(plaintext)
+  document.body.insertAdjacentHTML('beforeend', `<p>plainText:<p>${plaintext}</p> </p>`)
+
+  /* Return the values to make testing easy. */
+  return { plainText, plaintext }
+}