aws · seebees · Apr 9, 2019 · Apr 9, 2019
@@ -78,7 +78,7 @@ export class ParseHeaderStream extends PortableTransformWithType {
         const verify = getVerify ? getVerify() : void 0
         const verifyInfo: VerifyInfo = { headerInfo, getDecipher, verify, dispose }
         this.emit('VerifyInfo', verifyInfo)
-        this.emit('MessageHeader', headerInfo)
+        this.emit('MessageHeader', headerInfo.messageHeader)
 
         // The header is parsed, pass control
         const readPos = rawHeader.byteLength + headerIv.byteLength + headerAuthTag.byteLength

@@ -16,19 +16,19 @@
 /* eslint-env mocha */
 
 // import { expect } from 'chai'
-import 'mocha'
-import {
-  NodeDecryptionMaterial, // eslint-disable-line no-unused-vars
-  NodeAlgorithmSuite, NodeEncryptionMaterial, NodeCryptographicMaterialsManager, KeyringNode, EncryptedDataKey,
-  KeyringTraceFlag, AlgorithmSuiteIdentifier
-} from '@aws-crypto/material-management-node'
+// import 'mocha'
+// import {
+//   NodeDecryptionMaterial, // eslint-disable-line no-unused-vars
+//   NodeAlgorithmSuite, NodeEncryptionMaterial, NodeCryptographicMaterialsManager, KeyringNode, EncryptedDataKey,
+//   KeyringTraceFlag, AlgorithmSuiteIdentifier
+// } from '@aws-crypto/material-management-node'
 
-import * as fs from 'fs'
+// import * as fs from 'fs'
 
-import { encryptStream, getEncryptionInfo } from '../src/encrypt_stream'
+// import { encryptStream, getEncryptionInfo } from '../src/encrypt_stream'
 
-import { getFramedEncryptStream } from '../src/framed_encrypt_stream'
-import { SignatureStream } from '../src/signature_stream'
-import { encrypt } from '../src/encrypt'
+// import { getFramedEncryptStream } from '../src/framed_encrypt_stream'
+// import { SignatureStream } from '../src/signature_stream'
+// import { encrypt } from '../src/encrypt'
 
-const never = () => { throw new Error('never') }
+// const never = () => { throw new Error('never') }
@@ -73,9 +73,9 @@ export function KmsKeyringClass<S extends SupportedAlgorithmSuites, Client exten
       /* Precondition: This is an abstract class. (But TypeScript does not have a clean way to model this) */
       needs(this.constructor !== KmsKeyring, 'new KmsKeyring is not allowed')
       /* Precondition: A noop KmsKeyring is not allowed. */
-      needs(!discovery && !generatorKeyId && !keyIds.length, 'Noop keyring is not allowed: Set a keyId or discovery')
+      needs(!(!discovery && !generatorKeyId && !keyIds.length), 'Noop keyring is not allowed: Set a keyId or discovery')
       /* Precondition: A keyring can be either a Discovery or have keyIds configured. */
-      needs(discovery && (generatorKeyId || keyIds.length), 'A keyring can be either a Discovery or have keyIds configured.')
+      needs(!(discovery && (generatorKeyId || keyIds.length)), 'A keyring can be either a Discovery or have keyIds configured.')
       /* Precondition: All KMS key arns must be valid. */
       needs(!generatorKeyId || !!regionFromKmsKeyArn(generatorKeyId), 'Malformed arn.')
       needs(keyIds.every(keyarn => !!regionFromKmsKeyArn(keyarn)), 'Malformed arn.')

@@ -54,11 +54,15 @@ describe('KmsKeyring: constructor', () => {
     expect(test.isDiscovery).to.equal(true)
   })
 
-  it('Precondition: A noop KmsKeyring is not allowed.  You must explicitly set discovery or keyIds.', () => {
+  it('Precondition: A noop KmsKeyring is not allowed.', () => {
     class TestKmsKeyring extends KmsKeyringClass(Keyring as KeyRingConstructible<NodeAlgorithmSuite>) {}
     const clientProvider: any = () => {}
     expect(() => new TestKmsKeyring({ clientProvider })).to.throw()
+  })
 
+  it('Precondition: A keyring can be either a Discovery or have keyIds configured.', () => {
+    class TestKmsKeyring extends KmsKeyringClass(Keyring as KeyRingConstructible<NodeAlgorithmSuite>) {}
+    const clientProvider: any = () => {}
     const generatorKeyId = 'arn:aws:kms:us-east-1:123456789012:alias/example-alias'
     const keyIds = ['arn:aws:kms:us-east-1:123456789012:alias/example-alias']
     const discovery = true

@@ -26,73 +26,72 @@
   * The AAD (encryption context) is the same as the message.
   */
 
- import { concatBuffers, uInt32BE } from '@aws-crypto/serialize'
- import {
-   AlgorithmSuite, // eslint-disable-line no-unused-vars
-   EncryptedDataKey, // eslint-disable-line no-unused-vars
-   needs
- } from '@aws-crypto/material-management'
- 
- export function rawAesEncryptedDataKeyFactory (
-   toUtf8: (input: Uint8Array) => string,
-   fromUtf8: (input: any) => Uint8Array
- ) {
-   return { rawAesEncryptedDataKey }
- 
-   function rawAesEncryptedDataKey (
-     keyNamespace: string,
-     keyName: string,
-     iv: Uint8Array,
-     ciphertext: Uint8Array,
-     authTag: Uint8Array
-   ): EncryptedDataKey {
-     const ivLength = iv.byteLength
-     const authTagBitLength = authTag.byteLength * 8
-     const encryptedDataKey = concatBuffers(ciphertext, authTag)
-     const providerId = keyNamespace
-     const rawInfo =  concatBuffers(fromUtf8(keyName), uInt32BE(authTagBitLength), uInt32BE(ivLength), iv)
-     const providerInfo = toUtf8(rawInfo)
-     return new EncryptedDataKey({ encryptedDataKey, providerId, providerInfo, rawInfo })
-   }
- }
- 
- export function rawAesEncryptedPartsFactory (fromUtf8: (input: any) => Uint8Array) {
-   return { rawAesEncryptedParts }
- 
-   function rawAesEncryptedParts (suite: AlgorithmSuite, keyName: string, { encryptedDataKey, rawInfo }: EncryptedDataKey) {
-     if (!(rawInfo instanceof Uint8Array)) throw new Error('Malformed Encrypted Data Key.')
-     // see above for format, slice off the "string part"
-     rawInfo = rawInfo.slice(fromUtf8(keyName).byteLength)
-     /* Uint8Array is a view on top of the underlying ArrayBuffer.
+import { concatBuffers, uInt32BE } from '@aws-crypto/serialize'
+import {
+  AlgorithmSuite, // eslint-disable-line no-unused-vars
+  EncryptedDataKey, // eslint-disable-line no-unused-vars
+  needs
+} from '@aws-crypto/material-management'
+
+export function rawAesEncryptedDataKeyFactory (
+  toUtf8: (input: Uint8Array) => string,
+  fromUtf8: (input: any) => Uint8Array
+) {
+  return { rawAesEncryptedDataKey }
+
+  function rawAesEncryptedDataKey (
+    keyNamespace: string,
+    keyName: string,
+    iv: Uint8Array,
+    ciphertext: Uint8Array,
+    authTag: Uint8Array
+  ): EncryptedDataKey {
+    const ivLength = iv.byteLength
+    const authTagBitLength = authTag.byteLength * 8
+    const encryptedDataKey = concatBuffers(ciphertext, authTag)
+    const providerId = keyNamespace
+    const rawInfo = concatBuffers(fromUtf8(keyName), uInt32BE(authTagBitLength), uInt32BE(ivLength), iv)
+    const providerInfo = toUtf8(rawInfo)
+    return new EncryptedDataKey({ encryptedDataKey, providerId, providerInfo, rawInfo })
+  }
+}
+
+export function rawAesEncryptedPartsFactory (fromUtf8: (input: any) => Uint8Array) {
+  return { rawAesEncryptedParts }
+
+  function rawAesEncryptedParts (suite: AlgorithmSuite, keyName: string, { encryptedDataKey, rawInfo }: EncryptedDataKey) {
+    if (!(rawInfo instanceof Uint8Array)) throw new Error('Malformed Encrypted Data Key.')
+    // see above for format, slice off the "string part"
+    rawInfo = rawInfo.slice(fromUtf8(keyName).byteLength)
+    /* Uint8Array is a view on top of the underlying ArrayBuffer.
       * This means that raw underlying memory stored in the ArrayBuffer
       * may be larger than the Uint8Array.  This is especially true of
       * the Node.js Buffer object.  The offset and length *must* be
       * passed to the DataView otherwise I will get unexpected results.
       */
-     const dataView = new DataView(
-       rawInfo.buffer,
-       rawInfo.byteOffset,
-       rawInfo.byteLength
-     )
-     /* See above:
+    const dataView = new DataView(
+      rawInfo.buffer,
+      rawInfo.byteOffset,
+      rawInfo.byteLength
+    )
+    /* See above:
       * uInt32BE(authTagBitLength),uInt32BE(ivLength), iv
       */
-     const tagLengthBits = dataView.getUint32(0, false) // big endian
-     const ivLength = dataView.getUint32(4, false) // big endian
-     /* Precondition: The ivLength must match the algorith suite specification. */
-     needs(ivLength === suite.ivLength, 'Malformed providerInfo')
-     /* Precondition: The tagLength must match the algorith suite specification. */
-     needs(tagLengthBits === suite.tagLength, 'Malformed providerInfo')
-     /* Precondition: The byteLength of rawInfo should match the encoded length. */
-     needs(rawInfo.byteLength === 4 + 4 + ivLength, 'Malformed providerInfo')
-     const tagLength = tagLengthBits / 8
-     /* Precondition: The encryptedDataKey byteLength must match the algorith suite specification and encoded length. */
-     needs(encryptedDataKey.byteLength === tagLength + suite.keyLengthBytes, 'Malformed providerInfo')
-     const iv = rawInfo.slice(-ivLength)
-     const authTag = encryptedDataKey.slice(-tagLength)
-     const ciphertext = encryptedDataKey.slice(0, -tagLength)
-
-     return { authTag, ciphertext, iv }
-   }
- }
-
+    const tagLengthBits = dataView.getUint32(0, false) // big endian
+    const ivLength = dataView.getUint32(4, false) // big endian
+    /* Precondition: The ivLength must match the algorith suite specification. */
+    needs(ivLength === suite.ivLength, 'Malformed providerInfo')
+    /* Precondition: The tagLength must match the algorith suite specification. */
+    needs(tagLengthBits === suite.tagLength, 'Malformed providerInfo')
+    /* Precondition: The byteLength of rawInfo should match the encoded length. */
+    needs(rawInfo.byteLength === 4 + 4 + ivLength, 'Malformed providerInfo')
+    const tagLength = tagLengthBits / 8
+    /* Precondition: The encryptedDataKey byteLength must match the algorith suite specification and encoded length. */
+    needs(encryptedDataKey.byteLength === tagLength + suite.keyLengthBytes, 'Malformed providerInfo')
+    const iv = rawInfo.slice(-ivLength)
+    const authTag = encryptedDataKey.slice(-tagLength)
+    const ciphertext = encryptedDataKey.slice(0, -tagLength)
+
+    return { authTag, ciphertext, iv }
+  }
+}
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-/* Here I am reusing the Material implementation and interface from material-management. 
+/* Here I am reusing the Material implementation and interface from material-management.
  * This is because there are many security guarantees that this implementations offer
  * that map to the current implementation of raw AES keyrings.
  * The KeyringTrace is an unfortunate case because there is no mapping.
@@ -55,7 +55,7 @@ export class NodeRawAesMaterial implements
     /* NodeRawAesMaterial need to set a flag, this is an abuse of TraceFlags
      * because the material is not generated.
      * but CryptographicMaterial force a flag to be set.
-     */ 
+     */
     const setFlags = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY
     decorateCryptographicMaterial<NodeRawAesMaterial>(this, setFlags)
     Object.setPrototypeOf(this, NodeRawAesMaterial.prototype)
@@ -87,7 +87,7 @@ export class WebCryptoRawAesMaterial implements
     /* WebCryptoRawAesMaterial need to set a flag, this is an abuse of TraceFlags
      * because the material is not generated.
      * but CryptographicMaterial force a flag to be set.
-     */ 
+     */
     const setFlag = KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY
     decorateCryptographicMaterial<WebCryptoRawAesMaterial>(this, setFlag)
     decorateWebCryptoMaterial<WebCryptoRawAesMaterial>(this, 0)