/*
* Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use
* this file except in compliance with the License. A copy of the License is
* located at
*
* http://aws.amazon.com/apache2.0/
*
* or in the "license" file accompanying this file. This file is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing permissions and
* limitations under the License.
*/
import {
NodeDefaultCryptographicMaterialsManager, NodeAlgorithmSuite, AlgorithmSuiteIdentifier, // eslint-disable-line no-unused-vars
KeyringNode, NodeEncryptionMaterial, getEncryptHelper, EncryptionContext, // eslint-disable-line no-unused-vars
NodeMaterialsManager, // eslint-disable-line no-unused-vars
needs
} from '@aws-crypto/material-management-node'
import { getFramedEncryptStream } from './framed_encrypt_stream'
import { SignatureStream } from './signature_stream'
import Duplexify from 'duplexify'
import { randomBytes } from 'crypto'
import {
MessageHeader, // eslint-disable-line no-unused-vars
serializeFactory, kdfInfo, ContentType, SerializationVersion, ObjectType,
FRAME_LENGTH,
MESSAGE_ID_LENGTH,
Maximum
} from '@aws-crypto/serialize'
// @ts-ignore
import { pipeline } from 'readable-stream'
import { Duplex } from 'stream' // eslint-disable-line no-unused-vars
/** Encodes a JavaScript string as UTF-8 bytes; handed to the header serializer below. */
function fromUtf8 (input: string): Buffer {
  return Buffer.from(input, 'utf8')
}
// Header serializer and header-auth IV helper, bound to our UTF-8 encoder.
const { serializeMessageHeader, headerAuthIv } = serializeFactory(fromUtf8)
/**
 * Options accepted by encryptStream.
 */
export interface EncryptStreamInput {
  /** Algorithm suite to request; when omitted, no suite is passed to the materials manager. */
  suiteId?: AlgorithmSuiteIdentifier
  /** Encryption context carried in the message header (which is authenticated); defaults to {} in encryptStream. */
  encryptionContext?: EncryptionContext
  /** Frame size written into the header; defaults to FRAME_LENGTH and must satisfy 0 < frameLength <= Maximum.FRAME_SIZE. */
  frameLength?: number
  /** Total plaintext length when known; forwarded to getEncryptionMaterials and getFramedEncryptStream. */
  plaintextLength?: number
}
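/**
 * Takes a NodeDefaultCryptographicMaterialsManager or a KeyringNode that will
 * be wrapped in a NodeDefaultCryptographicMaterialsManager and returns a stream.
 *
 * The returned Duplex is writable for plaintext and readable for the
 * serialized message (header, header auth, then framed ciphertext passed
 * through the SignatureStream). Materials are obtained asynchronously; the
 * stream is returned immediately and any failure on that path is surfaced as
 * an 'error' event on the returned stream rather than thrown to the caller.
 *
 * @param cmm NodeMaterialsManager|KeyringNode
 * @param op EncryptStreamInput
 * @returns a Duplex that emits 'MessageHeader' once the header has been built
 * @throws via needs() when frameLength is out of bounds
 */
export function encryptStream (
  cmm: KeyringNode|NodeMaterialsManager,
  op: EncryptStreamInput = {}
): Duplex {
  const { suiteId, encryptionContext = {}, frameLength = FRAME_LENGTH, plaintextLength } = op
  /* Precondition: The frameLength must be positive and no larger than the maximum frame size. */
  needs(
    frameLength > 0 && Maximum.FRAME_SIZE >= frameLength,
    // The message states the accepted range; the previous text (`0 > frameLength >= ...`) was inverted.
    `frameLength out of bounds: 0 < frameLength <= ${Maximum.FRAME_SIZE}`
  )
  /* If the cmm is a Keyring, wrap it with NodeDefaultCryptographicMaterialsManager. */
  cmm = cmm instanceof KeyringNode
    ? new NodeDefaultCryptographicMaterialsManager(cmm)
    : cmm
  const suite = suiteId && new NodeAlgorithmSuite(suiteId)
  const wrappingStream = new Duplexify()
  cmm.getEncryptionMaterials({ suite, encryptionContext, plaintextLength })
    // No awaits inside, so a plain callback suffices; a synchronous throw here still rejects into .catch below.
    .then((material) => {
      const { dispose, getSigner } = getEncryptHelper(material)
      const { getCipher, messageHeader, rawHeader } = getEncryptionInfo(material, frameLength)
      wrappingStream.emit('MessageHeader', messageHeader)
      const encryptStream = getFramedEncryptStream(getCipher, messageHeader, dispose, plaintextLength)
      const signatureStream = new SignatureStream(getSigner)
      pipeline(encryptStream, signatureStream)
      wrappingStream.setReadable(signatureStream)
      // Flush the rawHeader through the signatureStream.
      // Ordering matters: the writable side is attached only after this, so the
      // serialized header and its auth tag reach the output before any frame.
      rawHeader.forEach(buff => signatureStream.write(buff))
      // @ts-ignore until readable-stream exports v3 types...
      wrappingStream.setWritable(encryptStream)
    })
    .catch(err => wrappingStream.emit('error', err))
  return wrappingStream
}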
/**
 * Builds the message header for one encryption and derives the cipher factory
 * for that message from the supplied materials.
 *
 * Side effects: draws MESSAGE_ID_LENGTH random bytes for the message id, and
 * runs one cipher pass over an empty plaintext with the serialized header as
 * AAD to produce the header auth tag.
 *
 * @param material NodeEncryptionMaterial providing the suite, encrypted data keys and encryption context
 * @param frameLength frame size recorded in the header (range-checked by encryptStream, not here)
 * @returns getCipher (iv => cipher for this message), the frozen MessageHeader,
 *   and rawHeader = [serialized header, header auth IV, header auth tag]
 */
export function getEncryptionInfo (material : NodeEncryptionMaterial, frameLength: number) {
  const { kdfGetCipher } = getEncryptHelper(material)
  const { encryptionContext } = material
  const { id: suiteId, ivLength } = material.suite
  // Fresh random message id; it feeds kdfInfo below, so key derivation is bound to this message.
  const messageId = randomBytes(MESSAGE_ID_LENGTH)
  const messageHeader: MessageHeader = Object.freeze({
    version: SerializationVersion.V1,
    type: ObjectType.CUSTOMER_AE_DATA,
    suiteId,
    messageId,
    encryptionContext,
    encryptedDataKeys: Object.freeze(material.encryptedDataKeys), // shallow freeze only
    contentType: ContentType.FRAMED_DATA,
    headerIvLength: ivLength,
    frameLength
  })
  const serialized = serializeMessageHeader(messageHeader)
  const headerBuffer = Buffer.from(serialized.buffer, serialized.byteOffset, serialized.byteLength)
  const getCipher = kdfGetCipher(kdfInfo(suiteId, messageId))
  // Header authentication: encrypt nothing, authenticate the serialized header as AAD,
  // and keep the resulting tag. Call order (setAAD -> update -> final -> getAuthTag) is fixed.
  const headerIv = headerAuthIv(ivLength)
  const headerCipher = getCipher(headerIv)
  headerCipher.setAAD(headerBuffer)
  headerCipher.update(Buffer.alloc(0))
  headerCipher.final()
  const headerAuth = headerCipher.getAuthTag()
  return {
    getCipher,
    messageHeader,
    rawHeader: [headerBuffer, headerIv, headerAuth]
  }
}