fix: Encryption Context changes #148
Conversation
resolves aws#54 1. browser/node encrypt function public api should match 1. Encryption context should _only_ be optional in the public interface 1. Encryption context moved into cryptographic materials Internally, it is much more consistent to require an encryption context. Moving the encryption context onto the cryptographic materials brings them in line with the python keyring implementation. It also makes control of the encryption context in the CMM and **not** the keyrings very clear in the interface. NOTE: encrypt in encrypt-node now expects `encryptionContext` instead of `context`. This is **ONLY** done because the project is still in beta.
| if (!test.material.signatureKey) throw new Error('I should never see this error') | ||
| expect(test.context).to.have.haveOwnProperty(ENCODED_SIGNER_KEY).and.to.equal(toBase64(test.material.signatureKey.compressPoint)) | ||
| expect(test.context).to.have.haveOwnProperty('some').and.to.equal('context') | ||
| const { material } = await cmm.getEncryptionMaterials({ suite, encryptionContext }) |
There was a problem hiding this comment.
My position is that CMMs' getEncryptionMaterials should return encryption materials, not an object containing encryption materials. I know that makes it a bit difficult if we wanted to add something else in to this response later, but I would argue that as long as this function is named correctly, anything that's worth adding to the getEncryptionMaterials response should be added to the encryption materials.
There was a problem hiding this comment.
I know that makes it a bit difficult if we wanted to add something else in to this response later
For the record, this is exactly what the encryption materials structure is for. ;) That's what we need to modify if we want to return more things.
| * The functional data key (unencrypted or CryptoKey) is the most sensitive data and needs to | ||
| * be protected. The longer this data persists in memory the | ||
| * greater the opportunity to be invalidated. Because | ||
| * a Caching CMM exists is it important to insure that the |
There was a problem hiding this comment.
"a Caching CMM exists it is important to ensure that the"
Agreed, and I think this was the right call. Just calling out here, though, that even though we're in beta we will still need to update the version appropriately for a breaking change (so this will be |
modules/material-management-browser/src/browser_cryptographic_materials_manager.ts
Outdated
Show resolved
Hide resolved
| if (!test.material.signatureKey) throw new Error('I should never see this error') | ||
| expect(test.context).to.have.haveOwnProperty(ENCODED_SIGNER_KEY).and.to.equal(toBase64(test.material.signatureKey.compressPoint)) | ||
| expect(test.context).to.have.haveOwnProperty('some').and.to.equal('context') | ||
| const { material } = await cmm.getEncryptionMaterials({ suite, encryptionContext }) |
There was a problem hiding this comment.
I know that makes it a bit difficult if we wanted to add something else in to this response later
For the record, this is exactly what the encryption materials structure is for. ;) That's what we need to modify if we want to return more things.
modules/material-management-node/src/node_cryptographic_materials_manager.ts
Outdated
Show resolved
Hide resolved
Co-Authored-By: Matt Bullock <bullocm@amazon.com>
…als_manager.ts Co-Authored-By: Matt Bullock <bullocm@amazon.com>
…materials_manager.ts Co-Authored-By: Matt Bullock <bullocm@amazon.com>
To be clear, I'm using: https://www.conventionalcommits.org/en/v1.0.0-beta.4/ so if it was called out as breaking in the commit message, the MAJOR version would be bumped automatically |
| @@ -46,7 +46,7 @@ describe('KmsKeyring: _onDecrypt', | |||
| const clientProvider: any = () => { | |||
| return { decrypt } | |||
| function decrypt ({ CiphertextBlob, EncryptionContext, GrantTokens }: any) { | |||
| expect(EncryptionContext === context).to.equal(true) | |||
| expect(EncryptionContext).to.deep.equal(context) | |||
There was a problem hiding this comment.
Nitpick: Since you just ran around doing s/context/encryptionContext/ everywhere else, you might consider doing that here and in the other tests where it's still context. I don't think I normally would have even noticed but after reviewing that change in 26 files it stuck out. :P
There was a problem hiding this comment.
This is valid. The examples are another case of this.... Sigh. I agree, but I think I'll come back to this later. Since this is large enough it will be easier to change words after a stable position.
There was a problem hiding this comment.
+1, definitely not worth holding this up.
| @@ -46,7 +45,7 @@ describe('Keyring', () => { | |||
| it('onEncrypt calls _onEncrypt', async () => { | |||
| const suite = new NodeAlgorithmSuite(AlgorithmSuiteIdentifier.ALG_AES128_GCM_IV12_TAG16) | |||
| const { keyLengthBytes } = suite | |||
| const m = new NodeEncryptionMaterial(suite) | |||
| const m = new NodeEncryptionMaterial(suite, {}) | |||
There was a problem hiding this comment.
Nitpick: Would prefer a more descriptive name here.
There was a problem hiding this comment.
What are you looking for? Defining the variable as opposed to just passing an object lateral?
There was a problem hiding this comment.
Oh, sorry, I meant m not {}. Not a big deal.
|
|
||
| const generator = keyRingFactory({ | ||
| async onDecrypt (material: NodeDecryptionMaterial /*, encryptedDataKeys: EncryptedDataKey[], context?: EncryptionContext */) { | ||
| async onDecrypt (material: NodeDecryptionMaterial /*, encryptedDataKeys: EncryptedDataKey[] */) { |
There was a problem hiding this comment.
Not really feedback, just curious about this pattern with the commented out parameters; I've seen it in a couple of places. What's the story there?
There was a problem hiding this comment.
For me, this is similar to named parameters. Ideally the both the function declaration and the call site should be descriptive of intention.
In this case, the function is "cut off" because I'm only using some of the arguments. My Typescript config is relatively strict and wants every defined variable to be used. So I have to remove the arguments because they are not being used. However when copying this code around or trying to understand what/how it is used, it is useful to see the full definition.
resolves aws#232 Typescript 3.7 does a better job identifying declaration conflicts and so identifies the conflite between the type and the class import of the same name. e.g. `WebCryptoEncryptionMaterial` is defined as a type and imported. When aws#148 was the referance to the return type can go directly to the needed Material (WebCrypto or Node).
resolves aws#232 Typescript 3.7 does a better job identifying declaration conflicts and so identifies the conflict between the type and the class import of the same name. e.g. `WebCryptoEncryptionMaterial` is defined as a type and imported. When aws#148 was the reference to the return type can go directly to the needed Material (WebCrypto or Node).
resolves aws#232 Typescript 3.7 does a better job identifying declaration conflicts and so identifies the conflict between the type and the class import of the same name. e.g. `WebCryptoEncryptionMaterial` is defined as a type and imported. When aws#148 was written the reference to the return type should have gone directly to the needed Material (WebCrypto or Node).
resolves #232 Typescript 3.7 does a better job identifying declaration conflicts and so identifies the conflict between the type and the class import of the same name. e.g. `WebCryptoEncryptionMaterial` is defined as a type and imported. When #148 was written the reference to the return type should have gone directly to the needed Material (WebCrypto or Node).
resolves #54
Internally, it is much more consistent to require an encryption context.
Moving the encryption context onto the cryptographic materials
brings them in line with the python keyring implementation.
It also makes control of the encryption context in the CMM
and not the keyrings very clear in the interface.
NOTE: encrypt in encrypt-node now expects
encryptionContextinstead ofcontext.This is ONLY done because the project is still in beta.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.