aws
diff --git a/‎modules/kms-keyring-node/src/kms_hkeyring_node.ts
Lines changed: 110 additions & 54 deletions b/‎modules/kms-keyring-node/src/kms_hkeyring_node.ts
Lines changed: 110 additions & 54 deletions
@@ -51,12 +51,27 @@ import {
 import { randomBytes } from 'crypto'
 
 export interface KmsHierarchicalKeyRingNodeInput {
+  //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+  //= type=implication
+  //# - MUST provide either a Branch Key Identifier or a [Branch Key Supplier](#branch-key-supplier)
   branchKeyId?: string
   branchKeyIdSupplier?: BranchKeyIdSupplier
+  //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+  //= type=implication
+  //# - MUST provide a [Keystore](../branch-key-store.md)
   keyStore: BranchKeyStoreNode
+  //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+  //= type=implication
+  //# - MUST provide a [cache limit TTL](#cache-limit-ttl)
   cacheLimitTtl: number
+  //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+  //= type=exception
+  //# - MAY provide a [Cache Type](#cache-type)
   cache?: CryptographicMaterialsCache<NodeAlgorithmSuite>
   maxCacheSize?: number
+  //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+  //= type=implication
+  //# - MAY provide a [Partition ID](#partition-id)
   partitionId?: string
 }
 
@@ -74,6 +89,9 @@ export interface IKmsHierarchicalKeyRingNode extends KeyringNode {
 
 export class KmsHierarchicalKeyRingNode
   extends KeyringNode
+  //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#interface
+  //= type=implication
+  //# MUST implement the [AWS Encryption SDK Keyring interface](../keyring-interface.md#interface)
   implements IKmsHierarchicalKeyRingNode
 {
   public declare branchKeyId?: string
@@ -96,8 +114,33 @@ export class KmsHierarchicalKeyRingNode
   }: KmsHierarchicalKeyRingNodeInput) {
     super()
 
-    needs(!partitionId || typeof partitionId === 'string', 'Partition id must be a string.')
-    readOnlyProperty(this, '_partition', partitionId ? stringToUtf8Bytes(partitionId) : randomBytes(64))
+    needs(
+      !partitionId || typeof partitionId === 'string',
+      'Partition id must be a string.'
+    )
+
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#partition-id
+    //= type=implication
+    //# The Partition ID MUST NOT be changed after initialization.
+    readOnlyProperty(
+      this,
+      '_partition',
+
+      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#partition-id-1
+      //# It can either be a String provided by the user, which MUST be interpreted as the bytes of
+      //# UTF-8 Encoding of the String, or a v4 UUID, which SHOULD be interpreted as the 16 byte representation of the UUID.
+
+      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#partition-id-1
+      //# The constructor of the Hierarchical Keyring MUST record these bytes at construction time.
+
+      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#partition-id
+      //# If provided, it MUST be interpreted as UTF8 bytes.
+
+      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#partition-id
+      //= type=exception
+      //# If the PartitionId is NOT provided by the user, it MUST be set to the 16 byte representation of a v4 UUID.
+      partitionId ? stringToUtf8Bytes(partitionId) : randomBytes(64)
+    )
 
     /* Precondition: The branch key id must be a string */
     if (branchKeyId) {
@@ -128,6 +171,9 @@ export class KmsHierarchicalKeyRingNode
     readOnlyProperty(
       this,
       '_logicalKeyStoreName',
+      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#logical-key-store-name
+      //# Logical Key Store Name MUST be converted to UTF8 Bytes to be used in
+      //# the cache identifiers.
       stringToUtf8Bytes(keyStore.getKeyStoreInfo().logicalKeyStoreName)
     )
 
@@ -179,9 +225,6 @@ export class KmsHierarchicalKeyRingNode
     if (cache) {
       needs(!maxCacheSize, 'Max cache size not supported when passing a cache.')
     } else {
-
-      console.log(maxCacheSize)
-
       /* Precondition: The max cache size must be a number */
       needs(
         // Order is important, 0 is a number but also false.
@@ -199,6 +242,13 @@ export class KmsHierarchicalKeyRingNode
         'Max cache size must be non-negative and less than or equal Number.MAX_SAFE_INTEGER'
       )
 
+      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+      //# On initialization the Hierarchical Keyring MUST initialize a [cryptographic-materials-cache](../local-cryptographic-materials-cache.md) with the configured cache limit TTL and the max cache size.
+
+      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+      //# If the Hierarchical Keyring does NOT get a `Shared` cache on initialization,
+      //# it MUST initialize a [cryptographic-materials-cache](../local-cryptographic-materials-cache.md)
+      //# with the user provided cache limit TTL and the entry capacity.
       cache = getLocalCryptographicMaterialsCache(maxCacheSize)
     }
     readOnlyProperty(this, 'maxCacheSize', maxCacheSize)
@@ -209,41 +259,25 @@ export class KmsHierarchicalKeyRingNode
   }
 
   async _onEncrypt(
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
+    //= type=implication
+    //# OnEncrypt MUST take [encryption materials](../structures.md#encryption-materials) as input.
     encryptionMaterial: NodeEncryptionMaterial
   ): Promise<NodeEncryptionMaterial> {
     //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
     //# The `branchKeyId` used in this operation is either the configured branchKeyId, if supplied, or the result of the `branchKeySupplier`'s
     //# `getBranchKeyId` operation, using the encryption material's encryption context as input.
     const branchKeyId = getBranchKeyId(this, encryptionMaterial)
 
-    // compute the cache entry id for the active branch key material that we
-    // want
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
+    //# The hierarchical keyring MUST use the formulas specified in [Appendix A](#appendix-a-cache-entry-identifier-formulas)
+    //# to compute the [cache entry identifier](../cryptographic-materials-cache.md#cache-identifier).
     const cacheEntryId = getCacheEntryId(
       this._logicalKeyStoreName,
       this._partition,
       branchKeyId
     )
 
-    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
-    //# If a cache entry is found and the entry's TTL has not expired, the hierarchical keyring MUST use those branch key materials for key wrapping.
-
-    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
-    //# If a cache entry is not found or the cache entry is expired, the hierarchical keyring MUST attempt to obtain the branch key materials
-    //# by querying the backing branch keystore specified in the [retrieve OnEncrypt branch key materials](#query-branch-keystore-onencrypt) section.
-    //# If the keyring is not able to retrieve [branch key materials](../structures.md#branch-key-materials)
-    //# through the underlying cryptographic materials cache or
-    //# it no longer has access to them through the backing keystore, OnEncrypt MUST fail.
-
-    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#query-branch-keystore-onencrypt
-    //# The branch keystore persists [branch keys](#definitions) that are reused to derive unique data keys for envelope encryption to
-    //# reduce the number of calls to AWS KMS through the use of the
-    //# [cryptographic materials cache](../cryptographic-materials-cache.md).
-    //# OnEncrypt MUST call the Keystore's [GetActiveBranchKey](../branch-key-store.md#getactivebranchkey) operation with the following inputs:
-    //# - the `branchKeyId` used in this operation
-    //# If the Keystore's GetActiveBranchKey operation succeeds
-    //# the keyring MUST put the returned branch key materials in the cache using the
-    //# formula defined in [Appendix A](#appendix-a-cache-entry-identifier-formulas).
-    //# Otherwise, OnEncrypt MUST fail.
     const branchKeyMaterials = await getBranchKeyMaterials(
       this,
       this._cmc,
@@ -254,7 +288,12 @@ export class KmsHierarchicalKeyRingNode
     // get a pdk (generate it if not already set)
     const pdk = getPlaintextDataKey(encryptionMaterial)
 
-    // encrypt the pdk
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
+    //# If the keyring is unable to wrap a plaintext data key, OnEncrypt MUST fail
+    //# and MUST NOT modify the [decryption materials](structures.md#decryption-materials).
+
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
+    //# - MUST wrap a data key with the branch key materials according to the [branch key wrapping](#branch-key-wrapping) section.
     const edk = wrapPlaintextDataKey(
       pdk,
       branchKeyMaterials,
@@ -267,6 +306,9 @@ export class KmsHierarchicalKeyRingNode
   }
 
   async onDecrypt(
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#ondecrypt
+    //= type=implication
+    //# OnDecrypt MUST take [decryption materials](../structures.md#decryption-materials) and a list of [encrypted data keys](../structures.md#encrypted-data-keys) as input.
     material: NodeDecryptionMaterial,
     encryptedDataKeys: EncryptedDataKey[]
   ): Promise<DecryptionMaterial<NodeAlgorithmSuite>> {
@@ -319,23 +361,30 @@ export class KmsHierarchicalKeyRingNode
     for (const { encryptedDataKey: ciphertext } of filteredEdkObjs) {
       let udk: Uint8Array | undefined = undefined
       try {
+        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#getitem-branch-keystore-ondecrypt
+        //# - Deserialize the UUID string representation of the `version` from the [encrypted data key](../structures.md#encrypted-data-key) [ciphertext](#ciphertext).
         // get the branch key version (as compressed bytes) from the
         // destructured ciphertext of the edk
         const { branchKeyVersionAsBytesCompressed } = destructureCiphertext(
           ciphertext,
           decryptionMaterial.suite
         )
 
+        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#getitem-branch-keystore-ondecrypt
+        //# - The deserialized UUID string representation of the `version`
         // uncompress the branch key version into regular utf8 bytes
         const branchKeyVersionAsBytes = stringToUtf8Bytes(
           decompressBytesToUuidv4(branchKeyVersionAsBytesCompressed)
         )
 
-        // compute the cache entry id for the versioned branch key material that we
-        // want
+        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#ondecrypt
+        //# The hierarchical keyring MUST use the OnDecrypt formula specified in [Appendix A](#decryption-materials)
+        //# in order to compute the [cache entry identifier](cryptographic-materials-cache.md#cache-identifier).
         const cacheEntryId = getCacheEntryId(
           this._logicalKeyStoreName,
           this._partition,
+          //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#getitem-branch-keystore-ondecrypt
+          //# OnDecrypt MUST calculate the following values:
           branchKeyId,
           branchKeyVersionAsBytes
         )
@@ -346,29 +395,9 @@ export class KmsHierarchicalKeyRingNode
         )
 
         //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#ondecrypt
-        //# If a cache entry is found and the entry's TTL has not expired, the hierarchical keyring MUST use those branch key materials for key unwrapping.
-
-        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#ondecrypt
-        //# If a cache entry is not found or the cache entry is expired, the hierarchical keyring
-        //# MUST attempt to obtain the branch key materials by calling the backing branch key
-        //# store specified in the [retrieve OnDecrypt branch key materials](#getitem-branch-keystore-ondecrypt) section.
-        //# If the keyring is not able to retrieve `branch key materials` from the backing keystore then OnDecrypt MUST fail.
-
-        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#getitem-branch-keystore-ondecrypt
-        //# The branch keystore persists [branch keys](#definitions) that are reused to derive unique data keys for key wrapping to
-        //# reduce the number of calls to AWS KMS through the use of the
-        //# [cryptographic materials cache](../cryptographic-materials-cache.md).
-        //# OnDecrypt MUST calculate the following values:
-        //# - Deserialize the UTF8-Decoded `branch-key-id` from the [key provider info](../structures.md#key-provider-information) of the [encrypted data key](../structures.md#encrypted-data-key)
-        //#   and verify this is equal to the configured or supplied `branch-key-id`.
-        //# - Deserialize the UUID string representation of the `version` from the [encrypted data key](../structures.md#encrypted-data-key) [ciphertext](#ciphertext).
-        //# OnDecrypt MUST call the Keystore's [GetBranchKeyVersion](../branch-key-store.md#getbranchkeyversion) operation with the following inputs:
-        //# - The deserialized, UTF8-Decoded `branch-key-id`
-        //# - The deserialized UUID string representation of the `version`
-        //# If the Keystore's GetBranchKeyVersion operation succeeds
-        //# the keyring MUST put the returned branch key materials in the cache using the
-        //# formula defined in [Appendix A](#appendix-a-cache-entry-identifier-formulas).
-        //# Otherwise, OnDecrypt MUST fail.
+        //# To decrypt each encrypted data key in the filtered set, the hierarchical keyring MUST attempt
+        //# to find the corresponding [branch key materials](../structures.md#branch-key-materials)
+        //# from the underlying [cryptographic materials cache](../local-cryptographic-materials-cache.md).
         const branchKeyMaterials = await getBranchKeyMaterials(
           this,
           this._cmc,
@@ -377,7 +406,8 @@ export class KmsHierarchicalKeyRingNode
           branchKeyVersionAsString
         )
 
-        // unwrap the edk to get the udk/pdk
+        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#ondecrypt
+        //# - MUST unwrap the encrypted data key with the branch key materials according to the [branch key unwrapping](#branch-key-unwrapping) section.
         udk = unwrapEncryptedDataKey(
           ciphertext,
           branchKeyMaterials,
@@ -412,3 +442,29 @@ export class KmsHierarchicalKeyRingNode
 }
 
 immutableClass(KmsHierarchicalKeyRingNode)
+
+// The JS version has not been released with a Storm Tracking CMC
+
+//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+//= type=exception
+//# If the cache to initialize is a [Storm Tracking Cryptographic Materials Cache](../storm-tracking-cryptographic-materials-cache.md#overview)
+//# then the [Grace Period](../storm-tracking-cryptographic-materials-cache.md#grace-period) MUST be less than the [cache limit TTL](#cache-limit-ttl).
+
+//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#initialization
+//= type=exception
+//# If no `cache` is provided, a `DefaultCache` MUST be configured with entry capacity of 1000.
+
+// These are not something we can enforce
+
+//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#logical-key-store-name
+//= type=exception
+//# > Note: Users MUST NEVER have two different physical Key Stores with the same Logical Key Store Name.
+
+//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#shared-cache-considerations
+//= type=exception
+//# Any keyring that has access to the `Shared` cache MAY be able to use materials
+//# that it MAY or MAY NOT have direct access to.
+//#
+//# Users MUST make sure that all of Partition ID, Logical Key Store Name of the Key Store for the Hierarchical Keyring
+//# and Branch Key ID are set to be the same for two Hierarchical Keyrings if and only they want the keyrings to share
+//# cache entries.