aws
diff --git a/‎modules/cache-material/src/build_cryptographic_materials_cache_key_helpers.ts
Lines changed: 8 additions & 5 deletions b/‎modules/cache-material/src/build_cryptographic_materials_cache_key_helpers.ts
Lines changed: 8 additions & 5 deletions
diff --git a/‎modules/kms-keyring-node/src/kms_hkeyring_node.ts
Lines changed: 18 additions & 2 deletions b/‎modules/kms-keyring-node/src/kms_hkeyring_node.ts
Lines changed: 18 additions & 2 deletions
diff --git a/‎modules/kms-keyring-node/src/kms_hkeyring_node_helpers.ts
Lines changed: 15 additions & 16 deletions b/‎modules/kms-keyring-node/src/kms_hkeyring_node_helpers.ts
Lines changed: 15 additions & 16 deletions
diff --git a/‎modules/kms-keyring-node/test/kms_hkeyring_node.helpers.test.ts
Lines changed: 27 additions & 12 deletions b/‎modules/kms-keyring-node/test/kms_hkeyring_node.helpers.test.ts
Lines changed: 27 additions & 12 deletions
diff --git a/‎modules/raw-aes-keyring-browser/src/raw_aes_keyring_browser.ts
Lines changed: 11 additions & 10 deletions b/‎modules/raw-aes-keyring-browser/src/raw_aes_keyring_browser.ts
Lines changed: 11 additions & 10 deletions
@@ -8,7 +8,11 @@ import {
   EncryptedDataKey,
   EncryptionContext,
 } from '@aws-crypto/material-management'
-import { serializeFactory, uInt16BE } from '@aws-crypto/serialize'
+import {
+  serializeFactory,
+  uInt16BE,
+  SerializeOptions,
+} from '@aws-crypto/serialize'
 import { compare } from './portable_compare'
 
 //  512 bits of 0 for padding between hashes in decryption materials cache ID generation.
@@ -21,8 +25,9 @@ export function buildCryptographicMaterialsCacheKeyHelpers<
   toUtf8: (input: Uint8Array) => string,
   sha512: (...data: (Uint8Array | string)[]) => Promise<Uint8Array>
 ): CryptographicMaterialsCacheKeyHelpersInterface<S> {
+  const sorting: SerializeOptions = { utf8Sorting: true }
   const { serializeEncryptionContext, serializeEncryptedDataKey } =
-    serializeFactory(fromUtf8, { utf8Sorting: false })
+    serializeFactory(fromUtf8, sorting)
 
   return {
     buildEncryptionMaterialCacheKey,
@@ -80,9 +85,7 @@ export function buildCryptographicMaterialsCacheKeyHelpers<
      * However, the RAW Keyring wants _only_ the ADD.
      * So, I just slice off the length.
      */
-    const serializedContext = serializeEncryptionContext(context, {
-      utf8Sorting: false,
-    }).slice(2)
+    const serializedContext = serializeEncryptionContext(context).slice(2)
     return sha512(serializedContext)
   }
 }
 
@@ -74,6 +74,7 @@ export interface KmsHierarchicalKeyRingNodeInput {
   //= type=implication
   //# - MAY provide a [Partition ID](#partition-id)
   partitionId?: string
+  utf8Sorting?: boolean | true
 }
 
 export interface IKmsHierarchicalKeyRingNode extends KeyringNode {
@@ -104,6 +105,7 @@ export class KmsHierarchicalKeyRingNode
   public declare maxCacheSize?: number
   public declare _cmc: CryptographicMaterialsCache<NodeAlgorithmSuite>
   declare readonly _partition: Buffer
+  public declare utf8Sorting: boolean | true
 
   constructor({
     branchKeyId,
@@ -113,6 +115,7 @@ export class KmsHierarchicalKeyRingNode
     cache,
     maxCacheSize,
     partitionId,
+    utf8Sorting,
   }: KmsHierarchicalKeyRingNodeInput) {
     super()
 
@@ -256,6 +259,17 @@ export class KmsHierarchicalKeyRingNode
     readOnlyProperty(this, 'maxCacheSize', maxCacheSize)
     readOnlyProperty(this, '_cmc', cache)
 
+    if (utf8Sorting) {
+      needs(
+        typeof utf8Sorting === 'boolean',
+        'The branch key id must be a string'
+      )
+    } else {
+      utf8Sorting = true
+    }
+
+    readOnlyProperty(this, 'utf8Sorting', utf8Sorting)
+
     Object.freeze(this)
     /* Postcondition: The HKR object must be frozen */
   }
@@ -299,7 +313,8 @@ export class KmsHierarchicalKeyRingNode
     const edk = wrapPlaintextDataKey(
       pdk,
       branchKeyMaterials,
-      encryptionMaterial
+      encryptionMaterial,
+      this.utf8Sorting
     )
 
     // return the modified encryption material with the new edk and newly
@@ -428,7 +443,8 @@ export class KmsHierarchicalKeyRingNode
         udk = unwrapEncryptedDataKey(
           ciphertext,
           branchKeyMaterials,
-          decryptionMaterial
+          decryptionMaterial,
+          this.utf8Sorting
         )
       } catch (e) {
         //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#ondecrypt
 
@@ -33,11 +33,7 @@ import {
   PROVIDER_ID_HIERARCHY_AS_BYTES,
 } from './constants'
 import { BranchKeyIdSupplier } from '@aws-crypto/kms-keyring'
-import {
-  serializeFactory,
-  SerializeOptions,
-  uuidv4Factory,
-} from '@aws-crypto/serialize'
+import { serializeFactory, uuidv4Factory } from '@aws-crypto/serialize'
 
 export const stringToUtf8Bytes = (input: string): Buffer =>
   Buffer.from(input, 'utf-8')
@@ -49,11 +45,6 @@ const hexBytesToString = (input: Uint8Array): string =>
   Buffer.from(input).toString('hex')
 export const { uuidv4ToCompressedBytes, decompressBytesToUuidv4 } =
   uuidv4Factory(stringToHexBytes, hexBytesToString)
-export const utf8Sorting: SerializeOptions = { utf8Sorting: false }
-export const { serializeEncryptionContext } = serializeFactory(
-  stringToUtf8Bytes,
-  utf8Sorting
-)
 
 export function getBranchKeyId(
   { branchKeyId, branchKeyIdSupplier }: IKmsHierarchicalKeyRingNode,
@@ -297,7 +288,8 @@ export function getPlaintextDataKey(material: NodeEncryptionMaterial) {
 export function wrapPlaintextDataKey(
   pdk: Uint8Array,
   branchKeyMaterials: NodeBranchKeyMaterial,
-  { encryptionContext }: NodeEncryptionMaterial
+  { encryptionContext }: NodeEncryptionMaterial,
+  utf8Sorting: boolean
 ): Uint8Array {
   // get what we need from branch key material to wrap the pdk
   const branchKey = branchKeyMaterials.branchKey()
@@ -326,7 +318,8 @@ export function wrapPlaintextDataKey(
   const wrappedAad = wrapAad(
     branchKeyIdAsBytes,
     branchKeyVersionAsBytesCompressed,
-    encryptionContext
+    encryptionContext,
+    utf8Sorting
   )
 
   // encrypt the pdk into an edk
@@ -368,18 +361,22 @@ export function wrapPlaintextDataKey(
 export function wrapAad(
   branchKeyIdAsBytes: Buffer,
   version: Buffer,
-  encryptionContext: EncryptionContext
+  encryptionContext: EncryptionContext,
+  utf8Sorting: boolean
 ) {
   /* Precondition: Branch key version must be 16 bytes */
   needs(version.length === 16, 'Branch key version must be 16 bytes')
+  const { serializeEncryptionContext } = serializeFactory(stringToUtf8Bytes, {
+    utf8Sorting: utf8Sorting,
+  })
 
   /* The AAD section is uInt16BE(length) + AAD
    * see: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html#header-aad
    * However, we  _only_ need the ADD.
    * So, I just slice off the length.
    */
   const aad = Buffer.from(
-    serializeEncryptionContext(encryptionContext, utf8Sorting).slice(2)
+    serializeEncryptionContext(encryptionContext).slice(2)
   )
 
   return Buffer.concat([
@@ -535,7 +532,8 @@ export function destructureCiphertext(
 export function unwrapEncryptedDataKey(
   ciphertext: Uint8Array,
   branchKeyMaterials: NodeBranchKeyMaterial,
-  { encryptionContext, suite }: NodeDecryptionMaterial
+  { encryptionContext, suite }: NodeDecryptionMaterial,
+  utf8Sorting: boolean
 ) {
   // get what we need from the branch key materials to unwrap the edk
   const branchKey = branchKeyMaterials.branchKey()
@@ -564,7 +562,8 @@ export function unwrapEncryptedDataKey(
   const wrappedAad = wrapAad(
     branchKeyIdAsBytes,
     branchKeyVersionAsBytesCompressed,
-    encryptionContext
+    encryptionContext,
+    utf8Sorting
   )
 
   // decipher the edk to get the udk/pdk
 
@@ -5,8 +5,6 @@ import { randomBytes } from 'crypto'
 import {
   wrapAad,
   destructureCiphertext,
-  serializeEncryptionContext,
-  utf8Sorting,
   unwrapEncryptedDataKey,
   wrapPlaintextDataKey,
 } from '../src/kms_hkeyring_node_helpers'
@@ -18,6 +16,7 @@ import {
   NodeDecryptionMaterial,
   NodeEncryptionMaterial,
 } from '@aws-crypto/material-management'
+import { serializeFactory, SerializeOptions } from '@aws-crypto/serialize'
 import { v4 } from 'uuid'
 
 describe('KmsHierarchicalKeyRingNode: helpers', () => {
@@ -110,11 +109,23 @@ describe('KmsHierarchicalKeyRingNode: helpers', () => {
     const encryptionContext = {
       key: 'value',
     }
+    const utf8Sorting: SerializeOptions = { utf8Sorting: false }
+    const stringToUtf8Bytes = (input: string): Buffer =>
+      Buffer.from(input, 'utf-8')
+    const { serializeEncryptionContext } = serializeFactory(
+      stringToUtf8Bytes,
+      utf8Sorting
+    )
 
     it('Precondition: Branch key version must be 16 bytes ', () => {
       const badVersion = randomBytes(15)
       expect(() =>
-        wrapAad(branchKeyIdAsBytes, badVersion, encryptionContext)
+        wrapAad(
+          branchKeyIdAsBytes,
+          badVersion,
+          encryptionContext,
+          utf8Sorting.utf8Sorting
+        )
       ).to.throw('Branch key version must be 16 bytes')
     })
 
@@ -129,7 +140,8 @@ describe('KmsHierarchicalKeyRingNode: helpers', () => {
         wrapAad(
           branchKeyIdAsBytes,
           branchKeyVersionAsBytes,
-          unserializeableEc as any
+          unserializeableEc as any,
+          utf8Sorting.utf8Sorting
         )
       ).to.throw()
     })
@@ -138,7 +150,8 @@ describe('KmsHierarchicalKeyRingNode: helpers', () => {
       const wrappedAad = wrapAad(
         branchKeyIdAsBytes,
         branchKeyVersionAsBytes,
-        encryptionContext
+        encryptionContext,
+        utf8Sorting.utf8Sorting
       )
 
       let startIdx = 0
@@ -157,10 +170,7 @@ describe('KmsHierarchicalKeyRingNode: helpers', () => {
       ).to.deep.equal(branchKeyVersionAsBytes)
 
       startIdx += branchKeyVersionAsBytes.length
-      const expectedAad = serializeEncryptionContext(
-        encryptionContext,
-        utf8Sorting
-      ).slice(2)
+      const expectedAad = serializeEncryptionContext(encryptionContext).slice(2)
       expect(wrappedAad.subarray(startIdx)).to.deep.equal(expectedAad)
     })
   })
@@ -204,15 +214,18 @@ describe('KmsHierarchicalKeyRingNode: helpers', () => {
           algSuite,
           encryptionContext
         )
+        const utf8Sorting: SerializeOptions = { utf8Sorting: false }
 
         const actualPdk = unwrapEncryptedDataKey(
           wrapPlaintextDataKey(
             expectedPdk,
             branchKeyMaterial,
-            encryptionMaterial
+            encryptionMaterial,
+            utf8Sorting.utf8Sorting
           ),
           branchKeyMaterial,
-          decryptionMaterial
+          decryptionMaterial,
+          utf8Sorting.utf8Sorting
         )
         expect(actualPdk).to.deep.equal(expectedPdk)
       }
@@ -259,12 +272,14 @@ describe('KmsHierarchicalKeyRingNode: helpers', () => {
           algSuite,
           encryptionContext
         )
+        const utf8Sorting: SerializeOptions = { utf8Sorting: false }
 
         expect(() =>
           unwrapEncryptedDataKey(
             ciphertext,
             branchKeyMaterial,
-            decryptionMaterial
+            decryptionMaterial,
+            utf8Sorting.utf8Sorting
           )
         ).to.throw('Unsupported state or unable to authenticate data')
       }
 
@@ -56,6 +56,7 @@ export type RawAesKeyringWebCryptoInput = {
   keyName: string
   masterKey: AwsEsdkJsCryptoKey
   wrappingSuite: WrappingSuiteIdentifier
+  utf8Sorting?: boolean | true
 }
 
 export class RawAesKeyringWebCrypto extends KeyringWebCrypto {
@@ -66,7 +67,8 @@ export class RawAesKeyringWebCrypto extends KeyringWebCrypto {
 
   constructor(input: RawAesKeyringWebCryptoInput) {
     super()
-    const { keyName, keyNamespace, masterKey, wrappingSuite } = input
+    const { keyName, keyNamespace, masterKey, wrappingSuite, utf8Sorting } =
+      input
     /* Precondition: AesKeyringWebCrypto needs identifying information for encrypt and decrypt. */
     needs(keyName && keyNamespace, 'Identifying information must be defined.')
     /* Precondition: RawAesKeyringWebCrypto requires a wrappingSuite to be a valid RawAesWrappingSuite. */
@@ -81,7 +83,8 @@ export class RawAesKeyringWebCrypto extends KeyringWebCrypto {
         flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
       })
 
-    const serializeOptions: SerializeOptions = { utf8Sorting: false }
+    const maybeUtf8Sorting = utf8Sorting ?? true
+    const serializeOptions: SerializeOptions = { utf8Sorting: maybeUtf8Sorting }
     const { serializeEncryptionContext } = serializeFactory(
       fromUtf8,
       serializeOptions
@@ -92,10 +95,9 @@ export class RawAesKeyringWebCrypto extends KeyringWebCrypto {
        * However, the RAW Keyring wants _only_ the ADD.
        * So, I just slice off the length.
        */
-      const aad = serializeEncryptionContext(
-        material.encryptionContext,
-        serializeOptions
-      ).slice(2)
+      const aad = serializeEncryptionContext(material.encryptionContext).slice(
+        2
+      )
       const { keyNamespace, keyName } = this
 
       return aesGcmWrapKey(
@@ -116,10 +118,9 @@ export class RawAesKeyringWebCrypto extends KeyringWebCrypto {
        * However, the RAW Keyring wants _only_ the ADD.
        * So, I just slice off the length.
        */
-      const aad = serializeEncryptionContext(
-        material.encryptionContext,
-        serializeOptions
-      ).slice(2)
+      const aad = serializeEncryptionContext(material.encryptionContext).slice(
+        2
+      )
       const { keyNamespace, keyName } = this
 
       return aesGcmUnwrapKey(