Updates to H-Keyring

Author: seebees

modules/branch-keystore-node/src/branch_keystore.ts

@@ -26,17 +26,23 @@ interface IBranchKeyStoreNode {
     branchKeyId: string,
     branchKeyVersion: string
   ): Promise<NodeBranchKeyMaterial>
+  getKeyStoreInfo(): KeyStoreInfoOutput
+}
+
+export interface KeyStoreInfoOutput {
+  keystoreId: string
+  keystoreTableName: string
+  logicalKeyStoreName: string
+  grantTokens: string[]
+  kmsConfiguration: KmsConfig
 }
 
 export class BranchKeyStoreNode implements IBranchKeyStoreNode {
-  // public declare ddbTableName: string
   public declare logicalKeyStoreName: string
   public declare kmsConfiguration: Readonly<KmsConfig>
   public declare kmsClient: KMSClient
-  // public declare ddbClient: DynamoDBClient
   public declare keyStoreId: string
   public declare grantTokens?: ReadonlyArray<string>
-
   public declare storage: IBranchKeyStorage
 
   constructor({
@@ -87,6 +93,8 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     }
     readOnlyProperty(this, 'storage', this.storage)
 
+    needs(logicalKeyStoreName == this.storage.getKeyStorageInfo().logicalName, 'TODO Error')
+
     /* Precondition: Keystore id must be a string */
     if (keyStoreId) {
       needs(typeof keyStoreId === 'string', 'Keystore id must be a string')
@@ -267,6 +275,17 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     )
     return branchKeyMaterials
   }
+
+  getKeyStoreInfo(): KeyStoreInfoOutput
+  {
+    return {
+      keystoreId: this.keyStoreId,
+      keystoreTableName: this.storage.getKeyStorageInfo().name,
+      logicalKeyStoreName: this.logicalKeyStoreName,
+      grantTokens: !!this.grantTokens ? this.grantTokens.slice() : [],
+      kmsConfiguration: this.kmsConfiguration
+    }
+  }
 }
 
 immutableClass(BranchKeyStoreNode)

modules/branch-keystore-node/src/dynamodb_key_storage.ts

@@ -109,6 +109,13 @@ export class DynamoDBKeyStorage implements IBranchKeyStorage {
       ddbBranchKeyRecord[BRANCH_KEY_FIELD]
     )
   }
+
+  getKeyStorageInfo() {
+    return {
+      name: this.ddbTableName,
+      logicalName: this.logicalKeyStoreName
+    }
+  }
 }
 
 immutableClass(DynamoDBKeyStorage)

modules/branch-keystore-node/src/types.ts

@@ -181,6 +181,12 @@ export interface IBranchKeyStorage {
     branchKeyId: string,
     branchKeyVersion: string
   ): Promise<EncryptedHierarchicalKey>
+
+  //= aws-encryption-sdk-specification/framework/key-store/key-storage.md#interface
+  //= type=implication
+  //# - [GetKeyStorageInfo](#getkeystorageinfo)
+
+  getKeyStorageInfo(): { name: string, logicalName: string }
 }
 
 //= aws-encryption-sdk-specification/framework/key-store/key-storage.md#type
@@ -247,5 +253,4 @@ export interface BranchKeyStoreNodeInput {
 
 //= aws-encryption-sdk-specification/framework/key-store/key-storage.md#interface
 //= type=exception
-//# - [GetEncryptedBeaconKey](#getencryptedbeaconkey)
-//# - [GetKeyStorageInfo](#getkeystorageinfo)
+//# - [GetEncryptedBeaconKey](#getencryptedbeaconkey)

modules/caching-materials-manager-node/src/caching_materials_manager_node.ts

@@ -67,3 +67,7 @@ export class NodeCachingMaterialsManager
   _cacheEntryHasExceededLimits =
     cacheEntryHasExceededLimits<NodeAlgorithmSuite>()
 }
+//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#appendix-a-cache-entry-identifier-formulas
+//# When accessing the underlying cryptographic materials cache,
+//# the hierarchical keyring MUST use the formulas specified in this appendix
+//# in order to compute the [cache entry identifier](../cryptographic-materials-cache.md#cache-identifier).

modules/kms-keyring-node/src/constants.ts

@@ -4,7 +4,7 @@
 import { KeyringTraceFlag } from '@aws-crypto/material-management'
 
 export const ACTIVE_AS_BYTES = Buffer.from('ACTIVE', 'utf-8')
-export const CACHE_ENTRY_ID_DIGEST_ALGORITHM = 'sha512'
+export const CACHE_ENTRY_ID_DIGEST_ALGORITHM = 'sha384'
 export const KDF_DIGEST_ALGORITHM_SHA_256 = 'sha256'
 export const ENCRYPT_FLAGS =
   KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY |
@@ -18,7 +18,7 @@ export const PROVIDER_ID_HIERARCHY_AS_BYTES = Buffer.from(
   'utf-8'
 )
 export const DERIVED_BRANCH_KEY_LENGTH = 32
-export const CACHE_ENTRY_ID_LENGTH = 32
+// export const CACHE_ENTRY_ID_LENGTH = 32
 export const KEY_DERIVATION_LABEL = Buffer.from(PROVIDER_ID_HIERARCHY, 'utf-8')
 export const CIPHERTEXT_STRUCTURE = {
   saltLength: 16,

modules/kms-keyring-node/src/kms_hkeyring_node.ts

@@ -41,26 +41,27 @@ import {
   stringToUtf8Bytes,
 } from './kms_hkeyring_node_helpers'
 import {
-  IBranchKeyStoreNode,
+  BranchKeyStoreNode,
   isIBranchKeyStoreNode,
 } from '@aws-crypto/branch-keystore-node'
 import {
   BranchKeyIdSupplier,
   isBranchKeyIdSupplier,
 } from '@aws-crypto/kms-keyring'
+import { randomBytes } from 'crypto'
 
 export interface KmsHierarchicalKeyRingNodeInput {
   branchKeyId?: string
   branchKeyIdSupplier?: BranchKeyIdSupplier
-  keyStore: IBranchKeyStoreNode
+  keyStore: BranchKeyStoreNode
   cacheLimitTtl: number
   maxCacheSize?: number
 }
 
 export interface IKmsHierarchicalKeyRingNode extends KeyringNode {
   branchKeyId?: string
   branchKeyIdSupplier?: Readonly<BranchKeyIdSupplier>
-  keyStore: Readonly<IBranchKeyStoreNode>
+  keyStore: Readonly<BranchKeyStoreNode>
   cacheLimitTtl: number
   maxCacheSize: number
   _onEncrypt(material: NodeEncryptionMaterial): Promise<NodeEncryptionMaterial>
@@ -76,10 +77,12 @@ export class KmsHierarchicalKeyRingNode
 {
   public declare branchKeyId?: string
   public declare branchKeyIdSupplier?: Readonly<BranchKeyIdSupplier>
-  public declare keyStore: Readonly<IBranchKeyStoreNode>
+  public declare keyStore: Readonly<BranchKeyStoreNode>
+  public declare _logicalKeyStoreName: Buffer 
   public declare cacheLimitTtl: number
   public declare maxCacheSize: number
   private _cmc: CryptographicMaterialsCache<NodeAlgorithmSuite>
+  declare readonly _partition: Buffer
 
   constructor({
     branchKeyId,
@@ -90,6 +93,10 @@ export class KmsHierarchicalKeyRingNode
   }: KmsHierarchicalKeyRingNodeInput) {
     super()
 
+    const partition = randomBytes(64)
+    readOnlyProperty(this, '_partition', partition)
+    readOnlyProperty(this, '_logicalKeyStoreName', stringToUtf8Bytes(keyStore.logicalKeyStoreName))    
+
     /* Precondition: The branch key id must be a string */
     if (branchKeyId) {
       needs(
@@ -205,7 +212,11 @@ export class KmsHierarchicalKeyRingNode
 
     // compute the cache entry id for the active branch key material that we
     // want
-    const cacheEntryId = getCacheEntryId(branchKeyId)
+    const cacheEntryId = getCacheEntryId(
+      this._logicalKeyStoreName,
+      this._partition,
+      branchKeyId
+    )
 
     //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
     //# If a cache entry is found and the entry's TTL has not expired, the hierarchical keyring MUST use those branch key materials for key wrapping.
@@ -317,6 +328,8 @@ export class KmsHierarchicalKeyRingNode
         // compute the cache entry id for the versioned branch key material that we
         // want
         const cacheEntryId = getCacheEntryId(
+          this._logicalKeyStoreName,
+          this._partition,
           branchKeyId,
           branchKeyVersionAsBytes
         )

modules/kms-keyring-node/src/kms_hkeyring_node_helpers.ts

@@ -19,13 +19,13 @@ import {
   createHash,
   randomBytes,
 } from 'crypto'
-import { uInt32BE } from '@aws-crypto/serialize'
+// import { uInt32BE } from '@aws-crypto/serialize'
 import { CryptographicMaterialsCache } from '@aws-crypto/cache-material'
 import { kdfCounterMode } from '@aws-crypto/kdf-ctr-mode-node'
 import {
-  ACTIVE_AS_BYTES,
+  // ACTIVE_AS_BYTES,
   CACHE_ENTRY_ID_DIGEST_ALGORITHM,
-  CACHE_ENTRY_ID_LENGTH,
+  // CACHE_ENTRY_ID_LENGTH,
   CIPHERTEXT_STRUCTURE,
   DECRYPT_FLAGS,
   DERIVED_BRANCH_KEY_LENGTH,
@@ -50,8 +50,8 @@ export const { uuidv4ToCompressedBytes, decompressBytesToUuidv4 } =
   uuidv4Factory(stringToHexBytes, hexBytesToString)
 export const { serializeEncryptionContext } =
   serializeFactory(stringToUtf8Bytes)
-const stringToAsciiBytes = (input: string): Buffer =>
-  Buffer.from(input, 'ascii')
+// const stringToAsciiBytes = (input: string): Buffer =>
+//   Buffer.from(input, 'ascii')
 
 export function getBranchKeyId(
   { branchKeyId, branchKeyIdSupplier }: IKmsHierarchicalKeyRingNode,
@@ -68,45 +68,51 @@ export function getBranchKeyId(
   )
 }
 
+const RESOURCE_ID = new Uint8Array([0x02])
+const NULL_BYTE = new Uint8Array([0x00])
+const DECRYPTION_SCOPE = new Uint8Array([0x02])
+const ENCRYPTION_SCOPE = new Uint8Array([0x01])
+
 export function getCacheEntryId(
+  logicalKeyStoreName: Buffer,
+  partitionId: Buffer,
   branchKeyId: string,
   versionAsBytes?: Buffer
 ): string {
   // get branch key id as a byte array
   const branchKeyIdAsBytes = stringToUtf8Bytes(branchKeyId)
 
-  // convert version to ascii bytes if supplied
-  let versionAsAsciiBytes: Buffer | undefined = undefined
-  if (versionAsBytes) {
-    const versionAsString = utf8BytesToString(versionAsBytes)
-    // conversion will always work because version is a uuid
-    versionAsAsciiBytes = stringToAsciiBytes(versionAsString)
-  }
-
-  // get the length of the branch key id buffer as a byte array
-  const lengthAsBytes = uInt32BE(branchKeyId.length)
-
-  // encrypt the branch key id buffer with sha512
-  const branchKeyDigest = createHash(CACHE_ENTRY_ID_DIGEST_ALGORITHM)
-    .update(branchKeyIdAsBytes)
-    .digest()
-
-  // form a buffer for the cache entry id
-  const identifier = Buffer.concat([
-    lengthAsBytes,
-    branchKeyDigest,
-    new Uint8Array([0x00]),
-    versionAsAsciiBytes || ACTIVE_AS_BYTES,
+  const entryInfo = versionAsBytes
+  ? Buffer.concat([
+    RESOURCE_ID,
+    NULL_BYTE,
+    DECRYPTION_SCOPE,
+    NULL_BYTE,
+    partitionId,
+    NULL_BYTE,
+    logicalKeyStoreName,
+    NULL_BYTE,
+    branchKeyIdAsBytes,
+    NULL_BYTE,
+    versionAsBytes
   ])
+  : Buffer.concat([
+    RESOURCE_ID,
+    NULL_BYTE,
+    ENCRYPTION_SCOPE,
+    NULL_BYTE,
+    partitionId,
+    NULL_BYTE,
+    logicalKeyStoreName,
+    NULL_BYTE,
+    branchKeyIdAsBytes
+  ]) 
 
-  // encrypt the cache entry id buffer with sha512
-  const cacheDigest = createHash(CACHE_ENTRY_ID_DIGEST_ALGORITHM)
-    .update(identifier)
+  // encrypt the branch key id buffer with sha512
+  return createHash(CACHE_ENTRY_ID_DIGEST_ALGORITHM)
+    .update(entryInfo)
     .digest()
-
-  // get the first 32 bytes of the digest
-  // get the cache entry id as a string
-  return cacheDigest.subarray(0, CACHE_ENTRY_ID_LENGTH).toString()
+    .toString()
 }
 
 export async function getBranchKeyMaterials(

modules/kms-keyring-node/test/fixtures.ts

@@ -27,7 +27,7 @@ export const TEST_ESDK_ALG_SUITE = new NodeAlgorithmSuite(
 )
 export const TTL = 1 * 60000 * 10
 export const KEYSTORE = new BranchKeyStoreNode({
-  ddbTableName: DDB_TABLE_NAME,
+  storage: {ddbTableName: DDB_TABLE_NAME},
   logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
   kmsConfiguration: new SrkCompatibilityKmsConfig(KEY_ARN),
 })

modules/kms-keyring-node/test/kms_hkeyring_node.constructor.test.ts

@@ -27,7 +27,7 @@ const branchKeyId = BRANCH_KEY_ID
 const cacheLimitTtl = TTL
 const maxCacheSize = 1000
 const keyStore = new BranchKeyStoreNode({
-  ddbTableName: DDB_TABLE_NAME,
+  storage: {ddbTableName: DDB_TABLE_NAME},
   logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
   kmsConfiguration: new SrkCompatibilityKmsConfig(KEY_ARN),
 })