Add expiration

Author: seebees

modules/cache-material/src/cryptographic_materials_cache.ts

@@ -63,4 +63,5 @@ export interface DecryptionMaterialEntry<S extends SupportedAlgorithmSuites>
 
 export interface BranchKeyMaterialEntry {
   readonly response: BranchKeyMaterial
+  readonly now: number
 }

modules/cache-material/src/get_local_cryptographic_materials_cache.ts

@@ -121,6 +121,7 @@ export function getLocalCryptographicMaterialsCache<
 
       const entry = Object.seal({
         response: material,
+        now: Date.now(),
       })
 
       cache.set(key, entry, maxAge)

modules/kms-keyring-node/src/kms_hkeyring_node.ts

@@ -23,6 +23,7 @@ import {
   isDecryptionMaterial,
 } from '@aws-crypto/material-management'
 import {
+  BranchKeyMaterialEntry,
   CryptographicMaterialsCache,
   getLocalCryptographicMaterialsCache,
 } from '@aws-crypto/cache-material'
@@ -85,6 +86,7 @@ export interface IKmsHierarchicalKeyRingNode extends KeyringNode {
     material: NodeDecryptionMaterial,
     encryptedDataKeys: EncryptedDataKey[]
   ): Promise<NodeDecryptionMaterial>
+  cacheEntryHasExceededLimits(entry: BranchKeyMaterialEntry): boolean
 }
 
 export class KmsHierarchicalKeyRingNode
@@ -337,6 +339,21 @@ export class KmsHierarchicalKeyRingNode
     return material
   }
 
+  cacheEntryHasExceededLimits({ now }: BranchKeyMaterialEntry): boolean {
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
+    //# There MUST be a check (cacheEntryWithinLimits) to make sure that for the cache entry found, who's TTL has NOT expired,
+    //# `time.now() - cacheEntryCreationTime <= ttlSeconds` is true and
+    //# valid for TTL of the Hierarchical Keyring getting the cache entry.
+
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#ondecrypt
+    //# There MUST be a check (cacheEntryWithinLimits) to make sure that for the cache entry found, who's TTL has NOT expired,
+    //# `time.now() - cacheEntryCreationTime <= ttlSeconds` is true and
+    //# valid for TTL of the Hierarchical Keyring getting the cache entry.
+
+    const age = Date.now() - now
+    return age > this.cacheLimitTtl
+  }
+
   async _onDecrypt(
     decryptionMaterial: NodeDecryptionMaterial,
     encryptedDataKeyObjs: EncryptedDataKey[]

modules/kms-keyring-node/src/kms_hkeyring_node_helpers.ts

@@ -219,19 +219,27 @@ export function getCacheEntryId(
 }
 
 export async function getBranchKeyMaterials(
-  { keyStore, cacheLimitTtl }: IKmsHierarchicalKeyRingNode,
+  hKeyring: IKmsHierarchicalKeyRingNode,
   cmc: CryptographicMaterialsCache<NodeAlgorithmSuite>,
   branchKeyId: string,
   cacheEntryId: string,
   branchKeyVersion?: string
 ): Promise<NodeBranchKeyMaterial> {
+  const { keyStore, cacheLimitTtl } = hKeyring
+
   //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
   //# The hierarchical keyring MUST attempt to find [branch key materials](../structures.md#branch-key-materials)
   //# from the underlying [cryptographic materials cache](../local-cryptographic-materials-cache.md).
   const cacheEntry = cmc.getBranchKeyMaterial(cacheEntryId)
   let branchKeyMaterials: NodeBranchKeyMaterial
   // if the cache entry is false, branch key materials were not found
-  if (!cacheEntry) {
+  if (!cacheEntry || hKeyring.cacheEntryHasExceededLimits(cacheEntry)) {
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
+    //# If this is NOT true, then we MUST treat the cache entry as expired.
+
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#ondecrypt
+    //# If this is NOT true, then we MUST treat the cache entry as expired.
+
     //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#onencrypt
     //# If a cache entry is not found or the cache entry is expired, the hierarchical keyring MUST attempt to obtain the branch key materials
     //# by querying the backing branch keystore specified in the [retrieve OnEncrypt branch key materials](#query-branch-keystore-onencrypt) section.
@@ -245,8 +253,8 @@ export async function getBranchKeyMaterials(
     //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#getitem-branch-keystore-ondecrypt
     //# Otherwise, OnDecrypt MUST fail.
 
-    // get them from the keystore, whether we need the active or versioned
-    // material
+    //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#query-branch-keystore-onencrypt
+    //# OnEncrypt MUST call the Keystore's [GetActiveBranchKey](../branch-key-store.md#getactivebranchkey) operation with the following inputs:
 
     //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#getitem-branch-keystore-ondecrypt
     //# OnDecrypt MUST call the Keystore's [GetBranchKeyVersion](../branch-key-store.md#getbranchkeyversion) operation with the following inputs: