texastony
diff --git a/‎.gitmodules‎
Lines changed: 2 additions & 1 deletion b/‎.gitmodules‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎aws-encryption-sdk-test-vectors‎ b/‎aws-encryption-sdk-test-vectors‎
diff --git a/‎modules/client-browser/src/index.ts‎
Lines changed: 7 additions & 4 deletions b/‎modules/client-browser/src/index.ts‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎modules/client-node/src/index.ts‎
Lines changed: 7 additions & 4 deletions b/‎modules/client-node/src/index.ts‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎modules/decrypt-browser/src/decrypt.ts‎
Lines changed: 12 additions & 2 deletions b/‎modules/decrypt-browser/src/decrypt.ts‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎modules/decrypt-browser/src/decrypt_client.ts‎
Lines changed: 18 additions & 2 deletions b/‎modules/decrypt-browser/src/decrypt_client.ts‎
Lines changed: 18 additions & 2 deletions
diff --git a/‎modules/decrypt-browser/src/index.ts‎
Lines changed: 1 addition & 0 deletions b/‎modules/decrypt-browser/src/index.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎modules/decrypt-browser/test/decrypt.test.ts‎
Lines changed: 61 additions & 3 deletions b/‎modules/decrypt-browser/test/decrypt.test.ts‎
Lines changed: 61 additions & 3 deletions
diff --git a/‎modules/decrypt-browser/test/decrypt_client.test.ts‎
Lines changed: 25 additions & 1 deletion b/‎modules/decrypt-browser/test/decrypt_client.test.ts‎
Lines changed: 25 additions & 1 deletion
@@ -1,3 +1,4 @@
 [submodule "aws-encryption-sdk-test-vectors"]
 path = aws-encryption-sdk-test-vectors
-url = https://github.com/awslabs/aws-encryption-sdk-test-vectors.git
+url = https://github.com/awslabs/private-aws-encryption-sdk-test-vectors-staging.git
+branch = known-invalid-test-vectors
@@ -63,7 +63,7 @@ A multi keyring can be used to compose keyrings together.
 ### Wrapping Keys
 
 Wrapping keys are used to protect data keys.
-An example of a wrapping key is a `KMS customer master key (CMK)`_.
+An example of a wrapping key is a `KMS customer master key (CMK)`.
 
 ### Data Keys
 
 
@@ -10,16 +10,19 @@ export * from '@aws-crypto/raw-aes-keyring-browser'
 export * from '@aws-crypto/raw-rsa-keyring-browser'
 export * from '@aws-crypto/web-crypto-backend'
 
-import { CommitmentPolicy } from '@aws-crypto/material-management-browser'
+import {
+ CommitmentPolicy,
+ ClientOptions,
+} from '@aws-crypto/material-management-browser'
 
 import { buildEncrypt } from '@aws-crypto/encrypt-browser'
 import { buildDecrypt } from '@aws-crypto/decrypt-browser'
 
 export function buildClient(
- commitmentPolicy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+ options?: CommitmentPolicy | ClientOptions
 ): ReturnType<typeof buildEncrypt> & ReturnType<typeof buildDecrypt> {
  return {
- ...buildEncrypt(commitmentPolicy),
- ...buildDecrypt(commitmentPolicy),
+ ...buildEncrypt(options),
+ ...buildDecrypt(options),
  }
 }
@@ -9,16 +9,19 @@ export * from '@aws-crypto/kms-keyring-node'
 export * from '@aws-crypto/raw-aes-keyring-node'
 export * from '@aws-crypto/raw-rsa-keyring-node'
 
-import { CommitmentPolicy } from '@aws-crypto/material-management-node'
+import {
+ CommitmentPolicy,
+ ClientOptions,
+} from '@aws-crypto/material-management-node'
 
 import { buildEncrypt } from '@aws-crypto/encrypt-node'
 import { buildDecrypt } from '@aws-crypto/decrypt-node'
 
 export function buildClient(
- commitmentPolicy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+ options?: CommitmentPolicy | ClientOptions
 ): ReturnType<typeof buildEncrypt> & ReturnType<typeof buildDecrypt> {
  return {
- ...buildEncrypt(commitmentPolicy),
- ...buildDecrypt(commitmentPolicy),
+ ...buildEncrypt(options),
+ ...buildDecrypt(options),
  }
 }
@@ -11,6 +11,7 @@ import {
  WebCryptoMaterialsManager,
  CommitmentPolicy,
  CommitmentPolicySuites,
+ ClientOptions,
 } from '@aws-crypto/material-management-browser'
 import {
  deserializeSignature,
@@ -34,20 +35,29 @@ export interface DecryptResult {
 }
 
 export async function _decrypt(
- commitmentPolicy: CommitmentPolicy,
+ { commitmentPolicy, maxEncryptedDataKeys }: ClientOptions,
  cmm: KeyringWebCrypto | WebCryptoMaterialsManager,
  ciphertext: Uint8Array
 ): Promise<DecryptResult> {
  /* Precondition: _decrypt needs a valid commitmentPolicy. */
  needs(CommitmentPolicy[commitmentPolicy], 'Invalid commitment policy.')
 
+ // buildDecrypt defaults this to false for backwards compatibility, so this is satisfied
+ /* Precondition: _decrypt needs a valid maxEncryptedDataKeys. */
+ needs(
+ maxEncryptedDataKeys === false || maxEncryptedDataKeys >= 1,
+ 'Invalid maxEncryptedDataKeys value.'
+ )
+
  /* If the cmm is a Keyring, wrap it with WebCryptoDefaultCryptographicMaterialsManager. */
  cmm =
  cmm instanceof KeyringWebCrypto
  ? new WebCryptoDefaultCryptographicMaterialsManager(cmm)
  : cmm
 
- const headerInfo = deserialize.deserializeMessageHeader(ciphertext)
+ const headerInfo = deserialize.deserializeMessageHeader(ciphertext, {
+ maxEncryptedDataKeys,
+ })
  if (headerInfo === false) throw new Error('Unable to parse Header')
  const { messageHeader, algorithmSuite } = headerInfo
  const { rawHeader, headerAuth } = headerInfo
 
@@ -4,6 +4,7 @@
 import { _decrypt } from './decrypt'
 import {
  CommitmentPolicy,
+ ClientOptions,
  needs,
 } from '@aws-crypto/material-management-browser'
 
@@ -15,13 +16,28 @@ type CurryFirst<fn extends (...a: any[]) => any> = fn extends (
  : []
 
 export function buildDecrypt(
- commitmentPolicy: CommitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+ options: CommitmentPolicy | Partial<ClientOptions> = {}
 ): {
  decrypt: (...args: CurryFirst<typeof _decrypt>) => ReturnType<typeof _decrypt>
 } {
+ const {
+ commitmentPolicy = CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
+ maxEncryptedDataKeys = false,
+ } = typeof options === 'string' ? { commitmentPolicy: options } : options
+
  /* Precondition: browser buildDecrypt needs a valid commitmentPolicy. */
  needs(CommitmentPolicy[commitmentPolicy], 'Invalid commitment policy.')
+ /* Precondition: browser buildDecrypt needs a valid maxEncryptedDataKeys. */
+ needs(
+ maxEncryptedDataKeys === false || maxEncryptedDataKeys >= 1,
+ 'Invalid maxEncryptedDataKeys value.'
+ )
+
+ const clientOptions: ClientOptions = {
+ commitmentPolicy,
+ maxEncryptedDataKeys,
+ }
  return {
- decrypt: _decrypt.bind({}, commitmentPolicy),
+ decrypt: _decrypt.bind({}, clientOptions),
  }
 }
@@ -2,4 +2,5 @@
 // SPDX-License-Identifier: Apache-2.0
 
 export { buildDecrypt } from './decrypt_client'
+export { DecryptResult } from './decrypt'
 export { MessageHeader } from '@aws-crypto/serialize'
@@ -4,6 +4,7 @@
 /* eslint-env mocha */
 
 import * as chai from 'chai'
+// @ts-ignore
 import chaiAsPromised from 'chai-as-promised'
 import { buildDecrypt } from '../src/index'
 import { _decrypt } from '../src/decrypt'
@@ -44,14 +45,34 @@ describe('decrypt', () => {
 
  it('Precondition: _decrypt needs a valid commitmentPolicy.', async () => {
  await expect(
- _decrypt('fake_policy' as any, {} as any, {} as any)
+ _decrypt(
+ { commitmentPolicy: 'fake_policy' as any, maxEncryptedDataKeys: false },
+ {} as any,
+ {} as any
+ )
  ).to.rejectedWith(Error, 'Invalid commitment policy.')
  })
 
+ it('Precondition: _decrypt needs a valid maxEncryptedDataKeys.', async () => {
+ await expect(
+ _decrypt(
+ {
+ commitmentPolicy: CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
+ maxEncryptedDataKeys: 0,
+ },
+ {} as any,
+ {} as any
+ )
+ ).to.rejectedWith(Error, 'Invalid maxEncryptedDataKeys value.')
+ })
+
  it('Precondition: The parsed header algorithmSuite in _decrypt must be supported by the commitmentPolicy.', async () => {
  await expect(
  _decrypt(
- CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
+ {
+ commitmentPolicy: CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
+ maxEncryptedDataKeys: false,
+ },
  fixtures.decryptKeyring(),
  fixtures.base64CiphertextAlgAes256GcmIv12Tag16HkdfSha384EcdsaP384With4Frames()
  )
@@ -74,7 +95,10 @@ describe('decrypt', () => {
  } as any
  await expect(
  _decrypt(
- CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
+ {
+ commitmentPolicy: CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
+ maxEncryptedDataKeys: false,
+ },
  cmm,
  fromBase64(fixtures.compatibilityVectors().tests[0].ciphertext)
  )
@@ -142,6 +166,40 @@ describe('decrypt', () => {
  await expect(decrypt(keyring, data.slice(0, i))).to.rejectedWith(Error)
  }
  })
+
+ it('can decrypt data with less than maxEncryptedDataKeys', async () => {
+ const { decrypt } = buildDecrypt({
+ commitmentPolicy: CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT,
+ maxEncryptedDataKeys: 3,
+ })
+ const { plaintext } = await decrypt(
+ fixtures.decryptKeyring(),
+ fixtures.twoEdksMessage()
+ )
+ expect(plaintext).to.deep.equal(Buffer.from('asdf'))
+ })
+
+ it('can decrypt data with exactly maxEncryptedDataKeys', async () => {
+ const { decrypt } = buildDecrypt({
+ commitmentPolicy: CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT,
+ maxEncryptedDataKeys: 3,
+ })
+ const { plaintext } = await decrypt(
+ fixtures.decryptKeyring(),
+ fixtures.threeEdksMessage()
+ )
+ expect(plaintext).to.deep.equal(Buffer.from('asdf'))
+ })
+
+ it('will not decrypt data with more than maxEncryptedDataKeys', async () => {
+ const { decrypt } = buildDecrypt({
+ commitmentPolicy: CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT,
+ maxEncryptedDataKeys: 3,
+ })
+ await expect(
+ decrypt(fixtures.decryptKeyring(), fixtures.fourEdksMessage())
+ ).to.rejectedWith(Error, 'maxEncryptedDataKeys exceeded.')
+ })
 })
 
 // prettier-ignore
 
@@ -4,6 +4,7 @@
 /* eslint-env mocha */
 
 import * as chai from 'chai'
+// @ts-ignore
 import chaiAsPromised from 'chai-as-promised'
 import { CommitmentPolicy } from '@aws-crypto/material-management-node'
 import { buildDecrypt } from '../src/index'
@@ -13,11 +14,34 @@ const { expect } = chai
 
 describe('buildDecrypt', () => {
  it('can build a client', () => {
+ const test = buildDecrypt()
+ expect(test).to.have.property('decrypt').and.to.be.a('function')
+ })
+
+ it('can build a client with a commitment policy', () => {
  const test = buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
  expect(test).to.have.property('decrypt').and.to.be.a('function')
  })
 
+ it('can build a client with max encrypted data keys', () => {
+ for (const numKeys of [1, 10, Math.pow(2, 16) - 1, Math.pow(2, 16)]) {
+ const test = buildDecrypt({ maxEncryptedDataKeys: numKeys })
+ expect(test).to.have.property('decrypt').and.to.be.a('function')
+ }
+ })
+
  it('Precondition: browser buildDecrypt needs a valid commitmentPolicy.', () => {
- expect(() => buildDecrypt({} as any)).to.throw('Invalid commitment policy.')
+ expect(() => buildDecrypt('BAD_POLICY' as any)).to.throw(
+ 'Invalid commitment policy.'
+ )
+ })
+
+ it('Precondition: browser buildDecrypt needs a valid maxEncryptedDataKeys.', () => {
+ expect(() => buildDecrypt({ maxEncryptedDataKeys: 0 })).to.throw(
+ 'Invalid maxEncryptedDataKeys value.'
+ )
+ expect(() => buildDecrypt({ maxEncryptedDataKeys: -1 })).to.throw(
+ 'Invalid maxEncryptedDataKeys value.'
+ )
  })
 })