Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
} from '@aws-crypto/client-node'
import {
RsaKeyInfo, // eslint-disable-line no-unused-vars
AesKeyInfo, // eslint-disable-line no-unused-vars
KmsKeyInfo, // eslint-disable-line no-unused-vars
RSAKey, // eslint-disable-line no-unused-vars
AESKey, // eslint-disable-line no-unused-vars
KMSKey, // eslint-disable-line no-unused-vars
KeyInfoTuple // eslint-disable-line no-unused-vars
} from './types'
import { constants } from 'crypto'
const Bits2RawAesWrappingSuiteIdentifier: {[key: number]: WrappingSuiteIdentifier} = {
128: RawAesWrappingSuiteIdentifier.AES128_GCM_IV12_TAG16_NO_PADDING,
192: RawAesWrappingSuiteIdentifier.AES192_GCM_IV12_TAG16_NO_PADDING,
256: RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING
}
export function encryptMaterialsManagerNode (keyInfos: KeyInfoTuple[]) {
const [generator, ...children] = keyInfos.map(keyringNode)
return new MultiKeyringNode({ generator, children })
}
export function decryptMaterialsManagerNode (keyInfos: KeyInfoTuple[]) {
const children = keyInfos.map(keyringNode)
return new MultiKeyringNode({ children })
}
export function keyringNode ([ info, key ]: KeyInfoTuple) {
if (info.type === 'aws-kms' && key.type === 'aws-kms') {
return kmsKeyring(info, key)
}
* This is *only* to demonstrate how the CMK ARNs are configured.
*/
const keyIds = ['arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f']
/* The KMS keyring must be configured with the desired CMKs */
const kmsKeyring = new KmsKeyringNode({ generatorKeyId, keyIds })
/* You need to specify a name
* and a namespace for raw encryption key providers.
* The name and namespace that you use in the decryption keyring *must* be an exact,
* *case-sensitive* match for the name and namespace in the encryption keyring.
*/
const keyName = 'aes-name'
const keyNamespace = 'aes-namespace'
/* The wrapping suite defines the AES-GCM algorithm suite to use. */
const wrappingSuite = RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING
// Get your plaintext master key from wherever you store it.
const unencryptedMasterKey = randomBytes(32)
/* Configure the Raw AES Keyring. */
const aesKeyring = new RawAesKeyringNode({ keyName, keyNamespace, unencryptedMasterKey, wrappingSuite })
/* Combine the two keyrings with a MultiKeyring. */
const keyring = new MultiKeyringNode({ generator: kmsKeyring, children: [ aesKeyring ] })
/* Encryption context is a *very* powerful tool for controlling and managing access.
* It is ***not*** secret!
* Encrypted data is opaque.
* You can use an encryption context to assert things about the encrypted data.
* Just because you can decrypt something does not mean it is what you expect.
* For example, if you are are only expecting data from 'us-west-2',
* the origin can identify a malicious actor.
export async function aesTest () {
/* You need to specify a name
* and a namespace for raw encryption key providers.
* The name and namespace that you use in the decryption keyring *must* be an exact,
* *case-sensitive* match for the name and namespace in the encryption keyring.
*/
const keyName = 'aes-name'
const keyNamespace = 'aes-namespace'
/* The wrapping suite defines the AES-GCM algorithm suite to use. */
const wrappingSuite = RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING
// Get your plaintext master key from wherever you store it.
const unencryptedMasterKey = randomBytes(32)
/* Configure the Raw AES keyring. */
const keyring = new RawAesKeyringNode({ keyName, keyNamespace, unencryptedMasterKey, wrappingSuite })
/* Encryption context is a *very* powerful tool for controlling and managing access.
* It is ***not*** secret!
* Encrypted data is opaque.
* You can use an encryption context to assert things about the encrypted data.
* Just because you can decrypt something does not mean it is what you expect.
* For example, if you are are only expecting data from 'us-west-2',
* the origin can identify a malicious actor.
* See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
*/