diff --git a/modules/branch-keystore-node/src/branch_keystore.ts b/modules/branch-keystore-node/src/branch_keystore.ts
index 8dcd37975..13cfcc5c4 100644
--- a/modules/branch-keystore-node/src/branch_keystore.ts
+++ b/modules/branch-keystore-node/src/branch_keystore.ts
@@ -45,8 +45,11 @@ interface IBranchKeyStoreNode {
 //= type=implication
 //# - [GetKeyStoreInfo](#getkeystoreinfo)
 getKeyStoreInfo(): KeyStoreInfoOutput
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#operations
+ //= type=implication
+ //# - [VersionKey](#versionkey)
+ versionKey(input: VersionKeyInput): Promise
 }
-
 //= aws-encryption-sdk-specification/framework/branch-key-store.md#getkeystoreinfo
 //= type=implication
 //# This MUST include:
@@ -64,6 +67,10 @@ export interface KeyStoreInfoOutput {
 kmsConfiguration: KmsConfig
 }
 
+export interface VersionKeyInput {
+ branchKeyIdentifier: string
+}
+
 export class BranchKeyStoreNode implements IBranchKeyStoreNode {
 public declare readonly logicalKeyStoreName: string
 public declare readonly kmsConfiguration: Readonly
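Review bot: `VersionKeyInput` and the new `versionKey` member of `IBranchKeyStoreNode` are exported without any TSDoc, so a caller reading the types cannot tell that an empty `branchKeyIdentifier` is rejected or that the call is refused under a Discovery or MRDiscovery KMS configuration, both of which the implementation in this same file enforces with `needs`. I would put a TSDoc block above `versionKey(input: VersionKeyInput): Promise` stating that it rotates the ACTIVE branch key to a freshly generated version, that the previous version remains readable as a DECRYPT_ONLY record, and `@throws` entries for the empty-identifier and Discovery/MRDiscovery cases. On `VersionKeyInput`, `/** Identifier of the branch key whose ACTIVE version is rotated; must be non-empty. */` above `branchKeyIdentifier` is enough.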
@@ -383,6 +390,35 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
 return branchKeyMaterials
 }
 
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //# On invocation, the caller:
+ //# - MUST supply a `branch-key-id`
+ async versionKey(input: VersionKeyInput): Promise {
+ needs(input.branchKeyIdentifier, 'MUST supply a branch-key-id')
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //# If the Keystore's KMS Configuration is `Discovery` or `MRDiscovery`,
+ //# this operation MUST immediately fail.
+ needs(
+ typeof this.kmsConfiguration._config === 'object' &&
+ ('identifier' in this.kmsConfiguration._config ||
+ 'mrkIdentifier' in this.kmsConfiguration._config),
+ 'VersionKey is not supported with Discovery or MRDiscovery KMS Configuration'
+ )
+
+ const { versionActiveBranchKey } = await import('./key_helpers')
+ await versionActiveBranchKey({
+ branchKeyIdentifier: input.branchKeyIdentifier,
+ logicalKeyStoreName: this.logicalKeyStoreName,
+ kmsConfiguration: this.kmsConfiguration,
+ grantTokens: this.grantTokens,
+ kmsClient: this.kmsClient,
+ ddbClient: (this.storage as any).ddbClient,
+ ddbTableName: (this.storage as any).ddbTableName,
+ storage: this.storage,
+ })
+ }
+
 //= aws-encryption-sdk-specification/framework/branch-key-store.md#getkeystoreinfo
 //= type=implication
 //# This operation MUST return the keystore information in this keystore configuration.
diff --git a/modules/branch-keystore-node/src/key_helpers.ts b/modules/branch-keystore-node/src/key_helpers.ts
new file mode 100644
index 000000000..43f613c58
--- /dev/null
+++ b/modules/branch-keystore-node/src/key_helpers.ts
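Review bot: `ddbClient: (this.storage as any).ddbClient` and `ddbTableName: (this.storage as any).ddbTableName` reach through `any` into the storage object, so when `storage` is not the DynamoDB-backed implementation both values are `undefined`, neither `needs` check notices, and the failure only surfaces inside `versionActiveBranchKey` at the `TransactWriteItems` step — after `ReEncrypt` and `GenerateDataKeyWithoutPlaintext` have already run and a new wrapped branch key has been produced that is never persisted. Fail before any KMS call instead, e.g. `needs((this.storage as any).ddbClient && (this.storage as any).ddbTableName, 'VersionKey requires DynamoDB-backed storage')`, or better, expose the client and table name (or a write operation) on `IBranchKeyStorage` so the cast disappears. The `await import('./key_helpers')` also deserves a one-line comment explaining why a static import is avoided (presumably a circular dependency), since it moves any module-load error to the first `versionKey` call. This check is also where the Discovery/MRDiscovery test duplicates the `getKmsKeyArn` logic in `key_helpers.ts`; one helper would keep the two in step.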
@@ -0,0 +1,268 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import {
+ KMSClient,
+ GenerateDataKeyWithoutPlaintextCommand,
+ ReEncryptCommand,
+} from '@aws-sdk/client-kms'
+import {
+ DynamoDBClient,
+ TransactWriteItemsCommand,
+} from '@aws-sdk/client-dynamodb'
+import { v4 } from 'uuid'
+import { needs } from '@aws-crypto/material-management'
+import { KmsKeyConfig } from './kms_config'
+import {
+ BRANCH_KEY_IDENTIFIER_FIELD,
+ TYPE_FIELD,
+ BRANCH_KEY_FIELD,
+ KEY_CREATE_TIME_FIELD,
+ HIERARCHY_VERSION_FIELD,
+ TABLE_FIELD,
+ BRANCH_KEY_TYPE_PREFIX,
+ BRANCH_KEY_ACTIVE_TYPE,
+ BRANCH_KEY_ACTIVE_VERSION_FIELD,
+} from './constants'
+import { IBranchKeyStorage } from './types'
+
+interface VersionKeyParams {
+ branchKeyIdentifier: string
+ logicalKeyStoreName: string
+ kmsConfiguration: Readonly
+ grantTokens?: ReadonlyArray
+ kmsClient: KMSClient
+ ddbClient: DynamoDBClient
+ ddbTableName: string
+ storage: IBranchKeyStorage
+}
+
+//= aws-encryption-sdk-specification/framework/branch-key-store.md#branch-key-and-beacon-key-creation
+//# - `timestamp`: a timestamp for the current time.
+//# This timestamp MUST be in ISO 8601 format in UTC, to microsecond precision
+//# (e.g. "YYYY-MM-DDTHH:mm:ss.ssssssZ")
+function getCurrentTimestamp(): string {
+ const now = new Date()
+ return now.toISOString().replace('Z', '000Z')
+}
+
+//= aws-encryption-sdk-specification/framework/branch-key-store.md#active-encryption-context
+//# The ACTIVE encryption context value of the `type` attribute MUST equal to `"branch:ACTIVE"`.
+//# The ACTIVE encryption context MUST have a `version` attribute.
+//# The `version` attribute MUST store the branch key version formatted like `"branch:version:"` + `version`.
+function buildActiveEncryptionContext(decryptOnlyContext: {
+ [key: string]: string
+}): { [key: string]: string } {
+ const activeContext = { ...decryptOnlyContext }
+ activeContext[BRANCH_KEY_ACTIVE_VERSION_FIELD] = activeContext[TYPE_FIELD]
+ activeContext[TYPE_FIELD] = BRANCH_KEY_ACTIVE_TYPE
+ return activeContext
+}
+
+function toAttributeMap(
+ encryptionContext: { [key: string]: string },
+ ciphertextBlob: Uint8Array
+): { [key: string]: any } {
+ const item: { [key: string]: any } = {}
+
+ for (const [key, value] of Object.entries(encryptionContext)) {
+ if (key === TABLE_FIELD) continue
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#writing-branch-key-and-beacon-key-to-keystore
+ //# - "hierarchy-version" (N): 1
+ if (key === HIERARCHY_VERSION_FIELD) {
+ item[key] = { N: value }
+ } else {
+ item[key] = { S: value }
+ }
+ }
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#writing-branch-key-and-beacon-key-to-keystore
+ //# - "enc" (B): the wrapped DECRYPT_ONLY Branch Key `CiphertextBlob` from the KMS operation
+ item[BRANCH_KEY_FIELD] = { B: ciphertextBlob }
+
+ return item
+}
+
+function getKmsKeyArn(
+ kmsConfiguration: Readonly
+): string | undefined {
+ return typeof kmsConfiguration._config === 'object' &&
+ 'identifier' in kmsConfiguration._config
+ ? kmsConfiguration._config.identifier
+ : typeof kmsConfiguration._config === 'object' &&
+ 'mrkIdentifier' in kmsConfiguration._config
+ ? kmsConfiguration._config.mrkIdentifier
+ : undefined
+}
+
+//= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+//# On invocation, the caller:
+//# - MUST supply a `branch-key-id`
+export async function versionActiveBranchKey(
+ params: VersionKeyParams
+): Promise {
+ const {
+ branchKeyIdentifier,
+ logicalKeyStoreName,
+ kmsConfiguration,
+ grantTokens,
+ kmsClient,
+ ddbClient,
+ ddbTableName,
+ storage,
+ } = params
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //# VersionKey MUST first get the active version for the branch key from the keystore
+ //# by calling AWS DDB `GetItem` using the `branch-key-id` as the Partition Key
+ //# and `"branch:ACTIVE"` value as the Sort Key.
+ const activeKey = await storage.getEncryptedActiveBranchKey(
+ branchKeyIdentifier
+ )
+
+ needs(
+ activeKey.branchKeyId === branchKeyIdentifier,
+ 'Unexpected branch key id'
+ )
+
+ needs(
+ activeKey.encryptionContext[TABLE_FIELD] === logicalKeyStoreName,
+ 'Unexpected logical table name'
+ )
+
+ const kmsKeyArn = getKmsKeyArn(kmsConfiguration)
+ needs(kmsKeyArn, 'KMS Key ARN is required')
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //# The `kms-arn` field of DDB response item MUST be compatible with
+ //# the configured `KMS ARN` in the AWS KMS Configuration for this keystore.
+ const oldActiveContext = activeKey.encryptionContext
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#authenticating-a-keystore-item
+ //# The operation MUST call AWS KMS API ReEncrypt with a request constructed as follows:
+ //# - `SourceEncryptionContext` MUST be the encryption context constructed above
+ //# - `SourceKeyId` MUST be compatible with the configured KMS Key in the AWS KMS Configuration for this keystore.
+ //# - `CiphertextBlob` MUST be the `enc` attribute value on the AWS DDB response item
+ //# - `GrantTokens` MUST be the configured grant tokens.
+ //# - `DestinationKeyId` MUST be compatible with the configured KMS Key in the AWS KMS Configuration for this keystore.
+ //# - `DestinationEncryptionContext` MUST be the encryption context constructed above
+ await kmsClient.send(
+ new ReEncryptCommand({
+ SourceKeyId: kmsKeyArn,
+ SourceEncryptionContext: oldActiveContext,
+ CiphertextBlob: activeKey.ciphertextBlob,
+ DestinationKeyId: kmsKeyArn,
+ DestinationEncryptionContext: oldActiveContext,
+ GrantTokens: grantTokens ? [...grantTokens] : undefined,
+ })
+ )
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#branch-key-and-beacon-key-creation
+ //# - `version`: a new guid. This guid MUST be version 4 UUID
+ const branchKeyVersion = v4()
+ const timestamp = getCurrentTimestamp()
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //# The wrapped Branch Keys, DECRYPT_ONLY and ACTIVE,
+ //# MUST be created according to Wrapped Branch Key Creation.
+ const decryptOnlyContext: { [key: string]: string } = {
+ ...oldActiveContext,
+ [TYPE_FIELD]: `${BRANCH_KEY_TYPE_PREFIX}${branchKeyVersion}`,
+ [KEY_CREATE_TIME_FIELD]: timestamp,
+ }
+ delete decryptOnlyContext[BRANCH_KEY_ACTIVE_VERSION_FIELD]
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#wrapped-branch-key-creation
+ //# The operation MUST call AWS KMS API GenerateDataKeyWithoutPlaintext
+ //# with a request constructed as follows:
+ //# - `KeyId` MUST be the configured `AWS KMS Key ARN` in the AWS KMS Configuration for this keystore.
+ //# - `NumberOfBytes` MUST be 32.
+ //# - `EncryptionContext` MUST be the DECRYPT_ONLY encryption context for branch keys.
+ //# - GenerateDataKeyWithoutPlaintext `GrantTokens` MUST be this keystore's grant tokens.
+ const decryptOnlyResponse = await kmsClient.send(
+ new GenerateDataKeyWithoutPlaintextCommand({
+ KeyId: kmsKeyArn,
+ NumberOfBytes: 32,
+ EncryptionContext: decryptOnlyContext,
+ GrantTokens: grantTokens ? [...grantTokens] : undefined,
+ })
+ )
+
+ needs(
+ decryptOnlyResponse.CiphertextBlob,
+ 'Failed to generate new DECRYPT_ONLY branch key'
+ )
+
+ const newActiveContext = buildActiveEncryptionContext(decryptOnlyContext)
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#wrapped-branch-key-creation
+ //# The operation MUST call AWS KMS API ReEncrypt with a request constructed as follows:
+ //# - `SourceEncryptionContext` MUST be the DECRYPT_ONLY encryption context for branch keys.
+ //# - `SourceKeyId` MUST be the configured `AWS KMS Key ARN` in the AWS KMS Configuration for this keystore.
+ //# - `CiphertextBlob` MUST be the wrapped DECRYPT_ONLY Branch Key.
+ //# - `DestinationKeyId` MUST be the configured `AWS KMS Key ARN` in the AWS KMS Configuration for this keystore.
+ //# - `DestinationEncryptionContext` MUST be the ACTIVE encryption context for branch keys.
+ const activeResponse = await kmsClient.send(
+ new ReEncryptCommand({
+ SourceKeyId: kmsKeyArn,
+ SourceEncryptionContext: decryptOnlyContext,
+ CiphertextBlob: decryptOnlyResponse.CiphertextBlob,
+ DestinationKeyId: kmsKeyArn,
+ DestinationEncryptionContext: newActiveContext,
+ GrantTokens: grantTokens ? [...grantTokens] : undefined,
+ })
+ )
+
+ needs(
+ activeResponse.CiphertextBlob,
+ 'Failed to generate new ACTIVE branch key'
+ )
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //# To add the new branch key to the keystore,
+ //# the operation MUST call Amazon DynamoDB API TransactWriteItems.
+ //# The call to Amazon DynamoDB TransactWriteItems MUST use the configured Amazon DynamoDB Client to make the call.
+ await ddbClient.send(
+ new TransactWriteItemsCommand({
+ TransactItems: [
+ {
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //# - PUT:
+ //# - ConditionExpression: `attribute_not_exists(branch-key-id)`
+ Put: {
+ TableName: ddbTableName,
+ Item: toAttributeMap(
+ decryptOnlyContext,
+ decryptOnlyResponse.CiphertextBlob
+ ),
+ ConditionExpression: 'attribute_not_exists(#bkid)',
+ ExpressionAttributeNames: {
+ '#bkid': BRANCH_KEY_IDENTIFIER_FIELD,
+ },
+ },
+ },
+ {
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //# - PUT:
+ //# - ConditionExpression: `attribute_exists(branch-key-id) AND enc = :encOld`
+ //# - ExpressionAttributeValues: `{":encOld" := DDB.AttributeValue.B(oldCiphertextBlob)}`
+ Put: {
+ TableName: ddbTableName,
+ Item: toAttributeMap(
+ newActiveContext,
+ activeResponse.CiphertextBlob
+ ),
+ ConditionExpression: 'attribute_exists(#bkid) AND #enc = :encOld',
+ ExpressionAttributeNames: {
+ '#bkid': BRANCH_KEY_IDENTIFIER_FIELD,
+ '#enc': BRANCH_KEY_FIELD,
+ },
+ ExpressionAttributeValues: {
+ ':encOld': { B: activeKey.ciphertextBlob },
+ },
+ },
+ },
+ ],
+ })
+ )
+}
diff --git a/modules/branch-keystore-node/test/branch_keystore.test.ts b/modules/branch-keystore-node/test/branch_keystore.test.ts
index d581d8e3a..d4add7bfe 100644
--- a/modules/branch-keystore-node/test/branch_keystore.test.ts
+++ b/modules/branch-keystore-node/test/branch_keystore.test.ts
@@ -20,6 +20,7 @@ import {
 BRANCH_KEY_ACTIVE_VERSION,
 BRANCH_KEY_ACTIVE_VERSION_UTF8_BYTES,
 BRANCH_KEY_ID,
+ BRANCH_KEY_ID_WITH_EC,
 DDB_TABLE_NAME,
 INCORRECT_LOGICAL_NAME,
 KEY_ARN,
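Review bot: The citation `//# The `kms-arn` field of DDB response item MUST be compatible with the configured `KMS ARN`` sits directly above `const oldActiveContext = activeKey.encryptionContext`, but no comparison follows it; the only thing enforcing it is KMS rejecting the first `ReEncryptCommand` when `SourceKeyId: kmsKeyArn` does not match the key that produced `activeKey.ciphertextBlob`. Because `decryptOnlyContext` is built from `...oldActiveContext`, whatever `kms-arn` value the old record carried is copied unchanged into the new DECRYPT_ONLY and ACTIVE records rather than being the configured ARN, so a stale or replica ARN would propagate silently. I would compare the old context's `kms-arn` attribute (the `KMS_FIELD` constant the fixtures use) with `kmsKeyArn` before any KMS call, MRK-aware for the `mrkIdentifier` case and presumably with the same helper the read path already uses, and fail with a clear message; at minimum, a comment should state that the ReEncrypt call is what performs this check. Separately, `toAttributeMap` returns `{ [key: string]: any }`; `Record<string, AttributeValue>` from `@aws-sdk/client-dynamodb` types the item without `any`.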
@@ -750,4 +751,124 @@ describe('Test Branch keystore', () => {
 )
 ).to.be.rejectedWith(IncorrectKeyException))
 })
+
+ describe('VersionKey', () => {
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //= type=test
+ //# On invocation, the caller:
+ //# - MUST supply a `branch-key-id`
+ it('MUST fail if no branch-key-id is provided', async () => {
+ const keyStore = new BranchKeyStoreNode({
+ kmsConfiguration: { identifier: KEY_ARN },
+ logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+ storage: { ddbTableName: DDB_TABLE_NAME },
+ })
+
+ await expect(
+ keyStore.versionKey({ branchKeyIdentifier: '' })
+ ).to.be.rejectedWith('MUST supply a branch-key-id')
+
+ await expect(
+ keyStore.versionKey({ branchKeyIdentifier: undefined as any })
+ ).to.be.rejectedWith('MUST supply a branch-key-id')
+
+ await expect(
+ keyStore.versionKey({ branchKeyIdentifier: null as any })
+ ).to.be.rejectedWith('MUST supply a branch-key-id')
+ })
+
+ //= aws-encryption-sdk-specification/framework/branch-key-store.md#versionkey
+ //= type=test
+ //# If the Keystore's KMS Configuration is `Discovery` or `MRDiscovery`,
+ //# this operation MUST immediately fail.
+ it('MUST fail with Discovery KMS Configuration', async () => {
+ const keyStore = new BranchKeyStoreNode({
+ kmsConfiguration: 'discovery',
+ logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+ storage: { ddbTableName: DDB_TABLE_NAME },
+ })
+
+ await expect(
+ keyStore.versionKey({ branchKeyIdentifier: BRANCH_KEY_ID })
+ ).to.be.rejectedWith(
+ 'VersionKey is not supported with Discovery or MRDiscovery KMS Configuration'
+ )
+ })
+
+ it('MUST fail with MRDiscovery KMS Configuration', async () => {
+ const keyStore = new BranchKeyStoreNode({
+ kmsConfiguration: { region: 'us-west-2' },
+ logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+ storage: { ddbTableName: DDB_TABLE_NAME },
+ })
+
+ await expect(
+ keyStore.versionKey({ branchKeyIdentifier: BRANCH_KEY_ID })
+ ).to.be.rejectedWith(
+ 'VersionKey is not supported with Discovery or MRDiscovery KMS Configuration'
+ )
+ })
+
+ it('MUST fail if branch key does not exist', async () => {
+ const kmsClient = new KMSClient({})
+ const ddbClient = new DynamoDBClient({})
+ const keyStore = new BranchKeyStoreNode({
+ kmsConfiguration: { identifier: KEY_ARN },
+ logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+ storage: { ddbTableName: DDB_TABLE_NAME, ddbClient },
+ keyManagement: { kmsClient },
+ })
+
+ await expect(
+ keyStore.versionKey({
+ branchKeyIdentifier: 'non-existent-branch-key-id',
+ })
+ ).to.be.rejectedWith('was not found')
+ })
+
+ it('Test version key for existing branch key', async () => {
+ const kmsClient = new KMSClient({})
+ const ddbClient = new DynamoDBClient({})
+ const keyStore = new BranchKeyStoreNode({
+ kmsConfiguration: { identifier: KEY_ARN },
+ logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+ storage: { ddbTableName: DDB_TABLE_NAME, ddbClient },
+ keyManagement: { kmsClient },
+ })
+
+ // Get active key before versioning
+ const before = await keyStore.getActiveBranchKey(BRANCH_KEY_ID_WITH_EC)
+ const oldVersion = before.branchKeyVersion.toString('utf8')
+
+ // Version the key
+ await keyStore.versionKey({
+ branchKeyIdentifier: BRANCH_KEY_ID_WITH_EC, // Use BRANCH_KEY_ID_WITH_EC to avoid mutating the primary test fixture.
+ })
+
+ // Get active key after versioning
+ const after = await keyStore.getActiveBranchKey(BRANCH_KEY_ID_WITH_EC)
+ const newVersion = after.branchKeyVersion.toString('utf8')
+
+ // New version must differ from old
+ expect(newVersion).to.not.equal(oldVersion)
+
+ // New version must be a valid UUID
+ expect(validate(newVersion)).to.be.true
+ expect(version(newVersion)).to.equal(4)
+
+ // Branch key ID unchanged
+ expect(after.branchKeyIdentifier).to.equal(BRANCH_KEY_ID_WITH_EC)
+
+ // Decrypted key is 32 bytes
+ expect(after.branchKey().length).to.equal(32)
+
+ // Old version is still retrievable
+ const oldMaterial = await keyStore.getBranchKeyVersion(
+ BRANCH_KEY_ID_WITH_EC,
+ oldVersion
+ )
+ expect(oldMaterial.branchKey().length).to.equal(32)
+ expect(oldMaterial.branchKeyIdentifier).to.equal(BRANCH_KEY_ID_WITH_EC)
+ })
+ })
 })
diff --git a/modules/branch-keystore-node/test/fixtures.ts b/modules/branch-keystore-node/test/fixtures.ts
index 79c7b374b..53980b4c0 100644
--- a/modules/branch-keystore-node/test/fixtures.ts
+++ b/modules/branch-keystore-node/test/fixtures.ts
@@ -18,7 +18,7 @@ import {
 export const DDB_TABLE_NAME = 'KeyStoreDdbTable'
 export const LOGICAL_KEYSTORE_NAME = DDB_TABLE_NAME
 export const BRANCH_KEY_ID = '3f43a9af-08c5-4317-b694-3d3e883dcaef'
-export const BRANCH_KEY_ACTIVE_VERSION = 'a4905627-4b7f-4272-a847-f50dae245737'
+export const BRANCH_KEY_ACTIVE_VERSION = 'caf0c508-e64d-4b6c-bffe-381cbc546c02'
 export const BRANCH_KEY_ID_WITH_EC = '4bb57643-07c1-419e-92ad-0df0df149d7c'
 export const BRANCH_KEY_ACTIVE_VERSION_UTF8_BYTES = Buffer.from(
 BRANCH_KEY_ACTIVE_VERSION,
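Review bot: `Test version key for existing branch key` never reads back the DECRYPT_ONLY record that the first `Put` in the transaction writes: it asserts the new ACTIVE version and that `oldVersion` is still retrievable, but not that `getBranchKeyVersion(BRANCH_KEY_ID_WITH_EC, newVersion)` succeeds, so a transaction that wrote only the ACTIVE item would pass. After the UUID assertions add `const newMaterial = await keyStore.getBranchKeyVersion(BRANCH_KEY_ID_WITH_EC, newVersion)` and `expect(newMaterial.branchKey()).to.deep.equal(after.branchKey())`, which also checks that the ACTIVE and DECRYPT_ONLY records wrap the same key material. Note that this test runs against live KMS and DynamoDB and appends a new version item to the shared table on every run with no cleanup; the comment `// Use BRANCH_KEY_ID_WITH_EC to avoid mutating the primary test fixture.` only partly covers that, and the growth should at least be stated in the `it` description or the describe block's header.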
@@ -39,7 +39,7 @@ export const LYING_BRANCH_KEY_DECRYPT_ONLY_VERSION =
 
 // may not be active currently, but serves structural purpose
 const ENCRYPTED_ACTIVE_BRANCH_KEY_CIPHERTEXT_BASE64 =
- 'AQICAHhTIzkciiF5TDB8qaCjctFmv6Dx+AQICAHhTIzkciiF5TDB8qaCjctFmv6Dx+4yjarauOA4MtH0jwgFHXGFS6janEEbpRnd0qbBJAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMQLI9FLotey+qbs/CAgEQgDtqHnL1epEEpixeJCOG16V4cozeww9wMc82h7SSvXHP9PHTycAScLYZi2YICMka+QnZmPj4qP/9mb1xWQ==/7VWpSPAgEQgDuxKdGTboqxDhxBV1FQUVia8OFaQsLlPkuhwgc82tMhH9T2vAvsHGZPyPoK8zCG2xEjo3KIos8N1YK7mA=='
+ 'AQICAHhTIzkciiF5TDB8qaCjctFmv6Dx+4yjarauOA4MtH0jwgFrAysFMwuTXIlzPuKZBKlPAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMPOLzNZ+AMDyjR071AgEQgDvqeTDjLIQknoIIXMr3Q3/HepXoFcbGIzT8zhJYUlEFYm5P972/EWbYRlMQdsftQ4SUkLpL0+R3PS+7FA=='
 const ENCRYPTED_ACTIVE_BRANCH_KEY_CIPHERTEXT = new Uint8Array(
 // @ts-ignore
 Buffer.from(ENCRYPTED_ACTIVE_BRANCH_KEY_CIPHERTEXT_BASE64, 'base64')
@@ -51,7 +51,7 @@ export const ENCRYPTED_ACTIVE_BRANCH_KEY = new EncryptedHierarchicalKey(
 [TYPE_FIELD]: BRANCH_KEY_ACTIVE_TYPE,
 [BRANCH_KEY_ACTIVE_VERSION_FIELD]:
 `branch:version:${BRANCH_KEY_ACTIVE_VERSION}` as BranchKeyVersionType,
- [KEY_CREATE_TIME_FIELD]: '2025-04-04T22:29:59.000549Z',
+ [KEY_CREATE_TIME_FIELD]: '2026-03-09T22:46:57.871000Z',
 [HIERARCHY_VERSION_FIELD]: '1',
 [KMS_FIELD]: KEY_ARN,
 [TABLE_FIELD]: LOGICAL_KEYSTORE_NAME,
@@ -60,7 +60,7 @@ export const ENCRYPTED_ACTIVE_BRANCH_KEY = new EncryptedHierarchicalKey(
 )
 
 const ENCRYPTED_VERSION_BRANCH_KEY_CIPHERTEXT_BASE64 =
- 'AQIBAHhTIzkciiF5TDB8qaCjctFmv6Dx+4yjarauOA4MtH0jwgHZhG1KfZ/k1VQMBZzo0X+GAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMG5wDTuB2qzfR/mOKAgEQgDtbcAO39/bHj6BGaqgZTd3DSKHmpORsoaHLilWhAHryOlSjAiXK1NZxil7hOLcxjBzKE0QsMAaWJVtwag=='
+ 'AQIBAHhTIzkciiF5TDB8qaCjctFmv6Dx+4yjarauOA4MtH0jwgElsc+vieODk1/lpgx33YonAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMxajcxtSzD9dRiQK7AgEQgDs2f+mmWMql5NujKIPdvBX/zxNiOlUQAJcZfMZfqVyLWdPE+g9qbHJu0fs7nIY3xDglQvwE1MCaw+vsNQ=='
 const ENCRYPTED_VERSION_BRANCH_KEY_CIPHERTEXT = new Uint8Array(
 // @ts-ignore
 Buffer.from(ENCRYPTED_VERSION_BRANCH_KEY_CIPHERTEXT_BASE64, 'base64')
@@ -71,7 +71,7 @@ export const ENCRYPTED_VERSION_BRANCH_KEY = new EncryptedHierarchicalKey(
 [BRANCH_KEY_IDENTIFIER_FIELD]: BRANCH_KEY_ID,
 [TYPE_FIELD]:
 `branch:version:${BRANCH_KEY_ACTIVE_VERSION}` as BranchKeyVersionType,
- [KEY_CREATE_TIME_FIELD]: '2025-04-04T22:29:59.000549Z',
+ [KEY_CREATE_TIME_FIELD]: '2026-03-09T22:46:57.871000Z',
 [HIERARCHY_VERSION_FIELD]: '1',
 [KMS_FIELD]: KEY_ARN,
 [TABLE_FIELD]: LOGICAL_KEYSTORE_NAME,
@@ -84,7 +84,7 @@ export const ACTIVE_BRANCH_KEY: BranchKeyRecord = {
 [TYPE_FIELD]: BRANCH_KEY_ACTIVE_TYPE,
 [BRANCH_KEY_ACTIVE_VERSION_FIELD]:
 `branch:version:${BRANCH_KEY_ACTIVE_VERSION}` as BranchKeyVersionType,
- [KEY_CREATE_TIME_FIELD]: '2025-04-04T22:29:59.000549Z',
+ [KEY_CREATE_TIME_FIELD]: '2026-03-09T22:46:57.871000Z',
 [HIERARCHY_VERSION_FIELD]: 1,
 [KMS_FIELD]: KEY_ARN,
 [BRANCH_KEY_FIELD]: ENCRYPTED_ACTIVE_BRANCH_KEY_CIPHERTEXT,
@@ -94,7 +94,7 @@ export const VERSION_BRANCH_KEY: BranchKeyRecord = {
 [BRANCH_KEY_IDENTIFIER_FIELD]: BRANCH_KEY_ID,
 [TYPE_FIELD]:
 `branch:version:${BRANCH_KEY_ACTIVE_VERSION}` as BranchKeyVersionType,
- [KEY_CREATE_TIME_FIELD]: '2025-04-04T22:29:59.000549Z',
+ [KEY_CREATE_TIME_FIELD]: '2026-03-09T22:46:57.871000Z',
 [HIERARCHY_VERSION_FIELD]: 1,
 [KMS_FIELD]: KEY_ARN,
 [BRANCH_KEY_FIELD]: ENCRYPTED_VERSION_BRANCH_KEY_CIPHERTEXT,
diff --git a/modules/kms-keyring-node/test/fixtures.ts b/modules/kms-keyring-node/test/fixtures.ts
index 264498ff2..dd671ecaf 100644
--- a/modules/kms-keyring-node/test/fixtures.ts
+++ b/modules/kms-keyring-node/test/fixtures.ts
@@ -11,7 +11,7 @@ import {
 export const DDB_TABLE_NAME = 'KeyStoreDdbTable'
 export const LOGICAL_KEYSTORE_NAME = DDB_TABLE_NAME
 export const BRANCH_KEY_ID = '3f43a9af-08c5-4317-b694-3d3e883dcaef'
-export const BRANCH_KEY_ACTIVE_VERSION = 'a4905627-4b7f-4272-a847-f50dae245737'
+export const BRANCH_KEY_ACTIVE_VERSION = 'caf0c508-e64d-4b6c-bffe-381cbc546c02'
 export const BRANCH_KEY_ID_WITH_EC = '4bb57643-07c1-419e-92ad-0df0df149d7c'
 export const KEY_ARN =