@@ -9,42 +9,27 @@ import {
9
9
} from '@aws-crypto/kms-keyring'
10
10
import { needs } from '@aws-crypto/material-management'
11
11
12
- //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
13
- //# This configures the Keystore's KMS Key ARN restrictions, which determines
14
- //# which KMS Key(s) is used to wrap and unwrap the keys stored in Amazon DynamoDB.
15
- //# There are four (4) options:
16
- // an enumerated type to represent the type of option selected by the config
17
12
enum KmsConfigurationType {
18
13
Discovery ,
19
14
MrDiscovery ,
20
15
KmsKeyArn ,
21
16
KmsMrKeyArn ,
22
17
}
23
18
24
- //# Discovery
25
19
export const Discovery = KmsConfigurationType . Discovery
26
- //# MRDiscovery
27
20
export const MrDiscovery = KmsConfigurationType . MrDiscovery
28
- //# Single Region Key Compatibility, denoted as `KMS Key ARN`
29
21
export const KmsKeyArn = KmsConfigurationType . KmsKeyArn
30
- //# Multi Region Key Compatibility, denoted as `KMS MRKey ARN`
31
22
export const KmsMrKeyArn = KmsConfigurationType . KmsMrKeyArn
32
23
33
- //# `Discovery` does not take an additional argument.
34
24
export interface DiscoveryKmsConfiguration {
35
25
type : KmsConfigurationType . Discovery
36
26
}
37
27
38
- //# `MRDiscovery` MUST take an additional argument, which is a region.
39
- //# Any MRK ARN discovered will be changed to this region before use.
40
28
export interface MrDiscoveryKmsConfiguration {
41
29
type : KmsConfigurationType . MrDiscovery
42
30
region : string
43
31
}
44
32
45
- //# `KMS Key ARN` and `KMS MRKey ARN` MUST take an additional argument
46
- //# that is a KMS ARN. This ARN MUST NOT be an Alias. This ARN MUST be a valid
47
- //# [AWS KMS Key ARN](./aws-kms/aws-kms-key-arn.md#a-valid-aws-kms-arn).
48
33
export interface KmsKeyArnConfiguration {
49
34
type : KmsConfigurationType . KmsKeyArn
50
35
kmsArn : string
@@ -214,30 +199,21 @@ export class KeyStoreKmsConfiguration {
214
199
* @thows "Configuration has no KMS ARN" - if option is not set to SRK/MRK
215
200
*/
216
201
isArnCompatibleWith ( otherArn : string ) : boolean {
217
- //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
218
- //# If the [AWS KMS Configuration](#aws-kms-configuration) is Discovery or MRDiscovery,
219
- //# no comparison is ever made between ARNs.
220
202
const thisArn : string = this . getArn ( ) // this will error out if option is set to Discovery or MRDiscovery
221
- //# If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
222
- //# then two ARNs are compatible if they are exactly equal.
223
203
if ( thisArn === otherArn ) return true
224
204
225
205
const thisParsedArn : ParsedAwsKmsKeyArn =
226
206
this . _getParsedAwsKmsKeyArn ( thisArn )
227
207
const otherParsedArn : ParsedAwsKmsKeyArn =
228
208
this . _getParsedAwsKmsKeyArn ( otherArn )
229
209
230
- //# If the [AWS KMS Configuration](#aws-kms-configuration) designates MRK ARN compatibility,
231
210
if (
232
211
! isMultiRegionAwsKmsArn ( thisParsedArn ) ||
233
212
! isMultiRegionAwsKmsArn ( otherParsedArn )
234
213
) {
235
214
return false
236
215
}
237
216
238
- //# If the [AWS KMS Configuration](#aws-kms-configuration) designates MRK ARN compatibility,
239
- //# then two ARNs are compatible if they are equal in all parts other than the region.
240
- //# That is, they are compatible if [AWS KMS MRK Match for Decrypt](aws-kms/aws-kms-mrk-match-for-decrypt.md#implementation) returns true.
241
217
return (
242
218
thisParsedArn . Partition === otherParsedArn . Partition &&
243
219
thisParsedArn . AccountId === otherParsedArn . AccountId &&