@@ -9,42 +9,27 @@ import {
99} from '@aws-crypto/kms-keyring'
1010import { needs } from '@aws-crypto/material-management'
1111
12- //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
13- //# This configures the Keystore's KMS Key ARN restrictions, which determines
14- //# which KMS Key(s) is used to wrap and unwrap the keys stored in Amazon DynamoDB.
15- //# There are four (4) options:
16- // an enumerated type to represent the type of option selected by the config
1712enum KmsConfigurationType {
1813 Discovery ,
1914 MrDiscovery ,
2015 KmsKeyArn ,
2116 KmsMrKeyArn ,
2217}
2318
24- //# Discovery
2519export const Discovery = KmsConfigurationType . Discovery
26- //# MRDiscovery
2720export const MrDiscovery = KmsConfigurationType . MrDiscovery
28- //# Single Region Key Compatibility, denoted as `KMS Key ARN`
2921export const KmsKeyArn = KmsConfigurationType . KmsKeyArn
30- //# Multi Region Key Compatibility, denoted as `KMS MRKey ARN`
3122export const KmsMrKeyArn = KmsConfigurationType . KmsMrKeyArn
3223
33- //# `Discovery` does not take an additional argument.
3424export interface DiscoveryKmsConfiguration {
3525 type : KmsConfigurationType . Discovery
3626}
3727
38- //# `MRDiscovery` MUST take an additional argument, which is a region.
39- //# Any MRK ARN discovered will be changed to this region before use.
4028export interface MrDiscoveryKmsConfiguration {
4129 type : KmsConfigurationType . MrDiscovery
4230 region : string
4331}
4432
45- //# `KMS Key ARN` and `KMS MRKey ARN` MUST take an additional argument
46- //# that is a KMS ARN. This ARN MUST NOT be an Alias. This ARN MUST be a valid
47- //# [AWS KMS Key ARN](./aws-kms/aws-kms-key-arn.md#a-valid-aws-kms-arn).
4833export interface KmsKeyArnConfiguration {
4934 type : KmsConfigurationType . KmsKeyArn
5035 kmsArn : string
@@ -214,30 +199,21 @@ export class KeyStoreKmsConfiguration {
214199 * @thows "Configuration has no KMS ARN" - if option is not set to SRK/MRK
215200 */
216201 isArnCompatibleWith ( otherArn : string ) : boolean {
217- //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
218- //# If the [AWS KMS Configuration](#aws-kms-configuration) is Discovery or MRDiscovery,
219- //# no comparison is ever made between ARNs.
220202 const thisArn : string = this . getArn ( ) // this will error out if option is set to Discovery or MRDiscovery
221- //# If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
222- //# then two ARNs are compatible if they are exactly equal.
223203 if ( thisArn === otherArn ) return true
224204
225205 const thisParsedArn : ParsedAwsKmsKeyArn =
226206 this . _getParsedAwsKmsKeyArn ( thisArn )
227207 const otherParsedArn : ParsedAwsKmsKeyArn =
228208 this . _getParsedAwsKmsKeyArn ( otherArn )
229209
230- //# If the [AWS KMS Configuration](#aws-kms-configuration) designates MRK ARN compatibility,
231210 if (
232211 ! isMultiRegionAwsKmsArn ( thisParsedArn ) ||
233212 ! isMultiRegionAwsKmsArn ( otherParsedArn )
234213 ) {
235214 return false
236215 }
237216
238- //# If the [AWS KMS Configuration](#aws-kms-configuration) designates MRK ARN compatibility,
239- //# then two ARNs are compatible if they are equal in all parts other than the region.
240- //# That is, they are compatible if [AWS KMS MRK Match for Decrypt](aws-kms/aws-kms-mrk-match-for-decrypt.md#implementation) returns true.
241217 return (
242218 thisParsedArn . Partition === otherParsedArn . Partition &&
243219 thisParsedArn . AccountId === otherParsedArn . AccountId &&
0 commit comments