fix!: Remove Keyring Trace (aws#402)

resolves: aws#351

As outlined the intention of
the keyring trace
is better satisfied
by constructing correct keyrings and CMMs.

BREAKING CHANGE:

- Remove trace from all cryptographic materials.
- Remove KeyringTrace exports

Author: seebees

modules/cache-material/test/caching_cryptographic_materials_decorators.test.ts

@@ -17,7 +17,6 @@ import { createHash } from 'crypto'
 import {
   NodeAlgorithmSuite,
   AlgorithmSuiteIdentifier,
-  KeyringTraceFlag,
   EncryptedDataKey,
   NodeEncryptionMaterial,
   NodeDecryptionMaterial,
@@ -202,37 +201,22 @@ describe('Cryptographic Material Functions', () => {
     15,
     16,
   ])
-  const encryptTrace = {
-    keyNamespace: 'keyNamespace',
-    keyName: 'keyName',
-    flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-  }
-  const decryptTrace = {
-    keyNamespace: 'keyNamespace',
-    keyName: 'keyName',
-    flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-  }
 
   const edk1 = new EncryptedDataKey({
     providerId: 'keyNamespace',
     providerInfo: 'keyName',
     encryptedDataKey: new Uint8Array([1]),
   })
-  const edk2 = new EncryptedDataKey({
-    providerId: 'p2',
-    providerInfo: 'pi2',
-    encryptedDataKey: new Uint8Array([2]),
-  })
 
-  const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
-    .setUnencryptedDataKey(udk128, encryptTrace)
-    .addEncryptedDataKey(edk1, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
-    .addEncryptedDataKey(edk2, KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY)
+  const encryptionMaterial = new NodeEncryptionMaterial(
+    nodeSuite,
+    {}
+  ).setUnencryptedDataKey(udk128)
 
   const decryptionMaterial = new NodeDecryptionMaterial(
     nodeSuite,
     {}
-  ).setUnencryptedDataKey(udk128, decryptTrace)
+  ).setUnencryptedDataKey(udk128)
 
   const context = {}
 
@@ -392,11 +376,6 @@ describe('Cryptographic Material Functions', () => {
         15,
         16,
       ])
-      const encryptTrace = {
-        keyNamespace: 'keyNamespace',
-        keyName: 'keyName',
-        flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-      }
 
       const edk1 = new EncryptedDataKey({
         providerId: 'keyNamespace',
@@ -410,15 +389,9 @@ describe('Cryptographic Material Functions', () => {
       })
 
       const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
-        .setUnencryptedDataKey(udk128, encryptTrace)
-        .addEncryptedDataKey(
-          edk1,
-          KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-        )
-        .addEncryptedDataKey(
-          edk2,
-          KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-        )
+        .setUnencryptedDataKey(udk128)
+        .addEncryptedDataKey(edk1)
+        .addEncryptedDataKey(edk2)
 
       const testCMM = {
         _partition,
@@ -482,11 +455,6 @@ describe('Cryptographic Material Functions', () => {
         15,
         16,
       ])
-      const encryptTrace = {
-        keyNamespace: 'keyNamespace',
-        keyName: 'keyName',
-        flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-      }
 
       const edk1 = new EncryptedDataKey({
         providerId: 'keyNamespace',
@@ -500,15 +468,9 @@ describe('Cryptographic Material Functions', () => {
       })
 
       const encryptionMaterial = new NodeEncryptionMaterial(nodeSuite, {})
-        .setUnencryptedDataKey(udk128, encryptTrace)
-        .addEncryptedDataKey(
-          edk1,
-          KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-        )
-        .addEncryptedDataKey(
-          edk2,
-          KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-        )
+        .setUnencryptedDataKey(udk128)
+        .addEncryptedDataKey(edk1)
+        .addEncryptedDataKey(edk2)
 
       const testCMM = {
         _partition,

modules/decrypt-browser/test/fixtures.ts

@@ -7,7 +7,6 @@ import {
   WebCryptoDecryptionMaterial,
   WebCryptoEncryptionMaterial,
   KeyringWebCrypto,
-  KeyringTraceFlag,
   importForWebCryptoDecryptionMaterial,
 } from '@aws-crypto/material-management-browser'
 
@@ -6359,13 +6358,8 @@ class TestKeyring extends KeyringWebCrypto {
     const unencryptedDataKey = new Uint8Array(
       material.suite.keyLengthBytes
     ).fill(0)
-    const trace = {
-      keyNamespace: 'k',
-      keyName: 'k',
-      flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-    }
     return importForWebCryptoDecryptionMaterial(
-      material.setUnencryptedDataKey(unencryptedDataKey, trace)
+      material.setUnencryptedDataKey(unencryptedDataKey)
     )
   }
 }

modules/decrypt-node/test/fixtures.ts

@@ -7,7 +7,6 @@ import {
   NodeDecryptionMaterial,
   NodeEncryptionMaterial,
   KeyringNode,
-  KeyringTraceFlag,
 } from '@aws-crypto/material-management-node'
 
 export function base64CiphertextAlgAes256GcmIv12Tag16HkdfSha384EcdsaP384() {
@@ -71,12 +70,8 @@ export function decryptKeyring() {
       const unencryptedDataKey = new Uint8Array(
         material.suite.keyLengthBytes
       ).fill(0)
-      const trace = {
-        keyNamespace: 'k',
-        keyName: 'k',
-        flags: KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY,
-      }
-      return material.setUnencryptedDataKey(unencryptedDataKey, trace)
+
+      return material.setUnencryptedDataKey(unencryptedDataKey)
     }
   }
 

modules/encrypt-browser/test/encrypt.test.ts

@@ -10,7 +10,6 @@ import {
   WebCryptoEncryptionMaterial,
   KeyringWebCrypto,
   EncryptedDataKey,
-  KeyringTraceFlag,
   WebCryptoAlgorithmSuite,
   importForWebCryptoEncryptionMaterial,
 } from '@aws-crypto/material-management-browser'
@@ -50,17 +49,10 @@ describe('encrypt structural testing', () => {
       const unencryptedDataKey = new Uint8Array(
         material.suite.keyLengthBytes
       ).fill(0)
-      const trace = {
-        keyNamespace: 'k',
-        keyName: 'k',
-        flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-      }
+
       material
-        .setUnencryptedDataKey(unencryptedDataKey, trace)
-        .addEncryptedDataKey(
-          edk,
-          KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-        )
+        .setUnencryptedDataKey(unencryptedDataKey)
+        .addEncryptedDataKey(edk)
       return importForWebCryptoEncryptionMaterial(material)
     }
     async _onDecrypt(): Promise<WebCryptoDecryptionMaterial> {

modules/encrypt-node/test/encrypt.test.ts

@@ -10,7 +10,6 @@ import {
   NodeEncryptionMaterial,
   KeyringNode,
   EncryptedDataKey,
-  KeyringTraceFlag,
   AlgorithmSuiteIdentifier,
   NodeAlgorithmSuite,
 } from '@aws-crypto/material-management-node'
@@ -56,17 +55,10 @@ describe('encrypt structural testing', () => {
       const unencryptedDataKey = new Uint8Array(
         material.suite.keyLengthBytes
       ).fill(0)
-      const trace = {
-        keyNamespace: 'k',
-        keyName: 'k',
-        flags: KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY,
-      }
+
       return material
-        .setUnencryptedDataKey(unencryptedDataKey, trace)
-        .addEncryptedDataKey(
-          edk,
-          KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-        )
+        .setUnencryptedDataKey(unencryptedDataKey)
+        .addEncryptedDataKey(edk)
     }
     async _onDecrypt(): Promise<NodeDecryptionMaterial> {
       throw new Error('I should never see this error')

modules/kms-keyring/src/kms_keyring.ts

@@ -9,8 +9,6 @@ import {
   EncryptionMaterial,
   DecryptionMaterial,
   SupportedAlgorithmSuites,
-  KeyringTrace,
-  KeyringTraceFlag,
   EncryptedDataKey,
   immutableClass,
   readOnlyProperty,
@@ -136,26 +134,12 @@ export function KmsKeyringClass<
         if (!dataKey)
           throw new Error('Generator KMS key did not generate a data key')
 
-        const flags =
-          KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY |
-          KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX |
-          KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY
-        const trace: KeyringTrace = {
-          keyNamespace: KMS_PROVIDER_ID,
-          keyName: dataKey.KeyId,
-          flags,
-        }
-
         material
           /* Postcondition: The generated unencryptedDataKey length must match the algorithm specification.
            * See cryptographic_materials as setUnencryptedDataKey will throw in this case.
            */
-          .setUnencryptedDataKey(dataKey.Plaintext, trace)
-          .addEncryptedDataKey(
-            kmsResponseToEncryptedDataKey(dataKey),
-            KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY |
-              KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX
-          )
+          .setUnencryptedDataKey(dataKey.Plaintext)
+          .addEncryptedDataKey(kmsResponseToEncryptedDataKey(dataKey))
       } else if (generatorKeyId) {
         keyIds.unshift(generatorKeyId)
       }
@@ -166,9 +150,6 @@ export function KmsKeyringClass<
        */
       const unencryptedDataKey = unwrapDataKey(material.getUnencryptedDataKey())
 
-      const flags =
-        KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY |
-        KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX
       for (const kmsKey of keyIds) {
         const kmsEDK = await encrypt(
           clientProvider,
@@ -180,10 +161,7 @@ export function KmsKeyringClass<
 
         /* clientProvider may not return a client, in this case there is not an EDK to add */
         if (kmsEDK)
-          material.addEncryptedDataKey(
-            kmsResponseToEncryptedDataKey(kmsEDK),
-            flags
-          )
+          material.addEncryptedDataKey(kmsResponseToEncryptedDataKey(kmsEDK))
       }
 
       return material
@@ -241,19 +219,10 @@ export function KmsKeyringClass<
           'KMS Decryption key does not match serialized provider.'
         )
 
-        const flags =
-          KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY |
-          KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
-        const trace: KeyringTrace = {
-          keyNamespace: KMS_PROVIDER_ID,
-          keyName: dataKey.KeyId,
-          flags,
-        }
-
         /* Postcondition: The decrypted unencryptedDataKey length must match the algorithm specification.
          * See cryptographic_materials as setUnencryptedDataKey will throw in this case.
          */
-        material.setUnencryptedDataKey(dataKey.Plaintext, trace)
+        material.setUnencryptedDataKey(dataKey.Plaintext)
         return material
       }
 

modules/kms-keyring/test/kms_keyring.ondecrypt.test.ts

@@ -9,7 +9,6 @@ import { KmsKeyringClass, KeyRingConstructible } from '../src/kms_keyring'
 import {
   NodeAlgorithmSuite,
   AlgorithmSuiteIdentifier,
-  KeyringTraceFlag,
   NodeDecryptionMaterial,
   EncryptedDataKey,
   Keyring,
@@ -68,17 +67,6 @@ describe('KmsKeyring: _onDecrypt', () => {
     )
 
     expect(material.hasUnencryptedDataKey).to.equal(true)
-
-    expect(material.keyringTrace).to.have.lengthOf(1)
-    const [traceDecrypt] = material.keyringTrace
-    expect(traceDecrypt.keyNamespace).to.equal('aws-kms')
-    expect(traceDecrypt.keyName).to.equal(generatorKeyId)
-    expect(
-      traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY
-    ).to.equal(KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY)
-    expect(
-      traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
-    ).to.equal(KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX)
   })
 
   it('discovery keyring should return material', async () => {
@@ -128,17 +116,6 @@ describe('KmsKeyring: _onDecrypt', () => {
     )
 
     expect(material.hasUnencryptedDataKey).to.equal(true)
-
-    expect(material.keyringTrace).to.have.lengthOf(1)
-    const [traceDecrypt] = material.keyringTrace
-    expect(traceDecrypt.keyNamespace).to.equal('aws-kms')
-    expect(traceDecrypt.keyName).to.equal(generatorKeyId)
-    expect(
-      traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY
-    ).to.equal(KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY)
-    expect(
-      traceDecrypt.flags & KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX
-    ).to.equal(KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX)
   })
 
   it('decrypt errors should not halt', async () => {
@@ -193,7 +170,6 @@ describe('KmsKeyring: _onDecrypt', () => {
     )
 
     expect(material.hasUnencryptedDataKey).to.equal(true)
-    expect(material.keyringTrace).to.have.lengthOf(1)
   })
 
   it('Check for early return (Postcondition): clientProvider may not return a client.', async () => {
@@ -232,7 +208,6 @@ describe('KmsKeyring: _onDecrypt', () => {
     )
 
     expect(material.hasUnencryptedDataKey).to.equal(false)
-    expect(material.keyringTrace).to.have.lengthOf(0)
   })
 
   it('Postcondition: The KeyId from KMS must match the encoded KeyID.', async () => {