fix? integration node

Author: josecorella

modules/integration-node/src/integration_tests.ts

@@ -22,15 +22,12 @@ import {
   MessageHeader,
   needs,
   DecryptOutput,
+  getCompatibleCommitmentPolicy,
 } from '@aws-crypto/client-node'
 import { version } from './version'
 import { URL } from 'url'
 import got from 'got'
 import streamToPromise from 'stream-to-promise'
-const { encrypt, decrypt, decryptUnsignedMessageStream } = buildClient({
-  commitmentPolicy: CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT,
-  maxEncryptedDataKeys: false,
-})
 import { ZipFile } from 'yazl'
 import { createWriteStream } from 'fs'
 import { v4 } from 'uuid'
@@ -59,6 +56,9 @@ async function runDecryption(
   testVectorInfo: TestVectorInfo
 ): Promise<DecryptOutput> {
   const cmm = decryptMaterialsManagerNode(testVectorInfo.keysInfo)
+  const { decrypt, decryptUnsignedMessageStream } = buildClient(
+    CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+  )
   if (testVectorInfo.decryptionMethod == 'streaming-unsigned-only') {
     const plaintext: Buffer[] = []
     let messageHeader: MessageHeader | false = false
@@ -148,6 +148,8 @@ export async function testEncryptVector(
   handleEncryptResult: HandleEncryptResult
 ): Promise<TestVectorResult> {
   const { name, keysInfo, encryptOp, plainTextData } = info
+  const commitmentPolicy = getCompatibleCommitmentPolicy(encryptOp.suiteId)
+  const { encrypt } = buildClient(commitmentPolicy)
   try {
     const cmm = encryptMaterialsManagerNode(keysInfo)
     const { result: encryptResult } = await encrypt(

modules/material-management-node/src/index.ts

@@ -39,4 +39,5 @@ export {
   MessageFormat,
   ClientOptions,
   Newable,
+  getCompatibleCommitmentPolicy,
 } from '@aws-crypto/material-management'

modules/material-management/src/algorithm_suites.ts

@@ -250,6 +250,19 @@ export const CommitmentPolicySuites = Object.freeze({
   }),
 })
 
+export function getCompatibleCommitmentPolicy(
+  suiteId: AlgorithmSuiteIdentifier
+) {
+  // If it is a algorithm suite with no key commitment
+  // we use FORBID_ENCRYPT_ALLOW_DECRYPT
+  // otherwise we use REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+  if (CommittingAlgorithmSuiteIdentifier[suiteId]) {
+    return CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+  } else {
+    return CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+  }
+}
+
 export type AlgorithmSuiteName = keyof typeof AlgorithmSuiteIdentifier
 export type AlgorithmSuiteTypeNode = 'node'
 export type AlgorithmSuiteTypeWebCrypto = 'webCrypto'

modules/material-management/src/index.ts

@@ -24,6 +24,7 @@ export {
   MessageFormat,
   NonCommittingAlgorithmSuiteIdentifier,
   CommittingAlgorithmSuiteIdentifier,
+  getCompatibleCommitmentPolicy,
 } from './algorithm_suites'
 
 export { WebCryptoAlgorithmSuite } from './web_crypto_algorithms'

modules/material-management/test/algorithm_suites.test.ts

@@ -13,12 +13,23 @@ import {
   NonSigningAlgorithmSuiteIdentifier,
   SignaturePolicy,
   SignaturePolicySuites,
+  getCompatibleCommitmentPolicy,
 } from '../src/algorithm_suites'
 
 describe('AlgorithmSuiteIdentifier', () => {
   it('should be frozen', () => {
     expect(Object.isFrozen(AlgorithmSuiteIdentifier)).to.eql(true)
   })
+  it('get compatible commitment policy', () => {
+    // 0x0014 is a non-commiting algorithm suite
+    expect(getCompatibleCommitmentPolicy(0x0014)).to.eql(
+      CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+    )
+    // 0x0478 is a commiting algorithm suite
+    expect(getCompatibleCommitmentPolicy(0x0478)).to.eql(
+      CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+    )
+  })
 })
 
 describe('AlgorithmSuite', () => {