feat(node): support node v16 (aws#741)

Regenerated the Package lock with Node 16, NPM 8.
Added CI testing for Node 16.
Encapsulated Crypto's Sign(er) and Verify to prevent breaking changes.
Implemented and used Catchable to catch unkown.
TS upgrade introduced TS bug when recognizing arguments to
SubtleCrypto's ImportKey. Introduced function and note to help it
resolve the issue.

Co-authored-by: seebees <ryanemer@amazon.com>

buildspec.yml

@@ -9,14 +9,24 @@ batch:
         image: aws/codebuild/standard:5.0
     - identifier: testNodejs12
       buildspec: codebuild/nodejs12.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testNodejs14
       buildspec: codebuild/nodejs14.yml
       env:
         image: aws/codebuild/standard:5.0
+    - identifier: testNodejs16
+      buildspec: codebuild/nodejs16.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testBrowser
       buildspec: codebuild/browser.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: compliance
       buildspec: codebuild/compliance.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testVectorsNodejsLatest
       buildspec: codebuild/test_vectors/nodejs_latest.yml
       env:
@@ -25,10 +35,16 @@ batch:
         image: aws/codebuild/standard:5.0
     - identifier: testVectorsNodejs12
       buildspec: codebuild/test_vectors/nodejs12.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testVectorsNodejs14
       buildspec: codebuild/test_vectors/nodejs14.yml
       env:
         image: aws/codebuild/standard:5.0
+    - identifier: testVectorsNodejs16
+      buildspec: codebuild/test_vectors/nodejs16.yml
+      env:
+        image: aws/codebuild/standard:5.0
     - identifier: testVectorsBrowser
       buildspec: codebuild/test_vectors/browser.yml
       env:

codebuild/nodejs16.yml

@@ -0,0 +1,19 @@
+version: 0.2
+
+env:
+  variables:
+    NODE_OPTIONS: "--max-old-space-size=4096"
+
+phases:
+  install:
+    commands:
+      - n 16
+      - node -v
+      - npm -v
+      - npm ci --unsafe-perm
+      - npm run build
+  build:
+    commands:
+      - npm -v
+      - node -v
+      - npm run coverage-node

codebuild/test_vectors/nodejs16.yml

@@ -0,0 +1,22 @@
+version: 0.2
+
+env:
+  variables:
+    NODE_OPTIONS: "--max-old-space-size=4096"
+    NPM_CONFIG_UNSAFE_PERM: true
+
+phases:
+  install:
+    commands:
+      - n 16
+      - node -v
+      - npm -v
+      - npm ci --unsafe-perm
+      - npm run build
+  build:
+    commands:
+      - npm -v
+      - node -v
+      - npm run verdaccio-publish
+      - npm run verdaccio-node-decrypt
+      - npm run verdaccio-node-encrypt

modules/decrypt-node/src/verify_stream.ts

@@ -80,9 +80,9 @@ export class VerifyStream extends PortableTransformWithType {
         if (verify) {
           const { rawHeader, headerAuth, messageHeader } = headerInfo
           const { headerIv, headerAuthTag } = headerAuth
-          verify.update(rawHeader)
+          verify.update(<Buffer>rawHeader)
           verify.update(
-            serializeMessageHeaderAuth({
+            <Buffer>serializeMessageHeaderAuth({
               headerIv,
               headerAuthTag,
               messageHeader,
@@ -263,7 +263,7 @@ export class VerifyStream extends PortableTransformWithType {
     return super.push(chunk, encoding)
   }
 
-  _flush(callback: (err?: Error) => void) {
+  _flush(callback: (err?: Error | any | unknown) => void) {
     const { finalAuthTagReceived } = this._verifyState
     /* Precondition: All ciphertext MUST have been received.
      * The verify stream has ended,

modules/example-browser/package.json

@@ -34,12 +34,12 @@
     "karma-chrome-launcher": "^3.1.0",
     "karma-coverage-istanbul-reporter": "^3.0.3",
     "karma-mocha": "2.0.1",
-    "karma-webpack": "^4.0.2",
+    "karma-webpack": "^5.0.0",
     "ts-loader": "9.2.5",
     "ts-node": "^10.2.1",
     "tslib": "^2.2.0",
     "typescript": "^4.0.2",
-    "webpack": "^4.42.1",
+    "webpack": "^5.42.0",
     "webpack-cli": "4.6.0"
   },
   "main": "./build/main/src/index.js",

modules/integration-browser/src/integration.encrypt.test.ts

@@ -59,8 +59,15 @@ function aTest(testName: string, decryptOracle: string) {
       const body = await response.arrayBuffer()
       needs(response.ok, `Failed to decrypt: ${toUtf8(body)}`)
       expect(plainText).toEqual(new Uint8Array(body))
-    } catch (e) {
-      if (!notSupportedMessages.includes(e.message)) throw e
+    } catch (err) {
+      needs(
+        err instanceof Error,
+        `Thrown object must be an error but was ${typeof err}`
+      )
+      needs(
+        notSupportedMessages.includes(err.message),
+        `Error message should be in notSupportedMessages but was ${err.message}`
+      )
     }
   })
 }

modules/integration-browser/src/testDecryptFixture.ts

@@ -6,6 +6,7 @@ import {
   MultiKeyringWebCrypto,
   WebCryptoMaterialsManager,
   DecryptResult,
+  needs,
 } from '@aws-crypto/client-browser'
 import {
   DecryptionFixture,
@@ -69,14 +70,17 @@ export async function testPositiveDecryptFixture(
     ) {
       return { result: true, name }
     }
-    // noinspection ExceptionCaughtLocallyJS
+    /* If the actual plaintext does not match the expected plaintext,*/
     throw new Error(
       expectedNotActualPlaintextMessage +
         `\n expected plaintext: ${expectedPlainText}` +
         `\n actual plaintext: ${decryptResult.plaintext}`
     )
   } catch (err) {
+    /* it FAILED with err.message as expectedNotActualPlaintextMessage */
     return { result: false, name, err }
+    //By catching the err and returning it above, we also satisfy:
+    /* If the decryption is NOT supported,  FAILED with err.message in notSupportedDecryptMessages */
   }
 }
 
@@ -96,10 +100,18 @@ export async function testNegativeDecryptFixture(
     const cmm = await _getCmm(keyInfos)
     decryptResult = await _decrypt(cmm, cipher)
   } catch (err) {
-    if (notSupportedDecryptMessages.includes(err.message))
+    needs(
+      err instanceof Error,
+      `Thrown object must be an error but was ${typeof err}`
+    )
+    if (notSupportedDecryptMessages.includes(err.message)) {
+      /* If the decryption is NOT supported,  FAILED with err.message in notSupportedDecryptMessages */
       return { result: false, name, err: err }
+    }
+    /* If it is a negative test, and it throws an error outside of notSupportedDecryptMessages, it PASSED.*/
     return { result: true, name }
   }
+  /* If it is a negative test, and it does not throw an error, it FAILED */
   return {
     result: false,
     name,

modules/integration-node/package.json

@@ -20,11 +20,11 @@
     "@aws-crypto/integration-vectors": "file:../integration-vectors",
     "@types/got": "^9.6.9",
     "@types/stream-to-promise": "^2.2.0",
-    "@types/yargs": "^15.0.3",
+    "@types/yargs": "^17.0.1",
     "got": "^11.8.0",
     "stream-to-promise": "^3.0.0",
     "tslib": "^2.3.0",
-    "yargs": "^17.1.0"
+    "yargs": "^17.0.1"
   },
   "sideEffects": false,
   "main": "./build/main/src/index.js",

modules/integration-node/src/cli.ts

@@ -80,7 +80,7 @@ const cli = yargs
     tolerateFailures,
     testName,
     concurrency,
-  } = argv
+  } = await argv
   /* I set the result to 1 so that if I fall through the exit condition is a failure */
   let result = 1
   if (command === 'decrypt') {

modules/integration-node/src/decrypt_materials_manager_node.ts

@@ -2,29 +2,29 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import {
-  needs,
+  buildAwsKmsMrkAwareDiscoveryMultiKeyringNode,
+  buildAwsKmsMrkAwareStrictMultiKeyringNode,
   KeyringNode,
-  MultiKeyringNode,
   KmsKeyringNode,
+  MultiKeyringNode,
+  needs,
+  oaepHashSupported,
   RawAesKeyringNode,
-  WrappingSuiteIdentifier,
   RawAesWrappingSuiteIdentifier,
   RawRsaKeyringNode,
-  oaepHashSupported,
-  buildAwsKmsMrkAwareStrictMultiKeyringNode,
-  buildAwsKmsMrkAwareDiscoveryMultiKeyringNode,
+  WrappingSuiteIdentifier,
 } from '@aws-crypto/client-node'
 import {
-  RsaKeyInfo,
+  AESKey,
   AesKeyInfo,
+  buildGetKeyring,
+  KeyInfoTuple,
+  KMSKey,
   KmsKeyInfo,
-  KmsMrkAwareKeyInfo,
   KmsMrkAwareDiscoveryKeyInfo,
+  KmsMrkAwareKeyInfo,
   RSAKey,
-  AESKey,
-  KMSKey,
-  KeyInfoTuple,
-  buildGetKeyring,
+  RsaKeyInfo,
 } from '@aws-crypto/integration-vectors'
 import { constants } from 'crypto'
 
@@ -117,12 +117,3 @@ export function rsaPadding(keyInfo: RsaKeyInfo) {
   needs(oaepHashSupported || oaepHash === 'sha1', 'Not supported at this time.')
   return { padding, oaepHash }
 }
-
-export class NotSupported extends Error {
-  code: string
-  constructor(message?: string) {
-    super(message)
-    Object.setPrototypeOf(this, NotSupported.prototype)
-    this.code = 'NOT_SUPPORTED'
-  }
-}

modules/integration-vectors/src/types.ts

@@ -61,7 +61,7 @@ export interface TestVectorResult {
   name: string
   result: boolean
   description?: string
-  err?: Error
+  err?: Error | string | any
 }
 
 export interface StreamEntry extends Entry {

modules/kms-keyring/src/kms_keyring.ts

@@ -16,6 +16,7 @@ import {
   readOnlyProperty,
   unwrapDataKey,
   Newable,
+  Catchable,
 } from '@aws-crypto/material-management'
 import {
   KMS_PROVIDER_ID,
@@ -243,7 +244,7 @@ export function KmsKeyringClass<
        */
       const decryptableEDKs = encryptedDataKeys.filter(filterEDKs(keyIds, this))
 
-      const cmkErrors: Error[] = []
+      const cmkErrors: Catchable[] = []
 
       for (const edk of decryptableEDKs) {
         let dataKey: RequiredDecryptResponse | false = false
@@ -259,7 +260,7 @@ export function KmsKeyringClass<
            * If the caller does not have access they may have access
            * through another Keyring.
            */
-          cmkErrors.push(e)
+          cmkErrors.push({ errPlus: e })
         }
 
         /* Check for early return (Postcondition): clientProvider may not return a client. */
@@ -300,7 +301,7 @@ export function KmsKeyringClass<
         material.hasValidKey() ||
           (!material.hasValidKey() && !cmkErrors.length),
         cmkErrors.reduce(
-          (m, e, i) => `${m} Error #${i + 1} \n ${e.stack} \n`,
+          (m, e, i) => `${m} Error #${i + 1} \n ${e.errPlus.stack} \n`,
           'Unable to decrypt data key and one or more KMS CMKs had an error. \n '
         )
       )

modules/kms-keyring/src/kms_mrk_discovery_keyring.ts

@@ -13,6 +13,7 @@ import {
   readOnlyProperty,
   SupportedAlgorithmSuites,
   Newable,
+  Catchable,
 } from '@aws-crypto/material-management'
 import {
   constructArnInOtherRegion,
@@ -170,7 +171,7 @@ export function AwsKmsMrkAwareSymmetricDiscoveryKeyringClass<
       //# The set of encrypted data keys MUST first be filtered to match this
       //# keyring's configuration.
       const decryptableEDKs = encryptedDataKeys.filter(filterEDKs(this))
-      const cmkErrors: Error[] = []
+      const cmkErrors: Catchable[] = []
 
       //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-region-discovery-keyring.txt#2.8
       //# For each encrypted data key in the filtered set, one at a time, the
@@ -253,7 +254,7 @@ export function AwsKmsMrkAwareSymmetricDiscoveryKeyringClass<
           //# If the response does not satisfies these requirements then an error
           //# is collected and the next encrypted data key in the filtered set MUST
           //# be attempted.
-          cmkErrors.push(e)
+          cmkErrors.push({ errPlus: e })
         }
       }
       //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-region-discovery-keyring.txt#2.8
@@ -266,7 +267,7 @@ export function AwsKmsMrkAwareSymmetricDiscoveryKeyringClass<
           `Unable to decrypt data key${
             !decryptableEDKs.length ? ': No EDKs supplied' : ''
           }.`,
-          ...cmkErrors.map((e, i) => `Error #${i + 1}  \n${e.stack}`),
+          ...cmkErrors.map((e, i) => `Error #${i + 1}  \n${e.errPlus.stack}`),
         ].join('\n')
       )
       return material

modules/kms-keyring/src/kms_mrk_keyring.ts

@@ -15,6 +15,7 @@ import {
   readOnlyProperty,
   unwrapDataKey,
   Newable,
+  Catchable,
 } from '@aws-crypto/material-management'
 import {
   KMS_PROVIDER_ID,
@@ -274,7 +275,7 @@ export function AwsKmsMrkAwareSymmetricKeyringClass<
       //# keyring's configuration.
       const decryptableEDKs = encryptedDataKeys.filter(filterEDKs(keyId))
 
-      const cmkErrors: Error[] = []
+      const cmkErrors: Catchable[] = []
 
       //= compliance/framework/aws-kms/aws-kms-mrk-aware-symmetric-keyring.txt#2.8
       //# For each encrypted data key in the filtered set, one at a time, the
@@ -344,7 +345,7 @@ export function AwsKmsMrkAwareSymmetricKeyringClass<
           //# If the response does not satisfies these requirements then an error
           //# MUST be collected and the next encrypted data key in the filtered set
           //# MUST be attempted.
-          cmkErrors.push(e)
+          cmkErrors.push({ errPlus: e })
         }
       }
 
@@ -358,7 +359,7 @@ export function AwsKmsMrkAwareSymmetricKeyringClass<
           `Unable to decrypt data key${
             !decryptableEDKs.length ? ': No EDKs supplied' : ''
           }.`,
-          ...cmkErrors.map((e, i) => `Error #${i + 1}  \n${e.stack}`),
+          ...cmkErrors.map((e, i) => `Error #${i + 1}  \n${e.errPlus.stack}`),
         ].join('\n')
       )
 

modules/material-management-node/src/index.ts

@@ -22,6 +22,7 @@ export {
   KeyringTrace,
   KeyringTraceFlag,
   needs,
+  NotSupported,
   KeyringNode,
   MultiKeyringNode,
   immutableBaseClass,