import {
  KmsKeyringNode,
  encryptStream,
  decryptStream,
  MessageHeader
} from '@aws-crypto/client-node'
import { createReadStream } from 'fs'
import { finished } from 'stream'
import { promisify } from 'util'
const finishedAsync = promisify(finished)

/* Wrapper function (name chosen here; the fragment on this page had no enclosing function)
 * so that `filename` and `keyring` are defined and the stream is actually consumed.
 */
export async function encryptDecryptFile (filename: string): Promise<string> {
  /* A KMS keyring generates the data key under `generatorKeyId` and wraps it under every key in `keyIds`.
   * The real key ARNs are not part of this page; the values below are placeholders.
   */
  const generatorKeyId = 'arn:aws:kms:REGION:ACCOUNT_ID:alias/YOUR_GENERATOR_KEY' // placeholder
  const keyIds = ['arn:aws:kms:REGION:ACCOUNT_ID:key/YOUR_KEY_ID'] // placeholder
  const keyring = new KmsKeyringNode({ generatorKeyId, keyIds })

  /* Encrypted data is opaque.
   * You can use an encryption context to assert things about the encrypted data.
   * Just because you can decrypt something does not mean it is what you expect.
   * For example, if you are only expecting data from 'us-west-2',
   * the origin can identify a malicious actor.
   * See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
   */
  const context = {
    stage: 'demo',
    purpose: 'simple demonstration app',
    origin: 'us-west-2'
  }

  /* Create a simple pipeline to encrypt the package.json for this project,
   * then decrypt it again with a discovery keyring (any KMS key the caller can use).
   */
  const stream = createReadStream(filename)
    .pipe(encryptStream(keyring, { encryptionContext: context }))
    .pipe(decryptStream(new KmsKeyringNode({ discovery: true })))
    .on('MessageHeader', ({ encryptionContext }: MessageHeader) => {
      /* Verify the encryption context.
       * Depending on the Algorithm Suite, the `encryptionContext` _may_ contain additional values.
       * In Signing Algorithm Suites the public verification key is serialized into the `encryptionContext`.
       * Because the encryption context might contain additional key-value pairs,
       * do not add a test that requires that all key-value pairs match.
       * Instead, verify that the key-value pairs you expect match.
       */
      Object
        .entries(context)
        .forEach(([key, value]) => {
          if (encryptionContext[key] !== value) throw new Error('Encryption Context does not match expected values')
        })
    })

  /* Collect the decrypted plaintext so the caller can confirm the round trip. */
  let decrypted = ''
  stream.on('data', (chunk: Buffer) => { decrypted += chunk })
  await finishedAsync(stream)
  return decrypted
}
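The comment above makes a point that is easy to get wrong: the header's encryption context is a superset of what the application supplied, so an equality check on the whole object rejects valid messages from signing suites, while a check that only looks for the expected pairs still catches a changed or missing `origin`. The following added example (written for this page, not code from the AWS Encryption SDK) isolates that verification logic so it can be exercised without KMS. The sample headers are constructed; `aws-crypto-public-key` is the key name the SDK reserves for the serialized verification key, but the value shown is a placeholder.

```typescript
// Added example: subset verification of an encryption context versus a strict
// whole-object comparison. Runs offline; no SDK or KMS access required.

type EncryptionContext = { [key: string]: string }

// The context the application supplied at encrypt time (same values as the page).
const expectedContext: EncryptionContext = {
  stage: 'demo',
  purpose: 'simple demonstration app',
  origin: 'us-west-2'
}

// Returns the keys whose expected value is absent or different in `actual`.
// An empty result means every expected pair is present with the right value;
// extra pairs in `actual` are ignored on purpose.
function encryptionContextMismatches (
  expected: EncryptionContext,
  actual: EncryptionContext
): string[] {
  return Object.keys(expected).filter((key) => actual[key] !== expected[key])
}

// The check the page's MessageHeader handler performs, with the offending keys named.
function verifyEncryptionContext (
  expected: EncryptionContext,
  actual: EncryptionContext
): void {
  const bad = encryptionContextMismatches(expected, actual)
  if (bad.length > 0) {
    throw new Error('Encryption Context does not match expected values: ' + bad.join(', '))
  }
}

// The comparison the comment warns against: every key on both sides must match exactly.
function strictEquals (a: EncryptionContext, b: EncryptionContext): boolean {
  const ka = Object.keys(a).sort()
  const kb = Object.keys(b).sort()
  return ka.length === kb.length && ka.every((k, i) => k === kb[i] && a[k] === b[k])
}

// Constructed sample headers, as an application would see them in the 'MessageHeader' event.

// Signing algorithm suite: the SDK adds the public verification key under a reserved name.
const headerFromSigningSuite: EncryptionContext = {
  stage: 'demo',
  purpose: 'simple demonstration app',
  origin: 'us-west-2',
  'aws-crypto-public-key': 'BASE64_PUBLIC_KEY_PLACEHOLDER' // constructed value
}

// Message produced somewhere the application does not expect.
const headerFromOtherRegion: EncryptionContext = {
  stage: 'demo',
  purpose: 'simple demonstration app',
  origin: 'eu-west-1'
}

// Message that omits the binding entirely.
const headerMissingOrigin: EncryptionContext = {
  stage: 'demo',
  purpose: 'simple demonstration app'
}

// Convenience wrapper so a caller can see accept/reject without catching exceptions.
function isAcceptable (actual: EncryptionContext): boolean {
  try {
    verifyEncryptionContext(expectedContext, actual)
    return true
  } catch (e) {
    return false
  }
}
```

Subset verification accepts the signing-suite header and rejects both the wrong-region and the missing-origin headers, which is the behaviour the page's handler relies on; the strict comparison would reject the signing-suite header as well, breaking every message encrypted under the SDK's default (signing) suite.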