Skip to content

feat: Adds CreateKey API to create a branch key#1645

Closed
sharmabikram wants to merge 11 commits intoshbikram/create-version-keyfrom
shbikram/create-key
Closed

feat: Adds CreateKey API to create a branch key#1645
sharmabikram wants to merge 11 commits intoshbikram/create-version-keyfrom
shbikram/create-key

Conversation

@sharmabikram
Copy link
Contributor

@sharmabikram sharmabikram commented Mar 11, 2026

Issue #, if available:

Description of changes:
This change adds createKey API which creates a branch key following the spec: https://github.com/awslabs/aws-encryption-sdk-specification/blob/6fd8f886f708afeb89bcfb2a618ca57bb2bd48cd/framework/branch-key-store.md#createkey

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

@sharmabikram sharmabikram requested a review from a team as a code owner March 11, 2026 06:39
texastony
texastony requested changes Mar 16, 2026
View reviewed changes
modules/branch-keystore-node/test/branch_keystore.test.ts Outdated
})

describe('CreateKey + VersionKey lifecycle', () => {
it('Create, retrieve, version, retrieve new, retrieve old', async () => {
Copy link
Contributor

@texastony texastony Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking: do this test with custom EC and assert that EC is preserved by version.

Copy link
Contributor Author

@sharmabikram sharmabikram Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding test in next revision. However, the EC will have a prefix "aws-crypto-ec:". This is due to fact that JS implementation of getActiveBranchKey never stripped this prefix as we do in our Dafny implementation.

@sharmabikram sharmabikram requested a review from texastony March 16, 2026 22:05
texastony
texastony reviewed Mar 17, 2026
View reviewed changes
modules/branch-keystore-node/src/branch_keystore_helpers.ts Outdated
Comment on lines +352 to +353
// NOTE: The Dafny implementation strips the `aws-crypto-ec:` prefix
// from keys before returning (see ExtractCustomEncryptionContext in Structure.dfy).
Copy link
Contributor

@texastony texastony Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// NOTE: The Dafny implementation strips the `aws-crypto-ec:` prefix
// from keys before returning (see ExtractCustomEncryptionContext in Structure.dfy).
// NOTE: The Dafny implementation strips the `aws-crypto-ec:` prefix
// from keys before returning (see ExtractCustomEncryptionContext in Structure.dfy).
// This implementation DOES NOT strip the `aws-crypto-ec:` prefix;
// the initial "read-only" implementation in JS made this choice and it is a breaking change
// to address it now.

texastony
texastony approved these changes Mar 17, 2026
View reviewed changes
Copy link
Contributor

@texastony texastony left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sharmabikram José is back tomorrow and I would like to talk to him about the EC treatment.

I am approving this PR, but can we hold off on merging until we talk to @josecorella ?

lucasmcdonald3 and others added 9 commits March 17, 2026 13:00
@lucasmcdonald3
chore(release): Use lerna >=9 and OIDC to publish (#1647)
870faf0
@lucasmcdonald3
chore: revert recent breaking IE11 changes (#1648)
e35a0fb
@sharmabikram
fix: Removes the internal added prefix from custom encryption context…
9907b1b 
… before creating the branch key material node object (#1650)
@lucasmcdonald3
feat!: Drop IE11 support (#1651)
f11b277 
BREAKING CHANGE: The AWS Encryption SDK for JavaScript no longer supports Internet Explorer 11 (IE11). The msCrypto shim and related IE11 detection code have been removed from the web-crypto-backend module.

Co-authored-by: Lucas McDonald <lucmcdon@amazon.com>
@sharmabikram
feat: Adds VersionKey API to version the branch key (#1642)
723dbb6 
* feat: Adds VersionKey API to version the branch key

* fix: removes console log which caused the lint failures

---------

Co-authored-by: Bikram Sharma <shbikram@amazon.com>
@sharmabikram
feat: Adds CreateKey API to create a branch key
9c48665
@sharmabikram
test: update test cases to ensure EC is preserved when creating and v…
283a405 
…ersioning a branch key
@sharmabikram
test: Adds comment about EC prefix behavior difference between dafny …
f9433af 
…and JavaScript implementation
@sharmabikram
test: Updates the test to ensure EC we get in branch key doesn't cont…
08154ba 
…ain internal prefix
@sharmabikram
Copy link
Contributor Author

sharmabikram commented Mar 19, 2026

Will create a new branch and raise another PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@texastony texastony texastony approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sharmabikram @texastony @kessplas @lucasmcdonald3