in modules/kms-keyring-node/src/kms_hkeyring_node_helpers.ts [73:186]
/**
 * Computes the cache entry identifier for a branch key in the hierarchical
 * keyring's cache.
 *
 * The fields are concatenated in a fixed order, each separated by NULL_BYTE:
 * RESOURCE_ID, the scope constant, partitionId, logicalKeyStoreName and the
 * UTF-8 bytes of branchKeyId. When versionAsBytes is supplied it is appended
 * as the last field. The result is hashed with the algorithm named by
 * CACHE_ENTRY_ID_DIGEST_ALGORITHM.
 *
 * The scope constant keeps encrypt and decrypt entries for the same branch key
 * apart: DECRYPTION_SCOPE is used when versionAsBytes is supplied,
 * ENCRYPTION_SCOPE otherwise.
 *
 * @param logicalKeyStoreName - Bytes of the logical key store name. They are
 *   used as given; the cited specification expects UTF-8 encoded bytes.
 * @param partitionId - Partition ID bytes, used as given.
 * @param branchKeyId - Branch key id, converted with stringToUtf8Bytes.
 * @param versionAsBytes - Branch key version bytes. Supplying it selects the
 *   decryption layout.
 * @returns The digest converted to a string by Buffer.toString() with no
 *   explicit encoding (see the review note at the return statement).
 */
export function getCacheEntryId(
logicalKeyStoreName: Buffer,
partitionId: Buffer,
branchKeyId: string,
versionAsBytes?: Buffer
): string {
// get branch key id as a byte array
const branchKeyIdAsBytes = stringToUtf8Bytes(branchKeyId)
let entryInfo
// NOTE(review): the variable-length fields (partitionId, logicalKeyStoreName,
// branchKeyIdAsBytes) are joined with a 0x00 separator and carry no length
// prefix. The encoding is unambiguous only if none of them can contain a 0x00
// byte. This function does not check that; confirm the callers constrain them.
// NOTE(review): the branch below tests the Buffer object itself, so it is taken
// whenever versionAsBytes is supplied, even if it is zero length. The 36-byte
// length from the specification table is not checked here and is presumably
// validated by the caller (verify).
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#resource-suffix
//# The aforementioned 4 definitions ([Resource Identifier](#resource-identifier),
//# [Scope Identifier](#scope-identifier), [Partition ID](#partition-id-1), and
//# [Resource Suffix](#resource-suffix)) MUST be appended together with the null byte, 0x00,
//# and the SHA384 of the result should be taken as the final cache identifier.
if (versionAsBytes) {
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#decryption-materials
//# When the hierarchical keyring receives an OnDecrypt request,
//# it MUST calculate the cache entry identifier as the
//# SHA-384 hash of the following byte strings, in the order listed:
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#decryption-materials
//# All the above fields must be separated by a single NULL_BYTE `0x00`.
//#
//# | Field | Length (bytes) | Interpreted as |
//# | ---------------------- | -------------- | ------------------- |
//# | Resource ID | 1 | bytes |
//# | Null Byte | 1 | `0x00` |
//# | Scope ID | 1 | bytes |
//# | Null Byte | 1 | `0x00` |
//# | Partition ID | Variable | bytes |
//# | Null Byte | 1 | `0x00` |
//# | Logical Key Store Name | Variable | UTF-8 Encoded Bytes |
//# | Null Byte | 1 | `0x00` |
//# | Branch Key ID | Variable | UTF-8 Encoded Bytes |
//# | Null Byte | 1 | `0x00` |
//# | branch-key-version | 36 | UTF-8 Encoded Bytes |
entryInfo = Buffer.concat([
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#decryption-materials
//# - MUST be the Resource ID for the Hierarchical Keyring (0x02)
RESOURCE_ID,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#decryption-materials
//# - MUST be the Scope ID for Decrypt (0x02)
DECRYPTION_SCOPE,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#decryption-materials
//# - MUST be the Partition ID for the Hierarchical Keyring
partitionId,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#decryption-materials
//# - MUST be the UTF8 encoded Logical Key Store Name of the keystore for the Hierarchical Keyring
logicalKeyStoreName,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#decryption-materials
//# - MUST be the UTF8 encoded branch-key-id
branchKeyIdAsBytes,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#decryption-materials
//# - MUST be the UTF8 encoded branch-key-version
versionAsBytes,
])
} else {
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#encryption-materials
//# When the hierarchical keyring receives an OnEncrypt request,
//# the cache entry identifier MUST be calculated as the
//# SHA-384 hash of the following byte strings, in the order listed:
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#encryption-materials
//# All the above fields must be separated by a single NULL_BYTE `0x00`.
//#
//# | Field | Length (bytes) | Interpreted as |
//# | ---------------------- | -------------- | ------------------- |
//# | Resource ID | 1 | bytes |
//# | Null Byte | 1 | `0x00` |
//# | Scope ID | 1 | bytes |
//# | Null Byte | 1 | `0x00` |
//# | Partition ID | Variable | bytes |
//# | Null Byte | 1 | `0x00` |
//# | Logical Key Store Name | Variable | UTF-8 Encoded Bytes |
//# | Null Byte | 1 | `0x00` |
//# | Branch Key ID | Variable | UTF-8 Encoded Bytes |
entryInfo = Buffer.concat([
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#encryption-materials
//# - MUST be the Resource ID for the Hierarchical Keyring (0x02)
RESOURCE_ID,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#encryption-materials
//# - MUST be the Scope ID for Encrypt (0x01)
ENCRYPTION_SCOPE,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#encryption-materials
//# - MUST be the Partition ID for the Hierarchical Keyring
partitionId,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#encryption-materials
//# - MUST be the UTF8 encoded Logical Key Store Name of the keystore for the Hierarchical Keyring
logicalKeyStoreName,
NULL_BYTE,
//= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-hierarchical-keyring.md#encryption-materials
//# - MUST be the UTF8 encoded branch-key-id
branchKeyIdAsBytes,
])
}
// Hash the whole concatenated entryInfo buffer, not only the branch key id.
// The algorithm is the one named by CACHE_ENTRY_ID_DIGEST_ALGORITHM, which is
// defined outside this function. The specification text cited above requires
// SHA-384, so confirm the constant matches.
// NOTE(review): digest() without an encoding returns a Buffer, and toString()
// without an argument decodes it as UTF-8. Digest bytes that are not valid
// UTF-8 are replaced with U+FFFD, so the conversion is lossy: different digests
// can yield the same string, and the identifier keeps less than the digest's
// full collision resistance. A lossless encoding such as 'hex' or 'base64'
// would avoid this, but it changes every identifier value. Check any code that
// compares or shares these identifiers before changing it.
return createHash(CACHE_ENTRY_ID_DIGEST_ALGORITHM)
.update(entryInfo)
.digest()
.toString()
}