in modules/branch-keystore-node/src/branch_keystore.ts [308:384]
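/**
 * Fetches one specific version of a branch key from the configured key
 * storage, validates the returned record against the request, decrypts it,
 * and returns the resulting branch key materials.
 *
 * Every check on the stored record (branch key id, version, record type,
 * logical table name) runs before `decryptBranchKey` is called, so a record
 * that does not match what the caller asked for is rejected before any
 * decryption is attempted.
 *
 * @param branchKeyId - Non-empty string identifying the branch key.
 * @param branchKeyVersion - Non-empty string identifying the requested version.
 * @returns The branch key materials built from the decrypted branch key and
 *   the stored record.
 * @throws If an argument is missing or not a string, or if the stored record
 *   fails any validation below (assuming `needs` throws on a falsy
 *   condition, as its use here implies). Failures from storage or from
 *   `decryptBranchKey` are not caught here.
 */
async getBranchKeyVersion(
  branchKeyId: string,
  branchKeyVersion: string
): Promise<NodeBranchKeyMaterial> {
  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# On invocation, the caller:
  //#
  //# - MUST supply a `branch-key-id`
  //# - MUST supply a `branchKeyVersion`
  needs(
    branchKeyId && typeof branchKeyId === 'string',
    'MUST supply a string branch key id'
  )
  needs(
    branchKeyVersion && typeof branchKeyVersion === 'string',
    'MUST supply a string branch key version'
  )

  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //= type=implication
  //# GetBranchKeyVersion MUST get the requested version for the branch key id from the keystore
  //# by calling the configured [KeyStorage interface's](./key-store/key-storage.md#interface)
  //# [GetEncryptedActiveBranchKey](./key-store/key-storage.md#getencryptedbranchkeyversion)
  //# using the supplied `branch-key-id`.
  const encryptedBranchKey = await this.storage.getEncryptedBranchKeyVersion(
    branchKeyId,
    branchKeyVersion
  )

  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# GetBranchKeyVersion MUST verify that the returned EncryptedHierarchicalKey MUST have the requested `branch-key-id`.
  // Strict equality: branchKeyId was verified to be a string above, so a
  // non-string value that merely coerces to the same text must not pass.
  needs(
    encryptedBranchKey.branchKeyId === branchKeyId,
    'Unexpected branch key id.'
  )

  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# GetBranchKeyVersion MUST verify that the returned EncryptedHierarchicalKey MUST have the requested `branchKeyVersion`.
  // The message names the version so a version mismatch is not reported
  // as an id mismatch.
  needs(
    encryptedBranchKey.type.version === branchKeyVersion,
    'Unexpected branch key version.'
  )

  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# GetActiveBranchKey MUST verify that the returned EncryptedHierarchicalKey is an HierarchicalSymmetricVersion.
  needs(
    encryptedBranchKey.type instanceof HierarchicalSymmetricVersion,
    'Unexpected type. Not a version record.'
  )

  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# GetBranchKeyVersion MUST verify that the returned EncryptedHierarchicalKey MUST have a logical table name equal to the configured logical table name.
  // Template literal (backticks) so the expected and found names are
  // actually interpolated into the message.
  needs(
    encryptedBranchKey.encryptionContext[TABLE_FIELD] ==
      this.logicalKeyStoreName,
    `Unexpected logical table name. Expected ${this.logicalKeyStoreName}, found ${encryptedBranchKey.encryptionContext[TABLE_FIELD]}.`
  )

  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# If the branch key fails to decrypt, this operation MUST fail.
  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# The operation MUST decrypt the branch key according to the [AWS KMS Branch Key Decryption](#aws-kms-branch-key-decryption) section.
  // No try/catch: a rejection from decryptBranchKey propagates to the caller.
  const branchKey = await decryptBranchKey(this, encryptedBranchKey)

  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# This GetBranchKeyVersion MUST construct [branch key materials](./structures.md#branch-key-materials)
  //# according to [Branch Key Materials From Authenticated Encryption Context](#branch-key-materials-from-authenticated-encryption-context).
  const branchKeyMaterials = constructBranchKeyMaterials(
    branchKey,
    encryptedBranchKey
  )

  //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
  //# This operation MUST return the constructed [branch key materials](./structures.md#branch-key-materials).
  return branchKeyMaterials
}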