feat: make encryption algo as param

trustbloc · Mar 28, 2023 · 07d3fe2 · 07d3fe2
1 parent 4d8c3c0
commit 07d3fe2
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/pkg/aws/opts.go b/pkg/aws/opts.go
@@ -8,19 +8,23 @@ package aws
 
 import (
 	"os"
+
+	"github.com/aws/aws-sdk-go-v2/service/kms/types"
 )
 
 type opts struct {
-	keyAliasPrefix string
-	awsClient      awsClient
+	keyAliasPrefix      string
+	awsClient           awsClient
+	encryptionAlgorithm string
 }
 
 // NewOpts create new opts populated with environment variable.
 func newOpts() *opts {
 	value, _ := os.LookupEnv("AWS_KEY_ALIAS_PREFIX")
 
 	return &opts{
-		keyAliasPrefix: value,
+		keyAliasPrefix:      value,
+		encryptionAlgorithm: string(types.EncryptionAlgorithmSpecSymmetricDefault),
 	}
 }
 
@@ -36,6 +40,11 @@ func WithKeyAliasPrefix(prefix string) Opts {
 	return func(opts *opts) { opts.keyAliasPrefix = prefix }
 }
 
+// WithEncryptionAlgorithm sets the encryption\decryption algorithm Opts.
+func WithEncryptionAlgorithm(algo string) Opts {
+	return func(opts *opts) { opts.encryptionAlgorithm = algo }
+}
+
 // WithAWSClient sets custom AWS client.
 func WithAWSClient(client awsClient) Opts {
 	return func(opts *opts) { opts.awsClient = client }

diff --git a/pkg/aws/service.go b/pkg/aws/service.go
@@ -112,12 +112,17 @@ func New(
 		client = kms.NewFromConfig(*awsConfig)
 	}
 
+	algo := types.EncryptionAlgorithmSpecSymmetricDefault
+	if options.encryptionAlgorithm != "" {
+		algo = types.EncryptionAlgorithmSpec(options.encryptionAlgorithm)
+	}
+
 	return &Service{
 		options:          options,
 		client:           client,
 		metrics:          metrics,
 		healthCheckKeyID: healthCheckKeyID,
-		encryptionAlgo:   types.EncryptionAlgorithmSpecRsaesOaepSha256,
+		encryptionAlgo:   algo,
 		nonceLength:      defaultNonceLength,
 	}
 }

diff --git a/pkg/aws/service_test.go b/pkg/aws/service_test.go
@@ -381,7 +381,10 @@ func TestDecrypt(t *testing.T) {
 
 		client := NewMockawsClient(gomock.NewController(t))
 
-		svc := New(awsConfig, metric, "", WithAWSClient(client))
+		svc := New(awsConfig, metric, "",
+			WithAWSClient(client),
+			WithEncryptionAlgorithm("RSAES_OAEP_SHA_256"),
+		)
 		encrypted := generateNonce(64)
 		decrypted := generateNonce(128)
 
@@ -391,6 +394,7 @@ func TestDecrypt(t *testing.T) {
 				params *kms.DecryptInput,
 				optFns ...func(*kms.Options),
 			) (*kms.DecryptOutput, error) {
+				assert.Equal(t, params.EncryptionAlgorithm, types.EncryptionAlgorithmSpec("RSAES_OAEP_SHA_256"))
 				assert.Equal(t, "alias/800d5768-3fd7-4edd-a4b8-4c81c3e4c147", *params.KeyId)
 				assert.Equal(t, encrypted, params.CiphertextBlob)
 				assert.Equal(t, svc.encryptionAlgo, params.EncryptionAlgorithm)
@@ -427,6 +431,7 @@ func TestDecrypt(t *testing.T) {
 				params *kms.DecryptInput,
 				optFns ...func(*kms.Options),
 			) (*kms.DecryptOutput, error) {
+				assert.Equal(t, params.EncryptionAlgorithm, types.EncryptionAlgorithmSpec("SYMMETRIC_DEFAULT"))
 				return nil, errors.New("encryption err")
 			})