Skip to content

Instantly share code, notes, and snippets.

@renatoargh

renatoargh/kms-public-key-encryption-example.ts

Created April 13, 2023 13:48
Show Gist options
  • Save renatoargh/901bf9289ce65683f77aa898d0c77146 to your computer and use it in GitHub Desktop.
Save renatoargh/901bf9289ce65683f77aa898d0c77146 to your computer and use it in GitHub Desktop.
Download ZIP
Shows how to retrieve a public key from KMS, encrypt a random string outside of AWS, decrypt using the Decrypt command and to format the key as JWK
Raw
kms-public-key-encryption-example.ts
const { createPublicKey, publicEncrypt } = require('crypto')
import {
KMSClient,
DecryptCommand,
GetPublicKeyCommand,
} from '@aws-sdk/client-kms'
// Change the next 2 lines
const keyId = '00000000-0000-0000-0000-000000000000';
const region = 'us-east-1';
const plaintext = 'potato'
async function main() {
const client = new KMSClient({ region })
const getPublicKeyCommand = new GetPublicKeyCommand({ KeyId: keyId })
const { PublicKey: publicKeyBuffer } = await client.send(getPublicKeyCommand);
if (!publicKeyBuffer) {
throw new Error('Public key data was not returned')
}
const publicKey = createPublicKey({
key: Buffer.from(publicKeyBuffer),
format: 'der',
type: 'spki'
})
console.log('ORIGINAL PLAIN TEXT:', plaintext, '\n')
const nodeEncrypted = publicEncrypt(publicKey, Buffer.from(plaintext))
console.log('NODEJS ENCRYPTED:', nodeEncrypted.toString('base64'), '\n')
const decryptCommand = new DecryptCommand({
KeyId: keyId,
CiphertextBlob: nodeEncrypted,
EncryptionAlgorithm: 'RSAES_OAEP_SHA_1',
})
const { Plaintext: awsDecryptedBuffer } = await client.send(decryptCommand);
if (!awsDecryptedBuffer) {
throw new Error('No plantext returned from decryption')
}
const awsDecrypted = Buffer.from(awsDecryptedBuffer).toString()
console.log('AWS DECRYPTED:', awsDecrypted, '\n')
console.log('ENCRYPTION-DECRYPTION WORKS:', plaintext === awsDecrypted, '\n')
const jwk = publicKey.export({ format: 'jwk' })
console.log('JWK ENCODED PUBLIC KEY:', JSON.stringify(jwk, null, 2))
}
main()
@renatoargh
Copy link
Author

Example Output:

ORIGINAL PLAIN TEXT: potato 

NODEJS ENCRYPTED: ZRKQ9Uh8W9DXRDkQmm2mAV2Zk1mwnlAMX5RNAXOPc312ruISr0wbeyVWV5MBBGvlf+VulUoudiEjBDOp6ScFWG0i8n2IIJa3CGmm7ONSrmwk3fMKOl4g/jfF3bgWqRYIyUthSH+dGjKcKD6/oZ2BOEMPFzy06IAcSiA9KD+dTQhEai9ZxtFd8+WhzFESRmFi6Dxzl08KrkHJe+Uf0/jcyFUfwvRT1XmXAjdqLvve0jhjlAGDRQF+k208/ZWxDXQ3TtZWSNWnnZXExU/4GFnHiGddYyEmHyO3NHDVR4TIKM10t863FAOYtcgR67PSxJunhht5NTgz8Lt0AMIvabJC41irKBhXGaxZq6LznaLB42HAKiSlFUCrq9PrUKcc6oYTU+KNsLfyuzldz3E5Q/j/1d0Tt4xJO0peRqKMVbRFGNnMj6E+sBitHdwFTDrL3Al/zV0WlEZ8jKoiOAGizLLMWFj93Ek0+NSW+LhgTvSrc+5IPJK1/d6BhTC5kMftO3m3JgnQWwe/JthjnIQeT4Pzme6GlERzNq0R9sNuYhz8qHGixyEdPlU3QzYEfCmRz8oO2ly44iZ8LUzYVI6y6Enqd6PMuff0D2hEGaixm0dJpgJyYkJKOSGxpw0cwA7yGarXOMCalRYom9GouYcKrpG7AgeMbPPuY6u8qhF6p+Efd/Q= 

AWS DECRYPTED: potato 

ENCRYPTION-DECRYPTION WORKS: true 

JWK: {
  "kty": "RSA",
  "n": "ssH_rIhmrreI9Cz-KJoCYvhrUDQA-UlIv1BjWzXjhe3FZLsdpN8dWGlhYVSdMZzBkBojwvYlbulKKa1meqU1INGCWzJIrA8owBrjtranCy3yisEwwlIiT08TUr_17qrn-9XEnvAPo1GiaUk1mi964rvghMc7v0oDG4ULZqAqeILvAaeEX4Lc2DXeEq94eqofIVO-RdQpAhXYqaEZnpzu2Ghh4W7kTcsXgsxRCkAG_fc1YvXlHhKIda6GV7Nw4D6uomMZZ53545qcP90zBROZYchzW4Z6qNyeCRoHk_d9ndqSy-KYs2WDopmiAnyoYKxfJuZmvblwjg-d6fEP8CQyzomdUbXgBJDk7kh5FlwS0YcaAxMapDMkaFm4GSx_QJC0HFRmw7R1EBAO1MpQ91dJZgUrWW6Pn0y2cijCyBZLzMQp6f1bugAG7peAxsRjXGfCzD1FML3U1fksotTu_XH5NcUCOFGs-Ogk4sBZPYymSLvVw3zkIN6iGcGRGyLFqOdZq9WQEOcvJ9gMuJpa_OAYYWWFjZdRTEdMd4ZFpAVJ3ulotCZp25mg4ppZDddeQz81EyIkchmmTdvN9k1u979CpN5sw-1rhY3tvr1B2BKD1JomhEwAhYAwdKe_a93fT8XR--Vk8Rtf-TD-OSOKheK8wekS0bYcCSrVyQzhfq7r-eU",
  "e": "AQAB"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment