jstink 1.0.0

package/.github/workflows/node.js.yml

@@ -0,0 +1,31 @@
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
+
+name: Node.js CI
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [14.x, 16.x, 18.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ matrix.node-version }}
+        cache: 'npm'
+    - run: npm ci
+    - run: npm run build --if-present
+    - run: npm test

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 andycaine
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,68 @@
+# jstink
+
+A simple, easy-to-use Javascript crytopgraphy library.
+
+## Description
+
+Google's excellent [Tink cryptographic library](https://developers.google.com/tink/what-is) exists to help developers without cryptographic backgrounds safely implement common cryptographic tasks.
+
+Unfortunately for Javascript developers, [there is no production-ready Javascript version](https://github.com/tink-crypto/tink/issues/689) available.
+
+jstink was built to fill this gap. It provides a very simple API that is hard to misuse, and is compatible with Tink ciphertexts and with [Tinkey](https://developers.google.com/tink/tinkey-overview) encrypted keysets.
+
+jstink currently only supports the Authenticated Encryption with Associated Data (AEAD) encryption primitive with AES256_GCM key types envelope encrypted with AWS KMS keys.
+
+## Getting Started
+
+Let's walk through setting up a simple project that can encrypt and decrypt data using an AES256_GCM key that has been encrypted with a master key stored in AWS KMS. These steps assume you have Node.js and npm already installed.
+
+1. Create a new Node.js project
+
+2. Inside of the project, install jstink using npm:
+```
+npm install jstink
+```
+
+3. Create a new symmetric key in AWS KMS that will be used to encrypt our Tinkey data encryption key. This step assumes you have the [AWS CLI](https://aws.amazon.com/cli/) installed and configured:
+```
+aws kms create-key --description "Key for jstink encryption"
+```
+Make a note of the key ARN as you'll need it later.
+
+4. [Install Tinkey](https://developers.google.com/tink/install-tinkey).
+
+5. Create a new Tinkey key, envelope encrypted with your newly created AWS KMS key:
+```
+tinkey create-keyset --key-template AES256_GCM --out keyset.json --master-key-uri aws-kms://${MASTER_KEY_ARN}
+```
+Because this key is envelope encrypted with the AWS KMS key you can store it with the data or with the application.
+
+6. Now you can encrypt and decrypt data:
+```javascript
+const { Aead } = require('jstink');
+const fs = require('fs');
+
+const keyset = JSON.parse(fs.readFileSync('./keyset.json'));
+const aead = new Aead(keyset);
+
+const ciphertext = await aead.encrypt('Hello World!', 'associatedData');
+const plaintext = await aead.decrypt(ciphertext, 'associatedData');
+```
+
+7. At some point, as determined by your cryptoperiod, you'll want to rotate your keys. Tinkey makes this nice and easy. First, create a new key:
+
+```
+tinkey add-key --key-template AES256_GCM --in keyset.json --out keysetv2.json --master-key-uri aws-kms://${MASTER_KEY_ARN}
+```
+
+Once you've deployed this keyset, you can make it the default for encryption:
+
+```
+tinkey promote-key --key-id <new-key-id> --key-template AES256_GCM --in keysetv2.json --out keysetv3.json --master-key-uri aws-kms://${MASTER_KEY_ARN}
+```
+
+Decrypt operations will still use the key that was used for encryption (the encryption key ID is stored as part of the Tink wire format). To completely remove the old key (e.g. in the event of a compromise) you'll need to run a process to re-encrypt all data encrypted with the old key, then you can delete the old key:
+
+```
+tinkey delete-key --key-template AES256_GCM --in keysetv3.json --out keysetv4.json --master-key-uri aws-kms://${MASTER_KEY_ARN}
+```

package/package.json

@@ -0,0 +1,26 @@
+{
+    "name": "jstink",
+    "version": "1.0.0",
+    "description": "",
+    "main": "src/index.js",
+    "scripts": {
+        "test": "jest",
+        "prepublish": "npm test"
+    },
+    "author": "Andy Caine",
+    "license": "MIT",
+    "devDependencies": {
+        "jest": "^29.7.0"
+    },
+    "jest": {
+        "testEnvironment": "node"
+    },
+    "dependencies": {
+        "@aws-sdk/client-kms": "^3.555.0",
+        "google-protobuf": "^3.21.2"
+    },
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/andycaine/jstink"
+    }
+}

package/src/aes_gcm.js

@@ -0,0 +1,30 @@
+const crypto = require('crypto');
+
+const algorithm = 'aes-256-gcm';
+
+function encrypt(plaintext, associatedData, key) {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv(algorithm, key, iv);
+
+    cipher.setAAD(Buffer.from(associatedData));
+    const encrypted = cipher.update(plaintext);
+    const remaining = cipher.final();
+    const tag = cipher.getAuthTag();
+    return {
+        ciphertext: Buffer.concat([encrypted, remaining]),
+        tag,
+        iv,
+        tag
+    };
+}
+
+function decrypt(ciphertext, associatedData, key, iv, tag) {
+    const decipher = crypto.createDecipheriv(algorithm, key, iv);
+    decipher.setAAD(Buffer.from(associatedData));
+    decipher.setAuthTag(Buffer.from(tag));
+    let decrypted = decipher.update(ciphertext);
+    decrypted += decipher.final();
+    return decrypted;
+}
+
+module.exports = { encrypt, decrypt };

package/src/aes_gcm.proto

@@ -0,0 +1,67 @@
+// Copyright 2017 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+syntax = "proto3";
+
+package google.crypto.tink;
+
+option java_package = "com.google.crypto.tink.proto";
+option java_multiple_files = true;
+option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_gcm_go_proto";
+option objc_class_prefix = "TINKPB";
+
+message AesGcmKeyFormat {
+  uint32 key_size = 2;
+  uint32 version = 3;
+}
+
+// key_type: type.googleapis.com/google.crypto.tink.AesGcmKey
+//
+// A AesGcmKey is an AEAD key. Mathematically, it represents the functions
+// Encrypt and Decrypt which we define in the following.
+//
+// First, Tink computes a "output prefix" OP by considering the
+// "OutputPrefixType" message in Keyset.Key and the ID of the key using the
+// Tink function "AEAD-OutputPrefix": (AesGcmKeys must always be stored in a
+// keyset).
+//
+// AEAD-OutputPrefix(output_prefix_type, id):
+//     if output_prefix_type == RAW:
+//       return "";
+//     if output_prefix_type == TINK:
+//       return 0x01 + BigEndian(id)
+//     if output_prefix_type == CRUNCHY:
+//       return 0x00 + BigEndian(id)
+//
+// Then, the function defined by this is defined as:
+// [GCM], Section 5.2.1:
+//  * "Encrypt" maps a plaintext P and associated data A to a ciphertext given
+//    by the concatenation OP || IV || C || T. In addition to [GCM], Tink
+//    has the following restriction: IV is a uniformly random initialization
+//    vector of length 12 bytes and T is restricted to 16 bytes.
+//
+//  * If OP matches the result of AEAD-OutputPrefix, then "Decrypt" maps the
+//    input OP || IV || C || T and A to the the output P in the manner as
+//    described in [GCM], Section 5.2.2. If OP does not match, then "Decrypt"
+//    returns an error.
+// [GCM]: NIST Special Publication 800-38D: Recommendation for Block Cipher
+// Modes of Operation: Galois/Counter Mode (GCM) and GMAC.
+// http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.
+
+message AesGcmKey {
+  uint32 version = 1;
+  bytes key_value = 3;
+}

package/src/aes_gcm_pb.js

@@ -0,0 +1,412 @@
+// source: aes_gcm.proto
+/**
+ * @fileoverview
+ * @enhanceable
+ * @suppress {missingRequire} reports error on implicit type usages.
+ * @suppress {messageConventions} JS Compiler reports an error if a variable or
+ *     field starts with 'MSG_' and isn't a translatable message.
+ * @public
+ */
+// GENERATED CODE -- DO NOT EDIT!
+/* eslint-disable */
+// @ts-nocheck
+
+var jspb = require('google-protobuf');
+var goog = jspb;
+var global =
+    (typeof globalThis !== 'undefined' && globalThis) ||
+    (typeof window !== 'undefined' && window) ||
+    (typeof global !== 'undefined' && global) ||
+    (typeof self !== 'undefined' && self) ||
+    (function () { return this; }).call(null) ||
+    Function('return this')();
+
+goog.exportSymbol('proto.google.crypto.tink.AesGcmKey', null, global);
+goog.exportSymbol('proto.google.crypto.tink.AesGcmKeyFormat', null, global);
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.google.crypto.tink.AesGcmKeyFormat = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.google.crypto.tink.AesGcmKeyFormat, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.google.crypto.tink.AesGcmKeyFormat.displayName = 'proto.google.crypto.tink.AesGcmKeyFormat';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.google.crypto.tink.AesGcmKey = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.google.crypto.tink.AesGcmKey, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.google.crypto.tink.AesGcmKey.displayName = 'proto.google.crypto.tink.AesGcmKey';
+}
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.prototype.toObject = function(opt_includeInstance) {
+  return proto.google.crypto.tink.AesGcmKeyFormat.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.google.crypto.tink.AesGcmKeyFormat} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    keySize: jspb.Message.getFieldWithDefault(msg, 2, 0),
+    version: jspb.Message.getFieldWithDefault(msg, 3, 0)
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.google.crypto.tink.AesGcmKeyFormat}
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.google.crypto.tink.AesGcmKeyFormat;
+  return proto.google.crypto.tink.AesGcmKeyFormat.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.google.crypto.tink.AesGcmKeyFormat} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.google.crypto.tink.AesGcmKeyFormat}
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 2:
+      var value = /** @type {number} */ (reader.readUint32());
+      msg.setKeySize(value);
+      break;
+    case 3:
+      var value = /** @type {number} */ (reader.readUint32());
+      msg.setVersion(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.google.crypto.tink.AesGcmKeyFormat.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.google.crypto.tink.AesGcmKeyFormat} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getKeySize();
+  if (f !== 0) {
+    writer.writeUint32(
+      2,
+      f
+    );
+  }
+  f = message.getVersion();
+  if (f !== 0) {
+    writer.writeUint32(
+      3,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional uint32 key_size = 2;
+ * @return {number}
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.prototype.getKeySize = function() {
+  return /** @type {number} */ (jspb.Message.getFieldWithDefault(this, 2, 0));
+};
+
+
+/**
+ * @param {number} value
+ * @return {!proto.google.crypto.tink.AesGcmKeyFormat} returns this
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.prototype.setKeySize = function(value) {
+  return jspb.Message.setProto3IntField(this, 2, value);
+};
+
+
+/**
+ * optional uint32 version = 3;
+ * @return {number}
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.prototype.getVersion = function() {
+  return /** @type {number} */ (jspb.Message.getFieldWithDefault(this, 3, 0));
+};
+
+
+/**
+ * @param {number} value
+ * @return {!proto.google.crypto.tink.AesGcmKeyFormat} returns this
+ */
+proto.google.crypto.tink.AesGcmKeyFormat.prototype.setVersion = function(value) {
+  return jspb.Message.setProto3IntField(this, 3, value);
+};
+
+
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.google.crypto.tink.AesGcmKey.prototype.toObject = function(opt_includeInstance) {
+  return proto.google.crypto.tink.AesGcmKey.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.google.crypto.tink.AesGcmKey} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.google.crypto.tink.AesGcmKey.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    version: jspb.Message.getFieldWithDefault(msg, 1, 0),
+    keyValue: msg.getKeyValue_asB64()
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.google.crypto.tink.AesGcmKey}
+ */
+proto.google.crypto.tink.AesGcmKey.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.google.crypto.tink.AesGcmKey;
+  return proto.google.crypto.tink.AesGcmKey.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.google.crypto.tink.AesGcmKey} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.google.crypto.tink.AesGcmKey}
+ */
+proto.google.crypto.tink.AesGcmKey.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {number} */ (reader.readUint32());
+      msg.setVersion(value);
+      break;
+    case 3:
+      var value = /** @type {!Uint8Array} */ (reader.readBytes());
+      msg.setKeyValue(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.google.crypto.tink.AesGcmKey.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.google.crypto.tink.AesGcmKey.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.google.crypto.tink.AesGcmKey} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.google.crypto.tink.AesGcmKey.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getVersion();
+  if (f !== 0) {
+    writer.writeUint32(
+      1,
+      f
+    );
+  }
+  f = message.getKeyValue_asU8();
+  if (f.length > 0) {
+    writer.writeBytes(
+      3,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional uint32 version = 1;
+ * @return {number}
+ */
+proto.google.crypto.tink.AesGcmKey.prototype.getVersion = function() {
+  return /** @type {number} */ (jspb.Message.getFieldWithDefault(this, 1, 0));
+};
+
+
+/**
+ * @param {number} value
+ * @return {!proto.google.crypto.tink.AesGcmKey} returns this
+ */
+proto.google.crypto.tink.AesGcmKey.prototype.setVersion = function(value) {
+  return jspb.Message.setProto3IntField(this, 1, value);
+};
+
+
+/**
+ * optional bytes key_value = 3;
+ * @return {!(string|Uint8Array)}
+ */
+proto.google.crypto.tink.AesGcmKey.prototype.getKeyValue = function() {
+  return /** @type {!(string|Uint8Array)} */ (jspb.Message.getFieldWithDefault(this, 3, ""));
+};
+
+
+/**
+ * optional bytes key_value = 3;
+ * This is a type-conversion wrapper around `getKeyValue()`
+ * @return {string}
+ */
+proto.google.crypto.tink.AesGcmKey.prototype.getKeyValue_asB64 = function() {
+  return /** @type {string} */ (jspb.Message.bytesAsB64(
+      this.getKeyValue()));
+};
+
+
+/**
+ * optional bytes key_value = 3;
+ * Note that Uint8Array is not supported on all browsers.
+ * @see http://caniuse.com/Uint8Array
+ * This is a type-conversion wrapper around `getKeyValue()`
+ * @return {!Uint8Array}
+ */
+proto.google.crypto.tink.AesGcmKey.prototype.getKeyValue_asU8 = function() {
+  return /** @type {!Uint8Array} */ (jspb.Message.bytesAsU8(
+      this.getKeyValue()));
+};
+
+
+/**
+ * @param {!(string|Uint8Array)} value
+ * @return {!proto.google.crypto.tink.AesGcmKey} returns this
+ */
+proto.google.crypto.tink.AesGcmKey.prototype.setKeyValue = function(value) {
+  return jspb.Message.setProto3BytesField(this, 3, value);
+};
+
+
+goog.object.extend(exports, proto.google.crypto.tink);

package/src/awskms.js

@@ -0,0 +1,14 @@
+const { KMSClient, DecryptCommand } = require("@aws-sdk/client-kms");
+
+const client = new KMSClient();
+
+async function decrypt(data) {
+    const command = new DecryptCommand({
+        CiphertextBlob: data
+    });
+
+    const { Plaintext } = await client.send(command);
+    return Plaintext;
+}
+
+module.exports = { decrypt };