bug: Removes the internal added prefix from custom encryption context before creating the branch key material node object

sharmabikram · sharmabikram · commit 601889ac9803 · 2026-03-18T11:10:05.000-07:00
diff --git a/modules/branch-keystore-node/src/branch_keystore_helpers.ts b/modules/branch-keystore-node/src/branch_keystore_helpers.ts
@@ -351,7 +351,9 @@ function constructCustomEncryptionContext(
   //# for the constructed key.
   for (const [key, value] of Object.entries(authenticatedEncryptionContext)) {
     if (key.startsWith(CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX)) {
-      customEncryptionContext[key] = value
+      customEncryptionContext[
+        key.slice(CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX.length)
+      ] = value
     }
   }
 
diff --git a/modules/branch-keystore-node/test/branch_keystore_helpers.test.ts b/modules/branch-keystore-node/test/branch_keystore_helpers.test.ts
@@ -37,6 +37,7 @@ import {
   TYPE_FIELD,
   PARTITION_KEY,
   SORT_KEY,
+  CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX,
 } from '../src/constants'
 import { DynamoDBKeyStorage } from '../src/dynamodb_key_storage'
 import { EncryptedHierarchicalKey } from '../src/types'
@@ -53,6 +54,16 @@ const VALID_CUSTOM_ENCRYPTION_CONTEXT = Object.fromEntries(
   )
 )
 
+// Expected output after stripping the `aws-crypto-ec:` prefix
+const EXPECTED_CUSTOM_ENCRYPTION_CONTEXT = Object.fromEntries(
+  Object.entries({ ...VALID_CUSTOM_ENCRYPTION_CONTEXT_KV_PAIRS }).map(
+    ([key, value]) => [
+      key.slice(CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX.length),
+      value.toString(),
+    ]
+  )
+)
+
 const INVALID_CUSTOM_ENCRYPTION_CONTEXT_KV_PAIRS = {
   'awz-crypto-ec:key1': 'value 1',
   key2: 'value 2',
@@ -650,7 +661,7 @@ describe('Test keystore helpers', () => {
         Buffer.from(ENCRYPTED_ACTIVE_BRANCH_KEY.type.version, 'utf-8')
       )
       expect(activeBranchKeyMaterials.encryptionContext).deep.equals(
-        VALID_CUSTOM_ENCRYPTION_CONTEXT
+        EXPECTED_CUSTOM_ENCRYPTION_CONTEXT
       )
 
       const versionedBranchKeyMaterials = constructBranchKeyMaterials(
@@ -671,7 +682,7 @@ describe('Test keystore helpers', () => {
         Buffer.from(ENCRYPTED_VERSION_BRANCH_KEY.type.version, 'utf-8')
       )
       expect(versionedBranchKeyMaterials.encryptionContext).deep.equals(
-        VALID_CUSTOM_ENCRYPTION_CONTEXT
+        EXPECTED_CUSTOM_ENCRYPTION_CONTEXT
       )
     })
   })

Original file line number	Diff line number	Diff line change
`@@ -351,7 +351,9 @@ function constructCustomEncryptionContext(`
`351`	`351`	`//# for the constructed key.`
`352`	`352`	`for (const [key, value] of Object.entries(authenticatedEncryptionContext)) {`
`353`	`353`	`if (key.startsWith(CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX)) {`
`354`		`- customEncryptionContext[key] = value`
	`354`	`+ customEncryptionContext[`
	`355`	`+ key.slice(CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX.length)`
	`356`	`+ ] = value`
`355`	`357`	`}`
`356`	`358`	`}`
`357`	`359`