aws · texastony · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
@@ -23,7 +23,7 @@
     "@aws-crypto/serialize": "file:../serialize",
     "@aws-crypto/web-crypto-backend": "file:../web-crypto-backend",
     "@aws-sdk/util-base64": "^3.374.0",
-    "@aws-sdk/util-utf8-browser": "3.259.0",
+    "@smithy/util-utf8": "^4.0.0",
     "tslib": "^2.2.0"
   },
   "sideEffects": false,

@@ -19,8 +19,8 @@ import {
   WebCryptoGetEncryptionMaterials,
   WebCryptoGetDecryptMaterials,
 } from '@aws-crypto/material-management-browser'
-import { fromUtf8, toUtf8 } from '@aws-sdk/util-utf8-browser'
-import { toBase64 } from '@aws-sdk/util-base64-browser'
+import { fromUtf8, toUtf8 } from '@smithy/util-utf8'
+import { toBase64 } from '@aws-sdk/util-base64'
 import { synchronousRandomValues } from '@aws-crypto/web-crypto-backend'
 import { sha512 } from './sha512'
 

@@ -1,7 +1,7 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { fromUtf8 } from '@aws-sdk/util-utf8-browser'
+import { fromUtf8 } from '@smithy/util-utf8'
 import {
   getWebCryptoBackend,
   getNonZeroByteBackend,

@@ -19,7 +19,7 @@
   "dependencies": {
     "@aws-crypto/material-management-browser": "file:../material-management-browser",
     "@aws-crypto/serialize": "file:../serialize",
-    "@aws-sdk/util-utf8-browser": "3.259.0",
+    "@smithy/util-utf8": "^4.0.0",
     "tslib": "^2.2.0"
   },
   "sideEffects": false,

@@ -24,7 +24,7 @@ import {
   HeaderInfo,
   MessageHeaderV2,
 } from '@aws-crypto/serialize'
-import { fromUtf8, toUtf8 } from '@aws-sdk/util-utf8-browser'
+import { fromUtf8, toUtf8 } from '@smithy/util-utf8'
 
 const deserialize = deserializeFactory(toUtf8, WebCryptoAlgorithmSuite)
 const { messageAADContentString, messageAAD } = aadFactory(fromUtf8)

@@ -24,8 +24,8 @@ import {
   KMS,
   getClient,
 } from '@aws-crypto/kms-keyring-browser'
-import { fromBase64, toBase64 } from '@aws-sdk/util-base64-browser'
-import { toUtf8 } from '@aws-sdk/util-utf8-browser'
+import { fromBase64, toBase64 } from '@aws-sdk/util-base64'
+import { toUtf8 } from '@smithy/util-utf8'
 chai.use(chaiAsPromised)
 const { expect } = chai
 

@@ -22,7 +22,7 @@ import {
   MessageFormat,
   WebCryptoAlgorithmSuite,
 } from '@aws-crypto/material-management'
-import { fromBase64 } from '@aws-sdk/util-base64-browser'
+import { fromBase64 } from '@aws-sdk/util-base64'
 chai.use(chaiAsPromised)
 const { expect } = chai
 const { decrypt } = buildDecrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)

@@ -20,7 +20,7 @@
     "@aws-crypto/material-management-browser": "file:../material-management-browser",
     "@aws-crypto/serialize": "file:../serialize",
     "@aws-crypto/web-crypto-backend": "file:../web-crypto-backend",
-    "@aws-sdk/util-utf8-browser": "3.259.0",
+    "@smithy/util-utf8": "^4.0.0",
     "tslib": "^2.2.0"
   },
   "sideEffects": false,

@@ -28,7 +28,7 @@ import {
   MessageIdLength,
   serializeMessageHeaderAuth,
 } from '@aws-crypto/serialize'
-import { fromUtf8 } from '@aws-sdk/util-utf8-browser'
+import { fromUtf8 } from '@smithy/util-utf8'
 import { getWebCryptoBackend } from '@aws-crypto/web-crypto-backend'
 
 const serialize = serializeFactory(fromUtf8, { utf8Sorting: true })

@@ -24,7 +24,7 @@ import {
 } from '@aws-crypto/serialize'
 import { buildEncrypt } from '../src/index'
 import { _encrypt } from '../src/encrypt'
-import { toUtf8, fromUtf8 } from '@aws-sdk/util-utf8-browser'
+import { toUtf8, fromUtf8 } from '@smithy/util-utf8'
 const { encrypt } = buildEncrypt(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
 
 chai.use(chaiAsPromised)

@@ -13,7 +13,7 @@ import {
   buildClient,
   CommitmentPolicy,
 } from '@aws-crypto/client-browser'
-import { toBase64 } from '@aws-sdk/util-base64-browser'
+import { toBase64 } from '@aws-sdk/util-base64'
 
 /* This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
  * which enforces that this client only encrypts using committing algorithm suites

@@ -14,7 +14,7 @@ import {
   WebCryptoCachingMaterialsManager,
   getLocalCryptographicMaterialsCache,
 } from '@aws-crypto/client-browser'
-import { toBase64 } from '@aws-sdk/util-base64-browser'
+import { toBase64 } from '@aws-sdk/util-base64'
 
 /* This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
  * which enforces that this client only encrypts using committing algorithm suites

@@ -12,7 +12,7 @@ import {
   buildClient,
   CommitmentPolicy,
 } from '@aws-crypto/client-browser'
-import { toBase64 } from '@aws-sdk/util-base64-browser'
+import { toBase64 } from '@aws-sdk/util-base64'
 
 /* This is injected by webpack.
  * The webpack.DefinePlugin will replace the values when bundling.

@@ -15,7 +15,7 @@ import {
   configureFallback,
   AlgorithmSuiteIdentifier,
 } from '@aws-crypto/client-browser'
-import { toBase64 } from '@aws-sdk/util-base64-browser'
+import { toBase64 } from '@aws-sdk/util-base64'
 
 /* This builds the client with the FORBID_ENCRYPT_ALLOW_DECRYPT commitment policy.
  * This is because the current version of `msrcrypto`

@@ -12,7 +12,7 @@ import {
   buildClient,
   CommitmentPolicy,
 } from '@aws-crypto/client-browser'
-import { toBase64 } from '@aws-sdk/util-base64-browser'
+import { toBase64 } from '@aws-sdk/util-base64'
 
 /* This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
  * which enforces that this client only encrypts using committing algorithm suites

@@ -17,7 +17,7 @@ import {
   CommitmentPolicy,
   synchronousRandomValues,
 } from '@aws-crypto/client-browser'
-import { toBase64 } from '@aws-sdk/util-base64-browser'
+import { toBase64 } from '@aws-sdk/util-base64'
 
 /* This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
  * which enforces that this client only encrypts using committing algorithm suites

@@ -12,7 +12,7 @@ import {
   buildClient,
   CommitmentPolicy,
 } from '@aws-crypto/client-browser'
-import { toBase64 } from '@aws-sdk/util-base64-browser'
+import { toBase64 } from '@aws-sdk/util-base64'
 
 /* This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
  * which enforces that this client only encrypts using committing algorithm suites

@@ -20,8 +20,8 @@
     "@aws-crypto/client-browser": "file:../client-browser",
     "@aws-crypto/integration-vectors": "file:../integration-vectors",
     "@aws-sdk/credential-provider-node": "^3.362.0",
-    "@aws-sdk/util-base64-browser": "^3.209.0",
-    "@aws-sdk/util-utf8-browser": "^3.23.0",
+    "@aws-sdk/util-base64": "^3.374.0",
+    "@smithy/util-utf8": "^4.0.0",
     "@trust/keyto": "^1.0.1",
     "@types/got": "^9.6.9",
     "@types/stream-to-promise": "^2.2.0",

@@ -28,7 +28,7 @@ import {
   buildGetKeyring,
 } from '@aws-crypto/integration-vectors'
 
-import { fromBase64 } from '@aws-sdk/util-base64-browser'
+import { fromBase64 } from '@aws-sdk/util-base64'
 // @ts-ignore
 import keyto from '@trust/keyto'
 // credentials is from '@aws-sdk/karma-credential-loader'

@@ -4,13 +4,13 @@
 /* eslint-env jasmine */
 
 import { encryptMaterialsManagerWebCrypto } from './decrypt_materials_manager_web_crypto'
-import { fromBase64 } from '@aws-sdk/util-base64-browser'
+import { fromBase64 } from '@aws-sdk/util-base64'
 import {
   buildClient,
   CommitmentPolicy,
   needs,
 } from '@aws-crypto/client-browser'
-import { toUtf8 } from '@aws-sdk/util-utf8-browser'
+import { toUtf8 } from '@smithy/util-utf8'
 const { encrypt } = buildClient(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
 declare const expect: any
 declare const __fixtures__: any
@@ -57,7 +57,7 @@ function aTest(testName: string, decryptOracle: string) {
         body: result,
       })
       const body = await response.arrayBuffer()
-      needs(response.ok, `Failed to decrypt: ${toUtf8(body)}`)
+      needs(response.ok, `Failed to decrypt: ${toUtf8(new Uint8Array(body))}`)
       expect(plainText).toEqual(new Uint8Array(body))
     } catch (err) {
       needs(

@@ -14,7 +14,7 @@ import {
   TestVectorResult,
 } from '@aws-crypto/integration-vectors'
 import { decryptMaterialsManagerWebCrypto } from './decrypt_materials_manager_web_crypto'
-import { fromBase64 } from '@aws-sdk/util-base64-browser'
+import { fromBase64 } from '@aws-sdk/util-base64'
 
 export const expectedNotActualPlaintextMessage = `Decrypted plaintext did not match expected plaintext`
 

@@ -6,7 +6,7 @@
 /* eslint-env mocha */
 
 import { expect } from 'chai'
-import { fromBase64 } from '@aws-sdk/util-base64-browser'
+import { fromBase64 } from '@aws-sdk/util-base64'
 import { KeyInfoTuple, TestVectorResult } from '@aws-crypto/integration-vectors'
 import {
   KeyringWebCrypto,

@@ -6,7 +6,6 @@
 import * as chai from 'chai'
 import chaiAsPromised from 'chai-as-promised'
 import { KmsKeyringBrowser, getClient } from '../src/index'
-import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 import {
   KeyringWebCrypto,
@@ -30,7 +29,7 @@ describe('KmsKeyringBrowser::constructor', () => {
     const keyArn =
       'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
     const keyIds = [keyArn]
-    const clientProvider = getClient(V2KMS, { credentials })
+    const clientProvider = getClient(V3KMS, { credentials })
 
     const test = new KmsKeyringBrowser({
       clientProvider,
@@ -51,46 +50,6 @@ describe('KmsKeyringBrowser::constructor', () => {
   })
 })
 
-describe('KmsKeyringBrowser can encrypt/decrypt with AWS SDK v2 client', () => {
-  const generatorKeyId =
-    'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
-  const keyArn =
-    'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
-  const keyIds = [keyArn]
-  const clientProvider = getClient(V2KMS, { credentials })
-  const keyring = new KmsKeyringBrowser({
-    clientProvider,
-    generatorKeyId,
-    keyIds,
-  })
-  let encryptedDataKey: EncryptedDataKey
-
-  it('can encrypt and create unencrypted data key', async () => {
-    const suite = new WebCryptoAlgorithmSuite(
-      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-    )
-    const material = new WebCryptoEncryptionMaterial(suite, {})
-    const test = await keyring.onEncrypt(material)
-    expect(test.hasValidKey()).to.equal(true)
-    const udk = test.getUnencryptedDataKey()
-    expect(udk).to.have.lengthOf(suite.keyLengthBytes)
-    expect(test.encryptedDataKeys).to.have.lengthOf(2)
-    const [edk] = test.encryptedDataKeys
-    encryptedDataKey = edk
-  })
-
-  it('can decrypt an EncryptedDataKey', async () => {
-    const suite = new WebCryptoAlgorithmSuite(
-      AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-    )
-    const material = new WebCryptoDecryptionMaterial(suite, {})
-    const test = await keyring.onDecrypt(material, [encryptedDataKey])
-    expect(test.hasValidKey()).to.equal(true)
-    // The UnencryptedDataKey should be zeroed, because the cryptoKey has been set
-    expect(() => test.getUnencryptedDataKey()).to.throw()
-  })
-})
-
 describe('KmsKeyringBrowser can encrypt/decrypt with AWS SDK v3 client', () => {
   const generatorKeyId =
     'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'

@@ -16,7 +16,6 @@ import {
   AlgorithmSuiteIdentifier,
   WebCryptoDecryptionMaterial,
 } from '@aws-crypto/material-management-browser'
-import { KMS as V2KMS } from 'aws-sdk'
 import { KMS as V3KMS } from '@aws-sdk/client-kms'
 
 chai.use(chaiAsPromised)
@@ -57,54 +56,6 @@ describe('AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser::constructor', () => {
 /* Injected from @aws-sdk/karma-credential-loader. */
 declare const credentials: any
 
-describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v2 client', () => {
-  const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }
-
-  const eastKeyId =
-    'arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7'
-  const grantTokens = ['grant']
-  const encryptionContext = { some: 'context' }
-  const suite = new WebCryptoAlgorithmSuite(
-    AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA256
-  )
-
-  const keyring = new AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser({
-    // Note the difference in the region from the keyId
-    client: new V2KMS({ region: 'us-west-2', credentials }),
-    discoveryFilter,
-    grantTokens,
-  })
-
-  it('throws an error on encrypt', async () => {
-    const material = new WebCryptoEncryptionMaterial(suite, encryptionContext)
-    return expect(keyring.onEncrypt(material)).to.rejectedWith(
-      Error,
-      'AwsKmsMrkAwareSymmetricDiscoveryKeyring cannot be used to encrypt'
-    )
-  })
-
-  it('can decrypt an EncryptedDataKey', async () => {
-    const encryptKeyring = new AwsKmsMrkAwareSymmetricKeyringBrowser({
-      client: new V2KMS({ region: 'us-east-1', credentials }),
-      keyId: eastKeyId,
-      grantTokens,
-    })
-    const encryptMaterial = await encryptKeyring.onEncrypt(
-      new WebCryptoEncryptionMaterial(suite, encryptionContext)
-    )
-    const [edk] = encryptMaterial.encryptedDataKeys
-
-    const material = await keyring.onDecrypt(
-      new WebCryptoDecryptionMaterial(suite, encryptionContext),
-      [edk]
-    )
-    const test = await keyring.onDecrypt(material, [edk])
-    expect(test.hasValidKey()).to.equal(true)
-    // The UnencryptedDataKey should be zeroed, because the cryptoKey has been set
-    expect(() => test.getUnencryptedDataKey()).to.throw()
-  })
-})
-
 describe('AwsKmsMrkAwareSymmetricKeyringBrowser can encrypt/decrypt with AWS SDK v3 client', () => {
   const discoveryFilter = { accountIDs: ['658956600833'], partition: 'aws' }