address comments

Author: RitvikKapila

DynamoDbEncryption/dafny/DynamoDbEncryption/Model/DynamoDbEncryption.smithy

@@ -719,7 +719,7 @@ structure SingleKeyStore {
   @required
   @javadoc("How long (in seconds) the beacon key material is cached locally before it is re-retrieved from DynamoDB and re-authed with AWS KMS.")
   cacheTTL: Integer,
-  @documentation("Provide the Shared Cache for Searchable Encryption.")
+  @documentation("Which type of local cache to use. Please see the [spec](https://github.com/aws/aws-database-encryption-sdk-dynamodb/blob/main/specification/searchable-encryption/search-config.md#key-store-cache) on how to provide a cache for a SingleKeyStore.")
   cache : CacheType,
   @documentation("Partition ID to distinguish Beacon Key Sources writing to a Shared cache. If the Partition ID is the same for two Beacon Key Sources, they can share the same cache entries in the Shared cache.")
   partitionId: String

DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy

@@ -40,6 +40,7 @@ module SearchConfigToInfo {
     requires ValidSearchConfig(outer.search)
     requires outer.search.Some? ==> ValidSharedCache(outer.search.value.versions[0].keySource)
     modifies if outer.search.Some? then outer.search.value.versions[0].keyStore.Modifies else {}
+    ensures outer.search.Some? ==> ValidSharedCache(outer.search.value.versions[0].keySource)
     ensures output.Success? && output.value.Some? ==>
               && output.value.value.ValidState()
               && fresh(output.value.value.versions[0].keySource.client)
@@ -120,6 +121,7 @@ module SearchConfigToInfo {
     modifies keyStore.Modifies
     requires client.ValidState()
     requires ValidSharedCache(config)
+    ensures ValidSharedCache(config)
     ensures client.ValidState()
     ensures output.Success? ==>
               && output.value.ValidState()
@@ -148,9 +150,10 @@ module SearchConfigToInfo {
     //= specification/searchable-encryption/search-config.md#key-store-cache
     //# For a Beacon Key Source a [CMC](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md)
     //# MUST be created.
-    //# For a [Single Key Store](#single-key-store-initialization), either the customer provides a cache, or we create a cache that MUST have [Entry Capacity](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md#entry-capacity)
-    //# equal to 1.
-    //# For a [Multi Key Store](#multi-key-store-initialization), either the customer provides a cache, or we create a cache that MUST have [Entry Capacity](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md#entry-capacity)
+    //# For a [Single Key Store](#single-key-store-initialization), either the user provides a cache, or we create a cache that MUST have [Entry Capacity](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md#entry-capacity)
+    //# equal to 1. If the user provides a cache which is not `Shared`, they SHOULD set the [Entry Capacity](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md#entry-capacity)
+    //# of the provided `CacheType` to 1, because the [Single Key Store](#single-key-store-initialization) only ever caches one entry. Even if the user provides an entryCapacity > 1, the [Single Key Store](#single-key-store-initialization) will only cache one entry.
+    //# For a [Multi Key Store](#multi-key-store-initialization), either the user provides a cache, or we create a cache that MUST have [Entry Capacity](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md#entry-capacity)
     //# equal to 1000.
     var cacheType : MPT.CacheType :=
       if config.multi? then
@@ -160,8 +163,9 @@ module SearchConfigToInfo {
           MPT.Default(Default := MPT.DefaultCache(entryCapacity := 1000))
       else
       if config.single.cache.Some? then
-        // Ideally, we only want to pass a cache here with entryCapacity = 1
-        // because the SingleKeyStore caches only one value.
+        // If the user provides a CacheType, and it is NOT Shared,
+        // we SHOULD only allow an entryCapacity = 1
+        // because the SingleKeyStore only ever caches one value.
         // That is, we SHOULD add a check here for entryCapacity = 1.
         // However, that requires us to write an if block for each CacheType.
         // Also, it does NOT matter what the entryCapacity is, because the cache
@@ -174,10 +178,6 @@ module SearchConfigToInfo {
     if cacheType.Shared? {
       cache := cacheType.Shared;
       reveal ValidSharedCache(config);
-
-      // This axiom is important because it is not easy to prove
-      // keyStore.Modifies !! cache.Modifies for a shared cache.
-      assume {:axiom} keyStore.Modifies !! cache.Modifies;
     } else {
       //= specification/searchable-encryption/search-config.md#key-store-cache
       //# For a Beacon Key Source a [CMC](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md)
@@ -228,6 +228,11 @@ module SearchConfigToInfo {
       :- Need(0 < config.single.cacheTTL, E("Beacon Cache TTL must be at least 1."));
       output := Success(I.KeySource(client, keyStore, I.SingleLoc(config.single.keyId), cache, config.single.cacheTTL as uint32, partitionIdBytes, logicalKeyStoreNameBytes));
     }
+    assert output.value.ValidState() by {
+      // This axiom is important because it is not easy to prove
+      // keyStore.Modifies !! cache.Modifies for a shared cache.
+      assume {:axiom} keyStore.Modifies !! cache.Modifies;
+    }
   }
 
   // convert configured BeaconVersion to internal BeaconVersion
@@ -236,6 +241,7 @@ module SearchConfigToInfo {
     requires ValidBeaconVersion(config)
     requires ValidSharedCache(config.keySource)
     modifies config.keyStore.Modifies
+    ensures ValidSharedCache(config.keySource)
     ensures output.Success? ==>
               && output.value.ValidState()
               && fresh(output.value.keySource.client)

DynamoDbEncryption/dafny/DynamoDbEncryption/src/SearchInfo.dfy

@@ -138,10 +138,8 @@ module SearchableEncryptionInfo {
     var uuid :- uuid?
     .MapFailure(e => Error.DynamoDbEncryptionException(message := e));
 
-    var uuidBytes: seq<uint8> :- UUID.ToByteArray(uuid)
-    .MapFailure(e => Error.DynamoDbEncryptionException(message := e));
-
-    output := Success(uuidBytes);
+    output := UUID.ToByteArray(uuid)
+      .MapFailure(e => Error.DynamoDbEncryptionException(message := e));
   }
 
   datatype KeyLocation =
@@ -176,7 +174,15 @@ module SearchableEncryptionInfo {
       if keyLoc.SingleLoc? {
         :- Need(keyId.DontUseKeyId?, E("KeyID should not be supplied with a SingleKeyStore"));
         var now := Time.GetCurrent();
-        var theMap :- getKeysCache(client, stdNames, keyLoc.keyId, cacheTTL as MP.PositiveLong, partitionIdBytes, logicalKeyStoreNameBytes, now as MP.PositiveLong);
+        var theMap :- getKeysCache(
+          client,
+          stdNames,
+          keyLoc.keyId,
+          cacheTTL as MP.PositiveLong,
+          partitionIdBytes,
+          logicalKeyStoreNameBytes,
+          now as MP.PositiveLong
+        );
         return Success(Keys(theMap));
       } else if keyLoc.LiteralLoc? {
         :- Need(keyId.DontUseKeyId?, E("KeyID should not be supplied with a LiteralKeyStore"));
@@ -186,7 +192,18 @@ module SearchableEncryptionInfo {
         match keyId {
           case DontUseKeyId => return Failure(E("KeyID must be supplied with a MultiKeyStore"));
           case ShouldHaveKeyId => return Success(ShouldHaveKeys);
-          case KeyId(id) => var now := Time.GetCurrent(); var theMap :- getKeysCache(client, stdNames, id, cacheTTL as MP.PositiveLong, partitionIdBytes, logicalKeyStoreNameBytes, now as MP.PositiveLong); return Success(Keys(theMap));
+          case KeyId(id) =>
+            var now := Time.GetCurrent();
+            var theMap :- getKeysCache(
+              client,
+              stdNames,
+              id,
+              cacheTTL as MP.PositiveLong,
+              partitionIdBytes,
+              logicalKeyStoreNameBytes,
+              now as MP.PositiveLong
+            );
+            return Success(Keys(theMap));
         }
       }
     }
@@ -227,37 +244,40 @@ module SearchableEncryptionInfo {
       returns (output : Result<HmacKeyMap, Error>)
       requires Seq.HasNoDuplicates(stdNames)
       requires ValidState()
+      requires client.ValidState()
       modifies Modifies()
+      modifies client.Modifies
       ensures ValidState()
+      ensures client.ValidState()
 
       //= specification/searchable-encryption/search-config.md#get-beacon-key-materials
       //= type=implication
       //# Get beacon key MUST Call the associated [Key Store Cache](#key-store-cache)
       //# [Get Cache Entry](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/local-cryptographic-materials-cache.md#get-cache-entry)
-      //# with the `beacon key id`.
+      //# with the cache identifier defined in the [Searchable Encryption Cache Identifier](#searchable-encryption-cache-identifier) section.
       ensures output.Success? ==>
-                && var oldHistory := old(cache.History.GetCacheEntry);
-                && var newHistory := cache.History.GetCacheEntry;
-                && |newHistory| == |oldHistory|+1
-                && var cacheInput := Seq.Last(newHistory).input;
-                && var cacheOutput := Seq.Last(newHistory).output;
+                && var oldGetCacheHistory := old(cache.History.GetCacheEntry);
+                && var newGetCacheHistory := cache.History.GetCacheEntry;
+                && |newGetCacheHistory| == |oldGetCacheHistory|+1
+                && var getCacheInput := Seq.Last(newGetCacheHistory).input;
+                && var getCacheOutput := Seq.Last(newGetCacheHistory).output;
                 && UTF8.Encode(keyId).Success?
 
                 //= specification/searchable-encryption/search-config.md#get-beacon-key-materials
                 //= type=implication
                 //# If a [cache entry](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md#cache-entry)
                 //# exists, get beacon key MUST return the [entry materials](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md#materials).
-                && (cacheOutput.Success? && cacheEntryWithinLimits(
-                      creationTime := cacheOutput.value.creationTime,
+                && (getCacheOutput.Success? && cacheEntryWithinLimits(
+                      creationTime := getCacheOutput.value.creationTime,
                       now := now,
                       ttlSeconds := cacheTTL
                     ) ==>
-                      && cacheOutput.value.materials.BeaconKey?
-                      && cacheOutput.value.materials.BeaconKey.hmacKeys.Some?
-                      && output.value == cacheOutput.value.materials.BeaconKey.hmacKeys.value)
+                      && getCacheOutput.value.materials.BeaconKey?
+                      && getCacheOutput.value.materials.BeaconKey.hmacKeys.Some?
+                      && output.value == getCacheOutput.value.materials.BeaconKey.hmacKeys.value)
 
-                && (cacheOutput.Failure? || !cacheEntryWithinLimits(
-                      creationTime := cacheOutput.value.creationTime,
+                && (getCacheOutput.Failure? || !cacheEntryWithinLimits(
+                      creationTime := getCacheOutput.value.creationTime,
                       now := now,
                       ttlSeconds := cacheTTL
                     ) ==>
@@ -274,20 +294,30 @@ module SearchableEncryptionInfo {
                       //= type=implication
                       //# The `beacon key id` MUST be passed to the configured `KeyStore`'s `GetBeaconKey` operation.
                       && storeInput.branchKeyIdentifier == keyId
-                      && var oldPutHistory := old(cache.History.PutCacheEntry);
-                      && var newPutHistory := cache.History.PutCacheEntry;
-                      && |newPutHistory| == |oldPutHistory|+1
+                      && var oldPutCacheHistory := old(cache.History.PutCacheEntry);
+                      && var newPutCacheHistory := cache.History.PutCacheEntry;
+                      && |newPutCacheHistory| == |oldPutCacheHistory|+1
                       && (
-                           var storeOutput := Seq.Last(newPutHistory).output;
-                           || storeOutput.Success?
-                           || storeOutput.error.EntryAlreadyExists?
+                           var putCacheOutput := Seq.Last(newPutCacheHistory).output;
+                           || putCacheOutput.Success?
+                           || putCacheOutput.error.EntryAlreadyExists?
                          )
-                      && var storeInput := Seq.Last(newPutHistory).input;
-                      && var storeOutput := Seq.Last(newPutHistory).output;
+                      && var putCacheInput := Seq.Last(newPutCacheHistory).input;
+                      && var putCacheOutput := Seq.Last(newPutCacheHistory).output;
+
+                      //= specification/searchable-encryption/search-config.md#get-beacon-key-materials
+                      //# The Searchable Encryption cache identifier for [Key Store Cache](#key-store-cache)
+                      //# [Get Cache Entry](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/local-cryptographic-materials-cache.md#get-cache-entry)
+                      //# and the [Key Store Cache](#key-store-cache)
+                      //# [Put Cache Entry](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/local-cryptographic-materials-cache.md#put-cache-entry)
+                      //# MUST be the same.
+                      && putCacheInput.identifier == getCacheInput.identifier
+
                       //= specification/searchable-encryption/search-config.md#get-beacon-key-materials
                       //= type=implication
                       //# These cached materials MUST be returned.
-                      && storeInput.materials.BeaconKey? ==> storeInput.materials.BeaconKey.hmacKeys == Some(output.value)
+                      && putCacheInput.materials.BeaconKey?
+                      && putCacheInput.materials.BeaconKey.hmacKeys == Some(output.value)
                    )
     {
 
@@ -311,15 +341,9 @@ module SearchableEncryptionInfo {
       var identifierDigestInput := Prim.DigestInput(
         digestAlgorithm := hashAlgorithm, message := identifier
       );
-      var maybeCacheDigest := Digest.Digest(identifierDigestInput);
+      var maybeCacheDigest := client.Digest(identifierDigestInput); 
       var cacheDigest :- maybeCacheDigest.MapFailure(e => AwsCryptographyPrimitives(e));
 
-      :- Need(
-        |cacheDigest| == Digest.Length(hashAlgorithm),
-        Error.DynamoDbEncryptionException(
-          message := "Digest generated a message not equal to the expected length.")
-      );
-
       // Use the SHA384 of the identifier as the cache identifier
       var getCacheInput := MP.GetCacheEntryInput(identifier := cacheDigest, bytesUsed := None);
       verifyValidStateCache(cache);

DynamoDbEncryption/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/dbencryptionsdk/dynamodb/model/SingleKeyStore.java

@@ -22,7 +22,7 @@ public class SingleKeyStore {
   private final Integer cacheTTL;
 
   /**
-   * Provide the Shared Cache for Searchable Encryption.
+   * Which type of local cache to use. Please see the [spec](https://github.com/aws/aws-database-encryption-sdk-dynamodb/blob/main/specification/searchable-encryption/search-config.md#key-store-cache) on how to provide a cache for a SingleKeyStore.
    */
   private final CacheType cache;
 
@@ -53,7 +53,7 @@ public Integer cacheTTL() {
   }
 
   /**
-   * @return Provide the Shared Cache for Searchable Encryption.
+   * @return Which type of local cache to use. Please see the [spec](https://github.com/aws/aws-database-encryption-sdk-dynamodb/blob/main/specification/searchable-encryption/search-config.md#key-store-cache) on how to provide a cache for a SingleKeyStore.
    */
   public CacheType cache() {
     return this.cache;
@@ -96,12 +96,12 @@ public interface Builder {
     Integer cacheTTL();
 
     /**
-     * @param cache Provide the Shared Cache for Searchable Encryption.
+     * @param cache Which type of local cache to use. Please see the [spec](https://github.com/aws/aws-database-encryption-sdk-dynamodb/blob/main/specification/searchable-encryption/search-config.md#key-store-cache) on how to provide a cache for a SingleKeyStore.
      */
     Builder cache(CacheType cache);
 
     /**
-     * @return Provide the Shared Cache for Searchable Encryption.
+     * @return Which type of local cache to use. Please see the [spec](https://github.com/aws/aws-database-encryption-sdk-dynamodb/blob/main/specification/searchable-encryption/search-config.md#key-store-cache) on how to provide a cache for a SingleKeyStore.
      */
     CacheType cache();