Merge branch 'main' of github.com:aws/aws-database-encryption-sdk-dynamodb-java into robin-aws/fix-nightly-build-2024-05-15

# Conflicts:
#	DynamoDbEncryption/runtimes/net/DynamoDbEncryption.csproj
#	project.properties

Author: robin-aws

.github/workflows/ci_verification.yml

@@ -50,7 +50,7 @@ jobs:
         uses: dafny-lang/[email protected]
         with:
           # A && B || C is the closest thing to an if .. then ... else ... or ?: expression the GitHub Actions syntax supports.
-          dafny-version: ${{ (github.event_name == 'schedule' || inputs.nightly) && 'nightly-latest' || '4.2.0' }}
+          dafny-version: ${{ (github.event_name == 'schedule' || inputs.nightly) && 'nightly-latest' || '4.6.0' }}
 
       - name: Regenerate code using smithy-dafny if necessary
         if: ${{ github.event_name == 'schedule' || inputs.nightly }}

CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [3.5.0](https://github.com/aws/aws-database-encryption-sdk-dynamodb/compare/v3.4.0...v3.5.0) (2024-05-30)
+
+### Features
+
+- **DynamoDbEncryption:** Add GetEncryptedDataKeyDescription operation ([#856](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/856)) ([8f8471a](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/8f8471a479d9e7526dd8aaa6f34c906d2a0e2dbb))
+- Bump MPL to 1.4 ([#1067](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1067)) ([51bbab5](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/51bbab5589a5db611a3b7564a1c9703fb0de1a23)). This provides three new KMSConfiguration options when constructing a KeyStore (see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-hierarchical-keyring.html). To KmsKeyArn are added KmsMRKeyArn, Discovery and MrDiscovery.
+
+### Maintenance
+
+- improve verification ([#1020](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1020)) ([cbde4ef](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/cbde4efbd83c57bbbfb96358219dd421141f1da3))
+- simplify structured encryption ([#866](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/866)) ([a70a569](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/a70a569d632d051710cfeb37ce27c8785bdba7c2))
+- allow Legacy to use subclass of DynamoDBEncryptor ([#1073](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1073)) ([135acd9](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/135acd9871698e76228d6c3ce925bcf589df39c6))
+- **Java-Release:** update release commands and use SNAPSHOT builds ([#995](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/995)) ([ac9b79e](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/ac9b79eb18e1904962223e6add153fd49a0f188e))
+- reformat and enforce formatting ([#1035](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1035)) ([8a76a9d](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/8a76a9db2e6427b46748b07e654edaf855cd4338))
+- verify with Dafny 4.6 ([#1072](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1072)) ([9db6e78](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/9db6e78ee01583dd04238252c939277636fc06ad))
+
 ## [3.4.0](https://github.com/aws/aws-database-encryption-sdk-dynamodb/compare/v3.3.0...v3.4.0) (2024-04-30)
 
 ### Notes

DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoToStruct.dfy

@@ -357,6 +357,9 @@ module DynamoToStruct {
               && U32ToBigEndian(|a.L|).Success?
               && |ret.value| >= PREFIX_LEN + LENGTH_LEN
               && ret.value[0..TYPEID_LEN] == SE.LIST
+              && ListAttrToBytes(a.L, depth).Success?
+              && ret.value[PREFIX_LEN..] == ListAttrToBytes(a.L, depth).value
+              && ListAttrToBytes(a.L, depth).value[..LENGTH_LEN] == U32ToBigEndian(|a.L|).value
               && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.L|).value
               && (|a.L| == 0 ==> |ret.value| == PREFIX_LEN + LENGTH_LEN)
 
@@ -492,6 +495,10 @@ module DynamoToStruct {
   }
 
   function method ListAttrToBytes(l: ListAttributeValue, depth : nat): (ret: Result<seq<uint8>, string>)
+    ensures ret.Success? ==>
+              && U32ToBigEndian(|l|).Success?
+              && LENGTH_LEN <= |ret.value|
+              && ret.value[..LENGTH_LEN] == U32ToBigEndian(|l|).value
   {
     var count :- U32ToBigEndian(|l|);
     var body :- CollectList(l, depth);

DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbEncryptionBranchKeyIdSupplierTest.dfy

@@ -43,8 +43,10 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest {
   const BRANCH_KEY_ID_B := ALTERNATE_BRANCH_KEY_ID
   const EC_PARTITION_NAME := UTF8.EncodeAscii("aws-crypto-partition-name")
   const RESERVED_PREFIX := "aws-crypto-attr."
+  const KEY_ATTR_NAME := UTF8.EncodeAscii(RESERVED_PREFIX + BRANCH_KEY)
+  const BRANCH_KEY_NAME := UTF8.EncodeAscii(BRANCH_KEY)
 
-  method {:test} TestHappyCase()
+  method {:test} {:vcs_split_on_every_assert} TestHappyCase()
   {
     var ddbKeyToBranchKeyId: Types.IDynamoDbKeyBranchKeyIdSupplier := new TestBranchKeyIdSupplier();
     var ddbEncResources :- expect DynamoDbEncryption.DynamoDbEncryption();
@@ -80,27 +82,26 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest {
       )
     );
 
-    var keyAttrName := UTF8.EncodeAscii(RESERVED_PREFIX + BRANCH_KEY);
 
     // Test Encryption Context with Case A
     var materials :- expect mpl.InitializeEncryptionMaterials(
       MPL.InitializeEncryptionMaterialsInput(
         algorithmSuiteId := TEST_DBE_ALG_SUITE_ID,
-        encryptionContext := map[EC_PARTITION_NAME := UTF8.EncodeAscii(BRANCH_KEY)],
+        encryptionContext := map[EC_PARTITION_NAME := BRANCH_KEY_NAME],
         requiredEncryptionContextKeys := [],
         signingKey := None,
         verificationKey := None
       )
     );
 
     var caseA :- expect UTF8.Encode(Base64.Encode(CASE_A_BYTES));
-    var contextCaseA := materials.encryptionContext[keyAttrName := caseA];
+    var contextCaseA := materials.encryptionContext[KEY_ATTR_NAME := caseA];
     var materialsA := materials.(encryptionContext := contextCaseA);
     TestRoundtrip(hierarchyKeyring, materialsA, TEST_DBE_ALG_SUITE_ID, BRANCH_KEY_ID_A);
 
     // Test Encryption Context with Case B
     var caseB :- expect UTF8.Encode(Base64.Encode(CASE_B_BYTES));
-    var contextCaseB := materials.encryptionContext[keyAttrName := caseB];
+    var contextCaseB := materials.encryptionContext[KEY_ATTR_NAME := caseB];
     var materialsB := materials.(encryptionContext := contextCaseB);
     TestRoundtrip(hierarchyKeyring, materialsB, TEST_DBE_ALG_SUITE_ID, BRANCH_KEY_ID_B);
   }

DynamoDbEncryption/dafny/StructuredEncryption/src/Canonize.dfy

@@ -667,6 +667,7 @@ module {:options "/functionSyntax:4" } Canonize {
     forall i | 0 <= i < |input| ensures exists x :: x in origData && Updated2(x, input[i], DoDecrypt) {
       var x :| x in origData && Updated2(x, input[i], DoDecrypt);
     }
+    assert forall i | 0 <= i < |input| :: exists x :: x in origData && Updated2(x, input[i], DoDecrypt);
   }
 
   // command line tools that say /vcsSplitOnEveryAssert fail without the {:vcs_split_on_every_assert false}
@@ -678,6 +679,7 @@ module {:options "/functionSyntax:4" } Canonize {
     forall i | 0 <= i < |input| ensures exists x :: x in origData && Updated5(x, input[i], DoEncrypt) {
       var x :| x in origData && Updated5(x, input[i], DoEncrypt);
     }
+    assert forall i | 0 <= i < |input| :: exists x :: x in origData && Updated5(x, input[i], DoEncrypt);
   }
 
   lemma CryptoUpdatedAuthMaps(origData : AuthList, input : CanonCryptoList, output : CryptoList)

DynamoDbEncryption/dafny/StructuredEncryption/src/SortCanon.dfy

@@ -222,6 +222,7 @@ module SortCanon {
     ensures multiset(x) == multiset(result)
     ensures SortedBy(result, AuthBelow)
     ensures CanonAuthListHasNoDuplicates(result)
+    ensures |result| == |x|
   {
     AuthBelowIsTotal();
     var ret := MergeSortBy(x, AuthBelow);
@@ -236,6 +237,7 @@ module SortCanon {
     ensures multiset(result) == multiset(x)
     ensures SortedBy(result, CryptoBelow)
     ensures CanonCryptoListHasNoDuplicates(result)
+    ensures |result| == |x|
   {
     CryptoBelowIsTotal();
     var ret := MergeSortBy(x, CryptoBelow);

DynamoDbEncryption/runtimes/java/src/main/java/software/amazon/cryptography/dbencryptionsdk/dynamodb/itemencryptor/internaldafny/legacy/InternalLegacyOverride.java

@@ -235,8 +235,7 @@ public static Error createError(String message) {
   public static boolean isDynamoDBEncryptor(
     software.amazon.cryptography.dbencryptionsdk.dynamodb.ILegacyDynamoDbEncryptor maybe
   ) {
-    System.out.println(maybe.getClass());
-    return maybe.getClass().equals(DynamoDBEncryptor.class);
+    return maybe instanceof DynamoDBEncryptor;
   }
 
   public static String ToNativeString(DafnySequence<? extends Character> s) {

DynamoDbEncryption/runtimes/net/AssemblyInfo.cs

@@ -3,5 +3,5 @@
 [assembly: AssemblyTitle("AWS.Cryptography.DbEncryptionSDK.DynamoDb")]
 
 // This should be kept in sync with the version number in MPL.csproj
-[assembly: AssemblyVersion("3.4.0")]
+[assembly: AssemblyVersion("3.5.0")]
 

DynamoDbEncryption/runtimes/net/DynamoDbEncryption.csproj

@@ -5,7 +5,7 @@
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <IsPackable>true</IsPackable>
 
-    <Version>3.4.0</Version>
+    <Version>3.5.0</Version>
 
     <AssemblyName>AWS.Cryptography.DbEncryptionSDK.DynamoDb</AssemblyName>
     <PackageId>AWS.Cryptography.DbEncryptionSDK.DynamoDb</PackageId>
@@ -57,8 +57,8 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="AWSSDK.DynamoDBv2" Version="3.7.304.2"/>
-    <PackageReference Include="AWSSDK.Core" Version="3.7.304.2"/>
+    <PackageReference Include="AWSSDK.DynamoDBv2" Version="3.7.303.14"/>
+    <PackageReference Include="AWSSDK.Core" Version="3.7.304.7"/>
     <PackageReference Include="DafnyRuntime" Version="$(DafnyVersion)" />
     <ProjectReference Include="../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/runtimes/net/MPL.csproj"/>
     <!--

Makefile

@@ -77,7 +77,7 @@ generate_properties_file:
 	";
 
 setup_semantic_release:
-	npm i --no-save semantic-release @semantic-release/changelog semantic-release-replace-plugin conventional-changelog-conventionalcommits @semantic-release/git
+	npm i --no-save semantic-release @semantic-release/changelog semantic-release-replace-plugin conventional-changelog-conventionalcommits@7.0.2 @semantic-release/git
 
 run_semantic_release:
 	npx semantic-release --no-ci

TestVectors/runtimes/net/DbEsdkTestVectors.csproj

@@ -11,8 +11,8 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="AWSSDK.DynamoDBv2" Version="3.7.300.2"/>
-    <PackageReference Include="AWSSDK.Core" Version="3.7.300.2"/>
+    <PackageReference Include="AWSSDK.DynamoDBv2" Version="3.7.303.14"/>
+    <PackageReference Include="AWSSDK.Core" Version="3.7.304.7"/>
     <ProjectReference Include="../../../DynamoDbEncryption/runtimes/net/DynamoDbEncryption.csproj" />
     <ProjectReference Include="../../../submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders/runtimes/net/TestVectors.csproj" />
     <Compile Include="*.cs"/>

project.properties

@@ -1,5 +1,5 @@
-projectJavaVersion=3.4.0-SNAPSHOT
-mplDependencyJavaVersion=1.3.0-SNAPSHOT
+projectJavaVersion=3.5.0
+mplDependencyJavaVersion=1.4.0
 dafnyVersion=4.2.0
 dafnyRuntimeJavaVersion=4.2.0
 smithyDafnyJavaConversionVersion=0.1