feedback

Author: imabhichow

Examples/runtimes/python/DynamoDBEncryption/src/keyring/hierarchical_keyring_example.py

@@ -1,7 +1,7 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 """
-Example demonstrates DynamoDb Encryption using a Hierarchical Keyring.
+Example demonstrating DynamoDb Encryption using a Hierarchical Keyring.
 
 This example sets up DynamoDb Encryption for the AWS SDK client
 using the Hierarchical Keyring, which establishes a key hierarchy

Examples/runtimes/python/DynamoDBEncryption/src/keyring/kms_ecdh_keyring_example.py

@@ -30,6 +30,7 @@
     KmsPublicKeyDiscoveryInput,
 )
 from aws_cryptographic_material_providers.mpl.references import IKeyring
+from aws_cryptography_primitives.smithygenerated.aws_cryptography_primitives.models import ECDHCurveSpec
 from aws_dbesdk_dynamodb.encrypted.client import EncryptedClient
 from aws_dbesdk_dynamodb.structures.dynamodb import (
     DynamoDbTableEncryptionConfig,
@@ -125,12 +126,7 @@ def kms_ecdh_keyring_get_item_put_item(
 
     keyring_input = CreateAwsKmsEcdhKeyringInput(
         kms_client=boto3.client("kms"),
-        # Supported curve specifications:
-        # - ECC_NIST_P256
-        # - ECC_NIST_P384
-        # - ECC_NIST_P521
-        # - SM2
-        curve_spec="ECC_NIST_P256",
+        curve_spec=ECDHCurveSpec.ECC_NIST_P256,
         key_agreement_scheme=KmsEcdhStaticConfigurationsKmsPrivateKeyToStaticPublicKey(
             KmsPrivateKeyToStaticPublicKeyInput(
                 sender_kms_identifier=ecc_key_arn,
@@ -190,7 +186,7 @@ def kms_ecdh_discovery_get_item(ddb_table_name: str, ecc_recipient_key_arn: str)
 
     keyring_input = CreateAwsKmsEcdhKeyringInput(
         kms_client=boto3.client("kms"),
-        curve_spec="ECC_NIST_P256",
+        curve_spec=ECDHCurveSpec.ECC_NIST_P256,
         key_agreement_scheme=KmsEcdhStaticConfigurationsKmsPublicKeyDiscovery(
             KmsPublicKeyDiscoveryInput(recipient_kms_identifier=ecc_recipient_key_arn)
         ),

Examples/runtimes/python/DynamoDBEncryption/src/keyring/raw_ecdh_keyring_example.py

@@ -106,11 +106,6 @@ def raw_ecdh_keyring_get_item_put_item(ddb_table_name: str, curve_spec: str):
     mat_prov = AwsCryptographicMaterialProviders(config=MaterialProvidersConfig())
 
     keyring_input = CreateRawEcdhKeyringInput(
-        # Supported curve specifications:
-        # - ECC_NIST_P256
-        # - ECC_NIST_P384
-        # - ECC_NIST_P521
-        # - SM2
         curve_spec=curve_spec,
         key_agreement_scheme=RawEcdhStaticConfigurationsRawPrivateKeyToStaticPublicKey(
             RawPrivateKeyToStaticPublicKeyInput(
@@ -166,11 +161,6 @@ def ephemeral_raw_ecdh_keyring_put_item(ddb_table_name: str, curve_spec: str):
     mat_prov = AwsCryptographicMaterialProviders(config=MaterialProvidersConfig())
 
     keyring_input = CreateRawEcdhKeyringInput(
-        # Supported curve specifications:
-        # - ECC_NIST_P256
-        # - ECC_NIST_P384
-        # - ECC_NIST_P521
-        # - SM2
         curve_spec=curve_spec,
         key_agreement_scheme=RawEcdhStaticConfigurationsEphemeralPrivateKeyToStaticPublicKey(
             EphemeralPrivateKeyToStaticPublicKeyInput(recipient_public_key=public_key_bytes)
@@ -220,11 +210,6 @@ def discovery_raw_ecdh_keyring_get_item(ddb_table_name: str, curve_spec: str):
     mat_prov = AwsCryptographicMaterialProviders(config=MaterialProvidersConfig())
 
     keyring_input = CreateRawEcdhKeyringInput(
-        # Supported curve specifications:
-        # - ECC_NIST_P256
-        # - ECC_NIST_P384
-        # - ECC_NIST_P521
-        # - SM2
         curve_spec=curve_spec,
         key_agreement_scheme=RawEcdhStaticConfigurationsPublicKeyDiscovery(
             PublicKeyDiscoveryInput(recipient_static_private_key=private_key_utf8_encoded)

Examples/runtimes/python/DynamoDBEncryption/test/cleanup.py

@@ -4,8 +4,14 @@
 Test cleanup utilities for DynamoDB Encryption SDK.
 
 This module provides utilities for cleaning up resources after running tests.
-NOTE: This is only a test utility and should not be used in production code.
+
+WARNING: Please be careful. This is only a test utility and should NOT be used in production code.
 It is specifically designed for cleaning up test resources after test execution.
+- Running this code on production resources or any data you want to keep could result
+  in cryptographic shredding (permanent loss of access to encrypted data).
+- Only use this on test resources that you are willing to permanently delete.
+- Never run this against any production DynamoDB tables. Ensure you have backups
+  of any important data before running cleanup operations.
 """
 import boto3
 

Examples/runtimes/python/DynamoDBEncryption/test/keyring/test_raw_ecdh_keyring_example.py

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 """Test raw ECDH keyring examples."""
 import pytest
+from aws_cryptography_primitives.smithygenerated.aws_cryptography_primitives.models import ECDHCurveSpec
 
 from ...src.keyring.raw_ecdh_keyring_example import (
     discovery_raw_ecdh_keyring_get_item,
@@ -28,7 +29,7 @@ def test_static_raw_ecdh_keyring_example():
 
     # Part of using these keyrings is knowing which curve the keys used in the key agreement
     # lie on. The keyring will fail if the keys do not lie on the configured curve.
-    raw_ecdh_keyring_get_item_put_item(TEST_DDB_TABLE_NAME, "ECC_NIST_P256")
+    raw_ecdh_keyring_get_item_put_item(TEST_DDB_TABLE_NAME, ECDHCurveSpec.ECC_NIST_P256)
 
 
 def test_ephemeral_raw_ecdh_keyring_example():
@@ -43,7 +44,7 @@ def test_ephemeral_raw_ecdh_keyring_example():
 
     # Part of using these keyrings is knowing which curve the keys used in the key agreement
     # lie on. The keyring will fail if the keys do not lie on the configured curve.
-    ephemeral_raw_ecdh_keyring_put_item(TEST_DDB_TABLE_NAME, "ECC_NIST_P256")
+    ephemeral_raw_ecdh_keyring_put_item(TEST_DDB_TABLE_NAME, ECDHCurveSpec.ECC_NIST_P256)
 
 
 def test_discovery_raw_ecdh_keyring_example():
@@ -65,9 +66,9 @@ def test_discovery_raw_ecdh_keyring_example():
 
     # In this call we are writing a record that is written with an ephemeral sender key pair.
     # The recipient will be able to decrypt the message
-    ephemeral_raw_ecdh_keyring_put_item(TEST_DDB_TABLE_NAME, "ECC_NIST_P256")
+    ephemeral_raw_ecdh_keyring_put_item(TEST_DDB_TABLE_NAME, ECDHCurveSpec.ECC_NIST_P256)
 
     # In this call we are reading a record that was written with the recipient's public key.
     # It will use the recipient's private key and the sender's public key stored in the message to
     # calculate the appropriate shared secret to successfully decrypt the message.
-    discovery_raw_ecdh_keyring_get_item(TEST_DDB_TABLE_NAME, "ECC_NIST_P256")
+    discovery_raw_ecdh_keyring_get_item(TEST_DDB_TABLE_NAME, ECDHCurveSpec.ECC_NIST_P256)