m

Author: ajewellamz

DynamoDbEncryption/runtimes/rust/src/bin/example/keyring/mod.rs

@@ -2,7 +2,7 @@ pub mod branch_key_id_supplier;
 pub mod hierarchical_keyring;
 pub mod kms_rsa_keyring;
 // pub mod mrk_discovery_multi_keyring;
-// pub mod multi_keyring;
-// pub mod multi_mrk_keyring;
-// pub mod raw_aes_keyring;
+pub mod multi_keyring;
+pub mod multi_mrk_keyring;
+pub mod raw_aes_keyring;
 pub mod raw_rsa_keyring;

DynamoDbEncryption/runtimes/rust/src/bin/example/keyring/multi_keyring.rs

@@ -6,174 +6,180 @@ use aws_db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTable
 use aws_db_esdk::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
 use aws_db_esdk::aws_cryptography_materialProviders::client as mpl_client;
 use aws_db_esdk::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
-use aws_db_esdk::aws_cryptography_materialProviders::types::PaddingScheme;
+use aws_db_esdk::aws_cryptography_materialProviders::types::AesWrappingAlg;
 use aws_db_esdk::intercept::DbEsdkInterceptor;
 use aws_db_esdk::DynamoDbTablesEncryptionConfig;
 use aws_sdk_dynamodb::types::AttributeValue;
 use std::collections::HashMap;
-use std::fs::File;
-use std::io::Read;
-use std::io::Write;
-use std::path::Path;
 
 /*
-  This example sets up DynamoDb Encryption for the AWS SDK client
-  using the raw AES Keyring. This keyring takes in an AES key
-  and uses that key to protect the data keys that encrypt and
-  decrypt DynamoDb table items.
-
-  This example takes in an `aesKeyBytes` parameter. This parameter
-  should be a ByteBuffer representing a 256-bit AES key. If this example
-  is run through the class' main method, it will create a new key.
-  In practice, users of this library should not randomly generate a key,
-  and should instead retrieve an existing key from a secure key
-  management system (e.g. an HSM).
-
-  This example encrypts a test item using the provided AES key and puts the
-  encrypted item to the provided DynamoDb table. Then, it gets the
-  item from the table and decrypts it.
-
-  Running this example requires access to the DDB Table whose name
-  is provided in CLI arguments.
-  This table must be configured with the following
-  primary key configuration:
-    - Partition key is named "partition_key" with type (S)
-    - Sort key is named "sort_key" with type (S)
- */
-
- pub async fn RawAesKeyringGetItemPutItem()
-    {
-      /*
-        var ddbTableName = TestUtils.TEST_DDB_TABLE_NAME;
-        var aesKeyBytes = GenerateAesKeyBytes();
-
-        // 1. Create the keyring.
-        //    The DynamoDb encryption client uses this to encrypt and decrypt items.
-        var keyringInput = new CreateRawAesKeyringInput
-        {
-            KeyName = "my-aes-key-name",
-            KeyNamespace = "my-key-namespace",
-            WrappingKey = aesKeyBytes,
-            WrappingAlg = AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16
-        };
-        var matProv = new MaterialProviders(new MaterialProvidersConfig());
-        IKeyring rawAesKeyring = matProv.CreateRawAesKeyring(keyringInput);
-
-        // 2. Configure which attributes are encrypted and/or signed when writing new items.
-        //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
-        //    we must explicitly configure how they should be treated during item encryption:
-        //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
-        //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
-        //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
-        var attributeActionsOnEncrypt = new Dictionary<String, CryptoAction>
-        {
-            ["partition_key"] = CryptoAction.SIGN_ONLY, // Our partition attribute must be SIGN_ONLY
-            ["sort_key"] = CryptoAction.SIGN_ONLY, // Our sort attribute must be SIGN_ONLY
-            ["sensitive_data"] = CryptoAction.ENCRYPT_AND_SIGN
-        };
-
-        // 3. Configure which attributes we expect to be included in the signature
-        //    when reading items. There are two options for configuring this:
-        //
-        //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
-        //      When defining your DynamoDb schema and deciding on attribute names,
-        //      choose a distinguishing prefix (such as ":") for all attributes that
-        //      you do not want to include in the signature.
-        //      This has two main benefits:
-        //      - It is easier to reason about the security and authenticity of data within your item
-        //        when all unauthenticated data is easily distinguishable by their attribute name.
-        //      - If you need to add new unauthenticated attributes in the future,
-        //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
-        //        and immediately start writing to that new attribute, without
-        //        any other configuration update needed.
-        //      Once you configure this field, it is not safe to update it.
-        //
-        //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
-        //      a set of attributes that should be considered unauthenticated when encountered
-        //      on read. Be careful if you use this configuration. Do not remove an attribute
-        //      name from this configuration, even if you are no longer writing with that attribute,
-        //      as old items may still include this attribute, and our configuration needs to know
-        //      to continue to exclude this attribute from the signature scope.
-        //      If you add new attribute names to this field, you must first deploy the update to this
-        //      field to all readers in your host fleet before deploying the update to start writing
-        //      with that new attribute.
-        //
-        //   For this example, we currently authenticate all attributes. To make it easier to
-        //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
-        const String unsignAttrPrefix = ":";
-
-        // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
-        var tableConfigs = new Dictionary<String, DynamoDbTableEncryptionConfig>
-        {
-            [ddbTableName] = new DynamoDbTableEncryptionConfig
-            {
-                LogicalTableName = ddbTableName,
-                PartitionKeyName = "partition_key",
-                SortKeyName = "sort_key",
-                AttributeActionsOnEncrypt = attributeActionsOnEncrypt,
-                Keyring = rawAesKeyring,
-                AllowedUnsignedAttributePrefix = unsignAttrPrefix
-            }
-        };
-
-        // 5. Create a new AWS SDK DynamoDb client using the Config above
-        var ddb = new Client.DynamoDbClient(
-            new DynamoDbTablesEncryptionConfig { TableEncryptionConfigs = tableConfigs });
-
-        // 7. Put an item into our table using the above client.
-        //    Before the item gets sent to DynamoDb, it will be encrypted
-        //    client-side, according to our configuration.
-        var item = new Dictionary<String, AttributeValue>
-        {
-            ["partition_key"] = new AttributeValue("rawAesKeyringItem"),
-            ["sort_key"] = new AttributeValue { N = "0" },
-            ["sensitive_data"] = new AttributeValue("encrypt and sign me!")
-        };
-
-        var putRequest = new PutItemRequest
-        {
-            TableName = ddbTableName,
-            Item = item
-        };
-
-        var putResponse = await ddb.PutItemAsync(putRequest);
-
-        // Demonstrate that PutItem succeeded
-        Debug.Assert(putResponse.HttpStatusCode == HttpStatusCode.OK);
-
-        // 8. Get the item back from our table using the same client.
-        //    The client will decrypt the item client-side, and return
-        //    back the original item.
-        var keyToGet = new Dictionary<String, AttributeValue>
-        {
-            ["partition_key"] = new AttributeValue("rawAesKeyringItem"),
-            ["sort_key"] = new AttributeValue { N = "0" }
-        };
-
-        var getRequest = new GetItemRequest
-        {
-            Key = keyToGet,
-            TableName = ddbTableName
-        };
-
-        var getResponse = await ddb.GetItemAsync(getRequest);
-
-        // Demonstrate that GetItem succeeded and returned the decrypted item
-        Debug.Assert(getResponse.HttpStatusCode == HttpStatusCode.OK);
-        var returnedItem = getResponse.Item;
-        Debug.Assert(returnedItem["sensitive_data"].S.Equals("encrypt and sign me!"));
+ This example sets up DynamoDb Encryption for the AWS SDK client
+ using the raw AES Keyring. This keyring takes in an AES key
+ and uses that key to protect the data keys that encrypt and
+ decrypt DynamoDb table items.
+
+ This example takes in an `aesKeyBytes` parameter. This parameter
+ should be a ByteBuffer representing a 256-bit AES key. If this example
+ is run through the class' main method, it will create a new key.
+ In practice, users of this library should not randomly generate a key,
+ and should instead retrieve an existing key from a secure key
+ management system (e.g. an HSM).
+
+ This example encrypts a test item using the provided AES key and puts the
+ encrypted item to the provided DynamoDb table. Then, it gets the
+ item from the table and decrypts it.
+
+ Running this example requires access to the DDB Table whose name
+ is provided in CLI arguments.
+ This table must be configured with the following
+ primary key configuration:
+   - Partition key is named "partition_key" with type (S)
+   - Sort key is named "sort_key" with type (S)
 */
-println!("raw_aes_keyring successful.");
-    }
-/*
-    public static MemoryStream GenerateAesKeyBytes()
-    {
-        // This example uses AES's KeyGenerator to generate the key bytes.
-        // In practice, you should not generate this key in your code, and should instead
-        //     retrieve this key from a secure key management system (e.g. HSM).
-        // This key is created here for example purposes only and should not be used for any other purpose.
-        var aes = Aes.Create();
-        aes.GenerateKey();
-        return new MemoryStream(aes.Key);
-    }
-        */
+
+pub async fn put_item_get_item() {
+    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
+    let aes_key_bytes = generate_aes_key_bytes();
+
+    // 1. Create the keyring.
+    //    The DynamoDb encryption client uses this to encrypt and decrypt items.
+    let mpl_config = MaterialProvidersConfig::builder().build().unwrap();
+    let mpl = mpl_client::Client::from_conf(mpl_config).unwrap();
+    let raw_aes_keyring = mpl
+        .create_raw_aes_keyring()
+        .key_name("my-aes-key-name")
+        .key_namespace("my-key-namespace")
+        .wrapping_key(aws_smithy_types::Blob::new(aes_key_bytes))
+        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
+        .send()
+        .await
+        .unwrap();
+
+    // 2. Configure which attributes are encrypted and/or signed when writing new items.
+    //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
+    //    we must explicitly configure how they should be treated during item encryption:
+    //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
+    //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
+    //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
+    let attribute_actions_on_encrypt = HashMap::from([
+        ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
+        ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
+        ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
+    ]);
+
+    // 3. Configure which attributes we expect to be included in the signature
+    //    when reading items. There are two options for configuring this:
+    //
+    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
+    //      When defining your DynamoDb schema and deciding on attribute names,
+    //      choose a distinguishing prefix (such as ":") for all attributes that
+    //      you do not want to include in the signature.
+    //      This has two main benefits:
+    //      - It is easier to reason about the security and authenticity of data within your item
+    //        when all unauthenticated data is easily distinguishable by their attribute name.
+    //      - If you need to add new unauthenticated attributes in the future,
+    //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
+    //        and immediately start writing to that new attribute, without
+    //        any other configuration update needed.
+    //      Once you configure this field, it is not safe to update it.
+    //
+    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
+    //      a set of attributes that should be considered unauthenticated when encountered
+    //      on read. Be careful if you use this configuration. Do not remove an attribute
+    //      name from this configuration, even if you are no longer writing with that attribute,
+    //      as old items may still include this attribute, and our configuration needs to know
+    //      to continue to exclude this attribute from the signature scope.
+    //      If you add new attribute names to this field, you must first deploy the update to this
+    //      field to all readers in your host fleet before deploying the update to start writing
+    //      with that new attribute.
+    //
+    //   For this example, we currently authenticate all attributes. To make it easier to
+    //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
+    const UNSIGNED_ATTR_PREFIX: &str = ":";
+
+    // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
+    let table_config = DynamoDbTableEncryptionConfig::builder()
+        .logical_table_name(ddb_table_name)
+        .partition_key_name("partition_key")
+        .sort_key_name("sort_key")
+        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
+        .keyring(raw_aes_keyring)
+        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
+        .build()
+        .unwrap();
+
+    let table_configs = DynamoDbTablesEncryptionConfig::builder()
+        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
+        .build()
+        .unwrap();
+
+    // 5. Create a new AWS SDK DynamoDb client using the Config above
+    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+    let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
+        .interceptor(DbEsdkInterceptor::new(table_configs))
+        .build();
+    let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
+
+    // 6. Put an item into our table using the above client.
+    //    Before the item gets sent to DynamoDb, it will be encrypted
+    //    client-side, according to our configuration.
+    let item = HashMap::from([
+        (
+            "partition_key".to_string(),
+            AttributeValue::S("rawAesKeyringItem".to_string()),
+        ),
+        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
+        (
+            "sensitive_data".to_string(),
+            AttributeValue::S("encrypt and sign me!".to_string()),
+        ),
+    ]);
+
+    let _resp = ddb
+        .put_item()
+        .table_name(ddb_table_name)
+        .set_item(Some(item.clone()))
+        .send()
+        .await
+        .unwrap();
+
+    // 7. Get the item back from our table using the same client.
+    //    The client will decrypt the item client-side, and return
+    //    back the original item.
+    let key_to_get = HashMap::from([
+        (
+            "partition_key".to_string(),
+            AttributeValue::S("rawAesKeyringItem".to_string()),
+        ),
+        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
+    ]);
+
+    let resp = ddb
+        .get_item()
+        .table_name(ddb_table_name)
+        .set_key(Some(key_to_get))
+        // In this example we configure a strongly consistent read
+        // because we perform a read immediately after a write (for demonstrative purposes).
+        // By default, reads are only eventually consistent.
+        // Read our docs to determine which read consistency to use for your application:
+        // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
+        .consistent_read(true)
+        .send()
+        .await
+        .unwrap();
+
+    assert_eq!(resp.item, Some(item));
+
+    println!("raw_aes_keyring successful.");
+}
+
+fn generate_aes_key_bytes() -> Vec<u8> {
+    // This example returns a static key.
+    // In practice, you should not generate this key in your code, and should instead
+    //     retrieve this key from a secure key management system (e.g. HSM).
+    // This key is created here for example purposes only and should not be used for any other purpose.
+    vec![
+        1u8, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
+        25, 26, 27, 28, 29, 30, 31, 32,
+    ]
+}

DynamoDbEncryption/runtimes/rust/src/bin/example/keyring/multi_mrk_keyring.rs

@@ -80,8 +80,8 @@ pub async fn put_item_get_item() {
 
     // 2. Create the keyring.
     //    The DynamoDb encryption client uses this to encrypt and decrypt items.
-    let provider_config = MaterialProvidersConfig::builder().build().unwrap();
-    let mpl = mpl_client::Client::from_conf(provider_config).unwrap();
+    let mpl_config = MaterialProvidersConfig::builder().build().unwrap();
+    let mpl = mpl_client::Client::from_conf(mpl_config).unwrap();
     let raw_rsa_keyring = mpl
         .create_raw_rsa_keyring()
         .key_name("my-rsa-key-name")

DynamoDbEncryption/runtimes/rust/src/bin/example/keyring/raw_aes_keyring.rs

@@ -22,12 +22,15 @@ pub async fn main() {
     multi_get_put_example::multi_put_get().await;
     keyring::raw_rsa_keyring::put_item_get_item().await;
     keyring::kms_rsa_keyring::put_item_get_item().await;
+    keyring::multi_mrk_keyring::put_item_get_item().await;
+    keyring::raw_aes_keyring::put_item_get_item().await;
+    keyring::multi_keyring::put_item_get_item().await;
 
     let key_id = create_keystore_key::keystore_create_key().await;
     let key_id2 = create_keystore_key::keystore_create_key().await;
     // Key creation is eventually consistent, so wait 5 seconds to decrease the likelihood
     // our test fails due to eventual consistency issues.
-    println!("Key Store Keys created. Waiting 5 seconds for consistency.\n");
+    println!("Key Store Keys created. Waiting 5 seconds for consistency.");
     std::thread::sleep(std::time::Duration::from_secs(5));
 
     searchableencryption::basic_searchable_encryption::put_and_query_with_beacon(&key_id).await;
@@ -36,11 +39,8 @@ pub async fn main() {
 
     /*
     await ClientSupplierExample.ClientSupplierPutItemGetItem();
-    await MultiMrkKeyringExample.MultiMrkKeyringGetItemPutItem();
-    await RawAesKeyringExample.RawAesKeyringGetItemPutItem();
     await MrkDiscoveryMultiKeyringExample.MultiMrkDiscoveryKeyringGetItemPutItem();
     await MultiKeyringExample.MultiKeyringGetItemPutItem();
-    await RawRsaKeyringExample.RawRsaKeyringGetItemPutItem();
 
     await CompoundBeaconSearchableEncryptionExample.PutItemQueryItemWithCompoundBeacon(keyId);
     await VirtualBeaconSearchableEncryptionExample.PutItemQueryItemWithVirtualBeacon(keyId);