Add keyring base class (#176)

* Adding Keyring API

* Delete __init__.py

* Delete raw_keyring.py

* Added docstring to public class

* Edited docstring

* Edited docstring again

* Changes in docstring statements

* Docstring changes

* Changes in docstring

* Raw keyring initial

* Raw keyring encrypt commit

* Encrypt functions for Raw RSA and AES

* Raw RSA and AES initial

* Changes in raw keyrings according to new keyring materials

* Updated with autoformat

* Modified base

* Corrected tox and flake errors

* Docstring error correction

* Added docstrings and corrected errors

* Some more changes in docstrings

* Updating base API

* Made all suggested changes

* Corrected tox and flake8 errors

* Minor change in raw-keyrings

* Adding Keyring API

* Delete __init__.py

* Delete raw_keyring.py

* Added docstring to public class

* Edited docstring

* Edited docstring again

* Changes in docstring statements

* Docstring changes

* Changes in docstring

* Raw keyring initial

* Raw keyring encrypt commit

* Encrypt functions for Raw RSA and AES

* Raw RSA and AES initial

* bump attrs to 19.1.0

* add keyring trace and integrate into updated encrytion/decryption materials

* s/KeyRing/Keyring/g

* align cryptographic materials and add write-only interface

* encrypted_data_keys must only contain EncryptedDataKey

* fix test to be Python 2 compatible

* Changes in raw keyrings according to new keyring materials

* Updated with autoformat

* Modified base

* data encryption key must be set before encrypted data keys can be added to EncryptionMaterials

* Corrected tox and flake errors

* Docstring error correction

* Added docstrings and corrected errors

* Some more changes in docstrings

* Updating base API

* add signing/verification key checks to Encryption/DecryptionMaterials

* DecryptionMaterials.algorithm must be set before DecryptionMaterials.add_data_encryption_key can be called

* update materials docs and typehints

* Made all suggested changes

* EncryptionMaterials must not be initialized with encrypted_data_keys but no data_encryption_key

* add is_complete properties to EncryptionMaterials and DecryptionMaterials

* Corrected tox and flake8 errors

* Minor change in raw-keyrings

* change KeyringTraceFlag values to bitshifted ints to match other implementations

* normalize EncryptionMaterials._encrypted_data_keys to list and encrypted_data_keys to tuple

* temporarily pin pydocstyle at <4.0.0 to avoid issue breaking flake8-docstrings

* temporarily cap pydocstyle at <4.0.0 for decrypt oracle

* Changes to keyring trace in raw keyrings

* Adding test files

* Adding tests

* Changed data encryption key type to RawDataKey

* Added keyring trace to pytest encryption materials

* Changed value of keyring_trace.wrapping_key

* Few changes to match new API

* Tox errors

* Functional tests pass

* Formatting errors corrected and functional tests pass

* Corrected too broad exception error and deleted empty return statement from tests

* Changed Exeception to BaseException to solve broad exception error

* Added suppress broad exception

* Added pylint disable broad exception

* Changed wrapping keys for RSA keyrings from WrappingKey to cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey/RSAPublicKey

* Fixed tox errors

* More tox errors

* Moved code for generation of plaintext to be before the check for key being private or public

* Tox errors

* Added metaclass to base API and unit tests for base API

* Changed metaclass to six.add_metaclass in base API

* Fixed pylint errors

* Fixed more pylint errors

* Removed RawAESKeyring instance

* Changed on_encrypt_helper to generate_data_key and removed on_decrypt_helper. Renamed base API unit test file

* Changed docstring for generate_data_key

* Changed decryption_materials.data_key to decryption_materials.data_encryption_key and fixed pylint errors

* Fixed pylint errors

* Changed raw keyrings to have class methods for PEM and DER encoded keys

* Unit tests for raw keyrings

* Changes for PEM encoding

* Changed base API to remove metaclass and modified tests

* Delete raw_keyring.py

* Delete test_f_keyring_raw_aes.py

* Delete test_f_keyring_raw_rsa.py

* Delete test_keyring_raw_aes.py

* Delete test_keyring_raw_rsa.py

* Suggested changes

* Made suggested changes to base API and tests

* Made suggested changes to base API tests

* Ignore commit

* Corrected tox and pylint errors in base API unit tests

* Removed try except for Iterable

* Removed try except for Iterable from test_utils

* Added try except for Iterable in base API

* Resolved isort errors

Author: MeghaShetty

requirements.txt

@@ -1,3 +1,4 @@
+six
 boto3>=1.4.4
 cryptography>=1.8.1
 attrs>=19.1.0

src/aws_encryption_sdk/keyring/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""All provided Keyrings."""

src/aws_encryption_sdk/materials_managers/__init__.py

@@ -191,7 +191,7 @@ class EncryptionMaterials(CryptographicMaterials):
         Most parameters are now optional.
 
     :param Algorithm algorithm: Algorithm to use for encrypting message
-    :param DataKey data_encryption_key: Plaintext data key to use for encrypting message (optional)
+    :param RawDataKey data_encryption_key: Plaintext data key to use for encrypting message (optional)
     :param encrypted_data_keys: List of encrypted data keys (optional)
     :type encrypted_data_keys: list of :class:`EncryptedDataKey`
     :param dict encryption_context: Encryption context tied to `encrypted_data_keys`
@@ -370,7 +370,7 @@ class DecryptionMaterials(CryptographicMaterials):
         All parameters are now optional.
 
     :param Algorithm algorithm: Algorithm to use for encrypting message (optional)
-    :param DataKey data_encryption_key: Plaintext data key to use for encrypting message (optional)
+    :param RawDataKey data_encryption_key: Plaintext data key to use for encrypting message (optional)
     :param dict encryption_context: Encryption context tied to `encrypted_data_keys` (optional)
     :param bytes verification_key: Raw signature verification key (optional)
     :param keyring_trace: Any KeyRing trace entries (optional)

test/unit/test_keyring_base.py

@@ -0,0 +1,45 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Unit tests for base keyring."""
+
+import pytest
+
+from aws_encryption_sdk.identifiers import Algorithm
+from aws_encryption_sdk.keyring.base import Keyring
+from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials
+
+pytestmark = [pytest.mark.unit, pytest.mark.local]
+
+_encryption_materials = EncryptionMaterials(
+    algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384,
+    encryption_context={"encryption": "context", "values": "here"},
+    signing_key=b"aws-crypto-public-key",
+)
+
+_decryption_materials = DecryptionMaterials(
+    algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, verification_key=b"ex_verification_key"
+)
+
+_encrypted_data_keys = []
+
+
+def test_keyring_no_encrypt():
+    with pytest.raises(NotImplementedError) as exc_info:
+        Keyring().on_encrypt(encryption_materials=_encryption_materials)
+    assert exc_info.match("Keyring does not implement on_encrypt function")
+
+
+def test_keyring_no_decrypt():
+    with pytest.raises(NotImplementedError) as exc_info:
+        Keyring().on_decrypt(decryption_materials=_decryption_materials, encrypted_data_keys=_encrypted_data_keys)
+    assert exc_info.match("Keyring does not implement on_decrypt function")

test/unit/test_values.py

@@ -187,6 +187,55 @@ def array_byte(source):
         "\xff\x8fn\x95\xf0\xf0E\x91Uj\xb0E3=\x0e\x1a\xf1'4\xf6"
     ),
     "signature_len": b"\x00h",
+    "private_rsa_key_bytes": [
+        (
+            b"-----BEGIN RSA PRIVATE KEY-----"
+            b"MIICXgIBAAKBgQCUjhI8YRPXV8Gfofbg/"
+            b"PLjWw2AzowQTPErLU2z3+xGqElMdzdiC4Ta43DFWZg34Eg0X8kQPAeoe8h3cRSMo"
+            b"77eSOHt2dPo7OfTfZqsH8766fivHIKVxBYPX8SZYIUhMtRnlg3uqch9BksfRop+h"
+            b"f8h/H3lfervJoevS2CXYB9/iwIDAQABAoGBAIqeGzQOHbaGI51yQ2zjez1dPDdiB"
+            b"F49fZideHEM1GuGIodgguRQ/VJGgncUSC5zcMy2SGaGrVqwznltohAtxy4rZp0eh"
+            b"2O3aHYi9Wehd0SPLh+qwu7mJDuh0z15hmCOue070FnUtyuSwhXLwDrbot2+5HbmF"
+            b"9clJLI5tv92gvIpAkEA+Bv5i8XJNPN1rao31aQFoi9bFIOEclk3b1RbLX6mpZBFS"
+            b"U9CNUy0RQNC0+H3KZ5CTvsyFGpMfTdiFc/Qdesk3QJBAJlHjrvoadP+PU3zXYrWR"
+            b"D5EryyTxaP1bOjrp9xLuQBeU8x7EVJdpoul9OmwcT3NrAqvxDE9okjha2tjCI6O2"
+            b"4cCQQDMyOJPYL/zaaPO5LlTKB/SPv4RT4BplYPw6xKa2XeZHhxiJv5B2f7NG6T0G"
+            b"AWWn16hrCoouZhKngTidfXc7motAkA/KiTgvKr3yHp86AAxWZDv1CAYD6FPqrDB3"
+            b"3LiLnZDd5uy1ThTJ/Kc87vUnXhdDqeKE9qWrB53SCWbMElzbd17AkEA4DMp+6ngM"
+            b"o6sS0dY1X6nTLqgvK3B0z5GCAdSEy3Y8jh995Lrl+hy88HzuwUkQwwPlZkFhUNCx"
+            b"edrC6cTKE5xLA=="
+            b"-----END RSA PRIVATE KEY-----"
+        ),
+        (
+            b"-----BEGIN RSA PRIVATE KEY-----\n"
+            b"MIIEowIBAAKCAQEAo8uCyhiO4JUGZV+rtNq5DBA9Lm4xkw5kTA3v6EPybs8bVXL2\n"
+            b"ZE6jkbo+xT4Jg/bKzUpnp1fE+T1ruGPtsPdoEmhY/P64LDNIs3sRq5U4QV9IETU1\n"
+            b"vIcbNNkgGhRjV8J87YNY0tV0H7tuWuZRpqnS+gjV6V9lUMkbvjMCc5IBqQc3heut\n"
+            b"/+fH4JwpGlGxOVXI8QAapnSy1XpCr3+PT29kydVJnIMuAoFrurojRpOQbOuVvhtA\n"
+            b"gARhst1Ji4nfROGYkj6eZhvkz2Bkud4/+3lGvVU5LO1vD8oY7WoGtpin3h50VcWe\n"
+            b"aBT4kejx4s9/G9C4R24lTH09J9HO2UUsuCqZYQIDAQABAoIBAQCfC90bCk+qaWqF\n"
+            b"gymC+qOWwCn4bM28gswHQb1D5r6AtKBRD8mKywVvWs7azguFVV3Fi8sspkBA2FBC\n"
+            b"At5p6ULoJOTL/TauzLl6djVJTCMM701WUDm2r+ZOIctXJ5bzP4n5Q4I7b0NMEL7u\n"
+            b"ixib4elYGr5D1vrVQAKtZHCr8gmkqyx8Mz7wkJepzBP9EeVzETCHsmiQDd5WYlO1\n"
+            b"C2IQYgw6MJzgM4entJ0V/GPytkodblGY95ORVK7ZhyNtda+r5BZ6/jeMW+hA3VoK\n"
+            b"tHSWjHt06ueVCCieZIATmYzBNt+zEz5UA2l7ksg3eWfVORJQS7a6Ef4VvbJLM9Ca\n"
+            b"m1kdsjelAoGBANKgvRf39i3bSuvm5VoyJuqinSb/23IH3Zo7XOZ5G164vh49E9Cq\n"
+            b"dOXXVxox74ppj/kbGUoOk+AvaB48zzfzNvac0a7lRHExykPH2kVrI/NwH/1OcT/x\n"
+            b"2e2DnFYocXcb4gbdZQ+m6X3zkxOYcONRzPVW1uMrFTWHcJveMUm4PGx7AoGBAMcU\n"
+            b"IRvrT6ye5se0s27gHnPweV+3xjsNtXZcK82N7duXyHmNjxrwOAv0SOhUmTkRXArM\n"
+            b"6aN5D8vyZBSWma2TgUKwpQYFTI+4Sp7sdkkyojGAEixJ+c5TZJNxZFrUe0FwAoic\n"
+            b"c2kb7ntaiEj5G+qHvykJJro5hy6uLnjiMVbAiJDTAoGAKb67241EmHAXGEwp9sdr\n"
+            b"2SMjnIAnQSF39UKAthkYqJxa6elXDQtLoeYdGE7/V+J2K3wIdhoPiuY6b4vD0iX9\n"
+            b"JcGM+WntN7YTjX2FsC588JmvbWfnoDHR7HYiPR1E58N597xXdFOzgUgORVr4PMWQ\n"
+            b"pqtwaZO3X2WZlvrhr+e46hMCgYBfdIdrm6jYXFjL6RkgUNZJQUTxYGzsY+ZemlNm\n"
+            b"fGdQo7a8kePMRuKY2MkcnXPaqTg49YgRmjq4z8CtHokRcWjJUWnPOTs8rmEZUshk\n"
+            b"0KJ0mbQdCFt/Uv0mtXgpFTkEZ3DPkDTGcV4oR4CRfOCl0/EU/A5VvL/U4i/mRo7h\n"
+            b"ye+xgQKBgD58b+9z+PR5LAJm1tZHIwb4tnyczP28PzwknxFd2qylR4ZNgvAUqGtU\n"
+            b"xvpUDpzMioz6zUH9YV43YNtt+5Xnzkqj+u9Mr27/H2v9XPwORGfwQ5XPwRJz/2oC\n"
+            b"EnPmP1SZoY9lXKUpQXHXSpDZ2rE2Klt3RHMUMHt8Zpy36E8Vwx8o\n"
+            b"-----END RSA PRIVATE KEY-----\n"
+        ),
+    ],
 }
 VALUES["updated_encryption_context"] = copy.deepcopy(VALUES["encryption_context"])
 VALUES["updated_encryption_context"]["aws-crypto-public-key"] = VALUES["encoded_curve_point"]