cleanup

Author: lucasmcdonald3

examples/src/aws_kms_discovery_keyring_example.py

@@ -156,8 +156,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=discovery_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/aws_kms_discovery_multi_keyring_example.py

@@ -154,8 +154,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=discovery_multi_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/aws_kms_keyring_example.py

@@ -100,8 +100,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=kms_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/aws_kms_mrk_discovery_keyring_example.py

@@ -166,8 +166,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=decrypt_discovery_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/aws_kms_mrk_discovery_multi_keyring_example.py

@@ -175,8 +175,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=decrypt_discovery_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/aws_kms_mrk_keyring_example.py

@@ -135,8 +135,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=decrypt_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/aws_kms_mrk_multi_keyring_example.py

@@ -127,8 +127,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=kms_mrk_multi_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 
@@ -159,8 +158,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes_second_region, _ = client.decrypt(
         source=ciphertext,
         keyring=second_region_mrk_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/aws_kms_multi_keyring_example.py

@@ -134,8 +134,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes_multi_keyring, _ = client.decrypt(
         source=ciphertext,
         keyring=kms_multi_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 
@@ -168,8 +167,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes_default_region_kms_keyring, _ = client.decrypt(
         source=ciphertext,
         keyring=default_region_kms_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 
@@ -199,8 +197,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes_second_region_kms_keyring, _ = client.decrypt(
         source=ciphertext,
         keyring=second_region_kms_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/aws_kms_rsa_keyring_example.py

@@ -106,8 +106,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=kms_rsa_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/default_cryptographic_materials_manager_example.py

@@ -112,8 +112,7 @@ def encrypt_and_decrypt_with_default_cmm(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         materials_manager=cmm,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )
 

examples/src/hierarchical_keyring_example.py

@@ -226,8 +226,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes_a, _ = client.decrypt(
         source=ciphertext_a,
         keyring=hierarchical_keyring_a,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context_a,
     )
     assert plaintext_bytes_a == EXAMPLE_DATA, \
@@ -236,8 +235,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes_b, _ = client.decrypt(
         source=ciphertext_b,
         keyring=hierarchical_keyring_b,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context_b,
     )
     assert plaintext_bytes_b == EXAMPLE_DATA, \

examples/src/migration/migration_aws_kms_key_example.py

@@ -115,14 +115,14 @@ def migration_aws_kms_key(
     aws_kms_master_key_provider = create_key_provider(kms_key_id=kms_key_id)
 
     # 2a. Encrypt EXAMPLE_DATA using AWS KMS Keyring
-    ciphertext_keyring, _ = client.encrypt(
+    ciphertext_keyring, enc_header_keyring = client.encrypt(
         source=EXAMPLE_DATA,
         keyring=aws_kms_keyring,
         encryption_context=DEFAULT_ENCRYPTION_CONTEXT
     )
 
     # 2b. Encrypt EXAMPLE_DATA using AWS KMS Master Key Provider
-    ciphertext_mkp, _ = client.encrypt(
+    ciphertext_mkp, enc_header_mkp = client.encrypt(
         source=EXAMPLE_DATA,
         key_provider=aws_kms_master_key_provider,
         encryption_context=DEFAULT_ENCRYPTION_CONTEXT
@@ -137,14 +137,24 @@ def migration_aws_kms_key(
     # resulting plaintext is the same and also equal to EXAMPLE_DATA
     decrypted_ciphertext_keyring_using_keyring, _ = client.decrypt(
         source=ciphertext_keyring,
-        keyring=aws_kms_keyring
+        keyring=aws_kms_keyring,
+        # Provide the encryption context that was supplied to the encrypt method
+        encryption_context=DEFAULT_ENCRYPTION_CONTEXT,
     )
 
-    decrypted_ciphertext_keyring_using_mkp, _ = client.decrypt(
+    decrypted_ciphertext_keyring_using_mkp, decrypted_header_keyring_using_mkp = client.decrypt(
         source=ciphertext_keyring,
         key_provider=aws_kms_master_key_provider
     )
 
+    # Legacy MasterKeyProviders do not support providing encryption context on decrypt.
+    # If decrypting with a legacy MasterKeyProvider, you should manually verify
+    # that the encryption context used in the decrypt operation
+    # includes all key pairs from the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
+    assert all(
+        pair in decrypted_header_keyring_using_mkp.encryption_context.items() for pair in enc_header_keyring.encryption_context.items()
+    )
+
     assert decrypted_ciphertext_keyring_using_keyring == decrypted_ciphertext_keyring_using_mkp \
         and decrypted_ciphertext_keyring_using_keyring == EXAMPLE_DATA, \
         "Decrypted outputs using keyring and master key provider are not the same"
@@ -153,14 +163,24 @@ def migration_aws_kms_key(
     # resulting plaintext is the same and also equal to EXAMPLE_DATA
     decrypted_ciphertext_mkp_using_keyring, _ = client.decrypt(
         source=ciphertext_mkp,
-        keyring=aws_kms_keyring
+        keyring=aws_kms_keyring,
+        # Provide the encryption context that was supplied to the encrypt method
+        encryption_context=DEFAULT_ENCRYPTION_CONTEXT,
     )
 
-    decrypted_ciphertext_mkp_using_mkp, _ = client.decrypt(
+    decrypted_ciphertext_mkp_using_mkp, decrypted_header_mkp_using_mkp = client.decrypt(
         source=ciphertext_mkp,
         key_provider=aws_kms_master_key_provider
     )
 
+    # Legacy MasterKeyProviders do not support providing encryption context on decrypt.
+    # If decrypting with a legacy MasterKeyProvider, you should manually verify
+    # that the encryption context used in the decrypt operation
+    # includes all key pairs from the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
+    assert all(
+        pair in decrypted_header_mkp_using_mkp.encryption_context.items() for pair in enc_header_mkp.encryption_context.items()
+    )
+
     assert decrypted_ciphertext_mkp_using_keyring == decrypted_ciphertext_mkp_using_mkp \
         and decrypted_ciphertext_mkp_using_keyring == EXAMPLE_DATA, \
         "Decrypted outputs using keyring and master key provider are not the same"

examples/src/migration/migration_raw_aes_key_example.py

@@ -156,14 +156,14 @@ def migration_raw_aes_key():
     raw_aes_master_key_provider = create_key_provider()
 
     # 2a. Encrypt EXAMPLE_DATA using Raw AES Keyring
-    ciphertext_keyring, _ = client.encrypt(
+    ciphertext_keyring, enc_header_keyring = client.encrypt(
         source=EXAMPLE_DATA,
         keyring=raw_aes_keyring,
         encryption_context=DEFAULT_ENCRYPTION_CONTEXT
     )
 
     # 2b. Encrypt EXAMPLE_DATA using Raw AES Master Key Provider
-    ciphertext_mkp, _ = client.encrypt(
+    ciphertext_mkp, enc_header_mkp = client.encrypt(
         source=EXAMPLE_DATA,
         key_provider=raw_aes_master_key_provider,
         encryption_context=DEFAULT_ENCRYPTION_CONTEXT
@@ -178,14 +178,24 @@ def migration_raw_aes_key():
     # resulting plaintext is the same and also equal to EXAMPLE_DATA
     decrypted_ciphertext_keyring_using_keyring, _ = client.decrypt(
         source=ciphertext_keyring,
-        keyring=raw_aes_keyring
+        keyring=raw_aes_keyring,
+        # Provide the encryption context that was supplied to the encrypt method
+        encryption_context=DEFAULT_ENCRYPTION_CONTEXT,
     )
 
-    decrypted_ciphertext_keyring_using_mkp, _ = client.decrypt(
+    decrypted_ciphertext_keyring_using_mkp, decrypted_header_keyring_using_mkp = client.decrypt(
         source=ciphertext_keyring,
         key_provider=raw_aes_master_key_provider
     )
 
+    # Legacy MasterKeyProviders do not support providing encryption context on decrypt.
+    # If decrypting with a legacy MasterKeyProvider, you should manually verify
+    # that the encryption context used in the decrypt operation
+    # includes all key pairs from the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
+    assert all(
+        pair in decrypted_header_keyring_using_mkp.encryption_context.items() for pair in enc_header_keyring.encryption_context.items()
+    )
+
     assert decrypted_ciphertext_keyring_using_keyring == decrypted_ciphertext_keyring_using_mkp \
         and decrypted_ciphertext_keyring_using_keyring == EXAMPLE_DATA, \
         "Decrypted outputs using keyring and master key provider are not the same"
@@ -194,14 +204,24 @@ def migration_raw_aes_key():
     # resulting plaintext is the same and also equal to EXAMPLE_DATA
     decrypted_ciphertext_mkp_using_keyring, _ = client.decrypt(
         source=ciphertext_mkp,
-        keyring=raw_aes_keyring
+        keyring=raw_aes_keyring,
+        # Provide the encryption context that was supplied to the encrypt method
+        encryption_context=DEFAULT_ENCRYPTION_CONTEXT,
     )
 
-    decrypted_ciphertext_mkp_using_mkp, _ = client.decrypt(
+    decrypted_ciphertext_mkp_using_mkp, decrypted_header_mkp_using_mkp = client.decrypt(
         source=ciphertext_mkp,
         key_provider=raw_aes_master_key_provider
     )
 
+    # Legacy MasterKeyProviders do not support providing encryption context on decrypt.
+    # If decrypting with a legacy MasterKeyProvider, you should manually verify
+    # that the encryption context used in the decrypt operation
+    # includes all key pairs from the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
+    assert all(
+        pair in decrypted_header_mkp_using_mkp.encryption_context.items() for pair in enc_header_mkp.encryption_context.items()
+    )
+
     assert decrypted_ciphertext_mkp_using_keyring == decrypted_ciphertext_mkp_using_mkp \
         and decrypted_ciphertext_mkp_using_keyring == EXAMPLE_DATA, \
         "Decrypted outputs using keyring and master key provider are not the same"

examples/src/migration/migration_raw_rsa_key_example.py

@@ -208,14 +208,14 @@ def migration_raw_rsa_key(
     raw_rsa_master_key_provider = create_key_provider()
 
     # 2a. Encrypt EXAMPLE_DATA using Raw RSA Keyring
-    ciphertext_keyring, _ = client.encrypt(
+    ciphertext_keyring, enc_header_keyring = client.encrypt(
         source=EXAMPLE_DATA,
         keyring=raw_rsa_keyring,
         encryption_context=DEFAULT_ENCRYPTION_CONTEXT
     )
 
     # 2b. Encrypt EXAMPLE_DATA using Raw RSA Master Key Provider
-    ciphertext_mkp, _ = client.encrypt(
+    ciphertext_mkp, enc_header_mkp = client.encrypt(
         source=EXAMPLE_DATA,
         key_provider=raw_rsa_master_key_provider,
         encryption_context=DEFAULT_ENCRYPTION_CONTEXT
@@ -230,14 +230,24 @@ def migration_raw_rsa_key(
     # resulting plaintext is the same and also equal to EXAMPLE_DATA
     decrypted_ciphertext_keyring_using_keyring, _ = client.decrypt(
         source=ciphertext_keyring,
-        keyring=raw_rsa_keyring
+        keyring=raw_rsa_keyring,
+        # Provide the encryption context that was supplied to the encrypt method
+        encryption_context=DEFAULT_ENCRYPTION_CONTEXT,
     )
 
-    decrypted_ciphertext_keyring_using_mkp, _ = client.decrypt(
+    decrypted_ciphertext_keyring_using_mkp, decrypted_header_keyring_using_mkp = client.decrypt(
         source=ciphertext_keyring,
         key_provider=raw_rsa_master_key_provider
     )
 
+    # Legacy MasterKeyProviders do not support providing encryption context on decrypt.
+    # If decrypting with a legacy MasterKeyProvider, you should manually verify
+    # that the encryption context used in the decrypt operation
+    # includes all key pairs from the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
+    assert all(
+        pair in decrypted_header_keyring_using_mkp.encryption_context.items() for pair in enc_header_keyring.encryption_context.items()
+    )
+
     assert decrypted_ciphertext_keyring_using_keyring == decrypted_ciphertext_keyring_using_mkp \
         and decrypted_ciphertext_keyring_using_keyring == EXAMPLE_DATA, \
         "Decrypted outputs using keyring and master key provider are not the same"
@@ -246,14 +256,24 @@ def migration_raw_rsa_key(
     # resulting plaintext is the same and also equal to EXAMPLE_DATA
     decrypted_ciphertext_mkp_using_keyring, _ = client.decrypt(
         source=ciphertext_mkp,
-        keyring=raw_rsa_keyring
+        keyring=raw_rsa_keyring,
+        # Provide the encryption context that was supplied to the encrypt method
+        encryption_context=DEFAULT_ENCRYPTION_CONTEXT,
     )
 
-    decrypted_ciphertext_mkp_using_mkp, _ = client.decrypt(
+    decrypted_ciphertext_mkp_using_mkp, decrypted_header_mkp_using_mkp = client.decrypt(
         source=ciphertext_mkp,
         key_provider=raw_rsa_master_key_provider
     )
 
+    # Legacy MasterKeyProviders do not support providing encryption context on decrypt.
+    # If decrypting with a legacy MasterKeyProvider, you should manually verify
+    # that the encryption context used in the decrypt operation
+    # includes all key pairs from the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
+    assert all(
+        pair in decrypted_header_mkp_using_mkp.encryption_context.items() for pair in enc_header_mkp.encryption_context.items()
+    )
+
     assert decrypted_ciphertext_mkp_using_keyring == decrypted_ciphertext_mkp_using_mkp \
         and decrypted_ciphertext_mkp_using_keyring == EXAMPLE_DATA, \
         "Decrypted outputs using keyring and master key provider are not the same"

examples/src/migration/migration_set_commitment_policy_example.py

@@ -108,8 +108,7 @@ def encrypt_and_decrypt_with_keyring(
     plaintext_bytes, _ = client.decrypt(
         source=ciphertext,
         keyring=kms_keyring,
-        # Verify that the encryption context in the result contains the
-        # encryption context supplied to the encrypt method
+        # Provide the encryption context that was supplied to the encrypt method
         encryption_context=encryption_context,
     )