fix: raw RSA keyring must raise an error on encrypt if public key is not available

Author: mattsb42-aws

src/aws_encryption_sdk/keyrings/raw.py

@@ -380,7 +380,7 @@ def on_encrypt(self, encryption_materials):
         new_materials = encryption_materials
 
         if self._public_wrapping_key is None:
-            return encryption_materials
+            raise EncryptKeyError("A public key is required to encrypt")
 
         if new_materials.data_encryption_key is None:
             new_materials = _generate_data_key(encryption_materials=new_materials, key_provider=self._key_provider)

test/functional/keyrings/raw/test_raw_rsa.py

@@ -17,6 +17,7 @@
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 
+from aws_encryption_sdk.exceptions import EncryptKeyError
 from aws_encryption_sdk.identifiers import (
     Algorithm,
     EncryptionKeyType,
@@ -307,7 +308,7 @@ def test_public_key_only_cannot_decrypt():
     assert test_materials is initial_decryption_materials
 
 
-def test_private_key_only_can_decrypt():
+def test_private_key_can_decrypt():
     complete_keyring = RawRSAKeyring(
         key_namespace=_PROVIDER_ID,
         key_name=_KEY_ID,
@@ -339,7 +340,7 @@ def test_private_key_only_can_decrypt():
     assert test_materials.data_encryption_key is not None
 
 
-def test_private_key_only_cannot_encrypt():
+def test_private_key_cannot_encrypt():
     test_keyring = RawRSAKeyring(
         key_namespace=_PROVIDER_ID,
         key_name=_KEY_ID,
@@ -350,11 +351,10 @@ def test_private_key_only_cannot_encrypt():
         algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, encryption_context=_ENCRYPTION_CONTEXT
     )
 
-    test_materials = test_keyring.on_encrypt(initial_materials)
+    with pytest.raises(EncryptKeyError) as excinfo:
+        test_keyring.on_encrypt(initial_materials)
 
-    assert test_materials is initial_materials
-    assert test_materials.data_encryption_key is None
-    assert not test_materials.encrypted_data_keys
+    excinfo.match("A public key is required to encrypt")
 
 
 def test_keypair_must_match():

test/unit/keyrings/raw/test_raw_rsa.py

@@ -19,6 +19,7 @@
 
 import aws_encryption_sdk.key_providers.raw
 import aws_encryption_sdk.keyrings.raw
+from aws_encryption_sdk.exceptions import EncryptKeyError
 from aws_encryption_sdk.identifiers import KeyringTraceFlag, WrappingAlgorithm
 from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey
 from aws_encryption_sdk.keyrings.base import Keyring
@@ -148,14 +149,20 @@ def test_on_encrypt_when_data_encryption_key_given(raw_rsa_keyring, patch_genera
 
 
 def test_on_encrypt_no_public_key(raw_rsa_keyring):
-    raw_rsa_keyring._public_wrapping_key = None
+    private_key = raw_rsa_private_key()
+    test_keyring = RawRSAKeyring(
+        key_namespace=_PROVIDER_ID,
+        key_name=_KEY_ID,
+        wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
+        private_wrapping_key=private_key,
+    )
 
-    intial_materials = get_encryption_materials_without_data_encryption_key()
+    initial_materials = get_encryption_materials_without_data_encryption_key()
 
-    test_materials = raw_rsa_keyring.on_encrypt(encryption_materials=intial_materials)
+    with pytest.raises(EncryptKeyError) as excinfo:
+        test_keyring.on_encrypt(encryption_materials=initial_materials)
 
-    assert test_materials is intial_materials
-    assert intial_materials.data_encryption_key is None
+    excinfo.match("A public key is required to encrypt")
 
 
 def test_on_encrypt_keyring_trace_when_data_encryption_key_given(raw_rsa_keyring):