feat: Add support for negative test vectors (#340)

Co-authored-by: Robin Salkeld <[email protected]>

Author: github-actions[bot]

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "test_vector_handlers/test/aws-crypto-tools-test-vector-framework"]
+	path = test_vector_handlers/test/aws-crypto-tools-test-vector-framework
+	url = https://github.com/awslabs/aws-crypto-tools-test-vector-framework.git

test_vector_handlers/README.rst

@@ -24,21 +24,40 @@ processing of common test manifest types.
 Full Message Encrypt
 --------------------
 
-Used to process an AWS Encryption SDK Full Message Encrypt manifest and produce
+Used to process an AWS Encryption SDK Full Message Encrypt manifest.
+
+.. code::
+
+    usage: awses-full-message-encrypt [-h] --input INPUT
+
+    Build ciphertexts and decrypt manifest from keys and encrypt manifests
+
+    optional arguments:
+      -h, --help       show this help message and exit
+      --input INPUT    Existing full message encrypt manifest
+
+Full Message Decrypt Manifest Generate
+----------------------------------------
+
+Used to process an AWS Encryption SDK Full Message Decrypt Generation manifest and produce
 a Full Message Decrypt manifest along with all corresponding plaintexts and ciphertexts.
 
 .. code::
 
-    usage: awses-full-message-encrypt [-h] --output OUTPUT --input INPUT [--human]
+    usage: awses-full-message-decrypt-generate [-h] --output OUTPUT --input INPUT [--human]
 
     Build ciphertexts and decrypt manifest from keys and encrypt manifests
 
     optional arguments:
       -h, --help       show this help message and exit
       --output OUTPUT  Directory in which to store results
-      --input INPUT    Existing full message encrypt manifest
+      --input INPUT    Existing full message decrypt generation manifest
       --human          Output human-readable JSON
 
+The output of this command can be used to produce a zip file to be added to the
+`shared test vectors repository`_.
+Make sure that the individual contents of the output directory are top-level entries in
+the zip file; it is easy to add an additional top-level folder by accident!
 
 Full Message Decrypt
 --------------------
@@ -55,3 +74,5 @@ decrypt and verify all referenced ciphertexts.
     optional arguments:
       -h, --help     show this help message and exit
       --input INPUT  Existing full message decrypt manifest
+
+.. _shared test vectors repository: https://github.com/awslabs/aws-encryption-sdk-test-vectors

test_vector_handlers/requirements.txt

@@ -1,3 +1,4 @@
 attrs >= 17.4.0
-aws-encryption-sdk
+aws-encryption-sdk>=2.0.0
+pytest>=3.3.1
 six

test_vector_handlers/setup.py

@@ -59,6 +59,7 @@ def get_requirements():
     entry_points={
         "console_scripts": [
             "awses-full-message-encrypt=awses_test_vectors.commands.full_message_encrypt:cli",
+            "awses-full-message-decrypt-generate=awses_test_vectors.commands.full_message_decrypt_generate:cli",
             "awses-full-message-decrypt=awses_test_vectors.commands.full_message_decrypt:cli",
         ]
     },

test_vector_handlers/src/awses_test_vectors/__init__.py

@@ -11,4 +11,4 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 """Static test vector handling logic for the AWS Encyrption SDK."""
-__version__ = "1.0.0"
+__version__ = "2.0.0"

test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt.py

@@ -10,7 +10,7 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
-"""AWS Encryption SDK full message decrypt command."""
+"""Command to test AWS Encryption SDK full message decryption vectors."""
 import argparse
 
 from awses_test_vectors.manifests.full_message.decrypt import MessageDecryptionManifest
@@ -25,7 +25,7 @@
 def cli(args=None):
     # type: (Optional[Iterable[str]]) -> None
     """CLI entry point for processing AWS Encryption SDK Decrypt Message manifests."""
-    parser = argparse.ArgumentParser(description="Decrypt ciphertexts generated by awses-full-message-encrypt")
+    parser = argparse.ArgumentParser(description="Decrypt ciphertexts from keys and decrypt manifests")
     parser.add_argument(
         "--input", required=True, type=argparse.FileType("r"), help="Existing full message decrypt manifest"
     )

test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt_generate.py

@@ -0,0 +1,49 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Command to generate AWS Encryption SDK full message decryption vectors."""
+import argparse
+
+from awses_test_vectors.manifests.full_message.decrypt_generation import MessageDecryptionGenerationManifest
+
+try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
+    from typing import Iterable, Optional  # noqa pylint: disable=unused-import
+except ImportError:  # pragma: no cover
+    # We only actually need these imports when running the mypy checks
+    pass
+
+
+def cli(args=None):
+    # type: (Optional[Iterable[str]]) -> None
+    """CLI entry point for generating AWS Encryption SDK Decrypt Message manifests."""
+    parser = argparse.ArgumentParser(
+        description="Build a decrypt manifest from keys and decrypt generation manifests"
+    )
+    parser.add_argument("--output", required=True, help="Directory in which to store results")
+    parser.add_argument(
+        "--input", required=True, type=argparse.FileType("r"), help="Existing full message decrypt generation manifest"
+    )
+    parser.add_argument(
+        "--human",
+        required=False,
+        default=None,
+        action="store_const",
+        const=4,
+        dest="json_indent",
+        help="Output human-readable JSON",
+    )
+
+    parsed = parser.parse_args(args)
+
+    encrypt_manifest = MessageDecryptionGenerationManifest.from_file(parsed.input)
+
+    encrypt_manifest.run_and_write_to_dir(target_directory=parsed.output, json_indent=parsed.json_indent)

test_vector_handlers/src/awses_test_vectors/commands/full_message_encrypt.py

@@ -10,7 +10,7 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
-"""AWS Encryption SDK full message encrypt command."""
+"""Command to test AWS Encryption SDK full message encryption vectors."""
 import argparse
 
 from awses_test_vectors.manifests.full_message.encrypt import MessageEncryptionManifest
@@ -26,24 +26,14 @@ def cli(args=None):
     # type: (Optional[Iterable[str]]) -> None
     """CLI entry point for processing AWS Encryption SDK Encrypt Message manifests."""
     parser = argparse.ArgumentParser(
-        description="Build ciphertexts and decrypt manifest from keys and encrypt manifests"
+        description="Build ciphertexts from keys and encrypt manifests"
     )
-    parser.add_argument("--output", required=True, help="Directory in which to store results")
     parser.add_argument(
         "--input", required=True, type=argparse.FileType("r"), help="Existing full message encrypt manifest"
     )
-    parser.add_argument(
-        "--human",
-        required=False,
-        default=None,
-        action="store_const",
-        const=4,
-        dest="json_indent",
-        help="Output human-readable JSON",
-    )
 
     parsed = parser.parse_args(args)
 
     encrypt_manifest = MessageEncryptionManifest.from_file(parsed.input)
 
-    encrypt_manifest.run_and_write_to_dir(target_directory=parsed.output, json_indent=parsed.json_indent)
+    encrypt_manifest.run()