chore: updated raw rsa and aes keyrings

RitvikKapila · RitvikKapila · commit 7799a57a66d1 · 2024-04-24T17:14:30.000-07:00
diff --git a/examples/src/keyrings/raw_aes_keyring_example.py b/examples/src/keyrings/raw_aes_keyring_example.py
@@ -27,7 +27,7 @@
 
 from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
 from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
-from aws_cryptographic_materialproviders.mpl.models import CreateRawAesKeyringInput
+from aws_cryptographic_materialproviders.mpl.models import AesWrappingAlg, CreateRawAesKeyringInput
 from aws_cryptographic_materialproviders.mpl.references import IKeyring
 from typing import Dict
 
@@ -91,7 +91,7 @@ def encrypt_and_decrypt_with_keyring():
         key_namespace=key_name_space,
         key_name=key_name,
         wrapping_key=static_key,
-        wrapping_alg="ALG_AES256_GCM_IV12_TAG16"
+        wrapping_alg=AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16
     )
 
     raw_aes_keyring: IKeyring = mat_prov.create_raw_aes_keyring(
diff --git a/examples/src/keyrings/raw_rsa_keyring_example.py b/examples/src/keyrings/raw_rsa_keyring_example.py
@@ -17,6 +17,9 @@
 1. Ciphertext and plaintext data are not the same
 2. Encryption context is correct in the decrypted message header
 3. Decrypted plaintext value matches EXAMPLE_DATA
+4. After verifying that the encrypt and decrypt works, this example also demonstrates
+that the original ciphertext should not be decrypted using a new Raw RSA keyring generated by
+another user, let's say Bob (Points 9 and 10).
 These sanity checks are for demonstration in the example only. You do not need these in your code.
 
 A Raw RSA keyring that encrypts and decrypts must include an asymmetric public key and private
@@ -34,8 +37,11 @@
 
 from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
 from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
-from aws_cryptographic_materialproviders.mpl.models import CreateRawRsaKeyringInput
+from aws_cryptographic_materialproviders.mpl.models import CreateRawRsaKeyringInput, PaddingScheme
 from aws_cryptographic_materialproviders.mpl.references import IKeyring
+from aws_cryptographic_materialproviders.smithygenerated.aws_cryptography_materialproviders.errors import (
+    CollectionOfErrors,
+)
 from cryptography.hazmat.backends import default_backend as crypto_default_backend
 from cryptography.hazmat.primitives import serialization as crypto_serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
@@ -52,42 +58,20 @@
 EXAMPLE_DATA: bytes = b"Hello World"
 
 
-def encrypt_and_decrypt_with_keyring():
-    """Demonstrate an encrypt/decrypt cycle using a Raw RSA keyring.
+def generate_rsa_keyring():
+    """Generates new public and private keys to create a Raw RSA keyring and
+    then generates the keyring
 
-    Usage: encrypt_and_decrypt_with_keyring()
+    Usage: generate_rsa_keyring()
     """
-    # 1. Instantiate the encryption SDK client.
-    # This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
-    # which enforces that this client only encrypts using committing algorithm suites and enforces
-    # that this client will only decrypt encrypted messages that were created with a committing
-    # algorithm suite.
-    # This is the default commitment policy if you were to build the client as
-    # `client = aws_encryption_sdk.EncryptionSDKClient()`.
-    client = aws_encryption_sdk.EncryptionSDKClient(
-        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
-    )
-
-    # 2. Create encryption context.
-    # Remember that your encryption context is NOT SECRET.
-    # For more information, see
-    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
-    encryption_context: Dict[str, str] = {
-        "encryption": "context",
-        "is not": "secret",
-        "but adds": "useful metadata",
-        "that can help you": "be confident that",
-        "the data you are handling": "is what you think it is",
-    }
-
-    # 3. The key namespace and key name are defined by you.
+    # 1. The key namespace and key name are defined by you.
     # and are used by the Raw RSA keyring
     # For more information, see
     # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-rsa-keyring.html
     key_name_space = "Some managed raw keys"
     key_name = "My 4096-bit RSA wrapping key"
 
-    # 4. Generate a 4096-bit RSA key to use with your keyring.
+    # 2. Generate a 4096-bit RSA key to use with your keyring.
     ssh_rsa_exponent = 65537
     bit_strength = 4096
     key = rsa.generate_private_key(
@@ -109,15 +93,15 @@ def encrypt_and_decrypt_with_keyring():
         format=crypto_serialization.PublicFormat.SubjectPublicKeyInfo
     )
 
-    # 5. Create a Raw RSA keyring
+    # 3. Create a Raw RSA keyring
     mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
         config=MaterialProvidersConfig()
     )
 
     keyring_input: CreateRawRsaKeyringInput = CreateRawRsaKeyringInput(
         key_namespace=key_name_space,
         key_name=key_name,
-        padding_scheme="OAEP_SHA256_MGF1",
+        padding_scheme=PaddingScheme.OAEP_SHA256_MGF1,
         public_key=public_key,
         private_key=private_key
     )
@@ -126,30 +110,82 @@ def encrypt_and_decrypt_with_keyring():
         input=keyring_input
     )
 
-    # 6. Encrypt the data for the encryptionContext
+    return raw_rsa_keyring
+
+
+def encrypt_and_decrypt_with_keyring():
+    """Demonstrate an encrypt/decrypt cycle using a Raw RSA keyring.
+
+    Usage: encrypt_and_decrypt_with_keyring()
+    """
+    # 1. Instantiate the encryption SDK client.
+    # This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
+    # which enforces that this client only encrypts using committing algorithm suites and enforces
+    # that this client will only decrypt encrypted messages that were created with a committing
+    # algorithm suite.
+    # This is the default commitment policy if you were to build the client as
+    # `client = aws_encryption_sdk.EncryptionSDKClient()`.
+    client = aws_encryption_sdk.EncryptionSDKClient(
+        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+    )
+
+    # 2. Create encryption context.
+    # Remember that your encryption context is NOT SECRET.
+    # For more information, see
+    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+    encryption_context: Dict[str, str] = {
+        "encryption": "context",
+        "is not": "secret",
+        "but adds": "useful metadata",
+        "that can help you": "be confident that",
+        "the data you are handling": "is what you think it is",
+    }
+
+    # 3. Create a Raw RSA keyring
+    raw_rsa_keyring = generate_rsa_keyring()
+
+    # 4. Encrypt the data for the encryptionContext
     ciphertext, _ = client.encrypt(
         source=EXAMPLE_DATA,
         keyring=raw_rsa_keyring,
         encryption_context=encryption_context
     )
 
-    # 7. Demonstrate that the ciphertext and plaintext are different.
+    # 5. Demonstrate that the ciphertext and plaintext are different.
     # (This is an example for demonstration; you do not need to do this in your own code.)
     assert ciphertext != EXAMPLE_DATA, \
         "Ciphertext and plaintext data are the same. Invalid encryption"
 
-    # 8. Decrypt your encrypted data using the same keyring you used on encrypt.
+    # 6. Decrypt your encrypted data using the same keyring you used on encrypt.
     plaintext_bytes, dec_header = client.decrypt(
         source=ciphertext,
         keyring=raw_rsa_keyring
     )
 
-    # 9. Demonstrate that the encryption context is correct in the decrypted message header
+    # 7. Demonstrate that the encryption context is correct in the decrypted message header
     # (This is an example for demonstration; you do not need to do this in your own code.)
     for k, v in encryption_context.items():
         assert v == dec_header.encryption_context[k], \
             "Encryption context does not match expected values"
 
-    # 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
+    # 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
     # (This is an example for demonstration; you do not need to do this in your own code.)
     assert plaintext_bytes == EXAMPLE_DATA
+
+    # The next part of the example creates a new RSA keyring (for Bob) to demonstrate that
+    # decryption of the original ciphertext is not possible with a different keyring (Bob's)
+    # (This is an example for demonstration; you do not need to do this in your own code.)
+
+    # 9. Generate a new Raw RSA keyring for Bob
+    raw_rsa_keyring_bob = generate_rsa_keyring()
+
+    # 10. Test decrypt for the original ciphertext using raw_rsa_keyring_bob
+    try:
+        plaintext_bytes_bob, dec_header_bob = client.decrypt(
+            source=ciphertext,
+            keyring=raw_rsa_keyring_bob
+        )
+
+        assert False, "client.decrypt should throw a error of type CollectionOfErrors!"
+    except CollectionOfErrors:
+        pass
