docs: add CMM examples

Author: mattsb42-aws

examples/src/crypto_materials_manager/__init__.py

@@ -0,0 +1,7 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+Cryptographic materials manager examples.
+
+These examples show how to create and use cryptographic materials managers.
+"""

examples/src/crypto_materials_manager/caching/__init__.py

@@ -0,0 +1,7 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+Caching cryptographic materials manager examples.
+
+These examples show how to configure and use the caching cryptographic materials manager.
+"""

examples/src/crypto_materials_manager/caching/simple_cache.py

@@ -0,0 +1,94 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+The default cryptographic materials manager (CMM)
+creates new encryption and decryption materials
+on every call.
+This means every encrypted message is protected by a unique data key,
+but it also means that you need to interact with your key management system
+in order to process any message.
+If this causes performance, operations, or cost issues for you,
+you might benefit from data key caching.
+
+https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html
+
+This examples shows how to configure the caching CMM
+to reuse data keys across multiple encrypted messages.
+
+In this example, we use an AWS KMS customer master key (CMK),
+but you can use other key management options with the AWS Encryption SDK.
+For examples that demonstrate how to use other key management configurations,
+see the ``keyring`` and ``master_key_provider`` directories.
+
+In this example, we use the one-step encrypt and decrypt APIs.
+"""
+import aws_encryption_sdk
+from aws_encryption_sdk.caches.local import LocalCryptoMaterialsCache
+from aws_encryption_sdk.keyrings.aws_kms import KmsKeyring
+from aws_encryption_sdk.materials_managers.caching import CachingCryptoMaterialsManager
+
+
+def run(aws_kms_cmk, source_plaintext):
+    # type: (str, bytes) -> None
+    """Demonstrate an encrypt/decrypt cycle using a KMS keyring with a single CMK.
+
+    :param str aws_kms_cmk: The ARN of an AWS KMS CMK that protects data keys
+    :param bytes source_plaintext: Plaintext to encrypt
+    """
+    # Prepare your encryption context.
+    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+    encryption_context = {
+        "encryption": "context",
+        "is not": "secret",
+        "but adds": "useful metadata",
+        "that can help you": "be confident that",
+        "the data you are handling": "is what you think it is",
+    }
+
+    # Create the keyring that determines how your data keys are protected.
+    keyring = KmsKeyring(generator_key_id=aws_kms_cmk)
+
+    # Create the caching cryptographic materials manager using your keyring.
+    cmm = CachingCryptoMaterialsManager(
+        keyring=keyring,
+        # The cache is where the caching CMM stores the materials.
+        #
+        # LocalCryptoMaterialsCache gives you a local, in-memory, cache.
+        cache=LocalCryptoMaterialsCache(capacity=100),
+        # max_age determines how long the caching CMM will reuse materials.
+        #
+        # This example uses two minutes.
+        # In production, always choose as small a value as possible
+        # that works for your requirements.
+        max_age=120.0,
+        # max_messages_encrypted determines how many messages
+        # the caching CMM will protect with the same materials.
+        #
+        # In production, always choose as small a value as possible
+        # that works for your requirements.
+        max_messages_encrypted=10,
+    )
+
+    # Encrypt your plaintext data.
+    ciphertext, _encrypt_header = aws_encryption_sdk.encrypt(
+        source=source_plaintext, encryption_context=encryption_context, materials_manager=cmm
+    )
+
+    # Demonstrate that the ciphertext and plaintext are different.
+    assert ciphertext != source_plaintext
+
+    # Decrypt your encrypted data using the same cryptographic materials manager you used on encrypt.
+    #
+    # You do not need to specify the encryption context on decrypt
+    # because the header of the encrypted message includes the encryption context.
+    decrypted, decrypt_header = aws_encryption_sdk.decrypt(source=ciphertext, materials_manager=cmm)
+
+    # Demonstrate that the decrypted plaintext is identical to the original plaintext.
+    assert decrypted == source_plaintext
+
+    # Verify that the encryption context used in the decrypt operation includes
+    # the encryption context that you specified when encrypting.
+    # The AWS Encryption SDK can add pairs, so don't require an exact match.
+    #
+    # In production, always use a meaningful encryption context.
+    assert set(encryption_context.items()) <= set(decrypt_header.encryption_context.items())

examples/src/crypto_materials_manager/custom_cmm/__init__.py

@@ -0,0 +1,10 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+Cuystom cryptographic materials manager (CMM) examples.
+
+The AWS Encryption SDK includes CMMs for common use cases,
+but you might need to do something else.
+
+These examples show how you could create your own CMM for some specific requirements.
+"""

examples/src/crypto_materials_manager/custom_cmm/algorithm_suite_enforcement.py

@@ -0,0 +1,119 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+The AWS Encryption SDK supports several different algorithm suites
+that offer different security properties.
+
+https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/supported-algorithms.html
+
+By default, the AWS Encryption SDK will let you use any of these,
+but you might want to restrict that further.
+We do not recommend using the algorithm suites without key derivation,
+so for this example we will show how to make a custom CMM
+that will not allow you to use those algorithm suites.
+"""
+import aws_encryption_sdk
+from aws_encryption_sdk.identifiers import AlgorithmSuite, KDFSuite
+from aws_encryption_sdk.keyrings.aws_kms import KmsKeyring
+from aws_encryption_sdk.keyrings.base import Keyring
+from aws_encryption_sdk.materials_managers import (
+    DecryptionMaterials,
+    DecryptionMaterialsRequest,
+    EncryptionMaterials,
+    EncryptionMaterialsRequest,
+)
+from aws_encryption_sdk.materials_managers.base import CryptoMaterialsManager
+from aws_encryption_sdk.materials_managers.default import DefaultCryptoMaterialsManager
+
+
+class UnsupportedAlgorithmSuite(Exception):
+    """Indicate that an unsupported algorithm suite was requested."""
+
+
+class OnlyKdfAlgorithmSuitesCryptoMaterialsManager(CryptoMaterialsManager):
+    """Only allow encryption requests for algorithm suites with a KDF."""
+
+    def __init__(self, keyring):
+        # type: (Keyring) -> None
+        """Set up the inner cryptographic materials manager using the provided keyring.
+
+        :param Keyring keyring: Keyring to use in the inner cryptographic materials manager
+        """
+        self._cmm = DefaultCryptoMaterialsManager(keyring=keyring)
+
+    def get_encryption_materials(self, request):
+        # type: (EncryptionMaterialsRequest) -> EncryptionMaterials
+        """Block any requests that include an algorithm suite without a KDF."""
+        if request.algorithm is not None and request.algorithm.kdf is KDFSuite.NONE:
+            raise UnsupportedAlgorithmSuite("Non-KDF algorithm suites are not allowed!")
+
+        return self._cmm.get_encryption_materials(request)
+
+    def decrypt_materials(self, request):
+        # type: (DecryptionMaterialsRequest) -> DecryptionMaterials
+        """Be more permissive on decrypt and just pass through."""
+        return self._cmm.decrypt_materials(request)
+
+
+def run(aws_kms_cmk, source_plaintext):
+    # type: (str, bytes) -> None
+    """Demonstrate an encrypt/decrypt cycle using a KMS keyring with a single CMK.
+
+    :param str aws_kms_cmk: The ARN of an AWS KMS CMK that protects data keys
+    :param bytes source_plaintext: Plaintext to encrypt
+    """
+    # Prepare your encryption context.
+    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+    encryption_context = {
+        "encryption": "context",
+        "is not": "secret",
+        "but adds": "useful metadata",
+        "that can help you": "be confident that",
+        "the data you are handling": "is what you think it is",
+    }
+
+    # Create the keyring that determines how your data keys are protected.
+    keyring = KmsKeyring(generator_key_id=aws_kms_cmk)
+
+    # Create the filtering cryptographic materials manager using your keyring.
+    cmm = OnlyKdfAlgorithmSuitesCryptoMaterialsManager(keyring=keyring)
+
+    # Demonstrate that the filtering CMM will not let you use non-KDF algorithm suites.
+    try:
+        aws_encryption_sdk.encrypt(
+            source=source_plaintext,
+            encryption_context=encryption_context,
+            materials_manager=cmm,
+            algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16,
+        )
+    except UnsupportedAlgorithmSuite:
+        # You asked for a non-KDF algorithm suite.
+        # Reaching this point means everything is working as expected.
+        pass
+    else:
+        # The filtering CMM keeps this from happening.
+        raise AssertionError("The filtering CMM does not let this happen!")
+
+    # Encrypt your plaintext data.
+    ciphertext, _encrypt_header = aws_encryption_sdk.encrypt(
+        source=source_plaintext, encryption_context=encryption_context, materials_manager=cmm
+    )
+
+    # Demonstrate that the ciphertext and plaintext are different.
+    assert ciphertext != source_plaintext
+
+    # Decrypt your encrypted data using the same cryptographic materials manager you used on encrypt.
+    #
+    # You do not need to specify the encryption context on decrypt
+    # because the header of the encrypted message includes the encryption context.
+    decrypted, decrypt_header = aws_encryption_sdk.decrypt(source=ciphertext, materials_manager=cmm)
+
+    # Demonstrate that the decrypted plaintext is identical to the original plaintext.
+    assert decrypted == source_plaintext
+
+    # Verify that the encryption context used in the decrypt operation includes
+    # the encryption context that you specified when encrypting.
+    # The AWS Encryption SDK can add pairs, so don't require an exact match.
+    #
+    # In production, always use a meaningful encryption context.
+    assert set(encryption_context.items()) <= set(decrypt_header.encryption_context.items())

examples/src/crypto_materials_manager/custom_cmm/requiring_encryption_context_fields.py

@@ -0,0 +1,144 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+Encryption context is a powerful tool for access and audit controls
+because it lets you tie *non-secret* metadata about a plaintext value to the encrypted message.
+This is especially powerful when you use the AWS Encryption SDK with AWS KMS,
+but within the context of the AWS Encryption SDK alone
+you can use cryptographic materials managers to analyse the encryption context
+to provide logical controls and additional metadata.
+
+https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+
+This example shows how to create a custom cryptographic materials manager (CMM)
+that requires a particular field in any encryption context.
+"""
+import aws_encryption_sdk
+from aws_encryption_sdk.keyrings.aws_kms import KmsKeyring
+from aws_encryption_sdk.keyrings.base import Keyring
+from aws_encryption_sdk.materials_managers import (
+    DecryptionMaterials,
+    DecryptionMaterialsRequest,
+    EncryptionMaterials,
+    EncryptionMaterialsRequest,
+)
+from aws_encryption_sdk.materials_managers.base import CryptoMaterialsManager
+from aws_encryption_sdk.materials_managers.default import DefaultCryptoMaterialsManager
+
+
+class MissingClassificationError(Exception):
+    """Indicates that an encryption context was found that lacked a classification identifier."""
+
+
+class ClassificationRequiringCryptoMaterialsManager(CryptoMaterialsManager):
+    """Only allow requests when the encryption context contains a classification identifier."""
+
+    def __init__(self, keyring):
+        # type: (Keyring) -> None
+        """Set up the inner cryptographic materials manager using the provided keyring.
+
+        :param Keyring keyring: Keyring to use in the inner cryptographic materials manager
+        """
+        self._classification_field = "classification"
+        self._classification_error = MissingClassificationError("Encryption context does not contain classification!")
+        self._cmm = DefaultCryptoMaterialsManager(keyring=keyring)
+
+    def get_encryption_materials(self, request):
+        # type: (EncryptionMaterialsRequest) -> EncryptionMaterials
+        """Block any requests that do not contain a classification identifier in the encryption context."""
+        if self._classification_field not in request.encryption_context:
+            raise self._classification_error
+
+        return self._cmm.get_encryption_materials(request)
+
+    def decrypt_materials(self, request):
+        # type: (DecryptionMaterialsRequest) -> DecryptionMaterials
+        """Block any requests that do not contain a classification identifier in the encryption context."""
+        if self._classification_field not in request.encryption_context:
+            raise self._classification_error
+
+        return self._cmm.decrypt_materials(request)
+
+
+def run(aws_kms_cmk, source_plaintext):
+    # type: (str, bytes) -> None
+    """Demonstrate an encrypt/decrypt cycle using a KMS keyring with a single CMK.
+
+    :param str aws_kms_cmk: The ARN of an AWS KMS CMK that protects data keys
+    :param bytes source_plaintext: Plaintext to encrypt
+    """
+    # Prepare your encryption context.
+    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+    encryption_context = {
+        "encryption": "context",
+        "is not": "secret",
+        "but adds": "useful metadata",
+        "that can help you": "be confident that",
+        "the data you are handling": "is what you think it is",
+    }
+
+    # Create the keyring that determines how your data keys are protected.
+    keyring = KmsKeyring(generator_key_id=aws_kms_cmk)
+
+    # Create the filtering cryptographic materials manager using your keyring.
+    cmm = ClassificationRequiringCryptoMaterialsManager(keyring=keyring)
+
+    # Demonstrate that the filtering CMM will not let you encrypt without a classification identifier.
+    try:
+        aws_encryption_sdk.encrypt(
+            source=source_plaintext, encryption_context=encryption_context, materials_manager=cmm,
+        )
+    except MissingClassificationError:
+        # Your encryption context did not contain a classification identifier.
+        # Reaching this point means everything is working as expected.
+        pass
+    else:
+        # The filtering CMM keeps this from happening.
+        raise AssertionError("The filtering CMM does not let this happen!")
+
+    # Encrypt your plaintext data.
+    classified_ciphertext, _encrypt_header = aws_encryption_sdk.encrypt(
+        source=source_plaintext,
+        encryption_context=dict(classification="secret", **encryption_context),
+        materials_manager=cmm,
+    )
+
+    # Demonstrate that the ciphertext and plaintext are different.
+    assert classified_ciphertext != source_plaintext
+
+    # Decrypt your encrypted data using the same cryptographic materials manager you used on encrypt.
+    #
+    # You do not need to specify the encryption context on decrypt
+    # because the header of the encrypted message includes the encryption context.
+    decrypted, decrypt_header = aws_encryption_sdk.decrypt(source=classified_ciphertext, materials_manager=cmm)
+
+    # Demonstrate that the decrypted plaintext is identical to the original plaintext.
+    assert decrypted == source_plaintext
+
+    # Verify that the encryption context used in the decrypt operation includes
+    # the encryption context that you specified when encrypting.
+    # The AWS Encryption SDK can add pairs, so don't require an exact match.
+    #
+    # In production, always use a meaningful encryption context.
+    assert set(encryption_context.items()) <= set(decrypt_header.encryption_context.items())
+
+    # Now demonstrate the decrypt path of the filtering cryptographic materials manager.
+
+    # Encrypt your plaintext using the keyring and do not include a classification identifier.
+    unclassified_ciphertext, encrypt_header = aws_encryption_sdk.encrypt(
+        source=source_plaintext, encryption_context=encryption_context, keyring=keyring
+    )
+
+    assert "classification" not in encrypt_header.encryption_context
+
+    # Demonstrate that the filtering CMM will not let you decrypt messages without classification identifiers.
+    try:
+        aws_encryption_sdk.decrypt(source=unclassified_ciphertext, materials_manager=cmm)
+    except MissingClassificationError:
+        # Your encryption context did not contain a classification identifier.
+        # Reaching this point means everything is working as expected.
+        pass
+    else:
+        # The filtering CMM keeps this from happening.
+        raise AssertionError("The filtering CMM does not let this happen!")