Keyring materials #163
Keyring materials #163
Conversation
|
@seebees @lizroth Something that occurred to me working through this: The way I am maintaining the keyring trace currently is via a list containing I'm inclined to say now that it would be better to instead maintain this as a map of Thoughts? |
| algorithm=None, | ||
| data_encryption_key=None, | ||
| encrypted_data_keys=None, | ||
| encryption_context=None, |
There was a problem hiding this comment.
I chose not to include the Encryption Context in the material. I did this because the top level caller must have the encryption context. I'm not saying we should remove it, just that it is slightly different.
There was a problem hiding this comment.
IMO we should include the encryption context so that it is more directly bound.
Specifically, the encryption context that needs to be used as part of these encryption materials, as possibly distinct from the encryption context that was written in the encrypted message.
There was a problem hiding this comment.
encryption context that needs to be used as part of these encryption materials
That is the part that convinces me :)
I can get down with this. The part I don't like is that the material is created by the CMM, when is the encryption context set? The best time would be when the material is created. Otherwise I have to work to distinguish between "no encryption context" and "encryption context has not yet been set so these material are not yet valid"
There was a problem hiding this comment.
The part I don't like is that the material is created by the CMM
This is explicitly part of the CMM contract: any CMM MAY modify the encryption context in either direction.
when is the encryption context set?
On initial creation of materials. The keyring MUST not modify the encryption context.
There was a problem hiding this comment.
Good, I'm cool with "initial creation of materials". But once a CMM creates materials, downstream CMM's can ~not change the Encryption Context... Or they have to re-create materials and clone things over.
i.e. this make is tedious to send an encryption context to the KMS keyring, but not return that encryption context to be serialized into the message format.
There was a problem hiding this comment.
Or they have to re-create materials and clone things over.
This. CMMs MAY modify the encryption context. They also MAY return whatever encryption/decryption materials that they deem appropriate. That MAY include a CMM layer that creates new materials based in part, whole, or not at all, on the materials returned from an underlying CMM.
…ed to EncryptionMaterials
| @@ -328,3 +328,13 @@ class ContentAADString(Enum): | |||
| FRAME_STRING_ID = b"AWSKMSEncryptionClient Frame" | |||
| FINAL_FRAME_STRING_ID = b"AWSKMSEncryptionClient Final Frame" | |||
| NON_FRAMED_STRING_ID = b"AWSKMSEncryptionClient Single Block" | |||
|
|
|||
|
|
|||
| class KeyringTraceFlag(Enum): | |||
There was a problem hiding this comment.
My spidey sense is tingling that we're going to hit an assumption impedance mismatch down the road between this being an incrementing integer enum here and bit fields in C https://github.com/aws/aws-encryption-sdk-c/blob/969c71d7b48a9c48e00a3ec8bc420c245681bab9/include/aws/cryptosdk/keyring_trace.h#L56
Have we hashed this out in the specification yet? Is there a good reason not to keep consistent keyring trace definition and value mappings across implementations?
There was a problem hiding this comment.
JS does the bit flag thing because I copied C. I don't much like the bit flag because people will not understand it.
While I can get behind your "specification" point, I'm not sure that this is strictly a specification thing. Knowing what wrapping key did what should be, but how this is recorded?
There was a problem hiding this comment.
We haven't touched on this yet in the spec, no.
My general take on this is that we have not really been defining this as a thing that should be passed around between implementations, but instead have been defining it as a thing that is used as a unique reference within an implementation.
Talking with the folks who worked on the C client, the reason for using the bitshift values was for simple storage and comparison in a world where you lack things like sets.
I guess it wouldn't hurt anything to set the values to those bit-shift values just in case we want to use them later, and make the decision on if we do or not when we get to that point with the spec.
There was a problem hiding this comment.
While I can get behind your "specification" point, I'm not sure that this is strictly a specification thing. Knowing what wrapping key did what should be, but how this is recorded?
I think the question is more: "is this a value that we want to expose in any artifact that might cross implementations?"
We have precedent for values like this in, for example, the cache entry identifier and encryption context sorting order.
There was a problem hiding this comment.
We have precedent for values like this...
Then I vote bit flags all the way down.
| def keyring_trace(self): | ||
| """Return a read-only version of the keyring trace. | ||
|
|
||
| :rtype: tuple |
There was a problem hiding this comment.
Is this for immutability only? What are we trying to protect against? The return below is a shallow copy, right?
There was a problem hiding this comment.
What I'm trying to do here (and with Encryptionmaterials.encrypted_data_keys) is to remove the easy path for people to modify the encrypted data keys or keyring trace directly without going through the add_ methods.
The reason for this is to make it harder for people to add one without the other.
…add_data_encryption_key can be called
…but no data_encryption_key
I agree. |
|
|
||
| return True | ||
|
|
||
| def add_data_encryption_key(self, data_encryption_key, keyring_trace): |
There was a problem hiding this comment.
Re: #163 (comment)
I think a comment about why the keyring trace is here? Maybe it will resolve the other convo?
I've actually been oscillating the other way on this. Mainly because: if a keyring does the same action twice, how should that be recorded in the trace? We can leave this for resolution after this PR; the write API on the materials will not change, just the read API, which will not affect the other ongoing keyring development. |
|
Looks like something in |
…ted_data_keys to tuple
|
Per offline conversation, changing |
|
AppVeyor is failing install on 2.7 and 3.4, but that looks unrelated to these changes to me so since this is not going into master yet anyway I'm inclined to merge this now to unblock the rest of the keyring work. |
Description of changes:
Update Encryption/Decryption materials and create Keyring traces in preparation for Keyring work.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.