Skip to content

Keyring materials #163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 16 commits into from
Jul 11, 2019
Merged

Keyring materials #163

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
a3d947d
bump attrs to 19.1.0
mattsb42-aws Jun 21, 2019
daaacba
add keyring trace and integrate into updated encrytion/decryption mat…
mattsb42-aws Jun 21, 2019
f254e73
s/KeyRing/Keyring/g
mattsb42-aws Jun 21, 2019
f9aa29d
align cryptographic materials and add write-only interface
mattsb42-aws Jun 27, 2019
01759b9
encrypted_data_keys must only contain EncryptedDataKey
mattsb42-aws Jun 27, 2019
e8e5b82
fix test to be Python 2 compatible
mattsb42-aws Jun 27, 2019
469600c
data encryption key must be set before encrypted data keys can be add…
mattsb42-aws Jun 28, 2019
a27ff74
add signing/verification key checks to Encryption/DecryptionMaterials
mattsb42-aws Jul 2, 2019
b311cda
DecryptionMaterials.algorithm must be set before DecryptionMaterials.…
mattsb42-aws Jul 2, 2019
10ded57
update materials docs and typehints
mattsb42-aws Jul 2, 2019
4f95e53
EncryptionMaterials must not be initialized with encrypted_data_keys …
mattsb42-aws Jul 3, 2019
7302775
add is_complete properties to EncryptionMaterials and DecryptionMater…
mattsb42-aws Jul 3, 2019
f1e7f2f
change KeyringTraceFlag values to bitshifted ints to match other impl…
mattsb42-aws Jul 9, 2019
524d847
normalize EncryptionMaterials._encrypted_data_keys to list and encryp…
mattsb42-aws Jul 9, 2019
d786409
temporarily pin pydocstyle at <4.0.0 to avoid issue breaking flake8-d…
mattsb42-aws Jul 9, 2019
888fc17
temporarily cap pydocstyle at <4.0.0 for decrypt oracle
mattsb42-aws Jul 10, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions decrypt_oracle/tox.ini
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,7 @@ basepython = python3
deps =
flake8
flake8-docstrings
pydocstyle < 4.0.0
# https://github.com/JBKahn/flake8-print/pull/30
flake8-print>=3.1.0
commands =
Expand Down
2 changes: 1 addition & 1 deletion requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
boto3>=1.4.4
cryptography>=1.8.1
attrs>=17.4.0
attrs>=19.1.0
wrapt>=1.10.11
14 changes: 14 additions & 0 deletions src/aws_encryption_sdk/exceptions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,13 @@ class InvalidDataKeyError(AWSEncryptionSDKClientError):
"""Exception class for Invalid Data Keys."""


class InvalidKeyringTraceError(AWSEncryptionSDKClientError):
"""Exception class for invalid Keyring Traces.

.. versionadded:: 1.5.0
"""


class InvalidProviderIdError(AWSEncryptionSDKClientError):
"""Exception class for Invalid Provider IDs."""

Expand All @@ -73,6 +80,13 @@ class DecryptKeyError(AWSEncryptionSDKClientError):
"""Exception class for errors encountered when MasterKeys try to decrypt data keys."""


class SignatureKeyError(AWSEncryptionSDKClientError):
"""Exception class for errors encountered with signing or verification keys.

.. versionadded:: 1.5.0
"""


class ActionNotAllowedError(AWSEncryptionSDKClientError):
"""Exception class for errors encountered when attempting to perform unallowed actions."""

Expand Down
10 changes: 10 additions & 0 deletions src/aws_encryption_sdk/identifiers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -328,3 +328,13 @@ class ContentAADString(Enum):
FRAME_STRING_ID = b"AWSKMSEncryptionClient Frame"
FINAL_FRAME_STRING_ID = b"AWSKMSEncryptionClient Final Frame"
NON_FRAMED_STRING_ID = b"AWSKMSEncryptionClient Single Block"


class KeyringTraceFlag(Enum):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My spidey sense is tingling that we're going to hit an assumption impedance mismatch down the road between this being an incrementing integer enum here and bit fields in C https://github.com/aws/aws-encryption-sdk-c/blob/969c71d7b48a9c48e00a3ec8bc420c245681bab9/include/aws/cryptosdk/keyring_trace.h#L56

Have we hashed this out in the specification yet? Is there a good reason not to keep consistent keyring trace definition and value mappings across implementations?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JS does the bit flag thing because I copied C. I don't much like the bit flag because people will not understand it.
While I can get behind your "specification" point, I'm not sure that this is strictly a specification thing. Knowing what wrapping key did what should be, but how this is recorded?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We haven't touched on this yet in the spec, no.

My general take on this is that we have not really been defining this as a thing that should be passed around between implementations, but instead have been defining it as a thing that is used as a unique reference within an implementation.

Talking with the folks who worked on the C client, the reason for using the bitshift values was for simple storage and comparison in a world where you lack things like sets.

I guess it wouldn't hurt anything to set the values to those bit-shift values just in case we want to use them later, and make the decision on if we do or not when we get to that point with the spec.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I can get behind your "specification" point, I'm not sure that this is strictly a specification thing. Knowing what wrapping key did what should be, but how this is recorded?

I think the question is more: "is this a value that we want to expose in any artifact that might cross implementations?"

We have precedent for values like this in, for example, the cache entry identifier and encryption context sorting order.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have precedent for values like this...

Then I vote bit flags all the way down.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

"""KeyRing Trace actions."""

WRAPPING_KEY_GENERATED_DATA_KEY = 1
WRAPPING_KEY_ENCRYPTED_DATA_KEY = 1 << 1
WRAPPING_KEY_DECRYPTED_DATA_KEY = 1 << 2
WRAPPING_KEY_SIGNED_ENC_CTX = 1 << 3
WRAPPING_KEY_VERIFIED_ENC_CTX = 1 << 4
Loading