fix(Examples): Validate EC on decrypt #697
This looks good overall.
Two things:
First, do we not want to make the changes of providing the encryption context during decrypt in other migration examples? For instance:
- migration_raw_rsa_key_example.py
- migration_raw_aes_key_example.py
- migration_aws_kms_key_example.py
I think we should, to point out explicitly that they should provide the encryption context while calling decrypt.
Second, I left another comment about the wording of the comment when providing encryption context.
# Verify that the encryption context in the result contains the
# encryption context supplied to the encrypt method
According to Ryan, we want to tell the customer to always provide the encryption context during decrypt. I wonder if it'll be better if we remove the word "Verify" and just say "Enter the encryption context supplied to the encrypt method".
Same goes for Line #192 in this file and all other examples.
Updated, I slightly preferred "Provide" instead of "Enter"
Good catch on migration examples, I updated those to supply EC on decrypt if decrypting with keyring.
I also added manual EC validation if decrypting with MKP since MKPs don't support EC validation on decrypt.
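The manual encryption context check mentioned in the reply above, sketched as an added example that is not code from this pull request or from the project. `fake_mkp_decrypt` is a hypothetical stand-in for a master-key-provider decrypt call, assumed to return `(plaintext, header)` with the message's context on `header.encryption_context`; all sample values are constructed.

```python
from types import SimpleNamespace

# Constructed sample values; none of these come from the pull request.
EXPECTED_EC = {"purpose": "example", "tenant": "alpha"}


class EncryptionContextMismatch(Exception):
    """The decrypted message's encryption context lacks an expected pair."""


def validate_encryption_context(expected, actual):
    """Require every expected key/value pair to be present in `actual`.

    A subset check rather than equality, because the message's stored
    context may hold additional pairs (the SDK adds a reserved
    aws-crypto-public-key entry for signing algorithm suites).
    """
    missing = sorted(k for k in expected if k not in actual)
    changed = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    if missing or changed:
        raise EncryptionContextMismatch(
            f"missing keys: {missing}; mismatched values for keys: {changed}"
        )


def fake_mkp_decrypt(ciphertext, stored_ec):
    """Hypothetical stand-in for a master-key-provider decrypt call.

    Assumption: like the SDK's decrypt, it returns (plaintext, header)
    and the header exposes the message's `encryption_context`.
    """
    return b"plaintext:" + ciphertext, SimpleNamespace(encryption_context=dict(stored_ec))


def decrypt_with_manual_ec_check(ciphertext, stored_ec, expected_ec):
    """Decrypt, then refuse to return plaintext unless the context matches."""
    plaintext, header = fake_mkp_decrypt(ciphertext, stored_ec)
    validate_encryption_context(expected_ec, header.encryption_context)
    return plaintext


if __name__ == "__main__":
    stored = {**EXPECTED_EC, "aws-crypto-public-key": "constructed-value"}
    print(decrypt_with_manual_ec_check(b"msg", stored, EXPECTED_EC))
```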
very small nit: I would change the name of the encrypted header, e.g., enc_header_mkp to encrypted_header_mkp just because we have the decrypted header variable as decrypted_header_keyring_using_mkp. However, it's not a big thing if we keep this as is.
Otherwise this LGTM. Approved.
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: