From 8ec55d209350f00e36bf6ec94fc861ad77b0c34a Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 7 Oct 2024 13:59:59 -0700
Subject: [PATCH 1/3] chore(examples): fix comments

---
examples/src/aws_kms_discovery_keyring_example.py | 5 ++---
examples/src/aws_kms_discovery_multi_keyring_example.py | 3 +--
examples/src/aws_kms_keyring_example.py | 3 +--
examples/src/aws_kms_mrk_discovery_keyring_example.py | 3 +--
examples/src/aws_kms_mrk_discovery_multi_keyring_example.py | 3 +--
examples/src/aws_kms_mrk_keyring_example.py | 3 +--
examples/src/aws_kms_mrk_multi_keyring_example.py | 5 ++---
examples/src/aws_kms_rsa_keyring_example.py | 3 +--
.../src/default_cryptographic_materials_manager_example.py | 3 +--
examples/src/file_streaming_example.py | 3 +--
.../src/migration/migration_set_commitment_policy_example.py | 3 +--
examples/src/raw_aes_keyring_example.py | 3 +--
examples/src/raw_rsa_keyring_example.py | 5 ++---
examples/src/set_encryption_algorithm_suite_example.py | 3 +--
14 files changed, 17 insertions(+), 31 deletions(-)

diff --git a/examples/src/aws_kms_discovery_keyring_example.py b/examples/src/aws_kms_discovery_keyring_example.py
index cef894360..0ab2eea59 100644
--- a/examples/src/aws_kms_discovery_keyring_example.py
+++ b/examples/src/aws_kms_discovery_keyring_example.py
@@ -23,9 +23,8 @@ with an encryption context. This encrypted ciphertext is then decrypted using the Discovery keyring. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA -4. Decryption is only possible if the Discovery Keyring contains the correct AWS Account ID's to +2. Decrypted plaintext value matches EXAMPLE_DATA +3. Decryption is only possible if the Discovery Keyring contains the correct AWS Account ID's to which the KMS key used for encryption belongs These sanity checks are for demonstration in the example only. You do not need these in your code. diff --git a/examples/src/aws_kms_discovery_multi_keyring_example.py b/examples/src/aws_kms_discovery_multi_keyring_example.py index 82454cc34..d07d499b2 100644 --- a/examples/src/aws_kms_discovery_multi_keyring_example.py +++ b/examples/src/aws_kms_discovery_multi_keyring_example.py @@ -22,8 +22,7 @@ with an encryption context. This encrypted ciphertext is then decrypted using the Discovery Multi keyring. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. For more information on how to use KMS Discovery keyrings, see diff --git a/examples/src/aws_kms_keyring_example.py b/examples/src/aws_kms_keyring_example.py index 5b07e5210..dc18dadc2 100644 --- a/examples/src/aws_kms_keyring_example.py +++ b/examples/src/aws_kms_keyring_example.py 
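Review bot: Dropping item 2 ("Encryption context is correct in the decrypted message header") leaves this docstring describing an encrypt "with an encryption context" while saying nothing about how that context is checked on decrypt, and the closing sentence "You do not need these in your code" still follows the list. A reader can take that to mean validating the encryption context is optional, which matters most for a discovery keyring because, going by this docstring, it is constrained by AWS account ID and not by a named key. If the example now passes the encryption context to the decrypt call (the code is outside this hunk, so this is an assumption), say so after the list, e.g. `The encryption context is supplied again on decrypt so the SDK can verify it; keep that verification in your code.` The same removal is made in the other thirteen docstring hunks of PATCH 1/3, and the same sentence would apply there.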
@@ -7,8 +7,7 @@ decrypt data keys. This example creates a KMS Keyring and then encrypts a custom input EXAMPLE_DATA with an encryption context. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. AWS KMS keyrings can be used independently or in a multi-keyring with other keyrings diff --git a/examples/src/aws_kms_mrk_discovery_keyring_example.py b/examples/src/aws_kms_mrk_discovery_keyring_example.py index fecc332f9..a93552532 100644 --- a/examples/src/aws_kms_mrk_discovery_keyring_example.py +++ b/examples/src/aws_kms_mrk_discovery_keyring_example.py @@ -21,8 +21,7 @@ with an encryption context. This encrypted ciphertext is then decrypted using an MRK Discovery keyring. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. For information about using multi-Region keys with the AWS Encryption SDK, see diff --git a/examples/src/aws_kms_mrk_discovery_multi_keyring_example.py b/examples/src/aws_kms_mrk_discovery_multi_keyring_example.py index ef02caa61..958683a19 100644 --- a/examples/src/aws_kms_mrk_discovery_multi_keyring_example.py +++ b/examples/src/aws_kms_mrk_discovery_multi_keyring_example.py 
@@ -23,8 +23,7 @@ with an encryption context. This encrypted ciphertext is then decrypted using an MRK Discovery Multi keyring. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. For information about using multi-Region keys with the AWS Encryption SDK, see diff --git a/examples/src/aws_kms_mrk_keyring_example.py b/examples/src/aws_kms_mrk_keyring_example.py index ee7f570f0..8611a6120 100644 --- a/examples/src/aws_kms_mrk_keyring_example.py +++ b/examples/src/aws_kms_mrk_keyring_example.py @@ -8,8 +8,7 @@ This example creates a KMS MRK Keyring and then encrypts a custom input EXAMPLE_DATA with an encryption context. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. AWS KMS MRK keyrings can be used independently or in a multi-keyring with other keyrings diff --git a/examples/src/aws_kms_mrk_multi_keyring_example.py b/examples/src/aws_kms_mrk_multi_keyring_example.py index 71ee0f00b..9c32affb8 100644 --- a/examples/src/aws_kms_mrk_multi_keyring_example.py +++ b/examples/src/aws_kms_mrk_multi_keyring_example.py 
@@ -14,9 +14,8 @@ Either KMS Key individually is capable of decrypting data encrypted under this keyring. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA -4. Ciphertext can be decrypted using an AwsKmsMrkKeyring containing a replica of the +2. Decrypted plaintext value matches EXAMPLE_DATA +3. Ciphertext can be decrypted using an AwsKmsMrkKeyring containing a replica of the MRK (from the multi-keyring used for encryption) copied from the first region into the second region These sanity checks are for demonstration in the example only. You do not need these in your code. diff --git a/examples/src/aws_kms_rsa_keyring_example.py b/examples/src/aws_kms_rsa_keyring_example.py index 81c613c99..e86ea6973 100644 --- a/examples/src/aws_kms_rsa_keyring_example.py +++ b/examples/src/aws_kms_rsa_keyring_example.py @@ -7,8 +7,7 @@ EXAMPLE_DATA with an encryption context. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. # For more information on how to use KMS keyrings, see diff --git a/examples/src/default_cryptographic_materials_manager_example.py b/examples/src/default_cryptographic_materials_manager_example.py index f6312e208..091e79ada 100644 --- a/examples/src/default_cryptographic_materials_manager_example.py +++ b/examples/src/default_cryptographic_materials_manager_example.py 
@@ -11,8 +11,7 @@ and we use an AWS KMS Keyring for this example. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. For more information on Cryptographic Material Managers, see diff --git a/examples/src/file_streaming_example.py b/examples/src/file_streaming_example.py index c7c3cff05..debbb6859 100644 --- a/examples/src/file_streaming_example.py +++ b/examples/src/file_streaming_example.py @@ -13,8 +13,7 @@ It then decrypts the ciphertext from `ciphertext_filename` to a new file `decrypted_filename`. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. For more information on how to use Raw AES keyrings, see diff --git a/examples/src/migration/migration_set_commitment_policy_example.py b/examples/src/migration/migration_set_commitment_policy_example.py index 5598e9575..81506e710 100644 --- a/examples/src/migration/migration_set_commitment_policy_example.py +++ b/examples/src/migration/migration_set_commitment_policy_example.py 
@@ -13,8 +13,7 @@ with an encryption context for the commitment policy FORBID_ENCRYPT_ALLOW_DECRYPT. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. For more information on setting your commitment policy, see diff --git a/examples/src/raw_aes_keyring_example.py b/examples/src/raw_aes_keyring_example.py index 8d6dd9513..a28c350ff 100644 --- a/examples/src/raw_aes_keyring_example.py +++ b/examples/src/raw_aes_keyring_example.py @@ -11,8 +11,7 @@ This example creates a Raw AES Keyring and then encrypts a custom input EXAMPLE_DATA with an encryption context. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. The Raw AES keyring encrypts data by using the AES-GCM algorithm and a wrapping key that diff --git a/examples/src/raw_rsa_keyring_example.py b/examples/src/raw_rsa_keyring_example.py index 3a47dfe8e..22101bb57 100644 --- a/examples/src/raw_rsa_keyring_example.py +++ b/examples/src/raw_rsa_keyring_example.py 
@@ -15,9 +15,8 @@ This example creates a Raw RSA Keyring and then encrypts a custom input EXAMPLE_DATA with an encryption context. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA -4. The original ciphertext is not decryptable using a keyring with a different RSA key pair +2. Decrypted plaintext value matches EXAMPLE_DATA +3. The original ciphertext is not decryptable using a keyring with a different RSA key pair These sanity checks are for demonstration in the example only. You do not need these in your code. A Raw RSA keyring that encrypts and decrypts must include an asymmetric public key and private diff --git a/examples/src/set_encryption_algorithm_suite_example.py b/examples/src/set_encryption_algorithm_suite_example.py index bbe5be58a..95c7a0938 100644 --- a/examples/src/set_encryption_algorithm_suite_example.py +++ b/examples/src/set_encryption_algorithm_suite_example.py @@ -31,8 +31,7 @@ with an encryption context and the algorithm suite AES_256_GCM_HKDF_SHA512_COMMIT_KEY. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same -2. Encryption context is correct in the decrypted message header -3. Decrypted plaintext value matches EXAMPLE_DATA +2. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. For more information on how to use Raw AES keyrings, see From 40b5707d84b8ab7b33df434e7dd0b045520a7353 Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Mon, 7 Oct 2024 15:25:41 -0700 Subject: [PATCH 2/3] fix --- examples/src/aws_kms_discovery_keyring_example.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/src/aws_kms_discovery_keyring_example.py b/examples/src/aws_kms_discovery_keyring_example.py
index 0ab2eea59..8f41bab5c 100644
--- a/examples/src/aws_kms_discovery_keyring_example.py
+++ b/examples/src/aws_kms_discovery_keyring_example.py
@@ -164,7 +164,7 @@ def encrypt_and_decrypt_with_keyring(
 assert plaintext_bytes == EXAMPLE_DATA, \
 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"

- # 11. Demonstrate that if a discovery keyring (Bob's) doesn't have the correct AWS Account ID's,
+ # 10. Demonstrate that if a discovery keyring (Bob's) doesn't have the correct AWS Account ID's,
 # the decrypt will fail with an error message
 # Note that this assumes Account ID used here ('888888888888') is different than the one used
 # during encryption
From 4e6a532556bf11ae6348aae6e9d39e7891ddee3f Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 7 Oct 2024 15:27:43 -0700
Subject: [PATCH 3/3] fix

---
examples/src/aws_kms_discovery_keyring_example.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/src/aws_kms_discovery_keyring_example.py b/examples/src/aws_kms_discovery_keyring_example.py
index 8f41bab5c..3baa668d4 100644
--- a/examples/src/aws_kms_discovery_keyring_example.py
+++ b/examples/src/aws_kms_discovery_keyring_example.py
@@ -164,8 +164,8 @@ def encrypt_and_decrypt_with_keyring(
 assert plaintext_bytes == EXAMPLE_DATA, \
 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"

- # 10. Demonstrate that if a discovery keyring (Bob's) doesn't have the correct AWS Account ID's,
- # the decrypt will fail with an error message
+ # 10. Demonstrate that if a different discovery keyring (Bob's) doesn't have the correct
+ # AWS Account ID's, the decrypt will fail with an error message
 # Note that this assumes Account ID used here ('888888888888') is different than the one used
 # during encryption
 discovery_keyring_input_bob: CreateAwsKmsDiscoveryKeyringInput = \
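Review bot: The reworded step comment still writes the plural as `AWS Account ID's` and states the failure condition indirectly; `# 10. Demonstrate that decryption fails when a different discovery keyring (Bob's)` followed by `# is not configured with the AWS account ID that owns the KMS key used for encryption` says the same thing more plainly. The comment also promises only "an error message", so it could name the exception the example expects; a step that accepts any error would also pass on an unrelated failure such as missing credentials. The code that exercises the failure starts on the last line of the hunk and continues outside it, so how it catches the error is not visible here.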