
Commit 0d21816

refactor: Remove keyring trace (#291)
* refactor: Remove keyring trace
* chore: run autoformat
* chore: Make linters happy
* Update src/aws_encryption_sdk/__init__.py
  Co-authored-by: Matt Bullock <bullocm@amazon.com>
* Update src/aws_encryption_sdk/__init__.py
  Co-authored-by: Matt Bullock <bullocm@amazon.com>
* Update src/aws_encryption_sdk/keyrings/aws_kms/__init__.py
  Co-authored-by: Matt Bullock <bullocm@amazon.com>
* Update src/aws_encryption_sdk/keyrings/aws_kms/__init__.py
  Co-authored-by: Matt Bullock <bullocm@amazon.com>
* Apply suggestions from code review
  Co-authored-by: Matt Bullock <bullocm@amazon.com>

Co-authored-by: Matt Bullock <bullocm@amazon.com>
1 parent 4705fa5 commit 0d21816


19 files changed

+98
-667
lines changed


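--- a/src/aws_encryption_sdk/__init__.py
+++ b/src/aws_encryption_sdk/__init__.py
@@ -28,10 +28,10 @@ def encrypt(**kwargs):
 When using this function, the entire ciphertext message is encrypted into memory before returning
 any data. If streaming is desired, see :class:`aws_encryption_sdk.stream`.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 The *keyring* parameter.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 For backwards compatibility,
 the new :class:`CryptoResult` return value also unpacks like a 2-member tuple.
@@ -80,16 +80,15 @@ def encrypt(**kwargs):
 :param algorithm: Algorithm to use for encryption
 :type algorithm: aws_encryption_sdk.identifiers.Algorithm
 :param int frame_length: Frame length in bytes
-:returns: Encrypted message, message metadata (header), and keyring trace
+:returns: Encrypted message and message metadata (header)
 :rtype: CryptoResult
 """
 with StreamEncryptor(**kwargs) as encryptor:
 ciphertext = encryptor.read()
 
 header_copy = copy.deepcopy(encryptor.header)
-keyring_trace_copy = copy.deepcopy(encryptor.keyring_trace)
 
-return CryptoResult(result=ciphertext, header=header_copy, keyring_trace=keyring_trace_copy)
+return CryptoResult(result=ciphertext, header=header_copy)
 
 
 def decrypt(**kwargs):
@@ -99,10 +98,10 @@ def decrypt(**kwargs):
 When using this function, the entire ciphertext message is decrypted into memory before returning
 any data. If streaming is desired, see :class:`aws_encryption_sdk.stream`.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 The *keyring* parameter.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 For backwards compatibility,
 the new :class:`CryptoResult` return value also unpacks like a 2-member tuple.
@@ -142,16 +141,15 @@ def decrypt(**kwargs):
 
 :param int max_body_length: Maximum frame size (or content length for non-framed messages)
 in bytes to read from ciphertext message.
-:returns: Decrypted plaintext, message metadata (header), and keyring trace
+:returns: Decrypted plaintext and message metadata (header)
 :rtype: CryptoResult
 """
 with StreamDecryptor(**kwargs) as decryptor:
 plaintext = decryptor.read()
 
 header_copy = copy.deepcopy(decryptor.header)
-keyring_trace_copy = copy.deepcopy(decryptor.keyring_trace)
 
-return CryptoResult(result=plaintext, header=header_copy, keyring_trace=keyring_trace_copy)
+return CryptoResult(result=plaintext, header=header_copy)
 
 
 def stream(**kwargs):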

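--- a/src/aws_encryption_sdk/exceptions.py
+++ b/src/aws_encryption_sdk/exceptions.py
@@ -43,13 +43,6 @@ class InvalidDataKeyError(AWSEncryptionSDKClientError):
 """Exception class for Invalid Data Keys."""
 
 
-class InvalidKeyringTraceError(AWSEncryptionSDKClientError):
-"""Exception class for invalid Keyring Traces.
-
-.. versionadded:: 1.5.0
-"""
-
-
 class InvalidProviderIdError(AWSEncryptionSDKClientError):
 """Exception class for Invalid Provider IDs."""
 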

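--- a/src/aws_encryption_sdk/identifiers.py
+++ b/src/aws_encryption_sdk/identifiers.py
@@ -14,7 +14,6 @@
 import struct
 from enum import Enum
 
-import attr
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
 from cryptography.hazmat.primitives.ciphers import algorithms, modes
@@ -329,27 +328,3 @@ class ContentAADString(Enum):
 FRAME_STRING_ID = b"AWSKMSEncryptionClient Frame"
 FINAL_FRAME_STRING_ID = b"AWSKMSEncryptionClient Final Frame"
 NON_FRAMED_STRING_ID = b"AWSKMSEncryptionClient Single Block"
-
-
-class KeyringTraceFlag(Enum):
-"""KeyRing Trace actions."""
-
-@attr.s
-class KeyringTraceFlagValue(object):
-"""Keyring trace flags do not have defined serializable values."""
-
-name = attr.ib()
-
-#: A flag to represent that a keyring has generated a plaintext data key.
-GENERATED_DATA_KEY = KeyringTraceFlagValue("GENERATED_DATA_KEY")
-#: A flag to represent that a keyring has created an encrypted data key.
-ENCRYPTED_DATA_KEY = KeyringTraceFlagValue("ENCRYPTED_DATA_KEY")
-#: A flag to represent that a keyring has obtained
-#: the corresponding plaintext data key from an encrypted data key.
-DECRYPTED_DATA_KEY = KeyringTraceFlagValue("DECRYPTED_DATA_KEY")
-#: A flag to represent that the keyring has cryptographically
-#: bound the encryption context to a newly created encrypted data key.
-SIGNED_ENCRYPTION_CONTEXT = KeyringTraceFlagValue("SIGNED_ENCRYPTION_CONTEXT")
-#: A flag to represent that the keyring has verified that an encrypted
-#: data key was originally created with a particular encryption context.
-VERIFIED_ENCRYPTION_CONTEXT = KeyringTraceFlagValue("VERIFIED_ENCRYPTION_CONTEXT")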

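--- a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py
+++ b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 """Keyring for use with AWS Key Management Service (KMS).
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 """
 import logging
@@ -17,7 +17,7 @@
 from aws_encryption_sdk.keyrings.base import Keyring
 from aws_encryption_sdk.keyrings.multi import MultiKeyring
 from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials
-from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, KeyringTraceFlag, MasterKeyInfo, RawDataKey
+from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey
 
 from .client_suppliers import DefaultClientSupplier
 
@@ -34,9 +34,6 @@
 __all__ = ("AwsKmsKeyring", "KEY_NAMESPACE")
 
 _LOGGER = logging.getLogger(__name__)
-_GENERATE_FLAGS = {KeyringTraceFlag.GENERATED_DATA_KEY}
-_ENCRYPT_FLAGS = {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT}
-_DECRYPT_FLAGS = {KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT}
 
 #: Key namespace used for all encrypted data keys created by the KMS keyring.
 KEY_NAMESPACE = "aws-kms"
@@ -78,7 +75,7 @@ class AwsKmsKeyring(Keyring):
 .. _discovery mode:
 https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html#kms-keyring-discovery
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 :param ClientSupplier client_supplier: Client supplier that provides AWS KMS clients (optional)
 :param bool is_discovery: Should this be a discovery keyring (optional)
@@ -166,7 +163,7 @@ class _AwsKmsSingleCmkKeyring(Keyring):
 This keyring should never be used directly.
 It should only ever be used internally by :class:`AwsKmsKeyring`.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 :param str key_id: CMK key ID
 :param ClientSupplier client_supplier: Client supplier to use when asking for clients
@@ -182,7 +179,6 @@ class _AwsKmsSingleCmkKeyring(Keyring):
 
 def on_encrypt(self, encryption_materials):
 # type: (EncryptionMaterials) -> EncryptionMaterials
-trace_info = MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id)
 new_materials = encryption_materials
 try:
 if new_materials.data_encryption_key is None:
@@ -193,10 +189,7 @@ def on_encrypt(self, encryption_materials):
 algorithm=new_materials.algorithm,
 grant_tokens=self._grant_tokens,
 )
-new_materials = new_materials.with_data_encryption_key(
-data_encryption_key=plaintext_key,
-keyring_trace=KeyringTrace(wrapping_key=trace_info, flags=_GENERATE_FLAGS),
-)
+new_materials = new_materials.with_data_encryption_key(data_encryption_key=plaintext_key)
 else:
 encrypted_key = _do_aws_kms_encrypt(
 client_supplier=self._client_supplier,
@@ -207,13 +200,13 @@ def on_encrypt(self, encryption_materials):
 )
 except Exception: # pylint: disable=broad-except
 # We intentionally WANT to catch all exceptions here
-message = "Unable to generate or encrypt data key using {}".format(trace_info)
+message = "Unable to generate or encrypt data key using {}".format(
+MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id)
+)
 _LOGGER.exception(message)
 raise EncryptKeyError(message)
 
-return new_materials.with_encrypted_data_key(
-encrypted_data_key=encrypted_key, keyring_trace=KeyringTrace(wrapping_key=trace_info, flags=_ENCRYPT_FLAGS)
-)
+return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_key)
 
 def on_decrypt(self, decryption_materials, encrypted_data_keys):
 # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials
@@ -244,7 +237,7 @@ class _AwsKmsDiscoveryKeyring(Keyring):
 This keyring should never be used directly.
 It should only ever be used internally by :class:`AwsKmsKeyring`.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 :param ClientSupplier client_supplier: Client supplier to use when asking for clients
 :param List[str] grant_tokens: AWS KMS grant tokens to include in requests (optional)
@@ -285,7 +278,7 @@ def _try_aws_kms_decrypt(client_supplier, decryption_materials, grant_tokens, en
 
 Any errors encountered are caught and logged.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 """
 try:
@@ -301,10 +294,7 @@ def _try_aws_kms_decrypt(client_supplier, decryption_materials, grant_tokens, en
 _LOGGER.exception("Unable to decrypt encrypted data key from %s", encrypted_data_key.key_provider)
 return decryption_materials
 
-return decryption_materials.with_data_encryption_key(
-data_encryption_key=plaintext_key,
-keyring_trace=KeyringTrace(wrapping_key=encrypted_data_key.key_provider, flags=_DECRYPT_FLAGS),
-)
+return decryption_materials.with_data_encryption_key(data_encryption_key=plaintext_key)
 
 
 def _do_aws_kms_decrypt(client_supplier, key_name, encrypted_data_key, encryption_context, grant_tokens):
@@ -313,7 +303,7 @@ def _do_aws_kms_decrypt(client_supplier, key_name, encrypted_data_key, encryptio
 
 Any errors encountered are passed up the chain without comment.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 """
 region = _region_from_key_id(encrypted_data_key.key_provider.key_info.decode("utf-8"))
@@ -360,7 +350,7 @@ def _do_aws_kms_generate_data_key(client_supplier, key_name, encryption_context,
 
 Any errors encountered are passed up the chain without comment.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 """
 region = _region_from_key_id(key_name)
@@ -383,7 +373,7 @@ def _region_from_key_id(key_id):
 
 If the region cannot be found, ``None`` is returned instead.
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 """
 parts = key_id.split(":", 4)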
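Review bot: The `except Exception` handler in `_AwsKmsSingleCmkKeyring.on_encrypt` (new lines 203–205 of the hunk at -207) now constructs `MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id)` while it is already handling a failure; if that constructor validates its arguments (not visible here), its own exception would replace the one being reported and skip the `_LOGGER.exception` / `EncryptKeyError` path. The removed code computed this value before the `try:` as `trace_info`; keep that placement under a name that no longer implies a trace, e.g. `wrapping_key_info = MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id)` just above `try:` and `message = "Unable to generate or encrypt data key using {}".format(wrapping_key_info)` in the handler. The body of on_encrypt spans the hunks at -182, -193 and -207, and its generate branch continues outside them, so the assignment of `encrypted_key` on that path cannot be checked from this page.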

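--- a/src/aws_encryption_sdk/keyrings/raw.py
+++ b/src/aws_encryption_sdk/keyrings/raw.py
@@ -12,14 +12,14 @@
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey
 
 from aws_encryption_sdk.exceptions import EncryptKeyError, GenerateKeyError
-from aws_encryption_sdk.identifiers import EncryptionKeyType, KeyringTraceFlag, WrappingAlgorithm
+from aws_encryption_sdk.identifiers import EncryptionKeyType, WrappingAlgorithm
 from aws_encryption_sdk.internal.crypto.wrapping_keys import EncryptedData, WrappingKey
 from aws_encryption_sdk.internal.formatting.deserialize import deserialize_wrapped_key
 from aws_encryption_sdk.internal.formatting.serialize import serialize_raw_master_key_prefix, serialize_wrapped_key
 from aws_encryption_sdk.key_providers.raw import RawMasterKey
 from aws_encryption_sdk.keyrings.base import Keyring
 from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials
-from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey
+from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey
 
 try: # Python 3.5.0 and 3.5.1 have incompatible typing modules
 from typing import Iterable # noqa pylint: disable=unused-import
@@ -55,23 +55,18 @@ def _generate_data_key(
 _LOGGER.exception(error_message)
 raise GenerateKeyError("Unable to generate data encryption key.")
 
-# Create a keyring trace
-keyring_trace = KeyringTrace(wrapping_key=key_provider, flags={KeyringTraceFlag.GENERATED_DATA_KEY})
-
 # plaintext_data_key to RawDataKey
 data_encryption_key = RawDataKey(key_provider=key_provider, data_key=plaintext_data_key)
 
-return encryption_materials.with_data_encryption_key(
-data_encryption_key=data_encryption_key, keyring_trace=keyring_trace
-)
+return encryption_materials.with_data_encryption_key(data_encryption_key=data_encryption_key,)
 
 
 @attr.s
 class RawAESKeyring(Keyring):
 """Generate an instance of Raw AES Keyring which encrypts using AES-GCM algorithm using wrapping key provided as a
 byte array
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 :param str key_namespace: String defining the keyring.
 
@@ -175,13 +170,7 @@ def on_encrypt(self, encryption_materials):
 _LOGGER.exception(error_message)
 raise EncryptKeyError(error_message)
 
-# Update Keyring Trace
-keyring_trace = KeyringTrace(
-wrapping_key=self._key_provider,
-flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT},
-)
-
-return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key, keyring_trace=keyring_trace)
+return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key)
 
 def on_decrypt(self, decryption_materials, encrypted_data_keys):
 # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials
@@ -228,18 +217,10 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys):
 # until it either succeeds or runs out of encrypted data keys.
 continue
 
-# Create a keyring trace
-keyring_trace = KeyringTrace(
-wrapping_key=self._key_provider,
-flags={KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT},
-)
-
 # Update decryption materials
 data_encryption_key = RawDataKey(key_provider=self._key_provider, data_key=plaintext_data_key)
 
-return new_materials.with_data_encryption_key(
-data_encryption_key=data_encryption_key, keyring_trace=keyring_trace
-)
+return new_materials.with_data_encryption_key(data_encryption_key=data_encryption_key)
 
 return new_materials
 
@@ -249,7 +230,7 @@ class RawRSAKeyring(Keyring):
 """Generate an instance of Raw RSA Keyring which performs asymmetric encryption and decryption using public
 and private keys provided
 
-.. versionadded:: 1.5.0
+.. versionadded:: 2.0.0
 
 :param str key_namespace: String defining the keyring ID
 
@@ -421,11 +402,8 @@ def on_encrypt(self, encryption_materials):
 _LOGGER.exception(error_message)
 raise EncryptKeyError(error_message)
 
-# Update Keyring Trace
-keyring_trace = KeyringTrace(wrapping_key=self._key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY})
-
 # Add encrypted data key to encryption_materials
-return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key, keyring_trace=keyring_trace)
+return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key)
 
 def on_decrypt(self, decryption_materials, encrypted_data_keys):
 # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials
@@ -465,14 +443,9 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys):
 # until it either succeeds or runs out of encrypted data keys.
 continue
 
-# Create a keyring trace
-keyring_trace = KeyringTrace(wrapping_key=self._key_provider, flags={KeyringTraceFlag.DECRYPTED_DATA_KEY})
-
 # Update decryption materials
 data_encryption_key = RawDataKey(key_provider=self._key_provider, data_key=plaintext_data_key)
 
-return new_materials.with_data_encryption_key(
-data_encryption_key=data_encryption_key, keyring_trace=keyring_trace
-)
+return new_materials.with_data_encryption_key(data_encryption_key=data_encryption_key)
 
 return new_materials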
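Review bot: The new return in `_generate_data_key` (line 61 of the hunk at -55) keeps a stray trailing comma in a single-argument call, `with_data_encryption_key(data_encryption_key=data_encryption_key,)`, which the other four rewritten calls in this file do not have; depending on the formatter version that comma is treated as a "magic trailing comma" and the next autoformat will explode this one call across lines while leaving its siblings alone. Drop it so all five sites read the same: `return encryption_materials.with_data_encryption_key(data_encryption_key=data_encryption_key)`. The definition of `_generate_data_key` starts above the hunk, and the `with_data_encryption_key` / `with_encrypted_data_key` builders whose `keyring_trace` argument is being dropped live in materials_managers, outside this page, so the matching signature change is presumably among the other changed files but cannot be confirmed here.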
