update key manifest to v3 and master key manifest to v2

* awslabs/aws-crypto-tools-test-vector-framework#13

Author: mattsb42-aws

test_vector_handlers/src/awses_test_vectors/manifests/keys.py

@@ -24,7 +24,6 @@
 from awses_test_vectors.internal.defaults import ENCODING
 from awses_test_vectors.internal.util import (
     dictionary_validator,
-    iterable_validator,
     membership_validator,
     validate_manifest_type,
 )
@@ -60,14 +59,16 @@ class KeySpec(object):
 
     encrypt = attr.ib(validator=attr.validators.instance_of(bool))
     decrypt = attr.ib(validator=attr.validators.instance_of(bool))
+    key_id = attr.ib(validator=attr.validators.instance_of(six.string_types))
 
-    def __init__(self, encrypt, decrypt):  # noqa=D107
-        # type: (bool, bool) -> None
+    def __init__(self, encrypt, decrypt, key_id):  # noqa=D107
+        # type: (bool, bool, str) -> None
         # Workaround pending resolution of attrs/mypy interaction.
         # https://github.com/python/mypy/issues/2088
         # https://github.com/python-attrs/attrs/issues/215
         self.encrypt = encrypt
         self.decrypt = decrypt
+        self.key_id = key_id
         attr.validate(self)
 
 
@@ -84,16 +85,14 @@ class AwsKmsKeySpec(KeySpec):
     # pylint: disable=too-few-public-methods
 
     type_name = attr.ib(validator=membership_validator(("aws-kms",)))
-    key_id = attr.ib(validator=attr.validators.instance_of(six.string_types))
 
     def __init__(self, encrypt, decrypt, type_name, key_id):  # noqa=D107
         # type: (bool, bool, str, str) -> None
         # Workaround pending resolution of attrs/mypy interaction.
         # https://github.com/python/mypy/issues/2088
         # https://github.com/python-attrs/attrs/issues/215
         self.type_name = type_name
-        self.key_id = key_id
-        super(AwsKmsKeySpec, self).__init__(encrypt, decrypt)
+        super(AwsKmsKeySpec, self).__init__(encrypt, decrypt, key_id)
 
     @property
     def manifest_spec(self):
@@ -117,6 +116,7 @@ class ManualKeySpec(KeySpec):
 
     Allowed values described in AWS Crypto Tools Test Vector Framework feature #0002 Keys Manifest.
 
+    :param str key_id: Master key ID
     :param bool encrypt: Key can be used to encrypt
     :param bool decrypt: Key can be used to decrypt
     :param str algorithm: Algorithm to use with key
@@ -134,6 +134,7 @@ class ManualKeySpec(KeySpec):
 
     def __init__(
         self,
+        key_id,  # type: str
         encrypt,  # type: bool
         decrypt,  # type: bool
         algorithm,  # type: str
@@ -151,7 +152,7 @@ def __init__(
         self.bits = bits
         self.encoding = encoding
         self.material = material
-        super(ManualKeySpec, self).__init__(encrypt, decrypt)
+        super(ManualKeySpec, self).__init__(encrypt, decrypt, key_id)
 
     @property
     def raw_material(self):
@@ -183,6 +184,7 @@ def manifest_spec(self):
             "bits": self.bits,
             "encoding": self.encoding,
             "material": self.material,
+            "key-id": self.key_id
         }
 
 
@@ -194,6 +196,7 @@ def key_from_manifest_spec(key_spec):
     :return: Loaded key
     :rtype: KeySpec
     """
+    key_id = key_spec["key-id"]  # type: str
     decrypt = key_spec["decrypt"]  # type: bool
     encrypt = key_spec["encrypt"]  # type: bool
     type_name = key_spec["type"]  # type: str
@@ -206,6 +209,7 @@ def key_from_manifest_spec(key_spec):
     encoding = key_spec["encoding"]  # type: str
     material = key_spec["material"]  # type: str
     return ManualKeySpec(
+        key_id=key_id,
         encrypt=encrypt,
         decrypt=decrypt,
         type_name=type_name,

test_vector_handlers/src/awses_test_vectors/manifests/master_key.py

@@ -50,11 +50,15 @@
     "rsa/pkcs1": WrappingAlgorithm.RSA_PKCS1,
     "rsa/oaep-mgf1/sha1": WrappingAlgorithm.RSA_OAEP_SHA1_MGF1,
     "rsa/oaep-mgf1/sha256": WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
-    # \/ not yet implemented \/
-    # 'rsa/oaep-mgf1/sha384': WrappingAlgorithm.RSA_OAEP_SHA384_MGF1,
-    # 'rsa/oaep-mgf1/sha512': WrappingAlgorithm.RSA_OAEP_SHA512_MGF1,
 }
-_NOT_YET_IMPLEMENTED = {"rsa/oaep-mgf1/sha384", "rsa/oaep-mgf1/sha512"}
+try:
+    _RAW_WRAPPING_KEY_ALGORITHMS.update({
+        'rsa/oaep-mgf1/sha384': WrappingAlgorithm.RSA_OAEP_SHA384_MGF1,
+        'rsa/oaep-mgf1/sha512': WrappingAlgorithm.RSA_OAEP_SHA512_MGF1,
+    })
+    _NOT_YET_IMPLEMENTED = {}
+except AttributeError:
+    _NOT_YET_IMPLEMENTED = {"rsa/oaep-mgf1/sha384", "rsa/oaep-mgf1/sha512"}
 _RAW_ENCRYPTION_KEY_TYPE = {
     "symmetric": EncryptionKeyType.SYMMETRIC,
     "private": EncryptionKeyType.PRIVATE,
@@ -68,18 +72,16 @@ class MasterKeySpec(object):
 
     Described in AWS Crypto Tools Test Vector Framework features #0003 and #0004.
 
-    :param str type_name:
-    :param str key_name:
-    :param str key_id:
-    :param str provider_id:
-    :param str encryption_algorithm:
-    :param str padding_algorithm:
-    :param str padding_hash:
+    :param str type_name: Master key type name
+    :param str key_name: Name of key in keys spec
+    :param str provider_id: Master key provider ID
+    :param str encryption_algorithm: Wrapping key encryption algorithm (required for raw master keys)
+    :param str padding_algorithm: Wrapping key padding algorithm (required for raw master keys)
+    :param str padding_hash: Wrapping key padding hash (required for raw master keys)
     """
 
     type_name = attr.ib(validator=membership_validator(KNOWN_TYPES))
     key_name = attr.ib(validator=attr.validators.instance_of(six.string_types))
-    key_id = attr.ib(validator=attr.validators.optional(attr.validators.instance_of(six.string_types)))
     provider_id = attr.ib(validator=attr.validators.optional(attr.validators.instance_of(six.string_types)))
     encryption_algorithm = attr.ib(validator=attr.validators.optional(membership_validator(KNOWN_ALGORITHMS)))
     padding_algorithm = attr.ib(validator=attr.validators.optional(membership_validator(KNOWN_PADDING)))
@@ -113,7 +115,6 @@ def from_scenario(cls, spec):
         return cls(
             type_name=spec["type"],
             key_name=spec["key"],
-            key_id=spec.get("key-id"),
             provider_id=spec.get("provider-id"),
             encryption_algorithm=spec.get("encryption-algorithm"),
             padding_algorithm=spec.get("padding-algorithm"),
@@ -166,19 +167,6 @@ def _wrapping_key(self, key_spec):
         key_type = _RAW_ENCRYPTION_KEY_TYPE[key_spec.type_name]
         return WrappingKey(wrapping_algorithm=algorithm, wrapping_key=material, wrapping_key_type=key_type)
 
-    def _raw_key_id(self):
-        # type: () -> str
-        """Determine the key ID value if this is a raw master key.
-
-        :returns: Correct key ID
-        :rtype: str
-        :raises TypeError: if this is not a raw master key specification
-        """
-        if not self.type_name == "raw":
-            raise TypeError("This is not a raw master key")
-
-        return self.key_id if self.key_id is not None else self.key_name
-
     def _raw_master_key_from_spec(self, key_spec):
         # type: (KeySpec) -> RawMasterKey
         """Build a raw master key using this specification.
@@ -192,8 +180,7 @@ def _raw_master_key_from_spec(self, key_spec):
             raise TypeError("This is not a raw master key")
 
         wrapping_key = self._wrapping_key(key_spec)
-        key_id = self._raw_key_id()
-        return RawMasterKey(provider_id=self.provider_id, key_id=key_id, wrapping_key=wrapping_key)
+        return RawMasterKey(provider_id=self.provider_id, key_id=key_spec.key_id, wrapping_key=wrapping_key)
 
     def _kms_master_key_from_spec(self, key_spec):
         # type: (KeySpec) -> KMSMasterKey
@@ -207,9 +194,6 @@ def _kms_master_key_from_spec(self, key_spec):
         if not self.type_name == "aws-kms":
             raise TypeError("This is not an AWS KMS master key")
 
-        if self.key_id is not None and self.key_id != key_spec.key_id:
-            raise ValueError("AWS KMS key IDs must match between master key spec and key spec")
-
         return KMS_MASTER_KEY_PROVIDER.master_key(key_id=key_spec.key_id)
 
     _MASTER_KEY_LOADERS = {"aws-kms": _kms_master_key_from_spec, "raw": _raw_master_key_from_spec}
@@ -237,7 +221,6 @@ def scenario_spec(self):
         if self.type_name != "aws-kms":
             spec.update(
                 {
-                    "key-id": self.key_id,
                     "provider-id": self.provider_id,
                     "encryption-algorithm": self.encryption_algorithm,
                     "padding-algorithm": self.padding_algorithm,