fix(raw-keyrings): Raise when passed a key_namespace of "aws-kms"

src/aws_encryption_sdk/keyrings/raw.py

@@ -74,6 +74,10 @@ class RawAESKeyring(Keyring):
     .. versionadded:: 1.5.0
 
     :param str key_namespace: String defining the keyring.
+
+    .. note::
+        key_namespace MUST NOT equal "aws-kms".
+
     :param bytes key_name: Key ID
     :param bytes wrapping_key: Encryption key with which to wrap plaintext data key.
 
@@ -98,6 +102,9 @@ def __attrs_post_init__(self):
             )
         }
 
+        if self.key_namespace == "aws-kms":
+            raise ValueError('Key namespace MUST NOT be "aws-kms"')
+
         try:
             self._wrapping_algorithm = key_size_to_wrapping_algorithm[len(self._wrapping_key)]
         except KeyError:
@@ -245,6 +252,10 @@ class RawRSAKeyring(Keyring):
     .. versionadded:: 1.5.0
 
     :param str key_namespace: String defining the keyring ID
+
+    .. note::
+        key_namespace MUST NOT equal "aws-kms".
+
     :param bytes key_name: Key ID
     :param cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey private_wrapping_key:
         Private encryption key with which to wrap plaintext data key (optional)
@@ -280,6 +291,9 @@ def __attrs_post_init__(self):
         """Prepares initial values not handled by attrs."""
         self._key_provider = MasterKeyInfo(provider_id=self.key_namespace, key_info=self.key_name)
 
+        if self.key_namespace == "aws-kms":
+            raise ValueError('Key namespace MUST NOT be "aws-kms"')
+
         if self._public_wrapping_key is None and self._private_wrapping_key is None:
             raise TypeError("At least one of public key or private key must be provided.")
 

test/functional/keyrings/raw/test_raw_aes.py

@@ -179,3 +179,19 @@ def test_key_info_prefix_vectors(wrapping_algorithm):
         )
         == _KEY_ID + b"\x00\x00\x00\x80\x00\x00\x00\x0c"
     )
+
+
+def test_must_not_accept_aws_kms():
+
+    # Initializing attributes
+    key_namespace = "aws-kms"
+    key_name = _KEY_ID
+
+    # Attempt to instantiate a raw AES keyring
+    with pytest.raises(ValueError) as excinfo:
+        RawAESKeyring(
+            key_namespace=key_namespace, key_name=key_name, wrapping_key=_WRAPPING_KEY,
+        )
+
+    # Check the error message
+    excinfo.match('Key namespace MUST NOT be "aws-kms"')

test/functional/keyrings/raw/test_raw_rsa.py

@@ -371,3 +371,18 @@ def test_keypair_must_match():
         )
 
     excinfo.match("Private and public wrapping keys MUST be from the same keypair.")
+
+
+def test_must_not_accept_aws_kms():
+    bad_key_namespace = "aws-kms"
+
+    with pytest.raises(ValueError) as excinfo:
+        RawRSAKeyring(
+            key_namespace=bad_key_namespace,
+            key_name=_KEY_ID,
+            wrapping_algorithm=_WRAPPING_ALGORITHM,
+            private_wrapping_key=_PRIVATE_WRAPPING_KEY,
+            public_wrapping_key=_PUBLIC_WRAPPING_KEY,
+        )
+
+    excinfo.match('Key namespace MUST NOT be "aws-kms"')