From 048a7993796a192b4090f2cfd0dc1a87a0d38ad5 Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Mon, 6 May 2024 10:01:36 -0700 Subject: [PATCH 01/16] first commit --- .../set_encryption_algorithm_example.py | 131 ++++++++++++++++++ ...test_i_set_encryption_algorithm_example.py | 13 ++ 2 files changed, 144 insertions(+) create mode 100644 examples/src/keyrings/set_encryption_algorithm_example.py create mode 100644 examples/test/keyrings/test_i_set_encryption_algorithm_example.py diff --git a/examples/src/keyrings/set_encryption_algorithm_example.py b/examples/src/keyrings/set_encryption_algorithm_example.py new file mode 100644 index 000000000..80ba924a5 --- /dev/null +++ b/examples/src/keyrings/set_encryption_algorithm_example.py 
@@ -0,0 +1,131 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+This example demonstrates how to set an encryption algorithm while using the Raw AES Keyring
+Encryption algorithms can be set in a similar manner in other keyrings as well. However,
+please make sure that you're using a logical encryption algorithm that is compatible with your
+keyring. For example, AWS KMS RSA Keyring does not support use with an algorithm suite
+containing an asymmetric signature.
+
+This example creates a Raw AES Keyring and then encrypts a custom input EXAMPLE_DATA
+with an encryption context and the algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY.
+This example also includes some sanity checks for demonstration:
+1. Ciphertext and plaintext data are not the same
+2. Encryption context is correct in the decrypted message header
+3. Decrypted plaintext value matches EXAMPLE_DATA
+These sanity checks are for demonstration in the example only. You do not need these in your code.
+
+The Raw AES keyring encrypts data by using the AES-GCM algorithm and a wrapping key that
+you specify as a byte array. You can specify only one wrapping key in each Raw AES keyring,
+but you can include multiple Raw AES keyrings, alone or with other keyrings, in a multi-keyring.
+
+For more information on how to use Raw AES keyrings, see
+https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
+"""
+import secrets
+import sys
+
+from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
+from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
+from aws_cryptographic_materialproviders.mpl.models import AesWrappingAlg, CreateRawAesKeyringInput
+from aws_cryptographic_materialproviders.mpl.references import IKeyring
+from typing import Dict
+
+import aws_encryption_sdk
+from aws_encryption_sdk import CommitmentPolicy
+from aws_encryption_sdk.identifiers import AlgorithmSuite
+
+# TODO-MPL: Remove this as part of removing PYTHONPATH hacks.
+MODULE_ROOT_DIR = '/'.join(__file__.split("/")[:-1])
+
+sys.path.append(MODULE_ROOT_DIR)
+
+EXAMPLE_DATA: bytes = b"Hello World"
+
+
+def encrypt_and_decrypt_with_keyring():
+    """Demonstrate an encrypt/decrypt cycle using a Raw AES keyring.
+
+    Usage: encrypt_and_decrypt_with_keyring()
+    """
+    # 1. Instantiate the encryption SDK client.
+    # This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
+    # which enforces that this client only encrypts using committing algorithm suites and enforces
+    # that this client will only decrypt encrypted messages that were created with a committing
+    # algorithm suite.
+    # This is the default commitment policy if you were to build the client as
+    # `client = aws_encryption_sdk.EncryptionSDKClient()`.
+    client = aws_encryption_sdk.EncryptionSDKClient(
+        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+    )
+
+    # 2. The key namespace and key name are defined by you.
+    # and are used by the Raw AES keyring to determine
+    # whether it should attempt to decrypt an encrypted data key.
+    # For more information, see
+    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
+    key_name_space = "Some managed raw keys"
+    key_name = "My 256-bit AES wrapping key"
+
+    # 3. Create encryption context.
+    # Remember that your encryption context is NOT SECRET.
+    # For more information, see
+    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+    encryption_context: Dict[str, str] = {
+        "encryption": "context",
+        "is not": "secret",
+        "but adds": "useful metadata",
+        "that can help you": "be confident that",
+        "the data you are handling": "is what you think it is",
+    }
+
+    # 4. Generate a 256-bit AES key to use with your keyring.
+    # In practice, you should get this key from a secure key management system such as an HSM.
+
+    # Here, the input to secrets.token_bytes() = 32 bytes = 256 bits
+    static_key = secrets.token_bytes(32)
+
+    # 5. Create a Raw AES keyring
+    mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
+        config=MaterialProvidersConfig()
+    )
+
+    keyring_input: CreateRawAesKeyringInput = CreateRawAesKeyringInput(
+        key_namespace=key_name_space,
+        key_name=key_name,
+        wrapping_key=static_key,
+        wrapping_alg=AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16
+    )
+
+    raw_aes_keyring: IKeyring = mat_prov.create_raw_aes_keyring(
+        input=keyring_input
+    )
+
+    # 6. Encrypt the data with the encryptionContext
+    ciphertext, _ = client.encrypt(
+        source=EXAMPLE_DATA,
+        keyring=raw_aes_keyring,
+        encryption_context=encryption_context,
+        algorithm=AlgorithmSuite.AES_256_GCM_HKDF_SHA512_COMMIT_KEY
+    )
+
+    # 7. Demonstrate that the ciphertext and plaintext are different.
+    # (This is an example for demonstration; you do not need to do this in your own code.)
+    assert ciphertext != EXAMPLE_DATA, \
+        "Ciphertext and plaintext data are the same. Invalid encryption"
+
+    # 8. Decrypt your encrypted data using the same keyring you used on encrypt.
+    plaintext_bytes, dec_header = client.decrypt(
+        source=ciphertext,
+        keyring=raw_aes_keyring
+    )
+
+    # 9. Demonstrate that the encryption context is correct in the decrypted message header
+    # (This is an example for demonstration; you do not need to do this in your own code.)
+    for k, v in encryption_context.items():
+        assert v == dec_header.encryption_context[k], \
+            "Encryption context does not match expected values"
+
+    # 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
+    # (This is an example for demonstration; you do not need to do this in your own code.)
+    assert plaintext_bytes == EXAMPLE_DATA
diff --git a/examples/test/keyrings/test_i_set_encryption_algorithm_example.py b/examples/test/keyrings/test_i_set_encryption_algorithm_example.py
new file mode 100644
index 000000000..e07316a42
--- /dev/null
+++ b/examples/test/keyrings/test_i_set_encryption_algorithm_example.py
@@ -0,0 +1,13 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Test suite for the Set Encryption Algorithm example for a Raw AES keyring."""
+import pytest
+
+from ...src.keyrings.set_encryption_algorithm_example import encrypt_and_decrypt_with_keyring
+
+pytestmark = [pytest.mark.examples]
+
+
+def test_encrypt_and_decrypt_with_keyring():
+    """Test function for setting an encryption algorithm in a Raw AES Keyring."""
+    encrypt_and_decrypt_with_keyring()
From 385edf21b6e4a0be337c0bab74de070db27e64a7 Mon Sep 17 00:00:00 2001
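Review bot: In step 9 the sanity check indexes `dec_header.encryption_context[k]`, so a key that is absent from the decrypted header surfaces as a KeyError instead of the assertion message that line carries; `assert v == dec_header.encryption_context.get(k), \` keeps the check and its message together. The same pattern appears in the new file_streaming_example.py hunk (`decryptor.header.encryption_context[k]`), so it should be fixed there in the same way. Separately, `from typing import Dict` sits inside the third-party import group; PEP 8 groups it with `secrets` and `sys`.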
From: Ritvik Kapila Date: Mon, 6 May 2024 13:12:32 -0700 Subject: [PATCH 02/16] added file streaming example; updated assertion error message in all keyrings; fixed nomenclature in hierarchical and requiredec keyring examples --- .gitignore | 5 +- .../aws_kms_discovery_keyring_example.py | 3 +- ...aws_kms_discovery_multi_keyring_example.py | 3 +- .../src/keyrings/aws_kms_keyring_example.py | 3 +- .../keyrings/aws_kms_mrk_keyring_example.py | 3 +- .../aws_kms_mrk_multi_keyring_example.py | 3 +- .../keyrings/aws_kms_multi_keyring_example.py | 9 +- .../keyrings/aws_kms_rsa_keyring_example.py | 3 +- .../src/keyrings/file_streaming_example.py | 144 ++++++++++++++++++ examples/src/keyrings/hierarchical_keyring.py | 62 ++++---- .../src/keyrings/multi_keyring_example.py | 9 +- .../src/keyrings/raw_aes_keyring_example.py | 3 +- .../src/keyrings/raw_rsa_keyring_example.py | 3 +- .../required_encryption_context_cmm.py | 14 +- .../set_encryption_algorithm_example.py | 28 +++- .../keyrings/test_i_file_streaming_example.py | 18 +++ .../test_i_raw_rsa_keyring_example.py | 24 ++- .../test_keyrings/my-decrypted-data.dat | 26 ++++ .../test_keyrings/my-encrypted-data.ct | Bin 0 -> 2782 bytes .../keyrings/test_keyrings/my-secret-data.dat | 26 ++++ .../user_private_key_file_name.pem | 51 +++++++ .../user_public_key_file_name.pem | 14 ++ 22 files changed, 382 insertions(+), 72 deletions(-) create mode 100644 examples/src/keyrings/file_streaming_example.py create mode 100644 examples/test/keyrings/test_i_file_streaming_example.py create mode 100644 examples/test/keyrings/test_keyrings/my-decrypted-data.dat create mode 100644 examples/test/keyrings/test_keyrings/my-encrypted-data.ct create mode 100644 examples/test/keyrings/test_keyrings/my-secret-data.dat create mode 100644 examples/test/keyrings/test_keyrings/user_private_key_file_name.pem create mode 100644 examples/test/keyrings/test_keyrings/user_public_key_file_name.pem 
diff --git a/.gitignore b/.gitignore index 78bc3d5b8..31e2fe66a 100644 --- a/.gitignore +++ b/.gitignore @@ -32,7 +32,10 @@ __pycache__ # PyTest .pytest_cache # Ignore key materials generated by examples or tests -test_keys/ +test_keyrings/user_public_key_file_name.pem +test_keyrings/user_private_key_file_name.pem +test_keyrings/my-encrypted-data.ct +test_keyrings/my-decrypted-data.dat # PyCharm .idea/ diff --git a/examples/src/keyrings/aws_kms_discovery_keyring_example.py b/examples/src/keyrings/aws_kms_discovery_keyring_example.py index 24dc111f1..53d9cf1e4 100644 --- a/examples/src/keyrings/aws_kms_discovery_keyring_example.py +++ b/examples/src/keyrings/aws_kms_discovery_keyring_example.py @@ -172,7 +172,8 @@ def encrypt_and_decrypt_with_keyring( # 10. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # 11. Demonstrate that if a discovery keyring (Bob's) doesn't have the correct AWS Account ID's, # the decrypt will fail with an error message diff --git a/examples/src/keyrings/aws_kms_discovery_multi_keyring_example.py b/examples/src/keyrings/aws_kms_discovery_multi_keyring_example.py index 0830ecb58..adfadec37 100644 --- a/examples/src/keyrings/aws_kms_discovery_multi_keyring_example.py +++ b/examples/src/keyrings/aws_kms_discovery_multi_keyring_example.py @@ -170,4 +170,5 @@ def encrypt_and_decrypt_with_keyring( # 10. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" 
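Review bot: The four patterns added to .gitignore contain a `/` in the middle, which makes a gitignore pattern relative to the directory holding the .gitignore file, so `test_keyrings/user_private_key_file_name.pem` at the repository root matches only `<root>/test_keyrings/...` and never `examples/test/keyrings/test_keyrings/...`; consistent with that, this commit's diffstat shows `create mode 100644` for both PEM files, the `.ct` file and the decrypted `.dat`, i.e. the private key material the rule was meant to keep out is being committed, and an ignore rule cannot remove an already-tracked path. Use the full path or a `**/` prefix, e.g. `examples/test/keyrings/test_keyrings/*.pem`, and drop the generated artifacts from the commit (`git rm --cached`) so only the rule lands. The removed `test_keys/` line should stay if any example still writes there; whether that directory is still used is not visible from this diff.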
diff --git a/examples/src/keyrings/aws_kms_keyring_example.py b/examples/src/keyrings/aws_kms_keyring_example.py index fa7ffd12f..4d04ba538 100644 --- a/examples/src/keyrings/aws_kms_keyring_example.py +++ b/examples/src/keyrings/aws_kms_keyring_example.py @@ -116,4 +116,5 @@ def encrypt_and_decrypt_with_keyring( # 9. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" diff --git a/examples/src/keyrings/aws_kms_mrk_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_keyring_example.py index b82748cf9..d5342ba64 100644 --- a/examples/src/keyrings/aws_kms_mrk_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_keyring_example.py @@ -151,4 +151,5 @@ def encrypt_and_decrypt_with_keyring( # 9. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" diff --git a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py index 38c5b1232..e5445a87c 100644 --- a/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py +++ b/examples/src/keyrings/aws_kms_mrk_multi_keyring_example.py 
@@ -143,7 +143,8 @@ def encrypt_and_decrypt_with_keyring( # 8. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # Demonstrate that a single AwsKmsMrkKeyring configured with a replica of the MRK from the # multi-keyring used to encrypt the data is also capable of decrypting the data. diff --git a/examples/src/keyrings/aws_kms_multi_keyring_example.py b/examples/src/keyrings/aws_kms_multi_keyring_example.py index 0e556f5e3..9662405d6 100644 --- a/examples/src/keyrings/aws_kms_multi_keyring_example.py +++ b/examples/src/keyrings/aws_kms_multi_keyring_example.py @@ -144,7 +144,8 @@ def encrypt_and_decrypt_with_keyring( # 6b. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes_multi_keyring == EXAMPLE_DATA + assert plaintext_bytes_multi_keyring == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # Because you used a multi_keyring on Encrypt, you can use either of the two # kms keyrings individually to decrypt the data. 
@@ -174,7 +175,8 @@ def encrypt_and_decrypt_with_keyring( # 7d. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes_default_region_kms_keyring == EXAMPLE_DATA + assert plaintext_bytes_default_region_kms_keyring == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # 8. Demonstrate that you can also successfully decrypt data using a KMS keyring with just the # `second_region_kms_key_id` directly. @@ -201,4 +203,5 @@ def encrypt_and_decrypt_with_keyring( # 8d. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes_second_region_kms_keyring == EXAMPLE_DATA + assert plaintext_bytes_second_region_kms_keyring == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" diff --git a/examples/src/keyrings/aws_kms_rsa_keyring_example.py b/examples/src/keyrings/aws_kms_rsa_keyring_example.py index 5c0bbe736..536581eb8 100644 --- a/examples/src/keyrings/aws_kms_rsa_keyring_example.py +++ b/examples/src/keyrings/aws_kms_rsa_keyring_example.py @@ -122,4 +122,5 @@ def encrypt_and_decrypt_with_keyring( # 9. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" diff --git a/examples/src/keyrings/file_streaming_example.py b/examples/src/keyrings/file_streaming_example.py new file mode 100644 index 000000000..4628b16d3 --- /dev/null +++ b/examples/src/keyrings/file_streaming_example.py 
@@ -0,0 +1,144 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+This example demonstrates file streaming for encryption and decryption using a Raw AES keyring
+
+The Raw AES keyring lets you use an AES symmetric key that you provide as a wrapping key that
+protects your data key. You need to generate, store, and protect the key material,
+preferably in a hardware security module (HSM) or key management system. Use a Raw AES keyring
+when you need to provide the wrapping key and encrypt the data keys locally or offline.
+
+This example creates a Raw AES Keyring and then encrypts an input stream from the file
+`plaintext_filename` with an encryption context to an output (encrypted) file `ciphertext_filename`.
+It then decrypts the ciphertext from `ciphertext_filename` to a new file `new_plaintext_filename`.
+This example also includes some sanity checks for demonstration:
+1. Ciphertext and plaintext data are not the same
+2. Encryption context is correct in the decrypted message header
+3. Decrypted plaintext value matches EXAMPLE_DATA
+These sanity checks are for demonstration in the example only. You do not need these in your code.
+
+The Raw AES keyring encrypts data by using the AES-GCM algorithm and a wrapping key that
+you specify as a byte array. You can specify only one wrapping key in each Raw AES keyring,
+but you can include multiple Raw AES keyrings, alone or with other keyrings, in a multi-keyring.
+
+For more information on how to use Raw AES keyrings, see
+https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
+"""
+import secrets
+import sys
+import filecmp
+
+from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
+from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
+from aws_cryptographic_materialproviders.mpl.models import AesWrappingAlg, CreateRawAesKeyringInput
+from aws_cryptographic_materialproviders.mpl.references import IKeyring
+from typing import Dict
+
+import aws_encryption_sdk
+from aws_encryption_sdk import CommitmentPolicy
+
+# TODO-MPL: Remove this as part of removing PYTHONPATH hacks.
+MODULE_ROOT_DIR = '/'.join(__file__.split("/")[:-1])
+
+sys.path.append(MODULE_ROOT_DIR)
+
+
+def encrypt_and_decrypt_with_keyring(
+    plaintext_filename: str,
+    ciphertext_filename: str,
+    new_plaintext_filename: str
+):
+    """Demonstrate a streaming encrypt/decrypt cycle using a Raw AES keyring.
+
+    Usage: encrypt_and_decrypt_with_keyring()
+    """
+    # 1. Instantiate the encryption SDK client.
+    # This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
+    # which enforces that this client only encrypts using committing algorithm suites and enforces
+    # that this client will only decrypt encrypted messages that were created with a committing
+    # algorithm suite.
+    # This is the default commitment policy if you were to build the client as
+    # `client = aws_encryption_sdk.EncryptionSDKClient()`.
+    client = aws_encryption_sdk.EncryptionSDKClient(
+        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+    )
+
+    # 2. The key namespace and key name are defined by you.
+    # and are used by the Raw AES keyring to determine
+    # whether it should attempt to decrypt an encrypted data key.
+    # For more information, see
+    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
+    key_name_space = "Some managed raw keys"
+    key_name = "My 256-bit AES wrapping key"
+
+    # 3. Create encryption context.
+    # Remember that your encryption context is NOT SECRET.
+    # For more information, see
+    # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+    encryption_context: Dict[str, str] = {
+        "encryption": "context",
+        "is not": "secret",
+        "but adds": "useful metadata",
+        "that can help you": "be confident that",
+        "the data you are handling": "is what you think it is",
+    }
+
+    # 4. Generate a 256-bit AES key to use with your keyring.
+    # In practice, you should get this key from a secure key management system such as an HSM.
+
+    # Here, the input to secrets.token_bytes() = 32 bytes = 256 bits
+    static_key = secrets.token_bytes(32)
+
+    # 5. Create a Raw AES keyring
+    mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
+        config=MaterialProvidersConfig()
+    )
+
+    keyring_input: CreateRawAesKeyringInput = CreateRawAesKeyringInput(
+        key_namespace=key_name_space,
+        key_name=key_name,
+        wrapping_key=static_key,
+        wrapping_alg=AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16
+    )
+
+    raw_aes_keyring: IKeyring = mat_prov.create_raw_aes_keyring(
+        input=keyring_input
+    )
+
+    # 6. Encrypt the data stream with the encryptionContext
+    with open(plaintext_filename, 'rb') as pt_file, open(ciphertext_filename, 'wb') as ct_file:
+        with client.stream(
+            mode='e',
+            source=pt_file,
+            keyring=raw_aes_keyring,
+            encryption_context=encryption_context
+        ) as encryptor:
+            for chunk in encryptor:
+                ct_file.write(chunk)
+
+    # 7. Demonstrate that the ciphertext and plaintext are different.
+    # (This is an example for demonstration; you do not need to do this in your own code.)
+    assert not filecmp.cmp(plaintext_filename, ciphertext_filename), \
+        "Ciphertext and plaintext data are the same. Invalid encryption"
+
+    # 8. Decrypt your encrypted data using the same keyring you used on encrypt.
+    with open(ciphertext_filename, 'rb') as ct_file, open(new_plaintext_filename, 'wb') as pt_file:
+        with client.stream(
+            mode='d',
+            source=ct_file,
+            keyring=raw_aes_keyring,
+            encryption_context=encryption_context
+        ) as decryptor:
+            for chunk in decryptor:
+                pt_file.write(chunk)
+
+    # 9. Demonstrate that the encryption context is correct in the decrypted message header
+    # (This is an example for demonstration; you do not need to do this in your own code.)
+    for k, v in encryption_context.items():
+        assert v == decryptor.header.encryption_context[k], \
+            "Encryption context does not match expected values"
+
+    # 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
+    # (This is an example for demonstration; you do not need to do this in your own code.)
+    assert filecmp.cmp(plaintext_filename, new_plaintext_filename), \
+        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
diff --git a/examples/src/keyrings/hierarchical_keyring.py b/examples/src/keyrings/hierarchical_keyring.py
index 5642a0b71..15b4df122 100644
--- a/examples/src/keyrings/hierarchical_keyring.py
+++ b/examples/src/keyrings/hierarchical_keyring.py
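Review bot: Step 10's `filecmp.cmp(plaintext_filename, new_plaintext_filename)` runs with the default `shallow=True`, so whenever the two files' os.stat signatures (type, size, mtime) coincide it reports them equal without reading a byte, and the sanity check could pass on wrong decrypted content of the same length; use `assert filecmp.cmp(plaintext_filename, new_plaintext_filename, shallow=False), \`. Step 7's negated check cannot produce a false pass (equal signatures only make it fail), but `shallow=False` there too keeps the two checks symmetric. The docstring also needs updating: `Usage: encrypt_and_decrypt_with_keyring()` omits the three path parameters, and sanity check 3 refers to EXAMPLE_DATA, which this file does not define; it compares `plaintext_filename` with `new_plaintext_filename`.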
@@ -101,13 +101,13 @@ def encrypt_and_decrypt_with_keyring( ) # 4. Call CreateKey to create two new active branch keys - branch_key_id_A: str = keystore.create_key(input=CreateKeyInput()).branch_key_identifier - branch_key_id_B: str = keystore.create_key(input=CreateKeyInput()).branch_key_identifier + branch_key_id_a: str = keystore.create_key(input=CreateKeyInput()).branch_key_identifier + branch_key_id_b: str = keystore.create_key(input=CreateKeyInput()).branch_key_identifier # 5. Create a branch key supplier that maps the branch key id to a more readable format branch_key_id_supplier: IBranchKeyIdSupplier = ExampleBranchKeyIdSupplier( - tenant_1_id=branch_key_id_A, - tenant_2_id=branch_key_id_B, + tenant_1_id=branch_key_id_a, + tenant_2_id=branch_key_id_b, ) # 6. Create the Hierarchical Keyring. @@ -135,7 +135,7 @@ def encrypt_and_decrypt_with_keyring( # be used to encrypt data. # Create encryption context for TenantA - encryption_context_A: Dict[str, str] = { + encryption_context_a: Dict[str, str] = { "tenant": "TenantA", "encryption": "context", "is not": "secret", @@ -145,7 +145,7 @@ def encrypt_and_decrypt_with_keyring( } # Create encryption context for TenantB - encryption_context_B: Dict[str, str] = { + encryption_context_b: Dict[str, str] = { "tenant": "TenantB", "encryption": "context", "is not": "secret", 
@@ -155,22 +155,22 @@ def encrypt_and_decrypt_with_keyring( } # 8. Encrypt the data with encryptionContextA & encryptionContextB - ciphertext_A, _ = client.encrypt( + ciphertext_a, _ = client.encrypt( source=EXAMPLE_DATA, keyring=hierarchical_keyring, - encryption_context=encryption_context_A + encryption_context=encryption_context_a ) - ciphertext_B, _ = client.encrypt( + ciphertext_b, _ = client.encrypt( source=EXAMPLE_DATA, keyring=hierarchical_keyring, - encryption_context=encryption_context_B + encryption_context=encryption_context_b ) # 9. To attest that TenantKeyB cannot decrypt a message written by TenantKeyA, # let's construct more restrictive hierarchical keyrings. - keyring_input_A: CreateAwsKmsHierarchicalKeyringInput = CreateAwsKmsHierarchicalKeyringInput( + keyring_input_a: CreateAwsKmsHierarchicalKeyringInput = CreateAwsKmsHierarchicalKeyringInput( key_store=keystore, - branch_key_id=branch_key_id_A, + branch_key_id=branch_key_id_a, ttl_seconds=600, cache=CacheTypeDefault( value=DefaultCache( @@ -179,13 +179,13 @@ def encrypt_and_decrypt_with_keyring( ), ) - hierarchical_keyring_A: IKeyring = mat_prov.create_aws_kms_hierarchical_keyring( - input=keyring_input_A + hierarchical_keyring_a: IKeyring = mat_prov.create_aws_kms_hierarchical_keyring( + input=keyring_input_a ) - keyring_input_B: CreateAwsKmsHierarchicalKeyringInput = CreateAwsKmsHierarchicalKeyringInput( + keyring_input_b: CreateAwsKmsHierarchicalKeyringInput = CreateAwsKmsHierarchicalKeyringInput( key_store=keystore, - branch_key_id=branch_key_id_B, + branch_key_id=branch_key_id_b, ttl_seconds=600, cache=CacheTypeDefault( value=DefaultCache( @@ -194,8 +194,8 @@ def encrypt_and_decrypt_with_keyring( ), ) - hierarchical_keyring_B: IKeyring = mat_prov.create_aws_kms_hierarchical_keyring( - input=keyring_input_B + hierarchical_keyring_b: IKeyring = mat_prov.create_aws_kms_hierarchical_keyring( + input=keyring_input_b ) # 10. Demonstrate that data encrypted by one tenant's key 
@@ -205,8 +205,8 @@ def encrypt_and_decrypt_with_keyring( # This will fail and raise a AWSEncryptionSDKClientError, which we swallow ONLY for demonstration purposes. try: client.decrypt( - source=ciphertext_A, - keyring=hierarchical_keyring_B + source=ciphertext_a, + keyring=hierarchical_keyring_b ) except AWSEncryptionSDKClientError: pass @@ -215,21 +215,23 @@ def encrypt_and_decrypt_with_keyring( # This will fail and raise a AWSEncryptionSDKClientError, which we swallow ONLY for demonstration purposes. try: client.decrypt( - source=ciphertext_B, - keyring=hierarchical_keyring_A + source=ciphertext_b, + keyring=hierarchical_keyring_a ) except AWSEncryptionSDKClientError: pass # 10. Demonstrate that data encrypted by one tenant's branch key can be decrypted by that tenant, # and that the decrypted data matches the input data. - plaintext_bytes_A, _ = client.decrypt( - source=ciphertext_A, - keyring=hierarchical_keyring_A + plaintext_bytes_a, _ = client.decrypt( + source=ciphertext_a, + keyring=hierarchical_keyring_a ) - assert plaintext_bytes_A == EXAMPLE_DATA - plaintext_bytes_B, _ = client.decrypt( - source=ciphertext_B, - keyring=hierarchical_keyring_B + assert plaintext_bytes_a == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" + plaintext_bytes_b, _ = client.decrypt( + source=ciphertext_b, + keyring=hierarchical_keyring_b ) - assert plaintext_bytes_B == EXAMPLE_DATA + assert plaintext_bytes_b == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" diff --git a/examples/src/keyrings/multi_keyring_example.py b/examples/src/keyrings/multi_keyring_example.py index 58e4839ac..fd9968f59 100644 --- a/examples/src/keyrings/multi_keyring_example.py +++ b/examples/src/keyrings/multi_keyring_example.py 
@@ -175,7 +175,8 @@ def encrypt_and_decrypt_with_keyring( # 10b. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes_multi_keyring == EXAMPLE_DATA + assert plaintext_bytes_multi_keyring == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # Because you used a multi_keyring on Encrypt, you can use either the # `kms_keyring` or `raw_aes_keyring` individually to decrypt the data. @@ -192,7 +193,8 @@ def encrypt_and_decrypt_with_keyring( # 11b. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes_kms_keyring == EXAMPLE_DATA + assert plaintext_bytes_kms_keyring == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # 12. Demonstrate that you can also successfully decrypt data using the `raw_aes_keyring` # directly. @@ -206,4 +208,5 @@ def encrypt_and_decrypt_with_keyring( # 12b. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes_raw_aes_keyring == EXAMPLE_DATA + assert plaintext_bytes_raw_aes_keyring == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" diff --git a/examples/src/keyrings/raw_aes_keyring_example.py b/examples/src/keyrings/raw_aes_keyring_example.py index ee0ab7618..be37886da 100644 --- a/examples/src/keyrings/raw_aes_keyring_example.py +++ b/examples/src/keyrings/raw_aes_keyring_example.py 
@@ -126,4 +126,5 @@ def encrypt_and_decrypt_with_keyring(): # 10. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" diff --git a/examples/src/keyrings/raw_rsa_keyring_example.py b/examples/src/keyrings/raw_rsa_keyring_example.py index 49d868a86..faf617209 100644 --- a/examples/src/keyrings/raw_rsa_keyring_example.py +++ b/examples/src/keyrings/raw_rsa_keyring_example.py @@ -224,7 +224,8 @@ def encrypt_and_decrypt_with_keyring(public_key_file_name=None, private_key_file # 8. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # The next part of the example creates a new RSA keyring (for Bob) to demonstrate that # decryption of the original ciphertext is not possible with a different keyring (Bob's). diff --git a/examples/src/keyrings/required_encryption_context_cmm.py b/examples/src/keyrings/required_encryption_context_cmm.py index e0c19697c..3f106c5ee 100644 --- a/examples/src/keyrings/required_encryption_context_cmm.py +++ b/examples/src/keyrings/required_encryption_context_cmm.py 
@@ -108,26 +108,28 @@ def encrypt_and_decrypt_with_keyring( } # 8. Decrypt the data - plaintext_bytes_A, _ = client.decrypt( + plaintext_bytes_a, _ = client.decrypt( source=ciphertext, materials_manager=required_ec_cmm, encryption_context=reproduced_encryption_context ) - assert plaintext_bytes_A == EXAMPLE_DATA + assert plaintext_bytes_a == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # We can also decrypt using the underlying CMM, # but must also provide the reproduced encryption context - plaintext_bytes_A, _ = client.decrypt( + plaintext_bytes_a, _ = client.decrypt( source=ciphertext, materials_manager=underlying_cmm, encryption_context=reproduced_encryption_context ) - assert plaintext_bytes_A == EXAMPLE_DATA + assert plaintext_bytes_a == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" # 9. Extra: Demonstrate that if we don't provide the reproduced encryption context, # decryption will fail. try: - plaintext_bytes_A, _ = client.decrypt( + plaintext_bytes_a, _ = client.decrypt( source=ciphertext, materials_manager=required_ec_cmm, # No reproduced encryption context for required EC CMM-produced message makes decryption fail. @@ -143,7 +145,7 @@ def encrypt_and_decrypt_with_keyring( # Same for the default CMM; # If we don't provide the reproduced encryption context, decryption will fail. try: - plaintext_bytes_A, _ = client.decrypt( + plaintext_bytes_a, _ = client.decrypt( source=ciphertext, materials_manager=required_ec_cmm, # No reproduced encryption context for required EC CMM-produced message makes decryption fail. diff --git a/examples/src/keyrings/set_encryption_algorithm_example.py b/examples/src/keyrings/set_encryption_algorithm_example.py index 80ba924a5..535c5f12d 100644 --- a/examples/src/keyrings/set_encryption_algorithm_example.py +++ b/examples/src/keyrings/set_encryption_algorithm_example.py 
@@ -2,23 +2,33 @@ # SPDX-License-Identifier: Apache-2.0 """ This example demonstrates how to set an encryption algorithm while using the Raw AES Keyring +in the AWS Encryption SDK. + Encryption algorithms can be set in a similar manner in other keyrings as well. However, please make sure that you're using a logical encryption algorithm that is compatible with your keyring. For example, AWS KMS RSA Keyring does not support use with an algorithm suite containing an asymmetric signature. +The Raw AES keyring encrypts data by using the AES-GCM algorithm and a wrapping key that +you specify as a byte array. You can specify only one wrapping key in each Raw AES keyring, +but you can include multiple Raw AES keyrings, alone or with other keyrings, in a multi-keyring. + +The AES wrapping algorithm (AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16) protects your data key using +the user-provided wrapping key. The encryption algorithm used in the encrypt() method for a Raw +AES keyring is the algorithm used to protect your data using the data key. This example +demonstrates setting the latter, which is the encryption algorithm for protecting your data. +The default algorithm used in encrypt method is AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384 +which is a committing and signing algorithm. This example sets the encryption algorithm as +AES_256_GCM_HKDF_SHA512_COMMIT_KEY which is a committing but non-signing algorithm. + This example creates a Raw AES Keyring and then encrypts a custom input EXAMPLE_DATA -with an encryption context and the algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY. +with an encryption context and the encryption algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same 2. Encryption context is correct in the decrypted message header 3. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. 
You do not need these in your code. -The Raw AES keyring encrypts data by using the AES-GCM algorithm and a wrapping key that -you specify as a byte array. You can specify only one wrapping key in each Raw AES keyring, -but you can include multiple Raw AES keyrings, alone or with other keyrings, in a multi-keyring. - For more information on how to use Raw AES keyrings, see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html """ @@ -79,7 +89,7 @@ def encrypt_and_decrypt_with_keyring(): "the data you are handling": "is what you think it is", } - # 4. Generate a 256-bit AES key to use with your keyring. + # 4. Generate a 256-bit AES wrapping key to use with your keyring. # In practice, you should get this key from a secure key management system such as an HSM. # Here, the input to secrets.token_bytes() = 32 bytes = 256 bits @@ -101,7 +111,8 @@ def encrypt_and_decrypt_with_keyring(): input=keyring_input ) - # 6. Encrypt the data with the encryptionContext + # 6. Encrypt the data with the encryptionContext. + # Specify the encryption algorithm you want to use for encrypting your data here ciphertext, _ = client.encrypt( source=EXAMPLE_DATA, keyring=raw_aes_keyring, @@ -128,4 +139,5 @@ def encrypt_and_decrypt_with_keyring(): # 10. Demonstrate that the decrypted plaintext is identical to the original plaintext. # (This is an example for demonstration; you do not need to do this in your own code.) - assert plaintext_bytes == EXAMPLE_DATA + assert plaintext_bytes == EXAMPLE_DATA, \ + "Decrypted plaintext should be identical to the original plaintext. Invalid decryption" diff --git a/examples/test/keyrings/test_i_file_streaming_example.py b/examples/test/keyrings/test_i_file_streaming_example.py new file mode 100644 index 000000000..10429a819 --- /dev/null +++ b/examples/test/keyrings/test_i_file_streaming_example.py 
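Review bot: The new docstring paragraph explains that the example moves from the default signing suite (AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384) to the non-signing AES_256_GCM_HKDF_SHA512_COMMIT_KEY, but never says what the reader gives up by dropping the signature, which is exactly what someone copying this example needs in order to choose. I would add, after the sentence ending "committing but non-signing algorithm.", a line such as `Without the ECDSA signature a decryptor cannot verify that the message came from a holder of the signing key, so a non-signing suite is only appropriate where everyone who can decrypt is equally trusted to encrypt.` The wording of the trade-off is inferred from the suite names rather than from anything else in the hunk, so confirm it against the SDK's algorithm-suite documentation. This hunk begins on the previous line, and the rest of the module docstring lies outside it.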
@@ -0,0 +1,18 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Test suite for the file streaming keyring example."""
+import pytest
+
+from ...src.keyrings.file_streaming_example import encrypt_and_decrypt_with_keyring
+
+pytestmark = [pytest.mark.examples]
+
+
+def test_encrypt_and_decrypt_with_keyring():
+ """Test function for encrypt and decrypt for file streaming example using Raw AES keyring."""
+ plaintext_filename = "test_keyrings/my-secret-data.dat"
+ ciphertext_filename = 'test_keyrings/my-encrypted-data.ct'
+ new_plaintext_filename = 'test_keyrings/my-decrypted-data.dat'
+ encrypt_and_decrypt_with_keyring(plaintext_filename,
+ ciphertext_filename,
+ new_plaintext_filename)
diff --git a/examples/test/keyrings/test_i_raw_rsa_keyring_example.py b/examples/test/keyrings/test_i_raw_rsa_keyring_example.py
index e036eb0b0..c52f68ae0 100644
--- a/examples/test/keyrings/test_i_raw_rsa_keyring_example.py
+++ b/examples/test/keyrings/test_i_raw_rsa_keyring_example.py
@@ -32,13 +32,11 @@ def test_encrypt_and_decrypt_with_keyring_with_user_defined_keys():
 user_public_key = user_public_key.decode('utf-8')
 user_private_key = user_private_key.decode('utf-8')
- test_keys_directory = 'test_keys'
- if not os.path.exists(test_keys_directory):
- os.makedirs(test_keys_directory)
+ test_keyrings_directory = 'test_keyrings'
 # Define the file names for the keys
- user_public_key_file_name = test_keys_directory + '/user_public_key_file_name.pem'
- user_private_key_file_name = test_keys_directory + '/user_private_key_file_name.pem'
+ user_public_key_file_name = test_keyrings_directory + '/user_public_key_file_name.pem'
+ user_private_key_file_name = test_keyrings_directory + '/user_private_key_file_name.pem'
 # Write the public key to the file
 with open(user_public_key_file_name, "w", encoding="utf-8") as f:
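Review bot: The three file names in test_encrypt_and_decrypt_with_keyring are relative to the process working directory, so the test only finds `test_keyrings/my-secret-data.dat` when pytest is launched from examples/test/keyrings, and it leaves the ciphertext and the decrypted copy behind in the source tree (this same patch checks both outputs in under test_keyrings/). Resolving the fixture against the module, `base = os.path.join(os.path.dirname(__file__), "test_keyrings")`, and writing the two outputs under pytest's `tmp_path` fixture would make the test location-independent and self-cleaning; that needs `import os` at the top. The quoting is also mixed (`"..."` for the first path, `'...'` for the other two); pick one style.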
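Review bot: The rename in this hunk also drops the `if not os.path.exists(...): os.makedirs(...)` guard, while the two sibling tests in this file (hunks -65 and -97 on the next line) keep it, so test_encrypt_and_decrypt_with_keyring_with_user_defined_keys now relies on `test_keyrings` already existing and the `open(user_public_key_file_name, "w", ...)` that follows raises FileNotFoundError whenever it does not. In this patch the directory happens to exist only because fixture files are checked in under it. Keep the guard, or use `os.makedirs(test_keyrings_directory, exist_ok=True)` in all three tests. The test function's body continues outside the hunk.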
@@ -65,12 +63,12 @@ def test_encrypt_and_decrypt_fails_if_user_provides_only_public_key():
 # Convert the public key to string
 user_public_key = user_public_key.decode('utf-8')
- test_keys_directory = 'test_keys'
- if not os.path.exists(test_keys_directory):
- os.makedirs(test_keys_directory)
+ test_keyrings_directory = 'test_keyrings'
+ if not os.path.exists(test_keyrings_directory):
+ os.makedirs(test_keyrings_directory)
 # Define the file name for the public key
- user_public_key_file_name = test_keys_directory + '/user_public_key_file_name.pem'
+ user_public_key_file_name = test_keyrings_directory + '/user_public_key_file_name.pem'
 # Write the public key to the file
 with open(user_public_key_file_name, "w", encoding="utf-8") as f:
@@ -97,12 +95,12 @@ def test_encrypt_and_decrypt_fails_if_user_provides_only_private_key():
 # Convert the private key to string
 user_private_key = user_private_key.decode('utf-8')
- test_keys_directory = 'test_keys'
- if not os.path.exists(test_keys_directory):
- os.makedirs(test_keys_directory)
+ test_keyrings_directory = 'test_keyrings'
+ if not os.path.exists(test_keyrings_directory):
+ os.makedirs(test_keyrings_directory)
 # Define the file name for the private key
- user_private_key_file_name = test_keys_directory + '/user_private_key_file_name.pem'
+ user_private_key_file_name = test_keyrings_directory + '/user_private_key_file_name.pem'
 # Write the private key to the file
 with open(user_private_key_file_name, "w", encoding="utf-8") as f:
diff --git a/examples/test/keyrings/test_keyrings/my-decrypted-data.dat b/examples/test/keyrings/test_keyrings/my-decrypted-data.dat
new file mode 100644
index 000000000..2d22c2d64
--- /dev/null
+++ b/examples/test/keyrings/test_keyrings/my-decrypted-data.dat
@@ -0,0 +1,26 @@ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. +Praesent non feugiat leo. Aenean iaculis tellus ut velit consectetur, +quis convallis orci eleifend. Sed eu dictum sapien. Nulla facilisi. Suspendisse potenti. +Proin vehicula vehicula maximus. Donec varius et elit vel rutrum. Nulla lacinia neque turpis +quis consequat orci pharetra et. Etiam consequat ullamcorper mauris. Vivamus molestie mollis +mauris a gravida. Curabitur sed bibendum nisl. Cras varius tortor non erat sodales, quis congu +tellus laoreet. Etiam fermentum purus eu diam sagittis, vitae commodo est vehicula. +Nulla feugiat viverra orci vel interdum. Quisque pulvinar elit eget nulla facilisis varius. +Mauris at suscipit sem. Aliquam in purus ut velit fringilla volutpat id non mi. +Curabitur quis nunc eleifend, ornare lectus non, fringilla quam. Nam maximus volutpat placerat. +Nulla ullamcorper lorem velit, nec sagittis ex tristique posuere. Aliquam fringilla magna commod +libero faucibus tempor. Vestibulum non ligula tincidunt, finibus sapien in, sollicitudin +ex. Pellentesque congue laoreet mi in condimentum. Cras convallis nisi ac nunc tincidunt +venenatis. Suspendisse urna elit, cursus eu lacus a, aliquet porttitor mi. +Nulla vel congue nibh, sed condimentum dui. Ut ante ligula, blandit eu finibus nec, +scelerisque quis eros. Maecenas gravida odio eget nibh dictum, dictum varius lacus interdum. +Integer quis nulla vulputate, rhoncus diam vitae, mollis mauris. Sed ut porttitor dolor. +Fusce ut justo a ex bibendum imperdiet nec sit amet magna. Sed ullamcorper luctus augue, +tempor viverra elit interdum sed. Cras sit amet arcu eu turpis molestie sollicitudin. +Curabitur fermentum varius nibh, ut aliquet nisi. Aliquam id tempus tellus. +Nulla porttitor nulla at nibh interdum, quis sollicitudin erat egestas. +Ut blandit mauris quis efficitur efficitur. Morbi neque sapien, posuere ut aliquam eget, +aliquam at velit. Morbi sit amet rhoncus felis, et hendrerit sem. 
Nulla porta dictum ligula +eget iaculis. Cras lacinia ligula quis risus ultrices, sed consectetur metus imperdiet. +Nullam id enim vestibulum nibh ultricies auctor. Morbi neque lacus, faucibus vitae commodo quis, +malesuada sed velit. \ No newline at end of file 
diff --git a/examples/test/keyrings/test_keyrings/my-encrypted-data.ct b/examples/test/keyrings/test_keyrings/my-encrypted-data.ct new file mode 100644 index 0000000000000000000000000000000000000000..d524458572d070fa186451317d0432e73a2cbeb9 GIT binary patch literal 2782 zcmV<43L*6Z1$cT$vle2bMx^a~5K~H8FJ|qPItK){L_QCXS6Kom9J2uV00saRVRv&a zV{&qK~c`IvLYe!5=Syw`NP&qPfPg*czIZtbBS8zl!dQ3%9 zN@{aiW>z(8QcFfia%*cxF)MgPM`Tu6V@XJPFmFOnQ9V5X2x4_~AYo)=a{v!@b7f|A zY#?oAbYWy+bYTDrWo~0~d2n=TZ*BkwV{dMBWq5P|25EC3Zf|q|26JU&a%FS?5p-x_ zbRc74ZXjr7Y;YiXZ*>3>Vr3v>Z*FF3WMyu2AarP9bO0H2Xk{Q|VRT_2d2e+fVRB_4 zXkl(-Y-w(102gUMyEX>=fIa{vJV6;p3*Wgu-~ZeeF-WFT^3 zcOYwJd2;|SO?e=e#MN=Sma$#_AX>MmAYh`%=004jh000an4|P|qokI+$ z1G!EBFnOpVN&l=Nz*D$m^n{45iGYO5>oyr4|) zDE6m`a{;_{NdIl~4gBM6~T z2f}Lsg}>WXsAp#GrNg*8qI`s!4t|OoiWJ+5tr7US8X6`~U~#|V;+N_s2PclE z=+dpA^jg0UN{Zr^YH0i5N~Jr~$6^f}w*i*BjoNg{l$7H%E7=lLw^!E;O5Uqb@Sq5R zc5&zW@In;mD{^NsGRt5tOzr&=#bgunjR2|R%UGtFUy8{%N8%BEdNH|5`=E zl;>fEVPjDXjn6L{K)@(ftvkpV$LXrgyNOlRViTzbk2U^!B12wBw`xFB*2Hk>MJWo! 
zW-SYOD+Nzs8;l;A);oqj#2xf{L;O8b4A;j6^P*a?x8qBeV%Mm=w6LoSCHZ?DAaMsC zSX!&DLojpPluBfA5-DtlPzfSIi0T*_a9uGJG^$yXOirO0dAL$RL@6Dg8QdG30G3+; zUv(R%(a|K=rY=cYeO=@}`7QiWwU9P)!V7dCaw4K{hSyJ?$+k$k)y`Q60+$!@l5vCX zW{(Ntc`F-?L&S1*Gv+iAAf2OPB^jQjc)1ABsxLP0esTEjO3fU5rjVkfU7IQD(=3l; z-a(yA<>D9q`$-n?@x0D@rJ?+u_~#2xXiwiS{RucHjO|*lvpC~kUNc0doDwswG=A_~ z-d1)hzoWU=u`m~a^}ol%O8ee}FCSI^_x3)+FwtP(o@89FNlU_lTgq%Yf+ zCk6`IdhsiYB*W9^mDe0JBJwjE)bbw zxwP`X;U4Yv9Uyh2%SaAuDUsU4u@OZi*Ls>41e4XD}ND@1QkCnZr&l~Pxhi_Oo!(vGq z+FTuOTreAMSwT`{Kt!<8_kUuX`q!fvDC5Z5<||CVsdlc+9@o$0F%*j^Ud03y`L;;s zH47f8JA3MYwYprlGy0RXipZf8K_-f#J*rVrA@%MtW`hSIiZ6bU;a`35Kd`s{-PaWM zXRD&k2^QfpbewO?)XQ+SE_r6Bm;qYXY3I3ZW*#(4`F zln~_pcHJ7FhsD7l3$;@gl4G(;359W3mo28pW=5m4F$6Tci-NS<3BrPvQ@xPF21{R_drZUJtb@`Ae3=+-~e9M zzZ4q_3qBTb0kJf|Dr@C*!Rf^X{A{71IoDxY`dsC61mgAxLN@r7Q)ITUZu{xcXu5?V^N|4?=oRtxq zyEKvgyM|H>(h(6T*_y`k{z<7SjkbZohK}iD6DMFgkkN2YO$)nDI`1|<>ieH5bFH)x zbt`X*k@N?C>F(VWu|_016%#79IYeQ;ro`imWY0AxWiYNB#OzOG__cD{4iPv7))5t7 z(jJUvo5`CXddCgrLT2%{L2RM7ox&exdnWu9A&VFwrawjS%odt*ndC(HbWVbhS%i-r zF9o1Dpw+AlY0!mf^o2wGiz5l4_v)xJ!dASti13*K@cZHCE0BsV&X`70*Z6N!rKlns zvP~F0Xdq4t@{|U2_0hz++}%N2oM8zNA}dZ&?Y1TwnZQ;gr^r=DYGg^>0Rg?|Rpz5a zoa+t*z;4=Wh^<%Lt-Lqpo&^{(wGNzOd0kJJ(^dA^`_SQBMC1Wj%<95<^NyK~B*Dk@ z;Hx|SyPSXE`j_0R{ve>o!-ynwNX!^>7}96f>HcWOKTpyM5`XX7wO`9Z8ZXq;cngY^ zw(z4YJls-RXZ9oZ5Wg(C_`MB_t$uqH5`!=f{9y>f5CwC7h-vIl3e|jZ&=0^b548kG zyU%)OD`Xu4TnRGo=3j7wGNdaR@m5lYG^ILLz4W~aYt#o0UKT53a9zoiTX)B{>ez$$ zmC)WSYI8a{(v|j>?Hp6LZ4w8tJ43v4eRM`0nd0J{P?uc&-~bJ?IZL{ZAetGYrY{>> zR6jyI;#{6l3taUHbwt0P^`l#nPIG7mX#b&of!A k2yw8u$@Gm?T~yN0ZFbT^@Bv2N)fOC0y-z!Fg&1bywxcfw>i_@% literal 0 HcmV?d00001 diff --git a/examples/test/keyrings/test_keyrings/my-secret-data.dat b/examples/test/keyrings/test_keyrings/my-secret-data.dat new file mode 100644 index 000000000..2d22c2d64 --- /dev/null +++ b/examples/test/keyrings/test_keyrings/my-secret-data.dat 
@@ -0,0 +1,26 @@ +Lorem ipsum dolor sit amet, consectetur adipiscing elit. +Praesent non feugiat leo. Aenean iaculis tellus ut velit consectetur, +quis convallis orci eleifend. Sed eu dictum sapien. Nulla facilisi. Suspendisse potenti. +Proin vehicula vehicula maximus. Donec varius et elit vel rutrum. Nulla lacinia neque turpis +quis consequat orci pharetra et. Etiam consequat ullamcorper mauris. Vivamus molestie mollis +mauris a gravida. Curabitur sed bibendum nisl. Cras varius tortor non erat sodales, quis congu +tellus laoreet. Etiam fermentum purus eu diam sagittis, vitae commodo est vehicula. +Nulla feugiat viverra orci vel interdum. Quisque pulvinar elit eget nulla facilisis varius. +Mauris at suscipit sem. Aliquam in purus ut velit fringilla volutpat id non mi. +Curabitur quis nunc eleifend, ornare lectus non, fringilla quam. Nam maximus volutpat placerat. +Nulla ullamcorper lorem velit, nec sagittis ex tristique posuere. Aliquam fringilla magna commod +libero faucibus tempor. Vestibulum non ligula tincidunt, finibus sapien in, sollicitudin +ex. Pellentesque congue laoreet mi in condimentum. Cras convallis nisi ac nunc tincidunt +venenatis. Suspendisse urna elit, cursus eu lacus a, aliquet porttitor mi. +Nulla vel congue nibh, sed condimentum dui. Ut ante ligula, blandit eu finibus nec, +scelerisque quis eros. Maecenas gravida odio eget nibh dictum, dictum varius lacus interdum. +Integer quis nulla vulputate, rhoncus diam vitae, mollis mauris. Sed ut porttitor dolor. +Fusce ut justo a ex bibendum imperdiet nec sit amet magna. Sed ullamcorper luctus augue, +tempor viverra elit interdum sed. Cras sit amet arcu eu turpis molestie sollicitudin. +Curabitur fermentum varius nibh, ut aliquet nisi. Aliquam id tempus tellus. +Nulla porttitor nulla at nibh interdum, quis sollicitudin erat egestas. +Ut blandit mauris quis efficitur efficitur. Morbi neque sapien, posuere ut aliquam eget, +aliquam at velit. Morbi sit amet rhoncus felis, et hendrerit sem. 
Nulla porta dictum ligula +eget iaculis. Cras lacinia ligula quis risus ultrices, sed consectetur metus imperdiet. +Nullam id enim vestibulum nibh ultricies auctor. Morbi neque lacus, faucibus vitae commodo quis, +malesuada sed velit. \ No newline at end of file diff --git a/examples/test/keyrings/test_keyrings/user_private_key_file_name.pem b/examples/test/keyrings/test_keyrings/user_private_key_file_name.pem new file mode 100644 index 000000000..95333f87c --- /dev/null +++ b/examples/test/keyrings/test_keyrings/user_private_key_file_name.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKgIBAAKCAgEAzWQ6X1wBYZkjBWTxYB6OlK4EhGcqPyUreE/t+p28n8Gkc2E7 +fniO1jLRz3hGWWHf5e62S8Az/XH4upA+be34L0sz92nrBvKBOvxakddRyZnYuV9E +Z2cxXfFHkNguGrYNnxEXsT1NMaeyta9p1vJ/qlmT8wutsvNruCZWiGKoxz4dZNgk +uUtHKZ5kWha6YWNQKqzuZcONXNY53t1BTkvqvpwIbE99QEA0NS4IG56zaGjc8XzO +7PrCp7nOIck1pLhDZlFdSUMRAwoHAWYnpIUN0Z0mYJNezhlK6zfa0Dwakh+rTe59 +wIQKvc6vqkhsbGE2OES9UscC7lruSUshzxCozpxKa3BS5pa3bpDWS9c9FQxqMNi/ +vZEPBfnXxeN88yT9UIj5DvXvrlGvJZvcrLaNOzJHxCFP7LgDUSF+GlAAKyoW4Df9 +M7yQ7/JQJKF4znomAA9JAJc4oD3pu3yyVDxGrc5Jkm5LHVNaCGFhwy1Y8IFZs3KP +uJQgI96qZiw97D3kOhla2aCscytIJdC2/nFdhJDofz7JI4xEKGQtlS6/MTcOz8zK +zHgyGZ+1CljmvQGcopyHzz95R9ae6qX9X1d7TVPmFlC87nG4oGkxNah6wNalOT9M +x4gtKzzGKDqmDRV5bCSbHSxcmuM/ROjVOQCAloN6pQflXtnVC9KkthRrQEECAwEA +AQKCAgACaN398ymBfH9Sj4D88pLT5/g92OuAFuasCE0Hkwzs12PfZilBZjbvyKQZ +QeUaZJlwvESXfitl+m2ze6B93+w42tIi4ZNcLyFowJ/r5Nms6rEGGLnn2Cg2PM/N +AVpGHjNp9bSAU/KpRdlFBCgy2UC57gfcMruAlVZC0HFUs4qdHsuPvLDumxVcRcNR +4sEgRh7hR0rbNwh8Kbe/V3tuCJo6DwDSy3px0+cA5je6Yjni3FMWQrN3SIha2SVT +1GVcl7xTsZntc3vaPCaBo9IMfjKfrk8uVCBJPPb57Dt1FLVvmC9FcGo5hVsOZ8O8 +FNIv0dKl5ZmOhG7yfq7bvYXJpP2D/J+4Y+DkMd8Cdt1wv+U9irhSPzU9l9yHjSE6 +hratzXXXtLWLV9XVaoo3P6DfNdy+Y3Tc99dWT08XCgXfmbt/OQAkF1nUheVCAsl0 +yHDjiRdzWFf6G2cUHIv+GT3gdLW446VaPD+epF8NbtiV+piLFdXZpvLpsn9QnWBG +hASGJ6PXRdd3+ry5QRfq4ImWYHuA5G8GdvMY4u7Qe20/cIXnj6IrIwVNDQtobtd+ +NCtlfeDplwliznJgW90jVUdFhP1ht+MOAiTMC+/0Qu6/STCNEOvXZ2m59ipdIZz7 +sVjfxQxFKJGZ34XyDntsHzWrd9QXncPIIcYcgBelejNkL1PYAQKCAQEA+LwXDBcR +yq0/pBVSAj+8MnGhfTFJ5tfGycfJdpBjcG9quqJ4JMS22aiyLA2My0RJI+glX+M3 +c21y4wHoqeHKxmprAPkdkqsAIKjyQ4TeH1tLAy6CYBu17yWN8e+sA/BdbLueHuxD +x4KpTFxvnGGuonHYEScNiFEsvG/lX3lIfx+/LWSex0qtgmzTguU04vJGLqUw6rVS +764aIVMHcNZnAJxX+nJLKA1ts13EeEudKbBb9thJKmKlME7AK3Bt3DfHq1k6acEE +wRPv+v39/QLeum3yjBPcDLtSHvLiGvX4oAneWiGmxFZvPRgu/jUXU5et0fX0nNXp +KS2Ls/sO/jWvQQKCAQEA02QKMXKekB+MEZ5aJuZPlWLofw/UOq1O3eVmMwFISCvJ +kigf6MpTh/aKISZ0NAz40KbQbCuGEI2YSUCDL/iEmVMcxtYuT5hOcjsr6JzWbrDC 
+BIvhWc2gOawde3PjqkXiDPyo0hpsLIKTLnxKeXGOvYHE48fC1zKbLMDNiAqgnFmM +N1ZOF4j685beHjgIYM1sb4Z4vy9L62NEU9dPbk1QYWeukjsuatW6Mt5al11EIInw +rcSNVpPusPf+DqN8Jy8kg0sYBIPnHWTnZ9RWCAAkizQhMx3Ta7AC/j1iZes5PAeP +15968W2RWVSfwdMjodGphXo8SC+KQ/AFBPGxK0JRAQKCAQEAsS1yEVehgci1C5Fw +UE/MI/aTPNVOOhQ78uHQXRdu7dk/omA2yqIhSZwEBqNERkqG+v/TF6GHjz5IVvG2 +JMTEp1+IhzHsYdxTA/C0WWocuyNRpJuNnR5AE3Ch0tORqWCfe+ONN6O+iDBHnjA+ +BJwERIxph5ZU6mRARJ5EOiTvgjY//Pquq3FDdSNF6viQGpTPb0yWMqokwLw4usIl +C7h9uI6lkK23YXlnShwh5jqeYeLRL11TiNCpsGZ4NrkoWHSXUzQFCu3GEC6+hABG +2uIfe5bz7dn7pkoMriT+8IuDpaRB8dwEqdiT9mXym3t/+TiTRXs42jr5ki5yVCsi +u+vLwQKCAQEAhUdFxfdmUagSP+l/HZeIBb/epn3saTJrzyubS/06/YXeCPCTbcpi +8A5Y+J2uFkM3fRYvwoOOe1FK+qRaEhy2PZVRR2wytqxoiU0VWgvIhvGa4hLvehdT +Ngl2bSecGvcElvuV1SIjocyRz3U932Phg0oWQSbpiZS2kXjeHS/WI72x0hHwGpaa +4on0cUkSvzXFcGtwJdpEG5zyr4nI4tqMG12rizcVBPbL9taKd3SuR3Ww8V5DXprW +m21AGSqqVGo8syrdcbtYNAgyfhw6QcEVSU8Mv5XGftbyjClXqLqt01NRNbmvYhia +05+vOh1NEfGG2ElBSKHwovTptTxNX+DoAQKCAQEArhoKvATs/0McJSK+TOvR4hMn +TWFDFk7vMugkre4PzePpsUmFl4tyvbgcxk6/VBiarsGuOd9he66l9l2FjbNdJmly +0hihl5H2njwNz8qCoFjmGIzKMgfvI0gcnUJLpClz6cNjDrm89BqfeJETqaQixGVa +f7IxEVpA6koJbu5Y5JsfhK7fZa6pn3kuJlz4S7zA2WZN5JJyLDGkdh/7wpb/SPm8 +JMl6DF+zRcTs35mDTMr99P1f8CYQEGl6nrpjDbcTta+ZUt8+VY7eIShbokZVT+4P +ET2e876l0xYXnvJegARnX3PTnjR6n9nNOVrmJ75NoXgKL4Wh/I+Pwj+BPeybKA== +-----END RSA PRIVATE KEY----- diff --git a/examples/test/keyrings/test_keyrings/user_public_key_file_name.pem b/examples/test/keyrings/test_keyrings/user_public_key_file_name.pem new file mode 100644 index 000000000..d0e6dcf7f --- /dev/null +++ b/examples/test/keyrings/test_keyrings/user_public_key_file_name.pem 
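Review bot: This hunk commits an RSA private key (test_keyrings/user_private_key_file_name.pem) even though test_i_raw_rsa_keyring_example.py in the same patch generates and writes that file on every run, so it is a test artifact rather than a fixture. Key material added to git remains recoverable from history after any later deletion, so the file should be kept out of version control via .gitignore and the key treated as disposable test-only material; a later patch in this series does remove it. The hunk begins on the previous line.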
@@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAi5dtNWWtkBfbYdBBq00P +ZjubS1cO6iCfJLxY0LHHIL1F+BmVrhQcV8+JwIuawg2hDze57t531h6qNeYEizsI +BZc9TrUHuo8pc59stGciWvGMH5YSt4mxpi/rHMdIj7QzYEZHSK3h+Zzkv3+L3mLD +R2tjgOtxHrZ3bJ1bKGF7kjQMPycx37Wutvil6YnB6jHevbXu3x8aVvhYYihX1fh5 +yVh9XcuxIUZvDQXJ3nFOApuX4nfkEwRE4yaDJOC2WwjiKFdeoGx5v2SX0M9owMZ0 +Rlx3YBGkO5bXsKP1qzq+p7nR46ygiQjNxp8oIpWCugo0m1FtPKyhDkN8J6Xz8v/x +0zsfHzd0HRmOYfzgxirdZqxLVeOXKXXAgiSHxzIE1R0gngZeg4HvqktYlunecgcg +z4wyNY1wshBmAcvyeoDqwzGpnlKEdeg3D4ZLpg7j8U4tVN4oJPAKxlxhkQUe8DVE +yCLNUUoYVCZG01JlwPNHa4/xkJwruuoZKq3W2iAGU/b/FzFFIxNRF5KlSdjvxMXK +G+XW0LDnFnrwAx/xd4iojcmBOjJYJn1rYy0R5aOwwxzccFr152wZ5SJhcgWYTHRQ +hcXCFnMLqcxotT2GNspxhiZR/KBPtvqzNeALFQLOEZC/omtIOQl5Zy4BCLUIH59N +z8jNY8TEt7xP4WE3liNA9EECAwEAAQ== +-----END PUBLIC KEY----- From 7f65d221e06833dace4bceb60204eb3a09791a4b Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Mon, 6 May 2024 14:16:03 -0700 Subject: [PATCH 03/16] fix gitignore --- .gitignore | 5 +- .../test_keyrings/my-decrypted-data.dat | 26 --------- .../test_keyrings/my-encrypted-data.ct | Bin 2782 -> 0 bytes .../user_private_key_file_name.pem | 51 ------------------ .../user_public_key_file_name.pem | 14 ----- 5 files changed, 1 insertion(+), 95 deletions(-) delete mode 100644 examples/test/keyrings/test_keyrings/my-decrypted-data.dat delete mode 100644 examples/test/keyrings/test_keyrings/my-encrypted-data.ct delete mode 100644 examples/test/keyrings/test_keyrings/user_private_key_file_name.pem delete mode 100644 examples/test/keyrings/test_keyrings/user_public_key_file_name.pem diff --git a/.gitignore b/.gitignore index 31e2fe66a..602b26a91 100644 --- a/.gitignore +++ b/.gitignore 
@@ -32,10 +32,7 @@ __pycache__ # PyTest .pytest_cache # Ignore key materials generated by examples or tests -test_keyrings/user_public_key_file_name.pem -test_keyrings/user_private_key_file_name.pem -test_keyrings/my-encrypted-data.ct -test_keyrings/my-decrypted-data.dat +test_keyrings # PyCharm .idea/ diff --git a/examples/test/keyrings/test_keyrings/my-decrypted-data.dat b/examples/test/keyrings/test_keyrings/my-decrypted-data.dat deleted file mode 100644 index 2d22c2d64..000000000 --- a/examples/test/keyrings/test_keyrings/my-decrypted-data.dat +++ /dev/null 
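Review bot: Replacing the four file patterns with the bare directory name `test_keyrings` ignores everything under that directory, including the checked-in fixture my-secret-data.dat that the file streaming test reads as its input, and git does not let a negation pattern re-include a file inside an ignored directory. Already-tracked files are unaffected, so the fixture keeps working for now, but any new or renamed fixture under this directory will be silently left out of commits. Prefer the per-file patterns, or `test_keyrings/*` followed by `!test_keyrings/my-secret-data.dat`.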
@@ -1,26 +0,0 @@ -Lorem ipsum dolor sit amet, consectetur adipiscing elit. -Praesent non feugiat leo. Aenean iaculis tellus ut velit consectetur, -quis convallis orci eleifend. Sed eu dictum sapien. Nulla facilisi. Suspendisse potenti. -Proin vehicula vehicula maximus. Donec varius et elit vel rutrum. Nulla lacinia neque turpis -quis consequat orci pharetra et. Etiam consequat ullamcorper mauris. Vivamus molestie mollis -mauris a gravida. Curabitur sed bibendum nisl. Cras varius tortor non erat sodales, quis congu -tellus laoreet. Etiam fermentum purus eu diam sagittis, vitae commodo est vehicula. -Nulla feugiat viverra orci vel interdum. Quisque pulvinar elit eget nulla facilisis varius. -Mauris at suscipit sem. Aliquam in purus ut velit fringilla volutpat id non mi. -Curabitur quis nunc eleifend, ornare lectus non, fringilla quam. Nam maximus volutpat placerat. -Nulla ullamcorper lorem velit, nec sagittis ex tristique posuere. Aliquam fringilla magna commod -libero faucibus tempor. Vestibulum non ligula tincidunt, finibus sapien in, sollicitudin -ex. Pellentesque congue laoreet mi in condimentum. Cras convallis nisi ac nunc tincidunt -venenatis. Suspendisse urna elit, cursus eu lacus a, aliquet porttitor mi. -Nulla vel congue nibh, sed condimentum dui. Ut ante ligula, blandit eu finibus nec, -scelerisque quis eros. Maecenas gravida odio eget nibh dictum, dictum varius lacus interdum. -Integer quis nulla vulputate, rhoncus diam vitae, mollis mauris. Sed ut porttitor dolor. -Fusce ut justo a ex bibendum imperdiet nec sit amet magna. Sed ullamcorper luctus augue, -tempor viverra elit interdum sed. Cras sit amet arcu eu turpis molestie sollicitudin. -Curabitur fermentum varius nibh, ut aliquet nisi. Aliquam id tempus tellus. -Nulla porttitor nulla at nibh interdum, quis sollicitudin erat egestas. -Ut blandit mauris quis efficitur efficitur. Morbi neque sapien, posuere ut aliquam eget, -aliquam at velit. Morbi sit amet rhoncus felis, et hendrerit sem. 
Nulla porta dictum ligula -eget iaculis. Cras lacinia ligula quis risus ultrices, sed consectetur metus imperdiet. -Nullam id enim vestibulum nibh ultricies auctor. Morbi neque lacus, faucibus vitae commodo quis, -malesuada sed velit. \ No newline at end of file 
diff --git a/examples/test/keyrings/test_keyrings/my-encrypted-data.ct b/examples/test/keyrings/test_keyrings/my-encrypted-data.ct deleted file mode 100644 index d524458572d070fa186451317d0432e73a2cbeb9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2782 zcmV<43L*6Z1$cT$vle2bMx^a~5K~H8FJ|qPItK){L_QCXS6Kom9J2uV00saRVRv&a zV{&qK~c`IvLYe!5=Syw`NP&qPfPg*czIZtbBS8zl!dQ3%9 zN@{aiW>z(8QcFfia%*cxF)MgPM`Tu6V@XJPFmFOnQ9V5X2x4_~AYo)=a{v!@b7f|A zY#?oAbYWy+bYTDrWo~0~d2n=TZ*BkwV{dMBWq5P|25EC3Zf|q|26JU&a%FS?5p-x_ zbRc74ZXjr7Y;YiXZ*>3>Vr3v>Z*FF3WMyu2AarP9bO0H2Xk{Q|VRT_2d2e+fVRB_4 zXkl(-Y-w(102gUMyEX>=fIa{vJV6;p3*Wgu-~ZeeF-WFT^3 zcOYwJd2;|SO?e=e#MN=Sma$#_AX>MmAYh`%=004jh000an4|P|qokI+$ z1G!EBFnOpVN&l=Nz*D$m^n{45iGYO5>oyr4|) zDE6m`a{;_{NdIl~4gBM6~T z2f}Lsg}>WXsAp#GrNg*8qI`s!4t|OoiWJ+5tr7US8X6`~U~#|V;+N_s2PclE z=+dpA^jg0UN{Zr^YH0i5N~Jr~$6^f}w*i*BjoNg{l$7H%E7=lLw^!E;O5Uqb@Sq5R zc5&zW@In;mD{^NsGRt5tOzr&=#bgunjR2|R%UGtFUy8{%N8%BEdNH|5`=E zl;>fEVPjDXjn6L{K)@(ftvkpV$LXrgyNOlRViTzbk2U^!B12wBw`xFB*2Hk>MJWo! 
zW-SYOD+Nzs8;l;A);oqj#2xf{L;O8b4A;j6^P*a?x8qBeV%Mm=w6LoSCHZ?DAaMsC zSX!&DLojpPluBfA5-DtlPzfSIi0T*_a9uGJG^$yXOirO0dAL$RL@6Dg8QdG30G3+; zUv(R%(a|K=rY=cYeO=@}`7QiWwU9P)!V7dCaw4K{hSyJ?$+k$k)y`Q60+$!@l5vCX zW{(Ntc`F-?L&S1*Gv+iAAf2OPB^jQjc)1ABsxLP0esTEjO3fU5rjVkfU7IQD(=3l; z-a(yA<>D9q`$-n?@x0D@rJ?+u_~#2xXiwiS{RucHjO|*lvpC~kUNc0doDwswG=A_~ z-d1)hzoWU=u`m~a^}ol%O8ee}FCSI^_x3)+FwtP(o@89FNlU_lTgq%Yf+ zCk6`IdhsiYB*W9^mDe0JBJwjE)bbw zxwP`X;U4Yv9Uyh2%SaAuDUsU4u@OZi*Ls>41e4XD}ND@1QkCnZr&l~Pxhi_Oo!(vGq z+FTuOTreAMSwT`{Kt!<8_kUuX`q!fvDC5Z5<||CVsdlc+9@o$0F%*j^Ud03y`L;;s zH47f8JA3MYwYprlGy0RXipZf8K_-f#J*rVrA@%MtW`hSIiZ6bU;a`35Kd`s{-PaWM zXRD&k2^QfpbewO?)XQ+SE_r6Bm;qYXY3I3ZW*#(4`F zln~_pcHJ7FhsD7l3$;@gl4G(;359W3mo28pW=5m4F$6Tci-NS<3BrPvQ@xPF21{R_drZUJtb@`Ae3=+-~e9M zzZ4q_3qBTb0kJf|Dr@C*!Rf^X{A{71IoDxY`dsC61mgAxLN@r7Q)ITUZu{xcXu5?V^N|4?=oRtxq zyEKvgyM|H>(h(6T*_y`k{z<7SjkbZohK}iD6DMFgkkN2YO$)nDI`1|<>ieH5bFH)x zbt`X*k@N?C>F(VWu|_016%#79IYeQ;ro`imWY0AxWiYNB#OzOG__cD{4iPv7))5t7 z(jJUvo5`CXddCgrLT2%{L2RM7ox&exdnWu9A&VFwrawjS%odt*ndC(HbWVbhS%i-r zF9o1Dpw+AlY0!mf^o2wGiz5l4_v)xJ!dASti13*K@cZHCE0BsV&X`70*Z6N!rKlns zvP~F0Xdq4t@{|U2_0hz++}%N2oM8zNA}dZ&?Y1TwnZQ;gr^r=DYGg^>0Rg?|Rpz5a zoa+t*z;4=Wh^<%Lt-Lqpo&^{(wGNzOd0kJJ(^dA^`_SQBMC1Wj%<95<^NyK~B*Dk@ z;Hx|SyPSXE`j_0R{ve>o!-ynwNX!^>7}96f>HcWOKTpyM5`XX7wO`9Z8ZXq;cngY^ zw(z4YJls-RXZ9oZ5Wg(C_`MB_t$uqH5`!=f{9y>f5CwC7h-vIl3e|jZ&=0^b548kG zyU%)OD`Xu4TnRGo=3j7wGNdaR@m5lYG^ILLz4W~aYt#o0UKT53a9zoiTX)B{>ez$$ zmC)WSYI8a{(v|j>?Hp6LZ4w8tJ43v4eRM`0nd0J{P?uc&-~bJ?IZL{ZAetGYrY{>> zR6jyI;#{6l3taUHbwt0P^`l#nPIG7mX#b&of!A k2yw8u$@Gm?T~yN0ZFbT^@Bv2N)fOC0y-z!Fg&1bywxcfw>i_@% diff --git a/examples/test/keyrings/test_keyrings/user_private_key_file_name.pem b/examples/test/keyrings/test_keyrings/user_private_key_file_name.pem deleted file mode 100644 index 95333f87c..000000000 --- a/examples/test/keyrings/test_keyrings/user_private_key_file_name.pem +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKgIBAAKCAgEAzWQ6X1wBYZkjBWTxYB6OlK4EhGcqPyUreE/t+p28n8Gkc2E7 -fniO1jLRz3hGWWHf5e62S8Az/XH4upA+be34L0sz92nrBvKBOvxakddRyZnYuV9E -Z2cxXfFHkNguGrYNnxEXsT1NMaeyta9p1vJ/qlmT8wutsvNruCZWiGKoxz4dZNgk -uUtHKZ5kWha6YWNQKqzuZcONXNY53t1BTkvqvpwIbE99QEA0NS4IG56zaGjc8XzO -7PrCp7nOIck1pLhDZlFdSUMRAwoHAWYnpIUN0Z0mYJNezhlK6zfa0Dwakh+rTe59 -wIQKvc6vqkhsbGE2OES9UscC7lruSUshzxCozpxKa3BS5pa3bpDWS9c9FQxqMNi/ -vZEPBfnXxeN88yT9UIj5DvXvrlGvJZvcrLaNOzJHxCFP7LgDUSF+GlAAKyoW4Df9 -M7yQ7/JQJKF4znomAA9JAJc4oD3pu3yyVDxGrc5Jkm5LHVNaCGFhwy1Y8IFZs3KP -uJQgI96qZiw97D3kOhla2aCscytIJdC2/nFdhJDofz7JI4xEKGQtlS6/MTcOz8zK -zHgyGZ+1CljmvQGcopyHzz95R9ae6qX9X1d7TVPmFlC87nG4oGkxNah6wNalOT9M -x4gtKzzGKDqmDRV5bCSbHSxcmuM/ROjVOQCAloN6pQflXtnVC9KkthRrQEECAwEA -AQKCAgACaN398ymBfH9Sj4D88pLT5/g92OuAFuasCE0Hkwzs12PfZilBZjbvyKQZ -QeUaZJlwvESXfitl+m2ze6B93+w42tIi4ZNcLyFowJ/r5Nms6rEGGLnn2Cg2PM/N -AVpGHjNp9bSAU/KpRdlFBCgy2UC57gfcMruAlVZC0HFUs4qdHsuPvLDumxVcRcNR -4sEgRh7hR0rbNwh8Kbe/V3tuCJo6DwDSy3px0+cA5je6Yjni3FMWQrN3SIha2SVT -1GVcl7xTsZntc3vaPCaBo9IMfjKfrk8uVCBJPPb57Dt1FLVvmC9FcGo5hVsOZ8O8 -FNIv0dKl5ZmOhG7yfq7bvYXJpP2D/J+4Y+DkMd8Cdt1wv+U9irhSPzU9l9yHjSE6 -hratzXXXtLWLV9XVaoo3P6DfNdy+Y3Tc99dWT08XCgXfmbt/OQAkF1nUheVCAsl0 -yHDjiRdzWFf6G2cUHIv+GT3gdLW446VaPD+epF8NbtiV+piLFdXZpvLpsn9QnWBG -hASGJ6PXRdd3+ry5QRfq4ImWYHuA5G8GdvMY4u7Qe20/cIXnj6IrIwVNDQtobtd+ -NCtlfeDplwliznJgW90jVUdFhP1ht+MOAiTMC+/0Qu6/STCNEOvXZ2m59ipdIZz7 -sVjfxQxFKJGZ34XyDntsHzWrd9QXncPIIcYcgBelejNkL1PYAQKCAQEA+LwXDBcR -yq0/pBVSAj+8MnGhfTFJ5tfGycfJdpBjcG9quqJ4JMS22aiyLA2My0RJI+glX+M3 -c21y4wHoqeHKxmprAPkdkqsAIKjyQ4TeH1tLAy6CYBu17yWN8e+sA/BdbLueHuxD -x4KpTFxvnGGuonHYEScNiFEsvG/lX3lIfx+/LWSex0qtgmzTguU04vJGLqUw6rVS -764aIVMHcNZnAJxX+nJLKA1ts13EeEudKbBb9thJKmKlME7AK3Bt3DfHq1k6acEE -wRPv+v39/QLeum3yjBPcDLtSHvLiGvX4oAneWiGmxFZvPRgu/jUXU5et0fX0nNXp -KS2Ls/sO/jWvQQKCAQEA02QKMXKekB+MEZ5aJuZPlWLofw/UOq1O3eVmMwFISCvJ -kigf6MpTh/aKISZ0NAz40KbQbCuGEI2YSUCDL/iEmVMcxtYuT5hOcjsr6JzWbrDC 
-BIvhWc2gOawde3PjqkXiDPyo0hpsLIKTLnxKeXGOvYHE48fC1zKbLMDNiAqgnFmM -N1ZOF4j685beHjgIYM1sb4Z4vy9L62NEU9dPbk1QYWeukjsuatW6Mt5al11EIInw -rcSNVpPusPf+DqN8Jy8kg0sYBIPnHWTnZ9RWCAAkizQhMx3Ta7AC/j1iZes5PAeP -15968W2RWVSfwdMjodGphXo8SC+KQ/AFBPGxK0JRAQKCAQEAsS1yEVehgci1C5Fw -UE/MI/aTPNVOOhQ78uHQXRdu7dk/omA2yqIhSZwEBqNERkqG+v/TF6GHjz5IVvG2 -JMTEp1+IhzHsYdxTA/C0WWocuyNRpJuNnR5AE3Ch0tORqWCfe+ONN6O+iDBHnjA+ -BJwERIxph5ZU6mRARJ5EOiTvgjY//Pquq3FDdSNF6viQGpTPb0yWMqokwLw4usIl -C7h9uI6lkK23YXlnShwh5jqeYeLRL11TiNCpsGZ4NrkoWHSXUzQFCu3GEC6+hABG -2uIfe5bz7dn7pkoMriT+8IuDpaRB8dwEqdiT9mXym3t/+TiTRXs42jr5ki5yVCsi -u+vLwQKCAQEAhUdFxfdmUagSP+l/HZeIBb/epn3saTJrzyubS/06/YXeCPCTbcpi -8A5Y+J2uFkM3fRYvwoOOe1FK+qRaEhy2PZVRR2wytqxoiU0VWgvIhvGa4hLvehdT -Ngl2bSecGvcElvuV1SIjocyRz3U932Phg0oWQSbpiZS2kXjeHS/WI72x0hHwGpaa -4on0cUkSvzXFcGtwJdpEG5zyr4nI4tqMG12rizcVBPbL9taKd3SuR3Ww8V5DXprW -m21AGSqqVGo8syrdcbtYNAgyfhw6QcEVSU8Mv5XGftbyjClXqLqt01NRNbmvYhia -05+vOh1NEfGG2ElBSKHwovTptTxNX+DoAQKCAQEArhoKvATs/0McJSK+TOvR4hMn -TWFDFk7vMugkre4PzePpsUmFl4tyvbgcxk6/VBiarsGuOd9he66l9l2FjbNdJmly -0hihl5H2njwNz8qCoFjmGIzKMgfvI0gcnUJLpClz6cNjDrm89BqfeJETqaQixGVa -f7IxEVpA6koJbu5Y5JsfhK7fZa6pn3kuJlz4S7zA2WZN5JJyLDGkdh/7wpb/SPm8 -JMl6DF+zRcTs35mDTMr99P1f8CYQEGl6nrpjDbcTta+ZUt8+VY7eIShbokZVT+4P -ET2e876l0xYXnvJegARnX3PTnjR6n9nNOVrmJ75NoXgKL4Wh/I+Pwj+BPeybKA== ------END RSA PRIVATE KEY----- diff --git a/examples/test/keyrings/test_keyrings/user_public_key_file_name.pem b/examples/test/keyrings/test_keyrings/user_public_key_file_name.pem deleted file mode 100644 index d0e6dcf7f..000000000 --- a/examples/test/keyrings/test_keyrings/user_public_key_file_name.pem +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAi5dtNWWtkBfbYdBBq00P -ZjubS1cO6iCfJLxY0LHHIL1F+BmVrhQcV8+JwIuawg2hDze57t531h6qNeYEizsI -BZc9TrUHuo8pc59stGciWvGMH5YSt4mxpi/rHMdIj7QzYEZHSK3h+Zzkv3+L3mLD -R2tjgOtxHrZ3bJ1bKGF7kjQMPycx37Wutvil6YnB6jHevbXu3x8aVvhYYihX1fh5 -yVh9XcuxIUZvDQXJ3nFOApuX4nfkEwRE4yaDJOC2WwjiKFdeoGx5v2SX0M9owMZ0 -Rlx3YBGkO5bXsKP1qzq+p7nR46ygiQjNxp8oIpWCugo0m1FtPKyhDkN8J6Xz8v/x -0zsfHzd0HRmOYfzgxirdZqxLVeOXKXXAgiSHxzIE1R0gngZeg4HvqktYlunecgcg -z4wyNY1wshBmAcvyeoDqwzGpnlKEdeg3D4ZLpg7j8U4tVN4oJPAKxlxhkQUe8DVE -yCLNUUoYVCZG01JlwPNHa4/xkJwruuoZKq3W2iAGU/b/FzFFIxNRF5KlSdjvxMXK -G+XW0LDnFnrwAx/xd4iojcmBOjJYJn1rYy0R5aOwwxzccFr152wZ5SJhcgWYTHRQ -hcXCFnMLqcxotT2GNspxhiZR/KBPtvqzNeALFQLOEZC/omtIOQl5Zy4BCLUIH59N -z8jNY8TEt7xP4WE3liNA9EECAwEAAQ== ------END PUBLIC KEY----- From d8e20f12e22420e69619215e157e4909ecaec37a Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Mon, 6 May 2024 14:20:01 -0700 Subject: [PATCH 04/16] fix flake8; gitignore --- .gitignore | 5 ++++- examples/src/keyrings/file_streaming_example.py | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 602b26a91..4e2f38e5b 100644 --- a/.gitignore +++ b/.gitignore @@ -32,7 +32,10 @@ __pycache__ # PyTest .pytest_cache # Ignore key materials generated by examples or tests -test_keyrings +user_public_key_file_name.pem +user_private_key_file_name.pem +my-encrypted-data.ct +my-decrypted-data.dat # PyCharm .idea/ diff --git a/examples/src/keyrings/file_streaming_example.py b/examples/src/keyrings/file_streaming_example.py index 4628b16d3..7d1cc0b11 100644 --- a/examples/src/keyrings/file_streaming_example.py +++ b/examples/src/keyrings/file_streaming_example.py 
@@ -24,9 +24,9 @@ For more information on how to use Raw AES keyrings, see
 https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
 """
+import filecmp
 import secrets
 import sys
-import filecmp
 from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
 from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
From 121b73ebf9bd22bacdc1c1d9d58b6dcde2941c3c Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 6 May 2024 16:13:38 -0700
Subject: [PATCH 05/16] added migration example
---
 ...migration_set_commitment_policy_example.py | 125 ++++++++++++++++++
 ...migration_set_commitment_policy_example.py | 14 ++
 2 files changed, 139 insertions(+)
 create mode 100644 examples/src/keyrings/migration_set_commitment_policy_example.py
 create mode 100644 examples/test/keyrings/test_i_migration_set_commitment_policy_example.py
diff --git a/examples/src/keyrings/migration_set_commitment_policy_example.py b/examples/src/keyrings/migration_set_commitment_policy_example.py
new file mode 100644
index 000000000..286e6ce1d
--- /dev/null
+++ b/examples/src/keyrings/migration_set_commitment_policy_example.py
@@ -0,0 +1,125 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+This example configures a client with a specific commitment policy for the
+AWS Encryption SDK client, then encrypts and decrypts data using an AWS KMS Keyring.
+
+This configuration should only be used as part of a migration from version 1.x to 2.x, or for
+advanced users with specialized requirements. We recommend that AWS Encryption SDK users use the
+default commitment policy whenever possible.
+
+This example creates a KMS Keyring and then encrypts a custom input EXAMPLE_DATA
+with an encryption context. This example also includes some sanity checks for demonstration:
+1. Ciphertext and plaintext data are not the same
+2. Encryption context is correct in the decrypted message header
+3. Decrypted plaintext value matches EXAMPLE_DATA
+These sanity checks are for demonstration in the example only. You do not need these in your code.
+
+For more information on setting your commitment policy, see
+https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/migrate-commitment-policy.html
+"""
+import sys
+
+import boto3
+from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
+from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
+from aws_cryptographic_materialproviders.mpl.models import CreateAwsKmsKeyringInput
+from aws_cryptographic_materialproviders.mpl.references import IKeyring
+from typing import Dict
+
+import aws_encryption_sdk
+from aws_encryption_sdk import CommitmentPolicy
+from aws_encryption_sdk.identifiers import AlgorithmSuite
+
+# TODO-MPL: Remove this as part of removing PYTHONPATH hacks.
+MODULE_ROOT_DIR = '/'.join(__file__.split("/")[:-1])
+
+sys.path.append(MODULE_ROOT_DIR)
+
+EXAMPLE_DATA: bytes = b"Hello World"
+
+
+def encrypt_and_decrypt_with_keyring(
+ kms_key_id: str
+):
+ """Demonstrate how to set your commitment policy for migration.
+
+ Usage: encrypt_and_decrypt_with_keyring(kms_key_id)
+ :param kms_key_id: KMS Key identifier for the KMS key you want to use for encryption and
+ decryption of your data keys.
+ :type kms_key_id: string
+
+ For more information on KMS Key identifiers, see
+ https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id
+ """
+ # 1. Instantiate the encryption SDK client.
+ # This builds the client with the FORBID_ENCRYPT_ALLOW_DECRYPT commitment policy,
+ # which enforces that this client cannot encrypt with key commitment.
+ # It can decrypt ciphertexts encrypted with or without key commitment.
+ # The default commitment policy if you were to build the client as
+ # `client = aws_encryption_sdk.EncryptionSDKClient()` is REQUIRE_ENCRYPT_REQUIRE_DECRYPT.
+ client = aws_encryption_sdk.EncryptionSDKClient(
+ commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+ )
+
+ # 2. Create a boto3 client for KMS.
+ kms_client = boto3.client('kms', region_name="us-west-2")
+
+ # 3. Create encryption context.
+ # Remember that your encryption context is NOT SECRET.
+ # For more information, see
+ # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+ encryption_context: Dict[str, str] = {
+ "encryption": "context",
+ "is not": "secret",
+ "but adds": "useful metadata",
+ "that can help you": "be confident that",
+ "the data you are handling": "is what you think it is",
+ }
+
+ # 4. Create a KMS keyring
+ mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
+ config=MaterialProvidersConfig()
+ )
+
+ keyring_input: CreateAwsKmsKeyringInput = CreateAwsKmsKeyringInput(
+ kms_key_id=kms_key_id,
+ kms_client=kms_client
+ )
+
+ kms_keyring: IKeyring = mat_prov.create_aws_kms_keyring(
+ input=keyring_input
+ )
+
+ # 5. Encrypt the data with the encryptionContext. Make sure you use a non-committing algorithm
+ # with the commitment policy FORBID_ENCRYPT_ALLOW_DECRYPT. Otherwise client.encrypt() will throw
+ # aws_encryption_sdk.exceptions.ActionNotAllowedError. By default for
+ # FORBID_ENCRYPT_ALLOW_DECRYPT,
+ # the algorithm used is AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384
+ ciphertext, _ = client.encrypt(
+ source=EXAMPLE_DATA,
+ keyring=kms_keyring,
+ encryption_context=encryption_context
+ )
+
+ # 6. Demonstrate that the ciphertext and plaintext are different.
+ # (This is an example for demonstration; you do not need to do this in your own code.)
+ assert ciphertext != EXAMPLE_DATA, \
+ "Ciphertext and plaintext data are the same. Invalid encryption"
+
+ # 7. Decrypt your encrypted data using the same keyring you used on encrypt.
+ plaintext_bytes, dec_header = client.decrypt(
+ source=ciphertext,
+ keyring=kms_keyring
+ )
+
+ # 8. Demonstrate that the encryption context is correct in the decrypted message header
+ # (This is an example for demonstration; you do not need to do this in your own code.)
+ for k, v in encryption_context.items():
+ assert v == dec_header.encryption_context[k], \
+ "Encryption context does not match expected values"
+
+ # 9. Demonstrate that the decrypted plaintext is identical to the original plaintext.
+ # (This is an example for demonstration; you do not need to do this in your own code.)
+ assert plaintext_bytes == EXAMPLE_DATA, \
+ "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
diff --git a/examples/test/keyrings/test_i_migration_set_commitment_policy_example.py b/examples/test/keyrings/test_i_migration_set_commitment_policy_example.py
new file mode 100644
index 000000000..a14cd33d6
--- /dev/null
+++ b/examples/test/keyrings/test_i_migration_set_commitment_policy_example.py
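Review bot: `from typing import Dict` is placed inside the third-party import group, after the `aws_cryptographic_materialproviders` imports, while the only other standard-library import, `import sys`, has its own group at the top of the file; moving it up next to `import sys` keeps the stdlib/third-party/local grouping the rest of the file follows. Separately, `kms_client = boto3.client('kms', region_name="us-west-2")` fixes the region independently of `kms_key_id`, and a call with a key that lives in another region would presumably fail at the service rather than in this example; a one-line comment such as `# The KMS client's region must match the region of kms_key_id.` would spare a reader that surprise.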
@@ -0,0 +1,14 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Test suite for the set commitment policy example for migration."""
+import pytest
+
+from ...src.keyrings.migration_set_commitment_policy_example import encrypt_and_decrypt_with_keyring
+
+pytestmark = [pytest.mark.examples]
+
+
+def test_encrypt_and_decrypt_with_keyring():
+ """Test function for setting commitment policy using the AWS KMS Keyring example."""
+ kms_key_id = "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f"
+ encrypt_and_decrypt_with_keyring(kms_key_id)
From 7018577f2914345f38a18dd91e746698c40cd1a2 Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 6 May 2024 16:18:33 -0700
Subject: [PATCH 06/16] fix flake8
---
 examples/src/keyrings/migration_set_commitment_policy_example.py | 1 - 1 file changed, 1 deletion(-)
diff --git a/examples/src/keyrings/migration_set_commitment_policy_example.py b/examples/src/keyrings/migration_set_commitment_policy_example.py
index 286e6ce1d..8c880e9ea 100644
--- a/examples/src/keyrings/migration_set_commitment_policy_example.py
+++ b/examples/src/keyrings/migration_set_commitment_policy_example.py
@@ -29,7 +29,6 @@
 import aws_encryption_sdk
 from aws_encryption_sdk import CommitmentPolicy
-from aws_encryption_sdk.identifiers import AlgorithmSuite
 # TODO-MPL: Remove this as part of removing PYTHONPATH hacks.
 MODULE_ROOT_DIR = '/'.join(__file__.split("/")[:-1])
From c82fc2f5403538313f852dc0d4b297425a9cd07e Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 6 May 2024 16:27:46 -0700
Subject: [PATCH 07/16] fix codebuild tests
---
 .gitignore | 5 +-- .../keyrings/test_i_file_streaming_example.py | 43 +++++++++++++++++-- .../test_i_raw_rsa_keyring_example.py | 2 + .../keyrings/test_keyrings/my-secret-data.dat | 26 ----------- 4 files changed, 43 insertions(+), 33 deletions(-)
 delete mode 100644 examples/test/keyrings/test_keyrings/my-secret-data.dat
diff --git a/.gitignore b/.gitignore
index 4e2f38e5b..24df397ed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,10 +32,7 @@ __pycache__
 # PyTest
 .pytest_cache
 # Ignore key materials generated by examples or tests
-user_public_key_file_name.pem
-user_private_key_file_name.pem
-my-encrypted-data.ct
-my-decrypted-data.dat
+test_keyrings/
 # PyCharm
 .idea/
diff --git a/examples/test/keyrings/test_i_file_streaming_example.py b/examples/test/keyrings/test_i_file_streaming_example.py
index 10429a819..b8ee51027 100644
--- a/examples/test/keyrings/test_i_file_streaming_example.py
+++ b/examples/test/keyrings/test_i_file_streaming_example.py
@@ -1,6 +1,8 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 """Test suite for the file streaming keyring example."""
+import os
+
 import pytest
 from ...src.keyrings.file_streaming_example import encrypt_and_decrypt_with_keyring
@@ -10,9 +12,44 @@
 def test_encrypt_and_decrypt_with_keyring():
 """Test function for encrypt and decrypt for file streaming example using Raw AES keyring."""
- plaintext_filename = "test_keyrings/my-secret-data.dat"
- ciphertext_filename = 'test_keyrings/my-encrypted-data.ct'
- new_plaintext_filename = 'test_keyrings/my-decrypted-data.dat'
+ test_keyrings_directory = 'test_keyrings'
+ if not os.path.exists(test_keyrings_directory):
+ os.makedirs(test_keyrings_directory)
+
+ plaintext_filename = test_keyrings_directory + '/my-secret-data.dat'
+
+ plaintext_data = '''Lorem ipsum dolor sit amet, consectetur adipiscing elit.
+Praesent non feugiat leo. Aenean iaculis tellus ut velit consectetur,
+quis convallis orci eleifend. Sed eu dictum sapien. Nulla facilisi. Suspendisse potenti.
+Proin vehicula vehicula maximus. Donec varius et elit vel rutrum. Nulla lacinia neque turpis
+quis consequat orci pharetra et. Etiam consequat ullamcorper mauris. Vivamus molestie mollis
+mauris a gravida. Curabitur sed bibendum nisl. Cras varius tortor non erat sodales, quis congu
+tellus laoreet. Etiam fermentum purus eu diam sagittis, vitae commodo est vehicula.
+Nulla feugiat viverra orci vel interdum. Quisque pulvinar elit eget nulla facilisis varius.
+Mauris at suscipit sem. Aliquam in purus ut velit fringilla volutpat id non mi.
+Curabitur quis nunc eleifend, ornare lectus non, fringilla quam. Nam maximus volutpat placerat.
+Nulla ullamcorper lorem velit, nec sagittis ex tristique posuere. Aliquam fringilla magna commod
+libero faucibus tempor. Vestibulum non ligula tincidunt, finibus sapien in, sollicitudin
+ex. Pellentesque congue laoreet mi in condimentum. Cras convallis nisi ac nunc tincidunt
+venenatis. Suspendisse urna elit, cursus eu lacus a, aliquet porttitor mi.
+Nulla vel congue nibh, sed condimentum dui. Ut ante ligula, blandit eu finibus nec,
+scelerisque quis eros. Maecenas gravida odio eget nibh dictum, dictum varius lacus interdum.
+Integer quis nulla vulputate, rhoncus diam vitae, mollis mauris. Sed ut porttitor dolor.
+Fusce ut justo a ex bibendum imperdiet nec sit amet magna. Sed ullamcorper luctus augue,
+tempor viverra elit interdum sed. Cras sit amet arcu eu turpis molestie sollicitudin.
+Curabitur fermentum varius nibh, ut aliquet nisi. Aliquam id tempus tellus.
+Nulla porttitor nulla at nibh interdum, quis sollicitudin erat egestas.
+Ut blandit mauris quis efficitur efficitur. Morbi neque sapien, posuere ut aliquam eget,
+aliquam at velit. Morbi sit amet rhoncus felis, et hendrerit sem. Nulla porta dictum ligula
+eget iaculis. Cras lacinia ligula quis risus ultrices, sed consectetur metus imperdiet.
+Nullam id enim vestibulum nibh ultricies auctor. Morbi neque lacus, faucibus vitae commodo quis,
+malesuada sed velit.'''
+
+ with open(plaintext_filename, "w", encoding="utf-8") as f:
+ f.write(plaintext_data)
+
+ ciphertext_filename = test_keyrings_directory + '/my-encrypted-data.ct'
+ new_plaintext_filename = test_keyrings_directory + '/my-decrypted-data.dat'
 encrypt_and_decrypt_with_keyring(plaintext_filename,
 ciphertext_filename,
 new_plaintext_filename)
diff --git a/examples/test/keyrings/test_i_raw_rsa_keyring_example.py b/examples/test/keyrings/test_i_raw_rsa_keyring_example.py
index c52f68ae0..87786b4b3 100644
--- a/examples/test/keyrings/test_i_raw_rsa_keyring_example.py
+++ b/examples/test/keyrings/test_i_raw_rsa_keyring_example.py
@@ -33,6 +33,8 @@ def test_encrypt_and_decrypt_with_keyring_with_user_defined_keys():
 user_private_key = user_private_key.decode('utf-8')
 test_keyrings_directory = 'test_keyrings'
+ if not os.path.exists(test_keyrings_directory):
+ os.makedirs(test_keyrings_directory)
 # Define the file names for the keys
 user_public_key_file_name = test_keyrings_directory + '/user_public_key_file_name.pem'
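Review bot: The new test writes `my-secret-data.dat`, the ciphertext and the decrypted copy into a `test_keyrings` directory relative to the current working directory and never removes them, so each run leaves its three files behind; the `.gitignore` hunk in this same patch hides the leftovers rather than preventing them. pytest's `tmp_path` fixture gives every run a private directory that pytest cleans up, and it makes the `os.path.exists`/`os.makedirs` pair and the `test_keyrings_directory` variable unnecessary. The same exists/makedirs pair is added to test_i_raw_rsa_keyring_example.py in this patch; if the shared directory is kept there, `os.makedirs(test_keyrings_directory, exist_ok=True)` does it in one call without a check-then-create gap.
```python
def test_encrypt_and_decrypt_with_keyring(tmp_path):
    """Test function for encrypt and decrypt for file streaming example using Raw AES keyring."""
    plaintext_filename = str(tmp_path / 'my-secret-data.dat')

    # … unchanged: plaintext_data literal and the write to plaintext_filename …

    ciphertext_filename = str(tmp_path / 'my-encrypted-data.ct')
    new_plaintext_filename = str(tmp_path / 'my-decrypted-data.dat')
    # … unchanged: call to encrypt_and_decrypt_with_keyring …
```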
diff --git a/examples/test/keyrings/test_keyrings/my-secret-data.dat b/examples/test/keyrings/test_keyrings/my-secret-data.dat
deleted file mode 100644
index 2d22c2d64..000000000
--- a/examples/test/keyrings/test_keyrings/my-secret-data.dat
+++ /dev/null
@@ -1,26 +0,0 @@
-Lorem ipsum dolor sit amet, consectetur adipiscing elit.
-Praesent non feugiat leo. Aenean iaculis tellus ut velit consectetur,
-quis convallis orci eleifend. Sed eu dictum sapien. Nulla facilisi. Suspendisse potenti.
-Proin vehicula vehicula maximus. Donec varius et elit vel rutrum. Nulla lacinia neque turpis
-quis consequat orci pharetra et. Etiam consequat ullamcorper mauris. Vivamus molestie mollis
-mauris a gravida. Curabitur sed bibendum nisl. Cras varius tortor non erat sodales, quis congu
-tellus laoreet. Etiam fermentum purus eu diam sagittis, vitae commodo est vehicula.
-Nulla feugiat viverra orci vel interdum. Quisque pulvinar elit eget nulla facilisis varius.
-Mauris at suscipit sem. Aliquam in purus ut velit fringilla volutpat id non mi.
-Curabitur quis nunc eleifend, ornare lectus non, fringilla quam. Nam maximus volutpat placerat.
-Nulla ullamcorper lorem velit, nec sagittis ex tristique posuere. Aliquam fringilla magna commod
-libero faucibus tempor. Vestibulum non ligula tincidunt, finibus sapien in, sollicitudin
-ex. Pellentesque congue laoreet mi in condimentum. Cras convallis nisi ac nunc tincidunt
-venenatis. Suspendisse urna elit, cursus eu lacus a, aliquet porttitor mi.
-Nulla vel congue nibh, sed condimentum dui. Ut ante ligula, blandit eu finibus nec,
-scelerisque quis eros. Maecenas gravida odio eget nibh dictum, dictum varius lacus interdum.
-Integer quis nulla vulputate, rhoncus diam vitae, mollis mauris. Sed ut porttitor dolor.
-Fusce ut justo a ex bibendum imperdiet nec sit amet magna. Sed ullamcorper luctus augue,
-tempor viverra elit interdum sed. Cras sit amet arcu eu turpis molestie sollicitudin.
-Curabitur fermentum varius nibh, ut aliquet nisi. Aliquam id tempus tellus.
-Nulla porttitor nulla at nibh interdum, quis sollicitudin erat egestas.
-Ut blandit mauris quis efficitur efficitur. Morbi neque sapien, posuere ut aliquam eget,
-aliquam at velit. Morbi sit amet rhoncus felis, et hendrerit sem. Nulla porta dictum ligula
-eget iaculis. Cras lacinia ligula quis risus ultrices, sed consectetur metus imperdiet.
-Nullam id enim vestibulum nibh ultricies auctor. Morbi neque lacus, faucibus vitae commodo quis,
-malesuada sed velit.
\ No newline at end of file
From 6617db7e1fac37ce9ea3736a2c00d2842ceeb72c Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 6 May 2024 16:32:43 -0700
Subject: [PATCH 08/16] fix
---
 examples/test/keyrings/test_i_file_streaming_example.py | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/examples/test/keyrings/test_i_file_streaming_example.py b/examples/test/keyrings/test_i_file_streaming_example.py
index b8ee51027..84aae1465 100644
--- a/examples/test/keyrings/test_i_file_streaming_example.py
+++ b/examples/test/keyrings/test_i_file_streaming_example.py
@@ -16,8 +16,10 @@ def test_encrypt_and_decrypt_with_keyring():
 if not os.path.exists(test_keyrings_directory):
 os.makedirs(test_keyrings_directory)
+ # Define the filename of the plaintext data.
 plaintext_filename = test_keyrings_directory + '/my-secret-data.dat'
+ # Define the plaintext data to be encrypted and decrypted.
 plaintext_data = '''Lorem ipsum dolor sit amet, consectetur adipiscing elit.
 Praesent non feugiat leo. Aenean iaculis tellus ut velit consectetur,
 quis convallis orci eleifend. Sed eu dictum sapien. Nulla facilisi. Suspendisse potenti.
@@ -45,11 +47,16 @@ def test_encrypt_and_decrypt_with_keyring():
 Nullam id enim vestibulum nibh ultricies auctor. Morbi neque lacus, faucibus vitae commodo quis,
 malesuada sed velit.'''
+ # Write plaintext data to file
 with open(plaintext_filename, "w", encoding="utf-8") as f:
+ f.write(plaintext_data)
+ # Define the filename of the encrypted data.
 ciphertext_filename = test_keyrings_directory + '/my-encrypted-data.ct'
+
+ # Define the filename of the decrypted data.
 new_plaintext_filename = test_keyrings_directory + '/my-decrypted-data.dat'
+
 encrypt_and_decrypt_with_keyring(plaintext_filename,
 ciphertext_filename,
 new_plaintext_filename)
From cf4b3a94745f8875b185cfa36548720847f11aec Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 6 May 2024 16:40:08 -0700
Subject: [PATCH 09/16] fix
---
 .../src/keyrings/file_streaming_example.py | 18 +++++++++++++----- .../keyrings/test_i_file_streaming_example.py | 4 ++-- 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/examples/src/keyrings/file_streaming_example.py b/examples/src/keyrings/file_streaming_example.py
index 7d1cc0b11..bb64f79d6 100644
--- a/examples/src/keyrings/file_streaming_example.py
+++ b/examples/src/keyrings/file_streaming_example.py
@@ -10,7 +10,7 @@
 This example creates a Raw AES Keyring and then encrypts an input stream from the file
 `plaintext_filename` with an encryption context to an output (encrypted) file `ciphertext_filename`.
-It then decrypts the ciphertext from `ciphertext_filename` to a new file `new_plaintext_filename`.
+It then decrypts the ciphertext from `ciphertext_filename` to a new file `decrypted_filename`.
 This example also includes some sanity checks for demonstration:
 1. Ciphertext and plaintext data are not the same
 2. Encryption context is correct in the decrypted message header
@@ -46,11 +46,19 @@ def encrypt_and_decrypt_with_keyring(
 plaintext_filename: str,
 ciphertext_filename: str,
- new_plaintext_filename: str
+ decrypted_filename: str
 ):
 """Demonstrate a streaming encrypt/decrypt cycle using a Raw AES keyring.
- Usage: encrypt_and_decrypt_with_keyring()
+ Usage: encrypt_and_decrypt_with_keyring(plaintext_filename
+ ciphertext_filename
+ decrypted_filename)
+ :param plaintext_filename: filename of the plaintext data
+ :type plaintext_filename: string
+ :param ciphertext_filename: filename of the ciphertext data
+ :type ciphertext_filename: string
+ :param decrypted_filename: filename of the decrypted data
+ :type decrypted_filename: string
 """
 # 1. Instantiate the encryption SDK client.
 # This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy,
@@ -122,7 +130,7 @@ def encrypt_and_decrypt_with_keyring(
 "Ciphertext and plaintext data are the same. Invalid encryption"
 # 8. Decrypt your encrypted data using the same keyring you used on encrypt.
- with open(ciphertext_filename, 'rb') as ct_file, open(new_plaintext_filename, 'wb') as pt_file:
+ with open(ciphertext_filename, 'rb') as ct_file, open(decrypted_filename, 'wb') as pt_file:
 with client.stream(
 mode='d',
 source=ct_file,
@@ -140,5 +148,5 @@ def encrypt_and_decrypt_with_keyring(
 # 10. Demonstrate that the decrypted plaintext is identical to the original plaintext.
 # (This is an example for demonstration; you do not need to do this in your own code.)
- assert filecmp.cmp(plaintext_filename, new_plaintext_filename), \
+ assert filecmp.cmp(plaintext_filename, decrypted_filename), \
 "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
diff --git a/examples/test/keyrings/test_i_file_streaming_example.py b/examples/test/keyrings/test_i_file_streaming_example.py
index 84aae1465..1a05c2631 100644
--- a/examples/test/keyrings/test_i_file_streaming_example.py
+++ b/examples/test/keyrings/test_i_file_streaming_example.py
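Review bot: `assert filecmp.cmp(plaintext_filename, decrypted_filename), \` in the last hunk keeps filecmp's default `shallow=True`, under which two files whose os.stat() signatures (type, size, mtime) match are reported equal without either being read; a sanity check whose purpose is to prove the decrypted output equals the original should compare bytes, `assert filecmp.cmp(plaintext_filename, decrypted_filename, shallow=False), \`. In the first hunk the new usage line `Usage: encrypt_and_decrypt_with_keyring(plaintext_filename ciphertext_filename decrypted_filename)` is spread over three lines with no commas between the arguments, and the `:type ...: string` entries name a type Python does not have; `str` is the conventional spelling. encrypt_and_decrypt_with_keyring continues outside these hunks.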
@@ -55,8 +55,8 @@ def test_encrypt_and_decrypt_with_keyring():
 ciphertext_filename = test_keyrings_directory + '/my-encrypted-data.ct'
 # Define the filename of the decrypted data.
- new_plaintext_filename = test_keyrings_directory + '/my-decrypted-data.dat'
+ decrypted_filename = test_keyrings_directory + '/my-decrypted-data.dat'
 encrypt_and_decrypt_with_keyring(plaintext_filename,
 ciphertext_filename,
- new_plaintext_filename)
+ decrypted_filename)
From 863c898b89715121b258ac3374a25d449b93692e Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 6 May 2024 17:04:19 -0700
Subject: [PATCH 10/16] final editing
---
 .../src/keyrings/file_streaming_example.py | 2 +- ...migration_set_commitment_policy_example.py | 22 +++++++++++-------- .../set_encryption_algorithm_example.py | 13 ++++++----- .../keyrings/test_i_file_streaming_example.py | 4 ++-- ...migration_set_commitment_policy_example.py | 2 +- 5 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/examples/src/keyrings/file_streaming_example.py b/examples/src/keyrings/file_streaming_example.py
index bb64f79d6..afc144939 100644
--- a/examples/src/keyrings/file_streaming_example.py
+++ b/examples/src/keyrings/file_streaming_example.py
@@ -129,7 +129,7 @@ def encrypt_and_decrypt_with_keyring(
 assert not filecmp.cmp(plaintext_filename, ciphertext_filename), \
 "Ciphertext and plaintext data are the same. Invalid encryption"
- # 8. Decrypt your encrypted data using the same keyring you used on encrypt.
+ # 8. Decrypt your encrypted data stream using the same keyring you used on encrypt.
 with open(ciphertext_filename, 'rb') as ct_file, open(decrypted_filename, 'wb') as pt_file:
 with client.stream(
 mode='d',
diff --git a/examples/src/keyrings/migration_set_commitment_policy_example.py b/examples/src/keyrings/migration_set_commitment_policy_example.py
index 8c880e9ea..2c422052a 100644
--- a/examples/src/keyrings/migration_set_commitment_policy_example.py
+++ b/examples/src/keyrings/migration_set_commitment_policy_example.py
@@ -4,12 +4,14 @@
 This example configures a client with a specific commitment policy for the
 AWS Encryption SDK client, then encrypts and decrypts data using an AWS KMS Keyring.
-This configuration should only be used as part of a migration from version 1.x to 2.x, or for
-advanced users with specialized requirements. We recommend that AWS Encryption SDK users use the
-default commitment policy whenever possible.
+The commitment policy in this example (FORBID_ENCRYPT_ALLOW_DECRYPT) should only be used as part
+of a migration from version 1.x to 2.x, or for advanced users with specialized requirements.
+We recommend that AWS Encryption SDK users use the default commitment policy
+(REQUIRE_ENCRYPT_REQUIRE_DECRYPT) whenever possible.
 This example creates a KMS Keyring and then encrypts a custom input EXAMPLE_DATA
-with an encryption context. This example also includes some sanity checks for demonstration:
+with an encryption context for the commitment policy FORBID_ENCRYPT_ALLOW_DECRYPT.
+This example also includes some sanity checks for demonstration:
 1. Ciphertext and plaintext data are not the same
 2. Encryption context is correct in the decrypted message header
 3. Decrypted plaintext value matches EXAMPLE_DATA
@@ -52,11 +54,13 @@ def encrypt_and_decrypt_with_keyring(
 https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id
 """
 # 1. Instantiate the encryption SDK client.
- # This builds the client with the FORBID_ENCRYPT_ALLOW_DECRYPT commitment policy,
- # which enforces that this client cannot encrypt with key commitment.
- # It can decrypt ciphertexts encrypted with or without key commitment.
+ # This example builds the client with the FORBID_ENCRYPT_ALLOW_DECRYPT commitment policy,
+ # which enforces that this client cannot encrypt with key commitment
+ # and it can decrypt ciphertexts encrypted with or without key commitment.
 # The default commitment policy if you were to build the client as
 # `client = aws_encryption_sdk.EncryptionSDKClient()` is REQUIRE_ENCRYPT_REQUIRE_DECRYPT.
+ # We recommend that AWS Encryption SDK users use the default commitment policy
+ # (REQUIRE_ENCRYPT_REQUIRE_DECRYPT) whenever possible.
 client = aws_encryption_sdk.EncryptionSDKClient(
 commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
 )
@@ -93,8 +97,8 @@ def encrypt_and_decrypt_with_keyring(
 # 5. Encrypt the data with the encryptionContext. Make sure you use a non-committing algorithm
 # with the commitment policy FORBID_ENCRYPT_ALLOW_DECRYPT. Otherwise client.encrypt() will throw
 # aws_encryption_sdk.exceptions.ActionNotAllowedError. By default for
- # FORBID_ENCRYPT_ALLOW_DECRYPT,
- # the algorithm used is AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384
+ # FORBID_ENCRYPT_ALLOW_DECRYPT, the algorithm used is
+ # AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384 which is a non-committing algorithm.
 ciphertext, _ = client.encrypt(
 source=EXAMPLE_DATA,
 keyring=kms_keyring,
diff --git a/examples/src/keyrings/set_encryption_algorithm_example.py b/examples/src/keyrings/set_encryption_algorithm_example.py
index 535c5f12d..76ea58b96 100644
--- a/examples/src/keyrings/set_encryption_algorithm_example.py
+++ b/examples/src/keyrings/set_encryption_algorithm_example.py
@@ -14,12 +14,13 @@
 but you can include multiple Raw AES keyrings, alone or with other keyrings, in a multi-keyring.
 The AES wrapping algorithm (AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16) protects your data key using
-the user-provided wrapping key. The encryption algorithm used in the encrypt() method for a Raw
-AES keyring is the algorithm used to protect your data using the data key. This example
-demonstrates setting the latter, which is the encryption algorithm for protecting your data.
-The default algorithm used in encrypt method is AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384
-which is a committing and signing algorithm. This example sets the encryption algorithm as
-AES_256_GCM_HKDF_SHA512_COMMIT_KEY which is a committing but non-signing algorithm.
+the user-provided wrapping key. The encryption algorithm used in the encrypt() method is the
+algorithm used to protect your data using the data key. This example demonstrates setting the
+latter, which is the encryption algorithm for protecting your data. The default algorithm used
+in encrypt method is AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384 when the commitment policy is
+REQUIRE_ENCRYPT_REQUIRE_DECRYPT which is a committing and signing algorithm. This example sets
+the encryption algorithm as AES_256_GCM_HKDF_SHA512_COMMIT_KEY which is a committing but
+non-signing algorithm.
 This example creates a Raw AES Keyring and then encrypts a custom input EXAMPLE_DATA
 with an encryption context and the encryption algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY.
diff --git a/examples/test/keyrings/test_i_file_streaming_example.py b/examples/test/keyrings/test_i_file_streaming_example.py
index 1a05c2631..2e502f185 100644
--- a/examples/test/keyrings/test_i_file_streaming_example.py
+++ b/examples/test/keyrings/test_i_file_streaming_example.py
@@ -16,7 +16,7 @@ def test_encrypt_and_decrypt_with_keyring():
 if not os.path.exists(test_keyrings_directory):
 os.makedirs(test_keyrings_directory)
- # Define the filename of the plaintext data.
+ # Define the filename of the input plaintext data.
 plaintext_filename = test_keyrings_directory + '/my-secret-data.dat'
 # Define the plaintext data to be encrypted and decrypted.
@@ -47,7 +47,7 @@ def test_encrypt_and_decrypt_with_keyring():
 Nullam id enim vestibulum nibh ultricies auctor. Morbi neque lacus, faucibus vitae commodo quis,
 malesuada sed velit.'''
- # Write plaintext data to file
+ # Write plaintext data to plaintext_filename file
 with open(plaintext_filename, "w", encoding="utf-8") as f:
 f.write(plaintext_data)
diff --git a/examples/test/keyrings/test_i_migration_set_commitment_policy_example.py b/examples/test/keyrings/test_i_migration_set_commitment_policy_example.py
index a14cd33d6..7580ed670 100644
--- a/examples/test/keyrings/test_i_migration_set_commitment_policy_example.py
+++ b/examples/test/keyrings/test_i_migration_set_commitment_policy_example.py
@@ -1,6 +1,6 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-"""Test suite for the set commitment policy example for migration."""
+"""Test suite for the migration_set_commitment_policy_example."""
 import pytest
 from ...src.keyrings.migration_set_commitment_policy_example import encrypt_and_decrypt_with_keyring
From 0721a43286225c24c2f0a2b3f7644a2d2121451b Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Mon, 6 May 2024 17:06:59 -0700
Subject: [PATCH 11/16] updating commitment policy link
---
 .../src/keyrings/migration_set_commitment_policy_example.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/src/keyrings/migration_set_commitment_policy_example.py b/examples/src/keyrings/migration_set_commitment_policy_example.py
index 2c422052a..e2ff5e032 100644
--- a/examples/src/keyrings/migration_set_commitment_policy_example.py
+++ b/examples/src/keyrings/migration_set_commitment_policy_example.py
@@ -18,7 +18,7 @@
 These sanity checks are for demonstration in the example only. You do not need these in your code.
 For more information on setting your commitment policy, see
-https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/migrate-commitment-policy.html
+https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#commitment-policy
 """
 import sys
From 04c37465bad6743d8a4180ec551af9ec30f59d10 Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Tue, 7 May 2024 13:33:31 -0700
Subject: [PATCH 12/16] minor edits
---
 .../src/keyrings/file_streaming_example.py | 19 +++++++----- ...migration_set_commitment_policy_example.py | 8 ++--- .../set_encryption_algorithm_example.py | 31 ++++++++++++------- 3 files changed, 34 insertions(+), 24 deletions(-)
diff --git a/examples/src/keyrings/file_streaming_example.py b/examples/src/keyrings/file_streaming_example.py
index afc144939..6d8b1bbd3 100644
--- a/examples/src/keyrings/file_streaming_example.py
+++ b/examples/src/keyrings/file_streaming_example.py
@@ -1,12 +1,16 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 """
-This example demonstrates file streaming for encryption and decryption using a Raw AES keyring
+This example demonstrates file streaming for encryption and decryption.
-The Raw AES keyring lets you use an AES symmetric key that you provide as a wrapping key that
-protects your data key. You need to generate, store, and protect the key material,
-preferably in a hardware security module (HSM) or key management system. Use a Raw AES keyring
-when you need to provide the wrapping key and encrypt the data keys locally or offline.
+File streaming is useful when the plaintext or ciphertext file/data is too large to load into
+memory. Therefore, the AWS Encryption SDK allows users to stream the data, instead of loading it
+all at once in memory. In this example, we demonstrate file streaming for encryption and decryption
+using a Raw AES keyring. However, you can use any keyring for encryption/decryption with streaming.
+
+For more information on how to use Raw AES keyrings, see
+https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
+To look at a Raw AES keyring example, checkout out raw_aes_keyring_example.py
 This example creates a Raw AES Keyring and then encrypts an input stream from the file
 `plaintext_filename` with an encryption context to an output (encrypted) file `ciphertext_filename`.
@@ -21,8 +25,6 @@
 you specify as a byte array. You can specify only one wrapping key in each Raw AES keyring,
 but you can include multiple Raw AES keyrings, alone or with other keyrings, in a multi-keyring.
-For more information on how to use Raw AES keyrings, see
-https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html
 """
 import filecmp
 import secrets
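Review bot: The added docstring line `To look at a Raw AES keyring example, checkout out raw_aes_keyring_example.py` doubles the verb and ends without punctuation; `To look at a Raw AES keyring example, check out raw_aes_keyring_example.py.` is the intended sentence. The second hunk removes the two link lines that formed the docstring's last paragraph, which by the hunk's line counts appears to leave a blank line directly before the closing `"""`; dropping that blank line keeps the docstring tidy.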
@@ -48,7 +50,7 @@ def encrypt_and_decrypt_with_keyring( ciphertext_filename: str, decrypted_filename: str ): - """Demonstrate a streaming encrypt/decrypt cycle using a Raw AES keyring. + """Demonstrate a streaming encrypt/decrypt cycle. Usage: encrypt_and_decrypt_with_keyring(plaintext_filename ciphertext_filename @@ -98,6 +100,7 @@ def encrypt_and_decrypt_with_keyring( static_key = secrets.token_bytes(32) # 5. Create a Raw AES keyring + # We choose to use a raw AES keyring, but any keyring can be used with streaming. mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( config=MaterialProvidersConfig() ) diff --git a/examples/src/keyrings/migration_set_commitment_policy_example.py b/examples/src/keyrings/migration_set_commitment_policy_example.py index e2ff5e032..0a9e6a3a6 100644 --- a/examples/src/keyrings/migration_set_commitment_policy_example.py +++ b/examples/src/keyrings/migration_set_commitment_policy_example.py @@ -4,10 +4,10 @@ This example configures a client with a specific commitment policy for the AWS Encryption SDK client, then encrypts and decrypts data using an AWS KMS Keyring. -The commitment policy in this example (FORBID_ENCRYPT_ALLOW_DECRYPT) should only be used as part -of a migration from version 1.x to 2.x, or for advanced users with specialized requirements. -We recommend that AWS Encryption SDK users use the default commitment policy -(REQUIRE_ENCRYPT_REQUIRE_DECRYPT) whenever possible. +The commitment policy in this example (FORBID_ENCRYPT_ALLOW_DECRYPT) should only be +used as part of a migration from version 1.x to 2.x, or for advanced users with +specialized requirements. Most AWS Encryption SDK users should use the default +commitment policy (REQUIRE_ENCRYPT_REQUIRE_DECRYPT). This example creates a KMS Keyring and then encrypts a custom input EXAMPLE_DATA with an encryption context for the commitment policy FORBID_ENCRYPT_ALLOW_DECRYPT. 
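Review bot: The reflowed docstring still says FORBID_ENCRYPT_ALLOW_DECRYPT "should only be used as part of a migration" without saying what the decryptor gives up, which is exactly what a reader needs to decide whether they are one of the "advanced users". The ALLOW_DECRYPT half, by its name, means this client accepts messages that were written without key commitment, i.e. ciphertexts not bound to a single data key, which as I understand it is the property the 2.x default exists to enforce. I would add after the sentence ending "(REQUIRE_ENCRYPT_REQUIRE_DECRYPT).": `ALLOW_DECRYPT means this client will also accept messages without key commitment, so keep it only while messages from 1.x encryptors still exist and return to REQUIRE_ENCRYPT_REQUIRE_DECRYPT once they are gone.` The docstring continues outside this hunk.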
diff --git a/examples/src/keyrings/set_encryption_algorithm_example.py b/examples/src/keyrings/set_encryption_algorithm_example.py
index 76ea58b96..592d776b3 100644
--- a/examples/src/keyrings/set_encryption_algorithm_example.py
+++ b/examples/src/keyrings/set_encryption_algorithm_example.py
@@ -4,23 +4,28 @@ This example demonstrates how to set an encryption algorithm while using the Raw AES Keyring in the AWS Encryption SDK. +The encryption algorithm used in the encrypt() method is the algorithm used to protect your +data using the data key. By setting this algorithm, you can configure the algorithm used +to encrypt and decrypt your data. + Encryption algorithms can be set in a similar manner in other keyrings as well. However, please make sure that you're using a logical encryption algorithm that is compatible with your -keyring. For example, AWS KMS RSA Keyring does not support use with an algorithm suite -containing an asymmetric signature. - -The Raw AES keyring encrypts data by using the AES-GCM algorithm and a wrapping key that -you specify as a byte array. You can specify only one wrapping key in each Raw AES keyring, -but you can include multiple Raw AES keyrings, alone or with other keyrings, in a multi-keyring. +keyring. For more information on encryption algorithms supported by the AWS Encryption SDK, see +https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/supported-algorithms.html The AES wrapping algorithm (AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16) protects your data key using the user-provided wrapping key. The encryption algorithm used in the encrypt() method is the algorithm used to protect your data using the data key. This example demonstrates setting the -latter, which is the encryption algorithm for protecting your data. The default algorithm used -in encrypt method is AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384 when the commitment policy is -REQUIRE_ENCRYPT_REQUIRE_DECRYPT which is a committing and signing algorithm. This example sets -the encryption algorithm as AES_256_GCM_HKDF_SHA512_COMMIT_KEY which is a committing but -non-signing algorithm. +latter, which is the encryption algorithm for protecting your data. 
When the commitment policy is +REQUIRE_ENCRYPT_REQUIRE_DECRYPT, the default algorithm used in the encrypt method is +AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384, which is a committing and signing algorithm. +Signature verification is extremely useful to ensure the integrity of a digital message as it +goes between systems. However, signature verification adds a significant performance cost on +decryption. If the users encrypting data and the users decrypting data are equally trusted, we can +consider using an algorithm suite that does not include signing. This example sets the encryption +algorithm as AES_256_GCM_HKDF_SHA512_COMMIT_KEY which is a committing but non-signing algorithm. +For more information on digital signatures, see +https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs This example creates a Raw AES Keyring and then encrypts a custom input EXAMPLE_DATA with an encryption context and the encryption algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY. @@ -101,6 +106,7 @@ def encrypt_and_decrypt_with_keyring(): config=MaterialProvidersConfig() ) + # The wrapping algorithm here is NOT the encryption algorithm we set in this example. keyring_input: CreateRawAesKeyringInput = CreateRawAesKeyringInput( key_namespace=key_name_space, key_name=key_name, @@ -113,7 +119,8 @@ def encrypt_and_decrypt_with_keyring(): ) # 6. Encrypt the data with the encryptionContext. - # Specify the encryption algorithm you want to use for encrypting your data here + # This is the important step in this example where we specify the encryption algorithm + # you want to use for encrypting your data here ciphertext, _ = client.encrypt( source=EXAMPLE_DATA, keyring=raw_aes_keyring, From f028aac479590f1c784fc733addbe19cee8240ec Mon Sep 17 00:00:00 2001 
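Review bot: The new opening paragraph claims that by setting this algorithm "you can configure the algorithm used to encrypt and decrypt your data", but the suite is passed to `client.encrypt()` only; as far as I can tell the decryptor takes the suite from the message header and cannot choose it, it can only accept or reject it through the commitment policy. I would reword that sentence to `The algorithm suite is chosen at encrypt time and recorded in the message header; decrypt uses whichever suite the message was written with, subject to the client's commitment policy.` The same sentence is carried over unchanged by the later rename, so the fix applies there as well.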
From: Ritvik Kapila Date: Tue, 7 May 2024 14:03:10 -0700 Subject: [PATCH 13/16] refactor set_encryption_algorithm_example to set_encryption_algorithm_suite_example --- .../src/keyrings/file_streaming_example.py | 11 +++---- ...set_encryption_algorithm_suite_example.py} | 33 ++++++++++--------- ...test_i_set_encryption_algorithm_example.py | 13 -------- ..._set_encryption_algorithm_suite_example.py | 13 ++++++++ 4 files changed, 34 insertions(+), 36 deletions(-) rename examples/src/keyrings/{set_encryption_algorithm_example.py => set_encryption_algorithm_suite_example.py} (82%) delete mode 100644 examples/test/keyrings/test_i_set_encryption_algorithm_example.py create mode 100644 examples/test/keyrings/test_i_set_encryption_algorithm_suite_example.py diff --git a/examples/src/keyrings/file_streaming_example.py b/examples/src/keyrings/file_streaming_example.py index 6d8b1bbd3..cc3cb0ca6 100644 --- a/examples/src/keyrings/file_streaming_example.py +++ b/examples/src/keyrings/file_streaming_example.py @@ -8,10 +8,6 @@ all at once in memory. In this example, we demonstrate file streaming for encryption and decryption using a Raw AES keyring. However, you can use any keyring for encryption/decryption with streaming. -For more information on how to use Raw AES keyrings, see -https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html -To look at a Raw AES keyring example, checkout out raw_aes_keyring_example.py - This example creates a Raw AES Keyring and then encrypts an input stream from the file `plaintext_filename` with an encryption context to an output (encrypted) file `ciphertext_filename`. It then decrypts the ciphertext from `ciphertext_filename` to a new file `decrypted_filename`. 
@@ -21,10 +17,11 @@ 3. Decrypted plaintext value matches EXAMPLE_DATA These sanity checks are for demonstration in the example only. You do not need these in your code. -The Raw AES keyring encrypts data by using the AES-GCM algorithm and a wrapping key that -you specify as a byte array. You can specify only one wrapping key in each Raw AES keyring, -but you can include multiple Raw AES keyrings, alone or with other keyrings, in a multi-keyring. +For more information on how to use Raw AES keyrings, see +https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html +See raw_aes_keyring_example.py in the same directory for another raw AES keyring example +in the AWS Encryption SDK for Python. """ import filecmp import secrets diff --git a/examples/src/keyrings/set_encryption_algorithm_example.py b/examples/src/keyrings/set_encryption_algorithm_suite_example.py similarity index 82% rename from examples/src/keyrings/set_encryption_algorithm_example.py rename to examples/src/keyrings/set_encryption_algorithm_suite_example.py index 592d776b3..77b17da1c 100644 --- a/examples/src/keyrings/set_encryption_algorithm_example.py +++ b/examples/src/keyrings/set_encryption_algorithm_suite_example.py 
@@ -1,34 +1,34 @@ # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 """ -This example demonstrates how to set an encryption algorithm while using the Raw AES Keyring +This example demonstrates how to set an algorithm suite while using the Raw AES Keyring in the AWS Encryption SDK. -The encryption algorithm used in the encrypt() method is the algorithm used to protect your +The algorithm suite used in the encrypt() method is the algorithm used to protect your data using the data key. By setting this algorithm, you can configure the algorithm used to encrypt and decrypt your data. Encryption algorithms can be set in a similar manner in other keyrings as well. However, -please make sure that you're using a logical encryption algorithm that is compatible with your -keyring. For more information on encryption algorithms supported by the AWS Encryption SDK, see +please make sure that you're using a logical algorithm suite that is compatible with your +keyring. For more information on algorithm suites supported by the AWS Encryption SDK, see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/supported-algorithms.html The AES wrapping algorithm (AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16) protects your data key using -the user-provided wrapping key. The encryption algorithm used in the encrypt() method is the -algorithm used to protect your data using the data key. This example demonstrates setting the -latter, which is the encryption algorithm for protecting your data. When the commitment policy is +the user-provided wrapping key. In contrast, the algorithm suite used in the encrypt() method +is the algorithm used to protect your data using the data key. This example demonstrates setting the +latter, which is the algorithm suite for protecting your data. 
When the commitment policy is REQUIRE_ENCRYPT_REQUIRE_DECRYPT, the default algorithm used in the encrypt method is AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384, which is a committing and signing algorithm. -Signature verification is extremely useful to ensure the integrity of a digital message as it -goes between systems. However, signature verification adds a significant performance cost on -decryption. If the users encrypting data and the users decrypting data are equally trusted, we can -consider using an algorithm suite that does not include signing. This example sets the encryption -algorithm as AES_256_GCM_HKDF_SHA512_COMMIT_KEY which is a committing but non-signing algorithm. +Signature verification is extremely useful to ensure the integrity of a digital message as it goes +between systems. However, signature verification adds a significant performance cost to encryption +and decryption. If encryptors and decryptors are equally trusted, we can consider using an algorithm +suite that does not include signing. This example sets the algorithm suite as +AES_256_GCM_HKDF_SHA512_COMMIT_KEY, which is a committing but non-signing algorithm. For more information on digital signatures, see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs This example creates a Raw AES Keyring and then encrypts a custom input EXAMPLE_DATA -with an encryption context and the encryption algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY. +with an encryption context and the algorithm suite AES_256_GCM_HKDF_SHA512_COMMIT_KEY. This example also includes some sanity checks for demonstration: 1. Ciphertext and plaintext data are not the same 2. Encryption context is correct in the decrypted message header @@ -39,6 +39,7 @@ https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html """ import secrets + import sys from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders 
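Review bot: The reworded sentence now attributes the cost to "signature verification ... to encryption and decryption", which conflates the two halves of the operation: the encryptor pays for producing the signature, the decryptor pays for verifying it. Since the paragraph is guidance on choosing a suite across a trust boundary, that attribution is what tells a reader which side's cost scales with the number of readers. Suggested replacement for that sentence: `However, signing adds a significant cost to encryption, and signature verification adds one to decryption.`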
@@ -106,7 +107,7 @@ def encrypt_and_decrypt_with_keyring(): config=MaterialProvidersConfig() ) - # The wrapping algorithm here is NOT the encryption algorithm we set in this example. + # The wrapping algorithm here is NOT the algorithm suite we set in this example. keyring_input: CreateRawAesKeyringInput = CreateRawAesKeyringInput( key_namespace=key_name_space, key_name=key_name, @@ -119,8 +120,8 @@ def encrypt_and_decrypt_with_keyring(): ) # 6. Encrypt the data with the encryptionContext. - # This is the important step in this example where we specify the encryption algorithm - # you want to use for encrypting your data here + # This is the important step in this example where we specify the algorithm suite + # you want to use for encrypting your data ciphertext, _ = client.encrypt( source=EXAMPLE_DATA, keyring=raw_aes_keyring, diff --git a/examples/test/keyrings/test_i_set_encryption_algorithm_example.py b/examples/test/keyrings/test_i_set_encryption_algorithm_example.py deleted file mode 100644 index e07316a42..000000000 --- a/examples/test/keyrings/test_i_set_encryption_algorithm_example.py +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. -# SPDX-License-Identifier: Apache-2.0 -"""Test suite for the Set Encryption Algorithm example for a Raw AES keyring.""" -import pytest - -from ...src.keyrings.set_encryption_algorithm_example import encrypt_and_decrypt_with_keyring - -pytestmark = [pytest.mark.examples] - - -def test_encrypt_and_decrypt_with_keyring(): - """Test function for setting an encryption algorithm in a Raw AES Keyring.""" - encrypt_and_decrypt_with_keyring() diff --git a/examples/test/keyrings/test_i_set_encryption_algorithm_suite_example.py b/examples/test/keyrings/test_i_set_encryption_algorithm_suite_example.py new file mode 100644 index 000000000..7e3c1f572 --- /dev/null +++ b/examples/test/keyrings/test_i_set_encryption_algorithm_suite_example.py 
@@ -0,0 +1,13 @@ +# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +"""Test suite for the Set Encryption Algorithm Suite example for a Raw AES keyring.""" +import pytest + +from ...src.keyrings.set_encryption_algorithm_suite_example import encrypt_and_decrypt_with_keyring + +pytestmark = [pytest.mark.examples] + + +def test_encrypt_and_decrypt_with_keyring(): + """Test function for setting an encryption algorithm suite in a Raw AES Keyring.""" + encrypt_and_decrypt_with_keyring() From 6ff24fda92c4e181d2ef5d1d7906c64319e83513 Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Tue, 7 May 2024 14:05:49 -0700 Subject: [PATCH 14/16] fix isort --- examples/src/keyrings/set_encryption_algorithm_suite_example.py | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/src/keyrings/set_encryption_algorithm_suite_example.py b/examples/src/keyrings/set_encryption_algorithm_suite_example.py index 77b17da1c..53f62818b 100644 --- a/examples/src/keyrings/set_encryption_algorithm_suite_example.py +++ b/examples/src/keyrings/set_encryption_algorithm_suite_example.py @@ -39,7 +39,6 @@ https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-raw-aes-keyring.html """ import secrets - import sys from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders From 23246f6fec40a33171b3f217c0da8a2b496ea81d Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Tue, 7 May 2024 14:51:19 -0700 Subject: [PATCH 15/16] fix --- .../src/keyrings/set_encryption_algorithm_suite_example.py | 6 +++--- .../test_i_set_encryption_algorithm_suite_example.py | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/src/keyrings/set_encryption_algorithm_suite_example.py b/examples/src/keyrings/set_encryption_algorithm_suite_example.py index 53f62818b..c14eb4bb3 100644 --- a/examples/src/keyrings/set_encryption_algorithm_suite_example.py 
+++ b/examples/src/keyrings/set_encryption_algorithm_suite_example.py @@ -8,7 +8,7 @@ data using the data key. By setting this algorithm, you can configure the algorithm used to encrypt and decrypt your data. -Encryption algorithms can be set in a similar manner in other keyrings as well. However, +Algorithm suites can be set in a similar manner in other keyrings as well. However, please make sure that you're using a logical algorithm suite that is compatible with your keyring. For more information on algorithm suites supported by the AWS Encryption SDK, see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/supported-algorithms.html @@ -19,8 +19,8 @@ latter, which is the algorithm suite for protecting your data. When the commitment policy is REQUIRE_ENCRYPT_REQUIRE_DECRYPT, the default algorithm used in the encrypt method is AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384, which is a committing and signing algorithm. -Signature verification is extremely useful to ensure the integrity of a digital message as it goes -between systems. However, signature verification adds a significant performance cost to encryption +Signature verification ensures the integrity of a digital message as it goes across trust +boundaries. However, signature verification adds a significant performance cost to encryption and decryption. If encryptors and decryptors are equally trusted, we can consider using an algorithm suite that does not include signing. This example sets the algorithm suite as AES_256_GCM_HKDF_SHA512_COMMIT_KEY, which is a committing but non-signing algorithm. diff --git a/examples/test/keyrings/test_i_set_encryption_algorithm_suite_example.py b/examples/test/keyrings/test_i_set_encryption_algorithm_suite_example.py index 7e3c1f572..0703bc961 100644 --- a/examples/test/keyrings/test_i_set_encryption_algorithm_suite_example.py +++ b/examples/test/keyrings/test_i_set_encryption_algorithm_suite_example.py 
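Review bot: The final wording still offers "if encryptors and decryptors are equally trusted" as the only criterion for dropping the signature, without stating what the signature buys, so a reader cannot actually apply the criterion. Without the ECDSA signature, any party able to decrypt a message can also produce one that is indistinguishable from the legitimate encryptor's; with a Raw AES keyring every decryptor already holds the wrapping key bytes, so as far as I can tell the non-signing suite changes little there, whereas with a keyring whose encrypt and decrypt rights can be granted separately the signature is what prevents a decrypt-only principal from forging messages. I would add after the "equally trusted" sentence: `Without a signature, anyone who can decrypt a message can also forge one; drop signing only when every decryptor is also trusted to encrypt.`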
@@ -1,6 +1,6 @@ # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -"""Test suite for the Set Encryption Algorithm Suite example for a Raw AES keyring.""" +"""Test suite for the Set Algorithm Suite example for a Raw AES keyring.""" import pytest from ...src.keyrings.set_encryption_algorithm_suite_example import encrypt_and_decrypt_with_keyring @@ -9,5 +9,5 @@ def test_encrypt_and_decrypt_with_keyring(): - """Test function for setting an encryption algorithm suite in a Raw AES Keyring.""" + """Test function for setting an algorithm suite in a Raw AES Keyring.""" encrypt_and_decrypt_with_keyring() From a9065e016228931322b99595a8445b045d42b967 Mon Sep 17 00:00:00 2001 From: Ritvik Kapila Date: Tue, 7 May 2024 14:53:47 -0700 Subject: [PATCH 16/16] m --- examples/src/keyrings/file_streaming_example.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/src/keyrings/file_streaming_example.py b/examples/src/keyrings/file_streaming_example.py index cc3cb0ca6..b7352ba0e 100644 --- a/examples/src/keyrings/file_streaming_example.py +++ b/examples/src/keyrings/file_streaming_example.py @@ -6,7 +6,7 @@ File streaming is useful when the plaintext or ciphertext file/data is too large to load into memory. Therefore, the AWS Encryption SDK allows users to stream the data, instead of loading it all at once in memory. In this example, we demonstrate file streaming for encryption and decryption -using a Raw AES keyring. However, you can use any keyring for encryption/decryption with streaming. +using a Raw AES keyring. However, you can use any keyring with streaming. This example creates a Raw AES Keyring and then encrypts an input stream from the file `plaintext_filename` with an encryption context to an output (encrypted) file `ciphertext_filename`.