From 82691fc356775a49ad1fddca1ab2c24258e91212 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 23 Oct 2024 15:07:32 -0700 Subject: [PATCH 1/8] chore: Update changelog, bump version --- CHANGELOG.rst | 21 +++++++++++++++++++++ src/aws_encryption_sdk/identifiers.py | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 609b58c73..8cfe687dc 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,27 @@ Changelog ********* +4.0.0 -- 2024-10-28 +=================== + +Features +-------- +* Add support for constructs from the [AWS Cryptographic Material Providers Library (MPL)](https://github.com/aws/aws-cryptographic-material-providers-library). + The MPL contains new constructs for encrypting and decrypting your data. + We highly recommend installing the MPL. See [Installing](https://github.com/aws/aws-encryption-sdk-python/tree/master?tab=readme-ov-file#installation) for instructions. + +Breaking Changes +^^^^^^^^^^^^^^^^ +* Messages constructed with the MPL's Required Encryption Context Cryptographic Materials Manager ("required EC CMM") will not be readable from versions of the ESDK <4.0.0. + The MPL introduces the "required EC CMM" as a new construct for protecting your data. + It requires that, for a specified set of encryption context keys, a decryptor must supply the same encryption context pairs that were used to encrypt the message. + No version of ESDK < 4.0.0 supports reading messages encrypted with the required EC CMM. + A message that is encrypted with the required EC CMM must be decrypted with a CMM from the MPL. + +Fixes +----------- +* fix: MKPs attempt to decrypt with remaining keys if a preceding raw RSA key failed to decrypt (#707 (https://github.com/aws/aws-encryption-sdk-python/pull/707)) + 3.3.0 -- 2024-05-20 =================== diff --git a/src/aws_encryption_sdk/identifiers.py b/src/aws_encryption_sdk/identifiers.py index a06030889..3e5a9940b 100644 
--- a/src/aws_encryption_sdk/identifiers.py +++ b/src/aws_encryption_sdk/identifiers.py @@ -17,7 +17,7 @@ # We only actually need these imports when running the mypy checks pass -__version__ = "3.3.0" +__version__ = "4.0.0" USER_AGENT_SUFFIX = "AwsEncryptionSdkPython/{}".format(__version__) From 15afdae4e5eee57512e1a0b5b5972d16cd0049c2 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 23 Oct 2024 15:51:05 -0700 Subject: [PATCH 2/8] m --- CHANGELOG.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 8cfe687dc..0879dddf1 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -15,9 +15,9 @@ Breaking Changes ^^^^^^^^^^^^^^^^ * Messages constructed with the MPL's Required Encryption Context Cryptographic Materials Manager ("required EC CMM") will not be readable from versions of the ESDK <4.0.0. The MPL introduces the "required EC CMM" as a new construct for protecting your data. - It requires that, for a specified set of encryption context keys, a decryptor must supply the same encryption context pairs that were used to encrypt the message. + It requires that, for a specified set of encryption context keys, a decryptor must supply the same encryption context pairs that were used when encrypting the message. No version of ESDK < 4.0.0 supports reading messages encrypted with the required EC CMM. - A message that is encrypted with the required EC CMM must be decrypted with a CMM from the MPL. + A message that is encrypted with the required EC CMM from the MPL must be decrypted with a CMM from the MPL. Fixes ----------- From 3cd979495f5bb1f719087dad35d3ca465648b2df Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 23 Oct 2024 15:53:44 -0700 Subject: [PATCH 3/8] rst --- CHANGELOG.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0879dddf1..f1b943785 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -7,9 +7,9 @@ Changelog Features -------- -* Add support for constructs from the [AWS Cryptographic Material Providers Library (MPL)](https://github.com/aws/aws-cryptographic-material-providers-library). +* Add support for constructs from the `AWS Cryptographic Material Providers Library (MPL) `_. The MPL contains new constructs for encrypting and decrypting your data. - We highly recommend installing the MPL. See [Installing](https://github.com/aws/aws-encryption-sdk-python/tree/master?tab=readme-ov-file#installation) for instructions. + We highly recommend installing the MPL. See `Installing `_ for instructions. Breaking Changes ^^^^^^^^^^^^^^^^ @@ -21,7 +21,8 @@ Breaking Changes Fixes ----------- -* fix: MKPs attempt to decrypt with remaining keys if a preceding raw RSA key failed to decrypt (#707 (https://github.com/aws/aws-encryption-sdk-python/pull/707)) +* fix: MKPs attempt to decrypt with remaining keys if a preceding raw RSA key failed to decrypt + `#707 `_ 3.3.0 -- 2024-05-20 =================== From edb7c2565077f108bef1221956cb456929b4b69c Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Wed, 23 Oct 2024 15:55:58 -0700 Subject: [PATCH 4/8] rst --- CHANGELOG.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f1b943785..d013dfe82 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -13,9 +13,11 @@ Features Breaking Changes ^^^^^^^^^^^^^^^^ -* Messages constructed with the MPL's Required Encryption Context Cryptographic Materials Manager ("required EC CMM") will not be readable from versions of the ESDK <4.0.0. +* Messages constructed with the MPL's Required Encryption Context Cryptographic Materials Manager ("required EC CMM") + will not be readable from versions of the ESDK <4.0.0. The MPL introduces the "required EC CMM" as a new construct for protecting your data. - It requires that, for a specified set of encryption context keys, a decryptor must supply the same encryption context pairs that were used when encrypting the message. + It requires that, for a specified set of encryption context keys, + a decryptor must supply the same encryption context pairs that were used when encrypting the message. No version of ESDK < 4.0.0 supports reading messages encrypted with the required EC CMM. A message that is encrypted with the required EC CMM from the MPL must be decrypted with a CMM from the MPL. From 93d53c6e18b9e68596dcf9cba6ba445dd167888f Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 28 Oct 2024 09:25:32 -0700 Subject: [PATCH 5/8] update --- CHANGELOG.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index d013dfe82..46d576424 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -13,11 +13,13 @@ Features Breaking Changes ^^^^^^^^^^^^^^^^ -* Messages constructed with the MPL's Required Encryption Context Cryptographic Materials Manager ("required EC CMM") - will not be readable from versions of the ESDK <4.0.0. - The MPL introduces the "required EC CMM" as a new construct for protecting your data. - It requires that, for a specified set of encryption context keys, - a decryptor must supply the same encryption context pairs that were used when encrypting the message. +* The MPL introduces the Required Encryption Context Cryptographic Materials Manager + ("required EC CMM") as a new construct for protecting your data. + On encrypt, the required EC CMM will use specific configured encryption context key-value pairs to calculate the message signature, + but will not store those pairs in the ESDK message. + On decrypt, decryptors must supply these same pairs that were used when encrypting the message. + All messages that have been encrypted with versions of the ESDK <4.0.0 are forward compatible with this change. + However, messages that are constructed with the required EC CMM are not backward compatbile with ESDK <4.0.0. No version of ESDK < 4.0.0 supports reading messages encrypted with the required EC CMM. A message that is encrypted with the required EC CMM from the MPL must be decrypted with a CMM from the MPL. From e725659e8ca80f5b8f05373ef0ea6ab0041458d5 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 28 Oct 2024 09:26:33 -0700 Subject: [PATCH 6/8] update --- CHANGELOG.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 46d576424..1acbc7f84 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -19,8 +19,8 @@ Breaking Changes but will not store those pairs in the ESDK message. On decrypt, decryptors must supply these same pairs that were used when encrypting the message. All messages that have been encrypted with versions of the ESDK <4.0.0 are forward compatible with this change. - However, messages that are constructed with the required EC CMM are not backward compatbile with ESDK <4.0.0. - No version of ESDK < 4.0.0 supports reading messages encrypted with the required EC CMM. + However, messages that are constructed with the required EC CMM are not backward compatbile with ESDK <4.0.0, + as no version of ESDK <4.0.0 supports reading messages encrypted with the required EC CMM. A message that is encrypted with the required EC CMM from the MPL must be decrypted with a CMM from the MPL. Fixes From ae31b75d256d625eba4483bb499fa5108532a935 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 28 Oct 2024 09:26:58 -0700 Subject: [PATCH 7/8] update --- CHANGELOG.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1acbc7f84..c5a183bc3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,7 +2,7 @@ Changelog ********* -4.0.0 -- 2024-10-28 +4.0.0 -- 2024-10-29 =================== Features From 397cc2b3f5787e0d066ebc4bb3178a2adc8b8774 Mon Sep 17 00:00:00 2001 From: Lucas McDonald Date: Mon, 28 Oct 2024 09:42:38 -0700 Subject: [PATCH 8/8] update --- CHANGELOG.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c5a183bc3..56cba75a2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -15,11 +15,12 @@ Breaking Changes ^^^^^^^^^^^^^^^^ * The MPL introduces the Required Encryption Context Cryptographic Materials Manager ("required EC CMM") as a new construct for protecting your data. - On encrypt, the required EC CMM will use specific configured encryption context key-value pairs to calculate the message signature, + On encrypt, the required EC CMM will use specific configured + encryption context key-value pairs to calculate the message signature, but will not store those pairs in the ESDK message. On decrypt, decryptors must supply these same pairs that were used when encrypting the message. All messages that have been encrypted with versions of the ESDK <4.0.0 are forward compatible with this change. - However, messages that are constructed with the required EC CMM are not backward compatbile with ESDK <4.0.0, + However, messages that are constructed with the required EC CMM are not backward compatible with ESDK <4.0.0, as no version of ESDK <4.0.0 supports reading messages encrypted with the required EC CMM. A message that is encrypted with the required EC CMM from the MPL must be decrypted with a CMM from the MPL.
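
Review bot: in [PATCH 1/8], CHANGELOG.rst hunk, "Breaking Changes" is underlined with `^^^^^^^^^^^^^^^^` directly below the "Features" section (underlined `--------`), so it renders as a subsection of Features, while "Fixes" is a peer of Features with `-----------`. If a breaking change is meant to stand out in the 4.0.0 entry, give it the same `-` underline as the other two sections. The same hunk also adds Markdown links (`[Installing](https://...)`) to an RST file; these are only corrected in 3/8, so squashing 1/8 through 8/8 before merge would keep the broken intermediate state out of history.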
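
Review bot: in [PATCH 3/8], as the added lines read here, the three converted RST links carry no target: `AWS Cryptographic Material Providers Library (MPL) `_, `Installing `_ and `#707 `_ have nothing between the link text and the closing backquote. Confirm that each keeps the URL from the removed Markdown line inside angle brackets before the closing backquote, otherwise the changelog loses the install instructions link and the PR reference. The bullet under "Fixes" also still starts with the commit prefix `fix:`, which is redundant under that heading.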
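
Review bot: in [PATCH 5/8], the added line "messages that are constructed with the required EC CMM are not backward compatbile with ESDK <4.0.0" misspells "compatible"; 6/8 re-adds the line with the same typo and it is only fixed in 8/8. The rewrite in this hunk also leaves the unchanged sentence "No version of ESDK < 4.0.0 supports reading messages encrypted with the required EC CMM." directly after the new sentence that says the same thing, which 6/8 then has to merge. Both are further reasons to squash the series.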
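
Review bot: in [PATCH 8/8], the final "Breaking Changes" text states that required EC CMM messages are unreadable by ESDK <4.0.0 and must be decrypted with a CMM from the MPL, but it does not tell operators what to do about it. Consider adding one sentence on rollout order: every decryptor should be on ESDK 4.0.0 or later with the MPL installed before any encryptor is configured with the required EC CMM. Since the configured pairs are not stored in the message, it would also help to say that callers must keep those key-value pairs available on the decrypt side themselves.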