Base keyrings

examples/src/sample_aes.py

@@ -0,0 +1,78 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Functional tests for Raw AES keyring encryption decryption path."""
+
+import pytest
+
+from aws_encryption_sdk.identifiers import Algorithm, WrappingAlgorithm
+from aws_encryption_sdk.keyring.raw_keyring import RawAESKeyring
+from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials
+
+pytestmark = [pytest.mark.functional, pytest.mark.local]
+
+_ENCRYPTION_CONTEXT = {"key_a": "value_a", "key_b": "value_b", "key_c": "value_c"}
+_PROVIDER_ID = "Random Raw Keys"
+_KEY_ID = b"5325b043-5843-4629-869c-64794af77ada"
+_WRAPPING_KEY = b"12345678901234567890123456789012"
+_SIGNING_KEY = b"aws-crypto-public-key"
+
+_ENCRYPTION_MATERIALS = EncryptionMaterials(
+        algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384,
+        encryption_context=_ENCRYPTION_CONTEXT,
+        signing_key=_SIGNING_KEY,
+    )
+
+
+def sample_aes_encryption_decryption():
+
+    # Initializing attributes
+    key_namespace = _PROVIDER_ID
+    key_name = _KEY_ID
+    _wrapping_algorithm = WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING
+
+    # Creating an instance of a raw AES keyring
+    fake_raw_aes_keyring = RawAESKeyring(
+        key_namespace=key_namespace,
+        key_name=key_name,
+        wrapping_key=_WRAPPING_KEY,
+        wrapping_algorithm=_wrapping_algorithm,
+    )
+
+    # Call on_encrypt function for the keyring
+    encryption_materials = fake_raw_aes_keyring.on_encrypt(encryption_materials=_ENCRYPTION_MATERIALS)
+
+    print("PLAINTEXT DATA KEY")
+    print(encryption_materials.data_encryption_key.data_key)
+
+    print("ENCRYPTED DATA KEY")
+    print(encryption_materials.encrypted_data_keys)
+
+    # Generate decryption materials
+    decryption_materials = DecryptionMaterials(
+        algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, verification_key=b"ex_verification_key"
+    )
+
+    # Call on_decrypt function for the keyring
+    decryption_materials = fake_raw_aes_keyring.on_decrypt(
+        decryption_materials=decryption_materials, encrypted_data_keys=encryption_materials.encrypted_data_keys
+    )
+
+    print("DECRYPTED DATA KEY")
+    print(decryption_materials.data_encryption_key.data_key)
+
+    if decryption_materials.data_encryption_key:
+        # Check if the data keys match
+        assert encryption_materials.data_encryption_key == decryption_materials.data_encryption_key
+
+
+sample_aes_encryption_decryption()

requirements.txt

@@ -1,3 +1,4 @@
+six
 boto3>=1.4.4
 cryptography>=1.8.1
 attrs>=19.1.0

src/aws_encryption_sdk/keyring/__init__.py

@@ -0,0 +1,13 @@
+# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""All provided Keyrings."""

src/aws_encryption_sdk/materials_managers/__init__.py

@@ -191,7 +191,7 @@ class EncryptionMaterials(CryptographicMaterials):
         Most parameters are now optional.
 
     :param Algorithm algorithm: Algorithm to use for encrypting message
-    :param DataKey data_encryption_key: Plaintext data key to use for encrypting message (optional)
+    :param RawDataKey data_encryption_key: Plaintext data key to use for encrypting message (optional)
     :param encrypted_data_keys: List of encrypted data keys (optional)
     :type encrypted_data_keys: list of :class:`EncryptedDataKey`
     :param dict encryption_context: Encryption context tied to `encrypted_data_keys`
@@ -370,7 +370,7 @@ class DecryptionMaterials(CryptographicMaterials):
         All parameters are now optional.
 
     :param Algorithm algorithm: Algorithm to use for encrypting message (optional)
-    :param DataKey data_encryption_key: Plaintext data key to use for encrypting message (optional)
+    :param RawDataKey data_encryption_key: Plaintext data key to use for encrypting message (optional)
     :param dict encryption_context: Encryption context tied to `encrypted_data_keys` (optional)
     :param bytes verification_key: Raw signature verification key (optional)
     :param keyring_trace: Any KeyRing trace entries (optional)

test/unit/test_keyring_base.py

@@ -0,0 +1,73 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Unit tests for base keyring."""
+
+import pytest
+import six
+
+from aws_encryption_sdk.identifiers import Algorithm
+from aws_encryption_sdk.keyring.base import EncryptedDataKey, Keyring
+from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials
+from aws_encryption_sdk.structures import MasterKeyInfo
+
+try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
+    from typing import Iterable  # noqa pylint: disable=unused-import
+except ImportError:  # pragma: no cover
+    # We only actually need these imports when running the mypy checks
+    pass
+
+pytestmark = [pytest.mark.unit, pytest.mark.local]
+
+_encryption_materials = EncryptionMaterials(
+    algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384,
+    encryption_context={"encryption": "context", "values": "here"},
+    signing_key=b"aws-crypto-public-key",
+)
+
+_decryption_materials = DecryptionMaterials(
+    algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, verification_key=b"ex_verification_key"
+)
+
+_encrypted_data_keys = [
+    EncryptedDataKey(
+        key_provider=MasterKeyInfo(provider_id="Random Raw Keys", key_info=b"5325b043-5843-4629-869c-64794af77ada"),
+        encrypted_data_key=six.b(
+            "\n \x8b\xc6\xfd\x91\xc7\xd5\xdc+S\x15n\xd9P\x99n\x1d\xb2\xdd\x15\xeaW"
+            "\xc3\x13k2\xf6\x02\xd0\x0f\x85\xec\x9e\x12\xa7\x01\x01\x01\x01\x00x"
+            "\x8b\xc6\xfd\x91\xc7\xd5\xdc+S\x15n\xd9P\x99n\x1d\xb2\xdd\x15\xeaW"
+            "\xc3\x13k2\xf6\x02\xd0\x0f\x85\xec\x9e\x00\x00\x00~0|\x06\t*\x86H"
+            "\x86\xf7\r\x01\x07\x06\xa0o0m\x02\x01\x000h\x06\t*\x86H\x86\xf7\r"
+            "\x01\x07\x010\x1e\x06\t`\x86H\x01e\x03\x04\x01.0\x11\x04\x0c\xc9rP"
+            "\xa1\x08t6{\xf2\xfd\xf1\xb3\x02\x01\x10\x80;D\xa4\xed`qP~c\x0f\xa0d"
+            "\xd5\xa2Kj\xc7\xb2\xc6\x1e\xec\xfb\x0fK\xb2*\xd5\t2\x81pR\xee\xd1"
+            '\x1a\xde<"\x1b\x98\x88\x8b\xf4&\xdaB\x95I\xd2\xff\x10\x13\xfc\x1aX'
+            "\x08,/\x8b\x8b"
+        ),
+    )
+]
+
+
+def test_keyring_no_encrypt():
+    class KeyringNoEncrypt(Keyring):
+        def on_decrypt(self, _decryption_materials, _encrypted_data_keys):
+            return
+
+    assert pytest.raises(NotImplementedError)
+
+
+def test_keyring_no_decrypt():
+    class KeyringNoDecrypt(Keyring):
+        def on_encrypt(self, _encryption_materials):
+            return
+
+    assert pytest.raises(NotImplementedError)

test/unit/test_utils.py

@@ -21,11 +21,19 @@
 import aws_encryption_sdk.internal.utils
 from aws_encryption_sdk.exceptions import InvalidDataKeyError, SerializationError, UnknownIdentityError
 from aws_encryption_sdk.internal.defaults import MAX_FRAME_SIZE, MESSAGE_ID_LENGTH
+from aws_encryption_sdk.materials_managers import EncryptionMaterials, DecryptionMaterials, EncryptedDataKey
 from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, MasterKeyInfo, RawDataKey
+from aws_encryption_sdk.keyring.raw_keyring import RawRSAKeyring, RawAESKeyring
 
 from .test_values import VALUES
 from .unit_test_utils import assert_prepped_stream_identity
 
+try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
+    from typing import Iterable, Union  # noqa pylint: disable=unused-import
+except ImportError:  # pragma: no cover
+    # We only actually need these imports when running the mypy checks
+    pass
+
 pytestmark = [pytest.mark.unit, pytest.mark.local]
 
 
@@ -42,6 +50,24 @@ def test_prep_stream_data_wrap(source):
     assert_prepped_stream_identity(test, io.BytesIO)
 
 
+class NullRawRSAKeyring(RawRSAKeyring):
+    def on_encrypt(self, encryption_materials):
+        # type: (EncryptionMaterials) -> EncryptionMaterials
+        return encryption_materials
+
+    def on_decrypt(self, decryption_materials, encrypted_data_keys):
+        # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials
+        return decryption_materials
+
+
+class NullRawAESKeyring(RawAESKeyring):
+    def on_encrypt(self):
+        return
+
+    def on_decrypt(self):
+        return
+
+
 class TestUtils(object):
     @pytest.fixture(autouse=True)
     def apply_fixtures(self):
@@ -265,3 +291,4 @@ def test_source_data_key_length_check_invalid(self):
                 source_data_key=mock_data_key, algorithm=mock_algorithm
             )
         excinfo.match("Invalid Source Data Key length 4 for algorithm required: 5")
+

test/unit/test_values.py

@@ -187,6 +187,54 @@ def array_byte(source):
         "\xff\x8fn\x95\xf0\xf0E\x91Uj\xb0E3=\x0e\x1a\xf1'4\xf6"
     ),
     "signature_len": b"\x00h",
+    "private_rsa_key_bytes": [
+        (
+            b"-----BEGIN RSA PRIVATE KEY-----"b"MIICXgIBAAKBgQCUjhI8YRPXV8Gfofbg/"
+            b"PLjWw2AzowQTPErLU2z3+xGqElMdzdiC4Ta43DFWZg34Eg0X8kQPAeoe8h3cRSMo"
+            b"77eSOHt2dPo7OfTfZqsH8766fivHIKVxBYPX8SZYIUhMtRnlg3uqch9BksfRop+h"
+            b"f8h/H3lfervJoevS2CXYB9/iwIDAQABAoGBAIqeGzQOHbaGI51yQ2zjez1dPDdiB"
+            b"F49fZideHEM1GuGIodgguRQ/VJGgncUSC5zcMy2SGaGrVqwznltohAtxy4rZp0eh"
+            b"2O3aHYi9Wehd0SPLh+qwu7mJDuh0z15hmCOue070FnUtyuSwhXLwDrbot2+5HbmF"
+            b"9clJLI5tv92gvIpAkEA+Bv5i8XJNPN1rao31aQFoi9bFIOEclk3b1RbLX6mpZBFS"
+            b"U9CNUy0RQNC0+H3KZ5CTvsyFGpMfTdiFc/Qdesk3QJBAJlHjrvoadP+PU3zXYrWR"
+            b"D5EryyTxaP1bOjrp9xLuQBeU8x7EVJdpoul9OmwcT3NrAqvxDE9okjha2tjCI6O2"
+            b"4cCQQDMyOJPYL/zaaPO5LlTKB/SPv4RT4BplYPw6xKa2XeZHhxiJv5B2f7NG6T0G"
+            b"AWWn16hrCoouZhKngTidfXc7motAkA/KiTgvKr3yHp86AAxWZDv1CAYD6FPqrDB3"
+            b"3LiLnZDd5uy1ThTJ/Kc87vUnXhdDqeKE9qWrB53SCWbMElzbd17AkEA4DMp+6ngM"
+            b"o6sS0dY1X6nTLqgvK3B0z5GCAdSEy3Y8jh995Lrl+hy88HzuwUkQwwPlZkFhUNCx"
+            b"edrC6cTKE5xLA=="
+            b"-----END RSA PRIVATE KEY-----"
+        ),
+        (
+            b"-----BEGIN RSA PRIVATE KEY-----\n"
+            b"MIIEowIBAAKCAQEAo8uCyhiO4JUGZV+rtNq5DBA9Lm4xkw5kTA3v6EPybs8bVXL2\n"
+            b"ZE6jkbo+xT4Jg/bKzUpnp1fE+T1ruGPtsPdoEmhY/P64LDNIs3sRq5U4QV9IETU1\n"
+            b"vIcbNNkgGhRjV8J87YNY0tV0H7tuWuZRpqnS+gjV6V9lUMkbvjMCc5IBqQc3heut\n"
+            b"/+fH4JwpGlGxOVXI8QAapnSy1XpCr3+PT29kydVJnIMuAoFrurojRpOQbOuVvhtA\n"
+            b"gARhst1Ji4nfROGYkj6eZhvkz2Bkud4/+3lGvVU5LO1vD8oY7WoGtpin3h50VcWe\n"
+            b"aBT4kejx4s9/G9C4R24lTH09J9HO2UUsuCqZYQIDAQABAoIBAQCfC90bCk+qaWqF\n"
+            b"gymC+qOWwCn4bM28gswHQb1D5r6AtKBRD8mKywVvWs7azguFVV3Fi8sspkBA2FBC\n"
+            b"At5p6ULoJOTL/TauzLl6djVJTCMM701WUDm2r+ZOIctXJ5bzP4n5Q4I7b0NMEL7u\n"
+            b"ixib4elYGr5D1vrVQAKtZHCr8gmkqyx8Mz7wkJepzBP9EeVzETCHsmiQDd5WYlO1\n"
+            b"C2IQYgw6MJzgM4entJ0V/GPytkodblGY95ORVK7ZhyNtda+r5BZ6/jeMW+hA3VoK\n"
+            b"tHSWjHt06ueVCCieZIATmYzBNt+zEz5UA2l7ksg3eWfVORJQS7a6Ef4VvbJLM9Ca\n"
+            b"m1kdsjelAoGBANKgvRf39i3bSuvm5VoyJuqinSb/23IH3Zo7XOZ5G164vh49E9Cq\n"
+            b"dOXXVxox74ppj/kbGUoOk+AvaB48zzfzNvac0a7lRHExykPH2kVrI/NwH/1OcT/x\n"
+            b"2e2DnFYocXcb4gbdZQ+m6X3zkxOYcONRzPVW1uMrFTWHcJveMUm4PGx7AoGBAMcU\n"
+            b"IRvrT6ye5se0s27gHnPweV+3xjsNtXZcK82N7duXyHmNjxrwOAv0SOhUmTkRXArM\n"
+            b"6aN5D8vyZBSWma2TgUKwpQYFTI+4Sp7sdkkyojGAEixJ+c5TZJNxZFrUe0FwAoic\n"
+            b"c2kb7ntaiEj5G+qHvykJJro5hy6uLnjiMVbAiJDTAoGAKb67241EmHAXGEwp9sdr\n"
+            b"2SMjnIAnQSF39UKAthkYqJxa6elXDQtLoeYdGE7/V+J2K3wIdhoPiuY6b4vD0iX9\n"
+            b"JcGM+WntN7YTjX2FsC588JmvbWfnoDHR7HYiPR1E58N597xXdFOzgUgORVr4PMWQ\n"
+            b"pqtwaZO3X2WZlvrhr+e46hMCgYBfdIdrm6jYXFjL6RkgUNZJQUTxYGzsY+ZemlNm\n"
+            b"fGdQo7a8kePMRuKY2MkcnXPaqTg49YgRmjq4z8CtHokRcWjJUWnPOTs8rmEZUshk\n"
+            b"0KJ0mbQdCFt/Uv0mtXgpFTkEZ3DPkDTGcV4oR4CRfOCl0/EU/A5VvL/U4i/mRo7h\n"
+            b"ye+xgQKBgD58b+9z+PR5LAJm1tZHIwb4tnyczP28PzwknxFd2qylR4ZNgvAUqGtU\n"
+            b"xvpUDpzMioz6zUH9YV43YNtt+5Xnzkqj+u9Mr27/H2v9XPwORGfwQ5XPwRJz/2oC\n"
+            b"EnPmP1SZoY9lXKUpQXHXSpDZ2rE2Klt3RHMUMHt8Zpy36E8Vwx8o\n"
+            b"-----END RSA PRIVATE KEY-----\n"
+        )
+    ]
 }
 VALUES["updated_encryption_context"] = copy.deepcopy(VALUES["encryption_context"])
 VALUES["updated_encryption_context"]["aws-crypto-public-key"] = VALUES["encoded_curve_point"]