From baf1164c13f5231f3532cc2b6e2b59f163357cca Mon Sep 17 00:00:00 2001
From: Caitlin Tibbetts
Date: Fri, 2 Aug 2019 11:49:05 -0700
Subject: [PATCH 1/4] Wrote example and test for using one kms cmk with an unsigned algorithm
---
 examples/src/one_kms_cmk_unsigned.py | 51 ++++++++++++++++++++
 examples/test/test_i_one_kms_cmk_unsigned.py | 29 +++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 examples/src/one_kms_cmk_unsigned.py
 create mode 100644 examples/test/test_i_one_kms_cmk_unsigned.py
diff --git a/examples/src/one_kms_cmk_unsigned.py b/examples/src/one_kms_cmk_unsigned.py
new file mode 100644
index 000000000..235a8ac06
--- /dev/null
+++ b/examples/src/one_kms_cmk_unsigned.py
@@ -0,0 +1,51 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Example showing basic encryption and decryption of a value already in memory
+using one KMS CMK with an unsigned algorithm.
+"""
+import aws_encryption_sdk
+from aws_encryption_sdk.identifiers import Algorithm
+
+
+def encrypt_decrypt(key_arn, source_plaintext, botocore_session=None):
+ """Encrypts and then decrypts a string under one KMS customer master key (CMK) with an unsigned algorithm.
+
+ :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK
+ :param bytes source_plaintext: Data to encrypt
+ :param botocore_session: existing botocore session instance
+ :type botocore_session: botocore.session.Session
+ """
+ kwargs = dict(key_ids=[key_arn])
+
+ if botocore_session is not None:
+ kwargs["botocore_session"] = botocore_session
+
+ # Create master key provider using the ARN of the key and the session (botocore_session)
+ kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs)
+
+ # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header
+ ciphertext, encrypted_message_header = aws_encryption_sdk.encrypt(
+ algorithm=Algorithm.AES_256_GCM_IV12_TAG16, source=source_plaintext, key_provider=kms_key_provider
+ )
+
+ # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header
+ plaintext, decrypted_message_header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider)
+
+ # Check if the original message and the decrypted message are the same
+ assert source_plaintext == plaintext
+
+ # Check if the headers of the encrypted message and decrypted message match
+ assert all(
+ pair in encrypted_message_header.encryption_context.items()
+ for pair in decrypted_message_header.encryption_context.items()
+ )
diff --git a/examples/test/test_i_one_kms_cmk_unsigned.py b/examples/test/test_i_one_kms_cmk_unsigned.py
new file mode 100644
index 000000000..8a2758c96
--- /dev/null
+++ b/examples/test/test_i_one_kms_cmk_unsigned.py
@@ -0,0 +1,29 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Unit test suite for the encryption and decryption using one KMS CMK with an unsigned algorithm example."""
+
+import botocore.session
+import pytest
+
+from ..src.one_kms_cmk_unsigned import encrypt_decrypt
+from .examples_test_utils import get_cmk_arn
+from .examples_test_utils import static_plaintext
+
+
+pytestmark = [pytest.mark.examples]
+
+
+def test_one_kms_cmk_unsigned():
+ plaintext = static_plaintext
+ cmk_arn = get_cmk_arn()
+ encrypt_decrypt(key_arn=cmk_arn, source_plaintext=plaintext, botocore_session=botocore.session.Session())
From a7fcb4a01b6c14628eabcd1c18b9c4112c556b48 Mon Sep 17 00:00:00 2001
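Review bot: The header check that closes `encrypt_decrypt` is vacuous as written: `encrypt` is called without an `encryption_context`, so the two `encryption_context` mappings compared by the final `assert all(...)` hold only whatever the SDK adds on its own (nothing for an unsigned suite, as far as this hunk shows), and `all` over an empty iterable is True. Passing a small non-empty mapping via `encryption_context=...` on the `encrypt` call would make that assertion actually test something and would also show the additional authenticated data this suite binds to the ciphertext. The module docstring says "unsigned algorithm" without saying what is given up; `Algorithm.AES_256_GCM_IV12_TAG16` carries no ECDSA signature, so a successful `decrypt` only shows that the message came from something able to obtain the data key under this CMK (anyone with KMS Decrypt on it), not who produced it. A sentence to that effect in the docstring, e.g. `Unsigned suites omit the ECDSA signature, so decryption does not authenticate the producer of the message.`, would help readers choosing between suites.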
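Review bot: `test_one_kms_cmk_unsigned` asserts nothing itself; the only checks are the `assert` statements inside `encrypt_decrypt`, which disappear when the example module is run under `python -O`, leaving the test to pass on "did not raise" alone. Having the example return the round-tripped `plaintext` and asserting `encrypt_decrypt(...) == plaintext` in the test would let the test own its assertion. The test function also has no docstring; `"""Round-trip static_plaintext through one KMS CMK with an unsigned suite (needs a live CMK from get_cmk_arn)."""` would document what the `examples` marker implies.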
From: Caitlin Tibbetts
Date: Tue, 6 Aug 2019 14:45:05 -0700
Subject: [PATCH 2/4] Update one_kms_cmk_unsigned.py
---
 examples/src/one_kms_cmk_unsigned.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/examples/src/one_kms_cmk_unsigned.py b/examples/src/one_kms_cmk_unsigned.py
index 235a8ac06..4c4e737bd 100644
--- a/examples/src/one_kms_cmk_unsigned.py
+++ b/examples/src/one_kms_cmk_unsigned.py
@@ -14,6 +14,7 @@
 using one KMS CMK with an unsigned algorithm.
 """
 import aws_encryption_sdk
+from aws_encryption_sdk import encrypt, decrypt
 from aws_encryption_sdk.identifiers import Algorithm
 
 
@@ -34,12 +35,12 @@ def encrypt_decrypt(key_arn, source_plaintext, botocore_session=None):
 kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs)
 
 # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header
- ciphertext, encrypted_message_header = aws_encryption_sdk.encrypt(
+ ciphertext, encrypted_message_header = encrypt(
 algorithm=Algorithm.AES_256_GCM_IV12_TAG16, source=source_plaintext, key_provider=kms_key_provider
 )
 
 # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header
- plaintext, decrypted_message_header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider)
+ plaintext, decrypted_message_header = decrypt(source=ciphertext, key_provider=kms_key_provider)
 
 # Check if the original message and the decrypted message are the same
 assert source_plaintext == plaintext
From 862734a027059dd34d16e89d76e8b85b66aa0653 Mon Sep 17 00:00:00 2001
From: Caitlin Tibbetts
Date: Tue, 6 Aug 2019 14:45:27 -0700
Subject: [PATCH 3/4] Update examples/src/one_kms_cmk_unsigned.py
Co-Authored-By: Matt Bullock
---
 examples/src/one_kms_cmk_unsigned.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/src/one_kms_cmk_unsigned.py b/examples/src/one_kms_cmk_unsigned.py
index 4c4e737bd..1b7a24533 100644
--- a/examples/src/one_kms_cmk_unsigned.py
+++ b/examples/src/one_kms_cmk_unsigned.py
@@ -36,7 +36,7 @@ def encrypt_decrypt(key_arn, source_plaintext, botocore_session=None):
 
 # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header
 ciphertext, encrypted_message_header = encrypt(
- algorithm=Algorithm.AES_256_GCM_IV12_TAG16, source=source_plaintext, key_provider=kms_key_provider
+ algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA256, source=source_plaintext, key_provider=kms_key_provider
 )
 
 # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header
From 4def8ba64a4ac9ce692dab4a30b7a6aca1ab6b30 Mon Sep 17 00:00:00 2001
From: Caitlin Tibbetts
Date: Wed, 7 Aug 2019 09:40:14 -0700
Subject: [PATCH 4/4] isort-check now succeeds
---
 examples/src/one_kms_cmk_unsigned.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/examples/src/one_kms_cmk_unsigned.py b/examples/src/one_kms_cmk_unsigned.py
index 1b7a24533..df2f4373d 100644
--- a/examples/src/one_kms_cmk_unsigned.py
+++ b/examples/src/one_kms_cmk_unsigned.py
@@ -13,8 +13,7 @@
 """Example showing basic encryption and decryption of a value already in memory
 using one KMS CMK with an unsigned algorithm.
 """
-import aws_encryption_sdk
-from aws_encryption_sdk import encrypt, decrypt
+from aws_encryption_sdk import KMSMasterKeyProvider, decrypt, encrypt
 from aws_encryption_sdk.identifiers import Algorithm
 
 
@@ -32,7 +31,7 @@ def encrypt_decrypt(key_arn, source_plaintext, botocore_session=None):
 kwargs["botocore_session"] = botocore_session
 
 # Create master key provider using the ARN of the key and the session (botocore_session)
- kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs)
+ kms_key_provider = KMSMasterKeyProvider(**kwargs)
 
 # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header
 ciphertext, encrypted_message_header = encrypt(
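Review bot: The switch to `Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA256` on the `algorithm=` line is undocumented; the comment above the call still reads as a generic "Encrypt the plaintext", and nothing tells a reader why this suite replaces `AES_256_GCM_IV12_TAG16` or what "unsigned" costs them. The difference the example is meant to show is that this suite derives the content-encryption key from the data key with HKDF-SHA256 rather than using the data key directly, while still omitting the ECDSA signature that the signed suites add. A comment on the `algorithm=` line would carry that: `# Unsigned suite: HKDF-SHA256 derives the content key from the data key; no ECDSA signature, so decrypt does not authenticate the producer`. `encrypt_decrypt` begins outside this hunk.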