m

Author: ajewellamz

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/Cargo.toml

@@ -35,9 +35,17 @@ name = "main"
 [[bin]]
 name = "test_vector"
 path = "src/bin/test_vector/main.rs"
-required-features = ["test_vectors"]  # Only build binary when cli feature is enabled
+required-features = ["test_vectors"]  # Only build binary when test_vectors feature is enabled
+
+[package.metadata.docs.rs]
+features = ["test_vectors"]
+rustdoc-args = [
+    "--generate-link-to-definition",
+    "--generate-macro-expansion",
+]
 
 [features]
 # default = []
 default = ["test_vectors"]
 test_vectors = ["clap", "serde_json", "anyhow", "base64", "aws-sdk-kms",  "aws-config"]  # Users can enable with --features test_vectors
+fips = ["aws-mpl-primitives/fips"]

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/client_supplier/client_supplier_example.rs

@@ -16,7 +16,6 @@
 */
 
 use super::regional_role_client_supplier::RegionalRoleClientSupplier;
-use aws_esdk::Client as EsdkClient;
 use aws_esdk::*;
 use aws_mpl_rs::client as mpl_client;
 use aws_mpl_rs::types::DiscoveryFilter;
@@ -29,14 +28,6 @@ pub async fn encrypt_and_decrypt_with_keyring(
     aws_account_id: &str,
     aws_regions: Vec<String>,
 ) -> Result<(), crate::BoxError> {
-    // 1. Instantiate the encryption SDK client.
-    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
-    // which enforces that this client only encrypts using committing algorithm suites and enforces
-    // that this client will only decrypt encrypted messages that were created with a committing
-    // algorithm suite.
-    let esdk_config = AwsEncryptionSdkConfig::default();
-    let esdk_client = EsdkClient::from_conf(esdk_config)?;
-
     // 2. Create encryption context.
     // Remember that your encryption context is NOT SECRET.
     // For more information, see
@@ -84,7 +75,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
         .keyring(mrk_keyring_with_client_supplier)
         .encryption_context(&encryption_context)
         .build()?;
-    let encryption_response = esdk_client.encrypt(&encrypt_input).await?;
+    let encryption_response = encrypt(&encrypt_input).await?;
 
     let ciphertext = encryption_response.ciphertext;
 
@@ -134,7 +125,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
         // Provide the encryption context that was supplied to the encrypt method
         .encryption_context(&encryption_context)
         .build()?;
-    let decryption_response = esdk_client.decrypt(&decrypt_input).await?;
+    let decryption_response = decrypt(&decrypt_input).await?;
 
     let decrypted_plaintext = decryption_response.plaintext;
 

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/cryptographic_materials_manager/required_encryption_context/required_encryption_context_example.rs

@@ -8,7 +8,6 @@ on encrypt such that they will not be stored on the message, but WILL be include
 On decrypt, the client MUST supply the key/value pair(s) that were not stored to successfully decrypt the message.
 */
 
-use aws_esdk::Client as EsdkClient;
 use aws_esdk::*;
 use aws_mpl_rs::client as mpl_client;
 use aws_mpl_rs::types::material_providers_config::MaterialProvidersConfig;
@@ -18,14 +17,6 @@ pub async fn encrypt_and_decrypt_with_cmm(
     example_data: &str,
     kms_key_id: &str,
 ) -> Result<(), crate::BoxError> {
-    // 1. Instantiate the encryption SDK client.
-    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
-    // which enforces that this client only encrypts using committing algorithm suites and enforces
-    // that this client will only decrypt encrypted messages that were created with a committing
-    // algorithm suite.
-    let esdk_config = AwsEncryptionSdkConfig::default();
-    let esdk_client = EsdkClient::from_conf(esdk_config)?;
-
     // 2. Create a KMS client.
     let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
     let kms_client = aws_sdk_kms::Client::new(&sdk_config);
@@ -93,7 +84,7 @@ pub async fn encrypt_and_decrypt_with_cmm(
         .materials_manager(required_ec_cmm.clone())
         .encryption_context(&encryption_context)
         .build()?;
-    let encryption_response = esdk_client.encrypt(&encrypt_input).await?;
+    let encryption_response = encrypt(&encrypt_input).await?;
 
     let ciphertext = encryption_response.ciphertext;
 
@@ -111,7 +102,7 @@ pub async fn encrypt_and_decrypt_with_cmm(
         // Provide the encryption context that was supplied to the encrypt method
         .encryption_context(&encryption_context)
         .build()?;
-    let decryption_response = esdk_client.decrypt(&decrypt_input).await?;
+    let decryption_response = decrypt(&decrypt_input).await?;
 
     let decrypted_plaintext = decryption_response.plaintext;
 
@@ -126,8 +117,8 @@ pub async fn encrypt_and_decrypt_with_cmm(
     // you used on encrypt, but we won't pass the encryption context we DID NOT store on the message.
     // This will fail
     decrypt_input.materials_manager = Some(required_ec_cmm.clone());
-    decrypt_input.encryption_context = None;
-    let decryption_response_without_ec = esdk_client.decrypt(&decrypt_input).await;
+    decrypt_input.encryption_context = empty_ec();
+    let decryption_response_without_ec = decrypt(&decrypt_input).await;
 
     if decryption_response_without_ec.is_ok() {
         panic!(
@@ -144,9 +135,9 @@ pub async fn encrypt_and_decrypt_with_cmm(
     ]);
 
     decrypt_input.materials_manager = Some(required_ec_cmm);
-    decrypt_input.encryption_context = Some(&reproduced_encryption_context);
+    decrypt_input.encryption_context = &reproduced_encryption_context;
 
-    let decryption_response_with_reproduced_ec = esdk_client.decrypt(&decrypt_input).await?;
+    let decryption_response_with_reproduced_ec = decrypt(&decrypt_input).await?;
 
     let decrypted_plaintext_with_reproduced_ec = decryption_response_with_reproduced_ec.plaintext;
 
@@ -162,8 +153,8 @@ pub async fn encrypt_and_decrypt_with_cmm(
 
     // This will pass
     decrypt_input.materials_manager = Some(underlying_cmm);
-    decrypt_input.encryption_context = Some(&encryption_context);
-    let decryption_response_with_ec_underlying_cmm = esdk_client.decrypt(&decrypt_input).await?;
+    decrypt_input.encryption_context = &encryption_context;
+    let decryption_response_with_ec_underlying_cmm = decrypt(&decrypt_input).await?;
 
     let decrypted_plaintext_with_ec_underlying_cmm =
         decryption_response_with_ec_underlying_cmm.plaintext;
@@ -176,8 +167,8 @@ pub async fn encrypt_and_decrypt_with_cmm(
     );
 
     // This will fail
-    decrypt_input.encryption_context = None;
-    let decryption_response_without_ec_underlying_cmm = esdk_client.decrypt(&decrypt_input).await;
+    decrypt_input.encryption_context = empty_ec();
+    let decryption_response_without_ec_underlying_cmm = decrypt(&decrypt_input).await;
 
     if decryption_response_without_ec_underlying_cmm.is_ok() {
         panic!(

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/cryptographic_materials_manager/restrict_algorithm_suite/signing_only_example.rs

@@ -7,7 +7,6 @@
 */
 
 use super::signing_suite_only_cmm::SigningSuiteOnlyCMM;
-use aws_esdk::Client as EsdkClient;
 use aws_esdk::*;
 use aws_mpl_rs::client as mpl_client;
 use aws_mpl_rs::types::EsdkAlgorithmSuiteId;
@@ -18,14 +17,6 @@ pub async fn encrypt_and_decrypt_with_cmm(
     example_data: &str,
     kms_key_id: &str,
 ) -> Result<(), crate::BoxError> {
-    // 1. Instantiate the encryption SDK client.
-    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
-    // which enforces that this client only encrypts using committing algorithm suites and enforces
-    // that this client will only decrypt encrypted messages that were created with a committing
-    // algorithm suite.
-    let esdk_config = AwsEncryptionSdkConfig::default();
-    let esdk_client = EsdkClient::from_conf(esdk_config)?;
-
     // 2. Create a KMS client.
     let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
     let kms_client = aws_sdk_kms::Client::new(&sdk_config);
@@ -75,7 +66,7 @@ pub async fn encrypt_and_decrypt_with_cmm(
         .encryption_context(&encryption_context)
         .algorithm_suite_id(EsdkAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384)
         .build()?;
-    let encryption_response = esdk_client.encrypt(&encrypt_input).await?;
+    let encryption_response = encrypt(&encrypt_input).await?;
 
     let ciphertext = encryption_response.ciphertext;
 
@@ -93,7 +84,7 @@ pub async fn encrypt_and_decrypt_with_cmm(
         // Provide the encryption context that was supplied to the encrypt method
         .encryption_context(&encryption_context)
         .build()?;
-    let decryption_response = esdk_client.decrypt(&decrypt_input).await?;
+    let decryption_response = decrypt(&decrypt_input).await?;
 
     let decrypted_plaintext = decryption_response.plaintext;
 
@@ -107,7 +98,7 @@ pub async fn encrypt_and_decrypt_with_cmm(
     // 9. Demonstrate that a Non Signing Algorithm Suite will be rejected
     // by the CMM.
     encrypt_input.algorithm_suite_id = Some(EsdkAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKey);
-    let encryption_response_non_signing = esdk_client.encrypt(&encrypt_input).await;
+    let encryption_response_non_signing = encrypt(&encrypt_input).await;
 
     if encryption_response_non_signing.is_ok() {
         panic!(

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/keyring/aws_kms_discovery_keyring_example.rs

@@ -36,7 +36,6 @@ For more information on KMS Key identifiers, see
 https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id
 */
 
-use aws_esdk::Client as EsdkClient;
 use aws_esdk::*;
 use aws_mpl_rs::types::DiscoveryFilter;
 
@@ -46,13 +45,6 @@ pub async fn encrypt_and_decrypt_with_keyring(
     aws_account_id: &str,
     // ) -> Result<(), crate::BoxError> {
 ) -> Result<(), Error> {
-    // 1. Instantiate the encryption SDK client.
-    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
-    // which enforces that this client only encrypts using committing algorithm suites and enforces
-    // that this client will only decrypt encrypted messages that were created with a committing
-    // algorithm suite.
-    let esdk_client = EsdkClient::default();
-
     // 2. Create a KMS client.
     let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
     let kms_client = aws_sdk_kms::Client::new(&sdk_config);
@@ -78,7 +70,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
     // 4. Create the keyring that determines how your data keys are protected.
     //    Although this example highlights Discovery keyrings, Discovery keyrings cannot
     //    be used to encrypt, so for encryption we create a KMS keyring without discovery mode.
-    let mpl = EsdkClient::mpl()?;
+    let mpl = mpl()?;
 
     let encrypt_kms_keyring = mpl
         .create_aws_kms_keyring()
@@ -95,7 +87,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
         .keyring(encrypt_kms_keyring)
         .encryption_context(&encryption_context)
         .build()?;
-    let encryption_response = esdk_client.encrypt(&encrypt_input).await?;
+    let encryption_response = encrypt(&encrypt_input).await?;
 
     let ciphertext = encryption_response.ciphertext;
 
@@ -139,7 +131,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
         .keyring(discovery_keyring)
         .encryption_context(&encryption_context)
         .build()?;
-    let decryption_response = esdk_client.decrypt(&decrypt_input).await?;
+    let decryption_response = decrypt(&decrypt_input).await?;
 
     let decrypted_plaintext = decryption_response.plaintext;
 
@@ -170,7 +162,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
     // Account ID's for the KMS keyring used for encryption.
     // This should throw an AwsCryptographicMaterialProvidersError exception
     decrypt_input.keyring = Some(discovery_keyring_bob);
-    let decryption_response_bob = esdk_client.decrypt(&decrypt_input).await;
+    let decryption_response_bob = decrypt(&decrypt_input).await;
 
     if decryption_response_bob.is_ok() {
         panic!(

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/keyring/aws_kms_discovery_multi_keyring_example.rs

@@ -33,7 +33,6 @@ For more information on KMS Key identifiers, see
 https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id
 */
 
-use aws_esdk::Client as EsdkClient;
 use aws_esdk::*;
 use aws_mpl_rs::client as mpl_client;
 use aws_mpl_rs::types::DiscoveryFilter;
@@ -46,13 +45,6 @@ pub async fn encrypt_and_decrypt_with_keyring(
     aws_account_id: &str,
     aws_regions: Vec<String>,
 ) -> Result<(), crate::BoxError> {
-    // 1. Instantiate the encryption SDK client.
-    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
-    // which enforces that this client only encrypts using committing algorithm suites and enforces
-    // that this client will only decrypt encrypted messages that were created with a committing
-    // algorithm suite.
-    let esdk_client = EsdkClient::default();
-
     // 2. Create a KMS client.
     let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
     let kms_client = aws_sdk_kms::Client::new(&sdk_config);
@@ -96,7 +88,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
         .keyring(encrypt_kms_keyring)
         .encryption_context(&encryption_context)
         .build()?;
-    let encryption_response = esdk_client.encrypt(&encrypt_input).await?;
+    let encryption_response = encrypt(&encrypt_input).await?;
 
     let ciphertext = encryption_response.ciphertext;
 
@@ -143,7 +135,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
         // Provide the encryption context that was supplied to the encrypt method
         .encryption_context(&encryption_context)
         .build()?;
-    let decryption_response = esdk_client.decrypt(&decrypt_input).await?;
+    let decryption_response = decrypt(&decrypt_input).await?;
 
     let decrypted_plaintext = decryption_response.plaintext;
 

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/keyring/aws_kms_hierarchical/aws_kms_hierarchical_keyring_example.rs

@@ -39,7 +39,6 @@
 
 use super::create_branch_key_id::create_branch_key_id;
 use super::example_branch_key_id_supplier::ExampleBranchKeyIdSupplier;
-use aws_esdk::Client as EsdkClient;
 use aws_esdk::*;
 use aws_mpl_rs::aws_cryptography_keyStore::client as keystore_client;
 use aws_mpl_rs::aws_cryptography_keyStore::types::KmsConfiguration;
@@ -53,14 +52,6 @@ pub async fn encrypt_and_decrypt_with_keyring(
     logical_key_store_name: &str,
     key_store_kms_key_id: &str,
 ) -> Result<(), crate::BoxError> {
-    // 1. Instantiate the encryption SDK client.
-    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
-    // which enforces that this client only encrypts using committing algorithm suites and enforces
-    // that this client will only decrypt encrypted messages that were created with a committing
-    // algorithm suite.
-    let esdk_config = AwsEncryptionSdkConfig::default();
-    let esdk_client = EsdkClient::from_conf(esdk_config)?;
-
     // 2. Create a KMS client and DynamoDB client.
     let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
     let kms_client = aws_sdk_kms::Client::new(&sdk_config);
@@ -158,12 +149,12 @@ pub async fn encrypt_and_decrypt_with_keyring(
         .keyring(hierarchical_keyring.clone())
         .encryption_context(&encryption_context_a)
         .build()?;
-    let encryption_response_a = esdk_client.encrypt(&encrypt_input).await?;
+    let encryption_response_a = encrypt(&encrypt_input).await?;
 
     let ciphertext_a = encryption_response_a.ciphertext;
 
-    encrypt_input.encryption_context = Some(&encryption_context_b);
-    let encryption_response_b = esdk_client.encrypt(&encrypt_input).await?;
+    encrypt_input.encryption_context = &encryption_context_b;
+    let encryption_response_b = encrypt(&encrypt_input).await?;
 
     let ciphertext_b = encryption_response_b.ciphertext;
 
@@ -209,7 +200,7 @@ pub async fn encrypt_and_decrypt_with_keyring(
         // Provide the encryption context that was supplied to the encrypt method
         .encryption_context(&encryption_context_a)
         .build()?;
-    let decryption_response_mismatch_1 = esdk_client.decrypt(&decrypt_input).await;
+    let decryption_response_mismatch_1 = decrypt(&decrypt_input).await;
 
     if decryption_response_mismatch_1.is_ok() {
         panic!(
@@ -222,8 +213,8 @@ pub async fn encrypt_and_decrypt_with_keyring(
     // which we swallow ONLY for demonstration purposes.
     decrypt_input.ciphertext = &ciphertext_b;
     decrypt_input.keyring = Some(hierarchical_keyring_a.clone());
-    decrypt_input.encryption_context = Some(&encryption_context_b);
-    let decryption_response_mismatch_2 = esdk_client.decrypt(&decrypt_input).await;
+    decrypt_input.encryption_context = &encryption_context_b;
+    let decryption_response_mismatch_2 = decrypt(&decrypt_input).await;
 
     if decryption_response_mismatch_2.is_ok() {
         panic!(
@@ -234,8 +225,8 @@ pub async fn encrypt_and_decrypt_with_keyring(
     // 12. Demonstrate that data encrypted by one tenant's branch key can be decrypted by that tenant,
     //     and that the decrypted data matches the input data.
     decrypt_input.ciphertext = &ciphertext_a;
-    decrypt_input.encryption_context = Some(&encryption_context_a);
-    let decryption_response_a = esdk_client.decrypt(&decrypt_input).await?;
+    decrypt_input.encryption_context = &encryption_context_a;
+    let decryption_response_a = decrypt(&decrypt_input).await?;
 
     let decrypted_plaintext_a = decryption_response_a.plaintext;
 
@@ -248,9 +239,9 @@ pub async fn encrypt_and_decrypt_with_keyring(
 
     // Similarly for TenantB
     decrypt_input.ciphertext = &ciphertext_b;
-    decrypt_input.encryption_context = Some(&encryption_context_b);
+    decrypt_input.encryption_context = &encryption_context_b;
     decrypt_input.keyring = Some(hierarchical_keyring_b.clone());
-    let decryption_response_b = esdk_client.decrypt(&decrypt_input).await?;
+    let decryption_response_b = decrypt(&decrypt_input).await?;
     let decrypted_plaintext_b = decryption_response_b.plaintext;
 
     // Demonstrate that the decrypted plaintext is identical to the original plaintext.