backup

Author: ajewellamz

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/.gitignore

@@ -0,0 +1,3 @@
+/target
+*.pem
+

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/Cargo.toml

@@ -0,0 +1,42 @@
+
+[package]
+name = "aws-esdk"
+version = "0.1.0"
+edition = "2024"
+autoexamples = false
+
+[dependencies]
+aws-mpl-rs = { path = "/Users/ajewell/h2/aws-cryptographic-material-providers-library/AwsCryptographicMaterialProviders/runtimes/rust" }
+aws-smithy-types = "1.3.3"
+tokio = "1.48.0"
+aws-mpl-primitives = { path = "/Users/ajewell/esdk_rust/prim" }
+derivative = "2.2.0"
+derive_builder = "0.20.2"
+
+clap = { version = "4.5.49", features = ["derive"], optional = true }
+serde_json = { version = "1.0.145", optional = true }
+anyhow = { version = "1.0.100", optional = true }
+base64 = { version = "0.22.1", optional = true }
+aws-sdk-kms = { version = "1.90.0", optional = true }
+aws-config = { version = "1.8.8", optional = true }
+
+# Necessary for examples
+[dev-dependencies]
+pem = "3.0.6"
+aws-config = "1.8.8"
+aws-sdk-kms = "1.90.0"
+aws-sdk-dynamodb = "1.95.0"
+aws-lc-rs = {version = "1.14.1"}
+rand = "0.9.2"
+
+[[example]]
+name = "main"
+
+[[bin]]
+name = "test_vector"
+path = "src/bin/test_vector/main.rs"
+required-features = ["test_vectors"]  # Only build binary when cli feature is enabled
+
+[features]
+default = []
+test_vectors = ["clap", "serde_json", "anyhow", "base64", "aws-sdk-kms",  "aws-config"]  # Users can enable with --features test_vectors

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/README.md

@@ -0,0 +1,92 @@
+# AWS Encryption SDK for Rust Examples
+
+This section features examples that show you
+how to use the AWS Encryption SDK.
+We demonstrate how to use the encryption and decryption APIs
+and how to set up some common configuration patterns.
+
+## APIs
+
+The AWS Encryption SDK provides a high-level,
+one-step API that processes encryption
+and decryption operations entirely in memory.
+
+You can find examples that demonstrate these APIs
+in the [`examples/`](./) directory.
+
+- [How to encrypt and decrypt](./keyring/aws_kms_keyring_example.rs)
+- [How to change the algorithm suite](./set_encryption_algorithm_suite_example.rs)
+- [How to set the commitment policy](./set_commitment_policy_example.rs)
+- [How to limit the number of encrypted data keys (EDKs)](./limit_encrypted_data_keys_example.rs)
+
+## Configuration
+
+To use the encryption and decryption APIs,
+you need to describe how you want the library to protect your data keys.
+You can do this by configuring
+[keyrings](#keyrings) or [cryptographic materials managers](#cryptographic-materials-managers).
+These examples will show you how to use the configuration tools that we include for you
+and how to create some of your own.
+We start with AWS KMS examples, then show how to use other wrapping keys.
+
+- Using AWS Key Management Service (AWS KMS)
+  - [How to use one AWS KMS key](./keyring/aws_kms_keyring_example.rs)
+  - [How to use multiple AWS KMS keys in different regions](./keyring/aws_kms_mrk_discovery_multi_keyring_example.rs)
+  - [How to decrypt when you don't know the AWS KMS key](./keyring/aws_kms_discovery_keyring_example.rs)
+  - [How to limit decryption to a single region](./keyring/aws_kms_mrk_discovery_keyring_example.rs)
+  - [How to decrypt with a preferred region but failover to others](./keyring/aws_kms_mrk_discovery_multi_keyring_example.rs)
+  - [How to reproduce the behavior of an AWS KMS master key provider](./keyring/aws_kms_multi_keyring_example.rs)
+- Using raw wrapping keys
+  - [How to use a raw AES wrapping key](./keyring/raw_aes_keyring_example.rs)
+  - [How to use a raw RSA wrapping key](./keyring/raw_rsa_keyring_example.rs)
+- Combining wrapping keys
+  - [How to combine AWS KMS with an offline escrow key](./keyring/multi_keyring_example.rs)
+- How to restrict algorithm suites
+  - [with a custom cryptographic materials manager](./cryptographic_materials_manager/restrict_algorithm_suite/signing_suite_only_cmm.rs)
+
+### Keyrings
+
+Keyrings are the most common way for you to configure the AWS Encryption SDK.
+They determine how the AWS Encryption SDK protects your data.
+For more information about keyrings, see the [AWS Developer Guide on using Keyrings](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html).
+You can find these examples in [`examples/keyring`](./keyring).
+
+### Cryptographic Materials Managers
+
+Keyrings define how your data keys are protected,
+but there is more going on here than just protecting data keys.
+
+Cryptographic materials managers give you higher-level controls
+over how the AWS Encryption SDK protects your data.
+This can include things like
+enforcing the use of certain algorithm suites or encryption context settings,
+reusing data keys across messages,
+or changing how you interact with keyrings.
+For more information about cryptographic materials managers, see the [AWS Developer Guide on cryptographic materials managers](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#crypt-materials-manager).
+You can find these examples in
+[`examples/cryptographic_materials_manager`](./cryptographic_materials_manager).
+
+### Client Supplier
+
+The AWS Encryption SDK creates AWS KMS clients when interacting with AWS KMS.
+In case the default AWS KMS client configuration doesn't suit your needs,
+you can configure clients by defining a custom Client Supplier.
+For example, your Client Supplier could tune
+the retry and timeout settings on the client, or use different credentials
+based on which region is being called. In our
+[regional_role_client_supplier](./client_supplier/regional_role_client_supplier.rs)
+example, we show how you can build a custom Client Supplier which
+creates clients by assuming different IAM roles for different regions.
+
+# Writing Examples
+
+If you want to contribute a new example, that's awesome!
+To make sure that your example is tested in our CI,
+please make sure that it meets the following requirements:
+
+1. The example MUST be a distinct subdirectory or file in the [`examples/`](./) directory.
+1. The example MAY be nested arbitrarily deeply. However, each example file MUST be added to the `mod.rs` files appropriately according to the directory structure. If the example is in the root directory [`examples/`](./), you MUST also add the module to the [`main.rs`](./main.rs) file. For instance, `pub mod set_commitment_policy_example;`.
+1. Each example file MUST contain exactly one example.
+1. Each example filename MUST be descriptive.
+1. Each example file MUST contain a testing function with the attribute `#[tokio::test(flavor = "multi_thread")]` just like the one at the end of the [KMS Keyring](./keyring/aws_kms_keyring_example.rs).
+1. Each example MUST also be called inside the `main` function of [main.rs](./main.rs).

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/client_supplier/client_supplier_example.rs

@@ -0,0 +1,194 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+/*
+ This example sets up an MRK multi-keyring and an MRK discovery
+ multi-keyring using a custom client supplier.
+ A custom client supplier grants users access to more granular
+ configuration aspects of their authentication details and KMS
+ client. In this example, we create a simple custom client supplier
+ that authenticates with a different IAM role based on the
+ region of the KMS key.
+
+ This example creates a MRK multi-keyring configured with a custom
+ client supplier using a single MRK and encrypts the example_data with it.
+ Then, it creates a MRK discovery multi-keyring to decrypt the ciphertext.
+*/
+
+use super::regional_role_client_supplier::RegionalRoleClientSupplier;
+use aws_esdk::client as esdk_client;
+use aws_esdk::material_providers::client as mpl_client;
+use aws_esdk::material_providers::types::DiscoveryFilter;
+use aws_esdk::material_providers::types::error::Error::AwsCryptographicMaterialProvidersException;
+use aws_esdk::material_providers::types::material_providers_config::MaterialProvidersConfig;
+use aws_esdk::types::*;
+
+pub async fn encrypt_and_decrypt_with_keyring(
+    example_data: &str,
+    mrk_key_id_encrypt: &str,
+    aws_account_id: &str,
+    aws_regions: Vec<String>,
+) -> Result<(), crate::BoxError> {
+    // 1. Instantiate the encryption SDK client.
+    // This builds the default client with the RequireEncryptRequireDecrypt commitment policy,
+    // which enforces that this client only encrypts using committing algorithm suites and enforces
+    // that this client will only decrypt encrypted messages that were created with a committing
+    // algorithm suite.
+    let esdk_config = AwsEncryptionSdkConfig::default();
+    let esdk_client = esdk_client::Client::from_conf(esdk_config)?;
+
+    // 2. Create encryption context.
+    // Remember that your encryption context is NOT SECRET.
+    // For more information, see
+    // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
+    let encryption_context = EncryptionContext::from([
+        ("encryption".to_string(), "context".to_string()),
+        ("is not".to_string(), "secret".to_string()),
+        ("but adds".to_string(), "useful metadata".to_string()),
+        (
+            "that can help you".to_string(),
+            "be confident that".to_string(),
+        ),
+        (
+            "the data you are handling".to_string(),
+            "is what you think it is".to_string(),
+        ),
+    ]);
+
+    // 3. Create a single MRK multi-keyring.
+    //    This can be either a single-region KMS key or an MRK.
+    //    For this example to succeed, the key's region must either
+    //    1) be in the regions list, or
+    //    2) the key must be an MRK with a replica defined
+    //    in a region in the regions list, and the client
+    //    must have the correct permissions to access the replica.
+    let mpl_config = MaterialProvidersConfig::builder().build()?;
+    let mpl = mpl_client::Client::from_conf(mpl_config)?;
+
+    // Create the multi-keyring using our custom client supplier
+    // defined in the RegionalRoleClientSupplier class in this directory.
+    // Note: RegionalRoleClientSupplier will internally use the key_arn's region
+    // to retrieve the correct IAM role.
+    let mrk_keyring_with_client_supplier = mpl
+        .create_aws_kms_mrk_multi_keyring()
+        .client_supplier(RegionalRoleClientSupplier {})
+        .generator(mrk_key_id_encrypt)
+        .send()
+        .await?;
+
+    // 4. Encrypt the data with the encryption_context using the encrypt_keyring.
+    let plaintext = example_data.as_bytes();
+
+    let encrypt_input = EncryptInputBuilder::default()
+        .plaintext(plaintext)
+        .keyring(mrk_keyring_with_client_supplier)
+        .encryption_context(&encryption_context)
+        .build()?;
+    let encryption_response = esdk_client.encrypt(&encrypt_input).await?;
+
+    let ciphertext = encryption_response.ciphertext;
+
+    // 5. Demonstrate that the ciphertext and plaintext are different.
+    // (This is an example for demonstration; you do not need to do this in your own code.)
+    assert_ne!(
+        ciphertext, plaintext,
+        "Ciphertext and plaintext data are the same. Invalid encryption"
+    );
+
+    // 6. Create a MRK discovery multi-keyring with a custom client supplier.
+    //    A discovery MRK multi-keyring will be composed of
+    //    multiple discovery MRK keyrings, one for each region.
+    //    Each component keyring has its own KMS client in a particular region.
+    //    When we provide a client supplier to the multi-keyring, all component
+    //    keyrings will use that client supplier configuration.
+    //    In our tests, we make `mrk_key_id_encrypt` an MRK with a replica, and
+    //    provide only the replica region in our discovery filter.
+    let discovery_filter = DiscoveryFilter::builder()
+        .account_ids(vec![aws_account_id.to_string()])
+        .partition("aws".to_string())
+        .build()?;
+
+    let mrk_discovery_client_supplier_keyring = mpl
+        .create_aws_kms_mrk_discovery_multi_keyring()
+        .client_supplier(RegionalRoleClientSupplier {})
+        .discovery_filter(discovery_filter.clone())
+        .regions(aws_regions)
+        .send()
+        .await?;
+
+    // 7. Decrypt your encrypted data using the discovery multi keyring.
+    // On Decrypt, the header of the encrypted message (ciphertext) will be parsed.
+    // The header contains the Encrypted Data Keys (EDKs), which, if the EDK
+    // was encrypted by a KMS Keyring, includes the KMS Key ARN.
+    // For each member of the Multi Keyring, every EDK will try to be decrypted until a decryption
+    // is successful.
+    // Since every member of the Multi Keyring is a Discovery Keyring:
+    //   Each Keyring will filter the EDKs by the Discovery Filter and the Keyring's region.
+    //      For each filtered EDK, the keyring will attempt decryption with the keyring's client.
+    // All of this is done serially, until a success occurs or all keyrings have failed
+    // all (filtered) EDKs. KMS MRK Discovery Keyrings will attempt to decrypt
+    // Multi Region Keys (MRKs) and regular KMS Keys.
+    let decrypt_input = DecryptInputBuilder::default()
+        .ciphertext(&ciphertext)
+        .keyring(mrk_discovery_client_supplier_keyring)
+        // Provide the encryption context that was supplied to the encrypt method
+        .encryption_context(&encryption_context)
+        .build()?;
+    let decryption_response = esdk_client.decrypt(&decrypt_input).await?;
+
+    let decrypted_plaintext = decryption_response.plaintext;
+
+    // 8. Demonstrate that the decrypted plaintext is identical to the original plaintext.
+    // (This is an example for demonstration; you do not need to do this in your own code.)
+    assert_eq!(
+        decrypted_plaintext, plaintext,
+        "Decrypted plaintext should be identical to the original plaintext. Invalid decryption"
+    );
+
+    // 9. Test the Missing Region Exception
+    // (This is an example for demonstration; you do not need to do this in your own code.)
+    let mrk_discovery_client_supplier_keyring_missing_region = mpl
+        .create_aws_kms_mrk_discovery_multi_keyring()
+        .client_supplier(RegionalRoleClientSupplier {})
+        .discovery_filter(discovery_filter)
+        .regions(vec!["fake-region".to_string()])
+        .send()
+        .await;
+
+    // Swallow the exception
+    // (This is an example for demonstration; you do not need to do this in your own code.)
+    match mrk_discovery_client_supplier_keyring_missing_region {
+        Ok(_) => panic!(
+            "Decryption using discovery keyring with missing region MUST \
+                            raise AwsCryptographicMaterialProvidersException"
+        ),
+        Err(AwsCryptographicMaterialProvidersException { message: _e }) => (),
+        _ => panic!("Unexpected error type"),
+    }
+
+    println!("Client Supplier Example Completed Successfully");
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread")]
+pub async fn test_encrypt_and_decrypt_with_keyring() -> Result<(), crate::BoxError2> {
+    // Test function for encrypt and decrypt using the Client Supplier example
+    use crate::example_utils::utils;
+
+    // Note that we pass in an MRK in us-east-1. The RegionalRoleClientSupplier
+    // will internally use the key_arn's region (us-east-1)
+    // to retrieve the correct IAM role.
+    // and access its replica in eu-west-1
+    let aws_regions: Vec<String> = vec!["eu-west-1".to_string()];
+
+    encrypt_and_decrypt_with_keyring(
+        utils::TEST_EXAMPLE_DATA,
+        utils::TEST_MRK_KEY_ID_US_EAST_1,
+        utils::TEST_DEFAULT_KMS_KEY_ACCOUNT_ID,
+        aws_regions,
+    )
+    .await?;
+
+    Ok(())
+}

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/examples/client_supplier/mod.rs

@@ -0,0 +1,6 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+pub mod client_supplier_example;
+pub mod regional_role_client_supplier;
+pub mod regional_role_client_supplier_config;