m

Author: ajewellamz

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/bin/test_vector/main.rs

@@ -30,21 +30,35 @@ enum Commands {
         test_name: String,
     },
 }
- #[tokio::main]
- async fn main() -> Result<()> {
+#[tokio::main]
+async fn main() -> Result<()> {
     let cli = Cli::parse();
 
     match &cli.command {
         Commands::Encrypt {
             manifest_path,
             decrypt_manifest_path,
             test_name,
-        } => aws_esdk::test_vectors::run_tests::encrypt_test_vectors(manifest_path, decrypt_manifest_path, test_name).await,
+        } => {
+            aws_esdk::test_vectors::run_tests::encrypt_test_vectors(
+                manifest_path,
+                decrypt_manifest_path,
+                test_name,
+            )
+            .await
+        }
         Commands::Decrypt {
             manifest_path,
             manifest_name,
             test_name,
-        } => aws_esdk::test_vectors::run_tests::decrypt_test_vectors(manifest_path, manifest_name, test_name).await,
+        } => {
+            aws_esdk::test_vectors::run_tests::decrypt_test_vectors(
+                manifest_path,
+                manifest_name,
+                test_name,
+            )
+            .await
+        }
     }
 }
 

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/encrypt_decrypt.rs

@@ -15,19 +15,16 @@ use crate::types::EncryptionContext;
 use crate::types::{SafeRead, SafeWrite};
 
 use aws_mpl_primitives::ecdsa_verify_context;
-use aws_mpl_primitives::{
-    EcdsaSignatureAlgorithm, aes_encrypt, ecdsa_verify, generate_random_bytes,
-};
+use aws_mpl_primitives::{EcdsaSignatureAlgorithm, aes_encrypt, generate_random_bytes};
 use aws_mpl_rs::types::AlgorithmSuiteInfo;
 use aws_mpl_rs::types::cryptographic_materials_manager::CryptographicMaterialsManagerRef;
 
 //= compliance/client-apis/encrypt.txt#2.4.6
 //= type=implication
 //# This
 //# value MUST default to 4096 bytes.
-pub(crate) const DEFAULT_FRAME_LENGTH: usize = 4096;
+pub(crate) const DEFAULT_FRAME_LENGTH: u32 = 4096;
 
-// UTF-8 encoded "aws-crypto-"
 const RESERVED_ENCRYPTION_CONTEXT: &str = "aws-crypto-";
 
 pub(crate) fn encrypt_and_serialize(
@@ -38,33 +35,34 @@ pub(crate) fn encrypt_and_serialize(
     dw: &mut DigestWriter,
 ) -> Result<(), Error> {
     let frame_length = header.body.frame_length() as usize;
-    // let frames = plaintext.len().div_ceil(frame_length);
     let iv_len = get_iv_length(&header.suite) as usize;
     let auth_len = get_tag_length(&header.suite) as usize;
     let frame_len = frame_length + iv_len + auth_len + 4;
-    // let total_size = frames * frame_len + header.raw_header.len() + iv_len + auth_len + 128;
     let mut w = Vec::with_capacity(frame_len);
     write_bytes(&mut w, &header.raw_header)?;
     write_header_auth_tag(&mut w, &header.header_auth, &header.suite)?;
     write_bytes(out, &w)?;
     write_bytes(dw, &w)?;
 
-    // let mut n: usize = 0;
     let mut sequence_number = START_SEQUENCE_NUMBER;
     let alg = get_aes_alg(&header.suite);
 
     let mut iv = vec![0; iv_len];
     let mut plaintext_frame = vec![0; frame_length];
     let mut aad = Vec::new();
     let mut in_size: usize;
-    // let mut foo = 0u8;
+    let mut next_char: Option<u8> = None;
+
     loop {
         w.clear();
-        // in_size = read_up_to(plaintext, &mut [foo])?;
-        in_size = read_up_to(plaintext, &mut plaintext_frame)?;
+        in_size = read_up_to_peek(plaintext, &mut plaintext_frame, next_char)?;
         if in_size != frame_length {
             break;
         }
+        next_char = read_opt_u8(plaintext)?;
+        if next_char.is_none() {
+            break;
+        }
         if sequence_number == ENDFRAME_SEQUENCE_NUMBER {
             return Err("too many frames".into());
         }
@@ -133,59 +131,7 @@ pub(crate) const fn ecdsa_alg(
     }
 }
 
-// consume and verify signature
-#[allow(dead_code)]
 pub(crate) fn verify_signature(
-    r: &mut dyn SafeRead,
-    msg: &[u8],
-    dec_mat: aws_mpl_rs::types::DecryptionMaterials,
-    raw: &mut dyn SafeWrite,
-) -> Result<(), Error> {
-    //= compliance/client-apis/decrypt.txt#2.7
-    //= type=implication
-    //# Otherwise this operation MUST NOT perform this
-    //# step.
-    if dec_mat.verification_key.is_none() {
-        return Ok(());
-    }
-
-    //= compliance/client-apis/decrypt.txt#2.7.5
-    //# If the algorithm suite has a signature algorithm, this operation MUST
-    //# verify the message footer using the specified signature algorithm.
-
-    //= compliance/client-apis/decrypt.txt#2.7
-    //# ./framework/algorithm-
-    //# suites.md#signature-algorithm), this operation MUST perform
-    //# this step.
-
-    //= compliance/client-apis/decrypt.txt#2.7.5
-    //# After deserializing the body, this operation MUST deserialize the
-    //# next encrypted message bytes as the message footer (../data-format/
-    //# message-footer.md).
-
-    let signature = read_seq_u16(r, raw)?;
-    let ecdsa_params = get_ecdsa_alg(&dec_mat.algorithm_suite.unwrap().signature.unwrap())?;
-    let data_to_sign = &msg[0..msg.len() - signature.len() - 2];
-    //= compliance/client-apis/decrypt.txt#2.7.5
-    //# Once the message footer is deserialized, this operation MUST use the
-    //# signature algorithm (../framework/algorithm-suites.md#signature-
-    //# algorithm) from the algorithm suite (../framework/algorithm-
-    //# suites.md) in the decryption materials to verify the encrypted
-    //# message, with the following inputs:
-    let valid = ecdsa_verify(
-        ecdsa_alg(ecdsa_params),
-        dec_mat.verification_key.unwrap().as_ref(),
-        data_to_sign,
-        &signature,
-    )?;
-
-    if !valid {
-        return Err("InvalidSignature".into());
-    }
-    Ok(())
-}
-
-pub(crate) fn verify_signature2(
     r: &mut dyn SafeRead,
     context: aws_mpl_primitives::DigestContext,
     dec_mat: aws_mpl_rs::types::DecryptionMaterials,
@@ -215,7 +161,6 @@ pub(crate) fn verify_signature2(
 
     let signature = read_seq_u16(r, raw)?;
     let ecdsa_params = get_ecdsa_alg(&dec_mat.algorithm_suite.unwrap().signature.unwrap())?;
-    // let data_to_sign = &msg[0..msg.len() - signature.len() - 2];
     //= compliance/client-apis/decrypt.txt#2.7.5
     //# Once the message footer is deserialized, this operation MUST use the
     //# signature algorithm (../framework/algorithm-suites.md#signature-
@@ -308,14 +253,6 @@ pub(crate) fn build_header_for_encrypt(
     frame_length: u32,
     derived_data_keys: &key_derivation::ExpandedKeyMaterial,
 ) -> Result<HeaderInfo, Error> {
-    // requires !suite.commitment.IDENTITY?
-    // requires SerializableTypes.IsESDKEncryptionContext(encryptionContext)
-    //     requires suite.commitment.HKDF? ==>
-    //            && derivedDataKeys.commitmentKey.Some?
-    //            && |derivedDataKeys.commitmentKey.value| == suite.commitment.HKDF.outputKeyLength as int
-
-    // requires frameLength > 0
-
     //= aws-encryption-sdk-specification/client-apis/encrypt.md#construct-the-header
     //# - [AAD](../data-format/message-header.md#aad): MUST be the serialization of the [encryption context](../framework/structures.md#encryption-context)
     //#  in the [encryption materials](../framework/structures.md#encryption-materials),
@@ -607,8 +544,6 @@ pub(crate) fn validate_suite_data(
     header: &HeaderBody,
     expected_suite_data: &[u8],
 ) -> Result<(), Error> {
-    //     requires suite.commitment.HKDF?
-
     //= compliance/client-apis/decrypt.txt#2.7.2
     //# The derived commit key MUST equal the commit key stored in the message
     //# header.
@@ -632,23 +567,6 @@ pub(crate) fn validate_suite_data(
     Ok(())
 }
 
-// pub(crate) fn read_and_decrypt_framed_message_body(
-//     r: &mut dyn SafeRead,
-//     header: &header::HeaderInfo,
-//     key: &[u8],
-//     raw: &mut dyn SafeWrite,
-// ) -> Result<Vec<u8>, Error> {
-//     //= compliance/client-apis/decrypt.txt#2.7.3
-//     //# The message header MUST be read and parsed as follows.
-//     let message_body = read_framed_message_body(r, header, raw)?;
-
-//     //= compliance/client-apis/decrypt.txt#2.7.3
-//     //# The message body MUST be read and decrypted as follows.
-//     let plaintext = decrypt_framed_message_body(&message_body, key)?;
-
-//     Ok(plaintext)
-// }
-
 pub(crate) fn read_and_decrypt_non_framed_message_body(
     r: &mut dyn SafeRead,
     header: &HeaderInfo,

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/esdk_operations.rs

@@ -50,10 +50,11 @@ impl Client {
         let frame_length = input
             .frame_length
             .unwrap_or(encrypt_decrypt::DEFAULT_FRAME_LENGTH);
-        let frames = input.plaintext.len().div_ceil(frame_length);
+        let frame_length_usize = frame_length as usize;
+        let frames = input.plaintext.len().div_ceil(frame_length_usize);
         let iv_len = 12_usize;
         let auth_len = 16_usize;
-        let frame_len = frame_length + iv_len + auth_len + 4;
+        let frame_len = frame_length_usize + iv_len + auth_len + 4;
         let header_overhead = 1024_usize;
         let total_size = frames * frame_len + header_overhead;
 
@@ -110,14 +111,14 @@ async fn internal_encrypt(
     input_keyring: Option<aws_mpl_rs::types::keyring::KeyringRef>,
     input_encryption_context: Option<&EncryptionContext>,
     algorithm_suite_id: Option<aws_mpl_rs::types::EsdkAlgorithmSuiteId>,
-    frame_length: Option<usize>,
+    frame_length: Option<u32>,
 ) -> Result<EncryptStreamOutput, Error> {
     //= compliance/client-apis/encrypt.txt#2.4.6
     //# This value
     //# MUST be greater than 0 and MUST NOT exceed the value 2^32 - 1.
     let frame_length = if let Some(in_len) = frame_length {
         #[allow(clippy::checked_conversions)] // u32::MAX fits in a usize in real life
-        if in_len > 0 && in_len <= u32::MAX as usize {
+        if in_len != 0 {
             in_len
         } else {
             return Err("FrameLength must be greater than 0 and less than 2^32".into());
@@ -234,7 +235,7 @@ async fn internal_encrypt(
         materials.encryption_context.as_ref().unwrap(),
         materials.required_encryption_context_keys.as_ref().unwrap(),
         encrypted_data_keys,
-        frame_length as u32,
+        frame_length,
         &derived_data_keys,
     )?;
     let mut dw = DigestWriter::from_old_ecdsa(suite.signature.as_ref().unwrap())?;
@@ -330,10 +331,6 @@ impl Client {
     }
 }
 
-// pub encryption_context: Option<&'a EncryptionContext>,
-// pub keyring: Option<KeyringRef>,
-// pub materials_manager: Option<CryptographicMaterialsManagerRef>,
-
 async fn internal_decrypt(
     config: &Config,
     ciphertext: &mut dyn SafeRead,
@@ -557,16 +554,18 @@ async fn internal_decrypt(
             )?
         }
         ContentType::Framed => {
-            // if dec_mat.verification_key.is_some() && safety_needed.yes() {
-            //     return Err("Streaming Interface can return data before signature has been validated. Set `i_accept_the_danger` in the DecryptStreamInput struct if this is ok.".into());
-            // }
             let fail_if_multi_frame = dec_mat.verification_key.is_some() && safety_needed.yes();
 
             //= compliance/client-apis/decrypt.txt#2.7.4
             //# If this decryption fails, this operation MUST immediately halt and
             //# fail.
             message_body::read_and_decrypt_framed_message_body(
-                ciphertext, plaintext, &header, &key, &mut dw, fail_if_multi_frame
+                ciphertext,
+                plaintext,
+                &header,
+                &key,
+                &mut dw,
+                fail_if_multi_frame,
             )?
         }
     };
@@ -576,7 +575,7 @@ async fn internal_decrypt(
         //# If this verification is not successful, this operation MUST
         //# immediately halt and fail.
         let mut noop = NoopWriter;
-        encrypt_decrypt::verify_signature2(ciphertext, dw.context.unwrap(), dec_mat, &mut noop)?;
+        encrypt_decrypt::verify_signature(ciphertext, dw.context.unwrap(), dec_mat, &mut noop)?;
     }
     // now that we have verified the signature, we can write the last frame of data
     serialize_functions::write_bytes(plaintext, &last_frame)?;

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/key_derivation.rs

@@ -14,13 +14,6 @@ pub(crate) struct ExpandedKeyMaterial {
     pub(crate) data_key: Vec<u8>,
     pub(crate) commitment_key: Option<Vec<u8>>,
 }
-/*
-    requires suite.kdf.HKDF?
-             ==>
-               && |plaintextDataKey| == suite.kdf.HKDF.inputKeyLength as nat
-               && suite.kdf.HKDF.outputKeyLength == SerializableTypes.GetEncryptKeyLength(suite)
-
-*/
 
 fn get_kdf_outlen(suite: &AlgorithmSuiteInfo) -> Result<i32, Error> {
     match suite.kdf.as_ref().unwrap() {
@@ -61,19 +54,10 @@ pub(crate) async fn derive_key(
     if suite.message_version.unwrap() != 1 {
         return Err("Validation Error 5".into());
     }
-    // if suite.commitment.is_some() {
-    //     return Err("Validation Error 6".into());
-    // }
     if !valid_derivation_alg(suite.kdf.as_ref().unwrap(), suite, plaintext_data_key.len()) {
         return Err("Validation Error 7".into());
     }
 
-    // ensures res.Success? ==> |res.value.dataKey| == SerializableTypes.GetEncryptKeyLength(suite) as nat
-    // ensures res.Success? ==> IsDerivedKey(res.value.dataKey)
-    // ensures res.Success? ==> res.value.commitmentKey.None?
-    // ensures res.Success? ==> suite.kdf.IDENTITY? || suite.kdf.HKDF?
-    // ensures suite.kdf.None? ==> res.Failure?
-
     //= compliance/client-apis/encrypt.txt#2.6.1
     //# The algorithm used to derive a data key from the
     //# plaintext data key MUST be the key derivation algorithm
@@ -93,7 +77,6 @@ pub(crate) async fn derive_key(
             commitment_key: None,
         }),
         DerivationAlgorithm::Hkdf(hkdf) => {
-            // let hkdf_input_builder: aws_mpl_rs::aws_cryptography_primitives::types::builders::HkdfInputBuilder = aws_mpl_rs::deps::aws_cryptography_primitives::types::HkdfInput::builder()
             let hkdf_builder = crypto
                 .hkdf()
                 .digest_algorithm(hkdf.hmac.unwrap())
@@ -174,11 +157,6 @@ pub(crate) async fn expand_key_material(
     //# algorithm-suites.md#commit-key) MUST be derived from the plaintext
     //# data key using the commit key derivation (../framework/algorithm-
     //# suites.md#algorithm-suites-commit-key-derivation-settings).
-    // ensures res.Success? ==>
-    //           && res.value.commitmentKey.Some?
-    //           && |res.value.commitmentKey.value| == suite.commitment.HKDF.outputKeyLength as nat
-
-    // ensures res.Success? ==> |res.value.dataKey|  == SerializableTypes.GetEncryptKeyLength(suite) as nat
 
     let (digest, commit_len) = match &suite.commitment.as_ref().unwrap() {
         DerivationAlgorithm::Hkdf(hkdf) => (hkdf.hmac.unwrap(), hkdf.output_key_length.unwrap()),

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/message_body.rs

@@ -151,8 +151,9 @@ pub(crate) fn read_and_decrypt_framed_message_body(
                 enc_content.len() as u64,
                 &mut aad,
             );
+            #[allow(clippy::redundant_else)]
             if enc_content.is_empty() {
-                // final frame is empty, to return last full frame
+                // final frame is empty, so return last full frame
                 let mut empty_result = Vec::new();
                 aes_decrypt(
                     alg,
@@ -163,7 +164,6 @@ pub(crate) fn read_and_decrypt_framed_message_body(
                     &aad,
                     &mut empty_result[..],
                 )?;
-                return Ok(result);
             } else {
                 // write previous frame's data, now that we know we have another frame.
                 if expected_frame != START_SEQUENCE_NUMBER {
@@ -182,8 +182,8 @@ pub(crate) fn read_and_decrypt_framed_message_body(
                     &mut result[0..enc_content.len()],
                 )?;
                 result.resize(enc_content.len(), 0);
-                return Ok(result);
             }
+            return Ok(result);
         }
         if seq_num != expected_frame {
             return Err("Sequence number out of order.".into());