aws · mattsb42-aws · Jul 11, 2019 · Jun 21, 2019 · Jun 21, 2019 · Jun 21, 2019
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
 boto3>=1.4.4
 cryptography>=1.8.1
-attrs>=17.4.0
+attrs>=19.1.0
 wrapt>=1.10.11
diff --git a/src/aws_encryption_sdk/exceptions.py b/src/aws_encryption_sdk/exceptions.py
@@ -53,6 +53,13 @@ class InvalidDataKeyError(AWSEncryptionSDKClientError):
     """Exception class for Invalid Data Keys."""
 
 
+class InvalidKeyringTraceError(AWSEncryptionSDKClientError):
+    """Exception class for invalid Keyring Traces.
+
+    .. versionadded:: 1.5.0
+    """
+
+
 class InvalidProviderIdError(AWSEncryptionSDKClientError):
     """Exception class for Invalid Provider IDs."""
 
@@ -73,6 +80,13 @@ class DecryptKeyError(AWSEncryptionSDKClientError):
     """Exception class for errors encountered when MasterKeys try to decrypt data keys."""
 
 
+class SignatureKeyError(AWSEncryptionSDKClientError):
+    """Exception class for errors encountered with signing or verification keys.
+
+    .. versionadded:: 1.5.0
+    """
+
+
 class ActionNotAllowedError(AWSEncryptionSDKClientError):
     """Exception class for errors encountered when attempting to perform unallowed actions."""
 

diff --git a/src/aws_encryption_sdk/identifiers.py b/src/aws_encryption_sdk/identifiers.py
@@ -328,3 +328,13 @@ class ContentAADString(Enum):
     FRAME_STRING_ID = b"AWSKMSEncryptionClient Frame"
     FINAL_FRAME_STRING_ID = b"AWSKMSEncryptionClient Final Frame"
     NON_FRAMED_STRING_ID = b"AWSKMSEncryptionClient Single Block"
+
+
+class KeyringTraceFlag(Enum):
+    """KeyRing Trace actions."""
+
+    WRAPPING_KEY_GENERATED_DATA_KEY = 1
+    WRAPPING_KEY_ENCRYPTED_DATA_KEY = 2
+    WRAPPING_KEY_DECRYPTED_DATA_KEY = 3
+    WRAPPING_KEY_SIGNED_ENC_CTX = 4
+    WRAPPING_KEY_VERIFIED_ENC_CTX = 5
diff --git a/src/aws_encryption_sdk/materials_managers/__init__.py b/src/aws_encryption_sdk/materials_managers/__init__.py
diff --git a/src/aws_encryption_sdk/structures.py b/src/aws_encryption_sdk/structures.py
@@ -11,48 +11,16 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 """Public data structures for aws_encryption_sdk."""
+import copy
+
 import attr
 import six
+from attr.validators import deep_iterable, deep_mapping, instance_of
 
-import aws_encryption_sdk.identifiers
+from aws_encryption_sdk.identifiers import Algorithm, ContentType, KeyringTraceFlag, ObjectType, SerializationVersion
 from aws_encryption_sdk.internal.str_ops import to_bytes, to_str
 
 
-@attr.s(hash=True)
-class MessageHeader(object):
-    """Deserialized message header object.
-
-    :param version: Message format version, per spec
-    :type version: aws_encryption_sdk.identifiers.SerializationVersion
-    :param type: Message content type, per spec
-    :type type: aws_encryption_sdk.identifiers.ObjectType
-    :param algorithm: Algorithm to use for encryption
-    :type algorithm: aws_encryption_sdk.identifiers.Algorithm
-    :param bytes message_id: Message ID
-    :param dict encryption_context: Dictionary defining encryption context
-    :param encrypted_data_keys: Encrypted data keys
-    :type encrypted_data_keys: set of :class:`aws_encryption_sdk.structures.EncryptedDataKey`
-    :param content_type: Message content framing type (framed/non-framed)
-    :type content_type: aws_encryption_sdk.identifiers.ContentType
-    :param bytes content_aad_length: empty
-    :param int header_iv_length: Bytes in Initialization Vector value found in header
-    :param int frame_length: Length of message frame in bytes
-    """
-
-    version = attr.ib(
-        hash=True, validator=attr.validators.instance_of(aws_encryption_sdk.identifiers.SerializationVersion)
-    )
-    type = attr.ib(hash=True, validator=attr.validators.instance_of(aws_encryption_sdk.identifiers.ObjectType))
-    algorithm = attr.ib(hash=True, validator=attr.validators.instance_of(aws_encryption_sdk.identifiers.Algorithm))
-    message_id = attr.ib(hash=True, validator=attr.validators.instance_of(bytes))
-    encryption_context = attr.ib(hash=True, validator=attr.validators.instance_of(dict))
-    encrypted_data_keys = attr.ib(hash=True, validator=attr.validators.instance_of(set))
-    content_type = attr.ib(hash=True, validator=attr.validators.instance_of(aws_encryption_sdk.identifiers.ContentType))
-    content_aad_length = attr.ib(hash=True, validator=attr.validators.instance_of(six.integer_types))
-    header_iv_length = attr.ib(hash=True, validator=attr.validators.instance_of(six.integer_types))
-    frame_length = attr.ib(hash=True, validator=attr.validators.instance_of(six.integer_types))
-
-
 @attr.s(hash=True)
 class MasterKeyInfo(object):
     """Contains information necessary to identify a Master Key.
@@ -61,8 +29,8 @@ class MasterKeyInfo(object):
     :param bytes key_info: MasterKey key_info value
     """
 
-    provider_id = attr.ib(hash=True, validator=attr.validators.instance_of((six.string_types, bytes)), converter=to_str)
-    key_info = attr.ib(hash=True, validator=attr.validators.instance_of((six.string_types, bytes)), converter=to_bytes)
+    provider_id = attr.ib(hash=True, validator=instance_of((six.string_types, bytes)), converter=to_str)
+    key_info = attr.ib(hash=True, validator=instance_of((six.string_types, bytes)), converter=to_bytes)
 
 
 @attr.s(hash=True)
@@ -74,8 +42,20 @@ class RawDataKey(object):
     :param bytes data_key: Plaintext data key
     """
 
-    key_provider = attr.ib(hash=True, validator=attr.validators.instance_of(MasterKeyInfo))
-    data_key = attr.ib(hash=True, repr=False, validator=attr.validators.instance_of(bytes))
+    key_provider = attr.ib(hash=True, validator=instance_of(MasterKeyInfo))
+    data_key = attr.ib(hash=True, repr=False, validator=instance_of(bytes))
+
+    @classmethod
+    def from_data_key(cls, data_key):
+        # type: (DataKey) -> RawDataKey
+        """Build an :class:`RawDataKey` from a :class:`DataKey`.
+
+        .. versionadded:: 1.5.0
+        """
+        if not isinstance(data_key, DataKey):
+            raise TypeError("data_key must be type DataKey not {}".format(type(data_key).__name__))
+
+        return RawDataKey(key_provider=copy.copy(data_key.key_provider), data_key=copy.copy(data_key.data_key))
 
 
 @attr.s(hash=True)
@@ -88,9 +68,9 @@ class DataKey(object):
     :param bytes encrypted_data_key: Encrypted data key
     """
 
-    key_provider = attr.ib(hash=True, validator=attr.validators.instance_of(MasterKeyInfo))
-    data_key = attr.ib(hash=True, repr=False, validator=attr.validators.instance_of(bytes))
-    encrypted_data_key = attr.ib(hash=True, validator=attr.validators.instance_of(bytes))
+    key_provider = attr.ib(hash=True, validator=instance_of(MasterKeyInfo))
+    data_key = attr.ib(hash=True, repr=False, validator=instance_of(bytes))
+    encrypted_data_key = attr.ib(hash=True, validator=instance_of(bytes))
 
 
 @attr.s(hash=True)
@@ -102,5 +82,72 @@ class EncryptedDataKey(object):
     :param bytes encrypted_data_key: Encrypted data key
     """
 
-    key_provider = attr.ib(hash=True, validator=attr.validators.instance_of(MasterKeyInfo))
-    encrypted_data_key = attr.ib(hash=True, validator=attr.validators.instance_of(bytes))
+    key_provider = attr.ib(hash=True, validator=instance_of(MasterKeyInfo))
+    encrypted_data_key = attr.ib(hash=True, validator=instance_of(bytes))
+
+    @classmethod
+    def from_data_key(cls, data_key):
+        # type: (DataKey) -> EncryptedDataKey
+        """Build an :class:`EncryptedDataKey` from a :class:`DataKey`.
+
+        .. versionadded:: 1.5.0
+        """
+        if not isinstance(data_key, DataKey):
+            raise TypeError("data_key must be type DataKey not {}".format(type(data_key).__name__))
+
+        return EncryptedDataKey(
+            key_provider=copy.copy(data_key.key_provider), encrypted_data_key=copy.copy(data_key.encrypted_data_key)
+        )
+
+
+@attr.s
+class KeyringTrace(object):
+    """Record of all actions that a KeyRing performed with a wrapping key.
+
+    .. versionadded:: 1.5.0
+
+    :param MasterKeyInfo wrapping_key: Wrapping key used
+    :param flags: Actions performed
+    :type flags: set of :class:`KeyringTraceFlag`
+    """
+
+    wrapping_key = attr.ib(validator=instance_of(MasterKeyInfo))
+    flags = attr.ib(validator=deep_iterable(member_validator=instance_of(KeyringTraceFlag)))
+
+
+@attr.s(hash=True)
+class MessageHeader(object):
+    """Deserialized message header object.
+
+    :param version: Message format version, per spec
+    :type version: SerializationVersion
+    :param type: Message content type, per spec
+    :type type: ObjectType
+    :param algorithm: Algorithm to use for encryption
+    :type algorithm: Algorithm
+    :param bytes message_id: Message ID
+    :param dict encryption_context: Dictionary defining encryption context
+    :param encrypted_data_keys: Encrypted data keys
+    :type encrypted_data_keys: set of :class:`aws_encryption_sdk.structures.EncryptedDataKey`
+    :param content_type: Message content framing type (framed/non-framed)
+    :type content_type: ContentType
+    :param bytes content_aad_length: empty
+    :param int header_iv_length: Bytes in Initialization Vector value found in header
+    :param int frame_length: Length of message frame in bytes
+    """
+
+    version = attr.ib(hash=True, validator=instance_of(SerializationVersion))
+    type = attr.ib(hash=True, validator=instance_of(ObjectType))
+    algorithm = attr.ib(hash=True, validator=instance_of(Algorithm))
+    message_id = attr.ib(hash=True, validator=instance_of(bytes))
+    encryption_context = attr.ib(
+        hash=True,
+        validator=deep_mapping(
+            key_validator=instance_of(six.string_types), value_validator=instance_of(six.string_types)
+        ),
+    )
+    encrypted_data_keys = attr.ib(hash=True, validator=deep_iterable(member_validator=instance_of(EncryptedDataKey)))
+    content_type = attr.ib(hash=True, validator=instance_of(ContentType))
+    content_aad_length = attr.ib(hash=True, validator=instance_of(six.integer_types))
+    header_iv_length = attr.ib(hash=True, validator=instance_of(six.integer_types))
+    frame_length = attr.ib(hash=True, validator=instance_of(six.integer_types))
diff --git a/test/unit/test_caches.py b/test/unit/test_caches.py
@@ -27,7 +27,7 @@
 )
 from aws_encryption_sdk.identifiers import Algorithm
 from aws_encryption_sdk.materials_managers import DecryptionMaterialsRequest, EncryptionMaterialsRequest
-from aws_encryption_sdk.structures import DataKey, MasterKeyInfo
+from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo
 
 pytestmark = [pytest.mark.unit, pytest.mark.local]
 
@@ -47,19 +47,17 @@
         },
         "encrypted_data_keys": [
             {
-                "key": DataKey(
+                "key": EncryptedDataKey(
                     key_provider=MasterKeyInfo(provider_id="this is a provider ID", key_info=b"this is some key info"),
-                    data_key=b"super secret key!",
                     encrypted_data_key=b"super secret key, now with encryption!",
                 ),
                 "hash": b"TYoFeYuxns/FBlaw4dsRDOv25OCEKuZG9iXt5iEdJ8LU7n5glgkDAVxWUEYC4JKKykJdHkaVpxcDvNqS6UswiQ==",
             },
             {
-                "key": DataKey(
+                "key": EncryptedDataKey(
                     key_provider=MasterKeyInfo(
                         provider_id="another provider ID!", key_info=b"this is some different key info"
                     ),
-                    data_key=b"better super secret key!",
                     encrypted_data_key=b"better super secret key, now with encryption!",
                 ),
                 "hash": b"wSrDlPM2ocIj9MAtD94ULSR0Qrt1muBovBDRL+DsSTNphJEM3CZ/h3OyvYL8BR2EIXx0m7GYwv8dGtyZL2D87w==",