chore(testvector): Make testvectors run with MKP (#281)

rishav-karanjit · web-flow · commit f0205ebee60e · 2025-02-19T16:10:53.000-08:00
diff --git a/.github/workflows/library_interop_test_vectors.yml b/.github/workflows/library_interop_test_vectors.yml
@@ -25,7 +25,7 @@ jobs:
             ubuntu-22.04,
             macos-13,
           ]
-        language: [java, net, rust, python]
+        language: [java_mkp, java_keyrings, net, rust, python_mkp, python_keyrings]
         # https://taskei.amazon.dev/tasks/CrypTool-5284
         dotnet-version: ["6.0.x"]
     runs-on: ${{ matrix.os }}
@@ -63,14 +63,14 @@ jobs:
 
       # Setup Java in Rust is needed for running polymorph
       - name: Setup Java 17
-        if: matrix.language == 'java' || matrix.language == 'rust'
+        if: matrix.language == 'java_mkp' || matrix.language == 'java_keyrings' || matrix.language == 'rust'
         uses: actions/setup-java@v3
         with:
           distribution: "corretto"
           java-version: 17
 
       - name: Setup Python for running tests
-        if: matrix.language == 'python'
+        if: matrix.language == 'python_mkp' || matrix.language == 'python_keyrings'
         uses: actions/setup-python@v4
         with:
           python-version: 3.11
@@ -121,7 +121,7 @@ jobs:
 
       # Build implementation for each runtime
       - name: Build ${{ matrix.library }} implementation in Java
-        if: matrix.language == 'java'
+        if: matrix.language == 'java_mkp' || matrix.language == 'java_keyrings'
         shell: bash
         working-directory: ./${{ matrix.library }}
         run: |
@@ -158,7 +158,7 @@ jobs:
           make transpile_rust CORES=$CORES
 
       - name: Build ${{ matrix.library }} implementation in Python
-        if: matrix.language == 'python'
+        if: matrix.language == 'python_keyrings' || matrix.language == 'python_mkp'
         shell: bash
         working-directory: ./${{ matrix.library }}
         run: |
@@ -184,7 +184,7 @@ jobs:
           make purge_polymorph_code
 
       - name: Setup gradle
-        if: matrix.language == 'java'
+        if: matrix.language == 'java_mkp' || matrix.language == 'java_keyrings'
         uses: gradle/gradle-build-action@v2
         with:
           gradle-version: 7.2
@@ -218,8 +218,8 @@ jobs:
             ubuntu-22.04,
             macos-13,
           ]
-        encrypting_language: [java, net, rust, python]
-        decrypting_language: [java, net, rust, python]
+        encrypting_language: [java_mkp, java_keyrings, net, rust, python_mkp, python_keyrings]
+        decrypting_language: [java_mkp, java_keyrings, net, rust, python_mkp, python_keyrings]
         # https://taskei.amazon.dev/tasks/CrypTool-5284
         dotnet-version: ["6.0.x"]
     runs-on: ${{ matrix.os }}
@@ -258,14 +258,14 @@ jobs:
 
       # Setup Java in Rust is needed for running polymorph
       - name: Setup Java 17
-        if: matrix.decrypting_language == 'java' || matrix.decrypting_language == 'rust'
+        if: matrix.decrypting_language == 'java_mkp' || matrix.decrypting_language == 'java_keyrings' || matrix.decrypting_language == 'rust'
         uses: actions/setup-java@v3
         with:
           distribution: "corretto"
           java-version: 17
 
       - name: Setup Python for running tests
-        if: matrix.decrypting_language == 'python'
+        if: matrix.decrypting_language == 'python_mkp' || matrix.decrypting_language == 'python_keyrings'
         uses: actions/setup-python@v4
         with:
           python-version: 3.11
@@ -316,7 +316,7 @@ jobs:
 
       # Build implementation for each runtime
       - name: Build ${{ matrix.library }} implementation in Java
-        if: matrix.decrypting_language == 'java'
+        if: matrix.decrypting_language == 'java_mkp' || matrix.decrypting_language == 'java_keyrings'
         working-directory: ./${{ matrix.library }}
         shell: bash
         run: |
@@ -370,7 +370,7 @@ jobs:
           make purge_polymorph_code
 
       - name: Build ${{ matrix.library }} implementation in Python
-        if: matrix.decrypting_language == 'python'
+        if: matrix.decrypting_language == 'python_mkp' || matrix.decrypting_language == 'python_keyrings'
         shell: bash
         working-directory: ./${{ matrix.library }}
         run: |
@@ -385,4 +385,4 @@ jobs:
 
       - name: Decrypt Encrypt Manifest
         working-directory: ./${{ matrix.library }}
-        run: make test_decrypt_encrypt_vectors_${{matrix.decrypting_language}}
+        run: make test_decrypt_encrypt_vectors_${{matrix.decrypting_language}}
diff --git a/TestVectors/Makefile b/TestVectors/Makefile
@@ -177,6 +177,10 @@ test_generate_vectors_java:
 	gradle -p runtimes/java run --args="encrypt-manifest --encrypt-manifest-output ."
 	gradle -p runtimes/java copyKeysJSONCurr
 
+test_generate_vectors_java_mkp: test_generate_vectors_java
+
+test_generate_vectors_java_keyrings: test_generate_vectors_java
+
 test_generate_vectors_net: FRAMEWORK=net6.0
 test_generate_vectors_net:
 	dotnet restore runtimes/net
@@ -199,7 +203,14 @@ test_generate_vectors_python:
 	python3 -m tox -c runtimes/python --verbose -e cli -- encrypt-manifest --encrypt-manifest-output runtimes/python
 	cp dafny/TestVectors/test/keys.json runtimes/python
 
-test_encrypt_vectors_java:
+test_generate_vectors_python_mkp: test_generate_vectors_python
+
+test_generate_vectors_python_keyrings: test_generate_vectors_python
+
+test_encrypt_vectors_java_mkp:
+	gradle -p runtimes/java run --args="encrypt --manifest-path . --decrypt-manifest-path ."
+
+test_encrypt_vectors_java_keyrings:
 	gradle -p runtimes/java run --args="encrypt --manifest-path . --decrypt-manifest-path ."
 
 test_encrypt_vectors_net: FRAMEWORK=net6.0
@@ -216,11 +227,18 @@ test_encrypt_vectors_rust:
 test_encrypt_vectors_go:
 	go -C runtimes/go/ImplementationFromDafny-go run ImplementationFromDafny.go encrypt --manifest-path=.. --decrypt-manifest-path=..
 
-test_encrypt_vectors_python:
+test_encrypt_vectors_python_keyrings:
 	rm -rf runtimes/python/.tox
 	python3 -m tox -c runtimes/python --verbose -e cli -- encrypt --manifest-path runtimes/python --decrypt-manifest-path runtimes/python
 
-test_decrypt_encrypt_vectors_java:
+test_encrypt_vectors_python_mkp:
+	rm -rf runtimes/python/.tox
+	python3 -m tox -c runtimes/python --verbose -e cli -- encrypt --manifest-path runtimes/python --decrypt-manifest-path runtimes/python MASTERKEY
+
+test_decrypt_encrypt_vectors_java_mkp:
+	gradle -p runtimes/java run --args="decrypt --manifest-path . --manifest-name decrypt-manifest.json"
+
+test_decrypt_encrypt_vectors_java_keyrings:
 	gradle -p runtimes/java run --args="decrypt --manifest-path . --manifest-name decrypt-manifest.json"
 
 test_decrypt_encrypt_vectors_net: FRAMEWORK=net6.0
@@ -247,10 +265,14 @@ test_decrypt_encrypt_vectors_rust:
 test_decrypt_encrypt_vectors_go:
 	go -C runtimes/go/ImplementationFromDafny-go run ImplementationFromDafny.go decrypt --manifest-path=.. --manifest-name=decrypt-manifest.json
 
-test_decrypt_encrypt_vectors_python:
+test_decrypt_encrypt_vectors_python_keyrings:
 	rm -rf runtimes/python/.tox
 	python3 -m tox -c runtimes/python --verbose -e cli -- decrypt --manifest-path runtimes/python --manifest-name decrypt-manifest.json
 
+test_decrypt_encrypt_vectors_python_mkp:
+	rm -rf runtimes/python/.tox
+	python3 -m tox -c runtimes/python --verbose -e cli -- decrypt --manifest-path runtimes/python --manifest-name decrypt-manifest.json MASTERKEY
+
 _polymorph_dependencies:
 	@echo "No polymorphing of dependency"
 
@@ -285,4 +307,4 @@ PYTHON_DEPENDENCY_MODULE_NAMES := \
         --dependency-library-name=aws.cryptography.keyStore=aws_cryptographic_material_providers \
         --dependency-library-name=smithy.api=aws_cryptographic_material_providers \
         --dependency-library-name=aws.cryptography.materialProvidersTestVectorKeys=aws_cryptographic_material_providers_test_vectors \
-        --dependency-library-name=aws.cryptography.encryptionSdk=aws_encryption_sdk_dafny
+        --dependency-library-name=aws.cryptography.encryptionSdk=aws_encryption_sdk_dafny
diff --git a/TestVectors/runtimes/python/src/aws_encryption_sdk_test_vectors/internaldafny/extern/keyring_to_mkp.py b/TestVectors/runtimes/python/src/aws_encryption_sdk_test_vectors/internaldafny/extern/keyring_to_mkp.py
@@ -0,0 +1,140 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider
+from aws_encryption_sdk.identifiers import EncryptionKeyType, WrappingAlgorithm
+from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey
+from aws_encryption_sdk.internal.str_ops import to_str
+from aws_cryptographic_material_providers.internaldafny.generated.RawAESKeyring import RawAESKeyring
+from aws_cryptographic_material_providers.internaldafny.generated.AwsKmsKeyring import AwsKmsKeyring
+from aws_cryptographic_material_providers.internaldafny.generated.AwsKmsMrkKeyring import AwsKmsMrkKeyring
+from aws_cryptographic_material_providers.internaldafny.generated.AwsKmsDiscoveryKeyring import AwsKmsDiscoveryKeyring
+from aws_cryptographic_material_providers.internaldafny.generated.AwsKmsMrkDiscoveryKeyring import AwsKmsMrkDiscoveryKeyring
+from aws_encryption_sdk.key_providers.kms import (
+    MRKAwareDiscoveryAwsKmsMasterKeyProvider,
+    MRKAwareStrictAwsKmsMasterKeyProvider,
+)
+import aws_cryptographic_material_providers.smithygenerated.aws_cryptography_materialproviders.dafny_to_smithy
+import aws_encryption_sdk
+class StaticMasterKeyProvider(RawMasterKeyProvider):
+    """Generates 256-bit keys for each unique key ID."""
+
+    def __init__(self, **kwargs):  # pylint: disable=unused-argument
+        """Initialize empty map of keys."""
+        self._static_keys = {}
+        self.provider_id = ""
+
+    @property
+    def static_keys(self):
+        return self._static_keys
+    
+    # The key namespace in the Raw keyrings is equivalent to Provider ID (or Provider) field
+    # in the Raw Master Key Providers
+    @property
+    def provider_id(self):
+        return self._provider_id
+    
+    @property
+    def wrapping_key_type(self):
+        return self._wrapping_key_type
+    
+    @property
+    def wrapping_algorithm(self):
+        return self._wrapping_algorithm
+    
+    @provider_id.setter
+    def provider_id(self, value):
+        self._provider_id = value
+    
+    @static_keys.setter
+    def static_keys(self, static_key_dict):
+        self._static_keys = static_key_dict
+        
+    @wrapping_key_type.setter
+    def wrapping_key_type(self, wrapping_key_type):
+        self._wrapping_key_type = wrapping_key_type
+
+    @wrapping_key_type.setter
+    def wrapping_algorithm(self, wrapping_algorithm):
+        self._wrapping_algorithm = wrapping_algorithm
+
+    def _get_raw_key(self, key_id):
+        """Returns a static, symmetric key for the specified key ID.
+
+        :param str key_id: Key ID
+        :returns: Wrapping key that contains the specified static key
+        :rtype: :class:`aws_encryption_sdk.internal.crypto.WrappingKey`
+        """
+        static_key = self._static_keys[to_str(key_id)] # add_master_key changes it to bytes and we have to use internal to_str
+        return WrappingKey(
+            wrapping_algorithm=self._wrapping_algorithm,
+            wrapping_key=static_key,
+            wrapping_key_type=self._wrapping_key_type,
+        )
+    
+def create_raw_aes_key_provider(key_name, key_namespace, key):
+    # Create a Raw AES master key provider.
+
+    # The key name in the Raw keyrings is equivalent to the Key ID field
+    # in the Raw Master Key Providers
+    key_id = key_name
+    static_key_map = {key_id: key} 
+    key_provider = StaticMasterKeyProvider()
+    key_provider.static_keys = static_key_map
+    key_provider.provider_id = key_namespace
+    key_provider.wrapping_key_type = EncryptionKeyType.SYMMETRIC
+    key_provider.wrapping_algorithm = WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING
+    key_provider.add_master_key(key_name)
+
+    return key_provider
+
+def keyring_to_mkp(keyring):
+    if (isinstance(keyring, RawAESKeyring)):
+        mkp_key_id = bytes(keyring.wrappingKey)
+        # The key name in the Raw keyrings is equivalent to the Key ID field
+        # in the Raw Master Key Providers
+        mkp_key = b"".join(
+                ord(chr(c)).to_bytes(2, "big") for c in keyring.keyName
+            ).decode("utf-16-be")
+        mkpProvider_id = b"".join(
+            ord(chr(c)).to_bytes(2, "big") for c in keyring.keyNamespace
+        ).decode("utf-16-be")
+        return create_raw_aes_key_provider(mkp_key, mkpProvider_id, mkp_key_id)
+    
+    if (isinstance(keyring, AwsKmsKeyring)):
+        aws_kms_arn = string_to_native(keyring.awsKmsKey)
+        return aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
+            aws_kms_arn,
+        ])
+    
+    if (isinstance(keyring, AwsKmsMrkKeyring)):
+        aws_kms_arn = string_to_native(keyring.awsKmsKey)
+        kwargs = dict(key_ids=[aws_kms_arn])
+        return MRKAwareStrictAwsKmsMasterKeyProvider(**kwargs)
+    
+    if (isinstance(keyring, AwsKmsDiscoveryKeyring)):
+        if keyring.discoveryFilter.is_Some:
+            discovery_filter = aws_cryptographic_material_providers.smithygenerated.aws_cryptography_materialproviders.dafny_to_smithy.aws_cryptography_materialproviders_DiscoveryFilter(
+                keyring.discoveryFilter.UnwrapOr(None)
+            )
+            kwargs = dict(discovery_filter=discovery_filter)
+            aws_encryption_sdk.DiscoveryAwsKmsMasterKeyProvider(**kwargs)
+        return aws_encryption_sdk.DiscoveryAwsKmsMasterKeyProvider()
+    
+    if (isinstance(keyring, AwsKmsMrkDiscoveryKeyring)):
+        region = string_to_native(keyring.region)
+        if keyring.discoveryFilter.is_Some:
+            discovery_filter = aws_cryptographic_material_providers.smithygenerated.aws_cryptography_materialproviders.dafny_to_smithy.aws_cryptography_materialproviders_DiscoveryFilter(
+                keyring.discoveryFilter.UnwrapOr(None)
+            )
+            kwargs = dict(discovery_filter=discovery_filter, discovery_region=region)
+            aws_encryption_sdk.MRKAwareDiscoveryAwsKmsMasterKeyProvider(**kwargs)
+        kwargs = dict(discovery_region=region)
+        return MRKAwareDiscoveryAwsKmsMasterKeyProvider(**kwargs)
+    raise ValueError("No keyring matched to convert to MKP. Input keyring type: "+ str(type(keyring)))
+    
+
+def string_to_native(arn):
+    return b"".join(
+        ord(c).to_bytes(2, "big") for c in arn
+    ).decode("utf-16-be")
diff --git a/TestVectors/runtimes/python/src/aws_encryption_sdk_test_vectors/internaldafny/extern/wrapped_esdk.py b/TestVectors/runtimes/python/src/aws_encryption_sdk_test_vectors/internaldafny/extern/wrapped_esdk.py
