fix(KeyStoreAdmin): Exceptions for Mutations when KMS Key is Disabled (#1235)

This addresses KMS Exceptions when the KMS Key is disabled OR when the caller does not have permission to call GenerateDataKeyWithoutPlaintext on the terminal KMS Key.

Author: texastony

AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/KMSKeystoreOperations.dfy

@@ -102,7 +102,7 @@ module {:options "/functionSyntax:4" } KMSKeystoreOperations {
     grantTokens: KMS.GrantTokenList,
     kmsClient: KMS.IKMSClient
   )
-    returns (res: Result<KMS.GenerateDataKeyWithoutPlaintextResponse, Types.Error>)
+    returns (res: Result<KMS.GenerateDataKeyWithoutPlaintextResponse, KmsError>)
     requires kmsClient.ValidState()
     requires HasKeyId(kmsConfiguration) && KmsArn.ValidKmsArn?(GetKeyId(kmsConfiguration))
     requires AttemptKmsOperation?(kmsConfiguration, encryptionContext)
@@ -145,14 +145,14 @@ module {:options "/functionSyntax:4" } KMSKeystoreOperations {
 
     :- Need(
       && generateResponse.KeyId.Some?,
-      Types.KeyStoreException(
-        message := "Invalid response from KMS GenerateDataKey:: Invalid Key Id")
+      Types.KeyManagementException(
+        message := "Invalid response from AWS KMS GenerateDataKey: Invalid Key Id")
     );
 
     :- Need(
       && generateResponse.CiphertextBlob.Some?
       && KMS.IsValid_CiphertextType(generateResponse.CiphertextBlob.value),
-      Types.KeyStoreException(
+      Types.KeyManagementException(
         message := "Invalid response from AWS KMS GenerateDataKey: Invalid ciphertext")
     );
 
@@ -278,7 +278,7 @@ module {:options "/functionSyntax:4" } KMSKeystoreOperations {
       && reEncryptResponse.SourceKeyId.value == kmsKeyArn
       && reEncryptResponse.KeyId.value == kmsKeyArn,
       Types.KeyManagementException(
-        message := "Invalid response from AWS KMS ReEncrypt:: Invalid KMS Key Id")
+        message := "Invalid response from AWS KMS ReEncrypt: Invalid KMS Key Id")
     );
 
     :- Need(
@@ -353,113 +353,12 @@ module {:options "/functionSyntax:4" } KMSKeystoreOperations {
       && decryptResponse.KeyId.Some?
       && decryptResponse.KeyId.value == kmsKeyArn,
       Types.KeyManagementException(
-        message := "Invalid response from AWS KMS Decrypt :: Invalid KMS Key Id"
+        message := "Invalid response from AWS KMS Decrypt: Invalid KMS Key Id"
       ));
 
     return Success(decryptResponse);
   }
 
-  method MutateViaDecryptEncrypt(
-    ciphertext: seq<uint8>,
-    sourceEncryptionContext: Structure.BranchKeyContext,
-    destinationEncryptionContext: Structure.BranchKeyContext,
-    sourceKmsArn: string,
-    destinationKmsArn: string,
-    decryptGrantTokens: KMS.GrantTokenList,
-    decryptKmsClient: KMS.IKMSClient,
-    encryptGrantTokens: KMS.GrantTokenList,
-    encryptKmsClient: KMS.IKMSClient
-  )
-    returns (res: Result<KMS.CiphertextType, KmsError>)
-    requires
-      && Structure.BranchKeyContext?(sourceEncryptionContext)
-      && Structure.BranchKeyContext?(destinationEncryptionContext)
-    requires AttemptReEncrypt?(sourceEncryptionContext, destinationEncryptionContext)
-    requires KmsArn.ValidKmsArn?(sourceKmsArn) && KmsArn.ValidKmsArn?(destinationKmsArn)
-    requires decryptKmsClient.Modifies !! encryptKmsClient.Modifies
-    requires decryptKmsClient.ValidState() && encryptKmsClient.ValidState()
-    modifies decryptKmsClient.Modifies + encryptKmsClient.Modifies
-    ensures  decryptKmsClient.ValidState() && encryptKmsClient.ValidState()
-    ensures
-      res.Success?
-      ==>
-        && KMS.IsValid_CiphertextType(ciphertext)
-        && |decryptKmsClient.History.Decrypt| == |old(decryptKmsClient.History.Decrypt)| + 1
-        && var decryptInput := Seq.Last(decryptKmsClient.History.Decrypt).input;
-        && var decryptOutput := Seq.Last(decryptKmsClient.History.Decrypt).output;
-        && KMS.DecryptRequest(
-             CiphertextBlob := ciphertext,
-             EncryptionContext := Some(sourceEncryptionContext),
-             GrantTokens := Some(decryptGrantTokens),
-             KeyId := Some(sourceKmsArn)
-           ) == decryptInput
-        && decryptOutput.Success? && decryptOutput.value.Plaintext.Some? && decryptOutput.value.KeyId.Some?
-        && decryptOutput.value.KeyId.value == sourceKmsArn
-        && |encryptKmsClient.History.Encrypt| == |old(encryptKmsClient.History.Encrypt)| + 1
-        && var encryptInput := Seq.Last(encryptKmsClient.History.Encrypt).input;
-        && var encryptResponse := Seq.Last(encryptKmsClient.History.Encrypt).output;
-        && KMS.EncryptRequest(
-             KeyId := destinationKmsArn,
-             Plaintext := decryptOutput.value.Plaintext.value,
-             EncryptionContext := Some(destinationEncryptionContext),
-             GrantTokens := Some(encryptGrantTokens)
-           ) == encryptInput
-        && old(encryptKmsClient.History.Encrypt) < encryptKmsClient.History.Encrypt
-        && encryptResponse.Success?
-        && encryptResponse.value.CiphertextBlob.Some?
-        && encryptResponse.value.KeyId.Some?
-        && encryptResponse.value.KeyId.value ==  destinationKmsArn // kmsKeyArn
-        && KMS.IsValid_CiphertextType(encryptResponse.value.CiphertextBlob.value)
-        && encryptResponse.value.CiphertextBlob.value == res.value
-  {
-    :- Need(
-      KMS.IsValid_CiphertextType(ciphertext),
-      Types.KeyManagementException(
-        message := "Invalid KMS ciphertext.")
-    );
-
-    var kmsDecryptRequest := KMS.DecryptRequest(
-      CiphertextBlob := ciphertext,
-      EncryptionContext := Some(sourceEncryptionContext),
-      GrantTokens := Some(decryptGrantTokens),
-      KeyId := Some(sourceKmsArn)
-    );
-
-    var decryptResponse? := decryptKmsClient.Decrypt(kmsDecryptRequest);
-    var decryptResponse :- decryptResponse?
-    .MapFailure(e => Types.ComAmazonawsKms(ComAmazonawsKms := e));
-
-    :- Need(
-      && decryptResponse.Plaintext.Some?
-      && decryptResponse.KeyId.Some?
-      && decryptResponse.KeyId.value == sourceKmsArn,
-      Types.KeyManagementException(
-        message := "Invalid response from AWS KMS Decrypt :: Invalid KMS Key Id"
-      ));
-
-    var kmsEncryptRequest := KMS.EncryptRequest(
-      KeyId := destinationKmsArn,
-      Plaintext := decryptResponse.Plaintext.value,
-      EncryptionContext := Some(destinationEncryptionContext),
-      GrantTokens := Some(encryptGrantTokens)
-    );
-
-    var encryptResponse? := encryptKmsClient.Encrypt(kmsEncryptRequest);
-    var encryptResponse :- encryptResponse?
-    .MapFailure(e => Types.ComAmazonawsKms(ComAmazonawsKms := e));
-
-    :- Need(
-      && encryptResponse.CiphertextBlob.Some?
-      && KMS.IsValid_CiphertextType(encryptResponse.CiphertextBlob.value)
-      && encryptResponse.KeyId.Some?
-      && encryptResponse.KeyId.value == destinationKmsArn,
-      Types.KeyManagementException(
-        message := "Invalid response from AWS KMS Encrypt :: Invalid KMS Key Id"
-      ));
-
-    return Success(encryptResponse.CiphertextBlob.value);
-  }
-
   method MutateViaDecryptEncryptOnInitializeMutation(
     ciphertext: seq<uint8>,
     sourceEncryptionContext: Structure.BranchKeyContext,
@@ -532,7 +431,7 @@ module {:options "/functionSyntax:4" } KMSKeystoreOperations {
       && decryptResponse.KeyId.Some?
       && decryptResponse.KeyId.value == sourceKmsArn,
       Types.KeyManagementException(
-        message := "Invalid response from AWS KMS Decrypt :: Invalid KMS Key Id"
+        message := "Invalid response from AWS KMS Decrypt: Invalid KMS Key Id"
       ));
 
     var kmsEncryptRequest := KMS.EncryptRequest(
@@ -552,7 +451,7 @@ module {:options "/functionSyntax:4" } KMSKeystoreOperations {
       && encryptResponse.KeyId.Some?
       && encryptResponse.KeyId.value == destinationKmsArn,
       Types.KeyManagementException(
-        message := "Invalid response from AWS KMS Encrypt :: Invalid KMS Key Id"
+        message := "Invalid response from AWS KMS Encrypt: Invalid KMS Key Id"
       ));
 
     return Success(encryptResponse.CiphertextBlob.value);
@@ -640,13 +539,13 @@ module {:options "/functionSyntax:4" } KMSKeystoreOperations {
       && reEncryptResponse.SourceKeyId.Some?
       && reEncryptResponse.SourceKeyId.value == sourceKmsArn,  //kmsKeyArn
       Types.KeyManagementException(
-        message := "Invalid response from KMS ReEncrypt:: Invalid Source Key Id")
+        message := "Invalid response from KMS ReEncrypt: Invalid Source Key Id")
     );
     :- Need(
       && reEncryptResponse.KeyId.Some?
       && reEncryptResponse.KeyId.value == destinationKmsArn, // kmsKeyArn,
       Types.KeyManagementException(
-        message := "Invalid response from KMS ReEncrypt:: Invalid Destination Key Id")
+        message := "Invalid response from KMS ReEncrypt: Invalid Destination Key Id")
     );
 
     :- Need(

AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStoreAdmin/src/InitializeMutation.dfy

@@ -7,6 +7,7 @@ include "KmsUtils.dfy"
 include "MutationIndexUtils.dfy"
 include "SystemKey/Handler.dfy"
 include "Mutations.dfy"
+include "MutationErrorRefinement.dfy"
 
 module {:options "/functionSyntax:4" } InternalInitializeMutation {
   // StandardLibrary Imports
@@ -33,6 +34,7 @@ module {:options "/functionSyntax:4" } InternalInitializeMutation {
   import MutationIndexUtils
   import SystemKeyHandler = SystemKey.Handler
   import Mutations
+  import MutationErrorRefinement
 
   datatype InternalInitializeMutationInput = | InternalInitializeMutationInput (
     nameonly Identifier: string ,
@@ -417,12 +419,18 @@ module {:options "/functionSyntax:4" } InternalInitializeMutation {
       grantTokens := grantTokens,
       kmsClient := kmsClient
     );
-    var wrappedDecryptOnlyBranchKey :- wrappedDecryptOnlyBranchKey?
-    .MapFailure(e => Types.Error.AwsCryptographyKeyStore(e));
+
+    if (wrappedDecryptOnlyBranchKey?.Failure?) {
+      var error := MutationErrorRefinement.GenerateNewActiveException(
+        identifier := decryptOnlyEncryptionContext[Structure.BRANCH_KEY_IDENTIFIER_FIELD],
+        kmsArn := mutationToApply.Terminal.kmsArn,
+        error := wrappedDecryptOnlyBranchKey?.error);
+      return Failure(error);
+    }
 
     var newDecryptOnly := Structure.ConstructEncryptedHierarchicalKey(
       decryptOnlyEncryptionContext,
-      wrappedDecryptOnlyBranchKey.CiphertextBlob.value
+      wrappedDecryptOnlyBranchKey?.value.CiphertextBlob.value
     );
 
     :- Need(

AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStoreAdmin/src/MutateViaDecryptEncrypt.dfy

@@ -0,0 +1,134 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+include "../Model/AwsCryptographyKeyStoreAdminTypes.dfy"
+
+module {:options "/functionSyntax:4" } MutateViaDecryptEncrypt {
+  import opened Wrappers
+  import opened UInt = StandardLibrary.UInt
+  import opened Seq
+
+  import KeyStoreTypes = AwsCryptographyKeyStoreAdminTypes.AwsCryptographyKeyStoreTypes
+  import Structure
+  import KMSKeystoreOperations
+
+  method Decrypt(
+    ciphertext: seq<uint8>,
+    encryptionContext: Structure.BranchKeyContext,
+    kmsArn: string,
+    grantTokens: KMSKeystoreOperations.KMS.GrantTokenList,
+    kmsClient: KMSKeystoreOperations.KMS.IKMSClient
+  ) returns (res: Result<KMSKeystoreOperations.KMS.PlaintextType, KMSKeystoreOperations.KmsError>)
+    requires Structure.BranchKeyContext?(encryptionContext)
+    requires KMSKeystoreOperations.KmsArn.ValidKmsArn?(kmsArn)
+    requires kmsClient.ValidState()
+    modifies kmsClient.Modifies
+    ensures kmsClient.ValidState()
+    ensures
+      res.Success?
+      ==>
+        && KMSKeystoreOperations.KMS.IsValid_CiphertextType(ciphertext)
+        && |kmsClient.History.Decrypt| == |old(kmsClient.History.Decrypt)| + 1
+        && var decryptInput := Seq.Last(kmsClient.History.Decrypt).input;
+        && var decryptOutput := Seq.Last(kmsClient.History.Decrypt).output;
+        && KMSKeystoreOperations.KMS.DecryptRequest(
+             CiphertextBlob := ciphertext,
+             EncryptionContext := Some(encryptionContext),
+             GrantTokens := Some(grantTokens),
+             KeyId := Some(kmsArn)
+           ) == decryptInput
+        && decryptOutput.Success? && decryptOutput.value.Plaintext.Some? && decryptOutput.value.KeyId.Some?
+        && decryptOutput.value.KeyId.value == kmsArn
+        && res.value == decryptOutput.value.Plaintext.value
+  {
+    :- Need(
+      KMSKeystoreOperations.KMS.IsValid_CiphertextType(ciphertext),
+      KMSKeystoreOperations.Types.KeyManagementException(
+        message := "The Branch Key's `enc` or ciphertext field is invalid."
+        + " Something must have tampered with the stored item, or the read was bad.")
+    );
+
+    var kmsDecryptRequest := KMSKeystoreOperations.KMS.DecryptRequest(
+      CiphertextBlob := ciphertext,
+      EncryptionContext := Some(encryptionContext),
+      GrantTokens := Some(grantTokens),
+      KeyId := Some(kmsArn)
+    );
+
+    var decryptResponse? := kmsClient.Decrypt(kmsDecryptRequest);
+    var decryptResponse :- decryptResponse?
+    .MapFailure(e => KMSKeystoreOperations.Types.ComAmazonawsKms(ComAmazonawsKms := e));
+
+    :- Need(
+      && decryptResponse.KeyId.Some?
+      && decryptResponse.KeyId.value == kmsArn,
+      KMSKeystoreOperations.Types.KeyManagementException(
+        message := "Invalid response from AWS KMS Decrypt: KMS Key ID of response did not match request."
+      ));
+    :- Need(
+      && decryptResponse.Plaintext.Some?
+      && KMSKeystoreOperations.KMS.IsValid_PlaintextType(decryptResponse.Plaintext.value),
+      KMSKeystoreOperations.Types.KeyManagementException(
+        message := "Invalid response from AWS KMS Decrypt: KMS response did not include plaintext."
+      ));
+    return Success(decryptResponse.Plaintext.value);
+  }
+
+  method Encrypt(
+    plaintext: KMSKeystoreOperations.KMS.PlaintextType,
+    encryptionContext: Structure.BranchKeyContext,
+    kmsArn: string,
+    grantTokens: KMSKeystoreOperations.KMS.GrantTokenList,
+    kmsClient: KMSKeystoreOperations.KMS.IKMSClient
+  ) returns (res: Result<KMSKeystoreOperations.KMS.CiphertextType, KMSKeystoreOperations.KmsError>)
+    requires Structure.BranchKeyContext?(encryptionContext)
+    requires KMSKeystoreOperations.KmsArn.ValidKmsArn?(kmsArn)
+    requires kmsClient.ValidState()
+    modifies kmsClient.Modifies
+    ensures kmsClient.ValidState()
+    ensures
+      res.Success?
+      ==>
+        && |kmsClient.History.Encrypt| == |old(kmsClient.History.Encrypt)| + 1
+        && var encryptInput := Seq.Last(kmsClient.History.Encrypt).input;
+        && var encryptResponse := Seq.Last(kmsClient.History.Encrypt).output;
+        && KMSKeystoreOperations.KMS.EncryptRequest(
+             KeyId := kmsArn,
+             Plaintext := plaintext,
+             EncryptionContext := Some(encryptionContext),
+             GrantTokens := Some(grantTokens)
+           ) == encryptInput
+        && encryptResponse.Success?
+        && encryptResponse.value.CiphertextBlob.Some?
+        && encryptResponse.value.KeyId.Some?
+        && encryptResponse.value.KeyId.value == kmsArn
+        && KMSKeystoreOperations.KMS.IsValid_CiphertextType(encryptResponse.value.CiphertextBlob.value)
+        && encryptResponse.value.CiphertextBlob.value == res.value
+  {
+    var kmsEncryptRequest := KMSKeystoreOperations.KMS.EncryptRequest(
+      KeyId := kmsArn,
+      Plaintext := plaintext,
+      EncryptionContext := Some(encryptionContext),
+      GrantTokens := Some(grantTokens)
+    );
+
+    var encryptResponse? := kmsClient.Encrypt(kmsEncryptRequest);
+    var encryptResponse :- encryptResponse?
+    .MapFailure(e => KMSKeystoreOperations.Types.ComAmazonawsKms(ComAmazonawsKms := e));
+
+    :- Need(
+      && encryptResponse.CiphertextBlob.Some?
+      && KMSKeystoreOperations.KMS.IsValid_CiphertextType(encryptResponse.CiphertextBlob.value),
+      KMSKeystoreOperations.Types.KeyManagementException(
+        message := "Invalid response from AWS KMS Encrypt: KMS response's Ciphertext is invalid."
+      )
+    );
+    :- Need(
+      && encryptResponse.KeyId.Some?
+      && encryptResponse.KeyId.value == kmsArn,
+      KMSKeystoreOperations.Types.KeyManagementException(
+        message := "Invalid response from AWS KMS Encrypt: KMS Key ID of response did not match request."
+      )
+    );
+    return Success(encryptResponse.CiphertextBlob.value);
+  }
+}