(WIP)feat(HV-2): CreateKey #1349
Conversation
This reverts commit 53abc2c.
This reverts commit 35333e1.
…orHV1?" This reverts commit 1aa9758.
…e/src/ErrorMessages.dfy Co-authored-by: Tony Knapp <[email protected]>
…ow/hv-2-smithy-changes # Conflicts: # AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/GetKeys.dfy # AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/HierarchicalVersionUtils.dfy
There was a problem hiding this comment.
I think this is great progress;
we need to get some consolidation going on Monday between the various PRs to make our mile-stone.
It is too hard for me to review 48 commits of code at once;
the three of us need to work together to collapse our efforts/changes.
| @@ -57,6 +57,9 @@ module {:options "/functionSyntax:4" } KeyStoreErrorMessages { | |||
| const INVALID_HIERARCHY_VERSION := | |||
| "Invalid hierarchy version. Expected version 1 or 2." | |||
|
|
|||
| const BRANCH_KEY_MD_DIGEST_SHA_INCORRECT_LENGTH := | |||
| "Branch key + md digest sha is of incorrect length." | |||
There was a problem hiding this comment.
Blocking: No customer will know what this means.
Look at this comment on made on Rishav's PR:
#1342 (comment)
| } | ||
| var branchKeyMaterials :- Structure.ToBranchKeyMaterials( | ||
| branchKeyItemFromStorage, | ||
| plaintextBranchKey | ||
| branchKey.Plaintext.value[Structure.MD_DIGEST_LENGTH..] |
There was a problem hiding this comment.
Blocking: We need to validate the PDK is the right length before returning it.
Break the PDK out before calling Structure.ToBranchKeyMaterials.
I get that other logic in the current code path
ensures that the PDK is the right length today;
but it is fragile to assume that will always be the case.
There was a problem hiding this comment.
We need to validate the PDK is the right length before returning it.
This is done inside ValidateMdDigest because we also need valid length to validate MD Digest
There was a problem hiding this comment.
Break the PDK out before calling Structure.ToBranchKeyMaterials.
Added a TODO
There was a problem hiding this comment.
| // branchKeyItemFromStorage.EncryptionContext comes from storage is not the actual EC. | ||
| // branchKeyItemFromStorage.EncryptionContext contains all the items in the dynamodb table and table name. | ||
| var hv2EC := HierarchicalVersionUtils.GetHV2EC(branchKeyItemFromStorage.EncryptionContext); | ||
| var hv2BranchKey := Types.EncryptedHierarchicalKey( | ||
| Identifier := branchKeyItemFromStorage.Identifier, | ||
| Type := branchKeyItemFromStorage.Type, | ||
| CreateTime := branchKeyItemFromStorage.CreateTime, | ||
| KmsArn := branchKeyItemFromStorage.KmsArn, | ||
| EncryptionContext := hv2EC, | ||
| CiphertextBlob := branchKeyItemFromStorage.CiphertextBlob | ||
| ); | ||
| var branchKey: KMS.DecryptResponse :- KMSKeystoreOperations.DecryptKeyForHV2( | ||
| hv2BranchKey, | ||
| kmsConfiguration, | ||
| grantTokens, | ||
| kmsClient | ||
| ); | ||
| var validateResult := HierarchicalVersionUtils.ValidateMdDigest(branchKey.Plaintext.value, branchKeyItemFromStorage); | ||
| if (validateResult.Failure?) { | ||
| return Failure(validateResult.error); | ||
| } | ||
| var branchKeyMaterials :- Structure.ToBranchKeyMaterials( | ||
| branchKeyItemFromStorage, | ||
| branchKey.Plaintext.value[0..Structure.AES_256_LENGTH] | ||
| ); | ||
| return Success( | ||
| Types.GetBranchKeyVersionOutput( | ||
| branchKeyMaterials := branchKeyMaterials | ||
| )); |
There was a problem hiding this comment.
Blocking: This looks a lot like copy-and-paste/code duplication...
Can we make a helper method in HierarchicalVersionUtils that can be used to consolidate this?
| branchKeyItemFromStorage: Types.EncryptedHierarchicalKey | ||
| ) | ||
| returns (output: Result<(), Types.Error>) | ||
| // The plaintext should be large enough to contain both AES key and MD digest |
There was a problem hiding this comment.
| // The plaintext should be large enough to contain both AES key and MD digest | |
| // The plaintext-tuple MUST be large enough to contain both AES key and MD digest |
There was a problem hiding this comment.
| @@ -111,4 +126,59 @@ module HierarchicalVersionUtils { | |||
| assume {:axiom} fresh(Crypto) && fresh(Crypto.Modifies); | |||
| return Success(Crypto); | |||
| } | |||
|
|
|||
| method ValidateMdDigest ( | |||
| plainText: KMS.PlaintextType, | |||
There was a problem hiding this comment.
Suggestion: There are so many plain-texts in our lives;
plain-text messages/content,
plain-text data keys,
plain-text wrapping keys...
let's give this variable a little distinctiveness by calling it plainTextTuple;
we know it is the concatenation of the PDK + protected-MD-Digest;
we could call that concatenation a tuple for short (
it sort of is, sort of isn't, but I think tuple is good enough and better than plainText).
| plainText: KMS.PlaintextType, | |
| plainTextTuple: KMS.PlaintextType, |
There was a problem hiding this comment.
| @@ -111,4 +126,59 @@ module HierarchicalVersionUtils { | |||
| assume {:axiom} fresh(Crypto) && fresh(Crypto.Modifies); | |||
| return Success(Crypto); | |||
| } | |||
|
|
|||
| method ValidateMdDigest ( | |||
There was a problem hiding this comment.
OK. I think see where you are going;
you are going to replace the duplicated code in GetKeys with this method,
yes?
| @@ -718,8 +723,82 @@ module {:options "/functionSyntax:4" } KMSKeystoreOperations { | |||
|
|
|||
| } | |||
|
|
|||
| ghost predicate AwsKmsBranchKeyHV2Decryption?( | |||
| versionItem: Types.EncryptedHierarchicalKey, | |||
There was a problem hiding this comment.
Blocking/Question: I think just call this a branchKeyItem;
I do not see any reason to restrict it to just version types, as compared to branch:ACTIVE or beacon:ACTIVE.
There was a problem hiding this comment.
Need predicate needs more update. A verification is also failing. So, I just added TODO for now.
https://github.com/aws/aws-cryptographic-material-providers-library/pull/1354/files#r2011026081
Issue #, if available:
Description of changes:
Squash/merge commit message, if applicable:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.