Skip to content

refactor(dafny): BKS KMS GenerateKey to GDKWP #1463

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
texastony wants to merge 77 commits into
base: hv-2/hv-2
Choose a base branch
from
Draft

refactor(dafny): BKS KMS GenerateKey to GDKWP #1463

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
77 commits
Select commit Hold shift + click to select a range
1eaef91
chore(Java): version by properties file only
texastony Nov 14, 2024
ace69c3
fix
josecorella Mar 31, 2025
22b9ddb
m
josecorella Mar 31, 2025
e04b615
comment out rust and go
josecorella Mar 31, 2025
292a8cc
feat: Adding a storage option to the KeyStore (#594)
seebees Sep 18, 2024
f8b8ca5
polymorph
josecorella Mar 31, 2025
7179454
python poly
josecorella Mar 31, 2025
4931023
repoly correctly
josecorella Mar 31, 2025
fd58386
these dang formatters
josecorella Mar 31, 2025
459916e
chore(KSA-Model): more Mutation Operation changes (#955)
texastony Sep 18, 2024
4305f2f
fix(Mutations): KMS Exception improvements
texastony Nov 12, 2024
0bc88a2
feat(KSA): Describe Mutation
texastony Nov 13, 2024
9860108
feat(KSA): KMS Decrypt/Encrypt Strategy (#1020)
texastony Nov 25, 2024
1ec7acc
feat(KSA): System Key (#1021) (#1055)
texastony Nov 25, 2024
2c092ef
chore: percolate changes from HEAD to mutations branch
texastony Nov 26, 2024
5999314
fix(KS-Smithy): explicit error for tampered Branch Key (#1058)
texastony Nov 26, 2024
2e54e7c
chore: fix decrypt encrypt strategy (#1059)
josecorella Nov 26, 2024
30120f7
fix(KSA): Describe Mutation bugs (#1062)
texastony Nov 27, 2024
cd55b04
chore: error refinement improvements decrypt/encrypt strategy (#1061)
josecorella Nov 27, 2024
4aa0eae
fix(KSA-Dafny): break up Mutations, other fixes, more tests (#1069)
texastony Dec 2, 2024
746f5a6
fix: use correct client depending on operation (#1084)
josecorella Dec 4, 2024
413058e
test(KSA-Java): assert deletion of Index/Commitment at end of Mutatio…
texastony Dec 4, 2024
45bffda
docs: update documentation for Key Store Admin Errors (#1086)
josecorella Dec 5, 2024
fff0a99
test(KSA): Utilize Limit KMS Clients in Mutation D/E test (#1089)
texastony Dec 5, 2024
793fef9
feat(KSA): DoNotVersion for Initialize Mutation (#1082)
texastony Dec 6, 2024
adc061f
feat(KSA): require System Key + doc polish + tests (#1092)
texastony Dec 9, 2024
3dcdfdb
fix(MPL): remove un-used imports (#1103)
texastony Dec 10, 2024
a5a368d
docs(KSA): clarify mutation behvior (#1112)
texastony Dec 12, 2024
e1d7248
chore(Smithy): remove Smithy trait un-supported by Smithy-Dafny (#1134)
texastony Dec 17, 2024
84c8e5f
test: add concurrency testing for storage operations (#1132)
josecorella Dec 23, 2024
6d7da51
fix(GHW): Library Example (#1269)
texastony Jan 31, 2025
2c43f9e
fix(KeyStoreAdmin): Exceptions for Mutations when KMS Key is Disabled…
texastony Feb 16, 2025
b3157eb
chore: bring in latest main changes
josecorella Mar 31, 2025
e17db6f
chore: fix CI for HV-2 (#1353)
imabhichow Mar 25, 2025
51c7198
chore: move ProvideCryptoClient to HierarchicalVersionUtils in KeySto…
rishav-karanjit Mar 25, 2025
5e55f9c
ci(Go, Rust): disable for current HV-2 work (#1360)
texastony Mar 25, 2025
faf9622
feat(BKS & BKSA)!: Smithy Model for HV-2 (#1350)
texastony Mar 25, 2025
db67136
chore(BKS): pack & unpack plainTextTuple (#1362)
texastony Mar 26, 2025
1328a4e
chore(BKS): Add Helper functions to select KMS Encryption Context for…
imabhichow Mar 26, 2025
c35f991
chore: refactor hv1 functions and methods (#1367)
rishav-karanjit Mar 26, 2025
de7ef56
chore(bks): Add createMdDigest in hvutils (#1361)
rishav-karanjit Mar 27, 2025
9274827
chore(BKS): add decrypt hook For Hv2 (#1368)
rishav-karanjit Mar 28, 2025
18e1075
chore(dafny): Add todo for test (#1377)
rishav-karanjit Mar 31, 2025
f378730
chore(dafny): BranchKeyContext for HV-2 (#1381)
imabhichow Mar 31, 2025
b8802b9
chore(dafny): KS Refactor KeyStoreException (#1383)
imabhichow Mar 31, 2025
95c62f8
chore(dafny): BKS Encrypt Key for HV-1 & HV-2 (#1372)
imabhichow Apr 1, 2025
ef37253
chore(dafny): wire get keys with the decrypt hook (#1376)
rishav-karanjit Apr 1, 2025
8bd469d
chore(dafny): BKS Refactor GetKeys (#1389)
imabhichow Apr 2, 2025
29f7b9f
chore(dafny): add test for get keys (#1388)
rishav-karanjit Apr 3, 2025
73bb512
chore(dafny): add VerifyGetKeysFromStorage to test (#1392)
rishav-karanjit Apr 3, 2025
c5f51ab
chore(dafny): Add helper function to VerifyGetKeys (#1396)
rishav-karanjit Apr 4, 2025
545885f
feat(dafny): KSA Create Key Operation for HV-2 (#1374)
imabhichow Apr 4, 2025
8ea5cbe
test(dafny): no touching the static branch-key-id in the dev branch (…
texastony Apr 4, 2025
83211d8
test(dafny): restore static test branch key id (#1403)
texastony Apr 4, 2025
63b6409
chore(dafny): refactor HV1 MRK test to use helper methods (#1399)
rishav-karanjit Apr 5, 2025
f5f1de3
chore(dafny): KSA Add test coverage for creating a hv-2 branch key. (…
imabhichow Apr 8, 2025
6d1db95
chore: disable duvet (#1414)
texastony Apr 9, 2025
8d61b10
chore(java): create key example for HV-2 branch key (#1425)
imabhichow Apr 11, 2025
be086cd
refactor(dafny): rename BKS Error Messages class for legibility (#1429)
texastony Apr 14, 2025
999ae15
chore(dafny): Add helper method to decrypt branch key item (#1439)
rishav-karanjit Apr 14, 2025
cad6d00
chore(dafny): add checks and tests to fail on EC collision on init mu…
rishav-karanjit Apr 14, 2025
43a87ba
fix(dafny): BKSA CreateKey formal verification (#1427)
texastony Apr 15, 2025
a10d064
refactor(java): Move examples to new project to depend on ESDK (#1441)
texastony Apr 15, 2025
5fee8f0
chore(dafny): BKS HierarchyVersionToString (#1430)
texastony Apr 15, 2025
df977d3
refactor(dafny): prepare MutateItem for wiring of hv1 and hv2 (#1446)
rishav-karanjit Apr 15, 2025
e7f880c
test(dafny): BKSA errors if terminal HV is 1 (#1431)
texastony Apr 16, 2025
4d85523
feat(dafny): BKSA Mutation Commitment includes HV (#1432)
texastony Apr 16, 2025
c5d6038
chore(dafny): verify branch key item when terminal hv is 2 (#1442)
rishav-karanjit Apr 16, 2025
1b5be56
chore(dafny): add method to Mutate to HV2 without wiring (#1445)
rishav-karanjit Apr 16, 2025
354bca2
chore(dafny): refactor VersionActiveBranchKey to support multiple hi…
josecorella Apr 17, 2025
8939be9
fix(dafny): BKS Mutation Items treat `hierarchy-version` as schema ve…
texastony Apr 17, 2025
500b96d
test(dafny): ensures lying branch keys throws exception (#1422)
imabhichow Apr 17, 2025
ae81599
chore(dafny): BKSA Mutate from HV-1 to HV-2 only Simple (#1458)
texastony Apr 21, 2025
20cfd18
chore(dafny): BKSA test pre-HV-2 static branch keys for in-flight mut…
imabhichow Apr 21, 2025
49bb228
chore(dafny): move static branch keys to static key store table (#1459)
imabhichow Apr 21, 2025
4f5ed29
refactor(dafny): BKS KMS GenerateKey to GDKWP
texastony Apr 22, 2025
e0e7d99
feat(dafny): BKS KMS GenerateDataKey
texastony Apr 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
11 changes: 6 additions & 5 deletions .github/workflows/duvet.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,12 @@
# with respect to the specification
name: Duvet report

on:
pull_request:
push:
branches:
- main
# TODO-HV-2 : Re-Enable Duvet once mutations/mutations Duvet is healthy
# on:
# pull_request:
# push:
# branches:
# - main

jobs:
duvet:
Expand Down
116 changes: 116 additions & 0 deletions .github/workflows/library_concurrency_tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
# This workflow performs Concurrency tests of the MPL in Java.
name: Library Concurrency Tests

on:
workflow_call:
inputs:
dafny:
description: "The Dafny version to run"
required: true
type: string
regenerate-code:
description: "Regenerate code using smithy-dafny"
required: false
default: false
type: boolean

jobs:
generateEncryptVectors:
strategy:
matrix:
library: [AwsCryptographicMaterialProviders]
os: [
# https://taskei.amazon.dev/tasks/CrypTool-5283
# windows-latest,
ubuntu-latest,
macos-13,
]
language: [
java,
# net,
# python,
# rust
]
# https://taskei.amazon.dev/tasks/CrypTool-5284
java-versions: [8, 17]
runs-on: ${{ matrix.os }}
permissions:
id-token: write
contents: read
steps:
- name: Support longpaths on Git checkout
run: |
git config --global core.longpaths true

# Test Vectors need to call KMS
- name: Configure AWS Credentials for Tests
uses: aws-actions/configure-aws-credentials@v2
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
role-session-name: ConcurrencyTests

- uses: actions/checkout@v3
# Not all submodules are needed.
# We manually pull the submodule we DO need.
- run: git submodule update --init libraries
- run: git submodule update --init --recursive smithy-dafny

# Setup Java in Rust is needed for running polymorph
- name: Setup Java 17
if: matrix.language == 'java' || matrix.language == 'rust'
uses: actions/setup-java@v3
with:
distribution: "corretto"
java-version: 17

- name: Setup .NET Core SDK '6.0.x'
uses: actions/setup-dotnet@v3
with:
dotnet-version: "6.0.x"

- name: Setup Dafny
uses: dafny-lang/[email protected]
with:
dafny-version: ${{ inputs.dafny }}

- name: Regenerate code using smithy-dafny if necessary
if: ${{ inputs.regenerate-code }}
uses: ./.github/actions/polymorph_codegen
with:
dafny: ${{ inputs.dafny }}
library: ${{ matrix.library }}
diff-generated-code: false

# Build implementation for each runtime
- name: Build ${{ matrix.library }} implementation in Java
shell: bash
working-directory: ./${{ matrix.library }}
run: |
# This works because `node` is installed by default on GHA runners
CORES=$(node -e 'console.log(os.cpus().length)')
make build_java CORES=$CORES

- name: Setup gradle
if: matrix.language == 'java'
uses: gradle/gradle-build-action@v2
with:
gradle-version: 7.2

- name: Setup Java ${{matrix.java-versions}}
uses: actions/setup-java@v3
with:
distribution: "corretto"
java-version: ${{matrix.java-versions}}

- name: Compile Java
uses: gradle/gradle-build-action@v3
with:
arguments: build
build-root-directory: ./${{ matrix.library }}/runtimes/java

- name: Test Java
uses: gradle/gradle-build-action@v3
with:
arguments: testConcurrentExamples
build-root-directory: ./${{ matrix.library }}/runtimes/java
66 changes: 66 additions & 0 deletions .github/workflows/library_examples.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# "Copyright Amazon.com Inc. or its affiliates. All Rights Reserved."
# "SPDX-License-Identifier: CC-BY-SA-4.0"
# This workflow runs any examples.
name: Library Examples
on:
workflow_call:
inputs:
dafny:
description: "The Dafny version to run"
required: true
type: string

jobs:
java:
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: read
defaults:
run:
shell: bash
steps:
- name: Support longpaths on Git checkout
run: |
git config --global core.longpaths true
- name: Configure AWS Credentials for Tests
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-MPL-Dafny-Role-us-west-2
role-session-name: JavaExampleTests

- uses: actions/checkout@v4
- run: git submodule update --init libraries
- run: git submodule update --init smithy-dafny

- name: Setup Dafny
uses: dafny-lang/[email protected]
with:
dafny-version: ${{ inputs.dafny }}

- name: Setup Java 8
uses: actions/setup-java@v3
with:
distribution: "corretto"
java-version: 8

- name: Build AwsCryptographicMaterialProviders Java implementation
working-directory: ./AwsCryptographicMaterialProviders
run: |
# This works because `node` is installed by default on GHA runners
CORES=$(node -e 'console.log(os.cpus().length)')
make build_java CORES=$CORES
make mvn_local_deploy

- name: Test AwsCryptographicMaterialProviders Java Examples
working-directory: ./Examples
run: |
make test_java

# These tests are "flacky" and not really neccessary,
# we created them in re-action to a user error with local caches and DDB
# - name: Test AwsCryptographicMaterialProviders Java Concurrent
# working-directory: ./Examples
# run: |
# make test_java_concurrent
11 changes: 7 additions & 4 deletions .github/workflows/library_interop_tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,13 +19,15 @@ jobs:
strategy:
matrix:
library: [TestVectorsAwsCryptographicMaterialProviders]
os: [
os:
[
# https://taskei.amazon.dev/tasks/CrypTool-5283
# windows-latest,
ubuntu-22.04,
macos-13,
]
language: [java, net, rust, python, go]
#TODO add back rust and go after figuring out build failures
language: [java, net, python]
# https://taskei.amazon.dev/tasks/CrypTool-5284
dotnet-version: ["6.0.x"]
runs-on: ${{ matrix.os }}
Expand Down Expand Up @@ -214,8 +216,9 @@ jobs:
ubuntu-22.04,
macos-13,
]
encrypting_language: [java, net, rust, python, go]
decrypting_language: [java, net, rust, python, go]
#TODO add back rust and go after figuring out build failures
encrypting_language: [java, net, python]
decrypting_language: [java, net, python]
dotnet-version: ["6.0.x"]
runs-on: ${{ matrix.os }}
permissions:
Expand Down
22 changes: 12 additions & 10 deletions .github/workflows/manual.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,21 +37,23 @@ jobs:
with:
dafny: ${{ inputs.dafny }}
regenerate-code: ${{ inputs.regenerate-code }}
manual-ci-rust:
uses: ./.github/workflows/library_rust_tests.yml
with:
dafny: ${{ inputs.dafny }}
regenerate-code: ${{ inputs.regenerate-code }}
# TODO-HV-2-Rust: Removing Rust Runtimes until the underlying issue resolved.
# manual-ci-rust:
# uses: ./.github/workflows/library_rust_tests.yml
# with:
# dafny: ${{ inputs.dafny }}
# regenerate-code: ${{ inputs.regenerate-code }}
manual-ci-python:
uses: ./.github/workflows/library_python_tests.yml
with:
dafny: ${{ inputs.dafny }}
regenerate-code: ${{ inputs.regenerate-code }}
manual-ci-go:
uses: ./.github/workflows/library_go_tests.yml
with:
dafny: ${{ inputs.dafny }}
regenerate-code: ${{ inputs.regenerate-code }}
# TODO-HV-2-Go: Removing Go CI until we rebase or need it
# manual-ci-go:
# uses: ./.github/workflows/library_go_tests.yml
# with:
# dafny: ${{ inputs.dafny }}
# regenerate-code: ${{ inputs.regenerate-code }}
manual-interop-test:
uses: ./.github/workflows/library_interop_tests.yml
with:
Expand Down
32 changes: 21 additions & 11 deletions .github/workflows/pull.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,26 +29,33 @@ jobs:
uses: ./.github/workflows/library_java_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
pr-ci-net:
pr-ci-examples:
needs: getVersion
uses: ./.github/workflows/library_net_tests.yml
uses: ./.github/workflows/library_examples.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
pr-ci-rust:
pr-ci-net:
needs: getVersion
uses: ./.github/workflows/library_rust_tests.yml
uses: ./.github/workflows/library_net_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
# TODO-HV-2-Rust: Removing Rust until we rebase or need it
# pr-ci-rust:
# needs: getVersion
# uses: ./.github/workflows/library_rust_tests.yml
# with:
# dafny: ${{needs.getVersion.outputs.version}}
pr-ci-python:
needs: getVersion
uses: ./.github/workflows/library_python_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
pr-ci-go:
needs: getVersion
uses: ./.github/workflows/library_go_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
# TODO-HV-2-Go: Removing Go CI until we rebase or need it
# pr-ci-go:
# needs: getVersion
# uses: ./.github/workflows/library_go_tests.yml
# with:
# dafny: ${{needs.getVersion.outputs.version}}
pr-interop-test:
needs: getVersion
uses: ./.github/workflows/library_interop_tests.yml
Expand All @@ -66,9 +73,12 @@ jobs:
- pr-ci-java
- pr-ci-net
- pr-ci-python
- pr-ci-go
- pr-ci-rust
# TODO-HV-2-Go: Removing Go CI until we rebase or need it
# - pr-ci-go
# TODO-HV-2-Rust: Removing Rust until we rebase or need it
# - pr-ci-rust
- pr-interop-test
- pr-ci-examples
runs-on: ubuntu-22.04
steps:
- name: Verify all required jobs passed
Expand Down
22 changes: 12 additions & 10 deletions .github/workflows/push.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,21 +36,23 @@ jobs:
uses: ./.github/workflows/library_net_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
push-ci-rust:
needs: getVersion
uses: ./.github/workflows/library_rust_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
# TODO-HV-2-Rust: Removing Rust until we rebase or need it.
# push-ci-rust:
# needs: getVersion
# uses: ./.github/workflows/library_rust_tests.yml
# with:
# dafny: ${{needs.getVersion.outputs.version}}
push-ci-python:
needs: getVersion
uses: ./.github/workflows/library_python_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
push-ci-go:
needs: getVersion
uses: ./.github/workflows/library_go_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
# TODO-HV-2-Go: Removing Go CI until we rebase or need it
# push-ci-go:
# needs: getVersion
# uses: ./.github/workflows/library_go_tests.yml
# with:
# dafny: ${{needs.getVersion.outputs.version}}
pr-interop-test:
needs: getVersion
uses: ./.github/workflows/library_interop_tests.yml
Expand Down
Loading
Loading