
chore(java): demo hv-2 does not send prefixed EC in examples #1529


Open
wants to merge 11 commits into
base: hv-2/hv-2
from


rishav-karanjit
Member

Issue #, if available:

Description of changes:

  • This is also like a test

Squash/merge commit message, if applicable:

<type>(dafny/java/python/dotnet/go/rust): <description>

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@rishav-karanjit rishav-karanjit marked this pull request as ready for review May 19, 2025 23:59
@rishav-karanjit rishav-karanjit requested a review from a team as a code owner May 19, 2025 23:59
Contributor

@texastony texastony left a comment


This is really good, but let's simplify the CreateKey example and retain this integ test, by moving the integ test to the test directory.

Comment on lines 104 to 134
// HV2 sends the encryption context without any transformation.
// We have a kms key `Fixtures.KMS_KEY_FOR_HV2_ONLY`, that requires EC to be exactly {"Robbie": "Is a Dog."} in its key policy.
// For demostration, we will create a key with a different EC then the one that is expected and see it fail.
final Map<String, String> encryptionContextFailingCase =
Collections.singletonMap("I", "am not a Dog.");
boolean exceptionThrown = false;
try {
_admin
.CreateKey(
CreateKeyInput
.builder()
// This is the KMS ARN that will be used to protect the Branch Key.
// It is a required argument.
.KmsArn(KmsSymmetricKeyArn.builder().KmsKeyArn(kmsKeyArn).build())
// If you need to specify the Identifier for a Branch Key, you may.
// This is an optional argument.
.Identifier(branchKeyId)
// If a branch key Identifier is provided,
// custom encryption context MUST be provided as well.
.EncryptionContext(encryptionContextFailingCase)
// The Branch Key Store Admin can create HV-1 or HV-2 Branch Keys
.HierarchyVersion(_hierarchyVersion)
// But the Strategy MUST support the Hierarchy Version
.Strategy(strategy)
.build()
)
.Identifier();
} catch (KmsException e) {
exceptionThrown = true;
}
assert exceptionThrown;
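
Review bot: the closing `assert exceptionThrown;` is a Java language assertion, which is a no-op unless the JVM is started with `-ea`, so this negative case can pass even when `CreateKey` succeeds with the mismatched encryption context; fail explicitly instead (throw, or use the test framework's expected-exception assertion). The `catch (KmsException e)` also accepts any KMS service error, so an unrelated failure would be counted as the key policy rejecting `{"I": "am not a Dog."}`; check that the caught exception is the denial the key policy is expected to produce. In the leading comment, "demostration" and "then the one" should read "demonstration" and "than the one".
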
Contributor


Blocking: Just move all of this to a Test.
Do not keep it in line with the examples, that confuses customers, and complicates this CreateKey method that we use throughout the Example Testing.
