refactor(dafny): Use a Data class (Dafny Datatype) for BKs instead of a Hash map

Author: texastony

AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/PrefixUtils.dfy

@@ -0,0 +1,48 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+module {:options "/functionSyntax:4" } PrefixUtils {
+  // import opened Structure
+
+  function AddingPrefixToKeysOfMapDoesNotCreateCollisions(
+    nameonly prefix: string,
+    nameonly aMap: map<string, string>
+  ): (output: map<string, string>)
+    ensures forall k <- aMap
+              ::
+                && prefix + k in output
+                && output[prefix + k] == aMap[k]
+  {
+    // Dafny needs some help.
+    // Adding a fixed string
+    // will not make any of the keys collide.
+    // However, this leaks a lot of complexity.
+    // This is why the function is now opaque.
+    // Otherwise things timeout
+    assert forall k <- aMap.Keys
+        ::
+          k == (prefix + k)[|prefix|..];
+
+    map k <- aMap :: prefix + k := aMap[k]
+  }
+
+  opaque function FilterMapForKeysThatDoNotBeginWithPrefix (
+    nameonly prefix: string,
+    nameonly aMap: map<string, string>
+  ): (output: map<string, string>)
+    ensures forall k <- output
+              ::
+                && !( prefix < k)
+                && k in aMap
+                && output[k] == aMap[k]
+  {
+    var filteredKeys
+      :=
+      set k <- aMap
+          | !(prefix < k)
+        ::
+          k;
+    map i <- filteredKeys :: i := aMap[i]
+  }
+
+}

AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/Structure.dfy

@@ -3,6 +3,7 @@
 
 include "../Model/AwsCryptographyKeyStoreTypes.dfy"
 include "../../../dafny/AwsCryptographicMaterialProviders/src/AwsArnParsing.dfy"
+include "./PrefixUtils.dfy"
 
 module {:options "/functionSyntax:4" } Structure {
   import opened Wrappers
@@ -14,27 +15,135 @@ module {:options "/functionSyntax:4" } Structure {
   import UTF8
   import AwsArnParsing
   import KmsArn
+  import PrefixUtils
 
   const BRANCH_KEY_IDENTIFIER_FIELD := "branch-key-id"
   const TYPE_FIELD := "type"
   const KEY_CREATE_TIME := "create-time"
   const HIERARCHY_VERSION := "hierarchy-version"
   const TABLE_FIELD := "tablename"
   const KMS_FIELD := "kms-arn"
-
   const BRANCH_KEY_FIELD := "enc"
   const BRANCH_KEY_ACTIVE_VERSION_FIELD := "version"
 
+  const BRANCH_KEY_RESTRICTED_FIELD_NAMES := {
+    BRANCH_KEY_IDENTIFIER_FIELD,
+    TYPE_FIELD,
+    KEY_CREATE_TIME,
+    HIERARCHY_VERSION,
+    TABLE_FIELD,
+    KMS_FIELD,
+    BRANCH_KEY_FIELD,
+    BRANCH_KEY_ACTIVE_VERSION_FIELD
+  }
+
   const BRANCH_KEY_TYPE_PREFIX := "branch:version:"
   const BRANCH_KEY_ACTIVE_TYPE := "branch:ACTIVE"
   const BEACON_KEY_TYPE_VALUE := "beacon:ACTIVE"
   const ENCRYPTION_CONTEXT_PREFIX := "aws-crypto-ec:"
+  const HIERARCHY_VERSION_VALUE_1 := "1"
+
+  type ValidBKType = s: string | ValidBKType?(s) witness *
+  predicate ValidBKType?(s: string) {
+    || BRANCH_KEY_TYPE_PREFIX < s
+    || s == BRANCH_KEY_ACTIVE_TYPE
+    || s == BEACON_KEY_TYPE_VALUE
+  }
+
+  lemma NoRestrictedAttributeNameStartsWithPrefix()
+    ensures (
+              forall
+                reserved <- BRANCH_KEY_RESTRICTED_FIELD_NAMES
+                ::
+                  !( ENCRYPTION_CONTEXT_PREFIX <= reserved) //&& !(ENCRYPTION_CONTEXT_PREFIX < reserved)
+            )
+  {
+    HierarchyVersionIsNotPrefixed();
+  }
+
+  lemma HierarchyVersionIsNotPrefixed()
+    ensures ENCRYPTION_CONTEXT_PREFIX[0] == 'a'
+            && HIERARCHY_VERSION[0] == 'h'
+            && "a" != "h"
+  {}
+
+  type PrefixedEncryptionContext = m: map<string, string> | PrefixedEncryptionContext?(m) witness *
+  predicate PrefixedEncryptionContext?(
+    m: map<string, string>
+  ): (output: bool)
+    ensures output ==> m.Keys !! BRANCH_KEY_RESTRICTED_FIELD_NAMES
+  {
+    NoRestrictedAttributeNameStartsWithPrefix();
+    && forall k :: k in m.Keys ==> ENCRYPTION_CONTEXT_PREFIX <= k
+  }
+
+  predicate StringIsValidHierarchyVersion?(version: string)
+  {
+    version == HIERARCHY_VERSION_VALUE_1
+  }
+
+  function HierarchyVersionToString(
+    version: Types.HierarchyVersion
+  ): (output: string)
+    ensures StringIsValidHierarchyVersion?(output)
+    ensures StringToHierarchyVersion(output) == version
+  {
+    match version {
+      case v1 => HIERARCHY_VERSION_VALUE_1
+    }
+  }
+
+  function StringToHierarchyVersion(
+    version: string
+  ): (output: Types.HierarchyVersion)
+    requires StringIsValidHierarchyVersion?(version)
+    ensures version == HIERARCHY_VERSION_VALUE_1 ==> output.v1?
+  {
+    Types.HierarchyVersion.v1
+  }
+
+  lemma HierarchyVersionRoundTrip(version: Types.HierarchyVersion)
+    ensures StringToHierarchyVersion(HierarchyVersionToString(version)) == version
+  {}
 
   //= aws-encryption-sdk-specification/framework/branch-key-store.md#custom-encryption-context
   //= type=exception
   //# Across all versions of a Branch Key, the custom encryption context MUST be equal.
   // At this time, we have no operation that reads all the records of a Branch Key ID.
 
+  datatype BranchKey = | BranchKeyContext (
+    nameonly branchKeyId: Types.BranchKeyIdentifier,
+    nameonly version: Types.Utf8Bytes,
+    nameonly encryptionContext: Types.EncryptionContext,
+    nameonly prefixedEncryptionContext: PrefixedEncryptionContext,
+    nameonly kmsArn: KMS.KeyIdType,
+    nameonly createTime: Types.CreateTime,
+    nameonly hierarchyVersion: Types.HierarchyVersion,
+    nameonly bkType: ValidBKType
+  ) {
+    predicate IsValid()
+    {
+      && KMS.IsValid_KeyIdType(kmsArn)
+      && (SequenceIsSafeBecauseItIsInMemory(branchKeyId); 0 < |branchKeyId| as uint64)
+      && (SequenceIsSafeBecauseItIsInMemory(bkType); 0 < |bkType| as uint64)
+         // TODO: Timestamp length is deterministic, we should require the length be exact
+      && (SequenceIsSafeBecauseItIsInMemory(createTime); 0 < |createTime| as uint64)
+      && ValidBKType?(bkType)
+    }
+    predicate IsDecryptOnly()
+      requires IsValid()
+    {
+      BRANCH_KEY_TYPE_PREFIX < bkType
+    }
+    predicate IsActive()
+      requires IsValid()
+    {
+      BRANCH_KEY_ACTIVE_TYPE == bkType
+    }
+    /* function AsStringMap(): (bkc: map<string, string>)
+      requires IsValid() */
+  }
+
   type BranchKeyContext = m: map<string, string> | BranchKeyContext?(m) witness *
   predicate BranchKeyContext?(m: map<string, string>) {
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#encryption-context
@@ -52,7 +161,7 @@ module {:options "/functionSyntax:4" } Structure {
        //= aws-encryption-sdk-specification/framework/branch-key-store.md#encryption-context
        //= type=implication
        //# - MUST have a `hierarchy-version`
-    && (HIERARCHY_VERSION in m)
+    && (HIERARCHY_VERSION in m && StringIsValidHierarchyVersion?(m[HIERARCHY_VERSION]))
        //= aws-encryption-sdk-specification/framework/branch-key-store.md#encryption-context
        //= type=implication
        //# - MUST have a `tablename` attribute to store the logicalKeyStoreName
@@ -239,7 +348,7 @@ module {:options "/functionSyntax:4" } Structure {
         encryptionContext := customEncryptionContext,
         kmsArn := branchKeyContext[KMS_FIELD],
         createTime := branchKeyContext[KEY_CREATE_TIME],
-        hierarchyVersion := branchKeyContext[HIERARCHY_VERSION]
+        hierarchyVersion := StringToHierarchyVersion(branchKeyContext[HIERARCHY_VERSION])
       ))
   }
 
@@ -306,7 +415,7 @@ module {:options "/functionSyntax:4" } Structure {
     Success(map i <- encodedEncryptionContext :: i.0.value := i.1.value)
   }
 
-  opaque function DecryptOnlyBranchKeyEncryptionContext(
+  function DecryptOnlyBranchKeyEncryptionContext(
     branchKeyId: string,
     branchKeyVersion: string,
     timestamp: string,
@@ -416,6 +525,7 @@ module {:options "/functionSyntax:4" } Structure {
     && TYPE_FIELD in m && m[TYPE_FIELD].S?
     && KEY_CREATE_TIME in m && m[KEY_CREATE_TIME].S?
     && HIERARCHY_VERSION in m && m[HIERARCHY_VERSION].N?
+    && StringIsValidHierarchyVersion?(m[HIERARCHY_VERSION].N)
     && TABLE_FIELD !in m
     && KMS_FIELD in m && m[KMS_FIELD].S? && KMS.IsValid_KeyIdType(m[KMS_FIELD].S)
     && BRANCH_KEY_FIELD in m && m[BRANCH_KEY_FIELD].B?