Skip to content

Commit 8cf61b7

Browse files
texastonytexastony
committed
feat(Dafny): Include KMS ARN, Create Time, and Hierarchy Version in Materials
1 parent 9845399 commit 8cf61b7

File tree

1 file changed

+26
-22
lines changed
  • AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src

1 file changed

+26
-22
lines changed

AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/Structure.dfy

Lines changed: 26 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -160,16 +160,16 @@ module {:options "/functionSyntax:4" } Structure {
160160
}
161161

162162
function ToBranchKeyMaterials(
163-
encryptionContext: BranchKeyContext,
163+
branchKeyContext: BranchKeyContext,
164164
plaintextKey: seq<uint8>
165165
): (output: Result<Types.BranchKeyMaterials, Types.Error>)
166166

167167
//= aws-encryption-sdk-specification/framework/branch-key-store.md#branch-key-materials-from-authenticated-encryption-context
168168
//= type=implication
169169
//# The `type` attribute MUST either be equal to `"branch:ACTIVE"` or start with `"branch:version:"`.
170170
requires
171-
|| encryptionContext[TYPE_FIELD] == BRANCH_KEY_ACTIVE_TYPE
172-
|| BRANCH_KEY_TYPE_PREFIX < encryptionContext[TYPE_FIELD]
171+
|| branchKeyContext[TYPE_FIELD] == BRANCH_KEY_ACTIVE_TYPE
172+
|| BRANCH_KEY_TYPE_PREFIX < branchKeyContext[TYPE_FIELD]
173173

174174
ensures output.Success?
175175
==>
@@ -180,21 +180,21 @@ module {:options "/functionSyntax:4" } Structure {
180180
//= aws-encryption-sdk-specification/framework/branch-key-store.md#branch-key-materials-from-authenticated-encryption-context
181181
//= type=implication
182182
//# - [Branch Key Id](./structures.md#branch-key-id) MUST be the `branch-key-id`
183-
&& output.value.branchKeyIdentifier == encryptionContext[BRANCH_KEY_IDENTIFIER_FIELD]
183+
&& output.value.branchKeyIdentifier == branchKeyContext[BRANCH_KEY_IDENTIFIER_FIELD]
184184

185185
&& var versionInformation
186-
:= if BRANCH_KEY_ACTIVE_VERSION_FIELD in encryptionContext then
186+
:= if BRANCH_KEY_ACTIVE_VERSION_FIELD in branchKeyContext then
187187
//= aws-encryption-sdk-specification/framework/branch-key-store.md#branch-key-materials-from-authenticated-encryption-context
188188
//= type=implication
189189
//# If the `type` attribute is equal to `"branch:ACTIVE"`
190190
//# then the authenticated encryption context MUST have a `version` attribute
191191
//# and the version string is this value.
192-
encryptionContext[BRANCH_KEY_ACTIVE_VERSION_FIELD]
192+
branchKeyContext[BRANCH_KEY_ACTIVE_VERSION_FIELD]
193193
else
194194
//= aws-encryption-sdk-specification/framework/branch-key-store.md#branch-key-materials-from-authenticated-encryption-context
195195
//= type=implication
196196
//# If the `type` attribute start with `"branch:version:"` then the version string MUST be equal to this value.
197-
encryptionContext[TYPE_FIELD];
197+
branchKeyContext[TYPE_FIELD];
198198
//= aws-encryption-sdk-specification/framework/branch-key-store.md#branch-key-materials-from-authenticated-encryption-context
199199
//= type=implication
200200
//# - [Branch Key Version](./structures.md#branch-key-version)
@@ -210,33 +210,37 @@ module {:options "/functionSyntax:4" } Structure {
210210
//= type=implication
211211
//# - [Encryption Context](./structures.md#encryption-context-3) MUST be constructed by
212212
//# [Custom Encryption Context From Authenticated Encryption Context](#custom-encryption-context-from-authenticated-encryption-context)
213-
&& ExtractCustomEncryptionContext(encryptionContext).Success?
214-
&& output.value.encryptionContext == ExtractCustomEncryptionContext(encryptionContext).value
213+
&& ExtractCustomEncryptionContext(branchKeyContext).Success?
214+
&& output.value.encryptionContext == ExtractCustomEncryptionContext(branchKeyContext).value
215215

216216
&& (forall k <- output.value.encryptionContext
217217
::
218218
&& UTF8.Decode(k).Success?
219219
&& UTF8.Decode(output.value.encryptionContext[k]).Success?
220-
&& (ENCRYPTION_CONTEXT_PREFIX + UTF8.Decode(k).value in encryptionContext)
221-
&& encryptionContext[ENCRYPTION_CONTEXT_PREFIX + UTF8.Decode(k).value] == UTF8.Decode(output.value.encryptionContext[k]).value)
220+
&& (ENCRYPTION_CONTEXT_PREFIX + UTF8.Decode(k).value in branchKeyContext)
221+
&& branchKeyContext[ENCRYPTION_CONTEXT_PREFIX + UTF8.Decode(k).value] == UTF8.Decode(output.value.encryptionContext[k]).value)
222222

223223
{
224-
var versionInformation := if BRANCH_KEY_ACTIVE_VERSION_FIELD in encryptionContext then
225-
encryptionContext[BRANCH_KEY_ACTIVE_VERSION_FIELD]
224+
var versionInformation := if BRANCH_KEY_ACTIVE_VERSION_FIELD in branchKeyContext then
225+
branchKeyContext[BRANCH_KEY_ACTIVE_VERSION_FIELD]
226226
else
227-
encryptionContext[TYPE_FIELD];
227+
branchKeyContext[TYPE_FIELD];
228228
var branchKeyVersion := versionInformation[|BRANCH_KEY_TYPE_PREFIX| as uint32..];
229229
var branchKeyVersionUtf8 :- UTF8.Encode(branchKeyVersion)
230230
.MapFailure(e => Types.KeyStoreException( message := e ));
231231

232-
var customEncryptionContext :- ExtractCustomEncryptionContext(encryptionContext);
233-
234-
Success(Types.BranchKeyMaterials(
235-
branchKeyIdentifier := encryptionContext[BRANCH_KEY_IDENTIFIER_FIELD],
236-
branchKeyVersion := branchKeyVersionUtf8,
237-
branchKey := plaintextKey,
238-
encryptionContext := customEncryptionContext
239-
))
232+
var customEncryptionContext :- ExtractCustomEncryptionContext(branchKeyContext);
233+
234+
Success(
235+
Types.BranchKeyMaterials(
236+
branchKeyIdentifier := branchKeyContext[BRANCH_KEY_IDENTIFIER_FIELD],
237+
branchKeyVersion := branchKeyVersionUtf8,
238+
branchKey := plaintextKey,
239+
encryptionContext := customEncryptionContext,
240+
kmsArn := branchKeyContext[KMS_FIELD],
241+
createTime := branchKeyContext[KEY_CREATE_TIME],
242+
hierarchyVersion := branchKeyContext[HIERARCHY_VERSION]
243+
))
240244
}
241245

242246
function ToBeaconKeyMaterials(

0 commit comments

Comments
 (0)