chore(rust): prepare release of 1.2.0

DynamoDbEncryption/runtimes/rust/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "aws-db-esdk"
-version = "1.1.1"
+version = "1.2.0"
 edition = "2021"
 rust-version = "1.86.0"
 keywords = ["cryptography", "security", "dynamodb", "encryption", "client-side"]

DynamoDbEncryption/runtimes/rust/start_release.sh

@@ -25,8 +25,10 @@ echo
 echo
 sleep 2
 
+VERSION=$1
+
 # Update the version in Cargo.toml
-perl -pe "s/^version = .*$/version = \"$1\"/" < Cargo.toml > new_Cargo.toml
+perl -pe "s/^version = .*$/version = \"$VERSION\"/" < Cargo.toml > new_Cargo.toml
 mv new_Cargo.toml Cargo.toml
 
 set -v
@@ -78,3 +80,13 @@ cargo run --example main
 
 # Remove Cargo.lock and .pem files after testing the examples
 rm -f Cargo.lock *.pem
+
+set +v
+
+echo
+echo Next Steps:
+echo cd $(realpath ${PWD}/../../../releases/rust/db_esdk)
+echo Make a PR
+echo Get it merged
+echo cargo publish
+echo

releases/rust/db_esdk/Cargo.toml

@@ -1,8 +1,8 @@
 [package]
 name = "aws-db-esdk"
-version = "1.1.1"
+version = "1.2.0"
 edition = "2021"
-rust-version = "1.81.0"
+rust-version = "1.86.0"
 keywords = ["cryptography", "security", "dynamodb", "encryption", "client-side"]
 license = "ISC AND (Apache-2.0 OR ISC)"
 description = "aws-db-esdk is a library for implementing client side encryption with DynamoDB."
@@ -16,20 +16,26 @@ readme = "README.md"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-aws-config = "1.6.3"
-aws-lc-rs = "1.13.1"
-aws-lc-sys = "0.29.0"
-aws-sdk-dynamodb = "1.73.0"
-aws-sdk-kms = "1.67.0"
-aws-smithy-runtime-api = {version = "1.8.0", features = ["client"] }
-aws-smithy-types = "1.3.1"
+aws-config = "1.8.5"
+aws-lc-rs = {version = "1.13.3"}
+aws-lc-sys = { version = "0.30", optional = true }
+aws-lc-fips-sys = { version = "0.13", optional = true }
+aws-sdk-dynamodb = "1.90.0"
+aws-sdk-kms = "1.84.0"
+aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
+aws-smithy-types = "1.3.2"
 chrono = "0.4.41"
 cpu-time = "1.0.0"
-dafny-runtime = { version = "0.3.1", features = ["sync", "small-int"] }
 dashmap = "6.1.0"
 pem = "3.0.5"
-tokio = {version = "1.45.1", features = ["full"] }
-uuid = { version = "1.17.0", features = ["v4"] }
+tokio = {version = "1.47.1", features = ["full"] }
+uuid = { version = "1.18.0", features = ["v4"] }
+dafny-runtime = { version = "0.3.1", features = ["sync", "small-int"] }
 
 [[example]]
 name = "main"
+
+[features]
+fips = ["aws-lc-rs/fips", "dep:aws-lc-fips-sys"]
+non-fips = ["aws-lc-rs/aws-lc-sys", "dep:aws-lc-sys"]
+default = ["non-fips"]

releases/rust/db_esdk/src/aes_gcm.rs

@@ -73,13 +73,13 @@ impl AES_GCM {
     ) -> Result<DoAESEncryptOutput, String> {
         let alg = self.get_alg()?;
         let mut in_out_buffer = Vec::from(msg);
-        let key = UnboundKey::new(alg, key).map_err(|e| format!("new {:?}", e))?;
+        let key = UnboundKey::new(alg, key).map_err(|e| format!("new {e:?}"))?;
         let nonce = Nonce::assume_unique_for_key(iv.try_into().unwrap());
         let key = LessSafeKey::new(key);
         let aad = Aad::from(aad);
         let tag = key
             .seal_in_place_separate_tag(nonce, aad, &mut in_out_buffer)
-            .map_err(|e| format!("Seal {:?}", e))?;
+            .map_err(|e| format!("Seal {e:?}"))?;
         Ok(DoAESEncryptOutput {
             cipher_text: in_out_buffer,
             auth_tag: Vec::from(tag.as_ref()),
@@ -96,12 +96,12 @@ impl AES_GCM {
     ) -> Result<Vec<u8>, String> {
         let alg = self.get_alg()?;
         let mut out_buffer = Vec::from(cipher_text);
-        let key = UnboundKey::new(alg, key).map_err(|e| format!("new {:?}", e))?;
+        let key = UnboundKey::new(alg, key).map_err(|e| format!("new {e:?}"))?;
         let nonce = Nonce::assume_unique_for_key(iv.try_into().unwrap());
         let key = LessSafeKey::new(key);
         let aad = Aad::from(aad);
         key.open_separate_gather(nonce, aad, cipher_text, auth_tag, &mut out_buffer)
-            .map_err(|e| format!("gather {:?}", e))?;
+            .map_err(|e| format!("gather {e:?}"))?;
         Ok(out_buffer)
     }
 
@@ -143,7 +143,7 @@ impl AES_GCM {
                 }),
             }),
             Err(e) => {
-                let msg = format!("AES Encrypt : {}", e);
+                let msg = format!("AES Encrypt : {e}");
                 enc_result(&msg)
             }
         }
@@ -196,7 +196,7 @@ impl AES_GCM {
                 value: dafny_runtime::Sequence::from_array_owned(x),
             }),
             Err(e) => {
-                let msg = format!("AES Decrypt : {}", e);
+                let msg = format!("AES Decrypt : {e}");
                 dec_result(&msg)
             }
         }
@@ -229,7 +229,7 @@ mod tests {
         let cipher = match &*alg.AESEncryptExtern(&iv, &key, &msg, &aad) {
             _Wrappers_Compile::Result::Success { value } => value.clone(),
             _Wrappers_Compile::Result::Failure { error } => {
-                panic!("AESEncryptExtern Failed : {:?}", error);
+                panic!("AESEncryptExtern Failed : {error:?}");
             }
         };
 
@@ -240,10 +240,10 @@ mod tests {
             } => (cipherText, authTag),
         };
 
-        let output = match &*alg.AESDecryptExtern(&key, &cipher_text, &auth_tag, &iv, &aad) {
+        let output = match &*alg.AESDecryptExtern(&key, cipher_text, auth_tag, &iv, &aad) {
             _Wrappers_Compile::Result::Success { value } => value.clone(),
             _Wrappers_Compile::Result::Failure { error } => {
-                panic!("AESEncryptExtern Failed : {:?}", error);
+                panic!("AESEncryptExtern Failed : {error:?}");
             }
         };
 

releases/rust/db_esdk/src/aes_kdf_ctr.rs

@@ -36,13 +36,13 @@ pub mod AesKdfCtr {
 
         let mut in_out_buffer = vec![0; length as usize];
 
-        let key = UnboundCipherKey::new(&AES_256, key).map_err(|e| format!("new {:?}", e))?;
-        let encrypting_key = EncryptingKey::ctr(key).map_err(|e| format!("new {:?}", e))?;
+        let key = UnboundCipherKey::new(&AES_256, key).map_err(|e| format!("new {e:?}"))?;
+        let encrypting_key = EncryptingKey::ctr(key).map_err(|e| format!("new {e:?}"))?;
         let nonce = aws_lc_rs::iv::FixedLength::<16>::from(as_array(nonce));
         let context = EncryptionContext::Iv128(nonce);
         encrypting_key
             .less_safe_encrypt(&mut in_out_buffer, context)
-            .map_err(|e| format!("new {:?}", e))?;
+            .map_err(|e| format!("new {e:?}"))?;
         Ok(in_out_buffer)
     }
 
@@ -65,7 +65,7 @@ pub mod AesKdfCtr {
                     value: dafny_runtime::Sequence::from_array_owned(x),
                 }),
                 Err(e) => {
-                    let msg = format!("Aes Kdf Ctr : {}", e);
+                    let msg = format!("Aes Kdf Ctr : {e}");
                     Rc::new(_Wrappers_Compile::Result::Failure { error: error(&msg) })
                 }
             }

releases/rust/db_esdk/src/dafny_libraries.rs

@@ -17,7 +17,9 @@ pub mod DafnyLibraries {
     }
 
     impl<K: ::dafny_runtime::DafnyTypeEq, V: ::dafny_runtime::DafnyTypeEq> MutableMap<K, V> {
-        pub fn _allocate_object() -> ::dafny_runtime::Object<Self> {
+        // bytesKeys should be set using ctor but it does not because of Dafny bug
+        // https://github.com/dafny-lang/dafny/issues/6333
+        pub fn _allocate_object(_bytes_keys: bool) -> ::dafny_runtime::Object<Self> {
             ::dafny_runtime::Object::new(MutableMap {
                 map: DashMap::new(),
             })

releases/rust/db_esdk/src/deps/aws_cryptography_materialProviders/validation.rs

@@ -1706,119 +1706,119 @@ pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsHierarchicalKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateRawEcdhKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateRawAesKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsHierarchicalKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMrkDiscoveryKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateRawRsaKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateRawRsaKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMrkDiscoveryKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateRawEcdhKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateRawAesKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMrkMultiKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMrkKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMrkKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsRsaKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsDiscoveryMultiKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsDiscoveryKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateMultiKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMrkMultiKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMrkDiscoveryMultiKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsDiscoveryMultiKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsRsaKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsEcdhKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsDiscoveryKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMultiKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMultiKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateMultiKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(
         input.clone(),
     ))?;
     Ok(())
 }
-pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsEcdhKeyring(
+pub(crate) fn validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_for_AwsCryptographicMaterialProviders_CreateAwsKmsMrkDiscoveryMultiKeyring(
     input: &crate::deps::aws_cryptography_materialProviders::types::keyring::KeyringRef,
 ) -> ::std::result::Result<(), ::aws_smithy_types::error::operation::BuildError> {
     validate_aws_Pcryptography_PmaterialProviders_HCreateKeyringOutput_Dkeyring(&Some(