m

Lucas McDonald · Lucas McDonald · commit 1ad14de24af2 · 2025-03-24T11:18:15.000-07:00
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,22 @@
 Changelog
 *********
 
+4.0.1 -- 2025-03-XX
+
+Fixes
+-----------
+* fix: Improve header serialization
+  `#TODO <https://github.com/aws/aws-encryption-sdk-python/pull/TODO>`_
+  ESDK-Python <4.0.1 would truncate non-ASCII key provider IDs it wrote to message headers.
+  If a Raw or Custom MasterKeyProvider or Keyring supplied a non-ASCII key provider ID / key namespace, 
+  ESDK-Python would truncate the the key provider ID it wrote to the message's header.
+  The message can be decrypted by replacing the truncated provider ID with the expected provider ID in decryption code.
+  Contact AWS for any questions about this approach.
+
+Maintenance
+-----------
+* deps: Extend supported `MPL`_ version to include 1.9.1
+
 4.0.0 -- 2024-10-29
 ===================
 
@@ -425,6 +441,7 @@ Minor
 ===================
 * Initial public release
 
+.. _MPL: https://github.com/aws/aws-cryptographic-material-providers-library
 .. _breaking changes in attrs 17.1.0: https://attrs.readthedocs.io/en/stable/changelog.html
 .. _tox: https://tox.readthedocs.io/en/latest/
 .. _pylint: https://www.pylint.org/
diff --git a/README.rst b/README.rst
@@ -42,7 +42,7 @@ Required Prerequisites
 Recommended Prerequisites
 =========================
 
-* aws-cryptographic-material-providers: == 1.7.4
+* aws-cryptographic-material-providers: >=1.7.4
     * Requires Python 3.11+.
 
 Installation
diff --git a/performance_tests/README.rst b/performance_tests/README.rst
@@ -49,7 +49,7 @@ Required Prerequisites
 Recommended Prerequisites
 =========================
 
-* aws-cryptographic-material-providers: == 1.7.4
+* aws-cryptographic-material-providers: >= 1.7.4
   * Requires Python 3.11+.
 
 *****
diff --git a/performance_tests/requirements_mpl.txt b/performance_tests/requirements_mpl.txt
@@ -1 +1 @@
-aws-cryptographic-material-providers==1.7.4
+aws-cryptographic-material-providers>=1.7.4,<=1.9.1
diff --git a/requirements_mpl.txt b/requirements_mpl.txt
@@ -1 +1 @@
-aws-cryptographic-material-providers==1.7.4
+aws-cryptographic-material-providers>=1.7.4,<=1.9.1
diff --git a/setup.py b/setup.py
@@ -39,11 +39,8 @@ def get_requirements():
     keywords="aws-encryption-sdk aws kms encryption",
     license="Apache License 2.0",
     install_requires=get_requirements(),
-    # pylint: disable=fixme
-    # TODO-MPL: Point at PyPI once MPL is released.
-    # This blocks releasing ESDK-Python MPL integration.
     extras_require={
-        "MPL": ["aws-cryptographic-material-providers==1.7.4"],
+        "MPL": ["aws-cryptographic-material-providers<=1.9.1"],
     },
     classifiers=[
         "Development Status :: 5 - Production/Stable",
diff --git a/src/aws_encryption_sdk/internal/formatting/deserialize.py b/src/aws_encryption_sdk/internal/formatting/deserialize.py
@@ -145,6 +145,17 @@ def deserialize_encrypted_data_keys(stream, max_encrypted_data_keys=None):
         (key_provider_information,) = unpack_values(">{}s".format(key_provider_information_length), stream)
         (encrypted_data_key_length,) = unpack_values(">H", stream)
         encrypted_data_key = stream.read(encrypted_data_key_length)
+        # ESDK-Python <4.0.1 incorrectly computed the key provider length for non-ASCII key provider IDs.
+        # The length in the header was computed as the length of the key provider ID as a string instead of
+        #   the length of the key provider ID as UTF-8 bytes.
+        # If a non-ASCII key provider ID were supplied, the key provider ID's UTF-8 bytes written to the header
+        #   would be truncated, and attempting to decrypt the message would result in a deserialization error.
+        # That error would be raised when calling `to_str(key_provider_identifier)` below.
+        # An impacted message can be decrypted by replacing the truncated provider ID with the expected provider ID
+        #   in decryption code.
+        # Contact AWS for any questions about this approach.
+        # ESDK-Python >=4.0.1 corrects the serialization logic and writes the correct length and expected bytes
+        #   to the message header.
         encrypted_data_keys.add(
             EncryptedDataKey(
                 key_provider=MasterKeyInfo(
diff --git a/src/aws_encryption_sdk/internal/formatting/serialize.py b/src/aws_encryption_sdk/internal/formatting/serialize.py
@@ -35,16 +35,30 @@ def serialize_encrypted_data_key(encrypted_data_key):
         "H"  # encrypted data key length
         "{enc_data_key_len}s"  # encrypted data key
     )
+    # ESDK-Python <4.0.1 incorrectly computed len_key_provider_id_bytes for non-ASCII key provider IDs.
+    # len_key_provider_id_bytes was computed as the length of the key provider ID as a string instead of
+    #   the length of the key provider ID as UTF-8 bytes.
+    # If a non-ASCII key provider ID were supplied, the key provider ID as UTF-8 bytes written to the header
+    #   would be truncated, and attempting to decrypt the message would result in a deserialization error.
+    # The message can be decrypted by replacing the truncated provider ID with the expected provider ID
+    #   in decryption code.
+    # Contact AWS for any questions about this approach.
+    # ESDK-Python >=4.0.1 corrects the serialization logic and writes the correct length and expected bytes
+    #   to the message header.
+    key_provider_id_bytes = to_bytes(encrypted_data_key.key_provider.provider_id)
+    len_key_provider_id_bytes = len(key_provider_id_bytes)
+    key_info_bytes = to_bytes(encrypted_data_key.key_provider.key_info)
+    len_key_info_bytes = len(key_info_bytes)
     return struct.pack(
         encrypted_data_key_format.format(
-            provider_id_len=len(encrypted_data_key.key_provider.provider_id),
-            provider_info_len=len(encrypted_data_key.key_provider.key_info),
+            provider_id_len=len_key_provider_id_bytes,
+            provider_info_len=len_key_info_bytes,
             enc_data_key_len=len(encrypted_data_key.encrypted_data_key),
         ),
-        len(encrypted_data_key.key_provider.provider_id),
-        to_bytes(encrypted_data_key.key_provider.provider_id),
-        len(encrypted_data_key.key_provider.key_info),
-        to_bytes(encrypted_data_key.key_provider.key_info),
+        len_key_provider_id_bytes,
+        key_provider_id_bytes,
+        len_key_info_bytes,
+        key_info_bytes,
         len(encrypted_data_key.encrypted_data_key),
         encrypted_data_key.encrypted_data_key,
     )
diff --git a/test/unit/test_deserialize.py b/test/unit/test_deserialize.py
@@ -265,6 +265,16 @@ def test_deserialize_body_frame_final(self):
         assert test_body == VALUES["deserialized_body_final_frame_single"]
         assert test_final
 
+    def test_GIVEN_final_frame_content_length_equals_header_frame_length_WHEN_deserialize_header_THEN_no_error(self):
+        """Validate that the deserialize_body_frame function
+        behaves as expected for a valid final body frame
+        where the final frame length equals the header frame length.
+        """
+        stream = io.BytesIO(VALUES["serialized_final_frame_512_length"])
+        aws_encryption_sdk.internal.formatting.deserialize.deserialize_frame(
+            stream=stream, header=VALUES["deserialized_header_frame_512_frame"]
+        )
+
     def test_deserialize_body_frame_final_invalid_final_frame_length(self):
         """Validate that the deserialize_body_frame function
         behaves as expected for a valid final body frame.
diff --git a/test/unit/test_serialize.py b/test/unit/test_serialize.py
@@ -1,9 +1,13 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 """Unit test suite for aws_encryption_sdk.internal.formatting.serialize"""
+import io
+import struct
+
 import pytest
 from mock import MagicMock, patch, sentinel
 
+import aws_encryption_sdk.internal.formatting.deserialize
 import aws_encryption_sdk.internal.formatting.serialize
 from aws_encryption_sdk.exceptions import SerializationError
 from aws_encryption_sdk.identifiers import ContentAADString, SerializationVersion
@@ -15,6 +19,8 @@
 
 pytestmark = [pytest.mark.unit, pytest.mark.local]
 
+provider_input_strings = ["", "abc", "𐀂", "abc𐀂", "𐀂abc", "秘密代码", "abc秘密代码", "秘密代码abc", "秘密代码abc𐀂", "𐀂abc秘密代码123𐀂"]
+
 
 @pytest.mark.parametrize(
     "sequence_number, error_message",
@@ -80,6 +86,146 @@ def apply_fixtures(self):
         self.mock_encrypt_patcher.stop()
         self.mock_valid_frame_length_patcher.stop()
 
+    @pytest.mark.parametrize("provider_id", provider_input_strings)
+    @pytest.mark.parametrize("provider_info", provider_input_strings)
+    def test_GIVEN_valid_encrypted_data_key_WHEN_serialize_encrypted_data_key_THEN_deserialize_equals_input(
+        self,
+        provider_id,
+        provider_info,
+    ):
+        # Given: Some valid encrypted data key
+        key_provider = MasterKeyInfo(provider_id=provider_id, key_info=provider_info)
+        encrypted_data_key = EncryptedDataKey(
+            key_provider=key_provider, encrypted_data_key=VALUES["encrypted_data_key"]
+        )
+
+        # When: serialize_encrypted_data_key
+        serialized_edk = aws_encryption_sdk.internal.formatting.serialize.serialize_encrypted_data_key(
+            encrypted_data_key=encrypted_data_key
+        )
+
+        # Then: Can deserialize the value
+        serialized_edks = bytes()
+        # Hardcode to have only 1 EDK
+        serialized_edks += struct.pack(">H", 1)
+        serialized_edks += serialized_edk
+        # Deserialization must not raise exception
+        deserialized = aws_encryption_sdk.internal.formatting.deserialize.deserialize_encrypted_data_keys(
+            stream=io.BytesIO(serialized_edks)
+        )
+        assert deserialized == {encrypted_data_key}
+        assert len(deserialized) == 1
+        deserialized_edk = list(deserialized)[0]
+        assert deserialized_edk.key_provider == encrypted_data_key.key_provider
+        assert deserialized_edk.key_provider.provider_id == encrypted_data_key.key_provider.provider_id
+        assert deserialized_edk.key_provider.key_info == encrypted_data_key.key_provider.key_info
+        assert deserialized_edk.encrypted_data_key == encrypted_data_key.encrypted_data_key
+
+    @pytest.mark.parametrize("edk_1_provider_id", provider_input_strings)
+    @pytest.mark.parametrize("edk_1_provider_info", provider_input_strings)
+    @pytest.mark.parametrize("edk_2_provider_id", provider_input_strings)
+    @pytest.mark.parametrize("edk_2_provider_info", provider_input_strings)
+    def test_GIVEN_two_distinct_valid_encrypted_data_keys_WHEN_serialize_encrypted_data_keys_THEN_deserialize_equals_inputs(  # noqa pylint: disable=line-too-long
+        self,
+        edk_1_provider_id,
+        edk_1_provider_info,
+        edk_2_provider_id,
+        edk_2_provider_info,
+    ):
+        # pylint: disable=too-many-locals
+        # Given: Two distinct valid encrypted data keys
+        edk_1_key_provider = MasterKeyInfo(provider_id=edk_1_provider_id, key_info=edk_1_provider_info)
+        encrypted_data_key_1 = EncryptedDataKey(
+            key_provider=edk_1_key_provider, encrypted_data_key=VALUES["encrypted_data_key"]
+        )
+
+        edk_2_key_provider = MasterKeyInfo(provider_id=edk_2_provider_id, key_info=edk_2_provider_info)
+        encrypted_data_key_2 = EncryptedDataKey(
+            key_provider=edk_2_key_provider, encrypted_data_key=VALUES["encrypted_data_key"]
+        )
+
+        # Must be distinct
+        if encrypted_data_key_1 == encrypted_data_key_2:
+            return
+
+        # When: serialize_encrypted_data_key
+        serialized_edk_1 = aws_encryption_sdk.internal.formatting.serialize.serialize_encrypted_data_key(
+            encrypted_data_key=encrypted_data_key_1
+        )
+        serialized_edk_2 = aws_encryption_sdk.internal.formatting.serialize.serialize_encrypted_data_key(
+            encrypted_data_key=encrypted_data_key_2
+        )
+
+        # Then: Can deserialize the value
+        serialized_edks = bytes()
+        # Hardcode to have only 2 EDKs
+        serialized_edks += struct.pack(">H", 2)
+        serialized_edks += serialized_edk_1
+        serialized_edks += serialized_edk_2
+        # Deserialization must not raise exception
+        deserialized = aws_encryption_sdk.internal.formatting.deserialize.deserialize_encrypted_data_keys(
+            stream=io.BytesIO(serialized_edks)
+        )
+        assert deserialized == {encrypted_data_key_1, encrypted_data_key_2}
+        assert len(deserialized) == 2
+        deserialized_edk_list = list(deserialized)
+
+        deserialized_edk_some = deserialized_edk_list[0]
+        deserialized_edk_other = deserialized_edk_list[1]
+
+        assert (
+            (deserialized_edk_some == encrypted_data_key_1 and deserialized_edk_other == encrypted_data_key_2)
+            or (deserialized_edk_some == encrypted_data_key_2 and deserialized_edk_other == encrypted_data_key_1)
+        )
+
+    def test_GIVEN_invalid_encrypted_data_key_WHEN_serialize_THEN_raises_UnicodeEncodeError(
+        self,
+    ):
+        # Given: Some invalid encrypted data key
+
+        # This is invalid because "\ud800\udc02" cannot be encoded to UTF-8.
+        # This value MUST be able to be encoded to UTF-8, or serialization will fail.
+        invalid_provider_string = "\ud800\udc02"
+
+        # Then: raises UnicodeEncodeError
+        with pytest.raises(UnicodeEncodeError):
+            key_provider = MasterKeyInfo(provider_id=invalid_provider_string, key_info=invalid_provider_string)
+
+            encrypted_data_key = EncryptedDataKey(
+                key_provider=key_provider, encrypted_data_key=VALUES["encrypted_data_key"]
+            )
+
+            # When: serialize_encrypted_data_key
+            aws_encryption_sdk.internal.formatting.serialize.serialize_encrypted_data_key(
+                encrypted_data_key=encrypted_data_key
+            )
+
+        # Then: raises UnicodeEncodeError
+        with pytest.raises(UnicodeEncodeError):
+            key_provider = MasterKeyInfo(provider_id=invalid_provider_string, key_info="abc")
+
+            encrypted_data_key = EncryptedDataKey(
+                key_provider=key_provider, encrypted_data_key=VALUES["encrypted_data_key"]
+            )
+
+            # When: serialize_encrypted_data_key
+            aws_encryption_sdk.internal.formatting.serialize.serialize_encrypted_data_key(
+                encrypted_data_key=encrypted_data_key
+            )
+
+        # Then: raises UnicodeEncodeError
+        with pytest.raises(UnicodeEncodeError):
+            key_provider = MasterKeyInfo(provider_id="abc", key_info=invalid_provider_string)
+
+            encrypted_data_key = EncryptedDataKey(
+                key_provider=key_provider, encrypted_data_key=VALUES["encrypted_data_key"]
+            )
+
+            # When: serialize_encrypted_data_key
+            aws_encryption_sdk.internal.formatting.serialize.serialize_encrypted_data_key(
+                encrypted_data_key=encrypted_data_key
+            )
+
     def test_serialize_header_v1(self):
         """Validate that the _serialize_header function
         behaves as expected.
diff --git a/test/unit/test_values.py b/test/unit/test_values.py
@@ -230,6 +230,49 @@ def array_byte(source):
         VALUES["final_frame_base"].tag,
     ]
 )
+# This is a valid frame from a ESDK-.NET-encrypted message.
+# ESDK Python versions before v4.0.0 would raise a SerializationError when deserializing this frame
+# because its frame length (512; the b"\x00\x00\x02\x00" string)
+# equals the configured frame length.
+# In other ESDK implementations, the final frame length would never equal the frame length
+# because they would append an empty final frame.
+# Both are valid implementations of the ESDK specification,
+# and the ESDK-Python must support this case.
+VALUES["serialized_final_frame_512_length"] = b"".join(
+    [
+        b"\xff\xff\xff\xff",
+        b"\x00\x00\x00\x14",
+        b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14',
+        b"\x00\x00\x02\x00",
+        b'''\x87r+k7 \xc7\xc3\xbf)T.8,}\xc5a.H]\x16/08k2
+        )\xb5QB\xccP\xc2\xc6\xeanf\x06Z7\xbb\xcd\x87L\xa6
+        ~~\xdc\xab~\x0e\xf6\x05\n\xa9\x94X[\xb8En?x$\x11
+        \x10\x84g0i\xeai\xf9\x8c\xe6}\xc3\xa1Gig\xbdA\x1an
+        \x1b\x9d\xf1\rW\xc8\xad|\x04hSt\x10\xc7\x0e\'\x8f
+        \xe8\x94\x9d\xdb\x82\xdb"\x95\xbc\xf5\xc5\xd0\xddQ
+        \xba\xaa\xbf6\x1e\xd8\xffB\xed\xee\xda1\x15\xf6=x
+        \xe14\xe7\xf5\xb7t\x10\x11\xa4!,!\xfa\xc7\xf1\t\xf7
+        \xc3X?eI\xcdk\xf3\xb5\x80b\xdd;*\xe9\x9c\xd5\x83[\xc4c
+        \xe4[mA\x87\xd9\x94g\xd6\\<\xd1\xff\xcc<\xef\xe2\xbc\xda>
+        \xda|\xa1L\xd1\xf4u\x07Y\x13\xa3\xd4\x15\x1fS\x98\x00^
+        \x1d^\xcdu\x17\xc8.\xfb\x9d\xaaU\xbf\x8f\xa96%YPX\xe6
+        \xf5\\\x141\xe5\xdd\x9a,\xc7d\xca\xffQ\x02:\xd87s:\x9a
+        \xdf\xd5\'\xf0!\x13\xafuU\xf7w\x15\xbd\xecS \xf2h\xa4
+        \xdd\xfb9\xbb\xb3\xd7?3\xc0\xeed\x0e\x17\x1b\xccN\xf9)s
+        \xd1\x97\x84\xb6\xce5\xca\x9b\xde\xa9\x0e$>x\xd9\x9cD=
+        \xd5\xa3\xa1qb#\x8c\xc1\x81Nv\x8dA0\'{~\x1c\xf1?\n\x7fAX\x9f,
+        \xe1\xe6d\xc5\xed\x9e\xa9o\x1bpp\xac\x1b\x03P\xd8\xae\xd6\xf6
+        \xaca;N\xd6C\x08\x99!\x0bU8\x85(g\xe6\x8fD\xf7\x19\xb0]4
+        \x19hB\x15\xa7\xee\xd8\xc0\xe9D\x850\xb6\x05\xd1\xa3`%\xcb
+        \xfb\x88&"\xdfnm\xa6\xf1X\xc4\x84\x1c\xc3\xe8]\x05mh$\xff]=
+        \xab\xa2p\x8e\x82:U\xef\xf3\x86X\xe16\x1f\xc7\x7f\x8dv\x1a
+        \xe4\r5\x8a\xea\x90\xb2\x1cA(\x9b\xedyT0\xd4h\tJ\xa4<\x07C9
+        \xa3a]\x7f\x17Ak\x1d\xb9gA\x04\xbaq\xe5(y-\xc4!\x87\xa83
+        \xdd\xf3\xea\xa7\x12X\xb6l\x98\xdf,\xc8\xe6\x9f7\xb0\xcd
+        \xb3\x9a\xf4\xe7a"H\xd9L\xd7.\x0f\x7f1W''',
+        b'XK#8\xb3\xab\x07\x11\x94\xf7\xac\xea\xd0g\x9b#',
+    ]
+)
 VALUES["serialized_final_frame_bad_length"] = b"".join(
     [
         b"\xff\xff\xff\xff",
@@ -361,6 +404,25 @@ def array_byte(source):
     header_iv_length=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384.iv_len,
     frame_length=2 ** 16,
 )
+VALUES["deserialized_header_frame_512_frame"] = MessageHeader(
+    version=SerializationVersion.V1,
+    type=ObjectType.CUSTOMER_AE_DATA,
+    algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384,
+    message_id=VALUES["message_id"],
+    encryption_context=VALUES["updated_encryption_context"],
+    encrypted_data_keys=set(
+        [
+            EncryptedDataKey(
+                key_provider=VALUES["data_keys"][0].key_provider,
+                encrypted_data_key=VALUES["data_keys"][0].encrypted_data_key,
+            )
+        ]
+    ),
+    content_type=ContentType.FRAMED_DATA,
+    content_aad_length=0,
+    header_iv_length=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384.iv_len,
+    frame_length=512,
+)
 VALUES["deserialized_header_small_frame"] = MessageHeader(
     version=SerializationVersion.V1,
     type=ObjectType.CUSTOMER_AE_DATA,
diff --git a/test_vector_handlers/requirements_mpl.txt b/test_vector_handlers/requirements_mpl.txt
@@ -1 +1 @@
-aws-cryptographic-material-providers==1.7.4
+aws-cryptographic-material-providers==1.7.4,<=1.9.1

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-aws-cryptographic-material-providers==1.7.4`
	`1`	`+aws-cryptographic-material-providers>=1.7.4,<=1.9.1`