Skip to content

Commit

Permalink
feat: Adding a storage option to the KeyStore (#594)
Browse files Browse the repository at this point in the history
The key store now allows for both a default DynamoDB table,
or any custom storage system.

The important aspect about the key store
is the fact that branch keys can be versioned easily,
and are cryptographically safe to use.
The actual storage medium is not important.

See: https://github.com/awslabs/aws-encryption-sdk-specification/blob/master/changes/2024-6-17_key-store-persistance/background.md#background
  • Loading branch information
seebees authored and texastony committed Dec 9, 2024
1 parent 72765d5 commit aebf397
Show file tree
Hide file tree
Showing 82 changed files with 11,112 additions and 1,660 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
diff --git b/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/Model/AwsCryptographyKeyStoreTypes.dfy a/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/Model/AwsCryptographyKeyStoreTypes.dfy
index 25bd45838..3ddedde75 100644
--- b/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/Model/AwsCryptographyKeyStoreTypes.dfy
+++ a/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/Model/AwsCryptographyKeyStoreTypes.dfy
@@ -611,7 +611,7 @@ abstract module AbstractAwsCryptographyKeyStoreService
import opened Types = AwsCryptographyKeyStoreTypes
import Operations : AbstractAwsCryptographyKeyStoreOperations
function method DefaultKeyStoreConfig(): KeyStoreConfig
- method KeyStore(config: KeyStoreConfig := DefaultKeyStoreConfig())
+ method {:isoluate_asserations} {:resource_limit 94000000 } KeyStore(config: KeyStoreConfig := DefaultKeyStoreConfig())
returns (res: Result<KeyStoreClient, Error>)
requires config.ddbClient.Some? ==>
config.ddbClient.value.ValidState()
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ module TestAwsKmsHierarchicalKeyring {
return encryptionMaterialsIn;
}

method {:test} TestHierarchyClientESDKSuite()
method {:test} {:vcs_split_on_every_assert} TestHierarchyClientESDKSuite()
{
var branchKeyId := BRANCH_KEY_ID;
// TTL = 166.67 hours
Expand All @@ -84,10 +84,17 @@ module TestAwsKmsHierarchicalKeyring {
id := None,
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClient)
storage := Some(
KeyStoreTypes.ddb(
KeyStoreTypes.DynamoDBTable(
ddbTableName := branchKeyStoreName,
ddbClient := Some(ddbClient)
))),
keyManagement := Some(
KeyStoreTypes.kms(
KeyStoreTypes.AwsKms(
kmsClient := Some(kmsClient)
)))
);

var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
Expand All @@ -113,7 +120,7 @@ module TestAwsKmsHierarchicalKeyring {
TestRoundtrip(hierarchyKeyring, materials, TEST_ESDK_ALG_SUITE_ID, branchKeyId);
}

method {:test} TestHierarchyClientDBESuite() {
method {:test} {:vcs_split_on_every_assert} TestHierarchyClientDBESuite() {
var branchKeyId := BRANCH_KEY_ID;
// TTL = 166.67 hours
var ttl : Types.PositiveLong := (1 * 60000) * 10;
Expand All @@ -127,10 +134,17 @@ module TestAwsKmsHierarchicalKeyring {
id := None,
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClient)
storage := Some(
KeyStoreTypes.ddb(
KeyStoreTypes.DynamoDBTable(
ddbTableName := branchKeyStoreName,
ddbClient := Some(ddbClient)
))),
keyManagement := Some(
KeyStoreTypes.kms(
KeyStoreTypes.AwsKms(
kmsClient := Some(kmsClient)
)))
);

var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
Expand All @@ -156,7 +170,7 @@ module TestAwsKmsHierarchicalKeyring {
TestRoundtrip(hierarchyKeyring, materials, TEST_DBE_ALG_SUITE_ID, branchKeyId);
}

method {:test} TestBranchKeyIdSupplier()
method {:test} {:vcs_split_on_every_assert} TestBranchKeyIdSupplier()
{
var branchKeyIdSupplier: Types.IBranchKeyIdSupplier := new DummyBranchKeyIdSupplier();
// TTL = 166.67 hours
Expand All @@ -171,10 +185,17 @@ module TestAwsKmsHierarchicalKeyring {
id := None,
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClient)
storage := Some(
KeyStoreTypes.ddb(
KeyStoreTypes.DynamoDBTable(
ddbTableName := branchKeyStoreName,
ddbClient := Some(ddbClient)
))),
keyManagement := Some(
KeyStoreTypes.kms(
KeyStoreTypes.AwsKms(
kmsClient := Some(kmsClient)
)))
);

var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
Expand Down Expand Up @@ -202,7 +223,7 @@ module TestAwsKmsHierarchicalKeyring {
TestRoundtrip(hierarchyKeyring, materials, TEST_DBE_ALG_SUITE_ID, BRANCH_KEY_ID_B);
}

method {:test} TestInvalidDataKeyError()
method {:test} {:vcs_split_on_every_assert} TestInvalidDataKeyError()
{
var branchKeyIdSupplier: Types.IBranchKeyIdSupplier := new DummyBranchKeyIdSupplier();
// TTL = 166.67 hours
Expand All @@ -215,10 +236,17 @@ module TestAwsKmsHierarchicalKeyring {
id := None,
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClient)
storage := Some(
KeyStoreTypes.ddb(
KeyStoreTypes.DynamoDBTable(
ddbTableName := branchKeyStoreName,
ddbClient := Some(ddbClient)
))),
keyManagement := Some(
KeyStoreTypes.kms(
KeyStoreTypes.AwsKms(
kmsClient := Some(kmsClient)
)))
);
var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
var hierarchyKeyring :- expect mpl.CreateAwsKmsHierarchicalKeyring(
Expand Down Expand Up @@ -341,6 +369,13 @@ module TestAwsKmsHierarchicalKeyring {
var kmsClientWest :- expect KMS.KMSClientForRegion(regionWest);
var kmsClientEast :- expect KMS.KMSClientForRegion(regionEast);
var ddbClient :- expect DDB.DynamoDBClient();
// Recommend commenting the assume out while developing this method,
// and just ignore the modifies exeptions,
// and then re-enabling it once everything is safe
assume {:axiom} && kmsClientWest.Modifies == {}
&& kmsClientEast.Modifies == {}
&& ddbClient.Modifies == {};

var kmsConfig := KeyStoreTypes.KMSConfiguration.kmsKeyArn(keyArn);

// Create a Key Store with the a KMS configuration and
Expand All @@ -351,7 +386,7 @@ module TestAwsKmsHierarchicalKeyring {
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbTableName := Some(branchKeyStoreName),
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClientWest)
);
Expand All @@ -367,7 +402,7 @@ module TestAwsKmsHierarchicalKeyring {
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbTableName := Some(branchKeyStoreName),
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClientEast)
);
Expand Down Expand Up @@ -481,6 +516,13 @@ module TestAwsKmsHierarchicalKeyring {
var kmsClientWest :- expect KMS.KMSClientForRegion(regionWest);
var kmsClientEast :- expect KMS.KMSClientForRegion(regionEast);
var ddbClient :- expect DDB.DynamoDBClient();
// Recommend commenting the assume out while developing this method,
// and just ignore the modifies exeptions,
// and then re-enabling it once everything is safe
assume {:axiom} && kmsClientWest.Modifies == {}
&& kmsClientEast.Modifies == {}
&& ddbClient.Modifies == {};

var kmsConfig := KeyStoreTypes.KMSConfiguration.kmsKeyArn(keyArn);

// Create a Key Store with the a KMS configuration and
Expand All @@ -491,7 +533,7 @@ module TestAwsKmsHierarchicalKeyring {
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbTableName := Some(branchKeyStoreName),
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClientWest)
);
Expand All @@ -507,7 +549,7 @@ module TestAwsKmsHierarchicalKeyring {
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbTableName := Some(branchKeyStoreName),
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClientEast)
);
Expand Down Expand Up @@ -601,6 +643,13 @@ module TestAwsKmsHierarchicalKeyring {
var kmsClientWest :- expect KMS.KMSClientForRegion(regionWest);
var kmsClientEast :- expect KMS.KMSClientForRegion(regionEast);
var ddbClient :- expect DDB.DynamoDBClient();
// Recommend commenting the assume out while developing this method,
// and just ignore the modifies exeptions,
// and then re-enabling it once everything is safe
assume {:axiom} && kmsClientWest.Modifies == {}
&& kmsClientEast.Modifies == {}
&& ddbClient.Modifies == {};

var kmsConfig := KeyStoreTypes.KMSConfiguration.kmsKeyArn(keyArn);

// Create a Key Store with the a KMS configuration and
Expand All @@ -611,7 +660,7 @@ module TestAwsKmsHierarchicalKeyring {
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbTableName := Some(branchKeyStoreName),
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClientWest)
);
Expand All @@ -627,7 +676,7 @@ module TestAwsKmsHierarchicalKeyring {
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbTableName := Some(branchKeyStoreName),
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClientEast)
);
Expand Down Expand Up @@ -719,6 +768,13 @@ module TestAwsKmsHierarchicalKeyring {
var kmsClientWest :- expect KMS.KMSClientForRegion(regionWest);
var kmsClientEast :- expect KMS.KMSClientForRegion(regionEast);
var ddbClient :- expect DDB.DynamoDBClient();

// Recommend commenting the assume out while developing this method,
// and just ignore the modifies exeptions,
// and then re-enabling it once everything is safe
assume {:axiom} && kmsClientWest.Modifies == {}
&& kmsClientEast.Modifies == {}
&& ddbClient.Modifies == {};
var kmsConfig := KeyStoreTypes.KMSConfiguration.kmsKeyArn(keyArn);

// Different logical key store names for both Key Stores
Expand All @@ -733,7 +789,7 @@ module TestAwsKmsHierarchicalKeyring {
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreName,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbTableName := Some(branchKeyStoreName),
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClientWest)
);
Expand All @@ -750,7 +806,7 @@ module TestAwsKmsHierarchicalKeyring {
kmsConfiguration := kmsConfig,
logicalKeyStoreName := logicalKeyStoreNameNew,
grantTokens := None,
ddbTableName := branchKeyStoreName,
ddbTableName := Some(branchKeyStoreName),
ddbClient := Some(ddbClient),
kmsClient := Some(kmsClientEast)
);
Expand Down
Loading

0 comments on commit aebf397

Please sign in to comment.