feat: Adding a storage option to the KeyStore (#594)

The key store now allows for both a default DynamoDB table, or any custom storage system. The important aspect about the key store is the fact that branch keys can be versioned easily, and are cryptographically safe to use. The actual storage medium is not important. See: https://github.com/awslabs/aws-encryption-sdk-specification/blob/master/changes/2024-6-17_key-store-persistance/background.md#background
aws · Sep 18, 2024 · 0f79e74 · 0f79e74
1 parent 9c61e8b
commit 0f79e74
Show file tree

Hide file tree

Showing 76 changed files with 8,525 additions and 1,560 deletions.
diff --git a/...roviders/test/Keyrings/AwsKms/AwsKmsHierarchicalKeyring/TestAwsKmsHierarchicalKeyring.dfy b/...roviders/test/Keyrings/AwsKms/AwsKmsHierarchicalKeyring/TestAwsKmsHierarchicalKeyring.dfy
@@ -69,7 +69,7 @@ module TestAwsKmsHierarchicalKeyring {
     return encryptionMaterialsIn;
   }
 
-  method {:test} TestHierarchyClientESDKSuite()
+  method {:test} {:vcs_split_on_every_assert} TestHierarchyClientESDKSuite()
   {
     var branchKeyId := BRANCH_KEY_ID;
     // TTL = 166.67 hours
@@ -84,10 +84,17 @@ module TestAwsKmsHierarchicalKeyring {
       id := None,
       kmsConfiguration := kmsConfig,
       logicalKeyStoreName := logicalKeyStoreName,
-      grantTokens := None,
-      ddbTableName := branchKeyStoreName,
-      ddbClient := Some(ddbClient),
-      kmsClient := Some(kmsClient)
+      storage := Some(
+        KeyStoreTypes.ddb(
+          KeyStoreTypes.DynamoDBTable(
+            ddbTableName := branchKeyStoreName,
+            ddbClient := Some(ddbClient)
+          ))),
+      keyManagement := Some(
+        KeyStoreTypes.kms(
+          KeyStoreTypes.AwsKms(
+            kmsClient := Some(kmsClient)
+          )))
     );
 
     var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
@@ -113,7 +120,7 @@ module TestAwsKmsHierarchicalKeyring {
     TestRoundtrip(hierarchyKeyring, materials, TEST_ESDK_ALG_SUITE_ID, branchKeyId);
   }
 
-  method {:test} TestHierarchyClientDBESuite() {
+  method {:test} {:vcs_split_on_every_assert} TestHierarchyClientDBESuite() {
     var branchKeyId := BRANCH_KEY_ID;
     // TTL = 166.67 hours
     var ttl : Types.PositiveLong := (1 * 60000) * 10;
@@ -127,10 +134,17 @@ module TestAwsKmsHierarchicalKeyring {
       id := None,
       kmsConfiguration := kmsConfig,
       logicalKeyStoreName := logicalKeyStoreName,
-      grantTokens := None,
-      ddbTableName := branchKeyStoreName,
-      ddbClient := Some(ddbClient),
-      kmsClient := Some(kmsClient)
+      storage := Some(
+        KeyStoreTypes.ddb(
+          KeyStoreTypes.DynamoDBTable(
+            ddbTableName := branchKeyStoreName,
+            ddbClient := Some(ddbClient)
+          ))),
+      keyManagement := Some(
+        KeyStoreTypes.kms(
+          KeyStoreTypes.AwsKms(
+            kmsClient := Some(kmsClient)
+          )))
     );
 
     var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
@@ -156,7 +170,7 @@ module TestAwsKmsHierarchicalKeyring {
     TestRoundtrip(hierarchyKeyring, materials, TEST_DBE_ALG_SUITE_ID, branchKeyId);
   }
 
-  method {:test} TestBranchKeyIdSupplier()
+  method {:test} {:vcs_split_on_every_assert} TestBranchKeyIdSupplier()
   {
     var branchKeyIdSupplier: Types.IBranchKeyIdSupplier := new DummyBranchKeyIdSupplier();
     // TTL = 166.67 hours
@@ -171,10 +185,17 @@ module TestAwsKmsHierarchicalKeyring {
       id := None,
       kmsConfiguration := kmsConfig,
       logicalKeyStoreName := logicalKeyStoreName,
-      grantTokens := None,
-      ddbTableName := branchKeyStoreName,
-      ddbClient := Some(ddbClient),
-      kmsClient := Some(kmsClient)
+      storage := Some(
+        KeyStoreTypes.ddb(
+          KeyStoreTypes.DynamoDBTable(
+            ddbTableName := branchKeyStoreName,
+            ddbClient := Some(ddbClient)
+          ))),
+      keyManagement := Some(
+        KeyStoreTypes.kms(
+          KeyStoreTypes.AwsKms(
+            kmsClient := Some(kmsClient)
+          )))
     );
 
     var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
@@ -202,7 +223,7 @@ module TestAwsKmsHierarchicalKeyring {
     TestRoundtrip(hierarchyKeyring, materials, TEST_DBE_ALG_SUITE_ID, BRANCH_KEY_ID_B);
   }
 
-  method {:test} TestInvalidDataKeyError()
+  method {:test} {:vcs_split_on_every_assert} TestInvalidDataKeyError()
   {
     var branchKeyIdSupplier: Types.IBranchKeyIdSupplier := new DummyBranchKeyIdSupplier();
     // TTL = 166.67 hours
@@ -215,10 +236,17 @@ module TestAwsKmsHierarchicalKeyring {
       id := None,
       kmsConfiguration := kmsConfig,
       logicalKeyStoreName := logicalKeyStoreName,
-      grantTokens := None,
-      ddbTableName := branchKeyStoreName,
-      ddbClient := Some(ddbClient),
-      kmsClient := Some(kmsClient)
+      storage := Some(
+        KeyStoreTypes.ddb(
+          KeyStoreTypes.DynamoDBTable(
+            ddbTableName := branchKeyStoreName,
+            ddbClient := Some(ddbClient)
+          ))),
+      keyManagement := Some(
+        KeyStoreTypes.kms(
+          KeyStoreTypes.AwsKms(
+            kmsClient := Some(kmsClient)
+          )))
     );
     var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
     var hierarchyKeyring :- expect mpl.CreateAwsKmsHierarchicalKeyring(