Remove client-side decryption key ID verification in Python.

This isn't necessary since it duplicates the server side check done when the KeyID is included in the decryption request. This also enables support for using key aliases. PiperOrigin-RevId: 538511498 Change-Id: Ida2b6571ce9670f929afdec423ca85cb01395bdb
tink-crypto · Jun 7, 2023 · a66c167 · a66c167
1 parent 4d91813
commit a66c167
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/tink/integration/awskms/_aws_kms_client.py b/tink/integration/awskms/_aws_kms_client.py
@@ -63,11 +63,6 @@ def decrypt(self, ciphertext: bytes, associated_data: bytes) -> bytes:
           CiphertextBlob=ciphertext,
           EncryptionContext=_encryption_context(associated_data),
       )
-      if response['KeyId'] != self.key_arn:
-        raise tink.TinkError(
-            'invalid key id: got %s, want %s'
-            % (self.key_arn, response['KeyId'])
-        )
       return response['Plaintext']
     except exceptions.ClientError as e:
       raise tink.TinkError(e)

diff --git a/tink/integration/awskms/_aws_kms_client_test.py b/tink/integration/awskms/_aws_kms_client_test.py
@@ -27,10 +27,17 @@
 
 CREDENTIAL_PATH = os.path.join(helper.tink_py_testdata_path(),
                                'aws/credentials.ini')
+
 KEY_URI = ('aws-kms://arn:aws:kms:us-east-2:235739564943:key/'
            '3ee50705-5a82-4f5b-9753-05c4f473922f')
+
+# An alias for KEY_URI.
+KEY_ALIAS_URI = ('aws-kms://arn:aws:kms:us-east-2:235739564943:alias/'
+                 'unit-and-integration-testing')
+
 KEY_URI_2 = ('aws-kms://arn:aws:kms:us-east-2:235739564943:key/'
              'b3ca2efd-a8fb-47f2-b541-7e20f8c5cd11')
+
 GCP_KEY_URI = ('gcp-kms://projects/tink-test-infrastructure/locations/global/'
                'keyRings/unit-and-integration-testing/cryptoKeys/aead-key')
 
@@ -41,13 +48,15 @@ def test_client_bound_to_key_uri(self):
     aws_client = awskms.AwsKmsClient(KEY_URI, CREDENTIAL_PATH)
 
     self.assertEqual(aws_client.does_support(KEY_URI), True)
+    self.assertEqual(aws_client.does_support(KEY_ALIAS_URI), False)
     self.assertEqual(aws_client.does_support(KEY_URI_2), False)
     self.assertEqual(aws_client.does_support(GCP_KEY_URI), False)
 
   def test_client_not_bound_to_key_uri(self):
     aws_client = awskms.AwsKmsClient('', CREDENTIAL_PATH)
 
     self.assertEqual(aws_client.does_support(KEY_URI), True)
+    self.assertEqual(aws_client.does_support(KEY_ALIAS_URI), True)
     self.assertEqual(aws_client.does_support(KEY_URI_2), True)
     self.assertEqual(aws_client.does_support(GCP_KEY_URI), False)
 

diff --git a/tink/integration/awskms/_aws_kms_integration_test.py b/tink/integration/awskms/_aws_kms_integration_test.py
@@ -69,6 +69,19 @@ def test_encrypt_decrypt(self):
     ciphertext = aws_aead.encrypt(plaintext, b'')
     self.assertEqual(plaintext, aws_aead.decrypt(ciphertext, b''))
 
+  def test_encrypt_decrypt_with_key_alias(self):
+    aws_client = awskms.AwsKmsClient(KEY_ALIAS_URI, CREDENTIAL_PATH)
+    aws_aead = aws_client.get_aead(KEY_ALIAS_URI)
+
+    plaintext = b'hello'
+    associated_data = b'world'
+    ciphertext = aws_aead.encrypt(plaintext, associated_data)
+    self.assertEqual(plaintext, aws_aead.decrypt(ciphertext, associated_data))
+
+    plaintext = b'hello'
+    ciphertext = aws_aead.encrypt(plaintext, b'')
+    self.assertEqual(plaintext, aws_aead.decrypt(ciphertext, b''))
+
   def test_corrupted_ciphertext(self):
     aws_client = awskms.AwsKmsClient(KEY_URI, CREDENTIAL_PATH)
     aws_aead = aws_client.get_aead(KEY_URI)