From 0946a7ed801a6269565651cfe2ef17831d89d99c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Corella?= <39066999+josecorella@users.noreply.github.com> Date: Mon, 17 Jun 2024 12:45:49 -0700 Subject: [PATCH] feat(MPL): Add Raw ECDH and AWS KMS ECDH Keyrings (#419) Co-authored-by: Andrew Jewell <107044381+ajewellamz@users.noreply.github.com> Co-authored-by: Lucas McDonald Co-authored-by: seebees --- .github/workflows/library_net_tests.yml | 2 + .gitmodules | 6 +- .../AwsCryptographyMaterialProvidersTypes.dfy | 269 +- .../Model/key-agreement-scheme.smithy | 72 + .../Model/keyrings.smithy | 43 + .../Model/material-provider.smithy | 4 +- ...ryptographyMaterialProvidersOperations.dfy | 204 + .../src/ErrorMessages.dfy | 4 + .../src/KeyWrapping/EcdhEdkWrapping.dfy | 583 +++ .../src/Keyrings/AwsKms/AwsKmsEcdhKeyring.dfy | 704 ++++ .../src/Keyrings/AwsKms/AwsKmsKeyring.dfy | 9 + .../src/Keyrings/AwsKms/AwsKmsUtils.dfy | 52 +- .../src/Keyrings/AwsKms/Constants.dfy | 51 + .../src/Keyrings/RawECDHKeyring.dfy | 854 +++++ .../src/Utils.dfy | 41 + .../Keyrings/AwsKms/TestAwsKmsEcdhKeyring.dfy | 1101 ++++++ .../test/Keyrings/TesRawECDHKeyring.dfy | 790 ++++ .../test/TestEcdhCalculation.dfy | 119 + .../test/TestUtils.dfy | 73 + .../AwsCryptographyKeyStore/src/GetKeys.dfy | 2 +- .../runtimes/java/build.gradle.kts | 2 +- .../materialproviders/MaterialProviders.java | 40 + .../materialproviders/ToDafny.java | 225 ++ .../materialproviders/ToNative.java | 213 ++ .../model/CreateAwsKmsEcdhKeyringInput.java | 199 + .../model/CreateRawEcdhKeyringInput.java | 122 + .../materialproviders/model/EccCurveSpec.java | 24 + ...meralPrivateKeyToStaticPublicKeyInput.java | 80 + ...EphemeralSenderToStaticRecipientInput.java | 80 + .../model/KeyAgreementScheme.java | 95 + .../model/KmsEcdhConfigurations.java | 139 + .../model/KmsEcdhStaticConfigurations.java | 141 + .../KmsPrivateKeyToStaticPublicKeyInput.java | 155 + .../model/KmsPublicKeyDiscoveryInput.java | 79 + .../model/KmsRecipientConfiguration.java | 102 + .../KmsSenderToStaticRecipientInput.java | 123 + .../model/PublicKeyDiscoveryInput.java | 82 + .../model/RawEcdhConfigurations.java | 182 + .../model/RawEcdhStaticConfigurations.java | 182 + .../RawPrivateKeyToStaticPublicKeyInput.java | 120 + .../model/RecipientDiscoverySchemeInput.java | 79 + .../model/StaticConfigurations.java | 128 + .../model/StaticDiscoveryRecipientInput.java | 80 + .../StaticSenderStaticRecipientInput.java | 120 + .../StaticUnifiedModelConfigurations.java | 128 + .../CreateAwsKmsEcdhKeyringInput.cs | 58 + .../CreateRawEcdhKeyringInput.cs | 37 + .../EccCurveSpec.cs | 25 + ...hemeralPrivateKeyToStaticPublicKeyInput.cs | 26 + .../EphemeralSenderToStaticRecipientInput.cs | 26 + .../KeyAgreementScheme.cs | 29 + .../KmsEcdhConfigurations.cs | 40 + .../KmsEcdhStaticConfigurations.cs | 40 + .../KmsPrivateKeyToStaticPublicKeyInput.cs | 47 + .../KmsPublicKeyDiscoveryInput.cs | 26 + .../KmsRecipientConfiguration.cs | 40 + .../KmsSenderToStaticRecipientInput.cs | 37 + .../MaterialProviders.cs | 20 +- .../PublicKeyDiscoveryInput.cs | 26 + .../RawEcdhConfigurations.cs | 51 + .../RawEcdhStaticConfigurations.cs | 51 + .../RawPrivateKeyToStaticPublicKeyInput.cs | 37 + .../RecipientDiscoverySchemeInput.cs | 26 + .../StaticConfigurations.cs | 40 + .../StaticDiscoveryRecipientInput.cs | 26 + .../StaticSenderStaticRecipientInput.cs | 37 + .../StaticUnifiedModelConfigurations.cs | 40 + .../TypeConversion.cs | 377 ++ .../runtimes/net/MPL.csproj | 1 - .../Model/AwsCryptographyPrimitivesTypes.dfy | 434 +++ AwsCryptographyPrimitives/Model/ecdh.smithy | 163 + .../Model/primitives.smithy | 7 + .../main/java/ECDH/DeriveSharedSecret.java | 81 + .../java/src/main/java/ECDH/ECCAlgorithm.java | 65 + .../java/src/main/java/ECDH/ECCUtils.java | 381 ++ .../src/main/java/ECDH/KeyGeneration.java | 114 + .../java/src/main/java/ECDH/__default.java | 3 + .../main/java/Signature/PublicKeyUtils.java | 6 +- .../primitives/AtomicPrimitives.java | 117 + .../cryptography/primitives/ToDafny.java | 224 ++ .../cryptography/primitives/ToNative.java | 228 ++ .../model/CompressPublicKeyInput.java | 92 + .../model/CompressPublicKeyOutput.java | 65 + .../model/DecompressPublicKeyInput.java | 93 + .../model/DecompressPublicKeyOutput.java | 64 + .../model/DeriveSharedSecretInput.java | 120 + .../model/DeriveSharedSecretOutput.java | 65 + .../primitives/model/ECCPrivateKey.java | 65 + .../primitives/model/ECCPublicKey.java | 65 + .../primitives/model/ECDHCurveSpec.java | 24 + .../model/GenerateECCKeyPairInput.java | 64 + .../model/GenerateECCKeyPairOutput.java | 120 + .../GetPublicKeyFromPrivateKeyInput.java | 92 + .../GetPublicKeyFromPrivateKeyOutput.java | 121 + .../primitives/model/ParsePublicKeyInput.java | 65 + .../model/ParsePublicKeyOutput.java | 64 + .../model/ValidatePublicKeyInput.java | 93 + .../model/ValidatePublicKeyOutput.java | 64 + .../runtimes/net/Extern/ECDH.cs | 376 ++ .../net/Generated/AtomicPrimitives.cs | 49 + .../net/Generated/CompressPublicKeyInput.cs | 37 + .../net/Generated/CompressPublicKeyOutput.cs | 26 + .../net/Generated/DecompressPublicKeyInput.cs | 37 + .../Generated/DecompressPublicKeyOutput.cs | 26 + .../net/Generated/DeriveSharedSecretInput.cs | 48 + .../net/Generated/DeriveSharedSecretOutput.cs | 26 + .../runtimes/net/Generated/ECCPrivateKey.cs | 26 + .../runtimes/net/Generated/ECCPublicKey.cs | 26 + .../runtimes/net/Generated/ECDHCurveSpec.cs | 25 + .../net/Generated/GenerateECCKeyPairInput.cs | 26 + .../net/Generated/GenerateECCKeyPairOutput.cs | 48 + .../GetPublicKeyFromPrivateKeyInput.cs | 37 + .../GetPublicKeyFromPrivateKeyOutput.cs | 48 + .../net/Generated/ParsePublicKeyInput.cs | 26 + .../net/Generated/ParsePublicKeyOutput.cs | 26 + .../runtimes/net/Generated/TypeConversion.cs | 394 ++ .../net/Generated/ValidatePublicKeyInput.cs | 37 + .../net/Generated/ValidatePublicKeyOutput.cs | 26 + .../AwsCryptographyPrimitivesOperations.dfy | 65 + AwsCryptographyPrimitives/src/ECDH.dfy | 200 + AwsCryptographyPrimitives/src/KDF/KdfCtr.dfy | 29 +- AwsCryptographyPrimitives/test/TestECDH.dfy | 384 ++ AwsCryptographyPrimitives/test/TestKDF.dfy | 13 +- .../test/TestKDF_TestVectors.dfy | 76 +- .../runtimes/java/build.gradle.kts | 2 +- .../runtimes/net/ComAmazonawsDynamodb.csproj | 2 +- .../test/TestComAmazonawsDynamodb.dfy | 9 + .../Model/ComAmazonawsKmsTypes.dfy | 522 ++- ComAmazonawsKms/Model/kms/model.json | 3360 +++++++++++++++-- .../codegen-patches/java/dafny-4.2.0.patch | 154 +- .../runtimes/java/build.gradle.kts | 6 +- .../services/kms/internaldafny/__default.java | 5 + .../services/kms/internaldafny/Shim.java | 293 ++ .../services/kms/internaldafny/ToDafny.java | 1704 ++++++++- .../services/kms/internaldafny/ToNative.java | 1361 ++++++- ComAmazonawsKms/runtimes/net/AWS-KMS.csproj | 4 +- .../runtimes/net/Extern/KMSClient.cs | 1 + .../net/Generated/KeyManagementServiceShim.cs | 108 + .../runtimes/net/Generated/TypeConversion.cs | 2002 +++++++++- ComAmazonawsKms/test/TestComAmazonawsKms.dfy | 95 +- ...hyMaterialProvidersTestVectorKeysTypes.dfy | 15 + .../dafny/KeyVectors/Model/key-vectors.smithy | 26 + .../dafny/KeyVectors/src/KeyDescription.dfy | 84 + .../dafny/KeyVectors/src/KeyMaterial.dfy | 51 + .../src/KeyringFromKeyDescription.dfy | 237 ++ .../src/CompleteVectors.dfy | 6 + .../src/VectorsComposition/AllKmsEcdh.dfy | 72 + .../src/VectorsComposition/AllRawECDH.dfy | 114 + .../test/RunMain.dfy | 2 +- .../test/keys.json | 60 + .../runtimes/java/build.gradle.kts | 2 +- .../wrapped/TestMaterialProviders.java | 32 + .../ToDafny.java | 78 + .../ToNative.java | 67 + .../model/KeyDescription.java | 48 + .../model/KmsEcdhKeyring.java | 148 + .../model/RawEcdh.java | 176 + .../Generated/KeyVectors/KeyDescription.cs | 22 + .../Generated/KeyVectors/KmsEcdhKeyring.cs | 59 + .../net/Generated/KeyVectors/RawEcdh.cs | 70 + .../Generated/KeyVectors/TypeConversion.cs | 133 + .../AwsCryptographicMaterialProvidersShim.cs | 36 +- .../TypeConversion.cs | 377 ++ .../runtimes/net/TestVectors.csproj | 1 + aws-encryption-sdk-specification | 2 +- 165 files changed, 25249 insertions(+), 659 deletions(-) create mode 100644 AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/key-agreement-scheme.smithy create mode 100644 AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/KeyWrapping/EcdhEdkWrapping.dfy create mode 100644 AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsEcdhKeyring.dfy create mode 100644 AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/RawECDHKeyring.dfy create mode 100644 AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Utils.dfy create mode 100644 AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/Keyrings/AwsKms/TestAwsKmsEcdhKeyring.dfy create mode 100644 AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/Keyrings/TesRawECDHKeyring.dfy create mode 100644 AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/TestEcdhCalculation.dfy create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/CreateAwsKmsEcdhKeyringInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/CreateRawEcdhKeyringInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EccCurveSpec.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EphemeralPrivateKeyToStaticPublicKeyInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EphemeralSenderToStaticRecipientInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KeyAgreementScheme.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsEcdhConfigurations.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsEcdhStaticConfigurations.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsPrivateKeyToStaticPublicKeyInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsPublicKeyDiscoveryInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsRecipientConfiguration.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsSenderToStaticRecipientInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/PublicKeyDiscoveryInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawEcdhConfigurations.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawEcdhStaticConfigurations.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawPrivateKeyToStaticPublicKeyInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RecipientDiscoverySchemeInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticConfigurations.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticDiscoveryRecipientInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticSenderStaticRecipientInput.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticUnifiedModelConfigurations.java create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/CreateAwsKmsEcdhKeyringInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/CreateRawEcdhKeyringInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EccCurveSpec.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EphemeralPrivateKeyToStaticPublicKeyInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EphemeralSenderToStaticRecipientInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KeyAgreementScheme.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsEcdhConfigurations.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsEcdhStaticConfigurations.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsPrivateKeyToStaticPublicKeyInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsPublicKeyDiscoveryInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsRecipientConfiguration.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsSenderToStaticRecipientInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/PublicKeyDiscoveryInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawEcdhConfigurations.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawEcdhStaticConfigurations.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawPrivateKeyToStaticPublicKeyInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RecipientDiscoverySchemeInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticConfigurations.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticDiscoveryRecipientInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticSenderStaticRecipientInput.cs create mode 100644 AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticUnifiedModelConfigurations.cs create mode 100644 AwsCryptographyPrimitives/Model/ecdh.smithy create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/DeriveSharedSecret.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/ECCAlgorithm.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/ECCUtils.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/KeyGeneration.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/__default.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/CompressPublicKeyInput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/CompressPublicKeyOutput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DecompressPublicKeyInput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DecompressPublicKeyOutput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DeriveSharedSecretInput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DeriveSharedSecretOutput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECCPrivateKey.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECCPublicKey.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECDHCurveSpec.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GenerateECCKeyPairInput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GenerateECCKeyPairOutput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GetPublicKeyFromPrivateKeyInput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GetPublicKeyFromPrivateKeyOutput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ParsePublicKeyInput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ParsePublicKeyOutput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ValidatePublicKeyInput.java create mode 100644 AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ValidatePublicKeyOutput.java create mode 100644 AwsCryptographyPrimitives/runtimes/net/Extern/ECDH.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/CompressPublicKeyInput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/CompressPublicKeyOutput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/DecompressPublicKeyInput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/DecompressPublicKeyOutput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/DeriveSharedSecretInput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/DeriveSharedSecretOutput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/ECCPrivateKey.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/ECCPublicKey.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/ECDHCurveSpec.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/GenerateECCKeyPairInput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/GenerateECCKeyPairOutput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/GetPublicKeyFromPrivateKeyInput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/GetPublicKeyFromPrivateKeyOutput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/ParsePublicKeyInput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/ParsePublicKeyOutput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/ValidatePublicKeyInput.cs create mode 100644 AwsCryptographyPrimitives/runtimes/net/Generated/ValidatePublicKeyOutput.cs create mode 100644 AwsCryptographyPrimitives/src/ECDH.dfy create mode 100644 AwsCryptographyPrimitives/test/TestECDH.dfy create mode 100644 TestVectorsAwsCryptographicMaterialProviders/dafny/TestVectorsAwsCryptographicMaterialProviders/src/VectorsComposition/AllKmsEcdh.dfy create mode 100644 TestVectorsAwsCryptographicMaterialProviders/dafny/TestVectorsAwsCryptographicMaterialProviders/src/VectorsComposition/AllRawECDH.dfy create mode 100644 TestVectorsAwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviderstestvectorkeys/model/KmsEcdhKeyring.java create mode 100644 TestVectorsAwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviderstestvectorkeys/model/RawEcdh.java create mode 100644 TestVectorsAwsCryptographicMaterialProviders/runtimes/net/Generated/KeyVectors/KmsEcdhKeyring.cs create mode 100644 TestVectorsAwsCryptographicMaterialProviders/runtimes/net/Generated/KeyVectors/RawEcdh.cs diff --git a/.github/workflows/library_net_tests.yml b/.github/workflows/library_net_tests.yml index 06bd185ac..f8d92fa4b 100644 --- a/.github/workflows/library_net_tests.yml +++ b/.github/workflows/library_net_tests.yml @@ -95,6 +95,8 @@ jobs: working-directory: ./${{ matrix.library }} shell: bash run: | + nuget locals all -clear + dotnet restore runtimes/net make test_net FRAMEWORK=net48 - name: Test ${{ matrix.library }} .NET net6.0 diff --git a/.gitmodules b/.gitmodules index 4f9803431..a8da5e29e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,9 +1,9 @@ [submodule "libraries"] path = libraries url = https://github.com/dafny-lang/libraries.git -[submodule "aws-encryption-sdk-specification"] - path = aws-encryption-sdk-specification - url = https://github.com/awslabs/aws-encryption-sdk-specification.git [submodule "smithy-dafny"] path = smithy-dafny url = https://robin-aws@github.com/smithy-lang/smithy-dafny.git +[submodule "aws-encryption-sdk-specification"] + path = aws-encryption-sdk-specification + url = git@github.com:awslabs/aws-encryption-sdk-specification.git diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/AwsCryptographyMaterialProvidersTypes.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/AwsCryptographyMaterialProvidersTypes.dfy index d34f7de3c..f5b262f67 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/AwsCryptographyMaterialProvidersTypes.dfy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/AwsCryptographyMaterialProvidersTypes.dfy @@ -51,10 +51,12 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty CreateAwsKmsMrkDiscoveryKeyring := []; CreateAwsKmsMrkDiscoveryMultiKeyring := []; CreateAwsKmsHierarchicalKeyring := []; + CreateAwsKmsRsaKeyring := []; + CreateAwsKmsEcdhKeyring := []; CreateMultiKeyring := []; CreateRawAesKeyring := []; CreateRawRsaKeyring := []; - CreateAwsKmsRsaKeyring := []; + CreateRawEcdhKeyring := []; CreateDefaultCryptographicMaterialsManager := []; CreateRequiredEncryptionContextCMM := []; CreateCryptographicMaterialsCache := []; @@ -79,10 +81,12 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty ghost var CreateAwsKmsMrkDiscoveryKeyring: seq>> ghost var CreateAwsKmsMrkDiscoveryMultiKeyring: seq>> ghost var CreateAwsKmsHierarchicalKeyring: seq>> + ghost var CreateAwsKmsRsaKeyring: seq>> + ghost var CreateAwsKmsEcdhKeyring: seq>> ghost var CreateMultiKeyring: seq>> ghost var CreateRawAesKeyring: seq>> ghost var CreateRawRsaKeyring: seq>> - ghost var CreateAwsKmsRsaKeyring: seq>> + ghost var CreateRawEcdhKeyring: seq>> ghost var CreateDefaultCryptographicMaterialsManager: seq>> ghost var CreateRequiredEncryptionContextCMM: seq>> ghost var CreateCryptographicMaterialsCache: seq>> @@ -350,6 +354,55 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty ensures CreateAwsKmsHierarchicalKeyringEnsuresPublicly(input, output) ensures History.CreateAwsKmsHierarchicalKeyring == old(History.CreateAwsKmsHierarchicalKeyring) + [DafnyCallEvent(input, output)] + predicate CreateAwsKmsRsaKeyringEnsuresPublicly(input: CreateAwsKmsRsaKeyringInput , output: Result) + // The public method to be called by library consumers + method CreateAwsKmsRsaKeyring ( input: CreateAwsKmsRsaKeyringInput ) + returns (output: Result) + requires + && ValidState() && ( input.kmsClient.Some? ==> + && input.kmsClient.value.ValidState() + && input.kmsClient.value.Modifies !! {History} + ) + modifies Modifies - {History} , + (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) , + History`CreateAwsKmsRsaKeyring + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} , + (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) + ensures + && ValidState() + && ( output.Success? ==> + && output.value.ValidState() + && output.value.Modifies !! {History} + && fresh(output.value) + && fresh ( output.value.Modifies - Modifies - {History} - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) ) ) + ensures CreateAwsKmsRsaKeyringEnsuresPublicly(input, output) + ensures History.CreateAwsKmsRsaKeyring == old(History.CreateAwsKmsRsaKeyring) + [DafnyCallEvent(input, output)] + + predicate CreateAwsKmsEcdhKeyringEnsuresPublicly(input: CreateAwsKmsEcdhKeyringInput , output: Result) + // The public method to be called by library consumers + method CreateAwsKmsEcdhKeyring ( input: CreateAwsKmsEcdhKeyringInput ) + returns (output: Result) + requires + && ValidState() + && input.kmsClient.ValidState() + && input.kmsClient.Modifies !! {History} + modifies Modifies - {History} , + input.kmsClient.Modifies , + History`CreateAwsKmsEcdhKeyring + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} , + input.kmsClient.Modifies + ensures + && ValidState() + && ( output.Success? ==> + && output.value.ValidState() + && output.value.Modifies !! {History} + && fresh(output.value) + && fresh ( output.value.Modifies - Modifies - {History} - input.kmsClient.Modifies ) ) + ensures CreateAwsKmsEcdhKeyringEnsuresPublicly(input, output) + ensures History.CreateAwsKmsEcdhKeyring == old(History.CreateAwsKmsEcdhKeyring) + [DafnyCallEvent(input, output)] + predicate CreateMultiKeyringEnsuresPublicly(input: CreateMultiKeyringInput , output: Result) // The public method to be called by library consumers method CreateMultiKeyring ( input: CreateMultiKeyringInput ) @@ -420,30 +473,25 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty ensures CreateRawRsaKeyringEnsuresPublicly(input, output) ensures History.CreateRawRsaKeyring == old(History.CreateRawRsaKeyring) + [DafnyCallEvent(input, output)] - predicate CreateAwsKmsRsaKeyringEnsuresPublicly(input: CreateAwsKmsRsaKeyringInput , output: Result) + predicate CreateRawEcdhKeyringEnsuresPublicly(input: CreateRawEcdhKeyringInput , output: Result) // The public method to be called by library consumers - method CreateAwsKmsRsaKeyring ( input: CreateAwsKmsRsaKeyringInput ) + method CreateRawEcdhKeyring ( input: CreateRawEcdhKeyringInput ) returns (output: Result) requires - && ValidState() && ( input.kmsClient.Some? ==> - && input.kmsClient.value.ValidState() - && input.kmsClient.value.Modifies !! {History} - ) + && ValidState() modifies Modifies - {History} , - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) , - History`CreateAwsKmsRsaKeyring + History`CreateRawEcdhKeyring // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} , - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) + decreases Modifies - {History} ensures && ValidState() && ( output.Success? ==> && output.value.ValidState() && output.value.Modifies !! {History} && fresh(output.value) - && fresh ( output.value.Modifies - Modifies - {History} - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) ) ) - ensures CreateAwsKmsRsaKeyringEnsuresPublicly(input, output) - ensures History.CreateAwsKmsRsaKeyring == old(History.CreateAwsKmsRsaKeyring) + [DafnyCallEvent(input, output)] + && fresh ( output.value.Modifies - Modifies - {History} ) ) + ensures CreateRawEcdhKeyringEnsuresPublicly(input, output) + ensures History.CreateRawEcdhKeyring == old(History.CreateRawEcdhKeyring) + [DafnyCallEvent(input, output)] predicate CreateDefaultCryptographicMaterialsManagerEnsuresPublicly(input: CreateDefaultCryptographicMaterialsManagerInput , output: Result) // The public method to be called by library consumers @@ -764,6 +812,12 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty nameonly clientSupplier: Option := Option.None , nameonly grantTokens: Option := Option.None ) + datatype CreateAwsKmsEcdhKeyringInput = | CreateAwsKmsEcdhKeyringInput ( + nameonly KeyAgreementScheme: KmsEcdhStaticConfigurations , + nameonly curveSpec: AwsCryptographyPrimitivesTypes.ECDHCurveSpec , + nameonly kmsClient: ComAmazonawsKmsTypes.IKMSClient , + nameonly grantTokens: Option := Option.None + ) datatype CreateAwsKmsHierarchicalKeyringInput = | CreateAwsKmsHierarchicalKeyringInput ( nameonly branchKeyId: Option := Option.None , nameonly branchKeyIdSupplier: Option := Option.None , @@ -831,6 +885,10 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty nameonly wrappingKey: seq , nameonly wrappingAlg: AesWrappingAlg ) + datatype CreateRawEcdhKeyringInput = | CreateRawEcdhKeyringInput ( + nameonly KeyAgreementScheme: RawEcdhStaticConfigurations , + nameonly curveSpec: AwsCryptographyPrimitivesTypes.ECDHCurveSpec + ) datatype CreateRawRsaKeyringInput = | CreateRawRsaKeyringInput ( nameonly keyNamespace: string , nameonly keyName: string , @@ -1184,6 +1242,9 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty nameonly signingKey: Option := Option.None , nameonly symmetricSigningKeys: Option := Option.None ) + datatype EphemeralPrivateKeyToStaticPublicKeyInput = | EphemeralPrivateKeyToStaticPublicKeyInput ( + nameonly recipientPublicKey: seq + ) datatype ESDKAlgorithmSuiteId = | ALG_AES_128_GCM_IV12_TAG16_NO_KDF | ALG_AES_192_GCM_IV12_TAG16_NO_KDF @@ -1257,6 +1318,8 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty nameonly macKeyKdf: DerivationAlgorithm , nameonly pdkEncryptAlgorithm: Encrypt ) + datatype KeyAgreementScheme = + | StaticConfiguration(StaticConfiguration: StaticConfigurations) type KeyringList = seq class IKeyringCallHistory { ghost constructor() { @@ -1356,8 +1419,19 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty ensures unchanged(History) } + datatype KmsEcdhStaticConfigurations = + | KmsPublicKeyDiscovery(KmsPublicKeyDiscovery: KmsPublicKeyDiscoveryInput) + | KmsPrivateKeyToStaticPublicKey(KmsPrivateKeyToStaticPublicKey: KmsPrivateKeyToStaticPublicKeyInput) type KmsKeyId = string type KmsKeyIdList = seq + datatype KmsPrivateKeyToStaticPublicKeyInput = | KmsPrivateKeyToStaticPublicKeyInput ( + nameonly senderKmsIdentifier: KmsKeyId , + nameonly senderPublicKey: Option> := Option.None , + nameonly recipientPublicKey: seq + ) + datatype KmsPublicKeyDiscoveryInput = | KmsPublicKeyDiscoveryInput ( + nameonly recipientKmsIdentifier: KmsKeyId + ) datatype MaterialProvidersConfig = | MaterialProvidersConfig ( ) @@ -1403,6 +1477,9 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty predicate method IsValid_PositiveLong(x: int64) { ( 0 <= x ) } + datatype PublicKeyDiscoveryInput = | PublicKeyDiscoveryInput ( + nameonly recipientStaticPrivateKey: seq + ) datatype PutCacheEntryInput = | PutCacheEntryInput ( nameonly identifier: seq , nameonly materials: Materials , @@ -1411,6 +1488,14 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty nameonly messagesUsed: Option := Option.None , nameonly bytesUsed: Option := Option.None ) + datatype RawEcdhStaticConfigurations = + | PublicKeyDiscovery(PublicKeyDiscovery: PublicKeyDiscoveryInput) + | RawPrivateKeyToStaticPublicKey(RawPrivateKeyToStaticPublicKey: RawPrivateKeyToStaticPublicKeyInput) + | EphemeralPrivateKeyToStaticPublicKey(EphemeralPrivateKeyToStaticPublicKey: EphemeralPrivateKeyToStaticPublicKeyInput) + datatype RawPrivateKeyToStaticPublicKeyInput = | RawPrivateKeyToStaticPublicKeyInput ( + nameonly senderStaticPrivateKey: seq , + nameonly recipientPublicKey: seq + ) type Region = string type RegionList = seq type Secret = seq @@ -1421,6 +1506,9 @@ module {:extern "software.amazon.cryptography.materialproviders.internaldafny.ty nameonly entryCapacity: CountingNumber , nameonly entryPruningTailSize: Option := Option.None ) + datatype StaticConfigurations = + | AWS_KMS_ECDH(AWS_KMS_ECDH: KmsEcdhStaticConfigurations) + | RAW_ECDH(RAW_ECDH: RawEcdhStaticConfigurations) datatype StormTrackingCache = | StormTrackingCache ( nameonly entryCapacity: CountingNumber , nameonly entryPruningTailSize: Option := Option.None , @@ -1827,6 +1915,65 @@ abstract module AbstractAwsCryptographyMaterialProvidersService History.CreateAwsKmsHierarchicalKeyring := History.CreateAwsKmsHierarchicalKeyring + [DafnyCallEvent(input, output)]; } + predicate CreateAwsKmsRsaKeyringEnsuresPublicly(input: CreateAwsKmsRsaKeyringInput , output: Result) + {Operations.CreateAwsKmsRsaKeyringEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method CreateAwsKmsRsaKeyring ( input: CreateAwsKmsRsaKeyringInput ) + returns (output: Result) + requires + && ValidState() && ( input.kmsClient.Some? ==> + && input.kmsClient.value.ValidState() + && input.kmsClient.value.Modifies !! {History} + ) + modifies Modifies - {History} , + (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) , + History`CreateAwsKmsRsaKeyring + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} , + (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) + ensures + && ValidState() + && ( output.Success? ==> + && output.value.ValidState() + && output.value.Modifies !! {History} + && fresh(output.value) + && fresh ( output.value.Modifies - Modifies - {History} - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) ) ) + ensures CreateAwsKmsRsaKeyringEnsuresPublicly(input, output) + ensures History.CreateAwsKmsRsaKeyring == old(History.CreateAwsKmsRsaKeyring) + [DafnyCallEvent(input, output)] + { + output := Operations.CreateAwsKmsRsaKeyring(config, input); + History.CreateAwsKmsRsaKeyring := History.CreateAwsKmsRsaKeyring + [DafnyCallEvent(input, output)]; + } + + predicate CreateAwsKmsEcdhKeyringEnsuresPublicly(input: CreateAwsKmsEcdhKeyringInput , output: Result) + {Operations.CreateAwsKmsEcdhKeyringEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method CreateAwsKmsEcdhKeyring ( input: CreateAwsKmsEcdhKeyringInput ) + returns (output: Result) + requires + && ValidState() + && input.kmsClient.ValidState() + && input.kmsClient.Modifies !! {History} + modifies Modifies - {History} , + input.kmsClient.Modifies , + History`CreateAwsKmsEcdhKeyring + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} , + input.kmsClient.Modifies + ensures + && ValidState() + && ( output.Success? ==> + && output.value.ValidState() + && output.value.Modifies !! {History} + && fresh(output.value) + && fresh ( output.value.Modifies - Modifies - {History} - input.kmsClient.Modifies ) ) + ensures CreateAwsKmsEcdhKeyringEnsuresPublicly(input, output) + ensures History.CreateAwsKmsEcdhKeyring == old(History.CreateAwsKmsEcdhKeyring) + [DafnyCallEvent(input, output)] + { + output := Operations.CreateAwsKmsEcdhKeyring(config, input); + History.CreateAwsKmsEcdhKeyring := History.CreateAwsKmsEcdhKeyring + [DafnyCallEvent(input, output)]; + } + predicate CreateMultiKeyringEnsuresPublicly(input: CreateMultiKeyringInput , output: Result) {Operations.CreateMultiKeyringEnsuresPublicly(input, output)} // The public method to be called by library consumers @@ -1912,34 +2059,29 @@ abstract module AbstractAwsCryptographyMaterialProvidersService History.CreateRawRsaKeyring := History.CreateRawRsaKeyring + [DafnyCallEvent(input, output)]; } - predicate CreateAwsKmsRsaKeyringEnsuresPublicly(input: CreateAwsKmsRsaKeyringInput , output: Result) - {Operations.CreateAwsKmsRsaKeyringEnsuresPublicly(input, output)} + predicate CreateRawEcdhKeyringEnsuresPublicly(input: CreateRawEcdhKeyringInput , output: Result) + {Operations.CreateRawEcdhKeyringEnsuresPublicly(input, output)} // The public method to be called by library consumers - method CreateAwsKmsRsaKeyring ( input: CreateAwsKmsRsaKeyringInput ) + method CreateRawEcdhKeyring ( input: CreateRawEcdhKeyringInput ) returns (output: Result) requires - && ValidState() && ( input.kmsClient.Some? ==> - && input.kmsClient.value.ValidState() - && input.kmsClient.value.Modifies !! {History} - ) + && ValidState() modifies Modifies - {History} , - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) , - History`CreateAwsKmsRsaKeyring + History`CreateRawEcdhKeyring // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} , - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) + decreases Modifies - {History} ensures && ValidState() && ( output.Success? ==> && output.value.ValidState() && output.value.Modifies !! {History} && fresh(output.value) - && fresh ( output.value.Modifies - Modifies - {History} - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) ) ) - ensures CreateAwsKmsRsaKeyringEnsuresPublicly(input, output) - ensures History.CreateAwsKmsRsaKeyring == old(History.CreateAwsKmsRsaKeyring) + [DafnyCallEvent(input, output)] + && fresh ( output.value.Modifies - Modifies - {History} ) ) + ensures CreateRawEcdhKeyringEnsuresPublicly(input, output) + ensures History.CreateRawEcdhKeyring == old(History.CreateRawEcdhKeyring) + [DafnyCallEvent(input, output)] { - output := Operations.CreateAwsKmsRsaKeyring(config, input); - History.CreateAwsKmsRsaKeyring := History.CreateAwsKmsRsaKeyring + [DafnyCallEvent(input, output)]; + output := Operations.CreateRawEcdhKeyring(config, input); + History.CreateRawEcdhKeyring := History.CreateRawEcdhKeyring + [DafnyCallEvent(input, output)]; } predicate CreateDefaultCryptographicMaterialsManagerEnsuresPublicly(input: CreateDefaultCryptographicMaterialsManagerInput , output: Result) @@ -2371,6 +2513,53 @@ abstract module AbstractAwsCryptographyMaterialProvidersOperations { ensures CreateAwsKmsHierarchicalKeyringEnsuresPublicly(input, output) + predicate CreateAwsKmsRsaKeyringEnsuresPublicly(input: CreateAwsKmsRsaKeyringInput , output: Result) + // The private method to be refined by the library developer + + + method CreateAwsKmsRsaKeyring ( config: InternalConfig , input: CreateAwsKmsRsaKeyringInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) && ( input.kmsClient.Some? ==> + && input.kmsClient.value.ValidState() + ) + modifies ModifiesInternalConfig(config) , + (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) , + (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) + ensures + && ValidInternalConfig?(config) + && ( output.Success? ==> + && output.value.ValidState() + && fresh(output.value) + && fresh ( output.value.Modifies - ModifiesInternalConfig(config) - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) ) ) + ensures CreateAwsKmsRsaKeyringEnsuresPublicly(input, output) + + + predicate CreateAwsKmsEcdhKeyringEnsuresPublicly(input: CreateAwsKmsEcdhKeyringInput , output: Result) + // The private method to be refined by the library developer + + + method CreateAwsKmsEcdhKeyring ( config: InternalConfig , input: CreateAwsKmsEcdhKeyringInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + && input.kmsClient.ValidState() + modifies ModifiesInternalConfig(config) , + input.kmsClient.Modifies + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) , + input.kmsClient.Modifies + ensures + && ValidInternalConfig?(config) + && ( output.Success? ==> + && output.value.ValidState() + && fresh(output.value) + && fresh ( output.value.Modifies - ModifiesInternalConfig(config) - input.kmsClient.Modifies ) ) + ensures CreateAwsKmsEcdhKeyringEnsuresPublicly(input, output) + + predicate CreateMultiKeyringEnsuresPublicly(input: CreateMultiKeyringInput , output: Result) // The private method to be refined by the library developer @@ -2439,28 +2628,24 @@ abstract module AbstractAwsCryptographyMaterialProvidersOperations { ensures CreateRawRsaKeyringEnsuresPublicly(input, output) - predicate CreateAwsKmsRsaKeyringEnsuresPublicly(input: CreateAwsKmsRsaKeyringInput , output: Result) + predicate CreateRawEcdhKeyringEnsuresPublicly(input: CreateRawEcdhKeyringInput , output: Result) // The private method to be refined by the library developer - method CreateAwsKmsRsaKeyring ( config: InternalConfig , input: CreateAwsKmsRsaKeyringInput ) + method CreateRawEcdhKeyring ( config: InternalConfig , input: CreateRawEcdhKeyringInput ) returns (output: Result) requires - && ValidInternalConfig?(config) && ( input.kmsClient.Some? ==> - && input.kmsClient.value.ValidState() - ) - modifies ModifiesInternalConfig(config) , - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) , - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) + decreases ModifiesInternalConfig(config) ensures && ValidInternalConfig?(config) && ( output.Success? ==> && output.value.ValidState() && fresh(output.value) - && fresh ( output.value.Modifies - ModifiesInternalConfig(config) - (if input.kmsClient.Some? then input.kmsClient.value.Modifies else {}) ) ) - ensures CreateAwsKmsRsaKeyringEnsuresPublicly(input, output) + && fresh ( output.value.Modifies - ModifiesInternalConfig(config) ) ) + ensures CreateRawEcdhKeyringEnsuresPublicly(input, output) predicate CreateDefaultCryptographicMaterialsManagerEnsuresPublicly(input: CreateDefaultCryptographicMaterialsManagerInput , output: Result) diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/key-agreement-scheme.smithy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/key-agreement-scheme.smithy new file mode 100644 index 000000000..7675dd109 --- /dev/null +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/key-agreement-scheme.smithy @@ -0,0 +1,72 @@ +namespace aws.cryptography.materialProviders + +use aws.polymorph#javadoc + +// Key Agreement Schemes +@javadoc("Supported ECDH Key Agreement Schemes.") +union KeyAgreementScheme { + StaticConfiguration: StaticConfigurations +} + +@javadoc("Supported configurations for the StaticConfiguration Key Agreement Scheme.") +union StaticConfigurations { + AWS_KMS_ECDH: KmsEcdhStaticConfigurations, + RAW_ECDH: RawEcdhStaticConfigurations +} + +@javadoc("Allowed configurations when using KmsEcdhStaticConfigurations.") +union KmsEcdhStaticConfigurations { + KmsPublicKeyDiscovery: KmsPublicKeyDiscoveryInput, + KmsPrivateKeyToStaticPublicKey: KmsPrivateKeyToStaticPublicKeyInput, +} + +@javadoc("List of configurations when using RawEcdhStaticConfigurations.") +union RawEcdhStaticConfigurations { + PublicKeyDiscovery: PublicKeyDiscoveryInput, + RawPrivateKeyToStaticPublicKey: RawPrivateKeyToStaticPublicKeyInput, + EphemeralPrivateKeyToStaticPublicKey: EphemeralPrivateKeyToStaticPublicKeyInput +} + + +@javadoc("Inputs for creating a KmsPublicKeyDiscovery Configuration. This is a DECRYPT ONLY configuration.") +structure KmsPublicKeyDiscoveryInput { + @required + @javadoc("AWS KMS key identifier belonging to the recipient.") + recipientKmsIdentifier: KmsKeyId +} + +@javadoc("Inputs for creating a KmsPrivateKeyToStaticPublicKey Configuration.") +structure KmsPrivateKeyToStaticPublicKeyInput { + @required + @javadoc("AWS KMS Key Identifier belonging to the sender.") + senderKmsIdentifier: KmsKeyId, + @javadoc("Sender Public Key. This is the raw public ECC key in DER format that belongs to the senderKmsIdentifier.") + senderPublicKey: Blob, + @required + @javadoc("Recipient Public Key. This MUST be a raw public ECC key in DER format.") + recipientPublicKey: Blob, +} + +@javadoc("Inputs for creating a EphemeralPrivateKeyToStaticPublicKey Configuration.") +structure EphemeralPrivateKeyToStaticPublicKeyInput { + @required + @javadoc("The recipient's public key. MUST be DER encoded.") + recipientPublicKey: Blob, +} + +@javadoc("Inputs for creating a PublicKeyDiscovery Configuration.") +structure PublicKeyDiscoveryInput { + @required + @javadoc("The sender's private key. MUST be PEM encoded.") + recipientStaticPrivateKey: Blob, +} + +@javadoc("Inputs for creating a RawPrivateKeyToStaticPublicKey Configuration.") +structure RawPrivateKeyToStaticPublicKeyInput { + @required + @javadoc("The sender's private key. MUST be PEM encoded.") + senderStaticPrivateKey: Blob, + @required + @javadoc("The recipient's public key. MUST be DER encoded.") + recipientPublicKey: Blob, +} diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/keyrings.smithy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/keyrings.smithy index e43077222..d9903fa70 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/keyrings.smithy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/keyrings.smithy @@ -436,3 +436,46 @@ structure CreateRawAesKeyringInput { @javadoc("A list of grant tokens to be used when calling KMS.") grantTokens: GrantTokenList } + + @javadoc("Creates an AWS KMS ECDH Keyring, which wraps and unwraps data keys by deriving a shared data key from the established shared secret between parties through the ECDH protocol.") + operation CreateAwsKmsEcdhKeyring { + input: CreateAwsKmsEcdhKeyringInput, + output: CreateKeyringOutput + } + + @javadoc("Inputs for creating an AWS KMS ECDH Keyring.") + structure CreateAwsKmsEcdhKeyringInput { + + @required + @javadoc("The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated.") + KeyAgreementScheme: KmsEcdhStaticConfigurations, + + @required + @javadoc("The named curve that corresponds to the curve on which the sender's private and recipient's public key lie.") + curveSpec: aws.cryptography.primitives#ECDHCurveSpec, + + @required + @javadoc("The KMS Client this Keyring will use to call KMS.") + kmsClient: KmsClientReference, + + @javadoc("A list of grant tokens to be used when calling KMS.") + grantTokens: GrantTokenList + } + + @javadoc("Creates a Raw ECDH Keyring, which wraps and unwraps data keys by deriving a shared data key from the established shared secret between parties through the ECDH protocol.") + operation CreateRawEcdhKeyring { + input: CreateRawEcdhKeyringInput, + output: CreateKeyringOutput + } + + @javadoc("Inputs for creating a raw ECDH Keyring.") + structure CreateRawEcdhKeyringInput { + + @required + @javadoc("The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated.") + KeyAgreementScheme: RawEcdhStaticConfigurations, + + @required + @javadoc("The the curve on which the points for the sender's private and recipient's public key lie.") + curveSpec: aws.cryptography.primitives#ECDHCurveSpec, + } diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/material-provider.smithy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/material-provider.smithy index 2d082ad90..844753c2e 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/material-provider.smithy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/material-provider.smithy @@ -41,10 +41,12 @@ service AwsCryptographicMaterialProviders { CreateAwsKmsMrkDiscoveryKeyring, CreateAwsKmsMrkDiscoveryMultiKeyring, CreateAwsKmsHierarchicalKeyring, + CreateAwsKmsRsaKeyring, + CreateAwsKmsEcdhKeyring, CreateMultiKeyring, CreateRawAesKeyring, CreateRawRsaKeyring, - CreateAwsKmsRsaKeyring, + CreateRawEcdhKeyring, // CMMs CreateDefaultCryptographicMaterialsManager, diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/AwsCryptographyMaterialProvidersOperations.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/AwsCryptographyMaterialProvidersOperations.dfy index c5086de9f..4cc747bac 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/AwsCryptographyMaterialProvidersOperations.dfy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/AwsCryptographyMaterialProvidersOperations.dfy @@ -4,6 +4,7 @@ include "../Model/AwsCryptographyMaterialProvidersTypes.dfy" include "Keyrings/AwsKms/StrictMultiKeyring.dfy" include "Keyrings/MultiKeyring.dfy" +include "Keyrings/AwsKms/AwsKmsEcdhKeyring.dfy" include "Keyrings/AwsKms/AwsKmsKeyring.dfy" include "Keyrings/AwsKms/AwsKmsHierarchicalKeyring.dfy" include "Keyrings/AwsKms/AwsKmsUtils.dfy" @@ -17,6 +18,7 @@ include "Keyrings/AwsKms/MrkAwareDiscoveryMultiKeyring.dfy" include "Keyrings/AwsKms/AwsKmsRsaKeyring.dfy" include "Keyrings/RawAESKeyring.dfy" include "Keyrings/RawRSAKeyring.dfy" +include "Keyrings/RawECDHKeyring.dfy" include "CMMs/DefaultCMM.dfy" include "CMCs/LocalCMC.dfy" include "CMCs/SynchronizedLocalCMC.dfy" @@ -28,6 +30,7 @@ include "Commitment.dfy" include "AwsArnParsing.dfy" include "AlgorithmSuites.dfy" include "CMMs/RequiredEncryptionContextCMM.dfy" +include "Utils.dfy" module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptographyMaterialProvidersOperations { @@ -42,8 +45,10 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph import AwsKmsDiscoveryKeyring import AwsKmsMrkDiscoveryKeyring import AwsKmsRsaKeyring + import AwsKmsEcdhKeyring import RawAESKeyring import RawRSAKeyring + import RawECDHKeyring import opened C = DefaultCMM import LocalCMC import SynchronizedLocalCMC @@ -57,6 +62,7 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph import Commitment import AlgorithmSuites import opened AwsArnParsing + import opened Utils import Kms = Com.Amazonaws.Kms import Ddb = ComAmazonawsDynamodbTypes import RequiredEncryptionContextCMM @@ -286,6 +292,108 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph return Success(keyring); } + predicate CreateAwsKmsEcdhKeyringEnsuresPublicly(input: CreateAwsKmsEcdhKeyringInput, output: Result) + {true} + + method CreateAwsKmsEcdhKeyring(config: InternalConfig, input: CreateAwsKmsEcdhKeyringInput) + returns (output: Result) + { + var grantTokens :- GetValidGrantTokens(input.grantTokens); + var recipientPublicKey: KMS.PublicKeyType; + var senderPublicKey: Option; + var compressedSenderPublicKey: Option>; + + if { + case input.KeyAgreementScheme.KmsPublicKeyDiscovery? => + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#kmspublickeydiscovery + //# - MUST provide the recipient's AWS KMS key identifier + var _ :- ValidateKmsKeyId(input.KeyAgreementScheme.KmsPublicKeyDiscovery.recipientKmsIdentifier); + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#kmspublickeydiscovery + //# the keyring MUST call + //# `kms:GetPublicKey` on the recipient's configured KMS key ID. + // (blank line for duvet) + //# If the keyring fails to retrieve the public key, the keyring MUST fail. + recipientPublicKey :- GetEcdhPublicKey(input.kmsClient, input.KeyAgreementScheme.KmsPublicKeyDiscovery.recipientKmsIdentifier); + senderPublicKey := Option.None(); + compressedSenderPublicKey := Option.None(); + case input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey? => + if input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey.senderPublicKey.Some? { + :- Need( + KMS.IsValid_PublicKeyType( + input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey.senderPublicKey.value + ), + Types.AwsCryptographicMaterialProvidersException(message := "Invalid SenderPublicKey length.")); + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#kmsprivatekeytostaticpublickey + //# - MAY provide the sender's public key + //# - Public key MUST be DER-encoded [X.509 SubjectPublicKeyInfo](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1) + senderPublicKey := Some(input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey.senderPublicKey.value); + var compressedPKU :- RawECDHKeyring.CompressPublicKey(Crypto.ECCPublicKey(der := senderPublicKey.value), input.curveSpec, config.crypto); + compressedSenderPublicKey := Some(compressedPKU); + } else { + var _ :- ValidateKmsKeyId(input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey.senderKmsIdentifier); + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#kmsprivatekeytostaticpublickey + //# On initialization, if the keyring is not configured with + //# a sender public key, the keyring MUST call + //# `kms:GetPublicKey` on the sender's configured KMS key ID. + // (blank line for duvet) + //# If the keyring fails to retrieve the public key, the keyring MUST fail. + var senderPublicKeyResponse :- GetEcdhPublicKey(input.kmsClient, input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey.senderKmsIdentifier); + var compressedPKU :- RawECDHKeyring.CompressPublicKey(Crypto.ECCPublicKey(der := senderPublicKeyResponse), input.curveSpec, config.crypto); + senderPublicKey := Some(senderPublicKeyResponse); + compressedSenderPublicKey := Some(compressedPKU); + } + + :- Need( + KMS.IsValid_PublicKeyType( + input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey.recipientPublicKey + ), + Types.AwsCryptographicMaterialProvidersException(message := "Invalid RecipientPublicKey length.")); + recipientPublicKey := input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey.recipientPublicKey; + } + + var _ :- RawECDHKeyring.ValidatePublicKey( + config.crypto, + input.curveSpec, + recipientPublicKey + ); + + var compressedRecipientPublicKey :- RawECDHKeyring.CompressPublicKey( + Crypto.ECCPublicKey(der := recipientPublicKey), + input.curveSpec, + config.crypto + ); + + var senderKmsKeyId := if input.KeyAgreementScheme.KmsPublicKeyDiscovery? then Option.None() + else Some(input.KeyAgreementScheme.KmsPrivateKeyToStaticPublicKey.senderKmsIdentifier); + + if senderKmsKeyId.Some? { + var _ :- ValidateKmsKeyId(senderKmsKeyId.value); + } + + if senderPublicKey.Some? { + var _ :- RawECDHKeyring.ValidatePublicKey( + config.crypto, + input.curveSpec, + senderPublicKey.value + ); + } + + var keyring := new AwsKmsEcdhKeyring.AwsKmsEcdhKeyring( + input.KeyAgreementScheme, + input.curveSpec, + input.kmsClient, + grantTokens, + senderKmsKeyId, + senderPublicKey, + recipientPublicKey, + compressedSenderPublicKey, + compressedRecipientPublicKey, + config.crypto + ); + + return Success(keyring); + } + predicate CreateMultiKeyringEnsuresPublicly(input: CreateMultiKeyringInput, output: Result) {true} @@ -402,6 +510,102 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph return Success(keyring); } + predicate CreateRawEcdhKeyringEnsuresPublicly(input: CreateRawEcdhKeyringInput, output: Result) + {true} + + method CreateRawEcdhKeyring(config: InternalConfig, input: CreateRawEcdhKeyringInput) + returns (output: Result) + { + var recipientPublicKey: seq; + var senderPrivateKey: Option>; + var senderPublicKey: Option>; + var compressedSenderPublicKey: Option>; + + if { + case input.KeyAgreementScheme.RawPrivateKeyToStaticPublicKey? => + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#rawprivatekeytostaticpublickey + //# - MUST provide the recipient's public key + recipientPublicKey := input.KeyAgreementScheme.RawPrivateKeyToStaticPublicKey.recipientPublicKey; + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#rawprivatekeytostaticpublickey + //# - MUST provide the sender's static private key + senderPrivateKey := Option.Some(input.KeyAgreementScheme.RawPrivateKeyToStaticPublicKey.senderStaticPrivateKey); + var reproducedPublicKey :- GetPublicKey(input.curveSpec, Crypto.ECCPrivateKey(pem := senderPrivateKey.value), config.crypto); + var _ :- RawECDHKeyring.ValidatePublicKey( + config.crypto, + input.curveSpec, + reproducedPublicKey + ); + senderPublicKey := Some(reproducedPublicKey); + var compressedSenderPublicKey? :- RawECDHKeyring.CompressPublicKey( + Crypto.ECCPublicKey(der := reproducedPublicKey), + input.curveSpec, + config.crypto + ); + compressedSenderPublicKey := Some(compressedSenderPublicKey?); + case input.KeyAgreementScheme.EphemeralPrivateKeyToStaticPublicKey? => + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#ephemeralprivatekeytostaticpublickey + //# - MUST provide the recipient's public key + recipientPublicKey := input.KeyAgreementScheme.EphemeralPrivateKeyToStaticPublicKey.recipientPublicKey; + senderPrivateKey := Option.None(); + senderPublicKey := Option.None(); + compressedSenderPublicKey := Option.None(); + case input.KeyAgreementScheme.PublicKeyDiscovery? => + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#publickeydiscovery + //# - MUST provide the recipient's static private key + var reproducedPublicKey :- GetPublicKey(input.curveSpec, Crypto.ECCPrivateKey(pem := input.KeyAgreementScheme.PublicKeyDiscovery.recipientStaticPrivateKey), config.crypto); + recipientPublicKey := reproducedPublicKey; + senderPrivateKey := Option.None(); + senderPublicKey := Option.None(); + compressedSenderPublicKey := Option.None(); + } + + var compressedRecipientPublicKey :- RawECDHKeyring.CompressPublicKey( + Crypto.ECCPublicKey(der := recipientPublicKey), + input.curveSpec, + config.crypto + ); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#initialization + //# On initialization, the keyring MUST assert that the recipient's public key + //# and the sender's private key belong to the same ECC Curve, and that + //# the public key's ECC points are not the "points at infinity". + var _ :- RawECDHKeyring.ValidatePublicKey( + config.crypto, + input.curveSpec, + recipientPublicKey + ); + + if senderPublicKey.Some? { + var _ :- RawECDHKeyring.ValidatePublicKey( + config.crypto, + input.curveSpec, + senderPublicKey.value + ); + :- Need( + RawECDHKeyring.ValidPublicKeyLength(senderPublicKey.value), + Types.AwsCryptographicMaterialProvidersException(message := "Invalid sender public key length") + ); + } + + :- Need( + RawECDHKeyring.ValidPublicKeyLength(recipientPublicKey), + Types.AwsCryptographicMaterialProvidersException(message := "Invalid recipient public key length") + ); + + var keyring := new RawECDHKeyring.RawEcdhKeyring( + keyAgreementScheme := input.KeyAgreementScheme, + curveSpec := input.curveSpec, + senderPrivateKey := senderPrivateKey, + senderPublicKey := senderPublicKey, + recipientPublicKey := recipientPublicKey, + compressedSenderPublicKey := compressedSenderPublicKey, + compressedRecipientPublicKey := compressedRecipientPublicKey, + cryptoPrimitives := config.crypto + ); + + return Success(keyring); + } + predicate CreateAwsKmsRsaKeyringEnsuresPublicly(input: CreateAwsKmsRsaKeyringInput, output: Result) {true} diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/ErrorMessages.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/ErrorMessages.dfy index 2d8bcb050..b1b7bac35 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/ErrorMessages.dfy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/ErrorMessages.dfy @@ -14,6 +14,10 @@ module ErrorMessages { const IV_LENGTH := 12 const VERSION_LENGTH := 16 + const KMS_ECDH_DISCOVERY_ENCRYPT_ERROR := "KmsPublicKeyDiscovery Key Agreement Scheme is forbidden on encrypt." + const RAW_ECDH_DISCOVERY_ENCRYPT_ERROR := "PublicKeyDiscovery Key Agreement Scheme is forbidden on encrypt." + const RAW_ECDH_EPHEMERAL_DECRYPT_ERROR := "EphemeralPrivateKeyToStaticPublicKey Key Agreement Scheme is forbidden on decrypt." + function method IncorrectRawDataKeys(datakey: string, keyringName: string, keyProviderId: string) : string { diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/KeyWrapping/EcdhEdkWrapping.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/KeyWrapping/EcdhEdkWrapping.dfy new file mode 100644 index 000000000..6443b0d09 --- /dev/null +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/KeyWrapping/EcdhEdkWrapping.dfy @@ -0,0 +1,583 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +include "../../Model/AwsCryptographyMaterialProvidersTypes.dfy" +include "../Materials.dfy" +include "MaterialWrapping.dfy" +include "IntermediateKeyWrapping.dfy" +include "../Keyrings/AwsKms/Constants.dfy" + +// Helpers for implementing EDK wrapping for the ECDH Keyrings +module {:options "/functionSyntax:4" } EcdhEdkWrapping { + import opened StandardLibrary + import opened UInt = StandardLibrary.UInt + import opened Actions + import opened Wrappers + import opened MaterialWrapping + import opened IntermediateKeyWrapping + import opened Constants + import opened Seq + import opened AlgorithmSuites + import PrimitiveTypes = AwsCryptographyPrimitivesTypes + import Types = AwsCryptographyMaterialProvidersTypes + import Aws.Cryptography.Primitives + import Materials + + datatype EcdhUnwrapInfo = EcdhUnwrapInfo() + datatype EcdhWrapInfo = EcdhWrapInfo() + + class EcdhUnwrap + extends MaterialWrapping.UnwrapMaterial + { + const senderPublicKey: seq + const recipientPublicKey: seq + const sharedSecret: seq + const keyringVersion: seq + const curveSpec: PrimitiveTypes.ECDHCurveSpec + const crypto: Primitives.AtomicPrimitivesClient + + constructor( + senderPublicKey: seq, + recipientPublicKey: seq, + sharedSecret: seq, + keyringVersion: seq, + curveSpec: PrimitiveTypes.ECDHCurveSpec, + crypto: Primitives.AtomicPrimitivesClient + ) + requires crypto.ValidState() + ensures + && this.senderPublicKey == senderPublicKey + && this.recipientPublicKey == recipientPublicKey + && this.sharedSecret == sharedSecret + && this.keyringVersion == keyringVersion + && this.curveSpec == curveSpec + && this.crypto == crypto + ensures Invariant() + { + this.senderPublicKey := senderPublicKey; + this.recipientPublicKey := recipientPublicKey; + this.sharedSecret := sharedSecret; + this.keyringVersion := keyringVersion; + this.curveSpec := curveSpec; + this.crypto := crypto; + Modifies := crypto.Modifies; + } + + ghost predicate Invariant() + reads Modifies + decreases Modifies + { + && crypto.ValidState() + && crypto.Modifies == Modifies + } + + ghost predicate Ensures( + input: MaterialWrapping.UnwrapInput, + res: Result, Types.Error>, + attemptsState: seq, Types.Error>>> + ) + reads Modifies + decreases Modifies + { + res.Success? + ==> + && Invariant() + } + + method {:vcs_split_on_every_assert} Invoke( + input: MaterialWrapping.UnwrapInput, + ghost attemptsState: seq, Types.Error>>> + ) returns (res: Result, Types.Error>) + requires Invariant() + modifies Modifies + decreases Modifies + ensures Invariant() + ensures Ensures(input, res, attemptsState) + ensures res.Success? ==> + |res.value.unwrappedMaterial| == AlgorithmSuites.GetEncryptKeyLength(input.algorithmSuite) as nat + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //= type=implication + //# If the keyring cannot + //# serialize the encryption context, OnDecrypt MUST fail. + ensures CanonicalEncryptionContext.EncryptionContextToAAD(input.encryptionContext).Failure? ==> res.Failure? + { + var suite := input.algorithmSuite; + var wrappedMaterial := input.wrappedMaterial; + var aad := input.encryptionContext; + + :- Need( + |wrappedMaterial| > CIPHERTEXT_WRAPPED_MATERIAL_INDEX, + E("Recieved ciphertext is shorter than expected.") + ); + + var KeyLength := AlgorithmSuites.GetEncryptKeyLength(suite) as int; + + :- Need ( + |wrappedMaterial| > ECDH_WRAPPED_KEY_MATERIAL_INDEX + KeyLength, + Types.AwsCryptographicMaterialProvidersException(message := "Received EDK Ciphertext of incorrect length.") + ); + + var kdfNonce := wrappedMaterial[0..ECDH_COMMITMENT_KEY_INDEX]; + var iv := seq(ECDH_AES_256_ENC_ALG.ivLength as nat, _ => 0); // IV is zero + var commitmentKey := wrappedMaterial[ECDH_COMMITMENT_KEY_INDEX..ECDH_WRAPPED_KEY_MATERIAL_INDEX]; + var wrappedKey := wrappedMaterial[ECDH_WRAPPED_KEY_MATERIAL_INDEX..ECDH_WRAPPED_KEY_MATERIAL_INDEX+KeyLength]; + var authTag := wrappedMaterial[ECDH_WRAPPED_KEY_MATERIAL_INDEX+KeyLength..]; + + var curveSpecUtf8 :- UTF8.Encode( + CurveSpecTypeToString(this.curveSpec) + ).MapFailure(E); + var canonicalizedEC :- CanonicalEncryptionContext.EncryptionContextToAAD(input.encryptionContext); + + var fixedInfo := SerializeFixedInfo( + ECDH_KDF_UTF8, + curveSpecUtf8, + senderPublicKey, + recipientPublicKey, + canonicalizedEC, + keyringVersion + ); + + + var derivedKeyingMaterial :- DeriveSharedKeyingMaterial( + this.sharedSecret, + fixedInfo, + kdfNonce, + crypto + ); + + var calculatedCommitmentKey: seq := derivedKeyingMaterial[0..32]; + var sharedKeyingMaterial: seq := derivedKeyingMaterial[32..]; + + :- Need( + |calculatedCommitmentKey| == |commitmentKey|, + E("Calculated commitment key length does NOT match expected commitment key length") + ); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# The keyring MUST check that the calculated Commitment Key + //# from the key derivation step is equal to the deserialized commitment key + //# found in the encrypted data key. + var check?, _ := commitmentKeyCheck(calculatedCommitmentKey, commitmentKey); + :- Need( + check?, + E("Commitment keys do not match") + ); + + var maybeUnwrappedPdk := crypto.AESDecrypt( + PrimitiveTypes.AESDecryptInput( + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-unwrapping + //# The keyring MUST decrypt the encrypted data key with the shared wrapping key using `AES-GCM-256` with the following inputs: + encAlg := ECDH_AES_256_ENC_ALG, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-unwrapping + //# - It MUST use the shared wrapping key as the AES-GCM cipher key. + key := sharedKeyingMaterial, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-unwrapping + //# - It MUST use the `encrypted key` obtained from deserialization as the AES-GCM input ciphertext. + cipherTxt := wrappedKey, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-unwrapping + //# - It MUST use the `authentication tag` obtained from deserialization as the AES-GCM input authentication tag. + authTag := authTag, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-unwrapping + //# - It MUST use a zeroed out 12 byte IV + iv := iv, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-unwrapping + //# - MUST use the serialized [AAD](#branch-key-wrapping-and-unwrapping-aad) concatenated + //# with the `FixedInfo` used as part of the key derivation step concatenated with the keyring version found + //# in the key provider information. + aad := fixedInfo + ) + ); + var unwrappedPdk :- maybeUnwrappedPdk.MapFailure(e => Types.AwsCryptographyPrimitives(AwsCryptographyPrimitives := e)); + + :- Need( + |unwrappedPdk| == AlgorithmSuites.GetEncryptKeyLength(input.algorithmSuite) as nat, + E("Invalid Key Length") + ); + + var output := MaterialWrapping.UnwrapOutput( + unwrappedMaterial := unwrappedPdk, + unwrapInfo := EcdhUnwrapInfo() + ); + + return Success(output); + } + + method commitmentKeyCheck( + calculatedCommitmentKey: seq, serializedCommitmentKey: seq + ) returns (res: bool, ghost collectedCommitmentKey: seq) + requires |calculatedCommitmentKey| == |serializedCommitmentKey| + ensures |collectedCommitmentKey| == |serializedCommitmentKey| + ensures forall j | 0 <= j < |collectedCommitmentKey| :: collectedCommitmentKey[j] == calculatedCommitmentKey[j] as bv8 ^ serializedCommitmentKey[j] as bv8 + { + collectedCommitmentKey := []; + var diff? := 0; + for i := 0 to |serializedCommitmentKey| + invariant |collectedCommitmentKey| == i + invariant forall j | 0 <= j < i :: collectedCommitmentKey[j] == calculatedCommitmentKey[j] as bv8 ^ serializedCommitmentKey[j] as bv8 + { + diff? := diff? | (calculatedCommitmentKey[i] as bv8 ^ serializedCommitmentKey[i] as bv8); + collectedCommitmentKey := collectedCommitmentKey + [calculatedCommitmentKey[i] as bv8 ^ serializedCommitmentKey[i] as bv8]; + } + + res := diff? == 0; + } + } + + class EcdhGenerateAndWrapKeyMaterial + extends MaterialWrapping.GenerateAndWrapMaterial + { + const sharedSecret: seq + const fixedInfo: seq + const crypto: Primitives.AtomicPrimitivesClient + + constructor( + sharedSecret: seq, + fixedInfo: seq, + crypto: Primitives.AtomicPrimitivesClient + ) + requires crypto.ValidState() + ensures + && this.sharedSecret == sharedSecret + && this.fixedInfo == fixedInfo + && this.crypto == crypto + ensures Invariant() + { + this.sharedSecret := sharedSecret; + this.fixedInfo := fixedInfo; + this.crypto := crypto; + Modifies := crypto.Modifies; + } + + ghost predicate Invariant() + reads Modifies + decreases Modifies + { + && crypto.ValidState() + && crypto.Modifies == Modifies + } + + ghost predicate Ensures( + input: MaterialWrapping.GenerateAndWrapInput, + res: Result, Types.Error>, + attemptsState: seq, Types.Error>>> + ) + reads Modifies + decreases Modifies + { + res.Success? + ==> + && Invariant() + } + + method {:vcs_split_on_every_assert} Invoke( + input: MaterialWrapping.GenerateAndWrapInput, + ghost attemptsState: seq, Types.Error>>> + ) returns (res: Result, Types.Error>) + requires Invariant() + modifies Modifies + decreases Modifies + ensures Invariant() + ensures Ensures(input, res, attemptsState) + ensures res.Success? ==> |res.value.plaintextMaterial| == input.algorithmSuite.encrypt.AES_GCM.keyLength as nat + { + var suite := input.algorithmSuite; + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //= type=implication + //# If the [encryption materials](structures.md#encryption-materials) do not contain a plaintext data key, + //# OnEncrypt MUST generate a random plaintext data key. + var pdkResult := crypto + .GenerateRandomBytes(PrimitiveTypes.GenerateRandomBytesInput(length := GetEncryptKeyLength(suite))); + var pdk :- pdkResult.MapFailure(e => Types.AwsCryptographyPrimitives(AwsCryptographyPrimitives := e)); + + var wrap := new EcdhWrapKeyMaterial( + sharedSecret, + fixedInfo, + crypto + ); + + var wrapOutput: MaterialWrapping.WrapOutput :- wrap.Invoke( + MaterialWrapping.WrapInput( + plaintextMaterial := pdk, + algorithmSuite := input.algorithmSuite, + encryptionContext := input.encryptionContext + ), []); + + var output := MaterialWrapping.GenerateAndWrapOutput( + plaintextMaterial := pdk, + wrappedMaterial := wrapOutput.wrappedMaterial, + wrapInfo := wrapOutput.wrapInfo + ); + return Success(output); + } + } + + class EcdhWrapKeyMaterial + extends MaterialWrapping.WrapMaterial + { + const sharedSecret: seq + const fixedInfo: seq + const crypto: Primitives.AtomicPrimitivesClient + + constructor( + sharedSecret: seq, + fixedInfo: seq, + crypto: Primitives.AtomicPrimitivesClient + ) + requires crypto.ValidState() + ensures + && this.sharedSecret == sharedSecret + && this.fixedInfo == fixedInfo + && this.crypto == crypto + ensures Invariant() + { + this.sharedSecret := sharedSecret; + this.fixedInfo := fixedInfo; + this.crypto := crypto; + Modifies := crypto.Modifies; + } + + ghost predicate Invariant() + reads Modifies + decreases Modifies + { + && crypto.ValidState() + && crypto.Modifies == Modifies + } + + ghost predicate Ensures( + input: MaterialWrapping.WrapInput, + res: Result, Types.Error>, + attemptsState: seq, Types.Error>>> + ) + reads Modifies + decreases Modifies + { + res.Success? + ==> + && Invariant() + && 0 < |crypto.History.AESEncrypt| + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //= type=implication + //# The keyring MUST encrypt the plaintext data key + //# using AES-GCM and use the shared wrapping key as the wrapping key. + && Seq.Last(crypto.History.AESEncrypt).output.Success? + && var AESEncryptInput := Seq.Last(crypto.History.AESEncrypt).input; + && var AESEncryptOutput := Seq.Last(crypto.History.AESEncrypt).output.value; + && var iv := seq(ECDH_AES_256_ENC_ALG.ivLength as nat, _ => 0); + && AESEncryptInput.encAlg == ECDH_AES_256_ENC_ALG + && AESEncryptInput.msg == input.plaintextMaterial + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //= type=implication + //# - It MUST use a zeroed out 12 byte IV + && AESEncryptInput.iv == iv + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //= type=implication + // - It MUST use the serialized [encryption context](structures.md#encryption-context-1) as the additional authenticated data (AAD). + && AESEncryptInput.aad == fixedInfo + && |res.value.wrappedMaterial| > |AESEncryptOutput.cipherText| + |AESEncryptOutput.authTag| + } + + method {:vcs_split_on_every_assert} Invoke( + input: MaterialWrapping.WrapInput, + ghost attemptsState: seq, Types.Error>>> + ) returns (res: Result, Types.Error>) + requires Invariant() + modifies Modifies + decreases Modifies + ensures Invariant() + ensures Ensures(input, res, attemptsState) + { + var suite := input.algorithmSuite; + var canonicalizedEC :- CanonicalEncryptionContext.EncryptionContextToAAD(input.encryptionContext); + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //# Before deriving a shared wrapping key, the keyring MUST generate a 32 byte random salt value. + var maybeSalt := crypto.GenerateRandomBytes( + PrimitiveTypes.GenerateRandomBytesInput(length := KDF_SALT_LEN) + ); + + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //# If the keyring fails to generate a random value, the operation MUST fail. + var salt :- maybeSalt.MapFailure(e => Types.AwsCryptographyPrimitives(AwsCryptographyPrimitives := e)); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#onencrypt + //# The keyring MUST derive a data key according to the construction + //# #outlined by the [key agreement schemas](./key-agreement-schemas.md#key-derivation) + // (blank line for duvet) + //# #If the Key Derivation step fails, the keyring MUST fail. + var derivedKeyingMaterial :- DeriveSharedKeyingMaterial( + sharedSecret, + fixedInfo, + salt, + crypto + ); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //# The keyring MUST use the first 32 bytes as the Commitment Key. + var commitmentKey: seq := derivedKeyingMaterial[0..32]; + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //# The keyring MUST use the last 32 bytes as the Shared Wrapping Key. + var sharedKeyingMaterial: seq := derivedKeyingMaterial[32..]; + + var iv := seq(ECDH_AES_256_ENC_ALG.ivLength as nat, _ => 0); // IV is zero + + var maybeWrappedPdk := crypto.AESEncrypt( + PrimitiveTypes.AESEncryptInput( + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //# The keyring MUST encrypt a plaintext data key + //# using `AES-GCM-256` with the following inputs: + encAlg := ECDH_AES_256_ENC_ALG, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //# - It MUST use a zeroed out 12 byte IV + iv := iv, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //# - MUST use the shared wrapping key as the AES-GCM cipher key. + key := sharedKeyingMaterial, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //# - MUST use the plain text data key that will be wrapped by the shared wrapping key as the AES-GCM message. + msg := input.plaintextMaterial, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //# - MUST use the serialized [AAD](#branch-key-wrapping-and-unwrapping-aad) concatenated + //# with the `FixedInfo` used as part of the key derivation step concatenated with the keyring version found + //# in the key provider information. + aad := fixedInfo + ) + ); + + var wrappedPdk :- maybeWrappedPdk.MapFailure(e => Types.AwsCryptographyPrimitives(AwsCryptographyPrimitives := e)); + + var output := MaterialWrapping.WrapOutput( + wrappedMaterial := salt + commitmentKey + wrappedPdk.cipherText + wrappedPdk.authTag, + wrapInfo := EcdhWrapInfo() + ); + return Success(output); + } + } + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# The keyring MUST derive a shared wrapping key according to the construction + //# outlined by the [key agreement schemes](./key-agreement-schemas.md#key-derivation) + method {:vcs_split_on_every_assert} DeriveSharedKeyingMaterial( + sharedSecret: seq, + fixedInfo: seq, + salt: seq, + crypto: Primitives.AtomicPrimitivesClient + ) returns (res :Result, Types.Error>) + requires crypto.ValidState() + modifies crypto.Modifies + ensures crypto.ValidState() + ensures |crypto.History.KdfCounterMode| > 0 + ensures Last(crypto.History.KdfCounterMode).input + == PrimitiveTypes.KdfCtrInput( + digestAlgorithm := PrimitiveTypes.DigestAlgorithm.SHA_384, + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - MUST use the derived shared secret, Z + ikm := sharedSecret, + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - L: MUST be a length of 512 bits + expectedLength := KDF_EXPECTED_LEN, + purpose := Some(fixedInfo), + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - salt: MUST be a random 32 byte string + nonce := Some(salt) + ) + ensures res.Success? ==> + && Last(crypto.History.KdfCounterMode).output.Success? + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# If they Key Derivation step succeeds it MUST produce + //# keying material with a length of 64 bytes. + && |Last(crypto.History.KdfCounterMode).output.value| == KDF_EXPECTED_LEN as int + && |res.value| == |Last(crypto.History.KdfCounterMode).output.value| + { + var maybeDerivedKeyingMaterial := crypto.KdfCounterMode( + PrimitiveTypes.KdfCtrInput( + digestAlgorithm := PrimitiveTypes.DigestAlgorithm.SHA_384, + ikm := sharedSecret, + expectedLength := KDF_EXPECTED_LEN, + purpose := Some(fixedInfo), + nonce := Some(salt) + ) + ); + var derivedKeyingMaterial :- maybeDerivedKeyingMaterial.MapFailure(e => Types.AwsCryptographyPrimitives(AwsCryptographyPrimitives := e)); + res := Success(derivedKeyingMaterial); + } + + function SerializeFixedInfo( + ecdhKeyDerivationUtf8: UTF8.ValidUTF8Bytes, + curveSpecUtf8: UTF8.ValidUTF8Bytes, + senderPublicKey: seq, + recipientPublicKey: seq, + canonicalizedEC: seq, + keyringVersion: seq + ): (res: seq) + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# The FixedInfo field MUST be serialized in the following order: + ensures res == + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - MUST be the UTF8 encoded string "ecdh-key-derivation" + ecdhKeyDerivationUtf8 + + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - MUST use a null byte concatenating all the fixed info fields. + ECDH_KDF_DELIMETER + + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - MUST be the UTF8 encoded string of the configured curve specification + curveSpecUtf8 + + ECDH_KDF_DELIMETER + + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - MUST be the UTF8 encoded string of the configured Key Derivation Method used + ECDH_KDF_PRF_NAME + + ECDH_KDF_DELIMETER + + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - MUST be A concatenation of the static public keys used by the parties + //# in the format of sender followed by receiver + senderPublicKey + + recipientPublicKey + + ECDH_KDF_DELIMETER + + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - MUST use the keyring version found in the key provider information. + keyringVersion + + ECDH_KDF_DELIMETER + + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#key-derivation + //= type=implication + //# - MUST be The canonicalized encryption context found in the [encryption materials](structures.md#encryption-materials) + canonicalizedEC + { + ecdhKeyDerivationUtf8 + + ECDH_KDF_DELIMETER + + curveSpecUtf8 + + ECDH_KDF_DELIMETER + + ECDH_KDF_PRF_NAME + + ECDH_KDF_DELIMETER + + senderPublicKey + + recipientPublicKey + + ECDH_KDF_DELIMETER + + keyringVersion + + ECDH_KDF_DELIMETER + + canonicalizedEC + } + + function CurveSpecTypeToString(c: PrimitiveTypes.ECDHCurveSpec): string + { + match c { + case ECC_NIST_P256 => "p256" + case ECC_NIST_P384 => "p384" + case ECC_NIST_P521 => "p521" + case SM2 => "sm2" + } + } + + function E(s : string) : Types.Error { + Types.AwsCryptographicMaterialProvidersException(message := s) + } +} \ No newline at end of file diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsEcdhKeyring.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsEcdhKeyring.dfy new file mode 100644 index 000000000..0ef44d1c0 --- /dev/null +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsEcdhKeyring.dfy @@ -0,0 +1,704 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +include "../../Keyring.dfy" +include "../../Materials.dfy" +include "../../AlgorithmSuites.dfy" +include "../../KeyWrapping/EdkWrapping.dfy" +include "../../KeyWrapping/EcdhEdkWrapping.dfy" +include "Constants.dfy" +include "../../CanonicalEncryptionContext.dfy" +include "AwsKmsMrkMatchForDecrypt.dfy" +include "../../AwsArnParsing.dfy" +include "AwsKmsUtils.dfy" +include "../../ErrorMessages.dfy" +include "../RawECDHKeyring.dfy" + +include "../../../Model/AwsCryptographyMaterialProvidersTypes.dfy" + +module {:options "/functionSyntax:4" } AwsKmsEcdhKeyring { + import opened StandardLibrary + import opened Wrappers + import opened UInt = StandardLibrary.UInt + import opened AwsArnParsing + import opened AwsKmsUtils + import opened Seq + import opened Actions + import opened Constants + import opened A = AwsKmsMrkMatchForDecrypt + import opened AlgorithmSuites + import RawECDHKeyring + import Keyring + import Materials + import Types = AwsCryptographyMaterialProvidersTypes + import PrimitiveTypes = AwsCryptographyPrimitivesTypes + import KMS = ComAmazonawsKmsTypes + import UTF8 + import UUID + import EdkWrapping + import MaterialWrapping + import EcdhEdkWrapping + import ErrorMessages + import Aws.Cryptography.Primitives + import CanonicalEncryptionContext + + const AWS_KMS_ECDH_KEYRING_VERSION := RawECDHKeyring.RAW_ECDH_KEYRING_VERSION + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#interface + //= type=implication + //# MUST implement the [AWS Encryption SDK Keyring interface](../keyring-interface.md#interface) + class AwsKmsEcdhKeyring + extends Keyring.VerifiableInterface + { + const client: KMS.IKMSClient + const senderKmsKeyId: Option + const senderPublicKey: Option + const recipientPublicKey: KMS.PublicKeyType + const compressedSenderPublicKey: Option> + const compressedRecipientPublicKey: seq + const keyAgreementScheme: Types.KmsEcdhStaticConfigurations + const curveSpec: PrimitiveTypes.ECDHCurveSpec + const grantTokens: KMS.GrantTokenList + const cryptoPrimitives: Primitives.AtomicPrimitivesClient + + ghost predicate ValidState() + ensures ValidState() ==> History in Modifies + { + && History in Modifies + && client.ValidState() + && client.Modifies <= Modifies + && History !in client.Modifies + && cryptoPrimitives.ValidState() + && cryptoPrimitives.Modifies <= Modifies + && History !in cryptoPrimitives.Modifies + } + + constructor ( + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#initialization + //= type=implication + //# - MUST provide a [Key Agreement Schema](#key-agreement-schema) + KeyAgreementScheme: Types.KmsEcdhStaticConfigurations, + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#initialization + //= type=implication + //# - MUST provide a [Curve Specification](#curve-specification) + curveSpec: PrimitiveTypes.ECDHCurveSpec, + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#initialization + //= type=implication + //# - MUST provide an AWS KMS SDK client + client: KMS.IKMSClient, + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#initialization + //= type=implication + //# - MAY provide a list of Grant Tokens + grantTokens: KMS.GrantTokenList, + + senderKmsKeyId: Option, + senderPublicKey: Option, + recipientPublicKey: KMS.PublicKeyType, + compressedSenderPublicKey: Option>, + compressedRecipientPublicKey: seq, + cryptoPrimitives : Primitives.AtomicPrimitivesClient + ) + requires client.ValidState() + requires cryptoPrimitives.ValidState() + requires KMS.IsValid_PublicKeyType(recipientPublicKey) + requires senderPublicKey.Some? ==> KMS.IsValid_PublicKeyType(senderPublicKey.value) + requires |recipientPublicKey| < UINT32_LIMIT + ensures ValidState() && fresh(this) && fresh(History) + && fresh(Modifies - client.Modifies - cryptoPrimitives.Modifies) + { + this.keyAgreementScheme := KeyAgreementScheme; + this.curveSpec := curveSpec; + + this.client := client; + this.grantTokens := grantTokens; + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#initialization + //= type=implication + //# the keyring MUST set the recipient's public key on the keyring. + this.recipientPublicKey := recipientPublicKey; + this.senderPublicKey := senderPublicKey; + this.compressedSenderPublicKey := compressedSenderPublicKey; + this.compressedRecipientPublicKey := compressedRecipientPublicKey; + this.senderKmsKeyId := senderKmsKeyId; + this.cryptoPrimitives := cryptoPrimitives; + + History := new Types.IKeyringCallHistory(); + Modifies := {History}; + Modifies := Modifies + client.Modifies + cryptoPrimitives.Modifies; + } + + ghost predicate OnEncryptEnsuresPublicly ( input: Types.OnEncryptInput , output: Result ) {true} + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# OnEncrypt MUST take [encryption materials](structures.md#encryption-materials) as input. + method {:vcs_split_on_every_assert} OnEncrypt'(input: Types.OnEncryptInput) + returns (res: Result) + requires ValidState() + modifies Modifies - {History} + decreases Modifies - {History} + ensures ValidState() + ensures OnEncryptEnsuresPublicly(input, res) + ensures unchanged(History) + ensures res.Success? + ==> + && Materials.ValidEncryptionMaterialsTransition( + input.materials, + res.value.materials + ) + ensures StringifyEncryptionContext(input.materials.encryptionContext).Failure? + ==> + res.Failure? + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# OnEncrypt MUST fail if configured with a + //# [KmsPublicKeyDiscovery Key Agreement Configuration](../key-agreement-schemas.md#kmspublickeydiscovery) + ensures this.keyAgreementScheme.KmsPublicKeyDiscovery? ==> res.Failure? + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# If the keyring cannot serialize + //# the encryption context, OnEncrypt MUST fail. + ensures CanonicalEncryptionContext.EncryptionContextToAAD(input.materials.encryptionContext).Failure? ==> res.Failure? + { + :- Need( + !keyAgreementScheme.KmsPublicKeyDiscovery?, + E("KmsPublicKeyDiscovery Key Agreement Scheme is forbidden on encrypt.") + ); + + // Impossible to hit on encrypt, but dafny has a hard time inferring that if we are not discovery we + // will have senderKmsKeyId. + :- Need( + this.senderKmsKeyId.Some?, + E("Keyring MUST be configured with a sender KMS Key ID") + ); + // Impossible to hit on encrypt, but dafny has a hard time inferring that if we are not discovery we + // will have senderKmsKeyId. + :- Need( + this.senderPublicKey.Some?, + E("Keyring MUST be configured with a senderPublicKey") + ); + + var senderKmsKeyId := this.senderKmsKeyId.value; + + var materials := input.materials; + var suite := input.materials.algorithmSuite; + var stringifiedEncCtx :- StringifyEncryptionContext(input.materials.encryptionContext); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //# If the call to KMS DeriveSharedSecret fails, the keyring MUST fail. + var sharedSecret :- DeriveSharedSecret( + client, + senderKmsKeyId, + recipientPublicKey, + grantTokens + ); + + var operationCompressedSenderPublicKey := if this.compressedSenderPublicKey.None? then [] + else this.compressedSenderPublicKey.value; + + var curveSpecUtf8 :- UTF8.Encode( + RawECDHKeyring.CurveSpecTypeToString(this.curveSpec) + ).MapFailure(WrapStringToError); + var canonicalizedEC :- CanonicalEncryptionContext.EncryptionContextToAAD(input.materials.encryptionContext); + + var fixedInfo := EcdhEdkWrapping.SerializeFixedInfo( + ECDH_KDF_UTF8, + curveSpecUtf8, + operationCompressedSenderPublicKey, + this.compressedRecipientPublicKey, + canonicalizedEC, + AWS_KMS_ECDH_KEYRING_VERSION + ); + + var ecdhGenerateAndWrap := new EcdhEdkWrapping.EcdhGenerateAndWrapKeyMaterial( + sharedSecret, + fixedInfo, + cryptoPrimitives + ); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //# The keyring MUST perform data key wrapping according to the [Data Key Wrapping section](../raw-ecdh-keyring.md#data-key-wrapping). + var ecdhWrap := new EcdhEdkWrapping.EcdhWrapKeyMaterial( + sharedSecret, + fixedInfo, + cryptoPrimitives + ); + + var wrapOutput :- EdkWrapping.WrapEdkMaterial( + encryptionMaterials := materials, + wrap := ecdhWrap, + generateAndWrap := ecdhGenerateAndWrap + ); + + var symmetricSigningKeyList := + if wrapOutput.symmetricSigningKey.Some? then + Some([wrapOutput.symmetricSigningKey.value]) + else + None; + + // Impossible to hit but needed for verification. Come back and prove properly. + :- Need( + && RawECDHKeyring.ValidCompressedPublicKeyLength(operationCompressedSenderPublicKey) + && RawECDHKeyring.ValidCompressedPublicKeyLength(compressedRecipientPublicKey), + E("Invalid compressed public key length.") + ); + + var edk := Types.EncryptedDataKey( + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //# - The [key provider id](../structures.md#key-provider-id) MUST be the UTF8 encoded string "aws-kms-ecdh". + keyProviderId := KMS_ECDH_PROVIDER_ID, + keyProviderInfo := RawECDHKeyring.SerializeProviderInfo(operationCompressedSenderPublicKey, compressedRecipientPublicKey), + ciphertext := wrapOutput.wrappedMaterial + ); + + if (wrapOutput.GenerateAndWrapEdkMaterialOutput?) { + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //# OnEncrypt MUST append a new [encrypted data key](../structures.md#encrypted-data-key) + //# to the encrypted data key list in the [encryption materials](../structures.md#encryption-materials) + var result :- Materials.EncryptionMaterialAddDataKey( + materials, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //# If the keyring successfully wraps the plaintext data key it MUST set it on the [encryption materials](structures.md#encryption-materials). + wrapOutput.plaintextDataKey, + [edk], + symmetricSigningKeyList + ); + return Success(Types.OnEncryptOutput( + materials := result + )); + } else if (wrapOutput.WrapOnlyEdkMaterialOutput?) { + var result :- Materials.EncryptionMaterialAddEncryptedDataKeys( + materials, + [edk], + symmetricSigningKeyList + ); + return Success(Types.OnEncryptOutput( + materials := result + )); + } + } + + ghost predicate OnDecryptEnsuresPublicly ( input: Types.OnDecryptInput , output: Result ) {true} + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt + //= type=implication + //# OnDecrypt MUST take [decryption materials] + //# (../structures.md#decryption-materials) and a list of [encrypted data + //# keys](../structures.md#encrypted-data-key) as input. + method {:vcs_split_on_every_assert} OnDecrypt'( + input: Types.OnDecryptInput + ) + returns (res: Result) + requires ValidState() + modifies Modifies - {History} + decreases Modifies - {History} + ensures ValidState() + ensures OnDecryptEnsuresPublicly(input, res) + ensures unchanged(History) + ensures res.Success? + ==> + && Materials.DecryptionMaterialsTransitionIsValid( + input.materials, + res.value.materials + ) + { + var materials := input.materials; + var suite := input.materials.algorithmSuite; + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# If the decryption materials already contain a plaintext data key, + //# OnDecrypt MUST fail + //# and MUST NOT modify the [decryption materials](structures.md#decryption-materials). + :- Need( + Materials.DecryptionMaterialsWithoutPlaintextDataKey(materials), + E("Keyring received decryption materials that already contain a plaintext data key.") + ); + + var filter := new OnDecryptEcdhDataKeyFilter( + keyAgreementScheme, this.compressedRecipientPublicKey, this.compressedSenderPublicKey + ); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# The set of encrypted data keys MUST first be filtered to match this keyring’s configuration. + //# For the encrypted data key to match: + var edksToAttempt :- FilterWithResult(filter, input.encryptedDataKeys); + + if (0 == |edksToAttempt|) { + var errorMessage :- ErrorMessages.IncorrectDataKeys(input.encryptedDataKeys, input.materials.algorithmSuite); + return Failure(E(errorMessage)); + } + + var decryptClosure := new DecryptSingleEncryptedDataKey( + materials, + cryptoPrimitives, + this.compressedRecipientPublicKey, + client, + grantTokens, + keyAgreementScheme, + curveSpec + ); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# For each encrypted data key in the filtered set, one at a time, the OnDecrypt MUST attempt to decrypt the data key. + //# If this attempt results in an error, then these errors MUST be collected. + var outcome, attempts := ReduceToSuccess( + decryptClosure, + edksToAttempt + ); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# If OnDecrypt fails to successfully decrypt any encrypted data key, + //# then it MUST yield an error that includes all the collected errors. + var SealedDecryptionMaterials :- outcome + .MapFailure(errors => Types.CollectionOfErrors( + list := errors, + message := "No Configured KMS Key was able to decrypt the Data Key. The list of encountered Exceptions is available via `list`." + ) + ); + + assert decryptClosure.Ensures(Last(attempts).input, Success(SealedDecryptionMaterials), DropLast(attempts)); + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# If the response does satisfy these requirements then OnDecrypt: + // (blank line for duvet) + //# - MUST set the plaintext data key on the [decryption materials](./structures.md#decryption-materials) + //# - MUST immediately return the modified [decryption materials](../structures.md#decryption-materials). + return Success(Types.OnDecryptOutput( + materials := SealedDecryptionMaterials + )); + } + } + + method {:vcs_split_on_every_assert} DeriveSharedSecret( + client: KMS.IKMSClient, + senderAwsKmsKey: AwsKmsIdentifierString, + recipientPublicKey: seq, + grantTokens: KMS.GrantTokenList + ) + returns (res :Result, Types.Error>) + requires client.ValidState() + requires KMS.IsValid_PublicKeyType(recipientPublicKey) + modifies client.Modifies + ensures client.ValidState() + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# To attempt to generate a shared secret, + //# OnEncrypt MUST call [AWS KMS DeriveSharedSecret]() + //# the keyring MUST call with a request constructed as follows: + ensures res.Success? ==> + && 0 < |client.History.DeriveSharedSecret| + && Last(client.History.DeriveSharedSecret).input + == KMS.DeriveSharedSecretRequest( + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# - `KeyId` MUST be the configured AWS KMS key identifier in the schema + KeyId := senderAwsKmsKey, + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# - `KeyAgreementAlgorithm` MUST be "ECDH" + KeyAgreementAlgorithm := KMS.KeyAgreementAlgorithmSpec.ECDH, + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# - `PublicKey` MUST be the configured Recipient Public Key on the schema + PublicKey := recipientPublicKey, + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# - `GrantTokens` MUST be this keyring's [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token). + GrantTokens := Some(grantTokens) + ) + { + var deriveSharedSecretRequest := KMS.DeriveSharedSecretRequest( + KeyId := senderAwsKmsKey, + KeyAgreementAlgorithm := KMS.KeyAgreementAlgorithmSpec.ECDH, + PublicKey := recipientPublicKey, + GrantTokens := Some(grantTokens) + ); + + var maybeDeriveSharedSecret := client.DeriveSharedSecret(deriveSharedSecretRequest); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //= type=implication + //# If the call to KMS DeriveSharedSecret fails, the keyring MUST fail. + var deriveSharedSecretResponse :- maybeDeriveSharedSecret + .MapFailure(e => Types.ComAmazonawsKms( ComAmazonawsKms := e )); + + :- Need( + && deriveSharedSecretResponse.KeyId.Some? + && deriveSharedSecretResponse.SharedSecret.Some? + && deriveSharedSecretResponse.KeyAgreementAlgorithm.Some? + && deriveSharedSecretResponse.KeyId.value == senderAwsKmsKey + && deriveSharedSecretResponse.KeyAgreementAlgorithm.value == KMS.KeyAgreementAlgorithmSpec.ECDH, + E(s := "Invalid response from KMS DeriveSharedSecret") + ); + + return Success(deriveSharedSecretResponse.SharedSecret.value); + } + + class DecryptSingleEncryptedDataKey + extends ActionWithResult< + Types.EncryptedDataKey, + Materials.SealedDecryptionMaterials, + Types.Error> + { + const materials: Materials.DecryptionMaterialsPendingPlaintextDataKey + const cryptoPrimitives: Primitives.AtomicPrimitivesClient + const senderPublicKey: seq + const recipientPublicKey: seq + const client: KMS.IKMSClient + const grantTokens: KMS.GrantTokenList + const keyAgreementScheme: Types.KmsEcdhStaticConfigurations + const curveSpec: PrimitiveTypes.ECDHCurveSpec + + constructor( + materials: Materials.DecryptionMaterialsPendingPlaintextDataKey, + cryptoPrimitives: Primitives.AtomicPrimitivesClient, + recipientPublicKey: seq, + client: KMS.IKMSClient, + grantTokens: KMS.GrantTokenList, + keyAgreementScheme: Types.KmsEcdhStaticConfigurations, + curveSpec: PrimitiveTypes.ECDHCurveSpec + ) + requires cryptoPrimitives.ValidState() && client.ValidState() + ensures + && this.materials == materials + && this.cryptoPrimitives == cryptoPrimitives + && this.recipientPublicKey == recipientPublicKey + && this.keyAgreementScheme == keyAgreementScheme + && this.client == client + && this.curveSpec == curveSpec + && this.grantTokens == grantTokens + ensures Invariant() + { + this.materials := materials; + this.cryptoPrimitives := cryptoPrimitives; + this.recipientPublicKey := recipientPublicKey; + this.keyAgreementScheme := keyAgreementScheme; + this.client := client; + this.curveSpec := curveSpec; + this.grantTokens := grantTokens; + Modifies := cryptoPrimitives.Modifies + client.Modifies; + } + + ghost predicate Invariant() + reads Modifies + decreases Modifies + { + && cryptoPrimitives.ValidState() && client.ValidState() + && cryptoPrimitives.Modifies + client.Modifies == Modifies + } + + ghost predicate Ensures( + edk: Types.EncryptedDataKey, + res: Result, + attemptsState: seq>> + ) + reads Modifies + decreases Modifies + { + res.Success? + ==> + && Invariant() + && Materials.DecryptionMaterialsTransitionIsValid(materials, res.value) + + } + method {:vcs_split_on_every_assert} Invoke( + edk: Types.EncryptedDataKey, + ghost attemptsState: seq>> + ) returns (res: Result) + requires Invariant() + modifies Modifies + decreases Modifies + ensures Invariant() + ensures Ensures(edk, res, attemptsState) + { + :- Need ( + UTF8.ValidUTF8Seq(edk.keyProviderId), + Types.AwsCryptographicMaterialProvidersException(message := "Received invalid EDK provider id for AWS KMS ECDH Keyring") + ); + + var suite := materials.algorithmSuite; + var keyProviderId := edk.keyProviderId; + var providerInfo := edk.keyProviderInfo; + var ciphertext := edk.ciphertext; + + var providerWrappedMaterial :- EdkWrapping.GetProviderWrappedMaterial(ciphertext, suite); + + :- Need( + && |providerInfo| <= ECDH_PROVIDER_INFO_521_LEN as int + && RawECDHKeyring.ValidProviderInfoLength(providerInfo), + E("EDK ProviderInfo longer than expected") + ); + + var keyringVersion := providerInfo[0]; + :- Need( + [keyringVersion] == AWS_KMS_ECDH_KEYRING_VERSION, + E("Incorrect Keyring version found in provider info.") + ); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# - The [ciphertext](#ciphertext) and [key provider information](#key-provider-information) MUST be successfully deserialized. + var recipientPublicKeyLength := SeqToUInt32(providerInfo[ECDH_PROVIDER_INFO_RPL_INDEX..ECDH_PROVIDER_INFO_RPK_INDEX]) as int; + var recipientPublicKeyLengthIndex := ECDH_PROVIDER_INFO_RPK_INDEX as int + recipientPublicKeyLength; + var senderPublicKeyIndex := recipientPublicKeyLengthIndex + ECDH_PROVIDER_INFO_PUBLIC_KEY_LEN as int; + :- Need( + recipientPublicKeyLengthIndex + 4 < |providerInfo|, + E("Key Provider Info Serialization Error. Serialized length less than expected.") + ); + var providerInfoRecipientPublicKey := providerInfo[ECDH_PROVIDER_INFO_RPK_INDEX..recipientPublicKeyLengthIndex]; + var providerInfoSenderPublicKey := providerInfo[senderPublicKeyIndex..]; + + var senderPublicKey :- RawECDHKeyring.DecompressPublicKey(providerInfoSenderPublicKey, this.curveSpec, this.cryptoPrimitives); + var recipientPublicKey :- RawECDHKeyring.DecompressPublicKey(providerInfoRecipientPublicKey, this.curveSpec, this.cryptoPrimitives); + + var _ :- RawECDHKeyring.ValidatePublicKey( + this.cryptoPrimitives, + this.curveSpec, + senderPublicKey + ); + + var _ :- RawECDHKeyring.ValidatePublicKey( + this.cryptoPrimitives, + this.curveSpec, + recipientPublicKey + ); + + :- Need( + && KMS.IsValid_PublicKeyType(senderPublicKey) + && KMS.IsValid_PublicKeyType(this.recipientPublicKey), + E("Received serialized sender public key of incorrect length") + ); + + var sharedSecretPublicKey: seq; + var sharedSecretKmsKeyId; + if { + case this.keyAgreementScheme.KmsPublicKeyDiscovery? => + var _ :- ValidateKmsKeyId(this.keyAgreementScheme.KmsPublicKeyDiscovery.recipientKmsIdentifier); + sharedSecretPublicKey := senderPublicKey; + sharedSecretKmsKeyId := this.keyAgreementScheme.KmsPublicKeyDiscovery.recipientKmsIdentifier; + case this.keyAgreementScheme.KmsPrivateKeyToStaticPublicKey? => + var _ :- ValidateKmsKeyId(this.keyAgreementScheme.KmsPrivateKeyToStaticPublicKey.senderKmsIdentifier); + sharedSecretKmsKeyId := this.keyAgreementScheme.KmsPrivateKeyToStaticPublicKey.senderKmsIdentifier; + if this.keyAgreementScheme.KmsPrivateKeyToStaticPublicKey.recipientPublicKey == recipientPublicKey { + sharedSecretPublicKey := recipientPublicKey; + } else { + sharedSecretPublicKey := senderPublicKey; + } + } + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# The keyring MUST derive the shared secret + //# by calling [AWS KMS DeriveSharedSecret]() + var sharedSecret :- DeriveSharedSecret( + client, sharedSecretKmsKeyId, sharedSecretPublicKey, grantTokens + ); + + var ecdhUnwrap := new EcdhEdkWrapping.EcdhUnwrap( + providerInfoSenderPublicKey, + providerInfoRecipientPublicKey, + sharedSecret, + AWS_KMS_ECDH_KEYRING_VERSION, + curveSpec, + cryptoPrimitives + ); + + var unwrapOutputRes := RawECDHKeyring.EdkWrapping.UnwrapEdkMaterial( + edk.ciphertext, + materials, + ecdhUnwrap + ); + + var unwrapOutput :- unwrapOutputRes; + + var result :- Materials.DecryptionMaterialsAddDataKey(materials, unwrapOutput.plaintextDataKey, unwrapOutput.symmetricSigningKey); + return Success(result); + } + } + + class OnDecryptEcdhDataKeyFilter + extends DeterministicActionWithResult + { + const keyAgreementScheme: Types.KmsEcdhStaticConfigurations + const compressedRecipientPublicKey: seq + const compressedSenderPublicKey: seq + + constructor( + keyAgreementScheme: Types.KmsEcdhStaticConfigurations, + compressedRecipientPublicKey: seq, + compressedSenderPublicKey: Option> + ) + { + this.keyAgreementScheme := keyAgreementScheme; + this.compressedRecipientPublicKey := compressedRecipientPublicKey; + if compressedSenderPublicKey.Some? { + this.compressedSenderPublicKey := compressedSenderPublicKey.value; + } else { + this.compressedSenderPublicKey := []; + } + } + + ghost predicate Ensures( + edk: Types.EncryptedDataKey, + res: Result + ) { + && ( + && res.Success? + && res.value + ==> + (edk.keyProviderId == KMS_ECDH_PROVIDER_ID || + edk.keyProviderId == RAW_ECDH_PROVIDER_ID) + ) + } + + method {:vcs_split_on_every_assert} Invoke(edk: Types.EncryptedDataKey) + returns (res: Result) + ensures Ensures(edk, res) + { + var providerInfo := edk.keyProviderInfo; + var providerId := edk.keyProviderId; + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# - The key provider ID of the encrypted data key MUST have a value equal to the UTF8 encoded strings `raw-ecdh` OR `aws-kms-ecdh`. + if ((providerId != RAW_ECDH_PROVIDER_ID) && (providerId != KMS_ECDH_PROVIDER_ID)) { + return Success(false); + } + + :- Need( + && |providerInfo| <= ECDH_PROVIDER_INFO_521_LEN as int + && RawECDHKeyring.ValidProviderInfoLength(providerInfo), + E("EDK ProviderInfo longer than expected") + ); + + var keyringVersion := providerInfo[0]; + :- Need( + [keyringVersion] == AWS_KMS_ECDH_KEYRING_VERSION, + E("Incorrect Keyring version found in provider info.") + ); + + var recipientPublicKeyLength := SeqToUInt32(providerInfo[ECDH_PROVIDER_INFO_RPL_INDEX..ECDH_PROVIDER_INFO_RPK_INDEX]) as int; + var recipientPublicKeyLengthIndex := ECDH_PROVIDER_INFO_RPK_INDEX as int + recipientPublicKeyLength; + var senderPublicKeyIndex := recipientPublicKeyLengthIndex + ECDH_PROVIDER_INFO_PUBLIC_KEY_LEN as int; + :- Need( + recipientPublicKeyLengthIndex + 4 < |providerInfo|, + E("Key Provider Info Serialization Error. Serialized length less than expected.") + ); + var providerInfoRecipientPublicKey := providerInfo[ECDH_PROVIDER_INFO_RPK_INDEX..recipientPublicKeyLengthIndex]; + var providerInfoSenderPublicKey := providerInfo[senderPublicKeyIndex..]; + + if this.keyAgreementScheme.KmsPublicKeyDiscovery? { + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#kmspublickeydiscovery + //# - MUST verify that the configured recipient's public key + //# matches the public key stored on the message ciphertext. + return Success(this.compressedRecipientPublicKey == providerInfoRecipientPublicKey); + } else { + return Success( + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#kmsprivatekeytostaticpublickey + //# - MUST verify that both the configured sender's and recipient's + //# public keys match the public keys stored on the message ciphertext. + (this.compressedSenderPublicKey == providerInfoSenderPublicKey && this.compressedRecipientPublicKey == providerInfoRecipientPublicKey) || + (this.compressedSenderPublicKey == providerInfoRecipientPublicKey && this.compressedRecipientPublicKey == providerInfoSenderPublicKey) + ); + } + } + } + + function E(s : string) : Types.Error { + Types.AwsCryptographicMaterialProvidersException(message := s) + } +} \ No newline at end of file diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsKeyring.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsKeyring.dfy index 65deeaff4..c4c3f0d4b 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsKeyring.dfy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsKeyring.dfy @@ -917,6 +917,8 @@ module AwsKmsKeyring { var maybeGenerateResponse := client.GenerateDataKey(generatorRequest); + + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#onencrypt //# If the call to [AWS KMS GenerateDataKey] //# (https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) @@ -949,6 +951,13 @@ module AwsKmsKeyring { message := "Invalid response from AWS KMS GeneratedDataKey: Invalid ciphertext") ); + :- Need( + && generateResponse.CiphertextForRecipient.None?, + Types.AwsCryptographicMaterialProvidersException( + message := "Invalid response from AWS KMS GeneratedDataKey: Invalid CiphertextForRecipient") + + ); + var output := MaterialWrapping.GenerateAndWrapOutput( plaintextMaterial := generateResponse.Plaintext.value, wrappedMaterial := generateResponse.CiphertextBlob.value, diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsUtils.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsUtils.dfy index 10573e304..6dd0a687b 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsUtils.dfy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsUtils.dfy @@ -10,9 +10,10 @@ module AwsKmsUtils { import opened UInt = StandardLibrary.UInt import opened Actions import opened A = AwsKmsMrkMatchForDecrypt + import opened AwsArnParsing + import opened Seq import Types = AwsCryptographyMaterialProvidersTypes import KMS = Types.ComAmazonawsKmsTypes - import AwsArnParsing import UTF8 function method StringifyEncryptionContext(utf8EncCtx: Types.EncryptionContext): @@ -91,6 +92,55 @@ module AwsKmsUtils { Success(tokens) } + method GetEcdhPublicKey( + client: KMS.IKMSClient, + awsKmsKey: AwsKmsIdentifierString + ) returns (res :Result) + requires client.ValidState() + modifies client.Modifies + ensures client.ValidState() + ensures res.Success? ==> + && 0 < |client.History.GetPublicKey| + && Last(client.History.GetPublicKey).input + == KMS.GetPublicKeyRequest( + KeyId := awsKmsKey, + GrantTokens := None + ) + && Last(client.History.GetPublicKey).output.Success? + && var getPublicKeyResponse := Last(client.History.GetPublicKey).output.value; + && getPublicKeyResponse.KeyId.Some? + && getPublicKeyResponse.KeyId.value == awsKmsKey + && getPublicKeyResponse.KeyUsage.Some? + && getPublicKeyResponse.KeyUsage.value == KMS.KeyUsageType.KEY_AGREEMENT + && getPublicKeyResponse.PublicKey.Some? + && var publicKey := getPublicKeyResponse.PublicKey.value; + && KMS.IsValid_PublicKeyType(publicKey); + { + var getPublicKeyRequest := KMS.GetPublicKeyRequest( + KeyId := awsKmsKey, + GrantTokens := None + ); + + var maybePublicKeyResponse := client.GetPublicKey( + getPublicKeyRequest + ); + + var getPublicKeyResponse :- maybePublicKeyResponse + .MapFailure(e => Types.ComAmazonawsKms( ComAmazonawsKms := e )); + + :- Need( + && getPublicKeyResponse.KeyId.Some? + && getPublicKeyResponse.KeyId.value == awsKmsKey + && getPublicKeyResponse.KeyUsage.Some? + && getPublicKeyResponse.KeyUsage.value == KMS.KeyUsageType.KEY_AGREEMENT + && getPublicKeyResponse.PublicKey.Some?, + Types.AwsCryptographicMaterialProvidersException( + message := "Invalid response from KMS GetPublicKey") + ); + + return Success(getPublicKeyResponse.PublicKey.value); + } + function method ParseKeyNamespaceAndName(keyNamespace: string, keyName: string) : (res: Result<(UTF8.ValidUTF8Bytes, UTF8.ValidUTF8Bytes), Types.Error>) ensures res.Success? ==> diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/Constants.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/Constants.dfy index 5a7afb79a..0743bdcec 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/Constants.dfy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/Constants.dfy @@ -8,6 +8,45 @@ module Constants { import UTF8 import Types = AwsCryptographyMaterialProvidersTypes import AwsArnParsing + import opened UInt = StandardLibrary.UInt + import PrimitiveTypes = AwsCryptographyPrimitivesTypes + + const UINT32_TO_SEQ_LEN := 4 + const KDF_SALT_LEN: int32 := 32 + const KDF_EXPECTED_LEN: int32 := 64 + const ECDH_COMMITMENT_KEY_LENGTH := 32 + const ECDH_COMMITMENT_KEY_INDEX := 32 + const ECDH_WRAPPED_KEY_MATERIAL_INDEX := 64 + const ECDH_KDF_STRING: string := "ecdh-key-derivation" + const ECDH_KDF_PRF_STRING: string := "HMAC_SHA384" + const ECDH_KDF_DELIMETER: seq := [0x00] + + const ECDH_PROVIDER_INFO_256_LEN :uint32 := 75 + const ECDH_PROVIDER_INFO_384_LEN :uint32 := 107 + const ECDH_PROVIDER_INFO_521_LEN :uint32 := 143 + const ECDH_PROVIDER_INFO_RPL_INDEX := 1 as uint32 + const ECDH_PROVIDER_INFO_RPK_INDEX := ECDH_PROVIDER_INFO_RPL_INDEX + ECDH_PROVIDER_INFO_PUBLIC_KEY_LEN as uint32 + const ECDH_PROVIDER_INFO_PUBLIC_KEY_LEN : int := 4 + const ECDH_PUBLIC_KEY_LEN_ECC_NIST_256 := 91 + const ECDH_PUBLIC_KEY_LEN_ECC_NIST_384 := 120 + const ECDH_PUBLIC_KEY_LEN_ECC_NIST_521 := 158 + + const ECDH_PUBLIC_KEY_COMPRESSED_LEN_ECC_NIST_256 := 33 + const ECDH_PUBLIC_KEY_COMPRESSED_LEN_ECC_NIST_384 := 49 + const ECDH_PUBLIC_KEY_COMPRESSED_LEN_ECC_NIST_521 := 67 + + const CIPHERTEXT_WRAPPED_MATERIAL_INDEX := 68 + const ECDH_AES_256_ENC_KEY_LENGTH: int32 := 32 + const ECDH_AES_256_ENC_TAG_LENGTH: int32 := 16 + const ECDH_AES_256_ENC_IV_LENGTH: int32 := 12 + const ECDH_AES_256_ENC_ALG := PrimitiveTypes.AES_GCM( + keyLength := ECDH_AES_256_ENC_KEY_LENGTH, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //= type=implication + //# - MUST use an authentication tag byte of length 16. + tagLength := ECDH_AES_256_ENC_TAG_LENGTH, + ivLength := ECDH_AES_256_ENC_IV_LENGTH + ) // UTF-8 encoded "aws-kms" const PROVIDER_ID: UTF8.ValidUTF8Bytes := @@ -28,6 +67,18 @@ module Constants { assert UTF8.ValidUTF8Range(s, 0, 11); s + // UTF-8 Encoded "aws-kms-ecdh" + const KMS_ECDH_PROVIDER_ID: UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("aws-kms-ecdh"); + + // UTF-8 Encoded "raw-ecdh" + const RAW_ECDH_PROVIDER_ID: UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("raw-ecdh"); + + // UTF-8 Encoded "HMAC_SHA384" + const ECDH_KDF_PRF_NAME: UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("HMAC_SHA384"); + + // UTF-8 Encoded "ecdh-key-derivation" + const ECDH_KDF_UTF8: UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("ecdh-key-derivation"); + type AwsKmsEncryptedDataKey = edk: Types.EncryptedDataKey | && edk.keyProviderId == PROVIDER_ID && UTF8.ValidUTF8Seq(edk.keyProviderInfo) diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/RawECDHKeyring.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/RawECDHKeyring.dfy new file mode 100644 index 000000000..a6f276a39 --- /dev/null +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/RawECDHKeyring.dfy @@ -0,0 +1,854 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +include "../Keyring.dfy" +include "../Materials.dfy" +include "../AlgorithmSuites.dfy" +include "../Materials.dfy" +include "../KeyWrapping/MaterialWrapping.dfy" +include "../KeyWrapping/EdkWrapping.dfy" +include "../KeyWrapping/EcdhEdkWrapping.dfy" +include "../../Model/AwsCryptographyMaterialProvidersTypes.dfy" +include "../ErrorMessages.dfy" +include "../CanonicalEncryptionContext.dfy" +include "./AwsKms/Constants.dfy" + +module {:options "/functionSyntax:4" } RawECDHKeyring { + import opened StandardLibrary + import opened UInt = StandardLibrary.UInt + import opened String = StandardLibrary.String + import opened Actions + import opened Wrappers + import opened Constants + import Types = AwsCryptographyMaterialProvidersTypes + import PrimitiveTypes = AwsCryptographyPrimitivesTypes + import Aws.Cryptography.Primitives + import Keyring + import Materials + import opened AlgorithmSuites + import Random + import ECDH + import UTF8 + import opened Seq + import MaterialWrapping + import EdkWrapping + import EcdhEdkWrapping + import ErrorMessages + import CanonicalEncryptionContext + + const RAW_ECDH_KEYRING_VERSION: seq := [0x01] + + predicate ValidPublicKeyLength(p: seq) + { + && (|p| == ECDH_PUBLIC_KEY_LEN_ECC_NIST_256 || + |p| == ECDH_PUBLIC_KEY_LEN_ECC_NIST_384 || + |p| == ECDH_PUBLIC_KEY_LEN_ECC_NIST_521) + } + + predicate ValidCompressedPublicKeyLength(p: seq) + { + && (|p| == ECDH_PUBLIC_KEY_COMPRESSED_LEN_ECC_NIST_256 || + |p| == ECDH_PUBLIC_KEY_COMPRESSED_LEN_ECC_NIST_384 || + |p| == ECDH_PUBLIC_KEY_COMPRESSED_LEN_ECC_NIST_521) + } + + predicate ValidProviderInfoLength(p: seq) + { + (|p| == ECDH_PROVIDER_INFO_256_LEN as int || + |p| == ECDH_PROVIDER_INFO_384_LEN as int || + |p| == ECDH_PROVIDER_INFO_521_LEN as int + ) + } + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#interface + //= type=implication + //# MUST implement the [AWS Encryption SDK Keyring interface](../keyring-interface.md#interface) + class RawEcdhKeyring + extends Keyring.VerifiableInterface + { + const senderPrivateKey: PrimitiveTypes.ECCPrivateKey + const senderPublicKey: PrimitiveTypes.ECCPublicKey + const recipientPublicKey: PrimitiveTypes.ECCPublicKey + const compressedSenderPublicKey: seq + const compressedRecipientPublicKey: seq + const keyAgreementScheme: Types.RawEcdhStaticConfigurations + const curveSpec: PrimitiveTypes.ECDHCurveSpec + const cryptoPrimitives: Primitives.AtomicPrimitivesClient + + ghost predicate ValidState() + ensures ValidState() ==> History in Modifies + { + && History in Modifies + && cryptoPrimitives.ValidState() + && cryptoPrimitives.Modifies <= Modifies + && History !in cryptoPrimitives.Modifies + } + + constructor( + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#initialization + //= type=implication + //# - MUST provide a [Key Agreement Schema](#key-agreement-schema) + keyAgreementScheme: Types.RawEcdhStaticConfigurations, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#initialization + //= type=implication + //# - MUST provide a [Curve Specification](#curve-specification) + curveSpec: PrimitiveTypes.ECDHCurveSpec, + + senderPrivateKey: Option>, + senderPublicKey: Option>, + recipientPublicKey: seq, + compressedSenderPublicKey: Option>, + compressedRecipientPublicKey: seq, + cryptoPrimitives : Primitives.AtomicPrimitivesClient + ) + requires cryptoPrimitives.ValidState() + requires senderPublicKey.Some? ==> ValidPublicKeyLength(senderPublicKey.value) + requires ValidPublicKeyLength(recipientPublicKey) + ensures ValidState() && fresh(this) && fresh(History) + && fresh(Modifies - cryptoPrimitives.Modifies) + { + this.keyAgreementScheme := keyAgreementScheme; + this.curveSpec := curveSpec; + this.cryptoPrimitives := cryptoPrimitives; + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#initialization + //= type=implication + //# The keyring MUST set the sender's public key + //# and the recipient's public key on the keyring. + this.recipientPublicKey := PrimitiveTypes.ECCPublicKey(der := recipientPublicKey); + this.compressedRecipientPublicKey := compressedRecipientPublicKey; + if senderPublicKey.Some? && senderPrivateKey.Some? && compressedSenderPublicKey.Some? { + this.senderPublicKey := PrimitiveTypes.ECCPublicKey(der := senderPublicKey.value); + this.senderPrivateKey := PrimitiveTypes.ECCPrivateKey(pem := senderPrivateKey.value); + this.compressedSenderPublicKey := compressedSenderPublicKey.value; + } else { + this.senderPublicKey := PrimitiveTypes.ECCPublicKey(der := []); + this.senderPrivateKey := PrimitiveTypes.ECCPrivateKey(pem := []); + this.compressedSenderPublicKey := []; + } + this.cryptoPrimitives := cryptoPrimitives; + + History := new Types.IKeyringCallHistory(); + Modifies := {History}; + Modifies := Modifies + cryptoPrimitives.Modifies; + } + + + ghost predicate OnEncryptEnsuresPublicly ( input: Types.OnEncryptInput , output: Result ) {true} + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#onencrypt + //= type=implication + //# OnEncrypt MUST take [encryption materials](structures.md#encryption-materials) as input. + method {:vcs_split_on_every_assert} OnEncrypt'(input: Types.OnEncryptInput) + returns (res: Result) + requires ValidState() + modifies Modifies - {History} + decreases Modifies - {History} + ensures ValidState() + ensures OnEncryptEnsuresPublicly(input, res) + ensures unchanged(History) + ensures res.Success? + ==> + && Materials.ValidEncryptionMaterialsTransition( + input.materials, + res.value.materials + ) + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#onencrypt + //= type=implication + //# OnEncrypt MUST fail if configured with a + //# [PublicKeyDiscovery Key Agreement Configuration](./key-agreement-schemas.md#publickeydiscovery) + ensures this.keyAgreementScheme.PublicKeyDiscovery? ==> res.Failure? + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#onencrypt + //= type=implication + //# If the keyring cannot serialize + //# the encryption context, OnEncrypt MUST fail. + ensures CanonicalEncryptionContext.EncryptionContextToAAD(input.materials.encryptionContext).Failure? ==> res.Failure? + { + if this.keyAgreementScheme.PublicKeyDiscovery? { + return Failure(Types.AwsCryptographicMaterialProvidersException( + message := "PublicKeyDiscovery Key Agreement Scheme is forbidden on encrypt.")); + } + + var operationSenderPrivateKey: PrimitiveTypes.ECCPrivateKey; + var operationSenderPublicKey: PrimitiveTypes.ECCPublicKey; + var operationCompressedSenderPublicKey: seq; + + if this.keyAgreementScheme.EphemeralPrivateKeyToStaticPublicKey? { + var ephemeralKeyPair :- GenerateEphemeralEccKeyPair(this.curveSpec, this.cryptoPrimitives); + operationSenderPrivateKey := ephemeralKeyPair.privateKey; + operationSenderPublicKey := ephemeralKeyPair.publicKey; + var operationCompressedSenderPublicKey? :- CompressPublicKey( + PrimitiveTypes.ECCPublicKey(der := operationSenderPublicKey.der), + this.curveSpec, + this.cryptoPrimitives + ); + operationCompressedSenderPublicKey := operationCompressedSenderPublicKey?; + } else { + operationSenderPrivateKey := this.senderPrivateKey; + operationSenderPublicKey := this.senderPublicKey; + operationCompressedSenderPublicKey := this.compressedSenderPublicKey; + } + + var materials := input.materials; + var suite := input.materials.algorithmSuite; + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#onencrypt + //# The keyring MUST derive the shared secret + //# according to the configured [Key Agreement Schema](#key-agreement-procedure). + // (blank line for duvet) + //# If the keyring fails to compute the shared secret, the keyring MUST fail. + var sharedSecret :- LocalDeriveSharedSecret( + operationSenderPrivateKey, + recipientPublicKey, + this.curveSpec, + this.cryptoPrimitives + ); + + var curveSpecUtf8 :- UTF8.Encode( + CurveSpecTypeToString(this.curveSpec) + ).MapFailure(E); + + var canonicalizedEC :- CanonicalEncryptionContext.EncryptionContextToAAD(input.materials.encryptionContext); + + var fixedInfo := EcdhEdkWrapping.SerializeFixedInfo( + ECDH_KDF_UTF8, + curveSpecUtf8, + operationCompressedSenderPublicKey, + this.compressedRecipientPublicKey, + canonicalizedEC, + RAW_ECDH_KEYRING_VERSION + ); + + var ecdhGenerateAndWrap := new EcdhEdkWrapping.EcdhGenerateAndWrapKeyMaterial( + sharedSecret, + fixedInfo, + cryptoPrimitives + ); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#onencrypt + //# The keyring MUST perform data key wrapping according to the [Data Key Wrapping section](#data-key-wrapping). + var ecdhWrap := new EcdhEdkWrapping.EcdhWrapKeyMaterial( + sharedSecret, + fixedInfo, + cryptoPrimitives + ); + + var wrapOutput :- EdkWrapping.WrapEdkMaterial( + encryptionMaterials := materials, + wrap := ecdhWrap, + generateAndWrap := ecdhGenerateAndWrap + ); + + var symmetricSigningKeyList := + if wrapOutput.symmetricSigningKey.Some? then + Some([wrapOutput.symmetricSigningKey.value]) + else + None; + + // Impossible to hit but needed for verification. Come back and prove properly. + :- Need( + && ValidCompressedPublicKeyLength(operationCompressedSenderPublicKey) + && ValidCompressedPublicKeyLength(this.compressedRecipientPublicKey), + E("Invalid compressed public key length.") + ); + + var edk := Types.EncryptedDataKey( + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#onencrypt + //# - The [key provider id](../structures.md#key-provider-id) MUST be the UTF8 encoded string "raw-ecdh". + keyProviderId := RAW_ECDH_PROVIDER_ID, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#key-provider-information + //# Both the recipient and the sender public keys MUST be in their compressed formats. + keyProviderInfo := SerializeProviderInfo(operationCompressedSenderPublicKey, this.compressedRecipientPublicKey), + ciphertext := wrapOutput.wrappedMaterial + ); + + if (wrapOutput.GenerateAndWrapEdkMaterialOutput?) { + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#onencrypt + //# OnEncrypt MUST append a new [encrypted data key](../structures.md#encrypted-data-key) + //# to the encrypted data key list in the [encryption materials](../structures.md#encryption-materials) + var result :- Materials.EncryptionMaterialAddDataKey( + materials, + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#data-key-wrapping + //# If the keyring successfully wraps the plaintext data key it MUST set it on the [encryption materials](structures.md#encryption-materials). + wrapOutput.plaintextDataKey, + [edk], + symmetricSigningKeyList + ); + return Success(Types.OnEncryptOutput( + materials := result + )); + } else if (wrapOutput.WrapOnlyEdkMaterialOutput?) { + var result :- Materials.EncryptionMaterialAddEncryptedDataKeys( + materials, + [edk], + symmetricSigningKeyList + ); + return Success(Types.OnEncryptOutput( + materials := result + )); + } + } + + ghost predicate OnDecryptEnsuresPublicly ( input: Types.OnDecryptInput , output: Result ) {true} + + method {:vcs_split_on_every_assert} OnDecrypt'(input: Types.OnDecryptInput) + returns (res: Result) + requires ValidState() + modifies Modifies - {History} + decreases Modifies - {History} + ensures ValidState() + ensures OnDecryptEnsuresPublicly(input, res) + ensures unchanged(History) + ensures res.Success? + ==> + && Materials.DecryptionMaterialsTransitionIsValid( + input.materials, + res.value.materials + ) + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //= type=implication + //# OnDecrypt MUST fail if configured with a + //# [EphemeralPrivateKeyToStaticPublicKey Key Agreement Configuration](./key-agreement-schemas.md#ephemeralprivatekeytostaticpublickey) + ensures this.keyAgreementScheme.EphemeralPrivateKeyToStaticPublicKey? ==> res.Failure? + { + if this.keyAgreementScheme.EphemeralPrivateKeyToStaticPublicKey? { + return Failure(Types.AwsCryptographicMaterialProvidersException( + message := "EphemeralPrivateKeyToStaticPublicKey Key Agreement Scheme is forbidden on decrypt.")); + } + + var materials := input.materials; + var suite := input.materials.algorithmSuite; + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# If the decryption materials already contain a plaintext data key, + //# the keyring MUST fail + //# and MUST NOT modify the [decryption materials](structures.md#decryption-materials). + :- Need( + Materials.DecryptionMaterialsWithoutPlaintextDataKey(materials), + E("Keyring received decryption materials that already contain a plaintext data key.") + ); + + var operationCompressedSenderPublicKey := if this.compressedSenderPublicKey == [] then Option.None() + else Some(this.compressedSenderPublicKey); + + var filter := new OnDecryptEcdhDataKeyFilter(keyAgreementScheme, this.compressedRecipientPublicKey, operationCompressedSenderPublicKey); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# The set of encrypted data keys MUST first be filtered to match this keyring’s configuration. + //# For the encrypted data key to match: + var edksToAttempt :- FilterWithResult(filter, input.encryptedDataKeys); + + if (0 == |edksToAttempt|) { + var errorMessage :- ErrorMessages.IncorrectDataKeys(input.encryptedDataKeys, input.materials.algorithmSuite); + return Failure(E(errorMessage)); + } + + var decryptClosure := new DecryptSingleEncryptedDataKey( + materials, + cryptoPrimitives, + this.compressedSenderPublicKey, + this.compressedRecipientPublicKey, + keyAgreementScheme, + curveSpec + ); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# For each encrypted data key in the filtered set, one at a time, the OnDecrypt MUST attempt to decrypt the data key. + //# If this attempt results in an error, then these errors MUST be collected. + var outcome, attempts := ReduceToSuccess( + decryptClosure, + edksToAttempt + ); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# If OnDecrypt fails to successfully decrypt any encrypted data key, + //# then it MUST yield an error that includes all the collected errors. + var SealedDecryptionMaterials :- outcome + .MapFailure(errors => Types.CollectionOfErrors( + list := errors, + message := "No Configured Key was able to decrypt the Data Key. The list of encountered Exceptions is available via `list`." + ) + ); + + assert decryptClosure.Ensures(Last(attempts).input, Success(SealedDecryptionMaterials), DropLast(attempts)); + //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-ecdh-keyring.md#ondecrypt + //# If the response does satisfy these requirements then OnDecrypt: + // (blank line for duvet) + //# - MUST set the plaintext data key on the [decryption materials](./structures.md#decryption-materials) + //# - MUST immediately return the modified [decryption materials](../structures.md#decryption-materials). + return Success(Types.OnDecryptOutput( + materials := SealedDecryptionMaterials + )); + } + } + + class OnDecryptEcdhDataKeyFilter + extends DeterministicActionWithResult + { + const keyAgreementScheme: Types.RawEcdhStaticConfigurations + const compressedRecipientPublicKey: seq + const compressedSenderPublicKey: seq + + constructor( + keyAgreementScheme: Types.RawEcdhStaticConfigurations, + compressedRecipientPublicKey: seq, + compressedSenderPublicKey: Option> + ) + { + this.keyAgreementScheme := keyAgreementScheme; + this.compressedRecipientPublicKey := compressedRecipientPublicKey; + if compressedSenderPublicKey.Some? { + this.compressedSenderPublicKey := compressedSenderPublicKey.value; + } else { + this.compressedSenderPublicKey := []; + } + } + + ghost predicate Ensures( + edk: Types.EncryptedDataKey, + res: Result + ) { + && ( + && res.Success? + && res.value + ==> + (edk.keyProviderId == KMS_ECDH_PROVIDER_ID || + edk.keyProviderId == RAW_ECDH_PROVIDER_ID) + ) + } + + method {:vcs_split_on_every_assert} Invoke(edk: Types.EncryptedDataKey) + returns (res: Result) + ensures Ensures(edk, res) + { + var providerInfo := edk.keyProviderInfo; + var providerId := edk.keyProviderId; + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# - The key provider ID of the encrypted data key MUST have a value equal to the UTF8 encoded strings `raw-ecdh` OR `aws-kms-ecdh`. + if ((providerId != RAW_ECDH_PROVIDER_ID) && (providerId != KMS_ECDH_PROVIDER_ID)) { + return Success(false); + } + + :- Need( + && |providerInfo| <= ECDH_PROVIDER_INFO_521_LEN as int + && ValidProviderInfoLength(providerInfo), + E("EDK ProviderInfo longer than expected") + ); + + var keyringVersion := providerInfo[0]; + :- Need( + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# - The deserialized version value in the [key provider information](#key-provider-information) MUST match `0x01`. + [keyringVersion] == RAW_ECDH_KEYRING_VERSION, + E("Incorrect Keyring version found in provider info.") + ); + + var recipientPublicKeyLength := SeqToUInt32(providerInfo[ECDH_PROVIDER_INFO_RPL_INDEX..ECDH_PROVIDER_INFO_RPK_INDEX]) as int; + var recipientPublicKeyLengthIndex := ECDH_PROVIDER_INFO_RPK_INDEX as int + recipientPublicKeyLength; + var senderPublicKeyIndex := recipientPublicKeyLengthIndex + ECDH_PROVIDER_INFO_PUBLIC_KEY_LEN as int; + :- Need( + recipientPublicKeyLengthIndex + 4 < |providerInfo|, + E("Key Provider Info Serialization Error. Serialized length less than expected.") + ); + var providerInfoRecipientPublicKey := providerInfo[ECDH_PROVIDER_INFO_RPK_INDEX..recipientPublicKeyLengthIndex]; + var providerInfoSenderPublicKey := providerInfo[senderPublicKeyIndex..]; + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# - MUST first verify that the uncompressed deserialized sender public key + //# and the uncompressed deserialized recipient public key match the public + //# keys configured on the keyring. + if this.keyAgreementScheme.PublicKeyDiscovery? { + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#publickeydiscovery + //# - MUST verify that the recipient public key stored on + //# the message ciphertext matches the configured recipient's + //# public key. + return Success(this.compressedRecipientPublicKey == providerInfoRecipientPublicKey); + } else { + return Success( + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#rawprivatekeytostaticpublickey + //# - MUST verify that both the configured sender's and recipient's + //# public keys match the public keys stored on the message ciphertext. + (this.compressedSenderPublicKey == providerInfoSenderPublicKey && this.compressedRecipientPublicKey == providerInfoRecipientPublicKey) || + (this.compressedSenderPublicKey == providerInfoRecipientPublicKey && this.compressedRecipientPublicKey == providerInfoSenderPublicKey) + ); + } + } + } + + class DecryptSingleEncryptedDataKey + extends ActionWithResult< + Types.EncryptedDataKey, + Materials.SealedDecryptionMaterials, + Types.Error> + { + const materials: Materials.DecryptionMaterialsPendingPlaintextDataKey + const cryptoPrimitives: Primitives.AtomicPrimitivesClient + const senderPublicKey: seq + const recipientPublicKey: seq + const keyAgreementScheme: Types.RawEcdhStaticConfigurations + const curveSpec: PrimitiveTypes.ECDHCurveSpec + + constructor( + materials: Materials.DecryptionMaterialsPendingPlaintextDataKey, + cryptoPrimitives: Primitives.AtomicPrimitivesClient, + senderPublicKey: seq, + recipientPublicKey: seq, + keyAgreementScheme: Types.RawEcdhStaticConfigurations, + curveSpec: PrimitiveTypes.ECDHCurveSpec + ) + requires cryptoPrimitives.ValidState() + requires + && (keyAgreementScheme.PublicKeyDiscovery? || keyAgreementScheme.RawPrivateKeyToStaticPublicKey?) + ensures + && this.materials == materials + && this.cryptoPrimitives == cryptoPrimitives + && this.recipientPublicKey == recipientPublicKey + && this.senderPublicKey == senderPublicKey + && this.keyAgreementScheme == keyAgreementScheme + && this.curveSpec == curveSpec + ensures && (this.keyAgreementScheme.PublicKeyDiscovery? || this.keyAgreementScheme.RawPrivateKeyToStaticPublicKey?) + ensures Invariant() + { + this.materials := materials; + this.cryptoPrimitives := cryptoPrimitives; + this.recipientPublicKey := recipientPublicKey; + this.senderPublicKey := senderPublicKey; + this.keyAgreementScheme := keyAgreementScheme; + this.curveSpec := curveSpec; + Modifies := cryptoPrimitives.Modifies; + } + + ghost predicate Invariant() + reads Modifies + decreases Modifies + { + && cryptoPrimitives.ValidState() + && cryptoPrimitives.Modifies == Modifies + } + + ghost predicate Ensures( + edk: Types.EncryptedDataKey, + res: Result, + attemptsState: seq>> + ) + reads Modifies + decreases Modifies + { + res.Success? + ==> + && Invariant() + && Materials.DecryptionMaterialsTransitionIsValid(materials, res.value) + + } + method {:vcs_split_on_every_assert} {:only} Invoke( + edk: Types.EncryptedDataKey, + ghost attemptsState: seq>> + ) returns (res: Result) + requires Invariant() + modifies Modifies + decreases Modifies + ensures Invariant() + ensures Ensures(edk, res, attemptsState) + { + :- Need ( + UTF8.ValidUTF8Seq(edk.keyProviderId), + Types.AwsCryptographicMaterialProvidersException(message := "Received invalid EDK provider id for AWS KMS ECDH Keyring") + ); + + var suite := materials.algorithmSuite; + var keyProviderId := edk.keyProviderId; + var providerInfo := edk.keyProviderInfo; + var ciphertext := edk.ciphertext; + + var providerWrappedMaterial :- EdkWrapping.GetProviderWrappedMaterial(ciphertext, suite); + + :- Need( + && |providerInfo| <= ECDH_PROVIDER_INFO_521_LEN as int + && ValidProviderInfoLength(providerInfo), + E("EDK ProviderInfo longer than expected") + ); + + var keyringVersion := providerInfo[0]; + :- Need( + [keyringVersion] == RAW_ECDH_KEYRING_VERSION, + E("Incorrect Keyring version found in provider info.") + ); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# - The [ciphertext](#ciphertext) and [key provider information](#key-provider-information) MUST be successfully deserialized. + var recipientPublicKeyLength := SeqToUInt32(providerInfo[ECDH_PROVIDER_INFO_RPL_INDEX..ECDH_PROVIDER_INFO_RPK_INDEX]) as int; + var recipientPublicKeyLengthIndex := ECDH_PROVIDER_INFO_RPK_INDEX as int + recipientPublicKeyLength; + var senderPublicKeyIndex := recipientPublicKeyLengthIndex + ECDH_PROVIDER_INFO_PUBLIC_KEY_LEN as int; + :- Need( + recipientPublicKeyLengthIndex + 4 < |providerInfo|, + E("Key Provider Info Serialization Error. Serialized length less than expected.") + ); + var providerInfoRecipientPublicKey := providerInfo[ECDH_PROVIDER_INFO_RPK_INDEX..recipientPublicKeyLengthIndex]; + var providerInfoSenderPublicKey := providerInfo[senderPublicKeyIndex..]; + + var senderPublicKey :- DecompressPublicKey(providerInfoSenderPublicKey, this.curveSpec, this.cryptoPrimitives); + var recipientPublicKey :- DecompressPublicKey(providerInfoRecipientPublicKey, this.curveSpec, this.cryptoPrimitives); + + var _ :- ValidatePublicKey( + this.cryptoPrimitives, + this.curveSpec, + senderPublicKey + ); + + var _ :- ValidatePublicKey( + this.cryptoPrimitives, + this.curveSpec, + recipientPublicKey + ); + + var sharedSecretPublicKey: seq; + var sharedSecretPrivateKey: seq; + if { + case this.keyAgreementScheme.PublicKeyDiscovery? => + sharedSecretPublicKey := senderPublicKey; + sharedSecretPrivateKey := this.keyAgreementScheme.PublicKeyDiscovery.recipientStaticPrivateKey; + case this.keyAgreementScheme.RawPrivateKeyToStaticPublicKey? => + sharedSecretPrivateKey := this.keyAgreementScheme.RawPrivateKeyToStaticPublicKey.senderStaticPrivateKey; + if this.keyAgreementScheme.RawPrivateKeyToStaticPublicKey.recipientPublicKey == recipientPublicKey { + sharedSecretPublicKey := recipientPublicKey; + } else { + sharedSecretPublicKey := senderPublicKey; + } + case this.keyAgreementScheme.EphemeralPrivateKeyToStaticPublicKey? => + //= aws-encryption-sdk-specification/framework/key-agreement-schemas.md#ephemeralprivatekeytostaticpublickey + //# On decrypt, the keyring MUST fail. + return Failure(E("EphemeralPrivateKeyToStaticPublicKey Not allowed on decrypt")); + } + + var _ :- ValidatePublicKey( + this.cryptoPrimitives, + this.curveSpec, + sharedSecretPublicKey + ); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# The keyring MUST derive the shared secret + //# according to the configured [Key Agreement Schema](#key-agreement-procedure). + // (blank line for duvet) + //# If the Key Agreement step fails, then an error MUST be collected + //# and the next encrypted data key in the filtered set MUST be attempted. + var sharedSecret :- LocalDeriveSharedSecret( + PrimitiveTypes.ECCPrivateKey(pem := sharedSecretPrivateKey), + PrimitiveTypes.ECCPublicKey(der := sharedSecretPublicKey), + this.curveSpec, + this.cryptoPrimitives + ); + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# The keyring MUST perform data key unwrapping according to the [Data Key Unwrapping section](#data-key-unwrapping). + var ecdhUnwrap := new EcdhEdkWrapping.EcdhUnwrap( + providerInfoSenderPublicKey, + providerInfoRecipientPublicKey, + sharedSecret, + RAW_ECDH_KEYRING_VERSION, + curveSpec, + cryptoPrimitives + ); + + var unwrapOutputRes := EdkWrapping.UnwrapEdkMaterial( + edk.ciphertext, + materials, + ecdhUnwrap + ); + + var unwrapOutput :- unwrapOutputRes; + + //= aws-encryption-sdk-specification/framework/raw-ecdh-keyring.md#ondecrypt + //# If the response does satisfy these requirements then OnDecrypt: + // (blank line for duvet) + //# - MUST set the plaintext data key on the [decryption materials](./structures.md#decryption-materials) + //# - MUST immediately return the modified [decryption materials](../structures.md#decryption-materials). + var result :- Materials.DecryptionMaterialsAddDataKey(materials, unwrapOutput.plaintextDataKey, unwrapOutput.symmetricSigningKey); + return Success(result); + } + } + + method {:vcs_split_on_every_assert} LocalDeriveSharedSecret( + senderPrivateKey: PrimitiveTypes.ECCPrivateKey, + recipientPublicKey: PrimitiveTypes.ECCPublicKey, + curveSpec: PrimitiveTypes.ECDHCurveSpec, + crypto: Primitives.AtomicPrimitivesClient + ) returns (res: Result, Types.Error>) + requires crypto.ValidState() + modifies crypto.Modifies + ensures crypto.ValidState() + ensures res.Success? ==> + && |crypto.History.DeriveSharedSecret| > 0 + && Last(crypto.History.DeriveSharedSecret).output.Success? + && Last(crypto.History.DeriveSharedSecret).input + == PrimitiveTypes.DeriveSharedSecretInput( + eccCurve := curveSpec, + privateKey := senderPrivateKey, + publicKey := recipientPublicKey + ) + && Last(crypto.History.DeriveSharedSecret).output.value.sharedSecret == res.value + { + var maybeSharedSecret := crypto.DeriveSharedSecret( + PrimitiveTypes.DeriveSharedSecretInput( + eccCurve := curveSpec, + privateKey := senderPrivateKey, + publicKey := recipientPublicKey + ) + ); + + var sharedSecretOutput :- maybeSharedSecret + .MapFailure(e => Types.AwsCryptographyPrimitives( AwsCryptographyPrimitives := e)); + + return Success(sharedSecretOutput.sharedSecret); + } + + method {:vcs_split_on_every_assert} CompressPublicKey( + publicKey: PrimitiveTypes.ECCPublicKey, + curveSpec: PrimitiveTypes.ECDHCurveSpec, + crypto: Primitives.AtomicPrimitivesClient + ) returns (res: Result, Types.Error>) + requires crypto.ValidState() + modifies crypto.Modifies + ensures crypto.ValidState() + ensures res.Success? ==> + && |crypto.History.CompressPublicKey| > 0 + && Last(crypto.History.CompressPublicKey).output.Success? + && Last(crypto.History.CompressPublicKey).input + == PrimitiveTypes.CompressPublicKeyInput( + eccCurve := curveSpec, + publicKey := publicKey + ) + && Last(crypto.History.CompressPublicKey).output.value.compressedPublicKey == res.value + { + var maybeCompressedPublicKey := crypto.CompressPublicKey( + PrimitiveTypes.CompressPublicKeyInput( + publicKey := publicKey, + eccCurve := curveSpec + ) + ); + + var compresedPublicKey :- maybeCompressedPublicKey + .MapFailure(e => Types.AwsCryptographyPrimitives( AwsCryptographyPrimitives := e)); + + return Success(compresedPublicKey.compressedPublicKey); + } + + method {:vcs_split_on_every_assert} DecompressPublicKey( + publicKey: seq, + curveSpec: PrimitiveTypes.ECDHCurveSpec, + crypto: Primitives.AtomicPrimitivesClient + ) returns (res: Result, Types.Error>) + requires crypto.ValidState() + modifies crypto.Modifies + ensures crypto.ValidState() + ensures res.Success? ==> + && |crypto.History.DecompressPublicKey| > 0 + && Last(crypto.History.DecompressPublicKey).output.Success? + && Last(crypto.History.DecompressPublicKey).input + == PrimitiveTypes.DecompressPublicKeyInput( + eccCurve := curveSpec, + compressedPublicKey := publicKey + ) + && Last(crypto.History.DecompressPublicKey).output.value.publicKey.der == res.value + { + var maybePublicKey := crypto.DecompressPublicKey( + PrimitiveTypes.DecompressPublicKeyInput( + compressedPublicKey := publicKey, + eccCurve := curveSpec + ) + ); + + var publicKey :- maybePublicKey + .MapFailure(e => Types.AwsCryptographyPrimitives( AwsCryptographyPrimitives := e)); + + return Success(publicKey.publicKey.der); + } + + function SerializeProviderInfo( + senderPublicKey: seq, + recipientPublicKey: seq + ): (res: seq) + requires ValidCompressedPublicKeyLength(recipientPublicKey) + requires ValidCompressedPublicKeyLength(senderPublicKey) + ensures |res| == + |RAW_ECDH_KEYRING_VERSION| + + |UInt32ToSeq(|recipientPublicKey| as uint32)| + + |recipientPublicKey| + + |UInt32ToSeq(|senderPublicKey| as uint32)| + + |senderPublicKey| + { + RAW_ECDH_KEYRING_VERSION + + UInt32ToSeq(|recipientPublicKey| as uint32) + + recipientPublicKey + + UInt32ToSeq(|senderPublicKey| as uint32) + + senderPublicKey + } + + method {:vcs_split_on_every_assert} GenerateEphemeralEccKeyPair( + curveSpec: PrimitiveTypes.ECDHCurveSpec, + crypto: Primitives.AtomicPrimitivesClient + ) returns (res: Result) + requires crypto.ValidState() + modifies crypto.Modifies + ensures crypto.ValidState() + ensures res.Success? ==> + && |crypto.History.GenerateECCKeyPair| > 0 + && Last(crypto.History.GenerateECCKeyPair).output.Success? + && Last(crypto.History.GenerateECCKeyPair).input + == PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := curveSpec + ) + { + var maybeKeyPair := crypto.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := curveSpec + ) + ); + + var keyPair :- maybeKeyPair.MapFailure(e => Types.AwsCryptographyPrimitives(AwsCryptographyPrimitives := e)); + res := Success(keyPair); + } + + method ValidatePublicKey( + crypto: Primitives.AtomicPrimitivesClient, + curveSpec: PrimitiveTypes.ECDHCurveSpec, + publicKey: seq + ) returns (res: Result) + requires crypto.ValidState() + modifies crypto.Modifies + ensures crypto.ValidState() + ensures res.Success? ==> + && |crypto.History.ValidatePublicKey| > 0 + && Last(crypto.History.ValidatePublicKey).output.Success? + && Last(crypto.History.ValidatePublicKey).input + == PrimitiveTypes.ValidatePublicKeyInput( + eccCurve := curveSpec, + publicKey := publicKey + ) + { + var maybeValidate := crypto.ValidatePublicKey( + PrimitiveTypes.ValidatePublicKeyInput( + eccCurve := curveSpec, + publicKey := publicKey + ) + ); + + var validate :- maybeValidate.MapFailure(e => Types.AwsCryptographyPrimitives(AwsCryptographyPrimitives := e)); + res := Success(validate.success); + } + + function CurveSpecTypeToString(c: PrimitiveTypes.ECDHCurveSpec): string + { + match c { + case ECC_NIST_P256 => "p256" + case ECC_NIST_P384 => "p384" + case ECC_NIST_P521 => "p521" + case SM2 => "sm2" + } + } + + function E(s : string) : Types.Error { + Types.AwsCryptographicMaterialProvidersException(message := s) + } +} \ No newline at end of file diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Utils.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Utils.dfy new file mode 100644 index 000000000..70c1c20ad --- /dev/null +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Utils.dfy @@ -0,0 +1,41 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +include "../Model/AwsCryptographyMaterialProvidersTypes.dfy" + +module {:options "/functionSyntax:4" } Utils { + import Crypto = AwsCryptographyPrimitivesTypes + import Aws.Cryptography.Primitives + import Types = AwsCryptographyMaterialProvidersTypes + import opened StandardLibrary + import opened UInt = StandardLibrary.UInt + import opened Seq + import opened Wrappers + + method {:vcs_split_on_every_assert} GetPublicKey( + curveSpec: Crypto.ECDHCurveSpec, + privateKey: Crypto.ECCPrivateKey, + crypto: Primitives.AtomicPrimitivesClient + ) returns (res: Result, Types.Error>) + requires crypto.ValidState() + modifies crypto.Modifies + ensures crypto.ValidState() + ensures res.Success? ==> + && |crypto.History.GetPublicKeyFromPrivateKey| > 0 + && Last(crypto.History.GetPublicKeyFromPrivateKey).output.Success? + && Last(crypto.History.GetPublicKeyFromPrivateKey).input + == Crypto.GetPublicKeyFromPrivateKeyInput( + eccCurve := curveSpec, + privateKey := privateKey + ) + { + var maybePublicKey := crypto.GetPublicKeyFromPrivateKey( + Crypto.GetPublicKeyFromPrivateKeyInput( + eccCurve := curveSpec, + privateKey := privateKey + ) + ); + + var keyPairOutput :- maybePublicKey.MapFailure(e => Types.AwsCryptographyPrimitives(AwsCryptographyPrimitives := e)); + res := Success(keyPairOutput.publicKey); + } +} \ No newline at end of file diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/Keyrings/AwsKms/TestAwsKmsEcdhKeyring.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/Keyrings/AwsKms/TestAwsKmsEcdhKeyring.dfy new file mode 100644 index 000000000..16f953db4 --- /dev/null +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/Keyrings/AwsKms/TestAwsKmsEcdhKeyring.dfy @@ -0,0 +1,1101 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +include "../../../src/Index.dfy" +include "../../TestUtils.dfy" +include "../../../../../../ComAmazonawsKms/src/Index.dfy" +include "../../../src/ErrorMessages.dfy" + +module {:options "/functionSyntax:4" } TestAwsKmsEcdhKeyring { + import opened Wrappers + import opened UInt = StandardLibrary.UInt + import MaterialProviders + import Types = AwsCryptographyMaterialProvidersTypes + import Aws.Cryptography.Primitives + import PrimitiveTypes = AwsCryptographyPrimitivesTypes + import Com.Amazonaws.Kms + import AwsKmsRsaKeyring + import TestUtils + import Base64 + import ComAmazonawsKmsTypes + import AwsCryptographyPrimitivesTypes + import AlgorithmSuites + import UTF8 + import ErrorMessages + + const TEST_DBE_ALG_SUITE_ID := Types.AlgorithmSuiteId.DBE(Types.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384) + + const derKmsSenderPublicKeyStrings := [TestUtils.KMS_ECC_256_PUBLIC_KEY_S, TestUtils.KMS_ECC_384_PUBLIC_KEY_S, TestUtils.KMS_ECC_521_PUBLIC_KEY_S] + const senderKmsKeys := [TestUtils.KMS_ECC_256_KEY_ARN_S, TestUtils.KMS_ECC_384_KEY_ARN_S, TestUtils.KMS_ECC_521_KEY_ARN_S] + const derKmsRecipientPublicKeyStrings := [TestUtils.KMS_ECC_256_PUBLIC_KEY_R, TestUtils.KMS_ECC_384_PUBLIC_KEY_R, TestUtils.KMS_ECC_521_PUBLIC_KEY_R] + const recipientKmsKeys := [TestUtils.KMS_ECC_256_KEY_ARN_R, TestUtils.KMS_ECC_384_KEY_ARN_R, TestUtils.KMS_ECC_521_KEY_ARN_R] + + const rawEccPrivateKeys := [TestUtils.ECC_P256_PRIVATE, TestUtils.ECC_P384_PRIVATE, TestUtils.ECC_P521_PRIVATE] + const rawEccPublicKeysB64der := [TestUtils.ECC_P256_PUBLIC, TestUtils.ECC_P384_PUBLIC, TestUtils.ECC_P521_PUBLIC] + + const P256 := PrimitiveTypes.ECDHCurveSpec.ECC_NIST_P256 + const P384 := PrimitiveTypes.ECDHCurveSpec.ECC_NIST_P384 + const P521 := PrimitiveTypes.ECDHCurveSpec.ECC_NIST_P521 + + const CURVES := [P256, P384, P521] + + method GetTestMaterials(suiteId: Types.AlgorithmSuiteId) returns (out: Types.EncryptionMaterials) + { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + var suite := AlgorithmSuites.GetSuite(suiteId); + // Add data key to test the case where i have a pdk + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := suiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [], + signingKey := None, + verificationKey := None + ) + ); + + return encryptionMaterialsIn; + } + + method {:test} TestKmsEcdhConfigurationFailure() { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + var kmsEcdhKeyringDiscoveryConfiguration :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPublicKeyDiscovery( + Types.KmsPublicKeyDiscoveryInput( + recipientKmsIdentifier := TestUtils.KMS_ECC_256_KEY_ARN_R + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + signingKey := None, + verificationKey := None, + requiredEncryptionContextKeys := [] + ) + ); + + var encryptionMaterialsOut := kmsEcdhKeyringDiscoveryConfiguration.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + expect encryptionMaterialsOut.IsFailure(); + expect encryptionMaterialsOut.error.AwsCryptographicMaterialProvidersException?; + + var expectedErrorMessage := ErrorMessages.KMS_ECDH_DISCOVERY_ENCRYPT_ERROR; + expect encryptionMaterialsOut.error.message == expectedErrorMessage; + } + + method {:test} TestKmsEcdhKeyringRecipientKmsKeyEncryptDecryptSuccess() { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + var senderArns := [TestUtils.KMS_ECC_256_KEY_ARN_S, TestUtils.KMS_ECC_384_KEY_ARN_S, TestUtils.KMS_ECC_521_KEY_ARN_S]; + var recipientArns := [TestUtils.KMS_ECC_256_KEY_ARN_R, TestUtils.KMS_ECC_384_KEY_ARN_R, TestUtils.KMS_ECC_521_KEY_ARN_R]; + var curveSpecs := [AwsCryptographyPrimitivesTypes.ECC_NIST_P256, AwsCryptographyPrimitivesTypes.ECC_NIST_P384, AwsCryptographyPrimitivesTypes.ECC_NIST_P521]; + + for i := 0 to |senderArns| + { + var publicKeyResponse := kmsClient.GetPublicKey( + Kms.Types.GetPublicKeyRequest( + KeyId := recipientArns[i], + GrantTokens := None + ) + ); + expect(publicKeyResponse.Success?); + var GetPublicKeyResponse(_,PublicKey,_,_,_,_,_,_) := publicKeyResponse.value; + expect PublicKey.Some?; + + print "\nTest with sender: " + senderArns[i] + " and recipient: " + recipientArns[i] + "\n"; + var kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderArns[i], + recipientPublicKey := PublicKey.value + ) + ), + curveSpec := curveSpecs[i], + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var suite := AlgorithmSuites.GetSuite(algorithmSuiteId); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [], + signingKey := None, + verificationKey := None + ) + ); + + var encryptionMaterialsOut :- expect kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect kmsEcdhKeyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + } + } + + method {:test} TestKmsEcdhKeyringRecipientKmsKeyEncryptDecryptSuccessDBESDKSuite() { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + var senderArns := [TestUtils.KMS_ECC_256_KEY_ARN_S, TestUtils.KMS_ECC_384_KEY_ARN_S, TestUtils.KMS_ECC_521_KEY_ARN_S]; + var recipientArns := [TestUtils.KMS_ECC_256_KEY_ARN_R, TestUtils.KMS_ECC_384_KEY_ARN_R, TestUtils.KMS_ECC_521_KEY_ARN_R]; + var curveSpecs := [AwsCryptographyPrimitivesTypes.ECC_NIST_P256, AwsCryptographyPrimitivesTypes.ECC_NIST_P384, AwsCryptographyPrimitivesTypes.ECC_NIST_P521]; + + for i := 0 to |senderArns| + { + var publicKeyResponse := kmsClient.GetPublicKey( + Kms.Types.GetPublicKeyRequest( + KeyId := recipientArns[i], + GrantTokens := None + ) + ); + expect(publicKeyResponse.Success?); + var GetPublicKeyResponse(_,PublicKey,_,_,_,_,_,_) := publicKeyResponse.value; + expect PublicKey.Some?; + + print "\nTest with sender: " + senderArns[i] + " and recipient: " + recipientArns[i] + "\n"; + var kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderArns[i], + recipientPublicKey := PublicKey.value + ) + ), + curveSpec := curveSpecs[i], + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + var materials := GetTestMaterials(TEST_DBE_ALG_SUITE_ID); + + var encryptionMaterialsOut :- expect kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=materials) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := TEST_DBE_ALG_SUITE_ID, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect kmsEcdhKeyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + } + + } + + method {:test} TestKmsEcdhKeyringDiscoverySuccess() { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + var senderArns := [TestUtils.KMS_ECC_256_KEY_ARN_S, TestUtils.KMS_ECC_384_KEY_ARN_S, TestUtils.KMS_ECC_521_KEY_ARN_S]; + var recipientArns := [TestUtils.KMS_ECC_256_KEY_ARN_R, TestUtils.KMS_ECC_384_KEY_ARN_R, TestUtils.KMS_ECC_521_KEY_ARN_R]; + var curveSpecs := [AwsCryptographyPrimitivesTypes.ECC_NIST_P256, AwsCryptographyPrimitivesTypes.ECC_NIST_P384, AwsCryptographyPrimitivesTypes.ECC_NIST_P521]; + + for i := 0 to |senderArns| + { + var publicKeyResponse := kmsClient.GetPublicKey( + Kms.Types.GetPublicKeyRequest( + KeyId := recipientArns[i], + GrantTokens := None + ) + ); + expect(publicKeyResponse.Success?); + var GetPublicKeyResponse(_,PublicKey,_,_,_,_,_,_) := publicKeyResponse.value; + expect PublicKey.Some?; + + var kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderArns[i], + recipientPublicKey := PublicKey.value + ) + ), + curveSpec := curveSpecs[i], + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var kmsEcdhKeyringDiscovery :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPublicKeyDiscovery( + Types.KmsPublicKeyDiscoveryInput( + recipientKmsIdentifier := recipientArns[i] + ) + ), + curveSpec := curveSpecs[i], + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var suite := AlgorithmSuites.GetSuite(algorithmSuiteId); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [], + signingKey := None, + verificationKey := None + ) + ); + + var encryptionMaterialsOut :- expect kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + print "\nDiscovery Test for: " + recipientArns[i] + "\n"; + var decryptionMaterialsOut :- expect kmsEcdhKeyringDiscovery.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + } + } + + method {:test} TestKmsEcdhKeyringRecipientRawKeyEncryptDecryptSuccessSetSenderPublicKey() + { + var mpl :- expect MaterialProviders.MaterialProviders(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var recipientKeypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var kmsClient :- expect Kms.KMSClient(); + var publicKeyResponse := kmsClient.GetPublicKey( + Kms.Types.GetPublicKeyRequest( + KeyId := TestUtils.KMS_ECC_256_KEY_ARN_S, + GrantTokens := None + ) + ); + expect(publicKeyResponse.Success?); + + var GetPublicKeyResponse(_,PublicKey,_,_,_,_,_,_) := publicKeyResponse.value; + expect PublicKey.Some?; + + var kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := TestUtils.KMS_ECC_256_KEY_ARN_S, + senderPublicKey := Some(PublicKey.value), + recipientPublicKey := recipientKeypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var recipientKeyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := recipientKeypair.privateKey.pem, + recipientPublicKey := PublicKey.value + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var suite := AlgorithmSuites.GetSuite(algorithmSuiteId); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [], + signingKey := None, + verificationKey := None + ) + ); + + var encryptionMaterialsOut :- expect kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect recipientKeyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + } + + method {:test} TestKmsEcdhKeyringWithDerPublicKeys() + { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + for i := 0 to |CURVES| + { + var senderPublicKey :- expect Base64.Decode(derKmsSenderPublicKeyStrings[i]); + var recipientPublicKey :- expect Base64.Decode(derKmsRecipientPublicKeyStrings[i]); + + var senderKmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKeys[i], + senderPublicKey := Some(senderPublicKey), + recipientPublicKey := recipientPublicKey + ) + ), + curveSpec := CURVES[i], + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var recipientKmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := recipientKmsKeys[i], + senderPublicKey := Some(recipientPublicKey), + recipientPublicKey := senderPublicKey + ) + ), + curveSpec := CURVES[i], + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var suite := AlgorithmSuites.GetSuite(algorithmSuiteId); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [], + signingKey := None, + verificationKey := None + ) + ); + + var encryptionMaterialsOut :- expect senderKmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect recipientKmsEcdhKeyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + + } + } + + method {:test} TestKmsEcdhRawEcdhKeyringWithDerPublicKeys() + { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + for i := 0 to |CURVES| + { + var senderKmsKey := senderKmsKeys[i]; + var senderPublicKey :- expect Base64.Decode(derKmsSenderPublicKeyStrings[i]); + var recipientPrivateKey :- expect UTF8.Encode(rawEccPrivateKeys[i]); + var recipientPublicKey :- expect Base64.Decode(rawEccPublicKeysB64der[i]); + var curve := CURVES[i]; + + var senderKmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey, + senderPublicKey := Some(senderPublicKey), + recipientPublicKey := recipientPublicKey + ) + ), + curveSpec := curve, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var recipientRawKeyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := recipientPrivateKey, + recipientPublicKey := senderPublicKey + ) + ), + curveSpec := curve + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var suite := AlgorithmSuites.GetSuite(algorithmSuiteId); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [], + signingKey := None, + verificationKey := None + ) + ); + + var encryptionMaterialsOut :- expect senderKmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect recipientRawKeyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + + } + + } + + method {:test} TestKmsEcdhKeyringWithIncorrectCurveConfigurationFailure() + { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + var senderPublicKey :- expect Base64.Decode(TestUtils.KMS_ECC_256_PUBLIC_KEY_S); + var recipientPublicKey :- expect Base64.Decode(TestUtils.KMS_ECC_256_PUBLIC_KEY_R); + + var senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := TestUtils.KMS_ECC_256_KEY_ARN_S, + senderPublicKey := Some(senderPublicKey), + recipientPublicKey := recipientPublicKey + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + expect senderKmsEcdhKeyring.Failure?; + } + + method {:test} TestKmsEcdhKeyringWithIncorrectCurveConfigurationCombinationsFailure() + { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + var senderKmsKey256 := TestUtils.KMS_ECC_256_KEY_ARN_S; + var senderPublicKey256 :- expect Base64.Decode(TestUtils.KMS_ECC_256_PUBLIC_KEY_S); + var recipientPublicKey256 :- expect Base64.Decode(TestUtils.ECC_P256_PUBLIC_R); + + var senderKmsKey384 := TestUtils.KMS_ECC_384_KEY_ARN_S; + var senderPublicKey384 :- expect Base64.Decode(TestUtils.KMS_ECC_384_PUBLIC_KEY_S); + var recipientPublicKey384 :- expect Base64.Decode(TestUtils.ECC_P384_PUBLIC_R); + + var senderKmsKey521 := TestUtils.KMS_ECC_521_KEY_ARN_S; + var senderPublicKey521 :- expect Base64.Decode(TestUtils.KMS_ECC_521_PUBLIC_KEY_S); + var recipientPublicKey521 :- expect Base64.Decode(TestUtils.ECC_P521_PUBLIC_R); + + // 1. Test that if keys are the same but if curvespec is diff construction MUST fail. +/// P256 tests + var senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey256, + senderPublicKey := Some(senderPublicKey256), + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey256, + senderPublicKey := Some(senderPublicKey256), + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P521, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + //P384 Tests + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey384, + senderPublicKey := Some(senderPublicKey384), + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey384, + senderPublicKey := Some(senderPublicKey384), + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P521, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + //P521 + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey521, + senderPublicKey := Some(senderPublicKey521), + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey521, + senderPublicKey := Some(senderPublicKey521), + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + // 2. Test that if sender and curve spec are the same but public key diff, construction MUST fail + //P256 + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey256, + senderPublicKey := Some(senderPublicKey256), + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey256, + senderPublicKey := Some(senderPublicKey256), + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + //P384 + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey384, + senderPublicKey := Some(senderPublicKey384), + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey384, + senderPublicKey := Some(senderPublicKey384), + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + //P521 + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey521, + senderPublicKey := Some(senderPublicKey521), + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P521, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey521, + senderPublicKey := Some(senderPublicKey521), + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P521, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + // 3. Test that if recipient public key and curve spec are the same BUT if private + // is on different curve, construction MUST fail + //P256 + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey384, + senderPublicKey := Some(senderPublicKey384), + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey521, + senderPublicKey := Some(senderPublicKey521), + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + //P384 + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey256, + senderPublicKey := Some(senderPublicKey256), + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey521, + senderPublicKey := Some(senderPublicKey521), + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + //P521 + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey256, + senderPublicKey := Some(senderPublicKey256), + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P521, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + + senderKmsEcdhKeyring := mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey384, + senderPublicKey := Some(senderPublicKey384), + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P521, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + expect senderKmsEcdhKeyring.Failure?; + } + + method {:test} TestLyingKmsKey() + { + var senderKmsKey256 := TestUtils.KMS_ECC_256_KEY_ARN_S; + var senderPublicKey256 :- expect Base64.Decode(TestUtils.KMS_ECC_256_PUBLIC_KEY_S); + var recipientPublicKey256 :- expect Base64.Decode(TestUtils.ECC_P256_PUBLIC_R); + + var senderKmsKey384 := TestUtils.KMS_ECC_384_KEY_ARN_S; + var senderPublicKey384 :- expect Base64.Decode(TestUtils.KMS_ECC_384_PUBLIC_KEY_S); + var recipientPublicKey384 :- expect Base64.Decode(TestUtils.ECC_P384_PUBLIC_R); + + var senderKmsKey521 := TestUtils.KMS_ECC_521_KEY_ARN_S; + var senderPublicKey521 :- expect Base64.Decode(TestUtils.KMS_ECC_521_PUBLIC_KEY_S); + var recipientPublicKey521 :- expect Base64.Decode(TestUtils.ECC_P521_PUBLIC_R); + + var mpl :- expect MaterialProviders.MaterialProviders(); + + var kmsClient :- expect Kms.KMSClient(); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var suite := AlgorithmSuites.GetSuite(algorithmSuiteId); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [], + signingKey := None, + verificationKey := None + ) + ); + + // In the AWS KMS ECDH Keyring, we only have control of the 3/4 keys + // since the private sender key is in KMS. + // If someone constructs a keyring in such a way that the kms key is different + // than the rest of the keys, then construction should succeed but there + // will be a failure on encrypt as KMS will not allow a key in a different curve than + // the private key. + + //P256 + var kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey384, + senderPublicKey := Some(senderPublicKey256), + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + var encryptionMaterialsOut := kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + expect encryptionMaterialsOut.Failure?; + + kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey521, + senderPublicKey := Some(senderPublicKey256), + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + encryptionMaterialsOut := kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + expect encryptionMaterialsOut.Failure?; + + //P384 + kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey256, + senderPublicKey := Some(senderPublicKey384), + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + encryptionMaterialsOut := kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + expect encryptionMaterialsOut.Failure?; + + kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey521, + senderPublicKey := Some(senderPublicKey384), + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P384, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + encryptionMaterialsOut := kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + expect encryptionMaterialsOut.Failure?; + + //P521 + kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey256, + senderPublicKey := Some(senderPublicKey521), + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P521, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + encryptionMaterialsOut := kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + expect encryptionMaterialsOut.Failure?; + + kmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := senderKmsKey384, + senderPublicKey := Some(senderPublicKey521), + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P521, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + encryptionMaterialsOut := kmsEcdhKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + expect encryptionMaterialsOut.Failure?; + } +} \ No newline at end of file diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/Keyrings/TesRawECDHKeyring.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/Keyrings/TesRawECDHKeyring.dfy new file mode 100644 index 000000000..66f9055d5 --- /dev/null +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/Keyrings/TesRawECDHKeyring.dfy @@ -0,0 +1,790 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +include "../../src/Index.dfy" +include "../TestUtils.dfy" +include "../../src/ErrorMessages.dfy" + +module {:options "/functionSyntax:4" } TestRawECDHKeyring { + import opened Wrappers + import TestUtils + import UTF8 + import ComAmazonawsKmsTypes + import Com.Amazonaws.Kms + import Aws.Cryptography.Primitives + import AwsCryptographyPrimitivesTypes + import MaterialProviders + import Types = AwsCryptographyMaterialProvidersTypes + import ErrorMessages + import AlgorithmSuites + import PrimitiveTypes = AwsCryptographyPrimitivesTypes + import Base64 + + const P256 := PrimitiveTypes.ECDHCurveSpec.ECC_NIST_P256 + const P384 := PrimitiveTypes.ECDHCurveSpec.ECC_NIST_P384 + const P521 := PrimitiveTypes.ECDHCurveSpec.ECC_NIST_P521 + + const TEST_DBE_ALG_SUITE_ID := Types.AlgorithmSuiteId.DBE(Types.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384) + + method {:test} TestRawEcdhDiscoveryOnEncryptFailure() { + var mpl :- expect MaterialProviders.MaterialProviders(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var keypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var keyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.PublicKeyDiscovery( + Types.PublicKeyDiscoveryInput(recipientStaticPrivateKey := keypair.privateKey.pem) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + signingKey := None, + verificationKey := None, + requiredEncryptionContextKeys := [] + ) + ); + + var encryptionMaterialsOut := keyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + expect encryptionMaterialsOut.IsFailure(); + expect encryptionMaterialsOut.error.AwsCryptographicMaterialProvidersException?; + + var expectedErrorMessage := ErrorMessages.RAW_ECDH_DISCOVERY_ENCRYPT_ERROR; + expect encryptionMaterialsOut.error.message == expectedErrorMessage; + } + + method {:test} TestRawEcdhEphemeralOnDecryptFailure() { + var mpl :- expect MaterialProviders.MaterialProviders(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var keypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var keyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.EphemeralPrivateKeyToStaticPublicKey( + Types.EphemeralPrivateKeyToStaticPublicKeyInput( + recipientPublicKey := keypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := map[], + requiredEncryptionContextKeys := [] + ) + ); + + var decryptionMaterialsOutRes := keyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[] + ) + ); + expect decryptionMaterialsOutRes.Failure?; + expect decryptionMaterialsOutRes.error.AwsCryptographicMaterialProvidersException?; + + expect decryptionMaterialsOutRes.error.message == ErrorMessages.RAW_ECDH_EPHEMERAL_DECRYPT_ERROR; + } + + method {:test} TestRawEcdhKeyringEphemeralDecryptOwnMessageFailure() { + var mpl :- expect MaterialProviders.MaterialProviders(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var keypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var keyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.EphemeralPrivateKeyToStaticPublicKey( + Types.EphemeralPrivateKeyToStaticPublicKeyInput( + recipientPublicKey := keypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + signingKey := None, + verificationKey := None, + requiredEncryptionContextKeys := [] + ) + ); + + var encryptionMaterialsOut :- expect keyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut := keyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect decryptionMaterialsOut.Failure?; + expect decryptionMaterialsOut.error.AwsCryptographicMaterialProvidersException?; + + var expectedErrorMessage := ErrorMessages.RAW_ECDH_EPHEMERAL_DECRYPT_ERROR; + expect decryptionMaterialsOut.error.message == expectedErrorMessage; + } + + method {:test} TestRawEcdhKeyringStaticSuccess() { + var mpl :- expect MaterialProviders.MaterialProviders(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var senderKeypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var recipientKeypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var keyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderKeypair.privateKey.pem, + recipientPublicKey := recipientKeypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + signingKey := None, + verificationKey := None, + requiredEncryptionContextKeys := [] + ) + ); + + var encryptionMaterialsOut :- expect keyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect keyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + + } + + method {:test} TestTwoRawEcdhKeyringStaticSuccess() { + var mpl :- expect MaterialProviders.MaterialProviders(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var senderKeypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var recipientKeypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var senderKeyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderKeypair.privateKey.pem, + recipientPublicKey := recipientKeypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var recipientKeyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := recipientKeypair.privateKey.pem, + recipientPublicKey := senderKeypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + signingKey := None, + verificationKey := None, + requiredEncryptionContextKeys := [] + ) + ); + + var encryptionMaterialsOut :- expect senderKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect recipientKeyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + + } + + method {:test} TestTwoEcdhKeyringStaticSuccess() { + var mpl :- expect MaterialProviders.MaterialProviders(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var senderKeypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var kmsClient :- expect Kms.KMSClient(); + var publicKeyResponse := kmsClient.GetPublicKey( + Kms.Types.GetPublicKeyRequest( + KeyId := TestUtils.KMS_ECC_256_KEY_ARN_R, + GrantTokens := None + ) + ); + expect(publicKeyResponse.Success?); + + var GetPublicKeyResponse(_,PublicKey,_,_,_,_,_,_) := publicKeyResponse.value; + expect PublicKey.Some?; + + var senderKeyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderKeypair.privateKey.pem, + recipientPublicKey := PublicKey.value + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var recipientKmsEcdhKeyring :- expect mpl.CreateAwsKmsEcdhKeyring( + Types.CreateAwsKmsEcdhKeyringInput( + KeyAgreementScheme := Types.KmsEcdhStaticConfigurations.KmsPrivateKeyToStaticPublicKey( + Types.KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier := TestUtils.KMS_ECC_256_KEY_ARN_R, + recipientPublicKey := senderKeypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256, + kmsClient := kmsClient, + grantTokens := None() + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + + var algorithmSuiteId := Types.AlgorithmSuiteId.ESDK(Types.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + signingKey := None, + verificationKey := None, + requiredEncryptionContextKeys := [] + ) + ); + + var encryptionMaterialsOut :- expect senderKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=encryptionMaterialsIn) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := algorithmSuiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect recipientKmsEcdhKeyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + + } + + method {:test} TestRawEcdhKeyringEncryptDecryptSuccessDBESDKSuite() { + var mpl :- expect MaterialProviders.MaterialProviders(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var senderKeypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var recipientKeypair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := P256 + ) + ); + + var senderKeyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderKeypair.privateKey.pem, + recipientPublicKey := recipientKeypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var recipientKeyring :- expect mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := recipientKeypair.privateKey.pem, + recipientPublicKey := senderKeypair.publicKey.der + ) + ), + curveSpec := AwsCryptographyPrimitivesTypes.ECC_NIST_P256 + ) + ); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + var materials := GetTestMaterials(TEST_DBE_ALG_SUITE_ID); + + + var encryptionMaterialsOut :- expect senderKeyring.OnEncrypt( + Types.OnEncryptInput(materials:=materials) + ); + + var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); + + expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; + var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; + + var decryptionMaterialsIn :- expect mpl.InitializeDecryptionMaterials( + Types.InitializeDecryptionMaterialsInput( + algorithmSuiteId := TEST_DBE_ALG_SUITE_ID, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [] + ) + ); + var decryptionMaterialsOut :- expect recipientKeyring.OnDecrypt( + Types.OnDecryptInput( + materials:=decryptionMaterialsIn, + encryptedDataKeys:=[edk] + ) + ); + + expect encryptionMaterialsOut.materials.plaintextDataKey + == decryptionMaterialsOut.materials.plaintextDataKey; + } + + method {:test} TestPrivateKeyandPublicKeySameCurveDiffCurveDefinitionConstructionFailure () + { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var senderPrivateKey :- expect UTF8.Encode(TestUtils.ECC_P256_PRIVATE); + var recipientPrivateKey :- expect UTF8.Encode(TestUtils.ECC_P256_PRIVATE_R); + var recipientPublicKey :- expect Base64.Decode(TestUtils.ECC_P256_PUBLIC_R); + + var rawEcdhKeyring := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey, + recipientPublicKey := recipientPublicKey + ) + ), + curveSpec := P384 + ) + ); + expect rawEcdhKeyring.Failure?; + } + + method {:test} TestPrivateKeyandPublicKeySameCurveDiffCurveDefinitionConstructionCombinationsFailure () + { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var senderPrivateKey256 :- expect UTF8.Encode(TestUtils.ECC_P256_PRIVATE); + var recipientPrivateKey256 :- expect UTF8.Encode(TestUtils.ECC_P256_PRIVATE_R); + var recipientPublicKey256 :- expect Base64.Decode(TestUtils.ECC_P256_PUBLIC_R); + + var senderPrivateKey384 :- expect UTF8.Encode(TestUtils.ECC_P384_PRIVATE); + var recipientPrivateKey384 :- expect UTF8.Encode(TestUtils.ECC_P384_PRIVATE_R); + var recipientPublicKey384 :- expect Base64.Decode(TestUtils.ECC_P384_PUBLIC_R); + + var senderPrivateKey521 :- expect UTF8.Encode(TestUtils.ECC_P521_PRIVATE); + var recipientPrivateKey521 :- expect UTF8.Encode(TestUtils.ECC_P521_PRIVATE_R); + var recipientPublicKey521 :- expect Base64.Decode(TestUtils.ECC_P521_PUBLIC_R); + + + // 1. Test that if keys are the same but if curvespec is diff construction MUST fail. +/// P256 tests + var rawEcdhKeyring := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey256, + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P384 + ) + ); + expect rawEcdhKeyring.Failure?; + + rawEcdhKeyring := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey256, + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P521 + ) + ); + expect rawEcdhKeyring.Failure?; + + // P384 Tests + rawEcdhKeyring := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey384, + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P256 + ) + ); + expect rawEcdhKeyring.Failure?; + + rawEcdhKeyring := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey384, + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P521 + ) + ); + expect rawEcdhKeyring.Failure?; + + // P521 Tests + rawEcdhKeyring := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey521, + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P256 + ) + ); + expect rawEcdhKeyring.Failure?; + + rawEcdhKeyring := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey521, + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P384 + ) + ); + expect rawEcdhKeyring.Failure?; + + // 2. Test that if private and curve spec are the same but public key diff, construction MUST fail + var rawEcdhKeyringT2 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey256, + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P256 + ) + ); + expect rawEcdhKeyringT2.Failure?; + + rawEcdhKeyringT2 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey256, + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P256 + ) + ); + expect rawEcdhKeyringT2.Failure?; + + rawEcdhKeyringT2 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey384, + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P384 + ) + ); + expect rawEcdhKeyringT2.Failure?; + + rawEcdhKeyringT2 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey384, + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P384 + ) + ); + expect rawEcdhKeyringT2.Failure?; + + rawEcdhKeyringT2 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey521, + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P521 + ) + ); + expect rawEcdhKeyringT2.Failure?; + + rawEcdhKeyringT2 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey521, + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P521 + ) + ); + expect rawEcdhKeyringT2.Failure?; + + // 3. Test that if recipient public key and curve spec are the same BUT if private + // is on different curve, construction MUST fail + var rawEcdhKeyringT3 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey384, + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P256 + ) + ); + expect rawEcdhKeyringT3.Failure?; + + rawEcdhKeyringT3 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey521, + recipientPublicKey := recipientPublicKey256 + ) + ), + curveSpec := P256 + ) + ); + expect rawEcdhKeyringT3.Failure?; + + rawEcdhKeyringT3 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey256, + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P384 + ) + ); + expect rawEcdhKeyringT3.Failure?; + + rawEcdhKeyringT3 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey521, + recipientPublicKey := recipientPublicKey384 + ) + ), + curveSpec := P384 + ) + ); + expect rawEcdhKeyringT3.Failure?; + + rawEcdhKeyringT3 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey256, + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P521 + ) + ); + expect rawEcdhKeyringT3.Failure?; + + rawEcdhKeyringT3 := mpl.CreateRawEcdhKeyring( + Types.CreateRawEcdhKeyringInput( + KeyAgreementScheme := Types.RawPrivateKeyToStaticPublicKey( + Types.RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey := senderPrivateKey384, + recipientPublicKey := recipientPublicKey521 + ) + ), + curveSpec := P521 + ) + ); + expect rawEcdhKeyringT3.Failure?; + } + + method GetTestMaterials(suiteId: Types.AlgorithmSuiteId) returns (out: Types.EncryptionMaterials) + { + var mpl :- expect MaterialProviders.MaterialProviders(); + + var encryptionContext := TestUtils.SmallEncryptionContext(TestUtils.SmallEncryptionContextVariation.A); + var suite := AlgorithmSuites.GetSuite(suiteId); + // Add data key to test the case where i have a pdk + var encryptionMaterialsIn :- expect mpl.InitializeEncryptionMaterials( + Types.InitializeEncryptionMaterialsInput( + algorithmSuiteId := suiteId, + encryptionContext := encryptionContext, + requiredEncryptionContextKeys := [], + signingKey := None, + verificationKey := None + ) + ); + + return encryptionMaterialsIn; + } +} diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/TestEcdhCalculation.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/TestEcdhCalculation.dfy new file mode 100644 index 000000000..349926c26 --- /dev/null +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/TestEcdhCalculation.dfy @@ -0,0 +1,119 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +include "../src/Index.dfy" +include "../src/Keyrings/AwsKms/AwsKmsDiscoveryKeyring.dfy" +include "./TestUtils.dfy" +include "../../../../ComAmazonawsKms/src/Index.dfy" + +module TestEcdhCalculation { + import opened Wrappers + import opened UInt = StandardLibrary.UInt + import MaterialProviders + import Types = AwsCryptographyMaterialProvidersTypes + import Aws.Cryptography.Primitives + import Com.Amazonaws.Kms + import TestUtils + import PrimitiveTypes = AwsCryptographyPrimitivesTypes + import ComAmazonawsKmsTypes + import UTF8 + + // ECC Curve P256 Keys + const senderKmsKey := "arn:aws:kms:us-west-2:370957321024:key/eabdf483-6be2-4d2d-8ee4-8c2583d416e9"; + const recipientKmsKey := "arn:aws:kms:us-west-2:370957321024:key/0265c8e9-5b6a-4055-8f70-63719e09fda5"; + const senderArns := [TestUtils.KMS_ECC_256_KEY_ARN_S, TestUtils.KMS_ECC_384_KEY_ARN_S, TestUtils.KMS_ECC_521_KEY_ARN_S]; + const curveSpecs := [PrimitiveTypes.ECC_NIST_P256, PrimitiveTypes.ECC_NIST_P384, PrimitiveTypes.ECC_NIST_P521]; + + method {:test} TestKmsDeriveSharedSecretOfflineCalculation() { + var kmsClient :- expect Kms.KMSClient(); + var primitives :- expect Primitives.AtomicPrimitives(); + + var keyPair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := PrimitiveTypes.ECDHCurveSpec.ECC_NIST_P256 + ) + ); + + expect 1 <= |keyPair.publicKey.der| <= 8192; + + var kmsSharedSecret := kmsClient.DeriveSharedSecret( + input := Kms.Types.DeriveSharedSecretRequest( + KeyId := senderKmsKey, + KeyAgreementAlgorithm := Kms.Types.KeyAgreementAlgorithmSpec.ECDH, + PublicKey := keyPair.publicKey.der + ) + ); + expect kmsSharedSecret.Success?; + expect kmsSharedSecret.value.SharedSecret.Some?; + + var publicKeyResponse := kmsClient.GetPublicKey( + Kms.Types.GetPublicKeyRequest( + KeyId := senderKmsKey, + GrantTokens := None + ) + ); + expect(publicKeyResponse.Success?); + + var GetPublicKeyResponse(_,PublicKey,_,_,_,_,_,_) := publicKeyResponse.value; + expect PublicKey.Some?; + + var offlineSharedSecret :- expect primitives.DeriveSharedSecret( + PrimitiveTypes.DeriveSharedSecretInput( + eccCurve := PrimitiveTypes.ECDHCurveSpec.ECC_NIST_P256, + privateKey := keyPair.privateKey, + publicKey := PrimitiveTypes.ECCPublicKey(der := PublicKey.value) + ) + ); + + expect kmsSharedSecret.value.SharedSecret.value == offlineSharedSecret.sharedSecret; + + } + + method {:test} TestKmsDeriveSharedSecretOfflineCalculationCurves() { + var kmsClient :- expect Kms.KMSClient(); + var primitives :- expect Primitives.AtomicPrimitives(); + + for i := 0 to |senderArns| + { + var keyPair :- expect primitives.GenerateECCKeyPair( + PrimitiveTypes.GenerateECCKeyPairInput( + eccCurve := curveSpecs[i] + ) + ); + expect 1 <= |keyPair.publicKey.der| <= 8192; + + var kmsSharedSecret := kmsClient.DeriveSharedSecret( + input := Kms.Types.DeriveSharedSecretRequest( + KeyId := senderArns[i], + KeyAgreementAlgorithm := Kms.Types.KeyAgreementAlgorithmSpec.ECDH, + PublicKey := keyPair.publicKey.der + ) + ); + expect kmsSharedSecret.Success?; + expect kmsSharedSecret.value.SharedSecret.Some?; + + var publicKeyResponse := kmsClient.GetPublicKey( + Kms.Types.GetPublicKeyRequest( + KeyId := senderArns[i], + GrantTokens := None + ) + ); + expect(publicKeyResponse.Success?); + + var GetPublicKeyResponse(_,PublicKey,_,_,_,_,_,_) := publicKeyResponse.value; + expect PublicKey.Some?; + + var offlineSharedSecret :- expect primitives.DeriveSharedSecret( + PrimitiveTypes.DeriveSharedSecretInput( + eccCurve := curveSpecs[i], + privateKey := keyPair.privateKey, + publicKey := PrimitiveTypes.ECCPublicKey(der := PublicKey.value) + ) + ); + + expect kmsSharedSecret.value.SharedSecret.value == offlineSharedSecret.sharedSecret; + + } + } + +} diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/TestUtils.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/TestUtils.dfy index 0b024496a..2f1101195 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/TestUtils.dfy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/test/TestUtils.dfy @@ -31,6 +31,79 @@ module TestUtils { const PARTITION := "aws" + // These ECC Keys are only available in the KMS + const KMS_ECC_256_KEY_ARN_S := "arn:aws:kms:us-west-2:370957321024:key/eabdf483-6be2-4d2d-8ee4-8c2583d416e9" + const KMS_ECC_256_KEY_ARN_R := "arn:aws:kms:us-west-2:370957321024:key/0265c8e9-5b6a-4055-8f70-63719e09fda5" + + const KMS_ECC_384_KEY_ARN_S := "arn:aws:kms:us-west-2:370957321024:key/7f35a704-f4fb-469d-98b1-62a1fa2cc44e" + const KMS_ECC_384_KEY_ARN_R := "arn:aws:kms:us-west-2:370957321024:key/29f0bef9-1677-4e74-b67e-acefab1295ff" + + const KMS_ECC_521_KEY_ARN_S := "arn:aws:kms:us-west-2:370957321024:key/41b502e3-cc9d-442f-bd7b-d67faed0f22e" + const KMS_ECC_521_KEY_ARN_R := "arn:aws:kms:us-west-2:370957321024:key/c45f1043-53bb-4f37-adc5-4d25d4a84f9d" + + const KMS_ECC_256_PUBLIC_KEY_S := "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE18m54QsLUnhWU7gT8hkAceNbZ/WBGNUUSPCeIKqOyX5psiqyC1TXPOJXqKKaVv5Mg91WV9UjpboblOhNU35nRw==" + const KMS_ECC_256_PUBLIC_KEY_R := "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9istdPCuX9nF8EmA4tioe/k0TCa2M9VeBW1N9n0sxPA6uPVOfLtE4+KuYxAGT0dYoK6CY93nowUy1yS+R7A+wA==" + + const KMS_ECC_384_PUBLIC_KEY_S := "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEfQ0OHFvwskFVjQwfqV7jpo62I6uyGY+5SPRZb6CuJ96bVreLZXh485BcPv09O/DWnpTBm8LL+YcfsqM3ECvi2ee3bDGpH6xIdr28uvyG75t5wqBjYYtZQFDf/ydfG9mm" + const KMS_ECC_384_PUBLIC_KEY_R := "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWgGNWQ+vEwlMxyMQkSsOAYGfT6IlgEkcanEOSjbeEpEnh8JHEiBHQ6QaROxJ7c3nEkbjbi0m+7ejBEGtkiqaY5Dsv5u1iV4fc/2v1RzPba1ZtudEmM16Eyy9LHswdJ7v" + + const KMS_ECC_521_PUBLIC_KEY_S := "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAz86qnfp3s0cl+73PQhlUstfdg9EZDA/jtLjBTWYp/1EB7RHNm8q5hMg5kBfjRDUFhbRBMlUV1xBOTgqzoSWj4oAABnQKiXXGGyu6PMN4D9nVMDsOpJ1pWU7rQexWDahBrK+5hx3beFXUpvvFRQrGAt2icUXm18VO6Qwbp0da9jyGDSY=" + const KMS_ECC_521_PUBLIC_KEY_R := "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAxLxcjtYfqc4+4oJZY0gGv2Ehu++CnVFea6uwXgEgLifq4eDSSVmQYvU8majsufpBXQwVjnDlQ7pGRw1j6K4FaLAAgYuMrmrwKtx/ZZtkbXzCwrqJY+sfCk8U5m89DX331cdBAhR2uVSPL2d5hp8up5v+EBpNArtdC5lZMx2ZrwKKYuQ=" + + // THESE ARE TESTING RESOURCES; DO NOT USE IN A PROD ENVIRONMENT + // RUN openssl ecparam -name secp256r1 -genkey -noout -out private.pem + const ECC_P256_PRIVATE := "-----BEGIN PRIVATE KEY-----\n" + + "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgw+7YSKEOEAh8/DFZ\n" + + "22oSTm/D3jo4nH5tN48IUp0WjyuhRANCAASnUgx7SrlHhPIn3McZfc3cEIs8+XFf\n" + + "7JvhcuV1wWELGZ8AjuwnKjE0ielEwSY5HYzWCF773FvJaWGYGYGhSba8\n" + + "-----END PRIVATE KEY-----" + // B64 Encoded DER REPRESENATION OF THE PUBLIC KEY + const ECC_P256_PUBLIC := "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp1IMe0q5R4TyJ9zHGX3N3BCLPPlxX+yb4XLldcFhCxmfAI7sJyoxNInpRMEmOR2M1ghe+9xbyWlhmBmBoUm2vA==" + + const ECC_P256_PRIVATE_R := "-----BEGIN PRIVATE KEY-----\n" + + "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgxpnoWJBwDUkwvLHA\n" + + "YZgRRby9FdJtxAMvAcPPW6iaD+2hRANCAASihMmHeVwzccmYmFKPO5rlR+M3MBRH\n" + + "zdCaw8TGxfX25tCKkhQUm6kUlPqaCzirEYPbUt3wK8XJ6jF5iRzuGxad\n" + + "-----END PRIVATE KEY-----\n" + const ECC_P256_PUBLIC_R := "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEooTJh3lcM3HJmJhSjzua5UfjNzAUR83QmsPExsX19ubQipIUFJupFJT6mgs4qxGD21Ld8CvFyeoxeYkc7hsWnQ==" + + const ECC_P384_PRIVATE := "-----BEGIN PRIVATE KEY-----\n" + + "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAE/GcrZaGaZKKnWsbi\n" + + "6OiMB8HlhoyF1CQeaZHFdp1VFu7mSM2mUrSolCfpYRB50aahZANiAAQayPW6B3aV\n" + + "GKWFBbDH3SeuMhiY2GIPG+tBEHmMZ3QUaG6qNnQxXS+QpR95IWyQWZjInyDk2upe\n" + + "b1TivP0UYay+dIS8MrBFM7oLBsJIqxGiRQ1EPFIpBLv4mmteOma5qt8=\n" + + "-----END PRIVATE KEY-----" + const ECC_P384_PUBLIC := "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGsj1ugd2lRilhQWwx90nrjIYmNhiDxvrQRB5jGd0FGhuqjZ0MV0vkKUfeSFskFmYyJ8g5NrqXm9U4rz9FGGsvnSEvDKwRTO6CwbCSKsRokUNRDxSKQS7+JprXjpmuarf" + + const ECC_P384_PRIVATE_R := "-----BEGIN PRIVATE KEY-----\n" + + "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBX0BpijAta/CndWCkA\n" + + "hl4fu2mIlnsh8umliaBBDHjA2T/3eeYWid5m96Bs2QxYIn6hZANiAAR/qhoNylqV\n" + + "2084hlZEXr8XWj9DuZ0WHgJ/rniicwqxXEFwPCkeh7VvpO7+tN8HxUoWpPLSdkCK\n" + + "nWeq6senikNb4RNp3Na43wPyF2SjQI/uzujHjlrVrea2zvJP7rsLdAI=\n" + + "-----END PRIVATE KEY-----\n" + const ECC_P384_PUBLIC_R := "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEf6oaDcpaldtPOIZWRF6/F1o/Q7mdFh4Cf654onMKsVxBcDwpHoe1b6Tu/rTfB8VKFqTy0nZAip1nqurHp4pDW+ETadzWuN8D8hdko0CP7s7ox45a1a3mts7yT+67C3QC" + + + const ECC_P521_PRIVATE := "-----BEGIN PRIVATE KEY-----\n" + + "MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIB3azBoPIuF7SY3Z7g\n" + + "xK/dEnSqoqBsHaoiI78Sfs9Ydxsd/3Ref4xZC0v58EwZjKxIMWwcqxSNzg8yLOAV\n" + + "oaRbwryhgYkDgYYABAHeMnMkadh2nketUTcDvKE4WCcdTdIFKaDqwtMIbq/y5N4E\n" + + "I77OxYwKP7IdGBC9n/GkcNIWx6R91zc3AId9a7VrOQF9+HitnblByL1u3N6kWhUf\n" + + "C3ury11T8dkNW+LbVkmX8B3+s6VaEQWKa+SYBemPV05aJhU0xaaF/MhsLGwKLpPp\n" + + "Qg==\n" + + "-----END PRIVATE KEY-----" + const ECC_P521_PUBLIC := "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQB3jJzJGnYdp5HrVE3A7yhOFgnHU3SBSmg6sLTCG6v8uTeBCO+zsWMCj+yHRgQvZ/xpHDSFsekfdc3NwCHfWu1azkBffh4rZ25Qci9btzepFoVHwt7q8tdU/HZDVvi21ZJl/Ad/rOlWhEFimvkmAXpj1dOWiYVNMWmhfzIbCxsCi6T6UI=" + + const ECC_P521_PRIVATE_R := "-----BEGIN PRIVATE KEY-----\n" + + "MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIAGQrViOzSEfLFHdlp\n" + + "rFcl/iWrPt7vWyga71fnLOzj4nTWBJ/Pua+xOVfTGjgplH4t16sRl4qk113Zv8zY\n" + + "XfgTJvChgYkDgYYABACKN7raKlNTwzxw97HarkQB7+9cTvw1grfhwW6AkUIS8b6J\n" + + "7CgTTSKZ6M5XQ0leYOZMkqXgjlpUfki4G3XXa4hw0wBUw+x9qtoAlwJNYhUsYg7N\n" + + "bm7IF9TQSuAzWgrSfIjOJfjrHjBR0TLmtk26xxKZIw36JSl9qb9b8LqlLk8uW6eE\n" + + "Lw==\n" + + "-----END PRIVATE KEY-----" + const ECC_P521_PUBLIC_R := "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAije62ipTU8M8cPex2q5EAe/vXE78NYK34cFugJFCEvG+iewoE00imejOV0NJXmDmTJKl4I5aVH5IuBt112uIcNMAVMPsfaraAJcCTWIVLGIOzW5uyBfU0ErgM1oK0nyIziX46x4wUdEy5rZNuscSmSMN+iUpfam/W/C6pS5PLlunhC8=" + // This axiom should only be used by tests to skip UTF8 verification of long sequences // long to be serialized in 16 bytes, in order to avoid a false negative for from verification. lemma {:axiom} AssumeLongSeqIsValidUTF8(s: seq) diff --git a/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/GetKeys.dfy b/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/GetKeys.dfy index 8d5ba06d6..8605e8efd 100644 --- a/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/GetKeys.dfy +++ b/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/GetKeys.dfy @@ -294,7 +294,7 @@ module GetKeys { )); } - method GetBeaconKeyAndUnwrap( + method {:vcs_split_on_every_assert} GetBeaconKeyAndUnwrap( input: Types.GetBeaconKeyInput, tableName: DDB.TableName, logicalKeyStoreName: string, diff --git a/AwsCryptographicMaterialProviders/runtimes/java/build.gradle.kts b/AwsCryptographicMaterialProviders/runtimes/java/build.gradle.kts index a96498c3d..3a6285f7e 100644 --- a/AwsCryptographicMaterialProviders/runtimes/java/build.gradle.kts +++ b/AwsCryptographicMaterialProviders/runtimes/java/build.gradle.kts @@ -74,7 +74,7 @@ dependencies { implementation("software.amazon.smithy.dafny:conversion:0.1") // sdk dependencies - implementation(platform("software.amazon.awssdk:bom:2.25.1")) + implementation(platform("software.amazon.awssdk:bom:2.26.3")) implementation("software.amazon.awssdk:dynamodb") implementation("software.amazon.awssdk:kms") diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/MaterialProviders.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/MaterialProviders.java index f0c9a3784..bf02de14e 100644 --- a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/MaterialProviders.java +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/MaterialProviders.java @@ -17,6 +17,7 @@ import software.amazon.cryptography.materialproviders.model.AlgorithmSuiteInfo; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsDiscoveryKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsDiscoveryMultiKeyringInput; +import software.amazon.cryptography.materialproviders.model.CreateAwsKmsEcdhKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsHierarchicalKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsMrkDiscoveryKeyringInput; @@ -30,6 +31,7 @@ import software.amazon.cryptography.materialproviders.model.CreateDefaultCryptographicMaterialsManagerInput; import software.amazon.cryptography.materialproviders.model.CreateMultiKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateRawAesKeyringInput; +import software.amazon.cryptography.materialproviders.model.CreateRawEcdhKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateRawRsaKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateRequiredEncryptionContextCMMInput; import software.amazon.cryptography.materialproviders.model.DecryptionMaterials; @@ -109,6 +111,25 @@ public IKeyring CreateAwsKmsDiscoveryMultiKeyring( return Keyring.wrap(result.dtor_value()); } + /** + * Creates an AWS KMS ECDH Keyring, which wraps and unwraps data keys by deriving a shared data key from the established shared secret between parties through the ECDH protocol. + * + * @param input Inputs for creating an AWS KMS ECDH Keyring. + * @return Outputs for creating a Keyring. + */ + public IKeyring CreateAwsKmsEcdhKeyring(CreateAwsKmsEcdhKeyringInput input) { + software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsEcdhKeyringInput dafnyValue = + ToDafny.CreateAwsKmsEcdhKeyringInput(input); + Result< + software.amazon.cryptography.materialproviders.internaldafny.types.IKeyring, + Error + > result = this._impl.CreateAwsKmsEcdhKeyring(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return Keyring.wrap(result.dtor_value()); + } + /** * Creates a Hierarchical Keyring, which supports wrapping and unwrapping data keys using Branch Keys persisted in DynamoDB and protected by a symmetric AWS KMS Key or AWS KMS Multi-Region Key. * @@ -361,6 +382,25 @@ public IKeyring CreateRawAesKeyring(CreateRawAesKeyringInput input) { return Keyring.wrap(result.dtor_value()); } + /** + * Creates a Raw ECDH Keyring, which wraps and unwraps data keys by deriving a shared data key from the established shared secret between parties through the ECDH protocol. + * + * @param input Inputs for creating a raw ECDH Keyring. + * @return Outputs for creating a Keyring. + */ + public IKeyring CreateRawEcdhKeyring(CreateRawEcdhKeyringInput input) { + software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawEcdhKeyringInput dafnyValue = + ToDafny.CreateRawEcdhKeyringInput(input); + Result< + software.amazon.cryptography.materialproviders.internaldafny.types.IKeyring, + Error + > result = this._impl.CreateRawEcdhKeyring(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return Keyring.wrap(result.dtor_value()); + } + /** * Creates a Raw RSA Keyring, which wraps and unwraps data keys locally using RSA. * diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/ToDafny.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/ToDafny.java index 9d3c56d4f..245b3667c 100644 --- a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/ToDafny.java +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/ToDafny.java @@ -26,6 +26,7 @@ import software.amazon.cryptography.materialproviders.internaldafny.types.CommitmentPolicy; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsDiscoveryKeyringInput; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsDiscoveryMultiKeyringInput; +import software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsEcdhKeyringInput; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsHierarchicalKeyringInput; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsKeyringInput; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsMrkDiscoveryKeyringInput; @@ -39,6 +40,7 @@ import software.amazon.cryptography.materialproviders.internaldafny.types.CreateDefaultCryptographicMaterialsManagerInput; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateMultiKeyringInput; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawAesKeyringInput; +import software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawEcdhKeyringInput; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawRsaKeyringInput; import software.amazon.cryptography.materialproviders.internaldafny.types.CreateRequiredEncryptionContextCMMInput; import software.amazon.cryptography.materialproviders.internaldafny.types.DBEAlgorithmSuiteId; @@ -58,6 +60,7 @@ import software.amazon.cryptography.materialproviders.internaldafny.types.Encrypt; import software.amazon.cryptography.materialproviders.internaldafny.types.EncryptedDataKey; import software.amazon.cryptography.materialproviders.internaldafny.types.EncryptionMaterials; +import software.amazon.cryptography.materialproviders.internaldafny.types.EphemeralPrivateKeyToStaticPublicKeyInput; import software.amazon.cryptography.materialproviders.internaldafny.types.Error; import software.amazon.cryptography.materialproviders.internaldafny.types.Error_AwsCryptographicMaterialProvidersException; import software.amazon.cryptography.materialproviders.internaldafny.types.Error_EntryAlreadyExists; @@ -82,6 +85,10 @@ import software.amazon.cryptography.materialproviders.internaldafny.types.InitializeDecryptionMaterialsInput; import software.amazon.cryptography.materialproviders.internaldafny.types.InitializeEncryptionMaterialsInput; import software.amazon.cryptography.materialproviders.internaldafny.types.IntermediateKeyWrapping; +import software.amazon.cryptography.materialproviders.internaldafny.types.KeyAgreementScheme; +import software.amazon.cryptography.materialproviders.internaldafny.types.KmsEcdhStaticConfigurations; +import software.amazon.cryptography.materialproviders.internaldafny.types.KmsPrivateKeyToStaticPublicKeyInput; +import software.amazon.cryptography.materialproviders.internaldafny.types.KmsPublicKeyDiscoveryInput; import software.amazon.cryptography.materialproviders.internaldafny.types.MaterialProvidersConfig; import software.amazon.cryptography.materialproviders.internaldafny.types.Materials; import software.amazon.cryptography.materialproviders.internaldafny.types.MultiThreadedCache; @@ -92,9 +99,13 @@ import software.amazon.cryptography.materialproviders.internaldafny.types.OnEncryptInput; import software.amazon.cryptography.materialproviders.internaldafny.types.OnEncryptOutput; import software.amazon.cryptography.materialproviders.internaldafny.types.PaddingScheme; +import software.amazon.cryptography.materialproviders.internaldafny.types.PublicKeyDiscoveryInput; import software.amazon.cryptography.materialproviders.internaldafny.types.PutCacheEntryInput; +import software.amazon.cryptography.materialproviders.internaldafny.types.RawEcdhStaticConfigurations; +import software.amazon.cryptography.materialproviders.internaldafny.types.RawPrivateKeyToStaticPublicKeyInput; import software.amazon.cryptography.materialproviders.internaldafny.types.SignatureAlgorithm; import software.amazon.cryptography.materialproviders.internaldafny.types.SingleThreadedCache; +import software.amazon.cryptography.materialproviders.internaldafny.types.StaticConfigurations; import software.amazon.cryptography.materialproviders.internaldafny.types.StormTrackingCache; import software.amazon.cryptography.materialproviders.internaldafny.types.SymmetricSignatureAlgorithm; import software.amazon.cryptography.materialproviders.internaldafny.types.UpdateUsageMetadataInput; @@ -116,6 +127,7 @@ import software.amazon.cryptography.materialproviders.model.InvalidEncryptionMaterialsTransition; import software.amazon.cryptography.materialproviders.model.OpaqueError; import software.amazon.cryptography.primitives.internaldafny.types.DigestAlgorithm; +import software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec; import software.amazon.cryptography.primitives.internaldafny.types.ECDSASignatureAlgorithm; import software.amazon.cryptography.services.kms.internaldafny.types.EncryptionAlgorithmSpec; import software.amazon.cryptography.services.kms.internaldafny.types.IKMSClient; @@ -287,6 +299,38 @@ public static CreateAwsKmsDiscoveryMultiKeyringInput CreateAwsKmsDiscoveryMultiK ); } + public static CreateAwsKmsEcdhKeyringInput CreateAwsKmsEcdhKeyringInput( + software.amazon.cryptography.materialproviders.model.CreateAwsKmsEcdhKeyringInput nativeValue + ) { + KmsEcdhStaticConfigurations keyAgreementScheme; + keyAgreementScheme = + ToDafny.KmsEcdhStaticConfigurations(nativeValue.KeyAgreementScheme()); + ECDHCurveSpec curveSpec; + curveSpec = + software.amazon.cryptography.primitives.ToDafny.ECDHCurveSpec( + nativeValue.curveSpec() + ); + IKMSClient kmsClient; + kmsClient = + software.amazon.cryptography.services.kms.internaldafny.ToDafny.TrentService( + nativeValue.kmsClient() + ); + Option< + DafnySequence> + > grantTokens; + grantTokens = + (Objects.nonNull(nativeValue.grantTokens()) && + nativeValue.grantTokens().size() > 0) + ? Option.create_Some(ToDafny.GrantTokenList(nativeValue.grantTokens())) + : Option.create_None(); + return new CreateAwsKmsEcdhKeyringInput( + keyAgreementScheme, + curveSpec, + kmsClient, + grantTokens + ); + } + public static CreateAwsKmsHierarchicalKeyringInput CreateAwsKmsHierarchicalKeyringInput( software.amazon.cryptography.materialproviders.model.CreateAwsKmsHierarchicalKeyringInput nativeValue ) { @@ -655,6 +699,20 @@ public static CreateRawAesKeyringInput CreateRawAesKeyringInput( ); } + public static CreateRawEcdhKeyringInput CreateRawEcdhKeyringInput( + software.amazon.cryptography.materialproviders.model.CreateRawEcdhKeyringInput nativeValue + ) { + RawEcdhStaticConfigurations keyAgreementScheme; + keyAgreementScheme = + ToDafny.RawEcdhStaticConfigurations(nativeValue.KeyAgreementScheme()); + ECDHCurveSpec curveSpec; + curveSpec = + software.amazon.cryptography.primitives.ToDafny.ECDHCurveSpec( + nativeValue.curveSpec() + ); + return new CreateRawEcdhKeyringInput(keyAgreementScheme, curveSpec); + } + public static CreateRawRsaKeyringInput CreateRawRsaKeyringInput( software.amazon.cryptography.materialproviders.model.CreateRawRsaKeyringInput nativeValue ) { @@ -962,6 +1020,17 @@ public static EncryptionMaterials EncryptionMaterials( ); } + public static EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKeyInput( + software.amazon.cryptography.materialproviders.model.EphemeralPrivateKeyToStaticPublicKeyInput nativeValue + ) { + DafnySequence recipientPublicKey; + recipientPublicKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.recipientPublicKey() + ); + return new EphemeralPrivateKeyToStaticPublicKeyInput(recipientPublicKey); + } + public static DafnySequence GetAlgorithmSuiteInfoInput( ByteBuffer nativeValue ) { @@ -1208,6 +1277,46 @@ public static IntermediateKeyWrapping IntermediateKeyWrapping( ); } + public static KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKeyInput( + software.amazon.cryptography.materialproviders.model.KmsPrivateKeyToStaticPublicKeyInput nativeValue + ) { + DafnySequence senderKmsIdentifier; + senderKmsIdentifier = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.CharacterSequence( + nativeValue.senderKmsIdentifier() + ); + Option> senderPublicKey; + senderPublicKey = + Objects.nonNull(nativeValue.senderPublicKey()) + ? Option.create_Some( + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.senderPublicKey() + ) + ) + : Option.create_None(); + DafnySequence recipientPublicKey; + recipientPublicKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.recipientPublicKey() + ); + return new KmsPrivateKeyToStaticPublicKeyInput( + senderKmsIdentifier, + senderPublicKey, + recipientPublicKey + ); + } + + public static KmsPublicKeyDiscoveryInput KmsPublicKeyDiscoveryInput( + software.amazon.cryptography.materialproviders.model.KmsPublicKeyDiscoveryInput nativeValue + ) { + DafnySequence recipientKmsIdentifier; + recipientKmsIdentifier = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.CharacterSequence( + nativeValue.recipientKmsIdentifier() + ); + return new KmsPublicKeyDiscoveryInput(recipientKmsIdentifier); + } + public static MaterialProvidersConfig MaterialProvidersConfig( software.amazon.cryptography.materialproviders.model.MaterialProvidersConfig nativeValue ) { @@ -1274,6 +1383,17 @@ public static OnEncryptOutput OnEncryptOutput( return new OnEncryptOutput(materials); } + public static PublicKeyDiscoveryInput PublicKeyDiscoveryInput( + software.amazon.cryptography.materialproviders.model.PublicKeyDiscoveryInput nativeValue + ) { + DafnySequence recipientStaticPrivateKey; + recipientStaticPrivateKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.recipientStaticPrivateKey() + ); + return new PublicKeyDiscoveryInput(recipientStaticPrivateKey); + } + public static PutCacheEntryInput PutCacheEntryInput( software.amazon.cryptography.materialproviders.model.PutCacheEntryInput nativeValue ) { @@ -1308,6 +1428,25 @@ public static PutCacheEntryInput PutCacheEntryInput( ); } + public static RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKeyInput( + software.amazon.cryptography.materialproviders.model.RawPrivateKeyToStaticPublicKeyInput nativeValue + ) { + DafnySequence senderStaticPrivateKey; + senderStaticPrivateKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.senderStaticPrivateKey() + ); + DafnySequence recipientPublicKey; + recipientPublicKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.recipientPublicKey() + ); + return new RawPrivateKeyToStaticPublicKeyInput( + senderStaticPrivateKey, + recipientPublicKey + ); + } + public static SingleThreadedCache SingleThreadedCache( software.amazon.cryptography.materialproviders.model.SingleThreadedCache nativeValue ) { @@ -1824,6 +1963,43 @@ public static Encrypt Encrypt( ); } + public static KeyAgreementScheme KeyAgreementScheme( + software.amazon.cryptography.materialproviders.model.KeyAgreementScheme nativeValue + ) { + if (Objects.nonNull(nativeValue.StaticConfiguration())) { + return KeyAgreementScheme.create( + ToDafny.StaticConfigurations(nativeValue.StaticConfiguration()) + ); + } + throw new IllegalArgumentException( + "Cannot convert " + + nativeValue + + " to software.amazon.cryptography.materialproviders.internaldafny.types.KeyAgreementScheme." + ); + } + + public static KmsEcdhStaticConfigurations KmsEcdhStaticConfigurations( + software.amazon.cryptography.materialproviders.model.KmsEcdhStaticConfigurations nativeValue + ) { + if (Objects.nonNull(nativeValue.KmsPublicKeyDiscovery())) { + return KmsEcdhStaticConfigurations.create_KmsPublicKeyDiscovery( + ToDafny.KmsPublicKeyDiscoveryInput(nativeValue.KmsPublicKeyDiscovery()) + ); + } + if (Objects.nonNull(nativeValue.KmsPrivateKeyToStaticPublicKey())) { + return KmsEcdhStaticConfigurations.create_KmsPrivateKeyToStaticPublicKey( + ToDafny.KmsPrivateKeyToStaticPublicKeyInput( + nativeValue.KmsPrivateKeyToStaticPublicKey() + ) + ); + } + throw new IllegalArgumentException( + "Cannot convert " + + nativeValue + + " to software.amazon.cryptography.materialproviders.internaldafny.types.KmsEcdhStaticConfigurations." + ); + } + public static Materials Materials( software.amazon.cryptography.materialproviders.model.Materials nativeValue ) { @@ -1858,6 +2034,35 @@ public static Materials Materials( ); } + public static RawEcdhStaticConfigurations RawEcdhStaticConfigurations( + software.amazon.cryptography.materialproviders.model.RawEcdhStaticConfigurations nativeValue + ) { + if (Objects.nonNull(nativeValue.PublicKeyDiscovery())) { + return RawEcdhStaticConfigurations.create_PublicKeyDiscovery( + ToDafny.PublicKeyDiscoveryInput(nativeValue.PublicKeyDiscovery()) + ); + } + if (Objects.nonNull(nativeValue.RawPrivateKeyToStaticPublicKey())) { + return RawEcdhStaticConfigurations.create_RawPrivateKeyToStaticPublicKey( + ToDafny.RawPrivateKeyToStaticPublicKeyInput( + nativeValue.RawPrivateKeyToStaticPublicKey() + ) + ); + } + if (Objects.nonNull(nativeValue.EphemeralPrivateKeyToStaticPublicKey())) { + return RawEcdhStaticConfigurations.create_EphemeralPrivateKeyToStaticPublicKey( + ToDafny.EphemeralPrivateKeyToStaticPublicKeyInput( + nativeValue.EphemeralPrivateKeyToStaticPublicKey() + ) + ); + } + throw new IllegalArgumentException( + "Cannot convert " + + nativeValue + + " to software.amazon.cryptography.materialproviders.internaldafny.types.RawEcdhStaticConfigurations." + ); + } + public static SignatureAlgorithm SignatureAlgorithm( software.amazon.cryptography.materialproviders.model.SignatureAlgorithm nativeValue ) { @@ -1876,6 +2081,26 @@ public static SignatureAlgorithm SignatureAlgorithm( ); } + public static StaticConfigurations StaticConfigurations( + software.amazon.cryptography.materialproviders.model.StaticConfigurations nativeValue + ) { + if (Objects.nonNull(nativeValue.AWS_KMS_ECDH())) { + return StaticConfigurations.create_AWS__KMS__ECDH( + ToDafny.KmsEcdhStaticConfigurations(nativeValue.AWS_KMS_ECDH()) + ); + } + if (Objects.nonNull(nativeValue.RAW_ECDH())) { + return StaticConfigurations.create_RAW__ECDH( + ToDafny.RawEcdhStaticConfigurations(nativeValue.RAW_ECDH()) + ); + } + throw new IllegalArgumentException( + "Cannot convert " + + nativeValue + + " to software.amazon.cryptography.materialproviders.internaldafny.types.StaticConfigurations." + ); + } + public static SymmetricSignatureAlgorithm SymmetricSignatureAlgorithm( software.amazon.cryptography.materialproviders.model.SymmetricSignatureAlgorithm nativeValue ) { diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/ToNative.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/ToNative.java index ddc795f9d..790d62cc6 100644 --- a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/ToNative.java +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/ToNative.java @@ -37,6 +37,7 @@ import software.amazon.cryptography.materialproviders.model.CommitmentPolicy; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsDiscoveryKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsDiscoveryMultiKeyringInput; +import software.amazon.cryptography.materialproviders.model.CreateAwsKmsEcdhKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsHierarchicalKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateAwsKmsMrkDiscoveryKeyringInput; @@ -50,6 +51,7 @@ import software.amazon.cryptography.materialproviders.model.CreateDefaultCryptographicMaterialsManagerInput; import software.amazon.cryptography.materialproviders.model.CreateMultiKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateRawAesKeyringInput; +import software.amazon.cryptography.materialproviders.model.CreateRawEcdhKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateRawRsaKeyringInput; import software.amazon.cryptography.materialproviders.model.CreateRequiredEncryptionContextCMMInput; import software.amazon.cryptography.materialproviders.model.DBEAlgorithmSuiteId; @@ -71,6 +73,7 @@ import software.amazon.cryptography.materialproviders.model.EncryptionMaterials; import software.amazon.cryptography.materialproviders.model.EntryAlreadyExists; import software.amazon.cryptography.materialproviders.model.EntryDoesNotExist; +import software.amazon.cryptography.materialproviders.model.EphemeralPrivateKeyToStaticPublicKeyInput; import software.amazon.cryptography.materialproviders.model.GetBranchKeyIdInput; import software.amazon.cryptography.materialproviders.model.GetBranchKeyIdOutput; import software.amazon.cryptography.materialproviders.model.GetCacheEntryInput; @@ -90,6 +93,10 @@ import software.amazon.cryptography.materialproviders.model.InvalidDecryptionMaterialsTransition; import software.amazon.cryptography.materialproviders.model.InvalidEncryptionMaterials; import software.amazon.cryptography.materialproviders.model.InvalidEncryptionMaterialsTransition; +import software.amazon.cryptography.materialproviders.model.KeyAgreementScheme; +import software.amazon.cryptography.materialproviders.model.KmsEcdhStaticConfigurations; +import software.amazon.cryptography.materialproviders.model.KmsPrivateKeyToStaticPublicKeyInput; +import software.amazon.cryptography.materialproviders.model.KmsPublicKeyDiscoveryInput; import software.amazon.cryptography.materialproviders.model.MaterialProvidersConfig; import software.amazon.cryptography.materialproviders.model.Materials; import software.amazon.cryptography.materialproviders.model.MultiThreadedCache; @@ -101,9 +108,13 @@ import software.amazon.cryptography.materialproviders.model.OnEncryptOutput; import software.amazon.cryptography.materialproviders.model.OpaqueError; import software.amazon.cryptography.materialproviders.model.PaddingScheme; +import software.amazon.cryptography.materialproviders.model.PublicKeyDiscoveryInput; import software.amazon.cryptography.materialproviders.model.PutCacheEntryInput; +import software.amazon.cryptography.materialproviders.model.RawEcdhStaticConfigurations; +import software.amazon.cryptography.materialproviders.model.RawPrivateKeyToStaticPublicKeyInput; import software.amazon.cryptography.materialproviders.model.SignatureAlgorithm; import software.amazon.cryptography.materialproviders.model.SingleThreadedCache; +import software.amazon.cryptography.materialproviders.model.StaticConfigurations; import software.amazon.cryptography.materialproviders.model.StormTrackingCache; import software.amazon.cryptography.materialproviders.model.SymmetricSignatureAlgorithm; import software.amazon.cryptography.materialproviders.model.UpdateUsageMetadataInput; @@ -407,6 +418,32 @@ public static CreateAwsKmsDiscoveryMultiKeyringInput CreateAwsKmsDiscoveryMultiK return nativeBuilder.build(); } + public static CreateAwsKmsEcdhKeyringInput CreateAwsKmsEcdhKeyringInput( + software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsEcdhKeyringInput dafnyValue + ) { + CreateAwsKmsEcdhKeyringInput.Builder nativeBuilder = + CreateAwsKmsEcdhKeyringInput.builder(); + nativeBuilder.KeyAgreementScheme( + ToNative.KmsEcdhStaticConfigurations(dafnyValue.dtor_KeyAgreementScheme()) + ); + nativeBuilder.curveSpec( + software.amazon.cryptography.primitives.ToNative.ECDHCurveSpec( + dafnyValue.dtor_curveSpec() + ) + ); + nativeBuilder.kmsClient( + software.amazon.cryptography.services.kms.internaldafny.ToNative.TrentService( + dafnyValue.dtor_kmsClient() + ) + ); + if (dafnyValue.dtor_grantTokens().is_Some()) { + nativeBuilder.grantTokens( + ToNative.GrantTokenList(dafnyValue.dtor_grantTokens().dtor_value()) + ); + } + return nativeBuilder.build(); + } + public static CreateAwsKmsHierarchicalKeyringInput CreateAwsKmsHierarchicalKeyringInput( software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsHierarchicalKeyringInput dafnyValue ) { @@ -703,6 +740,22 @@ public static CreateRawAesKeyringInput CreateRawAesKeyringInput( return nativeBuilder.build(); } + public static CreateRawEcdhKeyringInput CreateRawEcdhKeyringInput( + software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawEcdhKeyringInput dafnyValue + ) { + CreateRawEcdhKeyringInput.Builder nativeBuilder = + CreateRawEcdhKeyringInput.builder(); + nativeBuilder.KeyAgreementScheme( + ToNative.RawEcdhStaticConfigurations(dafnyValue.dtor_KeyAgreementScheme()) + ); + nativeBuilder.curveSpec( + software.amazon.cryptography.primitives.ToNative.ECDHCurveSpec( + dafnyValue.dtor_curveSpec() + ) + ); + return nativeBuilder.build(); + } + public static CreateRawRsaKeyringInput CreateRawRsaKeyringInput( software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawRsaKeyringInput dafnyValue ) { @@ -959,6 +1012,19 @@ public static EncryptionMaterials EncryptionMaterials( return nativeBuilder.build(); } + public static EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKeyInput( + software.amazon.cryptography.materialproviders.internaldafny.types.EphemeralPrivateKeyToStaticPublicKeyInput dafnyValue + ) { + EphemeralPrivateKeyToStaticPublicKeyInput.Builder nativeBuilder = + EphemeralPrivateKeyToStaticPublicKeyInput.builder(); + nativeBuilder.recipientPublicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_recipientPublicKey() + ) + ); + return nativeBuilder.build(); + } + public static ByteBuffer GetAlgorithmSuiteInfoInput( DafnySequence dafnyValue ) { @@ -1163,6 +1229,44 @@ public static IntermediateKeyWrapping IntermediateKeyWrapping( return nativeBuilder.build(); } + public static KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKeyInput( + software.amazon.cryptography.materialproviders.internaldafny.types.KmsPrivateKeyToStaticPublicKeyInput dafnyValue + ) { + KmsPrivateKeyToStaticPublicKeyInput.Builder nativeBuilder = + KmsPrivateKeyToStaticPublicKeyInput.builder(); + nativeBuilder.senderKmsIdentifier( + software.amazon.smithy.dafny.conversion.ToNative.Simple.String( + dafnyValue.dtor_senderKmsIdentifier() + ) + ); + if (dafnyValue.dtor_senderPublicKey().is_Some()) { + nativeBuilder.senderPublicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_senderPublicKey().dtor_value() + ) + ); + } + nativeBuilder.recipientPublicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_recipientPublicKey() + ) + ); + return nativeBuilder.build(); + } + + public static KmsPublicKeyDiscoveryInput KmsPublicKeyDiscoveryInput( + software.amazon.cryptography.materialproviders.internaldafny.types.KmsPublicKeyDiscoveryInput dafnyValue + ) { + KmsPublicKeyDiscoveryInput.Builder nativeBuilder = + KmsPublicKeyDiscoveryInput.builder(); + nativeBuilder.recipientKmsIdentifier( + software.amazon.smithy.dafny.conversion.ToNative.Simple.String( + dafnyValue.dtor_recipientKmsIdentifier() + ) + ); + return nativeBuilder.build(); + } + public static MaterialProvidersConfig MaterialProvidersConfig( software.amazon.cryptography.materialproviders.internaldafny.types.MaterialProvidersConfig dafnyValue ) { @@ -1241,6 +1345,19 @@ public static OnEncryptOutput OnEncryptOutput( return nativeBuilder.build(); } + public static PublicKeyDiscoveryInput PublicKeyDiscoveryInput( + software.amazon.cryptography.materialproviders.internaldafny.types.PublicKeyDiscoveryInput dafnyValue + ) { + PublicKeyDiscoveryInput.Builder nativeBuilder = + PublicKeyDiscoveryInput.builder(); + nativeBuilder.recipientStaticPrivateKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_recipientStaticPrivateKey() + ) + ); + return nativeBuilder.build(); + } + public static PutCacheEntryInput PutCacheEntryInput( software.amazon.cryptography.materialproviders.internaldafny.types.PutCacheEntryInput dafnyValue ) { @@ -1262,6 +1379,24 @@ public static PutCacheEntryInput PutCacheEntryInput( return nativeBuilder.build(); } + public static RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKeyInput( + software.amazon.cryptography.materialproviders.internaldafny.types.RawPrivateKeyToStaticPublicKeyInput dafnyValue + ) { + RawPrivateKeyToStaticPublicKeyInput.Builder nativeBuilder = + RawPrivateKeyToStaticPublicKeyInput.builder(); + nativeBuilder.senderStaticPrivateKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_senderStaticPrivateKey() + ) + ); + nativeBuilder.recipientPublicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_recipientPublicKey() + ) + ); + return nativeBuilder.build(); + } + public static SingleThreadedCache SingleThreadedCache( software.amazon.cryptography.materialproviders.internaldafny.types.SingleThreadedCache dafnyValue ) { @@ -1599,6 +1734,40 @@ public static Encrypt Encrypt( return nativeBuilder.build(); } + public static KeyAgreementScheme KeyAgreementScheme( + software.amazon.cryptography.materialproviders.internaldafny.types.KeyAgreementScheme dafnyValue + ) { + KeyAgreementScheme.Builder nativeBuilder = KeyAgreementScheme.builder(); + if (dafnyValue.is_StaticConfiguration()) { + nativeBuilder.StaticConfiguration( + ToNative.StaticConfigurations(dafnyValue.dtor_StaticConfiguration()) + ); + } + return nativeBuilder.build(); + } + + public static KmsEcdhStaticConfigurations KmsEcdhStaticConfigurations( + software.amazon.cryptography.materialproviders.internaldafny.types.KmsEcdhStaticConfigurations dafnyValue + ) { + KmsEcdhStaticConfigurations.Builder nativeBuilder = + KmsEcdhStaticConfigurations.builder(); + if (dafnyValue.is_KmsPublicKeyDiscovery()) { + nativeBuilder.KmsPublicKeyDiscovery( + ToNative.KmsPublicKeyDiscoveryInput( + dafnyValue.dtor_KmsPublicKeyDiscovery() + ) + ); + } + if (dafnyValue.is_KmsPrivateKeyToStaticPublicKey()) { + nativeBuilder.KmsPrivateKeyToStaticPublicKey( + ToNative.KmsPrivateKeyToStaticPublicKeyInput( + dafnyValue.dtor_KmsPrivateKeyToStaticPublicKey() + ) + ); + } + return nativeBuilder.build(); + } + public static Materials Materials( software.amazon.cryptography.materialproviders.internaldafny.types.Materials dafnyValue ) { @@ -1630,6 +1799,33 @@ public static Materials Materials( return nativeBuilder.build(); } + public static RawEcdhStaticConfigurations RawEcdhStaticConfigurations( + software.amazon.cryptography.materialproviders.internaldafny.types.RawEcdhStaticConfigurations dafnyValue + ) { + RawEcdhStaticConfigurations.Builder nativeBuilder = + RawEcdhStaticConfigurations.builder(); + if (dafnyValue.is_PublicKeyDiscovery()) { + nativeBuilder.PublicKeyDiscovery( + ToNative.PublicKeyDiscoveryInput(dafnyValue.dtor_PublicKeyDiscovery()) + ); + } + if (dafnyValue.is_RawPrivateKeyToStaticPublicKey()) { + nativeBuilder.RawPrivateKeyToStaticPublicKey( + ToNative.RawPrivateKeyToStaticPublicKeyInput( + dafnyValue.dtor_RawPrivateKeyToStaticPublicKey() + ) + ); + } + if (dafnyValue.is_EphemeralPrivateKeyToStaticPublicKey()) { + nativeBuilder.EphemeralPrivateKeyToStaticPublicKey( + ToNative.EphemeralPrivateKeyToStaticPublicKeyInput( + dafnyValue.dtor_EphemeralPrivateKeyToStaticPublicKey() + ) + ); + } + return nativeBuilder.build(); + } + public static SignatureAlgorithm SignatureAlgorithm( software.amazon.cryptography.materialproviders.internaldafny.types.SignatureAlgorithm dafnyValue ) { @@ -1643,6 +1839,23 @@ public static SignatureAlgorithm SignatureAlgorithm( return nativeBuilder.build(); } + public static StaticConfigurations StaticConfigurations( + software.amazon.cryptography.materialproviders.internaldafny.types.StaticConfigurations dafnyValue + ) { + StaticConfigurations.Builder nativeBuilder = StaticConfigurations.builder(); + if (dafnyValue.is_AWS__KMS__ECDH()) { + nativeBuilder.AWS_KMS_ECDH( + ToNative.KmsEcdhStaticConfigurations(dafnyValue.dtor_AWS__KMS__ECDH()) + ); + } + if (dafnyValue.is_RAW__ECDH()) { + nativeBuilder.RAW_ECDH( + ToNative.RawEcdhStaticConfigurations(dafnyValue.dtor_RAW__ECDH()) + ); + } + return nativeBuilder.build(); + } + public static SymmetricSignatureAlgorithm SymmetricSignatureAlgorithm( software.amazon.cryptography.materialproviders.internaldafny.types.SymmetricSignatureAlgorithm dafnyValue ) { diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/CreateAwsKmsEcdhKeyringInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/CreateAwsKmsEcdhKeyringInput.java new file mode 100644 index 000000000..4413e79a9 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/CreateAwsKmsEcdhKeyringInput.java @@ -0,0 +1,199 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.List; +import java.util.Objects; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.cryptography.primitives.model.ECDHCurveSpec; + +/** + * Inputs for creating an AWS KMS ECDH Keyring. + */ +public class CreateAwsKmsEcdhKeyringInput { + + /** + * The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated. + */ + private final KmsEcdhStaticConfigurations KeyAgreementScheme; + + /** + * The named curve that corresponds to the curve on which the sender's private and recipient's public key lie. + */ + private final ECDHCurveSpec curveSpec; + + /** + * The KMS Client this Keyring will use to call KMS. + */ + private final KmsClient kmsClient; + + /** + * A list of grant tokens to be used when calling KMS. + */ + private final List grantTokens; + + protected CreateAwsKmsEcdhKeyringInput(BuilderImpl builder) { + this.KeyAgreementScheme = builder.KeyAgreementScheme(); + this.curveSpec = builder.curveSpec(); + this.kmsClient = builder.kmsClient(); + this.grantTokens = builder.grantTokens(); + } + + /** + * @return The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated. + */ + public KmsEcdhStaticConfigurations KeyAgreementScheme() { + return this.KeyAgreementScheme; + } + + /** + * @return The named curve that corresponds to the curve on which the sender's private and recipient's public key lie. + */ + public ECDHCurveSpec curveSpec() { + return this.curveSpec; + } + + /** + * @return The KMS Client this Keyring will use to call KMS. + */ + public KmsClient kmsClient() { + return this.kmsClient; + } + + /** + * @return A list of grant tokens to be used when calling KMS. + */ + public List grantTokens() { + return this.grantTokens; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param KeyAgreementScheme The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated. + */ + Builder KeyAgreementScheme(KmsEcdhStaticConfigurations KeyAgreementScheme); + + /** + * @return The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated. + */ + KmsEcdhStaticConfigurations KeyAgreementScheme(); + + /** + * @param curveSpec The named curve that corresponds to the curve on which the sender's private and recipient's public key lie. + */ + Builder curveSpec(ECDHCurveSpec curveSpec); + + /** + * @return The named curve that corresponds to the curve on which the sender's private and recipient's public key lie. + */ + ECDHCurveSpec curveSpec(); + + /** + * @param kmsClient The KMS Client this Keyring will use to call KMS. + */ + Builder kmsClient(KmsClient kmsClient); + + /** + * @return The KMS Client this Keyring will use to call KMS. + */ + KmsClient kmsClient(); + + /** + * @param grantTokens A list of grant tokens to be used when calling KMS. + */ + Builder grantTokens(List grantTokens); + + /** + * @return A list of grant tokens to be used when calling KMS. + */ + List grantTokens(); + + CreateAwsKmsEcdhKeyringInput build(); + } + + static class BuilderImpl implements Builder { + + protected KmsEcdhStaticConfigurations KeyAgreementScheme; + + protected ECDHCurveSpec curveSpec; + + protected KmsClient kmsClient; + + protected List grantTokens; + + protected BuilderImpl() {} + + protected BuilderImpl(CreateAwsKmsEcdhKeyringInput model) { + this.KeyAgreementScheme = model.KeyAgreementScheme(); + this.curveSpec = model.curveSpec(); + this.kmsClient = model.kmsClient(); + this.grantTokens = model.grantTokens(); + } + + public Builder KeyAgreementScheme( + KmsEcdhStaticConfigurations KeyAgreementScheme + ) { + this.KeyAgreementScheme = KeyAgreementScheme; + return this; + } + + public KmsEcdhStaticConfigurations KeyAgreementScheme() { + return this.KeyAgreementScheme; + } + + public Builder curveSpec(ECDHCurveSpec curveSpec) { + this.curveSpec = curveSpec; + return this; + } + + public ECDHCurveSpec curveSpec() { + return this.curveSpec; + } + + public Builder kmsClient(KmsClient kmsClient) { + this.kmsClient = kmsClient; + return this; + } + + public KmsClient kmsClient() { + return this.kmsClient; + } + + public Builder grantTokens(List grantTokens) { + this.grantTokens = grantTokens; + return this; + } + + public List grantTokens() { + return this.grantTokens; + } + + public CreateAwsKmsEcdhKeyringInput build() { + if (Objects.isNull(this.KeyAgreementScheme())) { + throw new IllegalArgumentException( + "Missing value for required field `KeyAgreementScheme`" + ); + } + if (Objects.isNull(this.curveSpec())) { + throw new IllegalArgumentException( + "Missing value for required field `curveSpec`" + ); + } + if (Objects.isNull(this.kmsClient())) { + throw new IllegalArgumentException( + "Missing value for required field `kmsClient`" + ); + } + return new CreateAwsKmsEcdhKeyringInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/CreateRawEcdhKeyringInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/CreateRawEcdhKeyringInput.java new file mode 100644 index 000000000..7af58f526 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/CreateRawEcdhKeyringInput.java @@ -0,0 +1,122 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; +import software.amazon.cryptography.primitives.model.ECDHCurveSpec; + +/** + * Inputs for creating a raw ECDH Keyring. + */ +public class CreateRawEcdhKeyringInput { + + /** + * The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated. + */ + private final RawEcdhStaticConfigurations KeyAgreementScheme; + + /** + * The the curve on which the points for the sender's private and recipient's public key lie. + */ + private final ECDHCurveSpec curveSpec; + + protected CreateRawEcdhKeyringInput(BuilderImpl builder) { + this.KeyAgreementScheme = builder.KeyAgreementScheme(); + this.curveSpec = builder.curveSpec(); + } + + /** + * @return The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated. + */ + public RawEcdhStaticConfigurations KeyAgreementScheme() { + return this.KeyAgreementScheme; + } + + /** + * @return The the curve on which the points for the sender's private and recipient's public key lie. + */ + public ECDHCurveSpec curveSpec() { + return this.curveSpec; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param KeyAgreementScheme The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated. + */ + Builder KeyAgreementScheme(RawEcdhStaticConfigurations KeyAgreementScheme); + + /** + * @return The Key Agreement Scheme configuration that is responsible for how the shared secret is calculated. + */ + RawEcdhStaticConfigurations KeyAgreementScheme(); + + /** + * @param curveSpec The the curve on which the points for the sender's private and recipient's public key lie. + */ + Builder curveSpec(ECDHCurveSpec curveSpec); + + /** + * @return The the curve on which the points for the sender's private and recipient's public key lie. + */ + ECDHCurveSpec curveSpec(); + + CreateRawEcdhKeyringInput build(); + } + + static class BuilderImpl implements Builder { + + protected RawEcdhStaticConfigurations KeyAgreementScheme; + + protected ECDHCurveSpec curveSpec; + + protected BuilderImpl() {} + + protected BuilderImpl(CreateRawEcdhKeyringInput model) { + this.KeyAgreementScheme = model.KeyAgreementScheme(); + this.curveSpec = model.curveSpec(); + } + + public Builder KeyAgreementScheme( + RawEcdhStaticConfigurations KeyAgreementScheme + ) { + this.KeyAgreementScheme = KeyAgreementScheme; + return this; + } + + public RawEcdhStaticConfigurations KeyAgreementScheme() { + return this.KeyAgreementScheme; + } + + public Builder curveSpec(ECDHCurveSpec curveSpec) { + this.curveSpec = curveSpec; + return this; + } + + public ECDHCurveSpec curveSpec() { + return this.curveSpec; + } + + public CreateRawEcdhKeyringInput build() { + if (Objects.isNull(this.KeyAgreementScheme())) { + throw new IllegalArgumentException( + "Missing value for required field `KeyAgreementScheme`" + ); + } + if (Objects.isNull(this.curveSpec())) { + throw new IllegalArgumentException( + "Missing value for required field `curveSpec`" + ); + } + return new CreateRawEcdhKeyringInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EccCurveSpec.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EccCurveSpec.java new file mode 100644 index 000000000..36e40af93 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EccCurveSpec.java @@ -0,0 +1,24 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +public enum EccCurveSpec { + ECC_NIST_P256("secp256r1"), + + ECC_NIST_P384("secp384r1"), + + ECC_NIST_P521("secp521r1"), + + SM2("SM2PKE"); + + private final String value; + + private EccCurveSpec(String value) { + this.value = value; + } + + public String toString() { + return String.valueOf(value); + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EphemeralPrivateKeyToStaticPublicKeyInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EphemeralPrivateKeyToStaticPublicKeyInput.java new file mode 100644 index 000000000..71497dfaf --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EphemeralPrivateKeyToStaticPublicKeyInput.java @@ -0,0 +1,80 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +/** + * Inputs for creating a EphemeralPrivateKeyToStaticPublicKey Configuration. + */ +public class EphemeralPrivateKeyToStaticPublicKeyInput { + + /** + * The recipient's public key. MUST be DER encoded. + */ + private final ByteBuffer recipientPublicKey; + + protected EphemeralPrivateKeyToStaticPublicKeyInput(BuilderImpl builder) { + this.recipientPublicKey = builder.recipientPublicKey(); + } + + /** + * @return The recipient's public key. MUST be DER encoded. + */ + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param recipientPublicKey The recipient's public key. MUST be DER encoded. + */ + Builder recipientPublicKey(ByteBuffer recipientPublicKey); + + /** + * @return The recipient's public key. MUST be DER encoded. + */ + ByteBuffer recipientPublicKey(); + + EphemeralPrivateKeyToStaticPublicKeyInput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer recipientPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(EphemeralPrivateKeyToStaticPublicKeyInput model) { + this.recipientPublicKey = model.recipientPublicKey(); + } + + public Builder recipientPublicKey(ByteBuffer recipientPublicKey) { + this.recipientPublicKey = recipientPublicKey; + return this; + } + + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public EphemeralPrivateKeyToStaticPublicKeyInput build() { + if (Objects.isNull(this.recipientPublicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientPublicKey`" + ); + } + return new EphemeralPrivateKeyToStaticPublicKeyInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EphemeralSenderToStaticRecipientInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EphemeralSenderToStaticRecipientInput.java new file mode 100644 index 000000000..cd1ebe91f --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/EphemeralSenderToStaticRecipientInput.java @@ -0,0 +1,80 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +/** + * Inputs for creating a EphemeralSenderToStaticRecipient Configuration. + */ +public class EphemeralSenderToStaticRecipientInput { + + /** + * The recipient's public key + */ + private final ByteBuffer recipientPublicKey; + + protected EphemeralSenderToStaticRecipientInput(BuilderImpl builder) { + this.recipientPublicKey = builder.recipientPublicKey(); + } + + /** + * @return The recipient's public key + */ + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param recipientPublicKey The recipient's public key + */ + Builder recipientPublicKey(ByteBuffer recipientPublicKey); + + /** + * @return The recipient's public key + */ + ByteBuffer recipientPublicKey(); + + EphemeralSenderToStaticRecipientInput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer recipientPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(EphemeralSenderToStaticRecipientInput model) { + this.recipientPublicKey = model.recipientPublicKey(); + } + + public Builder recipientPublicKey(ByteBuffer recipientPublicKey) { + this.recipientPublicKey = recipientPublicKey; + return this; + } + + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public EphemeralSenderToStaticRecipientInput build() { + if (Objects.isNull(this.recipientPublicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientPublicKey`" + ); + } + return new EphemeralSenderToStaticRecipientInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KeyAgreementScheme.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KeyAgreementScheme.java new file mode 100644 index 000000000..5deec68f5 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KeyAgreementScheme.java @@ -0,0 +1,95 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * Supported ECDH Key Agreement Schemes. + */ +public class KeyAgreementScheme { + + /** + * Supported configurations for the StaticConfiguration Key Agreement Scheme. + */ + private final StaticConfigurations StaticConfiguration; + + protected KeyAgreementScheme(BuilderImpl builder) { + this.StaticConfiguration = builder.StaticConfiguration(); + } + + /** + * @return Supported configurations for the StaticConfiguration Key Agreement Scheme. + */ + public StaticConfigurations StaticConfiguration() { + return this.StaticConfiguration; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param StaticConfiguration Supported configurations for the StaticConfiguration Key Agreement Scheme. + */ + Builder StaticConfiguration(StaticConfigurations StaticConfiguration); + + /** + * @return Supported configurations for the StaticConfiguration Key Agreement Scheme. + */ + StaticConfigurations StaticConfiguration(); + + KeyAgreementScheme build(); + } + + static class BuilderImpl implements Builder { + + protected StaticConfigurations StaticConfiguration; + + protected BuilderImpl() {} + + protected BuilderImpl(KeyAgreementScheme model) { + this.StaticConfiguration = model.StaticConfiguration(); + } + + public Builder StaticConfiguration( + StaticConfigurations StaticConfiguration + ) { + this.StaticConfiguration = StaticConfiguration; + return this; + } + + public StaticConfigurations StaticConfiguration() { + return this.StaticConfiguration; + } + + public KeyAgreementScheme build() { + if (!onlyOneNonNull()) { + throw new IllegalArgumentException( + "`KeyAgreementScheme` is a Union. A Union MUST have one and only one value set." + ); + } + return new KeyAgreementScheme(this); + } + + private boolean onlyOneNonNull() { + Object[] allValues = { this.StaticConfiguration }; + boolean haveOneNonNull = false; + for (Object o : allValues) { + if (Objects.nonNull(o)) { + if (haveOneNonNull) { + return false; + } + haveOneNonNull = true; + } + } + return haveOneNonNull; + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsEcdhConfigurations.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsEcdhConfigurations.java new file mode 100644 index 000000000..a486fa381 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsEcdhConfigurations.java @@ -0,0 +1,139 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * Allowed configurations when using a KmsEcdhConfiguration + */ +public class KmsEcdhConfigurations { + + /** + * Inputs for creating a RecipientDiscoveryScheme Configuration. This is a DECRYPT ONLY configuration + */ + private final RecipientDiscoverySchemeInput RecipientDiscoveryScheme; + + /** + * Inputs for creating a KmsSenderToStaticRecipient Configuration. + */ + private final KmsSenderToStaticRecipientInput KmsSenderToStaticRecipient; + + protected KmsEcdhConfigurations(BuilderImpl builder) { + this.RecipientDiscoveryScheme = builder.RecipientDiscoveryScheme(); + this.KmsSenderToStaticRecipient = builder.KmsSenderToStaticRecipient(); + } + + /** + * @return Inputs for creating a RecipientDiscoveryScheme Configuration. This is a DECRYPT ONLY configuration + */ + public RecipientDiscoverySchemeInput RecipientDiscoveryScheme() { + return this.RecipientDiscoveryScheme; + } + + /** + * @return Inputs for creating a KmsSenderToStaticRecipient Configuration. + */ + public KmsSenderToStaticRecipientInput KmsSenderToStaticRecipient() { + return this.KmsSenderToStaticRecipient; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param RecipientDiscoveryScheme Inputs for creating a RecipientDiscoveryScheme Configuration. This is a DECRYPT ONLY configuration + */ + Builder RecipientDiscoveryScheme( + RecipientDiscoverySchemeInput RecipientDiscoveryScheme + ); + + /** + * @return Inputs for creating a RecipientDiscoveryScheme Configuration. This is a DECRYPT ONLY configuration + */ + RecipientDiscoverySchemeInput RecipientDiscoveryScheme(); + + /** + * @param KmsSenderToStaticRecipient Inputs for creating a KmsSenderToStaticRecipient Configuration. + */ + Builder KmsSenderToStaticRecipient( + KmsSenderToStaticRecipientInput KmsSenderToStaticRecipient + ); + + /** + * @return Inputs for creating a KmsSenderToStaticRecipient Configuration. + */ + KmsSenderToStaticRecipientInput KmsSenderToStaticRecipient(); + + KmsEcdhConfigurations build(); + } + + static class BuilderImpl implements Builder { + + protected RecipientDiscoverySchemeInput RecipientDiscoveryScheme; + + protected KmsSenderToStaticRecipientInput KmsSenderToStaticRecipient; + + protected BuilderImpl() {} + + protected BuilderImpl(KmsEcdhConfigurations model) { + this.RecipientDiscoveryScheme = model.RecipientDiscoveryScheme(); + this.KmsSenderToStaticRecipient = model.KmsSenderToStaticRecipient(); + } + + public Builder RecipientDiscoveryScheme( + RecipientDiscoverySchemeInput RecipientDiscoveryScheme + ) { + this.RecipientDiscoveryScheme = RecipientDiscoveryScheme; + return this; + } + + public RecipientDiscoverySchemeInput RecipientDiscoveryScheme() { + return this.RecipientDiscoveryScheme; + } + + public Builder KmsSenderToStaticRecipient( + KmsSenderToStaticRecipientInput KmsSenderToStaticRecipient + ) { + this.KmsSenderToStaticRecipient = KmsSenderToStaticRecipient; + return this; + } + + public KmsSenderToStaticRecipientInput KmsSenderToStaticRecipient() { + return this.KmsSenderToStaticRecipient; + } + + public KmsEcdhConfigurations build() { + if (!onlyOneNonNull()) { + throw new IllegalArgumentException( + "`KmsEcdhConfigurations` is a Union. A Union MUST have one and only one value set." + ); + } + return new KmsEcdhConfigurations(this); + } + + private boolean onlyOneNonNull() { + Object[] allValues = { + this.RecipientDiscoveryScheme, + this.KmsSenderToStaticRecipient, + }; + boolean haveOneNonNull = false; + for (Object o : allValues) { + if (Objects.nonNull(o)) { + if (haveOneNonNull) { + return false; + } + haveOneNonNull = true; + } + } + return haveOneNonNull; + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsEcdhStaticConfigurations.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsEcdhStaticConfigurations.java new file mode 100644 index 000000000..57967a1b5 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsEcdhStaticConfigurations.java @@ -0,0 +1,141 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * Allowed configurations when using KmsEcdhStaticConfigurations. + */ +public class KmsEcdhStaticConfigurations { + + /** + * Inputs for creating a KmsPublicKeyDiscovery Configuration. This is a DECRYPT ONLY configuration. + */ + private final KmsPublicKeyDiscoveryInput KmsPublicKeyDiscovery; + + /** + * Inputs for creating a KmsPrivateKeyToStaticPublicKey Configuration. + */ + private final KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKey; + + protected KmsEcdhStaticConfigurations(BuilderImpl builder) { + this.KmsPublicKeyDiscovery = builder.KmsPublicKeyDiscovery(); + this.KmsPrivateKeyToStaticPublicKey = + builder.KmsPrivateKeyToStaticPublicKey(); + } + + /** + * @return Inputs for creating a KmsPublicKeyDiscovery Configuration. This is a DECRYPT ONLY configuration. + */ + public KmsPublicKeyDiscoveryInput KmsPublicKeyDiscovery() { + return this.KmsPublicKeyDiscovery; + } + + /** + * @return Inputs for creating a KmsPrivateKeyToStaticPublicKey Configuration. + */ + public KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKey() { + return this.KmsPrivateKeyToStaticPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param KmsPublicKeyDiscovery Inputs for creating a KmsPublicKeyDiscovery Configuration. This is a DECRYPT ONLY configuration. + */ + Builder KmsPublicKeyDiscovery( + KmsPublicKeyDiscoveryInput KmsPublicKeyDiscovery + ); + + /** + * @return Inputs for creating a KmsPublicKeyDiscovery Configuration. This is a DECRYPT ONLY configuration. + */ + KmsPublicKeyDiscoveryInput KmsPublicKeyDiscovery(); + + /** + * @param KmsPrivateKeyToStaticPublicKey Inputs for creating a KmsPrivateKeyToStaticPublicKey Configuration. + */ + Builder KmsPrivateKeyToStaticPublicKey( + KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKey + ); + + /** + * @return Inputs for creating a KmsPrivateKeyToStaticPublicKey Configuration. + */ + KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKey(); + + KmsEcdhStaticConfigurations build(); + } + + static class BuilderImpl implements Builder { + + protected KmsPublicKeyDiscoveryInput KmsPublicKeyDiscovery; + + protected KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(KmsEcdhStaticConfigurations model) { + this.KmsPublicKeyDiscovery = model.KmsPublicKeyDiscovery(); + this.KmsPrivateKeyToStaticPublicKey = + model.KmsPrivateKeyToStaticPublicKey(); + } + + public Builder KmsPublicKeyDiscovery( + KmsPublicKeyDiscoveryInput KmsPublicKeyDiscovery + ) { + this.KmsPublicKeyDiscovery = KmsPublicKeyDiscovery; + return this; + } + + public KmsPublicKeyDiscoveryInput KmsPublicKeyDiscovery() { + return this.KmsPublicKeyDiscovery; + } + + public Builder KmsPrivateKeyToStaticPublicKey( + KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKey + ) { + this.KmsPrivateKeyToStaticPublicKey = KmsPrivateKeyToStaticPublicKey; + return this; + } + + public KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKey() { + return this.KmsPrivateKeyToStaticPublicKey; + } + + public KmsEcdhStaticConfigurations build() { + if (!onlyOneNonNull()) { + throw new IllegalArgumentException( + "`KmsEcdhStaticConfigurations` is a Union. A Union MUST have one and only one value set." + ); + } + return new KmsEcdhStaticConfigurations(this); + } + + private boolean onlyOneNonNull() { + Object[] allValues = { + this.KmsPublicKeyDiscovery, + this.KmsPrivateKeyToStaticPublicKey, + }; + boolean haveOneNonNull = false; + for (Object o : allValues) { + if (Objects.nonNull(o)) { + if (haveOneNonNull) { + return false; + } + haveOneNonNull = true; + } + } + return haveOneNonNull; + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsPrivateKeyToStaticPublicKeyInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsPrivateKeyToStaticPublicKeyInput.java new file mode 100644 index 000000000..bd5517d01 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsPrivateKeyToStaticPublicKeyInput.java @@ -0,0 +1,155 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +/** + * Inputs for creating a KmsPrivateKeyToStaticPublicKey Configuration. + */ +public class KmsPrivateKeyToStaticPublicKeyInput { + + /** + * AWS KMS Key Identifier belonging to the sender. + */ + private final String senderKmsIdentifier; + + /** + * Sender Public Key. This is the raw public ECC key in DER format that belongs to the senderKmsIdentifier. + */ + private final ByteBuffer senderPublicKey; + + /** + * Recipient Public Key. This MUST be a raw public ECC key in DER format. + */ + private final ByteBuffer recipientPublicKey; + + protected KmsPrivateKeyToStaticPublicKeyInput(BuilderImpl builder) { + this.senderKmsIdentifier = builder.senderKmsIdentifier(); + this.senderPublicKey = builder.senderPublicKey(); + this.recipientPublicKey = builder.recipientPublicKey(); + } + + /** + * @return AWS KMS Key Identifier belonging to the sender. + */ + public String senderKmsIdentifier() { + return this.senderKmsIdentifier; + } + + /** + * @return Sender Public Key. This is the raw public ECC key in DER format that belongs to the senderKmsIdentifier. + */ + public ByteBuffer senderPublicKey() { + return this.senderPublicKey; + } + + /** + * @return Recipient Public Key. This MUST be a raw public ECC key in DER format. + */ + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param senderKmsIdentifier AWS KMS Key Identifier belonging to the sender. + */ + Builder senderKmsIdentifier(String senderKmsIdentifier); + + /** + * @return AWS KMS Key Identifier belonging to the sender. + */ + String senderKmsIdentifier(); + + /** + * @param senderPublicKey Sender Public Key. This is the raw public ECC key in DER format that belongs to the senderKmsIdentifier. + */ + Builder senderPublicKey(ByteBuffer senderPublicKey); + + /** + * @return Sender Public Key. This is the raw public ECC key in DER format that belongs to the senderKmsIdentifier. + */ + ByteBuffer senderPublicKey(); + + /** + * @param recipientPublicKey Recipient Public Key. This MUST be a raw public ECC key in DER format. + */ + Builder recipientPublicKey(ByteBuffer recipientPublicKey); + + /** + * @return Recipient Public Key. This MUST be a raw public ECC key in DER format. + */ + ByteBuffer recipientPublicKey(); + + KmsPrivateKeyToStaticPublicKeyInput build(); + } + + static class BuilderImpl implements Builder { + + protected String senderKmsIdentifier; + + protected ByteBuffer senderPublicKey; + + protected ByteBuffer recipientPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(KmsPrivateKeyToStaticPublicKeyInput model) { + this.senderKmsIdentifier = model.senderKmsIdentifier(); + this.senderPublicKey = model.senderPublicKey(); + this.recipientPublicKey = model.recipientPublicKey(); + } + + public Builder senderKmsIdentifier(String senderKmsIdentifier) { + this.senderKmsIdentifier = senderKmsIdentifier; + return this; + } + + public String senderKmsIdentifier() { + return this.senderKmsIdentifier; + } + + public Builder senderPublicKey(ByteBuffer senderPublicKey) { + this.senderPublicKey = senderPublicKey; + return this; + } + + public ByteBuffer senderPublicKey() { + return this.senderPublicKey; + } + + public Builder recipientPublicKey(ByteBuffer recipientPublicKey) { + this.recipientPublicKey = recipientPublicKey; + return this; + } + + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public KmsPrivateKeyToStaticPublicKeyInput build() { + if (Objects.isNull(this.senderKmsIdentifier())) { + throw new IllegalArgumentException( + "Missing value for required field `senderKmsIdentifier`" + ); + } + if (Objects.isNull(this.recipientPublicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientPublicKey`" + ); + } + return new KmsPrivateKeyToStaticPublicKeyInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsPublicKeyDiscoveryInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsPublicKeyDiscoveryInput.java new file mode 100644 index 000000000..608080d1a --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsPublicKeyDiscoveryInput.java @@ -0,0 +1,79 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * Inputs for creating a KmsPublicKeyDiscovery Configuration. This is a DECRYPT ONLY configuration. + */ +public class KmsPublicKeyDiscoveryInput { + + /** + * AWS KMS key identifier belonging to the recipient. + */ + private final String recipientKmsIdentifier; + + protected KmsPublicKeyDiscoveryInput(BuilderImpl builder) { + this.recipientKmsIdentifier = builder.recipientKmsIdentifier(); + } + + /** + * @return AWS KMS key identifier belonging to the recipient. + */ + public String recipientKmsIdentifier() { + return this.recipientKmsIdentifier; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param recipientKmsIdentifier AWS KMS key identifier belonging to the recipient. + */ + Builder recipientKmsIdentifier(String recipientKmsIdentifier); + + /** + * @return AWS KMS key identifier belonging to the recipient. + */ + String recipientKmsIdentifier(); + + KmsPublicKeyDiscoveryInput build(); + } + + static class BuilderImpl implements Builder { + + protected String recipientKmsIdentifier; + + protected BuilderImpl() {} + + protected BuilderImpl(KmsPublicKeyDiscoveryInput model) { + this.recipientKmsIdentifier = model.recipientKmsIdentifier(); + } + + public Builder recipientKmsIdentifier(String recipientKmsIdentifier) { + this.recipientKmsIdentifier = recipientKmsIdentifier; + return this; + } + + public String recipientKmsIdentifier() { + return this.recipientKmsIdentifier; + } + + public KmsPublicKeyDiscoveryInput build() { + if (Objects.isNull(this.recipientKmsIdentifier())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientKmsIdentifier`" + ); + } + return new KmsPublicKeyDiscoveryInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsRecipientConfiguration.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsRecipientConfiguration.java new file mode 100644 index 000000000..52af66432 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsRecipientConfiguration.java @@ -0,0 +1,102 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class KmsRecipientConfiguration { + + private final String RecipientKmsKeyId; + + private final ByteBuffer RecipientPublicKey; + + protected KmsRecipientConfiguration(BuilderImpl builder) { + this.RecipientKmsKeyId = builder.RecipientKmsKeyId(); + this.RecipientPublicKey = builder.RecipientPublicKey(); + } + + public String RecipientKmsKeyId() { + return this.RecipientKmsKeyId; + } + + public ByteBuffer RecipientPublicKey() { + return this.RecipientPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder RecipientKmsKeyId(String RecipientKmsKeyId); + + String RecipientKmsKeyId(); + + Builder RecipientPublicKey(ByteBuffer RecipientPublicKey); + + ByteBuffer RecipientPublicKey(); + + KmsRecipientConfiguration build(); + } + + static class BuilderImpl implements Builder { + + protected String RecipientKmsKeyId; + + protected ByteBuffer RecipientPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(KmsRecipientConfiguration model) { + this.RecipientKmsKeyId = model.RecipientKmsKeyId(); + this.RecipientPublicKey = model.RecipientPublicKey(); + } + + public Builder RecipientKmsKeyId(String RecipientKmsKeyId) { + this.RecipientKmsKeyId = RecipientKmsKeyId; + return this; + } + + public String RecipientKmsKeyId() { + return this.RecipientKmsKeyId; + } + + public Builder RecipientPublicKey(ByteBuffer RecipientPublicKey) { + this.RecipientPublicKey = RecipientPublicKey; + return this; + } + + public ByteBuffer RecipientPublicKey() { + return this.RecipientPublicKey; + } + + public KmsRecipientConfiguration build() { + if (!onlyOneNonNull()) { + throw new IllegalArgumentException( + "`KmsRecipientConfiguration` is a Union. A Union MUST have one and only one value set." + ); + } + return new KmsRecipientConfiguration(this); + } + + private boolean onlyOneNonNull() { + Object[] allValues = { this.RecipientKmsKeyId, this.RecipientPublicKey }; + boolean haveOneNonNull = false; + for (Object o : allValues) { + if (Objects.nonNull(o)) { + if (haveOneNonNull) { + return false; + } + haveOneNonNull = true; + } + } + return haveOneNonNull; + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsSenderToStaticRecipientInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsSenderToStaticRecipientInput.java new file mode 100644 index 000000000..779802eb8 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/KmsSenderToStaticRecipientInput.java @@ -0,0 +1,123 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * Inputs for creating a KmsSenderToStaticRecipient Configuration. + */ +public class KmsSenderToStaticRecipientInput { + + /** + * AWS KMS Key Identifier belonging to the sender + */ + private final String senderKmsIdentifier; + + /** + * Recipient configuration. This can be either a KMS key identifier or a raw public key + */ + private final KmsRecipientConfiguration recipientConfiguration; + + protected KmsSenderToStaticRecipientInput(BuilderImpl builder) { + this.senderKmsIdentifier = builder.senderKmsIdentifier(); + this.recipientConfiguration = builder.recipientConfiguration(); + } + + /** + * @return AWS KMS Key Identifier belonging to the sender + */ + public String senderKmsIdentifier() { + return this.senderKmsIdentifier; + } + + /** + * @return Recipient configuration. This can be either a KMS key identifier or a raw public key + */ + public KmsRecipientConfiguration recipientConfiguration() { + return this.recipientConfiguration; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param senderKmsIdentifier AWS KMS Key Identifier belonging to the sender + */ + Builder senderKmsIdentifier(String senderKmsIdentifier); + + /** + * @return AWS KMS Key Identifier belonging to the sender + */ + String senderKmsIdentifier(); + + /** + * @param recipientConfiguration Recipient configuration. This can be either a KMS key identifier or a raw public key + */ + Builder recipientConfiguration( + KmsRecipientConfiguration recipientConfiguration + ); + + /** + * @return Recipient configuration. This can be either a KMS key identifier or a raw public key + */ + KmsRecipientConfiguration recipientConfiguration(); + + KmsSenderToStaticRecipientInput build(); + } + + static class BuilderImpl implements Builder { + + protected String senderKmsIdentifier; + + protected KmsRecipientConfiguration recipientConfiguration; + + protected BuilderImpl() {} + + protected BuilderImpl(KmsSenderToStaticRecipientInput model) { + this.senderKmsIdentifier = model.senderKmsIdentifier(); + this.recipientConfiguration = model.recipientConfiguration(); + } + + public Builder senderKmsIdentifier(String senderKmsIdentifier) { + this.senderKmsIdentifier = senderKmsIdentifier; + return this; + } + + public String senderKmsIdentifier() { + return this.senderKmsIdentifier; + } + + public Builder recipientConfiguration( + KmsRecipientConfiguration recipientConfiguration + ) { + this.recipientConfiguration = recipientConfiguration; + return this; + } + + public KmsRecipientConfiguration recipientConfiguration() { + return this.recipientConfiguration; + } + + public KmsSenderToStaticRecipientInput build() { + if (Objects.isNull(this.senderKmsIdentifier())) { + throw new IllegalArgumentException( + "Missing value for required field `senderKmsIdentifier`" + ); + } + if (Objects.isNull(this.recipientConfiguration())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientConfiguration`" + ); + } + return new KmsSenderToStaticRecipientInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/PublicKeyDiscoveryInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/PublicKeyDiscoveryInput.java new file mode 100644 index 000000000..14ed76f19 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/PublicKeyDiscoveryInput.java @@ -0,0 +1,82 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +/** + * Inputs for creating a PublicKeyDiscovery Configuration. + */ +public class PublicKeyDiscoveryInput { + + /** + * The sender's private key. MUST be PEM encoded. + */ + private final ByteBuffer recipientStaticPrivateKey; + + protected PublicKeyDiscoveryInput(BuilderImpl builder) { + this.recipientStaticPrivateKey = builder.recipientStaticPrivateKey(); + } + + /** + * @return The sender's private key. MUST be PEM encoded. + */ + public ByteBuffer recipientStaticPrivateKey() { + return this.recipientStaticPrivateKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param recipientStaticPrivateKey The sender's private key. MUST be PEM encoded. + */ + Builder recipientStaticPrivateKey(ByteBuffer recipientStaticPrivateKey); + + /** + * @return The sender's private key. MUST be PEM encoded. + */ + ByteBuffer recipientStaticPrivateKey(); + + PublicKeyDiscoveryInput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer recipientStaticPrivateKey; + + protected BuilderImpl() {} + + protected BuilderImpl(PublicKeyDiscoveryInput model) { + this.recipientStaticPrivateKey = model.recipientStaticPrivateKey(); + } + + public Builder recipientStaticPrivateKey( + ByteBuffer recipientStaticPrivateKey + ) { + this.recipientStaticPrivateKey = recipientStaticPrivateKey; + return this; + } + + public ByteBuffer recipientStaticPrivateKey() { + return this.recipientStaticPrivateKey; + } + + public PublicKeyDiscoveryInput build() { + if (Objects.isNull(this.recipientStaticPrivateKey())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientStaticPrivateKey`" + ); + } + return new PublicKeyDiscoveryInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawEcdhConfigurations.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawEcdhConfigurations.java new file mode 100644 index 000000000..05d1e417e --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawEcdhConfigurations.java @@ -0,0 +1,182 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * List of configurations when using a RawEcdhConfiguration + */ +public class RawEcdhConfigurations { + + /** + * Inputs for creating a StaticDiscoveryRecipient Configuration. + */ + private final StaticDiscoveryRecipientInput StaticDiscoveryRecipient; + + /** + * Inputs for creating a StaticSenderStaticRecipient Configuration. + */ + private final StaticSenderStaticRecipientInput StaticSenderStaticRecipient; + + /** + * Inputs for creating a EphemeralSenderToStaticRecipient Configuration. + */ + private final EphemeralSenderToStaticRecipientInput EphemeralSenderToStaticKmsRecipient; + + protected RawEcdhConfigurations(BuilderImpl builder) { + this.StaticDiscoveryRecipient = builder.StaticDiscoveryRecipient(); + this.StaticSenderStaticRecipient = builder.StaticSenderStaticRecipient(); + this.EphemeralSenderToStaticKmsRecipient = + builder.EphemeralSenderToStaticKmsRecipient(); + } + + /** + * @return Inputs for creating a StaticDiscoveryRecipient Configuration. + */ + public StaticDiscoveryRecipientInput StaticDiscoveryRecipient() { + return this.StaticDiscoveryRecipient; + } + + /** + * @return Inputs for creating a StaticSenderStaticRecipient Configuration. + */ + public StaticSenderStaticRecipientInput StaticSenderStaticRecipient() { + return this.StaticSenderStaticRecipient; + } + + /** + * @return Inputs for creating a EphemeralSenderToStaticRecipient Configuration. + */ + public EphemeralSenderToStaticRecipientInput EphemeralSenderToStaticKmsRecipient() { + return this.EphemeralSenderToStaticKmsRecipient; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param StaticDiscoveryRecipient Inputs for creating a StaticDiscoveryRecipient Configuration. + */ + Builder StaticDiscoveryRecipient( + StaticDiscoveryRecipientInput StaticDiscoveryRecipient + ); + + /** + * @return Inputs for creating a StaticDiscoveryRecipient Configuration. + */ + StaticDiscoveryRecipientInput StaticDiscoveryRecipient(); + + /** + * @param StaticSenderStaticRecipient Inputs for creating a StaticSenderStaticRecipient Configuration. + */ + Builder StaticSenderStaticRecipient( + StaticSenderStaticRecipientInput StaticSenderStaticRecipient + ); + + /** + * @return Inputs for creating a StaticSenderStaticRecipient Configuration. + */ + StaticSenderStaticRecipientInput StaticSenderStaticRecipient(); + + /** + * @param EphemeralSenderToStaticKmsRecipient Inputs for creating a EphemeralSenderToStaticRecipient Configuration. + */ + Builder EphemeralSenderToStaticKmsRecipient( + EphemeralSenderToStaticRecipientInput EphemeralSenderToStaticKmsRecipient + ); + + /** + * @return Inputs for creating a EphemeralSenderToStaticRecipient Configuration. + */ + EphemeralSenderToStaticRecipientInput EphemeralSenderToStaticKmsRecipient(); + + RawEcdhConfigurations build(); + } + + static class BuilderImpl implements Builder { + + protected StaticDiscoveryRecipientInput StaticDiscoveryRecipient; + + protected StaticSenderStaticRecipientInput StaticSenderStaticRecipient; + + protected EphemeralSenderToStaticRecipientInput EphemeralSenderToStaticKmsRecipient; + + protected BuilderImpl() {} + + protected BuilderImpl(RawEcdhConfigurations model) { + this.StaticDiscoveryRecipient = model.StaticDiscoveryRecipient(); + this.StaticSenderStaticRecipient = model.StaticSenderStaticRecipient(); + this.EphemeralSenderToStaticKmsRecipient = + model.EphemeralSenderToStaticKmsRecipient(); + } + + public Builder StaticDiscoveryRecipient( + StaticDiscoveryRecipientInput StaticDiscoveryRecipient + ) { + this.StaticDiscoveryRecipient = StaticDiscoveryRecipient; + return this; + } + + public StaticDiscoveryRecipientInput StaticDiscoveryRecipient() { + return this.StaticDiscoveryRecipient; + } + + public Builder StaticSenderStaticRecipient( + StaticSenderStaticRecipientInput StaticSenderStaticRecipient + ) { + this.StaticSenderStaticRecipient = StaticSenderStaticRecipient; + return this; + } + + public StaticSenderStaticRecipientInput StaticSenderStaticRecipient() { + return this.StaticSenderStaticRecipient; + } + + public Builder EphemeralSenderToStaticKmsRecipient( + EphemeralSenderToStaticRecipientInput EphemeralSenderToStaticKmsRecipient + ) { + this.EphemeralSenderToStaticKmsRecipient = + EphemeralSenderToStaticKmsRecipient; + return this; + } + + public EphemeralSenderToStaticRecipientInput EphemeralSenderToStaticKmsRecipient() { + return this.EphemeralSenderToStaticKmsRecipient; + } + + public RawEcdhConfigurations build() { + if (!onlyOneNonNull()) { + throw new IllegalArgumentException( + "`RawEcdhConfigurations` is a Union. A Union MUST have one and only one value set." + ); + } + return new RawEcdhConfigurations(this); + } + + private boolean onlyOneNonNull() { + Object[] allValues = { + this.StaticDiscoveryRecipient, + this.StaticSenderStaticRecipient, + this.EphemeralSenderToStaticKmsRecipient, + }; + boolean haveOneNonNull = false; + for (Object o : allValues) { + if (Objects.nonNull(o)) { + if (haveOneNonNull) { + return false; + } + haveOneNonNull = true; + } + } + return haveOneNonNull; + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawEcdhStaticConfigurations.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawEcdhStaticConfigurations.java new file mode 100644 index 000000000..046053a13 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawEcdhStaticConfigurations.java @@ -0,0 +1,182 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * List of configurations when using RawEcdhStaticConfigurations. + */ +public class RawEcdhStaticConfigurations { + + /** + * Inputs for creating a PublicKeyDiscovery Configuration. + */ + private final PublicKeyDiscoveryInput PublicKeyDiscovery; + + /** + * Inputs for creating a RawPrivateKeyToStaticPublicKey Configuration. + */ + private final RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKey; + + /** + * Inputs for creating a EphemeralPrivateKeyToStaticPublicKey Configuration. + */ + private final EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKey; + + protected RawEcdhStaticConfigurations(BuilderImpl builder) { + this.PublicKeyDiscovery = builder.PublicKeyDiscovery(); + this.RawPrivateKeyToStaticPublicKey = + builder.RawPrivateKeyToStaticPublicKey(); + this.EphemeralPrivateKeyToStaticPublicKey = + builder.EphemeralPrivateKeyToStaticPublicKey(); + } + + /** + * @return Inputs for creating a PublicKeyDiscovery Configuration. + */ + public PublicKeyDiscoveryInput PublicKeyDiscovery() { + return this.PublicKeyDiscovery; + } + + /** + * @return Inputs for creating a RawPrivateKeyToStaticPublicKey Configuration. + */ + public RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKey() { + return this.RawPrivateKeyToStaticPublicKey; + } + + /** + * @return Inputs for creating a EphemeralPrivateKeyToStaticPublicKey Configuration. + */ + public EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKey() { + return this.EphemeralPrivateKeyToStaticPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param PublicKeyDiscovery Inputs for creating a PublicKeyDiscovery Configuration. + */ + Builder PublicKeyDiscovery(PublicKeyDiscoveryInput PublicKeyDiscovery); + + /** + * @return Inputs for creating a PublicKeyDiscovery Configuration. + */ + PublicKeyDiscoveryInput PublicKeyDiscovery(); + + /** + * @param RawPrivateKeyToStaticPublicKey Inputs for creating a RawPrivateKeyToStaticPublicKey Configuration. + */ + Builder RawPrivateKeyToStaticPublicKey( + RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKey + ); + + /** + * @return Inputs for creating a RawPrivateKeyToStaticPublicKey Configuration. + */ + RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKey(); + + /** + * @param EphemeralPrivateKeyToStaticPublicKey Inputs for creating a EphemeralPrivateKeyToStaticPublicKey Configuration. + */ + Builder EphemeralPrivateKeyToStaticPublicKey( + EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKey + ); + + /** + * @return Inputs for creating a EphemeralPrivateKeyToStaticPublicKey Configuration. + */ + EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKey(); + + RawEcdhStaticConfigurations build(); + } + + static class BuilderImpl implements Builder { + + protected PublicKeyDiscoveryInput PublicKeyDiscovery; + + protected RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKey; + + protected EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(RawEcdhStaticConfigurations model) { + this.PublicKeyDiscovery = model.PublicKeyDiscovery(); + this.RawPrivateKeyToStaticPublicKey = + model.RawPrivateKeyToStaticPublicKey(); + this.EphemeralPrivateKeyToStaticPublicKey = + model.EphemeralPrivateKeyToStaticPublicKey(); + } + + public Builder PublicKeyDiscovery( + PublicKeyDiscoveryInput PublicKeyDiscovery + ) { + this.PublicKeyDiscovery = PublicKeyDiscovery; + return this; + } + + public PublicKeyDiscoveryInput PublicKeyDiscovery() { + return this.PublicKeyDiscovery; + } + + public Builder RawPrivateKeyToStaticPublicKey( + RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKey + ) { + this.RawPrivateKeyToStaticPublicKey = RawPrivateKeyToStaticPublicKey; + return this; + } + + public RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKey() { + return this.RawPrivateKeyToStaticPublicKey; + } + + public Builder EphemeralPrivateKeyToStaticPublicKey( + EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKey + ) { + this.EphemeralPrivateKeyToStaticPublicKey = + EphemeralPrivateKeyToStaticPublicKey; + return this; + } + + public EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKey() { + return this.EphemeralPrivateKeyToStaticPublicKey; + } + + public RawEcdhStaticConfigurations build() { + if (!onlyOneNonNull()) { + throw new IllegalArgumentException( + "`RawEcdhStaticConfigurations` is a Union. A Union MUST have one and only one value set." + ); + } + return new RawEcdhStaticConfigurations(this); + } + + private boolean onlyOneNonNull() { + Object[] allValues = { + this.PublicKeyDiscovery, + this.RawPrivateKeyToStaticPublicKey, + this.EphemeralPrivateKeyToStaticPublicKey, + }; + boolean haveOneNonNull = false; + for (Object o : allValues) { + if (Objects.nonNull(o)) { + if (haveOneNonNull) { + return false; + } + haveOneNonNull = true; + } + } + return haveOneNonNull; + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawPrivateKeyToStaticPublicKeyInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawPrivateKeyToStaticPublicKeyInput.java new file mode 100644 index 000000000..8ef6c4518 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RawPrivateKeyToStaticPublicKeyInput.java @@ -0,0 +1,120 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +/** + * Inputs for creating a RawPrivateKeyToStaticPublicKey Configuration. + */ +public class RawPrivateKeyToStaticPublicKeyInput { + + /** + * The sender's private key. MUST be PEM encoded. + */ + private final ByteBuffer senderStaticPrivateKey; + + /** + * The recipient's public key. MUST be DER encoded. + */ + private final ByteBuffer recipientPublicKey; + + protected RawPrivateKeyToStaticPublicKeyInput(BuilderImpl builder) { + this.senderStaticPrivateKey = builder.senderStaticPrivateKey(); + this.recipientPublicKey = builder.recipientPublicKey(); + } + + /** + * @return The sender's private key. MUST be PEM encoded. + */ + public ByteBuffer senderStaticPrivateKey() { + return this.senderStaticPrivateKey; + } + + /** + * @return The recipient's public key. MUST be DER encoded. + */ + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param senderStaticPrivateKey The sender's private key. MUST be PEM encoded. + */ + Builder senderStaticPrivateKey(ByteBuffer senderStaticPrivateKey); + + /** + * @return The sender's private key. MUST be PEM encoded. + */ + ByteBuffer senderStaticPrivateKey(); + + /** + * @param recipientPublicKey The recipient's public key. MUST be DER encoded. + */ + Builder recipientPublicKey(ByteBuffer recipientPublicKey); + + /** + * @return The recipient's public key. MUST be DER encoded. + */ + ByteBuffer recipientPublicKey(); + + RawPrivateKeyToStaticPublicKeyInput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer senderStaticPrivateKey; + + protected ByteBuffer recipientPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(RawPrivateKeyToStaticPublicKeyInput model) { + this.senderStaticPrivateKey = model.senderStaticPrivateKey(); + this.recipientPublicKey = model.recipientPublicKey(); + } + + public Builder senderStaticPrivateKey(ByteBuffer senderStaticPrivateKey) { + this.senderStaticPrivateKey = senderStaticPrivateKey; + return this; + } + + public ByteBuffer senderStaticPrivateKey() { + return this.senderStaticPrivateKey; + } + + public Builder recipientPublicKey(ByteBuffer recipientPublicKey) { + this.recipientPublicKey = recipientPublicKey; + return this; + } + + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public RawPrivateKeyToStaticPublicKeyInput build() { + if (Objects.isNull(this.senderStaticPrivateKey())) { + throw new IllegalArgumentException( + "Missing value for required field `senderStaticPrivateKey`" + ); + } + if (Objects.isNull(this.recipientPublicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientPublicKey`" + ); + } + return new RawPrivateKeyToStaticPublicKeyInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RecipientDiscoverySchemeInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RecipientDiscoverySchemeInput.java new file mode 100644 index 000000000..827696ba7 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/RecipientDiscoverySchemeInput.java @@ -0,0 +1,79 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * Inputs for creating a RecipientDiscoveryScheme Configuration. This is a DECRYPT ONLY configuration + */ +public class RecipientDiscoverySchemeInput { + + /** + * AWS KMS key identifier belonging to the recipient + */ + private final String recipientKmsIdentifier; + + protected RecipientDiscoverySchemeInput(BuilderImpl builder) { + this.recipientKmsIdentifier = builder.recipientKmsIdentifier(); + } + + /** + * @return AWS KMS key identifier belonging to the recipient + */ + public String recipientKmsIdentifier() { + return this.recipientKmsIdentifier; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param recipientKmsIdentifier AWS KMS key identifier belonging to the recipient + */ + Builder recipientKmsIdentifier(String recipientKmsIdentifier); + + /** + * @return AWS KMS key identifier belonging to the recipient + */ + String recipientKmsIdentifier(); + + RecipientDiscoverySchemeInput build(); + } + + static class BuilderImpl implements Builder { + + protected String recipientKmsIdentifier; + + protected BuilderImpl() {} + + protected BuilderImpl(RecipientDiscoverySchemeInput model) { + this.recipientKmsIdentifier = model.recipientKmsIdentifier(); + } + + public Builder recipientKmsIdentifier(String recipientKmsIdentifier) { + this.recipientKmsIdentifier = recipientKmsIdentifier; + return this; + } + + public String recipientKmsIdentifier() { + return this.recipientKmsIdentifier; + } + + public RecipientDiscoverySchemeInput build() { + if (Objects.isNull(this.recipientKmsIdentifier())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientKmsIdentifier`" + ); + } + return new RecipientDiscoverySchemeInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticConfigurations.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticConfigurations.java new file mode 100644 index 000000000..5bbcf1a33 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticConfigurations.java @@ -0,0 +1,128 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * Supported configurations for the StaticConfiguration Key Agreement Scheme. + */ +public class StaticConfigurations { + + /** + * Allowed configurations when using KmsEcdhStaticConfigurations. + */ + private final KmsEcdhStaticConfigurations AWS_KMS_ECDH; + + /** + * List of configurations when using RawEcdhStaticConfigurations. + */ + private final RawEcdhStaticConfigurations RAW_ECDH; + + protected StaticConfigurations(BuilderImpl builder) { + this.AWS_KMS_ECDH = builder.AWS_KMS_ECDH(); + this.RAW_ECDH = builder.RAW_ECDH(); + } + + /** + * @return Allowed configurations when using KmsEcdhStaticConfigurations. + */ + public KmsEcdhStaticConfigurations AWS_KMS_ECDH() { + return this.AWS_KMS_ECDH; + } + + /** + * @return List of configurations when using RawEcdhStaticConfigurations. + */ + public RawEcdhStaticConfigurations RAW_ECDH() { + return this.RAW_ECDH; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param AWS_KMS_ECDH Allowed configurations when using KmsEcdhStaticConfigurations. + */ + Builder AWS_KMS_ECDH(KmsEcdhStaticConfigurations AWS_KMS_ECDH); + + /** + * @return Allowed configurations when using KmsEcdhStaticConfigurations. + */ + KmsEcdhStaticConfigurations AWS_KMS_ECDH(); + + /** + * @param RAW_ECDH List of configurations when using RawEcdhStaticConfigurations. + */ + Builder RAW_ECDH(RawEcdhStaticConfigurations RAW_ECDH); + + /** + * @return List of configurations when using RawEcdhStaticConfigurations. + */ + RawEcdhStaticConfigurations RAW_ECDH(); + + StaticConfigurations build(); + } + + static class BuilderImpl implements Builder { + + protected KmsEcdhStaticConfigurations AWS_KMS_ECDH; + + protected RawEcdhStaticConfigurations RAW_ECDH; + + protected BuilderImpl() {} + + protected BuilderImpl(StaticConfigurations model) { + this.AWS_KMS_ECDH = model.AWS_KMS_ECDH(); + this.RAW_ECDH = model.RAW_ECDH(); + } + + public Builder AWS_KMS_ECDH(KmsEcdhStaticConfigurations AWS_KMS_ECDH) { + this.AWS_KMS_ECDH = AWS_KMS_ECDH; + return this; + } + + public KmsEcdhStaticConfigurations AWS_KMS_ECDH() { + return this.AWS_KMS_ECDH; + } + + public Builder RAW_ECDH(RawEcdhStaticConfigurations RAW_ECDH) { + this.RAW_ECDH = RAW_ECDH; + return this; + } + + public RawEcdhStaticConfigurations RAW_ECDH() { + return this.RAW_ECDH; + } + + public StaticConfigurations build() { + if (!onlyOneNonNull()) { + throw new IllegalArgumentException( + "`StaticConfigurations` is a Union. A Union MUST have one and only one value set." + ); + } + return new StaticConfigurations(this); + } + + private boolean onlyOneNonNull() { + Object[] allValues = { this.AWS_KMS_ECDH, this.RAW_ECDH }; + boolean haveOneNonNull = false; + for (Object o : allValues) { + if (Objects.nonNull(o)) { + if (haveOneNonNull) { + return false; + } + haveOneNonNull = true; + } + } + return haveOneNonNull; + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticDiscoveryRecipientInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticDiscoveryRecipientInput.java new file mode 100644 index 000000000..5fa1b912a --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticDiscoveryRecipientInput.java @@ -0,0 +1,80 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +/** + * Inputs for creating a StaticDiscoveryRecipient Configuration. + */ +public class StaticDiscoveryRecipientInput { + + /** + * The sender's private key + */ + private final ByteBuffer senderStaticPrivateKey; + + protected StaticDiscoveryRecipientInput(BuilderImpl builder) { + this.senderStaticPrivateKey = builder.senderStaticPrivateKey(); + } + + /** + * @return The sender's private key + */ + public ByteBuffer senderStaticPrivateKey() { + return this.senderStaticPrivateKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param senderStaticPrivateKey The sender's private key + */ + Builder senderStaticPrivateKey(ByteBuffer senderStaticPrivateKey); + + /** + * @return The sender's private key + */ + ByteBuffer senderStaticPrivateKey(); + + StaticDiscoveryRecipientInput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer senderStaticPrivateKey; + + protected BuilderImpl() {} + + protected BuilderImpl(StaticDiscoveryRecipientInput model) { + this.senderStaticPrivateKey = model.senderStaticPrivateKey(); + } + + public Builder senderStaticPrivateKey(ByteBuffer senderStaticPrivateKey) { + this.senderStaticPrivateKey = senderStaticPrivateKey; + return this; + } + + public ByteBuffer senderStaticPrivateKey() { + return this.senderStaticPrivateKey; + } + + public StaticDiscoveryRecipientInput build() { + if (Objects.isNull(this.senderStaticPrivateKey())) { + throw new IllegalArgumentException( + "Missing value for required field `senderStaticPrivateKey`" + ); + } + return new StaticDiscoveryRecipientInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticSenderStaticRecipientInput.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticSenderStaticRecipientInput.java new file mode 100644 index 000000000..997b0db2e --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticSenderStaticRecipientInput.java @@ -0,0 +1,120 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +/** + * Inputs for creating a StaticSenderStaticRecipient Configuration. + */ +public class StaticSenderStaticRecipientInput { + + /** + * The sender's private key + */ + private final ByteBuffer senderStaticPrivateKey; + + /** + * The recipient's public key + */ + private final ByteBuffer recipientPublicKey; + + protected StaticSenderStaticRecipientInput(BuilderImpl builder) { + this.senderStaticPrivateKey = builder.senderStaticPrivateKey(); + this.recipientPublicKey = builder.recipientPublicKey(); + } + + /** + * @return The sender's private key + */ + public ByteBuffer senderStaticPrivateKey() { + return this.senderStaticPrivateKey; + } + + /** + * @return The recipient's public key + */ + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param senderStaticPrivateKey The sender's private key + */ + Builder senderStaticPrivateKey(ByteBuffer senderStaticPrivateKey); + + /** + * @return The sender's private key + */ + ByteBuffer senderStaticPrivateKey(); + + /** + * @param recipientPublicKey The recipient's public key + */ + Builder recipientPublicKey(ByteBuffer recipientPublicKey); + + /** + * @return The recipient's public key + */ + ByteBuffer recipientPublicKey(); + + StaticSenderStaticRecipientInput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer senderStaticPrivateKey; + + protected ByteBuffer recipientPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(StaticSenderStaticRecipientInput model) { + this.senderStaticPrivateKey = model.senderStaticPrivateKey(); + this.recipientPublicKey = model.recipientPublicKey(); + } + + public Builder senderStaticPrivateKey(ByteBuffer senderStaticPrivateKey) { + this.senderStaticPrivateKey = senderStaticPrivateKey; + return this; + } + + public ByteBuffer senderStaticPrivateKey() { + return this.senderStaticPrivateKey; + } + + public Builder recipientPublicKey(ByteBuffer recipientPublicKey) { + this.recipientPublicKey = recipientPublicKey; + return this; + } + + public ByteBuffer recipientPublicKey() { + return this.recipientPublicKey; + } + + public StaticSenderStaticRecipientInput build() { + if (Objects.isNull(this.senderStaticPrivateKey())) { + throw new IllegalArgumentException( + "Missing value for required field `senderStaticPrivateKey`" + ); + } + if (Objects.isNull(this.recipientPublicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `recipientPublicKey`" + ); + } + return new StaticSenderStaticRecipientInput(this); + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticUnifiedModelConfigurations.java b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticUnifiedModelConfigurations.java new file mode 100644 index 000000000..8b8286ec2 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/materialproviders/model/StaticUnifiedModelConfigurations.java @@ -0,0 +1,128 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.materialproviders.model; + +import java.util.Objects; + +/** + * Supported configurations for the StaticUnifiedModel Key Agreement Scheme + */ +public class StaticUnifiedModelConfigurations { + + /** + * Allowed configurations when using a KmsEcdhConfiguration + */ + private final KmsEcdhConfigurations AWS_KMS_ECDH; + + /** + * List of configurations when using a RawEcdhConfiguration + */ + private final RawEcdhConfigurations RAW_ECDH; + + protected StaticUnifiedModelConfigurations(BuilderImpl builder) { + this.AWS_KMS_ECDH = builder.AWS_KMS_ECDH(); + this.RAW_ECDH = builder.RAW_ECDH(); + } + + /** + * @return Allowed configurations when using a KmsEcdhConfiguration + */ + public KmsEcdhConfigurations AWS_KMS_ECDH() { + return this.AWS_KMS_ECDH; + } + + /** + * @return List of configurations when using a RawEcdhConfiguration + */ + public RawEcdhConfigurations RAW_ECDH() { + return this.RAW_ECDH; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + /** + * @param AWS_KMS_ECDH Allowed configurations when using a KmsEcdhConfiguration + */ + Builder AWS_KMS_ECDH(KmsEcdhConfigurations AWS_KMS_ECDH); + + /** + * @return Allowed configurations when using a KmsEcdhConfiguration + */ + KmsEcdhConfigurations AWS_KMS_ECDH(); + + /** + * @param RAW_ECDH List of configurations when using a RawEcdhConfiguration + */ + Builder RAW_ECDH(RawEcdhConfigurations RAW_ECDH); + + /** + * @return List of configurations when using a RawEcdhConfiguration + */ + RawEcdhConfigurations RAW_ECDH(); + + StaticUnifiedModelConfigurations build(); + } + + static class BuilderImpl implements Builder { + + protected KmsEcdhConfigurations AWS_KMS_ECDH; + + protected RawEcdhConfigurations RAW_ECDH; + + protected BuilderImpl() {} + + protected BuilderImpl(StaticUnifiedModelConfigurations model) { + this.AWS_KMS_ECDH = model.AWS_KMS_ECDH(); + this.RAW_ECDH = model.RAW_ECDH(); + } + + public Builder AWS_KMS_ECDH(KmsEcdhConfigurations AWS_KMS_ECDH) { + this.AWS_KMS_ECDH = AWS_KMS_ECDH; + return this; + } + + public KmsEcdhConfigurations AWS_KMS_ECDH() { + return this.AWS_KMS_ECDH; + } + + public Builder RAW_ECDH(RawEcdhConfigurations RAW_ECDH) { + this.RAW_ECDH = RAW_ECDH; + return this; + } + + public RawEcdhConfigurations RAW_ECDH() { + return this.RAW_ECDH; + } + + public StaticUnifiedModelConfigurations build() { + if (!onlyOneNonNull()) { + throw new IllegalArgumentException( + "`StaticUnifiedModelConfigurations` is a Union. A Union MUST have one and only one value set." + ); + } + return new StaticUnifiedModelConfigurations(this); + } + + private boolean onlyOneNonNull() { + Object[] allValues = { this.AWS_KMS_ECDH, this.RAW_ECDH }; + boolean haveOneNonNull = false; + for (Object o : allValues) { + if (Objects.nonNull(o)) { + if (haveOneNonNull) { + return false; + } + haveOneNonNull = true; + } + } + return haveOneNonNull; + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/CreateAwsKmsEcdhKeyringInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/CreateAwsKmsEcdhKeyringInput.cs new file mode 100644 index 000000000..a4a08224b --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/CreateAwsKmsEcdhKeyringInput.cs @@ -0,0 +1,58 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class CreateAwsKmsEcdhKeyringInput + { + private AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations _keyAgreementScheme; + private AWS.Cryptography.Primitives.ECDHCurveSpec _curveSpec; + private Amazon.KeyManagementService.IAmazonKeyManagementService _kmsClient; + private System.Collections.Generic.List _grantTokens; + public AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations KeyAgreementScheme + { + get { return this._keyAgreementScheme; } + set { this._keyAgreementScheme = value; } + } + public bool IsSetKeyAgreementScheme() + { + return this._keyAgreementScheme != null; + } + public AWS.Cryptography.Primitives.ECDHCurveSpec CurveSpec + { + get { return this._curveSpec; } + set { this._curveSpec = value; } + } + public bool IsSetCurveSpec() + { + return this._curveSpec != null; + } + public Amazon.KeyManagementService.IAmazonKeyManagementService KmsClient + { + get { return this._kmsClient; } + set { this._kmsClient = value; } + } + public bool IsSetKmsClient() + { + return this._kmsClient != null; + } + public System.Collections.Generic.List GrantTokens + { + get { return this._grantTokens; } + set { this._grantTokens = value; } + } + public bool IsSetGrantTokens() + { + return this._grantTokens != null; + } + public void Validate() + { + if (!IsSetKeyAgreementScheme()) throw new System.ArgumentException("Missing value for required property 'KeyAgreementScheme'"); + if (!IsSetCurveSpec()) throw new System.ArgumentException("Missing value for required property 'CurveSpec'"); + if (!IsSetKmsClient()) throw new System.ArgumentException("Missing value for required property 'KmsClient'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/CreateRawEcdhKeyringInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/CreateRawEcdhKeyringInput.cs new file mode 100644 index 000000000..679adf9d9 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/CreateRawEcdhKeyringInput.cs @@ -0,0 +1,37 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class CreateRawEcdhKeyringInput + { + private AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations _keyAgreementScheme; + private AWS.Cryptography.Primitives.ECDHCurveSpec _curveSpec; + public AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations KeyAgreementScheme + { + get { return this._keyAgreementScheme; } + set { this._keyAgreementScheme = value; } + } + public bool IsSetKeyAgreementScheme() + { + return this._keyAgreementScheme != null; + } + public AWS.Cryptography.Primitives.ECDHCurveSpec CurveSpec + { + get { return this._curveSpec; } + set { this._curveSpec = value; } + } + public bool IsSetCurveSpec() + { + return this._curveSpec != null; + } + public void Validate() + { + if (!IsSetKeyAgreementScheme()) throw new System.ArgumentException("Missing value for required property 'KeyAgreementScheme'"); + if (!IsSetCurveSpec()) throw new System.ArgumentException("Missing value for required property 'CurveSpec'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EccCurveSpec.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EccCurveSpec.cs new file mode 100644 index 000000000..36198b34b --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EccCurveSpec.cs @@ -0,0 +1,25 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + using Amazon.Runtime; + public class EccCurveSpec : ConstantClass + { + + + public static readonly EccCurveSpec ECC_NIST_P256 = new EccCurveSpec("secp256r1"); + + public static readonly EccCurveSpec ECC_NIST_P384 = new EccCurveSpec("secp384r1"); + + public static readonly EccCurveSpec ECC_NIST_P521 = new EccCurveSpec("secp521r1"); + + public static readonly EccCurveSpec SM2 = new EccCurveSpec("SM2PKE"); + public static readonly EccCurveSpec[] Values = { + ECC_NIST_P256 , ECC_NIST_P384 , ECC_NIST_P521 , SM2 +}; + public EccCurveSpec(string value) : base(value) { } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EphemeralPrivateKeyToStaticPublicKeyInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EphemeralPrivateKeyToStaticPublicKeyInput.cs new file mode 100644 index 000000000..9541f9a5d --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EphemeralPrivateKeyToStaticPublicKeyInput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class EphemeralPrivateKeyToStaticPublicKeyInput + { + private System.IO.MemoryStream _recipientPublicKey; + public System.IO.MemoryStream RecipientPublicKey + { + get { return this._recipientPublicKey; } + set { this._recipientPublicKey = value; } + } + public bool IsSetRecipientPublicKey() + { + return this._recipientPublicKey != null; + } + public void Validate() + { + if (!IsSetRecipientPublicKey()) throw new System.ArgumentException("Missing value for required property 'RecipientPublicKey'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EphemeralSenderToStaticRecipientInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EphemeralSenderToStaticRecipientInput.cs new file mode 100644 index 000000000..86da333a0 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/EphemeralSenderToStaticRecipientInput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class EphemeralSenderToStaticRecipientInput + { + private System.IO.MemoryStream _recipientPublicKey; + public System.IO.MemoryStream RecipientPublicKey + { + get { return this._recipientPublicKey; } + set { this._recipientPublicKey = value; } + } + public bool IsSetRecipientPublicKey() + { + return this._recipientPublicKey != null; + } + public void Validate() + { + if (!IsSetRecipientPublicKey()) throw new System.ArgumentException("Missing value for required property 'RecipientPublicKey'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KeyAgreementScheme.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KeyAgreementScheme.cs new file mode 100644 index 000000000..2eeb1fb95 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KeyAgreementScheme.cs @@ -0,0 +1,29 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class KeyAgreementScheme + { + private AWS.Cryptography.MaterialProviders.StaticConfigurations _staticConfiguration; + public AWS.Cryptography.MaterialProviders.StaticConfigurations StaticConfiguration + { + get { return this._staticConfiguration; } + set { this._staticConfiguration = value; } + } + public bool IsSetStaticConfiguration() + { + return this._staticConfiguration != null; + } + public void Validate() + { + var numberOfPropertiesSet = Convert.ToUInt16(IsSetStaticConfiguration()); + if (numberOfPropertiesSet == 0) throw new System.ArgumentException("No union value set"); + + if (numberOfPropertiesSet > 1) throw new System.ArgumentException("Multiple union values set"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsEcdhConfigurations.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsEcdhConfigurations.cs new file mode 100644 index 000000000..98a6e58b9 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsEcdhConfigurations.cs @@ -0,0 +1,40 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class KmsEcdhConfigurations + { + private AWS.Cryptography.MaterialProviders.RecipientDiscoverySchemeInput _recipientDiscoveryScheme; + private AWS.Cryptography.MaterialProviders.KmsSenderToStaticRecipientInput _kmsSenderToStaticRecipient; + public AWS.Cryptography.MaterialProviders.RecipientDiscoverySchemeInput RecipientDiscoveryScheme + { + get { return this._recipientDiscoveryScheme; } + set { this._recipientDiscoveryScheme = value; } + } + public bool IsSetRecipientDiscoveryScheme() + { + return this._recipientDiscoveryScheme != null; + } + public AWS.Cryptography.MaterialProviders.KmsSenderToStaticRecipientInput KmsSenderToStaticRecipient + { + get { return this._kmsSenderToStaticRecipient; } + set { this._kmsSenderToStaticRecipient = value; } + } + public bool IsSetKmsSenderToStaticRecipient() + { + return this._kmsSenderToStaticRecipient != null; + } + public void Validate() + { + var numberOfPropertiesSet = Convert.ToUInt16(IsSetRecipientDiscoveryScheme()) + + Convert.ToUInt16(IsSetKmsSenderToStaticRecipient()); + if (numberOfPropertiesSet == 0) throw new System.ArgumentException("No union value set"); + + if (numberOfPropertiesSet > 1) throw new System.ArgumentException("Multiple union values set"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsEcdhStaticConfigurations.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsEcdhStaticConfigurations.cs new file mode 100644 index 000000000..cc71b48c9 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsEcdhStaticConfigurations.cs @@ -0,0 +1,40 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class KmsEcdhStaticConfigurations + { + private AWS.Cryptography.MaterialProviders.KmsPublicKeyDiscoveryInput _kmsPublicKeyDiscovery; + private AWS.Cryptography.MaterialProviders.KmsPrivateKeyToStaticPublicKeyInput _kmsPrivateKeyToStaticPublicKey; + public AWS.Cryptography.MaterialProviders.KmsPublicKeyDiscoveryInput KmsPublicKeyDiscovery + { + get { return this._kmsPublicKeyDiscovery; } + set { this._kmsPublicKeyDiscovery = value; } + } + public bool IsSetKmsPublicKeyDiscovery() + { + return this._kmsPublicKeyDiscovery != null; + } + public AWS.Cryptography.MaterialProviders.KmsPrivateKeyToStaticPublicKeyInput KmsPrivateKeyToStaticPublicKey + { + get { return this._kmsPrivateKeyToStaticPublicKey; } + set { this._kmsPrivateKeyToStaticPublicKey = value; } + } + public bool IsSetKmsPrivateKeyToStaticPublicKey() + { + return this._kmsPrivateKeyToStaticPublicKey != null; + } + public void Validate() + { + var numberOfPropertiesSet = Convert.ToUInt16(IsSetKmsPublicKeyDiscovery()) + + Convert.ToUInt16(IsSetKmsPrivateKeyToStaticPublicKey()); + if (numberOfPropertiesSet == 0) throw new System.ArgumentException("No union value set"); + + if (numberOfPropertiesSet > 1) throw new System.ArgumentException("Multiple union values set"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsPrivateKeyToStaticPublicKeyInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsPrivateKeyToStaticPublicKeyInput.cs new file mode 100644 index 000000000..221938e24 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsPrivateKeyToStaticPublicKeyInput.cs @@ -0,0 +1,47 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class KmsPrivateKeyToStaticPublicKeyInput + { + private string _senderKmsIdentifier; + private System.IO.MemoryStream _senderPublicKey; + private System.IO.MemoryStream _recipientPublicKey; + public string SenderKmsIdentifier + { + get { return this._senderKmsIdentifier; } + set { this._senderKmsIdentifier = value; } + } + public bool IsSetSenderKmsIdentifier() + { + return this._senderKmsIdentifier != null; + } + public System.IO.MemoryStream SenderPublicKey + { + get { return this._senderPublicKey; } + set { this._senderPublicKey = value; } + } + public bool IsSetSenderPublicKey() + { + return this._senderPublicKey != null; + } + public System.IO.MemoryStream RecipientPublicKey + { + get { return this._recipientPublicKey; } + set { this._recipientPublicKey = value; } + } + public bool IsSetRecipientPublicKey() + { + return this._recipientPublicKey != null; + } + public void Validate() + { + if (!IsSetSenderKmsIdentifier()) throw new System.ArgumentException("Missing value for required property 'SenderKmsIdentifier'"); + if (!IsSetRecipientPublicKey()) throw new System.ArgumentException("Missing value for required property 'RecipientPublicKey'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsPublicKeyDiscoveryInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsPublicKeyDiscoveryInput.cs new file mode 100644 index 000000000..61af1baf5 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsPublicKeyDiscoveryInput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class KmsPublicKeyDiscoveryInput + { + private string _recipientKmsIdentifier; + public string RecipientKmsIdentifier + { + get { return this._recipientKmsIdentifier; } + set { this._recipientKmsIdentifier = value; } + } + public bool IsSetRecipientKmsIdentifier() + { + return this._recipientKmsIdentifier != null; + } + public void Validate() + { + if (!IsSetRecipientKmsIdentifier()) throw new System.ArgumentException("Missing value for required property 'RecipientKmsIdentifier'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsRecipientConfiguration.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsRecipientConfiguration.cs new file mode 100644 index 000000000..06be6c35e --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsRecipientConfiguration.cs @@ -0,0 +1,40 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class KmsRecipientConfiguration + { + private string _recipientKmsKeyId; + private System.IO.MemoryStream _recipientPublicKey; + public string RecipientKmsKeyId + { + get { return this._recipientKmsKeyId; } + set { this._recipientKmsKeyId = value; } + } + public bool IsSetRecipientKmsKeyId() + { + return this._recipientKmsKeyId != null; + } + public System.IO.MemoryStream RecipientPublicKey + { + get { return this._recipientPublicKey; } + set { this._recipientPublicKey = value; } + } + public bool IsSetRecipientPublicKey() + { + return this._recipientPublicKey != null; + } + public void Validate() + { + var numberOfPropertiesSet = Convert.ToUInt16(IsSetRecipientKmsKeyId()) + + Convert.ToUInt16(IsSetRecipientPublicKey()); + if (numberOfPropertiesSet == 0) throw new System.ArgumentException("No union value set"); + + if (numberOfPropertiesSet > 1) throw new System.ArgumentException("Multiple union values set"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsSenderToStaticRecipientInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsSenderToStaticRecipientInput.cs new file mode 100644 index 000000000..54b3028db --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/KmsSenderToStaticRecipientInput.cs @@ -0,0 +1,37 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class KmsSenderToStaticRecipientInput + { + private string _senderKmsIdentifier; + private AWS.Cryptography.MaterialProviders.KmsRecipientConfiguration _recipientConfiguration; + public string SenderKmsIdentifier + { + get { return this._senderKmsIdentifier; } + set { this._senderKmsIdentifier = value; } + } + public bool IsSetSenderKmsIdentifier() + { + return this._senderKmsIdentifier != null; + } + public AWS.Cryptography.MaterialProviders.KmsRecipientConfiguration RecipientConfiguration + { + get { return this._recipientConfiguration; } + set { this._recipientConfiguration = value; } + } + public bool IsSetRecipientConfiguration() + { + return this._recipientConfiguration != null; + } + public void Validate() + { + if (!IsSetSenderKmsIdentifier()) throw new System.ArgumentException("Missing value for required property 'SenderKmsIdentifier'"); + if (!IsSetRecipientConfiguration()) throw new System.ArgumentException("Missing value for required property 'RecipientConfiguration'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/MaterialProviders.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/MaterialProviders.cs index ba09ab0d4..5abc49298 100644 --- a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/MaterialProviders.cs +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/MaterialProviders.cs @@ -89,6 +89,20 @@ public AWS.Cryptography.MaterialProviders.IKeyring CreateAwsKmsHierarchicalKeyri if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); return TypeConversion.FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S19_CreateKeyringOutput(result.dtor_value); } + public AWS.Cryptography.MaterialProviders.IKeyring CreateAwsKmsRsaKeyring(AWS.Cryptography.MaterialProviders.CreateAwsKmsRsaKeyringInput input) + { + software.amazon.cryptography.materialproviders.internaldafny.types._ICreateAwsKmsRsaKeyringInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_CreateAwsKmsRsaKeyringInput(input); + Wrappers_Compile._IResult result = _impl.CreateAwsKmsRsaKeyring(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S19_CreateKeyringOutput(result.dtor_value); + } + public AWS.Cryptography.MaterialProviders.IKeyring CreateAwsKmsEcdhKeyring(AWS.Cryptography.MaterialProviders.CreateAwsKmsEcdhKeyringInput input) + { + software.amazon.cryptography.materialproviders.internaldafny.types._ICreateAwsKmsEcdhKeyringInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput(input); + Wrappers_Compile._IResult result = _impl.CreateAwsKmsEcdhKeyring(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S19_CreateKeyringOutput(result.dtor_value); + } public AWS.Cryptography.MaterialProviders.IKeyring CreateMultiKeyring(AWS.Cryptography.MaterialProviders.CreateMultiKeyringInput input) { software.amazon.cryptography.materialproviders.internaldafny.types._ICreateMultiKeyringInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_CreateMultiKeyringInput(input); @@ -110,10 +124,10 @@ public AWS.Cryptography.MaterialProviders.IKeyring CreateRawRsaKeyring(AWS.Crypt if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); return TypeConversion.FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S19_CreateKeyringOutput(result.dtor_value); } - public AWS.Cryptography.MaterialProviders.IKeyring CreateAwsKmsRsaKeyring(AWS.Cryptography.MaterialProviders.CreateAwsKmsRsaKeyringInput input) + public AWS.Cryptography.MaterialProviders.IKeyring CreateRawEcdhKeyring(AWS.Cryptography.MaterialProviders.CreateRawEcdhKeyringInput input) { - software.amazon.cryptography.materialproviders.internaldafny.types._ICreateAwsKmsRsaKeyringInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_CreateAwsKmsRsaKeyringInput(input); - Wrappers_Compile._IResult result = _impl.CreateAwsKmsRsaKeyring(internalInput); + software.amazon.cryptography.materialproviders.internaldafny.types._ICreateRawEcdhKeyringInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput(input); + Wrappers_Compile._IResult result = _impl.CreateRawEcdhKeyring(internalInput); if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); return TypeConversion.FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S19_CreateKeyringOutput(result.dtor_value); } diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/PublicKeyDiscoveryInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/PublicKeyDiscoveryInput.cs new file mode 100644 index 000000000..c0a84e704 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/PublicKeyDiscoveryInput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class PublicKeyDiscoveryInput + { + private System.IO.MemoryStream _recipientStaticPrivateKey; + public System.IO.MemoryStream RecipientStaticPrivateKey + { + get { return this._recipientStaticPrivateKey; } + set { this._recipientStaticPrivateKey = value; } + } + public bool IsSetRecipientStaticPrivateKey() + { + return this._recipientStaticPrivateKey != null; + } + public void Validate() + { + if (!IsSetRecipientStaticPrivateKey()) throw new System.ArgumentException("Missing value for required property 'RecipientStaticPrivateKey'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawEcdhConfigurations.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawEcdhConfigurations.cs new file mode 100644 index 000000000..ee5281d08 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawEcdhConfigurations.cs @@ -0,0 +1,51 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class RawEcdhConfigurations + { + private AWS.Cryptography.MaterialProviders.StaticDiscoveryRecipientInput _staticDiscoveryRecipient; + private AWS.Cryptography.MaterialProviders.StaticSenderStaticRecipientInput _staticSenderStaticRecipient; + private AWS.Cryptography.MaterialProviders.EphemeralSenderToStaticRecipientInput _ephemeralSenderToStaticKmsRecipient; + public AWS.Cryptography.MaterialProviders.StaticDiscoveryRecipientInput StaticDiscoveryRecipient + { + get { return this._staticDiscoveryRecipient; } + set { this._staticDiscoveryRecipient = value; } + } + public bool IsSetStaticDiscoveryRecipient() + { + return this._staticDiscoveryRecipient != null; + } + public AWS.Cryptography.MaterialProviders.StaticSenderStaticRecipientInput StaticSenderStaticRecipient + { + get { return this._staticSenderStaticRecipient; } + set { this._staticSenderStaticRecipient = value; } + } + public bool IsSetStaticSenderStaticRecipient() + { + return this._staticSenderStaticRecipient != null; + } + public AWS.Cryptography.MaterialProviders.EphemeralSenderToStaticRecipientInput EphemeralSenderToStaticKmsRecipient + { + get { return this._ephemeralSenderToStaticKmsRecipient; } + set { this._ephemeralSenderToStaticKmsRecipient = value; } + } + public bool IsSetEphemeralSenderToStaticKmsRecipient() + { + return this._ephemeralSenderToStaticKmsRecipient != null; + } + public void Validate() + { + var numberOfPropertiesSet = Convert.ToUInt16(IsSetStaticDiscoveryRecipient()) + + Convert.ToUInt16(IsSetStaticSenderStaticRecipient()) + + Convert.ToUInt16(IsSetEphemeralSenderToStaticKmsRecipient()); + if (numberOfPropertiesSet == 0) throw new System.ArgumentException("No union value set"); + + if (numberOfPropertiesSet > 1) throw new System.ArgumentException("Multiple union values set"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawEcdhStaticConfigurations.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawEcdhStaticConfigurations.cs new file mode 100644 index 000000000..fb4343542 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawEcdhStaticConfigurations.cs @@ -0,0 +1,51 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class RawEcdhStaticConfigurations + { + private AWS.Cryptography.MaterialProviders.PublicKeyDiscoveryInput _publicKeyDiscovery; + private AWS.Cryptography.MaterialProviders.RawPrivateKeyToStaticPublicKeyInput _rawPrivateKeyToStaticPublicKey; + private AWS.Cryptography.MaterialProviders.EphemeralPrivateKeyToStaticPublicKeyInput _ephemeralPrivateKeyToStaticPublicKey; + public AWS.Cryptography.MaterialProviders.PublicKeyDiscoveryInput PublicKeyDiscovery + { + get { return this._publicKeyDiscovery; } + set { this._publicKeyDiscovery = value; } + } + public bool IsSetPublicKeyDiscovery() + { + return this._publicKeyDiscovery != null; + } + public AWS.Cryptography.MaterialProviders.RawPrivateKeyToStaticPublicKeyInput RawPrivateKeyToStaticPublicKey + { + get { return this._rawPrivateKeyToStaticPublicKey; } + set { this._rawPrivateKeyToStaticPublicKey = value; } + } + public bool IsSetRawPrivateKeyToStaticPublicKey() + { + return this._rawPrivateKeyToStaticPublicKey != null; + } + public AWS.Cryptography.MaterialProviders.EphemeralPrivateKeyToStaticPublicKeyInput EphemeralPrivateKeyToStaticPublicKey + { + get { return this._ephemeralPrivateKeyToStaticPublicKey; } + set { this._ephemeralPrivateKeyToStaticPublicKey = value; } + } + public bool IsSetEphemeralPrivateKeyToStaticPublicKey() + { + return this._ephemeralPrivateKeyToStaticPublicKey != null; + } + public void Validate() + { + var numberOfPropertiesSet = Convert.ToUInt16(IsSetPublicKeyDiscovery()) + + Convert.ToUInt16(IsSetRawPrivateKeyToStaticPublicKey()) + + Convert.ToUInt16(IsSetEphemeralPrivateKeyToStaticPublicKey()); + if (numberOfPropertiesSet == 0) throw new System.ArgumentException("No union value set"); + + if (numberOfPropertiesSet > 1) throw new System.ArgumentException("Multiple union values set"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawPrivateKeyToStaticPublicKeyInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawPrivateKeyToStaticPublicKeyInput.cs new file mode 100644 index 000000000..9a3a63d57 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RawPrivateKeyToStaticPublicKeyInput.cs @@ -0,0 +1,37 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class RawPrivateKeyToStaticPublicKeyInput + { + private System.IO.MemoryStream _senderStaticPrivateKey; + private System.IO.MemoryStream _recipientPublicKey; + public System.IO.MemoryStream SenderStaticPrivateKey + { + get { return this._senderStaticPrivateKey; } + set { this._senderStaticPrivateKey = value; } + } + public bool IsSetSenderStaticPrivateKey() + { + return this._senderStaticPrivateKey != null; + } + public System.IO.MemoryStream RecipientPublicKey + { + get { return this._recipientPublicKey; } + set { this._recipientPublicKey = value; } + } + public bool IsSetRecipientPublicKey() + { + return this._recipientPublicKey != null; + } + public void Validate() + { + if (!IsSetSenderStaticPrivateKey()) throw new System.ArgumentException("Missing value for required property 'SenderStaticPrivateKey'"); + if (!IsSetRecipientPublicKey()) throw new System.ArgumentException("Missing value for required property 'RecipientPublicKey'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RecipientDiscoverySchemeInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RecipientDiscoverySchemeInput.cs new file mode 100644 index 000000000..9880a5b41 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/RecipientDiscoverySchemeInput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class RecipientDiscoverySchemeInput + { + private string _recipientKmsIdentifier; + public string RecipientKmsIdentifier + { + get { return this._recipientKmsIdentifier; } + set { this._recipientKmsIdentifier = value; } + } + public bool IsSetRecipientKmsIdentifier() + { + return this._recipientKmsIdentifier != null; + } + public void Validate() + { + if (!IsSetRecipientKmsIdentifier()) throw new System.ArgumentException("Missing value for required property 'RecipientKmsIdentifier'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticConfigurations.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticConfigurations.cs new file mode 100644 index 000000000..098f30907 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticConfigurations.cs @@ -0,0 +1,40 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class StaticConfigurations + { + private AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations _aWS_KMS_ECDH; + private AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations _rAW_ECDH; + public AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations AWS__KMS__ECDH + { + get { return this._aWS_KMS_ECDH; } + set { this._aWS_KMS_ECDH = value; } + } + public bool IsSetAWS__KMS__ECDH() + { + return this._aWS_KMS_ECDH != null; + } + public AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations RAW__ECDH + { + get { return this._rAW_ECDH; } + set { this._rAW_ECDH = value; } + } + public bool IsSetRAW__ECDH() + { + return this._rAW_ECDH != null; + } + public void Validate() + { + var numberOfPropertiesSet = Convert.ToUInt16(IsSetAWS__KMS__ECDH()) + + Convert.ToUInt16(IsSetRAW__ECDH()); + if (numberOfPropertiesSet == 0) throw new System.ArgumentException("No union value set"); + + if (numberOfPropertiesSet > 1) throw new System.ArgumentException("Multiple union values set"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticDiscoveryRecipientInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticDiscoveryRecipientInput.cs new file mode 100644 index 000000000..d58dde237 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticDiscoveryRecipientInput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class StaticDiscoveryRecipientInput + { + private System.IO.MemoryStream _senderStaticPrivateKey; + public System.IO.MemoryStream SenderStaticPrivateKey + { + get { return this._senderStaticPrivateKey; } + set { this._senderStaticPrivateKey = value; } + } + public bool IsSetSenderStaticPrivateKey() + { + return this._senderStaticPrivateKey != null; + } + public void Validate() + { + if (!IsSetSenderStaticPrivateKey()) throw new System.ArgumentException("Missing value for required property 'SenderStaticPrivateKey'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticSenderStaticRecipientInput.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticSenderStaticRecipientInput.cs new file mode 100644 index 000000000..355596f50 --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticSenderStaticRecipientInput.cs @@ -0,0 +1,37 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class StaticSenderStaticRecipientInput + { + private System.IO.MemoryStream _senderStaticPrivateKey; + private System.IO.MemoryStream _recipientPublicKey; + public System.IO.MemoryStream SenderStaticPrivateKey + { + get { return this._senderStaticPrivateKey; } + set { this._senderStaticPrivateKey = value; } + } + public bool IsSetSenderStaticPrivateKey() + { + return this._senderStaticPrivateKey != null; + } + public System.IO.MemoryStream RecipientPublicKey + { + get { return this._recipientPublicKey; } + set { this._recipientPublicKey = value; } + } + public bool IsSetRecipientPublicKey() + { + return this._recipientPublicKey != null; + } + public void Validate() + { + if (!IsSetSenderStaticPrivateKey()) throw new System.ArgumentException("Missing value for required property 'SenderStaticPrivateKey'"); + if (!IsSetRecipientPublicKey()) throw new System.ArgumentException("Missing value for required property 'RecipientPublicKey'"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticUnifiedModelConfigurations.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticUnifiedModelConfigurations.cs new file mode 100644 index 000000000..bf98eb4ef --- /dev/null +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/StaticUnifiedModelConfigurations.cs @@ -0,0 +1,40 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.MaterialProviders; +namespace AWS.Cryptography.MaterialProviders +{ + public class StaticUnifiedModelConfigurations + { + private AWS.Cryptography.MaterialProviders.KmsEcdhConfigurations _aWS_KMS_ECDH; + private AWS.Cryptography.MaterialProviders.RawEcdhConfigurations _rAW_ECDH; + public AWS.Cryptography.MaterialProviders.KmsEcdhConfigurations AWS__KMS__ECDH + { + get { return this._aWS_KMS_ECDH; } + set { this._aWS_KMS_ECDH = value; } + } + public bool IsSetAWS__KMS__ECDH() + { + return this._aWS_KMS_ECDH != null; + } + public AWS.Cryptography.MaterialProviders.RawEcdhConfigurations RAW__ECDH + { + get { return this._rAW_ECDH; } + set { this._rAW_ECDH = value; } + } + public bool IsSetRAW__ECDH() + { + return this._rAW_ECDH != null; + } + public void Validate() + { + var numberOfPropertiesSet = Convert.ToUInt16(IsSetAWS__KMS__ECDH()) + + Convert.ToUInt16(IsSetRAW__ECDH()); + if (numberOfPropertiesSet == 0) throw new System.ArgumentException("No union value set"); + + if (numberOfPropertiesSet > 1) throw new System.ArgumentException("Multiple union values set"); + + } + } +} diff --git a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/TypeConversion.cs b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/TypeConversion.cs index ab05c1eb7..7b6ad3a7d 100644 --- a/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/TypeConversion.cs +++ b/AwsCryptographicMaterialProviders/runtimes/net/Generated/AwsCryptographicMaterialProviders/TypeConversion.cs @@ -188,6 +188,19 @@ public static software.amazon.cryptography.materialproviders.internaldafny.types System.Collections.Generic.List var_grantTokens = value.IsSetGrantTokens() ? value.GrantTokens : (System.Collections.Generic.List)null; return new software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsDiscoveryMultiKeyringInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S38_CreateAwsKmsDiscoveryMultiKeyringInput__M7_regions(value.Regions), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S38_CreateAwsKmsDiscoveryMultiKeyringInput__M15_discoveryFilter(var_discoveryFilter), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S38_CreateAwsKmsDiscoveryMultiKeyringInput__M14_clientSupplier(var_clientSupplier), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S38_CreateAwsKmsDiscoveryMultiKeyringInput__M11_grantTokens(var_grantTokens)); } + public static AWS.Cryptography.MaterialProviders.CreateAwsKmsEcdhKeyringInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput(software.amazon.cryptography.materialproviders.internaldafny.types._ICreateAwsKmsEcdhKeyringInput value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsEcdhKeyringInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsEcdhKeyringInput)value; AWS.Cryptography.MaterialProviders.CreateAwsKmsEcdhKeyringInput converted = new AWS.Cryptography.MaterialProviders.CreateAwsKmsEcdhKeyringInput(); converted.KeyAgreementScheme = (AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M18_KeyAgreementScheme(concrete._KeyAgreementScheme); + converted.CurveSpec = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M9_curveSpec(concrete._curveSpec); + converted.KmsClient = (Amazon.KeyManagementService.IAmazonKeyManagementService)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M9_kmsClient(concrete._kmsClient); + if (concrete._grantTokens.is_Some) converted.GrantTokens = (System.Collections.Generic.List)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M11_grantTokens(concrete._grantTokens); return converted; + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._ICreateAwsKmsEcdhKeyringInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput(AWS.Cryptography.MaterialProviders.CreateAwsKmsEcdhKeyringInput value) + { + value.Validate(); + System.Collections.Generic.List var_grantTokens = value.IsSetGrantTokens() ? value.GrantTokens : (System.Collections.Generic.List)null; + return new software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsEcdhKeyringInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M18_KeyAgreementScheme(value.KeyAgreementScheme), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M9_curveSpec(value.CurveSpec), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M9_kmsClient(value.KmsClient), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M11_grantTokens(var_grantTokens)); + } public static AWS.Cryptography.MaterialProviders.CreateAwsKmsHierarchicalKeyringInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S36_CreateAwsKmsHierarchicalKeyringInput(software.amazon.cryptography.materialproviders.internaldafny.types._ICreateAwsKmsHierarchicalKeyringInput value) { software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsHierarchicalKeyringInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.CreateAwsKmsHierarchicalKeyringInput)value; AWS.Cryptography.MaterialProviders.CreateAwsKmsHierarchicalKeyringInput converted = new AWS.Cryptography.MaterialProviders.CreateAwsKmsHierarchicalKeyringInput(); if (concrete._branchKeyId.is_Some) converted.BranchKeyId = (string)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S36_CreateAwsKmsHierarchicalKeyringInput__M11_branchKeyId(concrete._branchKeyId); @@ -391,6 +404,17 @@ public static software.amazon.cryptography.materialproviders.internaldafny.types return new software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawAesKeyringInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S24_CreateRawAesKeyringInput__M12_keyNamespace(value.KeyNamespace), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S24_CreateRawAesKeyringInput__M7_keyName(value.KeyName), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S24_CreateRawAesKeyringInput__M11_wrappingKey(value.WrappingKey), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S24_CreateRawAesKeyringInput__M11_wrappingAlg(value.WrappingAlg)); } + public static AWS.Cryptography.MaterialProviders.CreateRawEcdhKeyringInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput(software.amazon.cryptography.materialproviders.internaldafny.types._ICreateRawEcdhKeyringInput value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawEcdhKeyringInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawEcdhKeyringInput)value; AWS.Cryptography.MaterialProviders.CreateRawEcdhKeyringInput converted = new AWS.Cryptography.MaterialProviders.CreateRawEcdhKeyringInput(); converted.KeyAgreementScheme = (AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput__M18_KeyAgreementScheme(concrete._KeyAgreementScheme); + converted.CurveSpec = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput__M9_curveSpec(concrete._curveSpec); return converted; + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._ICreateRawEcdhKeyringInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput(AWS.Cryptography.MaterialProviders.CreateRawEcdhKeyringInput value) + { + value.Validate(); + + return new software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawEcdhKeyringInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput__M18_KeyAgreementScheme(value.KeyAgreementScheme), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput__M9_curveSpec(value.CurveSpec)); + } public static AWS.Cryptography.MaterialProviders.CreateRawRsaKeyringInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S24_CreateRawRsaKeyringInput(software.amazon.cryptography.materialproviders.internaldafny.types._ICreateRawRsaKeyringInput value) { software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawRsaKeyringInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.CreateRawRsaKeyringInput)value; AWS.Cryptography.MaterialProviders.CreateRawRsaKeyringInput converted = new AWS.Cryptography.MaterialProviders.CreateRawRsaKeyringInput(); converted.KeyNamespace = (string)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S24_CreateRawRsaKeyringInput__M12_keyNamespace(concrete._keyNamespace); @@ -884,6 +908,51 @@ public static software.amazon.cryptography.materialproviders.internaldafny.types ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S36_InvalidEncryptionMaterialsTransition__M7_message(value.getMessage()) ); } + public static AWS.Cryptography.MaterialProviders.KeyAgreementScheme FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_KeyAgreementScheme(software.amazon.cryptography.materialproviders.internaldafny.types._IKeyAgreementScheme value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.KeyAgreementScheme concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.KeyAgreementScheme)value; + var converted = new AWS.Cryptography.MaterialProviders.KeyAgreementScheme(); if (value.is_StaticConfiguration) + { + converted.StaticConfiguration = FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_KeyAgreementScheme__M19_StaticConfiguration(concrete.dtor_StaticConfiguration); + return converted; + } + throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.KeyAgreementScheme state"); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IKeyAgreementScheme ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_KeyAgreementScheme(AWS.Cryptography.MaterialProviders.KeyAgreementScheme value) + { + value.Validate(); if (value.IsSetStaticConfiguration()) + { + return software.amazon.cryptography.materialproviders.internaldafny.types.KeyAgreementScheme.create(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_KeyAgreementScheme__M19_StaticConfiguration(value.StaticConfiguration)); + } + throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.KeyAgreementScheme state"); + } + public static AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations(software.amazon.cryptography.materialproviders.internaldafny.types._IKmsEcdhStaticConfigurations value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.KmsEcdhStaticConfigurations concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.KmsEcdhStaticConfigurations)value; + var converted = new AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations(); if (value.is_KmsPublicKeyDiscovery) + { + converted.KmsPublicKeyDiscovery = FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations__M21_KmsPublicKeyDiscovery(concrete.dtor_KmsPublicKeyDiscovery); + return converted; + } + if (value.is_KmsPrivateKeyToStaticPublicKey) + { + converted.KmsPrivateKeyToStaticPublicKey = FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations__M30_KmsPrivateKeyToStaticPublicKey(concrete.dtor_KmsPrivateKeyToStaticPublicKey); + return converted; + } + throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations state"); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IKmsEcdhStaticConfigurations ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations(AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations value) + { + value.Validate(); if (value.IsSetKmsPublicKeyDiscovery()) + { + return software.amazon.cryptography.materialproviders.internaldafny.types.KmsEcdhStaticConfigurations.create_KmsPublicKeyDiscovery(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations__M21_KmsPublicKeyDiscovery(value.KmsPublicKeyDiscovery)); + } + if (value.IsSetKmsPrivateKeyToStaticPublicKey()) + { + return software.amazon.cryptography.materialproviders.internaldafny.types.KmsEcdhStaticConfigurations.create_KmsPrivateKeyToStaticPublicKey(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations__M30_KmsPrivateKeyToStaticPublicKey(value.KmsPrivateKeyToStaticPublicKey)); + } + throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations state"); + } public static AWS.Cryptography.MaterialProviders.MaterialProvidersConfig FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_MaterialProvidersConfig(software.amazon.cryptography.materialproviders.internaldafny.types._IMaterialProvidersConfig value) { software.amazon.cryptography.materialproviders.internaldafny.types.MaterialProvidersConfig concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.MaterialProvidersConfig)value; AWS.Cryptography.MaterialProviders.MaterialProvidersConfig converted = new AWS.Cryptography.MaterialProviders.MaterialProvidersConfig(); return converted; @@ -1014,6 +1083,42 @@ public static software.amazon.cryptography.materialproviders.internaldafny.types int? var_bytesUsed = value.IsSetBytesUsed() ? value.BytesUsed : (int?)null; return new software.amazon.cryptography.materialproviders.internaldafny.types.PutCacheEntryInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_PutCacheEntryInput__M10_identifier(value.Identifier), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_PutCacheEntryInput__M9_materials(value.Materials), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_PutCacheEntryInput__M12_creationTime(value.CreationTime), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_PutCacheEntryInput__M10_expiryTime(value.ExpiryTime), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_PutCacheEntryInput__M12_messagesUsed(var_messagesUsed), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_PutCacheEntryInput__M9_bytesUsed(var_bytesUsed)); } + public static AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations(software.amazon.cryptography.materialproviders.internaldafny.types._IRawEcdhStaticConfigurations value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.RawEcdhStaticConfigurations concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.RawEcdhStaticConfigurations)value; + var converted = new AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations(); if (value.is_PublicKeyDiscovery) + { + converted.PublicKeyDiscovery = FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M18_PublicKeyDiscovery(concrete.dtor_PublicKeyDiscovery); + return converted; + } + if (value.is_RawPrivateKeyToStaticPublicKey) + { + converted.RawPrivateKeyToStaticPublicKey = FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M30_RawPrivateKeyToStaticPublicKey(concrete.dtor_RawPrivateKeyToStaticPublicKey); + return converted; + } + if (value.is_EphemeralPrivateKeyToStaticPublicKey) + { + converted.EphemeralPrivateKeyToStaticPublicKey = FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M36_EphemeralPrivateKeyToStaticPublicKey(concrete.dtor_EphemeralPrivateKeyToStaticPublicKey); + return converted; + } + throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations state"); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IRawEcdhStaticConfigurations ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations(AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations value) + { + value.Validate(); if (value.IsSetPublicKeyDiscovery()) + { + return software.amazon.cryptography.materialproviders.internaldafny.types.RawEcdhStaticConfigurations.create_PublicKeyDiscovery(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M18_PublicKeyDiscovery(value.PublicKeyDiscovery)); + } + if (value.IsSetRawPrivateKeyToStaticPublicKey()) + { + return software.amazon.cryptography.materialproviders.internaldafny.types.RawEcdhStaticConfigurations.create_RawPrivateKeyToStaticPublicKey(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M30_RawPrivateKeyToStaticPublicKey(value.RawPrivateKeyToStaticPublicKey)); + } + if (value.IsSetEphemeralPrivateKeyToStaticPublicKey()) + { + return software.amazon.cryptography.materialproviders.internaldafny.types.RawEcdhStaticConfigurations.create_EphemeralPrivateKeyToStaticPublicKey(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M36_EphemeralPrivateKeyToStaticPublicKey(value.EphemeralPrivateKeyToStaticPublicKey)); + } + throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations state"); + } public static AWS.Cryptography.MaterialProviders.SignatureAlgorithm FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_SignatureAlgorithm(software.amazon.cryptography.materialproviders.internaldafny.types._ISignatureAlgorithm value) { software.amazon.cryptography.materialproviders.internaldafny.types.SignatureAlgorithm concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.SignatureAlgorithm)value; @@ -1041,6 +1146,33 @@ public static software.amazon.cryptography.materialproviders.internaldafny.types } throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.SignatureAlgorithm state"); } + public static AWS.Cryptography.MaterialProviders.StaticConfigurations FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations(software.amazon.cryptography.materialproviders.internaldafny.types._IStaticConfigurations value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.StaticConfigurations concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.StaticConfigurations)value; + var converted = new AWS.Cryptography.MaterialProviders.StaticConfigurations(); if (value.is_AWS__KMS__ECDH) + { + converted.AWS__KMS__ECDH = FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations__M12_AWS_KMS_ECDH(concrete.dtor_AWS__KMS__ECDH); + return converted; + } + if (value.is_RAW__ECDH) + { + converted.RAW__ECDH = FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations__M8_RAW_ECDH(concrete.dtor_RAW__ECDH); + return converted; + } + throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.StaticConfigurations state"); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IStaticConfigurations ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations(AWS.Cryptography.MaterialProviders.StaticConfigurations value) + { + value.Validate(); if (value.IsSetAWS__KMS__ECDH()) + { + return software.amazon.cryptography.materialproviders.internaldafny.types.StaticConfigurations.create_AWS__KMS__ECDH(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations__M12_AWS_KMS_ECDH(value.AWS__KMS__ECDH)); + } + if (value.IsSetRAW__ECDH()) + { + return software.amazon.cryptography.materialproviders.internaldafny.types.StaticConfigurations.create_RAW__ECDH(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations__M8_RAW_ECDH(value.RAW__ECDH)); + } + throw new System.ArgumentException("Invalid AWS.Cryptography.MaterialProviders.StaticConfigurations state"); + } public static AWS.Cryptography.MaterialProviders.SymmetricSignatureAlgorithm FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_SymmetricSignatureAlgorithm(software.amazon.cryptography.materialproviders.internaldafny.types._ISymmetricSignatureAlgorithm value) { software.amazon.cryptography.materialproviders.internaldafny.types.SymmetricSignatureAlgorithm concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.SymmetricSignatureAlgorithm)value; @@ -1331,6 +1463,38 @@ public static System.Collections.Generic.List FromDafny_N3_aws__N12_cryp { return value == null ? Wrappers_Compile.Option>>.create_None() : Wrappers_Compile.Option>>.create_Some(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S14_GrantTokenList((System.Collections.Generic.List)value)); } + public static AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M18_KeyAgreementScheme(software.amazon.cryptography.materialproviders.internaldafny.types._IKmsEcdhStaticConfigurations value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IKmsEcdhStaticConfigurations ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M18_KeyAgreementScheme(AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations(value); + } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M9_curveSpec(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M9_curveSpec(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static Amazon.KeyManagementService.IAmazonKeyManagementService FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M9_kmsClient(software.amazon.cryptography.services.kms.internaldafny.types.IKMSClient value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_KmsClientReference(value); + } + public static software.amazon.cryptography.services.kms.internaldafny.types.IKMSClient ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M9_kmsClient(Amazon.KeyManagementService.IAmazonKeyManagementService value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_KmsClientReference(value); + } + public static System.Collections.Generic.List FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M11_grantTokens(Wrappers_Compile._IOption>> value) + { + return value.is_None ? (System.Collections.Generic.List)null : FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S14_GrantTokenList(value.Extract()); + } + public static Wrappers_Compile._IOption>> ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_CreateAwsKmsEcdhKeyringInput__M11_grantTokens(System.Collections.Generic.List value) + { + return value == null ? Wrappers_Compile.Option>>.create_None() : Wrappers_Compile.Option>>.create_Some(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S14_GrantTokenList((System.Collections.Generic.List)value)); + } public static string FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S36_CreateAwsKmsHierarchicalKeyringInput__M11_branchKeyId(Wrappers_Compile._IOption> value) { return value.is_None ? (string)null : FromDafny_N6_smithy__N3_api__S6_String(value.Extract()); @@ -1683,6 +1847,22 @@ public static software.amazon.cryptography.materialproviders.internaldafny.types { return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S14_AesWrappingAlg(value); } + public static AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput__M18_KeyAgreementScheme(software.amazon.cryptography.materialproviders.internaldafny.types._IRawEcdhStaticConfigurations value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IRawEcdhStaticConfigurations ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput__M18_KeyAgreementScheme(AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations(value); + } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput__M9_curveSpec(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S25_CreateRawEcdhKeyringInput__M9_curveSpec(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } public static string FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S24_CreateRawRsaKeyringInput__M12_keyNamespace(Dafny.ISequence value) { return FromDafny_N6_smithy__N3_api__S6_String(value); @@ -2243,6 +2423,30 @@ public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materi { return ToDafny_N6_smithy__N3_api__S6_String(value); } + public static AWS.Cryptography.MaterialProviders.StaticConfigurations FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_KeyAgreementScheme__M19_StaticConfiguration(software.amazon.cryptography.materialproviders.internaldafny.types._IStaticConfigurations value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IStaticConfigurations ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_KeyAgreementScheme__M19_StaticConfiguration(AWS.Cryptography.MaterialProviders.StaticConfigurations value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations(value); + } + public static AWS.Cryptography.MaterialProviders.KmsPublicKeyDiscoveryInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations__M21_KmsPublicKeyDiscovery(software.amazon.cryptography.materialproviders.internaldafny.types._IKmsPublicKeyDiscoveryInput value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S26_KmsPublicKeyDiscoveryInput(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IKmsPublicKeyDiscoveryInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations__M21_KmsPublicKeyDiscovery(AWS.Cryptography.MaterialProviders.KmsPublicKeyDiscoveryInput value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S26_KmsPublicKeyDiscoveryInput(value); + } + public static AWS.Cryptography.MaterialProviders.KmsPrivateKeyToStaticPublicKeyInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations__M30_KmsPrivateKeyToStaticPublicKey(software.amazon.cryptography.materialproviders.internaldafny.types._IKmsPrivateKeyToStaticPublicKeyInput value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IKmsPrivateKeyToStaticPublicKeyInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations__M30_KmsPrivateKeyToStaticPublicKey(AWS.Cryptography.MaterialProviders.KmsPrivateKeyToStaticPublicKeyInput value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput(value); + } public static AWS.Cryptography.MaterialProviders.EncryptionMaterials FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S9_Materials__M10_Encryption(software.amazon.cryptography.materialproviders.internaldafny.types._IEncryptionMaterials value) { return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S19_EncryptionMaterials(value); @@ -2363,6 +2567,30 @@ public static Wrappers_Compile._IOption ToDafny_N3_aws__N12_cryptography__N { return value == null ? Wrappers_Compile.Option.create_None() : Wrappers_Compile.Option.create_Some(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S15_PositiveInteger((int)value)); } + public static AWS.Cryptography.MaterialProviders.PublicKeyDiscoveryInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M18_PublicKeyDiscovery(software.amazon.cryptography.materialproviders.internaldafny.types._IPublicKeyDiscoveryInput value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_PublicKeyDiscoveryInput(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IPublicKeyDiscoveryInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M18_PublicKeyDiscovery(AWS.Cryptography.MaterialProviders.PublicKeyDiscoveryInput value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_PublicKeyDiscoveryInput(value); + } + public static AWS.Cryptography.MaterialProviders.RawPrivateKeyToStaticPublicKeyInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M30_RawPrivateKeyToStaticPublicKey(software.amazon.cryptography.materialproviders.internaldafny.types._IRawPrivateKeyToStaticPublicKeyInput value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IRawPrivateKeyToStaticPublicKeyInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M30_RawPrivateKeyToStaticPublicKey(AWS.Cryptography.MaterialProviders.RawPrivateKeyToStaticPublicKeyInput value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput(value); + } + public static AWS.Cryptography.MaterialProviders.EphemeralPrivateKeyToStaticPublicKeyInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M36_EphemeralPrivateKeyToStaticPublicKey(software.amazon.cryptography.materialproviders.internaldafny.types._IEphemeralPrivateKeyToStaticPublicKeyInput value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S41_EphemeralPrivateKeyToStaticPublicKeyInput(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IEphemeralPrivateKeyToStaticPublicKeyInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations__M36_EphemeralPrivateKeyToStaticPublicKey(AWS.Cryptography.MaterialProviders.EphemeralPrivateKeyToStaticPublicKeyInput value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S41_EphemeralPrivateKeyToStaticPublicKeyInput(value); + } public static AWS.Cryptography.MaterialProviders.ECDSA FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S18_SignatureAlgorithm__M5_ECDSA(software.amazon.cryptography.materialproviders.internaldafny.types._IECDSA value) { return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S5_ECDSA(value); @@ -2379,6 +2607,22 @@ public static software.amazon.cryptography.materialproviders.internaldafny.types { return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S4_None(value); } + public static AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations__M12_AWS_KMS_ECDH(software.amazon.cryptography.materialproviders.internaldafny.types._IKmsEcdhStaticConfigurations value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IKmsEcdhStaticConfigurations ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations__M12_AWS_KMS_ECDH(AWS.Cryptography.MaterialProviders.KmsEcdhStaticConfigurations value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_KmsEcdhStaticConfigurations(value); + } + public static AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations__M8_RAW_ECDH(software.amazon.cryptography.materialproviders.internaldafny.types._IRawEcdhStaticConfigurations value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations(value); + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IRawEcdhStaticConfigurations ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S20_StaticConfigurations__M8_RAW_ECDH(AWS.Cryptography.MaterialProviders.RawEcdhStaticConfigurations value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_RawEcdhStaticConfigurations(value); + } public static AWS.Cryptography.Primitives.DigestAlgorithm FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S27_SymmetricSignatureAlgorithm__M4_HMAC(software.amazon.cryptography.primitives.internaldafny.types._IDigestAlgorithm value) { return FromDafny_N3_aws__N12_cryptography__N10_primitives__S15_DigestAlgorithm(value); @@ -2618,6 +2862,22 @@ public static software.amazon.cryptography.materialproviders.internaldafny.types "Custom implementations of ClientSupplier must extend ClientSupplierBase."); } } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + if (value.is_ECC__NIST__P256) return AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P256; + if (value.is_ECC__NIST__P384) return AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P384; + if (value.is_ECC__NIST__P521) return AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P521; + if (value.is_SM2) return AWS.Cryptography.Primitives.ECDHCurveSpec.SM2; + throw new System.ArgumentException("Invalid AWS.Cryptography.Primitives.ECDHCurveSpec value"); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + if (AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P256.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec.create_ECC__NIST__P256(); + if (AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P384.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec.create_ECC__NIST__P384(); + if (AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P521.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec.create_ECC__NIST__P521(); + if (AWS.Cryptography.Primitives.ECDHCurveSpec.SM2.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec.create_SM2(); + throw new System.ArgumentException("Invalid AWS.Cryptography.Primitives.ECDHCurveSpec value"); + } public static AWS.Cryptography.MaterialProviders.IBranchKeyIdSupplier FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S28_BranchKeyIdSupplierReference(software.amazon.cryptography.materialproviders.internaldafny.types.IBranchKeyIdSupplier value) { if (value is NativeWrapper_BranchKeyIdSupplier nativeWrapper) return nativeWrapper._impl; @@ -2894,6 +3154,28 @@ public static int ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S15_P { return value; } + public static AWS.Cryptography.MaterialProviders.KmsPublicKeyDiscoveryInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S26_KmsPublicKeyDiscoveryInput(software.amazon.cryptography.materialproviders.internaldafny.types._IKmsPublicKeyDiscoveryInput value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.KmsPublicKeyDiscoveryInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.KmsPublicKeyDiscoveryInput)value; AWS.Cryptography.MaterialProviders.KmsPublicKeyDiscoveryInput converted = new AWS.Cryptography.MaterialProviders.KmsPublicKeyDiscoveryInput(); converted.RecipientKmsIdentifier = (string)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S26_KmsPublicKeyDiscoveryInput__M22_recipientKmsIdentifier(concrete._recipientKmsIdentifier); return converted; + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IKmsPublicKeyDiscoveryInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S26_KmsPublicKeyDiscoveryInput(AWS.Cryptography.MaterialProviders.KmsPublicKeyDiscoveryInput value) + { + value.Validate(); + + return new software.amazon.cryptography.materialproviders.internaldafny.types.KmsPublicKeyDiscoveryInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S26_KmsPublicKeyDiscoveryInput__M22_recipientKmsIdentifier(value.RecipientKmsIdentifier)); + } + public static AWS.Cryptography.MaterialProviders.KmsPrivateKeyToStaticPublicKeyInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput(software.amazon.cryptography.materialproviders.internaldafny.types._IKmsPrivateKeyToStaticPublicKeyInput value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.KmsPrivateKeyToStaticPublicKeyInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.KmsPrivateKeyToStaticPublicKeyInput)value; AWS.Cryptography.MaterialProviders.KmsPrivateKeyToStaticPublicKeyInput converted = new AWS.Cryptography.MaterialProviders.KmsPrivateKeyToStaticPublicKeyInput(); converted.SenderKmsIdentifier = (string)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M19_senderKmsIdentifier(concrete._senderKmsIdentifier); + if (concrete._senderPublicKey.is_Some) converted.SenderPublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M15_senderPublicKey(concrete._senderPublicKey); + converted.RecipientPublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(concrete._recipientPublicKey); return converted; + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IKmsPrivateKeyToStaticPublicKeyInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput(AWS.Cryptography.MaterialProviders.KmsPrivateKeyToStaticPublicKeyInput value) + { + value.Validate(); + System.IO.MemoryStream var_senderPublicKey = value.IsSetSenderPublicKey() ? value.SenderPublicKey : (System.IO.MemoryStream)null; + return new software.amazon.cryptography.materialproviders.internaldafny.types.KmsPrivateKeyToStaticPublicKeyInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M19_senderKmsIdentifier(value.SenderKmsIdentifier), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M15_senderPublicKey(var_senderPublicKey), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(value.RecipientPublicKey)); + } public static AWS.Cryptography.KeyStore.BranchKeyMaterials FromDafny_N3_aws__N12_cryptography__N8_keyStore__S18_BranchKeyMaterials(software.amazon.cryptography.keystore.internaldafny.types._IBranchKeyMaterials value) { software.amazon.cryptography.keystore.internaldafny.types.BranchKeyMaterials concrete = (software.amazon.cryptography.keystore.internaldafny.types.BranchKeyMaterials)value; AWS.Cryptography.KeyStore.BranchKeyMaterials converted = new AWS.Cryptography.KeyStore.BranchKeyMaterials(); converted.BranchKeyIdentifier = (string)FromDafny_N3_aws__N12_cryptography__N8_keyStore__S18_BranchKeyMaterials__M19_branchKeyIdentifier(concrete._branchKeyIdentifier); @@ -2921,6 +3203,37 @@ public static software.amazon.cryptography.keystore.internaldafny.types._IBeacon System.Collections.Generic.Dictionary var_hmacKeys = value.IsSetHmacKeys() ? value.HmacKeys : (System.Collections.Generic.Dictionary)null; return new software.amazon.cryptography.keystore.internaldafny.types.BeaconKeyMaterials(ToDafny_N3_aws__N12_cryptography__N8_keyStore__S18_BeaconKeyMaterials__M19_beaconKeyIdentifier(value.BeaconKeyIdentifier), ToDafny_N3_aws__N12_cryptography__N8_keyStore__S18_BeaconKeyMaterials__M17_encryptionContext(value.EncryptionContext), ToDafny_N3_aws__N12_cryptography__N8_keyStore__S18_BeaconKeyMaterials__M9_beaconKey(var_beaconKey), ToDafny_N3_aws__N12_cryptography__N8_keyStore__S18_BeaconKeyMaterials__M8_hmacKeys(var_hmacKeys)); } + public static AWS.Cryptography.MaterialProviders.PublicKeyDiscoveryInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_PublicKeyDiscoveryInput(software.amazon.cryptography.materialproviders.internaldafny.types._IPublicKeyDiscoveryInput value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.PublicKeyDiscoveryInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.PublicKeyDiscoveryInput)value; AWS.Cryptography.MaterialProviders.PublicKeyDiscoveryInput converted = new AWS.Cryptography.MaterialProviders.PublicKeyDiscoveryInput(); converted.RecipientStaticPrivateKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_PublicKeyDiscoveryInput__M25_recipientStaticPrivateKey(concrete._recipientStaticPrivateKey); return converted; + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IPublicKeyDiscoveryInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_PublicKeyDiscoveryInput(AWS.Cryptography.MaterialProviders.PublicKeyDiscoveryInput value) + { + value.Validate(); + + return new software.amazon.cryptography.materialproviders.internaldafny.types.PublicKeyDiscoveryInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_PublicKeyDiscoveryInput__M25_recipientStaticPrivateKey(value.RecipientStaticPrivateKey)); + } + public static AWS.Cryptography.MaterialProviders.RawPrivateKeyToStaticPublicKeyInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput(software.amazon.cryptography.materialproviders.internaldafny.types._IRawPrivateKeyToStaticPublicKeyInput value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.RawPrivateKeyToStaticPublicKeyInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.RawPrivateKeyToStaticPublicKeyInput)value; AWS.Cryptography.MaterialProviders.RawPrivateKeyToStaticPublicKeyInput converted = new AWS.Cryptography.MaterialProviders.RawPrivateKeyToStaticPublicKeyInput(); converted.SenderStaticPrivateKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput__M22_senderStaticPrivateKey(concrete._senderStaticPrivateKey); + converted.RecipientPublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(concrete._recipientPublicKey); return converted; + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IRawPrivateKeyToStaticPublicKeyInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput(AWS.Cryptography.MaterialProviders.RawPrivateKeyToStaticPublicKeyInput value) + { + value.Validate(); + + return new software.amazon.cryptography.materialproviders.internaldafny.types.RawPrivateKeyToStaticPublicKeyInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput__M22_senderStaticPrivateKey(value.SenderStaticPrivateKey), ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(value.RecipientPublicKey)); + } + public static AWS.Cryptography.MaterialProviders.EphemeralPrivateKeyToStaticPublicKeyInput FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S41_EphemeralPrivateKeyToStaticPublicKeyInput(software.amazon.cryptography.materialproviders.internaldafny.types._IEphemeralPrivateKeyToStaticPublicKeyInput value) + { + software.amazon.cryptography.materialproviders.internaldafny.types.EphemeralPrivateKeyToStaticPublicKeyInput concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.EphemeralPrivateKeyToStaticPublicKeyInput)value; AWS.Cryptography.MaterialProviders.EphemeralPrivateKeyToStaticPublicKeyInput converted = new AWS.Cryptography.MaterialProviders.EphemeralPrivateKeyToStaticPublicKeyInput(); converted.RecipientPublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S41_EphemeralPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(concrete._recipientPublicKey); return converted; + } + public static software.amazon.cryptography.materialproviders.internaldafny.types._IEphemeralPrivateKeyToStaticPublicKeyInput ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S41_EphemeralPrivateKeyToStaticPublicKeyInput(AWS.Cryptography.MaterialProviders.EphemeralPrivateKeyToStaticPublicKeyInput value) + { + value.Validate(); + + return new software.amazon.cryptography.materialproviders.internaldafny.types.EphemeralPrivateKeyToStaticPublicKeyInput(ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S41_EphemeralPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(value.RecipientPublicKey)); + } public static AWS.Cryptography.MaterialProviders.ECDSA FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S5_ECDSA(software.amazon.cryptography.materialproviders.internaldafny.types._IECDSA value) { software.amazon.cryptography.materialproviders.internaldafny.types.ECDSA concrete = (software.amazon.cryptography.materialproviders.internaldafny.types.ECDSA)value; AWS.Cryptography.MaterialProviders.ECDSA converted = new AWS.Cryptography.MaterialProviders.ECDSA(); converted.Curve = (AWS.Cryptography.Primitives.ECDSASignatureAlgorithm)FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S5_ECDSA__M5_curve(concrete._curve); return converted; @@ -3209,6 +3522,38 @@ public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materi { return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S6_Secret(value); } + public static string FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S26_KmsPublicKeyDiscoveryInput__M22_recipientKmsIdentifier(Dafny.ISequence value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S8_KmsKeyId(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S26_KmsPublicKeyDiscoveryInput__M22_recipientKmsIdentifier(string value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S8_KmsKeyId(value); + } + public static string FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M19_senderKmsIdentifier(Dafny.ISequence value) + { + return FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S8_KmsKeyId(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M19_senderKmsIdentifier(string value) + { + return ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S8_KmsKeyId(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M15_senderPublicKey(Wrappers_Compile._IOption> value) + { + return value.is_None ? (System.IO.MemoryStream)null : FromDafny_N6_smithy__N3_api__S4_Blob(value.Extract()); + } + public static Wrappers_Compile._IOption> ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M15_senderPublicKey(System.IO.MemoryStream value) + { + return value == null ? Wrappers_Compile.Option>.create_None() : Wrappers_Compile.Option>.create_Some(ToDafny_N6_smithy__N3_api__S4_Blob((System.IO.MemoryStream)value)); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_KmsPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } public static string FromDafny_N3_aws__N12_cryptography__N8_keyStore__S18_BranchKeyMaterials__M19_branchKeyIdentifier(Dafny.ISequence value) { return FromDafny_N6_smithy__N3_api__S6_String(value); @@ -3273,6 +3618,38 @@ public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N8_keyS { return value == null ? Wrappers_Compile.Option, Dafny.ISequence>>.create_None() : Wrappers_Compile.Option, Dafny.ISequence>>.create_Some(ToDafny_N3_aws__N12_cryptography__N8_keyStore__S10_HmacKeyMap((System.Collections.Generic.Dictionary)value)); } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_PublicKeyDiscoveryInput__M25_recipientStaticPrivateKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S23_PublicKeyDiscoveryInput__M25_recipientStaticPrivateKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput__M22_senderStaticPrivateKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput__M22_senderStaticPrivateKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S35_RawPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S41_EphemeralPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N17_materialProviders__S41_EphemeralPrivateKeyToStaticPublicKeyInput__M18_recipientPublicKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } public static AWS.Cryptography.Primitives.ECDSASignatureAlgorithm FromDafny_N3_aws__N12_cryptography__N17_materialProviders__S5_ECDSA__M5_curve(software.amazon.cryptography.primitives.internaldafny.types._IECDSASignatureAlgorithm value) { return FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_ECDSASignatureAlgorithm(value); diff --git a/AwsCryptographicMaterialProviders/runtimes/net/MPL.csproj b/AwsCryptographicMaterialProviders/runtimes/net/MPL.csproj index 0e82f21fd..237f7670b 100644 --- a/AwsCryptographicMaterialProviders/runtimes/net/MPL.csproj +++ b/AwsCryptographicMaterialProviders/runtimes/net/MPL.csproj @@ -56,7 +56,6 @@ - diff --git a/AwsCryptographyPrimitives/Model/AwsCryptographyPrimitivesTypes.dfy b/AwsCryptographyPrimitives/Model/AwsCryptographyPrimitivesTypes.dfy index 609673e3e..35ad66284 100644 --- a/AwsCryptographyPrimitives/Model/AwsCryptographyPrimitivesTypes.dfy +++ b/AwsCryptographyPrimitives/Model/AwsCryptographyPrimitivesTypes.dfy @@ -64,6 +64,13 @@ module {:extern "software.amazon.cryptography.primitives.internaldafny.types" } GenerateECDSASignatureKey := []; ECDSASign := []; ECDSAVerify := []; + GenerateECCKeyPair := []; + GetPublicKeyFromPrivateKey := []; + ValidatePublicKey := []; + DeriveSharedSecret := []; + CompressPublicKey := []; + DecompressPublicKey := []; + ParsePublicKey := []; } ghost var GenerateRandomBytes: seq, Error>>> ghost var Digest: seq, Error>>> @@ -82,6 +89,13 @@ module {:extern "software.amazon.cryptography.primitives.internaldafny.types" } ghost var GenerateECDSASignatureKey: seq>> ghost var ECDSASign: seq, Error>>> ghost var ECDSAVerify: seq>> + ghost var GenerateECCKeyPair: seq>> + ghost var GetPublicKeyFromPrivateKey: seq>> + ghost var ValidatePublicKey: seq>> + ghost var DeriveSharedSecret: seq>> + ghost var CompressPublicKey: seq>> + ghost var DecompressPublicKey: seq>> + ghost var ParsePublicKey: seq>> } trait {:termination false} IAwsCryptographicPrimitivesClient { @@ -347,10 +361,137 @@ module {:extern "software.amazon.cryptography.primitives.internaldafny.types" } ensures ECDSAVerifyEnsuresPublicly(input, output) ensures History.ECDSAVerify == old(History.ECDSAVerify) + [DafnyCallEvent(input, output)] + predicate GenerateECCKeyPairEnsuresPublicly(input: GenerateECCKeyPairInput , output: Result) + // The public method to be called by library consumers + method GenerateECCKeyPair ( input: GenerateECCKeyPairInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GenerateECCKeyPair + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures GenerateECCKeyPairEnsuresPublicly(input, output) + ensures History.GenerateECCKeyPair == old(History.GenerateECCKeyPair) + [DafnyCallEvent(input, output)] + + predicate GetPublicKeyFromPrivateKeyEnsuresPublicly(input: GetPublicKeyFromPrivateKeyInput , output: Result) + // The public method to be called by library consumers + method GetPublicKeyFromPrivateKey ( input: GetPublicKeyFromPrivateKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GetPublicKeyFromPrivateKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures GetPublicKeyFromPrivateKeyEnsuresPublicly(input, output) + ensures History.GetPublicKeyFromPrivateKey == old(History.GetPublicKeyFromPrivateKey) + [DafnyCallEvent(input, output)] + + predicate ValidatePublicKeyEnsuresPublicly(input: ValidatePublicKeyInput , output: Result) + // The public method to be called by library consumers + method ValidatePublicKey ( input: ValidatePublicKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ValidatePublicKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ValidatePublicKeyEnsuresPublicly(input, output) + ensures History.ValidatePublicKey == old(History.ValidatePublicKey) + [DafnyCallEvent(input, output)] + + predicate DeriveSharedSecretEnsuresPublicly(input: DeriveSharedSecretInput , output: Result) + // The public method to be called by library consumers + method DeriveSharedSecret ( input: DeriveSharedSecretInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DeriveSharedSecret + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures DeriveSharedSecretEnsuresPublicly(input, output) + ensures History.DeriveSharedSecret == old(History.DeriveSharedSecret) + [DafnyCallEvent(input, output)] + + predicate CompressPublicKeyEnsuresPublicly(input: CompressPublicKeyInput , output: Result) + // The public method to be called by library consumers + method CompressPublicKey ( input: CompressPublicKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`CompressPublicKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures CompressPublicKeyEnsuresPublicly(input, output) + ensures History.CompressPublicKey == old(History.CompressPublicKey) + [DafnyCallEvent(input, output)] + + predicate DecompressPublicKeyEnsuresPublicly(input: DecompressPublicKeyInput , output: Result) + // The public method to be called by library consumers + method DecompressPublicKey ( input: DecompressPublicKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DecompressPublicKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures DecompressPublicKeyEnsuresPublicly(input, output) + ensures History.DecompressPublicKey == old(History.DecompressPublicKey) + [DafnyCallEvent(input, output)] + + predicate ParsePublicKeyEnsuresPublicly(input: ParsePublicKeyInput , output: Result) + // The public method to be called by library consumers + method ParsePublicKey ( input: ParsePublicKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ParsePublicKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ParsePublicKeyEnsuresPublicly(input, output) + ensures History.ParsePublicKey == old(History.ParsePublicKey) + [DafnyCallEvent(input, output)] + } + datatype CompressPublicKeyInput = | CompressPublicKeyInput ( + nameonly publicKey: ECCPublicKey , + nameonly eccCurve: ECDHCurveSpec + ) + datatype CompressPublicKeyOutput = | CompressPublicKeyOutput ( + nameonly compressedPublicKey: seq + ) datatype CryptoConfig = | CryptoConfig ( ) + datatype DecompressPublicKeyInput = | DecompressPublicKeyInput ( + nameonly compressedPublicKey: seq , + nameonly eccCurve: ECDHCurveSpec + ) + datatype DecompressPublicKeyOutput = | DecompressPublicKeyOutput ( + nameonly publicKey: ECCPublicKey + ) + datatype DeriveSharedSecretInput = | DeriveSharedSecretInput ( + nameonly eccCurve: ECDHCurveSpec , + nameonly privateKey: ECCPrivateKey , + nameonly publicKey: ECCPublicKey + ) + datatype DeriveSharedSecretOutput = | DeriveSharedSecretOutput ( + nameonly sharedSecret: seq + ) datatype DigestAlgorithm = | SHA_512 | SHA_384 @@ -359,6 +500,17 @@ module {:extern "software.amazon.cryptography.primitives.internaldafny.types" } nameonly digestAlgorithm: DigestAlgorithm , nameonly message: seq ) + datatype ECCPrivateKey = | ECCPrivateKey ( + nameonly pem: seq + ) + datatype ECCPublicKey = | ECCPublicKey ( + nameonly der: seq + ) + datatype ECDHCurveSpec = + | ECC_NIST_P256 + | ECC_NIST_P384 + | ECC_NIST_P521 + | SM2 datatype ECDSASignatureAlgorithm = | ECDSA_P384 | ECDSA_P256 @@ -373,6 +525,14 @@ module {:extern "software.amazon.cryptography.primitives.internaldafny.types" } nameonly message: seq , nameonly signature: seq ) + datatype GenerateECCKeyPairInput = | GenerateECCKeyPairInput ( + nameonly eccCurve: ECDHCurveSpec + ) + datatype GenerateECCKeyPairOutput = | GenerateECCKeyPairOutput ( + nameonly eccCurve: ECDHCurveSpec , + nameonly privateKey: ECCPrivateKey , + nameonly publicKey: ECCPublicKey + ) datatype GenerateECDSASignatureKeyInput = | GenerateECDSASignatureKeyInput ( nameonly signatureAlgorithm: ECDSASignatureAlgorithm ) @@ -391,6 +551,15 @@ module {:extern "software.amazon.cryptography.primitives.internaldafny.types" } nameonly publicKey: RSAPublicKey , nameonly privateKey: RSAPrivateKey ) + datatype GetPublicKeyFromPrivateKeyInput = | GetPublicKeyFromPrivateKeyInput ( + nameonly eccCurve: ECDHCurveSpec , + nameonly privateKey: ECCPrivateKey + ) + datatype GetPublicKeyFromPrivateKeyOutput = | GetPublicKeyFromPrivateKeyOutput ( + nameonly eccCurve: ECDHCurveSpec , + nameonly privateKey: ECCPrivateKey , + nameonly publicKey: seq + ) datatype GetRSAKeyModulusLengthInput = | GetRSAKeyModulusLengthInput ( nameonly publicKey: seq ) @@ -427,6 +596,12 @@ module {:extern "software.amazon.cryptography.primitives.internaldafny.types" } nameonly purpose: Option> := Option.None , nameonly nonce: Option> := Option.None ) + datatype ParsePublicKeyInput = | ParsePublicKeyInput ( + nameonly publicKey: seq + ) + datatype ParsePublicKeyOutput = | ParsePublicKeyOutput ( + nameonly publicKey: ECCPublicKey + ) type PositiveInteger = x: int32 | IsValid_PositiveInteger(x) witness * predicate method IsValid_PositiveInteger(x: int32) { ( 0 <= x ) @@ -475,6 +650,13 @@ module {:extern "software.amazon.cryptography.primitives.internaldafny.types" } predicate method IsValid_Uint8Bytes(x: int32) { ( 0 <= x <= 32 ) } + datatype ValidatePublicKeyInput = | ValidatePublicKeyInput ( + nameonly eccCurve: ECDHCurveSpec , + nameonly publicKey: seq + ) + datatype ValidatePublicKeyOutput = | ValidatePublicKeyOutput ( + nameonly success: bool + ) datatype Error = // Local Error structures are listed here | AwsCryptographicPrimitivesError ( @@ -865,6 +1047,146 @@ abstract module AbstractAwsCryptographyPrimitivesService History.ECDSAVerify := History.ECDSAVerify + [DafnyCallEvent(input, output)]; } + predicate GenerateECCKeyPairEnsuresPublicly(input: GenerateECCKeyPairInput , output: Result) + {Operations.GenerateECCKeyPairEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method GenerateECCKeyPair ( input: GenerateECCKeyPairInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GenerateECCKeyPair + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures GenerateECCKeyPairEnsuresPublicly(input, output) + ensures History.GenerateECCKeyPair == old(History.GenerateECCKeyPair) + [DafnyCallEvent(input, output)] + { + output := Operations.GenerateECCKeyPair(config, input); + History.GenerateECCKeyPair := History.GenerateECCKeyPair + [DafnyCallEvent(input, output)]; + } + + predicate GetPublicKeyFromPrivateKeyEnsuresPublicly(input: GetPublicKeyFromPrivateKeyInput , output: Result) + {Operations.GetPublicKeyFromPrivateKeyEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method GetPublicKeyFromPrivateKey ( input: GetPublicKeyFromPrivateKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GetPublicKeyFromPrivateKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures GetPublicKeyFromPrivateKeyEnsuresPublicly(input, output) + ensures History.GetPublicKeyFromPrivateKey == old(History.GetPublicKeyFromPrivateKey) + [DafnyCallEvent(input, output)] + { + output := Operations.GetPublicKeyFromPrivateKey(config, input); + History.GetPublicKeyFromPrivateKey := History.GetPublicKeyFromPrivateKey + [DafnyCallEvent(input, output)]; + } + + predicate ValidatePublicKeyEnsuresPublicly(input: ValidatePublicKeyInput , output: Result) + {Operations.ValidatePublicKeyEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ValidatePublicKey ( input: ValidatePublicKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ValidatePublicKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ValidatePublicKeyEnsuresPublicly(input, output) + ensures History.ValidatePublicKey == old(History.ValidatePublicKey) + [DafnyCallEvent(input, output)] + { + output := Operations.ValidatePublicKey(config, input); + History.ValidatePublicKey := History.ValidatePublicKey + [DafnyCallEvent(input, output)]; + } + + predicate DeriveSharedSecretEnsuresPublicly(input: DeriveSharedSecretInput , output: Result) + {Operations.DeriveSharedSecretEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method DeriveSharedSecret ( input: DeriveSharedSecretInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DeriveSharedSecret + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures DeriveSharedSecretEnsuresPublicly(input, output) + ensures History.DeriveSharedSecret == old(History.DeriveSharedSecret) + [DafnyCallEvent(input, output)] + { + output := Operations.DeriveSharedSecret(config, input); + History.DeriveSharedSecret := History.DeriveSharedSecret + [DafnyCallEvent(input, output)]; + } + + predicate CompressPublicKeyEnsuresPublicly(input: CompressPublicKeyInput , output: Result) + {Operations.CompressPublicKeyEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method CompressPublicKey ( input: CompressPublicKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`CompressPublicKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures CompressPublicKeyEnsuresPublicly(input, output) + ensures History.CompressPublicKey == old(History.CompressPublicKey) + [DafnyCallEvent(input, output)] + { + output := Operations.CompressPublicKey(config, input); + History.CompressPublicKey := History.CompressPublicKey + [DafnyCallEvent(input, output)]; + } + + predicate DecompressPublicKeyEnsuresPublicly(input: DecompressPublicKeyInput , output: Result) + {Operations.DecompressPublicKeyEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method DecompressPublicKey ( input: DecompressPublicKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DecompressPublicKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures DecompressPublicKeyEnsuresPublicly(input, output) + ensures History.DecompressPublicKey == old(History.DecompressPublicKey) + [DafnyCallEvent(input, output)] + { + output := Operations.DecompressPublicKey(config, input); + History.DecompressPublicKey := History.DecompressPublicKey + [DafnyCallEvent(input, output)]; + } + + predicate ParsePublicKeyEnsuresPublicly(input: ParsePublicKeyInput , output: Result) + {Operations.ParsePublicKeyEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ParsePublicKey ( input: ParsePublicKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ParsePublicKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ParsePublicKeyEnsuresPublicly(input, output) + ensures History.ParsePublicKey == old(History.ParsePublicKey) + [DafnyCallEvent(input, output)] + { + output := Operations.ParsePublicKey(config, input); + History.ParsePublicKey := History.ParsePublicKey + [DafnyCallEvent(input, output)]; + } + } } abstract module AbstractAwsCryptographyPrimitivesOperations { @@ -1131,4 +1453,116 @@ abstract module AbstractAwsCryptographyPrimitivesOperations { ensures && ValidInternalConfig?(config) ensures ECDSAVerifyEnsuresPublicly(input, output) + + + predicate GenerateECCKeyPairEnsuresPublicly(input: GenerateECCKeyPairInput , output: Result) + // The private method to be refined by the library developer + + + method GenerateECCKeyPair ( config: InternalConfig , input: GenerateECCKeyPairInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures GenerateECCKeyPairEnsuresPublicly(input, output) + + + predicate GetPublicKeyFromPrivateKeyEnsuresPublicly(input: GetPublicKeyFromPrivateKeyInput , output: Result) + // The private method to be refined by the library developer + + + method GetPublicKeyFromPrivateKey ( config: InternalConfig , input: GetPublicKeyFromPrivateKeyInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures GetPublicKeyFromPrivateKeyEnsuresPublicly(input, output) + + + predicate ValidatePublicKeyEnsuresPublicly(input: ValidatePublicKeyInput , output: Result) + // The private method to be refined by the library developer + + + method ValidatePublicKey ( config: InternalConfig , input: ValidatePublicKeyInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ValidatePublicKeyEnsuresPublicly(input, output) + + + predicate DeriveSharedSecretEnsuresPublicly(input: DeriveSharedSecretInput , output: Result) + // The private method to be refined by the library developer + + + method DeriveSharedSecret ( config: InternalConfig , input: DeriveSharedSecretInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures DeriveSharedSecretEnsuresPublicly(input, output) + + + predicate CompressPublicKeyEnsuresPublicly(input: CompressPublicKeyInput , output: Result) + // The private method to be refined by the library developer + + + method CompressPublicKey ( config: InternalConfig , input: CompressPublicKeyInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures CompressPublicKeyEnsuresPublicly(input, output) + + + predicate DecompressPublicKeyEnsuresPublicly(input: DecompressPublicKeyInput , output: Result) + // The private method to be refined by the library developer + + + method DecompressPublicKey ( config: InternalConfig , input: DecompressPublicKeyInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures DecompressPublicKeyEnsuresPublicly(input, output) + + + predicate ParsePublicKeyEnsuresPublicly(input: ParsePublicKeyInput , output: Result) + // The private method to be refined by the library developer + + + method ParsePublicKey ( config: InternalConfig , input: ParsePublicKeyInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ParsePublicKeyEnsuresPublicly(input, output) } diff --git a/AwsCryptographyPrimitives/Model/ecdh.smithy b/AwsCryptographyPrimitives/Model/ecdh.smithy new file mode 100644 index 000000000..47aebb684 --- /dev/null +++ b/AwsCryptographyPrimitives/Model/ecdh.smithy @@ -0,0 +1,163 @@ +namespace aws.cryptography.primitives + +@enum([ + { + name: "ECC_NIST_P256", + value: "ECC_NIST_P256", + }, + { + name: "ECC_NIST_P384", + value: "ECC_NIST_P384", + }, + { + name: "ECC_NIST_P521", + value: "ECC_NIST_P521", + }, + { + name: "SM2", + value: "SM2", + }, +]) +string ECDHCurveSpec + +operation GenerateECCKeyPair { + input: GenerateECCKeyPairInput, + output: GenerateECCKeyPairOutput, + errors: [] +} + +operation GetPublicKeyFromPrivateKey { + input: GetPublicKeyFromPrivateKeyInput, + output: GetPublicKeyFromPrivateKeyOutput, + errors: [] +} + +operation ValidatePublicKey { + input: ValidatePublicKeyInput, + output: ValidatePublicKeyOutput, + errors: [] +} + +operation DeriveSharedSecret { + input: DeriveSharedSecretInput, + output: DeriveSharedSecretOutput, + errors: [] +} + +operation CompressPublicKey { + input: CompressPublicKeyInput, + output: CompressPublicKeyOutput, + errors: [] +} + +operation DecompressPublicKey { + input: DecompressPublicKeyInput, + output: DecompressPublicKeyOutput, + errors: [] +} + +operation ParsePublicKey { + input: ParsePublicKeyInput, + output: ParsePublicKeyOutput, + errors: [] +} + +structure GenerateECCKeyPairInput { + @required + eccCurve: ECDHCurveSpec +} + +structure GenerateECCKeyPairOutput { + @required + eccCurve: ECDHCurveSpec, + @required + privateKey: ECCPrivateKey, + @required + publicKey: ECCPublicKey +} + +structure GetPublicKeyFromPrivateKeyInput { + @required + eccCurve: ECDHCurveSpec, + @required + privateKey: ECCPrivateKey, +} + +structure GetPublicKeyFromPrivateKeyOutput { + @required + eccCurve: ECDHCurveSpec, + @required + privateKey: ECCPrivateKey, + @required + publicKey: Blob +} + +structure ValidatePublicKeyInput { + @required + eccCurve: ECDHCurveSpec, + @required + publicKey: Blob +} + +structure ValidatePublicKeyOutput { + @required + success: Boolean, +} + +structure DeriveSharedSecretInput { + @required + eccCurve: ECDHCurveSpec, + @required + privateKey: ECCPrivateKey, + @required + publicKey: ECCPublicKey +} + +structure DeriveSharedSecretOutput { + @required + sharedSecret: Blob +} + +structure CompressPublicKeyInput { + @required + publicKey: ECCPublicKey, + @required + eccCurve: ECDHCurveSpec +} + +structure CompressPublicKeyOutput { + @required + compressedPublicKey: Blob +} + +structure DecompressPublicKeyInput { + @required + compressedPublicKey: Blob, + @required + eccCurve: ECDHCurveSpec +} + +structure DecompressPublicKeyOutput { + @required + publicKey: ECCPublicKey +} + +structure ECCPrivateKey { + @required + pem: Blob +} + +structure ECCPublicKey { + @required + der: Blob +} + +structure ParsePublicKeyInput { + @required + publicKey: Blob +} + +structure ParsePublicKeyOutput { + @required + publicKey: ECCPublicKey +} diff --git a/AwsCryptographyPrimitives/Model/primitives.smithy b/AwsCryptographyPrimitives/Model/primitives.smithy index d368bfc35..f433da9e9 100644 --- a/AwsCryptographyPrimitives/Model/primitives.smithy +++ b/AwsCryptographyPrimitives/Model/primitives.smithy @@ -27,6 +27,13 @@ service AwsCryptographicPrimitives { GenerateECDSASignatureKey, ECDSASign, ECDSAVerify, + GenerateECCKeyPair, + GetPublicKeyFromPrivateKey, + ValidatePublicKey, + DeriveSharedSecret, + CompressPublicKey, + DecompressPublicKey, + ParsePublicKey ], errors: [AwsCryptographicPrimitivesError] } diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/DeriveSharedSecret.java b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/DeriveSharedSecret.java new file mode 100644 index 000000000..9f5f4f537 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/DeriveSharedSecret.java @@ -0,0 +1,81 @@ +package ECDH; + +import static ECDH.ECCAlgorithm.eccAlgorithm; +import static ECDH.ECCUtils.checkBCProvider; +import static ECDH.ECCUtils.dafnyArrayUnWrapper; + +import StandardLibraryInternal.InternalResult; +import Wrappers_Compile.Result; +import dafny.DafnySequence; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.X509EncodedKeySpec; +import javax.crypto.KeyAgreement; +import software.amazon.cryptography.primitives.ToDafny; +import software.amazon.cryptography.primitives.internaldafny.types.ECCPrivateKey; +import software.amazon.cryptography.primitives.internaldafny.types.ECCPublicKey; +import software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec; +import software.amazon.cryptography.primitives.internaldafny.types.Error; +import software.amazon.cryptography.primitives.model.AwsCryptographicPrimitivesError; + +public class DeriveSharedSecret extends _ExternBase___default { + + public static Result< + DafnySequence, + Error + > CalculateSharedSecret( + ECDHCurveSpec dtor_eccAlgorithm, + ECCPrivateKey dtor_privateKey, + ECCPublicKey dtro_publicKey + ) { + checkBCProvider(); + final byte[] privateKeyBytes = dafnyArrayUnWrapper(dtor_privateKey._pem); + final byte[] publicKeyBytes = dafnyArrayUnWrapper(dtro_publicKey._der); + + final InternalResult maybeEccAlgorithm = eccAlgorithm( + dtor_eccAlgorithm + ); + if (maybeEccAlgorithm.isFailure()) { + return CreateExternDerivesharedSecretError(maybeEccAlgorithm.error()); + } + + if (!maybeEccAlgorithm.value().curve.equals("SM2PKE")) { + try { + KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH", "BC"); + keyAgreement.init( + ECCUtils.parsePrivateKeyEccPemBytesToPrivateKey(privateKeyBytes), + new SecureRandom() + ); + keyAgreement.doPhase(fromBytesPublicKey(publicKeyBytes), true); + byte[] sharedSecret = keyAgreement.generateSecret(); + + return CreateExternDerivesharedSecretSuccess( + DafnySequence.fromBytes(sharedSecret) + ); + } catch (Exception e) { + return CreateExternDerivesharedSecretError( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .cause(e) + .message(e.getMessage()) + .build() + ) + ); + } + } + return CreateExternDerivesharedSecretError( + ToDafny.Error(new RuntimeException("SM2 Not yet Supported.")) + ); + } + + private static PublicKey fromBytesPublicKey(byte[] publicKeyBytes) + throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException { + KeyFactory keyFactory = KeyFactory.getInstance("EC", "BC"); + return keyFactory.generatePublic(new X509EncodedKeySpec(publicKeyBytes)); + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/ECCAlgorithm.java b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/ECCAlgorithm.java new file mode 100644 index 000000000..5e043ba9d --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/ECCAlgorithm.java @@ -0,0 +1,65 @@ +package ECDH; + +import static ECDH.KeyGeneration.SEC_P256; +import static ECDH.KeyGeneration.SEC_P384; +import static ECDH.KeyGeneration.SEC_P521; +import static ECDH.KeyGeneration.SEC_PRIME_FIELD_PREFIX; +import static ECDH.KeyGeneration.SM2_KA; + +import StandardLibraryInternal.InternalResult; +import org.bouncycastle.jce.ECNamedCurveTable; +import org.bouncycastle.jce.spec.ECParameterSpec; +import software.amazon.cryptography.primitives.ToDafny; +import software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec; +import software.amazon.cryptography.primitives.internaldafny.types.Error; +import software.amazon.cryptography.primitives.model.AwsCryptographicPrimitivesError; + +// TODO; we cam probably refactor this enum and the SignatureAlgorithm enum in order +// to have shared functionality. We would do this by creating an ECC Curve Interface. +public enum ECCAlgorithm { + P256(SEC_PRIME_FIELD_PREFIX + SEC_P256), + P384(SEC_PRIME_FIELD_PREFIX + SEC_P384), + P521(SEC_PRIME_FIELD_PREFIX + SEC_P521), + SM2(SM2_KA); + + public final String curve; + + ECCAlgorithm(final String curve) { + this.curve = curve; + } + + static InternalResult eccAlgorithm( + ECDHCurveSpec dtor_eccAlgorithm + ) { + final ECCAlgorithm namedCurveAlgorithm; + + if (dtor_eccAlgorithm.is_ECC__NIST__P256()) { + namedCurveAlgorithm = P256; + } else if (dtor_eccAlgorithm.is_ECC__NIST__P384()) { + namedCurveAlgorithm = P384; + } else if (dtor_eccAlgorithm.is_ECC__NIST__P521()) { + namedCurveAlgorithm = P521; + } else if (dtor_eccAlgorithm.is_SM2()) { + namedCurveAlgorithm = SM2; + } else { + return InternalResult.failure( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .message( + String.format( + "Requested Curve is not supported. Requested %s.", + dtor_eccAlgorithm + ) + ) + .build() + ) + ); + } + return InternalResult.success(namedCurveAlgorithm); + } + + static ECParameterSpec ecParameterSpec(ECCAlgorithm algorithm) { + return ECNamedCurveTable.getParameterSpec(algorithm.curve); + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/ECCUtils.java b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/ECCUtils.java new file mode 100644 index 000000000..1f0767f69 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/ECCUtils.java @@ -0,0 +1,381 @@ +package ECDH; + +import static ECDH.ECCAlgorithm.eccAlgorithm; +import static software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence; + +import Signature.PublicKeyUtils; +import Signature.PublicKeyUtils; +import Signature.SignatureAlgorithm; +import StandardLibraryInternal.InternalResult; +import StandardLibraryInternal.InternalResult; +import Wrappers_Compile.Result; +import dafny.Array; +import dafny.DafnySequence; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.StringWriter; +import java.math.BigInteger; +import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; +import java.security.AlgorithmParameters; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.ECPublicKey; +import java.security.spec.ECGenParameterSpec; +import java.security.spec.ECPrivateKeySpec; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.InvalidParameterSpecException; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; +import java.util.Base64; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.crypto.params.ECDomainParameters; +import org.bouncycastle.crypto.params.ECPrivateKeyParameters; +import org.bouncycastle.crypto.util.PrivateKeyFactory; +import org.bouncycastle.crypto.util.PublicKeyFactory; +import org.bouncycastle.jce.ECNamedCurveTable; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.jce.spec.ECParameterSpec; +import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.math.ec.ECCurve; +import org.bouncycastle.math.ec.ECPoint; +import org.bouncycastle.util.io.pem.PemObject; +import org.bouncycastle.util.io.pem.PemReader; +import org.bouncycastle.util.io.pem.PemWriter; +import software.amazon.cryptography.primitives.ToDafny; +import software.amazon.cryptography.primitives.internaldafny.types.ECCPrivateKey; +import software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec; +import software.amazon.cryptography.primitives.internaldafny.types.Error; +import software.amazon.cryptography.primitives.model.AwsCryptographicPrimitivesError; + +public class ECCUtils extends _ExternBase___default { + + public static Result, Error> GetPublicKey( + ECDHCurveSpec dtor_eccAlgorithm, + ECCPrivateKey dtor_privateKey + ) { + checkBCProvider(); + final InternalResult maybeEccAlgorithm = eccAlgorithm( + dtor_eccAlgorithm + ); + if (maybeEccAlgorithm.isFailure()) { + return CreateExternGetPublicKeyFromPrivateError( + maybeEccAlgorithm.error() + ); + } + + if (!maybeEccAlgorithm.value().curve.equals("SM2PKE")) { + try { + final byte[] pem = dafnyArrayUnWrapper(dtor_privateKey._pem); + final ECPrivateKey privateKey = + (ECPrivateKey) parsePrivateKeyEccPemBytesToPrivateKey(pem); + + ECParameterSpec parameterSpec = ECNamedCurveTable.getParameterSpec( + maybeEccAlgorithm.value().curve + ); + BigInteger privateKeyOrder = privateKey.getParams().getOrder(); + BigInteger parameterSpecOrder = parameterSpec + .getG() + .getCurve() + .getOrder(); + + // Compare the encoded *Order* point in the parsed private key + // to the defined parameters we get from the parameter spec + // look up. This guarantees that we only ever derive the + // public key if these points are equal. + if (privateKeyOrder.compareTo(parameterSpecOrder) != 0) { + return CreateExternGetPublicKeyFromPrivateError( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .message("Private Key NOT on configured curve spec.") + .build() + ) + ); + } + + ECPoint Q = parameterSpec.getG().multiply(privateKey.getS()); + ECPublicKeySpec publicKeySpec = new ECPublicKeySpec(Q, parameterSpec); + + final KeyFactory keyFactory = KeyFactory.getInstance("EC", "BC"); + PublicKey publicKey = keyFactory.generatePublic(publicKeySpec); + X509EncodedKeySpec encodedKeySpec = new X509EncodedKeySpec( + publicKey.getEncoded() + ); + + return CreateExternGetPublicKeyFromPrivateSuccess( + DafnySequence.fromBytes(encodedKeySpec.getEncoded()) + ); + } catch (Exception e) { + return CreateExternGetPublicKeyFromPrivateError( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .cause(e) + .message(e.getMessage()) + .build() + ) + ); + } + } + // TODO SM2 + return CreateExternGetPublicKeyFromPrivateError( + ToDafny.Error(new RuntimeException("SM2 Not yet Supported.")) + ); + } + + public static PrivateKey parsePrivateKeyEccPemBytesToPrivateKey(byte[] pem) + throws NoSuchAlgorithmException, InvalidKeySpecException, IOException { + byte[] privateKeyBytes = parsePrivateKeyPemBytes(pem); + KeyFactory keyFactory = KeyFactory.getInstance("EC"); + return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(privateKeyBytes)); + } + + public static Result ValidatePublicKey( + ECDHCurveSpec dtor_eccAlgorithm, + DafnySequence dtro_publicKey + ) { + checkBCProvider(); + final byte[] publicKeyBytes = dafnyArrayUnWrapper(dtro_publicKey); + + final InternalResult maybeEccAlgorithm = eccAlgorithm( + dtor_eccAlgorithm + ); + if (maybeEccAlgorithm.isFailure()) { + return CreateExternValidatePublicKeyError(maybeEccAlgorithm.error()); + } + + if (!maybeEccAlgorithm.value().curve.equals("SM2")) { + try { + final boolean validPublicKey = NistPublicKeyValidationCriteria( + publicKeyBytes, + maybeEccAlgorithm.value() + ); + return CreateExternValidatePublicKeySuccess(validPublicKey); + } catch (Exception e) { + return CreateExternValidatePublicKeyError( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .cause(e) + .message(e.getMessage()) + .build() + ) + ); + } + } + return CreateExternValidatePublicKeyError( + ToDafny.Error(new RuntimeException("SM2 Not yet Supported.")) + ); + } + + // We are verifying the NIST requirements for ECC Public Keys + // https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=55 + static boolean NistPublicKeyValidationCriteria( + byte[] publicKeyBytes, + ECCAlgorithm ecParameterSpec + ) + throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException, IllegalArgumentException { + KeyFactory keyFactory = KeyFactory.getInstance("EC", "BC"); + PublicKey publicKey = keyFactory.generatePublic( + new X509EncodedKeySpec(publicKeyBytes) + ); + ECParameterSpec spec = ECNamedCurveTable.getParameterSpec( + ecParameterSpec.curve + ); + ECCurve ecCurve = spec.getCurve(); + org.bouncycastle.jce.interfaces.ECPublicKey ecPublicKey = + (org.bouncycastle.jce.interfaces.ECPublicKey) publicKey; + + ECPoint ecPoint = ecPublicKey.getQ(); + ECPoint pointOnCurve = ecCurve.validatePoint( + ecPoint.getAffineXCoord().toBigInteger(), + ecPoint.getAffineYCoord().toBigInteger() + ); + return ( + ValidatePublicKeyIsNotInfinity(pointOnCurve) && + CoordinateBetween0AndP( + ecPoint.getAffineXCoord().toBigInteger(), + ecCurve + ) && + CoordinateBetween0AndP(ecPoint.getAffineYCoord().toBigInteger(), ecCurve) + ); + } + + private static boolean ValidatePublicKeyIsNotInfinity(ECPoint point) { + return !point.isInfinity(); + } + + private static boolean CoordinateBetween0AndP( + BigInteger coordinate, + ECCurve curve + ) { + return ( + coordinate.compareTo(BigInteger.ZERO) > 0 && + coordinate.compareTo(curve.getField().getCharacteristic()) < 0 + ); + } + + public static Result< + DafnySequence, + Error + > CompressPublicKey( + DafnySequence publicKeyDerBytes, + ECDHCurveSpec dtor_eccAlgorithm + ) { + try { + checkBCProvider(); + final byte[] publicKeyBytes = dafnyArrayUnWrapper(publicKeyDerBytes); + KeyFactory keyFactory = KeyFactory.getInstance("EC", "BC"); + org.bouncycastle.jce.interfaces.ECPublicKey publicKey = + (org.bouncycastle.jce.interfaces.ECPublicKey) keyFactory.generatePublic( + new X509EncodedKeySpec(publicKeyBytes) + ); + final byte[] compressedPublicKey = publicKey.getQ().getEncoded(true); + return CreateExternCompressPublicKeySuccess( + DafnySequence.fromBytes(compressedPublicKey) + ); + } catch (Exception e) { + return CreateExternCompressPublicKeyError( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .message(e.getMessage()) + .build() + ) + ); + } + } + + public static Result< + DafnySequence, + Error + > DecompressPublicKey( + DafnySequence compressedPublicKey, + ECDHCurveSpec dtor_eccAlgorithm + ) { + try { + checkBCProvider(); + final InternalResult maybeEccAlgorithm = + eccAlgorithm(dtor_eccAlgorithm); + if (maybeEccAlgorithm.isFailure()) { + return CreateExternDecompressPublicKeyError(maybeEccAlgorithm.error()); + } + final java.security.spec.ECParameterSpec ecParameterSpec = + ecParameterSpec(maybeEccAlgorithm.value()); + final byte[] compressedPublicKeyBytes = dafnyArrayUnWrapper( + compressedPublicKey + ); + final java.security.spec.ECPoint point = + PublicKeyUtils.byteArrayToECPoint( + compressedPublicKeyBytes, + ecParameterSpec + ); + final java.security.spec.ECPublicKeySpec spec = + new java.security.spec.ECPublicKeySpec(point, ecParameterSpec); + final ECPublicKey publicKey = (ECPublicKey) KeyFactory + .getInstance("EC") + .generatePublic(spec); + return CreateExternDecompressPublicKeySuccess( + DafnySequence.fromBytes(publicKey.getEncoded()) + ); + } catch (Exception e) { + return CreateExternDecompressPublicKeyError( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .message(e.getMessage()) + .build() + ) + ); + } + } + + public static Result< + DafnySequence, + Error + > ParsePublicKey(DafnySequence publicKey) { + try { + checkBCProvider(); + final byte[] publicKeyBytes = dafnyArrayUnWrapper(publicKey); + SubjectPublicKeyInfo subjectPublicKeyInfo = + SubjectPublicKeyInfo.getInstance(publicKeyBytes); + X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec( + subjectPublicKeyInfo.getEncoded() + ); + KeyFactory keyFactory = KeyFactory.getInstance("EC", "BC"); + + PublicKey ecPublicKey = keyFactory.generatePublic(x509KeySpec); + return CreateExternParsePublicKeySuccess( + DafnySequence.fromBytes(ecPublicKey.getEncoded()) + ); + } catch (Exception e) { + return CreateExternParsePublicKeyError( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .message(e.getMessage()) + .build() + ) + ); + } + } + + static DafnySequence encodePrivateKey(final PrivateKey privateKey) + throws IOException { + PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec( + privateKey.getEncoded() + ); + StringWriter stringWriter = new StringWriter(); + PemWriter pemWriter = new PemWriter(stringWriter); + pemWriter.writeObject( + new PemObject("PRIVATE KEY", pkcs8KeySpec.getEncoded()) + ); + pemWriter.close(); + ByteBuffer outBuffer = StandardCharsets.UTF_8.encode( + stringWriter.toString() + ); + return ByteSequence(outBuffer, 0, outBuffer.limit()); + } + + private static byte[] parsePrivateKeyPemBytes(byte[] pem) throws IOException { + PemReader pemReader = new PemReader( + new InputStreamReader(new ByteArrayInputStream(pem)) + ); + PemObject pemObject = pemReader.readPemObject(); + return pemObject.getContent(); + } + + public static byte[] dafnyArrayUnWrapper( + DafnySequence dafnyByteSequence + ) { + return (byte[]) Array.unwrap(dafnyByteSequence.toArray()); + } + + public static void checkBCProvider() { + if (Security.getProvider("BC") == null) { + Security.addProvider(new BouncyCastleProvider()); + } + } + + public static java.security.spec.ECParameterSpec ecParameterSpec( + ECCAlgorithm eccAlgorithm + ) throws NoSuchAlgorithmException, InvalidParameterSpecException { + final ECGenParameterSpec spec = new ECGenParameterSpec(eccAlgorithm.curve); + final AlgorithmParameters parameters = AlgorithmParameters.getInstance( + KeyGeneration.ELLIPTIC_CURVE_ALGORITHM + ); + parameters.init(spec); + return parameters.getParameterSpec( + java.security.spec.ECParameterSpec.class + ); + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/KeyGeneration.java b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/KeyGeneration.java new file mode 100644 index 000000000..138900d48 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/KeyGeneration.java @@ -0,0 +1,114 @@ +package ECDH; + +import static ECDH.ECCAlgorithm.eccAlgorithm; +import static ECDH.ECCUtils.checkBCProvider; + +import Random_Compile.ExternRandom; +import StandardLibraryInternal.InternalResult; +import Wrappers_Compile.Result; +import dafny.DafnySequence; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.SecureRandom; +import java.security.interfaces.ECPublicKey; +import java.security.spec.ECGenParameterSpec; +import java.security.spec.X509EncodedKeySpec; +import org.bouncycastle.asn1.gm.GMNamedCurves; +import org.bouncycastle.asn1.x9.X9ECParameters; +import org.bouncycastle.crypto.AsymmetricCipherKeyPair; +import org.bouncycastle.crypto.generators.ECKeyPairGenerator; +import org.bouncycastle.crypto.params.ECDomainParameters; +import org.bouncycastle.crypto.params.ECKeyGenerationParameters; +import org.bouncycastle.crypto.params.ECPrivateKeyParameters; +import org.bouncycastle.crypto.params.ECPublicKeyParameters; +import software.amazon.cryptography.primitives.ToDafny; +import software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec; +import software.amazon.cryptography.primitives.internaldafny.types.Error; +import software.amazon.cryptography.primitives.model.AwsCryptographicPrimitivesError; + +public class KeyGeneration extends _ExternBase___default { + + static final String ELLIPTIC_CURVE_ALGORITHM = "EC"; + static final String SEC_PRIME_FIELD_PREFIX = "secp"; + static final String SEC_P256 = "256r1"; + static final String SEC_P384 = "384r1"; + static final String SEC_P521 = "521r1"; + static final String SM2_KA = "SM2"; + + public static Result GenerateKeyPair( + ECDHCurveSpec dtor_eccAlgorithm + ) { + checkBCProvider(); + final InternalResult maybeEccAlgorithm = eccAlgorithm( + dtor_eccAlgorithm + ); + if (maybeEccAlgorithm.isFailure()) { + return CreateExternEccKeyGenFailure(maybeEccAlgorithm.error()); + } + if (!maybeEccAlgorithm.value().curve.equals("SM2")) { + final ECGenParameterSpec genParameterSpec = new ECGenParameterSpec( + maybeEccAlgorithm.value().curve + ); + + final SecureRandom secureRandom = ExternRandom.getSecureRandom(); + final KeyPairGenerator keyGen; + try { + keyGen = KeyPairGenerator.getInstance(ELLIPTIC_CURVE_ALGORITHM, "BC"); + keyGen.initialize(genParameterSpec, secureRandom); + final KeyPair keyPair = keyGen.generateKeyPair(); + + final DafnySequence privateKey = ECCUtils.encodePrivateKey( + keyPair.getPrivate() + ); + final byte[] publicKey = encodePublicKeyDerFormat( + (ECPublicKey) keyPair.getPublic() + ); + + return CreateExternEccKeyGenSuccess( + EccKeyPair.create(privateKey, DafnySequence.fromBytes(publicKey)) + ); + } catch (Exception e) { + return CreateExternEccKeyGenFailure( + ToDafny.Error( + AwsCryptographicPrimitivesError + .builder() + .cause(e) + .message(e.getMessage()) + .build() + ) + ); + } + } else { + X9ECParameters SM2_X9EC_PARAMETERS = GMNamedCurves.getByName("sm2p256v1"); + ECDomainParameters domain = new ECDomainParameters( + SM2_X9EC_PARAMETERS.getCurve(), + SM2_X9EC_PARAMETERS.getG(), + SM2_X9EC_PARAMETERS.getN(), + SM2_X9EC_PARAMETERS.getH() + ); + ECKeyPairGenerator generator = new ECKeyPairGenerator(); + ECKeyGenerationParameters keygenParams = new ECKeyGenerationParameters( + domain, + new SecureRandom() + ); + generator.init(keygenParams); + AsymmetricCipherKeyPair keypair = generator.generateKeyPair(); + final byte[] privateKey = + ((ECPrivateKeyParameters) keypair.getPrivate()).getD().toByteArray(); + final byte[] publicKey = + ((ECPublicKeyParameters) keypair.getPublic()).getQ().getEncoded(false); + + return CreateExternEccKeyGenSuccess( + EccKeyPair.create( + DafnySequence.fromBytes(privateKey), + DafnySequence.fromBytes(publicKey) + ) + ); + } + } + + static byte[] encodePublicKeyDerFormat(final ECPublicKey publicKey) { + X509EncodedKeySpec spec = new X509EncodedKeySpec(publicKey.getEncoded()); + return spec.getEncoded(); + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/__default.java b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/__default.java new file mode 100644 index 000000000..f0918f778 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/java/ECDH/__default.java @@ -0,0 +1,3 @@ +package ECDH; + +public class __default extends ECDH._ExternBase___default {} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/java/Signature/PublicKeyUtils.java b/AwsCryptographyPrimitives/runtimes/java/src/main/java/Signature/PublicKeyUtils.java index d8c60fac5..3c345bf33 100644 --- a/AwsCryptographyPrimitives/runtimes/java/src/main/java/Signature/PublicKeyUtils.java +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/java/Signature/PublicKeyUtils.java @@ -30,7 +30,7 @@ import software.amazon.cryptography.primitives.model.OpaqueError; /** Helper methods for encoding and decoding Elliptic Curve public keys. */ -class PublicKeyUtils { +public class PublicKeyUtils { /** * @param key The Elliptic Curve public key to encode and compress as described in SEC-1 v2 @@ -75,7 +75,7 @@ static byte[] encodeAndCompressPublicKey( * array without the sign byte * @return The byte array */ - static byte[] encodeAndCompressPublicKeyX( + public static byte[] encodeAndCompressPublicKeyX( final BigInteger bigInteger, final int length ) { @@ -171,7 +171,7 @@ static InternalResult decodePublicKey( * @return The Elliptic Curve point. * @see http://www.secg.org/sec1-v2.pdf */ - static ECPoint byteArrayToECPoint( + public static ECPoint byteArrayToECPoint( final byte[] keyAsBytes, final ECParameterSpec ecParameterSpec ) throws ECDecodingException { diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/AtomicPrimitives.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/AtomicPrimitives.java index cfc7f6902..1a43cc559 100644 --- a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/AtomicPrimitives.java +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/AtomicPrimitives.java @@ -18,15 +18,25 @@ import software.amazon.cryptography.primitives.model.AESEncryptInput; import software.amazon.cryptography.primitives.model.AESEncryptOutput; import software.amazon.cryptography.primitives.model.AesKdfCtrInput; +import software.amazon.cryptography.primitives.model.CompressPublicKeyInput; +import software.amazon.cryptography.primitives.model.CompressPublicKeyOutput; import software.amazon.cryptography.primitives.model.CryptoConfig; +import software.amazon.cryptography.primitives.model.DecompressPublicKeyInput; +import software.amazon.cryptography.primitives.model.DecompressPublicKeyOutput; +import software.amazon.cryptography.primitives.model.DeriveSharedSecretInput; +import software.amazon.cryptography.primitives.model.DeriveSharedSecretOutput; import software.amazon.cryptography.primitives.model.DigestInput; import software.amazon.cryptography.primitives.model.ECDSASignInput; import software.amazon.cryptography.primitives.model.ECDSAVerifyInput; +import software.amazon.cryptography.primitives.model.GenerateECCKeyPairInput; +import software.amazon.cryptography.primitives.model.GenerateECCKeyPairOutput; import software.amazon.cryptography.primitives.model.GenerateECDSASignatureKeyInput; import software.amazon.cryptography.primitives.model.GenerateECDSASignatureKeyOutput; import software.amazon.cryptography.primitives.model.GenerateRSAKeyPairInput; import software.amazon.cryptography.primitives.model.GenerateRSAKeyPairOutput; import software.amazon.cryptography.primitives.model.GenerateRandomBytesInput; +import software.amazon.cryptography.primitives.model.GetPublicKeyFromPrivateKeyInput; +import software.amazon.cryptography.primitives.model.GetPublicKeyFromPrivateKeyOutput; import software.amazon.cryptography.primitives.model.GetRSAKeyModulusLengthInput; import software.amazon.cryptography.primitives.model.GetRSAKeyModulusLengthOutput; import software.amazon.cryptography.primitives.model.HMacInput; @@ -34,8 +44,12 @@ import software.amazon.cryptography.primitives.model.HkdfExtractInput; import software.amazon.cryptography.primitives.model.HkdfInput; import software.amazon.cryptography.primitives.model.KdfCtrInput; +import software.amazon.cryptography.primitives.model.ParsePublicKeyInput; +import software.amazon.cryptography.primitives.model.ParsePublicKeyOutput; import software.amazon.cryptography.primitives.model.RSADecryptInput; import software.amazon.cryptography.primitives.model.RSAEncryptInput; +import software.amazon.cryptography.primitives.model.ValidatePublicKeyInput; +import software.amazon.cryptography.primitives.model.ValidatePublicKeyOutput; public class AtomicPrimitives { @@ -101,6 +115,51 @@ public ByteBuffer AesKdfCounterMode(AesKdfCtrInput input) { ); } + public CompressPublicKeyOutput CompressPublicKey( + CompressPublicKeyInput input + ) { + software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyInput dafnyValue = + ToDafny.CompressPublicKeyInput(input); + Result< + software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyOutput, + Error + > result = this._impl.CompressPublicKey(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return ToNative.CompressPublicKeyOutput(result.dtor_value()); + } + + public DecompressPublicKeyOutput DecompressPublicKey( + DecompressPublicKeyInput input + ) { + software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyInput dafnyValue = + ToDafny.DecompressPublicKeyInput(input); + Result< + software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyOutput, + Error + > result = this._impl.DecompressPublicKey(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return ToNative.DecompressPublicKeyOutput(result.dtor_value()); + } + + public DeriveSharedSecretOutput DeriveSharedSecret( + DeriveSharedSecretInput input + ) { + software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretInput dafnyValue = + ToDafny.DeriveSharedSecretInput(input); + Result< + software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretOutput, + Error + > result = this._impl.DeriveSharedSecret(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return ToNative.DeriveSharedSecretOutput(result.dtor_value()); + } + public ByteBuffer Digest(DigestInput input) { software.amazon.cryptography.primitives.internaldafny.types.DigestInput dafnyValue = ToDafny.DigestInput(input); @@ -137,6 +196,21 @@ public Boolean ECDSAVerify(ECDSAVerifyInput input) { return (result.dtor_value()); } + public GenerateECCKeyPairOutput GenerateECCKeyPair( + GenerateECCKeyPairInput input + ) { + software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairInput dafnyValue = + ToDafny.GenerateECCKeyPairInput(input); + Result< + software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairOutput, + Error + > result = this._impl.GenerateECCKeyPair(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return ToNative.GenerateECCKeyPairOutput(result.dtor_value()); + } + public GenerateECDSASignatureKeyOutput GenerateECDSASignatureKey( GenerateECDSASignatureKeyInput input ) { @@ -180,6 +254,21 @@ public GenerateRSAKeyPairOutput GenerateRSAKeyPair( return ToNative.GenerateRSAKeyPairOutput(result.dtor_value()); } + public GetPublicKeyFromPrivateKeyOutput GetPublicKeyFromPrivateKey( + GetPublicKeyFromPrivateKeyInput input + ) { + software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyInput dafnyValue = + ToDafny.GetPublicKeyFromPrivateKeyInput(input); + Result< + software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyOutput, + Error + > result = this._impl.GetPublicKeyFromPrivateKey(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return ToNative.GetPublicKeyFromPrivateKeyOutput(result.dtor_value()); + } + public GetRSAKeyModulusLengthOutput GetRSAKeyModulusLength( GetRSAKeyModulusLengthInput input ) { @@ -260,6 +349,19 @@ public ByteBuffer KdfCounterMode(KdfCtrInput input) { ); } + public ParsePublicKeyOutput ParsePublicKey(ParsePublicKeyInput input) { + software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyInput dafnyValue = + ToDafny.ParsePublicKeyInput(input); + Result< + software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyOutput, + Error + > result = this._impl.ParsePublicKey(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return ToNative.ParsePublicKeyOutput(result.dtor_value()); + } + public ByteBuffer RSADecrypt(RSADecryptInput input) { software.amazon.cryptography.primitives.internaldafny.types.RSADecryptInput dafnyValue = ToDafny.RSADecryptInput(input); @@ -286,6 +388,21 @@ public ByteBuffer RSAEncrypt(RSAEncryptInput input) { ); } + public ValidatePublicKeyOutput ValidatePublicKey( + ValidatePublicKeyInput input + ) { + software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyInput dafnyValue = + ToDafny.ValidatePublicKeyInput(input); + Result< + software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyOutput, + Error + > result = this._impl.ValidatePublicKey(dafnyValue); + if (result.is_Failure()) { + throw ToNative.Error(result.dtor_error()); + } + return ToNative.ValidatePublicKeyOutput(result.dtor_value()); + } + protected IAwsCryptographicPrimitivesClient impl() { return this._impl; } diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/ToDafny.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/ToDafny.java index 8d3ee40d8..d9b59deb9 100644 --- a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/ToDafny.java +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/ToDafny.java @@ -18,19 +18,32 @@ import software.amazon.cryptography.primitives.internaldafny.types.AES__CTR; import software.amazon.cryptography.primitives.internaldafny.types.AES__GCM; import software.amazon.cryptography.primitives.internaldafny.types.AesKdfCtrInput; +import software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyInput; +import software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyOutput; import software.amazon.cryptography.primitives.internaldafny.types.CryptoConfig; +import software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyInput; +import software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyOutput; +import software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretInput; +import software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretOutput; import software.amazon.cryptography.primitives.internaldafny.types.DigestAlgorithm; import software.amazon.cryptography.primitives.internaldafny.types.DigestInput; +import software.amazon.cryptography.primitives.internaldafny.types.ECCPrivateKey; +import software.amazon.cryptography.primitives.internaldafny.types.ECCPublicKey; +import software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec; import software.amazon.cryptography.primitives.internaldafny.types.ECDSASignInput; import software.amazon.cryptography.primitives.internaldafny.types.ECDSASignatureAlgorithm; import software.amazon.cryptography.primitives.internaldafny.types.ECDSAVerifyInput; import software.amazon.cryptography.primitives.internaldafny.types.Error; import software.amazon.cryptography.primitives.internaldafny.types.Error_AwsCryptographicPrimitivesError; +import software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairInput; +import software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairOutput; import software.amazon.cryptography.primitives.internaldafny.types.GenerateECDSASignatureKeyInput; import software.amazon.cryptography.primitives.internaldafny.types.GenerateECDSASignatureKeyOutput; import software.amazon.cryptography.primitives.internaldafny.types.GenerateRSAKeyPairInput; import software.amazon.cryptography.primitives.internaldafny.types.GenerateRSAKeyPairOutput; import software.amazon.cryptography.primitives.internaldafny.types.GenerateRandomBytesInput; +import software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyInput; +import software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyOutput; import software.amazon.cryptography.primitives.internaldafny.types.GetRSAKeyModulusLengthInput; import software.amazon.cryptography.primitives.internaldafny.types.GetRSAKeyModulusLengthOutput; import software.amazon.cryptography.primitives.internaldafny.types.HMacInput; @@ -39,11 +52,15 @@ import software.amazon.cryptography.primitives.internaldafny.types.HkdfInput; import software.amazon.cryptography.primitives.internaldafny.types.IAwsCryptographicPrimitivesClient; import software.amazon.cryptography.primitives.internaldafny.types.KdfCtrInput; +import software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyInput; +import software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyOutput; import software.amazon.cryptography.primitives.internaldafny.types.RSADecryptInput; import software.amazon.cryptography.primitives.internaldafny.types.RSAEncryptInput; import software.amazon.cryptography.primitives.internaldafny.types.RSAPaddingMode; import software.amazon.cryptography.primitives.internaldafny.types.RSAPrivateKey; import software.amazon.cryptography.primitives.internaldafny.types.RSAPublicKey; +import software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyInput; +import software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyOutput; import software.amazon.cryptography.primitives.model.AES_CTR; import software.amazon.cryptography.primitives.model.AES_GCM; import software.amazon.cryptography.primitives.model.AwsCryptographicPrimitivesError; @@ -222,12 +239,77 @@ public static DafnySequence AesKdfCtrOutput( return okm; } + public static CompressPublicKeyInput CompressPublicKeyInput( + software.amazon.cryptography.primitives.model.CompressPublicKeyInput nativeValue + ) { + ECCPublicKey publicKey; + publicKey = ToDafny.ECCPublicKey(nativeValue.publicKey()); + ECDHCurveSpec eccCurve; + eccCurve = ToDafny.ECDHCurveSpec(nativeValue.eccCurve()); + return new CompressPublicKeyInput(publicKey, eccCurve); + } + + public static CompressPublicKeyOutput CompressPublicKeyOutput( + software.amazon.cryptography.primitives.model.CompressPublicKeyOutput nativeValue + ) { + DafnySequence compressedPublicKey; + compressedPublicKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.compressedPublicKey() + ); + return new CompressPublicKeyOutput(compressedPublicKey); + } + public static CryptoConfig CryptoConfig( software.amazon.cryptography.primitives.model.CryptoConfig nativeValue ) { return new CryptoConfig(); } + public static DecompressPublicKeyInput DecompressPublicKeyInput( + software.amazon.cryptography.primitives.model.DecompressPublicKeyInput nativeValue + ) { + DafnySequence compressedPublicKey; + compressedPublicKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.compressedPublicKey() + ); + ECDHCurveSpec eccCurve; + eccCurve = ToDafny.ECDHCurveSpec(nativeValue.eccCurve()); + return new DecompressPublicKeyInput(compressedPublicKey, eccCurve); + } + + public static DecompressPublicKeyOutput DecompressPublicKeyOutput( + software.amazon.cryptography.primitives.model.DecompressPublicKeyOutput nativeValue + ) { + ECCPublicKey publicKey; + publicKey = ToDafny.ECCPublicKey(nativeValue.publicKey()); + return new DecompressPublicKeyOutput(publicKey); + } + + public static DeriveSharedSecretInput DeriveSharedSecretInput( + software.amazon.cryptography.primitives.model.DeriveSharedSecretInput nativeValue + ) { + ECDHCurveSpec eccCurve; + eccCurve = ToDafny.ECDHCurveSpec(nativeValue.eccCurve()); + ECCPrivateKey privateKey; + privateKey = ToDafny.ECCPrivateKey(nativeValue.privateKey()); + ECCPublicKey publicKey; + publicKey = ToDafny.ECCPublicKey(nativeValue.publicKey()); + return new DeriveSharedSecretInput(eccCurve, privateKey, publicKey); + } + + public static DeriveSharedSecretOutput DeriveSharedSecretOutput( + software.amazon.cryptography.primitives.model.DeriveSharedSecretOutput nativeValue + ) { + DafnySequence sharedSecret; + sharedSecret = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.sharedSecret() + ); + return new DeriveSharedSecretOutput(sharedSecret); + } + public static DigestInput DigestInput( software.amazon.cryptography.primitives.model.DigestInput nativeValue ) { @@ -252,6 +334,28 @@ public static DafnySequence DigestOutput( return digest; } + public static ECCPrivateKey ECCPrivateKey( + software.amazon.cryptography.primitives.model.ECCPrivateKey nativeValue + ) { + DafnySequence pem; + pem = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.pem() + ); + return new ECCPrivateKey(pem); + } + + public static ECCPublicKey ECCPublicKey( + software.amazon.cryptography.primitives.model.ECCPublicKey nativeValue + ) { + DafnySequence der; + der = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.der() + ); + return new ECCPublicKey(der); + } + public static ECDSASignInput ECDSASignInput( software.amazon.cryptography.primitives.model.ECDSASignInput nativeValue ) { @@ -317,6 +421,26 @@ public static Boolean ECDSAVerifyOutput(Boolean nativeValue) { return success; } + public static GenerateECCKeyPairInput GenerateECCKeyPairInput( + software.amazon.cryptography.primitives.model.GenerateECCKeyPairInput nativeValue + ) { + ECDHCurveSpec eccCurve; + eccCurve = ToDafny.ECDHCurveSpec(nativeValue.eccCurve()); + return new GenerateECCKeyPairInput(eccCurve); + } + + public static GenerateECCKeyPairOutput GenerateECCKeyPairOutput( + software.amazon.cryptography.primitives.model.GenerateECCKeyPairOutput nativeValue + ) { + ECDHCurveSpec eccCurve; + eccCurve = ToDafny.ECDHCurveSpec(nativeValue.eccCurve()); + ECCPrivateKey privateKey; + privateKey = ToDafny.ECCPrivateKey(nativeValue.privateKey()); + ECCPublicKey publicKey; + publicKey = ToDafny.ECCPublicKey(nativeValue.publicKey()); + return new GenerateECCKeyPairOutput(eccCurve, privateKey, publicKey); + } + public static GenerateECDSASignatureKeyInput GenerateECDSASignatureKeyInput( software.amazon.cryptography.primitives.model.GenerateECDSASignatureKeyInput nativeValue ) { @@ -386,6 +510,35 @@ public static GenerateRSAKeyPairOutput GenerateRSAKeyPairOutput( return new GenerateRSAKeyPairOutput(publicKey, privateKey); } + public static GetPublicKeyFromPrivateKeyInput GetPublicKeyFromPrivateKeyInput( + software.amazon.cryptography.primitives.model.GetPublicKeyFromPrivateKeyInput nativeValue + ) { + ECDHCurveSpec eccCurve; + eccCurve = ToDafny.ECDHCurveSpec(nativeValue.eccCurve()); + ECCPrivateKey privateKey; + privateKey = ToDafny.ECCPrivateKey(nativeValue.privateKey()); + return new GetPublicKeyFromPrivateKeyInput(eccCurve, privateKey); + } + + public static GetPublicKeyFromPrivateKeyOutput GetPublicKeyFromPrivateKeyOutput( + software.amazon.cryptography.primitives.model.GetPublicKeyFromPrivateKeyOutput nativeValue + ) { + ECDHCurveSpec eccCurve; + eccCurve = ToDafny.ECDHCurveSpec(nativeValue.eccCurve()); + ECCPrivateKey privateKey; + privateKey = ToDafny.ECCPrivateKey(nativeValue.privateKey()); + DafnySequence publicKey; + publicKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.publicKey() + ); + return new GetPublicKeyFromPrivateKeyOutput( + eccCurve, + privateKey, + publicKey + ); + } + public static GetRSAKeyModulusLengthInput GetRSAKeyModulusLengthInput( software.amazon.cryptography.primitives.model.GetRSAKeyModulusLengthInput nativeValue ) { @@ -588,6 +741,25 @@ public static DafnySequence KdfCtrOutput( return okm; } + public static ParsePublicKeyInput ParsePublicKeyInput( + software.amazon.cryptography.primitives.model.ParsePublicKeyInput nativeValue + ) { + DafnySequence publicKey; + publicKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.publicKey() + ); + return new ParsePublicKeyInput(publicKey); + } + + public static ParsePublicKeyOutput ParsePublicKeyOutput( + software.amazon.cryptography.primitives.model.ParsePublicKeyOutput nativeValue + ) { + ECCPublicKey publicKey; + publicKey = ToDafny.ECCPublicKey(nativeValue.publicKey()); + return new ParsePublicKeyOutput(publicKey); + } + public static RSADecryptInput RSADecryptInput( software.amazon.cryptography.primitives.model.RSADecryptInput nativeValue ) { @@ -672,6 +844,27 @@ public static RSAPublicKey RSAPublicKey( return new RSAPublicKey(lengthBits, pem); } + public static ValidatePublicKeyInput ValidatePublicKeyInput( + software.amazon.cryptography.primitives.model.ValidatePublicKeyInput nativeValue + ) { + ECDHCurveSpec eccCurve; + eccCurve = ToDafny.ECDHCurveSpec(nativeValue.eccCurve()); + DafnySequence publicKey; + publicKey = + software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence( + nativeValue.publicKey() + ); + return new ValidatePublicKeyInput(eccCurve, publicKey); + } + + public static ValidatePublicKeyOutput ValidatePublicKeyOutput( + software.amazon.cryptography.primitives.model.ValidatePublicKeyOutput nativeValue + ) { + Boolean success; + success = (nativeValue.success()); + return new ValidatePublicKeyOutput(success); + } + public static Error Error(AwsCryptographicPrimitivesError nativeValue) { DafnySequence message; message = @@ -708,6 +901,37 @@ public static DigestAlgorithm DigestAlgorithm( } } + public static ECDHCurveSpec ECDHCurveSpec( + software.amazon.cryptography.primitives.model.ECDHCurveSpec nativeValue + ) { + switch (nativeValue) { + case ECC_NIST_P256: + { + return ECDHCurveSpec.create_ECC__NIST__P256(); + } + case ECC_NIST_P384: + { + return ECDHCurveSpec.create_ECC__NIST__P384(); + } + case ECC_NIST_P521: + { + return ECDHCurveSpec.create_ECC__NIST__P521(); + } + case SM2: + { + return ECDHCurveSpec.create_SM2(); + } + default: + { + throw new RuntimeException( + "Cannot convert " + + nativeValue + + " to software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec." + ); + } + } + } + public static ECDSASignatureAlgorithm ECDSASignatureAlgorithm( software.amazon.cryptography.primitives.model.ECDSASignatureAlgorithm nativeValue ) { diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/ToNative.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/ToNative.java index 77e7cca8e..94bd292df 100644 --- a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/ToNative.java +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/ToNative.java @@ -24,17 +24,30 @@ import software.amazon.cryptography.primitives.model.AesKdfCtrInput; import software.amazon.cryptography.primitives.model.AwsCryptographicPrimitivesError; import software.amazon.cryptography.primitives.model.CollectionOfErrors; +import software.amazon.cryptography.primitives.model.CompressPublicKeyInput; +import software.amazon.cryptography.primitives.model.CompressPublicKeyOutput; import software.amazon.cryptography.primitives.model.CryptoConfig; +import software.amazon.cryptography.primitives.model.DecompressPublicKeyInput; +import software.amazon.cryptography.primitives.model.DecompressPublicKeyOutput; +import software.amazon.cryptography.primitives.model.DeriveSharedSecretInput; +import software.amazon.cryptography.primitives.model.DeriveSharedSecretOutput; import software.amazon.cryptography.primitives.model.DigestAlgorithm; import software.amazon.cryptography.primitives.model.DigestInput; +import software.amazon.cryptography.primitives.model.ECCPrivateKey; +import software.amazon.cryptography.primitives.model.ECCPublicKey; +import software.amazon.cryptography.primitives.model.ECDHCurveSpec; import software.amazon.cryptography.primitives.model.ECDSASignInput; import software.amazon.cryptography.primitives.model.ECDSASignatureAlgorithm; import software.amazon.cryptography.primitives.model.ECDSAVerifyInput; +import software.amazon.cryptography.primitives.model.GenerateECCKeyPairInput; +import software.amazon.cryptography.primitives.model.GenerateECCKeyPairOutput; import software.amazon.cryptography.primitives.model.GenerateECDSASignatureKeyInput; import software.amazon.cryptography.primitives.model.GenerateECDSASignatureKeyOutput; import software.amazon.cryptography.primitives.model.GenerateRSAKeyPairInput; import software.amazon.cryptography.primitives.model.GenerateRSAKeyPairOutput; import software.amazon.cryptography.primitives.model.GenerateRandomBytesInput; +import software.amazon.cryptography.primitives.model.GetPublicKeyFromPrivateKeyInput; +import software.amazon.cryptography.primitives.model.GetPublicKeyFromPrivateKeyOutput; import software.amazon.cryptography.primitives.model.GetRSAKeyModulusLengthInput; import software.amazon.cryptography.primitives.model.GetRSAKeyModulusLengthOutput; import software.amazon.cryptography.primitives.model.HMacInput; @@ -43,11 +56,15 @@ import software.amazon.cryptography.primitives.model.HkdfInput; import software.amazon.cryptography.primitives.model.KdfCtrInput; import software.amazon.cryptography.primitives.model.OpaqueError; +import software.amazon.cryptography.primitives.model.ParsePublicKeyInput; +import software.amazon.cryptography.primitives.model.ParsePublicKeyOutput; import software.amazon.cryptography.primitives.model.RSADecryptInput; import software.amazon.cryptography.primitives.model.RSAEncryptInput; import software.amazon.cryptography.primitives.model.RSAPaddingMode; import software.amazon.cryptography.primitives.model.RSAPrivateKey; import software.amazon.cryptography.primitives.model.RSAPublicKey; +import software.amazon.cryptography.primitives.model.ValidatePublicKeyInput; +import software.amazon.cryptography.primitives.model.ValidatePublicKeyOutput; public class ToNative { @@ -230,6 +247,29 @@ public static ByteBuffer AesKdfCtrOutput( ); } + public static CompressPublicKeyInput CompressPublicKeyInput( + software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyInput dafnyValue + ) { + CompressPublicKeyInput.Builder nativeBuilder = + CompressPublicKeyInput.builder(); + nativeBuilder.publicKey(ToNative.ECCPublicKey(dafnyValue.dtor_publicKey())); + nativeBuilder.eccCurve(ToNative.ECDHCurveSpec(dafnyValue.dtor_eccCurve())); + return nativeBuilder.build(); + } + + public static CompressPublicKeyOutput CompressPublicKeyOutput( + software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyOutput dafnyValue + ) { + CompressPublicKeyOutput.Builder nativeBuilder = + CompressPublicKeyOutput.builder(); + nativeBuilder.compressedPublicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_compressedPublicKey() + ) + ); + return nativeBuilder.build(); + } + public static CryptoConfig CryptoConfig( software.amazon.cryptography.primitives.internaldafny.types.CryptoConfig dafnyValue ) { @@ -237,6 +277,55 @@ public static CryptoConfig CryptoConfig( return nativeBuilder.build(); } + public static DecompressPublicKeyInput DecompressPublicKeyInput( + software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyInput dafnyValue + ) { + DecompressPublicKeyInput.Builder nativeBuilder = + DecompressPublicKeyInput.builder(); + nativeBuilder.compressedPublicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_compressedPublicKey() + ) + ); + nativeBuilder.eccCurve(ToNative.ECDHCurveSpec(dafnyValue.dtor_eccCurve())); + return nativeBuilder.build(); + } + + public static DecompressPublicKeyOutput DecompressPublicKeyOutput( + software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyOutput dafnyValue + ) { + DecompressPublicKeyOutput.Builder nativeBuilder = + DecompressPublicKeyOutput.builder(); + nativeBuilder.publicKey(ToNative.ECCPublicKey(dafnyValue.dtor_publicKey())); + return nativeBuilder.build(); + } + + public static DeriveSharedSecretInput DeriveSharedSecretInput( + software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretInput dafnyValue + ) { + DeriveSharedSecretInput.Builder nativeBuilder = + DeriveSharedSecretInput.builder(); + nativeBuilder.eccCurve(ToNative.ECDHCurveSpec(dafnyValue.dtor_eccCurve())); + nativeBuilder.privateKey( + ToNative.ECCPrivateKey(dafnyValue.dtor_privateKey()) + ); + nativeBuilder.publicKey(ToNative.ECCPublicKey(dafnyValue.dtor_publicKey())); + return nativeBuilder.build(); + } + + public static DeriveSharedSecretOutput DeriveSharedSecretOutput( + software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretOutput dafnyValue + ) { + DeriveSharedSecretOutput.Builder nativeBuilder = + DeriveSharedSecretOutput.builder(); + nativeBuilder.sharedSecret( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_sharedSecret() + ) + ); + return nativeBuilder.build(); + } + public static DigestInput DigestInput( software.amazon.cryptography.primitives.internaldafny.types.DigestInput dafnyValue ) { @@ -260,6 +349,30 @@ public static ByteBuffer DigestOutput( ); } + public static ECCPrivateKey ECCPrivateKey( + software.amazon.cryptography.primitives.internaldafny.types.ECCPrivateKey dafnyValue + ) { + ECCPrivateKey.Builder nativeBuilder = ECCPrivateKey.builder(); + nativeBuilder.pem( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_pem() + ) + ); + return nativeBuilder.build(); + } + + public static ECCPublicKey ECCPublicKey( + software.amazon.cryptography.primitives.internaldafny.types.ECCPublicKey dafnyValue + ) { + ECCPublicKey.Builder nativeBuilder = ECCPublicKey.builder(); + nativeBuilder.der( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_der() + ) + ); + return nativeBuilder.build(); + } + public static ECDSASignInput ECDSASignInput( software.amazon.cryptography.primitives.internaldafny.types.ECDSASignInput dafnyValue ) { @@ -317,6 +430,28 @@ public static Boolean ECDSAVerifyOutput(Boolean dafnyValue) { return (dafnyValue); } + public static GenerateECCKeyPairInput GenerateECCKeyPairInput( + software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairInput dafnyValue + ) { + GenerateECCKeyPairInput.Builder nativeBuilder = + GenerateECCKeyPairInput.builder(); + nativeBuilder.eccCurve(ToNative.ECDHCurveSpec(dafnyValue.dtor_eccCurve())); + return nativeBuilder.build(); + } + + public static GenerateECCKeyPairOutput GenerateECCKeyPairOutput( + software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairOutput dafnyValue + ) { + GenerateECCKeyPairOutput.Builder nativeBuilder = + GenerateECCKeyPairOutput.builder(); + nativeBuilder.eccCurve(ToNative.ECDHCurveSpec(dafnyValue.dtor_eccCurve())); + nativeBuilder.privateKey( + ToNative.ECCPrivateKey(dafnyValue.dtor_privateKey()) + ); + nativeBuilder.publicKey(ToNative.ECCPublicKey(dafnyValue.dtor_publicKey())); + return nativeBuilder.build(); + } + public static GenerateECDSASignatureKeyInput GenerateECDSASignatureKeyInput( software.amazon.cryptography.primitives.internaldafny.types.GenerateECDSASignatureKeyInput dafnyValue ) { @@ -387,6 +522,35 @@ public static GenerateRSAKeyPairOutput GenerateRSAKeyPairOutput( return nativeBuilder.build(); } + public static GetPublicKeyFromPrivateKeyInput GetPublicKeyFromPrivateKeyInput( + software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyInput dafnyValue + ) { + GetPublicKeyFromPrivateKeyInput.Builder nativeBuilder = + GetPublicKeyFromPrivateKeyInput.builder(); + nativeBuilder.eccCurve(ToNative.ECDHCurveSpec(dafnyValue.dtor_eccCurve())); + nativeBuilder.privateKey( + ToNative.ECCPrivateKey(dafnyValue.dtor_privateKey()) + ); + return nativeBuilder.build(); + } + + public static GetPublicKeyFromPrivateKeyOutput GetPublicKeyFromPrivateKeyOutput( + software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyOutput dafnyValue + ) { + GetPublicKeyFromPrivateKeyOutput.Builder nativeBuilder = + GetPublicKeyFromPrivateKeyOutput.builder(); + nativeBuilder.eccCurve(ToNative.ECDHCurveSpec(dafnyValue.dtor_eccCurve())); + nativeBuilder.privateKey( + ToNative.ECCPrivateKey(dafnyValue.dtor_privateKey()) + ); + nativeBuilder.publicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_publicKey() + ) + ); + return nativeBuilder.build(); + } + public static GetRSAKeyModulusLengthInput GetRSAKeyModulusLengthInput( software.amazon.cryptography.primitives.internaldafny.types.GetRSAKeyModulusLengthInput dafnyValue ) { @@ -570,6 +734,26 @@ public static ByteBuffer KdfCtrOutput( ); } + public static ParsePublicKeyInput ParsePublicKeyInput( + software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyInput dafnyValue + ) { + ParsePublicKeyInput.Builder nativeBuilder = ParsePublicKeyInput.builder(); + nativeBuilder.publicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_publicKey() + ) + ); + return nativeBuilder.build(); + } + + public static ParsePublicKeyOutput ParsePublicKeyOutput( + software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyOutput dafnyValue + ) { + ParsePublicKeyOutput.Builder nativeBuilder = ParsePublicKeyOutput.builder(); + nativeBuilder.publicKey(ToNative.ECCPublicKey(dafnyValue.dtor_publicKey())); + return nativeBuilder.build(); + } + public static RSADecryptInput RSADecryptInput( software.amazon.cryptography.primitives.internaldafny.types.RSADecryptInput dafnyValue ) { @@ -648,6 +832,29 @@ public static RSAPublicKey RSAPublicKey( return nativeBuilder.build(); } + public static ValidatePublicKeyInput ValidatePublicKeyInput( + software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyInput dafnyValue + ) { + ValidatePublicKeyInput.Builder nativeBuilder = + ValidatePublicKeyInput.builder(); + nativeBuilder.eccCurve(ToNative.ECDHCurveSpec(dafnyValue.dtor_eccCurve())); + nativeBuilder.publicKey( + software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer( + dafnyValue.dtor_publicKey() + ) + ); + return nativeBuilder.build(); + } + + public static ValidatePublicKeyOutput ValidatePublicKeyOutput( + software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyOutput dafnyValue + ) { + ValidatePublicKeyOutput.Builder nativeBuilder = + ValidatePublicKeyOutput.builder(); + nativeBuilder.success((dafnyValue.dtor_success())); + return nativeBuilder.build(); + } + public static DigestAlgorithm DigestAlgorithm( software.amazon.cryptography.primitives.internaldafny.types.DigestAlgorithm dafnyValue ) { @@ -666,6 +873,27 @@ public static DigestAlgorithm DigestAlgorithm( ); } + public static ECDHCurveSpec ECDHCurveSpec( + software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec dafnyValue + ) { + if (dafnyValue.is_ECC__NIST__P256()) { + return ECDHCurveSpec.ECC_NIST_P256; + } + if (dafnyValue.is_ECC__NIST__P384()) { + return ECDHCurveSpec.ECC_NIST_P384; + } + if (dafnyValue.is_ECC__NIST__P521()) { + return ECDHCurveSpec.ECC_NIST_P521; + } + if (dafnyValue.is_SM2()) { + return ECDHCurveSpec.SM2; + } + throw new IllegalArgumentException( + "No entry of software.amazon.cryptography.primitives.model.ECDHCurveSpec matches the input : " + + dafnyValue + ); + } + public static ECDSASignatureAlgorithm ECDSASignatureAlgorithm( software.amazon.cryptography.primitives.internaldafny.types.ECDSASignatureAlgorithm dafnyValue ) { diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/CompressPublicKeyInput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/CompressPublicKeyInput.java new file mode 100644 index 000000000..31228d358 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/CompressPublicKeyInput.java @@ -0,0 +1,92 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.util.Objects; + +public class CompressPublicKeyInput { + + private final ECCPublicKey publicKey; + + private final ECDHCurveSpec eccCurve; + + protected CompressPublicKeyInput(BuilderImpl builder) { + this.publicKey = builder.publicKey(); + this.eccCurve = builder.eccCurve(); + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder publicKey(ECCPublicKey publicKey); + + ECCPublicKey publicKey(); + + Builder eccCurve(ECDHCurveSpec eccCurve); + + ECDHCurveSpec eccCurve(); + + CompressPublicKeyInput build(); + } + + static class BuilderImpl implements Builder { + + protected ECCPublicKey publicKey; + + protected ECDHCurveSpec eccCurve; + + protected BuilderImpl() {} + + protected BuilderImpl(CompressPublicKeyInput model) { + this.publicKey = model.publicKey(); + this.eccCurve = model.eccCurve(); + } + + public Builder publicKey(ECCPublicKey publicKey) { + this.publicKey = publicKey; + return this; + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public Builder eccCurve(ECDHCurveSpec eccCurve) { + this.eccCurve = eccCurve; + return this; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public CompressPublicKeyInput build() { + if (Objects.isNull(this.publicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `publicKey`" + ); + } + if (Objects.isNull(this.eccCurve())) { + throw new IllegalArgumentException( + "Missing value for required field `eccCurve`" + ); + } + return new CompressPublicKeyInput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/CompressPublicKeyOutput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/CompressPublicKeyOutput.java new file mode 100644 index 000000000..3440118d5 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/CompressPublicKeyOutput.java @@ -0,0 +1,65 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class CompressPublicKeyOutput { + + private final ByteBuffer compressedPublicKey; + + protected CompressPublicKeyOutput(BuilderImpl builder) { + this.compressedPublicKey = builder.compressedPublicKey(); + } + + public ByteBuffer compressedPublicKey() { + return this.compressedPublicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder compressedPublicKey(ByteBuffer compressedPublicKey); + + ByteBuffer compressedPublicKey(); + + CompressPublicKeyOutput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer compressedPublicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(CompressPublicKeyOutput model) { + this.compressedPublicKey = model.compressedPublicKey(); + } + + public Builder compressedPublicKey(ByteBuffer compressedPublicKey) { + this.compressedPublicKey = compressedPublicKey; + return this; + } + + public ByteBuffer compressedPublicKey() { + return this.compressedPublicKey; + } + + public CompressPublicKeyOutput build() { + if (Objects.isNull(this.compressedPublicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `compressedPublicKey`" + ); + } + return new CompressPublicKeyOutput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DecompressPublicKeyInput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DecompressPublicKeyInput.java new file mode 100644 index 000000000..456c52489 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DecompressPublicKeyInput.java @@ -0,0 +1,93 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class DecompressPublicKeyInput { + + private final ByteBuffer compressedPublicKey; + + private final ECDHCurveSpec eccCurve; + + protected DecompressPublicKeyInput(BuilderImpl builder) { + this.compressedPublicKey = builder.compressedPublicKey(); + this.eccCurve = builder.eccCurve(); + } + + public ByteBuffer compressedPublicKey() { + return this.compressedPublicKey; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder compressedPublicKey(ByteBuffer compressedPublicKey); + + ByteBuffer compressedPublicKey(); + + Builder eccCurve(ECDHCurveSpec eccCurve); + + ECDHCurveSpec eccCurve(); + + DecompressPublicKeyInput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer compressedPublicKey; + + protected ECDHCurveSpec eccCurve; + + protected BuilderImpl() {} + + protected BuilderImpl(DecompressPublicKeyInput model) { + this.compressedPublicKey = model.compressedPublicKey(); + this.eccCurve = model.eccCurve(); + } + + public Builder compressedPublicKey(ByteBuffer compressedPublicKey) { + this.compressedPublicKey = compressedPublicKey; + return this; + } + + public ByteBuffer compressedPublicKey() { + return this.compressedPublicKey; + } + + public Builder eccCurve(ECDHCurveSpec eccCurve) { + this.eccCurve = eccCurve; + return this; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public DecompressPublicKeyInput build() { + if (Objects.isNull(this.compressedPublicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `compressedPublicKey`" + ); + } + if (Objects.isNull(this.eccCurve())) { + throw new IllegalArgumentException( + "Missing value for required field `eccCurve`" + ); + } + return new DecompressPublicKeyInput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DecompressPublicKeyOutput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DecompressPublicKeyOutput.java new file mode 100644 index 000000000..a3e671b42 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DecompressPublicKeyOutput.java @@ -0,0 +1,64 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.util.Objects; + +public class DecompressPublicKeyOutput { + + private final ECCPublicKey publicKey; + + protected DecompressPublicKeyOutput(BuilderImpl builder) { + this.publicKey = builder.publicKey(); + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder publicKey(ECCPublicKey publicKey); + + ECCPublicKey publicKey(); + + DecompressPublicKeyOutput build(); + } + + static class BuilderImpl implements Builder { + + protected ECCPublicKey publicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(DecompressPublicKeyOutput model) { + this.publicKey = model.publicKey(); + } + + public Builder publicKey(ECCPublicKey publicKey) { + this.publicKey = publicKey; + return this; + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public DecompressPublicKeyOutput build() { + if (Objects.isNull(this.publicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `publicKey`" + ); + } + return new DecompressPublicKeyOutput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DeriveSharedSecretInput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DeriveSharedSecretInput.java new file mode 100644 index 000000000..a8d3dd585 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DeriveSharedSecretInput.java @@ -0,0 +1,120 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.util.Objects; + +public class DeriveSharedSecretInput { + + private final ECDHCurveSpec eccCurve; + + private final ECCPrivateKey privateKey; + + private final ECCPublicKey publicKey; + + protected DeriveSharedSecretInput(BuilderImpl builder) { + this.eccCurve = builder.eccCurve(); + this.privateKey = builder.privateKey(); + this.publicKey = builder.publicKey(); + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public ECCPrivateKey privateKey() { + return this.privateKey; + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder eccCurve(ECDHCurveSpec eccCurve); + + ECDHCurveSpec eccCurve(); + + Builder privateKey(ECCPrivateKey privateKey); + + ECCPrivateKey privateKey(); + + Builder publicKey(ECCPublicKey publicKey); + + ECCPublicKey publicKey(); + + DeriveSharedSecretInput build(); + } + + static class BuilderImpl implements Builder { + + protected ECDHCurveSpec eccCurve; + + protected ECCPrivateKey privateKey; + + protected ECCPublicKey publicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(DeriveSharedSecretInput model) { + this.eccCurve = model.eccCurve(); + this.privateKey = model.privateKey(); + this.publicKey = model.publicKey(); + } + + public Builder eccCurve(ECDHCurveSpec eccCurve) { + this.eccCurve = eccCurve; + return this; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public Builder privateKey(ECCPrivateKey privateKey) { + this.privateKey = privateKey; + return this; + } + + public ECCPrivateKey privateKey() { + return this.privateKey; + } + + public Builder publicKey(ECCPublicKey publicKey) { + this.publicKey = publicKey; + return this; + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public DeriveSharedSecretInput build() { + if (Objects.isNull(this.eccCurve())) { + throw new IllegalArgumentException( + "Missing value for required field `eccCurve`" + ); + } + if (Objects.isNull(this.privateKey())) { + throw new IllegalArgumentException( + "Missing value for required field `privateKey`" + ); + } + if (Objects.isNull(this.publicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `publicKey`" + ); + } + return new DeriveSharedSecretInput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DeriveSharedSecretOutput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DeriveSharedSecretOutput.java new file mode 100644 index 000000000..a57172fec --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/DeriveSharedSecretOutput.java @@ -0,0 +1,65 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class DeriveSharedSecretOutput { + + private final ByteBuffer sharedSecret; + + protected DeriveSharedSecretOutput(BuilderImpl builder) { + this.sharedSecret = builder.sharedSecret(); + } + + public ByteBuffer sharedSecret() { + return this.sharedSecret; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder sharedSecret(ByteBuffer sharedSecret); + + ByteBuffer sharedSecret(); + + DeriveSharedSecretOutput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer sharedSecret; + + protected BuilderImpl() {} + + protected BuilderImpl(DeriveSharedSecretOutput model) { + this.sharedSecret = model.sharedSecret(); + } + + public Builder sharedSecret(ByteBuffer sharedSecret) { + this.sharedSecret = sharedSecret; + return this; + } + + public ByteBuffer sharedSecret() { + return this.sharedSecret; + } + + public DeriveSharedSecretOutput build() { + if (Objects.isNull(this.sharedSecret())) { + throw new IllegalArgumentException( + "Missing value for required field `sharedSecret`" + ); + } + return new DeriveSharedSecretOutput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECCPrivateKey.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECCPrivateKey.java new file mode 100644 index 000000000..a8958f142 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECCPrivateKey.java @@ -0,0 +1,65 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class ECCPrivateKey { + + private final ByteBuffer pem; + + protected ECCPrivateKey(BuilderImpl builder) { + this.pem = builder.pem(); + } + + public ByteBuffer pem() { + return this.pem; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder pem(ByteBuffer pem); + + ByteBuffer pem(); + + ECCPrivateKey build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer pem; + + protected BuilderImpl() {} + + protected BuilderImpl(ECCPrivateKey model) { + this.pem = model.pem(); + } + + public Builder pem(ByteBuffer pem) { + this.pem = pem; + return this; + } + + public ByteBuffer pem() { + return this.pem; + } + + public ECCPrivateKey build() { + if (Objects.isNull(this.pem())) { + throw new IllegalArgumentException( + "Missing value for required field `pem`" + ); + } + return new ECCPrivateKey(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECCPublicKey.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECCPublicKey.java new file mode 100644 index 000000000..3380af10e --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECCPublicKey.java @@ -0,0 +1,65 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class ECCPublicKey { + + private final ByteBuffer der; + + protected ECCPublicKey(BuilderImpl builder) { + this.der = builder.der(); + } + + public ByteBuffer der() { + return this.der; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder der(ByteBuffer der); + + ByteBuffer der(); + + ECCPublicKey build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer der; + + protected BuilderImpl() {} + + protected BuilderImpl(ECCPublicKey model) { + this.der = model.der(); + } + + public Builder der(ByteBuffer der) { + this.der = der; + return this; + } + + public ByteBuffer der() { + return this.der; + } + + public ECCPublicKey build() { + if (Objects.isNull(this.der())) { + throw new IllegalArgumentException( + "Missing value for required field `der`" + ); + } + return new ECCPublicKey(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECDHCurveSpec.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECDHCurveSpec.java new file mode 100644 index 000000000..ea57ec9cd --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ECDHCurveSpec.java @@ -0,0 +1,24 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +public enum ECDHCurveSpec { + ECC_NIST_P256("ECC_NIST_P256"), + + ECC_NIST_P384("ECC_NIST_P384"), + + ECC_NIST_P521("ECC_NIST_P521"), + + SM2("SM2"); + + private final String value; + + private ECDHCurveSpec(String value) { + this.value = value; + } + + public String toString() { + return String.valueOf(value); + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GenerateECCKeyPairInput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GenerateECCKeyPairInput.java new file mode 100644 index 000000000..58f730b59 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GenerateECCKeyPairInput.java @@ -0,0 +1,64 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.util.Objects; + +public class GenerateECCKeyPairInput { + + private final ECDHCurveSpec eccCurve; + + protected GenerateECCKeyPairInput(BuilderImpl builder) { + this.eccCurve = builder.eccCurve(); + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder eccCurve(ECDHCurveSpec eccCurve); + + ECDHCurveSpec eccCurve(); + + GenerateECCKeyPairInput build(); + } + + static class BuilderImpl implements Builder { + + protected ECDHCurveSpec eccCurve; + + protected BuilderImpl() {} + + protected BuilderImpl(GenerateECCKeyPairInput model) { + this.eccCurve = model.eccCurve(); + } + + public Builder eccCurve(ECDHCurveSpec eccCurve) { + this.eccCurve = eccCurve; + return this; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public GenerateECCKeyPairInput build() { + if (Objects.isNull(this.eccCurve())) { + throw new IllegalArgumentException( + "Missing value for required field `eccCurve`" + ); + } + return new GenerateECCKeyPairInput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GenerateECCKeyPairOutput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GenerateECCKeyPairOutput.java new file mode 100644 index 000000000..4bf540ed6 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GenerateECCKeyPairOutput.java @@ -0,0 +1,120 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.util.Objects; + +public class GenerateECCKeyPairOutput { + + private final ECDHCurveSpec eccCurve; + + private final ECCPrivateKey privateKey; + + private final ECCPublicKey publicKey; + + protected GenerateECCKeyPairOutput(BuilderImpl builder) { + this.eccCurve = builder.eccCurve(); + this.privateKey = builder.privateKey(); + this.publicKey = builder.publicKey(); + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public ECCPrivateKey privateKey() { + return this.privateKey; + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder eccCurve(ECDHCurveSpec eccCurve); + + ECDHCurveSpec eccCurve(); + + Builder privateKey(ECCPrivateKey privateKey); + + ECCPrivateKey privateKey(); + + Builder publicKey(ECCPublicKey publicKey); + + ECCPublicKey publicKey(); + + GenerateECCKeyPairOutput build(); + } + + static class BuilderImpl implements Builder { + + protected ECDHCurveSpec eccCurve; + + protected ECCPrivateKey privateKey; + + protected ECCPublicKey publicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(GenerateECCKeyPairOutput model) { + this.eccCurve = model.eccCurve(); + this.privateKey = model.privateKey(); + this.publicKey = model.publicKey(); + } + + public Builder eccCurve(ECDHCurveSpec eccCurve) { + this.eccCurve = eccCurve; + return this; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public Builder privateKey(ECCPrivateKey privateKey) { + this.privateKey = privateKey; + return this; + } + + public ECCPrivateKey privateKey() { + return this.privateKey; + } + + public Builder publicKey(ECCPublicKey publicKey) { + this.publicKey = publicKey; + return this; + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public GenerateECCKeyPairOutput build() { + if (Objects.isNull(this.eccCurve())) { + throw new IllegalArgumentException( + "Missing value for required field `eccCurve`" + ); + } + if (Objects.isNull(this.privateKey())) { + throw new IllegalArgumentException( + "Missing value for required field `privateKey`" + ); + } + if (Objects.isNull(this.publicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `publicKey`" + ); + } + return new GenerateECCKeyPairOutput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GetPublicKeyFromPrivateKeyInput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GetPublicKeyFromPrivateKeyInput.java new file mode 100644 index 000000000..81aca14c6 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GetPublicKeyFromPrivateKeyInput.java @@ -0,0 +1,92 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.util.Objects; + +public class GetPublicKeyFromPrivateKeyInput { + + private final ECDHCurveSpec eccCurve; + + private final ECCPrivateKey privateKey; + + protected GetPublicKeyFromPrivateKeyInput(BuilderImpl builder) { + this.eccCurve = builder.eccCurve(); + this.privateKey = builder.privateKey(); + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public ECCPrivateKey privateKey() { + return this.privateKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder eccCurve(ECDHCurveSpec eccCurve); + + ECDHCurveSpec eccCurve(); + + Builder privateKey(ECCPrivateKey privateKey); + + ECCPrivateKey privateKey(); + + GetPublicKeyFromPrivateKeyInput build(); + } + + static class BuilderImpl implements Builder { + + protected ECDHCurveSpec eccCurve; + + protected ECCPrivateKey privateKey; + + protected BuilderImpl() {} + + protected BuilderImpl(GetPublicKeyFromPrivateKeyInput model) { + this.eccCurve = model.eccCurve(); + this.privateKey = model.privateKey(); + } + + public Builder eccCurve(ECDHCurveSpec eccCurve) { + this.eccCurve = eccCurve; + return this; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public Builder privateKey(ECCPrivateKey privateKey) { + this.privateKey = privateKey; + return this; + } + + public ECCPrivateKey privateKey() { + return this.privateKey; + } + + public GetPublicKeyFromPrivateKeyInput build() { + if (Objects.isNull(this.eccCurve())) { + throw new IllegalArgumentException( + "Missing value for required field `eccCurve`" + ); + } + if (Objects.isNull(this.privateKey())) { + throw new IllegalArgumentException( + "Missing value for required field `privateKey`" + ); + } + return new GetPublicKeyFromPrivateKeyInput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GetPublicKeyFromPrivateKeyOutput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GetPublicKeyFromPrivateKeyOutput.java new file mode 100644 index 000000000..1d6d1a4a7 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/GetPublicKeyFromPrivateKeyOutput.java @@ -0,0 +1,121 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class GetPublicKeyFromPrivateKeyOutput { + + private final ECDHCurveSpec eccCurve; + + private final ECCPrivateKey privateKey; + + private final ByteBuffer publicKey; + + protected GetPublicKeyFromPrivateKeyOutput(BuilderImpl builder) { + this.eccCurve = builder.eccCurve(); + this.privateKey = builder.privateKey(); + this.publicKey = builder.publicKey(); + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public ECCPrivateKey privateKey() { + return this.privateKey; + } + + public ByteBuffer publicKey() { + return this.publicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder eccCurve(ECDHCurveSpec eccCurve); + + ECDHCurveSpec eccCurve(); + + Builder privateKey(ECCPrivateKey privateKey); + + ECCPrivateKey privateKey(); + + Builder publicKey(ByteBuffer publicKey); + + ByteBuffer publicKey(); + + GetPublicKeyFromPrivateKeyOutput build(); + } + + static class BuilderImpl implements Builder { + + protected ECDHCurveSpec eccCurve; + + protected ECCPrivateKey privateKey; + + protected ByteBuffer publicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(GetPublicKeyFromPrivateKeyOutput model) { + this.eccCurve = model.eccCurve(); + this.privateKey = model.privateKey(); + this.publicKey = model.publicKey(); + } + + public Builder eccCurve(ECDHCurveSpec eccCurve) { + this.eccCurve = eccCurve; + return this; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public Builder privateKey(ECCPrivateKey privateKey) { + this.privateKey = privateKey; + return this; + } + + public ECCPrivateKey privateKey() { + return this.privateKey; + } + + public Builder publicKey(ByteBuffer publicKey) { + this.publicKey = publicKey; + return this; + } + + public ByteBuffer publicKey() { + return this.publicKey; + } + + public GetPublicKeyFromPrivateKeyOutput build() { + if (Objects.isNull(this.eccCurve())) { + throw new IllegalArgumentException( + "Missing value for required field `eccCurve`" + ); + } + if (Objects.isNull(this.privateKey())) { + throw new IllegalArgumentException( + "Missing value for required field `privateKey`" + ); + } + if (Objects.isNull(this.publicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `publicKey`" + ); + } + return new GetPublicKeyFromPrivateKeyOutput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ParsePublicKeyInput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ParsePublicKeyInput.java new file mode 100644 index 000000000..5d81f9760 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ParsePublicKeyInput.java @@ -0,0 +1,65 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class ParsePublicKeyInput { + + private final ByteBuffer publicKey; + + protected ParsePublicKeyInput(BuilderImpl builder) { + this.publicKey = builder.publicKey(); + } + + public ByteBuffer publicKey() { + return this.publicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder publicKey(ByteBuffer publicKey); + + ByteBuffer publicKey(); + + ParsePublicKeyInput build(); + } + + static class BuilderImpl implements Builder { + + protected ByteBuffer publicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(ParsePublicKeyInput model) { + this.publicKey = model.publicKey(); + } + + public Builder publicKey(ByteBuffer publicKey) { + this.publicKey = publicKey; + return this; + } + + public ByteBuffer publicKey() { + return this.publicKey; + } + + public ParsePublicKeyInput build() { + if (Objects.isNull(this.publicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `publicKey`" + ); + } + return new ParsePublicKeyInput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ParsePublicKeyOutput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ParsePublicKeyOutput.java new file mode 100644 index 000000000..ae21333e7 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ParsePublicKeyOutput.java @@ -0,0 +1,64 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.util.Objects; + +public class ParsePublicKeyOutput { + + private final ECCPublicKey publicKey; + + protected ParsePublicKeyOutput(BuilderImpl builder) { + this.publicKey = builder.publicKey(); + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder publicKey(ECCPublicKey publicKey); + + ECCPublicKey publicKey(); + + ParsePublicKeyOutput build(); + } + + static class BuilderImpl implements Builder { + + protected ECCPublicKey publicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(ParsePublicKeyOutput model) { + this.publicKey = model.publicKey(); + } + + public Builder publicKey(ECCPublicKey publicKey) { + this.publicKey = publicKey; + return this; + } + + public ECCPublicKey publicKey() { + return this.publicKey; + } + + public ParsePublicKeyOutput build() { + if (Objects.isNull(this.publicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `publicKey`" + ); + } + return new ParsePublicKeyOutput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ValidatePublicKeyInput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ValidatePublicKeyInput.java new file mode 100644 index 000000000..8ab52bca5 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ValidatePublicKeyInput.java @@ -0,0 +1,93 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.nio.ByteBuffer; +import java.util.Objects; + +public class ValidatePublicKeyInput { + + private final ECDHCurveSpec eccCurve; + + private final ByteBuffer publicKey; + + protected ValidatePublicKeyInput(BuilderImpl builder) { + this.eccCurve = builder.eccCurve(); + this.publicKey = builder.publicKey(); + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public ByteBuffer publicKey() { + return this.publicKey; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder eccCurve(ECDHCurveSpec eccCurve); + + ECDHCurveSpec eccCurve(); + + Builder publicKey(ByteBuffer publicKey); + + ByteBuffer publicKey(); + + ValidatePublicKeyInput build(); + } + + static class BuilderImpl implements Builder { + + protected ECDHCurveSpec eccCurve; + + protected ByteBuffer publicKey; + + protected BuilderImpl() {} + + protected BuilderImpl(ValidatePublicKeyInput model) { + this.eccCurve = model.eccCurve(); + this.publicKey = model.publicKey(); + } + + public Builder eccCurve(ECDHCurveSpec eccCurve) { + this.eccCurve = eccCurve; + return this; + } + + public ECDHCurveSpec eccCurve() { + return this.eccCurve; + } + + public Builder publicKey(ByteBuffer publicKey) { + this.publicKey = publicKey; + return this; + } + + public ByteBuffer publicKey() { + return this.publicKey; + } + + public ValidatePublicKeyInput build() { + if (Objects.isNull(this.eccCurve())) { + throw new IllegalArgumentException( + "Missing value for required field `eccCurve`" + ); + } + if (Objects.isNull(this.publicKey())) { + throw new IllegalArgumentException( + "Missing value for required field `publicKey`" + ); + } + return new ValidatePublicKeyInput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ValidatePublicKeyOutput.java b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ValidatePublicKeyOutput.java new file mode 100644 index 000000000..dc2113edd --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/primitives/model/ValidatePublicKeyOutput.java @@ -0,0 +1,64 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +package software.amazon.cryptography.primitives.model; + +import java.util.Objects; + +public class ValidatePublicKeyOutput { + + private final Boolean success; + + protected ValidatePublicKeyOutput(BuilderImpl builder) { + this.success = builder.success(); + } + + public Boolean success() { + return this.success; + } + + public Builder toBuilder() { + return new BuilderImpl(this); + } + + public static Builder builder() { + return new BuilderImpl(); + } + + public interface Builder { + Builder success(Boolean success); + + Boolean success(); + + ValidatePublicKeyOutput build(); + } + + static class BuilderImpl implements Builder { + + protected Boolean success; + + protected BuilderImpl() {} + + protected BuilderImpl(ValidatePublicKeyOutput model) { + this.success = model.success(); + } + + public Builder success(Boolean success) { + this.success = success; + return this; + } + + public Boolean success() { + return this.success; + } + + public ValidatePublicKeyOutput build() { + if (Objects.isNull(this.success())) { + throw new IllegalArgumentException( + "Missing value for required field `success`" + ); + } + return new ValidatePublicKeyOutput(this); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Extern/ECDH.cs b/AwsCryptographyPrimitives/runtimes/net/Extern/ECDH.cs new file mode 100644 index 000000000..bf2f42f5c --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Extern/ECDH.cs @@ -0,0 +1,376 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + + +using System.Security.Cryptography; +using System.Text; +using Dafny; +using Org.BouncyCastle.Asn1; +using Org.BouncyCastle.Asn1.Pkcs; +using Org.BouncyCastle.Asn1.Sec; +using Org.BouncyCastle.Asn1.X509; +using Org.BouncyCastle.Asn1.X9; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Agreement; +using Org.BouncyCastle.Crypto.Generators; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Crypto.Signers; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.OpenSsl; +using Org.BouncyCastle.Security; +using Org.BouncyCastle.Utilities; +using Org.BouncyCastle.Utilities.IO.Pem; +using Org.BouncyCastle.X509; +using software.amazon.cryptography.primitives.internaldafny.types; +using Wrappers_Compile; +using icharseq = Dafny.ISequence; +using ibyteseq = Dafny.ISequence; +using byteseq = Dafny.Sequence; +using _IError = software.amazon.cryptography.primitives.internaldafny.types._IError; +using Asn1Object = ThirdParty.BouncyCastle.Asn1.Asn1Object; +using ECCurve = Org.BouncyCastle.Math.EC.ECCurve; +using ECPoint = Org.BouncyCastle.Math.EC.ECPoint; +using Error_Opaque = software.amazon.cryptography.primitives.internaldafny.types.Error_Opaque; +using PemReader = Org.BouncyCastle.OpenSsl.PemReader; +using PemWriter = Org.BouncyCastle.OpenSsl.PemWriter; +using X509Certificate = System.Security.Cryptography.X509Certificates.X509Certificate; + +namespace ECDH +{ + public partial class KeyGeneration + { + public static _IResult GenerateKeyPair(_IECDHCurveSpec curveSpec) + { + try + { + ECKeyPairGenerator generator = new ECKeyPairGenerator(); + SecureRandom rng = new SecureRandom(); + X9ECParameters p = ECCUtils.GetX9EcParameters(curveSpec); + + var domainParameters = new ECDomainParameters(p.Curve, p.G, p.N, p.H); + generator.Init(new ECKeyGenerationParameters(domainParameters, rng)); + AsymmetricCipherKeyPair kp = generator.GenerateKeyPair(); + ECPublicKeyParameters publicKeyParameters = (ECPublicKeyParameters)kp.Public; + // serialize the public and private keys, and then return them + var publicKey = SerializePublicKey(kp, curveSpec); + byte[] privateKey; + ECCUtils.EncodePrivateKey(kp, out privateKey); + + return new Result_Success(new EccKeyPair(byteseq.FromArray(privateKey), publicKey)); + } + catch (Exception e) + { + return Result + .create_Failure(new Error_Opaque(e)); + } + } + + public static ibyteseq SerializePublicKey(AsymmetricCipherKeyPair kp, _IECDHCurveSpec curveSpec) + { + var lookUpOid = ECCUtils.OidLookUp(curveSpec); + var ecPublicKeyParam = (ECPublicKeyParameters)kp.Public; + var pubInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(ecPublicKeyParam); + + var algId = new AlgorithmIdentifier(pubInfo.Algorithm.Algorithm, new DerObjectIdentifier(lookUpOid.Value)); + var spki = new SubjectPublicKeyInfo(algId, pubInfo.PublicKey); + var spkiPublicKey = spki.GetDerEncoded(); + + return byteseq.FromArray(spkiPublicKey); + } + + } + + public partial class ECCUtils + { + public static _IResult, _IError> GetPublicKey(_IECDHCurveSpec curveSpec, + _IECCPrivateKey privateKey) + { + try + { + X9ECParameters p = GetX9EcParameters(curveSpec); + + ECDomainParameters dp = new ECDomainParameters(p); + ECPrivateKeyParameters skp = ParsePrivateKeyEccPemBytesToPrivateKey(privateKey.dtor_pem.CloneAsArray()); + + BigInteger dpOrder = dp.Curve.Order; + BigInteger skpOrder = skp.Parameters.Curve.Order; + + // Compare the encoded *Order* point in the parsed private key + // to the defined parameters we get from the parameter spec + // look up. This guarantees that we only ever derive the + // public key if these points are equal. + if (dpOrder.CompareTo(skpOrder) != 0) + { + return Result, _IError>.create_Failure( + new Error_AwsCryptographicPrimitivesError(Sequence.FromString("Private Key NOT on configured curve spec.")) + ); + } + + ECPoint Q = dp.G.Multiply(skp.D); + ECPublicKeyParameters parameters = new ECPublicKeyParameters(Q, dp); + + var subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(parameters); + + var lookUpOid = OidLookUp(curveSpec); + var algId = new AlgorithmIdentifier(subjectPublicKeyInfo.Algorithm.Algorithm, new DerObjectIdentifier(lookUpOid.Value)); + var spki = new SubjectPublicKeyInfo(algId, subjectPublicKeyInfo.PublicKey); + var spkiPublicKey = spki.GetDerEncoded(); + return new Result_Success(byteseq.FromArray(spkiPublicKey)); + } + catch (Exception e) + { + return Result, _IError>.create_Failure(new Error_Opaque(e)); + } + + } + + public static Oid OidLookUp(_IECDHCurveSpec curveSpec) + { + Oid o; +#if NETFRAMEWORK + // in .net framework the oid name is different that in .net + if (curveSpec.is_ECC__NIST__P256) + { + o = Oid.FromFriendlyName("ECDSA_P256", OidGroup.All); + } + else if (curveSpec.is_ECC__NIST__P384) + { + o = Oid.FromFriendlyName("ECDSA_P384", OidGroup.All); + } + else if (curveSpec.is_ECC__NIST__P521) + { + o = Oid.FromFriendlyName("ECDSA_P521", OidGroup.All); + } + else + { + throw new Exception("Curve not supported"); + } +#else + if (curveSpec.is_ECC__NIST__P256) + { + o = Oid.FromFriendlyName("secp256r1", OidGroup.All); + } + else if (curveSpec.is_ECC__NIST__P384) + { + o = Oid.FromFriendlyName("secp384r1", OidGroup.All); + } + else if (curveSpec.is_ECC__NIST__P521) + { + o = Oid.FromFriendlyName("secp521r1", OidGroup.All); + } + else + { + throw new Exception("Curve not supported"); + } +#endif + + return o; + } + + public static _IResult ValidatePublicKey(_IECDHCurveSpec curveSpec, + Dafny.ISequence publicKey) + { + try + { + X9ECParameters p = GetX9EcParameters(curveSpec); + + ECDomainParameters dp = new ECDomainParameters(p.Curve, p.G, p.N, p.H); + bool validPublicKey = NistPublicKeyValidationCriteria(publicKey.Elements, dp); + return new Result_Success(validPublicKey); + } + catch (Exception e) + { + return Result.create_Failure(new Error_Opaque(e)); + } + } + + private static bool NistPublicKeyValidationCriteria(byte[] publicKey, ECDomainParameters dp) + { + var spki = SubjectPublicKeyInfo.GetInstance(publicKey); + var spkiPublicKey = spki.PublicKey.GetBytes(); + + + ECPublicKeyParameters publicKeyParameters = new ECPublicKeyParameters(dp.Curve.DecodePoint(spkiPublicKey), dp); + + ECPoint q = publicKeyParameters.Q; + ECPoint pointOnCurve = + publicKeyParameters.Parameters.Curve.ValidatePoint(q.AffineXCoord.ToBigInteger(), + q.AffineYCoord.ToBigInteger()); + + return ValidatePointOnCurveIsNotInfinity(pointOnCurve) && + CoordinateBetweenZeroAndP(pointOnCurve.AffineXCoord.ToBigInteger(), dp.Curve) && + CoordinateBetweenZeroAndP(pointOnCurve.AffineYCoord.ToBigInteger(), dp.Curve); + } + + private static bool ValidatePointOnCurveIsNotInfinity(ECPoint ecPoint) + { + return !ecPoint.IsInfinity; + } + + private static bool CoordinateBetweenZeroAndP(BigInteger coordinate, ECCurve curve) + { + return coordinate.CompareTo(BigInteger.Zero) > 0 && coordinate.CompareTo(curve.Field.Characteristic) < 0; + } + + public static void EncodePrivateKey(AsymmetricCipherKeyPair keyPair, out byte[] privateKeyBytes) + { + using (var stringWriter = new StringWriter()) + { + var pemWriter = new PemWriter(stringWriter); + pemWriter.WriteObject(keyPair.Private); + privateKeyBytes = Encoding.UTF8.GetBytes(stringWriter.ToString()); + } + } + + public static ECPrivateKeyParameters ParsePrivateKeyEccPemBytesToPrivateKey(byte[] pemPrivateKey) + { + return ParsePrivateKeyPemBytes(pemPrivateKey); + } + + private static ECPrivateKeyParameters ParsePrivateKeyPemBytes(byte[] pemPrivateKey) + { + using (var stringReader = new StringReader(Encoding.UTF8.GetString(pemPrivateKey))) + { + switch (new PemReader(stringReader).ReadObject()) + { + // These casts are for correctness. + // This is to return ECPrivateKey parameters, + // and these two types both extend from AsymmetricKeyParameter. + // But also other things do as well (elliptic curves), + // these checks are to make sure that we only get EC keys back. + case AsymmetricCipherKeyPair keypair: + var keyParams = (ECPrivateKeyParameters)keypair.Private; + return keyParams; + case ECPrivateKeyParameters keyParameter: + return keyParameter; + default: + throw new ArgumentException("PEM does not contain an EC private key."); + } + } + } + + public static _IResult ParsePublicKey(ibyteseq dtorPublicKey) + { + try + { + var publicKeyBytes = dtorPublicKey.CloneAsArray(); + var subjectPublicKeyInfo = SubjectPublicKeyInfo.GetInstance(publicKeyBytes); + var derEncodedPublicKey = subjectPublicKeyInfo.GetDerEncoded(); + return new Result_Success(byteseq.FromArray(derEncodedPublicKey)); + } + catch (Exception e) + { + return Result.create_Failure( + new Error_AwsCryptographicPrimitivesError(Sequence.FromArray(e.Message.ToCharArray())) + ); + } + } + + public static _IResult DecompressPublicKey(ibyteseq dtorCompressedPublicKey, _IECDHCurveSpec dtorEccCurve) + { + try + { + X9ECParameters p = GetX9EcParameters(dtorEccCurve); + + ECDomainParameters dp = new ECDomainParameters(p.Curve, p.G, p.N, p.H); + var compressedPublicKeyBytes = dtorCompressedPublicKey.CloneAsArray(); + ECPoint compressedPoint = dp.Curve.DecodePoint(compressedPublicKeyBytes); + ECPublicKeyParameters publicKeyParameters = new ECPublicKeyParameters(compressedPoint, dp); + var lookUpOid = OidLookUp(dtorEccCurve); + var pubInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKeyParameters); + + var algId = new AlgorithmIdentifier(pubInfo.Algorithm.Algorithm, new DerObjectIdentifier(lookUpOid.Value)); + var spki = new SubjectPublicKeyInfo(algId, pubInfo.PublicKey); + var spkiPublicKey = spki.GetDerEncoded(); + return new Result_Success(byteseq.FromArray(spkiPublicKey)); + } + catch (Exception e) + { + return Result, _IError>.create_Failure(new Error_Opaque(e)); + } + } + + + public static _IResult CompressPublicKey(ibyteseq dafnyPublicKey, _IECDHCurveSpec dtorEccCurve) + { + try + { + X9ECParameters p = GetX9EcParameters(dtorEccCurve); + + ECDomainParameters dp = new ECDomainParameters(p.Curve, p.G, p.N, p.H); + var spki = SubjectPublicKeyInfo.GetInstance(dafnyPublicKey.CloneAsArray()); + var spkiPublicKey = spki.PublicKey.GetBytes(); + + ECPublicKeyParameters publicKeyParameters = new ECPublicKeyParameters(dp.Curve.DecodePoint(spkiPublicKey), dp); + return new Result_Success(byteseq.FromArray(publicKeyParameters.Q.GetEncoded(true))); + } + catch (Exception e) + { + return Result, _IError>.create_Failure(new Error_Opaque(e)); + } + } + + public static X9ECParameters GetX9EcParameters(_IECDHCurveSpec dtorEccCurve) + { + X9ECParameters p; + if (dtorEccCurve.is_ECC__NIST__P256) + { + p = ECNamedCurveTable.GetByName("secp256r1"); + } + else if (dtorEccCurve.is_ECC__NIST__P384) + { + p = ECNamedCurveTable.GetByName("secp384r1"); + } + else if (dtorEccCurve.is_ECC__NIST__P521) + { + p = ECNamedCurveTable.GetByName("secp521r1"); + } + else + { + throw new Exception($"Unsupported ECC Algorithm: {dtorEccCurve}"); + } + return p; + } + } + + public partial class DeriveSharedSecret + { + public static _IResult, _IError> CalculateSharedSecret(_IECDHCurveSpec curveSpec, + _IECCPrivateKey dafnyPrivateKey, _IECCPublicKey dafnyPublicKey) + { + try + { + X9ECParameters p = ECCUtils.GetX9EcParameters(curveSpec); + + ECDomainParameters dp = new ECDomainParameters(p.Curve, p.G, p.N, p.H); + ECPrivateKeyParameters skp = new ECPrivateKeyParameters(ECCUtils.ParsePrivateKeyEccPemBytesToPrivateKey(dafnyPrivateKey.dtor_pem.CloneAsArray()).D, dp); + + ECPoint pt = p.Curve.DecodePoint(_fromBytesPublicKey((byte[])dafnyPublicKey.dtor_der.Elements.Clone(), dp)); + ECPublicKeyParameters rkp = new ECPublicKeyParameters(pt, dp); + + var ecdhKeyAgreement = new ECDHBasicAgreement(); + ecdhKeyAgreement.Init(skp); + // Calling ToByteArray or ToUnsignedByteArray does not always work + // because of the way the size of the array is calculated in .net + // This can lead to different shared secrets that are off by a byte. + var sharedSecret = ecdhKeyAgreement.CalculateAgreement(rkp); + // Doing this specific conversion lets us tell .NET that we should be expecting a fixed-size array. + var keyAgreement = BigIntegers.AsUnsignedByteArray(ecdhKeyAgreement.GetFieldSize(), sharedSecret); + + return new Result_Success(byteseq.FromArray(keyAgreement)); + } + catch (Exception e) + { + return Result, _IError>.create_Failure(new Error_Opaque(e)); + } + } + private static byte[] _fromBytesPublicKey(byte[] publicKeyBytes, ECDomainParameters dp) + { + var spki = SubjectPublicKeyInfo.GetInstance(publicKeyBytes); + var spkiPublicKey = spki.PublicKey.GetBytes(); + + ECPublicKeyParameters publicKeyParameters = new ECPublicKeyParameters(dp.Curve.DecodePoint(spkiPublicKey), dp); + return publicKeyParameters.Q.GetEncoded(); + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/AtomicPrimitives.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/AtomicPrimitives.cs index 5d6631404..b217f19a5 100644 --- a/AwsCryptographyPrimitives/runtimes/net/Generated/AtomicPrimitives.cs +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/AtomicPrimitives.cs @@ -145,5 +145,54 @@ public bool ECDSAVerify(AWS.Cryptography.Primitives.ECDSAVerifyInput input) if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); return TypeConversion.FromDafny_N3_aws__N12_cryptography__N10_primitives__S17_ECDSAVerifyOutput(result.dtor_value); } + public AWS.Cryptography.Primitives.GenerateECCKeyPairOutput GenerateECCKeyPair(AWS.Cryptography.Primitives.GenerateECCKeyPairInput input) + { + software.amazon.cryptography.primitives.internaldafny.types._IGenerateECCKeyPairInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_GenerateECCKeyPairInput(input); + Wrappers_Compile._IResult result = _impl.GenerateECCKeyPair(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput(result.dtor_value); + } + public AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyOutput GetPublicKeyFromPrivateKey(AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyInput input) + { + software.amazon.cryptography.primitives.internaldafny.types._IGetPublicKeyFromPrivateKeyInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput(input); + Wrappers_Compile._IResult result = _impl.GetPublicKeyFromPrivateKey(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput(result.dtor_value); + } + public AWS.Cryptography.Primitives.ValidatePublicKeyOutput ValidatePublicKey(AWS.Cryptography.Primitives.ValidatePublicKeyInput input) + { + software.amazon.cryptography.primitives.internaldafny.types._IValidatePublicKeyInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput(input); + Wrappers_Compile._IResult result = _impl.ValidatePublicKey(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_ValidatePublicKeyOutput(result.dtor_value); + } + public AWS.Cryptography.Primitives.DeriveSharedSecretOutput DeriveSharedSecret(AWS.Cryptography.Primitives.DeriveSharedSecretInput input) + { + software.amazon.cryptography.primitives.internaldafny.types._IDeriveSharedSecretInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput(input); + Wrappers_Compile._IResult result = _impl.DeriveSharedSecret(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DeriveSharedSecretOutput(result.dtor_value); + } + public AWS.Cryptography.Primitives.CompressPublicKeyOutput CompressPublicKey(AWS.Cryptography.Primitives.CompressPublicKeyInput input) + { + software.amazon.cryptography.primitives.internaldafny.types._ICompressPublicKeyInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput(input); + Wrappers_Compile._IResult result = _impl.CompressPublicKey(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_CompressPublicKeyOutput(result.dtor_value); + } + public AWS.Cryptography.Primitives.DecompressPublicKeyOutput DecompressPublicKey(AWS.Cryptography.Primitives.DecompressPublicKeyInput input) + { + software.amazon.cryptography.primitives.internaldafny.types._IDecompressPublicKeyInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput(input); + Wrappers_Compile._IResult result = _impl.DecompressPublicKey(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N10_primitives__S25_DecompressPublicKeyOutput(result.dtor_value); + } + public AWS.Cryptography.Primitives.ParsePublicKeyOutput ParsePublicKey(AWS.Cryptography.Primitives.ParsePublicKeyInput input) + { + software.amazon.cryptography.primitives.internaldafny.types._IParsePublicKeyInput internalInput = TypeConversion.ToDafny_N3_aws__N12_cryptography__N10_primitives__S19_ParsePublicKeyInput(input); + Wrappers_Compile._IResult result = _impl.ParsePublicKey(internalInput); + if (result.is_Failure) throw TypeConversion.FromDafny_CommonError(result.dtor_error); + return TypeConversion.FromDafny_N3_aws__N12_cryptography__N10_primitives__S20_ParsePublicKeyOutput(result.dtor_value); + } } } diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/CompressPublicKeyInput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/CompressPublicKeyInput.cs new file mode 100644 index 000000000..3d7906058 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/CompressPublicKeyInput.cs @@ -0,0 +1,37 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class CompressPublicKeyInput + { + private AWS.Cryptography.Primitives.ECCPublicKey _publicKey; + private AWS.Cryptography.Primitives.ECDHCurveSpec _eccCurve; + public AWS.Cryptography.Primitives.ECCPublicKey PublicKey + { + get { return this._publicKey; } + set { this._publicKey = value; } + } + public bool IsSetPublicKey() + { + return this._publicKey != null; + } + public AWS.Cryptography.Primitives.ECDHCurveSpec EccCurve + { + get { return this._eccCurve; } + set { this._eccCurve = value; } + } + public bool IsSetEccCurve() + { + return this._eccCurve != null; + } + public void Validate() + { + if (!IsSetPublicKey()) throw new System.ArgumentException("Missing value for required property 'PublicKey'"); + if (!IsSetEccCurve()) throw new System.ArgumentException("Missing value for required property 'EccCurve'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/CompressPublicKeyOutput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/CompressPublicKeyOutput.cs new file mode 100644 index 000000000..3dcdd95b0 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/CompressPublicKeyOutput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class CompressPublicKeyOutput + { + private System.IO.MemoryStream _compressedPublicKey; + public System.IO.MemoryStream CompressedPublicKey + { + get { return this._compressedPublicKey; } + set { this._compressedPublicKey = value; } + } + public bool IsSetCompressedPublicKey() + { + return this._compressedPublicKey != null; + } + public void Validate() + { + if (!IsSetCompressedPublicKey()) throw new System.ArgumentException("Missing value for required property 'CompressedPublicKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/DecompressPublicKeyInput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/DecompressPublicKeyInput.cs new file mode 100644 index 000000000..f5febc176 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/DecompressPublicKeyInput.cs @@ -0,0 +1,37 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class DecompressPublicKeyInput + { + private System.IO.MemoryStream _compressedPublicKey; + private AWS.Cryptography.Primitives.ECDHCurveSpec _eccCurve; + public System.IO.MemoryStream CompressedPublicKey + { + get { return this._compressedPublicKey; } + set { this._compressedPublicKey = value; } + } + public bool IsSetCompressedPublicKey() + { + return this._compressedPublicKey != null; + } + public AWS.Cryptography.Primitives.ECDHCurveSpec EccCurve + { + get { return this._eccCurve; } + set { this._eccCurve = value; } + } + public bool IsSetEccCurve() + { + return this._eccCurve != null; + } + public void Validate() + { + if (!IsSetCompressedPublicKey()) throw new System.ArgumentException("Missing value for required property 'CompressedPublicKey'"); + if (!IsSetEccCurve()) throw new System.ArgumentException("Missing value for required property 'EccCurve'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/DecompressPublicKeyOutput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/DecompressPublicKeyOutput.cs new file mode 100644 index 000000000..f48bfd8e7 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/DecompressPublicKeyOutput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class DecompressPublicKeyOutput + { + private AWS.Cryptography.Primitives.ECCPublicKey _publicKey; + public AWS.Cryptography.Primitives.ECCPublicKey PublicKey + { + get { return this._publicKey; } + set { this._publicKey = value; } + } + public bool IsSetPublicKey() + { + return this._publicKey != null; + } + public void Validate() + { + if (!IsSetPublicKey()) throw new System.ArgumentException("Missing value for required property 'PublicKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/DeriveSharedSecretInput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/DeriveSharedSecretInput.cs new file mode 100644 index 000000000..88442a3cd --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/DeriveSharedSecretInput.cs @@ -0,0 +1,48 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class DeriveSharedSecretInput + { + private AWS.Cryptography.Primitives.ECDHCurveSpec _eccCurve; + private AWS.Cryptography.Primitives.ECCPrivateKey _privateKey; + private AWS.Cryptography.Primitives.ECCPublicKey _publicKey; + public AWS.Cryptography.Primitives.ECDHCurveSpec EccCurve + { + get { return this._eccCurve; } + set { this._eccCurve = value; } + } + public bool IsSetEccCurve() + { + return this._eccCurve != null; + } + public AWS.Cryptography.Primitives.ECCPrivateKey PrivateKey + { + get { return this._privateKey; } + set { this._privateKey = value; } + } + public bool IsSetPrivateKey() + { + return this._privateKey != null; + } + public AWS.Cryptography.Primitives.ECCPublicKey PublicKey + { + get { return this._publicKey; } + set { this._publicKey = value; } + } + public bool IsSetPublicKey() + { + return this._publicKey != null; + } + public void Validate() + { + if (!IsSetEccCurve()) throw new System.ArgumentException("Missing value for required property 'EccCurve'"); + if (!IsSetPrivateKey()) throw new System.ArgumentException("Missing value for required property 'PrivateKey'"); + if (!IsSetPublicKey()) throw new System.ArgumentException("Missing value for required property 'PublicKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/DeriveSharedSecretOutput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/DeriveSharedSecretOutput.cs new file mode 100644 index 000000000..358779cc3 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/DeriveSharedSecretOutput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class DeriveSharedSecretOutput + { + private System.IO.MemoryStream _sharedSecret; + public System.IO.MemoryStream SharedSecret + { + get { return this._sharedSecret; } + set { this._sharedSecret = value; } + } + public bool IsSetSharedSecret() + { + return this._sharedSecret != null; + } + public void Validate() + { + if (!IsSetSharedSecret()) throw new System.ArgumentException("Missing value for required property 'SharedSecret'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/ECCPrivateKey.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/ECCPrivateKey.cs new file mode 100644 index 000000000..e6a830722 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/ECCPrivateKey.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class ECCPrivateKey + { + private System.IO.MemoryStream _pem; + public System.IO.MemoryStream Pem + { + get { return this._pem; } + set { this._pem = value; } + } + public bool IsSetPem() + { + return this._pem != null; + } + public void Validate() + { + if (!IsSetPem()) throw new System.ArgumentException("Missing value for required property 'Pem'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/ECCPublicKey.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/ECCPublicKey.cs new file mode 100644 index 000000000..9bc13cd11 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/ECCPublicKey.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class ECCPublicKey + { + private System.IO.MemoryStream _der; + public System.IO.MemoryStream Der + { + get { return this._der; } + set { this._der = value; } + } + public bool IsSetDer() + { + return this._der != null; + } + public void Validate() + { + if (!IsSetDer()) throw new System.ArgumentException("Missing value for required property 'Der'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/ECDHCurveSpec.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/ECDHCurveSpec.cs new file mode 100644 index 000000000..6c7ee0d72 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/ECDHCurveSpec.cs @@ -0,0 +1,25 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + using Amazon.Runtime; + public class ECDHCurveSpec : ConstantClass + { + + + public static readonly ECDHCurveSpec ECC_NIST_P256 = new ECDHCurveSpec("ECC_NIST_P256"); + + public static readonly ECDHCurveSpec ECC_NIST_P384 = new ECDHCurveSpec("ECC_NIST_P384"); + + public static readonly ECDHCurveSpec ECC_NIST_P521 = new ECDHCurveSpec("ECC_NIST_P521"); + + public static readonly ECDHCurveSpec SM2 = new ECDHCurveSpec("SM2"); + public static readonly ECDHCurveSpec[] Values = { + ECC_NIST_P256 , ECC_NIST_P384 , ECC_NIST_P521 , SM2 +}; + public ECDHCurveSpec(string value) : base(value) { } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/GenerateECCKeyPairInput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/GenerateECCKeyPairInput.cs new file mode 100644 index 000000000..a93cd7323 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/GenerateECCKeyPairInput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class GenerateECCKeyPairInput + { + private AWS.Cryptography.Primitives.ECDHCurveSpec _eccCurve; + public AWS.Cryptography.Primitives.ECDHCurveSpec EccCurve + { + get { return this._eccCurve; } + set { this._eccCurve = value; } + } + public bool IsSetEccCurve() + { + return this._eccCurve != null; + } + public void Validate() + { + if (!IsSetEccCurve()) throw new System.ArgumentException("Missing value for required property 'EccCurve'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/GenerateECCKeyPairOutput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/GenerateECCKeyPairOutput.cs new file mode 100644 index 000000000..3441c6ec3 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/GenerateECCKeyPairOutput.cs @@ -0,0 +1,48 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class GenerateECCKeyPairOutput + { + private AWS.Cryptography.Primitives.ECDHCurveSpec _eccCurve; + private AWS.Cryptography.Primitives.ECCPrivateKey _privateKey; + private AWS.Cryptography.Primitives.ECCPublicKey _publicKey; + public AWS.Cryptography.Primitives.ECDHCurveSpec EccCurve + { + get { return this._eccCurve; } + set { this._eccCurve = value; } + } + public bool IsSetEccCurve() + { + return this._eccCurve != null; + } + public AWS.Cryptography.Primitives.ECCPrivateKey PrivateKey + { + get { return this._privateKey; } + set { this._privateKey = value; } + } + public bool IsSetPrivateKey() + { + return this._privateKey != null; + } + public AWS.Cryptography.Primitives.ECCPublicKey PublicKey + { + get { return this._publicKey; } + set { this._publicKey = value; } + } + public bool IsSetPublicKey() + { + return this._publicKey != null; + } + public void Validate() + { + if (!IsSetEccCurve()) throw new System.ArgumentException("Missing value for required property 'EccCurve'"); + if (!IsSetPrivateKey()) throw new System.ArgumentException("Missing value for required property 'PrivateKey'"); + if (!IsSetPublicKey()) throw new System.ArgumentException("Missing value for required property 'PublicKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/GetPublicKeyFromPrivateKeyInput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/GetPublicKeyFromPrivateKeyInput.cs new file mode 100644 index 000000000..6c243949e --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/GetPublicKeyFromPrivateKeyInput.cs @@ -0,0 +1,37 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class GetPublicKeyFromPrivateKeyInput + { + private AWS.Cryptography.Primitives.ECDHCurveSpec _eccCurve; + private AWS.Cryptography.Primitives.ECCPrivateKey _privateKey; + public AWS.Cryptography.Primitives.ECDHCurveSpec EccCurve + { + get { return this._eccCurve; } + set { this._eccCurve = value; } + } + public bool IsSetEccCurve() + { + return this._eccCurve != null; + } + public AWS.Cryptography.Primitives.ECCPrivateKey PrivateKey + { + get { return this._privateKey; } + set { this._privateKey = value; } + } + public bool IsSetPrivateKey() + { + return this._privateKey != null; + } + public void Validate() + { + if (!IsSetEccCurve()) throw new System.ArgumentException("Missing value for required property 'EccCurve'"); + if (!IsSetPrivateKey()) throw new System.ArgumentException("Missing value for required property 'PrivateKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/GetPublicKeyFromPrivateKeyOutput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/GetPublicKeyFromPrivateKeyOutput.cs new file mode 100644 index 000000000..6e1a43577 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/GetPublicKeyFromPrivateKeyOutput.cs @@ -0,0 +1,48 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class GetPublicKeyFromPrivateKeyOutput + { + private AWS.Cryptography.Primitives.ECDHCurveSpec _eccCurve; + private AWS.Cryptography.Primitives.ECCPrivateKey _privateKey; + private System.IO.MemoryStream _publicKey; + public AWS.Cryptography.Primitives.ECDHCurveSpec EccCurve + { + get { return this._eccCurve; } + set { this._eccCurve = value; } + } + public bool IsSetEccCurve() + { + return this._eccCurve != null; + } + public AWS.Cryptography.Primitives.ECCPrivateKey PrivateKey + { + get { return this._privateKey; } + set { this._privateKey = value; } + } + public bool IsSetPrivateKey() + { + return this._privateKey != null; + } + public System.IO.MemoryStream PublicKey + { + get { return this._publicKey; } + set { this._publicKey = value; } + } + public bool IsSetPublicKey() + { + return this._publicKey != null; + } + public void Validate() + { + if (!IsSetEccCurve()) throw new System.ArgumentException("Missing value for required property 'EccCurve'"); + if (!IsSetPrivateKey()) throw new System.ArgumentException("Missing value for required property 'PrivateKey'"); + if (!IsSetPublicKey()) throw new System.ArgumentException("Missing value for required property 'PublicKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/ParsePublicKeyInput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/ParsePublicKeyInput.cs new file mode 100644 index 000000000..d1e660b36 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/ParsePublicKeyInput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class ParsePublicKeyInput + { + private System.IO.MemoryStream _publicKey; + public System.IO.MemoryStream PublicKey + { + get { return this._publicKey; } + set { this._publicKey = value; } + } + public bool IsSetPublicKey() + { + return this._publicKey != null; + } + public void Validate() + { + if (!IsSetPublicKey()) throw new System.ArgumentException("Missing value for required property 'PublicKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/ParsePublicKeyOutput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/ParsePublicKeyOutput.cs new file mode 100644 index 000000000..9c2fd28a8 --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/ParsePublicKeyOutput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class ParsePublicKeyOutput + { + private AWS.Cryptography.Primitives.ECCPublicKey _publicKey; + public AWS.Cryptography.Primitives.ECCPublicKey PublicKey + { + get { return this._publicKey; } + set { this._publicKey = value; } + } + public bool IsSetPublicKey() + { + return this._publicKey != null; + } + public void Validate() + { + if (!IsSetPublicKey()) throw new System.ArgumentException("Missing value for required property 'PublicKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/TypeConversion.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/TypeConversion.cs index b9936d70f..9cbd7a436 100644 --- a/AwsCryptographyPrimitives/runtimes/net/Generated/TypeConversion.cs +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/TypeConversion.cs @@ -88,6 +88,27 @@ public static software.amazon.cryptography.primitives.internaldafny.types.Error_ ToDafny_N3_aws__N12_cryptography__N10_primitives__S31_AwsCryptographicPrimitivesError__M7_message(value.getMessage()) ); } + public static AWS.Cryptography.Primitives.CompressPublicKeyInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput(software.amazon.cryptography.primitives.internaldafny.types._ICompressPublicKeyInput value) + { + software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyInput)value; AWS.Cryptography.Primitives.CompressPublicKeyInput converted = new AWS.Cryptography.Primitives.CompressPublicKeyInput(); converted.PublicKey = (AWS.Cryptography.Primitives.ECCPublicKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput__M9_publicKey(concrete._publicKey); + converted.EccCurve = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput__M8_eccCurve(concrete._eccCurve); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._ICompressPublicKeyInput ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput(AWS.Cryptography.Primitives.CompressPublicKeyInput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyInput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput__M9_publicKey(value.PublicKey), ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput__M8_eccCurve(value.EccCurve)); + } + public static AWS.Cryptography.Primitives.CompressPublicKeyOutput FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_CompressPublicKeyOutput(software.amazon.cryptography.primitives.internaldafny.types._ICompressPublicKeyOutput value) + { + software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyOutput concrete = (software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyOutput)value; AWS.Cryptography.Primitives.CompressPublicKeyOutput converted = new AWS.Cryptography.Primitives.CompressPublicKeyOutput(); converted.CompressedPublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_CompressPublicKeyOutput__M19_compressedPublicKey(concrete._compressedPublicKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._ICompressPublicKeyOutput ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_CompressPublicKeyOutput(AWS.Cryptography.Primitives.CompressPublicKeyOutput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.CompressPublicKeyOutput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_CompressPublicKeyOutput__M19_compressedPublicKey(value.CompressedPublicKey)); + } public static AWS.Cryptography.Primitives.CryptoConfig FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_CryptoConfig(software.amazon.cryptography.primitives.internaldafny.types._ICryptoConfig value) { software.amazon.cryptography.primitives.internaldafny.types.CryptoConfig concrete = (software.amazon.cryptography.primitives.internaldafny.types.CryptoConfig)value; AWS.Cryptography.Primitives.CryptoConfig converted = new AWS.Cryptography.Primitives.CryptoConfig(); return converted; @@ -98,6 +119,49 @@ public static software.amazon.cryptography.primitives.internaldafny.types._ICryp return new software.amazon.cryptography.primitives.internaldafny.types.CryptoConfig(); } + public static AWS.Cryptography.Primitives.DecompressPublicKeyInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput(software.amazon.cryptography.primitives.internaldafny.types._IDecompressPublicKeyInput value) + { + software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyInput)value; AWS.Cryptography.Primitives.DecompressPublicKeyInput converted = new AWS.Cryptography.Primitives.DecompressPublicKeyInput(); converted.CompressedPublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput__M19_compressedPublicKey(concrete._compressedPublicKey); + converted.EccCurve = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput__M8_eccCurve(concrete._eccCurve); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IDecompressPublicKeyInput ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput(AWS.Cryptography.Primitives.DecompressPublicKeyInput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyInput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput__M19_compressedPublicKey(value.CompressedPublicKey), ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput__M8_eccCurve(value.EccCurve)); + } + public static AWS.Cryptography.Primitives.DecompressPublicKeyOutput FromDafny_N3_aws__N12_cryptography__N10_primitives__S25_DecompressPublicKeyOutput(software.amazon.cryptography.primitives.internaldafny.types._IDecompressPublicKeyOutput value) + { + software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyOutput concrete = (software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyOutput)value; AWS.Cryptography.Primitives.DecompressPublicKeyOutput converted = new AWS.Cryptography.Primitives.DecompressPublicKeyOutput(); converted.PublicKey = (AWS.Cryptography.Primitives.ECCPublicKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S25_DecompressPublicKeyOutput__M9_publicKey(concrete._publicKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IDecompressPublicKeyOutput ToDafny_N3_aws__N12_cryptography__N10_primitives__S25_DecompressPublicKeyOutput(AWS.Cryptography.Primitives.DecompressPublicKeyOutput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.DecompressPublicKeyOutput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S25_DecompressPublicKeyOutput__M9_publicKey(value.PublicKey)); + } + public static AWS.Cryptography.Primitives.DeriveSharedSecretInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput(software.amazon.cryptography.primitives.internaldafny.types._IDeriveSharedSecretInput value) + { + software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretInput)value; AWS.Cryptography.Primitives.DeriveSharedSecretInput converted = new AWS.Cryptography.Primitives.DeriveSharedSecretInput(); converted.EccCurve = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M8_eccCurve(concrete._eccCurve); + converted.PrivateKey = (AWS.Cryptography.Primitives.ECCPrivateKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M10_privateKey(concrete._privateKey); + converted.PublicKey = (AWS.Cryptography.Primitives.ECCPublicKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M9_publicKey(concrete._publicKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IDeriveSharedSecretInput ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput(AWS.Cryptography.Primitives.DeriveSharedSecretInput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretInput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M8_eccCurve(value.EccCurve), ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M10_privateKey(value.PrivateKey), ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M9_publicKey(value.PublicKey)); + } + public static AWS.Cryptography.Primitives.DeriveSharedSecretOutput FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DeriveSharedSecretOutput(software.amazon.cryptography.primitives.internaldafny.types._IDeriveSharedSecretOutput value) + { + software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretOutput concrete = (software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretOutput)value; AWS.Cryptography.Primitives.DeriveSharedSecretOutput converted = new AWS.Cryptography.Primitives.DeriveSharedSecretOutput(); converted.SharedSecret = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DeriveSharedSecretOutput__M12_sharedSecret(concrete._sharedSecret); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IDeriveSharedSecretOutput ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DeriveSharedSecretOutput(AWS.Cryptography.Primitives.DeriveSharedSecretOutput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.DeriveSharedSecretOutput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DeriveSharedSecretOutput__M12_sharedSecret(value.SharedSecret)); + } public static AWS.Cryptography.Primitives.DigestAlgorithm FromDafny_N3_aws__N12_cryptography__N10_primitives__S15_DigestAlgorithm(software.amazon.cryptography.primitives.internaldafny.types._IDigestAlgorithm value) { if (value.is_SHA__512) return AWS.Cryptography.Primitives.DigestAlgorithm.SHA_512; @@ -131,6 +195,22 @@ public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primit { return ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_DigestOutput__M6_digest(value); } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + if (value.is_ECC__NIST__P256) return AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P256; + if (value.is_ECC__NIST__P384) return AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P384; + if (value.is_ECC__NIST__P521) return AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P521; + if (value.is_SM2) return AWS.Cryptography.Primitives.ECDHCurveSpec.SM2; + throw new System.ArgumentException("Invalid AWS.Cryptography.Primitives.ECDHCurveSpec value"); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + if (AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P256.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec.create_ECC__NIST__P256(); + if (AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P384.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec.create_ECC__NIST__P384(); + if (AWS.Cryptography.Primitives.ECDHCurveSpec.ECC_NIST_P521.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec.create_ECC__NIST__P521(); + if (AWS.Cryptography.Primitives.ECDHCurveSpec.SM2.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.ECDHCurveSpec.create_SM2(); + throw new System.ArgumentException("Invalid AWS.Cryptography.Primitives.ECDHCurveSpec value"); + } public static AWS.Cryptography.Primitives.ECDSASignatureAlgorithm FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_ECDSASignatureAlgorithm(software.amazon.cryptography.primitives.internaldafny.types._IECDSASignatureAlgorithm value) { if (value.is_ECDSA__P384) return AWS.Cryptography.Primitives.ECDSASignatureAlgorithm.ECDSA_P384; @@ -184,6 +264,28 @@ public static bool ToDafny_N3_aws__N12_cryptography__N10_primitives__S17_ECDSAVe { return ToDafny_N3_aws__N12_cryptography__N10_primitives__S17_ECDSAVerifyOutput__M7_success(value); } + public static AWS.Cryptography.Primitives.GenerateECCKeyPairInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_GenerateECCKeyPairInput(software.amazon.cryptography.primitives.internaldafny.types._IGenerateECCKeyPairInput value) + { + software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairInput)value; AWS.Cryptography.Primitives.GenerateECCKeyPairInput converted = new AWS.Cryptography.Primitives.GenerateECCKeyPairInput(); converted.EccCurve = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_GenerateECCKeyPairInput__M8_eccCurve(concrete._eccCurve); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IGenerateECCKeyPairInput ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_GenerateECCKeyPairInput(AWS.Cryptography.Primitives.GenerateECCKeyPairInput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairInput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_GenerateECCKeyPairInput__M8_eccCurve(value.EccCurve)); + } + public static AWS.Cryptography.Primitives.GenerateECCKeyPairOutput FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput(software.amazon.cryptography.primitives.internaldafny.types._IGenerateECCKeyPairOutput value) + { + software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairOutput concrete = (software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairOutput)value; AWS.Cryptography.Primitives.GenerateECCKeyPairOutput converted = new AWS.Cryptography.Primitives.GenerateECCKeyPairOutput(); converted.EccCurve = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M8_eccCurve(concrete._eccCurve); + converted.PrivateKey = (AWS.Cryptography.Primitives.ECCPrivateKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M10_privateKey(concrete._privateKey); + converted.PublicKey = (AWS.Cryptography.Primitives.ECCPublicKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M9_publicKey(concrete._publicKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IGenerateECCKeyPairOutput ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput(AWS.Cryptography.Primitives.GenerateECCKeyPairOutput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.GenerateECCKeyPairOutput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M8_eccCurve(value.EccCurve), ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M10_privateKey(value.PrivateKey), ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M9_publicKey(value.PublicKey)); + } public static AWS.Cryptography.Primitives.GenerateECDSASignatureKeyInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S30_GenerateECDSASignatureKeyInput(software.amazon.cryptography.primitives.internaldafny.types._IGenerateECDSASignatureKeyInput value) { software.amazon.cryptography.primitives.internaldafny.types.GenerateECDSASignatureKeyInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.GenerateECDSASignatureKeyInput)value; AWS.Cryptography.Primitives.GenerateECDSASignatureKeyInput converted = new AWS.Cryptography.Primitives.GenerateECDSASignatureKeyInput(); converted.SignatureAlgorithm = (AWS.Cryptography.Primitives.ECDSASignatureAlgorithm)FromDafny_N3_aws__N12_cryptography__N10_primitives__S30_GenerateECDSASignatureKeyInput__M18_signatureAlgorithm(concrete._signatureAlgorithm); return converted; @@ -245,6 +347,29 @@ public static software.amazon.cryptography.primitives.internaldafny.types._IGene return new software.amazon.cryptography.primitives.internaldafny.types.GenerateRSAKeyPairOutput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateRSAKeyPairOutput__M9_publicKey(value.PublicKey), ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateRSAKeyPairOutput__M10_privateKey(value.PrivateKey)); } + public static AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput(software.amazon.cryptography.primitives.internaldafny.types._IGetPublicKeyFromPrivateKeyInput value) + { + software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyInput)value; AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyInput converted = new AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyInput(); converted.EccCurve = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput__M8_eccCurve(concrete._eccCurve); + converted.PrivateKey = (AWS.Cryptography.Primitives.ECCPrivateKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput__M10_privateKey(concrete._privateKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IGetPublicKeyFromPrivateKeyInput ToDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput(AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyInput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyInput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput__M8_eccCurve(value.EccCurve), ToDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput__M10_privateKey(value.PrivateKey)); + } + public static AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyOutput FromDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput(software.amazon.cryptography.primitives.internaldafny.types._IGetPublicKeyFromPrivateKeyOutput value) + { + software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyOutput concrete = (software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyOutput)value; AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyOutput converted = new AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyOutput(); converted.EccCurve = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M8_eccCurve(concrete._eccCurve); + converted.PrivateKey = (AWS.Cryptography.Primitives.ECCPrivateKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M10_privateKey(concrete._privateKey); + converted.PublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M9_publicKey(concrete._publicKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IGetPublicKeyFromPrivateKeyOutput ToDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput(AWS.Cryptography.Primitives.GetPublicKeyFromPrivateKeyOutput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.GetPublicKeyFromPrivateKeyOutput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M8_eccCurve(value.EccCurve), ToDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M10_privateKey(value.PrivateKey), ToDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M9_publicKey(value.PublicKey)); + } public static AWS.Cryptography.Primitives.GetRSAKeyModulusLengthInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S27_GetRSAKeyModulusLengthInput(software.amazon.cryptography.primitives.internaldafny.types._IGetRSAKeyModulusLengthInput value) { software.amazon.cryptography.primitives.internaldafny.types.GetRSAKeyModulusLengthInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.GetRSAKeyModulusLengthInput)value; AWS.Cryptography.Primitives.GetRSAKeyModulusLengthInput converted = new AWS.Cryptography.Primitives.GetRSAKeyModulusLengthInput(); converted.PublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S27_GetRSAKeyModulusLengthInput__M9_publicKey(concrete._publicKey); return converted; @@ -371,6 +496,26 @@ public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primit { return ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_KdfCtrOutput__M3_okm(value); } + public static AWS.Cryptography.Primitives.ParsePublicKeyInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S19_ParsePublicKeyInput(software.amazon.cryptography.primitives.internaldafny.types._IParsePublicKeyInput value) + { + software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyInput)value; AWS.Cryptography.Primitives.ParsePublicKeyInput converted = new AWS.Cryptography.Primitives.ParsePublicKeyInput(); converted.PublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S19_ParsePublicKeyInput__M9_publicKey(concrete._publicKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IParsePublicKeyInput ToDafny_N3_aws__N12_cryptography__N10_primitives__S19_ParsePublicKeyInput(AWS.Cryptography.Primitives.ParsePublicKeyInput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyInput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S19_ParsePublicKeyInput__M9_publicKey(value.PublicKey)); + } + public static AWS.Cryptography.Primitives.ParsePublicKeyOutput FromDafny_N3_aws__N12_cryptography__N10_primitives__S20_ParsePublicKeyOutput(software.amazon.cryptography.primitives.internaldafny.types._IParsePublicKeyOutput value) + { + software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyOutput concrete = (software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyOutput)value; AWS.Cryptography.Primitives.ParsePublicKeyOutput converted = new AWS.Cryptography.Primitives.ParsePublicKeyOutput(); converted.PublicKey = (AWS.Cryptography.Primitives.ECCPublicKey)FromDafny_N3_aws__N12_cryptography__N10_primitives__S20_ParsePublicKeyOutput__M9_publicKey(concrete._publicKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IParsePublicKeyOutput ToDafny_N3_aws__N12_cryptography__N10_primitives__S20_ParsePublicKeyOutput(AWS.Cryptography.Primitives.ParsePublicKeyOutput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.ParsePublicKeyOutput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S20_ParsePublicKeyOutput__M9_publicKey(value.PublicKey)); + } public static AWS.Cryptography.Primitives.RSADecryptInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S15_RSADecryptInput(software.amazon.cryptography.primitives.internaldafny.types._IRSADecryptInput value) { software.amazon.cryptography.primitives.internaldafny.types.RSADecryptInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.RSADecryptInput)value; AWS.Cryptography.Primitives.RSADecryptInput converted = new AWS.Cryptography.Primitives.RSADecryptInput(); converted.Padding = (AWS.Cryptography.Primitives.RSAPaddingMode)FromDafny_N3_aws__N12_cryptography__N10_primitives__S15_RSADecryptInput__M7_padding(concrete._padding); @@ -429,6 +574,27 @@ public static software.amazon.cryptography.primitives.internaldafny.types._IRSAP if (AWS.Cryptography.Primitives.RSAPaddingMode.OAEP_SHA512.Equals(value)) return software.amazon.cryptography.primitives.internaldafny.types.RSAPaddingMode.create_OAEP__SHA512(); throw new System.ArgumentException("Invalid AWS.Cryptography.Primitives.RSAPaddingMode value"); } + public static AWS.Cryptography.Primitives.ValidatePublicKeyInput FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput(software.amazon.cryptography.primitives.internaldafny.types._IValidatePublicKeyInput value) + { + software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyInput concrete = (software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyInput)value; AWS.Cryptography.Primitives.ValidatePublicKeyInput converted = new AWS.Cryptography.Primitives.ValidatePublicKeyInput(); converted.EccCurve = (AWS.Cryptography.Primitives.ECDHCurveSpec)FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput__M8_eccCurve(concrete._eccCurve); + converted.PublicKey = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput__M9_publicKey(concrete._publicKey); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IValidatePublicKeyInput ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput(AWS.Cryptography.Primitives.ValidatePublicKeyInput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyInput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput__M8_eccCurve(value.EccCurve), ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput__M9_publicKey(value.PublicKey)); + } + public static AWS.Cryptography.Primitives.ValidatePublicKeyOutput FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_ValidatePublicKeyOutput(software.amazon.cryptography.primitives.internaldafny.types._IValidatePublicKeyOutput value) + { + software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyOutput concrete = (software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyOutput)value; AWS.Cryptography.Primitives.ValidatePublicKeyOutput converted = new AWS.Cryptography.Primitives.ValidatePublicKeyOutput(); converted.Success = (bool)FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_ValidatePublicKeyOutput__M7_success(concrete._success); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IValidatePublicKeyOutput ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_ValidatePublicKeyOutput(AWS.Cryptography.Primitives.ValidatePublicKeyOutput value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.ValidatePublicKeyOutput(ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_ValidatePublicKeyOutput__M7_success(value.Success)); + } public static AWS.Cryptography.Primitives.AES_GCM FromDafny_N3_aws__N12_cryptography__N10_primitives__S15_AESDecryptInput__M6_encAlg(software.amazon.cryptography.primitives.internaldafny.types._IAES__GCM value) { return FromDafny_N3_aws__N12_cryptography__N10_primitives__S7_AES_GCM(value); @@ -581,6 +747,86 @@ public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primit { return ToDafny_N6_smithy__N3_api__S6_String(value); } + public static AWS.Cryptography.Primitives.ECCPublicKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput__M9_publicKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput__M9_publicKey(AWS.Cryptography.Primitives.ECCPublicKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput__M8_eccCurve(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_CompressPublicKeyInput__M8_eccCurve(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_CompressPublicKeyOutput__M19_compressedPublicKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_CompressPublicKeyOutput__M19_compressedPublicKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput__M19_compressedPublicKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput__M19_compressedPublicKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput__M8_eccCurve(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DecompressPublicKeyInput__M8_eccCurve(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static AWS.Cryptography.Primitives.ECCPublicKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S25_DecompressPublicKeyOutput__M9_publicKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S25_DecompressPublicKeyOutput__M9_publicKey(AWS.Cryptography.Primitives.ECCPublicKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M8_eccCurve(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M8_eccCurve(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static AWS.Cryptography.Primitives.ECCPrivateKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M10_privateKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M10_privateKey(AWS.Cryptography.Primitives.ECCPrivateKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(value); + } + public static AWS.Cryptography.Primitives.ECCPublicKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M9_publicKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_DeriveSharedSecretInput__M9_publicKey(AWS.Cryptography.Primitives.ECCPublicKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_DeriveSharedSecretOutput__M12_sharedSecret(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_DeriveSharedSecretOutput__M12_sharedSecret(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } public static AWS.Cryptography.Primitives.DigestAlgorithm FromDafny_N3_aws__N12_cryptography__N10_primitives__S11_DigestInput__M15_digestAlgorithm(software.amazon.cryptography.primitives.internaldafny.types._IDigestAlgorithm value) { return FromDafny_N3_aws__N12_cryptography__N10_primitives__S15_DigestAlgorithm(value); @@ -677,6 +923,38 @@ public static bool ToDafny_N3_aws__N12_cryptography__N10_primitives__S17_ECDSAVe { return ToDafny_N6_smithy__N3_api__S7_Boolean(value); } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_GenerateECCKeyPairInput__M8_eccCurve(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_GenerateECCKeyPairInput__M8_eccCurve(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M8_eccCurve(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M8_eccCurve(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static AWS.Cryptography.Primitives.ECCPrivateKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M10_privateKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M10_privateKey(AWS.Cryptography.Primitives.ECCPrivateKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(value); + } + public static AWS.Cryptography.Primitives.ECCPublicKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M9_publicKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S24_GenerateECCKeyPairOutput__M9_publicKey(AWS.Cryptography.Primitives.ECCPublicKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } public static AWS.Cryptography.Primitives.ECDSASignatureAlgorithm FromDafny_N3_aws__N12_cryptography__N10_primitives__S30_GenerateECDSASignatureKeyInput__M18_signatureAlgorithm(software.amazon.cryptography.primitives.internaldafny.types._IECDSASignatureAlgorithm value) { return FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_ECDSASignatureAlgorithm(value); @@ -749,6 +1027,46 @@ public static software.amazon.cryptography.primitives.internaldafny.types._IRSAP { return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_RSAPrivateKey(value); } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput__M8_eccCurve(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput__M8_eccCurve(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static AWS.Cryptography.Primitives.ECCPrivateKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput__M10_privateKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S31_GetPublicKeyFromPrivateKeyInput__M10_privateKey(AWS.Cryptography.Primitives.ECCPrivateKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(value); + } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M8_eccCurve(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M8_eccCurve(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static AWS.Cryptography.Primitives.ECCPrivateKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M10_privateKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M10_privateKey(AWS.Cryptography.Primitives.ECCPrivateKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M9_publicKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primitives__S32_GetPublicKeyFromPrivateKeyOutput__M9_publicKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S27_GetRSAKeyModulusLengthInput__M9_publicKey(Dafny.ISequence value) { return FromDafny_N6_smithy__N3_api__S4_Blob(value); @@ -965,6 +1283,22 @@ public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primit { return ToDafny_N6_smithy__N3_api__S4_Blob(value); } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S19_ParsePublicKeyInput__M9_publicKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primitives__S19_ParsePublicKeyInput__M9_publicKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static AWS.Cryptography.Primitives.ECCPublicKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S20_ParsePublicKeyOutput__M9_publicKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S20_ParsePublicKeyOutput__M9_publicKey(AWS.Cryptography.Primitives.ECCPublicKey value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(value); + } public static AWS.Cryptography.Primitives.RSAPaddingMode FromDafny_N3_aws__N12_cryptography__N10_primitives__S15_RSADecryptInput__M7_padding(software.amazon.cryptography.primitives.internaldafny.types._IRSAPaddingMode value) { return FromDafny_N3_aws__N12_cryptography__N10_primitives__S14_RSAPaddingMode(value); @@ -1029,6 +1363,30 @@ public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primit { return ToDafny_N6_smithy__N3_api__S4_Blob(value); } + public static AWS.Cryptography.Primitives.ECDHCurveSpec FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput__M8_eccCurve(software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec value) + { + return FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECDHCurveSpec ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput__M8_eccCurve(AWS.Cryptography.Primitives.ECDHCurveSpec value) + { + return ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECDHCurveSpec(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput__M9_publicKey(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primitives__S22_ValidatePublicKeyInput__M9_publicKey(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static bool FromDafny_N3_aws__N12_cryptography__N10_primitives__S23_ValidatePublicKeyOutput__M7_success(bool value) + { + return FromDafny_N6_smithy__N3_api__S7_Boolean(value); + } + public static bool ToDafny_N3_aws__N12_cryptography__N10_primitives__S23_ValidatePublicKeyOutput__M7_success(bool value) + { + return ToDafny_N6_smithy__N3_api__S7_Boolean(value); + } public static AWS.Cryptography.Primitives.AES_GCM FromDafny_N3_aws__N12_cryptography__N10_primitives__S7_AES_GCM(software.amazon.cryptography.primitives.internaldafny.types._IAES__GCM value) { software.amazon.cryptography.primitives.internaldafny.types.AES__GCM concrete = (software.amazon.cryptography.primitives.internaldafny.types.AES__GCM)value; AWS.Cryptography.Primitives.AES_GCM converted = new AWS.Cryptography.Primitives.AES_GCM(); converted.KeyLength = (int)FromDafny_N3_aws__N12_cryptography__N10_primitives__S7_AES_GCM__M9_keyLength(concrete._keyLength); @@ -1070,6 +1428,26 @@ public static Dafny.ISequence ToDafny_N6_smithy__N3_api__S6_String(string { return Dafny.Sequence.FromString(value); } + public static AWS.Cryptography.Primitives.ECCPublicKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey value) + { + software.amazon.cryptography.primitives.internaldafny.types.ECCPublicKey concrete = (software.amazon.cryptography.primitives.internaldafny.types.ECCPublicKey)value; AWS.Cryptography.Primitives.ECCPublicKey converted = new AWS.Cryptography.Primitives.ECCPublicKey(); converted.Der = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey__M3_der(concrete._der); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPublicKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey(AWS.Cryptography.Primitives.ECCPublicKey value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.ECCPublicKey(ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey__M3_der(value.Der)); + } + public static AWS.Cryptography.Primitives.ECCPrivateKey FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey value) + { + software.amazon.cryptography.primitives.internaldafny.types.ECCPrivateKey concrete = (software.amazon.cryptography.primitives.internaldafny.types.ECCPrivateKey)value; AWS.Cryptography.Primitives.ECCPrivateKey converted = new AWS.Cryptography.Primitives.ECCPrivateKey(); converted.Pem = (System.IO.MemoryStream)FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey__M3_pem(concrete._pem); return converted; + } + public static software.amazon.cryptography.primitives.internaldafny.types._IECCPrivateKey ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey(AWS.Cryptography.Primitives.ECCPrivateKey value) + { + value.Validate(); + + return new software.amazon.cryptography.primitives.internaldafny.types.ECCPrivateKey(ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey__M3_pem(value.Pem)); + } public static bool FromDafny_N6_smithy__N3_api__S7_Boolean(bool value) { return value; @@ -1140,6 +1518,22 @@ public static int ToDafny_N3_aws__N12_cryptography__N10_primitives__S7_AES_GCM__ { return ToDafny_N3_aws__N12_cryptography__N10_primitives__S9_Uint8Bits(value); } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey__M3_der(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primitives__S12_ECCPublicKey__M3_der(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static System.IO.MemoryStream FromDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey__M3_pem(Dafny.ISequence value) + { + return FromDafny_N6_smithy__N3_api__S4_Blob(value); + } + public static Dafny.ISequence ToDafny_N3_aws__N12_cryptography__N10_primitives__S13_ECCPrivateKey__M3_pem(System.IO.MemoryStream value) + { + return ToDafny_N6_smithy__N3_api__S4_Blob(value); + } public static int FromDafny_N3_aws__N12_cryptography__N10_primitives__S12_RSAPublicKey__M10_lengthBits(int value) { return FromDafny_N3_aws__N12_cryptography__N10_primitives__S20_RSAModulusLengthBits(value); diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/ValidatePublicKeyInput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/ValidatePublicKeyInput.cs new file mode 100644 index 000000000..581dfeb6b --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/ValidatePublicKeyInput.cs @@ -0,0 +1,37 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class ValidatePublicKeyInput + { + private AWS.Cryptography.Primitives.ECDHCurveSpec _eccCurve; + private System.IO.MemoryStream _publicKey; + public AWS.Cryptography.Primitives.ECDHCurveSpec EccCurve + { + get { return this._eccCurve; } + set { this._eccCurve = value; } + } + public bool IsSetEccCurve() + { + return this._eccCurve != null; + } + public System.IO.MemoryStream PublicKey + { + get { return this._publicKey; } + set { this._publicKey = value; } + } + public bool IsSetPublicKey() + { + return this._publicKey != null; + } + public void Validate() + { + if (!IsSetEccCurve()) throw new System.ArgumentException("Missing value for required property 'EccCurve'"); + if (!IsSetPublicKey()) throw new System.ArgumentException("Missing value for required property 'PublicKey'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/runtimes/net/Generated/ValidatePublicKeyOutput.cs b/AwsCryptographyPrimitives/runtimes/net/Generated/ValidatePublicKeyOutput.cs new file mode 100644 index 000000000..9a6c8432a --- /dev/null +++ b/AwsCryptographyPrimitives/runtimes/net/Generated/ValidatePublicKeyOutput.cs @@ -0,0 +1,26 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 +// Do not modify this file. This file is machine generated, and any changes to it will be overwritten. +using System; +using AWS.Cryptography.Primitives; +namespace AWS.Cryptography.Primitives +{ + public class ValidatePublicKeyOutput + { + private bool? _success; + public bool Success + { + get { return this._success.GetValueOrDefault(); } + set { this._success = value; } + } + public bool IsSetSuccess() + { + return this._success.HasValue; + } + public void Validate() + { + if (!IsSetSuccess()) throw new System.ArgumentException("Missing value for required property 'Success'"); + + } + } +} diff --git a/AwsCryptographyPrimitives/src/AwsCryptographyPrimitivesOperations.dfy b/AwsCryptographyPrimitives/src/AwsCryptographyPrimitivesOperations.dfy index bf1e6c999..c646dd2c5 100644 --- a/AwsCryptographyPrimitives/src/AwsCryptographyPrimitivesOperations.dfy +++ b/AwsCryptographyPrimitives/src/AwsCryptographyPrimitivesOperations.dfy @@ -11,6 +11,7 @@ include "Digest.dfy" include "RSAEncryption.dfy" include "Signature.dfy" include "AesKdfCtr.dfy" +include "ECDH.dfy" module AwsCryptographyPrimitivesOperations refines AbstractAwsCryptographyPrimitivesOperations { import Random @@ -21,6 +22,7 @@ module AwsCryptographyPrimitivesOperations refines AbstractAwsCryptographyPrimit import Signature import KdfCtr import RSAEncryption + import ECDH datatype Config = Config type InternalConfig = Config @@ -217,4 +219,67 @@ module AwsCryptographyPrimitivesOperations refines AbstractAwsCryptographyPrimit input.signature ); } + + predicate GenerateECCKeyPairEnsuresPublicly(input: GenerateECCKeyPairInput, output: Result) + {true} + + method GenerateECCKeyPair (config: InternalConfig, input: GenerateECCKeyPairInput ) + returns (output: Result) + { + output := ECDH.GenerateEccKeyPair(input); + } + + predicate GetPublicKeyFromPrivateKeyEnsuresPublicly(input: GetPublicKeyFromPrivateKeyInput, output: Result) + {true} + + method GetPublicKeyFromPrivateKey (config: InternalConfig, input: GetPublicKeyFromPrivateKeyInput) + returns (output: Result) + { + output := ECDH.GetPublicKeyFromPrivate(input); + } + + predicate ValidatePublicKeyEnsuresPublicly(input: ValidatePublicKeyInput, output: Result) + {true} + + method ValidatePublicKey(config: InternalConfig, input: ValidatePublicKeyInput) + returns (output: Result) + { + output := ECDH.ValidatePublicKey(input); + } + + predicate DeriveSharedSecretEnsuresPublicly(input: DeriveSharedSecretInput, output: Result) + {true} + + method DeriveSharedSecret(config: InternalConfig, input: DeriveSharedSecretInput) + returns (output: Result) + { + output := ECDH.DeriveSharedSecret(input); + } + + predicate CompressPublicKeyEnsuresPublicly(input: CompressPublicKeyInput, output: Result) + {true} + + method CompressPublicKey(config: InternalConfig, input: CompressPublicKeyInput) + returns (output: Result) + { + output := ECDH.CompressPublicKey(input); + } + + predicate DecompressPublicKeyEnsuresPublicly(input: DecompressPublicKeyInput, output: Result) + {true} + + method DecompressPublicKey(config: InternalConfig, input: DecompressPublicKeyInput) + returns (output: Result) + { + output := ECDH.DecompressPublicKey(input); + } + + predicate ParsePublicKeyEnsuresPublicly(input: ParsePublicKeyInput, output: Result) + {true} + + method ParsePublicKey(config: InternalConfig, input: ParsePublicKeyInput) + returns (output: Result) + { + output := ECDH.ParsePublicKey(input); + } } diff --git a/AwsCryptographyPrimitives/src/ECDH.dfy b/AwsCryptographyPrimitives/src/ECDH.dfy new file mode 100644 index 000000000..77c55279e --- /dev/null +++ b/AwsCryptographyPrimitives/src/ECDH.dfy @@ -0,0 +1,200 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +include "../Model/AwsCryptographyPrimitivesTypes.dfy" + +module {:extern "ECDH"} ECDH { + import opened Wrappers + import opened UInt = StandardLibrary.UInt + import Types = AwsCryptographyPrimitivesTypes + + datatype EccKeyPair = EccKeyPair(privateKey: seq, publicKey: seq) + + method GenerateEccKeyPair( + input: Types.GenerateECCKeyPairInput + ) returns (output: Result) + { + var keyPair :- ExternEccKeyGen(input.eccCurve); + + return Success(Types.GenerateECCKeyPairOutput( + eccCurve := input.eccCurve, + privateKey := Types.ECCPrivateKey(pem := keyPair.privateKey), + publicKey := Types.ECCPublicKey(der := keyPair.publicKey) + )); + } + + method GetPublicKeyFromPrivate( + input: Types.GetPublicKeyFromPrivateKeyInput + ) returns (output: Result) + { + var publicKey :- ExternGetPublicKeyFromPrivate( + input.eccCurve, + input.privateKey + ); + + return Success(Types.GetPublicKeyFromPrivateKeyOutput( + eccCurve := input.eccCurve, + privateKey := input.privateKey, + publicKey := publicKey + )); + } + + method ValidatePublicKey( + input: Types.ValidatePublicKeyInput + ) returns (output: Result) + { + var result :- ExternValidatePublicKey( + input.eccCurve, + input.publicKey + ); + + return Success(Types.ValidatePublicKeyOutput( + success := result + )); + } + + method DeriveSharedSecret( + input: Types.DeriveSharedSecretInput + ) returns (output: Result) + { + var derivedSharedSecret :- ExternDeriveSharedSecret( + input.eccCurve, + input.privateKey, + input.publicKey + ); + + return Success(Types.DeriveSharedSecretOutput( + sharedSecret := derivedSharedSecret)); + } + + method CompressPublicKey( + input: Types.CompressPublicKeyInput + ) returns (output: Result) + { + var compressedPublicKey :- ExternCompressPublicKey( + input.publicKey.der, + input.eccCurve + ); + + return Success(Types.CompressPublicKeyOutput( + compressedPublicKey := compressedPublicKey + )); + } + + method DecompressPublicKey( + input: Types.DecompressPublicKeyInput + ) returns (output: Result) + { + var decompressedPublicKey :- ExternDecompressPublicKey( + input.compressedPublicKey, + input.eccCurve + ); + + return Success(Types.DecompressPublicKeyOutput( + publicKey := Types.ECCPublicKey(der := decompressedPublicKey) + )); + } + + method ParsePublicKey( + input: Types.ParsePublicKeyInput + ) returns (output: Result) + { + var derPublicKey :- ExternParsePublicKey( + input.publicKey + ); + return Success(Types.ParsePublicKeyOutput( + publicKey := Types.ECCPublicKey(der := derPublicKey) + )); + } + + method {:extern "ECDH.KeyGeneration", "GenerateKeyPair"} ExternEccKeyGen( + s: Types.ECDHCurveSpec + ) returns (res: Result) + ensures res.Success? ==> 1 < |res.value.publicKey| <= 8192 + + method {:extern "ECDH.ECCUtils", "GetPublicKey"} ExternGetPublicKeyFromPrivate( + curveAlgorithm: Types.ECDHCurveSpec, + privateKey: Types.ECCPrivateKey + ) returns (res: Result, Types.Error>) + + method {:extern "ECDH.ECCUtils", "ValidatePublicKey"} ExternValidatePublicKey( + curveAlgorithm: Types.ECDHCurveSpec, + publicKey: seq + ) returns (res: Result) + + method {:extern "ECDH.DeriveSharedSecret", "CalculateSharedSecret"} ExternDeriveSharedSecret( + curveAlgorithm: Types.ECDHCurveSpec, + privateKey: Types.ECCPrivateKey, + publicKey: Types.ECCPublicKey + ) returns (res: Result, Types.Error>) + + method {:extern "ECDH.ECCUtils", "CompressPublicKey"} ExternCompressPublicKey( + publicKey: seq, + curveAlgorithm: Types.ECDHCurveSpec + ) returns (res: Result, Types.Error>) + + method {:extern "ECDH.ECCUtils", "DecompressPublicKey"} ExternDecompressPublicKey( + publicKey: seq, + curveAlgorithm: Types.ECDHCurveSpec + ) returns (res: Result, Types.Error>) + + method {:extern "ECDH.ECCUtils", "ParsePublicKey"} ExternParsePublicKey( + publicKey: seq + ) returns (res: Result, Types.Error>) + + function method CreateExternEccKeyGenSuccess(output: EccKeyPair): Result { + Success(output) + } + + function method CreateExternEccKeyGenFailure(error: Types.Error): Result { + Failure(error) + } + + function method CreateExternGetPublicKeyFromPrivateSuccess(output: seq): Result, Types.Error> { + Success(output) + } + + function method CreateExternGetPublicKeyFromPrivateError(error: Types.Error): Result, Types.Error> { + Failure(error) + } + + function method CreateExternValidatePublicKeySuccess(output: bool): Result { + Success(output) + } + + function method CreateExternValidatePublicKeyError(error: Types.Error): Result { + Failure(error) + } + + function method CreateExternDerivesharedSecretSuccess(output: seq): Result, Types.Error> { + Success(output) + } + + function method CreateExternDerivesharedSecretError(error: Types.Error): Result, Types.Error> { + Failure(error) + } + + function method CreateExternCompressPublicKeyError(error: Types.Error): Result, Types.Error> { + Failure(error) + } + + function method CreateExternCompressPublicKeySuccess(output: seq): Result, Types.Error> { + Success(output) + } + + function method CreateExternDecompressPublicKeyError(error: Types.Error): Result, Types.Error> { + Failure(error) + } + + function method CreateExternDecompressPublicKeySuccess(output: seq): Result, Types.Error> { + Success(output) + } + + function method CreateExternParsePublicKeyError(error: Types.Error): Result, Types.Error> { + Failure(error) + } + + function method CreateExternParsePublicKeySuccess(output: seq): Result, Types.Error> { + Success(output) + } +} diff --git a/AwsCryptographyPrimitives/src/KDF/KdfCtr.dfy b/AwsCryptographyPrimitives/src/KDF/KdfCtr.dfy index aa02ff4ee..4c5debe13 100644 --- a/AwsCryptographyPrimitives/src/KDF/KdfCtr.dfy +++ b/AwsCryptographyPrimitives/src/KDF/KdfCtr.dfy @@ -28,16 +28,13 @@ module KdfCtr { returns (output: Result, Types.Error>) ensures output.Success? ==> |output.value| == input.expectedLength as nat { + // currently only SHA 256 and SHA 384 are allowed :- Need( - // Although KDF can support multiple digests; for our use case we only want - // to use SHA 256; we may rethink this if we ever want to support other algorithms - // We are requiring the requested length to be 32 bytes since this is only used for the hierarchy - // keyring it requires to derive a 32 byte key. - && input.digestAlgorithm == Types.DigestAlgorithm.SHA_256 - && |input.ikm| == 32 + && (input.digestAlgorithm == Types.DigestAlgorithm.SHA_256 || input.digestAlgorithm == Types.DigestAlgorithm.SHA_384) + && (|input.ikm| == 32 || |input.ikm| == 48 || |input.ikm| == 66) && input.nonce.Some? - && |input.nonce.value| == 16 - && input.expectedLength == 32 + && (|input.nonce.value| == 16 || |input.nonce.value| == 32) + && (input.expectedLength == 32 || input.expectedLength == 64) && 0 < ((input.expectedLength as int) * 8) as int < INT32_MAX_LIMIT, Types.AwsCryptographicPrimitivesError(message := "Kdf in Counter Mode input is invalid.") ); @@ -63,26 +60,26 @@ module KdfCtr { Types.AwsCryptographicPrimitivesError(message := "PRF input length exceeds INT32_MAX_LIMIT.") ); - okm :- RawDerive(ikm, explicitInfo, input.expectedLength, 0); + okm :- RawDerive(ikm, explicitInfo, input.expectedLength, 0, input.digestAlgorithm); return Success(okm); } - method RawDerive(ikm: seq, explicitInfo: seq, length: int32, offset: int32) + method RawDerive(ikm: seq, explicitInfo: seq, length: int32, offset: int32, digestAlgorithm: Types.DigestAlgorithm) returns (output: Result, Types.Error>) requires - && |ikm| == 32 - && length == 32 + && |ikm| >= 32 + && length > 0 && 4 + |explicitInfo| < INT32_MAX_LIMIT + && (digestAlgorithm == Types.DigestAlgorithm.SHA_256 || digestAlgorithm == Types.DigestAlgorithm.SHA_384) && length as int + Digest.Length(Types.DigestAlgorithm.SHA_256) < INT32_MAX_LIMIT - 1 + && length as int + Digest.Length(Types.DigestAlgorithm.SHA_384) < INT32_MAX_LIMIT - 1 ensures output.Success? ==> |output.value| == length as int { - // We will only support HMAC_SHA256, so no need to support additional Digests - var derivationMac := Types.DigestAlgorithm.SHA_256; - var hmac :- HMAC.HMac.Build(derivationMac); + var hmac :- HMAC.HMac.Build(digestAlgorithm); hmac.Init(key := ikm); - var macLengthBytes := Digest.Length(derivationMac) as int32; // "h" in SP800-108 + var macLengthBytes := Digest.Length(digestAlgorithm) as int32; // "h" in SP800-108 // Number of iterations required to compose output of required length. var iterations := (length + macLengthBytes - 1) / macLengthBytes; // "n" in SP800-108 var buffer := []; diff --git a/AwsCryptographyPrimitives/test/TestECDH.dfy b/AwsCryptographyPrimitives/test/TestECDH.dfy new file mode 100644 index 000000000..05b4f9156 --- /dev/null +++ b/AwsCryptographyPrimitives/test/TestECDH.dfy @@ -0,0 +1,384 @@ +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +include "../src/Index.dfy" +include "../src/ECDH.dfy" + +module TestECDH { + import Aws.Cryptography.Primitives + import opened StandardLibrary.UInt + import Types = Aws.Cryptography.Primitives.Types + import UTF8 + import HexStrings + import opened Wrappers + import ECDH + + const P256 := Types.ECDHCurveSpec.ECC_NIST_P256 + const P384 := Types.ECDHCurveSpec.ECC_NIST_P384 + const P521 := Types.ECDHCurveSpec.ECC_NIST_P521 + // TODO SM2 + + // THESE ARE TESTING RESOURCES; DO NOT USE IN A PROD ENVIRONMENT + // RUN openssl ecparam -name secp256r1 -genkey -noout -out private.pem + const ECC_P256_PRIVATE := "-----BEGIN PRIVATE KEY-----\n" + + "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgw+7YSKEOEAh8/DFZ\n" + + "22oSTm/D3jo4nH5tN48IUp0WjyuhRANCAASnUgx7SrlHhPIn3McZfc3cEIs8+XFf\n" + + "7JvhcuV1wWELGZ8AjuwnKjE0ielEwSY5HYzWCF773FvJaWGYGYGhSba8\n" + + "-----END PRIVATE KEY-----" + // HEX REPRESENATION OF THE PUBLIC KEY + // RUN openssl ec -in public_key.der -pubin -outform DER | xxd -p -c 256 + const ECC_P256_PUBLIC := "3059301306072a8648ce3d020106082a8648ce3d03010703420004a7520c7b4ab9478" + + "4f227dcc7197dcddc108b3cf9715fec9be172e575c1610b199f008eec272a313489" + + "e944c126391d8cd6085efbdc5bc96961981981a149b6bc" + + const ECC_P384_PRIVATE := "-----BEGIN PRIVATE KEY-----\n" + + "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAE/GcrZaGaZKKnWsbi\n" + + "6OiMB8HlhoyF1CQeaZHFdp1VFu7mSM2mUrSolCfpYRB50aahZANiAAQayPW6B3aV\n" + + "GKWFBbDH3SeuMhiY2GIPG+tBEHmMZ3QUaG6qNnQxXS+QpR95IWyQWZjInyDk2upe\n" + + "b1TivP0UYay+dIS8MrBFM7oLBsJIqxGiRQ1EPFIpBLv4mmteOma5qt8=\n" + + "-----END PRIVATE KEY-----" + const ECC_384_PUBLIC := "3076301006072a8648ce3d020106052b81040022036200041ac8f5ba07769518a58505" + + "b0c7dd27ae321898d8620f1beb4110798c677414686eaa3674315d2f90a51f79216c" + + "905998c89f20e4daea5e6f54e2bcfd1461acbe7484bc32b04533ba0b06c248ab11a2" + + "450d443c522904bbf89a6b5e3a66b9aadf" + + const ECC_P521_PRIVATE := "-----BEGIN PRIVATE KEY-----\n" + + "MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIB3azBoPIuF7SY3Z7g\n" + + "xK/dEnSqoqBsHaoiI78Sfs9Ydxsd/3Ref4xZC0v58EwZjKxIMWwcqxSNzg8yLOAV\n" + + "oaRbwryhgYkDgYYABAHeMnMkadh2nketUTcDvKE4WCcdTdIFKaDqwtMIbq/y5N4E\n" + + "I77OxYwKP7IdGBC9n/GkcNIWx6R91zc3AId9a7VrOQF9+HitnblByL1u3N6kWhUf\n" + + "C3ury11T8dkNW+LbVkmX8B3+s6VaEQWKa+SYBemPV05aJhU0xaaF/MhsLGwKLpPp\n" + + "Qg==\n" + + "-----END PRIVATE KEY-----" + const ECC_P521_PUBLIC := "30819b301006072a8648ce3d020106052b81040023038186000401de32732469d8769e" + + "47ad513703bca13858271d4dd20529a0eac2d3086eaff2e4de0423becec58c0a3fb2" + + "1d1810bd9ff1a470d216c7a47dd7373700877d6bb56b39017df878ad9db941c8bd6e" + + "dcdea45a151f0b7babcb5d53f1d90d5be2db564997f01dfeb3a55a11058a6be49805" + + "e98f574e5a261534c5a685fcc86c2c6c0a2e93e942" + + const ECC_256_PUBLIC_INF := "3059301306072a864886f70d0106082a864886f70d03010703420004000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000" + const ECC_384_PUBLIC_INF := "3076301006072a864886f70d0106052b810400220362000400000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000" + const ECC_521_PUBLIC_INF := "3081ee3010060772a8648ce3d02106052b81040023038186000400000000000000000" + + "000000000000000000000000000000000000000000000000000000000000000000000" + + "000000000000000000000000000000000000000000000000000000000000000000000" + + "000000000000000000000000000000000000000000000000000000000000000000000" + + "0000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000" + + const ECC_P256_PUBLIC_GP := "3059301306072a864886f70d0106082a864886f70d03010703420004000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "000000001" + const ECC_P384_PUBLIC_GP := "3076301006072a864886f70d0106052b810400220362000400000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "0000000000000000000000000000001" + const ECC_P521_PUBLIC_GP := "3081ee3010060772a8648ce3d02106052b8104002303818600040000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000000000000000000000000000000000000000000" + + "00000000000000000000000000000000001" + + method {:test} TestKeyGen() + { + var supportedCurves := [P256, P384, P521]; + for i := 0 to |supportedCurves| + { + var curve := supportedCurves[i]; + var keypair :- expect ECDH.GenerateEccKeyPair( + Types.GenerateECCKeyPairInput( + eccCurve := curve + ) + ); + } + } + + method {:test} TestGetPublicKeyFromPrivatePem() + { + var pemPrivateKeys := [ECC_P256_PRIVATE, ECC_P384_PRIVATE, ECC_P521_PRIVATE]; + var derPublicKeys := [ECC_P256_PUBLIC, ECC_384_PUBLIC, ECC_P521_PUBLIC]; + var supportedCurves := [P256, P384, P521]; + + for i := 0 to |supportedCurves| + { + var curve := supportedCurves[i]; + var privateKey :- expect UTF8.Encode(pemPrivateKeys[i]); + var looseHexPublicKey := expectLooseHexString(derPublicKeys[i]); + var publicKeyBytes := HexStrings.FromHexString(looseHexPublicKey); + + var expectedPublicKey :- expect ECDH.ParsePublicKey( + Types.ParsePublicKeyInput( + publicKey := publicKeyBytes + )); + + var publicKey :- expect ECDH.GetPublicKeyFromPrivate( + Types.GetPublicKeyFromPrivateKeyInput( + eccCurve := curve, + privateKey := Types.ECCPrivateKey(pem := privateKey) + ) + ); + + expect publicKey.publicKey == expectedPublicKey.publicKey.der; + } + } + + method {:test} TestGetPublicKeyFromPrivateIncorrectCruve() + { + var curve := P384; + var privateKey :- expect UTF8.Encode(ECC_P256_PRIVATE); + var looseHexPublicKey := expectLooseHexString(ECC_P256_PUBLIC); + var publicKeyBytes := HexStrings.FromHexString(looseHexPublicKey); + + var expectedPublicKey :- expect ECDH.ParsePublicKey( + Types.ParsePublicKeyInput( + publicKey := publicKeyBytes + )); + + var publicKey := ECDH.GetPublicKeyFromPrivate( + Types.GetPublicKeyFromPrivateKeyInput( + eccCurve := curve, + privateKey := Types.ECCPrivateKey(pem := privateKey) + ) + ); + + expect publicKey.Failure?; + } + + method expectLooseHexString(s: string) + returns (s2: HexStrings.LooseHexString) + { + expect HexStrings.IsLooseHexString(s); + return s; + } + + + method {:test} TestValidatePublicKeySuccess() + { + var supportedCurves := [P256, P384, P521]; + for i := 0 to |supportedCurves| + { + var curve := supportedCurves[i]; + var keypairA :- expect ECDH.GenerateEccKeyPair( + Types.GenerateECCKeyPairInput( + eccCurve := curve + ) + ); + var keypairB :- expect ECDH.GenerateEccKeyPair( + Types.GenerateECCKeyPairInput( + eccCurve := curve + ) + ); + + var validPublicKeyB :- expect ECDH.ValidatePublicKey( + Types.ValidatePublicKeyInput( + eccCurve := curve, + publicKey := keypairB.publicKey.der + ) + ); + } + + } + + method {:test} TestValidatePublicKeyFailure() + { + var supportedCurves := [P256, P384, P521]; + for i := 0 to |supportedCurves| + { + for j := 0 to |supportedCurves| + { + var curve_i := supportedCurves[i]; + var curve_j := supportedCurves[j]; + + var keypairA :- expect ECDH.GenerateEccKeyPair( + Types.GenerateECCKeyPairInput( + eccCurve := curve_i + ) + ); + var keypairB :- expect ECDH.GenerateEccKeyPair( + Types.GenerateECCKeyPairInput( + eccCurve := curve_j + ) + ); + + var validPublicKeyB := ECDH.ValidatePublicKey( + Types.ValidatePublicKeyInput( + eccCurve := curve_i, + publicKey := keypairB.publicKey.der + ) + ); + + if curve_i != curve_j { + expect validPublicKeyB.Failure?; + } else { + expect validPublicKeyB.Success?; + } + + } + } + } + + method {:test} TestValidatePublicKeyFailurePointAtINF() + { + var publicKeysWithPointsAtINF := [ECC_256_PUBLIC_INF, ECC_384_PUBLIC_INF, ECC_521_PUBLIC_INF]; + var supportedCurves := [P256, P384, P521]; + for i := 0 to |supportedCurves| + { + var looseHexPublicKey := expectLooseHexString(publicKeysWithPointsAtINF[i]); + var publicKeyBytes := HexStrings.FromHexString(looseHexPublicKey); + + var validPublicKey:= ECDH.ValidatePublicKey( + Types.ValidatePublicKeyInput( + eccCurve := supportedCurves[i], + publicKey := publicKeyBytes + ) + ); + expect validPublicKey.Failure?; + } + } + + method {:test} TestValidatePublicKeyFailurePointGreaterThanP() + { + var publicKeysWithPointsGreaterThanP := [ECC_P256_PUBLIC_GP, ECC_P384_PUBLIC_GP, ECC_P521_PUBLIC_GP]; + var supportedCurves := [P256, P384, P521]; + for i := 0 to |supportedCurves| + { + var looseHexPublicKey := expectLooseHexString(publicKeysWithPointsGreaterThanP[i]); + var publicKeyBytes := HexStrings.FromHexString(looseHexPublicKey); + + var validPublicKey:= ECDH.ValidatePublicKey( + Types.ValidatePublicKeyInput( + eccCurve := supportedCurves[i], + publicKey := publicKeyBytes + ) + ); + expect validPublicKey.Failure?; + } + } + + method {:test} TestGenerateSharedSecret() + { + var supportedCurves := [P256, P384, P521]; + for i := 0 to |supportedCurves| + { + var curve := supportedCurves[i]; + var keypairA :- expect ECDH.GenerateEccKeyPair( + Types.GenerateECCKeyPairInput( + eccCurve := curve + ) + ); + var keypairB :- expect ECDH.GenerateEccKeyPair( + Types.GenerateECCKeyPairInput( + eccCurve := curve + ) + ); + + expect + && keypairA.privateKey != keypairB.privateKey + && keypairA.publicKey != keypairB.publicKey; + + + var validPublicKeyB :- expect ECDH.ValidatePublicKey( + Types.ValidatePublicKeyInput( + eccCurve := curve, + publicKey := keypairB.publicKey.der + ) + ); + + var sharedSecretA :- expect ECDH.DeriveSharedSecret( + Types.DeriveSharedSecretInput( + eccCurve := curve, + privateKey := keypairA.privateKey, + publicKey := keypairB.publicKey + ) + ); + + var sharedSecretB :- expect ECDH.DeriveSharedSecret( + Types.DeriveSharedSecretInput( + eccCurve := curve, + privateKey := keypairB.privateKey, + publicKey := keypairA.publicKey + ) + ); + + expect sharedSecretA == sharedSecretB; + } + } + + method {:test} TestCompressDecompressPublicKey() { + var supportedCurves := [P256, P384, P521]; + for i := 0 to |supportedCurves| + { + var curve := supportedCurves[i]; + var keypair :- expect ECDH.GenerateEccKeyPair( + Types.GenerateECCKeyPairInput( + eccCurve := curve + ) + ); + var originalPublicKey := keypair.publicKey; + + var compressedPublicKeyResult :- expect ECDH.CompressPublicKey( + Types.CompressPublicKeyInput( + publicKey := originalPublicKey, + eccCurve := curve + ) + ); + + expect compressedPublicKeyResult.compressedPublicKey != originalPublicKey.der; + + var compressedPublicKey := compressedPublicKeyResult.compressedPublicKey; + + var decompressedPublicKeyResult :- expect ECDH.DecompressPublicKey( + Types.DecompressPublicKeyInput( + compressedPublicKey := compressedPublicKey, + eccCurve := curve + ) + ); + + var decompressedPublicKey := decompressedPublicKeyResult.publicKey; + + expect originalPublicKey.der == decompressedPublicKey.der; + } + } + + method {:test} TestCompressDecompressConstantPublicKeys() { + var derX509PublicKeys := [ECC_P256_PUBLIC, ECC_384_PUBLIC, ECC_P521_PUBLIC]; + var curves := [P256, P384, P521]; + for i := 0 to |curves| + { + var curve := curves[i]; + var originalPublicKey := derX509PublicKeys[i]; + var publicKeyBytes := HexStrings.FromHexString(originalPublicKey); + + var compressedPublicKeyResult :- expect ECDH.CompressPublicKey( + Types.CompressPublicKeyInput( + publicKey := Types.ECCPublicKey(der := publicKeyBytes), + eccCurve := curve + ) + ); + + expect compressedPublicKeyResult.compressedPublicKey != publicKeyBytes; + + var compressedPublicKey := compressedPublicKeyResult.compressedPublicKey; + + var decompressedPublicKeyResult :- expect ECDH.DecompressPublicKey( + Types.DecompressPublicKeyInput( + compressedPublicKey := compressedPublicKey, + eccCurve := curve + ) + ); + + var decompressedPublicKey := decompressedPublicKeyResult.publicKey; + + expect publicKeyBytes == decompressedPublicKey.der; + } + } + +} diff --git a/AwsCryptographyPrimitives/test/TestKDF.dfy b/AwsCryptographyPrimitives/test/TestKDF.dfy index 9f9f78ea9..c00ad7732 100644 --- a/AwsCryptographyPrimitives/test/TestKDF.dfy +++ b/AwsCryptographyPrimitives/test/TestKDF.dfy @@ -16,15 +16,20 @@ module TestKDF { ikm: seq, info: seq, L: Primitives.Types.PositiveInteger, - expectedOKM: seq + expectedOKM: seq, + digestAlgorithm: Primitives.Types.DigestAlgorithm ) requires - && |ikm| == 32 - && L == 32 + && |ikm| >= 32 + && L > 0 && 4 + |info| < INT32_MAX_LIMIT + && L as int + Digest.Length(Primitives.Types.DigestAlgorithm.SHA_256) < INT32_MAX_LIMIT - 1 + && L as int + Digest.Length(Primitives.Types.DigestAlgorithm.SHA_384) < INT32_MAX_LIMIT - 1 + && (digestAlgorithm == Primitives.Types.DigestAlgorithm.SHA_256 + || digestAlgorithm == Primitives.Types.DigestAlgorithm.SHA_384) { - var output := KdfCtr.RawDerive(ikm, info, L, 0); + var output := KdfCtr.RawDerive(ikm, info, L, 0, digestAlgorithm); if output.Success? { expect |output.value| == L as nat; diff --git a/AwsCryptographyPrimitives/test/TestKDF_TestVectors.dfy b/AwsCryptographyPrimitives/test/TestKDF_TestVectors.dfy index 706a42550..b0cb916f0 100644 --- a/AwsCryptographyPrimitives/test/TestKDF_TestVectors.dfy +++ b/AwsCryptographyPrimitives/test/TestKDF_TestVectors.dfy @@ -15,7 +15,7 @@ module TestKDFK_TestVectors { // UTF-8 encoded "aws-kms-hierarchy" const PURPOSE: UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("aws-kms-hierarchy") // https://tiny.amazon.com/bhksn4so - const rawTestVectors: seq := [b1, b2, b3, b4, b5] + const rawTestVectors: seq := [b1, b2, b3, b4, b5, b6, b7, b8, b9, b10] const testVectors: seq := [c1, c2, c3, c4, c5] @@ -152,6 +152,73 @@ module TestKDFK_TestVectors { ] ) + const b6 := InternalTestVector( + name := "B.6 Test Case 6", + hash := Primitives.Types.SHA_384, + IKM := [ + 130,44,118,74,27,17,112,133,193, + 15,14,104,152,20,210,191,189,155, + 67,40,127,26,140,117,215,149,169, + 131,26,40,97,132,200,88,111,53, + 119,182,229,187,206,22,55,146,94, + 4,252,71 + ], + info := [ + 175,52,97,16,185,65,177,29,33,137, + 49,108,159,194,185,244,33,55,117, + 165,215,54,141,53,65,38,120,162, + 143,205,3,176,127,5,73,102,110,253 + ,243,12,128,240,171,85,99,114,10, + 86,239,97,106,19,187,143,119,128, + 3,111,192,142 + ], + L := 32, + OKM := [ + 224,174,35,92,184,35,128,82, + 123,231,105,52,166,150,34,57, + 109,144,231,191,167,226,210, + 149,228,55,91,206,224,209,177,1 + ] + ) + + const b7 := InternalTestVector( + name := "B.7 Test Case 7", + hash := Primitives.Types.SHA_384, + IKM := [52,14,33,45,117,142,131,204,91,137,228,181,106,134,238,140,150,49,174,78,75,186,236,21,172,9,94,164,64,123,199,182,52,173,99,13,208,190,133,169,28,8,168,199,225,225,3,11], + info := [60,213,86,26,209,47,173,252,228,8,224,65,128,175,206,227,139,131,21,107,158,75,224,119,156,79,13,185,226,107,254,92,205,67,225,89,33,151,124,210,107,29,184,40,139,128,8,158,183,209,187,215,245,158,16,17,179,225,139,81], + L := 32, + OKM := [ + 5,250,87,123,112,129,33,14,124,157,230,157,176,61,124,32,38,207,68,105,169,11,250,41,241,194,193,8,24,212,99,224 + ] + ) + + const b8 := InternalTestVector( + name := "B.8 Test Case 8", + hash := Primitives.Types.SHA_384, + IKM := [0,161,45,60,228,255,117,166,227,15,65,243,85,124,130,106,241,50,107,99,2,244,206,136,123,173,61,51,23,165,72,200,192,58,5,114,132,220,195,141,139,198,144,189,74,86,95,71], + info := [36,197,192,178,200,16,223,160,142,53,215,254,235,184,199,142,12,215,38,201,46,205,66,217,23,16,19,115,140,162,83,26,148,127,82,60,55,246,76,219,4,48,91,217,105,209,214,249,236,212,100,5,210,130,128,249,104,80,11,167], + L := 32, + OKM := [174,243,213,124,141,167,217,88,44,93,28,98,214,182,72,150,218,155,27,14,64,18,164,76,220,61,207,75,112,173,108,102] + ) + + const b9 := InternalTestVector( + name := "B.9 Test Case 9", + hash := Primitives.Types.SHA_384, + IKM := [0,0,217,183,236,111,190,253,242,86,253,104,34,11,82,5,172,101,162,0,17,69,17,140,80,186,107,101,112,50,25,139,139,124,227,178,247,6,138,120,13,193,124,34,69,154,242,183], + info := [216,87,84,28,98,184,87,86,220,115,222,125,194,216,111,93,94,139,40,51,139,176,169,69,181,196,253,124,129,247,25,97,185,112,93,61,21,59,25,25,93,0,59,116,33,32,104,237,16,249,108,83,67,134,83,8,122,1,82,207], + L := 20, + OKM := [121,62,241,19,249,99,151,171,0,49,234,160,250,167,119,193,7,231,208,60] + ) + + const b10 := InternalTestVector( + name := "B.10 Test Case 10", + hash := Primitives.Types.SHA_384, + IKM := [79,61,116,77,62,68,158,6,39,191,68,152,116,56,40,248,110,99,143,96,98,10,126,212,167,201,181,176,115,105,28,158,201,71,40,197,136,34,232,39,240,246,204,248,109,188,28,174], + info := [48,31,238,178,94,108,168,80,62,205,130,31,29,55,135,174,191,179,208,236,81,139,179,17,116,245,32,155,42,193,242,142,211,230,152,115,107,173,16,161,142,60,189,181,220,39,187,209,45,5,139,54,219,8,146,249,207,208,131,0], + L := 20, + OKM := [133,239,149,5,178,48,86,94,204,242,166,74,179,222,83,229,169,28,123,81] + ) + // Generated Test Vectors CAN call KdfCounterMode const c1 := TestVector( name := "C.1 Test Case 1", @@ -294,9 +361,12 @@ module TestKDFK_TestVectors { { var InternalTestVector(name, hash, IKM, info, L, OKM) := vector; print name + "\n"; - expect |IKM| == 32 && L == 32 && 4 + |info| < INT32_MAX_LIMIT; + expect (|IKM| == 32 || |IKM| == 48) && L > 0 && 4 + |info| < INT32_MAX_LIMIT && (hash == Primitives.Types.SHA_256 || hash == Primitives.Types.SHA_384); + expect + L as int + Digest.Length(Primitives.Types.DigestAlgorithm.SHA_256) < INT32_MAX_LIMIT - 1 + && L as int + Digest.Length(Primitives.Types.DigestAlgorithm.SHA_384) < INT32_MAX_LIMIT - 1; - TestKDF.KdfRawDeriveTest(IKM, info, L, OKM); + TestKDF.KdfRawDeriveTest(IKM, info, L, OKM, hash); } method ExpectTestVector(vector : TestVector) diff --git a/ComAmazonawsDynamodb/runtimes/java/build.gradle.kts b/ComAmazonawsDynamodb/runtimes/java/build.gradle.kts index 4bea73f2f..94d8ca118 100644 --- a/ComAmazonawsDynamodb/runtimes/java/build.gradle.kts +++ b/ComAmazonawsDynamodb/runtimes/java/build.gradle.kts @@ -64,7 +64,7 @@ dependencies { implementation("org.dafny:DafnyRuntime:${dafnyVersion}") implementation("software.amazon.cryptography:StandardLibrary:1.0-SNAPSHOT") implementation("software.amazon.smithy.dafny:conversion:0.1") - implementation(platform("software.amazon.awssdk:bom:2.19.1")) + implementation(platform("software.amazon.awssdk:bom:2.26.3")) implementation("software.amazon.awssdk:dynamodb") } diff --git a/ComAmazonawsDynamodb/runtimes/net/ComAmazonawsDynamodb.csproj b/ComAmazonawsDynamodb/runtimes/net/ComAmazonawsDynamodb.csproj index f5b4b453b..d9effd88b 100644 --- a/ComAmazonawsDynamodb/runtimes/net/ComAmazonawsDynamodb.csproj +++ b/ComAmazonawsDynamodb/runtimes/net/ComAmazonawsDynamodb.csproj @@ -58,7 +58,7 @@ - +