Skip to content

KMS: Remove the reserved key value pair from aad #8350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 24, 2023
Merged

KMS: Remove the reserved key value pair from aad #8350

merged 2 commits into from
May 24, 2023

Conversation

sannya-singal
Copy link
Contributor

Issue: test_encrypt_via_aws_encryption_sdk in localstack-ext repo invokes aws_encryption_sdk which internally updates encryption context param value by the method _generate_signing_key_and_update_encryption_context which is done after the actual encryption. Now, when we decrypt this cipher text, we have an additional reserved key-value pair of encryption_context by the name aws-crypto-public-key which was missing during encryption.

The PR removes the check of any such reserved key-value pair during decryption as no such value is passed for authentication in encryption.

@sannya-singal sannya-singal added semver: patch Non-breaking changes which can be included in patch releases aws:kms AWS Key Management Service labels May 23, 2023
@sannya-singal sannya-singal marked this pull request as draft May 23, 2023 07:52
@coveralls
Copy link

coveralls commented May 23, 2023
edited
Loading

Coverage Status

Coverage: 82.267% (-0.02%) from 82.284% when pulling 0c0e4a6 on crypto_test_fix into 29bc673 on master.

@github-actions
Copy link

github-actions bot commented May 23, 2023
edited
Loading

LocalStack Community integration with Pro

2 067 tests   1 785 ✔️  1h 16m 54s ⏱️
       2 suites     282 💤
       2 files           0

Results for commit 0c0e4a6.

♻️ This comment has been updated with latest results.

@sannya-singal sannya-singal requested a review from whummer May 23, 2023 08:51
@sannya-singal sannya-singal marked this pull request as ready for review May 23, 2023 08:51
viren-nadkarni
viren-nadkarni reviewed May 23, 2023
View reviewed changes
Copy link
Member

@viren-nadkarni viren-nadkarni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deferring to @whummer who has better context 🙂

whummer
whummer requested changes May 23, 2023
View reviewed changes
Copy link
Member

@whummer whummer left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kudos for digging into this issue @sannya-singal , great analysis! 🚀 Added a comment regarding the key name (removing the backticks), and a small suggestion for restructuring the code a bit. 👍

localstack/services/kms/models.py Outdated
aad.write(key.encode("utf-8"))
aad.write(value.encode("utf-8"))
# remove the reserved key-value pair from additional authentication data
if key != "`aws-crypto-public-key`":
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should compare against the verbatim string "aws-crypto-public-key" here, without the backticks.

After changing this line to the following, I was able to successfully run the upstream test in (test_encrypt_via_aws_encryption_sdk) that is currently disabled:

            if key != "aws-crypto-public-key":

nit: As a general note, we usually configure string constants like this one at the global scope of the module - this can help improve readability and reduce duplication, and can also facilitate monkey patching more easily (e.g., for testing, or if the logic needs to be extended from -ext, etc). 👍

I'd suggest that we define a global variable like IGNORED_CONTEXT_KEYS (somewhere at the top of this file), and then use it as follows:

# list of key names that should be skipped when serializing the encryption context
IGNORED_CONTEXT_KEYS = ["aws-crypto-public-key"]
...

def _serialize_encryption_context(...) ...:
    if encryption_context:
        aad = io.BytesIO()
        for key, value in sorted(encryption_context.items(), key=lambda x: x[0]):
            # remove ignored context keys from additional authentication data
            if key in IGNORED_CONTEXT_KEYS:
                continue
            ...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the detailed review @whummer 🙏🙂 Doing the restructure and pushing it back again.
Regarding backticks: My bad, I mistakenly added it in the defaults.py of aws_encryption_sdk and therefore in models.py as well, I am correcting this also.

@sannya-singal sannya-singal requested a review from whummer May 24, 2023 07:44
whummer
whummer approved these changes May 24, 2023
View reviewed changes
Copy link
Member

@whummer whummer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing the comments. LGTM! 👍

@sannya-singal sannya-singal merged commit ab9064c into master May 24, 2023
@sannya-singal sannya-singal deleted the crypto_test_fix branch May 24, 2023 09:20
@sannya-singal sannya-singal self-assigned this Aug 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@viren-nadkarni viren-nadkarni viren-nadkarni left review comments

@whummer whummer whummer approved these changes

Assignees

@sannya-singal sannya-singal

Labels
aws:kms AWS Key Management Service semver: patch Non-breaking changes which can be included in patch releases
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sannya-singal @coveralls @whummer @viren-nadkarni