Add support for required encryption context subset on decrypt #69
Description
Problem
Due to the nature of CLI interactions, it is relatively difficult for users to inspect the encryption context after decrypting a ciphertext message. Because of this, the CLI needs a feature that has not yet been added to the SDK standard: automatic validation of encryption context on decrypt.
Solution
On decrypt, a user can specify an encryption context in the same manner as on encrypt. Once we load the input, before starting to decrypt a message, we will first read the header and verify that the specified key-value pairs are present in the header encryption context. If any of these pairs are missing, the decryption will stop and no plaintext will be written to the output.
--decrypt --encryption-context key=value test=string
If a parameter provided to the encryption context argument does not contain a =, then we will only check that a key with that name is present in the header encryption context.
--decrypt --encryption-context key=value special