docs: add CMM examples #239
mattsb42-aws merged 12 commits into aws:keyring from mattsb42-aws:cmm-examples
Note for the record: all failing checks are expected. They are all from the test vector handler workflow. The tests from that workflow actually should not be running on pull request events, but I'll figure that out in a different PR.
| def get_encryption_materials(self, request): | ||
| # type: (EncryptionMaterialsRequest) -> EncryptionMaterials | ||
| """Block any requests that include an algorithm suite without a KDF.""" | ||
| if request.algorithm is not None and request.algorithm.kdf is KDFSuite.NONE: |
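Review bot: The condition on the if line only rejects a request that names a suite with KDFSuite.NONE; when request.algorithm is None the check is skipped, so in the lines shown the suite that actually ends up in the materials is never validated. Consider also checking the algorithm on the EncryptionMaterials that come back from the wrapped CMM, or say in the docstring that requests with no suite are passed through on purpose.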
There isn't a particularly elegant way to do this in the Java ESDK. It would be something like:
if(!request.getRequestedAlgorithm().getDataKeyAlgo().contains("Hkdf"))
I wouldn't normally recommend someone write code that depends on a string in that way. Alternatively, Java and Python both have the isSafeToCache parameter; could this make use of that instead?
Maybe. If we want to go that route I want to re-frame what the example is about: changing it from specifically barring non-KDF suites to instead making sure that you can cache the request.
Another option would be changing the requirement to be one of our two recommended (default or default - signing).
Yeah, I'd say let's do the second option. The example doesn't have to do anything particularly interesting or innovative to serve its purpose; that would show a basic validation so the user can get a sense of what's possible.
|
|
||
| def run(aws_kms_cmk, source_plaintext): | ||
| # type: (str, bytes) -> None | ||
| """Demonstrate an encrypt/decrypt cycle using a KMS keyring with a single CMK. |
| # Create the keyring that determines how your data keys are protected. | ||
| keyring = KmsKeyring(generator_key_id=aws_kms_cmk) | ||
|
|
||
| # Create the filtering cryptographic materials manager using your keyring. |
This is the first time you used the terminology "filtering CMM". Do you want to introduce that at the top?
This was just shorthand I was using, but you're right; I'll just replace these with references back to the actual custom CMM.
|
|
||
| def run(aws_kms_cmk, source_plaintext): | ||
| # type: (str, bytes) -> None | ||
| """Demonstrate an encrypt/decrypt cycle using a KMS keyring with a single CMK. |
| # Create the keyring that determines how your data keys are protected. | ||
| keyring = KmsKeyring(generator_key_id=aws_kms_cmk) | ||
|
|
||
| # Create the filtering cryptographic materials manager using your keyring. |
Same as algorithm_suite_enforcement, this is the first time you mention filtering CMM. Might be worth introducing the term at the top.
|
|
||
| def run(aws_kms_cmk, source_plaintext): | ||
| # type: (str, bytes) -> None | ||
| """Demonstrate an encrypt/decrypt cycle using a KMS keyring with a single CMK. |
| If you supply a keyring or master key provider | ||
| those components will automatically wrap it in a default CMM. | ||
|
|
||
| This example shows how you could do this manually if you wanted to. |
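Review bot: In the docstring sentence "If you supply a keyring or master key provider those components will automatically wrap it in a default CMM", the phrase "those components" has no antecedent in the lines shown, so it reads as if the keyring or master key provider wraps itself. Name the components that accept the keyring or master key provider and do the wrapping, and add a comma after "provider".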
This example I'm a little unsure is necessary. It is useful in terms of educating the user about the default CMM, but practically, without any additional functionality, it is pointless. Would it be enough to include the description of the default CMM in one of the other examples?
Maybe. What I was going for is demonstrating how to use the default CMM if you need it, such as if you're making a custom CMM that you configure using keyrings. More explanation in the other examples might be sufficient, yeah.
Co-Authored-By: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
WesleyRosenblum left a comment:
Nice job making all these examples :-)
Issue #, if available:
#156
Description of changes:
Adds examples for using and creating CMMs.
As always, everyone is welcome to review anything, but what I'm specifically looking for from each reviewer:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: