feat: AWS KMS multi-Region Key support (#254)

Added new the master key AwsKmsMrkAwareMasterKey and the new master key provider AwsKmsMrkAwareMasterKeyProvider that support AWS KMS multi-Region Keys. See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html for more details about AWS KMS multi-Region Keys. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks for more details about how the AWS Encryption SDK interoperates with AWS KMS multi-Region keys. Co-authored-by: seebees <ryanemer@amazon.com>
aws · Jun 16, 2021 · 1aaa4c5 · 1aaa4c5
1 parent d67fff9
commit 1aaa4c5
Show file tree

Hide file tree

Showing 55 changed files with 4,915 additions and 133 deletions.
diff --git a/.gitignore b/.gitignore
@@ -5,4 +5,7 @@ target/
 .classpath
 /bin/
 .idea/
-*.iml
+*.iml
+/.history
+/.DS_Store
+/specification_compliance_report.html
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "src/test/resources/aws-encryption-sdk-test-vectors"]
 	path = src/test/resources/aws-encryption-sdk-test-vectors
 	url = https://github.com/awslabs/private-aws-encryption-sdk-test-vectors-staging.git
+[submodule "aws-encryption-sdk-specification"]
+	path = aws-encryption-sdk-specification
+	url = https://github.com/awslabs/private-aws-encryption-sdk-specification-staging.git
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## 2.3.0 -- 2021-06-16
+
+* feat: AWS KMS multi-Region Key support
+
+  Added new the master key AwsKmsMrkAwareMasterKey
+  and the new master key provider AwsKmsMrkAwareMasterKeyProvider
+  that support AWS KMS multi-Region Keys.
+
+  See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+  for more details about AWS KMS multi-Region Keys.
+
+  See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks
+  for more details about how the AWS Encryption SDK interoperates
+  with AWS KMS multi-Region keys.
+
 ## 2.2.0 -- 2021-05-27
 
 * feat: Improvements to the message decryption process. 

diff --git a/NOTICE.txt b/NOTICE.txt
@@ -8,4 +8,4 @@ This software includes third party software subject to the following copyrights:
 -Cryptographic functions from Bouncy Castle Crypto APIs for Java - Copyright
 2000-2013 The Legion of the Bouncy Castle
 
-The licenses for these third party components are included in LICENSE.txt 
+The licenses for these third party components are included in LICENSE.txt 
diff --git a/README-JML.md b/README-JML.md
@@ -646,4 +646,4 @@ OpenJML distinguishes between an assertion or specification being found to be in
 
 ## Where to Find Java Standard Library Specifications
 
-In the installation of OpenJML, the repo OpenJML/Specs (https://github.com/OpenJML/Specs) is downloaded. This contains specifications for a subset of Java's standard library, following the package structure of the JDK. Any missing specifications could be added into files in the projects contained. Note that the specifications provided for standard library classes and methods are assumed, rather than verified against particular implementations, so any added specifications should be carefully examined so as not to introduce potential unsoundness. If appropriate, additional standard library specifications could be merged into the official release of OpenJML by making a pull request to the development branch of OpenJML/Specs.
+In the installation of OpenJML, the repo OpenJML/Specs (https://github.com/OpenJML/Specs) is downloaded. This contains specifications for a subset of Java's standard library, following the package structure of the JDK. Any missing specifications could be added into files in the projects contained. Note that the specifications provided for standard library classes and methods are assumed, rather than verified against particular implementations, so any added specifications should be carefully examined so as not to introduce potential unsoundness. If appropriate, additional standard library specifications could be merged into the official release of OpenJML by making a pull request to the development branch of OpenJML/Specs.
diff --git a/README.md b/README.md
@@ -56,7 +56,7 @@ You can get the latest release from Maven:
 <dependency>
   <groupId>com.amazonaws</groupId>
   <artifactId>aws-encryption-sdk-java</artifactId>
-  <version>2.2.0</version>
+  <version>2.3.0</version>
 </dependency>
 ```
 

diff --git a/aws-encryption-sdk-specification b/aws-encryption-sdk-specification
diff --git a/codebuild/compliance.yml b/codebuild/compliance.yml
@@ -0,0 +1,9 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      nodejs: 12
+  build:
+    commands:
+      - ./util/test-conditions.sh
diff --git a/codebuild/corretto11.yml b/codebuild/corretto11.yml
@@ -6,4 +6,4 @@ phases:
             java: corretto11
     build:
         commands:
-            - mvn install -Dgpg.skip=true "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.2.0.zip"
+            - mvn install -Dgpg.skip=true "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.3.0-mrks.zip"
diff --git a/codebuild/corretto8.yml b/codebuild/corretto8.yml
@@ -6,4 +6,4 @@ phases:
             java: corretto8
     build:
         commands:
-          - mvn install -Dgpg.skip=true "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.2.0.zip"
+          - mvn install -Dgpg.skip=true "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.3.0-mrks.zip"
diff --git a/codebuild/openjdk11.yml b/codebuild/openjdk11.yml
@@ -6,4 +6,4 @@ phases:
             java: openjdk11
     build:
         commands:
-            - mvn install -Dgpg.skip=true "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.2.0.zip"
+            - mvn install -Dgpg.skip=true "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.3.0-mrks.zip"
diff --git a/codebuild/openjdk8.yml b/codebuild/openjdk8.yml
@@ -6,4 +6,4 @@ phases:
             java: openjdk8
     build:
         commands:
-            - mvn install -Dgpg.skip=true "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.2.0.zip"
+            - mvn install -Dgpg.skip=true "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.3.0-mrks.zip"
diff --git a/compliance_exceptions/aws-kms-mrk-aware-multi-keyrings.java b/compliance_exceptions/aws-kms-mrk-aware-multi-keyrings.java
@@ -0,0 +1,104 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// The AWS Encryption SDK - Java does not implement
+// any of the Keyring interface at this time.
+
+//= compliance/framework/aws-kms/aws-kms-mrk-aware-multi-keyrings.txt#2.5
+//= type=exception
+//# The caller MUST provide:
+//#
+//# *  A set of Region strings
+//#
+//# *  An optional discovery filter that is an AWS partition and a set of
+//#    AWS accounts
+//#
+//# *  An optional method that can take a region string and return an AWS
+//#    KMS client e.g. a regional client supplier
+//#
+//# *  An optional list of AWS KMS grant tokens
+//#
+//# If an empty set of Region is provided this function MUST fail.  If
+//# any element of the set of regions is null or an empty string this
+//# function MUST fail.  If a regional client supplier is not passed,
+//# then a default MUST be created that takes a region string and
+//# generates a default AWS SDK client for the given region.
+//#
+//# A set of AWS KMS clients MUST be created by calling regional client
+//# supplier for each region in the input set of regions.
+//#
+//# Then a set of AWS KMS MRK Aware Symmetric Region Discovery Keyring
+//# (aws-kms-mrk-aware-symmetric-region-discovery-keyring.md) MUST be
+//# created for each AWS KMS client by initializing each keyring with
+//#
+//# *  The AWS KMS client
+//#
+//# *  The input discovery filter
+//#
+//# *  The input AWS KMS grant tokens
+//#
+//# Then a Multi-Keyring (../multi-keyring.md#inputs) MUST be initialize
+//# by using this set of discovery keyrings as the child keyrings
+//# (../multi-keyring.md#child-keyrings).  This Multi-Keyring MUST be
+//# this functions output.
+
+//= compliance/framework/aws-kms/aws-kms-mrk-aware-multi-keyrings.txt#2.6
+//= type=exception
+//# The caller MUST provide:
+//#
+//# *  An optional AWS KMS key identifiers to use as the generator.
+//#
+//# *  An optional set of AWS KMS key identifiers to us as child
+//#    keyrings.
+//#
+//# *  An optional method that can take a region string and return an AWS
+//#    KMS client e.g. a regional client supplier
+//#
+//# *  An optional list of AWS KMS grant tokens
+//#
+//# If any of the AWS KMS key identifiers is null or an empty string this
+//# function MUST fail.  At least one non-null or non-empty string AWS
+//# KMS key identifiers exists in the input this function MUST fail.  All
+//# AWS KMS identifiers are passed to Assert AWS KMS MRK are unique (aws-
+//# kms-mrk-are-unique.md#Implementation) and the function MUST return
+//# success otherwise this MUST fail.  If a regional client supplier is
+//# not passed, then a default MUST be created that takes a region string
+//# and generates a default AWS SDK client for the given region.
+//#
+//# If there is a generator input then the generator keyring MUST be a
+//# AWS KMS MRK Aware Symmetric Keyring (aws-kms-mrk-aware-symmetric-
+//# keyring.md) initialized with
+//#
+//# *  The generator input.
+//#
+//# *  The AWS KMS client that MUST be created by the regional client
+//#    supplier when called with the region part of the generator ARN or
+//#    a signal for the AWS SDK to select the default region.
+//#
+//# *  The input list of AWS KMS grant tokens
+//#
+//# If there is a set of child identifiers then a set of AWS KMS MRK
+//# Aware Symmetric Keyring (aws-kms-mrk-aware-symmetric-keyring.md) MUST
+//# be created for each AWS KMS key identifier by initialized each
+//# keyring with
+//#
+//# *  AWS KMS key identifier.
+//#
+//# *  The AWS KMS client that MUST be created by the regional client
+//#    supplier when called with the region part of the AWS KMS key
+//#    identifier or a signal for the AWS SDK to select the default
+//#    region.
+//#
+//# *  The input list of AWS KMS grant tokens
+//#
+//# NOTE: The AWS Encryption SDK SHOULD NOT attempt to evaluate its own
+//# default region.
+//#
+//# Then a Multi-Keyring (../multi-keyring.md#inputs) MUST be initialize
+//# by using this generator keyring as the generator keyring (../multi-
+//# keyring.md#generator-keyring) and this set of child keyrings as the
+//# child keyrings (../multi-keyring.md#child-keyrings).  This Multi-
+//# Keyring MUST be this functions output.
+
+
+