m

Author: ajewellamz

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/bin/test_vector/main.rs

@@ -0,0 +1,55 @@
+use anyhow::Result;
+use clap::{Parser, Subcommand};
+
+#[derive(Parser)]
+#[command(version, about, long_about = None)]
+#[command(propagate_version = true)]
+struct Cli {
+    #[command(subcommand)]
+    command: Commands,
+}
+
+#[derive(Subcommand)]
+enum Commands {
+    /// Turn an Encrypt Manifest into a Decrypt Manifest
+    Encrypt {
+        #[arg(long, help = "where to find encrypt manifest.")]
+        manifest_path: String,
+        #[arg(long, help = "where to put the decrypt manifest.")]
+        decrypt_manifest_path: String,
+        #[arg(long, help = "id of the test to run.", default_value = "")]
+        test_name: String,
+    },
+    /// Validate a Decrypt Manifest
+    Decrypt {
+        #[arg(long, help = "where to find plaintext and ciphertext directories.")]
+        manifest_path: String,
+        #[arg(long, help = "where to put the decrypt manifest.")]
+        manifest_name: String,
+        #[arg(long, help = "id of the test to run.", default_value = "")]
+        test_name: String,
+    },
+}
+ #[tokio::main]
+ async fn main() -> Result<()> {
+    let cli = Cli::parse();
+
+    match &cli.command {
+        Commands::Encrypt {
+            manifest_path,
+            decrypt_manifest_path,
+            test_name,
+        } => aws_esdk::test_vectors::run_tests::encrypt_test_vectors(manifest_path, decrypt_manifest_path, test_name).await,
+        Commands::Decrypt {
+            manifest_path,
+            manifest_name,
+            test_name,
+        } => aws_esdk::test_vectors::run_tests::decrypt_test_vectors(manifest_path, manifest_name, test_name).await,
+    }
+}
+
+#[test]
+fn verify_cli() {
+    use clap::CommandFactory;
+    Cli::command().debug_assert();
+}

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/esdk_operations.rs

@@ -557,15 +557,16 @@ async fn internal_decrypt(
             )?
         }
         ContentType::Framed => {
-            if dec_mat.verification_key.is_some() && safety_needed.yes() {
-                return Err("Streaming Interface can return data before signature has been validated. Set `i_accept_the_danger` in the DecryptStreamInput struct if this is ok.".into());
-            }
+            // if dec_mat.verification_key.is_some() && safety_needed.yes() {
+            //     return Err("Streaming Interface can return data before signature has been validated. Set `i_accept_the_danger` in the DecryptStreamInput struct if this is ok.".into());
+            // }
+            let fail_if_multi_frame = dec_mat.verification_key.is_some() && safety_needed.yes();
 
             //= compliance/client-apis/decrypt.txt#2.7.4
             //# If this decryption fails, this operation MUST immediately halt and
             //# fail.
             message_body::read_and_decrypt_framed_message_body(
-                ciphertext, plaintext, &header, &key, &mut dw,
+                ciphertext, plaintext, &header, &key, &mut dw, fail_if_multi_frame
             )?
         }
     };

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/message_body.rs

@@ -110,15 +110,15 @@ pub(crate) fn body_aad2(
     result.extend_from_slice(&length.to_be_bytes());
 }
 
-// FIXME -- if last frame is empty, return penultimate frame.
 pub(crate) fn read_and_decrypt_framed_message_body(
     r: &mut dyn SafeRead,
     w: &mut dyn SafeWrite,
     header: &HeaderInfo,
     key: &[u8],
     raw: &mut dyn SafeWrite,
+    fail_if_multi_frame: bool,
 ) -> Result<Vec<u8>, Error> {
-    let mut expected_frame = START_SEQUENCE_NUMBER;
+    let mut expected_frame: u32 = START_SEQUENCE_NUMBER;
     let mut iv = vec![0u8; get_iv_length(&header.suite) as usize];
     let mut auth_tag = vec![0u8; get_tag_length(&header.suite) as usize];
     let alg = get_aes_alg(&header.suite);
@@ -151,21 +151,50 @@ pub(crate) fn read_and_decrypt_framed_message_body(
                 enc_content.len() as u64,
                 &mut aad,
             );
-            aes_decrypt(
-                alg,
-                key,
-                &enc_content,
-                &auth_tag,
-                &iv,
-                &aad,
-                &mut result[0..enc_content.len()],
-            )?;
-            result.resize(enc_content.len(), 0);
-            return Ok(result);
+            if enc_content.is_empty() {
+                // final frame is empty, to return last full frame
+                let mut empty_result = Vec::new();
+                aes_decrypt(
+                    alg,
+                    key,
+                    &enc_content,
+                    &auth_tag,
+                    &iv,
+                    &aad,
+                    &mut empty_result[..],
+                )?;
+                return Ok(result);
+            } else {
+                // write previous frame's data, now that we know we have another frame.
+                if expected_frame != START_SEQUENCE_NUMBER {
+                    if fail_if_multi_frame {
+                        return Err("Streaming Interface can return data before signature has been validated. Set `i_accept_the_danger` in the DecryptStreamInput struct if this is ok.".into());
+                    }
+                    serialize_functions::write_bytes(w, &result)?;
+                }
+                aes_decrypt(
+                    alg,
+                    key,
+                    &enc_content,
+                    &auth_tag,
+                    &iv,
+                    &aad,
+                    &mut result[0..enc_content.len()],
+                )?;
+                result.resize(enc_content.len(), 0);
+                return Ok(result);
+            }
         }
         if seq_num != expected_frame {
             return Err("Sequence number out of order.".into());
         }
+        // write previous frame's data, now that we know we have another frame.
+        if expected_frame != START_SEQUENCE_NUMBER {
+            if fail_if_multi_frame {
+                return Err("Streaming Interface can return data before signature has been validated. Set `i_accept_the_danger` in the DecryptStreamInput struct if this is ok.".into());
+            }
+            serialize_functions::write_bytes(w, &result)?;
+        }
         expected_frame += 1;
         read_bytes(r, &mut iv, raw)?;
         read_bytes(r, &mut enc_content, raw)?;
@@ -178,6 +207,5 @@ pub(crate) fn read_and_decrypt_framed_message_body(
             &mut aad,
         );
         aes_decrypt(alg, key, &enc_content, &auth_tag, &iv, &aad, &mut result)?;
-        serialize_functions::write_bytes(w, &result)?;
     }
 }

AwsEncryptionSDK/runtimes/rust/esdk_rust/esdk/src/test_vectors/run_tests.rs

@@ -1,7 +1,7 @@
 use crate::test_vectors::do_decrypt::read_json;
 use anyhow::Result;
 
-pub async fn do_decrypt(manifest_path: &str, manifest_name: &str) -> Result<()> {
+pub async fn decrypt_test_vectors(manifest_path: &str, manifest_name: &str, _test_name : &str) -> Result<()> {
     let json_data_base = read_json(manifest_name, manifest_path)?;
     let json_data = json_data_base.as_object().unwrap();
 
@@ -38,7 +38,7 @@ pub async fn do_decrypt(manifest_path: &str, manifest_name: &str) -> Result<()>
     Ok(())
 }
 
-pub async fn do_encrypt(encrypt_path: &str, decrypt_path: &str) -> Result<()> {
+pub async fn encrypt_test_vectors(encrypt_path: &str, decrypt_path: &str, _test_name : &str) -> Result<()> {
     drop(std::fs::remove_dir_all(format!(
         "{encrypt_path}/plaintexts"
     )));
@@ -96,32 +96,30 @@ pub async fn do_encrypt(encrypt_path: &str, decrypt_path: &str) -> Result<()> {
 #[cfg(test)]
 mod tests {
     use super::*;
-    // #[tokio::test(flavor = "multi_thread")]
-    // async fn test_do_decrypt() {
-    //     let manifest_path = "test_vectors_java";
-    //     let manifest_name = "decrypt-manifest.json";
-    //     let result = do_decrypt(manifest_path, manifest_name).await;
-    //     println!("{result:?}");
-    //     assert!(result.is_ok());
-    // }
-
-    // #[tokio::test(flavor = "multi_thread")]
-    // async fn test_python_decrypt() {
-    //     let manifest_path = "test_vectors_python";
-    //     let manifest_name = "decrypt_message.json";
-    //     let result = do_decrypt(manifest_path, manifest_name).await;
-    //     println!("{result:?}");
-    //     assert!(result.is_ok());
-    // }
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_do_decrypt() {
+        let manifest_path = "test_vectors_java";
+        let manifest_name = "decrypt-manifest.json";
+        let result = decrypt_test_vectors(manifest_path, manifest_name, "").await;
+        assert!(result.is_ok());
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_python_decrypt() {
+        let manifest_path = "test_vectors_python";
+        let manifest_name = "decrypt_message.json";
+        let result = decrypt_test_vectors(manifest_path, manifest_name, "").await;
+        assert!(result.is_ok());
+    }
     #[tokio::test(flavor = "multi_thread")]
     async fn test_do_encrypt() {
         let manifest_path = "test_vectors_rust";
         let manifest_name = "decrypt-manifest.json";
 
-        let result = do_encrypt(manifest_path, manifest_path).await;
+        let result = encrypt_test_vectors(manifest_path, manifest_path, "").await;
         assert!(result.is_ok());
 
-        let result = do_decrypt(manifest_path, manifest_name).await;
+        let result = decrypt_test_vectors(manifest_path, manifest_name, "").await;
         assert!(result.is_ok());
     }
 }