chore(dafny): more using uint64 instead of nat (#1490)

Author: ajewellamz

AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/AwsArnParsing.dfy

@@ -9,19 +9,21 @@ module AwsArnParsing {
   import opened Wrappers
   import opened Seq
   import opened UInt = StandardLibrary.UInt
+  import opened StandardLibrary.MemoryMath
   import Types = AwsCryptographyMaterialProvidersTypes
   import DDB = ComAmazonawsDynamodbTypes
   import UTF8
 
-  const MAX_AWS_KMS_IDENTIFIER_LENGTH := 2048
+  const MAX_AWS_KMS_IDENTIFIER_LENGTH := 2048 as uint64
 
   datatype AwsResource = AwsResource(
     resourceType: string,
     value: string
   ) {
     predicate method Valid()
     {
-      && 0 < |value|
+      SequenceIsSafeBecauseItIsInMemory(value);
+      && 0 < |value| as uint64
     }
 
     function method ToString(): string
@@ -43,11 +45,15 @@ module AwsArnParsing {
   ) {
     predicate method Valid()
     {
+      SequenceIsSafeBecauseItIsInMemory(partition);
+      SequenceIsSafeBecauseItIsInMemory(service);
+      SequenceIsSafeBecauseItIsInMemory(region);
+      SequenceIsSafeBecauseItIsInMemory(account);
       && arnLiteral == "arn"
-      && 0 < |partition|
-      && 0 < |service|
-      && 0 < |region|
-      && 0 < |account|
+      && 0 < |partition| as uint64
+      && 0 < |service| as uint64
+      && 0 < |region| as uint64
+      && 0 < |account| as uint64
       && resource.Valid()
     }
 
@@ -116,9 +122,10 @@ module AwsArnParsing {
   {
     var info := Split(identifier, '/');
 
-    :- Need(info[0] != "key", "Malformed raw key id: " + identifier);
+    :- Need(info[0 as uint32] != "key", "Malformed raw key id: " + identifier);
+    SequenceIsSafeBecauseItIsInMemory(info);
 
-    if |info| == 1 then
+    if |info| as uint64 == 1 then
       ParseAwsKmsResources("key/" + identifier)
     else
       ParseAwsKmsResources(identifier)
@@ -127,11 +134,12 @@ module AwsArnParsing {
   function method ParseAwsKmsResources(identifier: string): (result: Result<AwsKmsResource, string>)
   {
     var info := Split(identifier, '/');
+    SequenceIsSafeBecauseItIsInMemory(info);
 
-    :- Need(|info| > 1, "Malformed resource: " + identifier);
+    :- Need(|info| as uint64 > 1, "Malformed resource: " + identifier);
 
-    var resourceType := info[0];
-    var value := Join(info[1..], "/");
+    var resourceType := info[0 as uint32];
+    var value := Join(info[1 as uint32 ..], "/");
 
     var resource := AwsResource(resourceType, value);
 
@@ -239,17 +247,19 @@ module AwsArnParsing {
               && |Split(identifier, ':')[4]| > 0
   {
     var components := Split(identifier, ':');
+    SequenceIsSafeBecauseItIsInMemory(components);
 
-    :- Need(6 == |components|, "Malformed arn: " + identifier);
 
-    var resource :- ParseAwsKmsResources(components[5]);
+    :- Need(6 == |components| as uint64, "Malformed arn: " + identifier);
+
+    var resource :- ParseAwsKmsResources(components[5 as uint32]);
 
     var arn := AwsArn(
-                 components[0],
-                 components[1],
-                 components[2],
-                 components[3],
-                 components[4],
+                 components[0 as uint32],
+                 components[1 as uint32],
+                 components[2 as uint32],
+                 components[3 as uint32],
+                 components[4 as uint32],
                  resource
                );
 
@@ -268,17 +278,18 @@ module AwsArnParsing {
               && |Split(identifier, ':')[4]| > 0
   {
     var components := Split(identifier, ':');
+    SequenceIsSafeBecauseItIsInMemory(components);
 
-    :- Need(6 == |components|, "Malformed arn: " + identifier);
+    :- Need(6 == |components| as uint64, "Malformed arn: " + identifier);
 
-    var resource :- ParseAmazonDynamodbResources(components[5]);
+    var resource :- ParseAmazonDynamodbResources(components[5 as uint32]);
 
     var arn := AwsArn(
-                 components[0],
-                 components[1],
-                 components[2],
-                 components[3],
-                 components[4],
+                 components[0 as uint32],
+                 components[1 as uint32],
+                 components[2 as uint32],
+                 components[3 as uint32],
+                 components[4 as uint32],
                  resource
                );
 
@@ -454,7 +465,8 @@ module AwsArnParsing {
   ): (res: Result<AwsKmsIdentifier, string>)
   {
     :- Need(UTF8.IsASCIIString(s), "Not a valid ASCII string.");
-    :- Need(0 < |s| <= MAX_AWS_KMS_IDENTIFIER_LENGTH , "Identifier exceeds maximum length.");
+    SequenceIsSafeBecauseItIsInMemory(s);
+    :- Need(0 < |s| as uint64 <= MAX_AWS_KMS_IDENTIFIER_LENGTH, "Identifier exceeds maximum length.");
     ParseAwsKmsIdentifier(s)
   }
 

AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/AwsCryptographyMaterialProvidersOperations.dfy

@@ -39,6 +39,7 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph
   import opened D = DiscoveryMultiKeyring
   import opened MD = MrkAwareDiscoveryMultiKeyring
   import opened M = MrkAwareStrictMultiKeyring
+  import opened StandardLibrary.MemoryMath
   import AwsKmsKeyring
   import AwsKmsHierarchicalKeyring
   import AwsKmsMrkKeyring
@@ -493,7 +494,8 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph
   method CreateMultiKeyring ( config: InternalConfig,  input: CreateMultiKeyringInput )
     returns (output: Result<IKeyring, Error>)
   {
-    :- Need(input.generator.Some? || |input.childKeyrings| > 0,
+    SequenceIsSafeBecauseItIsInMemory(input.childKeyrings);
+    :- Need(input.generator.Some? || |input.childKeyrings| as uint64 > 0,
             Types.AwsCryptographicMaterialProvidersException(
               message := "Must include a generator keyring and/or at least one child keyring"));
 
@@ -539,10 +541,12 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph
     var namespaceAndName :- ParseKeyNamespaceAndName(input.keyNamespace, input.keyName);
     var (namespace, name) := namespaceAndName;
 
-    :- Need(|input.wrappingKey| == 16 || |input.wrappingKey| == 24 || |input.wrappingKey| == 32,
+    SequenceIsSafeBecauseItIsInMemory(input.wrappingKey);
+    var wrapping_key_size := |input.wrappingKey| as uint64;
+    :- Need(wrapping_key_size == 16 || wrapping_key_size == 24 || wrapping_key_size == 32,
             Types.AwsCryptographicMaterialProvidersException(
               message := "Invalid wrapping key length"));
-    :- Need(|input.wrappingKey| == wrappingAlg.keyLength as int,
+    :- Need(wrapping_key_size == wrappingAlg.keyLength as uint64,
             Types.AwsCryptographicMaterialProvidersException(
               message := "Wrapping key length does not match specified wrapping algorithm"));
 
@@ -783,7 +787,8 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph
   {
     :- Need(input.underlyingCMM.Some? && input.keyring.None?, CmpError("CreateRequiredEncryptionContextCMM currently only supports cmm."));
     var keySet : set<UTF8.ValidUTF8Bytes> := set k <- input.requiredEncryptionContextKeys;
-    :- Need(0 < |keySet|, CmpError("RequiredEncryptionContextCMM needs at least one requiredEncryptionContextKey."));
+    SetIsSafeBecauseItIsInMemory(keySet);
+    :- Need(0 < |keySet| as uint64, CmpError("RequiredEncryptionContextCMM needs at least one requiredEncryptionContextKey."));
     var cmm := new RequiredEncryptionContextCMM.RequiredEncryptionContextCMM(
       input.underlyingCMM.value,
       keySet);
@@ -809,14 +814,14 @@ module AwsCryptographyMaterialProvidersOperations refines AbstractAwsCryptograph
         return Success(cmc);
       case SingleThreaded(c) =>
         var cmc := new LocalCMC.LocalCMC(
-          c.entryCapacity as nat,
-          OptionalCountingNumber(c.entryPruningTailSize).UnwrapOr(1) as nat
+          c.entryCapacity as uint64,
+          OptionalCountingNumber(c.entryPruningTailSize).UnwrapOr(1) as uint64
         );
         return Success(cmc);
       case MultiThreaded(c) =>
         var cmc := new LocalCMC.LocalCMC(
-          c.entryCapacity as nat,
-          OptionalCountingNumber(c.entryPruningTailSize).UnwrapOr(1) as nat
+          c.entryCapacity as uint64,
+          OptionalCountingNumber(c.entryPruningTailSize).UnwrapOr(1) as uint64
         );
         var synCmc := new SynchronizedLocalCMC.SynchronizedLocalCMC(cmc);
         return Success(synCmc);

AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/CMCs/LocalCMC.dfy

@@ -7,6 +7,7 @@ include "../../../../../libraries/src/MutableMap/MutableMap.dfy"
 module {:options "/functionSyntax:4" } LocalCMC {
   import opened Wrappers
   import opened StandardLibrary.UInt
+  import opened StandardLibrary.MemoryMath
   import opened DafnyLibraries
   import Time
   import Types = AwsCryptographyMaterialProvidersTypes
@@ -351,7 +352,7 @@ module {:options "/functionSyntax:4" } LocalCMC {
          // with the tail MUST be in the cache
       && (forall c <- queue.Items :: c.identifier in cache.Keys() && cache.Select(c.identifier) == c)
 
-      && cache.Size() <= entryCapacity
+      && (ValueIsSafeBecauseItIsInMemory(cache.Size()); cache.Size() as uint64 <= entryCapacity)
     }
 
     var queue: DoublyLinkedCacheEntryList
@@ -360,14 +361,14 @@ module {:options "/functionSyntax:4" } LocalCMC {
     //= type=implication
     //# The local CMC MUST accept entry capacity values between zero
     //# and an implementation-defined maximum, inclusive.
-    const entryCapacity: nat
+    const entryCapacity: uint64
     //= aws-encryption-sdk-specification/framework/local-cryptographic-materials-cache.md#entry-pruning-tail-size
     //= type=implication
     //# The _entry pruning tail size_
     //# is the number of least recently used entries that the local CMC
     //# MUST check during [pruning](#pruning)
     //# for TTL-expired entries to evict.
-    const entryPruningTailSize: nat
+    const entryPruningTailSize: uint64
 
     //= aws-encryption-sdk-specification/framework/local-cryptographic-materials-cache.md#initialization
     //= type=implication
@@ -379,8 +380,8 @@ module {:options "/functionSyntax:4" } LocalCMC {
     //#
     //# - [Entry Pruning Tail Size](#entry-pruning-tail-size)
     constructor(
-      entryCapacity': nat,
-      entryPruningTailSize': nat := 1
+      entryCapacity': uint64,
+      entryPruningTailSize': uint64 := 1
     )
       requires entryPruningTailSize' >= 1
       ensures
@@ -506,7 +507,7 @@ module {:options "/functionSyntax:4" } LocalCMC {
       //= aws-encryption-sdk-specification/framework/local-cryptographic-materials-cache.md#entry-capacity
       //# The local CMC MUST NOT store more entries than this value,
       //# except temporarily while performing a Put Cache Entry operation.
-      if entryCapacity == cache.Size() {
+      if entryCapacity == cache.Size() as uint64 {
         assert 0 < |multiset(cache.Values())|;
         assert queue.tail.deref.identifier in cache.Keys();
         var _ :- DeleteCacheEntry'(Types.DeleteCacheEntryInput(
@@ -596,7 +597,7 @@ module {:options "/functionSyntax:4" } LocalCMC {
           LemmaMutableMapContainsPreservesInjectivity(old@CAN_REMOVE(cache), cache);
         }
         assert |cache.Keys()| == |old@CAN_REMOVE(cache.Keys())| - 1;
-        assert cache.Size() <= old@CAN_REMOVE(cache.Size()) <= entryCapacity;
+        assert cache.Size() as uint64 <= old@CAN_REMOVE(cache.Size()) as uint64 <= entryCapacity;
         queue.remove(cell);
         assert multiset(cache.Values()) == multiset(queue.Items) by {
           var cacheMultiset := multiset(cache.Values());

AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/CMCs/StormTracker.dfy

@@ -151,7 +151,7 @@ module {:options "/functionSyntax:4" }  StormTracker {
         inFlightTTL := cache.inFlightTTL as Types.PositiveLong;
       }
 
-      this.wrapped := new LocalCMC.LocalCMC(cache.entryCapacity as nat, cache.entryPruningTailSize.UnwrapOr(1) as nat);
+      this.wrapped := new LocalCMC.LocalCMC(cache.entryCapacity as uint64, cache.entryPruningTailSize.UnwrapOr(1) as uint64);
       this.inFlight := new MutableMap();
       this.gracePeriod := gracePeriod;
       this.graceInterval := graceInterval;
@@ -334,8 +334,8 @@ module {:options "/functionSyntax:4" }  StormTracker {
       // and T[0] is the most recent.
       var keySet := inFlight.Keys();
       var keys := SortedSets.ComputeSetToSequence(keySet);
-      for i := 0 to |keys|
-        invariant forall k | i <= k < |keys| :: keys[k] in inFlight.Keys()
+      for i : uint64 := 0 to |keys| as uint64
+        invariant forall k | i as nat <= k < |keys| :: keys[k] in inFlight.Keys()
         invariant ValidState()
       {
         reveal Seq.HasNoDuplicates();

AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/CMMs/DefaultCMM.dfy

@@ -13,6 +13,7 @@ include "../Keyrings/MultiKeyring.dfy"
 module DefaultCMM {
   import opened Wrappers
   import opened UInt = StandardLibrary.UInt
+  import opened StandardLibrary.MemoryMath
   import AlgorithmSuites
   import Materials
   import CMM
@@ -89,8 +90,8 @@ module DefaultCMM {
     }
 
     // The following are requirements for the CMM interface.
-    // However they are requirments of intent
-    // rather than something that can be verified programaticly.
+    // However they are requirements of intent
+    // rather than something that can be verified programmatically.
     // The configured keyring could violate these properties.
     // This is why these are listed as exception and not implications.
     // 
@@ -328,8 +329,8 @@ module DefaultCMM {
     }
 
     // The following are requirements for the CMM interface.
-    // However they are requirments of intent
-    // rather than something that can be verified programaticly.
+    // However they are requirements of intent
+    // rather than something that can be verified programmatically.
     // The configured keyring could violate these properties.
     // This is why these are listed as exception and not implications.
     //
@@ -465,12 +466,13 @@ module DefaultCMM {
         var keysSet := input.reproducedEncryptionContext.value.Keys;
         ghost var keysSet' := keysSet;
         var keysSeq := SortedSets.ComputeSetToSequence(keysSet);
-        var i := 0;
-        while i < |keysSeq|
+        var i : uint64 := 0;
+        SequenceIsSafeBecauseItIsInMemory(keysSeq);
+        while i < |keysSeq| as uint64
           invariant Seq.HasNoDuplicates(keysSeq)
-          invariant forall j | 0 <= j < i && i < |keysSeq| :: keysSeq[j] !in keysSet'
-          invariant forall j | i <= j < |keysSeq| :: keysSeq[j] in keysSet'
-          invariant |keysSet'| == |keysSeq| - i
+          invariant forall j | 0 <= j < i as nat && i as nat < |keysSeq| :: keysSeq[j] !in keysSet'
+          invariant forall j | i as nat <= j < |keysSeq| :: keysSeq[j] in keysSet'
+          invariant |keysSet'| == |keysSeq| - i as nat
           invariant forall key
                       |
                       && key in input.reproducedEncryptionContext.value
@@ -490,7 +492,7 @@ module DefaultCMM {
           }
           keysSet' := keysSet' - {key};
           i := i + 1;
-          assert forall j | i <= j < |keysSeq| :: keysSeq[j] in keysSet' by {
+          assert forall j | i as nat <= j < |keysSeq| :: keysSeq[j] in keysSet' by {
             reveal Seq.HasNoDuplicates();
           }
         }

AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/CanonicalEncryptionContext.dfy

@@ -6,6 +6,7 @@ include "../Model/AwsCryptographyMaterialProvidersTypes.dfy"
 module CanonicalEncryptionContext {
   import opened StandardLibrary
   import opened UInt = StandardLibrary.UInt
+  import opened StandardLibrary.MemoryMath
   import Types = AwsCryptographyMaterialProvidersTypes
   import opened Wrappers
   import Seq
@@ -24,11 +25,12 @@ module CanonicalEncryptionContext {
   ):
     (res: Result<seq<uint8>, Types.Error>)
   {
-    :- Need(|encryptionContext| < UINT16_LIMIT,
+    MapIsSafeBecauseItIsInMemory(encryptionContext);
+    :- Need(|encryptionContext| as uint64 < UINT16_LIMIT as uint64,
             Types.AwsCryptographicMaterialProvidersException( message := "Encryption Context is too large" ));
     var keys := SortedSets.ComputeSetToOrderedSequence2(encryptionContext.Keys, UInt.UInt8Less);
 
-    if |keys| == 0 then
+    if |keys| as uint16 == 0 then
       Success([])
     else
       var KeyIntoPairBytes := k