fix: PR comments

Author: Shubham Chaturvedi

.github/workflows/library_go_tests.yml

@@ -19,7 +19,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        library: [StandardLibrary, AwsCryptographyPrimitives]
+        library:
+          [
+            StandardLibrary,
+            ComAmazonawsKms,
+            ComAmazonawsDynamodb,
+            AwsCryptographyPrimitives,
+          ]
         go-version: ["1.23"]
         os: [
             # TODO fix Dafny-generated tests on Windows;

AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/Model/structures.smithy

@@ -150,5 +150,4 @@ map EncryptionContext {
   value: Utf8Bytes,
 }
 
-@sensitive
 blob Secret

AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/Model/KeyStore.smithy

@@ -364,7 +364,6 @@ map HmacKeyMap {
   value: Secret
 }
 
-@sensitive
 blob Secret
 
 map EncryptionContext {

AwsCryptographicMaterialProviders/runtimes/net/tests/LocalCMC.Tests/LocalCMCTests.cs

@@ -75,6 +75,8 @@ private static void WorkForThread(object? state)
         BeaconKey = new BeaconKeyMaterials
         {
           BeaconKeyIdentifier = beaconKeyIdentifier,
+          // The cacheIdentifier is used as the material
+          // because we are not testing the cryptography here.
           BeaconKey = cacheIdentifier,
           EncryptionContext = new Dictionary<string, string>()
         }

AwsCryptographicMaterialProviders/runtimes/rust/Cargo.toml

@@ -15,7 +15,7 @@ readme = "README.md"
 [dependencies]
 aws-config = "1.5.8"
 aws-lc-rs = "1.10.0"
-aws-lc-sys = "0.22.0"
+aws-lc-sys = "0.23.1"
 aws-sdk-dynamodb = "1.50.0"
 aws-sdk-kms = "1.47.0"
 aws-smithy-runtime-api = {version = "1.7.2", features = ["client"] }
@@ -27,3 +27,6 @@ dashmap = "6.1.0"
 pem = "3.0.4"
 tokio = {version = "1.41.0", features = ["full"] }
 uuid = { version = "1.11.0", features = ["v4"] }
+timeout = "0.1.0"
+rand = "0.8.5"
+futures = "0.3"

AwsCryptographicMaterialProviders/runtimes/rust/tests/local_cmc_tests.rs

@@ -0,0 +1,162 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+#![deny(warnings, unconditional_panic)]
+#![deny(nonstandard_style)]
+#![deny(clippy::all)]
+
+pub struct BoxError(String);
+pub struct BoxError2(String);
+
+impl std::fmt::Debug for BoxError2 {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{}", self.0)
+    }
+}
+
+impl From<BoxError> for BoxError2 {
+    fn from(error: BoxError) -> Self {
+        BoxError2(error.0)
+    }
+}
+
+impl<T: std::fmt::Debug> From<T> for BoxError {
+    fn from(error: T) -> Self {
+        let my_str = format!("{:?}", error);
+        BoxError(my_str)
+    }
+}
+
+pub mod local_cmc_tests {
+    use aws_mpl_rs::types::material_providers_config::MaterialProvidersConfig;
+    use aws_mpl_rs::client as mpl_client;
+    use aws_mpl_rs::types::CacheType;
+    use aws_mpl_rs::types::DefaultCache;
+    use aws_mpl_rs::types::cryptographic_materials_cache::CryptographicMaterialsCacheRef;
+    use aws_mpl_rs::operation::get_cache_entry::GetCacheEntryOutput;
+    use aws_mpl_rs::types::error::Error;
+    use aws_mpl_rs::types::Materials;
+    use aws_mpl_rs::deps::aws_cryptography_keyStore::types::BeaconKeyMaterials;
+    use std::collections::HashMap;
+    use chrono::Utc;
+    use rand::{thread_rng, Rng};
+    use futures::stream::StreamExt;
+    // Currently this is commented out to keep it consistent with other
+    // runtimes but every language should eventually have a network
+    // call delay while testing adding to the StormTrackingCache.
+    // use std::time::Duration;
+
+    async fn work_for_thread() -> Result<(), crate::BoxError> {
+        let mpl_config: MaterialProvidersConfig = MaterialProvidersConfig::builder().build()?;
+        let mpl: mpl_client::Client = mpl_client::Client::from_conf(mpl_config)?;
+
+        let test: CryptographicMaterialsCacheRef = mpl.create_cryptographic_materials_cache()
+            .cache(CacheType::Default(
+                DefaultCache::builder()
+                .entry_capacity(10)
+                .build()?))
+            .send()
+            .await?;
+
+        let identifiers: Vec<&str> = vec![
+            "one",
+            "two",
+            "three",
+            "four",
+            "five",
+            "six",
+            "seven",
+            "eight",
+            "nine",
+            "ten",
+            "eleven",
+            "twelve",
+            "thirteen",
+            "fourteen",
+            "fifteen",
+            "sixteen",
+            "seventeen",
+            "eighteen",
+            "nineteen",
+            "twenty",
+            "twenty one"
+        ];
+
+        let id_size: usize = identifiers.len();
+
+        let invocations = 300000;
+        let concurrent_tasks = 10;
+        
+        futures::stream::iter(0..invocations)
+            .map(|_i| {
+                let identifiers = identifiers.clone();
+                let test = test.clone();
+
+                async move {
+                    println!("-----------TestLotsofAdd-----------");
+                    let random = thread_rng().gen_range(0..id_size);
+                    let beacon_key_identifier: &str = identifiers[random];
+
+                    let cache_identifier: aws_smithy_types::Blob = aws_smithy_types::Blob::new(beacon_key_identifier.as_bytes());
+
+                    let cache_entry_output: Result<GetCacheEntryOutput, Error> = test.get_cache_entry()
+                        .identifier(cache_identifier.clone())
+                        .send()
+                        .await;
+
+                    match cache_entry_output {
+                        Ok(_) => {
+                            println!("Cache hit for beacon key identifier: {}", beacon_key_identifier);
+                        }
+                        Err(Error::EntryDoesNotExist {message: _m}) => {
+                            let materials = Materials::BeaconKey(
+                                    BeaconKeyMaterials::builder()
+                                    .beacon_key_identifier(beacon_key_identifier.to_string())
+                                    // The cacheIdentifier is used as the material
+                                    // because we are not testing the cryptography here.
+                                    .beacon_key(cache_identifier.clone())
+                                    .encryption_context(HashMap::new())
+                                    .build()?
+                                );
+                            // This sleep time is to mimic a KMS or DDB call
+                            // Currently this is commented out to keep it consistent with other
+                            // runtimes but every language should eventually have a network
+                            // call delay while testing adding to the StormTrackingCache.
+                            // The reason why this is commented out and not just set to 0 is because
+                            // setting it to 0 adds a significant overhead of task switching, and
+                            // with that, testing for 300_000 instances will not be possible.
+                            // let network_call_delay: u64 = 50;
+                            // tokio::time::sleep(Duration::from_millis(network_call_delay)).await;
+
+                            test.put_cache_entry()
+                                .identifier(cache_identifier)
+                                .creation_time(Utc::now().timestamp())
+                                .expiry_time(Utc::now().timestamp() + 1)
+                                .materials(materials)
+                                .send()
+                                .await?;
+                            
+                            println!("Cache miss for beacon key identifier: {}", beacon_key_identifier);
+                        }
+                        Err(e) => {
+                            panic!("Unexpected error while accessing cache: {}", e);
+                        }
+
+                    }
+
+                    Ok::<(), crate::BoxError>(())
+                }
+            })
+            .buffer_unordered(concurrent_tasks)
+            .collect::<Vec<_>>()
+            .await;
+        
+        Ok(())
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_a_lot_of_adding() -> Result<(), crate::BoxError2> {
+        work_for_thread().await?;
+        Ok(())
+    }
+}

AwsCryptographyPrimitives/runtimes/go/ImplementationFromDafny-go/AESEncryption/externs.go

@@ -83,20 +83,17 @@ func (CompanionStruct_Default___) AESEncryptExtern(algo AwsCryptographyPrimitive
 			dafny.SeqOfChars([]dafny.Char(err.Error())...)))
 	}
 
-	if algo.Is_AES__GCM() {
-		gcm, err := cipher.NewGCM(block)
-		if err != nil {
-			return Wrappers.Companion_Result_.Create_Failure_(AwsCryptographyPrimitivesTypes.Companion_Error_.Create_AwsCryptographicPrimitivesError_(
-				dafny.SeqOfChars([]dafny.Char(err.Error())...)))
-		}
-
-		cipherText := gcm.Seal(nil, ivBytes, dafny.ToByteArray(msg), aadBytes)
-		if cipherText == nil {
-			return Wrappers.Companion_Result_.Create_Failure_(AwsCryptographyPrimitivesTypes.Companion_Error_.Create_AwsCryptographicPrimitivesError_(
-				dafny.SeqOfChars([]dafny.Char(fmt.Errorf("failed to do AES_GCM Encrypt with the given parameters").Error())...)))
-		}
-		return Wrappers.Companion_Result_.Create_Success_(AwsCryptographyPrimitivesTypes.Companion_AESEncryptOutput_.Create_AESEncryptOutput_(
-			dafny.SeqOfBytes(cipherText[:len(cipherText)-gcm.Overhead()]), dafny.SeqOfBytes(cipherText[len(cipherText)-gcm.Overhead():])))
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return Wrappers.Companion_Result_.Create_Failure_(AwsCryptographyPrimitivesTypes.Companion_Error_.Create_AwsCryptographicPrimitivesError_(
+			dafny.SeqOfChars([]dafny.Char(err.Error())...)))
+	}
+
+	cipherText := gcm.Seal(nil, ivBytes, dafny.ToByteArray(msg), aadBytes)
+	if cipherText == nil {
+		return Wrappers.Companion_Result_.Create_Failure_(AwsCryptographyPrimitivesTypes.Companion_Error_.Create_AwsCryptographicPrimitivesError_(
+			dafny.SeqOfChars([]dafny.Char(fmt.Errorf("failed to do AES_GCM Encrypt with the given parameters").Error())...)))
 	}
-	return Wrappers.Companion_Result_.Create_Failure_(false)
+	return Wrappers.Companion_Result_.Create_Success_(AwsCryptographyPrimitivesTypes.Companion_AESEncryptOutput_.Create_AESEncryptOutput_(
+		dafny.SeqOfBytes(cipherText[:len(cipherText)-gcm.Overhead()]), dafny.SeqOfBytes(cipherText[len(cipherText)-gcm.Overhead():])))
 }

AwsCryptographyPrimitives/runtimes/go/ImplementationFromDafny-go/ExternDigest/externs.go

@@ -11,12 +11,12 @@ import (
 )
 
 func Digest(algorithm AwsCryptographyPrimitivesTypes.DigestAlgorithm, message dafny.Sequence) Wrappers.Result {
-	hash, _ := getNativeEcdhCurve(algorithm)
+	hash, _ := getNativeDigestAlgorithm(algorithm)
 	hash.Write(dafny.ToByteArray(message))
 	return Wrappers.Companion_Result_.Create_Success_(dafny.SeqOfBytes(hash.Sum(nil)))
 }
 
-func getNativeEcdhCurve(algorithm AwsCryptographyPrimitivesTypes.DigestAlgorithm) (hash.Hash, error) {
+func getNativeDigestAlgorithm(algorithm AwsCryptographyPrimitivesTypes.DigestAlgorithm) (hash.Hash, error) {
 	switch algorithm {
 	case AwsCryptographyPrimitivesTypes.Companion_DigestAlgorithm_.Create_SHA__256_():
 		return crypto.SHA256.New(), nil

AwsCryptographyPrimitives/runtimes/go/ImplementationFromDafny-go/HMAC/externs.go

@@ -41,9 +41,6 @@ func (hMac *HMac) BlockUpdate(message dafny.Sequence) {
 	}
 }
 
-func (hMac *HMac) String() string {
-	return ""
-}
 func (hMac *HMac) GetResult() dafny.Sequence {
 	res := hMac.hash.Sum(nil)
 	// reset the hash for future use. or maybe reinit it like rust?

AwsCryptographyPrimitives/runtimes/python/src/aws_cryptography_primitives/internaldafny/extern/Signature.py

@@ -21,6 +21,7 @@
   decode_dss_signature,
   encode_dss_signature
 )
+from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
 
 from collections import namedtuple
 import _dafny
@@ -48,7 +49,7 @@ def ExternKeyGen(signature_algorithm):
         return Wrappers.Result_Failure(maybe_signature_algorithm.error)
 
       private_key = ec.generate_private_key(
-        maybe_signature_algorithm.value.value.curve
+        maybe_signature_algorithm.value.value.curve()
       )
 
       private_key_pem_bytes = private_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
@@ -101,9 +102,9 @@ def Verify(signature_algorithm, verification_key, message, signature):
 
       message_digest_algorithm = maybe_signature_algorithm.value.value.message_digest_algorithm
       if message_digest_algorithm.is_SHA__256:
-        sign_algo = ec.ECDSA(hashes.SHA256())
+        sign_algo = ec.ECDSA(Prehashed(hashes.SHA256()))
       elif message_digest_algorithm.is_SHA__384:
-        sign_algo = ec.ECDSA(hashes.SHA384())
+        sign_algo = ec.ECDSA(Prehashed(hashes.SHA384()))
       else:
         return Wrappers.Result_Failure(Error_AwsCryptographicPrimitivesError(
           message=f"Requested Digest Algorithm is not supported. Requested {message_digest_algorithm}"
@@ -242,9 +243,9 @@ def _ecc_static_length_signature(key, algorithm, digest):
   :rtype: bytes
   """
   if algorithm.message_digest_algorithm.is_SHA__256:
-    sign_algo = ec.ECDSA(hashes.SHA256())
+    sign_algo = ec.ECDSA(Prehashed(hashes.SHA256()))
   elif algorithm.message_digest_algorithm.is_SHA__384:
-    sign_algo = ec.ECDSA(hashes.SHA384())
+    sign_algo = ec.ECDSA(Prehashed(hashes.SHA384()))
   pre_hashed_algorithm = sign_algo
   signature = b""
   while len(signature) != algorithm.expected_signature_length: