aws · texastony · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025
@@ -24,37 +24,37 @@ jobs:
     uses: ./.github/workflows/library_dafny_verification.yml
     with:
       dafny: ${{needs.getVerifyVersion.outputs.version}}
-  pr-ci-java:
-    needs: getVersion
-    uses: ./.github/workflows/library_java_tests.yml
-    with:
-      dafny: ${{needs.getVersion.outputs.version}}
-  pr-ci-net:
-    needs: getVersion
-    uses: ./.github/workflows/library_net_tests.yml
-    with:
-      dafny: ${{needs.getVersion.outputs.version}}
-  pr-ci-rust:
-    needs: getVersion
-    uses: ./.github/workflows/library_rust_tests.yml
-    with:
-      dafny: ${{needs.getVersion.outputs.version}}
-  pr-ci-python:
-    needs: getVersion
-    uses: ./.github/workflows/library_python_tests.yml
-    with:
-      dafny: ${{needs.getVersion.outputs.version}}
-  pr-ci-go:
-    needs: getVersion
-    uses: ./.github/workflows/library_go_tests.yml
-    with:
-      dafny: ${{needs.getVersion.outputs.version}}
-  pr-interop-test:
-    needs: getVersion
-    uses: ./.github/workflows/library_interop_tests.yml
-    with:
-      dafny: ${{needs.getVersion.outputs.version}}
-    secrets: inherit
+  # pr-ci-java:
+  #   needs: getVersion
+  #   uses: ./.github/workflows/library_java_tests.yml
+  #   with:
+  #     dafny: ${{needs.getVersion.outputs.version}}
+  # pr-ci-net:
+  #   needs: getVersion
+  #   uses: ./.github/workflows/library_net_tests.yml
+  #   with:
+  #     dafny: ${{needs.getVersion.outputs.version}}
+  # pr-ci-rust:
+  #   needs: getVersion
+  #   uses: ./.github/workflows/library_rust_tests.yml
+  #   with:
+  #     dafny: ${{needs.getVersion.outputs.version}}
+  # pr-ci-python:
+  #   needs: getVersion
+  #   uses: ./.github/workflows/library_python_tests.yml
+  #   with:
+  #     dafny: ${{needs.getVersion.outputs.version}}
+  # pr-ci-go:
+  #   needs: getVersion
+  #   uses: ./.github/workflows/library_go_tests.yml
+  #   with:
+  #     dafny: ${{needs.getVersion.outputs.version}}
+  # pr-interop-test:
+  #   needs: getVersion
+  #   uses: ./.github/workflows/library_interop_tests.yml
+  #   with:
+  #     dafny: ${{needs.getVersion.outputs.version}}
+  #   secrets: inherit
   pr-ci-all-required:
     if: always()
     needs:
@@ -63,12 +63,12 @@ jobs:
       - pr-ci-format
       - pr-ci-codegen
       - pr-ci-verification
-      - pr-ci-java
-      - pr-ci-net
-      - pr-ci-python
-      - pr-ci-go
-      - pr-ci-rust
-      - pr-interop-test
+      # - pr-ci-java
+      # - pr-ci-net
+      # - pr-ci-python
+      # - pr-ci-go
+      # - pr-ci-rust
+      # - pr-interop-test
     runs-on: ubuntu-22.04
     steps:
       - name: Verify all required jobs passed

@@ -22,43 +22,48 @@ module {:extern "software.amazon.cryptography.keystore.internaldafny.types" } Aw
     nameonly beaconKey: Option<Secret> := Option.None ,
     nameonly hmacKeys: Option<HmacKeyMap> := Option.None
   )
+  type BranchKeyIdentifier = string
   datatype BranchKeyMaterials = | BranchKeyMaterials (
-    nameonly branchKeyIdentifier: string ,
+    nameonly branchKeyIdentifier: BranchKeyIdentifier ,
     nameonly branchKeyVersion: Utf8Bytes ,
     nameonly encryptionContext: EncryptionContext ,
-    nameonly branchKey: Secret
+    nameonly branchKey: Secret ,
+    nameonly kmsArn: ComAmazonawsKmsTypes.KeyIdType ,
+    nameonly createTime: CreateTime ,
+    nameonly hierarchyVersion: HierarchyVersion
   )
   datatype CreateKeyInput = | CreateKeyInput (
-    nameonly branchKeyIdentifier: Option<string> := Option.None ,
+    nameonly branchKeyIdentifier: Option<BranchKeyIdentifier> := Option.None ,
     nameonly encryptionContext: Option<EncryptionContext> := Option.None
   )
   datatype CreateKeyOutput = | CreateKeyOutput (
-    nameonly branchKeyIdentifier: string
+    nameonly branchKeyIdentifier: BranchKeyIdentifier
   )
   datatype CreateKeyStoreInput = | CreateKeyStoreInput (
 
                                  )
   datatype CreateKeyStoreOutput = | CreateKeyStoreOutput (
     nameonly tableArn: ComAmazonawsDynamodbTypes.TableArn
   )
+  type CreateTime = string
   datatype Discovery = | Discovery (
 
                        )
   type EncryptionContext = map<Utf8Bytes, Utf8Bytes>
   datatype GetActiveBranchKeyInput = | GetActiveBranchKeyInput (
-    nameonly branchKeyIdentifier: string
+    nameonly branchKeyIdentifier: BranchKeyIdentifier
   )
   datatype GetActiveBranchKeyOutput = | GetActiveBranchKeyOutput (
     nameonly branchKeyMaterials: BranchKeyMaterials
   )
   datatype GetBeaconKeyInput = | GetBeaconKeyInput (
-    nameonly branchKeyIdentifier: string
+    nameonly branchKeyIdentifier: BranchKeyIdentifier
   )
   datatype GetBeaconKeyOutput = | GetBeaconKeyOutput (
     nameonly beaconKeyMaterials: BeaconKeyMaterials
   )
   datatype GetBranchKeyVersionInput = | GetBranchKeyVersionInput (
-    nameonly branchKeyIdentifier: string ,
+    nameonly branchKeyIdentifier: BranchKeyIdentifier ,
     nameonly branchKeyVersion: string
   )
   datatype GetBranchKeyVersionOutput = | GetBranchKeyVersionOutput (
@@ -72,6 +77,8 @@ module {:extern "software.amazon.cryptography.keystore.internaldafny.types" } Aw
     nameonly kmsConfiguration: KMSConfiguration
   )
   type GrantTokenList = seq<string>
+  datatype HierarchyVersion =
+    | v1
   type HmacKeyMap = map<string, Secret>
   class IKeyStoreClientCallHistory {
     ghost constructor() {

@@ -62,6 +62,18 @@ service KeyStore {
   errors: [KeyStoreException]
 }
 
+@documentation("The identifier for the Branch Key.")
+string BranchKeyIdentifier
+
+@documentation("Timestamp in ISO 8601 format in UTC, to microsecond precision, that this Branch Key Item's Material was generated.")
+string CreateTime
+
+@documentation("Schema Version of the Branch Key. All items of the same Branch Key SHOULD have the same hierarchy-version. The hierarchy-version determines how the Branch Key Store protects and validates the branch key.")
+@enum([
+  { name: "v1", value: "1" }
+])
+string HierarchyVersion
+
 structure KeyStoreConfig {
 
   //= aws-encryption-sdk-specification/framework/branch-key-store.md#initialization
@@ -192,18 +204,16 @@ operation CreateKey {
 //# - An optional branch key id
 //# - An optional encryption context
 structure CreateKeyInput {
-  @javadoc("The identifier for the created Branch Key.")
-  branchKeyIdentifier: String,
+  branchKeyIdentifier: BranchKeyIdentifier,
 
-  @javadoc("Custom encryption context for the Branch Key. Required if branchKeyIdentifier is set.")
+  @documentation("Encryption context for the Branch Key. Required if branchKeyIdentifier is set.")
   encryptionContext: EncryptionContext
 }
 
 @javadoc("Outputs for Branch Key creation.")
 structure CreateKeyOutput {
   @required
-  @javadoc("A identifier for the created Branch Key.")
-  branchKeyIdentifier: String
+  branchKeyIdentifier: BranchKeyIdentifier
 }
 
 // VersionKey will create a new branch key under the 
@@ -240,8 +250,7 @@ operation GetActiveBranchKey {
 @javadoc("Inputs for getting a Branch Key's ACTIVE version.")
 structure GetActiveBranchKeyInput {
   @required
-  @javadoc("The identifier for the Branch Key to get the ACTIVE version for.")
-  branchKeyIdentifier: String
+  branchKeyIdentifier: BranchKeyIdentifier
 }
 
 @javadoc("Outputs for getting a Branch Key's ACTIVE version.")
@@ -267,8 +276,7 @@ structure GetBranchKeyVersionInput {
   //= type=implication
   //# - MUST supply a `branch-key-id`
   @required
-  @javadoc("The identifier for the Branch Key to get a particular version for.")
-  branchKeyIdentifier: String,
+  branchKeyIdentifier: BranchKeyIdentifier,
 
   //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
   //= type=implication
@@ -298,7 +306,7 @@ structure GetBeaconKeyInput {
   //# - MUST supply a `branch-key-id`
   @required
   @javadoc("The identifier of the Branch Key the Beacon Key is associated with.")
-  branchKeyIdentifier: String
+  branchKeyIdentifier: BranchKeyIdentifier
 }
 
 @javadoc("Outputs for getting a Beacon Key")
@@ -320,9 +328,12 @@ list GrantTokenList {
 //# - [Branch Key Id](#branch-key-id)
 //# - [Branch Key Version](#branch-key-version)
 //# - [Encryption Context](#encryption-context-3)
+//# - [KMS ARN](#kms-arn)
+//# - [Create Time](#create-time)
+//# - [Hierarchy Version](#hierarchy-version)
 structure BranchKeyMaterials {
     @required
-    branchKeyIdentifier: String,
+    branchKeyIdentifier: BranchKeyIdentifier,
 
     @required
     branchKeyVersion: Utf8Bytes,
@@ -331,7 +342,17 @@ structure BranchKeyMaterials {
     encryptionContext: EncryptionContext,
 
     @required
-    branchKey: Secret,
+    branchKey: Secret
+
+    @required
+    @documentation("The AWS KMS Key ARN used to protect this Branch Key.")
+    kmsArn: com.amazonaws.kms#KeyIdType
+
+    @required
+    createTime: CreateTime
+
+    @required
+    hierarchyVersion: HierarchyVersion
 }
 
 structure BeaconKeyMaterials {

@@ -0,0 +1,48 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+module {:options "/functionSyntax:4" } PrefixUtils {
+  // import opened Structure
+
+  function AddingPrefixToKeysOfMapDoesNotCreateCollisions(
+    nameonly prefix: string,
+    nameonly aMap: map<string, string>
+  ): (output: map<string, string>)
+    ensures forall k <- aMap
+              ::
+                && prefix + k in output
+                && output[prefix + k] == aMap[k]
+  {
+    // Dafny needs some help.
+    // Adding a fixed string
+    // will not make any of the keys collide.
+    // However, this leaks a lot of complexity.
+    // This is why the function is now opaque.
+    // Otherwise things timeout
+    assert forall k <- aMap.Keys
+        ::
+          k == (prefix + k)[|prefix|..];
+
+    map k <- aMap :: prefix + k := aMap[k]
+  }
+
+  opaque function FilterMapForKeysThatDoNotBeginWithPrefix (
+    nameonly prefix: string,
+    nameonly aMap: map<string, string>
+  ): (output: map<string, string>)
+    ensures forall k <- output
+              ::
+                && !( prefix < k)
+                && k in aMap
+                && output[k] == aMap[k]
+  {
+    var filteredKeys
+      :=
+      set k <- aMap
+          | !(prefix < k)
+        ::
+          k;
+    map i <- filteredKeys :: i := aMap[i]
+  }
+
+}