
chore: update for mrk support in keystore #267


Merged
merged 4 commits into from
Apr 19, 2024
29 changes: 22 additions & 7 deletions framework/branch-key-store.md
Expand Up @@ -89,6 +89,21 @@ The table name of the DynamoDb table that backs this Keystore.
A valid [AWS KMS Key ARN](./aws-kms/aws-kms-key-arn.md#a-valid-aws-kms-arn)
that wraps and unwraps keys stored in Amazon DynamoDB.

The KMS Configuration MUST distinguish between single region ARN compatibility and MRK ARN compatibility.

Both compatibility modes are allowed with both mrk ARN's and single region ARNs.

#### AWS Key ARN Compatibility

For two ARNs to be compatible:

If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
then two ARNs are compatible if they are exactly equal.

If the [AWS KMS Configuration](#aws-kms-configuration) designates MRK ARN compatibility,
then two ARNs are compatible if they are equal in all parts other than the region.
That is, they are compatible if [AWS KMS MRK Match for Decrypt](aws-kms/aws-kms-mrk-match-for-decrypt.md#implementation) returns true.

### Logical KeyStore Name

This name is cryptographically bound to all data stored in this table,
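Review bot: the two definitions of MRK compatibility in this hunk are not obviously equivalent, and one of them should be marked as normative. "equal in all parts other than the region" would accept any two ARNs that differ only in region, yet the line above it allows MRK compatibility mode to be used with single region ARNs as well; the linked AWS KMS MRK Match for Decrypt is the precise rule, so the "That is" sentence is better promoted to the definition ("two ARNs are compatible if and only if [AWS KMS MRK Match for Decrypt] returns true") with the region sentence kept as an informative gloss. Also, "For two ARNs to be compatible:" is a dangling fragment, "mrk ARN's" should read "MRK ARNs", and the section should say how the mode is selected in the AWS KMS Configuration and which mode applies when none is given, since exact equality is the stricter of the two and is the safer default.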
Expand Down Expand Up @@ -206,7 +221,7 @@ The operation MUST call [AWS KMS API GenerateDataKeyWithoutPlaintext](https://do
The call to AWS KMS GenerateDataKeyWithoutPlaintext MUST use the configured AWS KMS client to make the call.
The operation MUST call AWS KMS GenerateDataKeyWithoutPlaintext with a request constructed as follows:

- `KeyId` MUST be the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore
- `KeyId` MUST be [compatible with](#aws-key-arn-compatibility) the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore.
- `NumberOfBytes` MUST be 32.
- `EncryptionContext` MUST be the [encryption context for beacon keys](#beacon-key-encryption-context).
- `GrantTokens` MUST be this keystore's [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
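Review bot: "compatible with" does not fit a request-construction rule here. Compatibility is defined above as a relation between two ARNs, but when the keystore builds this GenerateDataKeyWithoutPlaintext request there is only the configured ARN to choose from, so the bullet no longer says which value the implementation actually sends as `KeyId`. Suggest keeping the original wording on create paths ("`KeyId` MUST be the configured `AWS KMS Key ARN` ...") and reserving the compatibility check for paths where an ARN obtained from somewhere else is compared against the configuration.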
Expand All @@ -222,7 +237,7 @@ The operation MUST call [AWS KMS API GenerateDataKeyWithoutPlaintext](https://do
The call to AWS KMS GenerateDataKeyWithoutPlaintext MUST use the configured AWS KMS client to make the call.
The operation MUST call AWS KMS GenerateDataKeyWithoutPlaintext with a request constructed as follows:

- `KeyId` MUST be the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore
- `KeyId` MUST be [compatible with](#aws-key-arn-compatibility) the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore.
- `NumberOfBytes` MUST be 32.
- `EncryptionContext` MUST be the [DECRYPT_ONLY encryption context for branch keys](#decrypt_only-encryption-context).
- GenerateDataKeyWithoutPlaintext `GrantTokens` MUST be this keystore's [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
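Review bot: same issue as the beacon key call above: `KeyId` is chosen by the keystore when generating the DECRYPT_ONLY branch key, so "compatible with" should remain "the configured `AWS KMS Key ARN`"; as written, an implementation could satisfy the bullet by sending any ARN that happens to be compatible rather than the one the operator configured.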
Expand All @@ -235,10 +250,10 @@ The operation MUST call [AWS KMS API ReEncrypt](https://docs.aws.amazon.com/kms/
with a request constructed as follows:

- `SourceEncryptionContext` MUST be the [DECRYPT_ONLY encryption context for branch keys](#decrypt_only-encryption-context).
- `SourceKeyId` MUST be the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore
- `SourceKeyId` MUST be [compatible with](#aws-key-arn-compatibility) the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore.
- `CiphertextBlob` MUST be the wrapped DECRYPT_ONLY Branch Key.
- ReEncrypt `GrantTokens` MUST be this keystore's [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
- `DestinationKeyId` MUST be the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore
- `DestinationKeyId` MUST be [compatible with](#aws-key-arn-compatibility) the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore.
- `DestinationEncryptionContext` MUST be the [ACTIVE encryption context for branch keys](#active-encryption-context).

If the call to AWS KMS ReEncrypt succeeds,
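Review bot: with both `SourceKeyId` and `DestinationKeyId` now only required to be "compatible with" the configured ARN, the hunk no longer says whether the two may differ from each other, or from the `KeyId` used for GenerateDataKeyWithoutPlaintext earlier in the same operation. This ReEncrypt moves the wrapped DECRYPT_ONLY Branch Key to the ACTIVE encryption context; if the key is meant to stay under the same KMS key, state that `SourceKeyId` and `DestinationKeyId` MUST be the same ARN that generated it, rather than two independently compatible values.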
Expand Down Expand Up @@ -361,10 +376,10 @@ The operation MUST call [AWS KMS API ReEncrypt](https://docs.aws.amazon.com/kms/
with a request constructed as follows:

- `SourceEncryptionContext` MUST be the [encryption context](#encryption-context) constructed above
- `SourceKeyId` MUST be the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore
- `SourceKeyId` MUST be [compatible with](#aws-key-arn-compatibility) the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore.
- `CiphertextBlob` MUST be the `enc` attribute value on the AWS DDB response item
- `GrantTokens` MUST be the configured [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
- `DestinationKeyId` MUST be the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore
- `DestinationKeyId` MUST be [compatible with](#aws-key-arn-compatibility) the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore.
- `DestinationEncryptionContext` MUST be the [encryption context](#encryption-context) constructed above

### GetActiveBranchKey
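Review bot: "compatible with" names only one side of the comparison. `CiphertextBlob` is taken from the DDB item, so the reader needs to know which ARN the request actually carries (the configured one, presumably) and which ARN it is being checked against before the call; otherwise neither an implementer nor a test can tell when the bullet is satisfied. Suggest splitting this into a check step (the ARN being compared MUST be compatible with the configured `AWS KMS Key ARN`) and a request bullet that names the ARN sent as `SourceKeyId` and `DestinationKeyId`. The two edited bullets also now end with a period while the neighbouring bullets do not.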
Expand Down Expand Up @@ -503,7 +518,7 @@ The key `enc` MUST NOT exist in the constructed [encryption context](#encryption
When calling [AWS KMS Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html),
the keystore operation MUST call with a request constructed as follows:

- `KeyId` MUST be the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore
- `KeyId` MUST be [compatible with](#aws-key-arn-compatibility) the configured `AWS KMS Key ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore.
- `CiphertextBlob` MUST be the `enc` attribute value on the AWS DDB response item
- `EncryptionContext` MUST be the [encryption context](#encryption-context) constructed above
- `GrantTokens` MUST be this keystore's [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
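Review bot: same question as for the ReEncrypt bullets: `KeyId` is a value the keystore places in the Decrypt request, so the bullet should say which ARN that is and what it is compared against under each compatibility mode, so that an implementation cannot satisfy it by sending a different compatible ARN than the one intended. The edited bullet also ends with a period while the two bullets after it do not.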