Skip to content

chore: add more interop tests#2131

Merged
rishav-karanjit merged 61 commits into
ddbec-with-sdk-v2from
directKMSmaterial
Mar 19, 2026
Merged

chore: add more interop tests#2131
rishav-karanjit merged 61 commits into
ddbec-with-sdk-v2from
directKMSmaterial

Conversation

@rishav-karanjit

@rishav-karanjit rishav-karanjit commented Mar 13, 2026

Copy link
Copy Markdown
Member

Issue #, if available:

Description of changes:

  • This PR makes the interop test to allow more configuration to read from scenarios.json and then add more test scenarios in scenario.json
  • CI failure: The CI failure is unrelated to the diff.
    • Check Release Files CI is failing because there has been updates to the release file in main and I have not merged from main.
    • Check TODOs in code is failing because I commented running DB-ESDK examples and added todo to remove the comment. The plan is to revert the comment before merging to main.
    • not grep will pass once I merge from main.
    • I see some Rust flaky failure which will be less flaky when I merge from main.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

This reverts commit 24a064f.
Add optional Map<String, String> materialDescription field with
@JsonProperty("material_description") to the Scenario inner class
in both sdkv1 and sdkv2 ScenarioManifest. This allows test scenarios
to specify a custom material description (e.g. AES/128) that gets
passed through to the KMS materials provider constructor.

Existing scenarios without this field will deserialize as null thanks
to @JsonIgnoreProperties(ignoreUnknown = true) on Scenario.
Add materialDescription parameter to createProvider() and use the
3-arg DirectKmsMaterialsProvider constructor when a non-empty
materialDescription is present. This enables scenarios that specify
a custom encryption algorithm (e.g. AES/128) via the scenario manifest.

Metastore provider calls pass null since metastores don't use custom
material descriptions. Main provider calls pass scenario.materialDescription.
…olisticIT

Add materialDescription parameter to createProvider() and use the
3-arg DirectKmsMaterialProvider constructor when a non-empty
materialDescription is present. All 8 call sites updated: metastore
provider calls pass null, main provider calls pass
scenario.materialDescription.

Mirrors the equivalent change in sdkv2 HolisticIT.
Add a new v1 scenario that uses the awskms provider with
material_description {"amzn-ddb-env-alg": "AES/128"} to test
encryption with a 128-bit content encryption key instead of the
default 256-bit. Points to a new ciphertext vector file
aws-kms-aes128-1.json (to be generated separately).
Add generateKmsAes128Vector() to sdkv2 HolisticIT as a disabled
(@test(enabled = false)) one-off test. When temporarily enabled, it:
1. Creates a DirectKmsMaterialsProvider with {amzn-ddb-env-alg: AES/128}
2. Encrypts standard test data (all 4 record types + HashKeyOnly + KeysOnly)
3. Prints the DynamoDB tables as JSON in the test vector format

To generate the vector file:
  1. Set enabled = true
  2. Run the test and capture stdout
  3. Save as ciphertext/java/aws-kms-aes128-1.json
  4. Set enabled = false again
Add aws-kms-aes128-1.json containing 13 TableName items (4 standard
record types + 9 KeysOnly) and 3 HashKeyOnly items, all encrypted
using DirectKmsMaterialsProvider with {amzn-ddb-env-alg: AES/128}.

Update the generator test to also write HashKeyOnly and KeysOnly
items (which generateStandardData does not produce), then disable
the generator (@test(enabled = false)) now that the vector is committed.
Base automatically changed from encryption-context-test to ddbec-with-sdk-v2 March 13, 2026 20:05
This reverts commit a374774.
When a scenario specifies material_description, verify that each
value (e.g. AES/128) appears in the *amzn-ddb-map-desc* blob of
every encrypted record in the ciphertext vector file. This proves
the ciphertext was actually encrypted with the claimed algorithm,
not just that the SDK can decrypt it.

Also restores scenarios.json to AES/128 (was temporarily changed
to AES/256 for manual verification).
This reverts commit f660950.
@github-actions

Copy link
Copy Markdown

Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS

Rewrite the wrapped case in createProvider() for both sdkv1 and sdkv2
to handle all 4 wrapping/signing combinations:
- AES wrapping + HMAC signing (existing)
- AES wrapping + RSA signing (new)
- RSA wrapping + HMAC signing (new)
- RSA wrapping + RSA signing (existing)

Uses a 2x2 check on decrypt key type x verify key type to select
the correct WrappedMaterialsProvider or AsymmetricStaticProvider
constructor.

Add two new scenarios to scenarios.json and corresponding generators
in CipherTextGeneratorIT. Both are network: false (no AWS credentials
needed).
@github-actions

Copy link
Copy Markdown

Detected changes to the release files or to the check-files action

@github-actions

Copy link
Copy Markdown

Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS

@github-actions

Copy link
Copy Markdown

Detected changes to the release files or to the check-files action

@github-actions

Copy link
Copy Markdown

Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS

@github-actions

Copy link
Copy Markdown

Detected changes to the release files or to the check-files action

@github-actions

Copy link
Copy Markdown

Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS

@github-actions

Copy link
Copy Markdown

Detected changes to the release files or to the check-files action

@github-actions

Copy link
Copy Markdown

Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to reviewer: these ciphertext are created with HolisticIT.java. It could be better to skip reviewing this JSON file and review encryptWithTestVector function in HolisticIT.java which generates this cipher.

@rishav-karanjit rishav-karanjit Mar 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to reviewer: The way DDBEC works is on encrypt/decrypt interop test, it reads this scenarios.json file, iterate each item and encrypt/decrypt based on these items.

@rishav-karanjit rishav-karanjit changed the title chore: add test for direct KMS material provider with AES 128 chore: add more interop tests Mar 17, 2026
@github-actions

Copy link
Copy Markdown

Detected changes to the release files or to the check-files action

@github-actions

Copy link
Copy Markdown

Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS

@github-actions

Copy link
Copy Markdown

Detected changes to the release files or to the check-files action

@github-actions

Copy link
Copy Markdown

Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS

@rishav-karanjit rishav-karanjit marked this pull request as ready for review March 17, 2026 20:35
@rishav-karanjit rishav-karanjit requested a review from a team as a code owner March 17, 2026 20:35

@lucasmcdonald3 lucasmcdonald3 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rishav-karanjit rishav-karanjit merged commit c06bc3a into ddbec-with-sdk-v2 Mar 19, 2026
39 of 45 checks passed
@rishav-karanjit rishav-karanjit deleted the directKMSmaterial branch March 19, 2026 17:12
rishav-karanjit pushed a commit that referenced this pull request Apr 16, 2026
## [4.0.0](v3.9.1...v4.0.0) (2026-04-16)

### ⚠ BREAKING CHANGES

* **.net:** Bump MPL V2 (#2145)

### feat

* **.net:** Bump MPL V2 ([#2145](#2145)) ([87c534b](87c534b))

### Fixes -- Java

* **java:** drop hkdf offset method ([#2222](#2222)) ([7aad5fb](7aad5fb))

### Maintenance -- Java

* **java:** Attempt to reduce flaky CI ([#2220](#2220)) ([987aec6](987aec6))
* **java:** attempt to reduce flaky CI failures ([#2203](#2203)) ([b4d88f1](b4d88f1))
* **java:** merge from main  ([53d6ba3](53d6ba3))
* **java:** shut down local DDB in test ([#2176](#2176)) ([fa1e151](fa1e151))

### Maintenance -- Rust

* **rust:** release v1.2.4 ([#2184](#2184)) ([6823d31](6823d31))

### Miscellaneous

* **.net:** add ddb local to .net release ([#2075](#2075)) ([db55bdf](db55bdf))
* **.net:** comment out testvectors from release ([#2076](#2076)) ([fdaa9e3](fdaa9e3))
* **.net:** fix release commands to include all json tv files ([#2072](#2072)) ([10f809d](10f809d))
* **.net:** pin mpl to latest ([#2065](#2065)) ([f6b64a6](f6b64a6))
* **.net:** reference submoduled mpl ([#2080](#2080)) ([be3f58f](be3f58f))
* add code coverage check ([#2171](#2171)) ([c2ae8e7](c2ae8e7))
* add DDBEC examples ([#2064](#2064)) ([9b7c284](9b7c284))
* add integration test and unit test ([#2139](#2139)) ([3cb8a96](3cb8a96))
* add migration examples  ([#2057](#2057)) ([18dbc50](18dbc50))
* add more interop tests ([#2131](#2131)) ([c06bc3a](c06bc3a))
* add multi order test ([#2170](#2170)) ([d09cd16](d09cd16))
* add test for DDBEC with sdk v2 ([#2126](#2126)) ([e3ac7cd](e3ac7cd))
* add user agent string ([#2172](#2172)) ([88c597c](88c597c))
* bump GitHub Actions to latest versions ([#2144](#2144)) ([92615d4](92615d4))
* **ci:** add workflow_dispatch and remove run on PR for daily CI ([#2218](#2218)) ([d6fd0fb](d6fd0fb))
* **ci:** daily ci for branches ([#2208](#2208)) ([fcc4b97](fcc4b97))
* **ci:** remove branch default to main ([#2219](#2219)) ([1a3d1f0](1a3d1f0))
* **CI:** run clippy ([#2181](#2181)) ([6b54985](6b54985))
* **ci:** run test on Java 21 and windows OS ([#2159](#2159)) ([6e702d8](6e702d8))
* **ci:** use snapshot builds ([#2083](#2083)) ([0124ca6](0124ca6))
* copy DDBEC with SDK v2 code as-is from internal ([#2047](#2047)) ([dc439b4](dc439b4))
* delete ddbec which uses AWS SDK Java v1 ([#2193](#2193)) ([bb74687](bb74687))
* **deps:** bump actions/checkout v5->v6 and setup-docker-macos-action v1.0.2->v1.1.0 ([#2130](#2130)) ([337c776](337c776))
* **deps:** update aws-lc-sys requirement from 0.38 to 0.39 in /DynamoDbEncryption/runtimes/rust ([#2149](#2149)) ([b76bcb7](b76bcb7))
* fix CI (almost) and make AWS SDK v1 compileOnly ([#2049](#2049)) ([e509a56](e509a56))
* merge from main ([e9f8259](e9f8259))
* merge from main 2nd try ([eb17468](eb17468))
* merge from main and fix ubuntu failing ([#2192](#2192)) ([3317b4d](3317b4d))
* move put cache after signature verification ([#2223](#2223)) ([49b8b67](49b8b67))
* refactor non-prod CI to only run Go targets ([#2134](#2134)) ([0d2622c](0d2622c))
* release aws-db-esdk v1.2.3 ([#2122](#2122)) ([888aaba](888aaba))
* Rename `Directkmsmaterialsprovider` to `Directkmsmaterialprovider` ([#2150](#2150)) ([4126efa](4126efa))
* rename and format ([#2118](#2118)) ([091b7b4](091b7b4))
* run java test on ubuntu ([#2167](#2167)) ([cffa72c](cffa72c))
* update internal legacy override with adapter pattern  ([#2054](#2054)) ([abbac83](abbac83))
* update readme and remove comments in CI ([#2158](#2158)) ([7e1c863](7e1c863))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants