cloudopsy
diff --git a/‎example/main.go
Lines changed: 1 addition & 1 deletion b/‎example/main.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎example/sm/main.go
Lines changed: 1 addition & 1 deletion b/‎example/sm/main.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎example/sm/sm
-176 Bytes b/‎example/sm/sm
-176 Bytes
diff --git a/‎go.mod
Lines changed: 6 additions & 7 deletions b/‎go.mod
Lines changed: 6 additions & 7 deletions
diff --git a/‎go.sum
Lines changed: 8 additions & 19 deletions b/‎go.sum
Lines changed: 8 additions & 19 deletions
diff --git a/‎internal/fakekms/fakekms.go
Lines changed: 121 additions & 0 deletions b/‎internal/fakekms/fakekms.go
Lines changed: 121 additions & 0 deletions
@@ -16,7 +16,7 @@ import (
 
 const (
 	awsRegion         = "eu-west-2"
-	keyURI            = "aws-kms://arn:aws:kms:eu-west-2:076594877490:key/02813db0-b23a-420c-94b0-bdceb08e121b"
+	keyURI            = "arn:aws:kms:eu-west-2:076594877490:key/02813db0-b23a-420c-94b0-bdceb08e121b"
 	dynamoDBTableName = "meta"
 )
 
 
@@ -148,7 +148,7 @@ func main() {
 
 	tableName := "UserSecretsTest"
 
-	keyURI := "aws-kms://arn:aws:kms:eu-west-2:076123456789:key/02813db0-b23a-420c-94b0-bdceb08e121b"
+	keyURI := "aws-kms://arn:aws:kms:eu-west-2:076594877490:key/02813db0-b23a-420c-94b0-bdceb08e121b"
 
 	// Create DynamoDB client
 	dynamoDBClient := dynamodb.NewFromConfig(cfg)
 
@@ -3,13 +3,12 @@ module github.com/cloudopsy/dynamodb-encryption-go
 go 1.21.7
 
 require (
-	github.com/aws/aws-sdk-go v1.51.6
+	github.com/aws/aws-sdk-go v1.51.8
 	github.com/aws/aws-sdk-go-v2 v1.26.0
 	github.com/aws/aws-sdk-go-v2/config v1.27.9
-	github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.11
+	github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.12
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.31.0
-	github.com/stretchr/testify v1.9.0
-	github.com/tink-crypto/tink-go-awskms v0.0.0-20230616072154-ba4f9f22c3e9
+	github.com/google/go-cmp v0.6.0
 	github.com/tink-crypto/tink-go/v2 v2.1.0
 )
 
@@ -29,10 +28,10 @@ require (
 	github.com/aws/smithy-go v1.20.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/tink-crypto/tink-go v0.0.0-20230613075026-d6de17e3f164 // indirect
+	github.com/tink-crypto/tink-go-awskms v0.0.0-20230616072154-ba4f9f22c3e9 // indirect
+	github.com/tink-crypto/tink-go-awskms/v2 v2.0.0 // indirect
 	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
@@ -1,21 +1,13 @@
-github.com/aws/aws-sdk-go v1.51.4 h1:yOVfGhRJyReBrACK0alLosJl8iXhWkNY1vrePYmhHdw=
-github.com/aws/aws-sdk-go v1.51.4/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
-github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU=
-github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.51.8 h1:tD7gQq5XKuKdhA6UMEH26ZNQH0s+HbL95rzv/ACz5TQ=
+github.com/aws/aws-sdk-go v1.51.8/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=
 github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
-github.com/aws/aws-sdk-go-v2/config v1.27.8 h1:0r8epOsiJ7YJz65MGcb8i91ehFp4kvvFe2qkq5oYeRI=
-github.com/aws/aws-sdk-go-v2/config v1.27.8/go.mod h1:XsmYKxYNuIhLsFddpNds+j9H5XKzjWDdg/SZngiwFio=
 github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg=
 github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.8 h1:WUdNLXbyNbU07V/WFrSOBXqZTDgmmMNMgUFzpYOKJhw=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.8/go.mod h1:iPZzLpaBIfhyvVS/XGD3JvR1GP3YdHTqpySKDlqkfs8=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ=
-github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.11 h1:nyWawIVs7Y75DuNhh6vao/qmKKWS56zUuWt/+dOE5iI=
-github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.11/go.mod h1:5WPGXfp9+ss7gYsZ5QjJeY16qTpCLaIcQItE7Yw7ld4=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.4 h1:S+L2QSKhUuShih3aq9P/mkzDBiOO5tTyVg+vXREfsfg=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.4/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
+github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.12 h1:q6f5Y1gcGQVz53Q4WcACo6y1sP2VuNGZPW4JtWhwplI=
+github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.12/go.mod h1:5WPGXfp9+ss7gYsZ5QjJeY16qTpCLaIcQItE7Yw7ld4=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM=
@@ -54,12 +46,12 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfC
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tink-crypto/tink-go v0.0.0-20230613075026-d6de17e3f164 h1:yhVO0Yhq84FjdcotvFFvDJRNHJ7mO743G12VdcW4Evc=
+github.com/tink-crypto/tink-go v0.0.0-20230613075026-d6de17e3f164/go.mod h1:HhtDVdE/PRZFRia834tkmcwuscnaAzda1RJUW9Pr3Rg=
 github.com/tink-crypto/tink-go-awskms v0.0.0-20230616072154-ba4f9f22c3e9 h1:MoIsYvBNJd8vkKZjLYloE3OK8bfcO10cMPw/EtydMBs=
 github.com/tink-crypto/tink-go-awskms v0.0.0-20230616072154-ba4f9f22c3e9/go.mod h1:TTE4PoQLsYB5jQ1kK2g7WU4wzHg0Arn1CEozIUXiGSY=
+github.com/tink-crypto/tink-go-awskms/v2 v2.0.0 h1:UT9z5+ofB2i1LXuuQlaRRxogToKQ5wO3fSDVpuUselA=
+github.com/tink-crypto/tink-go-awskms/v2 v2.0.0/go.mod h1:pm7AWeeSzYjPLFKoBTPcuzlMX1DDaKyaIOYdVbsy168=
 github.com/tink-crypto/tink-go/v2 v2.1.0 h1:QXFBguwMwTIaU17EgZpEJWsUSc60b1BAGTzBIoMdmok=
 github.com/tink-crypto/tink-go/v2 v2.1.0/go.mod h1:y1TnYFt1i2eZVfx4OGc+C+EMp4CoKWAw2VSEuoicHHI=
 golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
@@ -68,9 +60,6 @@ golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -0,0 +1,121 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+// Package fakeawskms provides a partial fake implementation of kmsiface.KMSAPI.
+package fakeawskms
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"sort"
+
+	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/aws/aws-sdk-go/service/kms/kmsiface"
+	"github.com/tink-crypto/tink-go/v2/aead"
+	"github.com/tink-crypto/tink-go/v2/keyset"
+	"github.com/tink-crypto/tink-go/v2/tink"
+)
+
+type fakeAWSKMS struct {
+	kmsiface.KMSAPI
+	aeads  map[string]tink.AEAD
+	keyIDs []string
+}
+
+// serializeContext serializes the context map in a canonical way into a byte array.
+func serializeContext(context map[string]*string) []byte {
+	names := make([]string, 0, len(context))
+	for name := range context {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	b := new(bytes.Buffer)
+	b.WriteString("{")
+	for i, name := range names {
+		if i > 0 {
+			b.WriteString(",")
+		}
+		fmt.Fprintf(b, "%q:%q", name, *context[name])
+	}
+	b.WriteString("}")
+	return b.Bytes()
+}
+
+// New returns a new fake AWS KMS API.
+func New(validKeyIDs []string) (kmsiface.KMSAPI, error) {
+	aeads := make(map[string]tink.AEAD)
+	for _, keyID := range validKeyIDs {
+		handle, err := keyset.NewHandle(aead.AES256GCMKeyTemplate())
+		if err != nil {
+			return nil, err
+		}
+		a, err := aead.New(handle)
+		if err != nil {
+			return nil, err
+		}
+		aeads[keyID] = a
+	}
+	return &fakeAWSKMS{
+		aeads:  aeads,
+		keyIDs: validKeyIDs,
+	}, nil
+}
+
+func (f *fakeAWSKMS) Encrypt(request *kms.EncryptInput) (*kms.EncryptOutput, error) {
+	a, ok := f.aeads[*request.KeyId]
+	if !ok {
+		return nil, fmt.Errorf("unknown keyID: %q not in %q", *request.KeyId, f.keyIDs)
+	}
+	serializedContext := serializeContext(request.EncryptionContext)
+	ciphertext, err := a.Encrypt(request.Plaintext, serializedContext)
+	if err != nil {
+		return nil, err
+	}
+	return &kms.EncryptOutput{
+		CiphertextBlob: ciphertext,
+		KeyId:          request.KeyId,
+	}, nil
+}
+
+func (f *fakeAWSKMS) Decrypt(request *kms.DecryptInput) (*kms.DecryptOutput, error) {
+	serializedContext := serializeContext(request.EncryptionContext)
+	if request.KeyId != nil {
+		a, ok := f.aeads[*request.KeyId]
+		if !ok {
+			return nil, fmt.Errorf("unknown keyID: %q not in %q", *request.KeyId, f.keyIDs)
+		}
+		plaintext, err := a.Decrypt(request.CiphertextBlob, serializedContext)
+		if err != nil {
+			return nil, fmt.Errorf("decryption with keyID %q failed", *request.KeyId)
+		}
+		return &kms.DecryptOutput{
+			Plaintext: plaintext,
+			KeyId:     request.KeyId,
+		}, nil
+	}
+	// When KeyId is not set, try out all AEADs.
+	for keyID, a := range f.aeads {
+		plaintext, err := a.Decrypt(request.CiphertextBlob, serializedContext)
+		if err == nil {
+			return &kms.DecryptOutput{
+				Plaintext: plaintext,
+				KeyId:     &keyID,
+			}, nil
+		}
+	}
+	return nil, errors.New("unable to decrypt message")
+}
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ import (`
`16`	`16`
`17`	`17`	`const (`
`18`	`18`	`awsRegion = "eu-west-2"`
`19`		`- keyURI = "aws-kms://arn:aws:kms:eu-west-2:076594877490:key/02813db0-b23a-420c-94b0-bdceb08e121b"`
	`19`	`+ keyURI = "arn:aws:kms:eu-west-2:076594877490:key/02813db0-b23a-420c-94b0-bdceb08e121b"`
`20`	`20`	`dynamoDBTableName = "meta"`
`21`	`21`	`)`
`22`	`22`