trelent-hyok 0.1.12

A Rust library implementing Hold Your Own Key (HYOK) encryption patterns with support for multiple cloud providers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

//! AWS Key Management Service (KMS) integration.
//!
//! This module provides integration with AWS KMS for key management operations.
//! It supports:
//!
//! - Key encryption/decryption
//! - Multiple encryption algorithms
//! - AWS KMS key aliases and ARNs
//! - Error handling for AWS operations

#![cfg(feature = "aws")]

use crate::cmk::CMKTrait;
use crate::error::cmk::CMKError;
use async_trait::async_trait;
use aws_sdk_kms::primitives::Blob;
use aws_sdk_kms::types::EncryptionAlgorithmSpec;
use aws_sdk_kms::Client;
use std::sync::Arc;

/// AWS Customer Managed Key implementation using AWS KMS.
///
/// This CMK implementation:
/// - Uses AWS KMS for cryptographic operations
/// - Supports multiple encryption algorithms
/// - Handles key aliases and ARNs
/// - Provides proper error handling
///
/// # Security
///
/// This implementation:
/// - Uses AWS KMS for key protection
/// - Supports key rotation
/// - Provides audit logging
/// - Enables access control via IAM
///
/// # Costs
///
/// Be aware that AWS KMS operations incur costs based on:
/// - Number of API calls
/// - Key storage duration
/// - Key usage volume
///
/// # Example
/// ```no_run
/// use std::sync::Arc;
/// use aws_sdk_kms::{Client, types::EncryptionAlgorithmSpec};
/// use hyokashi::AwsCMK;
///
/// async {
///     let client = Arc::new(Client::new(&aws_config::load_from_env().await));
///     let cmk = AwsCMK::new(
///         client,
///         "alias/my-key".to_string(),
///         EncryptionAlgorithmSpec::RsaesOaepSha256,
///     );
///
///     // Encrypt some data
///     let data = vec![1, 2, 3];
///     let encrypted = cmk.encrypt(data).await?;
///
///     // Decrypt the data
///     let decrypted = cmk.decrypt(encrypted).await?;
///     # Ok::<(), Box<dyn std::error::Error>>(())
/// };
/// ```
pub struct AwsCMK {
    pub(crate) client: Arc<Client>,
    pub(crate) key_name: String,
    pub(crate) encryption_algorithm: EncryptionAlgorithmSpec,
}

impl AwsCMK {
    /// Creates a new `AwsCMK` instance from an AWS KMS client, a key name, and an encryption algorithm.
    ///
    /// # Arguments
    ///
    /// * `client` - An `Arc` wrapping the AWS KMS client.
    /// * `key_name` - The AWS KMS key alias or ARN used to identify the key.
    /// * `encryption_algorithm` - The desired encryption algorithm.
    ///
    /// # Returns
    ///
    /// A new `AwsCMK` configured with the specified client, key, and algorithm.
    pub fn new(
        client: Arc<Client>,
        key_name: String,
        encryption_algorithm: EncryptionAlgorithmSpec
    ) -> Self {
        Self {
            client,
            key_name,
            encryption_algorithm,
        }
    }
}

#[async_trait]
impl CMKTrait for AwsCMK {
    /// Encrypts the specified plaintext data using the AWS CMK.
    ///
    /// # Arguments
    ///
    /// * `plaintext` - The plaintext bytes to be encrypted.
    ///
    /// # Errors
    ///
    /// Returns a `CMKError` if encryption fails in the AWS KMS service.
    ///
    /// # Examples
    ///
    /// ```no_run
    /// // let cmk = AwsCMK::new(/* ... */);
    /// // let encrypted = cmk.encrypt(vec![1, 2, 3]).await?;
    /// ```
    async fn encrypt(&self, plaintext: Vec<u8>) -> Result<Vec<u8>, CMKError> {
        let blob = Blob::new(plaintext);

        let encrypted = self.client
            .encrypt()
            .key_id(&self.key_name)
            .encryption_algorithm(self.encryption_algorithm.clone())
            .plaintext(blob)
            .send();
        match encrypted.await {
            Ok(encrypted) =>
                match encrypted.ciphertext_blob() {
                    Some(ciphertext) => Ok(ciphertext.clone().into_inner()),
                    None => Err(CMKError("CMK returned no ciphertext".to_owned())),
                }
            Err(e) => Err(CMKError(format!("Could not encrypt plaintext, Error: {:?}", e))),
        }
    }

    /// Decrypts the specified ciphertext data using the AWS CMK.
    ///
    /// # Arguments
    ///
    /// * `ciphertext` - The ciphertext bytes to be decrypted.
    ///
    /// # Errors
    ///
    /// Returns a `CMKError` if decryption fails in the AWS KMS service.
    ///
    /// # Examples
    ///
    /// ```no_run
    /// // let cmk = AwsCMK::new(/* ... */);
    /// // let decrypted = cmk.decrypt(some_encrypted_data).await?;
    /// ```
    async fn decrypt(&self, ciphertext: Vec<u8>) -> Result<Vec<u8>, CMKError> {
        let blob = Blob::new(ciphertext);

        let decrypted = self.client
            .decrypt()
            .key_id(&self.key_name)
            .encryption_algorithm(self.encryption_algorithm.clone())
            .ciphertext_blob(blob)
            .send();
        match decrypted.await {
            Ok(decrypted) =>
                match decrypted.plaintext() {
                    Some(plaintext) => Ok(plaintext.clone().into_inner()),
                    None => Err(CMKError("CMK returned no plaintext".to_string())),
                }
            Err(e) => Err(CMKError(format!("Could not decrypt ciphertext, Error: {:?}", e))),
        }
    }
}