Merge branch 'master' into custom-kms-client

Author: seebees

.github/workflows/ci_decrypt-oracle.yaml

@@ -11,8 +11,8 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
           # The oracle runs in a Python 3.6 Lamba
           python-version: 3.6
@@ -38,8 +38,8 @@ jobs:
           - flake8-tests
           - pylint-tests
     steps:
-        - uses: actions/checkout@v2
-        - uses: actions/setup-python@v1
+        - uses: actions/checkout@v3
+        - uses: actions/setup-python@v4
           with:
             python-version: 3.8
         - run: |

.github/workflows/ci_static-analysis.yaml

@@ -27,8 +27,8 @@ jobs:
           - black-check
           - isort-check
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.8
       - run: |

.github/workflows/ci_test-vector-handler.yaml

@@ -45,8 +45,8 @@ jobs:
           aws-access-key-id: ${{ secrets.INTEG_AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.INTEG_AWS_SECRET_ACCESS_KEY }}
           aws-region: us-west-2
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python }}
           architecture: ${{ matrix.architecture }}
@@ -72,8 +72,8 @@ jobs:
           - flake8-tests
           - pylint-tests
     steps:
-        - uses: actions/checkout@v2
-        - uses: actions/setup-python@v1
+        - uses: actions/checkout@v3
+        - uses: actions/setup-python@v4
           with:
             python-version: 3.8
         - run: |

.github/workflows/ci_tests.yaml

@@ -50,8 +50,8 @@ jobs:
           - os: macos-latest
             architecture: x86
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python }}
           architecture: ${{ matrix.architecture }}
@@ -71,8 +71,8 @@ jobs:
           - nocmk
           - test-upstream-requirements-py37
     steps:
-        - uses: actions/checkout@v2
-        - uses: actions/setup-python@v1
+        - uses: actions/checkout@v3
+        - uses: actions/setup-python@v4
           with:
             python-version: 3.7
         - run: |

.github/workflows/dependabot-auto-merge.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v1.2.1
+        uses: dependabot/fetch-metadata@v1.3.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Enable auto-merge for Dependabot PRs

.github/workflows/repo-sync.yml

@@ -9,7 +9,7 @@ jobs:
     environment: repo-sync
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - uses: repo-sync/github-sync@v2
       name: Sync repo to branch
       with:

CHANGELOG.rst

@@ -2,6 +2,14 @@
 Changelog
 *********
 
+3.1.1 -- 2022-06-20
+===================
+
+Maintenance
+-----------
+* Replace deprecated cryptography ``verify_interface`` with ``isinstance``
+  `#467 <https://github.com/aws/aws-encryption-sdk-python/pull/467>`_
+
 3.1.0 -- 2021-11-10
 ===================
 

SUPPORT_POLICY.rst

@@ -22,13 +22,13 @@ This table describes the current support status of each major version of the AWS
       - Next status
       - Next status date
     * - 1.x
-      - Maintenance
       - End of Support
-      - 2022-06-30
+      - 
+      - 
     * - 2.x
-      - Maintenance
       - End of Support
-      - 2022-07-01
+      - 
+      - 
     * - 3.x
       - General Availability 
       -

codebuild/release/prod-release.yml

@@ -4,8 +4,8 @@ env:
   variables:
     BRANCH: "master"
   secrets-manager:
-    TWINE_USERNAME: PyPiAdmin:username 
-    TWINE_PASSWORD: PyPiAdmin:password
+    TWINE_USERNAME: PyPiAPIToken:username 
+    TWINE_PASSWORD: PyPiAPIToken:password
 
 phases:
   install:

codebuild/release/test-release.yml

@@ -4,8 +4,8 @@ env:
   variables:
     BRANCH: "master"
   secrets-manager:
-    TWINE_USERNAME: TestPyPiCryptoTools:username 
-    TWINE_PASSWORD: TestPyPiCryptoTools:password
+    TWINE_USERNAME: TestPyPiAPIToken:username 
+    TWINE_PASSWORD: TestPyPiAPIToken:password
 
 phases:
   install:

decrypt_oracle/test/pylintrc

@@ -5,7 +5,8 @@ disable =
     missing-docstring,  # we don't write docstrings for tests
     bad-continuation,  # we let black handle this
     ungrouped-imports,  # we let isort handle this
-    consider-using-f-string # disable until 2022-05-05; 6 months after 3.5 deprecation
+    consider-using-f-string, # disable until 2022-05-05; 6 months after 3.5 deprecation
+    missing-timeout # disabling until we come up with a reasonable number
 
 [FORMAT]
 max-line-length = 120

dev_requirements/linter-requirements.txt

@@ -1,13 +1,13 @@
-bandit==1.7.3
-black==22.1.0
+bandit==1.7.4
+black==22.3.0
 doc8==0.10.1
 flake8==4.0.1
-flake8-bugbear==22.1.11
+flake8-bugbear==22.9.11
 flake8-docstrings==1.6.0
 flake8-print==4.0.0
 isort==5.10.1
 pyflakes==2.4.0
-pylint==2.12.2
-readme_renderer==32.0
+pylint==2.13.5
+readme_renderer==34.0
 seed-isort-config==2.2.0
-vulture==2.3
+vulture==2.3

dev_requirements/release-requirements.txt

@@ -1,4 +1,4 @@
 pypi-parker==0.1.2
-setuptools==60.9.3
-twine==3.8.0
+setuptools==62.0.0
+twine==4.0.1
 wheel==0.37.1

requirements.txt

@@ -1,4 +1,4 @@
 boto3>=1.10.0
-cryptography>=2.5.0
+cryptography>=3.4.0
 attrs>=17.4.0
 wrapt>=1.10.11

src/aws_encryption_sdk/identifiers.py

@@ -27,7 +27,7 @@
     # We only actually need these imports when running the mypy checks
     pass
 
-__version__ = "3.1.0"
+__version__ = "3.1.1"
 USER_AGENT_SUFFIX = "AwsEncryptionSdkPython/{}".format(__version__)
 
 

src/aws_encryption_sdk/internal/crypto/authentication.py

@@ -18,7 +18,6 @@
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
-from cryptography.utils import InterfaceNotImplemented, verify_interface
 
 from ...exceptions import NotSupportedError
 from .elliptic_curve import (
@@ -47,11 +46,9 @@ def __init__(self, algorithm, key):
 
     def _set_signature_type(self):
         """Ensures that the algorithm signature type is a known type and sets a reference value."""
-        try:
-            verify_interface(ec.EllipticCurve, self.algorithm.signing_algorithm_info)
-            return ec.EllipticCurve
-        except InterfaceNotImplemented:
+        if not isinstance(self.algorithm.signing_algorithm_info, type(ec.EllipticCurve)):
             raise NotSupportedError("Unsupported signing algorithm info")
+        return ec.EllipticCurve
 
     def _build_hasher(self):
         """Builds the hasher instance which will calculate the digest of all passed data.

src/aws_encryption_sdk/internal/crypto/elliptic_curve.py

@@ -18,14 +18,13 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.asymmetric.utils import Prehashed, decode_dss_signature, encode_dss_signature
-from cryptography.utils import InterfaceNotImplemented, int_to_bytes, verify_interface
+from cryptography.utils import int_to_bytes
 
 from ...exceptions import NotSupportedError
 from ..str_ops import to_bytes
 
 _LOGGER = logging.getLogger(__name__)
 
-
 # Curve parameter values are included strictly as a temporary measure
 #  until they can be rolled into the cryptography.io library.
 # Expanded values from http://www.secg.org/sec2-v2.pdf
@@ -44,10 +43,10 @@
         order=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973,
     ),
     "secp521r1": _ECCCurveParameters(
-        p=0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,  # noqa pylint: disable=line-too-long
-        a=0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC,  # noqa pylint: disable=line-too-long
-        b=0x0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00,  # noqa pylint: disable=line-too-long
-        order=0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409,  # noqa pylint: disable=line-too-long
+        p=0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, # noqa pylint: disable=line-too-long
+        a=0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC, # noqa pylint: disable=line-too-long
+        b=0x0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00, # noqa pylint: disable=line-too-long
+        order=0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409, # noqa pylint: disable=line-too-long
     ),
 }
 
@@ -182,8 +181,6 @@ def generate_ecc_signing_key(algorithm):
     :returns: Generated signing key
     :raises NotSupportedError: if signing algorithm is not supported on this platform
     """
-    try:
-        verify_interface(ec.EllipticCurve, algorithm.signing_algorithm_info)
-        return ec.generate_private_key(curve=algorithm.signing_algorithm_info(), backend=default_backend())
-    except InterfaceNotImplemented:
+    if not isinstance(algorithm.signing_algorithm_info, type(ec.EllipticCurve)):
         raise NotSupportedError("Unsupported signing algorithm info")
+    return ec.generate_private_key(curve=algorithm.signing_algorithm_info(), backend=default_backend())

src/aws_encryption_sdk/streaming_client.py

@@ -299,10 +299,10 @@ def seek(self, offset, whence=0):
 
     def readline(self):
         """Read a chunk of the output"""
-        _LOGGER.info("reading line")
+        _LOGGER.debug("reading line")
         line = self.read(self.line_length)
         if len(line) < self.line_length:
-            _LOGGER.info("all lines read")
+            _LOGGER.debug("all lines read")
         return line
 
     def readlines(self):

test/unit/test_crypto_authentication_signer.py

@@ -30,6 +30,12 @@ def patch_default_backend(mocker):
     yield aws_encryption_sdk.internal.crypto.authentication.default_backend
 
 
+@pytest.fixture
+def patch_ec(mocker):
+    mocker.patch.object(aws_encryption_sdk.internal.crypto.authentication, "ec")
+    yield aws_encryption_sdk.internal.crypto.authentication.ec
+
+
 @pytest.fixture
 def patch_serialization(mocker):
     mocker.patch.object(aws_encryption_sdk.internal.crypto.authentication, "serialization")
@@ -71,8 +77,10 @@ def test_f_signer_key_bytes():
     assert test.key_bytes() == VALUES["ecc_private_key_prime_private_bytes"]
 
 
-def test_signer_from_key_bytes(patch_default_backend, patch_serialization, patch_build_hasher):
-    _algorithm = MagicMock()
+def test_signer_from_key_bytes(patch_default_backend, patch_serialization, patch_build_hasher, patch_ec):
+    mock_algorithm_info = MagicMock(return_value=sentinel.algorithm_info, spec=patch_ec.EllipticCurve)
+    _algorithm = MagicMock(signing_algorithm_info=mock_algorithm_info)
+
     signer = Signer.from_key_bytes(algorithm=_algorithm, key_bytes=sentinel.key_bytes)
 
     patch_serialization.load_der_private_key.assert_called_once_with(
@@ -83,9 +91,11 @@ def test_signer_from_key_bytes(patch_default_backend, patch_serialization, patch
     assert signer.key is patch_serialization.load_der_private_key.return_value
 
 
-def test_signer_key_bytes(patch_default_backend, patch_serialization, patch_build_hasher):
+def test_signer_key_bytes(patch_default_backend, patch_serialization, patch_build_hasher, patch_ec):
+    mock_algorithm_info = MagicMock(return_value=sentinel.algorithm_info, spec=patch_ec.EllipticCurve)
+    algorithm = MagicMock(signing_algorithm_info=mock_algorithm_info)
     private_key = MagicMock()
-    signer = Signer(MagicMock(), key=private_key)
+    signer = Signer(algorithm, key=private_key)
 
     test = signer.key_bytes()
 
@@ -98,30 +108,41 @@ def test_signer_key_bytes(patch_default_backend, patch_serialization, patch_buil
 
 
 def test_signer_encoded_public_key(
-    patch_default_backend, patch_serialization, patch_build_hasher, patch_ecc_encode_compressed_point, patch_base64
+    patch_default_backend,
+    patch_serialization,
+    patch_build_hasher,
+    patch_ecc_encode_compressed_point,
+    patch_base64,
+    patch_ec
 ):
     patch_ecc_encode_compressed_point.return_value = sentinel.compressed_point
     patch_base64.b64encode.return_value = sentinel.encoded_point
     private_key = MagicMock()
 
-    signer = Signer(MagicMock(), key=private_key)
+    mock_algorithm_info = MagicMock(return_value=sentinel.algorithm_info, spec=patch_ec.EllipticCurve)
+    algorithm = MagicMock(signing_algorithm_info=mock_algorithm_info)
+
+    signer = Signer(algorithm, key=private_key)
     test_key = signer.encoded_public_key()
 
     patch_ecc_encode_compressed_point.assert_called_once_with(private_key)
     patch_base64.b64encode.assert_called_once_with(sentinel.compressed_point)
     assert test_key == sentinel.encoded_point
 
 
-def test_signer_update(patch_default_backend, patch_serialization, patch_build_hasher):
-    signer = Signer(MagicMock(), key=MagicMock())
+def test_signer_update(patch_default_backend, patch_serialization, patch_build_hasher, patch_ec):
+    mock_algorithm_info = MagicMock(return_value=sentinel.algorithm_info, spec=patch_ec.EllipticCurve)
+    algorithm = MagicMock(signing_algorithm_info=mock_algorithm_info)
+    signer = Signer(algorithm, key=MagicMock())
     signer.update(sentinel.data)
     patch_build_hasher.return_value.update.assert_called_once_with(sentinel.data)
 
 
 def test_signer_finalize(
-    patch_default_backend, patch_serialization, patch_build_hasher, patch_ecc_static_length_signature
+    patch_default_backend, patch_serialization, patch_build_hasher, patch_ecc_static_length_signature, patch_ec
 ):
-    algorithm = MagicMock()
+    mock_algorithm_info = MagicMock(return_value=sentinel.algorithm_info, spec=patch_ec.EllipticCurve)
+    algorithm = MagicMock(signing_algorithm_info=mock_algorithm_info)
     private_key = MagicMock()
 
     signer = Signer(algorithm, key=private_key)