duvet

DynamoDbEncryption/dafny/DynamoDbItemEncryptor/Model/DynamoDbItemEncryptor.smithy

@@ -47,23 +47,24 @@ service DynamoDbItemEncryptor {
 
 @javadoc("The configuration for the client-side encryption of DynamoDB items.")
 structure DynamoDbItemEncryptorConfig {
-    //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#structure
+    //= specification/dynamodb-encryption-client/ddb-item-encryptor.md#initialization
     //= type=implication
-    //# The following are REQUIRED for DynamoDb Table Encryption Configuration:
-    //# - [Logical Table Name](#logical-table-name)
-    //# - [DynamoDB Partition Key Name](#dynamodb-partition-key-name)
-    //# - [Attribute Actions](#attribute-actions)
-    //# - A [CMM](#cmm) or [Keyring](#keyring)
-
-    //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#structure
+    //# On initialization of the DynamoDB Item Encryptor
+    //# the caller MUST provide:
+    //# - [DynamoDB Table Name](./ddb-table-encryption-config.md#dynamodb-table-name)
+    //# - [DynamoDB Partition Key Name](./ddb-table-encryption-config.md#dynamodb-partition-key-name)
+    //# - [Attribute Actions](./ddb-table-encryption-config.md#attribute-actions)
+    //# - A [CMM](./ddb-table-encryption-config.md#cmm) or [Keyring](./ddb-table-encryption-config.md#keyring)
+
+    //= specification/dynamodb-encryption-client/ddb-item-encryptor.md#initialization
     //= type=implication
-    //# The following are OPTIONAL for DynamoDb Table Encryption Configuration:
-    //# - [DynamoDB Sort Key Name](#dynamodb-sort-key-name)
-    //# - [Unauthenticated Attributes](#unauthenticated-attributes)
-    //# - [Unauthenticated Attribute Name Prefix](#unauthenticated-attribute-prefix)
-    //# - [Algorithm Suite](#algorithm-suite)
-    //# - [Legacy Config](#legacy-config)
-    //# - [Plaintext Policy](#plaintext-policy)
+    //# The following are OPTIONAL for the DynamoDB Item Encryptor:
+    //# - [DynamoDB Sort Key Name](./ddb-table-encryption-config.md#dynamodb-sort-key-name)
+    //# - [Unauthenticated Attributes](./ddb-table-encryption-config.md#unauthenticated-attributes)
+    //# - [Unauthenticated Attribute Name Prefix](./ddb-table-encryption-config.md#unauthenticated-attribute-prefix)
+    //# - [Algorithm Suite](./ddb-table-encryption-config.md#algorithm-suite)
+    //# - [Legacy Config](./ddb-table-encryption-config.md#legacy-config)
+    //# - [Plaintext Policy](./ddb-table-encryption-config.md#plaintext-policy)
 
     @required
     @javadoc("The logical table name for this table. This is the name that is cryptographically bound with your data. This can be the same as the actual DynamoDB table name. It's purpose is to be distinct from the DynamoDB table name so that the data may still be authenticated if being read from different (but logically similar) tables, such as a backup table.")

DynamoDbEncryption/dafny/StructuredEncryption/Model/StructuredEncryption.smithy

@@ -231,6 +231,12 @@ structure DecryptPathStructureOutput {
     parsedHeader: ParsedHeader,
 }
 
+//= specification/structured-encryption/resolve-auth-actions.md#input
+//= type=implication
+//# The following inputs to this behavior are REQUIRED:
+//# - [Table Name](#table-name)
+//# - [Auth List](#auth-list)
+//# - [Header Bytes](#header-bytes)
 structure ResolveAuthActionsInput {
     @required
     tableName: String,
@@ -240,6 +246,11 @@ structure ResolveAuthActionsInput {
     headerBytes: Blob
 }
 
+//= specification/structured-encryption/resolve-auth-actions.md#output
+//= type=implication
+//# This operation MUST output the following:
+//# [Crypto List](./structures.md#crypto-list): Input terminal data and the Crypto Schema for each Terminal,
+//#   calculated using the Crypto Legend in the header, the signature scope used for decryption, and the data in the input structure.
 structure ResolveAuthActionsOutput {
     @required
     cryptoActions: CryptoList,
@@ -333,6 +344,10 @@ structure StructureSegment {@required key : String}
 // integer Position
 // structure ListSegment {@required key : Position}
 // structure AttributeSegment {@required key : String}
+
+//= specification/structured-encryption/structures.md#path-segment
+//= type=implication
+//# A path segment MUST be a string, designating the name of a member of a structure.
 union PathSegment {
     member: StructureSegment,
     // Not needed now, but easy to add later
@@ -343,6 +358,12 @@ list Path {
     member: PathSegment
 }
 
+//= specification/structured-encryption/structures.md#crypto-item
+//= type=implication
+//# A crypto item MUST consist of
+//# - a [Path](#path)
+//# - a [Crypto Action](#crypto-action)
+//# - a [Terminal Data](#terminal-data)
 structure CryptoItem {
     @required
     key : Path,
@@ -352,10 +373,19 @@ structure CryptoItem {
     action: CryptoAction,
 }
 
+//= specification/structured-encryption/structures.md#crypto-list
+//= type=implication
+//# A crypto list MUST be a sequence of [crypto item](#crypto-item)
 list CryptoList {
     member: CryptoItem,
 }
 
+//= specification/structured-encryption/structures.md#auth-item
+//= type=implication
+//# An auth item MUST consist of
+//# - a [Path](#path)
+//# - an [Authenticate Action](#authenticate-action)
+//# - a [Terminal Data](#terminal-data)
 structure AuthItem {
     @required
     key : Path,
@@ -365,6 +395,9 @@ structure AuthItem {
     action: AuthenticateAction,
 }
 
+//= specification/structured-encryption/structures.md#auth-list
+//= type=implication
+//# An auth list MUST be a sequence of [auth item](#auth-item)
 list AuthList {
     member: AuthItem,
 }

specification/structured-encryption/decrypt-structure.md

@@ -5,12 +5,14 @@
 
 ## Version
 
-1.0.0
+1.1.0
 
 ### Changelog
 
-- 1.0.0
+- 1.1.0
+  - Update for simplified structured encryption
 
+- 1.0.0
   - Initial record
 
 ## Definitions

specification/structured-encryption/encrypt-structure.md

@@ -5,12 +5,14 @@
 
 ## Version
 
-1.0.0
+1.1.0
 
 ### Changelog
 
-- 1.0.0
+- 1.1.0
+  - Update for simplified structured encryption
 
+- 1.0.0
   - Initial record
 
 ## Definitions

specification/structured-encryption/resolve-auth-actions.md

@@ -0,0 +1,67 @@
+[//]: # "Copyright Amazon.com Inc. or its affiliates. All Rights Reserved."
+[//]: # "SPDX-License-Identifier: CC-BY-SA-4.0"
+
+# Resolve Auth Actions
+
+## Version
+
+1.0.0
+
+### Changelog
+
+- 1.0.0
+
+  - Initial record
+
+## Definitions
+
+### Conventions used in this document
+
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
+in this document are to be interpreted as described in [RFC 2119](https://tools.ietf.org/html/rfc2119).
+
+## Overview
+
+ResolveAuthActions takes an encrypted record and determines the CryptoActions originally used for encryption.
+
+It makes no network calls and does no encryption nor decryption.
+
+## Input
+
+The following inputs to this behavior are REQUIRED:
+
+- [Table Name](#table-name)
+- [Auth List](#auth-list)
+- [Header Bytes](#header-bytes)
+
+### Table Name
+
+The logical name for the structure.
+This can be the same as the physical name.
+For example the name of the table to hold the encrypted record.
+
+### Auth List
+
+The [Auth List](./structures.md#auth-list) describes how each [Terminal Data](./structures.md#terminal-data) would be treated during decryption.
+
+The header and footer fields (aws_dbe_head and aws_dbe_foot) can be present, but they need not be present.
+
+Data members need not contain any particular values.
+
+### Header Bytes
+
+The sequence of bytes representing the serialized header, as is usually found in the `aws_dbe_head` attribute.
+
+## Output
+
+This operation MUST output the following:
+
+[Crypto List](./structures.md#crypto-list): Input terminal data and the Crypto Schema for each Terminal,
+  calculated using the Crypto Legend in the header, the signature scope used for decryption, and the data in the input structure.
+
+## Behavior
+
+Resolve Auth Actions examines the configuration and the provided header to determine
+the [Crypto Actions](structures.md#crypto-action) originally use for encryption.
+
+The data members are returned unchanged and unexamined.

specification/structured-encryption/structures.md

@@ -5,12 +5,14 @@
 
 ## Version
 
-1.0.0
+1.1.0
 
 ### Changelog
 
-- 1.0.0
+- 1.1.0
+  - Update for simplified structured encryption
 
+- 1.0.0
   - Initial record
 
 ## Definitions