3.7.0 (2024-09-17)
- add check only keyword action (#1327) (5d777d6)
- add ddb local to dafny interop test vectors (#1316) (6128a39)
- allow local testing (#1311) (e758e97)
- remove /// from smithy files (#1349) (303a8bd)
- remove assert to fix verification (#1360) (8849c1e)
3.6.2 (2024-08-22)
- ...the nightly build. Again. (#1297) (b7a91c9)
- add timing output to test vectors (#1298) (30dfaa8)
- Enable local testing (#1278) (7093266)
- fix ci mpl head gha (#1306) (c572d6a)
- fix dafny interop build steps (#1293) (c6ce809)
- fix nightly (#1300) (a445eff)
- GHA: add backwards interop dafny tests (#1279) (1e6be80)
- GHA: another gha fix (#1292) (df64b30)
- GHA: fix dafny_interop_java (#1283) (5a1c921)
- GHA: fix test vector dafny interop (#1291) (fdefaff)
- GHA: update nightlies for interop and interop action (#1287) (8bec538)
3.6.1 (2024-08-12)
- allow multi-tenant queries with allow_plaintext (#1240) (1487d7e)
- TestVectors: define StartUpObject in csproj (#1231) (2f97bf3)
- update error message (#1270) (7157e4d)
- Add examples to examine contents of query error list (#1251) (b5705ee)
- CI: add smithy diff checker GHA (#1226) (86406f5)
- deps: bump actions/setup-dotnet from 3 to 4 in /.github/workflows (#1191) (c3b736e)
- deps: bump aws-actions/configure-aws-credentials (#1190) (becbd0a)
- deps: bump com.amazonaws:aws-java-sdk-dynamodb (#1230) (3aa25d0)
- deps: bump dafny-lang/setup-dafny-action in /.github/workflows (#1200) (5284f0b)
- deps: bump software.amazon.awssdk:bom (#1227) (abd1727)
- deps: bump software.amazon.awssdk:bom (#1229) (bf3e1c3)
- deps: bump software.amazon.awssdk:core (#1228) (9c67729)
- do not add beacons when FORCE_PLAINTEXT_WRITE is used. (#1232) (23c8a18)
- include bad item keys in query errors (#1244) (07bba8b)
- update version to snapshot (#1225) (c817b5b)
3.6.0 (2024-07-23)
- bump dafny verification version to 4.7 (#1181) (e7801ec)
- CI/CD: use latest conventional-changelog-conventionalcommits (#1195) (510227e)
- Fix nightly build (aside from verification) (#1029) (862420e)
- GHA: add action for testing against MPL HEAD (#1187) (b2f70ca)
- GHA: fix daily ci (#1194) (a1427e0)
- MPL: Bump MPL to 1.5.1 (#1201) (808a5b4)
- Sonatype Migration to User Tokens (#1216) (a3b4ef9)
- Try to update existing issues (31c6b98)
- Try to update existing issues (4471295)
- update project.properties to be SNAPSHOT (#1087) (6f2825e)
3.5.0 (2024-05-30)
- DynamoDbEncryption: Add GetEncryptedDataKeyDescription operation (#856) (8f8471a)
- Bump MPL to 1.4 (#1067) (51bbab5). This provides three new KMSConfiguration options when constructing a KeyStore (see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-hierarchical-keyring.html). To KmsKeyArn are added KmsMRKeyArn, Discovery and MrDiscovery.
- improve verification (#1020) (cbde4ef)
- simplify structured encryption (#866) (a70a569)
- allow Legacy to use subclass of DynamoDBEncryptor (#1073) (135acd9)
- Java-Release: update release commands and use SNAPSHOT builds (#995) (ac9b79e)
- reformat and enforce formatting (#1035) (8a76a9d)
- verify with Dafny 4.6 (#1072) (9db6e78)
3.4.0 (2024-04-30)
Prior to this fix, unset Integers defaulted to 0
, and unset Booleans defaulted to false
.
Now, all required fields MUST be set or a Runtime Exception will be thrown.
This particularly effects Searchable Encryption's
ConstructorPart
, who's required field previously
would have defaulted to false.
Any configuration ever created for Searchable Encryption can be re-created with the fix, but they may look different.
- feat(.NET): Validate user input #797 (785481c)
- format: enforce Dafny formatting (#865) (dfc0dbd)
- test: more test vectors (#959) (3ca15af)
- CI add verify test for test vectors (#897) (6c980e7)
- CI/CD: add semantic release automation (#949) (3f22abc)
- deps: bump actions/setup-dotnet from 3 to 4 in /.github/workflows (#943) (f5d9748)
- deps: bump aws-actions/configure-aws-credentials (#954) (90d7d78)
- deps(Java): bump io.github.gradle-nexus.publish-plugin (#903) (04c6cc4)
- deps(Java): bump org.projectlombok:lombok (#838) (56f1cd1)
- deps: bump rrainn/dynamodb-action in /.github/workflows (#932) (16e4d7b)
- docs: mention sign_and_include in javadoc for keyid supplier (#966) (2796693)
- docs: point to the correct readme (#845) (b950b4a)
- fix: repair json file names (#846) (3ca955a)
- test(.NET): "dotnet pack" in CI (#851) (75e44d0)
- test: add tests for attribute names that seem structured (#964) (c4c0886)
- deps(Java & .NET): Update MPL to 1.3.0 (#972) (3d8acae)
- A fourth Crypto Action will be made available :
SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT
, to join the existingDO_NOTHING
,SIGN_ONLY
andENCRYPT_AND_SIGN
.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT
behaves likeSIGN_ONLY
, but also includes the value in the encryption context, making it available to the branch key selector. - The Parsed Header, returned from EncryptItem and DecryptItem, now returns two more fields
- encryptionContext : the full encryption context used for encryption
- selectorContext : the encryption context as presented to the branch key selector
- The Java Enhanced Client now supports Single Table Design. When using the DynamoDbEnhancedTableEncryptionConfig builder, one can now specify
schemaOnEncrypt
multiple times, once for each class being modeled in the table. - There was a hard limit of 100 on the size of maps and lists in Items to be encrypted. This limit has been removed.
- support for .NET
- Beacon Styles :
- PartOnly : save a little bit of space for a beacon that used as part of a Compound Beacon, but never alone
- AsSet : turn a set of values into a set of beacons, rather than into a single beacon
- Twinned : calculate beacons for one attribute to be compatible with those from a different attribute
- TwinnedSet : both AsSet and Twinned
- Global Parts List : all compound beacons can now share a single list of Parts
- Test vectors to ensure cross language compatibility
- explicit error message when searching on a Compound Beacon that could never exist.
- New APIs : ResolveAttributes and GetVirtualFields to assist in development and debugging.
- String compare for client side filtering of Scan and Query results could sometimes produce the wrong result for certain characters.
Fixed an issue where, when using the DynamoDbEncryptionInterceptor, an encrypted item in the Attributes field of a DeleteItem, PutItem, or UpdateItem response was passed through unmodified instead of being decrypted.
Issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB.
DB-ESDK for DynamoDB supports SIGN_ONLY and ENCRYPT_AND_SIGN attribute actions. In version 3.1.0 and below, when a Set type is assigned a SIGN_ONLY attribute action, there is a chance that signature validation of the record containing a Set will fail on read, even if the Set attributes contain the same values. The probability of a failure depends on the order of the elements in the Set combined with how DynamoDB returns this data, which is undefined.
This update addresses the issue by ensuring that any Set values are canonicalized in the same order while written to DynamoDB as when read back from DynamoDB.
See: https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/tree/v3.1.1/DecryptWithPermute for additional details for additional details
- Support underscores in DynamoDB expression attribute names
- Upgrade various library dependencies
- A variety of fixes to the library's CI and testing
- Updates to the AWS Cryptographic Material Providers Library for Java,
a pivotal dependency of the this library,
introduce Thread Safe Cryptographic Materials Caches (CMCs):
- Storm Tracking Cache
Safe for use in a multi threaded environment,
tries to prevent redundant or overly parallel backend calls.
See Spec changes for details. - Multi Threaded Cache
Safe for use in a multi threaded environment,
but no extra functionality
- Storm Tracking Cache
- Examples for using the Enhanced Client via Lombok Annotation and TableSchemaBuilder
- Detection of ignored DynamoDB Encryption Configuration Tags due to Nested Data Models
- Multi Threading Example
- Updates to the AWS Cryptographic Material Providers Library for Java,
a pivotal dependency of the this library,
introduce the following breaking changes:
- CMCs:
- Original Cryptographic Materials Cache has been renamed to Single Threaded Cache
CreateCryptographicMaterialsCacheInput
now ONLY acceptsCacheType
,
which determines which, if any, of the three implemented CMCs will be returned.- The
DefaultCache
isStormTrackingCache
CreateAwsKmsHierarchicalKeyringInput
:- no longer has a
maxCacheSize
field - now has an optional
cache
field for aCacheType
- no longer has a
- Hierarchical Keyring's Key Store:
- The Hierarchical Keyring's Key Store's Data Structure has changed.
As such, entries persisted in the Key Store with prior versions of this library are NOT compatible.
Instead, we recommend Creating a new DynamoDB Table for this version of the Key Store. - The Key Store's
CreateKeyInput
now takes:- An Optional
String branchKeyIdentifier
- An Optional
EncryptionContext encryptionContext
- This
encryptionContext
will be added to the Encryption Context sent to KMS prefixed withaws-crypto-ec:
- This
- An Optional
- Creating a Key now also calls KMS:ReEncrypt
CreateKeyStore
no longer creates a GSI- The Encryption Context used with KMS'
GenerateDataKeyWithoutPlaintext
no longer includes the discarded GSI'sstatus
. - More details about the Key Store's changes are available in our Specification:
- The Hierarchical Keyring's Key Store's Data Structure has changed.
- CMCs:
- With the Enhanced Client, Identify Only Index attributes for Sign Only, NOT all Key Attributes, such as Auto Generated Last Modified Time Stamp.
- A variety of fixes to the libraries CI and testing
- The AWS SDK Core MUST NOT be depended on directly.
- Initial release of the AWS Database Encryption SDK. This release is considered a developer preview and is not intended for production use cases.