aws · imabhichow · Oct 10, 2025 · Oct 10, 2025 · Oct 10, 2025 · Oct 10, 2025
diff --git a/.github/workflows/library_net_tests.yml b/.github/workflows/library_net_tests.yml
@@ -88,22 +88,6 @@ jobs:
           CORES=$(node -e 'console.log(os.cpus().length)')
           make transpile_net CORES=$CORES
 
-      - name: Test .NET Framework net48
-        working-directory: ${{ matrix.library }}
-        shell: bash
-        run: |
-          make test_net FRAMEWORK=net48
-
-      - name: Test .NET net6.0
-        working-directory: ${{ matrix.library }}
-        shell: bash
-        run: |
-          if [ "$RUNNER_OS" == "macOS" ]; then
-            make test_net_mac_intel FRAMEWORK=net6.0
-          else
-            make test_net FRAMEWORK=net6.0
-          fi
-
       - name: Test Examples on .NET Framework net48
         working-directory: ${{ matrix.library }}
         if: matrix.os == 'windows-latest'
@@ -127,6 +111,24 @@ jobs:
               runtimes/net/Examples \
               --framework net6.0
           fi
+
+      - name: Test .NET Framework net48
+        working-directory: ${{ matrix.library }}
+        shell: bash
+        run: |
+          make test_net FRAMEWORK=net48
+
+      - name: Test .NET net6.0
+        working-directory: ${{ matrix.library }}
+        shell: bash
+        run: |
+          if [ "$RUNNER_OS" == "macOS" ]; then
+            make test_net_mac_intel FRAMEWORK=net6.0
+          else
+            make test_net FRAMEWORK=net6.0
+          fi
+
+
   testVectors:
     strategy:
       fail-fast: false

diff --git a/AwsEncryptionSDK/dafny/AwsEncryptionSdk/Model/AwsCryptographyEncryptionSdkTypes.dfy b/AwsEncryptionSDK/dafny/AwsEncryptionSdk/Model/AwsCryptographyEncryptionSdkTypes.dfy
@@ -176,16 +176,7 @@ module {:extern "software.amazon.cryptography.encryptionsdk.internaldafny.types"
     | CollectionOfErrors(list: seq<Error>, nameonly message: string)
       // The Opaque error, used for native, extern, wrapped or unknown errors
     | Opaque(obj: object)
-      // A better Opaque, with a visible string representation.
-    | OpaqueWithText(obj: object, objMessage : string)
-  type OpaqueError = e: Error | e.Opaque? || e.OpaqueWithText? witness *
-  // This dummy subset type is included to make sure Dafny
-  // always generates a _ExternBase___default.java class.
-  type DummySubsetType = x: int | IsDummySubsetType(x) witness 1
-  predicate method IsDummySubsetType(x: int) {
-    0 < x
-  }
-
+  type OpaqueError = e: Error | e.Opaque? witness *
 }
 abstract module AbstractAwsCryptographyEncryptionSdkService
 {

diff --git a/AwsEncryptionSDK/dafny/AwsEncryptionSdk/test/TestEncryptDecrypt.dfy b/AwsEncryptionSDK/dafny/AwsEncryptionSdk/test/TestEncryptDecrypt.dfy
@@ -17,23 +17,69 @@ module TestEncryptDecrypt {
   method {:test} TestEncryptDecrypt()
   {
     var kmsKey :=  Fixtures.keyArn;
+    print "=== TestEncryptDecrypt Starting ===\n";
+    print "Using KMS Key: ", kmsKey, "\n";
+
     // The string "asdf" as bytes
     var asdf := [ 97, 115, 100, 102 ];
+    print "Plaintext data: ", asdf, "\n";
 
+    print "Creating ESDK config...\n";
     var defaultConfig := ESDK.DefaultAwsEncryptionSdkConfig();
-    var esdk :- expect ESDK.ESDK(config := defaultConfig);
-    var mpl :- expect MaterialProviders.MaterialProviders();
-    var clientSupplier :- expect mpl.CreateDefaultClientSupplier(mplTypes.CreateDefaultClientSupplierInput);
-    var kmsClient :- expect clientSupplier.GetClient(mplTypes.GetClientInput(region := "us-west-2"));
+
+    print "Initializing ESDK...\n";
+    var esdkResult := ESDK.ESDK(config := defaultConfig);
+    if esdkResult.Failure? {
+      print "ESDK initialization failed: ", esdkResult.error, "\n";
+      expect false;
+    }
+    var esdk := esdkResult.value;
+    print "ESDK initialized successfully\n";
+
+    print "Initializing MaterialProviders...\n";
+    var mplResult := MaterialProviders.MaterialProviders();
+    if mplResult.Failure? {
+      print "MaterialProviders initialization failed: ", mplResult.error, "\n";
+      expect false;
+    }
+    var mpl := mplResult.value;
+    print "MaterialProviders initialized successfully\n";
+
+    print "Creating client supplier...\n";
+    var clientSupplierResult := mpl.CreateDefaultClientSupplier(mplTypes.CreateDefaultClientSupplierInput);
+    if clientSupplierResult.Failure? {
+      print "Client supplier creation failed: ", clientSupplierResult.error, "\n";
+      expect false;
+    }
+    var clientSupplier := clientSupplierResult.value;
+    print "Client supplier created successfully\n";
+
+    print "Getting KMS client for region us-west-2...\n";
+    var kmsClientResult := clientSupplier.GetClient(mplTypes.GetClientInput(region := "us-west-2"));
+    if kmsClientResult.Failure? {
+      print "KMS client creation failed: ", kmsClientResult.error, "\n";
+      expect false;
+    }
+    var kmsClient := kmsClientResult.value;
+    print "KMS client created successfully\n";
 
-    var kmsKeyring :- expect mpl.CreateAwsKmsKeyring(
+    print "Creating KMS keyring...\n";
+    var kmsKeyringResult := mpl.CreateAwsKmsKeyring(
       mplTypes.CreateAwsKmsKeyringInput(
         kmsKeyId := kmsKey,
         kmsClient := kmsClient,
         grantTokens := None
       )
     );
+
+    if kmsKeyringResult.Failure? {
+      print "KMS keyring creation failed: ", kmsKeyringResult.error, "\n";
+      expect false;
+    }
+    var kmsKeyring := kmsKeyringResult.value;
+    print "KMS keyring created successfully\n";
 
+    print "Starting encryption...\n";
     var encryptOutput := esdk.Encrypt(Types.EncryptInput(
                                         plaintext := asdf,
                                         encryptionContext := None,
@@ -43,19 +89,54 @@ module TestEncryptDecrypt {
                                         frameLength := None
                                       ));
 
-    expect encryptOutput.Success?;
+    if encryptOutput.Failure? {
+      print "Encryption failed with error: ", encryptOutput.error, "\n";
+      print "Error details: ";
+      match encryptOutput.error {
+        case AwsCryptographyMaterialProviders(mplError) => {
+          print "MaterialProviders error: ", mplError, "\n";
+          match mplError {
+            case AwsCryptographicMaterialProvidersException(message) => {
+              print "Exception message: ", message, "\n";
+            }
+            case _ => print "Other MPL error type\n";
+          }
+        }
+        case _ => print "Non-MPL error\n";
+      }
+      expect false;
+    }
+
+    print "Encryption successful\n";
     var esdkCiphertext := encryptOutput.value.ciphertext;
+    print "Ciphertext length: ", |esdkCiphertext|, " bytes\n";
 
+    print "Starting decryption...\n";
     var decryptOutput := esdk.Decrypt(Types.DecryptInput(
                                         ciphertext := esdkCiphertext,
                                         materialsManager := None,
                                         keyring := Some(kmsKeyring),
                                         encryptionContext := None
                                       ));
 
-    expect decryptOutput.Success?;
+    if decryptOutput.Failure? {
+      print "Decryption failed with error: ", decryptOutput.error, "\n";
+      expect false;
+    }
+
+    print "Decryption successful\n";
     var cycledPlaintext := decryptOutput.value.plaintext;
+    print "Decrypted plaintext: ", cycledPlaintext, "\n";
 
+    if cycledPlaintext == asdf {
+      print "Plaintext matches original - TEST PASSED\n";
+    } else {
+      print "Plaintext mismatch - TEST FAILED\n";
+      print "Expected: ", asdf, "\n";
+      print "Got: ", cycledPlaintext, "\n";
+    }
+
     expect cycledPlaintext == asdf;
+    print "=== TestEncryptDecrypt Completed Successfully ===\n";
   }
 }
diff --git a/AwsEncryptionSDK/dafny/AwsEncryptionSdk/test/TestRequiredEncryptionContext.dfy b/AwsEncryptionSDK/dafny/AwsEncryptionSdk/test/TestRequiredEncryptionContext.dfy
@@ -58,19 +58,19 @@ module TestRequiredEncryptionContext {
                                         plaintext := asdf,
                                         encryptionContext := Some(encryptionContext),
                                         materialsManager := None,
-                                        keyring := Some(multiKeyring),
+                                        keyring := Some(hKeyring),
                                         algorithmSuiteId := None,
                                         frameLength := None
                                       ));
-
+    print encryptOutput;
     expect encryptOutput.Success?;
     var esdkCiphertext := encryptOutput.value.ciphertext;
 
     // Test RSA
     var decryptOutput := esdk.Decrypt(Types.DecryptInput(
                                         ciphertext := esdkCiphertext,
                                         materialsManager := None,
-                                        keyring := Some(rsaKeyring),
+                                        keyring := Some(hKeyring),
                                         encryptionContext := Some(encryptionContext)
                                       ));
 
@@ -170,7 +170,7 @@ module TestRequiredEncryptionContext {
                                         algorithmSuiteId := None,
                                         frameLength := None
                                       ));
-
+    print encryptOutput;
     expect encryptOutput.Success?;
     var esdkCiphertext := encryptOutput.value.ciphertext;
 
@@ -1065,7 +1065,6 @@ module TestRequiredEncryptionContext {
     returns (output: mplTypes.IKeyring)
     ensures output.ValidState() && fresh(output) && fresh(output.History) && fresh(output.Modifies)
   {
-    var branchKeyId := BRANCH_KEY_ID;
     var ttl : mplTypes.PositiveLong := (1 * 60000) * 10;
     var mpl :- expect MaterialProviders.MaterialProviders();
 
@@ -1085,6 +1084,16 @@ module TestRequiredEncryptionContext {
 
     var keyStore :- expect KeyStore.KeyStore(keyStoreConfig);
 
+    // Try to create a new branch key instead of using the hardcoded one
+    print "Creating new branch key for hierarchical keyring...\n";
+    var createKeyResult := keyStore.CreateKey(KeyStoreTypes.CreateKeyInput());
+    var branchKeyId := if createKeyResult.Success? then 
+      createKeyResult.value.branchKeyIdentifier 
+    else 
+      BRANCH_KEY_ID; // fallback to hardcoded ID if creation fails
+
+    print "Using branch key: ", branchKeyId, "\n";
+
     output :- expect mpl.CreateAwsKmsHierarchicalKeyring(
       mplTypes.CreateAwsKmsHierarchicalKeyringInput(
         branchKeyId := Some(branchKeyId),
@@ -1093,6 +1102,8 @@ module TestRequiredEncryptionContext {
         ttlSeconds := ttl,
         cache := None
       ));
+
+    print "Hierarchical keyring created successfully\n";
   }
 
   method GetRsaKeyring()
@@ -1133,20 +1144,60 @@ module TestRequiredEncryptionContext {
     ensures output.ValidState() && fresh(output) && fresh(output.History) && fresh(output.Modifies)
   {
     var kmsKey :=  Fixtures.keyArn;
+    print "=== GetKmsKeyring ===\n";
+    print "Using KMS Key ARN: ", kmsKey, "\n";
+
     var defaultConfig := ESDK.DefaultAwsEncryptionSdkConfig();
-    var esdk :- expect ESDK.ESDK(config := defaultConfig);
-    var mpl :- expect MaterialProviders.MaterialProviders();
-    var clientSupplier :- expect mpl.CreateDefaultClientSupplier(mplTypes.CreateDefaultClientSupplierInput);
-    var kmsClient :- expect clientSupplier.GetClient(mplTypes.GetClientInput(region := "us-west-2"));
-
-    output :- expect mpl.CreateAwsKmsKeyring(
+    var esdkResult := ESDK.ESDK(config := defaultConfig);
+    if esdkResult.Failure? {
+      print "ESDK creation failed: ", esdkResult.error, "\n";
+      expect false;
+    }
+    var esdk := esdkResult.value;
+    print "ESDK created successfully\n";
+
+    var mplResult := MaterialProviders.MaterialProviders();
+    if mplResult.Failure? {
+      print "MaterialProviders creation failed: ", mplResult.error, "\n";
+      expect false;
+    }
+    var mpl := mplResult.value;
+    print "MaterialProviders created successfully\n";
+
+    var clientSupplierResult := mpl.CreateDefaultClientSupplier(mplTypes.CreateDefaultClientSupplierInput);
+    if clientSupplierResult.Failure? {
+      print "Client supplier creation failed: ", clientSupplierResult.error, "\n";
+      expect false;
+    }
+    var clientSupplier := clientSupplierResult.value;
+    print "Client supplier created successfully\n";
+
+    var kmsClientResult := clientSupplier.GetClient(mplTypes.GetClientInput(region := "us-west-2"));
+    if kmsClientResult.Failure? {
+      print "KMS client creation failed: ", kmsClientResult.error, "\n";
+      expect false;
+    }
+    var kmsClient := kmsClientResult.value;
+    print "KMS client created successfully\n";
+
+    var keyringResult := mpl.CreateAwsKmsKeyring(
       mplTypes.CreateAwsKmsKeyringInput(
         kmsKeyId := kmsKey,
         kmsClient := kmsClient,
         grantTokens := None
       )
     );
-
+
+    if keyringResult.Failure? {
+      print "KMS keyring creation failed: ", keyringResult.error, "\n";
+      print "This is likely due to account access issues\n";
+      print "Expected account: 370957321024 (from assumed role)\n";
+      print "Key account: Check if key ARN matches assumed role account\n";
+      expect false;
+    }
+
+    output := keyringResult.value;
+    print "KMS keyring created successfully\n";
   }
 
-} 
+}