chore: add php v3 s3ec and php v2 transitional

.github/workflows/test.yml

@@ -51,7 +51,7 @@ jobs:
           token: ${{ secrets.PAT_FOR_DOTNET }}
           repository: aws/private-amazon-s3-encryption-client-dotnet-staging
           # This is the branch for S3EC .NET V2
-          ref: v3sdk-development 
+          ref: v3sdk-development
           path: test-server/net-v2-v3-server/s3ec-net-v2/
 
       - name: Checkout .NET V3 code

test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java

@@ -431,6 +431,8 @@ public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget la
                 assertTrue(e.getMessage().contains(
                   "The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration security_profile = :v2. Retry with :v2_and_legacy or re-encrypt the object."
                 ), "Actual error:" + e.getMessage());
+            } else if (language.getLanguageName().equals(PHP_V3)) {
+              assertTrue(e.getMessage().contains("The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration @SecurityProfile=V3. Retry with V3_AND_LEGACY enabled or reencrypt the object."));; 
             } else {
                 assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"));
             }

test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java

@@ -140,7 +140,7 @@ public class TestUtils {
             // NET_V2_TRANSITION,
             NET_V3_TRANSITION,
             CPP_V2_TRANSITION,
-            // PHP_V2_TRANSITION,
+            PHP_V2_TRANSITION,
             RUBY_V2_TRANSITION
         );
 
@@ -151,7 +151,7 @@ public class TestUtils {
             GO_V4,
             // NET_V4,
             CPP_V3,
-            // PHP_V3,
+            PHP_V3,
             RUBY_V3
         );
 

test-server/php-v2-transition-server/Makefile

@@ -6,13 +6,13 @@ PID_FILE := server.pid
 PORT := 8099
 
 start-server:
-	@echo "Starting PHP V2 server..."
+	@echo "Starting PHP V2 Transition server..."
 	AWS_ACCESS_KEY_ID="$$AWS_ACCESS_KEY_ID" \
 	AWS_SECRET_ACCESS_KEY="$$AWS_SECRET_ACCESS_KEY" \
 	AWS_SESSION_TOKEN="$$AWS_SESSION_TOKEN" \
 	AWS_REGION="us-west-2" \
 	composer run start & echo $$! > $(PID_FILE)
-	@echo "PHP V2 server starting..."
+	@echo "PHP V2 Transition server starting..."
 
 stop-server:
 	@if [ -f $(PID_FILE) ]; then \

test-server/php-v2-transition-server/src/client.php

@@ -19,6 +19,7 @@ function handleCreateClient()
     $legacyAlgorithms = $configData["enableLegacyWrappingAlgorithms"] ?? false;
     $clientId = Uuid::uuid4()->toString();
     $kmsKeyId = $keyMaterial["kmsKeyId"] ?? null;
+    $commitmentPolicy = $configData['commitmentPolicy'] ?? "FORBID_ENCRYPT_ALLOW_DECRYPT";
     $instFileConfig = $configData['instructionFileConfig'] ?? null;
     $instFilePut = false;
     if ($instFileConfig != null) {
@@ -31,6 +32,12 @@ function handleCreateClient()
     if (($keyMaterial || $kmsKeyId) === null) {
         return GenericServerError("Invalid keyMaterial in config", 400);
     }
+    if ($commitmentPolicy !== "FORBID_ENCRYPT_ALLOW_DECRYPT") {
+        return GenericServerError(
+            "Transition server only supports FORBID_ENCRYPT_ALLOW_DECRYPT"
+            . "commitment policy but received {$commitmentPolicy}"
+        );
+    }
 
     // Store client configuration instead of objects (AWS objects can't be serialized)
     $_SESSION['s3ecCache'][$clientId] = [
@@ -60,6 +67,7 @@ function handleCreateClient()
         ],
         'kmsKeyId' => $kmsKeyId,
         'legacy' => $legacyAlgorithms,
+        'commitmentPolicy' => $commitmentPolicy,
         'instFilePut' => $instFilePut,
         'created' => time()
     ];

test-server/php-v2-transition-server/src/get_object.php

@@ -38,6 +38,7 @@ function handleGetObject($params)
     } else {
         $legacy = "V2_AND_LEGACY";
     }
+    $commitmentPolicy = $s3ecClientTuple['config']['commitmentPolicy'];
 
     try {
         // Start output buffering before the AWS call to capture any unwanted output
@@ -47,6 +48,7 @@ function handleGetObject($params)
             '@SecurityProfile' => $legacy,
             '@MaterialsProvider' => $materialProvider,
             '@KmsEncryptionContext' => $encryptionContext,
+            '@CommitmentPolicy' => $commitmentPolicy,
             'Bucket' => $bucket,
             'Key' => $key,
         ]);
@@ -79,6 +81,7 @@ function handleGetObject($params)
         if (strpos($e->getMessage(), "@SecurityProfile=V2") !== false) {
             return S3EncryptionClientError($e->getMessage() . " " . "Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms");
         } else {
+            error_log("This is the error: " . $e->getMessage());
             return GenericServerError("Server error: " . $e->getMessage(), 500);
         }
     }

test-server/php-v3-server/.duvet/config.toml

@@ -6,15 +6,30 @@ pattern = "local-php-sdk/src/S3/**/*.php"
 [[source]]
 pattern = "local-php-sdk/src/Crypto/**/*.php"
 
+[[source]]
+pattern = "local-php-sdk/tests/S3/**/*.php"
+
+[[source]]
+pattern = "local-php-sdk/tests/Crypto/**/*.php"
+
+[[source]]
+pattern = "compliance_exceptions/*.txt"
+
 # Include required specifications here
 [[specification]]
 source = "../specification/s3-encryption/data-format/content-metadata.md"
 [[specification]]
 source = "../specification/s3-encryption/data-format/metadata-strategy.md"
 [[specification]]
+source = "../specification/s3-encryption/client.md"
+[[specification]]
+source = "../specification/s3-encryption/decryption.md"
+[[specification]]
 source = "../specification/s3-encryption/encryption.md"
 [[specification]]
 source = "../specification/s3-encryption/key-derivation.md"
+[[specification]]
+source = "../specification/s3-encryption/key-commitment.md"
 
 [report.html]
 enabled = true

test-server/php-v3-server/Makefile

@@ -6,13 +6,13 @@ PID_FILE := server.pid
 PORT := 8093
 
 start-server:
-	@echo "Starting PHP V2 server..."
+	@echo "Starting PHP V3 server..."
 	AWS_ACCESS_KEY_ID="$$AWS_ACCESS_KEY_ID" \
 	AWS_SECRET_ACCESS_KEY="$$AWS_SECRET_ACCESS_KEY" \
 	AWS_SESSION_TOKEN="$$AWS_SESSION_TOKEN" \
 	AWS_REGION="us-west-2" \
 	composer run start & echo $$! > $(PID_FILE)
-	@echo "PHP V2 server starting..."
+	@echo "PHP V3 server starting..."
 
 stop-server:
 	@if [ -f $(PID_FILE) ]; then \

test-server/php-v3-server/compliance_exceptions/client.txt

@@ -0,0 +1,170 @@
+//
+// The PHP V3 implementation is missing the following features:
+//
+// 1. Client Configuration Options:
+//    - Legacy algorithm support controls (wrapping algorithms, unauthenticated modes)
+//      - Uses V3/V3_AND_LEGACY instead
+//    - Delayed authentication mode configuration
+//    - Buffer size configuration for memory management
+//    - Raw keyring material (RSA, AES)
+//    - SDK client configuration inheritance (credentials, KMS client config)
+//    - Custom randomness source configuration
+//
+// 2. Api Operations:
+//    - DeleteObject and DeleteObjects (with instruction file cleanup)
+//    - Multipart upload operations (UploadPart, CompleteMultipartUpload, AbortMultipartUpload)
+//    - ReEncryptInstructionFile for key rotation
+//    - Non-encryption related S3 operations
+
+//= ../specification/s3-encryption/client.md#aws-sdk-compatibility
+//= type=exception
+//# The S3EC SHOULD support invoking operations unrelated to client-side encryption e.g.
+
+//= ../specification/s3-encryption/client.md#cryptographic-materials
+//= type=exception
+//# If both a CMM and a Keyring are provided, the S3EC MUST throw an exception.
+
+//= ../specification/s3-encryption/client.md#cryptographic-materials
+//= type=exception
+//# When a Keyring is provided, the S3EC MUST create an instance of the DefaultCMM using the provided Keyring.
+
+//= ../specification/s3-encryption/client.md#enable-legacy-wrapping-algorithms
+//= type=exception
+//# The option to enable legacy wrapping algorithms MUST be set to false by default.
+
+//= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes
+//= type=exception
+//# The S3EC MUST support the option to enable or disable legacy unauthenticated modes (content encryption algorithms).
+
+//= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes
+//= type=exception
+//# The option to enable legacy unauthenticated modes MUST be set to false by default.
+
+//= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes
+//= type=exception
+//# When enabled, the S3EC MUST be able to decrypt objects encrypted with all content encryption algorithms (both legacy and fully supported).
+
+//= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes
+//= type=exception
+//# When disabled, the S3EC MUST NOT decrypt objects encrypted using legacy content encryption algorithms;
+//# it MUST throw an exception when attempting to decrypt an object encrypted with a legacy content encryption algorithm.
+
+//= ../specification/s3-encryption/client.md#enable-delayed-authentication
+//= type=exception
+//# The S3EC MUST support the option to enable or disable Delayed Authentication mode.
+
+//= ../specification/s3-encryption/client.md#enable-delayed-authentication
+//= type=exception
+//# Delayed Authentication mode MUST be set to false by default.
+
+//= ../specification/s3-encryption/client.md#enable-delayed-authentication
+//= type=exception
+//# When enabled, the S3EC MAY release plaintext from a stream which has not been authenticated.
+
+//= ../specification/s3-encryption/client.md#enable-delayed-authentication
+//= type=exception
+//# When disabled the S3EC MUST NOT release plaintext from a stream which has not been authenticated.
+
+//= ../specification/s3-encryption/client.md#set-buffer-size
+//= type=exception
+//# The S3EC SHOULD accept a configurable buffer size which refers to the maximum ciphertext length in bytes to store in memory when Delayed Authentication mode is disabled.
+
+//= ../specification/s3-encryption/client.md#set-buffer-size
+//= type=exception
+//# If Delayed Authentication mode is enabled, and the buffer size has been set to a value other than its default, the S3EC MUST throw an exception.
+
+//= ../specification/s3-encryption/client.md#set-buffer-size
+//= type=exception
+//# If Delayed Authentication mode is disabled, and no buffer size is provided, the S3EC MUST set the buffer size to a reasonable default.
+
+//= ../specification/s3-encryption/client.md#cryptographic-materials
+//= type=exception
+//# The S3EC MAY accept key material directly.
+
+//= ../specification/s3-encryption/client.md#inherited-sdk-configuration
+//= type=exception
+//# The S3EC MAY support directly configuring the wrapped SDK clients through its initialization.
+
+//= ../specification/s3-encryption/client.md#inherited-sdk-configuration
+//= type=exception
+//# For example, the S3EC MAY accept a credentials provider instance during its initialization.
+
+//= ../specification/s3-encryption/client.md#inherited-sdk-configuration
+//= type=exception
+//# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped S3 clients.
+
+//= ../specification/s3-encryption/client.md#inherited-sdk-configuration
+//= type=exception
+//# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client.
+
+//= ../specification/s3-encryption/client.md#randomness
+//= type=exception
+//# The S3EC MAY accept a source of randomness during client initialization.
+
+//= ../specification/s3-encryption/client.md#required-api-operations
+//= type=exception
+//# - DeleteObject MUST be implemented by the S3EC.
+
+//= ../specification/s3-encryption/client.md#required-api-operations
+//= type=exception
+//# - DeleteObject MUST delete the given object key.
+
+//= ../specification/s3-encryption/client.md#required-api-operations
+//= type=exception
+//# - DeleteObject MUST delete the associated instruction file using the default instruction file suffix.
+
+//= ../specification/s3-encryption/client.md#required-api-operations
+//= type=exception
+//# - DeleteObjects MUST be implemented by the S3EC.
+
+//= ../specification/s3-encryption/client.md#required-api-operations
+//= type=exception
+//# - DeleteObjects MUST delete each of the given objects.
+
+//= ../specification/s3-encryption/client.md#required-api-operations
+//= type=exception
+//# - DeleteObjects MUST delete each of the corresponding instruction files using the default instruction file suffix.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - UploadPart MAY be implemented by the S3EC.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - UploadPart MUST encrypt each part.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - Each part MUST be encrypted in sequence.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - Each part MUST be encrypted using the same cipher instance for each part.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - CompleteMultipartUpload MAY be implemented by the S3EC.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - CompleteMultipartUpload MUST complete the multipart upload.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - AbortMultipartUpload MAY be implemented by the S3EC.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - AbortMultipartUpload MUST abort the multipart upload.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - ReEncryptInstructionFile MAY be implemented by the S3EC.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - ReEncryptInstructionFile MUST decrypt the instruction file's encrypted data key for the given object using the client's CMM.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - ReEncryptInstructionFile MUST re-encrypt the plaintext data key with a provided keyring.

test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt

@@ -0,0 +1,34 @@
+//
+// The PHP V3 implementation is missing the following features:
+//
+// 1. METADATA ENCODING:
+//    - S3 Server "double encoding" support for proper metadata decoding
+//
+// 2. INSTRUCTION FILE OPERATIONS:
+//    - Re-encryption/key rotation via instruction files
+//    - Custom instruction file suffix support for GetObject requests
+//
+
+//= ../specification/s3-encryption/data-format/metadata-strategy.md#object-metadata
+//= type=exception
+//# The S3EC SHOULD support decoding the S3 Server's "double encoding".
+
+//= ../specification/s3-encryption/data-format/metadata-strategy.md#object-metadata
+//= type=exception
+//# If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched.
+
+//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file
+//= type=exception
+//# The S3EC MAY support re-encryption/key rotation via Instruction Files.
+
+//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file
+//= type=exception
+//# The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption.
+
+//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file
+//= type=exception
+//# The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported.
+
+//= ../specification/s3-encryption/data-format/metadata-strategy.md#v3-instruction-files
+//= type=exception
+//# - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File.