address feedback

framework/test-vectors/complete-vectors/README.md

@@ -20,5 +20,5 @@ Unless otherwise specified, all "Basic Tests" MUST use a `DefaultCMM`
 
 By keeping every component separate is is easier to find
 and reason about the completeness of testing.
-This also allows top level clients like the ESDK or DBESDK to 
+This also allows top level clients like the ESDK or DBESDK to
 reuse the key or cmm description to avoid reinventing the wheel.

framework/test-vectors/complete-vectors/default-cmm.md

@@ -15,7 +15,7 @@ This describes the test cases for the [Default CMM](../../default-cmm.md)
 
 ### Basic tests
 
-A test MUST verify that on both encrypt and decrypt the correct 
+A test MUST verify that on both encrypt and decrypt the correct
 plaintext data key is produced.
 
 A test MUST verify that an encrypt keyring that returns
@@ -24,7 +24,6 @@ an incorrect plaintext data key will fail.
 A test MUST verify that a decrypt keyring that returns
 an incorrect plaintext data key will fail.
 
-
 ### Required and reproduced encryption context success cases
 
 For a given [encryption context](../../structures.md#encryption-context),
@@ -38,12 +37,12 @@ for every subset of the encryption context
 who's keys fully intersect with the `requiredEncryptionContextKeys`.
 
 For example:
+
 - Given an empty `requiredEncryptionContextKeys`,
-every combination of the original encryption context
-will succeed as `reproducedEncryptionContext`.
+  every combination of the original encryption context
+  will succeed as `reproducedEncryptionContext`.
 - Given a `requiredEncryptionContextKeys` consisting of `{a}` the
-`reproducedEncryptionContext` to try would be:
-    - `{ a : a }` and `{ a : a, b : b}` 
+  `reproducedEncryptionContext` to try would be: - `{ a : a }` and `{ a : a, b : b}`
 
 ### Required encryption context keys failures on encrypt
 
@@ -54,17 +53,18 @@ The keys of the encryption context attempted however
 MUST NOT fully intersect with the `requiredEncryptionContextKeys`.
 
 For example:
-- Given an `encryptionContext`: `{a:a, b:b, c:c}` will produce the subset 
-of `requiredEncryptionContextKeys`,  `{{}, {a}, {b}, {c}, {a,b}, {a,c), {b,c}, {a,b,c}}`
-- Given a `requiredEncryptionContextKeys` consisting of `{a}` the 
-`reproducedEncryptionContext` to try would be:
- - `{b:b, c:c}`
-- Given a `requiredEncryptionContextKeys` consisting of `{a,b}` the 
-`reproducedEncryptionContext` to try would be:
- - `{}`, `{c:c}`, and `{a:a, c:c}`
-- Given a `requiredEncryptionContextKeys` consisting of `{a,b,c}` the 
-`reproducedEncryptionContext` to try would be:
- - `{}`
+
+- Given an `encryptionContext`: `{a:a, b:b, c:c}` will produce the subset
+  of `requiredEncryptionContextKeys`, `{{}, {a}, {b}, {c}, {a,b}, {a,c), {b,c}, {a,b,c}}`
+- Given a `requiredEncryptionContextKeys` consisting of `{a}` the
+  `reproducedEncryptionContext` to try would be:
+- `{b:b, c:c}`
+- Given a `requiredEncryptionContextKeys` consisting of `{a,b}` the
+  `reproducedEncryptionContext` to try would be:
+- `{}`, `{c:c}`, and `{a:a, c:c}`
+- Given a `requiredEncryptionContextKeys` consisting of `{a,b,c}` the
+  `reproducedEncryptionContext` to try would be:
+- `{}`
 
 ### Reproduced encryption context failures on decrypt
 

framework/test-vectors/complete-vectors/hierarchy.md

@@ -15,7 +15,7 @@ This describes the test cases for the [Aws Kms Hierarchical Keyring](../../aws-k
 
 ### Basic tests
 
-For a given static branch key, 
+For a given static branch key,
 a test MUST attempt to encrypt and decrypt
 with every available [algorithm suite](../../algorithm-suites.md#algorithm-suite-id)
 

framework/test-vectors/complete-vectors/raw-aes.md

@@ -14,8 +14,9 @@ This describes the test cases for the [Raw AES Keyring](../../raw-aes-keyring.md
 ## Reference-level Explanation
 
 ## Definitions
+
 - positive key description: a [key description](../key-description.md) that when parsed and generated can produce
-valid encryption and decryption materials.
+  valid encryption and decryption materials.
 
 ### Basic tests
 

framework/test-vectors/complete-vectors/raw-rsa.md

@@ -14,8 +14,9 @@ This describes the test cases for the [Raw RSA Keyring](../../raw-rsa-keyring.md
 ## Reference-level Explanation
 
 ## Definitions
+
 - positive key description: a [key description](../key-description.md) that when parsed and generated can produce
-valid encryption and decryption materials.
+  valid encryption and decryption materials.
 
 ### Basic tests
 

framework/test-vectors/complete-vectors/required-encryption-context-cmm.md

@@ -15,7 +15,7 @@ This describes the test cases for the [Required Encryption Context CMM](../../re
 
 ### Basic tests
 
-A test MUST verify that on both encrypt and decrypt the correct 
+A test MUST verify that on both encrypt and decrypt the correct
 plaintext data key is produced.
 
 A test MUST verify that an encrypt keyring that returns
@@ -24,12 +24,57 @@ an incorrect plaintext data key will fail.
 A test MUST verify that a decrypt keyring that returns
 an incorrect plaintext data key will fail.
 
-With the above tests we infer
-that all other keyring tests that are wrapped by the DefaultCMM
-will fail successfully if the materials returned are not valid.
+### Required Encryption Context CMM failures on encrypt
 
-For every non signing algorithm suite, a test MUST verify that
-no verification key is appended to the encryption context.
+For a given [encryption context](../../structures.md#encryption-context),
+every subset of the keys for this encryption context
+MUST be attempted as the `requiredEncryptionContextKeys`.
+If any of the `requiredEncryptionContextKeys` do not exist in the
+supplied encryption context, then the test MUST fail.
 
-For every signing algorithm suite, a test MUST verify that
-a verification key is appended to the encryption context.
+For example:
+
+- Given an `encryptionContext`: `{a:a, b:b, c:c}` will produce the subset
+  of `requiredEncryptionContextKeys`, `{{}, {a}, {b}, {c}, {a,b}, {a,c), {b,c}, {a,b,c}}`
+- Given a `requiredEncryptionContextKeys` consisting of `{a}` the encryption context MUST
+  have the key `{a}`.
+- Given a `requiredEncryptionContextKeys` consisting of `{a,b}` the encryption context MUST
+  have the keys `{a,b}`.
+- Given a `requiredEncryptionContextKeys` consisting of `{a,b,c}` the encryption context MUST
+  have the keys `{a,b,c}`.
+
+If there is no `requiredEncryptionContextKeys`, then the test MUST fail.
+
+### Required Encryption Context CMM failures on decrypt
+
+For a given [encryption context](../../structures.md#encryption-context),
+every subset of the keys for this encryption context
+MUST be attempted as the `requiredEncryptionContextKeys`.
+An incorrect encryption context
+MUST be attempted that differs from the correct encryption context
+by both values and keys.
+
+For example:
+
+- Given the encryption context `{a: a, b: b}` with
+  `requiredEncryptionContextKeys` set to `{a, b}`, the test
+  MUST attempt to decrypt AND fail with reproduced encryption contexts
+  `{a:b, b:a}`,`{a:a}`, `{b:b}`,`{}`, and `{a:c, b:c, c:c}`
+
+### Required Encryption Context CMM success cases
+
+For a given [encryption context](../../structures.md#encryption-context),
+every subset of the keys for this encryption context
+MUST be attempted as the `requiredEncryptionContextKeys`.
+For example, `{ a: a, b: b }` produces the complete set of keys subsets: `{ {}, { a }, { b }, { a, b } }` called `requiredEncryptionContextKeys`.
+
+For every `requiredEncryptionContextKeys` produced above
+`reproducedEncryptionContext` MUST be attempted
+for every subset of the encryption context
+who's keys fully intersect with the `requiredEncryptionContextKeys`.
+
+For example:
+
+- Given the encryption context `{a:a, b:b}` with the `requiredEncryptionContextKeys`
+  set to `{a}`, the only success case for a message to successfully decrypt will be
+  to supply the reproducedEncryptionContext `{a}`.