chore: make EncodeAscii ghost

ajewellamz · ajewellamz · commit d83759abe9a5 · 2025-02-04T16:07:23.000-08:00
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Beacon.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Beacon.dfy
@@ -18,6 +18,11 @@ module TestBaseBeacon {
   import DDB = ComAmazonawsDynamodbTypes
   import SE = AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes
 
+  const x123 : UTF8.ValidUTF8Bytes :=
+    var s := [0x31, 0x32, 0x33];
+    assert s == UTF8.EncodeAscii("123");
+    s
+
   method {:test} TestBeacon() {
     var primitives :- expect Primitives.AtomicPrimitives();
 
@@ -31,7 +36,7 @@ module TestBaseBeacon {
     expect bytes[7] == 0x80;
     str :- expect b.hash([], key := [1,2]);
     expect str == "80";
-    bytes :- expect bb.getHmac(UTF8.EncodeAscii("123"), key := [1,2]);
+    bytes :- expect bb.getHmac(x123, key := [1,2]);
     expect bytes[7] == 0x61;
   }
 
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbEncryptionBranchKeyIdSupplierTest.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbEncryptionBranchKeyIdSupplierTest.dfy
@@ -27,7 +27,12 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest {
 
   // These tests require a keystore populated with a key with this Id
   const BRANCH_KEY_ID := "75789115-1deb-4fe3-a2ec-be9e885d1945"
-  const BRANCH_KEY_ID_UTF8 := UTF8.EncodeAscii(BRANCH_KEY_ID)
+
+  const BRANCH_KEY_ID_UTF8 : UTF8.ValidUTF8Bytes :=
+    var s := [0x37, 0x35, 0x37, 0x38, 0x39, 0x31, 0x31, 0x35, 0x2d, 0x31, 0x64, 0x65, 0x62, 0x2d, 0x34, 0x66, 0x65, 0x33, 0x2d, 0x61, 0x32, 0x65, 0x63, 0x2d, 0x62, 0x65, 0x39, 0x65, 0x38, 0x38, 0x35, 0x64, 0x31, 0x39, 0x34, 0x35];
+    assert s == UTF8.EncodeAscii(BRANCH_KEY_ID);
+    s
+
   const ALTERNATE_BRANCH_KEY_ID := "4bb57643-07c1-419e-92ad-0df0df149d7c"
 
   // Constants for TestBranchKeySupplier
@@ -41,10 +46,23 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest {
   const CASE_B_BYTES: seq<uint8> := STRING_TYPE_ID + [0x43, 0x41, 0x53, 0x45, 0x5f, 0x42]
   const BRANCH_KEY_ID_A := BRANCH_KEY_ID
   const BRANCH_KEY_ID_B := ALTERNATE_BRANCH_KEY_ID
-  const EC_PARTITION_NAME := UTF8.EncodeAscii("aws-crypto-partition-name")
+
+  const EC_PARTITION_NAME : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x2d, 0x6e, 0x61, 0x6d, 0x65];
+    assert s == UTF8.EncodeAscii("aws-crypto-partition-name");
+    s
+
   const RESERVED_PREFIX := "aws-crypto-attr."
-  const KEY_ATTR_NAME := UTF8.EncodeAscii(RESERVED_PREFIX + BRANCH_KEY)
-  const BRANCH_KEY_NAME := UTF8.EncodeAscii(BRANCH_KEY)
+
+  const KEY_ATTR_NAME : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d, 0x61, 0x74, 0x74, 0x72, 0x2e, 0x62, 0x72, 0x61, 0x6e, 0x63, 0x68, 0x4b, 0x65, 0x79];
+    assert s == UTF8.EncodeAscii(RESERVED_PREFIX + BRANCH_KEY);
+    s
+
+  const BRANCH_KEY_NAME : UTF8.ValidUTF8Bytes :=
+    var s := [0x62, 0x72, 0x61, 0x6e, 0x63, 0x68, 0x4b, 0x65, 0x79];
+    assert s == UTF8.EncodeAscii(BRANCH_KEY);
+    s
 
   method {:test} {:vcs_split_on_every_assert} TestHappyCase()
   {
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbGetEncryptedDataKeyDescriptionTest.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbGetEncryptedDataKeyDescriptionTest.dfy
@@ -14,20 +14,55 @@ module DynamoDbGetEncryptedDataKeyDescriptionTest {
   import EdkWrapping
   import AlgorithmSuites
 
+  const abc : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x62, 0x63];
+    assert s == UTF8.EncodeAscii("abc");
+    s
+
+  const def : UTF8.ValidUTF8Bytes :=
+    var s := [0x64, 0x65, 0x66];
+    assert s == UTF8.EncodeAscii("def");
+    s
+
+  const awskms : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x6b, 0x6d, 0x73];
+    assert s == UTF8.EncodeAscii("aws-kms");
+    s
+
+  const keyproviderInfo : UTF8.ValidUTF8Bytes :=
+    var s := [0x6b, 0x65, 0x79, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f];
+    assert s == UTF8.EncodeAscii("keyproviderInfo");
+    s
+
+  const aws_kms_hierarchy : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x6b, 0x6d, 0x73, 0x2d, 0x68, 0x69, 0x65, 0x72, 0x61, 0x72, 0x63, 0x68, 0x79];
+    assert s == UTF8.EncodeAscii("aws-kms-hierarchy");
+    s
+
+  const raw_rsa : UTF8.ValidUTF8Bytes :=
+    var s := [0x72, 0x61, 0x77, 0x2d, 0x72, 0x73, 0x61];
+    assert s == UTF8.EncodeAscii("raw-rsa");
+    s
+
+  const aws_kms_rsa : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x6b, 0x6d, 0x73, 0x2d, 0x72, 0x73, 0x61];
+    assert s == UTF8.EncodeAscii("aws-kms-rsa");
+    s
+
   // THIS IS A TESTING RESOURCE DO NOT USE IN A PRODUCTION ENVIRONMENT
   const testVersion : Version := 1
   const testFlavor0 : Flavor := 0
   const testFlavor1 : Flavor := 1
   const testMsgID : MessageID := [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32]
   const testLegend : Legend := [0x65, 0x73]
-  const testEncContext : CMPEncryptionContext := map[EncodeAscii("abc") := EncodeAscii("def")]
+  const testEncContext : CMPEncryptionContext := map[abc := def]
   const testAwsKmsDataKey := CMP.EncryptedDataKey(
-                               keyProviderId := EncodeAscii("aws-kms") ,
-                               keyProviderInfo := EncodeAscii("keyproviderInfo"),
+                               keyProviderId := awskms ,
+                               keyProviderInfo := keyproviderInfo,
                                ciphertext := [1, 2, 3, 4, 5])
   const testAwsKmsHDataKey := CMP.EncryptedDataKey(
-                                keyProviderId := EncodeAscii("aws-kms-hierarchy") ,
-                                keyProviderInfo := EncodeAscii("keyproviderInfo"),
+                                keyProviderId := aws_kms_hierarchy,
+                                keyProviderInfo := keyproviderInfo,
                                 ciphertext := [
                                   64, 92, 115, 7, 85, 121, 112, 79, 69, 12, 82, 25, 67, 34,
                                   11, 66, 93, 45, 40, 23, 90, 61, 16, 28, 59, 114, 52, 122,
@@ -40,12 +75,12 @@ module DynamoDbGetEncryptedDataKeyDescriptionTest {
                                   114, 76, 18, 103, 84, 34, 123, 1, 125, 61, 33, 13, 18, 81,
                                   24, 53, 53, 26, 60, 52, 85, 81, 96, 85, 72])
   const testRawRsaDataKey := CMP.EncryptedDataKey(
-                               keyProviderId := EncodeAscii("raw-rsa") ,
+                               keyProviderId := raw_rsa,
                                keyProviderInfo := [1, 2, 3, 4, 5],
                                ciphertext := [6, 7, 8, 9])
   const testAwsKmsRsaDataKey := CMP.EncryptedDataKey(
-                                  keyProviderId := EncodeAscii("aws-kms-rsa") ,
-                                  keyProviderInfo := EncodeAscii("keyproviderInfo"),
+                                  keyProviderId := aws_kms_rsa,
+                                  keyProviderInfo := keyproviderInfo,
                                   ciphertext := [1, 2, 3, 4, 5])
 
   method CreatePartialHeader(version : Version, flavor : Flavor, msgID : MessageID, legend : Legend, encContext : CMPEncryptionContext, dataKeyList : CMPEncryptedDataKeyList)
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DynamoDbMiddlewareSupport.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DynamoDbMiddlewareSupport.dfy
@@ -121,7 +121,10 @@ module DynamoDbMiddlewareSupport {
     .MapFailure(e => AwsCryptographyDbEncryptionSdkDynamoDb(e))
   }
 
-  const HierarchicalKeyringId := UTF8.EncodeAscii("aws-kms-hierarchy")
+  const HierarchicalKeyringId : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x6b, 0x6d, 0x73, 0x2d, 0x68, 0x69, 0x65, 0x72, 0x61, 0x72, 0x63, 0x68, 0x79];
+    assert s == UTF8.EncodeAscii("aws-kms-hierarchy");
+    s
 
   // Return Beacon Key ID for use in beaconizing records to be written
   function method GetKeyIdFromHeader(config : ValidTableConfig, output : AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes.EncryptItemOutput) :
diff --git a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Util.dfy b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Util.dfy
@@ -35,9 +35,20 @@ module DynamoDbItemEncryptorUtil {
     x < y
   }
 
-  const TABLE_NAME : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("aws-crypto-table-name")
-  const PARTITION_NAME : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("aws-crypto-partition-name")
-  const SORT_NAME : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("aws-crypto-sort-name")
+  const TABLE_NAME : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x2d, 0x6e, 0x61, 0x6d, 0x65];
+    assert s == UTF8.EncodeAscii("aws-crypto-table-name");
+    s
+
+  const PARTITION_NAME : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x2d, 0x6e, 0x61, 0x6d, 0x65];
+    assert s == UTF8.EncodeAscii("aws-crypto-partition-name");
+    s
+
+  const SORT_NAME : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d, 0x73, 0x6f, 0x72, 0x74, 0x2d, 0x6e, 0x61, 0x6d, 0x65];
+    assert s == UTF8.EncodeAscii("aws-crypto-sort-name");
+    s
 
   const SELECTOR_TABLE_NAME : DDB.AttributeName := "aws_dbe_table_name"
   const SELECTOR_PARTITION_NAME : DDB.AttributeName := "aws_dbe_partition_name"
diff --git a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/test/DynamoDBItemEncryptorTest.dfy b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/test/DynamoDBItemEncryptorTest.dfy
@@ -25,7 +25,10 @@ module DynamoDbItemEncryptorTest {
   // encrypt => encrypted fields changed, others did not
   // various errors
 
-  const PublicKeyUtf8 : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii("aws-crypto-public-key")
+  const PublicKeyUtf8 : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2d, 0x6b, 0x65, 0x79];
+    assert s == UTF8.EncodeAscii("aws-crypto-public-key");
+    s
 
   function method DDBS(x : string) : DDB.AttributeValue {
     DDB.AttributeValue.S(x)
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/src/Crypt.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/src/Crypt.dfy
@@ -49,6 +49,11 @@ module StructuredEncryptionCrypt {
     keyR.MapFailure(e => AwsCryptographyPrimitives(e))
   }
 
+  const AwsDbeField : UTF8.ValidUTF8Bytes :=
+    var s := [0x41, 0x77, 0x73, 0x44, 0x62, 0x65, 0x46, 0x69, 0x65, 0x6c, 0x64];
+    assert s == UTF8.EncodeAscii("AwsDbeField");
+    s
+
   function method FieldKeyNonce(offset : uint32)
     : (ret : Bytes)
     ensures |ret| == 16 // NOT NonceSize
@@ -61,17 +66,24 @@ module StructuredEncryptionCrypt {
     //# | 0x2c          | 1        | 44, the length of the eventual FieldKey |
     //# | offset        | 4        | 32 bit integer representation of offset |
     ensures ret ==
-            UTF8.EncodeAscii("AwsDbeField")
+            AwsDbeField
             + [(KeySize+NonceSize) as uint8]
             + UInt32ToSeq(offset)
   {
-    UTF8.EncodeAscii("AwsDbeField")
+    AwsDbeField
     + [(KeySize+NonceSize) as uint8] // length
     + UInt32ToSeq(offset)
   }
 
-  const LABEL_COMMITMENT_KEY := UTF8.EncodeAscii("AWS_DBE_COMMIT_KEY")
-  const LABEL_ENCRYPTION_KEY := UTF8.EncodeAscii("AWS_DBE_DERIVE_KEY")
+  const LABEL_COMMITMENT_KEY : UTF8.ValidUTF8Bytes :=
+    var s := [0x41, 0x57, 0x53, 0x5f, 0x44, 0x42, 0x45, 0x5f, 0x43, 0x4f, 0x4d, 0x4d, 0x49, 0x54, 0x5f, 0x4b, 0x45, 0x59];
+    assert s == UTF8.EncodeAscii("AWS_DBE_COMMIT_KEY");
+    s
+
+  const LABEL_ENCRYPTION_KEY : UTF8.ValidUTF8Bytes :=
+    var s := [0x41, 0x57, 0x53, 0x5f, 0x44, 0x42, 0x45, 0x5f, 0x44, 0x45, 0x52, 0x49, 0x56, 0x45, 0x5f, 0x4b, 0x45, 0x59];
+    assert s == UTF8.EncodeAscii("AWS_DBE_DERIVE_KEY");
+    s
 
   // suitable for header field
   method GetCommitKey(
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/src/Footer.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/src/Footer.dfy
@@ -140,16 +140,28 @@ module StructuredEncryptionFooter {
     }
   }
 
+  const ENCRYPTED : UTF8.ValidUTF8Bytes :=
+    var s := [0x45, 0x4e, 0x43, 0x52, 0x59, 0x50, 0x54, 0x45, 0x44];
+    assert s == UTF8.EncodeAscii("ENCRYPTED");
+    s
+
+  const PLAINTEXT : UTF8.ValidUTF8Bytes :=
+    var s := [0x50, 0x4c, 0x41, 0x49, 0x4e, 0x54, 0x45, 0x58, 0x54];
+    assert s == UTF8.EncodeAscii("PLAINTEXT");
+    s
+
+
+
   // Given a StructuredDataTerminal, return the canonical value for the type, for use in the footer checksum calculations
   function method GetCanonicalType(value : StructuredDataTerminal, isEncrypted : bool)
     : Result<Bytes, Error>
   {
     if isEncrypted then
       :- Need(2 <= |value.value| < UINT64_LIMIT, E("Bad length."));
-      Success(UInt64ToSeq((|value.value| - 2) as uint64) + UTF8.EncodeAscii("ENCRYPTED"))
+      Success(UInt64ToSeq((|value.value| - 2) as uint64) + ENCRYPTED)
     else
       :- Need(|value.value| < UINT64_LIMIT, E("Bad length."));
-      Success(UInt64ToSeq((|value.value|) as uint64) + UTF8.EncodeAscii("PLAINTEXT") + value.typeId)
+      Success(UInt64ToSeq((|value.value|) as uint64) + PLAINTEXT + value.typeId)
   }
 
   function method GetCanonicalEncryptedField(fieldName : CanonicalPath, value : StructuredDataTerminal)
@@ -169,14 +181,14 @@ module StructuredEncryptionFooter {
               && ret.value ==
                  fieldName
                  + UInt64ToSeq((|value.value| - 2) as uint64)
-                 + UTF8.EncodeAscii("ENCRYPTED")
+                 + ENCRYPTED
                  + value.value // this is 2 bytes of unencrypted type, followed by encrypted value
   {
     :- Need(2 <= |value.value| < UINT64_LIMIT, E("Bad length."));
     Success(
       fieldName
       + UInt64ToSeq((|value.value| - 2) as uint64)
-      + UTF8.EncodeAscii("ENCRYPTED")
+      + ENCRYPTED
       + value.value
     )
   }
@@ -198,15 +210,15 @@ module StructuredEncryptionFooter {
               && ret.value ==
                  fieldName
                  + UInt64ToSeq((|value.value|) as uint64)
-                 + UTF8.EncodeAscii("PLAINTEXT")
+                 + PLAINTEXT
                  + value.typeId
                  + value.value
   {
     :- Need(|value.value| < UINT64_LIMIT, E("Bad length."));
     Success(
       fieldName
       + UInt64ToSeq((|value.value|) as uint64)
-      + UTF8.EncodeAscii("PLAINTEXT")
+      + PLAINTEXT
       + value.typeId
       + value.value
     )
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/src/Util.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/src/Util.dfy
@@ -26,23 +26,48 @@ module StructuredEncryptionUtil {
   const FooterPath : Path := [member(StructureSegment(key := FooterField))]
   const HeaderPaths : seq<Path> := [HeaderPath, FooterPath]
   const ReservedCryptoContextPrefixString := "aws-crypto-"
-  const ReservedCryptoContextPrefixUTF8 := UTF8.EncodeAscii(ReservedCryptoContextPrefixString)
+
+  const ReservedCryptoContextPrefixUTF8 : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d];
+    assert s == UTF8.EncodeAscii(ReservedCryptoContextPrefixString);
+    s
 
   const ATTR_PREFIX := ReservedCryptoContextPrefixString + "attr."
-  const EC_ATTR_PREFIX : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii(ATTR_PREFIX)
+
+  const EC_ATTR_PREFIX : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d, 0x61, 0x74, 0x74, 0x72, 0x2e];
+    assert s == UTF8.EncodeAscii(ATTR_PREFIX);
+    s
+
   const LEGEND := ReservedCryptoContextPrefixString + "legend"
-  const LEGEND_UTF8 : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii(LEGEND)
+
+  const LEGEND_UTF8 : UTF8.ValidUTF8Bytes :=
+    var s := [0x61, 0x77, 0x73, 0x2d, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x2d, 0x6c, 0x65, 0x67, 0x65, 0x6e, 0x64];
+    assert s == UTF8.EncodeAscii(LEGEND);
+    s
+
   const LEGEND_STRING : char := 'S'
   const LEGEND_NUMBER : char := 'N'
   const LEGEND_LITERAL : char := 'L'
   const LEGEND_BINARY : char := 'B'
 
   const NULL_STR : string := "null"
-  const NULL_UTF8 : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii(NULL_STR)
+  const NULL_UTF8 : UTF8.ValidUTF8Bytes :=
+    var s := [0x6e, 0x75, 0x6c, 0x6c];
+    assert s == UTF8.EncodeAscii(NULL_STR);
+    s
+
   const TRUE_STR : string := "true"
-  const TRUE_UTF8 : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii(TRUE_STR)
+  const TRUE_UTF8 : UTF8.ValidUTF8Bytes :=
+    var s := [0x74, 0x72, 0x75, 0x65];
+    assert s == UTF8.EncodeAscii(TRUE_STR);
+    s
+
   const FALSE_STR : string := "false"
-  const FALSE_UTF8 : UTF8.ValidUTF8Bytes := UTF8.EncodeAscii(FALSE_STR)
+  const FALSE_UTF8 : UTF8.ValidUTF8Bytes :=
+    var s := [0x66, 0x61, 0x6c, 0x73, 0x65];
+    assert s == UTF8.EncodeAscii(FALSE_STR);
+    s
 
   datatype CanonCryptoItem = CanonCryptoItem (
     key : CanonicalPath,
@@ -290,9 +315,10 @@ module StructuredEncryptionUtil {
     //# where `typeId` is the attribute's [type ID](./ddb-attribute-serialization.md#type-id)
     //# and `serializedValue` is the attribute's value serialized according to
     //# [Attribute Value Serialization](./ddb-attribute-serialization.md#attribute-value-serialization).
-    ensures ret == UTF8.EncodeAscii(Base64.Encode(t.typeId + t.value))
+    ensures ret == UTF8.Encode(Base64.Encode(t.typeId + t.value)).value
   {
-    UTF8.EncodeAscii(Base64.Encode(t.typeId + t.value))
+    var base := Base64.Encode(t.typeId + t.value);
+    UTF8.Encode(base).value
   }
 
   function method DecodeTerminal(t : UTF8.ValidUTF8Bytes) : (ret : Result<StructuredDataTerminal, string>)
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/test/HappyCaseTests.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/test/HappyCaseTests.dfy
@@ -13,12 +13,22 @@ module HappyCaseTests {
   import MaterialProviders
   import StructuredDataTestFixtures
 
+  const some : UTF8.ValidUTF8Bytes :=
+    var s := [0x73, 0x6f, 0x6d, 0x65];
+    assert s == UTF8.EncodeAscii("some");
+    s
+
+  const value : UTF8.ValidUTF8Bytes :=
+    var s := [0x76, 0x61, 0x6c, 0x75, 0x65];
+    assert s == UTF8.EncodeAscii("value");
+    s
+
   method {:test} TestRoundTrip() {
     var structuredEncryption :-
       expect StructuredEncryption.StructuredEncryption(StructuredEncryption.DefaultStructuredEncryptionConfig());
     var cmm := StructuredDataTestFixtures.GetDefaultCMMWithKMSKeyring();
 
-    var encContext := map[UTF8.EncodeAscii("some") := UTF8.EncodeAscii("value")];
+    var encContext := map[some := value];
     var algSuiteId := AlgorithmSuites.DBE_ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384.id.DBE;
 
     assert  && structuredEncryption.ValidState();
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/test/Header.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/test/Header.dfy
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/test/Paths.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/test/Paths.dfy
diff --git a/TestVectors/dafny/DDBEncryption/src/JsonConfig.dfy b/TestVectors/dafny/DDBEncryption/src/JsonConfig.dfy
diff --git a/submodules/MaterialProviders b/submodules/MaterialProviders
