
WithAad ignored in Transit #30

@cipherboy

The Transit auto-unseal mechanism currently has no way to specify that AAD should be used.

```go
func (s *Wrapper) Encrypt(ctx context.Context, plaintext []byte, _ ...wrapping.Option) (*wrapping.BlobInfo, error) {
	ciphertext, err := s.client.Encrypt(ctx, plaintext)
	if err != nil {
		return nil, err
	}
```

What is not clear is what the migration process looks like; ideally I think we'd have to add this to the KeyId, that AAD was used, so that we can definitively say whether we expect it to be present or not for decryption; if AAD is present in the keyId but not on the decryption request, we should reject it. Likewise, if it is present in the options but not in the keyId, we should ignore it in the parameters.
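A sketch of the decryption rule proposed above, added here as an illustration and not code from the project. The `+aad` KeyId suffix and the function names are assumptions, and local AES-GCM stands in for the Transit backend.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

const aadMarker = "+aad" // hypothetical KeyId suffix: AAD was bound at encryption

func NewAEAD(key []byte) (cipher.AEAD, error) { // local AES-GCM stand-in for Transit
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Encrypt(a cipher.AEAD, keyID string, pt, aad []byte) (string, []byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	if len(aad) > 0 {
		keyID += aadMarker // record in the returned KeyId that AAD was bound
	}
	return keyID, a.Seal(nonce, nonce, pt, aad), nil // nonce || sealed data
}

// Decrypt rejects a marked KeyId without AAD and ignores AAD on an unmarked one.
func Decrypt(a cipher.AEAD, keyID string, ct, aad []byte) ([]byte, error) {
	marked, n := strings.HasSuffix(keyID, aadMarker), a.NonceSize()
	switch {
	case marked && len(aad) == 0:
		return nil, fmt.Errorf("KeyId %q records AAD but none was supplied", keyID)
	case len(ct) < n:
		return nil, fmt.Errorf("ciphertext too short")
	case !marked:
		aad = nil // legacy blob written before AAD support
	}
	return a.Open(nil, ct[:n], ct[n:], aad)
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	id, ct, _ := Encrypt(a, "unseal", []byte("root key"), []byte("cluster-1"))
	fmt.Println(Decrypt(a, id, ct, nil)) // marked KeyId, no AAD: rejected
}
```

Removing the marker from the KeyId of an AAD-bound blob does not bypass the check: the AAD is then dropped before `Open`, and GCM authentication fails.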
