Example 1 with ExtraMaterialsDescription
use of com.amazonaws.services.s3.model.ExtraMaterialsDescription in project aws-sdk-android by aws-amplify.
the class S3CryptoModuleAE method decipherWithInstructionFile.
private S3Object decipherWithInstructionFile(GetObjectRequest req, long[] desiredRange, long[] cryptoRange, S3ObjectWrapper retrieved, S3ObjectWrapper instructionFile) {
ExtraMaterialsDescription extraMatDesc = NONE;
boolean keyWrapExpected = isStrict();
if (req instanceof EncryptedGetObjectRequest) {
final EncryptedGetObjectRequest ereq = (EncryptedGetObjectRequest) req;
extraMatDesc = ereq.getExtraMaterialDescription();
if (!keyWrapExpected) {
keyWrapExpected = ereq.isKeyWrapExpected();
}
}
final String json = instructionFile.toJsonString();
@SuppressWarnings("unchecked") final Map<String, String> matdesc = Collections.unmodifiableMap(JsonUtils.jsonToMap(json));
final ContentCryptoMaterial cekMaterial = ContentCryptoMaterial.fromInstructionFile(matdesc, kekMaterialsProvider, cryptoConfig.getCryptoProvider(), // range is sometimes necessary to compute the adjusted IV
cryptoRange, extraMatDesc, keyWrapExpected, kms);
securityCheck(cekMaterial, retrieved);
final S3ObjectWrapper decrypted = decrypt(retrieved, cekMaterial, cryptoRange);
// Adjust the output to the desired range of bytes.
final S3ObjectWrapper adjusted = adjustToDesiredRange(decrypted, desiredRange, matdesc);
return adjusted.getS3Object();
}
Also used :
EncryptedGetObjectRequest(com.amazonaws.services.s3.model.EncryptedGetObjectRequest)
ExtraMaterialsDescription(com.amazonaws.services.s3.model.ExtraMaterialsDescription)
Example 2 with ExtraMaterialsDescription
use of com.amazonaws.services.s3.model.ExtraMaterialsDescription in project aws-sdk-android by aws-amplify.
the class ContentCryptoMaterial method fromObjectMetadata0.
/**
* @return a non-null content crypto material.
*/
private static ContentCryptoMaterial fromObjectMetadata0(ObjectMetadata metadata, EncryptionMaterialsAccessor kekMaterialAccessor, Provider securityProvider, long[] range, ExtraMaterialsDescription extra, boolean keyWrapExpected, AWSKMSClient kms) {
// CEK and IV
final Map<String, String> userMeta = metadata.getUserMetadata();
String b64key = userMeta.get(Headers.CRYPTO_KEY_V2);
if (b64key == null) {
b64key = userMeta.get(Headers.CRYPTO_KEY);
if (b64key == null) {
throw new AmazonClientException("Content encrypting key not found.");
}
}
final byte[] cekWrapped = Base64.decode(b64key);
byte[] iv = Base64.decode(userMeta.get(Headers.CRYPTO_IV));
if (cekWrapped == null || iv == null) {
throw new AmazonClientException("Content encrypting key or IV not found.");
}
// Material description
final String matdescStr = userMeta.get(Headers.MATERIALS_DESCRIPTION);
final String keyWrapAlgo = userMeta.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
final boolean isKMS = isKMSKeyWrapped(keyWrapAlgo);
final Map<String, String> core = matdescFromJson(matdescStr);
final Map<String, String> merged = isKMS || extra == null ? core : extra.mergeInto(core);
final EncryptionMaterials materials;
if (isKMS) {
materials = new KMSEncryptionMaterials(core.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
materials.addDescriptions(core);
} else {
materials = kekMaterialAccessor == null ? null : kekMaterialAccessor.getEncryptionMaterials(merged);
if (materials == null) {
throw new AmazonClientException("Unable to retrieve the client encryption materials");
}
}
// CEK algorithm
final String cekAlgo = userMeta.get(Headers.CRYPTO_CEK_ALGORITHM);
final boolean isRangeGet = range != null;
// The content crypto scheme may vary depending on whether
// it is a range get operation
final ContentCryptoScheme contentCryptoScheme = ContentCryptoScheme.fromCEKAlgo(cekAlgo, isRangeGet);
if (isRangeGet) {
// Adjust the IV as needed
iv = contentCryptoScheme.adjustIV(iv, range[0]);
} else {
// Validate the tag length supported
final int tagLenExpected = contentCryptoScheme.getTagLengthInBits();
if (tagLenExpected > 0) {
final String s = userMeta.get(Headers.CRYPTO_TAG_LENGTH);
final int tagLenActual = Integer.parseInt(s);
if (tagLenExpected != tagLenActual) {
throw new AmazonClientException("Unsupported tag length: " + tagLenActual + ", expected: " + tagLenExpected);
}
}
}
// Unwrap or decrypt the CEK
if (keyWrapExpected && keyWrapAlgo == null) {
throw newKeyWrapException();
}
final SecretKey cek = cek(cekWrapped, keyWrapAlgo, materials, securityProvider, contentCryptoScheme, kms);
return new ContentCryptoMaterial(merged, cekWrapped, keyWrapAlgo, contentCryptoScheme.createCipherLite(cek, iv, Cipher.DECRYPT_MODE, securityProvider));
}
Also used :
SecretKey(javax.crypto.SecretKey)
KMSEncryptionMaterials(com.amazonaws.services.s3.model.KMSEncryptionMaterials)
EncryptionMaterials(com.amazonaws.services.s3.model.EncryptionMaterials)
AmazonClientException(com.amazonaws.AmazonClientException)
KMSEncryptionMaterials(com.amazonaws.services.s3.model.KMSEncryptionMaterials)
Example 3 with ExtraMaterialsDescription
use of com.amazonaws.services.s3.model.ExtraMaterialsDescription in project aws-sdk-android by aws-amplify.
the class ContentCryptoMaterial method fromInstructionFile0.
/**
* @return a non-null content crypto material.
*/
private static ContentCryptoMaterial fromInstructionFile0(Map<String, String> instFile, EncryptionMaterialsAccessor kekMaterialAccessor, Provider securityProvider, long[] range, ExtraMaterialsDescription extra, boolean keyWrapExpected, AWSKMSClient kms) {
// CEK and IV
String b64key = instFile.get(Headers.CRYPTO_KEY_V2);
if (b64key == null) {
b64key = instFile.get(Headers.CRYPTO_KEY);
if (b64key == null) {
throw new AmazonClientException("Content encrypting key not found.");
}
}
final byte[] cekWrapped = Base64.decode(b64key);
byte[] iv = Base64.decode(instFile.get(Headers.CRYPTO_IV));
if (cekWrapped == null || iv == null) {
throw new AmazonClientException("Necessary encryption info not found in the instruction file " + instFile);
}
final String keyWrapAlgo = instFile.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
final boolean isKMS = isKMSKeyWrapped(keyWrapAlgo);
// Material description
final String matdescStr = instFile.get(Headers.MATERIALS_DESCRIPTION);
final Map<String, String> core = matdescFromJson(matdescStr);
final Map<String, String> merged = extra == null || isKMS ? core : extra.mergeInto(core);
EncryptionMaterials materials;
if (isKMS) {
materials = new KMSEncryptionMaterials(core.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
materials.addDescriptions(core);
} else {
materials = kekMaterialAccessor == null ? null : kekMaterialAccessor.getEncryptionMaterials(merged);
if (materials == null) {
throw new AmazonClientException("Unable to retrieve the encryption materials that originally " + "encrypted object corresponding to instruction file " + instFile);
}
}
// CEK algorithm
final String cekAlgo = instFile.get(Headers.CRYPTO_CEK_ALGORITHM);
final boolean isRangeGet = range != null;
// The content crypto scheme may vary depending on whether
// it is a range get operation
final ContentCryptoScheme contentCryptoScheme = ContentCryptoScheme.fromCEKAlgo(cekAlgo, isRangeGet);
if (isRangeGet) {
// Adjust the IV as needed
iv = contentCryptoScheme.adjustIV(iv, range[0]);
} else {
// Validate the tag length supported
final int tagLenExpected = contentCryptoScheme.getTagLengthInBits();
if (tagLenExpected > 0) {
final String s = instFile.get(Headers.CRYPTO_TAG_LENGTH);
final int tagLenActual = Integer.parseInt(s);
if (tagLenExpected != tagLenActual) {
throw new AmazonClientException("Unsupported tag length: " + tagLenActual + ", expected: " + tagLenExpected);
}
}
}
// Unwrap or decrypt the CEK
if (keyWrapExpected && keyWrapAlgo == null) {
throw newKeyWrapException();
}
final SecretKey cek = cek(cekWrapped, keyWrapAlgo, materials, securityProvider, contentCryptoScheme, kms);
return new ContentCryptoMaterial(merged, cekWrapped, keyWrapAlgo, contentCryptoScheme.createCipherLite(cek, iv, Cipher.DECRYPT_MODE, securityProvider));
}
Also used :
SecretKey(javax.crypto.SecretKey)
KMSEncryptionMaterials(com.amazonaws.services.s3.model.KMSEncryptionMaterials)
EncryptionMaterials(com.amazonaws.services.s3.model.EncryptionMaterials)
AmazonClientException(com.amazonaws.AmazonClientException)
KMSEncryptionMaterials(com.amazonaws.services.s3.model.KMSEncryptionMaterials)
Example 4 with ExtraMaterialsDescription
use of com.amazonaws.services.s3.model.ExtraMaterialsDescription in project aws-sdk-android by aws-amplify.
the class S3CryptoModuleAE method decipherWithMetadata.
private S3Object decipherWithMetadata(GetObjectRequest req, long[] desiredRange, long[] cryptoRange, S3ObjectWrapper retrieved) {
ExtraMaterialsDescription extraMatDesc = NONE;
boolean keyWrapExpected = isStrict();
if (req instanceof EncryptedGetObjectRequest) {
final EncryptedGetObjectRequest ereq = (EncryptedGetObjectRequest) req;
extraMatDesc = ereq.getExtraMaterialDescription();
if (!keyWrapExpected) {
keyWrapExpected = ereq.isKeyWrapExpected();
}
}
final ContentCryptoMaterial cekMaterial = ContentCryptoMaterial.fromObjectMetadata(retrieved.getObjectMetadata(), kekMaterialsProvider, cryptoConfig.getCryptoProvider(), // range is sometimes necessary to compute the adjusted IV
cryptoRange, extraMatDesc, keyWrapExpected, kms);
securityCheck(cekMaterial, retrieved);
final S3ObjectWrapper decrypted = decrypt(retrieved, cekMaterial, cryptoRange);
// Adjust the output to the desired range of bytes.
final S3ObjectWrapper adjusted = adjustToDesiredRange(decrypted, desiredRange, null);
return adjusted.getS3Object();
}
Also used :
EncryptedGetObjectRequest(com.amazonaws.services.s3.model.EncryptedGetObjectRequest)
ExtraMaterialsDescription(com.amazonaws.services.s3.model.ExtraMaterialsDescription)
Aggregations
AmazonClientException (com.amazonaws.AmazonClientException)2
EncryptedGetObjectRequest (com.amazonaws.services.s3.model.EncryptedGetObjectRequest)2
EncryptionMaterials (com.amazonaws.services.s3.model.EncryptionMaterials)2
ExtraMaterialsDescription (com.amazonaws.services.s3.model.ExtraMaterialsDescription)2
KMSEncryptionMaterials (com.amazonaws.services.s3.model.KMSEncryptionMaterials)2
SecretKey (javax.crypto.SecretKey)2
