
Example 51 with CosClientException

use of com.qcloud.cos.exception.CosClientException in project cos-java-sdk-v5 by tencentyun.

the class ContentCryptoMaterial method fromInstructionFile0.

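/**
 * Builds the content crypto material described by an instruction file.
 *
 * <p>The wrapped CEK is read from the V2 key entry, falling back to the V1 entry; the
 * IV, key-wrap algorithm, material description, CEK algorithm and (for whole-object
 * reads) the tag length are taken from their respective entries.
 *
 * @param instFile the parsed instruction file (entry name to value)
 * @param kekMaterialAccessor looks up the key-encryption-key materials matching the
 *        stored material description; may be null, in which case only a KMS-wrapped
 *        CEK can be resolved
 * @param securityProvider optional JCE provider; null to use the default
 * @param range byte range of a ranged read, or null for a whole-object read
 * @param keyWrapExpected whether the instruction file must name a key-wrap algorithm
 * @param kms KMS client used when the CEK is KMS-wrapped
 * @return a non-null content crypto material.
 * @throws CosClientException if a required entry is missing or malformed, the tag
 *         length does not match the scheme, or the encryption materials cannot be
 *         retrieved
 */
private static ContentCryptoMaterial fromInstructionFile0(Map<String, String> instFile, EncryptionMaterialsAccessor kekMaterialAccessor, Provider securityProvider, long[] range, boolean keyWrapExpected, QCLOUDKMS kms) {
    // CEK and IV: prefer the V2 key entry, fall back to the legacy one
    String b64key = instFile.get(Headers.CRYPTO_KEY_V2);
    if (b64key == null) {
        b64key = instFile.get(Headers.CRYPTO_KEY);
        if (b64key == null) {
            throw new CosClientException("Content encrypting key not found.");
        }
    }
    byte[] cekWrapped = Base64.decode(b64key);
    byte[] iv = Base64.decode(instFile.get(Headers.CRYPTO_IV));
    if (cekWrapped == null || iv == null) {
        throw new CosClientException("Necessary encryption info not found in the instruction file " + instFile);
    }
    final String keyWrapAlgo = instFile.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
    final boolean isKMS = isKMSKeyWrapped(keyWrapAlgo);
    // Material description
    String matdescStr = instFile.get(Headers.MATERIALS_DESCRIPTION);
    final Map<String, String> core = matdescFromJson(matdescStr);
    EncryptionMaterials materials;
    if (isKMS) {
        // A KMS-wrapped CEK carries its own master key id in the material description
        materials = new KMSEncryptionMaterials(core.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
        materials.addDescriptions(core);
    } else {
        materials = kekMaterialAccessor == null ? null : kekMaterialAccessor.getEncryptionMaterials(core);
        if (materials == null) {
            throw new CosClientException("Unable to retrieve the encryption materials that originally " + "encrypted object corresponding to instruction file " + instFile);
        }
    }
    // CEK algorithm
    final String cekAlgo = instFile.get(Headers.CRYPTO_CEK_ALGORITHM);
    final boolean isRangeGet = range != null;
    // The content crypto scheme may vary depending on whether
    // it is a range get operation
    ContentCryptoScheme contentCryptoScheme = ContentCryptoScheme.fromCEKAlgo(cekAlgo, isRangeGet);
    if (isRangeGet) {
        // Adjust the IV as needed
        iv = contentCryptoScheme.adjustIV(iv, range[0]);
    } else {
        // Validate the tag length supported
        int tagLenExpected = contentCryptoScheme.getTagLengthInBits();
        if (tagLenExpected > 0) {
            String s = instFile.get(Headers.CRYPTO_TAG_LENGTH);
            // A missing or non-numeric tag length is a malformed instruction file;
            // report it as a client exception rather than leaking NumberFormatException
            int tagLenActual;
            try {
                tagLenActual = Integer.parseInt(s);
            } catch (NumberFormatException e) {
                throw new CosClientException("Missing or invalid tag length in the instruction file: " + s, e);
            }
            if (tagLenExpected != tagLenActual) {
                throw new CosClientException("Unsupported tag length: " + tagLenActual + ", expected: " + tagLenExpected);
            }
        }
    }
    // Unwrap or decrypt the CEK
    if (keyWrapExpected && keyWrapAlgo == null) {
        throw newKeyWrapException();
    }
    SecretKey cek = cek(cekWrapped, keyWrapAlgo, materials, securityProvider, contentCryptoScheme, kms);
    return new ContentCryptoMaterial(core, cekWrapped, keyWrapAlgo, contentCryptoScheme.createCipherLite(cek, iv, Cipher.DECRYPT_MODE, securityProvider), null);
}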

Example 52 with CosClientException

use of com.qcloud.cos.exception.CosClientException in project cos-java-sdk-v5 by tencentyun.

the class ContentCryptoMaterial method encryptIV.

/**
 * Protects the given IV with the key-encryption-key.
 *
 * <p>When the materials are KMS-enabled the base64 form of the IV is sent to KMS,
 * with the merged material description as encryption context, and the UTF-8 bytes
 * of the returned ciphertext blob are the result. Otherwise the IV is encrypted
 * locally with the key pair's public key (if any) or the symmetric key, using the
 * key-wrap algorithm the scheme selects for that key.
 *
 * @param iv the IV to protect
 * @param materials supplies the KEK, or the master key id when KMS-enabled
 * @param kwScheme selects the key-wrap algorithm for the KEK
 * @param srand randomness source for cipher initialisation
 * @param p optional JCE provider; null for the default
 * @param kms KMS client, used only when the materials are KMS-enabled
 * @param req the request whose material description is merged in for KMS
 * @return the protected IV
 * @throws CosClientException if the encryption context cannot be serialised or
 *         local encryption fails
 */
public static byte[] encryptIV(byte[] iv, EncryptionMaterials materials, COSKeyWrapScheme kwScheme, SecureRandom srand, Provider p, QCLOUDKMS kms, CosServiceRequest req) {
    if (materials.isKMSEnabled()) {
        final Map<String, String> context = mergeMaterialDescriptions(materials, req);
        final EncryptRequest request = new EncryptRequest();
        final String contextJson;
        try {
            contextJson = new ObjectMapper().writeValueAsString(context);
        } catch (JsonProcessingException e) {
            throw new CosClientException("encrypt request set encryption context got json processing exception", e);
        }
        request.setEncryptionContext(contextJson);
        request.setKeyId(materials.getCustomerMasterKeyId());
        request.setPlaintext(Base64.encodeAsString(iv));
        final String blob = kms.encrypt(request).getCiphertextBlob();
        return blob.getBytes(Charset.forName("UTF-8"));
    }
    // Envelope encryption: public key of the key pair when present, else the symmetric key
    final Key kek = materials.getKeyPair() != null
            ? materials.getKeyPair().getPublic()
            : materials.getSymmetricKey();
    final String wrapAlgo = kwScheme.getKeyWrapAlgorithm(kek);
    try {
        final Cipher wrapper = (p != null) ? Cipher.getInstance(wrapAlgo, p) : Cipher.getInstance(wrapAlgo);
        wrapper.init(Cipher.ENCRYPT_MODE, kek, srand);
        return wrapper.doFinal(iv);
    } catch (Exception e) {
        throw new CosClientException("Unable to encrypt IV", e);
    }
}

Example 53 with CosClientException

use of com.qcloud.cos.exception.CosClientException in project cos-java-sdk-v5 by tencentyun.

the class ContentCryptoMaterial method cekByKMS.

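/**
 * Decrypts the secured CEK via KMS; involves network calls.
 *
 * @param cekSecured the stored KMS ciphertext blob, as the bytes of the blob string
 * @param keyWrapAlgo the recorded key-wrap algorithm; not consulted on the KMS path
 * @param materials supplies the material description sent as KMS encryption context
 * @param contentCryptoScheme names the key algorithm of the returned key
 * @param kms the KMS client
 * @return the CEK (in plaintext).
 * @throws CosClientException if the encryption context cannot be serialised or KMS
 *         returns no usable plaintext
 */
private static SecretKey cekByKMS(byte[] cekSecured, String keyWrapAlgo, EncryptionMaterials materials, ContentCryptoScheme contentCryptoScheme, QCLOUDKMS kms) {
    DecryptRequest decryptReq = new DecryptRequest();
    Map<String, String> materialDesc = materials.getMaterialsDescription();
    try {
        ObjectMapper mapper = new ObjectMapper();
        decryptReq.setEncryptionContext(mapper.writeValueAsString(materialDesc));
    } catch (JsonProcessingException e) {
        throw new CosClientException("decrypt request set encryption context got json processing exception", e);
    }
    // Decode the blob with an explicit charset so the result does not depend on the
    // platform default; encryptIV stores its blob as UTF-8 bytes
    decryptReq.setCiphertextBlob(new String(cekSecured, Charset.forName("UTF-8")));
    DecryptResponse decryptRes = kms.decrypt(decryptReq);
    byte[] key = Base64.decode(decryptRes.getPlaintext());
    // SecretKeySpec rejects an empty key with a generic IllegalArgumentException;
    // surface the KMS failure as a client exception instead
    if (key == null || key.length == 0) {
        throw new CosClientException("KMS returned no plaintext for the content encrypting key");
    }
    return new SecretKeySpec(key, contentCryptoScheme.getKeyGeneratorAlgorithm());
}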

Example 54 with CosClientException

use of com.qcloud.cos.exception.CosClientException in project cos-java-sdk-v5 by tencentyun.

the class ContentCryptoMaterial method secureCEK.

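/**
 * Secure the given CEK. Note network calls are involved if the CEK is to be protected by KMS.
 *
 * <p>On the KMS path the CEK bytes are sent to KMS base64-encoded, mirroring how
 * {@code cekByKMS} base64-decodes the KMS plaintext on the way back.
 *
 * @param cek content encrypting key to be secured
 * @param materials used to provide the key-encryption-key (KEK); or if it is KMS-enabled, the
 *        customer master key id and material description.
 * @param kwScheme selects the key-wrap algorithm for the KEK
 * @param srand randomness source for cipher initialisation
 * @param p optional security provider; can be null if the default is used.
 * @param kms KMS client, used only when the materials are KMS-enabled
 * @param req the request whose material description is merged in for KMS
 * @return a secured CEK in the form of ciphertext or ciphertext blob.
 * @throws CosClientException if the encryption context cannot be serialised or
 *         wrapping the CEK fails
 */
private static SecuredCEK secureCEK(SecretKey cek, EncryptionMaterials materials, COSKeyWrapScheme kwScheme, SecureRandom srand, Provider p, QCLOUDKMS kms, CosServiceRequest req) {
    final Map<String, String> matdesc;
    if (materials.isKMSEnabled()) {
        matdesc = mergeMaterialDescriptions(materials, req);
        EncryptRequest encryptRequest = new EncryptRequest();
        try {
            ObjectMapper mapper = new ObjectMapper();
            encryptRequest.setEncryptionContext(mapper.writeValueAsString(matdesc));
        } catch (JsonProcessingException e) {
            throw new CosClientException("encrypt request set encryption context got json processing exception", e);
        }
        encryptRequest.setKeyId(materials.getCustomerMasterKeyId());
        // byte[].toString() yields an identity string ("[B@..."), not the key material;
        // send the base64 form so cekByKMS can recover the actual key bytes
        encryptRequest.setPlaintext(Base64.encodeAsString(cek.getEncoded()));
        EncryptResponse encryptResponse = kms.encrypt(encryptRequest);
        // Explicit charset, consistent with encryptIV
        byte[] keyBlob = encryptResponse.getCiphertextBlob().getBytes(Charset.forName("UTF-8"));
        return new KMSSecuredCEK(keyBlob, matdesc);
    } else {
        matdesc = materials.getMaterialsDescription();
    }
    Key kek;
    if (materials.getKeyPair() != null) {
        // Do envelope encryption with public key from key pair
        kek = materials.getKeyPair().getPublic();
    } else {
        // Do envelope encryption with symmetric key
        kek = materials.getSymmetricKey();
    }
    String keyWrapAlgo = kwScheme.getKeyWrapAlgorithm(kek);
    try {
        Cipher cipher = p == null ? Cipher.getInstance(keyWrapAlgo) : Cipher.getInstance(keyWrapAlgo, p);
        cipher.init(Cipher.WRAP_MODE, kek, srand);
        return new SecuredCEK(cipher.wrap(cek), keyWrapAlgo, matdesc);
    } catch (Exception e) {
        throw new CosClientException("Unable to encrypt symmetric key", e);
    }
}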

Example 55 with CosClientException

use of com.qcloud.cos.exception.CosClientException in project cos-java-sdk-v5 by tencentyun.

the class COSCryptoModuleBase method completeMultipartUploadSecurely.

/**
 * Completes an encrypted multipart upload and, when the crypto configuration stores
 * material in an instruction file, uploads that instruction file afterwards.
 *
 * @param req the completion request
 * @return the result of the underlying completion call
 * @throws CosClientException if an encrypted upload is completed before its last part
 *         has been identified
 */
@Override
public CompleteMultipartUploadResult completeMultipartUploadSecurely(CompleteMultipartUploadRequest req) {
    final String uploadId = req.getUploadId();
    final MultipartUploadCryptoContext ctx = multipartUploadContexts.get(uploadId);
    final boolean encrypted = ctx != null;
    if (encrypted && !ctx.hasFinalPartBeenSeen()) {
        throw new CosClientException("Unable to complete an encrypted multipart upload without being told which part was the last.  " + "Without knowing which part was the last, the encrypted data in COS is incomplete and corrupt.");
    }
    final CompleteMultipartUploadResult result = cos.completeMultipartUpload(req);
    // The instruction file is only written after the whole upload has completed
    // correctly, so a failed completion does not leave an instruction file behind.
    final boolean storeInstructionFile = encrypted && cryptoConfig.getStorageMode() == InstructionFile;
    if (storeInstructionFile) {
        final String bucket = ctx.getBucketName();
        final String key = ctx.getKey();
        cos.putObject(createInstructionPutRequest(bucket, key, ctx.getContentCryptoMaterial()));
    }
    multipartUploadContexts.remove(uploadId);
    return result;
}
