Working and V2 compatible encrypt.

Author: smswz

aws-java-sdk-s3/pom.xml

@@ -5,13 +5,13 @@
   <modelVersion>4.0.0</modelVersion>
 
   <groupId>software.amazon.encryption</groupId>
-  <artifactId>s3-client</artifactId>
+  <artifactId>s3</artifactId>
   <version>3.0-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>AWS S3 Encryption Client</name>
   <description>The AWS S3 Encryption Client provides client-side encryption for S3</description>
-  <url>https://github.com/aws/aws-s33c-java</url>
+  <url>https://github.com/aws/aws-s3-encryption-client-java</url>
 
   <licenses>
     <license>
@@ -51,7 +51,7 @@
       <dependency>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>bom</artifactId>
-        <version>2.17.154</version>
+        <version>2.17.204</version>
         <optional>true</optional>
         <type>pom</type>
         <scope>import</scope>
@@ -80,14 +80,14 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>s3</artifactId>
-      <version>2.17.154</version>
+      <version>2.17.204</version>
       <optional>true</optional>
     </dependency>
 
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>kms</artifactId>
-      <version>2.17.154</version>
+      <version>2.17.204</version>
       <optional>true</optional>
     </dependency>
   </dependencies>

pom.xml

@@ -0,0 +1,123 @@
+package software.amazon.encryption.s3;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidParameterSpecException;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.IvParameterSpec;
+import software.amazon.awssdk.awscore.exception.AwsServiceException;
+import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.core.sync.RequestBody;
+import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
+import software.amazon.awssdk.protocols.jsoncore.JsonWriter.JsonGenerationException;
+import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.awssdk.services.s3.model.PutObjectResponse;
+import software.amazon.awssdk.services.s3.model.S3Exception;
+import software.amazon.awssdk.utils.IoUtils;
+import software.amazon.encryption.s3.materials.DefaultMaterialsManager;
+import software.amazon.encryption.s3.materials.DefaultMaterialsManager.EncryptionMaterialsRequest;
+import software.amazon.encryption.s3.materials.EncryptedDataKey;
+import software.amazon.encryption.s3.materials.EncryptionMaterials;
+
+public class S3EncryptionClient implements S3Client {
+
+    private final S3Client _wrappedClient;
+    private final DefaultMaterialsManager _materialsManager;
+
+    public S3EncryptionClient(S3Client client, DefaultMaterialsManager materialsManager) {
+        _wrappedClient = client;
+        _materialsManager = materialsManager;
+    }
+
+    @Override
+    public PutObjectResponse putObject(PutObjectRequest putObjectRequest, RequestBody requestBody)
+            throws AwsServiceException, SdkClientException, S3Exception {
+
+        // Get content encryption key
+        EncryptionMaterials materials = _materialsManager.getEncryptionMaterials(new EncryptionMaterialsRequest());
+        SecretKey contentKey = materials.dataKey();
+        // Encrypt content
+        byte[] iv = new byte[12]; // default GCM IV length
+        new SecureRandom().nextBytes(iv);
+
+        final String contentEncryptionAlgorithm = "AES/GCM/NoPadding";
+        final Cipher cipher;
+        try {
+            cipher = Cipher.getInstance(contentEncryptionAlgorithm);
+            //GCMParameterSpec defaultSpec = cipher.getParameters().getParameterSpec(GCMParameterSpec.class);
+            cipher.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, iv));
+        } catch (NoSuchAlgorithmException
+                 | NoSuchPaddingException
+                 | InvalidAlgorithmParameterException
+                 | InvalidKeyException e) {
+            throw new RuntimeException(e);
+        }/* catch (InvalidParameterSpecException e) {
+            throw new RuntimeException(e);
+        }*/
+
+        byte[] ciphertext;
+        try {
+            byte[] input = IoUtils.toByteArray(requestBody.contentStreamProvider().newStream());
+            ciphertext = cipher.doFinal(input);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        } catch (IllegalBlockSizeException e) {
+            throw new RuntimeException(e);
+        } catch (BadPaddingException e) {
+            throw new RuntimeException(e);
+        }
+
+        // Save content metadata into request
+        Base64.Encoder encoder = Base64.getEncoder();
+        Map<String,String> metadata = new HashMap<>(putObjectRequest.metadata());
+        EncryptedDataKey edk = materials.encryptedDataKeys().get(0);
+        metadata.put("x-amz-key-v2", encoder.encodeToString(edk.ciphertext()));
+        metadata.put("x-amz-iv", encoder.encodeToString(iv));
+        metadata.put("x-amz-matdesc", /* TODO: JSON encoded */ "{}");
+        metadata.put("x-amz-cek-alg", contentEncryptionAlgorithm);
+        metadata.put("x-amz-tag-len", /* TODO: take from algo suite */ "128");
+        metadata.put("x-amz-wrap-alg", edk.keyProviderId());
+
+        try (JsonWriter jsonWriter = JsonWriter.create()) {
+            jsonWriter.writeStartObject();
+            for (Entry<String,String> entry : materials.encryptionContext().entrySet()) {
+                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
+            }
+            jsonWriter.writeEndObject();
+
+            String jsonEncryptionContext = new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
+            metadata.put("x-amz-matdesc", jsonEncryptionContext);
+        } catch (JsonGenerationException e) {
+            throw new RuntimeException(e);
+        }
+
+        putObjectRequest = putObjectRequest.toBuilder().metadata(metadata).build();
+
+        return _wrappedClient.putObject(putObjectRequest, RequestBody.fromBytes(ciphertext));
+    }
+
+    @Override
+    public String serviceName() {
+        return _wrappedClient.serviceName();
+    }
+
+    @Override
+    public void close() {
+        _wrappedClient.close();
+    }
+}

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java

@@ -0,0 +1,2 @@
+package software.amazon.encryption.s3;public class TracerBullet {
+}

src/main/java/software/amazon/encryption/s3/TracerBullet.java

@@ -0,0 +1,7 @@
+package software.amazon.encryption.s3.algorithms;
+
+
+public enum AlgorithmSuite {
+    // TODO: fill in these values
+    // ALG_AES_256_GCM_IV12_TAG16_NO_KDF(12, 16, Constants.GCM_MAX_CONTENT_LEN, "AES", 32, 0x0078, "AES", 32),
+}

src/main/java/software/amazon/encryption/s3/algorithms/AlgorithmSuite.java

@@ -0,0 +1,6 @@
+package software.amazon.encryption.s3.algorithms;
+
+class Constants {
+    /** Maximum length of the content that can be encrypted in GCM mode. */
+    public static final long GCM_MAX_CONTENT_LEN = (1L << 36) - 32;
+}

src/main/java/software/amazon/encryption/s3/algorithms/Constants.java

@@ -0,0 +1,72 @@
+package software.amazon.encryption.s3.materials;
+
+import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.List;
+import javax.crypto.Cipher;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+
+public class AESKeyring implements Keyring {
+
+    private static final String KEY_PROVIDER_ID = "AES/GCM";
+    private static final String CIPHER_ALGORITHM = "AES/GCM/NoPadding";
+    private static final int IV_LENGTH_IN_BYTES = 12;
+    private static final int TAG_LENGTH_IN_BYTES = 16;
+    private static final int TAG_LENGTH_IN_BITS = TAG_LENGTH_IN_BYTES * 8;
+    private final SecretKey _wrappingKey;
+
+    public AESKeyring(SecretKey wrappingKey) {
+        if (!wrappingKey.getAlgorithm().equals("AES")) {
+            // TODO: throw?
+        }
+
+        _wrappingKey = wrappingKey;
+    }
+
+    @Override
+    public EncryptionMaterials OnEncrypt(EncryptionMaterials materials) {
+        // TODO: handle a null plaintext data key
+
+        try {
+            SecureRandom secureRandom = new SecureRandom();
+
+            byte[] iv = new byte[IV_LENGTH_IN_BYTES];
+            secureRandom.nextBytes(iv);
+            GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, iv);
+
+            final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
+            // TODO: should/can this be Cipher.WRAP_MODE?
+            cipher.init(Cipher.ENCRYPT_MODE, _wrappingKey, gcmParameterSpec, secureRandom);
+
+            // this is the CONTENT encryption, not the wrapping encryption
+            // TODO: get this from encryption context or preferably algorithm suite
+            cipher.updateAAD("AES/GCM/NoPadding".getBytes(StandardCharsets.UTF_8));
+
+            // The encrypted data key is the IV prepended to the ciphertext
+            iv = cipher.getIV();
+            byte[] ciphertext = cipher.doFinal(materials.plaintextDataKey());
+
+            byte[] encodedBytes = new byte[iv.length + ciphertext.length];
+            System.arraycopy(iv, 0, encodedBytes, 0, iv.length);
+            System.arraycopy(ciphertext, 0, encodedBytes, iv.length, ciphertext.length);
+
+            EncryptedDataKey encryptedDataKey = EncryptedDataKey.builder()
+                    .keyProviderId(KEY_PROVIDER_ID)
+                    .ciphertext(encodedBytes)
+                    .build();
+
+            List<EncryptedDataKey> encryptedDataKeys = new ArrayList<>(materials.encryptedDataKeys());
+            encryptedDataKeys.add(encryptedDataKey);
+
+            return materials.toBuilder()
+                    .encryptedDataKeys(encryptedDataKeys)
+                    .build();
+        } catch (Exception e) {
+            throw new UnsupportedOperationException("Unable to AES/GCM/NoPadding wrap", e);
+        }
+    }
+}