Implemented enforceRotation method and it is invoked in the reEncryptInstructionFile method

Anirav Kareddy · Anirav Kareddy · commit 142413dd0253 · 2025-07-09T20:28:50.000-07:00
diff --git a/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java b/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
@@ -259,6 +259,10 @@ public ReEncryptInstructionFileResponse reEncryptInstructionFile(ReEncryptInstru
             throw new S3EncryptionClientException("New keyring must have new materials description!");
         }
 
+        if (reEncryptInstructionFileRequest.enforceRotation()) {
+            enforceRotation(encryptedMaterials, request);
+        }
+
         ContentMetadataEncodingStrategy encodeStrategy = new ContentMetadataEncodingStrategy(_instructionFileConfig);
 
         if (reEncryptInstructionFileRequest.instructionFileSuffix().equals(INSTRUCTION_FILE_SUFFIX)) {
@@ -277,6 +281,21 @@ public ReEncryptInstructionFileResponse reEncryptInstructionFile(ReEncryptInstru
 
     }
 
+    private void enforceRotation(EncryptionMaterials newEncryptionMaterials, GetObjectRequest request) {
+        try {
+            DecryptionMaterials decryptedMaterials = this._cryptoMaterialsManager.decryptMaterials(
+              DecryptMaterialsRequest.builder()
+                .algorithmSuite(newEncryptionMaterials.algorithmSuite())
+                .encryptedDataKeys(Collections.singletonList(newEncryptionMaterials.encryptedDataKeys()).get(0))
+                .s3Request(request)
+                .build()
+            );
+        } catch (S3EncryptionClientException e) {
+            return;
+        }
+        throw new S3EncryptionClientException("Key rotation is not enforced! Old keyring is still able to decrypt the new encrypted data key");
+    }
+
     /**
      * See {@link S3EncryptionClient#putObject(PutObjectRequest, RequestBody)}.
      * <p>
