Create new materials manager for legacy keyrings.

smswz · smswz · commit 27188ab5f166 · 2022-06-30T15:24:35.000-05:00
diff --git a/README.md b/README.md
@@ -24,7 +24,9 @@ class Example {
                 .wrappingKeyId(KMS_WRAPPING_KEY_ID)
                 .build();
 
-        MaterialsManager materialsManager = new DefaultMaterialsManager(keyring);
+        MaterialsManager materialsManager = DefaultMaterialsManager.builder()
+                .keyring(keyring)
+                .build();
         S3Client v3Client = S3EncryptionClient.builder()
                 .materialsManager(materialsManager)
                 .build();
@@ -51,7 +53,9 @@ class Example {
                 .wrappingKey(aesKey)
                 .build();
 
-        MaterialsManager materialsManager = new DefaultMaterialsManager(keyring);
+        MaterialsManager materialsManager = DefaultMaterialsManager.builder()
+                .keyring(keyring)
+                .build();
         S3Client v3Client = S3EncryptionClient.builder()
                 .materialsManager(materialsManager)
                 .build();
@@ -78,7 +82,9 @@ class Example {
                 .wrappingKeyPair(rsaKey)
                 .build();
 
-        MaterialsManager materialsManager = new DefaultMaterialsManager(keyring);
+        MaterialsManager materialsManager = DefaultMaterialsManager.builder()
+                .keyring(keyring)
+                .build();
         S3Client v3Client = S3EncryptionClient.builder()
                 .materialsManager(materialsManager)
                 .build();
@@ -102,18 +108,19 @@ class Example {
                 .build();
 
         // V3
-        // Create the non-legacy keyring first
         Keyring keyring = AesGcmKeyring.builder()
                 .wrappingKey(aesKey)
                 .build();
         
-        // Create the legacy keyring, passing in the non-legacy keyring
-        keyring = AesWrapKeyring.builder()
+        Keyring legacyKeyring = AesWrapKeyring.builder()
                 .wrappingKey(aesKey)
                 .nonLegacyKeyring(keyring)
                 .build();
 
-        MaterialsManager materialsManager = new DefaultMaterialsManager(keyring);
+        MaterialsManager materialsManager = LegacyDecryptMaterialsManager.builder()
+                .keyring(keyring)
+                .legacyKeyring(legacyKeyring)
+                .build();
         S3Client v3Client = S3EncryptionClient.builder()
                 .materialsManager(materialsManager)
                 .build();
diff --git a/src/main/java/software/amazon/encryption/s3/legacy/materials/AesWrapKeyring.java b/src/main/java/software/amazon/encryption/s3/legacy/materials/AesWrapKeyring.java
@@ -21,11 +21,9 @@ public class AesWrapKeyring implements Keyring {
     private static final String CIPHER_ALGORITHM = "AESWrap";
 
     private final SecretKey _wrappingKey;
-    private final Keyring _nonLegacyKeyring;
 
     private AesWrapKeyring(Builder builder) {
         _wrappingKey = builder._wrappingKey;
-        _nonLegacyKeyring = builder._nonLegacyKeyring;
     }
 
     public static Builder builder() {
@@ -34,15 +32,13 @@ public static Builder builder() {
 
     @Override
     public EncryptionMaterials onEncrypt(EncryptionMaterials materials) {
-        return _nonLegacyKeyring.onEncrypt(materials);
+        throw new S3EncryptionClientException("Encrypt not supported for " + KEY_PROVIDER_ID);
     }
 
     @Override
     public DecryptionMaterials onDecrypt(DecryptionMaterials materials, List<EncryptedDataKey> encryptedDataKeys) {
-        materials = _nonLegacyKeyring.onDecrypt(materials, encryptedDataKeys);
-
         if (materials.plaintextDataKey() != null) {
-            return materials;
+            throw new S3EncryptionClientException("Decryption materials already contains a plaintext data key.");
         }
 
         for (EncryptedDataKey encryptedDataKey : encryptedDataKeys) {
@@ -67,7 +63,6 @@ public DecryptionMaterials onDecrypt(DecryptionMaterials materials, List<Encrypt
 
     public static class Builder {
         private SecretKey _wrappingKey;
-        private Keyring _nonLegacyKeyring;
 
         private Builder() {}
 
@@ -79,15 +74,7 @@ public Builder wrappingKey(SecretKey wrappingKey) {
             return this;
         }
 
-        public Builder nonLegacyKeyring(Keyring nonLegacyKeyring) {
-            _nonLegacyKeyring = nonLegacyKeyring;
-            return this;
-        }
-
         public AesWrapKeyring build() {
-            if (_nonLegacyKeyring == null) {
-                // TODO: should we warn or throw an exception if no encryption method is supported?
-            }
             return new AesWrapKeyring(this);
         }
     }
diff --git a/src/main/java/software/amazon/encryption/s3/legacy/materials/LegacyDecryptMaterialsManager.java b/src/main/java/software/amazon/encryption/s3/legacy/materials/LegacyDecryptMaterialsManager.java
@@ -0,0 +1,73 @@
+package software.amazon.encryption.s3.legacy.materials;
+
+import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
+import software.amazon.encryption.s3.materials.DecryptMaterialsRequest;
+import software.amazon.encryption.s3.materials.DecryptionMaterials;
+import software.amazon.encryption.s3.materials.EncryptionMaterials;
+import software.amazon.encryption.s3.materials.EncryptionMaterialsRequest;
+import software.amazon.encryption.s3.materials.Keyring;
+import software.amazon.encryption.s3.materials.MaterialsManager;
+
+/**
+ * This class supports legacy decrypt as well as non-legacy encrypt and decrypt.
+ */
+public class LegacyDecryptMaterialsManager implements MaterialsManager {
+    private final Keyring _keyring;
+    private Keyring _legacyKeyring;
+
+    private LegacyDecryptMaterialsManager(Builder builder) {
+        _keyring = builder._keyring;
+        _legacyKeyring = builder._legacyKeyring;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public EncryptionMaterials getEncryptionMaterials(EncryptionMaterialsRequest request) {
+        EncryptionMaterials materials = EncryptionMaterials.builder()
+                .algorithmSuite(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
+                .encryptionContext(request.encryptionContext())
+                .build();
+
+        return _keyring.onEncrypt(materials);
+    }
+
+    public DecryptionMaterials decryptMaterials(DecryptMaterialsRequest request) {
+        DecryptionMaterials materials = DecryptionMaterials.builder()
+                .algorithmSuite(request.algorithmSuite())
+                .encryptionContext(request.encryptionContext())
+                .build();
+
+        materials = _legacyKeyring.onDecrypt(materials, request.encryptedDataKeys());
+        if (materials.plaintextDataKey() != null) {
+            // Have a legacy-encrypted data key
+            // TODO: warn here?
+            return materials;
+        }
+
+        return _keyring.onDecrypt(materials, request.encryptedDataKeys());
+    }
+
+    public static class Builder {
+        private Keyring _keyring;
+        private Keyring _legacyKeyring;
+
+        private Builder() {}
+
+        public Builder keyring(Keyring keyring) {
+            this._keyring = keyring;
+            return this;
+        }
+
+        public Builder legacyKeyring(Keyring legacyKeyring) {
+            this._legacyKeyring = legacyKeyring;
+            return this;
+        }
+
+        public LegacyDecryptMaterialsManager build() {
+            // TODO: warn if both keyrings are not set
+            return new LegacyDecryptMaterialsManager(this);
+        }
+    }
+}
diff --git a/src/main/java/software/amazon/encryption/s3/materials/DefaultMaterialsManager.java b/src/main/java/software/amazon/encryption/s3/materials/DefaultMaterialsManager.java
@@ -6,8 +6,12 @@ public class DefaultMaterialsManager implements MaterialsManager {
     private final Keyring _keyring;
 
 
-    public DefaultMaterialsManager(Keyring keyring) {
-        _keyring = keyring;
+    private DefaultMaterialsManager(Builder builder) {
+        _keyring = builder._keyring;
+    }
+
+    public static Builder builder() {
+        return new Builder();
     }
 
     public EncryptionMaterials getEncryptionMaterials(EncryptionMaterialsRequest request) {
@@ -28,4 +32,18 @@ public DecryptionMaterials decryptMaterials(DecryptMaterialsRequest request) {
         return _keyring.onDecrypt(materials, request.encryptedDataKeys());
     }
 
+    public static class Builder {
+        private Keyring _keyring;
+
+        private Builder() {}
+
+        public Builder keyring(Keyring keyring) {
+            this._keyring = keyring;
+            return this;
+        }
+
+        public DefaultMaterialsManager build() {
+            return new DefaultMaterialsManager(this);
+        }
+    }
 }
