Adds PartialKeyPair for supporting encrypt/decrypt only behavior, implements PartialRsaKeyPair for use in RsaKeyring

J Plasmeier · J Plasmeier · commit 37a8479a8eab · 2022-09-06T15:18:24.000-07:00
diff --git a/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java b/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
@@ -1,6 +1,6 @@
 package software.amazon.encryption.s3;
 
-import java.security.KeyPair;
+import java.security.*;
 import java.util.Map;
 import java.util.function.Consumer;
 import javax.crypto.SecretKey;
@@ -17,12 +17,7 @@
 import software.amazon.awssdk.services.s3.model.PutObjectResponse;
 import software.amazon.encryption.s3.internal.GetEncryptedObjectPipeline;
 import software.amazon.encryption.s3.internal.PutEncryptedObjectPipeline;
-import software.amazon.encryption.s3.materials.AesKeyring;
-import software.amazon.encryption.s3.materials.CryptographicMaterialsManager;
-import software.amazon.encryption.s3.materials.DefaultCryptoMaterialsManager;
-import software.amazon.encryption.s3.materials.Keyring;
-import software.amazon.encryption.s3.materials.KmsKeyring;
-import software.amazon.encryption.s3.materials.RsaKeyring;
+import software.amazon.encryption.s3.materials.*;
 
 /**
  * This client is a drop-in replacement for the S3 client. It will automatically encrypt objects
@@ -94,7 +89,7 @@ public static class Builder {
         private CryptographicMaterialsManager _cryptoMaterialsManager;
         private Keyring _keyring;
         private SecretKey _aesKey;
-        private KeyPair _rsaKeyPair;
+        private PartialRsaKeyPair _rsaKeyPair;
         private String _kmsKeyId;
         private boolean _enableLegacyModes = false;
 
@@ -127,7 +122,14 @@ public Builder aesKey(SecretKey aesKey) {
         }
 
         public Builder rsaKeyPair(KeyPair rsaKeyPair) {
-            this._rsaKeyPair = rsaKeyPair;
+            this._rsaKeyPair = new PartialRsaKeyPair(rsaKeyPair);
+            checkKeyOptions();
+
+            return this;
+        }
+
+        public Builder rsaKeyPair(PartialRsaKeyPair partialRsaKeyPair) {
+            this._rsaKeyPair = partialRsaKeyPair;
             checkKeyOptions();
 
             return this;
diff --git a/src/main/java/software/amazon/encryption/s3/materials/PartialKeyPair.java b/src/main/java/software/amazon/encryption/s3/materials/PartialKeyPair.java
@@ -0,0 +1,16 @@
+package software.amazon.encryption.s3.materials;
+
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+/**
+ * This interface allows use of key pairs where only one of the public or private keys
+ * has been provided. This allows consumers to be able to e.g. provide only the
+ * public portion of a key pair in the part of their application which puts encrypted
+ * objects into S3 to avoid distributing the private key.
+ */
+public interface PartialKeyPair {
+    PublicKey getPublicKey();
+
+    PrivateKey getPrivateKey();
+}
diff --git a/src/main/java/software/amazon/encryption/s3/materials/PartialRsaKeyPair.java b/src/main/java/software/amazon/encryption/s3/materials/PartialRsaKeyPair.java
@@ -0,0 +1,99 @@
+package software.amazon.encryption.s3.materials;
+
+import software.amazon.encryption.s3.S3EncryptionClientException;
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.Objects;
+
+public class PartialRsaKeyPair implements PartialKeyPair {
+    private final PrivateKey _privateKey;
+    private final PublicKey _publicKey;
+
+    private static final String RSA_KEY_ALGORITHM = "RSA";
+
+    public PartialRsaKeyPair(final KeyPair keyPair) {
+        _privateKey = keyPair.getPrivate();
+        _publicKey = keyPair.getPublic();
+
+        validateKeyPair();
+    }
+
+    public PartialRsaKeyPair(final PrivateKey privateKey, final PublicKey publicKey) {
+        _privateKey = privateKey;
+        _publicKey = publicKey;
+
+        validateKeyPair();
+    }
+
+    private void validateKeyPair() {
+        if (_privateKey == null && _publicKey == null) {
+            throw new S3EncryptionClientException("The public key and private cannot both be null. You must provide a " +
+                    "public key, or a private key, or both.");
+        }
+
+        if (_privateKey != null && !_privateKey.getAlgorithm().equals(RSA_KEY_ALGORITHM)) {
+            throw new S3EncryptionClientException("%s is not a supported algorithm. Only RSA keys are supported. Please reconfigure your client with an RSA key.");
+        }
+
+        if (_publicKey != null && !_publicKey.getAlgorithm().equals(RSA_KEY_ALGORITHM)) {
+            throw new S3EncryptionClientException("%s is not a supported algorithm. Only RSA keys are supported. Please reconfigure your client with an RSA key.");
+        }
+    }
+
+    @Override
+    public PublicKey getPublicKey() {
+        if (_publicKey == null) {
+            throw new S3EncryptionClientException("No public key provided. You must configure a public key to be able to" +
+                    " encrypt data.");
+        }
+        return _publicKey;
+    }
+
+    @Override
+    public PrivateKey getPrivateKey() {
+        if (_privateKey == null) {
+            throw new S3EncryptionClientException("No private key provided. You must configure a private key to be able to" +
+                    " decrypt data.");
+        }
+        return _privateKey;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        PartialRsaKeyPair that = (PartialRsaKeyPair) o;
+        return Objects.equals(_privateKey, that._privateKey) && Objects.equals(_publicKey, that._publicKey);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(_privateKey, _publicKey);
+    }
+
+    public static class Builder {
+        private PublicKey _publicKey;
+        private PrivateKey _privateKey;
+
+        private Builder() {}
+
+        public Builder publicKey(final PublicKey publicKey) {
+            _publicKey = publicKey;
+            return this;
+        }
+
+        public Builder privateKey(final PrivateKey privateKey) {
+            _privateKey = privateKey;
+            return this;
+        }
+
+        public PartialRsaKeyPair build() {
+            return new PartialRsaKeyPair(_privateKey, _publicKey);
+        }
+    }
+}
diff --git a/src/main/java/software/amazon/encryption/s3/materials/RsaKeyring.java b/src/main/java/software/amazon/encryption/s3/materials/RsaKeyring.java
@@ -1,10 +1,7 @@
 package software.amazon.encryption.s3.materials;
 
 import java.nio.charset.StandardCharsets;
-import java.security.GeneralSecurityException;
-import java.security.Key;
-import java.security.KeyPair;
-import java.security.SecureRandom;
+import java.security.*;
 import java.security.spec.MGF1ParameterSpec;
 import java.util.Arrays;
 import java.util.HashMap;
@@ -23,7 +20,7 @@ public class RsaKeyring extends S3Keyring {
 
     private static final String KEY_ALGORITHM = "RSA";
 
-    private final KeyPair _wrappingKeyPair;
+    private final PartialRsaKeyPair _partialRsaKeyPair;
 
     private final DecryptDataKeyStrategy _rsaEcbStrategy = new DecryptDataKeyStrategy() {
         private static final String KEY_PROVIDER_INFO = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
@@ -42,7 +39,7 @@ public String keyProviderInfo() {
         @Override
         public byte[] decryptDataKey(DecryptionMaterials materials, byte[] encryptedDataKey) throws GeneralSecurityException {
             final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
-            cipher.init(Cipher.UNWRAP_MODE, _wrappingKeyPair.getPrivate());
+            cipher.init(Cipher.UNWRAP_MODE, _partialRsaKeyPair.getPrivateKey());
 
             Key plaintextKey = cipher.unwrap(encryptedDataKey, CIPHER_ALGORITHM, Cipher.SECRET_KEY);
 
@@ -76,7 +73,7 @@ public String keyProviderInfo() {
         public byte[] encryptDataKey(SecureRandom secureRandom,
                 EncryptionMaterials materials) throws GeneralSecurityException {
             final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
-            cipher.init(Cipher.WRAP_MODE, _wrappingKeyPair.getPublic(), OAEP_PARAMETER_SPEC, secureRandom);
+            cipher.init(Cipher.WRAP_MODE, _partialRsaKeyPair.getPublicKey(), OAEP_PARAMETER_SPEC, secureRandom);
 
             // Create a pseudo-data key with the content encryption appended to the data key
             byte[] dataKey = materials.plaintextDataKey();
@@ -95,7 +92,7 @@ public byte[] encryptDataKey(SecureRandom secureRandom,
         @Override
         public byte[] decryptDataKey(DecryptionMaterials materials, byte[] encryptedDataKey) throws GeneralSecurityException {
             final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
-            cipher.init(Cipher.UNWRAP_MODE, _wrappingKeyPair.getPrivate(), OAEP_PARAMETER_SPEC);
+            cipher.init(Cipher.UNWRAP_MODE, _partialRsaKeyPair.getPrivateKey(), OAEP_PARAMETER_SPEC);
 
             String dataKeyAlgorithm = materials.algorithmSuite().dataKeyAlgorithm();
             Key pseudoDataKey = cipher.unwrap(encryptedDataKey, dataKeyAlgorithm, Cipher.SECRET_KEY);
@@ -133,7 +130,7 @@ private byte[] parsePseudoDataKey(DecryptionMaterials materials, byte[] pseudoDa
     private RsaKeyring(Builder builder) {
         super(builder);
 
-        _wrappingKeyPair = builder._wrappingKeyPair;
+        _partialRsaKeyPair = builder._partialRsaKeyPair;
 
         decryptStrategies.put(_rsaEcbStrategy.keyProviderInfo(), _rsaEcbStrategy);
         decryptStrategies.put(_rsaOaepStrategy.keyProviderInfo(), _rsaOaepStrategy);
@@ -143,7 +140,6 @@ public static Builder builder() {
         return new Builder();
     }
 
-
     @Override
     protected EncryptDataKeyStrategy encryptStrategy() {
         return _rsaOaepStrategy;
@@ -155,7 +151,7 @@ protected Map<String, DecryptDataKeyStrategy> decryptStrategies() {
     }
 
     public static class Builder extends S3Keyring.Builder<S3Keyring, Builder> {
-        private KeyPair _wrappingKeyPair;
+        private PartialRsaKeyPair _partialRsaKeyPair;
 
         private Builder() {
             super();
@@ -166,11 +162,8 @@ protected Builder builder() {
             return this;
         }
 
-        public Builder wrappingKeyPair(KeyPair wrappingKeyPair) {
-            if (!wrappingKeyPair.getPublic().getAlgorithm().equals(KEY_ALGORITHM)) {
-                throw new S3EncryptionClientException("Invalid algorithm '" + wrappingKeyPair.getPublic().getAlgorithm() + "', expecting " + KEY_ALGORITHM);
-            }
-            _wrappingKeyPair = wrappingKeyPair;
+        public Builder wrappingKeyPair(final PartialRsaKeyPair partialRsaKeyPair) {
+            _partialRsaKeyPair = partialRsaKeyPair;
             return builder();
         }
 
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientRsaKeyPairTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientRsaKeyPairTest.java
@@ -0,0 +1,100 @@
+package software.amazon.encryption.s3;
+
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import software.amazon.awssdk.core.ResponseBytes;
+import software.amazon.awssdk.core.sync.RequestBody;
+import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.model.GetObjectResponse;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.encryption.s3.materials.PartialRsaKeyPair;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class S3EncryptionClientRsaKeyPairTest {
+    private static final String BUCKET = System.getenv("AWS_S3EC_TEST_BUCKET");
+
+    private static KeyPair RSA_KEY_PAIR;
+
+    @BeforeAll
+    public static void setUp() throws NoSuchAlgorithmException {
+        KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
+        keyPairGen.initialize(2048);
+        RSA_KEY_PAIR = keyPairGen.generateKeyPair();
+    }
+
+    @Test
+    public void RsaPublicAndPrivateKeys() {
+        final String BUCKET_KEY = "rsa-public-and-private";
+
+        // V3 Client
+        S3Client v3Client = S3EncryptionClient.builder()
+                .rsaKeyPair(RSA_KEY_PAIR)
+                .build();
+
+        // Asserts
+        final String input = "RsaOaepV3toV3";
+        v3Client.putObject(PutObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(BUCKET_KEY)
+                .build(), RequestBody.fromString(input));
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3Client.getObjectAsBytes(builder -> builder
+                .bucket(BUCKET)
+                .key(BUCKET_KEY));
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+    }
+
+    @Test
+    public void RsaPrivateKeyCanOnlyDecrypt() {
+        S3Client v3Client = S3EncryptionClient.builder()
+                .rsaKeyPair(RSA_KEY_PAIR)
+                .build();
+
+        S3Client v3ClientReadOnly = S3EncryptionClient.builder()
+                .rsaKeyPair(new PartialRsaKeyPair(RSA_KEY_PAIR.getPrivate(), null))
+                .build();
+
+        final String input = "RsaOaepV3toV3";
+        v3Client.putObject(PutObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(input)
+                .build(), RequestBody.fromString(input));
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3ClientReadOnly.getObjectAsBytes(builder -> builder
+                .bucket(BUCKET)
+                .key(input));
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+
+        assertThrows(S3EncryptionClientException.class, () -> v3ClientReadOnly.putObject(PutObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(input)
+                .build(), RequestBody.fromString(input)));
+    }
+
+    @Test
+    public void RsaPublicKeyCanOnlyEncrypt() {
+        final String BUCKET_KEY = "rsa-public-key-only";
+        S3Client v3Client = S3EncryptionClient.builder()
+                .rsaKeyPair(new PartialRsaKeyPair(null, RSA_KEY_PAIR.getPublic()))
+                .build();
+
+        v3Client.putObject(PutObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(BUCKET_KEY)
+                .build(), RequestBody.fromString(BUCKET_KEY));
+
+        assertThrows(S3EncryptionClientException.class, () -> v3Client.getObjectAsBytes(builder -> builder
+                .bucket(BUCKET)
+                .key(BUCKET_KEY)));
+    }
+
+
+}
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java
@@ -5,6 +5,7 @@
 import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
diff --git a/src/test/java/software/amazon/encryption/s3/materials/PartialRsaKeyPairTest.java b/src/test/java/software/amazon/encryption/s3/materials/PartialRsaKeyPairTest.java
