Basic decrypt working

Author: smswz

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java

@@ -1,5 +1,6 @@
 package software.amazon.encryption.s3;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
@@ -9,7 +10,9 @@
 import java.security.SecureRandom;
 import java.security.spec.InvalidParameterSpecException;
 import java.util.Base64;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 import javax.crypto.BadPaddingException;
@@ -19,17 +22,29 @@
 import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
 import software.amazon.awssdk.awscore.exception.AwsServiceException;
+import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.sync.RequestBody;
+import software.amazon.awssdk.core.sync.ResponseTransformer;
+import software.amazon.awssdk.http.AbortableInputStream;
+import software.amazon.awssdk.protocols.jsoncore.JsonNode;
+import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
 import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
 import software.amazon.awssdk.protocols.jsoncore.JsonWriter.JsonGenerationException;
 import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.model.GetObjectRequest;
+import software.amazon.awssdk.services.s3.model.GetObjectResponse;
+import software.amazon.awssdk.services.s3.model.InvalidObjectStateException;
+import software.amazon.awssdk.services.s3.model.NoSuchKeyException;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectResponse;
 import software.amazon.awssdk.services.s3.model.S3Exception;
 import software.amazon.awssdk.utils.IoUtils;
+import software.amazon.encryption.s3.materials.DecryptionMaterials;
 import software.amazon.encryption.s3.materials.DefaultMaterialsManager;
+import software.amazon.encryption.s3.materials.DefaultMaterialsManager.DecryptionMaterialsRequest;
 import software.amazon.encryption.s3.materials.DefaultMaterialsManager.EncryptionMaterialsRequest;
 import software.amazon.encryption.s3.materials.EncryptedDataKey;
 import software.amazon.encryption.s3.materials.EncryptionMaterials;
@@ -111,6 +126,88 @@ public PutObjectResponse putObject(PutObjectRequest putObjectRequest, RequestBod
         return _wrappedClient.putObject(putObjectRequest, RequestBody.fromBytes(ciphertext));
     }
 
+    @Override
+    public <T> T getObject(GetObjectRequest getObjectRequest, ResponseTransformer<GetObjectResponse, T> responseTransformer)
+            throws NoSuchKeyException, InvalidObjectStateException, AwsServiceException, SdkClientException, S3Exception {
+        ResponseInputStream<GetObjectResponse> objectStream =  _wrappedClient.getObject(getObjectRequest);
+        byte[] output;
+        try {
+            output = IoUtils.toByteArray(objectStream);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+
+        GetObjectResponse response = objectStream.response();
+        Map<String, String> metadata = response.metadata();
+
+        // Build encrypted data key
+        Base64.Decoder decoder = Base64.getDecoder();
+        byte[] edkCiphertext = decoder.decode(metadata.get("x-amz-key-v2"));
+        String keyProviderId = metadata.get("x-amz-wrap-alg");
+        EncryptedDataKey edk = EncryptedDataKey.builder()
+                .ciphertext(edkCiphertext)
+                .keyProviderId(keyProviderId)
+                .build();
+        List<EncryptedDataKey> encryptedDataKeys = Collections.singletonList(edk);
+
+        // Get encryption context
+        final Map<String, String> encryptionContext = new HashMap<>();
+        final String jsonEncryptionContext = metadata.get("x-amz-matdesc");
+        try {
+            JsonNodeParser parser = JsonNodeParser.create();
+            JsonNode objectNode = parser.parse(jsonEncryptionContext);
+
+            for (Map.Entry<String, JsonNode> entry : objectNode.asObject().entrySet()) {
+                encryptionContext.put(entry.getKey(), entry.getValue().asString());
+            }
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+        // Get decryption materials
+        final String contentEncryptionAlgorithm = metadata.get("x-amz-cek-alg");
+        int algorithmSuiteId = 0;
+        if (contentEncryptionAlgorithm.equals("AES/GCM/NoPadding")) {
+            algorithmSuiteId = 0x0078;
+        }
+
+        DecryptionMaterialsRequest request = new DecryptionMaterialsRequest();
+        request.encryptionContext = encryptionContext;
+        request.algorithmSuiteId = algorithmSuiteId;
+        request.encryptedDataKeys = encryptedDataKeys;
+        DecryptionMaterials materials = _materialsManager.getDecryptionMaterials(request);
+
+        // Get content encryption information
+        SecretKey contentKey = new SecretKeySpec(materials.plaintextDataKey(), "AES");
+        final int tagLength = Integer.parseInt(metadata.get("x-amz-tag-len"));
+        byte[] iv = decoder.decode(metadata.get("x-amz-iv"));
+        final Cipher cipher;
+        byte[] plaintext;
+        try {
+            cipher = Cipher.getInstance(contentEncryptionAlgorithm);
+            cipher.init(Cipher.DECRYPT_MODE, contentKey, new GCMParameterSpec(tagLength, iv));
+            plaintext = cipher.doFinal(output);
+        } catch (NoSuchAlgorithmException
+                 | NoSuchPaddingException
+                 | InvalidAlgorithmParameterException
+                 | InvalidKeyException e) {
+            throw new RuntimeException(e);
+        } catch (IllegalBlockSizeException e) {
+            throw new RuntimeException(e);
+        } catch (BadPaddingException e) {
+            throw new RuntimeException(e);
+        }
+
+        try {
+            return responseTransformer.transform(response,
+                    AbortableInputStream.create(new ByteArrayInputStream(plaintext)));
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+//        return _wrappedClient.getObject(getObjectRequest, responseTransformer);
+    }
+
     @Override
     public String serviceName() {
         return _wrappedClient.serviceName();

src/main/java/software/amazon/encryption/s3/materials/AESKeyring.java

@@ -28,7 +28,7 @@ public AESKeyring(SecretKey wrappingKey) {
     }
 
     @Override
-    public EncryptionMaterials OnEncrypt(EncryptionMaterials materials) {
+    public EncryptionMaterials onEncrypt(EncryptionMaterials materials) {
         // TODO: handle a null plaintext data key
 
         try {
@@ -39,7 +39,6 @@ public EncryptionMaterials OnEncrypt(EncryptionMaterials materials) {
             GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, iv);
 
             final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
-            // TODO: should/can this be Cipher.WRAP_MODE?
             cipher.init(Cipher.ENCRYPT_MODE, _wrappingKey, gcmParameterSpec, secureRandom);
 
             // this is the CONTENT encryption, not the wrapping encryption
@@ -69,4 +68,59 @@ public EncryptionMaterials OnEncrypt(EncryptionMaterials materials) {
             throw new UnsupportedOperationException("Unable to AES/GCM/NoPadding wrap", e);
         }
     }
+
+    @Override
+    public DecryptionMaterials onDecrypt(final DecryptionMaterials materials, List<EncryptedDataKey> encryptedDataKeys) {
+        /*
+        ByteBuffer encryptedCekBuff = ByteBuffer.wrap(encryptedCek);
+        // Split the IV from the front of the ciphertext
+        byte[] iv = new byte[IV_LENGTH_IN_BYTES];
+        byte[] taggedCek = new byte[encryptedCek.length - IV_LENGTH_IN_BYTES];
+        encryptedCekBuff.get(iv);
+        encryptedCekBuff.get(taggedCek);
+
+        Cipher cipher = this.cipherProvider.createCipher();
+        GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, iv);
+        try {
+            cipher.init(Cipher.DECRYPT_MODE, key, gcmParameterSpec);
+            cipher.updateAAD(this.cekAlgorithm.getBytes(StandardCharsets.UTF_8));
+            return cipher.doFinal(taggedCek);
+        } catch (Exception e) {
+            throw failure(e, "An exception was thrown when attempting to decrypt the Content Encryption Key");
+        }
+         */
+        if (materials.plaintextDataKey() != null) {
+            return materials;
+        }
+
+        for (EncryptedDataKey encryptedDataKey : encryptedDataKeys) {
+            if (!encryptedDataKey.keyProviderId().equals(KEY_PROVIDER_ID)) {
+                continue;
+            }
+
+            byte[] encodedBytes = encryptedDataKey.ciphertext();
+            byte[] iv = new byte[IV_LENGTH_IN_BYTES];
+            byte[] ciphertext = new byte[encodedBytes.length - iv.length];
+
+            System.arraycopy(encodedBytes, 0, iv, 0, iv.length);
+            System.arraycopy(encodedBytes, iv.length, ciphertext, 0, ciphertext.length);
+
+            GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, iv);
+            try {
+                final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
+                cipher.init(Cipher.DECRYPT_MODE, _wrappingKey, gcmParameterSpec);
+                // this is the CONTENT encryption, not the wrapping encryption
+                // TODO: get this from encryption context or preferably algorithm suite
+                cipher.updateAAD("AES/GCM/NoPadding".getBytes(StandardCharsets.UTF_8));
+                byte[] plaintext = cipher.doFinal(ciphertext);
+
+                return materials.toBuilder().plaintextDataKey(plaintext).build();
+            } catch (Exception e) {
+                // TODO: maybe this should fall through?
+                throw new UnsupportedOperationException("Unable to AES/GCM/NoPadding unwrap", e);
+            }
+        }
+
+        return materials;
+    }
 }

src/main/java/software/amazon/encryption/s3/materials/DecryptionMaterials.java

@@ -0,0 +1,88 @@
+package software.amazon.encryption.s3.materials;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+final public class DecryptionMaterials {
+
+    // Identifies what sort of crypto algorithms we want to use
+    // In ESDK, this is an enum
+    private final int _algorithmSuiteId;
+
+    // Additional information passed into encrypted that is required on decryption as well
+    // Should NOT contain sensitive information
+    private final Map<String, String> _encryptionContext;
+
+    private final byte[] _plaintextDataKey;
+
+    // Unused in here since signing is not supported
+    // private final byte[] _signingKey;
+
+
+    private DecryptionMaterials(Builder builder) {
+        this._algorithmSuiteId = builder._algorithmSuiteId;
+        this._encryptionContext = builder._encryptionContext;
+        this._plaintextDataKey = builder._plaintextDataKey;
+    }
+
+    static public Builder builder() {
+        return new Builder();
+    }
+
+    public int algorithmSuiteId() {
+        return _algorithmSuiteId;
+    }
+
+    public Map<String, String> encryptionContext() {
+        return _encryptionContext;
+    }
+
+    public byte[] plaintextDataKey() {
+        return _plaintextDataKey;
+    }
+
+    public SecretKey dataKey() {
+        return new SecretKeySpec(_plaintextDataKey, "AES");
+    }
+
+    public Builder toBuilder() {
+        return new Builder()
+                .algorithmSuiteId(_algorithmSuiteId)
+                .encryptionContext(_encryptionContext)
+                .plaintextDataKey(_plaintextDataKey);
+    }
+
+    static public class Builder {
+
+        private int _algorithmSuiteId = -1;
+        private Map<String, String> _encryptionContext = Collections.emptyMap();
+        private byte[] _plaintextDataKey = null;
+
+        private Builder() {
+        }
+
+        public Builder algorithmSuiteId(int id) {
+            _algorithmSuiteId = id;
+            return this;
+        }
+
+        public Builder encryptionContext(Map<String, String> encryptionContext) {
+            _encryptionContext = encryptionContext == null
+                    ? Collections.emptyMap()
+                    : Collections.unmodifiableMap(encryptionContext);
+            return this;
+        }
+
+        public Builder plaintextDataKey(byte[] plaintextDataKey) {
+            _plaintextDataKey = plaintextDataKey == null ? null : plaintextDataKey.clone();
+            return this;
+        }
+
+        public DecryptionMaterials build() {
+            return new DecryptionMaterials(this);
+        }
+    }
+}

src/main/java/software/amazon/encryption/s3/materials/DefaultMaterialsManager.java

@@ -2,6 +2,7 @@
 
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.util.List;
 import java.util.Map;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
@@ -25,7 +26,7 @@ public EncryptionMaterials getEncryptionMaterials(EncryptionMaterialsRequest req
                 .plaintextDataKey(key.getEncoded())
                 .build();
 
-        return _keyring.OnEncrypt(materials);
+        return _keyring.onEncrypt(materials);
     }
 
     private SecretKey generateDataKey() {
@@ -40,7 +41,22 @@ private SecretKey generateDataKey() {
         return generator.generateKey();
     }
 
+    public DecryptionMaterials getDecryptionMaterials(DecryptionMaterialsRequest request) {
+        DecryptionMaterials materials = DecryptionMaterials.builder()
+                .algorithmSuiteId(request.algorithmSuiteId)
+                .encryptionContext(request.encryptionContext)
+                .build();
+
+        return _keyring.onDecrypt(materials, request.encryptedDataKeys);
+    }
+
     public static class EncryptionMaterialsRequest {
         public Map<String, String> encryptionContext;
     }
+
+    public static class DecryptionMaterialsRequest {
+        public int algorithmSuiteId;
+        public List<EncryptedDataKey> encryptedDataKeys;
+        public Map<String, String> encryptionContext;
+    }
 }

src/main/java/software/amazon/encryption/s3/materials/Keyring.java

@@ -1,5 +1,8 @@
 package software.amazon.encryption.s3.materials;
 
+import java.util.List;
+
 public interface Keyring {
-    EncryptionMaterials OnEncrypt(final EncryptionMaterials materials);
+    EncryptionMaterials onEncrypt(final EncryptionMaterials materials);
+    DecryptionMaterials onDecrypt(final DecryptionMaterials materials, final List<EncryptedDataKey> encryptedDataKeys);
 }