Merge branch 'main' into aniravk/validateAgainstLegacyWrappingOnClientButCustomerPassesKeyring

Author: akareddy04

CHANGELOG.md

@@ -1,13 +1,18 @@
 # Changelog
 
-## [3.3.5](https://github.com/aws/aws-s3-encryption-client-java/compare/v3.3.4...v3.3.5) (2025-05-20)
+## [3.3.5](https://github.com/aws/aws-s3-encryption-client-java/compare/v3.3.4...v3.3.5) (2025-05-21)
 
 ### Fixes
 
 * determine effective contentLength, account for tagLength on decrypt ([#463](https://github.com/aws/aws-s3-encryption-client-java/issues/463)) ([969d721](https://github.com/aws/aws-s3-encryption-client-java/commit/969d7213b7bd6250fbce159bd5705a19ee439f23))
 * disable low-level Multipart Upload in Async client ([#461](https://github.com/aws/aws-s3-encryption-client-java/issues/461)) ([599f941](https://github.com/aws/aws-s3-encryption-client-java/commit/599f9417335efac4cf952e555a99bbc6d7d8cc0f))
 * support PutObjectResponse fields ([#462](https://github.com/aws/aws-s3-encryption-client-java/issues/462)) ([dec503b](https://github.com/aws/aws-s3-encryption-client-java/commit/dec503b49f3e57113de16fcc861ee1ecedbd2ff6))
 
+### Maintenance
+
+* Revert "Amazon S3 Encryption Client 3.3.5 Release -- 2025-05-20" ([#465](https://github.com/aws/aws-s3-encryption-client-java/issues/465)) ([3f9ac8e](https://github.com/aws/aws-s3-encryption-client-java/commit/3f9ac8e419f5ed55f59fb0daf742fc2945eea9d0))
+* update dependency needed for semantic-release  ([#464](https://github.com/aws/aws-s3-encryption-client-java/issues/464)) ([0fd3b58](https://github.com/aws/aws-s3-encryption-client-java/commit/0fd3b5826964b41a07a4c004fd0500404e347360))
+
 ## [3.3.4](https://github.com/aws/aws-s3-encryption-client-java/compare/v3.3.3...v3.3.4) (2025-05-12)
 
 ### Fixes

cfn/release.yml

@@ -189,6 +189,7 @@ Resources:
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB",
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U",
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-User-Token-zK61bM",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Central-Portal-XrYUs2",
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS"
               ],

codebuild/release/release-prod.yml

@@ -10,8 +10,8 @@ env:
   secrets-manager:
     GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname
     GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase
-    SONA_USERNAME: Sonatype-User-Token:username
-    SONA_PASSWORD: Sonatype-User-Token:password
+    SONA_USERNAME: Sonatype-Central-Portal:Username
+    SONA_PASSWORD: Sonatype-Central-Portal:Password
 
 phases:
   install:

codebuild/release/settings.xml

@@ -13,7 +13,7 @@ SPDX-License-Identifier: Apache-2.0
       <password>${codeartifact.token}</password>
     </server>
     <server>
-      <id>sonatype-nexus-staging</id>
+      <id>central</id>
       <username>${sonatype.username}</username>
       <password>${sonatype.password}</password>
     </server>

codebuild/release/version.yml

@@ -19,6 +19,7 @@ phases:
       - npm install @semantic-release/changelog -d
       - npm install @semantic-release/exec -d
       - npm install @semantic-release/git -d
+      - npm install conventional-changelog-conventionalcommits -d
       - npm install --save conventional-changelog
     runtime-versions:
       nodejs: 16
@@ -30,4 +31,4 @@ phases:
   build:
     commands:
       # semantic-release uses config stored in ~/.releaserc
-      - npx semantic-release --branches $BRANCH --no-ci
+      - npx semantic-release --branches $BRANCH --no-ci

pom.xml

@@ -33,7 +33,7 @@
   </developers>
 
   <scm>
-    <url>https://github.com/aws/amazon-s3-encryption-client.git</url>
+    <url>https://github.com/aws/amazon-s3-encryption-client-java.git</url>
   </scm>
 
   <properties>
@@ -308,8 +308,8 @@
 
       <distributionManagement>
         <snapshotRepository>
-          <id>sonatype-nexus-staging</id>
-          <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+          <id>central</id>
+          <url>https://ossrh-staging-api.central.sonatype.com/content/repositories/snapshots</url>
         </snapshotRepository>
       </distributionManagement>
 
@@ -336,13 +336,13 @@
             </executions>
           </plugin>
           <plugin>
-            <groupId>org.sonatype.plugins</groupId>
-            <artifactId>nexus-staging-maven-plugin</artifactId>
-            <version>1.6.13</version>
+            <groupId>org.sonatype.central</groupId>
+            <artifactId>central-publishing-maven-plugin</artifactId>
+            <version>0.7.0</version>
             <extensions>true</extensions>
             <configuration>
-              <serverId>sonatype-nexus-staging</serverId>
-                <nexusUrl>https://aws.oss.sonatype.org</nexusUrl>
+              <publishingServerId>central</publishingServerId>
+              <autoPublish>true</autoPublish>
             </configuration>
            </plugin>
         </plugins>

src/main/java/software/amazon/encryption/s3/S3AsyncEncryptionClient.java

@@ -79,7 +79,7 @@ public class S3AsyncEncryptionClient extends DelegatingS3AsyncClient {
     private final boolean _enableDelayedAuthenticationMode;
     private final boolean _enableMultipartPutObject;
     private final long _bufferSize;
-    private InstructionFileConfig _instructionFileConfig;
+    private final InstructionFileConfig _instructionFileConfig;
 
     private S3AsyncEncryptionClient(Builder builder) {
         super(builder._wrappedClient);
@@ -151,6 +151,7 @@ public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest putObject
                 .s3AsyncClient(_wrappedClient)
                 .cryptoMaterialsManager(_cryptoMaterialsManager)
                 .secureRandom(_secureRandom)
+                .instructionFileConfig(_instructionFileConfig)
                 .build();
 
         return pipeline.putObject(putObjectRequest, requestBody);
@@ -169,6 +170,7 @@ private CompletableFuture<PutObjectResponse> multipartPutObject(PutObjectRequest
                 .s3AsyncClient(mpuClient)
                 .cryptoMaterialsManager(_cryptoMaterialsManager)
                 .secureRandom(_secureRandom)
+                .instructionFileConfig(_instructionFileConfig)
                 .build();
         // Ensures parts are not retried to avoid corrupting ciphertext
         AsyncRequestBody noRetryBody = new NoRetriesAsyncRequestBody(requestBody);
@@ -289,6 +291,7 @@ public void close() {
         _instructionFileConfig.closeClient();
     }
 
+
     // This is very similar to the S3EncryptionClient builder
     // Make sure to keep both clients in mind when adding new builder options
     public static class Builder implements S3AsyncClientBuilder {

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java

@@ -203,6 +203,7 @@ public PutObjectResponse putObject(PutObjectRequest putObjectRequest, RequestBod
                 .s3AsyncClient(_wrappedAsyncClient)
                 .cryptoMaterialsManager(_cryptoMaterialsManager)
                 .secureRandom(_secureRandom)
+                .instructionFileConfig(_instructionFileConfig)
                 .build();
 
         ExecutorService singleThreadExecutor = Executors.newSingleThreadExecutor();
@@ -1171,6 +1172,7 @@ public S3EncryptionClient build() {
                     .s3AsyncClient(_wrappedAsyncClient)
                     .cryptoMaterialsManager(_cryptoMaterialsManager)
                     .secureRandom(_secureRandom)
+                    .instructionFileConfig(_instructionFileConfig)
                     .build();
 
             return new S3EncryptionClient(this);

src/main/java/software/amazon/encryption/s3/internal/ContentMetadataDecodingStrategy.java

@@ -169,7 +169,6 @@ private ContentMetadata readFromMap(Map<String, String> metadata, GetObjectRespo
 
     public ContentMetadata decode(GetObjectRequest request, GetObjectResponse response) {
         Map<String, String> metadata = response.metadata();
-        ContentMetadataDecodingStrategy strategy;
         if (metadata != null
                 && metadata.containsKey(MetadataKeyConstants.CONTENT_IV)
                 && (metadata.containsKey(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V1)

src/main/java/software/amazon/encryption/s3/internal/ContentMetadataEncodingStrategy.java

@@ -2,13 +2,94 @@
 // SPDX-License-Identifier: Apache-2.0
 package software.amazon.encryption.s3.internal;
 
+import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
+import software.amazon.awssdk.services.s3.model.CreateMultipartUploadRequest;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.encryption.s3.S3EncryptionClientException;
+import software.amazon.encryption.s3.materials.EncryptedDataKey;
 import software.amazon.encryption.s3.materials.EncryptionMaterials;
 
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.HashMap;
 import java.util.Map;
 
-@FunctionalInterface
-public interface ContentMetadataEncodingStrategy {
+public class ContentMetadataEncodingStrategy {
 
-    Map<String, String> encodeMetadata(EncryptionMaterials materials, byte[] iv,
-                                              Map<String, String> metadata);
+    private static final Base64.Encoder ENCODER = Base64.getEncoder();
+    private final InstructionFileConfig _instructionFileConfig;
+
+    public ContentMetadataEncodingStrategy(InstructionFileConfig instructionFileConfig) {
+        _instructionFileConfig = instructionFileConfig;
+    }
+
+    public PutObjectRequest encodeMetadata(EncryptionMaterials materials, byte[] iv, PutObjectRequest putObjectRequest) {
+        if (_instructionFileConfig.isInstructionFilePutEnabled()) {
+            final String metadataString = metadataToString(materials, iv);
+            _instructionFileConfig.putInstructionFile(putObjectRequest, metadataString);
+            // the original request object is returned as-is
+            return putObjectRequest;
+        } else {
+            Map<String, String> newMetadata = addMetadataToMap(putObjectRequest.metadata(), materials, iv);
+            return putObjectRequest.toBuilder()
+                    .metadata(newMetadata)
+                    .build();
+        }
+    }
+
+    public CreateMultipartUploadRequest encodeMetadata(EncryptionMaterials materials, byte[] iv, CreateMultipartUploadRequest createMultipartUploadRequest) {
+        if(_instructionFileConfig.isInstructionFilePutEnabled()) {
+            final String metadataString = metadataToString(materials, iv);
+            PutObjectRequest putObjectRequest = ConvertSDKRequests.convertRequest(createMultipartUploadRequest);
+            _instructionFileConfig.putInstructionFile(putObjectRequest, metadataString);
+            // the original request object is returned as-is
+            return createMultipartUploadRequest;
+        } else {
+            Map<String, String> newMetadata = addMetadataToMap(createMultipartUploadRequest.metadata(), materials, iv);
+            return createMultipartUploadRequest.toBuilder()
+                    .metadata(newMetadata)
+                    .build();
+        }
+    }
+    private String metadataToString(EncryptionMaterials materials, byte[] iv) {
+        // this is just the metadata map serialized as JSON
+        // so first get the Map
+        final Map<String, String> metadataMap = addMetadataToMap(new HashMap<>(), materials, iv);
+        // then serialize it
+        try (JsonWriter jsonWriter = JsonWriter.create()) {
+            jsonWriter.writeStartObject();
+            for (Map.Entry<String, String> entry : metadataMap.entrySet()) {
+                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
+            }
+            jsonWriter.writeEndObject();
+
+            return new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
+        } catch (JsonWriter.JsonGenerationException e) {
+            throw new S3EncryptionClientException("Cannot serialize materials to JSON.", e);
+        }
+    }
+
+    private Map<String, String> addMetadataToMap(Map<String, String> map, EncryptionMaterials materials, byte[] iv) {
+        Map<String, String> metadata = new HashMap<>(map);
+        EncryptedDataKey edk = materials.encryptedDataKeys().get(0);
+        metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V2, ENCODER.encodeToString(edk.encryptedDatakey()));
+        metadata.put(MetadataKeyConstants.CONTENT_IV, ENCODER.encodeToString(iv));
+        metadata.put(MetadataKeyConstants.CONTENT_CIPHER, materials.algorithmSuite().cipherName());
+        metadata.put(MetadataKeyConstants.CONTENT_CIPHER_TAG_LENGTH, Integer.toString(materials.algorithmSuite().cipherTagLengthBits()));
+        metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_ALGORITHM, new String(edk.keyProviderInfo(), StandardCharsets.UTF_8));
+
+        try (JsonWriter jsonWriter = JsonWriter.create()) {
+            jsonWriter.writeStartObject();
+            for (Map.Entry<String, String> entry : materials.encryptionContext().entrySet()) {
+                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
+            }
+            jsonWriter.writeEndObject();
+
+            String jsonEncryptionContext = new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
+            metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_CONTEXT, jsonEncryptionContext);
+        } catch (JsonWriter.JsonGenerationException e) {
+            throw new S3EncryptionClientException("Cannot serialize encryption context to JSON.", e);
+        }
+        return metadata;
+    }
 }