made changes according to first round of PR

Anirav Kareddy · Anirav Kareddy · commit 7d8dda5c1b60 · 2025-07-18T10:22:22.000-07:00
diff --git a/pom.xml b/pom.xml
@@ -168,6 +168,18 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>jcl-over-slf4j</artifactId>
+      <version>2.1.0-alpha1</version>
+    </dependency>
+
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+      <version>1.5.18</version>
+    </dependency>
+
   </dependencies>
 
   <build>
diff --git a/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java b/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
@@ -3,6 +3,7 @@
 package software.amazon.encryption.s3;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.apache.commons.logging.LogFactory;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
 import software.amazon.awssdk.awscore.exception.AwsServiceException;
@@ -1069,10 +1070,10 @@ public S3EncryptionClient build() {
             if (!onlyOneNonNull(_cryptoMaterialsManager, _keyring, _aesKey, _rsaKeyPair, _kmsKeyId)) {
                 throw new S3EncryptionClientException("Exactly one must be set of: crypto materials manager, keyring, AES key, RSA key pair, KMS key id");
             }
-            if (_enableLegacyWrappingAlgorithms && _keyring !=null && _keyring instanceof S3Keyring) {
+            if (_enableLegacyWrappingAlgorithms && _keyring !=null) {
                 S3Keyring keyring = (S3Keyring) _keyring;
-                if (!keyring.enableLegacyWrappingAlgorithms()) {
-                    throw new S3EncryptionClientException("Legacy wrapping algorithms are not enabled for this keyring");
+                if (!keyring.areLegacyWrappingAlgorithmsEnabled()) {
+                    LogFactory.getLog(getClass()).warn("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.");
                 }
             }
 
diff --git a/src/main/java/software/amazon/encryption/s3/materials/S3Keyring.java b/src/main/java/software/amazon/encryption/s3/materials/S3Keyring.java
@@ -36,9 +36,7 @@ protected S3Keyring(Builder<?, ?> builder) {
     /**
      * @return true if legacy wrapping algorithms are enabled, false otherwise
      */
-    public boolean enableLegacyWrappingAlgorithms() {
-        return _enableLegacyWrappingAlgorithms;
-    }
+    public boolean areLegacyWrappingAlgorithmsEnabled() { return _enableLegacyWrappingAlgorithms;}
 
     /**
      * Generates a data key using the provided EncryptionMaterials and the configured DataKeyGenerator.
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java
@@ -2,6 +2,9 @@
 // SPDX-License-Identifier: Apache-2.0
 package software.amazon.encryption.s3;
 
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+import ch.qos.logback.core.read.ListAppender;
 import com.amazonaws.services.kms.AWSKMS;
 import com.amazonaws.services.kms.AWSKMSClientBuilder;
 import com.amazonaws.services.s3.AmazonS3Encryption;
@@ -15,17 +18,12 @@
 import com.amazonaws.services.s3.model.EncryptedPutObjectRequest;
 import com.amazonaws.services.s3.model.EncryptionMaterials;
 import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
-import com.amazonaws.services.s3.model.GetObjectMetadataRequest;
-import com.amazonaws.services.s3.model.InitiateMultipartUploadRequest;
-import com.amazonaws.services.s3.model.InitiateMultipartUploadResult;
 import com.amazonaws.services.s3.model.KMSEncryptionMaterials;
 import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
-import com.amazonaws.services.s3.model.ObjectMetadata;
 import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
-import com.amazonaws.services.s3.model.StorageClass;
-import com.amazonaws.services.s3.model.UploadObjectRequest;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
+import org.slf4j.LoggerFactory;
 import software.amazon.awssdk.core.ResponseBytes;
 import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.services.s3.S3Client;
@@ -44,17 +42,15 @@
 import javax.crypto.SecretKey;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.concurrent.ExecutionException;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -983,69 +979,158 @@ public void nullMaterialDescriptionV3() {
     }
 
     @Test
-    public void validateAgainstSettingLegacyWrappingOnClientWithAesKeyringPassedV1toV3() {
-        try {
-            AesKeyring aesKeyring = AesKeyring.builder()
-              .wrappingKey(AES_KEY)
-              .build();
-
-            S3Client wrappedClient = S3Client.create();
-            S3Client v3Client = S3EncryptionClient.builder()
-              .keyring(aesKeyring)
-              .wrappedClient(wrappedClient)
-              .enableLegacyWrappingAlgorithms(true)
-              .enableLegacyUnauthenticatedModes(true)
-              .build();
-            throw new RuntimeException("Expected failure");
-        } catch (S3EncryptionClientException e) {
-            assertTrue(e.getMessage().contains("Legacy wrapping algorithms are not enabled for this keyring"));
-        }
+    public void LegacyWrappingEnabledOnClientButNotOnAesKeyring() {
+        Logger logger = (Logger) LoggerFactory.getLogger(S3EncryptionClient.class);
+        ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
+        listAppender.start();
+        logger.addAppender(listAppender);
+
+        AesKeyring aesKeyring = AesKeyring.builder()
+          .wrappingKey(AES_KEY)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(aesKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyWrappingAlgorithms(true)
+          .enableLegacyUnauthenticatedModes(true)
+          .build();
 
+        assertTrue(listAppender.list.stream().anyMatch(event -> event.getMessage().contains("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.")));
+        logger.detachAppender(listAppender);
     }
 
     @Test
-    public void validateAgainstSettingLegacyWrappingOnClientWithRsaKeyringPassedV1toV3() {
-        try {
-            PartialRsaKeyPair partialRsaKeyPair = PartialRsaKeyPair.builder()
-              .publicKey(RSA_KEY_PAIR.getPublic())
-              .privateKey(RSA_KEY_PAIR.getPrivate())
-              .build();
-
-            RsaKeyring rsaKeyring = RsaKeyring.builder()
-              .wrappingKeyPair(partialRsaKeyPair)
-              .build();
-
-            S3Client wrappedClient = S3Client.create();
-            S3Client v3Client = S3EncryptionClient.builder()
-              .keyring(rsaKeyring)
-              .wrappedClient(wrappedClient)
-              .enableLegacyWrappingAlgorithms(true)
-              .enableLegacyUnauthenticatedModes(true)
-              .build();
-            throw new RuntimeException("Expected failure");
-        } catch (S3EncryptionClientException e) {
-            assertTrue(e.getMessage().contains("Legacy wrapping algorithms are not enabled for this keyring"));
-        }
+    public void LegacyWrappingEnabledOnClientButNotOnRsaKeyring() {
+        Logger logger = (Logger) LoggerFactory.getLogger(S3EncryptionClient.class);
+        ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
+        listAppender.start();
+        logger.addAppender(listAppender);
+
+        PartialRsaKeyPair partialRsaKeyPair = PartialRsaKeyPair.builder()
+          .publicKey(RSA_KEY_PAIR.getPublic())
+          .privateKey(RSA_KEY_PAIR.getPrivate())
+          .build();
+
+        RsaKeyring rsaKeyring = RsaKeyring.builder()
+          .wrappingKeyPair(partialRsaKeyPair)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(rsaKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyWrappingAlgorithms(true)
+          .enableLegacyUnauthenticatedModes(true)
+          .build();
+
+        assertTrue(listAppender.list.stream().anyMatch(event -> event.getMessage().contains("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.")));
+        logger.detachAppender(listAppender);
+
     }
 
     @Test
-    public void validateAgainstSettingLegacyWrappingOnClientWithKmsKeyringPassedV1toV3() {
-        try {
-            KmsKeyring kmsKeyring = KmsKeyring.builder()
-              .wrappingKeyId(KMS_KEY_ID)
-              .build();
-
-            S3Client wrappedClient = S3Client.create();
-            S3Client v3Client = S3EncryptionClient.builder()
-              .keyring(kmsKeyring)
-              .wrappedClient(wrappedClient)
-              .enableLegacyWrappingAlgorithms(true)
-              .enableLegacyUnauthenticatedModes(true)
-              .build();
-            throw new RuntimeException("Expected failure");
-        } catch (S3EncryptionClientException e) {
-            assertTrue(e.getMessage().contains("Legacy wrapping algorithms are not enabled for this keyring"));
+    public void LegacyWrappingEnabledOnClientButNotOnKmsKeyring() {
+        Logger logger = (Logger) LoggerFactory.getLogger(S3EncryptionClient.class);
+        ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
+        listAppender.start();
+        logger.addAppender(listAppender);
+
+        KmsKeyring kmsKeyring = KmsKeyring.builder()
+          .wrappingKeyId(KMS_KEY_ID)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(kmsKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyWrappingAlgorithms(true)
+          .enableLegacyUnauthenticatedModes(true)
+          .build();
+
+        assertTrue(listAppender.list.stream().anyMatch(event -> event.getMessage().contains("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.")));
+        logger.detachAppender(listAppender);
+
         }
+
+    @Test
+    public void LegacyWrappingEnabledOnBothClientAndAesKeyring() {
+        Logger logger = (Logger) LoggerFactory.getLogger(S3EncryptionClient.class);
+        ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
+        listAppender.start();
+        logger.addAppender(listAppender);
+
+        AesKeyring aesKeyring = AesKeyring.builder()
+          .wrappingKey(AES_KEY)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(aesKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyWrappingAlgorithms(true)
+          .enableLegacyUnauthenticatedModes(true)
+          .build();
+
+        assertFalse(listAppender.list.stream()
+          .anyMatch(event -> event.getMessage().contains("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.")));
+        logger.detachAppender(listAppender);
+    }
+
+    @Test
+    public void LegacyWrappingEnabledOnBothClientAndRsaKeyring() {
+        Logger logger = (Logger) LoggerFactory.getLogger(S3EncryptionClient.class);
+        ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
+        listAppender.start();
+        logger.addAppender(listAppender);
+
+        PartialRsaKeyPair partialRsaKeyPair = PartialRsaKeyPair.builder()
+          .publicKey(RSA_KEY_PAIR.getPublic())
+          .privateKey(RSA_KEY_PAIR.getPrivate())
+          .build();
+
+        RsaKeyring rsaKeyring = RsaKeyring.builder()
+          .wrappingKeyPair(partialRsaKeyPair)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(rsaKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyWrappingAlgorithms(true)
+          .enableLegacyUnauthenticatedModes(true)
+          .build();
+
+        assertFalse(listAppender.list.stream()
+          .anyMatch(event -> event.getMessage().contains("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.")));
+        logger.detachAppender(listAppender);
     }
 
+    @Test
+    public void LegacyWrappingEnabledOnBothClientAndKmsKeyring() {
+        Logger logger = (Logger) LoggerFactory.getLogger(S3EncryptionClient.class);
+        ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
+        listAppender.start();
+        logger.addAppender(listAppender);
+
+        KmsKeyring kmsKeyring = KmsKeyring.builder()
+          .wrappingKeyId(KMS_KEY_ID)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(kmsKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyWrappingAlgorithms(true)
+          .enableLegacyUnauthenticatedModes(true)
+          .build();
+
+        assertFalse(listAppender.list.stream()
+          .anyMatch(event -> event.getMessage().contains("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.")));
+        logger.detachAppender(listAppender);
+    }
 }
diff --git a/src/test/resources/logback-test.xml b/src/test/resources/logback-test.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder>
+            <pattern>%highlight(WARNING: %msg%n)</pattern>
+        </encoder>
+        <filter class="ch.qos.logback.classic.filter.LevelFilter">
+            <level>WARN</level>
+            <onMatch>ACCEPT</onMatch>
+            <onMismatch>DENY</onMismatch>
+        </filter>
+    </appender>
+
+    <root level="warn">
+        <appender-ref ref="CONSOLE" />
+    </root>
+</configuration>

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`package software.amazon.encryption.s3;`
`4`	`4`
`5`	`5`	`import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;`
	`6`	`+import org.apache.commons.logging.LogFactory;`
`6`	`7`	`import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;`
`7`	`8`	`import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;`
`8`	`9`	`import software.amazon.awssdk.awscore.exception.AwsServiceException;`
`@@ -1069,10 +1070,10 @@ public S3EncryptionClient build() {`
`1069`	`1070`	`if (!onlyOneNonNull(_cryptoMaterialsManager, _keyring, _aesKey, _rsaKeyPair, _kmsKeyId)) {`
`1070`	`1071`	`throw new S3EncryptionClientException("Exactly one must be set of: crypto materials manager, keyring, AES key, RSA key pair, KMS key id");`
`1071`	`1072`	`}`
`1072`		`- if (_enableLegacyWrappingAlgorithms && _keyring !=null && _keyring instanceof S3Keyring) {`
	`1073`	`+ if (_enableLegacyWrappingAlgorithms && _keyring !=null) {`
`1073`	`1074`	`S3Keyring keyring = (S3Keyring) _keyring;`
`1074`		`- if (!keyring.enableLegacyWrappingAlgorithms()) {`
`1075`		`- throw new S3EncryptionClientException("Legacy wrapping algorithms are not enabled for this keyring");`
	`1075`	`+ if (!keyring.areLegacyWrappingAlgorithmsEnabled()) {`
	`1076`	`+ LogFactory.getLog(getClass()).warn("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.");`
`1076`	`1077`	`}`
`1077`	`1078`	`}`
`1078`	`1079`