Add Instruction File metadata decoding strategy(legacy)

Author: imabhichow

src/main/java/software/amazon/encryption/s3/internal/ContentMetadataDecodingStrategy.java

@@ -1,9 +1,8 @@
 package software.amazon.encryption.s3.internal;
 
 import java.util.Map;
-import software.amazon.awssdk.services.s3.model.GetObjectResponse;
 
 @FunctionalInterface
 public interface ContentMetadataDecodingStrategy {
-    ContentMetadata decodeMetadata(GetObjectResponse response);
+    ContentMetadata decodeMetadata(Map<String, String> response);
 }

src/main/java/software/amazon/encryption/s3/internal/GetEncryptedObjectPipeline.java

@@ -3,10 +3,15 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+
 import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.core.sync.ResponseTransformer;
 import software.amazon.awssdk.http.AbortableInputStream;
+import software.amazon.awssdk.protocols.jsoncore.JsonNode;
+import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.GetObjectRequest;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
@@ -49,7 +54,30 @@ public <T> T getObject(GetObjectRequest getObjectRequest,
                 .builder()
                 .build();
 
-        ContentMetadata contentMetadata = contentMetadataDecodingStrategy.decodeMetadata(response);
+        Map metadata = response.metadata();
+
+        // If Metadata is not in S3 Object,
+        // Pulls metadata from Instruction File which is stored parallel to S3 Object
+        if ((metadata == null) || (metadata.get(MetadataKeyConstants.CONTENT_CIPHER) == null)) {
+            contentMetadataDecodingStrategy = InstructionFileMetadataDecodingStrategy.builder().build();
+            String instructionSuffix = ".instruction";
+
+            GetObjectRequest instructionGetObjectRequest = GetObjectRequest.builder()
+                    .bucket(getObjectRequest.bucket())
+                    .key(getObjectRequest.key() + instructionSuffix )
+                    .build();
+            ResponseInputStream<GetObjectResponse> instruction = _s3Client.getObject(instructionGetObjectRequest);
+
+            Map<String, String> metadataContext = new HashMap<>();
+            JsonNodeParser parser = JsonNodeParser.create();
+            JsonNode objectNode = parser.parse(instruction);
+            for (Map.Entry<String, JsonNode> entry : objectNode.asObject().entrySet()) {
+                metadataContext.put(entry.getKey(), entry.getValue().asString());
+            }
+            metadata = metadataContext;
+        }
+
+        ContentMetadata contentMetadata = contentMetadataDecodingStrategy.decodeMetadata(metadata);
 
         AlgorithmSuite algorithmSuite = contentMetadata.algorithmSuite();
         List<EncryptedDataKey> encryptedDataKeys = Collections.singletonList(contentMetadata.encryptedDataKey());

src/main/java/software/amazon/encryption/s3/internal/InstructionFileMetadataDecodingStrategy.java

@@ -0,0 +1,128 @@
+package software.amazon.encryption.s3.internal;
+
+import software.amazon.awssdk.protocols.jsoncore.JsonNode;
+import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
+import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
+import software.amazon.awssdk.protocols.jsoncore.JsonWriter.JsonGenerationException;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.encryption.s3.S3EncryptionClientException;
+import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
+import software.amazon.encryption.s3.materials.EncryptedDataKey;
+import software.amazon.encryption.s3.materials.EncryptionMaterials;
+import software.amazon.encryption.s3.materials.S3Keyring;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+
+/**
+ * This Decrypts metadata from Instruction File which is stored parallel to S3 Object.
+ * The name is not a typo
+ */
+public class InstructionFileMetadataDecodingStrategy implements ContentMetadataDecodingStrategy {
+    private final Base64.Decoder _decoder;
+
+    private InstructionFileMetadataDecodingStrategy(Builder builder) {
+        this._decoder = builder._decoder;
+    }
+
+    public static Builder builder() { return new Builder(); }
+
+    @Override
+    public ContentMetadata decodeMetadata(Map<String, String> metadata) {
+
+        // Get algorithm suite
+        final String contentEncryptionAlgorithm = metadata.get(MetadataKeyConstants.CONTENT_CIPHER);
+        AlgorithmSuite algorithmSuite;
+        if (contentEncryptionAlgorithm == null
+                || contentEncryptionAlgorithm.equals(AlgorithmSuite.ALG_AES_256_CBC_IV16_NO_KDF.cipherName())) {
+            algorithmSuite = AlgorithmSuite.ALG_AES_256_CBC_IV16_NO_KDF;
+        } else if (contentEncryptionAlgorithm.equals(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF.cipherName())) {
+            algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;
+        } else {
+            throw new S3EncryptionClientException(
+                    "Unknown content encryption algorithm: " + contentEncryptionAlgorithm);
+        }
+
+        // Do algorithm suite dependent decoding
+        byte[] edkCiphertext;
+
+        // Currently, this is not stored within the metadata,
+        // signal to keyring(s) intended for S3EC
+        final String keyProviderId = S3Keyring.KEY_PROVIDER_ID;
+        String keyProviderInfo;
+        switch (algorithmSuite) {
+            case ALG_AES_256_CBC_IV16_NO_KDF:
+                // Extract encrypted data key ciphertext
+                edkCiphertext = _decoder.decode(metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V1));
+
+                // Hardcode the key provider id to match what V1 does
+                keyProviderInfo = "AES";
+
+                break;
+            case ALG_AES_256_GCM_IV12_TAG16_NO_KDF:
+                // Check tag length
+                final int tagLength = Integer.parseInt(metadata.get(MetadataKeyConstants.CONTENT_CIPHER_TAG_LENGTH));
+                if (tagLength != algorithmSuite.cipherTagLengthBits()) {
+                    throw new S3EncryptionClientException("Expected tag length (bits) of: "
+                            + algorithmSuite.cipherTagLengthBits()
+                            + ", got: " + tagLength);
+                }
+
+                // Extract encrypted data key ciphertext and provider id
+                edkCiphertext = _decoder.decode(metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V2));
+                keyProviderInfo = metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_ALGORITHM);
+
+                break;
+            default:
+                throw new S3EncryptionClientException(
+                        "Unknown content encryption algorithm: " + algorithmSuite.id());
+        }
+
+        // Build encrypted data key
+        EncryptedDataKey edk = EncryptedDataKey.builder()
+                .ciphertext(edkCiphertext)
+                .keyProviderId(keyProviderId)
+                .keyProviderInfo(keyProviderInfo.getBytes(StandardCharsets.UTF_8))
+                .build();
+
+        // Get encrypted data key encryption context
+        final Map<String, String> encryptionContext = new HashMap<>();
+        final String jsonEncryptionContext = metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_CONTEXT);
+        try {
+            JsonNodeParser parser = JsonNodeParser.create();
+            JsonNode objectNode = parser.parse(jsonEncryptionContext);
+
+            for (Entry<String, JsonNode> entry : objectNode.asObject().entrySet()) {
+                encryptionContext.put(entry.getKey(), entry.getValue().asString());
+            }
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+        // Get content nonce
+        byte[] nonce = _decoder.decode(metadata.get(MetadataKeyConstants.CONTENT_NONCE));
+
+        return ContentMetadata.builder()
+                .algorithmSuite(algorithmSuite)
+                .encryptedDataKey(edk)
+                .encryptedDataKeyContext(encryptionContext)
+                .contentNonce(nonce)
+                .build();
+    }
+
+    public static class Builder {
+        private  Base64.Decoder _decoder = Base64.getDecoder();
+
+        public Builder base64Decoder(Base64.Decoder decoder) {
+            this._decoder = decoder;
+            return this;
+        }
+
+        public InstructionFileMetadataDecodingStrategy build() {
+            return new InstructionFileMetadataDecodingStrategy(this);
+        }
+    }
+}

src/main/java/software/amazon/encryption/s3/internal/S3ObjectMetadataStrategy.java

@@ -9,7 +9,6 @@
 import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
 import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
 import software.amazon.awssdk.protocols.jsoncore.JsonWriter.JsonGenerationException;
-import software.amazon.awssdk.services.s3.model.GetObjectResponse;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.encryption.s3.S3EncryptionClientException;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
@@ -63,8 +62,7 @@ public PutObjectRequest encodeMetadata(
     }
 
     @Override
-    public ContentMetadata decodeMetadata(GetObjectResponse response) {
-        Map<String, String> metadata = response.metadata();
+    public ContentMetadata decodeMetadata(Map<String, String> metadata) {
 
         // Get algorithm suite
         final String contentEncryptionAlgorithm = metadata.get(MetadataKeyConstants.CONTENT_CIPHER);

src/test/java/S3EncryptionClientTest.java

@@ -6,15 +6,8 @@
 import com.amazonaws.services.s3.AmazonS3EncryptionClient;
 import com.amazonaws.services.s3.AmazonS3EncryptionClientV2;
 import com.amazonaws.services.s3.AmazonS3EncryptionV2;
-import com.amazonaws.services.s3.model.CryptoConfiguration;
-import com.amazonaws.services.s3.model.CryptoConfigurationV2;
-import com.amazonaws.services.s3.model.CryptoMode;
-import com.amazonaws.services.s3.model.EncryptedPutObjectRequest;
-import com.amazonaws.services.s3.model.EncryptionMaterials;
-import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
-import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
-import com.amazonaws.services.s3.model.ObjectMetadata;
-import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
+import com.amazonaws.services.s3.model.*;
+
 import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
@@ -35,11 +28,11 @@
 public class S3EncryptionClientTest {
 
     // TODO: make these dynamic
-    private static final String BUCKET = "845853869857-s3-research";
+    private static final String BUCKET = "s3encryptionclient";
 
-    private static final String KMS_MASTER_KEY = "e45015eb-1643-448f-9145-8ed4679138e4";
+    private static final String KMS_MASTER_KEY = "6c7db579-a16c-48c0-adea-604f6b449758";
 
-    private static final Region KMS_REGION = Region.getRegion(Regions.US_EAST_2);
+    private static final Region KMS_REGION = Region.getRegion(Regions.US_WEST_2);
 
     private static SecretKey AES_KEY;
     private static KeyPair RSA_KEY_PAIR;
@@ -117,6 +110,38 @@ public void AesWrapV1toV3() {
         assertEquals(input, output);
     }
 
+    @Test
+    public void AesWrapV1toV3WithInstructionMode() {
+        final String BUCKET_KEY = "aes-wrap-v1-to-v3-with-instruction-storage-mode";
+
+        // V1 Client
+        EncryptionMaterialsProvider materialsProvider =
+                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
+        CryptoConfiguration v1CryptoConfig =
+                new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)
+                        .withStorageMode(CryptoStorageMode.InstructionFile);
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+                .withCryptoConfiguration(v1CryptoConfig)
+                .withEncryptionMaterials(materialsProvider)
+                .build();
+
+        // V3 Client
+        S3Client v3Client = S3EncryptionClient.builder()
+                .aesKey(AES_KEY)
+                .enableLegacyModes(true)
+                .build();
+
+        // Asserts
+        final String input = "AesGcmV1toV3";
+        v1Client.putObject(BUCKET, BUCKET_KEY, input);
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3Client.getObjectAsBytes(GetObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(BUCKET_KEY).build());
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+    }
+
     @Test
     public void AesGcmV2toV3() {
         final String BUCKET_KEY = "aes-gcm-v3-to-v2";
@@ -257,6 +282,38 @@ public void RsaEcbV1toV3() {
         assertEquals(input, output);
     }
 
+    @Test
+    public void RsaEcbV1toV3WithInstructionMode() {
+        final String BUCKET_KEY = "rsa-ecb-v1-to-v3-with-instruction-mode";
+
+        // V1 Client
+        EncryptionMaterialsProvider materialsProvider =
+                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(RSA_KEY_PAIR));
+        CryptoConfiguration v1CryptoConfig =
+                new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)
+                        .withStorageMode(CryptoStorageMode.InstructionFile);;
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+                .withCryptoConfiguration(v1CryptoConfig)
+                .withEncryptionMaterials(materialsProvider)
+                .build();
+
+        // V3 Client
+        S3Client v3Client = S3EncryptionClient.builder()
+                .rsaKeyPair(RSA_KEY_PAIR)
+                .enableLegacyModes(true)
+                .build();
+
+        // Asserts
+        final String input = "RsaEcbV1toV3";
+        v1Client.putObject(BUCKET, BUCKET_KEY, input);
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3Client.getObjectAsBytes(GetObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(BUCKET_KEY).build());
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+    }
+
     @Test
     public void RsaOaepV2toV3() {
         final String BUCKET_KEY = "rsa-oaep-v2-to-v3";
@@ -265,7 +322,40 @@ public void RsaOaepV2toV3() {
         EncryptionMaterialsProvider materialsProvider =
                 new StaticEncryptionMaterialsProvider(new EncryptionMaterials(RSA_KEY_PAIR));
         CryptoConfigurationV2 cryptoConfig =
-                new CryptoConfigurationV2(CryptoMode.StrictAuthenticatedEncryption);
+                new CryptoConfigurationV2(CryptoMode.StrictAuthenticatedEncryption)
+                        .withStorageMode(CryptoStorageMode.InstructionFile);
+        AmazonS3EncryptionV2 v2Client = AmazonS3EncryptionClientV2.encryptionBuilder()
+                .withCryptoConfiguration(cryptoConfig)
+                .withEncryptionMaterialsProvider(materialsProvider)
+                .build();
+
+        // V3 Client
+        S3Client v3Client = S3EncryptionClient.builder()
+                .rsaKeyPair(RSA_KEY_PAIR)
+                .build();
+
+        // Asserts
+        final String input = "RsaOaepV2toV3";
+        v2Client.putObject(BUCKET, BUCKET_KEY, input);
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3Client.getObjectAsBytes(
+                GetObjectRequest.builder()
+                        .bucket(BUCKET)
+                        .key(BUCKET_KEY).build());
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+    }
+
+    @Test
+    public void RsaOaepV2toV3WithInstructionMode() {
+        final String BUCKET_KEY = "rsa-oaep-v2-to-v3-with-instruction-mode";
+
+        // V2 Client
+        EncryptionMaterialsProvider materialsProvider =
+                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(RSA_KEY_PAIR));
+        CryptoConfigurationV2 cryptoConfig =
+                new CryptoConfigurationV2(CryptoMode.StrictAuthenticatedEncryption)
+                        .withStorageMode(CryptoStorageMode.InstructionFile);
         AmazonS3EncryptionV2 v2Client = AmazonS3EncryptionClientV2.encryptionBuilder()
                 .withCryptoConfiguration(cryptoConfig)
                 .withEncryptionMaterialsProvider(materialsProvider)
@@ -402,6 +492,40 @@ public void KmsV1toV3() {
         assertEquals(input, output);
     }
 
+    @Test
+    public void KmsV1toV3WithInstructionMode() {
+        final String BUCKET_KEY = "kms-v1-to-v3-with-instruction-mode";
+
+        // V1 Client
+        EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_MASTER_KEY);
+
+        CryptoConfiguration v1Config =
+                new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)
+                        .withStorageMode(CryptoStorageMode.InstructionFile)
+                        .withAwsKmsRegion(KMS_REGION);
+
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+                .withCryptoConfiguration(v1Config)
+                .withEncryptionMaterials(materialsProvider)
+                .build();
+
+        // V3 Client
+        S3Client v3Client = S3EncryptionClient.builder()
+                .kmsKeyId(KMS_MASTER_KEY)
+                .enableLegacyModes(true)
+                .build();
+
+        // Asserts
+        final String input = "KmsV1toV3";
+        v1Client.putObject(BUCKET, BUCKET_KEY, input);
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3Client.getObjectAsBytes(GetObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(BUCKET_KEY).build());
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+    }
+
     @Test
     public void KmsContextV2toV3() {
         final String BUCKET_KEY = "kms-context-v2-to-v3";