Create put object pipeline.

Factored out the content encryption and metadata storage strategies.

Author: smswz

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java

@@ -2,17 +2,14 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Map.Entry;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
@@ -28,23 +25,17 @@
 import software.amazon.awssdk.http.AbortableInputStream;
 import software.amazon.awssdk.protocols.jsoncore.JsonNode;
 import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
-import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
-import software.amazon.awssdk.protocols.jsoncore.JsonWriter.JsonGenerationException;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.GetObjectRequest;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
-import software.amazon.awssdk.services.s3.model.InvalidObjectStateException;
-import software.amazon.awssdk.services.s3.model.NoSuchKeyException;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectResponse;
-import software.amazon.awssdk.services.s3.model.S3Exception;
 import software.amazon.awssdk.utils.IoUtils;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
-import software.amazon.encryption.s3.materials.DecryptionMaterials;
+import software.amazon.encryption.s3.internal.PutEncryptedObjectPipeline;
 import software.amazon.encryption.s3.materials.DecryptMaterialsRequest;
-import software.amazon.encryption.s3.materials.EncryptionMaterialsRequest;
+import software.amazon.encryption.s3.materials.DecryptionMaterials;
 import software.amazon.encryption.s3.materials.EncryptedDataKey;
-import software.amazon.encryption.s3.materials.EncryptionMaterials;
 import software.amazon.encryption.s3.materials.MaterialsManager;
 
 public class S3EncryptionClient implements S3Client {
@@ -59,78 +50,25 @@ public S3EncryptionClient(S3Client client, MaterialsManager materialsManager) {
 
     @Override
     public PutObjectResponse putObject(PutObjectRequest putObjectRequest, RequestBody requestBody)
-            throws AwsServiceException, SdkClientException, S3Exception {
-
-        // TODO: This is proof-of-concept code and needs to be refactored
-
-        // Get content encryption key
-        EncryptionMaterials materials = _materialsManager.getEncryptionMaterials(EncryptionMaterialsRequest.builder()
-                .build());
-        SecretKey contentKey = materials.dataKey();
-        // Encrypt content
-        byte[] iv = new byte[12]; // default GCM IV length
-        new SecureRandom().nextBytes(iv);
-
-        final String contentEncryptionAlgorithm = "AES/GCM/NoPadding";
-        final Cipher cipher;
-        try {
-            cipher = Cipher.getInstance(contentEncryptionAlgorithm);
-            cipher.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, iv));
-        } catch (NoSuchAlgorithmException
-                 | NoSuchPaddingException
-                 | InvalidAlgorithmParameterException
-                 | InvalidKeyException e) {
-            throw new RuntimeException(e);
-        }
+            throws AwsServiceException, SdkClientException {
 
-        byte[] ciphertext;
-        try {
-            byte[] input = IoUtils.toByteArray(requestBody.contentStreamProvider().newStream());
-            ciphertext = cipher.doFinal(input);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        } catch (IllegalBlockSizeException e) {
-            throw new RuntimeException(e);
-        } catch (BadPaddingException e) {
-            throw new RuntimeException(e);
-        }
-
-        // Save content metadata into request
-        Base64.Encoder encoder = Base64.getEncoder();
-        Map<String,String> metadata = new HashMap<>(putObjectRequest.metadata());
-        EncryptedDataKey edk = materials.encryptedDataKeys().get(0);
-        metadata.put("x-amz-key-v2", encoder.encodeToString(edk.ciphertext()));
-        metadata.put("x-amz-iv", encoder.encodeToString(iv));
-        metadata.put("x-amz-matdesc", /* TODO: JSON encoded */ "{}");
-        metadata.put("x-amz-cek-alg", contentEncryptionAlgorithm);
-        metadata.put("x-amz-tag-len", /* TODO: take from algo suite */ "128");
-        metadata.put("x-amz-wrap-alg", edk.keyProviderId());
-
-        try (JsonWriter jsonWriter = JsonWriter.create()) {
-            jsonWriter.writeStartObject();
-            for (Entry<String,String> entry : materials.encryptionContext().entrySet()) {
-                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
-            }
-            jsonWriter.writeEndObject();
-
-            String jsonEncryptionContext = new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
-            metadata.put("x-amz-matdesc", jsonEncryptionContext);
-        } catch (JsonGenerationException e) {
-            throw new RuntimeException(e);
-        }
-
-        putObjectRequest = putObjectRequest.toBuilder().metadata(metadata).build();
+        PutEncryptedObjectPipeline pipeline = PutEncryptedObjectPipeline.builder()
+                .s3Client(_wrappedClient)
+                .materialsManager(_materialsManager)
+                .build();
 
-        return _wrappedClient.putObject(putObjectRequest, RequestBody.fromBytes(ciphertext));
+        return pipeline.putObject(putObjectRequest, requestBody);
     }
 
     @Override
-    public <T> T getObject(GetObjectRequest getObjectRequest, ResponseTransformer<GetObjectResponse, T> responseTransformer)
-            throws NoSuchKeyException, InvalidObjectStateException, AwsServiceException, SdkClientException, S3Exception {
+    public <T> T getObject(GetObjectRequest getObjectRequest,
+            ResponseTransformer<GetObjectResponse, T> responseTransformer)
+            throws AwsServiceException, SdkClientException {
 
         // TODO: This is proof-of-concept code and needs to be refactored
 
-        ResponseInputStream<GetObjectResponse> objectStream =  _wrappedClient.getObject(getObjectRequest);
+        ResponseInputStream<GetObjectResponse> objectStream = _wrappedClient.getObject(
+                getObjectRequest);
         byte[] output;
         try {
             output = IoUtils.toByteArray(objectStream);
@@ -169,11 +107,12 @@ public <T> T getObject(GetObjectRequest getObjectRequest, ResponseTransformer<Ge
         final String contentEncryptionAlgorithm = metadata.get("x-amz-cek-alg");
         AlgorithmSuite algorithmSuite = null;
         if (contentEncryptionAlgorithm.equals("AES/GCM/NoPadding")) {
-            algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;;
+            algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;
         }
 
         if (algorithmSuite == null) {
-            throw new RuntimeException("Unknown content encryption algorithm: " + contentEncryptionAlgorithm);
+            throw new RuntimeException(
+                    "Unknown content encryption algorithm: " + contentEncryptionAlgorithm);
         }
 
         DecryptMaterialsRequest request = DecryptMaterialsRequest.builder()

…/encryption/s3/algorithms/Constants.java …on/s3/algorithms/AlgorithmConstants.javasrc/main/java/software/amazon/encryption/s3/algorithms/Constants.java renamed to src/main/java/software/amazon/encryption/s3/algorithms/AlgorithmConstants.java src/main/java/software/amazon/encryption/s3/algorithms/Constants.java renamed to src/main/java/software/amazon/encryption/s3/algorithms/AlgorithmConstants.java

@@ -1,6 +1,6 @@
 package software.amazon.encryption.s3.algorithms;
 
-class Constants {
+class AlgorithmConstants {
     // Maximum length of the content that can be encrypted in GCM mode.
     static final long GCM_MAX_CONTENT_LENGTH_BITS = (1L<<39) - 256;
 }

src/main/java/software/amazon/encryption/s3/algorithms/AlgorithmSuite.java

@@ -9,7 +9,7 @@ public enum AlgorithmSuite {
             128,
             96,
             128,
-            Constants.GCM_MAX_CONTENT_LENGTH_BITS);
+            AlgorithmConstants.GCM_MAX_CONTENT_LENGTH_BITS);
 
     private int _id;
     private String _dataKeyAlgorithm;
@@ -51,6 +51,10 @@ public String cipherName() {
         return _cipherName;
     }
 
+    public int cipherTagLengthBits() {
+        return _cipherTagLengthBits;
+    }
+
     public int nonceLengthBytes() {
         return _cipherNonceLengthBits / 8;
     }

src/main/java/software/amazon/encryption/s3/internal/AesGcmContentEncryptionStrategy.java

@@ -0,0 +1,78 @@
+package software.amazon.encryption.s3.internal;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import software.amazon.awssdk.utils.IoUtils;
+import software.amazon.encryption.s3.S3EncryptionClientException;
+import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
+import software.amazon.encryption.s3.internal.PutEncryptedObjectPipeline.ContentEncryptionStrategy;
+import software.amazon.encryption.s3.internal.PutEncryptedObjectPipeline.EncryptedContent;
+import software.amazon.encryption.s3.materials.EncryptionMaterials;
+
+/**
+ * This class will encrypt data according to the algorithm suite constants
+ */
+public class AesGcmContentEncryptionStrategy implements ContentEncryptionStrategy {
+
+    final private SecureRandom _secureRandom;
+
+    private AesGcmContentEncryptionStrategy(Builder builder) {
+        this._secureRandom = builder._secureRandom;
+    }
+
+    public static Builder builder() { return new Builder(); }
+
+    @Override
+    public EncryptedContent encryptContent(EncryptionMaterials materials, byte[] content) {
+        final AlgorithmSuite algorithmSuite = materials.algorithmSuite();
+
+        final byte[] nonce = new byte[algorithmSuite.nonceLengthBytes()];
+        _secureRandom.nextBytes(nonce);
+
+        final String cipherName = algorithmSuite.cipherName();
+        try {
+            final Cipher cipher = Cipher.getInstance(cipherName);
+
+            cipher.init(Cipher.ENCRYPT_MODE,
+                    materials.dataKey(),
+                    new GCMParameterSpec(algorithmSuite.cipherTagLengthBits(), nonce));
+
+            EncryptedContent result = new EncryptedContent();
+            result.nonce = nonce;
+            result.ciphertext = cipher.doFinal(content);
+
+            return result;
+        } catch (NoSuchAlgorithmException
+                 | NoSuchPaddingException
+                 | InvalidAlgorithmParameterException
+                 | InvalidKeyException
+                 | IllegalBlockSizeException
+                 | BadPaddingException e) {
+            throw new S3EncryptionClientException("Unable to " + cipherName + " content encrypt.", e);
+        }
+    }
+
+    public static class Builder {
+        private SecureRandom _secureRandom = new SecureRandom();
+
+        private Builder() {}
+
+        public Builder secureRandom(SecureRandom secureRandom) {
+            _secureRandom = secureRandom;
+            return this;
+        }
+
+        public AesGcmContentEncryptionStrategy build() {
+            return new AesGcmContentEncryptionStrategy(this);
+        }
+    }
+}

src/main/java/software/amazon/encryption/s3/internal/MetadataKey.java

@@ -0,0 +1,13 @@
+package software.amazon.encryption.s3.internal;
+
+public class MetadataKey {
+    public static final String ENCRYPTED_DATA_KEY = "x-amz-key-v2";
+    // This is the name of the keyring/algorithm e.g. AES/GCM or kms+context
+    public static final String ENCRYPTED_DATA_KEY_ALGORITHM = "x-amz-wrap-alg";
+    public static final String ENCRYPTED_DATA_KEY_CONTEXT = "x-amz-matdesc";
+
+    public static final String CONTENT_NONCE = "x-amz-iv";
+    // This is usually an actual Java cipher e.g. AES/GCM/NoPadding
+    public static final String CONTENT_CIPHER = "x-amz-cek-alg";
+    public static final String CONTENT_CIPHER_TAG_LENGTH = "x-amz-tag-len";
+}

src/main/java/software/amazon/encryption/s3/internal/ObjectMetadataMetadataEncodingStrategy.java

@@ -0,0 +1,71 @@
+package software.amazon.encryption.s3.internal;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
+import software.amazon.awssdk.protocols.jsoncore.JsonWriter.JsonGenerationException;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.encryption.s3.S3EncryptionClientException;
+import software.amazon.encryption.s3.internal.PutEncryptedObjectPipeline.EncryptedContent;
+import software.amazon.encryption.s3.internal.PutEncryptedObjectPipeline.MetadataEncodingStrategy;
+import software.amazon.encryption.s3.materials.EncryptedDataKey;
+import software.amazon.encryption.s3.materials.EncryptionMaterials;
+
+/**
+ * This stores encryption metadata in the S3 object metadata.
+ * The name is not a typo
+ */
+public class ObjectMetadataMetadataEncodingStrategy implements MetadataEncodingStrategy {
+    private final Base64.Encoder _encoder;
+
+    private ObjectMetadataMetadataEncodingStrategy(Builder builder) {
+        this._encoder = builder._encoder;
+    }
+
+    public static Builder builder() { return new Builder(); }
+
+    @Override
+    public PutObjectRequest encodeMetadata(
+            EncryptionMaterials materials,
+            EncryptedContent encryptedContent,
+            PutObjectRequest request) {
+        Map<String,String> metadata = new HashMap<>(request.metadata());
+        EncryptedDataKey edk = materials.encryptedDataKeys().get(0);
+        metadata.put(MetadataKey.ENCRYPTED_DATA_KEY, _encoder.encodeToString(edk.ciphertext()));
+        metadata.put(MetadataKey.CONTENT_NONCE, _encoder.encodeToString(encryptedContent.nonce));
+        metadata.put(MetadataKey.CONTENT_CIPHER, materials.algorithmSuite().cipherName());
+        metadata.put(MetadataKey.CONTENT_CIPHER_TAG_LENGTH, Integer.toString(materials.algorithmSuite().cipherTagLengthBits()));
+        metadata.put(MetadataKey.ENCRYPTED_DATA_KEY_ALGORITHM, edk.keyProviderId());
+
+        try (JsonWriter jsonWriter = JsonWriter.create()) {
+            jsonWriter.writeStartObject();
+            for (Entry<String,String> entry : materials.encryptionContext().entrySet()) {
+                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
+            }
+            jsonWriter.writeEndObject();
+
+            String jsonEncryptionContext = new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
+            metadata.put(MetadataKey.ENCRYPTED_DATA_KEY_CONTEXT, jsonEncryptionContext);
+        } catch (JsonGenerationException e) {
+            throw new S3EncryptionClientException("Cannot serialize encryption context to JSON.", e);
+        }
+
+        return request.toBuilder().metadata(metadata).build();
+    }
+
+    public static class Builder {
+        private Base64.Encoder _encoder = Base64.getEncoder();
+
+        public Builder base64Encoder(Base64.Encoder encoder) {
+            this._encoder = encoder;
+            return this;
+        }
+
+        public ObjectMetadataMetadataEncodingStrategy build() {
+            return new ObjectMetadataMetadataEncodingStrategy(this);
+        }
+    }
+}