Use key provider id to namespace S3 keyring(s).

Author: smswz

src/main/java/software/amazon/encryption/s3/internal/S3ObjectMetadataStrategy.java

@@ -15,6 +15,7 @@
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 import software.amazon.encryption.s3.materials.EncryptedDataKey;
 import software.amazon.encryption.s3.materials.EncryptionMaterials;
+import software.amazon.encryption.s3.materials.S3Keyring;
 
 /**
  * This stores encryption metadata in the S3 object metadata.
@@ -43,7 +44,7 @@ public PutObjectRequest encodeMetadata(
         metadata.put(MetadataKey.CONTENT_NONCE, _encoder.encodeToString(encryptedContent.nonce));
         metadata.put(MetadataKey.CONTENT_CIPHER, materials.algorithmSuite().cipherName());
         metadata.put(MetadataKey.CONTENT_CIPHER_TAG_LENGTH, Integer.toString(materials.algorithmSuite().cipherTagLengthBits()));
-        metadata.put(MetadataKey.ENCRYPTED_DATA_KEY_ALGORITHM, edk.keyProviderId());
+        metadata.put(MetadataKey.ENCRYPTED_DATA_KEY_ALGORITHM, new String(edk.keyProviderInfo(), StandardCharsets.UTF_8));
 
         try (JsonWriter jsonWriter = JsonWriter.create()) {
             jsonWriter.writeStartObject();
@@ -61,32 +62,6 @@ public PutObjectRequest encodeMetadata(
         return request.toBuilder().metadata(metadata).build();
     }
 
-    public PutObjectRequest encodeMetadata(ContentMetadata contentMetadata, PutObjectRequest request) {
-        Map<String,String> requestMetadata = new HashMap<>(request.metadata());
-        EncryptedDataKey edk = contentMetadata.encryptedDataKey();
-        requestMetadata.put(MetadataKey.ENCRYPTED_DATA_KEY_V2, _encoder.encodeToString(edk.ciphertext()));
-        requestMetadata.put(MetadataKey.CONTENT_NONCE, _encoder.encodeToString(
-                contentMetadata.contentNonce()));
-        requestMetadata.put(MetadataKey.CONTENT_CIPHER, contentMetadata.algorithmSuite().cipherName());
-        requestMetadata.put(MetadataKey.CONTENT_CIPHER_TAG_LENGTH, Integer.toString(contentMetadata.algorithmSuite().cipherTagLengthBits()));
-        requestMetadata.put(MetadataKey.ENCRYPTED_DATA_KEY_ALGORITHM, edk.keyProviderId());
-
-        try (JsonWriter jsonWriter = JsonWriter.create()) {
-            jsonWriter.writeStartObject();
-            for (Entry<String,String> entry : contentMetadata.encryptedDataKeyContext().entrySet()) {
-                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
-            }
-            jsonWriter.writeEndObject();
-
-            String jsonEncryptionContext = new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
-            requestMetadata.put(MetadataKey.ENCRYPTED_DATA_KEY_CONTEXT, jsonEncryptionContext);
-        } catch (JsonGenerationException e) {
-            throw new S3EncryptionClientException("Cannot serialize encryption context to JSON.", e);
-        }
-
-        return request.toBuilder().metadata(requestMetadata).build();
-    }
-
     @Override
     public ContentMetadata decodeMetadata(GetObjectResponse response) {
         Map<String, String> metadata = response.metadata();
@@ -106,14 +81,18 @@ public ContentMetadata decodeMetadata(GetObjectResponse response) {
 
         // Do algorithm suite dependent decoding
         byte[] edkCiphertext;
-        String keyProviderId;
+
+        // Currently, this is not stored within the metadata,
+        // signal to keyring(s) intended for S3EC
+        final String keyProviderId = S3Keyring.KEY_PROVIDER_ID;
+        String keyProviderInfo;
         switch (algorithmSuite) {
             case ALG_AES_256_CBC_IV16_NO_KDF:
                 // Extract encrypted data key ciphertext
                 edkCiphertext = _decoder.decode(metadata.get(MetadataKey.ENCRYPTED_DATA_KEY_V1));
 
                 // Hardcode the key provider id to match what V1 does
-                keyProviderId = "AES";
+                keyProviderInfo = "AES";
 
                 break;
             case ALG_AES_256_GCM_IV12_TAG16_NO_KDF:
@@ -127,7 +106,7 @@ public ContentMetadata decodeMetadata(GetObjectResponse response) {
 
                 // Extract encrypted data key ciphertext and provider id
                 edkCiphertext = _decoder.decode(metadata.get(MetadataKey.ENCRYPTED_DATA_KEY_V2));
-                keyProviderId = metadata.get(MetadataKey.ENCRYPTED_DATA_KEY_ALGORITHM);
+                keyProviderInfo = metadata.get(MetadataKey.ENCRYPTED_DATA_KEY_ALGORITHM);
 
                 break;
             default:
@@ -139,6 +118,7 @@ public ContentMetadata decodeMetadata(GetObjectResponse response) {
         EncryptedDataKey edk = EncryptedDataKey.builder()
                 .ciphertext(edkCiphertext)
                 .keyProviderId(keyProviderId)
+                .keyProviderInfo(keyProviderInfo.getBytes(StandardCharsets.UTF_8))
                 .build();
 
         // Get encrypted data key encryption context

src/main/java/software/amazon/encryption/s3/materials/AesKeyring.java

@@ -24,7 +24,7 @@ public class AesKeyring extends S3Keyring {
 
     private final DecryptDataKeyStrategy _aesStrategy = new DecryptDataKeyStrategy() {
 
-        private static final String KEY_PROVIDER_ID = "AES";
+        private static final String KEY_PROVIDER_INFO = "AES";
         private static final String CIPHER_ALGORITHM = "AES";
 
         @Override
@@ -33,8 +33,8 @@ public boolean isLegacy() {
         }
 
         @Override
-        public String keyProviderId() {
-            return KEY_PROVIDER_ID;
+        public String keyProviderInfo() {
+            return KEY_PROVIDER_INFO;
         }
 
         @Override
@@ -48,7 +48,7 @@ public byte[] decryptDataKey(DecryptionMaterials materials, EncryptedDataKey enc
 
     private final DecryptDataKeyStrategy _aesWrapStrategy = new DecryptDataKeyStrategy() {
 
-        private static final String KEY_PROVIDER_ID = "AESWrap";
+        private static final String KEY_PROVIDER_INFO = "AESWrap";
         private static final String CIPHER_ALGORITHM = "AESWrap";
 
         @Override
@@ -57,8 +57,8 @@ public boolean isLegacy() {
         }
 
         @Override
-        public String keyProviderId() {
-            return KEY_PROVIDER_ID;
+        public String keyProviderInfo() {
+            return KEY_PROVIDER_INFO;
         }
 
         @Override
@@ -73,7 +73,7 @@ public byte[] decryptDataKey(DecryptionMaterials materials, EncryptedDataKey enc
 
     private final DataKeyStrategy _aesGcmStrategy = new DataKeyStrategy() {
 
-        private static final String KEY_PROVIDER_ID = "AES/GCM";
+        private static final String KEY_PROVIDER_INFO = "AES/GCM";
         private static final String CIPHER_ALGORITHM = "AES/GCM/NoPadding";
         private static final int NONCE_LENGTH_BYTES = 12;
         private static final int TAG_LENGTH_BYTES = 16;
@@ -85,8 +85,8 @@ public boolean isLegacy() {
         }
 
         @Override
-        public String keyProviderId() {
-            return KEY_PROVIDER_ID;
+        public String keyProviderInfo() {
+            return KEY_PROVIDER_INFO;
         }
 
         @Override
@@ -138,9 +138,9 @@ private AesKeyring(Builder builder) {
 
         _wrappingKey = builder._wrappingKey;
 
-        decryptStrategies.put(_aesStrategy.keyProviderId(), _aesStrategy);
-        decryptStrategies.put(_aesWrapStrategy.keyProviderId(), _aesWrapStrategy);
-        decryptStrategies.put(_aesGcmStrategy.keyProviderId(), _aesGcmStrategy);
+        decryptStrategies.put(_aesStrategy.keyProviderInfo(), _aesStrategy);
+        decryptStrategies.put(_aesWrapStrategy.keyProviderInfo(), _aesWrapStrategy);
+        decryptStrategies.put(_aesGcmStrategy.keyProviderInfo(), _aesGcmStrategy);
     }
 
     public static Builder builder() {

src/main/java/software/amazon/encryption/s3/materials/DecryptDataKeyStrategy.java

@@ -5,7 +5,7 @@
 public interface DecryptDataKeyStrategy {
     boolean isLegacy();
 
-    String keyProviderId();
+    String keyProviderInfo();
 
     byte[] decryptDataKey(DecryptionMaterials materials, EncryptedDataKey encryptedDataKey)
             throws GeneralSecurityException;

src/main/java/software/amazon/encryption/s3/materials/EncryptDataKeyStrategy.java

@@ -2,10 +2,9 @@
 
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
-import java.util.Map;
 
 public interface EncryptDataKeyStrategy {
-    String keyProviderId();
+    String keyProviderInfo();
 
     default EncryptionMaterials modifyMaterials(EncryptionMaterials materials) {
         return materials;

src/main/java/software/amazon/encryption/s3/materials/KmsKeyring.java

@@ -1,7 +1,6 @@
 package software.amazon.encryption.s3.materials;
 
 import java.security.SecureRandom;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.TreeMap;
@@ -28,16 +27,16 @@ public class KmsKeyring extends S3Keyring {
 
     private final DecryptDataKeyStrategy _kmsStrategy = new DecryptDataKeyStrategy() {
 
-        private static final String KEY_PROVIDER_ID = "kms";
+        private static final String KEY_PROVIDER_INFO = "kms";
 
         @Override
         public boolean isLegacy() {
             return true;
         }
 
         @Override
-        public String keyProviderId() {
-            return KEY_PROVIDER_ID;
+        public String keyProviderInfo() {
+            return KEY_PROVIDER_INFO;
         }
 
         @Override
@@ -56,7 +55,7 @@ public byte[] decryptDataKey(DecryptionMaterials materials, EncryptedDataKey enc
 
     private final DataKeyStrategy _kmsContextStrategy = new DataKeyStrategy() {
 
-        private static final String KEY_PROVIDER_ID = "kms+context";
+        private static final String KEY_PROVIDER_INFO = "kms+context";
         private static final String ENCRYPTION_CONTEXT_ALGORITHM_KEY = "aws:x-amz-cek-alg";
 
         @Override
@@ -65,8 +64,8 @@ public boolean isLegacy() {
         }
 
         @Override
-        public String keyProviderId() {
-            return KEY_PROVIDER_ID;
+        public String keyProviderInfo() {
+            return KEY_PROVIDER_INFO;
         }
 
         @Override
@@ -121,8 +120,8 @@ public KmsKeyring(Builder builder) {
         _kmsClient = builder._kmsClient;
         _wrappingKeyId = builder._wrappingKeyId;
 
-        decryptStrategies.put(_kmsStrategy.keyProviderId(), _kmsStrategy);
-        decryptStrategies.put(_kmsContextStrategy.keyProviderId(), _kmsContextStrategy);
+        decryptStrategies.put(_kmsStrategy.keyProviderInfo(), _kmsStrategy);
+        decryptStrategies.put(_kmsContextStrategy.keyProviderInfo(), _kmsContextStrategy);
     }
 
     public static Builder builder() {

src/main/java/software/amazon/encryption/s3/materials/RsaKeyring.java

@@ -26,7 +26,7 @@ public class RsaKeyring extends S3Keyring {
     private final KeyPair _wrappingKeyPair;
 
     private final DecryptDataKeyStrategy _rsaEcbStrategy = new DecryptDataKeyStrategy() {
-        private static final String KEY_PROVIDER_ID = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
+        private static final String KEY_PROVIDER_INFO = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
         private static final String CIPHER_ALGORITHM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
 
         @Override
@@ -35,8 +35,8 @@ public boolean isLegacy() {
         }
 
         @Override
-        public String keyProviderId() {
-            return KEY_PROVIDER_ID;
+        public String keyProviderInfo() {
+            return KEY_PROVIDER_INFO;
         }
 
         @Override
@@ -52,7 +52,7 @@ public byte[] decryptDataKey(DecryptionMaterials materials, EncryptedDataKey enc
 
     private final DataKeyStrategy _rsaOaepStrategy = new DataKeyStrategy() {
 
-        private static final String KEY_PROVIDER_ID = "RSA-OAEP-SHA1";
+        private static final String KEY_PROVIDER_INFO = "RSA-OAEP-SHA1";
         private static final String CIPHER_ALGORITHM = "RSA/ECB/OAEPPadding";
         private static final String DIGEST_NAME = "SHA-1";
         private static final String MGF_NAME = "MGF1";
@@ -68,8 +68,8 @@ public boolean isLegacy() {
         }
 
         @Override
-        public String keyProviderId() {
-            return KEY_PROVIDER_ID;
+        public String keyProviderInfo() {
+            return KEY_PROVIDER_INFO;
         }
 
         @Override
@@ -135,8 +135,8 @@ private RsaKeyring(Builder builder) {
 
         _wrappingKeyPair = builder._wrappingKeyPair;
 
-        decryptStrategies.put(_rsaEcbStrategy.keyProviderId(), _rsaEcbStrategy);
-        decryptStrategies.put(_rsaOaepStrategy.keyProviderId(), _rsaOaepStrategy);
+        decryptStrategies.put(_rsaEcbStrategy.keyProviderInfo(), _rsaEcbStrategy);
+        decryptStrategies.put(_rsaOaepStrategy.keyProviderInfo(), _rsaOaepStrategy);
     }
 
     public static Builder builder() {

src/main/java/software/amazon/encryption/s3/materials/S3Keyring.java

@@ -1,5 +1,6 @@
 package software.amazon.encryption.s3.materials;
 
+import java.nio.charset.StandardCharsets;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.List;
@@ -13,6 +14,8 @@
  */
 abstract public class S3Keyring implements Keyring {
 
+    public static final String KEY_PROVIDER_ID = "S3Keyring";
+
     private final boolean _enableLegacyModes;
     private final SecureRandom _secureRandom;
     private final DataKeyGenerator _dataKeyGenerator;
@@ -39,7 +42,8 @@ public EncryptionMaterials onEncrypt(EncryptionMaterials materials) {
 
             byte[] ciphertext = encryptStrategy.encryptDataKey(_secureRandom, materials);
             EncryptedDataKey encryptedDataKey = EncryptedDataKey.builder()
-                    .keyProviderId(encryptStrategy.keyProviderId())
+                    .keyProviderId(S3Keyring.KEY_PROVIDER_ID)
+                    .keyProviderInfo(encryptStrategy.keyProviderInfo().getBytes(StandardCharsets.UTF_8))
                     .ciphertext(ciphertext)
                     .build();
 
@@ -50,7 +54,7 @@ public EncryptionMaterials onEncrypt(EncryptionMaterials materials) {
                     .encryptedDataKeys(encryptedDataKeys)
                     .build();
         } catch (Exception e) {
-            throw new S3EncryptionClientException("Unable to " + encryptStrategy.keyProviderId() + " wrap", e);
+            throw new S3EncryptionClientException("Unable to " + encryptStrategy.keyProviderInfo() + " wrap", e);
         }
     }
 
@@ -68,21 +72,26 @@ public DecryptionMaterials onDecrypt(final DecryptionMaterials materials, List<E
 
         EncryptedDataKey encryptedDataKey = encryptedDataKeys.get(0);
         final String keyProviderId = encryptedDataKey.keyProviderId();
+        if (!KEY_PROVIDER_ID.equals(keyProviderId)) {
+            throw new S3EncryptionClientException("Unknown key provider: " + keyProviderId);
+        }
+
+        String keyProviderInfo = new String(encryptedDataKey.keyProviderInfo(), StandardCharsets.UTF_8);
 
-        DecryptDataKeyStrategy decryptStrategy = decryptStrategies().get(keyProviderId);
+        DecryptDataKeyStrategy decryptStrategy = decryptStrategies().get(keyProviderInfo);
         if (decryptStrategy == null) {
-            throw new S3EncryptionClientException("Unknown key wrap: " + keyProviderId);
+            throw new S3EncryptionClientException("Unknown key wrap: " + keyProviderInfo);
         }
 
         if (decryptStrategy.isLegacy() && !_enableLegacyModes) {
-            throw new S3EncryptionClientException("Enable legacy modes to use legacy key wrap: " + keyProviderId);
+            throw new S3EncryptionClientException("Enable legacy modes to use legacy key wrap: " + keyProviderInfo);
         }
 
         try {
             byte[] plaintext = decryptStrategy.decryptDataKey(materials, encryptedDataKey);
             return materials.toBuilder().plaintextDataKey(plaintext).build();
         } catch (Exception e) {
-            throw new S3EncryptionClientException("Unable to " + keyProviderId + " unwrap", e);
+            throw new S3EncryptionClientException("Unable to " + keyProviderInfo + " unwrap", e);
         }
     }