Merge pull request #15 from justplaz/partial-kp

Adds PartialKeyPair for supporting encrypt/decrypt only behavior

Author: kessplas

pom.xml

@@ -142,6 +142,21 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-checkstyle-plugin</artifactId>
+        <version>3.2.0</version>
+        <configuration>
+          <configLocation>utils/checkstyle.xml</configLocation>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
 

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java

@@ -22,6 +22,7 @@
 import software.amazon.encryption.s3.materials.DefaultCryptoMaterialsManager;
 import software.amazon.encryption.s3.materials.Keyring;
 import software.amazon.encryption.s3.materials.KmsKeyring;
+import software.amazon.encryption.s3.materials.PartialRsaKeyPair;
 import software.amazon.encryption.s3.materials.RsaKeyring;
 
 /**
@@ -94,7 +95,7 @@ public static class Builder {
         private CryptographicMaterialsManager _cryptoMaterialsManager;
         private Keyring _keyring;
         private SecretKey _aesKey;
-        private KeyPair _rsaKeyPair;
+        private PartialRsaKeyPair _rsaKeyPair;
         private String _kmsKeyId;
         private boolean _enableLegacyModes = false;
 
@@ -127,7 +128,14 @@ public Builder aesKey(SecretKey aesKey) {
         }
 
         public Builder rsaKeyPair(KeyPair rsaKeyPair) {
-            this._rsaKeyPair = rsaKeyPair;
+            this._rsaKeyPair = new PartialRsaKeyPair(rsaKeyPair);
+            checkKeyOptions();
+
+            return this;
+        }
+
+        public Builder rsaKeyPair(PartialRsaKeyPair partialRsaKeyPair) {
+            this._rsaKeyPair = partialRsaKeyPair;
             checkKeyOptions();
 
             return this;

src/main/java/software/amazon/encryption/s3/materials/PartialKeyPair.java

@@ -0,0 +1,16 @@
+package software.amazon.encryption.s3.materials;
+
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+/**
+ * This interface allows use of key pairs where only one of the public or private keys
+ * has been provided. This allows consumers to be able to e.g. provide only the
+ * public portion of a key pair in the part of their application which puts encrypted
+ * objects into S3 to avoid distributing the private key.
+ */
+public interface PartialKeyPair {
+    PublicKey getPublicKey();
+
+    PrivateKey getPrivateKey();
+}

src/main/java/software/amazon/encryption/s3/materials/PartialRsaKeyPair.java

@@ -0,0 +1,99 @@
+package software.amazon.encryption.s3.materials;
+
+import software.amazon.encryption.s3.S3EncryptionClientException;
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.Objects;
+
+public class PartialRsaKeyPair implements PartialKeyPair {
+    private final PrivateKey _privateKey;
+    private final PublicKey _publicKey;
+
+    private static final String RSA_KEY_ALGORITHM = "RSA";
+
+    public PartialRsaKeyPair(final KeyPair keyPair) {
+        _privateKey = keyPair.getPrivate();
+        _publicKey = keyPair.getPublic();
+
+        validateKeyPair();
+    }
+
+    public PartialRsaKeyPair(final PrivateKey privateKey, final PublicKey publicKey) {
+        _privateKey = privateKey;
+        _publicKey = publicKey;
+
+        validateKeyPair();
+    }
+
+    private void validateKeyPair() {
+        if (_privateKey == null && _publicKey == null) {
+            throw new S3EncryptionClientException("The public key and private cannot both be null. You must provide a " +
+                    "public key, or a private key, or both.");
+        }
+
+        if (_privateKey != null && !_privateKey.getAlgorithm().equals(RSA_KEY_ALGORITHM)) {
+            throw new S3EncryptionClientException("%s is not a supported algorithm. Only RSA keys are supported. Please reconfigure your client with an RSA key.");
+        }
+
+        if (_publicKey != null && !_publicKey.getAlgorithm().equals(RSA_KEY_ALGORITHM)) {
+            throw new S3EncryptionClientException("%s is not a supported algorithm. Only RSA keys are supported. Please reconfigure your client with an RSA key.");
+        }
+    }
+
+    @Override
+    public PublicKey getPublicKey() {
+        if (_publicKey == null) {
+            throw new S3EncryptionClientException("No public key provided. You must configure a public key to be able to" +
+                    " encrypt data.");
+        }
+        return _publicKey;
+    }
+
+    @Override
+    public PrivateKey getPrivateKey() {
+        if (_privateKey == null) {
+            throw new S3EncryptionClientException("No private key provided. You must configure a private key to be able to" +
+                    " decrypt data.");
+        }
+        return _privateKey;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        PartialRsaKeyPair that = (PartialRsaKeyPair) o;
+        return Objects.equals(_privateKey, that._privateKey) && Objects.equals(_publicKey, that._publicKey);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(_privateKey, _publicKey);
+    }
+
+    public static class Builder {
+        private PublicKey _publicKey;
+        private PrivateKey _privateKey;
+
+        private Builder() {}
+
+        public Builder publicKey(final PublicKey publicKey) {
+            _publicKey = publicKey;
+            return this;
+        }
+
+        public Builder privateKey(final PrivateKey privateKey) {
+            _privateKey = privateKey;
+            return this;
+        }
+
+        public PartialRsaKeyPair build() {
+            return new PartialRsaKeyPair(_privateKey, _publicKey);
+        }
+    }
+}

src/main/java/software/amazon/encryption/s3/materials/RsaKeyring.java

@@ -3,7 +3,6 @@
 import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.Key;
-import java.security.KeyPair;
 import java.security.SecureRandom;
 import java.security.spec.MGF1ParameterSpec;
 import java.util.Arrays;
@@ -21,9 +20,7 @@
  */
 public class RsaKeyring extends S3Keyring {
 
-    private static final String KEY_ALGORITHM = "RSA";
-
-    private final KeyPair _wrappingKeyPair;
+    private final PartialRsaKeyPair _partialRsaKeyPair;
 
     private final DecryptDataKeyStrategy _rsaEcbStrategy = new DecryptDataKeyStrategy() {
         private static final String KEY_PROVIDER_INFO = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
@@ -42,7 +39,7 @@ public String keyProviderInfo() {
         @Override
         public byte[] decryptDataKey(DecryptionMaterials materials, byte[] encryptedDataKey) throws GeneralSecurityException {
             final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
-            cipher.init(Cipher.UNWRAP_MODE, _wrappingKeyPair.getPrivate());
+            cipher.init(Cipher.UNWRAP_MODE, _partialRsaKeyPair.getPrivateKey());
 
             Key plaintextKey = cipher.unwrap(encryptedDataKey, CIPHER_ALGORITHM, Cipher.SECRET_KEY);
 
@@ -74,9 +71,9 @@ public String keyProviderInfo() {
 
         @Override
         public byte[] encryptDataKey(SecureRandom secureRandom,
-                EncryptionMaterials materials) throws GeneralSecurityException {
+                                     EncryptionMaterials materials) throws GeneralSecurityException {
             final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
-            cipher.init(Cipher.WRAP_MODE, _wrappingKeyPair.getPublic(), OAEP_PARAMETER_SPEC, secureRandom);
+            cipher.init(Cipher.WRAP_MODE, _partialRsaKeyPair.getPublicKey(), OAEP_PARAMETER_SPEC, secureRandom);
 
             // Create a pseudo-data key with the content encryption appended to the data key
             byte[] dataKey = materials.plaintextDataKey();
@@ -95,7 +92,7 @@ public byte[] encryptDataKey(SecureRandom secureRandom,
         @Override
         public byte[] decryptDataKey(DecryptionMaterials materials, byte[] encryptedDataKey) throws GeneralSecurityException {
             final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
-            cipher.init(Cipher.UNWRAP_MODE, _wrappingKeyPair.getPrivate(), OAEP_PARAMETER_SPEC);
+            cipher.init(Cipher.UNWRAP_MODE, _partialRsaKeyPair.getPrivateKey(), OAEP_PARAMETER_SPEC);
 
             String dataKeyAlgorithm = materials.algorithmSuite().dataKeyAlgorithm();
             Key pseudoDataKey = cipher.unwrap(encryptedDataKey, dataKeyAlgorithm, Cipher.SECRET_KEY);
@@ -133,7 +130,7 @@ private byte[] parsePseudoDataKey(DecryptionMaterials materials, byte[] pseudoDa
     private RsaKeyring(Builder builder) {
         super(builder);
 
-        _wrappingKeyPair = builder._wrappingKeyPair;
+        _partialRsaKeyPair = builder._partialRsaKeyPair;
 
         decryptStrategies.put(_rsaEcbStrategy.keyProviderInfo(), _rsaEcbStrategy);
         decryptStrategies.put(_rsaOaepStrategy.keyProviderInfo(), _rsaOaepStrategy);
@@ -143,7 +140,6 @@ public static Builder builder() {
         return new Builder();
     }
 
-
     @Override
     protected EncryptDataKeyStrategy encryptStrategy() {
         return _rsaOaepStrategy;
@@ -155,7 +151,7 @@ protected Map<String, DecryptDataKeyStrategy> decryptStrategies() {
     }
 
     public static class Builder extends S3Keyring.Builder<S3Keyring, Builder> {
-        private KeyPair _wrappingKeyPair;
+        private PartialRsaKeyPair _partialRsaKeyPair;
 
         private Builder() {
             super();
@@ -166,11 +162,8 @@ protected Builder builder() {
             return this;
         }
 
-        public Builder wrappingKeyPair(KeyPair wrappingKeyPair) {
-            if (!wrappingKeyPair.getPublic().getAlgorithm().equals(KEY_ALGORITHM)) {
-                throw new S3EncryptionClientException("Invalid algorithm '" + wrappingKeyPair.getPublic().getAlgorithm() + "', expecting " + KEY_ALGORITHM);
-            }
-            _wrappingKeyPair = wrappingKeyPair;
+        public Builder wrappingKeyPair(final PartialRsaKeyPair partialRsaKeyPair) {
+            _partialRsaKeyPair = partialRsaKeyPair;
             return builder();
         }
 

src/test/java/software/amazon/encryption/s3/S3EncryptionClientRsaKeyPairTest.java

@@ -0,0 +1,100 @@
+package software.amazon.encryption.s3;
+
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import software.amazon.awssdk.core.ResponseBytes;
+import software.amazon.awssdk.core.sync.RequestBody;
+import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.model.GetObjectResponse;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.encryption.s3.materials.PartialRsaKeyPair;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class S3EncryptionClientRsaKeyPairTest {
+    private static final String BUCKET = System.getenv("AWS_S3EC_TEST_BUCKET");
+
+    private static KeyPair RSA_KEY_PAIR;
+
+    @BeforeAll
+    public static void setUp() throws NoSuchAlgorithmException {
+        KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
+        keyPairGen.initialize(2048);
+        RSA_KEY_PAIR = keyPairGen.generateKeyPair();
+    }
+
+    @Test
+    public void RsaPublicAndPrivateKeys() {
+        final String BUCKET_KEY = "rsa-public-and-private";
+
+        // V3 Client
+        S3Client v3Client = S3EncryptionClient.builder()
+                .rsaKeyPair(RSA_KEY_PAIR)
+                .build();
+
+        // Asserts
+        final String input = "RsaOaepV3toV3";
+        v3Client.putObject(PutObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(BUCKET_KEY)
+                .build(), RequestBody.fromString(input));
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3Client.getObjectAsBytes(builder -> builder
+                .bucket(BUCKET)
+                .key(BUCKET_KEY));
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+    }
+
+    @Test
+    public void RsaPrivateKeyCanOnlyDecrypt() {
+        S3Client v3Client = S3EncryptionClient.builder()
+                .rsaKeyPair(RSA_KEY_PAIR)
+                .build();
+
+        S3Client v3ClientReadOnly = S3EncryptionClient.builder()
+                .rsaKeyPair(new PartialRsaKeyPair(RSA_KEY_PAIR.getPrivate(), null))
+                .build();
+
+        final String input = "RsaOaepV3toV3";
+        v3Client.putObject(PutObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(input)
+                .build(), RequestBody.fromString(input));
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3ClientReadOnly.getObjectAsBytes(builder -> builder
+                .bucket(BUCKET)
+                .key(input));
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+
+        assertThrows(S3EncryptionClientException.class, () -> v3ClientReadOnly.putObject(PutObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(input)
+                .build(), RequestBody.fromString(input)));
+    }
+
+    @Test
+    public void RsaPublicKeyCanOnlyEncrypt() {
+        final String BUCKET_KEY = "rsa-public-key-only";
+        S3Client v3Client = S3EncryptionClient.builder()
+                .rsaKeyPair(new PartialRsaKeyPair(null, RSA_KEY_PAIR.getPublic()))
+                .build();
+
+        v3Client.putObject(PutObjectRequest.builder()
+                .bucket(BUCKET)
+                .key(BUCKET_KEY)
+                .build(), RequestBody.fromString(BUCKET_KEY));
+
+        assertThrows(S3EncryptionClientException.class, () -> v3Client.getObjectAsBytes(builder -> builder
+                .bucket(BUCKET)
+                .key(BUCKET_KEY)));
+    }
+
+
+}