Add validation tests to demonstrate that setting enableLegacyWrappingAlgorithms

Anirav Kareddy · Anirav Kareddy · commit aff10d993ac1 · 2025-07-14T12:57:44.000-07:00
on the S3 Encryption Client while passing in a keyring that does not have it enabled will fail
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java
@@ -18,6 +18,7 @@
 import com.amazonaws.services.s3.model.KMSEncryptionMaterials;
 import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
 import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
+import org.bouncycastle.jcajce.provider.symmetric.AES;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import software.amazon.awssdk.core.ResponseBytes;
@@ -28,6 +29,10 @@
 import software.amazon.awssdk.services.s3.model.MetadataDirective;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.encryption.s3.internal.InstructionFileConfig;
+import software.amazon.encryption.s3.materials.AesKeyring;
+import software.amazon.encryption.s3.materials.KmsKeyring;
+import software.amazon.encryption.s3.materials.PartialRsaKeyPair;
+import software.amazon.encryption.s3.materials.RsaKeyring;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
@@ -42,6 +47,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static software.amazon.encryption.s3.S3EncryptionClient.withAdditionalConfiguration;
 import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.BUCKET;
 import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.KMS_KEY_ID;
@@ -962,4 +968,255 @@ public void nullMaterialDescriptionV3() {
         v3Client.close();
 
     }
+
+    @Test
+    public void validateAgainstSettingLegacyWrappingOnClientWithAesKeyringPassedV1toV3() {
+        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-aes-keyring-v1-to-v3");
+        final String input = "Validate Against Setting Legacy Wrapping On Client With AES Keyring V1 to V3";
+
+        EncryptionMaterialsProvider materialsProvider =
+                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
+        CryptoConfiguration v1CryptoConfig =
+                new CryptoConfiguration(CryptoMode.AuthenticatedEncryption);
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+                .withCryptoConfiguration(v1CryptoConfig)
+                .withEncryptionMaterials(materialsProvider)
+                .build();
+
+        v1Client.putObject(BUCKET, objectKey, input);
+
+        AesKeyring aesKeyring = AesKeyring.builder()
+          .wrappingKey(AES_KEY)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(aesKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyUnauthenticatedModes(true)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        try {
+            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
+              .bucket(BUCKET)
+              .key(objectKey));
+            throw new RuntimeException("Expected failure");
+        } catch (Exception e) {
+            assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: AESWrap"));
+        }
+
+        deleteObject(BUCKET, objectKey, v3Client);
+        v3Client.close();
+    }
+
+    @Test
+    public void validateAgainstSettingLegacyWrappingOnClientWithAesKeyringPassedV1toV3EncryptionOnly() {
+        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-aes-keyring-v1-to-v3-encryption-only");
+        final String input = "Validate Against Setting Legacy Wrapping On Client With AES Keyring V1 to V3";
+
+        EncryptionMaterialsProvider materialsProvider =
+          new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
+        CryptoConfiguration v1CryptoConfig =
+          new CryptoConfiguration(CryptoMode.EncryptionOnly);
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+          .withCryptoConfiguration(v1CryptoConfig)
+          .withEncryptionMaterials(materialsProvider)
+          .build();
+
+        v1Client.putObject(BUCKET, objectKey, input);
+
+        AesKeyring aesKeyring = AesKeyring.builder()
+          .wrappingKey(AES_KEY)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(aesKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyUnauthenticatedModes(true)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        try {
+            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
+              .bucket(BUCKET)
+              .key(objectKey));
+            throw new RuntimeException("Expected failure");
+        } catch (Exception e) {
+            assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: AES"));
+        }
+
+        deleteObject(BUCKET, objectKey, v3Client);
+        v3Client.close();
+    }
+
+    @Test
+    public void validateAgainstSettingLegacyWrappingOnClientWithRsaKeyringPassedV1toV3() {
+        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-rsa-keyring-v1-to-v3");
+        final String input = "Validate Against Setting Legacy Wrapping On Client With RSA Keyring V1 to V3";
+
+        EncryptionMaterialsProvider materialsProvider =
+          new StaticEncryptionMaterialsProvider(new EncryptionMaterials(RSA_KEY_PAIR));
+        CryptoConfiguration v1CryptoConfig =
+          new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption);
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+          .withCryptoConfiguration(v1CryptoConfig)
+          .withEncryptionMaterials(materialsProvider)
+          .build();
+
+        v1Client.putObject(BUCKET, objectKey, input);
+
+        PartialRsaKeyPair partialRsaKeyPair = PartialRsaKeyPair.builder()
+          .publicKey(RSA_KEY_PAIR.getPublic())
+          .privateKey(RSA_KEY_PAIR.getPrivate())
+          .build();
+
+        RsaKeyring rsaKeyring = RsaKeyring.builder()
+          .wrappingKeyPair(partialRsaKeyPair)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(rsaKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyUnauthenticatedModes(true)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        try {
+            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
+              .bucket(BUCKET)
+              .key(objectKey));
+            throw new RuntimeException("Expected failure");
+        } catch (Exception e) {
+            assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: RSA/ECB/OAEPWithSHA-256AndMGF1Padding"));
+        }
+
+        deleteObject(BUCKET, objectKey, v3Client);
+        v3Client.close();
+    }
+
+    @Test
+    public void validateAgainstSettingLegacyWrappingOnClientWithRsaKeyringPassedV1toV3EncryptionOnly() {
+        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-rsa-keyring-v1-to-v3-encryption-only");
+        final String input = "Validate Against Setting Legacy Wrapping On Client With RSA Keyring V1 to V3";
+
+        EncryptionMaterialsProvider materialsProvider =
+          new StaticEncryptionMaterialsProvider(new EncryptionMaterials(RSA_KEY_PAIR));
+        CryptoConfiguration v1CryptoConfig =
+          new CryptoConfiguration(CryptoMode.EncryptionOnly);
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+          .withCryptoConfiguration(v1CryptoConfig)
+          .withEncryptionMaterials(materialsProvider)
+          .build();
+
+        v1Client.putObject(BUCKET, objectKey, input);
+
+        PartialRsaKeyPair partialRsaKeyPair = PartialRsaKeyPair.builder()
+          .publicKey(RSA_KEY_PAIR.getPublic())
+          .privateKey(RSA_KEY_PAIR.getPrivate())
+          .build();
+
+        RsaKeyring rsaKeyring = RsaKeyring.builder()
+          .wrappingKeyPair(partialRsaKeyPair)
+          .build();
+
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(rsaKeyring)
+          .wrappedClient(wrappedClient)
+          .enableLegacyUnauthenticatedModes(true)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        try {
+            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
+              .bucket(BUCKET)
+              .key(objectKey));
+            throw new RuntimeException("Expected failure");
+        } catch (Exception e) {
+            assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: RSA"));
+        }
+
+        deleteObject(BUCKET, objectKey, v3Client);
+        v3Client.close();
+    }
+
+    @Test
+    public void validateAgainstSettingLegacyWrappingOnClientWithKmsKeyringPassedV1toV3EncryptionOnly() {
+        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-kms-keyring-v1-to-v3-encryption-only");
+        final String input = "Validate Against Setting Legacy Wrapping On Client With KMS Keyring V1 to V3";
+
+        KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ID);
+        kmsMaterials.addDescription("user-metadata-key", "user-metadata-value-v1-to-v3");
+        EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials);
+
+        CryptoConfiguration v1CryptoConfig =
+          new CryptoConfiguration(CryptoMode.EncryptionOnly);
+
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+          .withCryptoConfiguration(v1CryptoConfig)
+          .withEncryptionMaterials(materialsProvider)
+          .build();
+
+        v1Client.putObject(BUCKET, objectKey, input);
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(KmsKeyring.builder()
+            .wrappingKeyId(KMS_KEY_ID)
+            .build())
+          .wrappedClient(wrappedClient)
+          .enableLegacyUnauthenticatedModes(true)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        try {
+            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
+              .bucket(BUCKET)
+              .key(objectKey));
+            throw new RuntimeException("Expected failure");
+        } catch (Exception e) {
+           assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"));
+        }
+    }
+
+    @Test
+    public void validateAgainstSettingLegacyWrappingOnClientWithKmsKeyringPassedV1toV3() {
+        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-kms-keyring-v1-to-v3");
+        final String input = "Validate Against Setting Legacy Wrapping On Client With KMS Keyring V1 to V3";
+
+        KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ID);
+        kmsMaterials.addDescription("user-metadata-key", "user-metadata-value-v1-to-v3");
+        EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials);
+
+        CryptoConfiguration v1CryptoConfig =
+          new CryptoConfiguration(CryptoMode.AuthenticatedEncryption);
+
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+          .withCryptoConfiguration(v1CryptoConfig)
+          .withEncryptionMaterials(materialsProvider)
+          .build();
+
+        v1Client.putObject(BUCKET, objectKey, input);
+        S3Client wrappedClient = S3Client.create();
+        S3Client v3Client = S3EncryptionClient.builder()
+          .keyring(KmsKeyring.builder()
+            .wrappingKeyId(KMS_KEY_ID)
+            .build())
+          .wrappedClient(wrappedClient)
+          .enableLegacyUnauthenticatedModes(true)
+          .enableLegacyWrappingAlgorithms(true)
+          .build();
+
+        try {
+            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
+              .bucket(BUCKET)
+              .key(objectKey));
+            throw new RuntimeException("Expected failure");
+        } catch (Exception e) {
+           assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"));
+        }
+    }
+
 }
