added public getter function to retrieve whether enableLegacyWrappingAlgorithm was enabled or not for keyring. From there, in the S3EncryptionClient Builder, I checked whether enableLegacyWrappingAlgorithm was set, but was not set for the keyring that was passed; if not, an exception is thrown. The test cases I wrote illustrates this

Anirav Kareddy · Anirav Kareddy · commit c5b8e4133347 · 2025-07-14T22:51:43.000-07:00
diff --git a/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java b/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
@@ -61,6 +61,7 @@
 import software.amazon.encryption.s3.materials.MultipartConfiguration;
 import software.amazon.encryption.s3.materials.PartialRsaKeyPair;
 import software.amazon.encryption.s3.materials.RsaKeyring;
+import software.amazon.encryption.s3.materials.S3Keyring;
 
 import javax.crypto.SecretKey;
 import java.io.IOException;
@@ -1067,6 +1068,12 @@ public S3EncryptionClient build() {
             if (!onlyOneNonNull(_cryptoMaterialsManager, _keyring, _aesKey, _rsaKeyPair, _kmsKeyId)) {
                 throw new S3EncryptionClientException("Exactly one must be set of: crypto materials manager, keyring, AES key, RSA key pair, KMS key id");
             }
+            if (_enableLegacyWrappingAlgorithms && _keyring !=null && _keyring instanceof S3Keyring) {
+                S3Keyring keyring = (S3Keyring) _keyring;
+                if (!keyring.enableLegacyWrappingAlgorithms()) {
+                    throw new S3EncryptionClientException("Legacy wrapping algorithms are not enabled for this keyring");
+                }
+            }
 
             if (_bufferSize >= 0) {
                 if (_enableDelayedAuthenticationMode) {
diff --git a/src/main/java/software/amazon/encryption/s3/materials/S3Keyring.java b/src/main/java/software/amazon/encryption/s3/materials/S3Keyring.java
@@ -33,6 +33,13 @@ protected S3Keyring(Builder<?, ?> builder) {
         _dataKeyGenerator = builder._dataKeyGenerator;
     }
 
+    /**
+     * @return true if legacy wrapping algorithms are enabled, false otherwise
+     */
+    public boolean enableLegacyWrappingAlgorithms() {
+        return _enableLegacyWrappingAlgorithms;
+    }
+
     /**
      * Generates a data key using the provided EncryptionMaterials and the configured DataKeyGenerator.
      * <p>
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java
@@ -971,251 +971,66 @@ public void nullMaterialDescriptionV3() {
 
     @Test
     public void validateAgainstSettingLegacyWrappingOnClientWithAesKeyringPassedV1toV3() {
-        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-aes-keyring-v1-to-v3");
-        final String input = "Validate Against Setting Legacy Wrapping On Client With AES Keyring V1 to V3";
-
-        EncryptionMaterialsProvider materialsProvider =
-                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
-        CryptoConfiguration v1CryptoConfig =
-                new CryptoConfiguration(CryptoMode.AuthenticatedEncryption);
-        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
-                .withCryptoConfiguration(v1CryptoConfig)
-                .withEncryptionMaterials(materialsProvider)
-                .build();
-
-        v1Client.putObject(BUCKET, objectKey, input);
-
-        AesKeyring aesKeyring = AesKeyring.builder()
-          .wrappingKey(AES_KEY)
-          .build();
-
-        S3Client wrappedClient = S3Client.create();
-        S3Client v3Client = S3EncryptionClient.builder()
-          .keyring(aesKeyring)
-          .wrappedClient(wrappedClient)
-          .enableLegacyUnauthenticatedModes(true)
-          .enableLegacyWrappingAlgorithms(true)
-          .build();
-
         try {
-            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
-              .bucket(BUCKET)
-              .key(objectKey));
+            AesKeyring aesKeyring = AesKeyring.builder()
+              .wrappingKey(AES_KEY)
+              .build();
+
+            S3Client wrappedClient = S3Client.create();
+            S3Client v3Client = S3EncryptionClient.builder()
+              .keyring(aesKeyring)
+              .wrappedClient(wrappedClient)
+              .enableLegacyWrappingAlgorithms(true)
+              .enableLegacyUnauthenticatedModes(true)
+              .build();
             throw new RuntimeException("Expected failure");
-        } catch (Exception e) {
-            assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: AESWrap"));
+        } catch (S3EncryptionClientException e) {
+            assertTrue(e.getMessage().contains("Legacy wrapping algorithms are not enabled for this keyring"));
         }
 
-        deleteObject(BUCKET, objectKey, v3Client);
-        v3Client.close();
-    }
-
-    @Test
-    public void validateAgainstSettingLegacyWrappingOnClientWithAesKeyringPassedV1toV3EncryptionOnly() {
-        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-aes-keyring-v1-to-v3-encryption-only");
-        final String input = "Validate Against Setting Legacy Wrapping On Client With AES Keyring V1 to V3";
-
-        EncryptionMaterialsProvider materialsProvider =
-          new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
-        CryptoConfiguration v1CryptoConfig =
-          new CryptoConfiguration(CryptoMode.EncryptionOnly);
-        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
-          .withCryptoConfiguration(v1CryptoConfig)
-          .withEncryptionMaterials(materialsProvider)
-          .build();
-
-        v1Client.putObject(BUCKET, objectKey, input);
-
-        AesKeyring aesKeyring = AesKeyring.builder()
-          .wrappingKey(AES_KEY)
-          .build();
-
-        S3Client wrappedClient = S3Client.create();
-        S3Client v3Client = S3EncryptionClient.builder()
-          .keyring(aesKeyring)
-          .wrappedClient(wrappedClient)
-          .enableLegacyUnauthenticatedModes(true)
-          .enableLegacyWrappingAlgorithms(true)
-          .build();
-
-        try {
-            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
-              .bucket(BUCKET)
-              .key(objectKey));
-            throw new RuntimeException("Expected failure");
-        } catch (Exception e) {
-            assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: AES"));
-        }
-
-        deleteObject(BUCKET, objectKey, v3Client);
-        v3Client.close();
     }
 
     @Test
     public void validateAgainstSettingLegacyWrappingOnClientWithRsaKeyringPassedV1toV3() {
-        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-rsa-keyring-v1-to-v3");
-        final String input = "Validate Against Setting Legacy Wrapping On Client With RSA Keyring V1 to V3";
-
-        EncryptionMaterialsProvider materialsProvider =
-          new StaticEncryptionMaterialsProvider(new EncryptionMaterials(RSA_KEY_PAIR));
-        CryptoConfiguration v1CryptoConfig =
-          new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption);
-        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
-          .withCryptoConfiguration(v1CryptoConfig)
-          .withEncryptionMaterials(materialsProvider)
-          .build();
-
-        v1Client.putObject(BUCKET, objectKey, input);
-
-        PartialRsaKeyPair partialRsaKeyPair = PartialRsaKeyPair.builder()
-          .publicKey(RSA_KEY_PAIR.getPublic())
-          .privateKey(RSA_KEY_PAIR.getPrivate())
-          .build();
-
-        RsaKeyring rsaKeyring = RsaKeyring.builder()
-          .wrappingKeyPair(partialRsaKeyPair)
-          .build();
-
-        S3Client wrappedClient = S3Client.create();
-        S3Client v3Client = S3EncryptionClient.builder()
-          .keyring(rsaKeyring)
-          .wrappedClient(wrappedClient)
-          .enableLegacyUnauthenticatedModes(true)
-          .enableLegacyWrappingAlgorithms(true)
-          .build();
-
         try {
-            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
-              .bucket(BUCKET)
-              .key(objectKey));
+            PartialRsaKeyPair partialRsaKeyPair = PartialRsaKeyPair.builder()
+              .publicKey(RSA_KEY_PAIR.getPublic())
+              .privateKey(RSA_KEY_PAIR.getPrivate())
+              .build();
+
+            RsaKeyring rsaKeyring = RsaKeyring.builder()
+              .wrappingKeyPair(partialRsaKeyPair)
+              .build();
+
+            S3Client wrappedClient = S3Client.create();
+            S3Client v3Client = S3EncryptionClient.builder()
+              .keyring(rsaKeyring)
+              .wrappedClient(wrappedClient)
+              .enableLegacyWrappingAlgorithms(true)
+              .enableLegacyUnauthenticatedModes(true)
+              .build();
             throw new RuntimeException("Expected failure");
-        } catch (Exception e) {
-            assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: RSA/ECB/OAEPWithSHA-256AndMGF1Padding"));
-        }
-
-        deleteObject(BUCKET, objectKey, v3Client);
-        v3Client.close();
-    }
-
-    @Test
-    public void validateAgainstSettingLegacyWrappingOnClientWithRsaKeyringPassedV1toV3EncryptionOnly() {
-        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-rsa-keyring-v1-to-v3-encryption-only");
-        final String input = "Validate Against Setting Legacy Wrapping On Client With RSA Keyring V1 to V3";
-
-        EncryptionMaterialsProvider materialsProvider =
-          new StaticEncryptionMaterialsProvider(new EncryptionMaterials(RSA_KEY_PAIR));
-        CryptoConfiguration v1CryptoConfig =
-          new CryptoConfiguration(CryptoMode.EncryptionOnly);
-        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
-          .withCryptoConfiguration(v1CryptoConfig)
-          .withEncryptionMaterials(materialsProvider)
-          .build();
-
-        v1Client.putObject(BUCKET, objectKey, input);
-
-        PartialRsaKeyPair partialRsaKeyPair = PartialRsaKeyPair.builder()
-          .publicKey(RSA_KEY_PAIR.getPublic())
-          .privateKey(RSA_KEY_PAIR.getPrivate())
-          .build();
-
-        RsaKeyring rsaKeyring = RsaKeyring.builder()
-          .wrappingKeyPair(partialRsaKeyPair)
-          .build();
-
-        S3Client wrappedClient = S3Client.create();
-        S3Client v3Client = S3EncryptionClient.builder()
-          .keyring(rsaKeyring)
-          .wrappedClient(wrappedClient)
-          .enableLegacyUnauthenticatedModes(true)
-          .enableLegacyWrappingAlgorithms(true)
-          .build();
-
-        try {
-            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
-              .bucket(BUCKET)
-              .key(objectKey));
-            throw new RuntimeException("Expected failure");
-        } catch (Exception e) {
-            assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: RSA"));
-        }
-
-        deleteObject(BUCKET, objectKey, v3Client);
-        v3Client.close();
-    }
-
-    @Test
-    public void validateAgainstSettingLegacyWrappingOnClientWithKmsKeyringPassedV1toV3EncryptionOnly() {
-        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-kms-keyring-v1-to-v3-encryption-only");
-        final String input = "Validate Against Setting Legacy Wrapping On Client With KMS Keyring V1 to V3";
-
-        KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ID);
-        kmsMaterials.addDescription("user-metadata-key", "user-metadata-value-v1-to-v3");
-        EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials);
-
-        CryptoConfiguration v1CryptoConfig =
-          new CryptoConfiguration(CryptoMode.EncryptionOnly);
-
-        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
-          .withCryptoConfiguration(v1CryptoConfig)
-          .withEncryptionMaterials(materialsProvider)
-          .build();
-
-        v1Client.putObject(BUCKET, objectKey, input);
-        S3Client wrappedClient = S3Client.create();
-        S3Client v3Client = S3EncryptionClient.builder()
-          .keyring(KmsKeyring.builder()
-            .wrappingKeyId(KMS_KEY_ID)
-            .build())
-          .wrappedClient(wrappedClient)
-          .enableLegacyUnauthenticatedModes(true)
-          .enableLegacyWrappingAlgorithms(true)
-          .build();
-
-        try {
-            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
-              .bucket(BUCKET)
-              .key(objectKey));
-            throw new RuntimeException("Expected failure");
-        } catch (Exception e) {
-           assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"));
+        } catch (S3EncryptionClientException e) {
+            assertTrue(e.getMessage().contains("Legacy wrapping algorithms are not enabled for this keyring"));
         }
     }
 
     @Test
     public void validateAgainstSettingLegacyWrappingOnClientWithKmsKeyringPassedV1toV3() {
-        final String objectKey = appendTestSuffix("validate-against-setting-legacy-wrapping-on-client-with-kms-keyring-v1-to-v3");
-        final String input = "Validate Against Setting Legacy Wrapping On Client With KMS Keyring V1 to V3";
-
-        KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ID);
-        kmsMaterials.addDescription("user-metadata-key", "user-metadata-value-v1-to-v3");
-        EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials);
-
-        CryptoConfiguration v1CryptoConfig =
-          new CryptoConfiguration(CryptoMode.AuthenticatedEncryption);
-
-        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
-          .withCryptoConfiguration(v1CryptoConfig)
-          .withEncryptionMaterials(materialsProvider)
-          .build();
-
-        v1Client.putObject(BUCKET, objectKey, input);
-        S3Client wrappedClient = S3Client.create();
-        S3Client v3Client = S3EncryptionClient.builder()
-          .keyring(KmsKeyring.builder()
-            .wrappingKeyId(KMS_KEY_ID)
-            .build())
-          .wrappedClient(wrappedClient)
-          .enableLegacyUnauthenticatedModes(true)
-          .enableLegacyWrappingAlgorithms(true)
-          .build();
-
         try {
-            ResponseBytes<GetObjectResponse> output = v3Client.getObjectAsBytes(builder -> builder
-              .bucket(BUCKET)
-              .key(objectKey));
-            throw new RuntimeException("Expected failure");
-        } catch (Exception e) {
-           assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"));
+            KmsKeyring kmsKeyring = KmsKeyring.builder()
+              .wrappingKeyId(KMS_KEY_ID)
+              .build();
+
+            S3Client wrappedClient = S3Client.create();
+            S3Client v3Client = S3EncryptionClient.builder()
+              .keyring(kmsKeyring)
+              .wrappedClient(wrappedClient)
+              .enableLegacyWrappingAlgorithms(true)
+              .enableLegacyUnauthenticatedModes(true)
+              .build();
+        } catch (S3EncryptionClientException e) {
+            assertTrue(e.getMessage().contains("Legacy wrapping algorithms are not enabled for this keyring"));
         }
     }
 
