aws
diff --git a/‎src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java‎
Lines changed: 8 additions & 0 deletions b/‎src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/main/java/software/amazon/encryption/s3/internal/BufferedAesGcmContentStrategy.java‎
Lines changed: 14 additions & 31 deletions b/‎src/main/java/software/amazon/encryption/s3/internal/BufferedAesGcmContentStrategy.java‎
Lines changed: 14 additions & 31 deletions
diff --git a/‎src/main/java/software/amazon/encryption/s3/internal/CryptoFactory.java‎
Lines changed: 36 additions & 0 deletions b/‎src/main/java/software/amazon/encryption/s3/internal/CryptoFactory.java‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎src/main/java/software/amazon/encryption/s3/legacy/internal/UnauthenticatedContentStrategy.java‎
Lines changed: 2 additions & 1 deletion b/‎src/main/java/software/amazon/encryption/s3/legacy/internal/UnauthenticatedContentStrategy.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/main/java/software/amazon/encryption/s3/materials/AesKeyring.java‎
Lines changed: 5 additions & 4 deletions b/‎src/main/java/software/amazon/encryption/s3/materials/AesKeyring.java‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎src/main/java/software/amazon/encryption/s3/materials/DataKeyGenerator.java‎
Lines changed: 3 additions & 1 deletion b/‎src/main/java/software/amazon/encryption/s3/materials/DataKeyGenerator.java‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/main/java/software/amazon/encryption/s3/materials/DecryptionMaterials.java‎
Lines changed: 15 additions & 1 deletion b/‎src/main/java/software/amazon/encryption/s3/materials/DecryptionMaterials.java‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎src/main/java/software/amazon/encryption/s3/materials/DefaultCryptoMaterialsManager.java‎
Lines changed: 12 additions & 1 deletion b/‎src/main/java/software/amazon/encryption/s3/materials/DefaultCryptoMaterialsManager.java‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎src/main/java/software/amazon/encryption/s3/materials/DefaultDataKeyGenerator.java‎
Lines changed: 6 additions & 11 deletions b/‎src/main/java/software/amazon/encryption/s3/materials/DefaultDataKeyGenerator.java‎
Lines changed: 6 additions & 11 deletions
@@ -3,6 +3,7 @@
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 import java.security.KeyPair;
+import java.security.Provider;
 import java.util.ArrayList;
 import java.util.List;
 import java.security.SecureRandom;
@@ -148,6 +149,7 @@ public static class Builder {
         private String _kmsKeyId;
         private boolean _enableLegacyUnauthenticatedModes = false;
         private boolean _enableDelayedAuthenticationMode = false;
+        private Provider _cryptoProvider = null;
         private SecureRandom _secureRandom = new SecureRandom();
 
         private Builder() {
@@ -243,6 +245,11 @@ public Builder enableDelayedAuthenticationMode(boolean shouldEnableDelayedAuthen
             return this;
         }
 
+        public Builder cryptoProvider(Provider cryptoProvider) {
+            this._cryptoProvider = cryptoProvider;
+            return this;
+        }
+           
         public Builder secureRandom(SecureRandom secureRandom) {
             if (secureRandom == null) {
                 throw new S3EncryptionClientException("SecureRandom provided to S3EncryptionClient cannot be null");
@@ -281,6 +288,7 @@ public S3EncryptionClient build() {
             if (_cryptoMaterialsManager == null) {
                 _cryptoMaterialsManager = DefaultCryptoMaterialsManager.builder()
                         .keyring(_keyring)
+                        .cryptoPovider(_cryptoProvider)
                         .build();
             }
 
 
@@ -1,29 +1,22 @@
 package software.amazon.encryption.s3.internal;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-
-import javax.crypto.BadPaddingException;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.GCMParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
-
 import software.amazon.awssdk.utils.IoUtils;
 import software.amazon.encryption.s3.S3EncryptionClientException;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 import software.amazon.encryption.s3.materials.DecryptionMaterials;
 import software.amazon.encryption.s3.materials.EncryptionMaterials;
 
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+
 /**
  * This class will encrypt data according to the algorithm suite constants
  */
@@ -52,7 +45,7 @@ public EncryptedContent encryptContent(EncryptionMaterials materials, byte[] con
 
         final String cipherName = algorithmSuite.cipherName();
         try {
-            final Cipher cipher = Cipher.getInstance(cipherName);
+            final Cipher cipher = CryptoFactory.createCipher(algorithmSuite.cipherName(), materials.cryptoProvider());
 
             cipher.init(Cipher.ENCRYPT_MODE,
                     materials.dataKey(),
@@ -63,12 +56,7 @@ public EncryptedContent encryptContent(EncryptionMaterials materials, byte[] con
             result.ciphertext = cipher.doFinal(content);
 
             return result;
-        } catch (NoSuchAlgorithmException
-                 | NoSuchPaddingException
-                 | InvalidAlgorithmParameterException
-                 | InvalidKeyException
-                 | IllegalBlockSizeException
-                 | BadPaddingException e) {
+        } catch (GeneralSecurityException e) {
             throw new S3EncryptionClientException("Unable to " + cipherName + " content encrypt.", e);
         }
     }
@@ -101,15 +89,10 @@ public InputStream decryptContent(ContentMetadata contentMetadata, DecryptionMat
         final Cipher cipher;
         byte[] plaintext;
         try {
-            cipher = Cipher.getInstance(algorithmSuite.cipherName());
+            cipher = CryptoFactory.createCipher(algorithmSuite.cipherName(), materials.cryptoProvider());
             cipher.init(Cipher.DECRYPT_MODE, contentKey, new GCMParameterSpec(tagLength, iv));
             plaintext = cipher.doFinal(ciphertext);
-        } catch (NoSuchAlgorithmException
-                 | NoSuchPaddingException
-                 | InvalidAlgorithmParameterException
-                 | InvalidKeyException
-                 | IllegalBlockSizeException
-                 | BadPaddingException e) {
+        } catch (GeneralSecurityException e) {
             throw new S3EncryptionClientException("Unable to " + algorithmSuite.cipherName() + " content decrypt.", e);
         }
 
 
@@ -0,0 +1,36 @@
+package software.amazon.encryption.s3.internal;
+
+import software.amazon.encryption.s3.S3EncryptionClientException;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.NoSuchPaddingException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+
+public class CryptoFactory {
+    public static Cipher createCipher(String algorithm, Provider provider)
+            throws NoSuchPaddingException, NoSuchAlgorithmException {
+        // if the user has specified a provider, go with that.
+        if (provider != null) {
+            return Cipher.getInstance(algorithm, provider);
+        }
+
+        // Otherwise, go with the default provider.
+        return Cipher.getInstance(algorithm);
+    }
+
+    public  static KeyGenerator generateKey(String algorithm, Provider provider) {
+        KeyGenerator generator;
+        try {
+            if (provider == null) {
+                generator = KeyGenerator.getInstance(algorithm);
+            } else {
+                generator = KeyGenerator.getInstance(algorithm, provider);
+            }
+        }  catch (NoSuchAlgorithmException e) {
+            throw new S3EncryptionClientException("Unable to generate a(n) " + algorithm + " data key", e);
+        }
+        return generator;
+    }
+}
@@ -12,6 +12,7 @@
 import software.amazon.encryption.s3.internal.CipherInputStream;
 import software.amazon.encryption.s3.internal.ContentDecryptionStrategy;
 import software.amazon.encryption.s3.internal.ContentMetadata;
+import software.amazon.encryption.s3.internal.CryptoFactory;
 import software.amazon.encryption.s3.materials.DecryptionMaterials;
 
 /**
@@ -39,7 +40,7 @@ public InputStream decryptContent(ContentMetadata contentMetadata, DecryptionMat
         SecretKey contentKey = new SecretKeySpec(materials.plaintextDataKey(), algorithmSuite.dataKeyAlgorithm());
         try {
             // TODO: Allow configurable Cryptographic provider
-            final Cipher cipher = Cipher.getInstance(algorithmSuite.cipherName());
+            final Cipher cipher = CryptoFactory.createCipher(algorithmSuite.cipherName(), materials.cryptoProvider());
             cipher.init(Cipher.DECRYPT_MODE, contentKey, new IvParameterSpec(iv));
             InputStream plaintext = new CipherInputStream(ciphertextStream, cipher);
             return RangedGetUtils.adjustToDesiredRange(plaintext, desiredRange, contentMetadata.contentRange(), algorithmSuite.cipherTagLengthBits());
 
@@ -12,6 +12,7 @@
 
 import software.amazon.encryption.s3.S3EncryptionClientException;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
+import software.amazon.encryption.s3.internal.CryptoFactory;
 
 /**
  * This keyring can wrap keys with the active keywrap algorithm and
@@ -40,7 +41,7 @@ public String keyProviderInfo() {
 
         @Override
         public byte[] decryptDataKey(DecryptionMaterials materials, byte[] encryptedDataKey) throws GeneralSecurityException {
-            Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
+            final Cipher cipher = CryptoFactory.createCipher(CIPHER_ALGORITHM, materials.cryptoProvider());
             cipher.init(Cipher.DECRYPT_MODE, _wrappingKey);
 
             return cipher.doFinal(encryptedDataKey);
@@ -64,7 +65,7 @@ public String keyProviderInfo() {
 
         @Override
         public byte[] decryptDataKey(DecryptionMaterials materials, byte[] encryptedDataKey) throws GeneralSecurityException {
-            final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
+            final Cipher cipher = CryptoFactory.createCipher(CIPHER_ALGORITHM, materials.cryptoProvider());
             cipher.init(Cipher.UNWRAP_MODE, _wrappingKey);
 
             Key plaintextKey = cipher.unwrap(encryptedDataKey, CIPHER_ALGORITHM, Cipher.SECRET_KEY);
@@ -98,7 +99,7 @@ public byte[] encryptDataKey(SecureRandom secureRandom,
             secureRandom.nextBytes(nonce);
             GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_BITS, nonce);
 
-            final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
+            final Cipher cipher = CryptoFactory.createCipher(CIPHER_ALGORITHM, materials.cryptoProvider());
             cipher.init(Cipher.ENCRYPT_MODE, _wrappingKey, gcmParameterSpec, secureRandom);
 
             final byte[] aADBytes = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF.cipherName().getBytes(StandardCharsets.UTF_8);
@@ -123,7 +124,7 @@ public byte[] decryptDataKey(DecryptionMaterials materials, byte[] encryptedData
             System.arraycopy(encodedBytes, nonce.length, ciphertext, 0, ciphertext.length);
 
             GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_BITS, nonce);
-            final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
+            final Cipher cipher = CryptoFactory.createCipher(CIPHER_ALGORITHM, materials.cryptoProvider());
             cipher.init(Cipher.DECRYPT_MODE, _wrappingKey, gcmParameterSpec);
 
             final byte[] aADBytes = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF.cipherName().getBytes(StandardCharsets.UTF_8);
 
@@ -3,7 +3,9 @@
 import javax.crypto.SecretKey;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 
+import java.security.Provider;
+
 @FunctionalInterface
 public interface DataKeyGenerator {
-    SecretKey generateDataKey(AlgorithmSuite algorithmSuite);
+    SecretKey generateDataKey(AlgorithmSuite algorithmSuite, Provider provider);
 }
@@ -2,6 +2,7 @@
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
+import java.security.Provider;
 import java.util.Collections;
 import java.util.Map;
 
@@ -26,13 +27,15 @@ final public class DecryptionMaterials implements CryptographicMaterials {
     private final byte[] _plaintextDataKey;
 
     private long _ciphertextLength;
+    private Provider _cryptoProvider;
 
     private DecryptionMaterials(Builder builder) {
         this._s3Request = builder._s3Request;
         this._algorithmSuite = builder._algorithmSuite;
         this._encryptionContext = builder._encryptionContext;
         this._plaintextDataKey = builder._plaintextDataKey;
         this._ciphertextLength = builder._ciphertextLength;
+        this._cryptoProvider = builder._cryptoProvider;
     }
 
     static public Builder builder() {
@@ -68,6 +71,10 @@ public SecretKey dataKey() {
         return new SecretKeySpec(_plaintextDataKey, "AES");
     }
 
+    public Provider cryptoProvider() {
+        return _cryptoProvider;
+    }
+
     public long ciphertextLength() {
         return _ciphertextLength;
     }
@@ -78,12 +85,14 @@ public Builder toBuilder() {
                 .algorithmSuite(_algorithmSuite)
                 .encryptionContext(_encryptionContext)
                 .plaintextDataKey(_plaintextDataKey)
-                .ciphertextLength(_ciphertextLength);
+                .ciphertextLength(_ciphertextLength)
+                .cryptoProvider(_cryptoProvider);
     }
 
     static public class Builder {
 
         public GetObjectRequest _s3Request = null;
+        private Provider _cryptoProvider = null;
         private AlgorithmSuite _algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;
         private Map<String, String> _encryptionContext = Collections.emptyMap();
         private byte[] _plaintextDataKey = null;
@@ -119,6 +128,11 @@ public Builder ciphertextLength(long ciphertextLength) {
             return this;
         }
 
+        public Builder cryptoProvider(Provider cryptoProvider) {
+            _cryptoProvider = cryptoProvider;
+            return this;
+        }
+
         public DecryptionMaterials build() {
             return new DecryptionMaterials(this);
         }
 
@@ -2,12 +2,15 @@
 
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 
+import java.security.Provider;
+
 public class DefaultCryptoMaterialsManager implements CryptographicMaterialsManager {
     private final Keyring _keyring;
-
+    private final Provider _cryptoProvider;
 
     private DefaultCryptoMaterialsManager(Builder builder) {
         _keyring = builder._keyring;
+        _cryptoProvider = builder._cryptoProvider;
     }
 
     public static Builder builder() {
@@ -19,6 +22,7 @@ public EncryptionMaterials getEncryptionMaterials(EncryptionMaterialsRequest req
                 .s3Request(request.s3Request())
                 .algorithmSuite(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
                 .encryptionContext(request.encryptionContext())
+                .cryptoProvider(_cryptoProvider)
                 .build();
 
         return _keyring.onEncrypt(materials);
@@ -30,13 +34,15 @@ public DecryptionMaterials decryptMaterials(DecryptMaterialsRequest request) {
                 .algorithmSuite(request.algorithmSuite())
                 .encryptionContext(request.encryptionContext())
                 .ciphertextLength(request.ciphertextLength())
+                .cryptoProvider(_cryptoProvider)
                 .build();
 
         return _keyring.onDecrypt(materials, request.encryptedDataKeys());
     }
 
     public static class Builder {
         private Keyring _keyring;
+        private Provider _cryptoProvider;
 
         private Builder() {}
 
@@ -45,6 +51,11 @@ public Builder keyring(Keyring keyring) {
             return this;
         }
 
+        public Builder cryptoPovider(Provider cryptoProvider) {
+            this._cryptoProvider = cryptoProvider;
+            return this;
+        }
+
         public DefaultCryptoMaterialsManager build() {
             return new DefaultCryptoMaterialsManager(this);
         }
 
@@ -1,21 +1,16 @@
 package software.amazon.encryption.s3.materials;
 
-import java.security.NoSuchAlgorithmException;
+import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
+import software.amazon.encryption.s3.internal.CryptoFactory;
+
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
-import software.amazon.encryption.s3.S3EncryptionClientException;
-import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
+import java.security.Provider;
 
 public class DefaultDataKeyGenerator implements DataKeyGenerator {
 
-    public SecretKey generateDataKey(AlgorithmSuite algorithmSuite) {
-        KeyGenerator generator;
-        try {
-            generator = KeyGenerator.getInstance(algorithmSuite.dataKeyAlgorithm());
-        } catch (NoSuchAlgorithmException e) {
-            throw new S3EncryptionClientException("Unable to generate a(n) " + algorithmSuite.dataKeyAlgorithm() + " data key", e);
-        }
-
+    public SecretKey generateDataKey(AlgorithmSuite algorithmSuite, Provider provider) {
+        KeyGenerator generator = CryptoFactory.generateKey(algorithmSuite.dataKeyAlgorithm(), provider);
         generator.init(algorithmSuite.dataKeyLengthBits());
         return generator.generateKey();
     }