feat(Examples): Create raw AES and RSA keyring examples (#169)

Author: lucasmcdonald3

Examples/runtimes/java/DynamoDbEncryption/build.gradle.kts

@@ -64,6 +64,8 @@ dependencies {
     implementation("software.amazon.awssdk:dynamodb-enhanced")
     implementation("software.amazon.awssdk:kms")
 
+    implementation("org.bouncycastle:bcprov-jdk18on:1.72")
+
     // https://mvnrepository.com/artifact/org.testng/testng
     testImplementation("org.testng:testng:7.5")
 }

Examples/runtimes/java/DynamoDbEncryption/src/main/java/software/aws/cryptography/examples/ExampleBranchKeyIdSupplier.java renamed to Examples/runtimes/java/DynamoDbEncryption/src/main/java/software/aws/cryptography/examples/keyring/ExampleBranchKeyIdSupplier.java

@@ -1,4 +1,4 @@
-package software.aws.cryptography.examples;
+package software.aws.cryptography.examples.keyring;
 
 import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
 import software.amazon.cryptography.dbencryptionsdk.dynamodb.IDynamoDbKeyBranchKeyIdSupplier;

Examples/runtimes/java/DynamoDbEncryption/src/main/java/software/aws/cryptography/examples/HierarchicalKeyringExample.java renamed to Examples/runtimes/java/DynamoDbEncryption/src/main/java/software/aws/cryptography/examples/keyring/HierarchicalKeyringExample.java

@@ -1,4 +1,4 @@
-package software.aws.cryptography.examples;
+package software.aws.cryptography.examples.keyring;
 
 import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
 import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
@@ -17,7 +17,6 @@
 import software.amazon.cryptography.materialproviders.IKeyring;
 import software.amazon.cryptography.materialproviders.MaterialProviders;
 import software.amazon.cryptography.materialproviders.model.CreateAwsKmsHierarchicalKeyringInput;
-import software.amazon.cryptography.materialproviders.model.CreateAwsKmsMrkMultiKeyringInput;
 import software.amazon.cryptography.materialproviders.model.MaterialProvidersConfig;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.CryptoAction;
 import software.aws.cryptography.dbencryptionsdk.dynamodb.DynamoDbEncryptionInterceptor;

Examples/runtimes/java/DynamoDbEncryption/src/main/java/software/aws/cryptography/examples/keyring/RawAesKeyringExample.java

@@ -0,0 +1,201 @@
+package software.aws.cryptography.examples.keyring;
+
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.HashMap;
+import java.util.Map;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
+import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
+import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
+import software.amazon.awssdk.services.dynamodb.model.GetItemRequest;
+import software.amazon.awssdk.services.dynamodb.model.GetItemResponse;
+import software.amazon.awssdk.services.dynamodb.model.PutItemRequest;
+import software.amazon.awssdk.services.dynamodb.model.PutItemResponse;
+import software.amazon.cryptography.dbencryptionsdk.dynamodb.model.DynamoDbTableEncryptionConfig;
+import software.amazon.cryptography.dbencryptionsdk.dynamodb.model.DynamoDbTablesEncryptionConfig;
+import software.amazon.cryptography.materialproviders.IKeyring;
+import software.amazon.cryptography.materialproviders.MaterialProviders;
+import software.amazon.cryptography.materialproviders.model.AesWrappingAlg;
+import software.amazon.cryptography.materialproviders.model.CreateRawAesKeyringInput;
+import software.amazon.cryptography.materialproviders.model.MaterialProvidersConfig;
+import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.CryptoAction;
+import software.aws.cryptography.dbencryptionsdk.dynamodb.DynamoDbEncryptionInterceptor;
+
+/*
+  This example sets up DynamoDb Encryption for the AWS SDK client
+  using the raw AES Keyring. This keyring takes in an AES key
+  and uses that key to protect the data keys that encrypt and
+  decrypt DynamoDb table items.
+
+  This example takes in an `aesKeyBytes` parameter. This parameter
+  should be a ByteBuffer representing a 256-bit AES key. If this example
+  is run through the class' main method, it will create a new key.
+  In practice, users of this library should not randomly generate a key,
+  and should instead retrieve an existing key from a secure key
+  management system (e.g. an HSM).
+
+  This example encrypts a test item using the provided AES key and puts the
+  encrypted item to the provided DynamoDb table. Then, it gets the
+  item from the table and decrypts it.
+
+  Running this example requires access to the DDB Table whose name
+  is provided in CLI arguments.
+  This table must be configured with the following
+  primary key configuration:
+    - Partition key is named "partition_key" with type (S)
+    - Sort key is named "sort_key" with type (S)
+ */
+public class RawAesKeyringExample {
+
+    public static void RawAesKeyringGetItemPutItem(String ddbTableName, ByteBuffer aesKeyBytes) {
+        // 1. Create the keyring.
+        //    The DynamoDb encryption client uses this to encrypt and decrypt items.
+        final CreateRawAesKeyringInput keyringInput = CreateRawAesKeyringInput.builder()
+            .keyName("my-aes-key-name")
+            .keyNamespace("my-key-namespace")
+            .wrappingKey(aesKeyBytes)
+            .wrappingAlg(AesWrappingAlg.ALG_AES256_GCM_IV12_TAG16)
+            .build();
+        final MaterialProviders matProv = MaterialProviders.builder()
+            .MaterialProvidersConfig(MaterialProvidersConfig.builder().build())
+            .build();
+        IKeyring rawAesKeyring = matProv.CreateRawAesKeyring(keyringInput);
+
+        // 2. Configure which attributes are encrypted and/or signed when writing new items.
+        //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
+        //    we must explicitly configure how they should be treated during item encryption:
+        //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
+        //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
+        //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
+        final Map<String, CryptoAction> attributeActions = new HashMap<>();
+        attributeActions.put("partition_key", CryptoAction.SIGN_ONLY); // Our partition attribute must be SIGN_ONLY
+        attributeActions.put("sort_key", CryptoAction.SIGN_ONLY); // Our sort attribute must be SIGN_ONLY
+        attributeActions.put("sensitive_data", CryptoAction.ENCRYPT_AND_SIGN);
+
+        // 3. Configure which attributes we expect to be included in the signature
+        //    when reading items. There are two options for configuring this:
+        //
+        //    - (Recommended) Configure `allowedUnauthenticatedAttributesPrefix`:
+        //      When defining your DynamoDb schema and deciding on attribute names,
+        //      choose a distinguishing prefix (such as ":") for all attributes that
+        //      you do not want to include in the signature.
+        //      This has two main benefits:
+        //      - It is easier to reason about the security and authenticity of data within your item
+        //        when all unauthenticated data is easily distinguishable by their attribute name.
+        //      - If you need to add new unauthenticated attributes in the future,
+        //        you can easily make the corresponding update to your `attributeActions`
+        //        and immediately start writing to that new attribute, without
+        //        any other configuration update needed.
+        //      Once you configure this field, it is not safe to update it.
+        //
+        //    - Configure `allowedUnauthenticatedAttributes`: You may also explicitly list
+        //      a set of attributes that should be considered unauthenticated when encountered
+        //      on read. Be careful if you use this configuration. Do not remove an attribute
+        //      name from this configuration, even if you are no longer writing with that attribute,
+        //      as old items may still include this attribute, and our configuration needs to know
+        //      to continue to exclude this attribute from the signature scope.
+        //      If you add new attribute names to this field, you must first deploy the update to this
+        //      field to all readers in your host fleet before deploying the update to start writing
+        //      with that new attribute.
+        //
+        //   For this example, we currently authenticate all attributes. To make it easier to
+        //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
+        final String unauthAttrPrefix = ":";
+
+        // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
+        final Map<String, DynamoDbTableEncryptionConfig> tableConfigs = new HashMap<>();
+        final DynamoDbTableEncryptionConfig config = DynamoDbTableEncryptionConfig.builder()
+                .logicalTableName(ddbTableName)
+                .partitionKeyName("partition_key")
+                .sortKeyName("sort_key")
+                .attributeActions(attributeActions)
+                .keyring(rawAesKeyring)
+                .allowedUnauthenticatedAttributePrefix(unauthAttrPrefix)
+                .build();
+        tableConfigs.put(ddbTableName, config);
+
+        // 5. Create the DynamoDb Encryption Interceptor
+        DynamoDbEncryptionInterceptor encryptionInterceptor = DynamoDbEncryptionInterceptor.builder()
+                .config(DynamoDbTablesEncryptionConfig.builder()
+                        .tableEncryptionConfigs(tableConfigs)
+                        .build())
+                .build();
+
+        // 6. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
+        final DynamoDbClient ddb = DynamoDbClient.builder()
+                .overrideConfiguration(
+                        ClientOverrideConfiguration.builder()
+                                .addExecutionInterceptor(encryptionInterceptor)
+                                .build())
+                .build();
+
+        // 7. Put an item into our table using the above client.
+        //    Before the item gets sent to DynamoDb, it will be encrypted
+        //    client-side, according to our configuration.
+        final HashMap<String, AttributeValue> item = new HashMap<>();
+        item.put("partition_key", AttributeValue.builder().s("rawAesKeyringItem").build());
+        item.put("sort_key", AttributeValue.builder().n("0").build());
+        item.put("sensitive_data", AttributeValue.builder().s("encrypt and sign me!").build());
+
+        final PutItemRequest putRequest = PutItemRequest.builder()
+                .tableName(ddbTableName)
+                .item(item)
+                .build();
+
+        final PutItemResponse putResponse = ddb.putItem(putRequest);
+
+        // Demonstrate that PutItem succeeded
+        assert 200 == putResponse.sdkHttpResponse().statusCode();
+
+        // 8. Get the item back from our table using the same client.
+        //    The client will decrypt the item client-side, and return
+        //    back the original item.
+        final HashMap<String, AttributeValue> keyToGet = new HashMap<>();
+        keyToGet.put("partition_key", AttributeValue.builder().s("rawAesKeyringItem").build());
+        keyToGet.put("sort_key", AttributeValue.builder().n("0").build());
+
+        final GetItemRequest getRequest = GetItemRequest.builder()
+                .key(keyToGet)
+                .tableName(ddbTableName)
+                .build();
+
+        final GetItemResponse getResponse = ddb.getItem(getRequest);
+
+        // Demonstrate that GetItem succeeded and returned the decrypted item
+        assert 200 == getResponse.sdkHttpResponse().statusCode();
+        final Map<String, AttributeValue> returnedItem = getResponse.item();
+        assert returnedItem.get("sensitive_data").s().equals("encrypt and sign me!");
+    }
+
+    public static void main(final String[] args) {
+        if (args.length <= 0) {
+            throw new IllegalArgumentException("To run this example, include the ddbTable in args");
+        }
+        final String ddbTableName = args[0];
+
+        // Generate a new AES key
+        ByteBuffer aesKeyBytes = generateAesKeyBytes();
+
+        RawAesKeyringGetItemPutItem(ddbTableName, aesKeyBytes);
+    }
+
+    static ByteBuffer generateAesKeyBytes() {
+        // This example uses BouncyCastle's KeyGenerator to generate the key bytes.
+        // In practice, you should not generate this key in your code, and should instead
+        //     retrieve this key from a secure key management system (e.g. HSM).
+        // This key is created here for example purposes only and should not be used for any other purpose.
+        KeyGenerator aesGen;
+        try {
+            aesGen = KeyGenerator.getInstance("AES");
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("No such algorithm", e);
+        }
+        aesGen.init(256, new SecureRandom());
+        SecretKey encryptionKey = aesGen.generateKey();
+        ByteBuffer encryptionKeyByteBuffer = ByteBuffer.wrap(encryptionKey.getEncoded());
+        return encryptionKeyByteBuffer;
+    }
+}