/**
 * Hash code consistent with {@code equals(Object)}: folds the key id and the plaintext
 * buffer into the usual 31-multiplier scheme, with a null member contributing 0.
 * Note that a ByteBuffer's hash depends on its remaining content, so reading the
 * plaintext buffer (moving its position) changes this value.
 *
 * @return the hash code of this result
 */
@Override
public int hashCode() {
    final String keyId = getKeyId();
    final java.nio.ByteBuffer plaintext = getPlaintext();
    // Same value as the generated accumulator form: 31 * (31 * 1 + h(keyId)) + h(plaintext).
    int result = 31 + (keyId == null ? 0 : keyId.hashCode());
    result = 31 * result + (plaintext == null ? 0 : plaintext.hashCode());
    return result;
}
public DecryptResult unmarshall(JsonUnmarshallerContext context) throws Exception { DecryptResult decryptResult = new DecryptResult(); if (context.testExpression("KeyId", targetDepth)) { context.nextToken(); decryptResult.setKeyId(context.getUnmarshaller(String.class).unmarshall(context)); decryptResult.setPlaintext(context.getUnmarshaller(java.nio.ByteBuffer.class).unmarshall(context));
/**
 * Decrypts the secured CEK via KMS; involves network calls.
 *
 * @param cekSecured          the KMS-wrapped content encryption key
 * @param keyWrapAlgo         key-wrap algorithm name; not consulted by this method
 * @param materials           supplies the materials description that is sent as the KMS
 *                            encryption context (it must match the one used when wrapping)
 * @param contentCryptoScheme supplies the algorithm name for the returned key
 * @param kms                 client used for the KMS Decrypt call
 * @return the CEK (in plaintext).
 */
private static SecretKey cekByKMS(byte[] cekSecured, String keyWrapAlgo,
        EncryptionMaterials materials, ContentCryptoScheme contentCryptoScheme,
        AWSKMS kms) {
    final ByteBuffer wrappedCek = ByteBuffer.wrap(cekSecured);
    final DecryptRequest request = new DecryptRequest();
    request.withEncryptionContext(materials.getMaterialsDescription());
    request.withCiphertextBlob(wrappedCek);

    final DecryptResult response = kms.decrypt(request);
    // NOTE(review): the key id reported in the response is not compared with the CMK
    // the materials were created for -- confirm whether a caller checks that elsewhere.
    final byte[] cekBytes = copyAllBytesFrom(response.getPlaintext());
    final String keyAlgorithm = contentCryptoScheme.getKeyGeneratorAlgorithm();
    return new SecretKeySpec(cekBytes, keyAlgorithm);
}
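/**
 * Test double for the KMS decrypt operation: rejects the known-invalid ciphertext and
 * otherwise answers with the fixed mock plaintext.
 *
 * @param awsKmsClient   not used by the mock
 * @param decryptRequest request whose ciphertext blob is inspected
 * @return a result whose plaintext is {@code MOCK_PLAIN_TEXT} encoded as UTF-8
 * @throws InvalidCiphertextException when the blob equals the decoded
 *         {@code MOCK_CIPHER_TEXT_INVALID}
 */
@Override
public DecryptResult decrypt(AWSKMSClient awsKmsClient, DecryptRequest decryptRequest) {
    // Check the cipher text. Comparing from the constant side means a request without a
    // blob is simply "not the invalid one" instead of a NullPointerException; ByteBuffer
    // equality covers the remaining bytes of both buffers.
    final ByteBuffer invalidBlob = ByteBuffer.wrap(Base64.decodeBase64(MOCK_CIPHER_TEXT_INVALID));
    if (invalidBlob.equals(decryptRequest.getCiphertextBlob())) {
        throw new InvalidCiphertextException("(Service: AWSKMS; Status Code: 400; Error Code: InvalidCiphertextException; Request ID: NONE)");
    }

    final DecryptResult decryptResult = new DecryptResult();
    // Convert the test plain text to a byte buffer and set it as the return value. The
    // charset is named explicitly so the bytes do not depend on the JVM default charset.
    decryptResult.setPlaintext(ByteBuffer.wrap(
            MOCK_PLAIN_TEXT.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
    return decryptResult;
}
}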
/**
 * <p>
 * Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it
 * is not encoded.
 * </p>
 * <p>
 * The SDK handles the Base64 transport encoding of this field itself; callers must not Base64-encode it.
 * </p>
 * <p>
 * Warning: ByteBuffers returned by the SDK are mutable. Changes to the content or position of the byte buffer will
 * be seen by all objects that have a reference to this object. It is recommended to call ByteBuffer.duplicate() or
 * ByteBuffer.asReadOnlyBuffer() before using or reading from the buffer. This behavior will be changed in a future
 * major version of the SDK.
 * </p>
 *
 * @param plaintext
 *        Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded.
 *        Otherwise, it is not encoded.
 * @return this object, so that calls can be chained.
 */
public DecryptResult withPlaintext(java.nio.ByteBuffer plaintext) {
    this.setPlaintext(plaintext);
    return this;
}
/**
 * <p>
 * ARN of the key used to perform the decryption. This value is returned if no errors are encountered during the
 * operation.
 * </p>
 *
 * @param keyId
 *        ARN of the key used to perform the decryption. This value is returned if no errors are encountered during
 *        the operation.
 * @return this object, so that calls can be chained.
 */
public DecryptResult withKeyId(String keyId) {
    this.setKeyId(keyId);
    return this;
}
/**
 * Decrypts the secured CEK via KMS; involves network calls.
 *
 * @param cekSecured          the KMS-wrapped content encryption key
 * @param keyWrapAlgo         key-wrap algorithm name; not consulted by this method
 * @param materials           supplies the materials description that is sent as the KMS
 *                            encryption context (it must match the one used when wrapping)
 * @param contentCryptoScheme supplies the algorithm name for the returned key
 * @param kms                 client used for the KMS Decrypt call
 * @return the CEK (in plaintext).
 */
private static SecretKey cekByKMS(byte[] cekSecured, String keyWrapAlgo,
        EncryptionMaterials materials, ContentCryptoScheme contentCryptoScheme,
        AWSKMSClient kms) {
    final ByteBuffer wrappedCek = ByteBuffer.wrap(cekSecured);
    final DecryptRequest request = new DecryptRequest()
            .withEncryptionContext(materials.getMaterialsDescription())
            .withCiphertextBlob(wrappedCek);
    final DecryptResult response = kms.decrypt(request);

    // NOTE(review): the key id reported in the response is not compared with the CMK
    // the materials were created for -- confirm whether a caller checks that elsewhere.
    final byte[] cekBytes = copyAllBytesFrom(response.getPlaintext());
    final String keyAlgorithm = contentCryptoScheme.getKeyGeneratorAlgorithm();
    return new SecretKeySpec(cekBytes, keyAlgorithm);
}
/**
 * <p>
 * Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it
 * is not encoded.
 * </p>
 * <p>
 * The SDK handles the Base64 transport encoding of this field itself; callers must not Base64-encode it.
 * </p>
 * <p>
 * Warning: ByteBuffers returned by the SDK are mutable. Changes to the content or position of the byte buffer will
 * be seen by all objects that have a reference to this object. It is recommended to call ByteBuffer.duplicate() or
 * ByteBuffer.asReadOnlyBuffer() before using or reading from the buffer. This behavior will be changed in a future
 * major version of the SDK.
 * </p>
 *
 * @param plaintext
 *        Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded.
 *        Otherwise, it is not encoded.
 * @return this object, so that calls can be chained.
 */
public DecryptResult withPlaintext(java.nio.ByteBuffer plaintext) {
    this.setPlaintext(plaintext);
    return this;
}
/**
 * <p>
 * ARN of the key used to perform the decryption. This value is returned if no errors are encountered during the
 * operation.
 * </p>
 *
 * @param keyId
 *        ARN of the key used to perform the decryption. This value is returned if no errors are encountered during
 *        the operation.
 * @return this object, so that calls can be chained.
 */
public DecryptResult withKeyId(String keyId) {
    this.setKeyId(keyId);
    return this;
}
/**
 * Two results are equal when both the key id and the plaintext buffer are equal, with
 * null matching only null. ByteBuffer equality compares the remaining bytes, so a
 * partially-read plaintext buffer compares differently from an unread one.
 *
 * @param obj the object to compare with
 * @return true if {@code obj} is a DecryptResult with an equal key id and plaintext
 */
@Override
public boolean equals(Object obj) {
    if (this == obj) {
        return true;
    }
    if (!(obj instanceof DecryptResult)) {
        // Also covers obj == null.
        return false;
    }
    final DecryptResult other = (DecryptResult) obj;

    final String otherKeyId = other.getKeyId();
    final String thisKeyId = this.getKeyId();
    if (otherKeyId == null ? thisKeyId != null : !otherKeyId.equals(thisKeyId)) {
        return false;
    }

    final java.nio.ByteBuffer otherPlaintext = other.getPlaintext();
    final java.nio.ByteBuffer thisPlaintext = this.getPlaintext();
    return otherPlaintext == null ? thisPlaintext == null : otherPlaintext.equals(thisPlaintext);
}
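/**
 * Decrypts a Base64-encoded KMS ciphertext blob and returns the plaintext as a UTF-8 string.
 *
 * @param awsParamsDto         parameters used to build the KMS client configuration
 * @param base64ciphertextBlob the KMS ciphertext blob, Base64-encoded
 * @return the decrypted plaintext decoded as UTF-8
 */
@Override
public String decrypt(AwsParamsDto awsParamsDto, String base64ciphertextBlob) {
    // Construct a new AWS KMS service client using the specified client configuration.
    // A credentials provider chain will be used that searches for credentials in this order:
    // - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
    // - Java System Properties - aws.accessKeyId and aws.secretKey
    // - Instance Profile Credentials - delivered through the Amazon EC2 metadata service
    AWSKMSClient awsKmsClient = new AWSKMSClient(awsHelper.getClientConfiguration(awsParamsDto));
    try {
        // Decode the base64 encoded ciphertext.
        ByteBuffer ciphertextBlob = ByteBuffer.wrap(Base64.decodeBase64(base64ciphertextBlob));

        // Create the decrypt request.
        DecryptRequest decryptRequest = new DecryptRequest().withCiphertextBlob(ciphertextBlob);

        // Call AWS KMS decrypt service method.
        DecryptResult decryptResult = kmsOperations.decrypt(awsKmsClient, decryptRequest);

        // Copy only the readable window of the plaintext. array() would return the whole backing
        // array regardless of position/limit (and is unavailable for buffers without one); reading
        // through duplicate() leaves the position of the shared buffer untouched.
        ByteBuffer plainText = decryptResult.getPlaintext().duplicate();
        byte[] plainTextBytes = new byte[plainText.remaining()];
        plainText.get(plainTextBytes);

        // Return the plain text as a string.
        return new String(plainTextBytes, StandardCharsets.UTF_8);
    } finally {
        // The client is created for this single call; release its underlying resources.
        awsKmsClient.shutdown();
    }
}
}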
/**
 * Reads a DecryptResult from the JSON object at the reader's current position, picking up
 * the {@code KeyId} and {@code Plaintext} members and skipping any other member.
 *
 * @param context the unmarshaller context supplying the JSON reader
 * @return the populated result
 * @throws Exception propagated from the reader or the member unmarshallers
 */
public DecryptResult unmarshall(JsonUnmarshallerContext context) throws Exception {
    final AwsJsonReader reader = context.getReader();
    final DecryptResult result = new DecryptResult();

    reader.beginObject();
    while (reader.hasNext()) {
        final String member = reader.nextName();
        if (member.equals("KeyId")) {
            result.setKeyId(StringJsonUnmarshaller.getInstance().unmarshall(context));
            continue;
        }
        if (member.equals("Plaintext")) {
            result.setPlaintext(ByteBufferJsonUnmarshaller.getInstance().unmarshall(context));
            continue;
        }
        // Unknown member: consume its value so the reader stays aligned.
        reader.skipValue();
    }
    reader.endObject();

    return result;
}
/**
 * <p>
 * Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is
 * not encoded.
 * </p>
 * <p>
 * The SDK handles the Base64 transport encoding of this field itself; callers must not Base64-encode it.
 * </p>
 * <p>
 * Warning: ByteBuffers returned by the SDK are mutable. Changes to the content or position of the byte buffer will
 * be seen by all objects that have a reference to this object. It is recommended to call ByteBuffer.duplicate() or
 * ByteBuffer.asReadOnlyBuffer() before using or reading from the buffer. This behavior will be changed in a future
 * major version of the SDK.
 * </p>
 *
 * @param plaintext
 *        Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value is Base64-encoded.
 *        Otherwise, it is not encoded.
 * @return this object, so that calls can be chained.
 */
public DecryptResult withPlaintext(java.nio.ByteBuffer plaintext) {
    this.setPlaintext(plaintext);
    return this;
}
/**
 * <p>
 * ARN of the key used to perform the decryption. This value is returned if no errors are encountered during the
 * operation.
 * </p>
 *
 * @param keyId
 *        ARN of the key used to perform the decryption. This value is returned if no errors are encountered during
 *        the operation.
 * @return this object, so that calls can be chained.
 */
public DecryptResult withKeyId(String keyId) {
    this.setKeyId(keyId);
    return this;
}
/**
 * Returns a string representation of this object. This is useful for testing and debugging. The
 * plaintext is never printed; a fixed placeholder stands in for it.
 *
 * @return A string representation of this object.
 *
 * @see java.lang.Object#toString()
 */
@Override
public String toString() {
    final StringBuilder out = new StringBuilder("{");
    final String keyId = getKeyId();
    if (keyId != null) {
        out.append("KeyId: ").append(keyId).append(",");
    }
    // Only the presence of the plaintext is reported, never its content.
    if (getPlaintext() != null) {
        out.append("Plaintext: ").append("***Sensitive Data Redacted***");
    }
    return out.append("}").toString();
}
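/**
 * Decrypts a Base64-encoded KMS ciphertext blob and returns the plaintext as a UTF-8 string.
 *
 * @param awsParamsDto         parameters used to build the KMS client configuration
 * @param base64ciphertextBlob the KMS ciphertext blob, Base64-encoded
 * @return the decrypted plaintext decoded as UTF-8
 */
@Override
public String decrypt(AwsParamsDto awsParamsDto, String base64ciphertextBlob) {
    // Construct a new AWS KMS service client using the specified client configuration.
    // A credentials provider chain will be used that searches for credentials in this order:
    // - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
    // - Java System Properties - aws.accessKeyId and aws.secretKey
    // - Instance Profile Credentials - delivered through the Amazon EC2 metadata service
    AWSKMSClient awsKmsClient = new AWSKMSClient(awsHelper.getClientConfiguration(awsParamsDto));
    try {
        // Decode the base64 encoded ciphertext.
        ByteBuffer ciphertextBlob = ByteBuffer.wrap(Base64.decodeBase64(base64ciphertextBlob));

        // Create the decrypt request.
        DecryptRequest decryptRequest = new DecryptRequest().withCiphertextBlob(ciphertextBlob);

        // Call AWS KMS decrypt service method.
        DecryptResult decryptResult = kmsOperations.decrypt(awsKmsClient, decryptRequest);

        // Copy only the readable window of the plaintext. array() would return the whole backing
        // array regardless of position/limit (and is unavailable for buffers without one); reading
        // through duplicate() leaves the position of the shared buffer untouched.
        ByteBuffer plainText = decryptResult.getPlaintext().duplicate();
        byte[] plainTextBytes = new byte[plainText.remaining()];
        plainText.get(plainTextBytes);

        // Return the plain text as a string.
        return new String(plainTextBytes, StandardCharsets.UTF_8);
    } finally {
        // The client is created for this single call; release its underlying resources.
        awsKmsClient.shutdown();
    }
}
}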
/**
 * Reads a DecryptResult from the JSON object at the reader's current position, picking up
 * the {@code KeyId} and {@code Plaintext} members and skipping any other member.
 *
 * @param context the unmarshaller context supplying the JSON reader
 * @return the populated result
 * @throws Exception propagated from the reader or the member unmarshallers
 */
public DecryptResult unmarshall(JsonUnmarshallerContext context) throws Exception {
    final AwsJsonReader reader = context.getReader();
    final DecryptResult result = new DecryptResult();

    reader.beginObject();
    while (reader.hasNext()) {
        final String member = reader.nextName();
        if (member.equals("KeyId")) {
            result.setKeyId(StringJsonUnmarshaller.getInstance().unmarshall(context));
            continue;
        }
        if (member.equals("Plaintext")) {
            result.setPlaintext(ByteBufferJsonUnmarshaller.getInstance().unmarshall(context));
            continue;
        }
        // Unknown member: consume its value so the reader stays aligned.
        reader.skipValue();
    }
    reader.endObject();

    return result;
}
/**
 * Hash code consistent with {@code equals(Object)}: folds the key id and the plaintext
 * buffer into the usual 31-multiplier scheme, with a null member contributing 0.
 * Note that a ByteBuffer's hash depends on its remaining content, so reading the
 * plaintext buffer (moving its position) changes this value.
 *
 * @return the hash code of this result
 */
@Override
public int hashCode() {
    final String keyId = getKeyId();
    final java.nio.ByteBuffer plaintext = getPlaintext();
    // Same value as the generated accumulator form: 31 * (31 * 1 + h(keyId)) + h(plaintext).
    int result = 31 + (keyId == null ? 0 : keyId.hashCode());
    result = 31 * result + (plaintext == null ? 0 : plaintext.hashCode());
    return result;
}
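/**
 * Builds the key provider. No key yields a provider without a key; a 16-byte key is used
 * directly as an AES key; any other length is treated as a KMS-encrypted key blob and
 * decrypted through KMS, after which the plaintext must be exactly 16 bytes.
 *
 * @return a {@link KeyProviderImpl} holding the AES key, or holding {@code null} when no
 *         usable 16-byte key is available
 */
@Override
public KeyProvider build() {
    if (null == key || 0 == key.length) {
        return new KeyProviderImpl(null);
    } else if (16 == key.length) {
        return new KeyProviderImpl(new SecretKeySpec(key, "AES"));
    }
    AWSKMS kms = _amazonWebServiceClients.withEndpoint(
        new AWSKMSClient(
            _credProviderFactory.create(credProvider),
            _clientConfigurations.withProxy(new ClientConfiguration(), proxy)),
        endpoint);
    // Copy only the readable bytes of the plaintext: array() returns the entire backing array
    // regardless of position/limit. The decrypted key stays in a local rather than replacing the
    // builder's field, so the builder does not retain the plaintext key after build() returns.
    ByteBuffer plaintext = kms.decrypt(new DecryptRequest()
            .withCiphertextBlob(ByteBuffer.wrap(key)))
        .getPlaintext().duplicate();
    byte[] decryptedKey = new byte[plaintext.remaining()];
    plaintext.get(decryptedKey);
    if (16 != decryptedKey.length) {
        LOG.warn("Expected decrypted key to be exactly 16 bytes, got "+decryptedKey.length+" bytes. Please "+
                 "verify the key was not base64 encoded before encrypting with KMS");
        return new KeyProviderImpl(null);
    }
    return new KeyProviderImpl(new SecretKeySpec(decryptedKey, "AES"));
}
}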
/**
 * Reads a DecryptResult from the JSON object at the reader's current position, picking up
 * the {@code KeyId} and {@code Plaintext} members and skipping any other member.
 *
 * @param context the unmarshaller context supplying the JSON reader
 * @return the populated result
 * @throws Exception propagated from the reader or the member unmarshallers
 */
public DecryptResult unmarshall(JsonUnmarshallerContext context) throws Exception {
    final AwsJsonReader reader = context.getReader();
    final DecryptResult result = new DecryptResult();

    reader.beginObject();
    while (reader.hasNext()) {
        final String member = reader.nextName();
        if (member.equals("KeyId")) {
            result.setKeyId(StringJsonUnmarshaller.getInstance().unmarshall(context));
            continue;
        }
        if (member.equals("Plaintext")) {
            result.setPlaintext(ByteBufferJsonUnmarshaller.getInstance().unmarshall(context));
            continue;
        }
        // Unknown member: consume its value so the reader stays aligned.
        reader.skipValue();
    }
    reader.endObject();

    return result;
}