fix: throw S3EC error on GCM key/IV reuse (#513)

rishav-karanjit · web-flow · commit 53dc99d20ebb · 2026-05-20T16:57:29.000-07:00
diff --git a/pom.xml b/pom.xml
@@ -56,7 +56,7 @@
       <dependency>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>bom</artifactId>
-        <version>2.31.14</version>
+        <version>2.43.0</version>
         <optional>true</optional>
         <type>pom</type>
         <scope>import</scope>
@@ -68,21 +68,21 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>s3</artifactId>
-      <version>2.31.14</version>
+      <version>2.43.0</version>
     </dependency>
 
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>kms</artifactId>
-      <version>2.31.14</version>
+      <version>2.43.0</version>
     </dependency>
 
     <!-- Used when enableMultipartPutObject is configured -->
     <dependency>
       <groupId>software.amazon.awssdk.crt</groupId>
       <artifactId>aws-crt</artifactId>
       <optional>true</optional>
-      <version>0.37.0</version>
+      <version>0.45.1</version>
     </dependency>
 
     <dependency>
@@ -169,7 +169,7 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>sts</artifactId>
-      <version>2.31.14</version>
+      <version>2.43.0</version>
       <optional>true</optional>
       <scope>test</scope>
     </dependency>
diff --git a/src/main/java/software/amazon/encryption/s3/internal/PutEncryptedObjectPipeline.java b/src/main/java/software/amazon/encryption/s3/internal/PutEncryptedObjectPipeline.java
@@ -84,7 +84,7 @@ public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest request,
                 .overrideConfiguration(API_NAME_INTERCEPTOR)
                 .contentLength(encryptedContent.getCiphertextLength())
                 .build();
-        return _s3AsyncClient.putObject(encryptedPutRequest, encryptedContent.getAsyncCiphertext());
+        return _s3AsyncClient.putObject(encryptedPutRequest, new NoRetriesAsyncRequestBody(encryptedContent.getAsyncCiphertext()));
     }
 
     public static class Builder {
diff --git a/src/test/java/software/amazon/encryption/s3/S3AsyncEncryptionClientTest.java b/src/test/java/software/amazon/encryption/s3/S3AsyncEncryptionClientTest.java
@@ -46,13 +46,15 @@
 import software.amazon.awssdk.services.s3.multipart.MultipartConfiguration;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 import software.amazon.encryption.s3.internal.InstructionFileConfig;
+import software.amazon.encryption.s3.materials.AesKeyring;
 import software.amazon.encryption.s3.materials.KmsKeyring;
 import software.amazon.encryption.s3.utils.BoundedInputStream;
 import software.amazon.encryption.s3.utils.S3EncryptionClientTestResources;
 import software.amazon.encryption.s3.utils.TinyBufferAsyncRequestBody;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.NoSuchAlgorithmException;
@@ -349,6 +351,31 @@ public void asyncTopLevelConfigurationWrongRegion() {
         }
     }
 
+    @RetryingTest(3)
+    public void roundTripWithCrossRegionAccessEnabled() {
+        final String objectKey = appendTestSuffix("roundTripWithCrossRegionAccessEnabled-async-s3ec");
+        SecretKeySpec aesKey = new SecretKeySpec(new byte[32], "AES");
+        AesKeyring keyRing = AesKeyring.builder().wrappingKey(aesKey).build();
+
+        S3AsyncClient s3Client = S3AsyncEncryptionClient.builderV4()
+                .region(Region.EU_CENTRAL_1)
+                .crossRegionAccessEnabled(true)
+                .keyring(keyRing)
+                .build();
+
+        try {
+            PutObjectRequest request = PutObjectRequest.builder().bucket(BUCKET).key(objectKey).build();
+            CompletionException ex = assertThrows(CompletionException.class, () ->
+                    s3Client.putObject(request, AsyncRequestBody.fromBytes("test".getBytes())).join());
+            // Cross-region redirect causes the SDK to re-subscribe to the request body.
+            // NoRetriesAsyncRequestBody blocks this to prevent GCM cipher key/IV reuse.
+            assertTrue(ex.getCause() instanceof S3EncryptionClientException);
+            assertTrue(ex.getCause().getMessage().contains("Re-subscription is not supported"));
+        } finally {
+            s3Client.close();
+        }
+    }
+
     @RetryingTest(3)
     public void asyncTopLevelConfigurationNullCreds() {
         final String objectKey = appendTestSuffix("wrapped-s3-client-with-null-credentials-async");
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java
@@ -42,6 +42,7 @@
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 import software.amazon.encryption.s3.internal.InstructionFileConfig;
 import software.amazon.encryption.s3.internal.MetadataKeyConstants;
+import software.amazon.encryption.s3.materials.AesKeyring;
 import software.amazon.encryption.s3.materials.CryptographicMaterialsManager;
 import software.amazon.encryption.s3.materials.DefaultCryptoMaterialsManager;
 import software.amazon.encryption.s3.materials.KmsKeyring;
@@ -52,6 +53,7 @@
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
@@ -964,6 +966,30 @@ public void s3EncryptionClientTopLevelCredentialsWrongRegion() {
         }
     }
 
+    @RetryingTest(3)
+    public void roundTripWithCrossRegionAccessEnabled() {
+        final String objectKey = appendTestSuffix("roundTripWithCrossRegionAccessEnabled-sync-s3ec");
+        SecretKeySpec aesKey = new SecretKeySpec(new byte[32], "AES");
+        AesKeyring keyRing = AesKeyring.builder().wrappingKey(aesKey).build();
+
+        S3Client s3 = S3EncryptionClient.builderV4()
+                .region(Region.EU_CENTRAL_1)
+                .crossRegionAccessEnabled(true)
+                .keyring(keyRing)
+                .build();
+
+        try {
+            PutObjectRequest request = PutObjectRequest.builder().bucket(BUCKET).key(objectKey).build();
+            S3EncryptionClientException ex = assertThrows(S3EncryptionClientException.class, () ->
+                    s3.putObject(request, RequestBody.fromBytes("test".getBytes())));
+            // Cross-region redirect causes the SDK to re-subscribe to the request body.
+            // S3EC blocks this to prevent GCM cipher key/IV reuse.
+            assertTrue(ex.getCause().getMessage().contains("Re-subscription is not supported"));
+        } finally {
+            s3.close();
+        }
+    }
+
     @RetryingTest(3)
     public void s3EncryptionClientTopLevelCredentialsNullCreds() {
         final String objectKey = appendTestSuffix("wrapped-s3-client-with-null-credentials");

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest request,`
`84`	`84`	`.overrideConfiguration(API_NAME_INTERCEPTOR)`
`85`	`85`	`.contentLength(encryptedContent.getCiphertextLength())`
`86`	`86`	`.build();`
`87`		`- return _s3AsyncClient.putObject(encryptedPutRequest, encryptedContent.getAsyncCiphertext());`
	`87`	`+ return _s3AsyncClient.putObject(encryptedPutRequest, new NoRetriesAsyncRequestBody(encryptedContent.getAsyncCiphertext()));`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`public static class Builder {`