m

rishav-karanjit · rishav-karanjit · commit c078643f6068 · 2026-05-19T15:46:01.000-07:00
diff --git a/src/main/java/software/amazon/encryption/s3/internal/PutEncryptedObjectPipeline.java b/src/main/java/software/amazon/encryption/s3/internal/PutEncryptedObjectPipeline.java
@@ -84,7 +84,7 @@ public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest request,
                 .overrideConfiguration(API_NAME_INTERCEPTOR)
                 .contentLength(encryptedContent.getCiphertextLength())
                 .build();
-        return _s3AsyncClient.putObject(encryptedPutRequest, encryptedContent.getAsyncCiphertext());
+        return _s3AsyncClient.putObject(encryptedPutRequest, new NoRetriesAsyncRequestBody(encryptedContent.getAsyncCiphertext()));
     }
 
     public static class Builder {
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java
@@ -17,6 +17,7 @@
 import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
 import org.junitpioneer.jupiter.RetryingTest;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
@@ -966,7 +967,7 @@ public void s3EncryptionClientTopLevelCredentialsWrongRegion() {
         }
     }
 
-    @RetryingTest(3)
+    @Test
     public void crossRegionRoundTrip() {
         final String objectKey = appendTestSuffix("cross-region-test");
         SecretKeySpec aesKey = new SecretKeySpec(new byte[32], "AES");
@@ -980,14 +981,12 @@ public void crossRegionRoundTrip() {
 
         try {
             PutObjectRequest request = PutObjectRequest.builder().bucket(BUCKET).key(objectKey).build();
-            s3.putObject(request, RequestBody.fromBytes("test".getBytes()));
-            ResponseBytes<GetObjectResponse> response = s3.getObjectAsBytes(builder -> builder
-                    .bucket(BUCKET)
-                    .key(objectKey)
-                    .build());
-            assertEquals("test", response.asUtf8String());
+            S3EncryptionClientException ex = assertThrows(S3EncryptionClientException.class, () ->
+                    s3.putObject(request, RequestBody.fromBytes("test".getBytes())));
+            // Cross-region redirect causes the SDK to re-subscribe to the request body.
+            // NoRetriesAsyncRequestBody blocks this to prevent GCM cipher key/IV reuse.
+            assertTrue(ex.getMessage().contains("Re-subscription is not supported"));
         } finally {
-            deleteObject(BUCKET, objectKey, s3);
             s3.close();
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest request,`
`84`	`84`	`.overrideConfiguration(API_NAME_INTERCEPTOR)`
`85`	`85`	`.contentLength(encryptedContent.getCiphertextLength())`
`86`	`86`	`.build();`
`87`		`- return _s3AsyncClient.putObject(encryptedPutRequest, encryptedContent.getAsyncCiphertext());`
	`87`	`+ return _s3AsyncClient.putObject(encryptedPutRequest, new NoRetriesAsyncRequestBody(encryptedContent.getAsyncCiphertext()));`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`public static class Builder {`