Merge branch 'main' into rishav/slack-notification

Author: rishav-karanjit

.github/workflows/build.yml

@@ -45,6 +45,9 @@ jobs:
         shell: bash
 
       - name: Test
+        env:
+          AWS_RETRY_MODE: adaptive
+          AWS_MAX_ATTEMPTS: '5'
         run: |
           export AWS_S3EC_TEST_ALT_KMS_KEY_ARN=arn:aws:kms:${{ vars.CI_AWS_REGION }}:${{ secrets.CI_AWS_ACCOUNT_ID }}:key/${{ vars.CI_ALT_KMS_KEY_ID }}
           export AWS_S3EC_TEST_ALT_ROLE_ARN=arn:aws:iam::${{ secrets.CI_AWS_ACCOUNT_ID }}:role/service-role/${{ vars.CI_ALT_ROLE }}

.gitmodules

@@ -1,4 +1,3 @@
 [submodule "specification"]
 	path = specification
-	url = git@github.com:awslabs/private-aws-encryption-sdk-specification-staging.git
-	branch = fire-egg-staging
+	url = git@github.com:awslabs/aws-encryption-sdk-specification.git

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [4.0.1](https://github.com/aws/aws-s3-encryption-client-java/compare/v4.0.0...v4.0.1) (2026-02-10)
+
+### Fixes
+
+* set instruction file content length ([b76c281](https://github.com/aws/aws-s3-encryption-client-java/commit/b76c2812b856eb1528eb83bbdf8d7e6ead80016e))
+
+### Maintenance
+
+* fix examples & spec path ([#493](https://github.com/aws/aws-s3-encryption-client-java/issues/493)) ([a95aa3f](https://github.com/aws/aws-s3-encryption-client-java/commit/a95aa3fddb5abf4e17551c0ef3c247c7a43edf40))
+
 ## [4.0.0](https://github.com/aws/aws-s3-encryption-client-java/compare/v3.6.0...v4.0.0) (2025-12-17)
 
 ### ⚠ BREAKING CHANGES

README.md

@@ -79,7 +79,7 @@ class Example {
 }
 ```
 
-For detailed migration guidance and step-by-step examples, refer to the [Migration Examples](migration_examples/v3-to-v4/README.md). For more information, refer to the <a href="https://docs.aws.amazon.com/amazon-s3-encryption-client/latest/developerguide/java-v4-migration.html">Developer Guide</a>.
+For detailed migration guidance and step-by-step examples, refer to the [Migration Examples](https://github.com/aws/amazon-s3-encryption-client-java/tree/main/migration_examples/v3-to-v4). For more information, refer to the <a href="https://docs.aws.amazon.com/amazon-s3-encryption-client/latest/developerguide/java-v4-migration.html">Developer Guide</a>.
 
 
 #### V2 KMS Materials Provider to V4

migration_examples/v3-to-v4/README.md

@@ -1,6 +1,6 @@
 # S3 Encryption Client v3 to v4 Migration Examples
 
-> **Note:** This directory contains migration-specific examples for users upgrading from v3 to v4. If you're starting fresh with the S3 Encryption Client, see the [code examples](../../../src/examples/java/software/amazon/encryption/s3/examples).
+> **Note:** This directory contains migration-specific examples for users upgrading from v3 to v4. If you're starting fresh with the S3 Encryption Client, see the [code examples](https://github.com/aws/amazon-s3-encryption-client-java/tree/main/src/examples/java/software/amazon/encryption/s3/examples).
 
 This directory contains examples demonstrating the migration path from S3 Encryption Client v3 to v4, focusing on different commitment policy configurations. For more information, refer to the <a href="https://docs.aws.amazon.com/amazon-s3-encryption-client/latest/developerguide/java-v4-migration.html">Developer Guide</a>.
 

migration_examples/v3-to-v4/v4/pom.xml

@@ -17,7 +17,7 @@
         <maven.compiler.target>8</maven.compiler.target>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <aws.sdk.version>2.31.14</aws.sdk.version>
-        <s3ec.version>4.0.0</s3ec.version>
+        <s3ec.version>4.0.1</s3ec.version>
     </properties>
 
     <dependencies>

pom.xml

@@ -6,7 +6,7 @@
 
   <groupId>software.amazon.encryption.s3</groupId>
   <artifactId>amazon-s3-encryption-client-java</artifactId>
-  <version>4.0.0</version>
+  <version>4.0.1</version>
   <packaging>jar</packaging>
 
   <name>Amazon S3 Encryption Client</name>
@@ -120,6 +120,12 @@
 
     <!-- Test Dependencies -->
     <!-- https://mvnrepository.com/artifact/org.mockito/mockito-core -->
+    <dependency>
+      <groupId>org.junit-pioneer</groupId>
+      <artifactId>junit-pioneer</artifactId>
+      <version>1.9.1</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>

specification

@@ -0,0 +1,92 @@
+package software.amazon.encryption.s3.examples;
+
+import java.security.NoSuchAlgorithmException;
+
+import software.amazon.awssdk.core.ResponseBytes;
+import software.amazon.awssdk.core.sync.RequestBody;
+import software.amazon.awssdk.services.kms.KmsClient;
+import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.model.GetObjectResponse;
+import software.amazon.encryption.s3.S3EncryptionClient;
+import software.amazon.encryption.s3.S3EncryptionClientException;
+import software.amazon.encryption.s3.internal.InstructionFileConfig;
+import software.amazon.encryption.s3.materials.KmsKeyring;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.appendTestSuffix;
+import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.deleteObject;
+
+public class InstructionFileExample {
+
+    public static void main(final String[] args) throws NoSuchAlgorithmException {
+        final String bucket = args[0];
+        final String kmsKeyId = args.length > 1 ? args[1] : null;
+
+        if (kmsKeyId != null) {
+            InstructionFileExample.simpleKmsKeyringUseInstructionFile(bucket, kmsKeyId);
+        }
+    }
+    /**
+     * This example demonstrates using Instruction Files.
+     *
+     * @param bucket      The name of the Amazon S3 bucket to perform operations on.
+     * @param kmsKeyId    The KMS key ID used for encryption
+     */
+    public static void simpleKmsKeyringUseInstructionFile(
+        final String bucket,
+        final String kmsKeyId
+    ) {
+        // Set up the S3 object key and content to be encrypted
+        final String objectKey = appendTestSuffix(
+            "kms-instruction-file-test"
+        );
+        final String input =
+            "Testing encryption of instruction file with KMS Keyring";
+
+        // Create a KMS client for key operations
+        KmsClient kmsClient = KmsClient.create();
+
+        // Create the original KMS keyring with the first KMS key
+        KmsKeyring originalKeyring = KmsKeyring
+            .builder()
+            .kmsClient(kmsClient)
+            .wrappingKeyId(kmsKeyId)
+            .build();
+
+        // Create a default S3 client for instruction file operations
+        S3Client wrappedClient = S3Client.create();
+
+        // Create the S3 Encryption Client with instruction file support enabled
+        // The client can perform both putObject and getObject operations using the KMS key
+        ResponseBytes<GetObjectResponse> decryptedObject;
+        try (S3EncryptionClient s3ec = S3EncryptionClient
+            .builderV4()
+            .keyring(originalKeyring)
+            .instructionFileConfig(
+                InstructionFileConfig
+                    .builder()
+                    .instructionFileClient(wrappedClient)
+                    .enableInstructionFilePutObject(true)
+                    .build()
+            ).build()) {
+
+            // Upload both the encrypted object and instruction file to the specified bucket in S3
+            s3ec.putObject(
+                builder -> builder.bucket(bucket).key(objectKey).build(),
+                RequestBody.fromString(input)
+            );
+
+            // Verify that the client can successfully decrypt the object
+            decryptedObject = s3ec.getObjectAsBytes(builder ->
+                builder.bucket(bucket).key(objectKey).build()
+            );
+            // Assert that the decrypted object's content matches the original input
+            assertEquals(input, decryptedObject.asUtf8String());
+
+            // Call deleteObject to delete the object and instruction file
+            // from given S3 Bucket
+            deleteObject(bucket, objectKey, s3ec);
+        }
+    }
+}

src/examples/java/software/amazon/encryption/s3/examples/InstructionFileExample.java

@@ -3,7 +3,7 @@
 package software.amazon.encryption.s3;
 
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
+import org.junitpioneer.jupiter.RetryingTest;
 import software.amazon.awssdk.core.ResponseBytes;
 import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.services.s3.S3Client;
@@ -65,7 +65,7 @@ public static void setUp() throws NoSuchAlgorithmException {
      * Test AES keyring with null additionalDecryptionKeyMaterial map.
      * This tests the default behavior when no additional key material is provided.
      */
-    @Test
+    @RetryingTest(3)
     public void testAesKeyringWithNullAdditionalKeyMaterial() {
         final String objectKey = appendTestSuffix("aes-null-additional-key-material");
         final String input = "AES with null additional key material";
@@ -129,7 +129,7 @@ public void testAesKeyringWithNullAdditionalKeyMaterial() {
      * Test AES keyring with empty additionalDecryptionKeyMaterial map.
      * This tests the behavior when an empty map is provided.
      */
-    @Test
+    @RetryingTest(3)
     public void testAesKeyringWithEmptyAdditionalKeyMaterial() {
         final String objectKey = appendTestSuffix("aes-empty-additional-key-material");
         final String input = "AES with empty additional key material";
@@ -194,7 +194,7 @@ public void testAesKeyringWithEmptyAdditionalKeyMaterial() {
      * Test AES keyring with a singleton additionalDecryptionKeyMaterial map.
      * This tests the behavior when a single additional key material is provided.
      */
-    @Test
+    @RetryingTest(3)
     public void testAesKeyringWithSingletonAdditionalKeyMaterial() {
         final String objectKey = appendTestSuffix("aes-singleton-additional-key-material");
         final String input = "AES with singleton additional key material";
@@ -265,7 +265,7 @@ public void testAesKeyringWithSingletonAdditionalKeyMaterial() {
      * Test AES keyring with multiple entries in the additionalDecryptionKeyMaterial map.
      * This tests the behavior when multiple additional key materials are provided.
      */
-    @Test
+    @RetryingTest(3)
     public void testAesKeyringWithMultipleAdditionalKeyMaterials() {
         final String objectKey = appendTestSuffix("aes-multiple-additional-key-materials");
         final String input = "AES with multiple additional key materials";
@@ -348,7 +348,7 @@ public void testAesKeyringWithMultipleAdditionalKeyMaterials() {
      * Test AES keyring with additionalDecryptionKeyMaterial that doesn't match.
      * This tests the behavior when no matching key material is found and it should fall back to the default key.
      */
-    @Test
+    @RetryingTest(3)
     public void testAesKeyringWithNonMatchingAdditionalKeyMaterial() {
         final String objectKey = appendTestSuffix("aes-non-matching-additional-key-material");
         final String input = "AES with non-matching additional key material";
@@ -423,7 +423,7 @@ public void testAesKeyringWithNonMatchingAdditionalKeyMaterial() {
      * Test AES keyring with additionalDecryptionKeyMaterial that doesn't match and a wrong default key.
      * This tests the behavior when no matching key material is found and the default key is also wrong.
      */
-    @Test
+    @RetryingTest(3)
     public void testAesKeyringWithNonMatchingAdditionalKeyMaterialAndWrongDefaultKey() {
         final String objectKey = appendTestSuffix("aes-non-matching-additional-key-material-wrong-default");
         final String input = "AES with non-matching additional key material and wrong default key";
@@ -494,7 +494,7 @@ public void testAesKeyringWithNonMatchingAdditionalKeyMaterialAndWrongDefaultKey
      * Test RSA keyring with null additionalDecryptionKeyMaterial map.
      * This tests the default behavior when no additional key material is provided.
      */
-    @Test
+    @RetryingTest(3)
     public void testRsaKeyringWithNullAdditionalKeyMaterial() {
         final String objectKey = appendTestSuffix("rsa-null-additional-key-material");
         final String input = "RSA with null additional key material";
@@ -564,7 +564,7 @@ public void testRsaKeyringWithNullAdditionalKeyMaterial() {
      * Test RSA keyring with empty additionalDecryptionKeyMaterial map.
      * This tests the behavior when an empty map is provided.
      */
-    @Test
+    @RetryingTest(3)
     public void testRsaKeyringWithEmptyAdditionalKeyMaterial() {
         final String objectKey = appendTestSuffix("rsa-empty-additional-key-material");
         final String input = "RSA with empty additional key material";
@@ -635,7 +635,7 @@ public void testRsaKeyringWithEmptyAdditionalKeyMaterial() {
      * Test RSA keyring with a singleton additionalDecryptionKeyMaterial map.
      * This tests the behavior when a single additional key material is provided.
      */
-    @Test
+    @RetryingTest(3)
     public void testRsaKeyringWithSingletonAdditionalKeyMaterial() {
         final String objectKey = appendTestSuffix("rsa-singleton-additional-key-material");
         final String input = "RSA with singleton additional key material";
@@ -715,7 +715,7 @@ public void testRsaKeyringWithSingletonAdditionalKeyMaterial() {
      * Test RSA keyring with multiple entries in the additionalDecryptionKeyMaterial map.
      * This tests the behavior when multiple additional key materials are provided.
      */
-    @Test
+    @RetryingTest(3)
     public void testRsaKeyringWithMultipleAdditionalKeyMaterials() {
         final String objectKey = appendTestSuffix("rsa-multiple-additional-key-materials");
         final String input = "RSA with multiple additional key materials";
@@ -810,7 +810,7 @@ public void testRsaKeyringWithMultipleAdditionalKeyMaterials() {
      * Test RSA keyring with additionalDecryptionKeyMaterial that doesn't match.
      * This tests the behavior when no matching key material is found and it should fall back to the default key.
      */
-    @Test
+    @RetryingTest(3)
     public void testRsaKeyringWithNonMatchingAdditionalKeyMaterial() {
         final String objectKey = appendTestSuffix("rsa-non-matching-additional-key-material");
         final String input = "RSA with non-matching additional key material";
@@ -894,7 +894,7 @@ public void testRsaKeyringWithNonMatchingAdditionalKeyMaterial() {
      * Test RSA keyring with additionalDecryptionKeyMaterial that doesn't match and a wrong default key.
      * This tests the behavior when no matching key material is found and the default key is also wrong.
      */
-    @Test
+    @RetryingTest(3)
     public void testRsaKeyringWithNonMatchingAdditionalKeyMaterialAndWrongDefaultKey() {
         final String objectKey = appendTestSuffix("rsa-non-matching-additional-key-material-wrong-default");
         final String input = "RSA with non-matching additional key material and wrong default key";