Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .github/workflows/ci_examples_java.yml
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,8 @@ jobs:
working-directory: ./Examples
run: |
# Run simple examples
gradle -p runtimes/java/DynamoDbEncryption test
# TODO -- remove this
# gradle -p runtimes/java/DynamoDbEncryption test
gradle -p runtimes/java/DDBECwithSDKV2 test
# Run migration examples
gradle -p runtimes/java/Migration/PlaintextToAWSDBE test
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/pull.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ name: PR CI
permissions:
contents: read
id-token: write

on:
pull_request:

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,10 @@ public static Result<Option<InternalLegacyOverride>, Error> Build(
}

final LegacyEncryptorAdapter encryptorAdapter;
if (maybeEncryptor instanceof com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor) {
if (
maybeEncryptor instanceof
com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor
) {
encryptorAdapter =
new V1EncryptorAdapter(
(com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor) maybeEncryptor,
Expand All @@ -218,11 +221,11 @@ public static Result<Option<InternalLegacyOverride>, Error> Build(
);
} else if (
maybeEncryptor instanceof
software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.DynamoDBEncryptor
com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.DynamoDBEncryptor
) {
encryptorAdapter =
new V2EncryptorAdapter(
(software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.DynamoDBEncryptor) maybeEncryptor,
(com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.DynamoDBEncryptor) maybeEncryptor,
convertActionsV1ToV2(maybeActions.value()),
convertEncryptionContextV1ToV2(maybeEncryptionContext.value())
);
Expand Down Expand Up @@ -259,32 +262,33 @@ public static boolean isDynamoDBEncryptor(
software.amazon.cryptography.dbencryptionsdk.dynamodb.ILegacyDynamoDbEncryptor maybe
) {
return (
maybe instanceof com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor ||
maybe instanceof
software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.DynamoDBEncryptor
com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor ||
maybe instanceof
com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.DynamoDBEncryptor
);
}

// Convert SDK V1 EncryptionFlags to SDK V2
private static Map<
String,
Set<
software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionFlags
com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionFlags
>
> convertActionsV1ToV2(Map<String, Set<EncryptionFlags>> v1Actions) {
Map<
String,
Set<
software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionFlags
com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionFlags
>
> v2Actions = new HashMap<>();
for (Map.Entry<String, Set<EncryptionFlags>> entry : v1Actions.entrySet()) {
Set<
software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionFlags
com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionFlags
> v2Flags = new HashSet<>();
for (EncryptionFlags v1Flag : entry.getValue()) {
v2Flags.add(
software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionFlags.valueOf(
com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionFlags.valueOf(
v1Flag.name()
)
);
Expand All @@ -295,11 +299,11 @@ > convertActionsV1ToV2(Map<String, Set<EncryptionFlags>> v1Actions) {
}

// Convert SDK V1 EncryptionContext to SDK V2
private static software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext convertEncryptionContextV1ToV2(
private static com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionContext convertEncryptionContextV1ToV2(
final EncryptionContext v1Context
) {
final software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext.Builder builder =
software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext
final com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionContext.Builder builder =
com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionContext
.builder()
.tableName(v1Context.getTableName())
.hashKeyName(v1Context.getHashKeyName())
Expand Down
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
package software.amazon.cryptography.dbencryptionsdk.dynamodb.itemencryptor.internaldafny.legacy;

import com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.DynamoDBEncryptor;
import com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption.EncryptionFlags;
import java.security.GeneralSecurityException;
import java.util.Map;
import java.util.Set;
import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.DynamoDBEncryptor;
import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionFlags;

public class V2EncryptorAdapter implements LegacyEncryptorAdapter {

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
/*
* Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package com.amazonaws.services.dynamodbv2.datamodeling.sdkv2.encryption;

import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;

/**
* Identifies keys which should not be used directly with {@link Cipher} but
* instead contain their own cryptographic logic. This can be used to wrap more
* complex logic, HSM integration, or service-calls.
*
* <p>
* Most delegated keys will only support a subset of these operations. (For
* example, AES keys will generally not support {@link #sign(byte[], String)} or
* {@link #verify(byte[], byte[], String)} and HMAC keys will generally not
* support anything except <code>sign</code> and <code>verify</code>.)
* {@link UnsupportedOperationException} should be thrown in these cases.
*
* @author Greg Rubin
*/
public interface DelegatedKey extends SecretKey {
/**
* Encrypts the provided plaintext and returns a byte-array containing the ciphertext.
*
* @param plainText
* @param additionalAssociatedData
* Optional additional data which must then also be provided for successful
* decryption. Both <code>null</code> and arrays of length 0 are treated identically.
* Not all keys will support this parameter.
* @param algorithm
* the transformation to be used when encrypting the data
* @return ciphertext the ciphertext produced by this encryption operation
* @throws UnsupportedOperationException
* if encryption is not supported or if <code>additionalAssociatedData</code> is
* provided, but not supported.
*/
byte[] encrypt(
byte[] plainText,
byte[] additionalAssociatedData,
String algorithm
)
throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException;

/**
* Decrypts the provided ciphertext and returns a byte-array containing the
* plaintext.
*
* @param cipherText
* @param additionalAssociatedData
* Optional additional data which was provided during encryption.
* Both <code>null</code> and arrays of length 0 are treated
* identically. Not all keys will support this parameter.
* @param algorithm
* the transformation to be used when decrypting the data
* @return plaintext the result of decrypting the input ciphertext
* @throws UnsupportedOperationException
* if decryption is not supported or if
* <code>additionalAssociatedData</code> is provided, but not
* supported.
*/
byte[] decrypt(
byte[] cipherText,
byte[] additionalAssociatedData,
String algorithm
)
throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException;

/**
* Wraps (encrypts) the provided <code>key</code> to make it safe for
* storage or transmission.
*
* @param key
* @param additionalAssociatedData
* Optional additional data which must then also be provided for
* successful unwrapping. Both <code>null</code> and arrays of
* length 0 are treated identically. Not all keys will support
* this parameter.
* @param algorithm
* the transformation to be used when wrapping the key
* @return the wrapped key
* @throws UnsupportedOperationException
* if wrapping is not supported or if
* <code>additionalAssociatedData</code> is provided, but not
* supported.
*/
byte[] wrap(Key key, byte[] additionalAssociatedData, String algorithm)
throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException;

/**
* Unwraps (decrypts) the provided <code>wrappedKey</code> to recover the
* original key.
*
* @param wrappedKey
* @param additionalAssociatedData
* Optional additional data which was provided during wrapping.
* Both <code>null</code> and arrays of length 0 are treated
* identically. Not all keys will support this parameter.
* @param algorithm
* the transformation to be used when unwrapping the key
* @return the unwrapped key
* @throws UnsupportedOperationException
* if wrapping is not supported or if
* <code>additionalAssociatedData</code> is provided, but not
* supported.
*/
Key unwrap(
byte[] wrappedKey,
String wrappedKeyAlgorithm,
int wrappedKeyType,
byte[] additionalAssociatedData,
String algorithm
)
throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException;

/**
* Calculates and returns a signature for <code>dataToSign</code>.
*
* @param dataToSign
* @param algorithm
* @return the signature
* @throws UnsupportedOperationException if signing is not supported
*/
byte[] sign(byte[] dataToSign, String algorithm)
throws GeneralSecurityException;

/**
* Checks the provided signature for correctness.
*
* @param dataToSign
* @param signature
* @param algorithm
* @return true if and only if the <code>signature</code> matches the <code>dataToSign</code>.
* @throws UnsupportedOperationException if signature validation is not supported
*/
boolean verify(byte[] dataToSign, byte[] signature, String algorithm);
}
Loading
Loading