com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider Java Examples

Example #1
Source File: KMSEncryptorTest.java (from strongbox, Apache License 2.0)
@BeforeMethod
public void setUp() throws Exception {
    // Collaborators the encryptor needs; none of them reach AWS, everything is a mock.
    final AWSCredentialsProvider credentials = mock(AWSCredentialsProvider.class);
    final ClientConfiguration clientConfig = mock(ClientConfiguration.class);
    final SecretsGroupIdentifier groupId = new SecretsGroupIdentifier(Region.US_WEST_1, "test.group");

    mockAwsCrypto = mock(AwsCrypto.class);
    mockKmsManager = mock(KMSManager.class);

    // Spy the real encryptor so only getProvider() is stubbed; the rest of its logic runs for real
    // against the mocked AwsCrypto and KMSManager.
    final KMSEncryptor realEncryptor = new KMSEncryptor(
            mockKmsManager, credentials, clientConfig, groupId, mockAwsCrypto, EncryptionStrength.AES_256);
    kmsEncryptor = spy(realEncryptor);
    mockProvider = mock(KmsMasterKeyProvider.class);
    doReturn(mockProvider).when(kmsEncryptor).getProvider();

    // The constructor must select the AES-256-GCM / HKDF-SHA384 / ECDSA-P384 suite exactly once;
    // a different or missing suite selection is a setup failure, not a per-test condition.
    verify(mockAwsCrypto, times(1)).setEncryptionAlgorithm(
            CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384);
}
 
Example #2
Source File: KMSEncryptor.java (from strongbox, Apache License 2.0)
/**
 * Returns the KMS master key provider for this secrets group, building it on first use and
 * caching it in {@code prov} for every later call.
 *
 * <p>The provider is bound to the group's region and to the single CMK returned by
 * {@code getKeyArn()}. NOTE(review): on AWS Encryption SDK releases before 1.7 the key-ID
 * constructor does not restrict <em>decryption</em> to that CMK — the SDK calls KMS with whatever
 * key ARN the ciphertext names — so callers that decrypt untrusted ciphertext should confirm the
 * SDK version in use, or move to {@code KmsMasterKeyProvider.builder().buildStrict(...)} on 1.7+.
 */
protected KmsMasterKeyProvider getProvider() {
    if (prov.isPresent()) {
        return prov.get();
    }
    final Region region = RegionUtils.getRegion(groupIdentifier.region.getName());
    final KmsMasterKeyProvider created = new KmsMasterKeyProvider(
            awsCredentials, region, transformAndVerifyOrThrow(clientConfiguration), getKeyArn());
    prov = Optional.of(created);
    return created;
}
 
Example #3
Source File: EncryptionService.java (from cerberus, Apache License 2.0)
/**
 * Initialize a Multi-KMS-MasterKeyProvider, one {@link KmsMasterKeyProvider} per CMK ARN, with
 * the ARN in {@code currentRegion} ordered first by {@code getSortedArnListByCurrentRegion}.
 *
 * <p>For encrypt, KMS in all regions must be available (every provider wraps the data key).
 * For decrypt, KMS in at least one region must be available.
 *
 * @param cmkArns CMK ARNs, one per region
 * @param currentRegion region whose CMK should be tried first
 * @return the combined provider; the cast is unchecked because
 *     {@code MultipleProviderFactory.buildMultiProvider} returns a wildcard provider type
 */
public static MasterKeyProvider<KmsMasterKey> initializeKeyProvider(
    List<String> cmkArns, Region currentRegion) {
  final List<String> orderedArns = getSortedArnListByCurrentRegion(cmkArns, currentRegion);
  final List<MasterKeyProvider<KmsMasterKey>> perRegion =
      orderedArns.stream()
          .map(arn -> new KmsMasterKeyProvider(arn))
          .collect(Collectors.toList());
  final MasterKeyProvider<?> combined = MultipleProviderFactory.buildMultiProvider(perRegion);
  return (MasterKeyProvider<KmsMasterKey>) combined;
}
 
Example #4
Source File: EscrowedEncryptExample.java (from aws-encryption-sdk-java, Apache License 2.0)
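/**
 * Encrypts {@code fileName} to {@code fileName + ".encrypted"} under both the KMS CMK and the
 * escrowed RSA public key, so either the CMK holder or the escrow private-key holder can decrypt.
 *
 * @param kmsArn   ARN of the KMS CMK that wraps the data key
 * @param fileName plaintext file to encrypt; output is written next to it with ".encrypted" appended
 * @throws Exception on I/O failure or if any master key provider fails to wrap the data key
 */
private static void standardEncrypt(final String kmsArn, final String fileName) throws Exception {
    // Encrypt with the KMS CMK and the escrowed public key
    // 1. Instantiate the SDK
    final AwsCrypto crypto = new AwsCrypto();

    // 2. Instantiate a KMS master key provider
    final KmsMasterKeyProvider kms = new KmsMasterKeyProvider(kmsArn);

    // 3. Instantiate a JCE master key provider
    // Because the user does not have access to the private escrow key,
    // they pass in "null" for the private key parameter.
    final JceMasterKey escrowPub = JceMasterKey.getInstance(publicEscrowKey, null, "Escrow", "Escrow",
            "RSA/ECB/OAEPWithSHA-512AndMGF1Padding");

    // 4. Combine the providers into a single master key provider
    final MasterKeyProvider<?> provider = MultipleProviderFactory.buildMultiProvider(kms, escrowPub);

    // 5. Encrypt the file
    // To simplify the code, we omit the encryption context. Production code should always
    // use an encryption context. For an example, see the other SDK samples.
    //
    // try-with-resources closes all three streams even when copy() throws (the previous version
    // leaked the input and output files on failure). Resources close in reverse declaration
    // order, so the encrypting stream finishes its output before the underlying file is closed.
    try (FileInputStream in = new FileInputStream(fileName);
         FileOutputStream out = new FileOutputStream(fileName + ".encrypted");
         CryptoOutputStream<?> encryptingStream = crypto.createEncryptingStream(provider, out)) {
        IOUtils.copy(in, encryptingStream);
    }
}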
 
Example #5
Source File: EscrowedEncryptExample.java (from aws-encryption-sdk-java, Apache License 2.0)
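/**
 * Decrypts {@code fileName + ".encrypted"} to {@code fileName + ".decrypted"} using the KMS CMK.
 *
 * <p>The escrow JCE key is included only for symmetry with {@code standardEncrypt}; since it is
 * built with a {@code null} private key it cannot unwrap anything, so the data key is always
 * unwrapped via KMS here.
 *
 * @param kmsArn   ARN of the KMS CMK that wrapped the data key
 * @param fileName base name; ".encrypted" is read and ".decrypted" is written
 * @throws Exception on I/O failure, or if the SDK rejects the message (bad tag, unknown key,
 *                   failed trailing signature check at close)
 */
private static void standardDecrypt(final String kmsArn, final String fileName) throws Exception {
    // Decrypt with the KMS CMK and the escrow public key. You can use a combined provider,
    // as shown here, or just the KMS master key provider.

    // 1. Instantiate the SDK
    final AwsCrypto crypto = new AwsCrypto();

    // 2. Instantiate a KMS master key provider
    final KmsMasterKeyProvider kms = new KmsMasterKeyProvider(kmsArn);

    // 3. Instantiate a JCE master key provider
    // Because the user does not have access to the private
    // escrow key, they pass in "null" for the private key parameter.
    final JceMasterKey escrowPub = JceMasterKey.getInstance(publicEscrowKey, null, "Escrow", "Escrow",
            "RSA/ECB/OAEPWithSHA-512AndMGF1Padding");

    // 4. Combine the providers into a single master key provider
    final MasterKeyProvider<?> provider = MultipleProviderFactory.buildMultiProvider(kms, escrowPub);

    // 5. Decrypt the file
    // To simplify the code, we omit the encryption context. Production code should always
    // use an encryption context. For an example, see the other SDK samples.
    //
    // try-with-resources closes all three streams even when copy() throws (the previous version
    // leaked the input and output files on failure) and closes the decrypting stream first.
    //
    // NOTE(review): with a streaming decrypt, plaintext is written to the ".decrypted" file as
    // frames are processed, while any trailing message signature can only be checked when the
    // decrypting stream is closed. Treat the output file as untrusted until this block completes
    // without throwing; a failure part-way leaves a partial, unverified file behind.
    try (FileInputStream in = new FileInputStream(fileName + ".encrypted");
         FileOutputStream out = new FileOutputStream(fileName + ".decrypted");
         CryptoOutputStream<?> decryptingStream = crypto.createDecryptingStream(provider, out)) {
        IOUtils.copy(in, decryptingStream);
    }
}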
 
Example #6
Source File: TestVectorRunner.java (from aws-encryption-sdk-java, Apache License 2.0)
/**
 * Builds the JUnit parameter sets for the compatibility suite from the test-vector zip named by
 * the {@code testVectorZip} system property. Without that property the suite has zero cases.
 *
 * <p>Only manifests of type {@code awses-decrypt}, version 1, are accepted; anything else is an
 * {@link IllegalArgumentException}. The key manifest and every test are resolved while the jar is
 * still open, because {@code parseTest} receives the {@link JarFile}.
 *
 * @return one {@code {name, parsedTest}} pair per entry in the manifest's "tests" map
 * @throws Exception if the zip cannot be opened or a manifest cannot be read or parsed
 */
@Parameterized.Parameters(name="Compatibility Test: {0}")
@SuppressWarnings("unchecked")
public static Collection<Object[]> data() throws Exception {
    final String vectorZip = System.getProperty("testVectorZip");
    if (vectorZip == null) {
        return Collections.emptyList();
    }

    final URL jarUrl = new URL("jar:" + vectorZip + "!/");
    final JarURLConnection connection = (JarURLConnection) jarUrl.openConnection();

    try (JarFile jar = connection.getJarFile()) {
        final Map<String, Object> manifest = readJsonMapFromJar(jar, "manifest.json");
        final Map<String, Object> header = (Map<String, Object>) manifest.get("manifest");

        // Reject anything other than the one manifest flavour this runner understands.
        final Object type = header.get("type");
        if (!"awses-decrypt".equals(type)) {
            throw new IllegalArgumentException("Unsupported manifest type: " + type);
        }
        final Object version = header.get("version");
        if (!Integer.valueOf(1).equals(version)) {
            throw new IllegalArgumentException("Unsupported manifest version: " + version);
        }

        final Map<String, Object> keyManifest = readJsonMapFromJar(jar, (String) manifest.get("keys"));
        final Map<String, KeyEntry> keys = parseKeyManifest(keyManifest);

        // KMS-backed vectors talk to real KMS using the default credential chain. NOTE(review):
        // no key IDs are configured on this provider, so it decrypts with whichever key ARN each
        // vector's ciphertext names — appropriate for a test-vector runner, not a production pattern.
        final KmsMasterKeyProvider kmsProv = KmsMasterKeyProvider.builder()
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .build();

        final Map<String, Map<String, Object>> tests =
                (Map<String, Map<String, Object>>) manifest.get("tests");
        final List<Object[]> cases = new ArrayList<>();
        for (Map.Entry<String, Map<String, Object>> test : tests.entrySet()) {
            final String name = test.getKey();
            cases.add(new Object[]{name, parseTest(name, test.getValue(), keys, jar, kmsProv)});
        }
        return cases;
    }
}
 
Example #7
Source File: AwsKmsEncryptionServiceTest.java (from ignite, Apache License 2.0)
/**
 * Round-trips a payload through the service with {@code AwsCrypto} and the KMS master key
 * provider replaced by mocks, so the service's own encrypt/decrypt plumbing is exercised without
 * any AWS call. The stubbed {@code getMasterKeyIds()} suggests {@code decrypt()} checks the
 * reported master key id against the configured one — verify in {@code AwsKmsEncryptionService}.
 */
@Test
public void testEncryptDecrypt() {
    final String keyId = "12345";
    final byte[] plaintext = "test string".getBytes(StandardCharsets.UTF_8);
    final byte[] ciphertext = "enc test string".getBytes(StandardCharsets.UTF_8);

    // Spy the real service so encrypt()/decrypt() run for real, but swap its AWS-facing
    // factory methods for mocks before init().
    final AwsKmsEncryptionService svc = Mockito.spy(new AwsKmsEncryptionService());
    svc.setKeyId(keyId)
        .setCredentials(new BasicAWSCredentials("dummy", "dummy"))
        .setRegion(Region.getRegion(Regions.AP_SOUTH_1));

    final AwsCrypto crypto = Mockito.mock(AwsCrypto.class);
    final KmsMasterKeyProvider provider = Mockito.mock(KmsMasterKeyProvider.class);
    final CryptoResult encResult = Mockito.mock(CryptoResult.class);
    final CryptoResult decResult = Mockito.mock(CryptoResult.class);

    Mockito.doReturn(crypto).when(svc).createClient();
    Mockito.doReturn(provider).when(svc).createKmsMasterKeyProvider();

    svc.init();

    // encryptData(plaintext) -> ciphertext
    Mockito.doReturn(encResult).when(crypto).encryptData(provider, plaintext);
    Mockito.doReturn(ciphertext).when(encResult).getResult();

    // decryptData(ciphertext) -> plaintext, reporting the configured key id as the master key
    Mockito.doReturn(decResult).when(crypto).decryptData(provider, ciphertext);
    Mockito.doReturn(Arrays.asList(keyId)).when(decResult).getMasterKeyIds();
    Mockito.doReturn(plaintext).when(decResult).getResult();

    final byte[] roundTripped = svc.decrypt(svc.encrypt(plaintext));

    Assert.assertArrayEquals(plaintext, roundTripped);
}
 
Example #8
Source File: AwsKmsEncryptionService.java (from ignite, Apache License 2.0)
/**
 * Builds the {@link KmsMasterKeyProvider} used by this service, bound to the configured
 * {@code region}, {@code clientConf} and the single CMK {@code keyId}, and authenticating with
 * the static {@code creds} supplied via {@code setCredentials}.
 *
 * <p>Package-private so tests can override it and return a mock (see the service test).
 * NOTE(review): {@code creds} are long-lived static access keys wrapped in an
 * {@code AWSStaticCredentialsProvider}; where the deployment allows, a role-based or default
 * credential chain avoids having to distribute and rotate those keys in the Ignite config.
 *
 * @return An instance of {@link KmsMasterKeyProvider}.
 */
KmsMasterKeyProvider createKmsMasterKeyProvider() {
    final AWSStaticCredentialsProvider staticCreds = new AWSStaticCredentialsProvider(creds);
    return new KmsMasterKeyProvider(staticCreds, region, clientConf, keyId);
}