com.amazonaws.encryptionsdk.AwsCrypto Java Examples
The following examples show how to use
com.amazonaws.encryptionsdk.AwsCrypto.
Example #1
Source File: KMSProviderBuilderIntegrationTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts one byte under each fixture key with a builder-created provider, then tries to
 * decrypt with a provider made by the deprecated no-arg constructor.
 *
 * <p>The test passes only if {@code CannotUnwrapDataKeyException} is thrown, so the loop
 * ends at the first decrypt that the legacy provider cannot serve.
 */
@SuppressWarnings("deprecation")
@Test(expected = CannotUnwrapDataKeyException.class)
public void whenLegacyConstructorsUsed_multiRegionDecryptIsNotSupported() throws Exception {
    // Deprecated constructor: no key ids and no region are supplied here.
    KmsMasterKeyProvider legacyProvider = new KmsMasterKeyProvider();

    for (String keyId : KMSTestFixtures.TEST_KEY_IDS) {
        // Encryption is pinned to exactly one key id per iteration.
        KmsMasterKeyProvider encryptProvider = KmsMasterKeyProvider.builder()
                .withKeysForEncryption(keyId)
                .build();
        byte[] ciphertext = new AwsCrypto().encryptData(encryptProvider, new byte[1]).getResult();

        new AwsCrypto().decryptData(legacyProvider, ciphertext);
    }
}
Example #2
Source File: KeyStoreProviderTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a keystore provider holding two RSA entries and checks that decryption
 * still works after the first entry is deleted from the keystore.
 */
@Test
public void multipleKeys() throws Exception {
    addEntry("key1");
    addEntry("key2");
    final KeyStoreProvider provider = new KeyStoreProvider(ks, PP, "KeyStore",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "key1", "key2");
    // Looked up but never asserted on; kept so the lookup itself is exercised.
    @SuppressWarnings("unused")
    final JceMasterKey firstKey = provider.getMasterKey("key1");
    final JceMasterKey secondKey = provider.getMasterKey("key2");
    final AwsCrypto sdk = new AwsCrypto();

    final CryptoResult<byte[], JceMasterKey> encrypted = sdk.encryptData(provider, PLAINTEXT);
    // The ciphertext is expected to name both master keys.
    assertEquals(2, encrypted.getMasterKeyIds().size());

    CryptoResult<byte[], JceMasterKey> decrypted =
            sdk.decryptData(provider, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Which key does the unwrapping is not deterministic, so only the count is checked.
    assertEquals(1, decrypted.getMasterKeys().size());

    // With key1 gone, key2 is the only entry left that can unwrap the data key.
    ks.deleteEntry("key1");
    decrypted = sdk.decryptData(provider, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Decryption reports a single master key: the first one that worked.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(secondKey, decrypted.getMasterKeys().get(0));
}
Example #3
Source File: KMSProviderBuilderMockTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Runs one encrypt/decrypt round trip against a spied mock KMS client and checks that each
 * of the three captured KMS requests carries the SDK's user-agent string.
 */
@Test
public void testUserAgentPassthrough() throws Exception {
    MockKMSClient kmsSpy = spy(new MockKMSClient());

    String firstArn = kmsSpy.createKey().getKeyMetadata().getArn();
    String secondArn = kmsSpy.createKey().getKeyMetadata().getArn();

    // Every regional client lookup is answered with the same spy.
    KmsMasterKeyProvider provider = KmsMasterKeyProvider.builder()
            .withKeysForEncryption(firstArn, secondArn)
            .withCustomClientFactory(ignored -> kmsSpy)
            .build();

    byte[] ciphertext = new AwsCrypto().encryptData(provider, new byte[0]).getResult();
    new AwsCrypto().decryptData(provider, ciphertext);

    // Exactly one GenerateDataKey call is expected for the round trip.
    ArgumentCaptor<GenerateDataKeyRequest> generateCaptor =
            ArgumentCaptor.forClass(GenerateDataKeyRequest.class);
    verify(kmsSpy, times(1)).generateDataKey(generateCaptor.capture());
    assertTrue(getUA(generateCaptor.getValue()).contains(VersionInfo.USER_AGENT));

    // Exactly one Encrypt call is expected as well.
    ArgumentCaptor<EncryptRequest> encryptCaptor = ArgumentCaptor.forClass(EncryptRequest.class);
    verify(kmsSpy, times(1)).encrypt(encryptCaptor.capture());
    assertTrue(getUA(encryptCaptor.getValue()).contains(VersionInfo.USER_AGENT));

    // And exactly one Decrypt call.
    ArgumentCaptor<DecryptRequest> decryptCaptor = ArgumentCaptor.forClass(DecryptRequest.class);
    verify(kmsSpy, times(1)).decrypt(decryptCaptor.capture());
    assertTrue(getUA(decryptCaptor.getValue()).contains(VersionInfo.USER_AGENT));
}
Example #4
Source File: KMSProviderBuilderMockTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
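/**
 * Checks which grant tokens a legacy-constructed provider forwards on GenerateDataKey after
 * a sequence of {@code addGrantToken} / {@code setGrantTokens} calls.
 *
 * <p>Tokens set last ("a", "b") plus the one added afterwards ("c") must be present; tokens
 * that were replaced by a later {@code setGrantTokens} call ("x", "y") must not be.
 */
@Test
public void testLegacyGrantTokenPassthrough() throws Exception {
    MockKMSClient client = spy(new MockKMSClient());

    String key1 = client.createKey().getKeyMetadata().getArn();

    KmsMasterKeyProvider mkp =
            new KmsMasterKeyProvider(client, getRegion(fromName("us-west-2")), singletonList(key1));

    mkp.addGrantToken("x");
    mkp.setGrantTokens(new ArrayList<>(Arrays.asList("y")));
    mkp.setGrantTokens(new ArrayList<>(Arrays.asList("a", "b")));
    mkp.addGrantToken("c");

    // Only the side effect on the spied client matters; the ciphertext is not inspected.
    new AwsCrypto().encryptData(mkp, new byte[0]).getResult();

    ArgumentCaptor<GenerateDataKeyRequest> gdkr = ArgumentCaptor.forClass(GenerateDataKeyRequest.class);
    verify(client, times(1)).generateDataKey(gdkr.capture());

    List<String> grantTokens = gdkr.getValue().getGrantTokens();
    assertTrue(grantTokens.contains("a"));
    assertTrue(grantTokens.contains("b"));
    assertTrue(grantTokens.contains("c"));
    assertFalse(grantTokens.contains("x"));
    // The original asserted on "z", a token that is never supplied, so the check could not
    // fail. "y" is the token that the second setGrantTokens call should have discarded; a
    // stale grant token leaking into a KMS request is what this assertion guards against.
    assertFalse(grantTokens.contains("y"));
}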
Example #5
Source File: KeyStoreProviderTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a provider that lists "key1" (added via {@code addPublicEntry}) and "key2"
 * (added via {@code addEntry}), then decrypts through a second provider over the same
 * keystore that names only "key1".
 */
@Test
public void escrowAndSymmetricSecondProvider() throws GeneralSecurityException, IOException {
    addPublicEntry("key1");
    addEntry("key2");

    final KeyStoreProvider encryptProvider = new KeyStoreProvider(ks, PP, "KeyStore",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "key1", "key2");
    // Looked up but never asserted on.
    @SuppressWarnings("unused")
    final JceMasterKey publicOnlyKey = encryptProvider.getMasterKey("key1");
    final JceMasterKey keyPair = encryptProvider.getMasterKey("key2");

    final AwsCrypto sdk = new AwsCrypto();
    final CryptoResult<byte[], JceMasterKey> encrypted = sdk.encryptData(encryptProvider, PLAINTEXT);
    assertEquals(2, encrypted.getMasterKeyIds().size());

    final KeyStoreProvider decryptProvider = new KeyStoreProvider(ks, PP, "KeyStore",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "key1");
    CryptoResult<byte[], JceMasterKey> decrypted =
            sdk.decryptData(decryptProvider, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());

    // Decryption can only have succeeded through the full key pair, i.e. key2.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(keyPair, decrypted.getMasterKeys().get(0));
}
Example #6
Source File: KMSProviderBuilderMockTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts with a legacy-constructed provider whose only key id is the bare alias
 * "alias/foo"; the test passes when {@code encryptData} completes without throwing.
 */
@Test
public void testBareAliasMapping_withLegacyCtor() {
    MockKMSClient kmsSpy = spy(new MockKMSClient());

    // Stubbed, but not handed to the provider below: the legacy constructor takes the
    // client directly.
    RegionalClientSupplier clientSupplier = mock(RegionalClientSupplier.class);
    when(clientSupplier.getClient(any())).thenReturn(kmsSpy);

    String keyId = kmsSpy.createKey().getKeyMetadata().getKeyId();
    CreateAliasRequest aliasRequest = new CreateAliasRequest()
            .withAliasName("foo")
            .withTargetKeyId(keyId);
    kmsSpy.createAlias(aliasRequest);

    KmsMasterKeyProvider provider = new KmsMasterKeyProvider(
            kmsSpy,
            Region.getRegion(Regions.DEFAULT_REGION),
            Arrays.asList("alias/foo")
    );

    new AwsCrypto().encryptData(provider, new byte[0]);
}
Example #7
Source File: KMSProviderBuilderMockTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts with a builder-created provider whose only key id is the bare alias "alias/foo"
 * and whose default region is "us-west-2"; the test passes when {@code encryptData}
 * completes without throwing.
 */
@Test
public void testBareAliasMapping() {
    MockKMSClient kmsSpy = spy(new MockKMSClient());

    // Any non-null region argument is answered with the same spied client.
    RegionalClientSupplier clientSupplier = mock(RegionalClientSupplier.class);
    when(clientSupplier.getClient(notNull())).thenReturn(kmsSpy);

    String keyId = kmsSpy.createKey().getKeyMetadata().getKeyId();
    CreateAliasRequest aliasRequest = new CreateAliasRequest()
            .withAliasName("foo")
            .withTargetKeyId(keyId);
    kmsSpy.createAlias(aliasRequest);

    // A bare alias carries no region of its own, so a default region is configured.
    KmsMasterKeyProvider provider = KmsMasterKeyProvider.builder()
            .withKeysForEncryption("alias/foo")
            .withCustomClientFactory(clientSupplier)
            .withDefaultRegion("us-west-2")
            .build();

    new AwsCrypto().encryptData(provider, new byte[0]);
}
Example #8
Source File: KeyStoreProviderTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Combines a raw AES-GCM master key with a keystore-backed RSA provider, encrypts once
 * under the combined provider, and checks that the ciphertext decrypts through the
 * combination and through each member on its own.
 */
@Test
public void keystoreAndRawProvider() throws GeneralSecurityException, IOException {
    addEntry("key1");

    final SecretKeySpec aesKey = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey rawKey = JceMasterKey.getInstance(aesKey, "jce", "1", "AES/GCM/NoPadding");
    final KeyStoreProvider keystoreProvider = new KeyStoreProvider(ks, PP, "KeyStore",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "key1");

    MasterKeyProvider<JceMasterKey> combined =
            MultipleProviderFactory.buildMultiProvider(JceMasterKey.class, rawKey, keystoreProvider);
    // Lookup by provider name and key id must resolve to the raw key.
    assertEquals(rawKey, combined.getMasterKey("jce", "1"));

    final AwsCrypto sdk = new AwsCrypto();
    final CryptoResult<byte[], JceMasterKey> encrypted = sdk.encryptData(combined, PLAINTEXT);
    assertEquals(2, encrypted.getMasterKeyIds().size());

    CryptoResult<byte[], JceMasterKey> decrypted = sdk.decryptData(combined, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    assertEquals(rawKey, decrypted.getMasterKeys().get(0));

    // Either member alone must be able to recover the plaintext.
    final byte[] viaRawKey = sdk.decryptData(rawKey, encrypted.getResult()).getResult();
    assertArrayEquals(PLAINTEXT, viaRawKey);
    final byte[] viaKeystore = sdk.decryptData(keystoreProvider, encrypted.getResult()).getResult();
    assertArrayEquals(PLAINTEXT, viaKeystore);
}
Example #9
Source File: DecryptionHandlerTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Produces ciphertext header bytes for the decryption tests by running an
 * {@code EncryptionHandler} over zero bytes of input.
 *
 * @return a buffer sized by {@code estimateOutputSize(0)} that the handler has written into
 */
private byte[] getTestHeaders() {
    final CryptoAlgorithm algorithm = AwsCrypto.getDefaultCryptoAlgorithm();
    final int frameSize = AwsCrypto.getDefaultFrameSize();

    // No encryption context is attached to these test materials.
    final Map<String, String> emptyContext = Collections.emptyMap();
    final EncryptionMaterialsRequest materialsRequest = EncryptionMaterialsRequest.newBuilder()
            .setContext(emptyContext)
            .setRequestedAlgorithm(algorithm)
            .build();

    final DefaultCryptoMaterialsManager materialsManager =
            new DefaultCryptoMaterialsManager(masterKeyProvider_);
    final EncryptionMaterials materials = materialsManager.getMaterialsForEncrypt(materialsRequest);

    final EncryptionHandler handler = new EncryptionHandler(frameSize, materials);

    // Processing an empty input makes the handler emit the headers into the output buffer.
    final byte[] emptyInput = new byte[0];
    final byte[] headerBytes = new byte[handler.estimateOutputSize(emptyInput.length)];
    handler.processBytes(emptyInput, 0, emptyInput.length, headerBytes, 0);
    return headerBytes;
}
Example #10
Source File: KMSProviderBuilderIntegrationTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Checks that credentials passed to the provider builder are the ones consulted during an
 * encrypt call, first as a credentials provider and then as a fixed credentials object.
 */
@Test
public void whenCustomCredentialsSet_theyAreUsed() throws Exception {
    final String keyId = KMSTestFixtures.TEST_KEY_IDS[0];

    // Case 1: a spied credentials provider.
    AWSCredentialsProvider spiedProvider = spy(new DefaultAWSCredentialsProviderChain());
    KmsMasterKeyProvider masterKeyProvider = KmsMasterKeyProvider.builder()
            .withCredentials(spiedProvider)
            .withKeysForEncryption(keyId)
            .build();
    new AwsCrypto().encryptData(masterKeyProvider, new byte[1]);
    verify(spiedProvider, atLeastOnce()).getCredentials();

    // Case 2: a spied static credentials object obtained from that provider.
    AWSCredentials spiedCredentials = spy(spiedProvider.getCredentials());
    masterKeyProvider = KmsMasterKeyProvider.builder()
            .withCredentials(spiedCredentials)
            .withKeysForEncryption(keyId)
            .build();
    new AwsCrypto().encryptData(masterKeyProvider, new byte[1]);
    // Reading the secret key is taken as evidence that these credentials were used.
    verify(spiedCredentials, atLeastOnce()).getAWSSecretKey();
}
Example #11
Source File: CipherHandlerTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts random content, changes the first byte of the output, and expects decryption of
 * the modified bytes to fail with {@code BadCiphertextException}.
 */
@Test(expected = BadCiphertextException.class)
public void tamperCiphertext() {
    final CryptoAlgorithm algorithm = AwsCrypto.getDefaultCryptoAlgorithm();

    final byte[] plaintext = RandomBytesGenerator.generate(contentLen_);
    final byte[] rawKey = RandomBytesGenerator.generate(algorithm.getKeyLength());
    final byte[] nonce = RandomBytesGenerator.generate(algorithm.getNonceLen());
    final SecretKey key = new SecretKeySpec(rawKey, algorithm.getKeyAlgo());

    final CipherHandler encryptor = createCipherHandler(key, algorithm, Cipher.ENCRYPT_MODE);
    final byte[] ciphertext = encryptor.cipherData(nonce, contentAad_, plaintext, 0, plaintext.length);

    // Alter the first byte; the same key, nonce and AAD are reused for the decrypt attempt,
    // so the modification is the only difference.
    ciphertext[0] = (byte) (ciphertext[0] + 1);

    final CipherHandler decryptor = createCipherHandler(key, algorithm, Cipher.DECRYPT_MODE);
    decryptor.cipherData(nonce, contentAad_, ciphertext, 0, ciphertext.length);
}
Example #12
Source File: KMSProviderBuilderIntegrationTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Checks that a request handler registered on the KMS client builder is invoked when the
 * provider built from it performs an encrypt call.
 */
@Test
public void whenHandlerConfigured_handlerIsInvoked() throws Exception {
    // An empty anonymous subclass, spied so that calls to it can be verified.
    RequestHandler2 spiedHandler = spy(new RequestHandler2() {});

    KmsMasterKeyProvider provider = KmsMasterKeyProvider.builder()
            .withClientBuilder(AWSKMSClientBuilder.standard().withRequestHandlers(spiedHandler))
            .withKeysForEncryption(KMSTestFixtures.TEST_KEY_IDS[0])
            .build();

    new AwsCrypto().encryptData(provider, new byte[1]);

    verify(spiedHandler).beforeRequest(any());
}
Example #13
Source File: KMSProviderBuilderIntegrationTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts one byte under each fixture key and decrypts every ciphertext with a single
 * provider that was built without any key ids.
 *
 * <p>The decrypting provider is not pinned to particular keys, so it attempts whichever
 * key the ciphertext names. NOTE(review): newer SDK releases make this choice explicit
 * through {@code buildStrict} / {@code buildDiscovery}; confirm against the SDK version
 * in use before copying this pattern into production code.
 */
@Test
public void whenConstructedWithoutArguments_canUseMultipleRegions() throws Exception {
    KmsMasterKeyProvider decryptProvider = KmsMasterKeyProvider.builder().build();

    for (String keyId : KMSTestFixtures.TEST_KEY_IDS) {
        // Encryption is pinned to exactly one key id per iteration.
        KmsMasterKeyProvider encryptProvider = KmsMasterKeyProvider.builder()
                .withKeysForEncryption(keyId)
                .build();
        byte[] ciphertext = new AwsCrypto().encryptData(encryptProvider, new byte[1]).getResult();

        new AwsCrypto().decryptData(decryptProvider, ciphertext);
    }
}
Example #14
Source File: MultipleMasterKeyTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a multi-provider made of a JCE AES master key and a static mock master
 * key, then decrypts through the same multi-provider.
 */
@Test
public void testMixedKeys() {
    final SecretKeySpec aesKey = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey jceKey = JceMasterKey.getInstance(aesKey, "jce", "1", WRAPPING_ALG);
    StaticMasterKey staticKey = new StaticMasterKey("mock1");
    final MasterKeyProvider<?> combined = MultipleProviderFactory.buildMultiProvider(jceKey, staticKey);

    AwsCrypto sdk = new AwsCrypto();
    CryptoResult<byte[], ?> encrypted = sdk.encryptData(combined, PLAINTEXT);
    // Both master keys are expected to be named on the ciphertext.
    assertEquals(2, encrypted.getMasterKeyIds().size());

    CryptoResult<byte[], ?> decrypted = sdk.decryptData(combined, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Decryption reports a single master key: the first one that worked.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(jceKey, decrypted.getMasterKeys().get(0));

    assertMultiReturnsKeys(combined, jceKey, staticKey);
}
Example #15
Source File: KMSEncryptor.java From strongbox with Apache License 2.0 | 6 votes |
/**
 * Stores the collaborators and configures the supplied {@code AwsCrypto} instance with the
 * algorithm suite that matches the requested strength.
 *
 * <p>Both suites selected here are AES-GCM suites whose names include HKDF key derivation
 * and an ECDSA signature. Note that the {@code awsCrypto} argument is mutated, so a caller
 * sharing one instance between encryptors will see the last configured suite.
 *
 * @param kmsManager manager kept for later use by this encryptor
 * @param awsCredentials credentials provider kept for later use
 * @param clientConfiguration client configuration kept for later use
 * @param groupIdentifier secrets group this encryptor belongs to
 * @param awsCrypto SDK instance to configure and keep
 * @param encryptionStrength {@code AES_128} or {@code AES_256}
 * @throws IllegalArgumentException if the strength is neither of the two handled values
 */
public KMSEncryptor(KMSManager kmsManager,
                    AWSCredentialsProvider awsCredentials,
                    ClientConfiguration clientConfiguration,
                    SecretsGroupIdentifier groupIdentifier,
                    AwsCrypto awsCrypto,
                    EncryptionStrength encryptionStrength) {
    this.awsCredentials = awsCredentials;
    this.clientConfiguration = clientConfiguration;
    this.groupIdentifier = groupIdentifier;
    this.kmsManager = kmsManager;

    // Refuse unknown strengths rather than falling back to a default suite.
    final CryptoAlgorithm suite;
    if (encryptionStrength.equals(EncryptionStrength.AES_128)) {
        suite = CryptoAlgorithm.ALG_AES_128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256;
    } else if (encryptionStrength.equals(EncryptionStrength.AES_256)) {
        suite = CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384;
    } else {
        throw new IllegalArgumentException(String.format("Unrecognized encryption strength %s", encryptionStrength.toString()));
    }
    awsCrypto.setEncryptionAlgorithm(suite);

    this.crypto = awsCrypto;
}
Example #16
Source File: KMSEncryptorTest.java From strongbox with Apache License 2.0 | 6 votes |
/**
 * Builds a {@code KMSEncryptor} over mocked collaborators, replaces its provider lookup
 * with a mock, and verifies that construction selected the AES-256 algorithm suite.
 */
@BeforeMethod
public void setUp() throws Exception {
    AWSCredentialsProvider credentialsMock = mock(AWSCredentialsProvider.class);
    ClientConfiguration configMock = mock(ClientConfiguration.class);
    SecretsGroupIdentifier groupId = new SecretsGroupIdentifier(Region.US_WEST_1, "test.group");

    this.mockAwsCrypto = mock(AwsCrypto.class);
    this.mockKmsManager = mock(KMSManager.class);

    KMSEncryptor realEncryptor = new KMSEncryptor(
            mockKmsManager, credentialsMock, configMock, groupId, mockAwsCrypto,
            EncryptionStrength.AES_256);
    // Spy so that getProvider() can be redirected to a mock below.
    this.kmsEncryptor = spy(realEncryptor);

    this.mockProvider = mock(KmsMasterKeyProvider.class);
    doReturn(mockProvider).when(kmsEncryptor).getProvider();

    // The constructor must have configured the AES-256 suite exactly once.
    verify(mockAwsCrypto, times(1))
            .setEncryptionAlgorithm(CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384);
}
Example #17
Source File: MultipleMasterKeyTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a multi-provider made of a JCE AES master key and a static mock master
 * key, then decrypts the same ciphertext with each master key on its own.
 */
@Test
public void testMixedKeysSingleDecrypt() {
    final SecretKeySpec aesKey = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey jceKey = JceMasterKey.getInstance(aesKey, "jce", "1", WRAPPING_ALG);
    StaticMasterKey staticKey = new StaticMasterKey("mock1");
    final MasterKeyProvider<?> combined = MultipleProviderFactory.buildMultiProvider(jceKey, staticKey);

    AwsCrypto sdk = new AwsCrypto();
    CryptoResult<byte[], ?> encrypted = sdk.encryptData(combined, PLAINTEXT);
    assertEquals(2, encrypted.getMasterKeyIds().size());

    // Decrypt with the JCE key alone.
    CryptoResult<byte[], ?> decrypted = sdk.decryptData(jceKey, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // A single master key is reported, and it is the one that was supplied.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(jceKey, decrypted.getMasterKeys().get(0));

    // Decrypt with the static key alone.
    decrypted = sdk.decryptData(staticKey, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Again a single master key is reported.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(staticKey, decrypted.getMasterKeys().get(0));
}
Example #18
Source File: KMSProviderBuilderIntegrationTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Checks that the KMS client stored in the provider's client cache under "us-west-2" after
 * a first encrypt call is still the same entry after a second one.
 */
@Test
public void whenOperationSuccessful_clientIsCached() {
    AtomicReference<ConcurrentHashMap<String, AWSKMS>> cacheRef = new AtomicReference<>();

    // Subclass the builder only to get hold of the client cache map.
    KmsMasterKeyProvider.Builder snoopingBuilder = new KmsMasterKeyProvider.Builder() {
        @Override
        protected void snoopClientCache(final ConcurrentHashMap<String, AWSKMS> map) {
            cacheRef.set(map);
        }
    };
    KmsMasterKeyProvider provider = snoopingBuilder
            .withKeysForEncryption(KMSTestFixtures.TEST_KEY_IDS[0])
            .build();

    new AwsCrypto().encryptData(provider, new byte[1]);
    AWSKMS cachedClient = cacheRef.get().get("us-west-2");
    assertNotNull(cachedClient);

    new AwsCrypto().encryptData(provider, new byte[1]);
    // The second call must not have replaced the cache entry.
    assertEquals(cachedClient, cacheRef.get().get("us-west-2"));
}
Example #19
Source File: EscrowedEncryptExample.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
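/**
 * Decrypts {@code fileName + ".encrypted"} into {@code fileName + ".deescrowed"} using only
 * the escrowed RSA key pair. This path does not call AWS KMS.
 *
 * <p>All three streams are opened in a try-with-resources block, so they are closed even
 * when the copy or the decryption fails. The original closed them only on the success
 * path, which left file handles open after an error.
 *
 * @param fileName base name of the file to decrypt
 * @throws Exception if the files cannot be opened or the ciphertext cannot be decrypted
 */
private static void escrowDecrypt(final String fileName) throws Exception {
    // 1. Instantiate the SDK
    // NOTE(review): newer SDK releases create AwsCrypto through a builder with an explicit
    // commitment policy; confirm against the SDK version in use.
    final AwsCrypto crypto = new AwsCrypto();

    // 2. Instantiate a JCE master key provider
    // Unlike an encrypt-only setup, the private half of the escrow key is supplied here.
    final JceMasterKey escrowPriv = JceMasterKey.getInstance(publicEscrowKey, privateEscrowKey, "Escrow", "Escrow",
            "RSA/ECB/OAEPWithSHA-512AndMGF1Padding");

    // 3. Decrypt the file
    // To simplify the code, we omit the encryption context. Production code should always
    // use an encryption context. For an example, see the other SDK samples.
    //
    // Resources close in reverse order: the decrypting stream first, then the underlying
    // output file, then the input. If an exception is thrown, a partial ".deescrowed" file
    // may remain on disk; treat its contents as unverified and discard it.
    try (FileInputStream in = new FileInputStream(fileName + ".encrypted");
         FileOutputStream out = new FileOutputStream(fileName + ".deescrowed");
         CryptoOutputStream<?> decryptingStream = crypto.createDecryptingStream(escrowPriv, out)) {
        IOUtils.copy(in, decryptingStream);
    }
}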
Example #20
Source File: LegacyKMSMasterKeyProviderTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a legacy-constructed provider holding two mock KMS keys and checks that
 * decryption through the same provider reports the first key.
 */
@Test
public void testMultipleKmsKeys() {
    final MockKMSClient kmsClient = new MockKMSClient();
    final String firstArn = kmsClient.createKey().getKeyMetadata().getArn();
    final String secondArn = kmsClient.createKey().getKeyMetadata().getArn();

    MasterKeyProvider<KmsMasterKey> provider = legacyConstruct(kmsClient, firstArn, secondArn);
    KmsMasterKey firstKey = provider.getMasterKey(firstArn);

    AwsCrypto sdk = new AwsCrypto();
    CryptoResult<byte[], KmsMasterKey> encrypted = sdk.encryptData(provider, PLAINTEXT);
    // Both KMS keys are expected to be named on the ciphertext.
    assertEquals(2, encrypted.getMasterKeyIds().size());

    CryptoResult<byte[], KmsMasterKey> decrypted = sdk.decryptData(provider, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Decryption reports a single master key: the first one that worked.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(firstKey, decrypted.getMasterKeys().get(0));
}
Example #21
Source File: MultipleMasterKeyTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a multi-provider of two independent JCE AES master keys, then decrypts
 * the same ciphertext with each key on its own.
 */
@Test
public void testMultipleJceKeysSingleDecrypt() {
    final SecretKeySpec firstAes = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey firstKey = JceMasterKey.getInstance(firstAes, "jce", "1", WRAPPING_ALG);
    final SecretKeySpec secondAes = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey secondKey = JceMasterKey.getInstance(secondAes, "jce", "2", WRAPPING_ALG);
    final MasterKeyProvider<JceMasterKey> combined =
            MultipleProviderFactory.buildMultiProvider(JceMasterKey.class, firstKey, secondKey);

    AwsCrypto sdk = new AwsCrypto();
    CryptoResult<byte[], JceMasterKey> encrypted = sdk.encryptData(combined, PLAINTEXT);
    assertEquals(2, encrypted.getMasterKeyIds().size());

    // Decrypt with the first key alone.
    CryptoResult<byte[], JceMasterKey> decrypted = sdk.decryptData(firstKey, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // A single master key is reported, and it is the one that was supplied.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(firstKey, decrypted.getMasterKeys().get(0));

    // Decrypt with the second key alone.
    decrypted = sdk.decryptData(secondKey, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Again a single master key is reported.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(secondKey, decrypted.getMasterKeys().get(0));
}
Example #22
Source File: MultipleMasterKeyTest.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a multi-provider of two independent JCE AES master keys and decrypts
 * through the same multi-provider.
 */
@Test
public void testMultipleJceKeys() {
    final SecretKeySpec firstAes = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey firstKey = JceMasterKey.getInstance(firstAes, "jce", "1", WRAPPING_ALG);
    final SecretKeySpec secondAes = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey secondKey = JceMasterKey.getInstance(secondAes, "jce", "2", WRAPPING_ALG);
    final MasterKeyProvider<JceMasterKey> combined =
            MultipleProviderFactory.buildMultiProvider(JceMasterKey.class, firstKey, secondKey);

    AwsCrypto sdk = new AwsCrypto();
    CryptoResult<byte[], JceMasterKey> encrypted = sdk.encryptData(combined, PLAINTEXT);
    // Both master keys are expected to be named on the ciphertext.
    assertEquals(2, encrypted.getMasterKeyIds().size());

    CryptoResult<byte[], JceMasterKey> decrypted = sdk.decryptData(combined, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Decryption reports a single master key: the first one that worked.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(firstKey, decrypted.getMasterKeys().get(0));

    assertMultiReturnsKeys(combined, firstKey, secondKey);
}
Example #23
Source File: LegacyKMSMasterKeyProviderTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a multi-provider made of a JCE AES master key and a mock KMS master key
 * obtained from a legacy-constructed provider, then decrypts through the same
 * multi-provider.
 */
@Test
public void testMixedKeys() {
    final SecretKeySpec aesKey = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey jceKey = JceMasterKey.getInstance(aesKey, "jce", "1", WRAPPING_ALG);

    final MockKMSClient kmsClient = new MockKMSClient();
    final String kmsArn = kmsClient.createKey().getKeyMetadata().getArn();
    // The legacy provider is built without key ids; the key is looked up by ARN afterwards.
    MasterKeyProvider<KmsMasterKey> kmsProvider = legacyConstruct(kmsClient);
    KmsMasterKey kmsKey = kmsProvider.getMasterKey(kmsArn);

    final MasterKeyProvider<?> combined = MultipleProviderFactory.buildMultiProvider(jceKey, kmsKey);

    AwsCrypto sdk = new AwsCrypto();
    CryptoResult<byte[], ?> encrypted = sdk.encryptData(combined, PLAINTEXT);
    assertEquals(2, encrypted.getMasterKeyIds().size());

    CryptoResult<byte[], ?> decrypted = sdk.decryptData(combined, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Decryption reports a single master key: the first one that worked.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(jceKey, decrypted.getMasterKeys().get(0));

    assertMultiReturnsKeys(combined, jceKey, kmsKey);
}
Example #24
Source File: LegacyKMSMasterKeyProviderTests.java From aws-encryption-sdk-java with Apache License 2.0 | 6 votes |
/**
 * Encrypts under a multi-provider made of a JCE AES master key and a mock KMS master key,
 * then decrypts the same ciphertext with each master key on its own.
 */
@Test
public void testMixedKeysSingleDecrypt() {
    final SecretKeySpec aesKey = new SecretKeySpec(generate(32), "AES");
    final JceMasterKey jceKey = JceMasterKey.getInstance(aesKey, "jce", "1", WRAPPING_ALG);

    final MockKMSClient kmsClient = new MockKMSClient();
    final String kmsArn = kmsClient.createKey().getKeyMetadata().getArn();
    // The legacy provider is built without key ids; the key is looked up by ARN afterwards.
    MasterKeyProvider<KmsMasterKey> kmsProvider = legacyConstruct(kmsClient);
    KmsMasterKey kmsKey = kmsProvider.getMasterKey(kmsArn);

    final MasterKeyProvider<?> combined = MultipleProviderFactory.buildMultiProvider(jceKey, kmsKey);

    AwsCrypto sdk = new AwsCrypto();
    CryptoResult<byte[], ?> encrypted = sdk.encryptData(combined, PLAINTEXT);
    assertEquals(2, encrypted.getMasterKeyIds().size());

    // Decrypt with the JCE key alone.
    CryptoResult<byte[], ?> decrypted = sdk.decryptData(jceKey, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // A single master key is reported, and it is the one that was supplied.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(jceKey, decrypted.getMasterKeys().get(0));

    // Decrypt with the KMS key alone.
    decrypted = sdk.decryptData(kmsKey, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Again a single master key is reported.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(kmsKey, decrypted.getMasterKeys().get(0));
}
Example #25
Source File: FrameDecryptionHandlerTest.java From aws-encryption-sdk-java with Apache License 2.0 | 5 votes |
/**
 * Feeds the frame decryption handler a hand-built input whose trailing 4-byte integer is
 * one larger than the default frame size, and expects {@code BadCiphertextException}.
 *
 * <p>The point for a reader: a length field taken from the ciphertext is checked against
 * the configured frame size rather than being trusted.
 */
@Test(expected = BadCiphertextException.class)
public void finalFrameLengthTooLarge() {
    // 20 fixed bytes, supplied as unsigned values and converted to Java's signed bytes.
    final int[] leadingBytes =
            new int[] {255, 255, 255, 255, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};

    final ByteBuffer frame = ByteBuffer.allocate(25);
    frame.put(TestUtils.unsignedBytesToSignedBytes(leadingBytes));
    // The oversized length value under test.
    frame.putInt(AwsCrypto.getDefaultFrameSize() + 1);

    final byte[] input = frame.array();
    final byte[] output = new byte[input.length];
    frameDecryptionHandler_.processBytes(input, 0, input.length, output, 0);
}
Example #26
Source File: KeyStoreProviderTest.java From aws-encryption-sdk-java with Apache License 2.0 | 5 votes |
/**
 * Models an escrow setup: a second keystore receives only the public part of "escrowKey".
 * A provider over that keystore can encrypt but must fail to decrypt, while a provider
 * over the original keystore can decrypt.
 */
@Test
public void escrowCase() throws GeneralSecurityException, IOException {
    addEntry("escrowKey");

    // Second keystore, populated with the public part of the entry only.
    KeyStore publicOnlyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    publicOnlyStore.load(null, PASSWORD);
    copyPublicPart(ks, publicOnlyStore, "escrowKey");

    final KeyStoreProvider fullProvider = new KeyStoreProvider(ks, PP, "KeyStore",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "escrowKey");
    final KeyStoreProvider escrowProvider = new KeyStoreProvider(publicOnlyStore, PP, "KeyStore",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "escrowKey");

    final JceMasterKey escrowKey = escrowProvider.getMasterKey("escrowKey");
    final AwsCrypto sdk = new AwsCrypto();
    final CryptoResult<byte[], JceMasterKey> encrypted = sdk.encryptData(escrowProvider, PLAINTEXT);
    assertEquals(1, encrypted.getMasterKeyIds().size());

    // The encrypting side must not be able to read back what it wrote.
    try {
        sdk.decryptData(escrowProvider, encrypted.getResult());
        fail("Expected CannotUnwrapDataKeyException");
    } catch (final CannotUnwrapDataKeyException expected) {
        // expected: the public-only keystore cannot unwrap the data key
    }

    CryptoResult<byte[], JceMasterKey> decrypted =
            sdk.decryptData(fullProvider, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Decryption can only have gone through the full key pair.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(escrowKey, decrypted.getMasterKeys().get(0));
}
Example #27
Source File: AwsKmsEncryptionServiceTest.java From ignite with Apache License 2.0 | 5 votes |
/**
 * Test encryption and decryption.
 *
 * <p>Both the SDK client and the master key provider are mocks, so this exercises only the
 * service's wiring; no real cryptography or KMS call takes place, and the "dummy"
 * credentials are never sent anywhere.
 */
@Test
public void testEncryptDecrypt() {
    String keyId = "12345";
    byte[] plaintext = "test string".getBytes(StandardCharsets.UTF_8);
    byte[] fakeCiphertext = "enc test string".getBytes(StandardCharsets.UTF_8);

    AwsKmsEncryptionService svc = Mockito.spy(new AwsKmsEncryptionService());
    svc.setKeyId(keyId)
        .setCredentials(new BasicAWSCredentials("dummy", "dummy"))
        .setRegion(Region.getRegion(Regions.AP_SOUTH_1));

    AwsCrypto cryptoMock = Mockito.mock(AwsCrypto.class);
    KmsMasterKeyProvider providerMock = Mockito.mock(KmsMasterKeyProvider.class);
    CryptoResult encryptResult = Mockito.mock(CryptoResult.class);
    CryptoResult decryptResult = Mockito.mock(CryptoResult.class);

    // Redirect the service's factory methods to the mocks before init() runs.
    Mockito.doReturn(cryptoMock).when(svc).createClient();
    Mockito.doReturn(providerMock).when(svc).createKmsMasterKeyProvider();

    svc.init();

    // Encrypt path: plaintext in, canned ciphertext out.
    Mockito.doReturn(encryptResult).when(cryptoMock).encryptData(providerMock, plaintext);
    Mockito.doReturn(fakeCiphertext).when(encryptResult).getResult();

    // Decrypt path: canned ciphertext in, original plaintext out, reported under keyId.
    Mockito.doReturn(decryptResult).when(cryptoMock).decryptData(providerMock, fakeCiphertext);
    Mockito.doReturn(Arrays.asList(keyId)).when(decryptResult).getMasterKeyIds();
    Mockito.doReturn(plaintext).when(decryptResult).getResult();

    byte[] encrypted = svc.encrypt(plaintext);
    byte[] roundTripped = svc.decrypt(encrypted);

    Assert.assertArrayEquals(plaintext, roundTripped);
}
Example #28
Source File: KMSEncryptor.java From strongbox with Apache License 2.0 | 5 votes |
/**
 * Creates a {@code KMSEncryptor} with a {@code KMSManager} derived from the same
 * credentials and a fresh {@code AwsCrypto} instance.
 *
 * @param awsCredentials credentials used for the manager and the encryptor
 * @param clientConfiguration client configuration passed to both
 * @param groupIdentifier secrets group the encryptor belongs to
 * @param encryptionStrength strength handed to the {@code KMSEncryptor} constructor
 * @return the new encryptor
 */
public static KMSEncryptor fromCredentials(AWSCredentialsProvider awsCredentials,
                                           ClientConfiguration clientConfiguration,
                                           SecretsGroupIdentifier groupIdentifier,
                                           EncryptionStrength encryptionStrength) {
    // A new AwsCrypto per encryptor: the constructor configures it, so it is not shared.
    return new KMSEncryptor(
            KMSManager.fromCredentials(awsCredentials, clientConfiguration, groupIdentifier),
            awsCredentials,
            clientConfiguration,
            groupIdentifier,
            new AwsCrypto(),
            encryptionStrength);
}
Example #29
Source File: FieldEncrypter.java From datacollector with Apache License 2.0 | 5 votes |
/**
 * Builds the encryption provider from the stage configuration.
 *
 * @param issues list that {@code createCryptoMaterialsManager} receives; if it is non-empty
 *     after that call, no provider is built
 * @return the configured provider, or {@code null} when {@code issues} is non-empty
 */
private EncryptionProvider createProvider(List<ConfigIssue> issues) {
    CryptoMaterialsManager materialsManager = createCryptoMaterialsManager(issues);

    if (issues.isEmpty()) {
        // Cipher suite and frame size both come from configuration, not from SDK defaults.
        AwsCrypto sdk = new AwsCrypto();
        sdk.setEncryptionAlgorithm(conf.getCipher());
        sdk.setEncryptionFrameSize(conf.getFrameSize());

        return AWSEncryptionProvider.builder()
                .withMode(mode)
                .withCrypto(sdk)
                .withCmManager(materialsManager)
                .build();
    }

    return null;
}
Example #30
Source File: KeyStoreProviderTest.java From aws-encryption-sdk-java with Apache License 2.0 | 5 votes |
/**
 * Encrypts under a keystore provider listing "key1" (added via {@code addPublicEntry}) and
 * "key2" (added via {@code addEntry}); decryption must go through "key2" both before and
 * after "key1" is deleted from the keystore.
 */
@Test
public void escrowAndSymmetric() throws Exception {
    addPublicEntry("key1");
    addEntry("key2");

    final KeyStoreProvider provider = new KeyStoreProvider(ks, PP, "KeyStore",
            "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "key1", "key2");
    // Looked up but never asserted on.
    @SuppressWarnings("unused")
    final JceMasterKey publicOnlyKey = provider.getMasterKey("key1");
    final JceMasterKey keyPair = provider.getMasterKey("key2");

    final AwsCrypto sdk = new AwsCrypto();
    final CryptoResult<byte[], JceMasterKey> encrypted = sdk.encryptData(provider, PLAINTEXT);
    assertEquals(2, encrypted.getMasterKeyIds().size());

    CryptoResult<byte[], JceMasterKey> decrypted =
            sdk.decryptData(provider, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Decryption can only have succeeded through the full key pair, i.e. key2.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(keyPair, decrypted.getMasterKeys().get(0));

    // Removing key1 from the keystore must not affect decryption.
    ks.deleteEntry("key1");
    decrypted = sdk.decryptData(provider, encrypted.getResult());
    assertArrayEquals(PLAINTEXT, decrypted.getResult());
    // Decryption reports a single master key: the first one that worked.
    assertEquals(1, decrypted.getMasterKeys().size());
    assertEquals(keyPair, decrypted.getMasterKeys().get(0));
}