com.amazonaws.encryptionsdk.kms.KmsMasterKey Java Examples

/**
 * Decrypts {@code ciphertext} with the configured provider and returns the plaintext bytes.
 *
 * <p>The result is only returned after {@code verify} has confirmed it was produced under the
 * expected key id and carries the expected encryption context entries.
 *
 * @param ciphertext encrypted message as produced by the AWS Encryption SDK
 * @param context encryption context the caller expects the message to carry
 * @return decrypted plaintext
 * @throws UnlimitedEncryptionNotSetException if the SDK failure is classified as an invalid-key
 *     failure by {@code isInvalidKeyException}
 * @throws AwsCryptoException for any other SDK failure (rethrown unchanged)
 * @throws IllegalStateException if the key id or encryption context does not match
 */
@Override
public byte[] decrypt(byte[] ciphertext, EncryptionContext context) {
    try {
        final CryptoResult<byte[], KmsMasterKey> outcome =
                crypto.decryptData(getProvider(), ciphertext);
        // Never hand back plaintext that came from an unexpected key or context.
        verify(outcome, context);
        return outcome.getResult();
    } catch (AwsCryptoException e) {
        // Invalid-key failures get a dedicated, more actionable exception type.
        if (isInvalidKeyException(e)) {
            throw new UnlimitedEncryptionNotSetException();
        }
        throw e;
    }
}
 
/**
 * Decrypts a string-form ciphertext with the configured provider.
 *
 * <p>Unlike the {@code byte[]} overload, an {@code AwsCryptoException} raised by the SDK
 * propagates unchanged here; only the key-id and encryption-context checks from
 * {@code verify} are applied before the plaintext is returned.
 *
 * @param ciphertext encrypted message in the string form accepted by {@code decryptString}
 * @param context encryption context the caller expects the message to carry
 * @return decrypted plaintext
 * @throws IllegalStateException if the key id or encryption context does not match
 */
@Override
public String decrypt(String ciphertext, EncryptionContext context) {
    final CryptoResult<String, KmsMasterKey> outcome =
            crypto.decryptString(getProvider(), ciphertext);
    verify(outcome, context);
    return outcome.getResult();
}
 
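/**
 * Rejects a decrypt result that was not produced under the expected KMS key and
 * encryption context.
 *
 * <p>Every entry of {@code context} must be present in the result's encryption context with
 * an equal value; additional entries in the result's context are tolerated.
 *
 * @param decryptResult result returned by the AWS Encryption SDK
 * @param context encryption context the caller expects
 * @throws IllegalStateException if the result reports no master key id, if the first reported
 *     key id differs from {@code getKeyArn()}, or if any expected context entry is missing or
 *     has a different value
 */
private void verify(CryptoResult<?, KmsMasterKey> decryptResult, EncryptionContext context) {
    // An empty id list previously surfaced as IndexOutOfBoundsException from get(0);
    // report it as the same key mismatch a caller already has to handle.
    if (decryptResult.getMasterKeyIds().isEmpty()
            || !decryptResult.getMasterKeyIds().get(0).equals(getKeyArn())) {
        throw new IllegalStateException("Wrong key id!");
    }

    final Map<String, String> actualContext = decryptResult.getEncryptionContext();
    for (final Map.Entry<String, String> expected : context.toMap().entrySet()) {
        // A missing key yields null here, which equals() correctly treats as a mismatch.
        if (!expected.getValue().equals(actualContext.get(expected.getKey()))) {
            throw new IllegalStateException("Wrong Encryption Context!");
        }
    }
}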
 
/**
 * Picks the crypto materials manager to decrypt with for the given CMK ARNs.
 *
 * <p>When every requested ARN is already in the configured {@code cmkArnList}, the shared
 * {@code decryptCryptoMaterialsManager} is reused; otherwise a one-off default manager is built
 * over a fresh key provider for exactly those ARNs.
 *
 * @param cmkArns CMK ARNs recorded in the ciphertext to decrypt
 * @param currentRegion region handed to {@code initializeKeyProvider}
 * @return the manager to use for this decrypt
 */
private CryptoMaterialsManager getCryptoMaterialsManager(
    List<String> cmkArns, Region currentRegion) {
  boolean allConfigured = cmkArnList.containsAll(cmkArns);
  if (!allConfigured) {
    MasterKeyProvider<KmsMasterKey> freshProvider =
        initializeKeyProvider(cmkArns, currentRegion);
    return new DefaultCryptoMaterialsManager(freshProvider);
  }
  return decryptCryptoMaterialsManager;
}
 
/**
 * Decrypts {@code parsedCiphertext} using the CMKs recorded in the ciphertext itself.
 *
 * <p>The key ARNs are read from the encrypted payload rather than from configuration so that
 * CMKs can be rotated manually: whatever keys were used to encrypt are the keys used to
 * decrypt.
 *
 * @param parsedCiphertext the parsed encrypted payload
 * @param awsCrypto AWS Encryption SDK client used for the decrypt call
 * @param currentRegion region handed to {@code initializeKeyProvider}
 * @return the decrypted payload interpreted as UTF-8 text
 */
public static String decrypt(
    ParsedCiphertext parsedCiphertext, AwsCrypto awsCrypto, Region currentRegion) {
  // NOTE(review): the ARNs come from the payload, so the provider is built for whatever
  // keys the payload names rather than a configured allow-list — confirm that is intended.
  List<String> recordedArns = CiphertextUtils.getCustomerMasterKeyArns(parsedCiphertext);
  MasterKeyProvider<KmsMasterKey> provider = initializeKeyProvider(recordedArns, currentRegion);
  byte[] plaintext = awsCrypto.decryptData(provider, parsedCiphertext).getResult();
  return new String(plaintext, StandardCharsets.UTF_8);
}
 
/**
 * Builds a multi-region KMS master key provider, one {@code KmsMasterKeyProvider} per ARN.
 *
 * <p>For encrypt, KMS in every listed region must be available; for decrypt, KMS in at
 * least one region must be available.
 *
 * @param cmkArns CMK ARNs to wrap
 * @param currentRegion region used by {@code getSortedArnListByCurrentRegion} to order the ARNs
 *     (presumably so the local region is tried first — not visible here)
 * @return a provider that spans all the given CMKs
 */
public static MasterKeyProvider<KmsMasterKey> initializeKeyProvider(
    List<String> cmkArns, Region currentRegion) {
  List<String> orderedArns = getSortedArnListByCurrentRegion(cmkArns, currentRegion);
  List<MasterKeyProvider<KmsMasterKey>> perArnProviders =
      orderedArns.stream()
          .map(arn -> new KmsMasterKeyProvider(arn))
          .collect(Collectors.toList());
  // buildMultiProvider returns the raw MasterKeyProvider type; the cast restores the KMS
  // type argument that the rest of this class works with.
  @SuppressWarnings("unchecked")
  MasterKeyProvider<KmsMasterKey> multiProvider =
      (MasterKeyProvider<KmsMasterKey>) MultipleProviderFactory.buildMultiProvider(perArnProviders);
  return multiProvider;
}
 
/**
 * Creates the crypto materials manager used for encrypt operations.
 *
 * <p>When {@code cerberus.encryption.cache.enabled} is set, a caching manager is built over a
 * {@code MetricReportingCryptoMaterialsCache} constructed with {@code encryptMaxSize}, bounded
 * by {@code encryptMaxAge} seconds and {@code encryptMessageUseLimit} uses per entry.
 * Otherwise every encrypt call goes straight to the key provider.
 *
 * @param cmkArns CMK ARN list string from {@code cerberus.encryption.cmk.arns}
 * @param cacheEnabled whether to cache crypto materials
 * @param encryptMaxSize first argument to the metric-reporting cache (its capacity, by name)
 * @param encryptMaxAge maximum age of a cache entry, in seconds
 * @param encryptMessageUseLimit maximum number of messages an entry may be used for
 * @param currentRegion region handed to {@code initializeKeyProvider}
 * @param metricsService sink the cache reports its metrics to
 * @return the configured encrypt-side manager
 */
@Bean("encryptCryptoMaterialsManager")
public CryptoMaterialsManager encryptCryptoMaterialsManager(
    @Value("${cerberus.encryption.cmk.arns}") String cmkArns,
    @Value("${cerberus.encryption.cache.enabled:false}") boolean cacheEnabled,
    @Value("${cerberus.encryption.cache.encrypt.maxSize:100}") int encryptMaxSize,
    @Value("${cerberus.encryption.cache.encrypt.maxAgeInSeconds:60}") int encryptMaxAge,
    @Value("${cerberus.encryption.cache.encrypt.messageUseLimit:100}") int encryptMessageUseLimit,
    Region currentRegion,
    MetricsService metricsService) {
  MasterKeyProvider<KmsMasterKey> provider = initializeKeyProvider(cmkArns, currentRegion);
  if (!cacheEnabled) {
    log.info("Initializing encryptCryptoMaterialsManager with CMK: {}", cmkArns);
    return new DefaultCryptoMaterialsManager(provider);
  }
  log.info(
      "Initializing caching encryptCryptoMaterialsManager with CMK: {}, maxSize: {}, maxAge: {}, "
          + "messageUseLimit: {}",
      cmkArns,
      encryptMaxSize,
      encryptMaxAge,
      encryptMessageUseLimit);
  CryptoMaterialsCache materialsCache =
      new MetricReportingCryptoMaterialsCache(encryptMaxSize, metricsService);
  return CachingCryptoMaterialsManager.newBuilder()
      .withMasterKeyProvider(provider)
      .withCache(materialsCache)
      .withMaxAge(encryptMaxAge, TimeUnit.SECONDS)
      .withMessageUseLimit(encryptMessageUseLimit)
      .build();
}
 
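/**
 * Creates the crypto materials manager used for decrypt operations.
 *
 * <p>When {@code cerberus.encryption.cache.enabled} is set, a caching manager is built over a
 * {@code MetricReportingCryptoMaterialsCache} constructed with {@code decryptMaxSize} and bounded
 * by {@code decryptMaxAge} seconds. Otherwise every decrypt call goes straight to the key
 * provider.
 *
 * @param cmkArns CMK ARN list string from {@code cerberus.encryption.cmk.arns}
 * @param cacheEnabled whether to cache crypto materials
 * @param decryptMaxSize first argument to the metric-reporting cache (its capacity, by name)
 * @param decryptMaxAge maximum age of a cache entry, in seconds
 * @param currentRegion region handed to {@code initializeKeyProvider}
 * @param metricsService sink the cache reports its metrics to
 * @return the configured decrypt-side manager
 */
@Bean("decryptCryptoMaterialsManager")
public CryptoMaterialsManager decryptCryptoMaterialsManager(
    @Value("${cerberus.encryption.cmk.arns}") String cmkArns,
    @Value("${cerberus.encryption.cache.enabled:#{false}}") boolean cacheEnabled,
    @Value("${cerberus.encryption.cache.decrypt.maxSize:1000}") int decryptMaxSize,
    @Value("${cerberus.encryption.cache.decrypt.maxAgeInSeconds:60}") int decryptMaxAge,
    Region currentRegion,
    MetricsService metricsService) {
  MasterKeyProvider<KmsMasterKey> keyProvider = initializeKeyProvider(cmkArns, currentRegion);
  if (cacheEnabled) {
    log.info(
        "Initializing caching decryptCryptoMaterialsManager with CMK: {}, maxSize: {}, maxAge: {}",
        cmkArns,
        decryptMaxSize,
        decryptMaxAge);
    // The cache takes the size bound, mirroring the encrypt manager which passes its maxSize
    // here; the age bound is applied by the builder below. Passing decryptMaxAge here (as the
    // code used to) left the configured maxSize unused except in the log line.
    CryptoMaterialsCache cache =
        new MetricReportingCryptoMaterialsCache(decryptMaxSize, metricsService);
    return CachingCryptoMaterialsManager.newBuilder()
        .withMasterKeyProvider(keyProvider)
        .withCache(cache)
        .withMaxAge(decryptMaxAge, TimeUnit.SECONDS)
        .build();
  }
  log.info("Initializing decryptCryptoMaterialsManager with CMK: {}", cmkArns);
  return new DefaultCryptoMaterialsManager(keyProvider);
}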
 
/**
 * {@inheritDoc}
 *
 * <p>Decrypts {@code data} with the SDK client and provider presumably set up by {@code init()},
 * and rejects plaintext whose reported master key ids do not include the configured
 * {@code keyId}. A {@code null} id list is accepted as-is, since no check is possible then.
 *
 * @throws IgniteException if the service has not been initialized, or if the result was produced
 *     under a different KMS key
 */
@Override public byte[] decrypt(byte[] data) {
    boolean initialized = crypto != null && prov != null;
    if (!initialized)
        throw new IgniteException("The init() method was not called.");

    CryptoResult<byte[], KmsMasterKey> outcome = crypto.decryptData(prov, data);

    // Only a non-null id list can be checked; a list that omits our key id is a mismatch.
    List<String> usedKeyIds = outcome.getMasterKeyIds();
    boolean keyMismatch = usedKeyIds != null && !usedKeyIds.contains(keyId);
    if (keyMismatch)
        throw new IgniteException("Wrong KMS key ID!");

    return outcome.getResult();
}
 
/**
 * Builds a multi-region KMS master key provider from a single ARN-list string.
 *
 * <p>Splits {@code cmkArns} with {@code splitArns} and delegates to the {@code List} overload,
 * so the same availability rule applies: for encrypt, KMS in all regions must be available;
 * for decrypt, KMS in at least one region must be available.
 *
 * @param cmkArns CMK ARNs as one string, in whatever form {@code splitArns} accepts
 * @param currentRegion region handed through to the list overload
 * @return a provider that spans all listed CMKs
 */
public static MasterKeyProvider<KmsMasterKey> initializeKeyProvider(
    String cmkArns, Region currentRegion) {
  List<String> arnList = splitArns(cmkArns);
  return initializeKeyProvider(arnList, currentRegion);
}