Fix to number of Bytes in DirectKmsMaterialProvider. Support multiple materials in MostRecentProvider.

Author: SalusaSecondus

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.java

@@ -308,8 +308,13 @@ public Map<String, AttributeValue> encryptRecord(
         // The description must be stored after encryption because its data
         // is necessary for proper decryption.
         final String signingAlgo = materialDescription.get(signingAlgorithmHeader);
-        DynamoDBSigner signer = DynamoDBSigner.getInstance(signingAlgo == null ? DEFAULT_SIGNATURE_ALGORITHM : signingAlgo, Utils.getRng());
-        
+        DynamoDBSigner signer;
+        if (signingAlgo != null) {
+            signer = DynamoDBSigner.getInstance(signingAlgo, Utils.getRng());
+        } else {
+            signer = DynamoDBSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, Utils.getRng());
+        }
+
         if (materials.getSigningKey() instanceof PrivateKey ) {
             materialDescription.put(signingAlgorithmHeader, signer.getSigningAlgorithm());
         }

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/DirectKmsMaterialProvider.java

@@ -42,6 +42,7 @@
 import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
 import com.amazonaws.services.kms.model.GenerateDataKeyResult;
 import com.amazonaws.util.Base64;
+import com.amazonaws.util.StringUtils;
 import com.amazonaws.util.VersionInfoUtils;
 
 /**
@@ -126,6 +127,7 @@ public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
         request.setCiphertextBlob(ByteBuffer.wrap(Base64.decode(materialDescription.get(ENVELOPE_KEY))));
         request.setEncryptionContext(ec);
         final DecryptResult decryptResult = kms.decrypt(request);
+        validateEncryptionKeyId(decryptResult.getKeyId(), context);
 
         final Hkdf kdf;
         try {
@@ -153,9 +155,16 @@ public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
         ec.put("*" + SIGNING_KEY_ALGORITHM + "*", sigKeyDesc);
         populateKmsEcFromEc(context, ec);
 
+        final String keyId = selectEncryptionKeyId(context);
+        if (StringUtils.isNullOrEmpty(keyId)) {
+            throw new DynamoDBMappingException("Encryption key id is empty.");
+        }
+
         final GenerateDataKeyRequest req = appendUserAgent(new GenerateDataKeyRequest());
-        req.setKeyId(encryptionKeyId);
-        req.setNumberOfBytes(256);
+        req.setKeyId(keyId);
+        // NumberOfBytes parameter is used because we're not using this key as an AES-256 key,
+        // we're using it as an HKDF-SHA256 key.
+        req.setNumberOfBytes(256 / 8);
         req.setEncryptionContext(ec);
 
         final GenerateDataKeyResult dataKeyResult = kms.generateDataKey(req);
@@ -182,6 +191,36 @@ public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
         return new SymmetricRawMaterials(encryptionKey, signatureKey, materialDescription);
     }
 
+    /**
+     * Get encryption key id.
+     * @return encryption key id.
+     */
+    protected String getEncryptionKeyId() {
+        return this.encryptionKeyId;
+    }
+
+    /**
+     * Select encryption key id to be used to generate data key. The default implementation of this method returns
+     * {@link DirectKmsMaterialProvider#encryptionKeyId}.
+     * @param context encryption context.
+     * @return the encryptionKeyId.
+     * @throws DynamoDBMappingException when we fails to select a valid encryption key id.
+     */
+    protected String selectEncryptionKeyId(EncryptionContext context) throws DynamoDBMappingException {
+        return getEncryptionKeyId();
+    }
+
+    /**
+     * Validate the encryption key id. The default implementation of this method does nothing.
+     * @param encryptionKeyId encryption key id from {@link DecryptResult}.
+     * @param context encryption context.
+     * @throws DynamoDBMappingException when encryptionKeyId is invalid.
+     */
+    protected void validateEncryptionKeyId(String encryptionKeyId, EncryptionContext context)
+            throws DynamoDBMappingException {
+        // No action taken.
+    }
+
     /**
      * Extracts relevant information from {@code context} and uses it to populate fields in
      * {@code kmsEc}. Currently, these fields are:
@@ -234,7 +273,7 @@ private static byte[] toArray(final ByteBuffer buff) {
         return result;
     }
 
-    private final <X extends AmazonWebServiceRequest> X appendUserAgent(final X request) {
+    private static <X extends AmazonWebServiceRequest> X appendUserAgent(final X request) {
         request.getRequestClientOptions().appendUserAgent(USER_AGENT);
         return request;
     }

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/MostRecentProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  * 
  * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except
  * in compliance with the License. A copy of the License is located at
@@ -30,12 +30,11 @@
 public class MostRecentProvider implements EncryptionMaterialsProvider {
     private static final long MILLI_TO_NANO = 1000000L;
     private static final long TTL_GRACE_IN_NANO = 500 * MILLI_TO_NANO;
-    private final ReentrantLock lock = new ReentrantLock(true);
     private final ProviderStore keystore;
-    private final String materialName;
+    protected final String defaultMaterialName;
     private final long ttlInNanos;
     private final LRUCache<EncryptionMaterialsProvider> cache;
-    private final AtomicReference<State> state = new AtomicReference<>(new State());
+    private final LRUCache<LockedState> currentVersions;
 
     /**
      * Creates a new {@link MostRecentProvider}.
@@ -45,22 +44,26 @@ public class MostRecentProvider implements EncryptionMaterialsProvider {
      */
     public MostRecentProvider(final ProviderStore keystore, final String materialName, final long ttlInMillis) {
         this.keystore = checkNotNull(keystore, "keystore must not be null");
-        this.materialName = checkNotNull(materialName, "materialName must not be null");
+        this.defaultMaterialName = materialName;
         this.ttlInNanos = ttlInMillis * MILLI_TO_NANO;
         this.cache = new LRUCache<EncryptionMaterialsProvider>(1000);
+        this.currentVersions = new LRUCache<>(1000);
     }
 
     @Override
     public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
-        State s = state.get();
+        final String materialName = getMaterialName(context);
+        final LockedState ls = getCurrentVersion(materialName);
+
+        final State s = ls.getState();
         if (s.provider != null && System.nanoTime() - s.lastUpdated <= ttlInNanos) {
             return s.provider.getEncryptionMaterials(context);
         }
         if (s.provider == null || System.nanoTime() - s.lastUpdated > ttlInNanos + TTL_GRACE_IN_NANO) {
             // Either we don't have a provider at all, or we're more than 500 milliseconds past
             // our update time. Either way, grab the lock and force an update.
-            lock.lock();
-        } else if (!lock.tryLock()) {
+            ls.lock();
+        } else if (!ls.tryLock()) {
             // If we can't get the lock immediately, just use the current provider
             return s.provider.getEncryptionMaterials(context);
         }
@@ -73,36 +76,37 @@ public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
                 // First version of the material, so we want to allow creation
                 currentVersion = 0;
                 currentProvider = keystore.getOrCreate(materialName, currentVersion);
-                cache.add(Long.toString(currentVersion), currentProvider);
+                cache.add(buildCacheKey(materialName, currentVersion), currentProvider);
             } else if (newVersion != s.currentVersion) {
                 // We're retrieving an existing version, so we avoid the creation
                 // flow as it is slower
                 currentVersion = newVersion;
                 currentProvider = keystore.getProvider(materialName, currentVersion);
-                cache.add(Long.toString(currentVersion), currentProvider);
+                cache.add(buildCacheKey(materialName, currentVersion), currentProvider);
             } else {
                 // Our version hasn't changed, so we'll just re-use the existing
                 // provider to avoid the overhead of retrieving and building a new one
                 currentVersion = newVersion;
                 currentProvider = s.provider;
                 // There is no need to add this to the cache as it's already there
             }
-            s = new State(currentProvider, currentVersion);
-            state.set(s);
 
-            return s.provider.getEncryptionMaterials(context);
+            ls.update(currentProvider, currentVersion);
+
+            return ls.getState().provider.getEncryptionMaterials(context);
         } finally {
-            lock.unlock();
+            ls.unlock();
         }
     }
 
     public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
+        final String materialName = getMaterialName(context);
         final long version = keystore.getVersionFromMaterialDescription(
                 context.getMaterialDescription());
-        EncryptionMaterialsProvider provider = cache.get(Long.toString(version));
+        EncryptionMaterialsProvider provider = cache.get(buildCacheKey(materialName, version));
         if (provider == null) {
             provider = keystore.getProvider(materialName, version);
-            cache.add(Long.toString(version), provider);
+            cache.add(buildCacheKey(materialName, version), provider);
         }
         return provider.getDecryptionMaterials(context);
     }
@@ -112,12 +116,12 @@ public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
      */
     @Override
     public void refresh() {
-        state.set(new State());
+        currentVersions.clear();
         cache.clear();
     }
 
     public String getMaterialName() {
-        return materialName;
+        return defaultMaterialName;
     }
 
     public long getTtlInMills() {
@@ -129,15 +133,36 @@ public long getTtlInMills() {
      * currently have a current version.
      */
     public long getCurrentVersion() {
-        return state.get().currentVersion;
+        return getCurrentVersion(getMaterialName()).getState().currentVersion;
     }
 
     /**
      * The last time the current version was updated. Returns 0 if we do not currently have a
      * current version.
      */
     public long getLastUpdated() {
-        return state.get().lastUpdated / MILLI_TO_NANO;
+        return getCurrentVersion(getMaterialName()).getState().lastUpdated / MILLI_TO_NANO;
+    }
+
+    protected String getMaterialName(final EncryptionContext context) {
+        return defaultMaterialName;
+    }
+
+    private LockedState getCurrentVersion(final String materialName) {
+        final LockedState result = currentVersions.get(materialName);
+        if (result == null) {
+            currentVersions.add(materialName, new LockedState());
+            return currentVersions.get(materialName);
+        } else {
+            return result;
+        }
+    }
+
+    private static String buildCacheKey(final String materialName, final long version) {
+        StringBuilder result = new StringBuilder(materialName);
+        result.append('#');
+        result.append(version);
+        return result.toString();
     }
 
     private static <V> V checkNotNull(final V ref, final String errMsg) {
@@ -148,6 +173,34 @@ private static <V> V checkNotNull(final V ref, final String errMsg) {
         }
     }
 
+    private static class LockedState {
+        private final ReentrantLock lock = new ReentrantLock(true);
+        private volatile AtomicReference<State> state = new AtomicReference<>(new State());
+
+        public State getState() {
+            return state.get();
+        }
+
+        public void unlock() {
+            lock.unlock();
+        }
+
+        public boolean tryLock() {
+            return lock.tryLock();
+        }
+
+        public void lock() {
+            lock.lock();
+        }
+
+        public void update(EncryptionMaterialsProvider provider, long currentVersion) {
+            if (!lock.isHeldByCurrentThread()) {
+                throw new IllegalStateException("Lock not held by current thread");
+            }
+            state.set(new State(provider, currentVersion));
+        }
+    }
+
     private static class State {
         public final EncryptionMaterialsProvider provider;
         public final long currentVersion;

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/internal/AttributeValueMarshaller.java

@@ -80,6 +80,7 @@ public static ByteBuffer marshall(final AttributeValue attributeValue) {
 
     private static void marshall(final AttributeValue attributeValue, final DataOutputStream out)
             throws IOException {
+        
         if (attributeValue.getB() != null) {
             out.writeChar('b');
             writeBytes(attributeValue.getB(), out);
@@ -92,8 +93,8 @@ private static void marshall(final AttributeValue attributeValue, final DataOutp
         } else if (attributeValue.getNS() != null) {
             out.writeChar('N');
 
-            List<String> ns = new ArrayList<String>(attributeValue.getNS().size());
-            for (String n : attributeValue.getNS()) {
+            final List<String> ns = new ArrayList<String>(attributeValue.getNS().size());
+            for (final String n : attributeValue.getNS()) {
                 ns.add(trimZeros(n));
             }
             writeStringList(ns, out);
@@ -113,6 +114,11 @@ private static void marshall(final AttributeValue attributeValue, final DataOutp
             out.writeChar('L');
             out.writeInt(l.size());
             for (final AttributeValue attr : l) {
+                if (attr == null) {
+                    throw new NullPointerException(
+                        "Encountered null list entry value while marshalling attribute value "
+                        + attributeValue);
+                }
                 marshall(attr, out);
             }
         } else if (attributeValue.getM() != null) {
@@ -123,7 +129,17 @@ private static void marshall(final AttributeValue attributeValue, final DataOutp
             out.writeInt(m.size());
             for (final String mKey : mKeys) {
                 marshall(new AttributeValue().withS(mKey), out);
-                marshall(m.get(mKey), out);
+                
+                final AttributeValue mValue = m.get(mKey);
+                
+                if (mValue == null) {
+                    throw new NullPointerException(
+                        "Encountered null map value for key "
+                        + mKey
+                        + " while marshalling attribute value "
+                        + attributeValue);
+                }
+                marshall(mValue, out);
             }
         } else {
             throw new IllegalArgumentException("A seemingly empty AttributeValue is indicative of invalid input or potential errors");