getEncryptionActionOverrides();
-
- /**
- * Returns an {@link EncryptionContext} to be used by the encryption client. Has information about the table
- * name, the names of the primary indices etc.
- * @return An {@link EncryptionContext} object.
- */
- EncryptionContext getEncryptionContext();
-
- /**
- * Default builder for an immutable implementation of {@link DynamoDbEncryptionConfiguration}.
- * @return A newly initialized {@link BasicDynamoDbEncryptionConfiguration.Builder}.
- */
- static BasicDynamoDbEncryptionConfiguration.Builder builder() {
- return new BasicDynamoDbEncryptionConfiguration.Builder();
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/EncryptionAction.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/EncryptionAction.java
deleted file mode 100644
index 9ee1c798..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/EncryptionAction.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2;
-
-/**
- * When configuring the {@link DynamoDbEncryptionClient} you may specify a default behavior for how attributes should
- * be treated when encrypting and decrypting, and also you may include overrides to change the behavior for specific
- * attributes. The following enumeration are the different valid behaviors for how a single attribute should be treated.
- */
-public enum EncryptionAction {
- /**
- * DO_NOTHING : This instructs the encryption client to completely ignore the attribute. The attribute will not be
- * encrypted and it will not be included in the signature calculation of the record.
- */
- DO_NOTHING,
-
- /**
- * SIGN_ONLY : This instructs the encryption client to include the attribute in the signature calculation of the
- * record, but not to encrypt its value.
- */
- SIGN_ONLY,
-
- /**
- * ENCRYPT_AND_SIGN : This instructs the encryption client to include the attribute in the signature calculation of
- * the record and to encrypt its value.
- */
- ENCRYPT_AND_SIGN
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedKey.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedKey.java
deleted file mode 100644
index 52e02f2e..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedKey.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-import java.security.GeneralSecurityException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
-import java.security.Key;
-import java.security.NoSuchAlgorithmException;
-
-import javax.crypto.BadPaddingException;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-
-/**
- * Identifies keys which should not be used directly with {@link Cipher} but
- * instead contain their own cryptographic logic. This can be used to wrap more
- * complex logic, HSM integration, or service-calls.
- *
- *
- * Most delegated keys will only support a subset of these operations. (For
- * example, AES keys will generally not support {@link #sign(byte[], String)} or
- * {@link #verify(byte[], byte[], String)} and HMAC keys will generally not
- * support anything except sign and verify.)
- * {@link UnsupportedOperationException} should be thrown in these cases.
- *
- * @author Greg Rubin
- */
-public interface DelegatedKey extends SecretKey {
- /**
- * Encrypts the provided plaintext and returns a byte-array containing the ciphertext.
- *
- * @param plainText
- * @param additionalAssociatedData
- * Optional additional data which must then also be provided for successful
- * decryption. Both null and arrays of length 0 are treated identically.
- * Not all keys will support this parameter.
- * @param algorithm
- * the transformation to be used when encrypting the data
- * @return ciphertext the ciphertext produced by this encryption operation
- * @throws UnsupportedOperationException
- * if encryption is not supported or if additionalAssociatedData is
- * provided, but not supported.
- */
- byte[] encrypt(byte[] plainText, byte[] additionalAssociatedData, String algorithm)
- throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException,
- NoSuchPaddingException;
-
- /**
- * Decrypts the provided ciphertext and returns a byte-array containing the
- * plaintext.
- *
- * @param cipherText
- * @param additionalAssociatedData
- * Optional additional data which was provided during encryption.
- * Both null and arrays of length 0 are treated
- * identically. Not all keys will support this parameter.
- * @param algorithm
- * the transformation to be used when decrypting the data
- * @return plaintext the result of decrypting the input ciphertext
- * @throws UnsupportedOperationException
- * if decryption is not supported or if
- * additionalAssociatedData is provided, but not
- * supported.
- */
- byte[] decrypt(byte[] cipherText, byte[] additionalAssociatedData, String algorithm)
- throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException,
- NoSuchPaddingException, InvalidAlgorithmParameterException;
-
- /**
- * Wraps (encrypts) the provided key to make it safe for
- * storage or transmission.
- *
- * @param key
- * @param additionalAssociatedData
- * Optional additional data which must then also be provided for
- * successful unwrapping. Both null and arrays of
- * length 0 are treated identically. Not all keys will support
- * this parameter.
- * @param algorithm
- * the transformation to be used when wrapping the key
- * @return the wrapped key
- * @throws UnsupportedOperationException
- * if wrapping is not supported or if
- * additionalAssociatedData is provided, but not
- * supported.
- */
- byte[] wrap(Key key, byte[] additionalAssociatedData, String algorithm) throws InvalidKeyException,
- NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException;
-
- /**
- * Unwraps (decrypts) the provided wrappedKey to recover the
- * original key.
- *
- * @param wrappedKey
- * @param additionalAssociatedData
- * Optional additional data which was provided during wrapping.
- * Both null and arrays of length 0 are treated
- * identically. Not all keys will support this parameter.
- * @param algorithm
- * the transformation to be used when unwrapping the key
- * @return the unwrapped key
- * @throws UnsupportedOperationException
- * if wrapping is not supported or if
- * additionalAssociatedData is provided, but not
- * supported.
- */
- Key unwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, int wrappedKeyType,
- byte[] additionalAssociatedData, String algorithm) throws NoSuchAlgorithmException, NoSuchPaddingException,
- InvalidKeyException;
-
- /**
- * Calculates and returns a signature for dataToSign.
- *
- * @param dataToSign
- * @param algorithm
- * @return the signature
- * @throws UnsupportedOperationException if signing is not supported
- */
- byte[] sign(byte[] dataToSign, String algorithm) throws GeneralSecurityException;
-
- /**
- * Checks the provided signature for correctness.
- *
- * @param dataToSign
- * @param signature
- * @param algorithm
- * @return true if and only if the signature matches the dataToSign.
- * @throws UnsupportedOperationException if signature validation is not supported
- */
- boolean verify(byte[] dataToSign, byte[] signature, String algorithm);
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbEncryptor.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbEncryptor.java
deleted file mode 100644
index 775fd12d..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbEncryptor.java
+++ /dev/null
@@ -1,564 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-import java.io.ByteArrayOutputStream;
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
-import java.io.EOFException;
-import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.nio.charset.Charset;
-import java.security.GeneralSecurityException;
-import java.security.PrivateKey;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.function.Function;
-import java.util.stream.Collectors;
-
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.IvParameterSpec;
-
-import software.amazon.awssdk.core.SdkBytes;
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.DynamoDbEncryptionClient;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.DynamoDbEncryptionConfiguration;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.EncryptionAction;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.exceptions.DynamoDbEncryptionException;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.EncryptionMaterialsProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.AttributeValueMarshaller;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.ByteBufferInputStream;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Utils;
-
-/**
- * The low-level API for performing crypto operations on the record attributes.
- *
- * @author Greg Rubin
- */
-public class DynamoDbEncryptor implements DynamoDbEncryptionClient {
- private static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
- private static final String DEFAULT_METADATA_FIELD = "*amzn-ddb-map-desc*";
- private static final String DEFAULT_SIGNATURE_FIELD = "*amzn-ddb-map-sig*";
- private static final String DEFAULT_DESCRIPTION_BASE = "amzn-ddb-map-"; // Same as the Mapper
- private static final Charset UTF8 = Charset.forName("UTF-8");
- private static final String SYMMETRIC_ENCRYPTION_MODE = "/CBC/PKCS5Padding";
- private static final ConcurrentHashMap BLOCK_SIZE_CACHE = new ConcurrentHashMap<>();
- private static final Function BLOCK_SIZE_CALCULATOR = (transformation) -> {
- try {
- final Cipher c = Cipher.getInstance(transformation);
- return c.getBlockSize();
- } catch (final GeneralSecurityException ex) {
- throw new IllegalArgumentException("Algorithm does not exist", ex);
- }
- };
-
- private static final int CURRENT_VERSION = 0;
-
- // Static map used to convert an EncryptionAction into a corresponding set of EncryptionFlags
- private static final Map> ENCRYPTION_ACTION_TO_FLAGS_MAP;
- static {
- Map> encrytionActionToFlagsMap = new HashMap<>();
- encrytionActionToFlagsMap.put(EncryptionAction.DO_NOTHING, Collections.emptySet());
- encrytionActionToFlagsMap.put(EncryptionAction.SIGN_ONLY, Collections.singleton(EncryptionFlags.SIGN));
- encrytionActionToFlagsMap.put(EncryptionAction.ENCRYPT_AND_SIGN,
- Collections.unmodifiableSet(new HashSet<>(Arrays.asList(EncryptionFlags.SIGN, EncryptionFlags.ENCRYPT))));
- ENCRYPTION_ACTION_TO_FLAGS_MAP = Collections.unmodifiableMap(encrytionActionToFlagsMap);
- }
-
- private String signatureFieldName = DEFAULT_SIGNATURE_FIELD;
- private String materialDescriptionFieldName = DEFAULT_METADATA_FIELD;
-
- private EncryptionMaterialsProvider encryptionMaterialsProvider;
- private final String descriptionBase;
- private final String symmetricEncryptionModeHeader;
- private final String signingAlgorithmHeader;
-
- static final String DEFAULT_SIGNING_ALGORITHM_HEADER = DEFAULT_DESCRIPTION_BASE + "signingAlg";
-
- private Function encryptionContextOverrideOperator;
-
- protected DynamoDbEncryptor(EncryptionMaterialsProvider provider, String descriptionBase) {
- this.encryptionMaterialsProvider = provider;
- this.descriptionBase = descriptionBase;
- symmetricEncryptionModeHeader = this.descriptionBase + "sym-mode";
- signingAlgorithmHeader = this.descriptionBase + "signingAlg";
- }
-
- protected DynamoDbEncryptor(EncryptionMaterialsProvider provider) {
- this(provider, DEFAULT_DESCRIPTION_BASE);
- }
-
- public static Builder builder() {
- return new Builder();
- }
-
- public static class Builder {
- private EncryptionMaterialsProvider encryptionMaterialsProvider;
-
- public Builder encryptionMaterialsProvider(EncryptionMaterialsProvider encryptionMaterialsProvider) {
- this.encryptionMaterialsProvider = encryptionMaterialsProvider;
- return this;
- }
-
- public DynamoDbEncryptor build() {
- if (encryptionMaterialsProvider == null) {
- throw new IllegalArgumentException("A DynamoDbEncryptor cannot be built without an "
- + "EncryptionMaterialsProvider");
- }
-
- return new DynamoDbEncryptor(encryptionMaterialsProvider);
- }
- }
-
- @Override
- public Map encryptRecord(Map record,
- DynamoDbEncryptionConfiguration configuration) {
-
- validateParameters(record, configuration);
- return internalEncryptRecord(record,
- getEncryptionFlagsFromConfiguration(record, configuration),
- configuration.getEncryptionContext());
- }
-
- @Override
- public Map decryptRecord(Map record,
- DynamoDbEncryptionConfiguration configuration) {
-
- validateParameters(record, configuration);
- return internalDecryptRecord(record,
- getEncryptionFlagsFromConfiguration(record, configuration),
- configuration.getEncryptionContext());
- }
-
- private void validateParameters(Map record,
- DynamoDbEncryptionConfiguration configuration) {
- if (record == null) {
- throw new IllegalArgumentException("AttributeValues must not be null");
- }
- if (configuration == null) {
- throw new IllegalArgumentException("DynamoDbEncryptionConfiguration must not be null");
- }
- if (configuration.getEncryptionContext() == null) {
- throw new IllegalArgumentException("DynamoDbEncryptionConfiguration's EncryptionContext must not be null");
- }
- if (configuration.getDefaultEncryptionAction() == null) {
- throw new IllegalArgumentException("DynamoDbEncryptionConfiguration's DefaultEncryptionAction must not be"
- + " null");
- }
- }
-
-
- private Map> getEncryptionFlagsFromConfiguration(
- Map record,
- DynamoDbEncryptionConfiguration configuration) {
-
- return record.keySet()
- .stream()
- // Do not let attributes created by the encryption library participate in encrypting or signing
- .filter(key -> !key.equals(getMaterialDescriptionFieldName())
- && !key.equals(getSignatureFieldName()))
- .collect(Collectors.toMap(Function.identity(), key -> {
- EncryptionAction encryptionAction = configuration.getEncryptionActionOverrides().get(key);
-
- if (encryptionAction == null) {
- encryptionAction = configuration.getDefaultEncryptionAction();
- }
-
- return getEncryptionFlagsForAction(encryptionAction);
- }));
- }
-
- private Map internalDecryptRecord(
- Map itemAttributes,
- Map> attributeFlags,
- EncryptionContext context) {
- if (attributeFlags.isEmpty()) {
- return itemAttributes;
- }
- // Copy to avoid changing anyone elses objects
- itemAttributes = new HashMap<>(itemAttributes);
-
- Map materialDescription = Collections.emptyMap();
- DecryptionMaterials materials;
- SecretKey decryptionKey;
-
- DynamoDbSigner signer = DynamoDbSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, Utils.getRng());
-
- if (itemAttributes.containsKey(materialDescriptionFieldName)) {
- materialDescription = unmarshallDescription(itemAttributes.get(materialDescriptionFieldName));
- }
- // Copy the material description and attribute values into the context
- context = context.toBuilder()
- .materialDescription(materialDescription)
- .attributeValues(itemAttributes)
- .build();
-
- Function encryptionContextOverrideOperator = getEncryptionContextOverrideOperator();
- if (encryptionContextOverrideOperator != null) {
- context = encryptionContextOverrideOperator.apply(context);
- }
-
- materials = encryptionMaterialsProvider.getDecryptionMaterials(context);
- decryptionKey = materials.getDecryptionKey();
- if (materialDescription.containsKey(signingAlgorithmHeader)) {
- String signingAlg = materialDescription.get(signingAlgorithmHeader);
- signer = DynamoDbSigner.getInstance(signingAlg, Utils.getRng());
- }
-
- ByteBuffer signature;
- if (!itemAttributes.containsKey(signatureFieldName) || itemAttributes.get(signatureFieldName).b() == null) {
- signature = ByteBuffer.allocate(0);
- } else {
- signature = itemAttributes.get(signatureFieldName).b().asByteBuffer();
- }
- itemAttributes.remove(signatureFieldName);
-
- String associatedData = "TABLE>" + context.getTableName() + " internalEncryptRecord(
- Map itemAttributes,
- Map> attributeFlags,
- EncryptionContext context) {
- if (attributeFlags.isEmpty()) {
- return itemAttributes;
- }
- // Copy to avoid changing anyone elses objects
- itemAttributes = new HashMap<>(itemAttributes);
-
- // Copy the attribute values into the context
- context = context.toBuilder()
- .attributeValues(itemAttributes)
- .build();
-
- Function encryptionContextOverrideOperator =
- getEncryptionContextOverrideOperator();
- if (encryptionContextOverrideOperator != null) {
- context = encryptionContextOverrideOperator.apply(context);
- }
-
- EncryptionMaterials materials = encryptionMaterialsProvider.getEncryptionMaterials(context);
- // We need to copy this because we modify it to record other encryption details
- Map materialDescription = new HashMap<>(
- materials.getMaterialDescription());
- SecretKey encryptionKey = materials.getEncryptionKey();
-
- try {
- actualEncryption(itemAttributes, attributeFlags, materialDescription, encryptionKey);
-
- // The description must be stored after encryption because its data
- // is necessary for proper decryption.
- final String signingAlgo = materialDescription.get(signingAlgorithmHeader);
- DynamoDbSigner signer;
- if (signingAlgo != null) {
- signer = DynamoDbSigner.getInstance(signingAlgo, Utils.getRng());
- } else {
- signer = DynamoDbSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, Utils.getRng());
- }
-
- if (materials.getSigningKey() instanceof PrivateKey) {
- materialDescription.put(signingAlgorithmHeader, signer.getSigningAlgorithm());
- }
- if (! materialDescription.isEmpty()) {
- itemAttributes.put(materialDescriptionFieldName, marshallDescription(materialDescription));
- }
-
- String associatedData = "TABLE>" + context.getTableName() + " itemAttributes,
- Map> attributeFlags, SecretKey encryptionKey,
- Map materialDescription) throws GeneralSecurityException {
- final String encryptionMode = encryptionKey != null ? encryptionKey.getAlgorithm() +
- materialDescription.get(symmetricEncryptionModeHeader) : null;
- Cipher cipher = null;
- int blockSize = -1;
-
- for (Map.Entry entry: itemAttributes.entrySet()) {
- Set flags = attributeFlags.get(entry.getKey());
- if (flags != null && flags.contains(EncryptionFlags.ENCRYPT)) {
- if (!flags.contains(EncryptionFlags.SIGN)) {
- throw new IllegalArgumentException("All encrypted fields must be signed. Bad field: " + entry.getKey());
- }
- ByteBuffer plainText;
- ByteBuffer cipherText = entry.getValue().b().asByteBuffer();
- cipherText.rewind();
- if (encryptionKey instanceof DelegatedKey) {
- plainText = ByteBuffer.wrap(((DelegatedKey)encryptionKey).decrypt(toByteArray(cipherText), null, encryptionMode));
- } else {
- if (cipher == null) {
- blockSize = getBlockSize(encryptionMode);
- cipher = Cipher.getInstance(encryptionMode);
- }
- byte[] iv = new byte[blockSize];
- cipherText.get(iv);
- cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new IvParameterSpec(iv), Utils.getRng());
- plainText = ByteBuffer.allocate(cipher.getOutputSize(cipherText.remaining()));
- cipher.doFinal(cipherText, plainText);
- plainText.rewind();
- }
- entry.setValue(AttributeValueMarshaller.unmarshall(plainText));
- }
- }
- }
-
- private static int getBlockSize(final String encryptionMode) {
- return BLOCK_SIZE_CACHE.computeIfAbsent(encryptionMode, BLOCK_SIZE_CALCULATOR);
- }
-
- /**
- * This method has the side effect of replacing the plaintext
- * attribute-values of "itemAttributes" with ciphertext attribute-values
- * (which are always in the form of ByteBuffer) as per the corresponding
- * attribute flags.
- */
- private void actualEncryption(Map itemAttributes,
- Map> attributeFlags,
- Map materialDescription,
- SecretKey encryptionKey) throws GeneralSecurityException {
- String encryptionMode = null;
- if (encryptionKey != null) {
- materialDescription.put(this.symmetricEncryptionModeHeader,
- SYMMETRIC_ENCRYPTION_MODE);
- encryptionMode = encryptionKey.getAlgorithm() + SYMMETRIC_ENCRYPTION_MODE;
- }
- Cipher cipher = null;
- int blockSize = -1;
-
- for (Map.Entry entry: itemAttributes.entrySet()) {
- Set flags = attributeFlags.get(entry.getKey());
- if (flags != null && flags.contains(EncryptionFlags.ENCRYPT)) {
- if (!flags.contains(EncryptionFlags.SIGN)) {
- throw new IllegalArgumentException("All encrypted fields must be signed. Bad field: " + entry.getKey());
- }
- ByteBuffer plainText = AttributeValueMarshaller.marshall(entry.getValue());
- plainText.rewind();
- ByteBuffer cipherText;
- if (encryptionKey instanceof DelegatedKey) {
- DelegatedKey dk = (DelegatedKey) encryptionKey;
- cipherText = ByteBuffer.wrap(
- dk.encrypt(toByteArray(plainText), null, encryptionMode));
- } else {
- if (cipher == null) {
- blockSize = getBlockSize(encryptionMode);
- cipher = Cipher.getInstance(encryptionMode);
- }
- // Encryption format:
- // Note a unique iv is generated per attribute
- cipher.init(Cipher.ENCRYPT_MODE, encryptionKey, Utils.getRng());
- cipherText = ByteBuffer.allocate(blockSize + cipher.getOutputSize(plainText.remaining()));
- cipherText.position(blockSize);
- cipher.doFinal(plainText, cipherText);
- cipherText.flip();
- final byte[] iv = cipher.getIV();
- if (iv.length != blockSize) {
- throw new IllegalStateException(String.format("Generated IV length (%d) not equal to block size (%d)",
- iv.length, blockSize));
- }
- cipherText.put(iv);
- cipherText.rewind();
- }
- // Replace the plaintext attribute value with the encrypted content
- entry.setValue(AttributeValue.builder().b(SdkBytes.fromByteBuffer(cipherText)).build());
- }
- }
- }
-
- /**
- * Get the name of the DynamoDB field used to store the signature.
- * Defaults to {@link #DEFAULT_SIGNATURE_FIELD}.
- *
- * @return the name of the DynamoDB field used to store the signature
- */
- String getSignatureFieldName() {
- return signatureFieldName;
- }
-
- /**
- * Set the name of the DynamoDB field used to store the signature.
- *
- * @param signatureFieldName
- */
- void setSignatureFieldName(final String signatureFieldName) {
- this.signatureFieldName = signatureFieldName;
- }
-
- /**
- * Get the name of the DynamoDB field used to store metadata used by the
- * DynamoDBEncryptedMapper. Defaults to {@link #DEFAULT_METADATA_FIELD}.
- *
- * @return the name of the DynamoDB field used to store metadata used by the
- * DynamoDBEncryptedMapper
- */
- String getMaterialDescriptionFieldName() {
- return materialDescriptionFieldName;
- }
-
- /**
- * Set the name of the DynamoDB field used to store metadata used by the
- * DynamoDBEncryptedMapper
- *
- * @param materialDescriptionFieldName
- */
- void setMaterialDescriptionFieldName(final String materialDescriptionFieldName) {
- this.materialDescriptionFieldName = materialDescriptionFieldName;
- }
-
- /**
- * Marshalls the description into a ByteBuffer by outputting
- * each key (modified UTF-8) followed by its value (also in modified UTF-8).
- *
- * @param description
- * @return the description encoded as an AttributeValue with a ByteBuffer value
- * @see java.io.DataOutput#writeUTF(String)
- */
- private static AttributeValue marshallDescription(Map description) {
- try {
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
- DataOutputStream out = new DataOutputStream(bos);
- out.writeInt(CURRENT_VERSION);
- for (Map.Entry entry : description.entrySet()) {
- byte[] bytes = entry.getKey().getBytes(UTF8);
- out.writeInt(bytes.length);
- out.write(bytes);
- bytes = entry.getValue().getBytes(UTF8);
- out.writeInt(bytes.length);
- out.write(bytes);
- }
- out.close();
- return AttributeValue.builder().b(SdkBytes.fromByteArray(bos.toByteArray())).build();
- } catch (IOException ex) {
- // Due to the objects in use, an IOException is not possible.
- throw new RuntimeException("Unexpected exception", ex);
- }
- }
-
- /**
- * @see #marshallDescription(Map)
- */
- private static Map unmarshallDescription(AttributeValue attributeValue) {
- try (DataInputStream in = new DataInputStream(
- new ByteBufferInputStream(attributeValue.b().asByteBuffer())) ) {
- Map result = new HashMap<>();
- int version = in.readInt();
- if (version != CURRENT_VERSION) {
- throw new IllegalArgumentException("Unsupported description version");
- }
-
- String key, value;
- int keyLength, valueLength;
- try {
- while(in.available() > 0) {
- keyLength = in.readInt();
- byte[] bytes = new byte[keyLength];
- if (in.read(bytes) != keyLength) {
- throw new IllegalArgumentException("Malformed description");
- }
- key = new String(bytes, UTF8);
- valueLength = in.readInt();
- bytes = new byte[valueLength];
- if (in.read(bytes) != valueLength) {
- throw new IllegalArgumentException("Malformed description");
- }
- value = new String(bytes, UTF8);
- result.put(key, value);
- }
- } catch (EOFException eof) {
- throw new IllegalArgumentException("Malformed description", eof);
- }
- return result;
- } catch (IOException ex) {
- // Due to the objects in use, an IOException is not possible.
- throw new RuntimeException("Unexpected exception", ex);
- }
- }
-
- /**
- * @param encryptionContextOverrideOperator the nullable operator which will be used to override
- * the EncryptionContext.
- * @see EncryptionContextOperators
- */
- void setEncryptionContextOverrideOperator(
- Function encryptionContextOverrideOperator) {
- this.encryptionContextOverrideOperator = encryptionContextOverrideOperator;
- }
-
- /**
- * @return the operator used to override the EncryptionContext
- * @see #setEncryptionContextOverrideOperator(Function)
- */
- private Function getEncryptionContextOverrideOperator() {
- return encryptionContextOverrideOperator;
- }
-
- private static Set getEncryptionFlagsForAction(EncryptionAction encryptionAction) {
- Set encryptionFlags = ENCRYPTION_ACTION_TO_FLAGS_MAP.get(encryptionAction);
-
- if (encryptionFlags == null) {
- throw new RuntimeException("Unrecognized EncryptionAction : " + encryptionAction.name());
- }
-
- return encryptionFlags;
- }
-
- private static byte[] toByteArray(ByteBuffer buffer) {
- buffer = buffer.duplicate();
- // We can only return the array directly if:
- // 1. The ByteBuffer exposes an array
- // 2. The ByteBuffer starts at the beginning of the array
- // 3. The ByteBuffer uses the entire array
- if (buffer.hasArray() && buffer.arrayOffset() == 0) {
- byte[] result = buffer.array();
- if (buffer.remaining() == result.length) {
- return result;
- }
- }
-
- byte[] result = new byte[buffer.remaining()];
- buffer.get(result);
- return result;
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbSigner.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbSigner.java
deleted file mode 100644
index e27710c3..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbSigner.java
+++ /dev/null
@@ -1,250 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.nio.charset.Charset;
-import java.security.GeneralSecurityException;
-import java.security.Key;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.SecureRandom;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.AttributeValueMarshaller;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Utils;
-
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-
-/**
- * @author Greg Rubin
- */
-// NOTE: This class must remain thread-safe.
-class DynamoDbSigner {
- private static final ConcurrentHashMap cache =
- new ConcurrentHashMap<>();
-
- protected static final Charset UTF8 = Charset.forName("UTF-8");
- private final SecureRandom rnd;
- private final SecretKey hmacComparisonKey;
- private final String signingAlgorithm;
-
- /**
- * @param signingAlgorithm
- * is the algorithm used for asymmetric signing (ex:
- * SHA256withRSA). This is ignored for symmetric HMACs as that
- * algorithm is fully specified by the key.
- */
- static DynamoDbSigner getInstance(String signingAlgorithm, SecureRandom rnd) {
- DynamoDbSigner result = cache.get(signingAlgorithm);
- if (result == null) {
- result = new DynamoDbSigner(signingAlgorithm, rnd);
- cache.putIfAbsent(signingAlgorithm, result);
- }
- return result;
- }
-
- /**
- * @param signingAlgorithm
- * is the algorithm used for asymmetric signing (ex:
- * SHA256withRSA). This is ignored for symmetric HMACs as that
- * algorithm is fully specified by the key.
- */
- private DynamoDbSigner(String signingAlgorithm, SecureRandom rnd) {
- if (rnd == null) {
- rnd = Utils.getRng();
- }
- this.rnd = rnd;
- this.signingAlgorithm = signingAlgorithm;
- // Shorter than the output of SHA256 to avoid weak keys.
- // http://cs.nyu.edu/~dodis/ps/h-of-h.pdf
- // http://link.springer.com/chapter/10.1007%2F978-3-642-32009-5_21
- byte[] tmpKey = new byte[31];
- rnd.nextBytes(tmpKey);
- hmacComparisonKey = new SecretKeySpec(tmpKey, "HmacSHA256");
- }
-
- void verifySignature(Map itemAttributes, Map> attributeFlags,
- byte[] associatedData, Key verificationKey, ByteBuffer signature) throws GeneralSecurityException {
- if (verificationKey instanceof DelegatedKey) {
- DelegatedKey dKey = (DelegatedKey)verificationKey;
- byte[] stringToSign = calculateStringToSign(itemAttributes, attributeFlags, associatedData);
- if (!dKey.verify(stringToSign, toByteArray(signature), dKey.getAlgorithm())) {
- throw new SignatureException("Bad signature");
- }
- } else if (verificationKey instanceof SecretKey) {
- byte[] calculatedSig = calculateSignature(itemAttributes, attributeFlags, associatedData, (SecretKey)verificationKey);
- if (!safeEquals(signature, calculatedSig)) {
- throw new SignatureException("Bad signature");
- }
- } else if (verificationKey instanceof PublicKey) {
- PublicKey integrityKey = (PublicKey)verificationKey;
- byte[] stringToSign = calculateStringToSign(itemAttributes, attributeFlags, associatedData);
- Signature sig = Signature.getInstance(getSigningAlgorithm());
- sig.initVerify(integrityKey);
- sig.update(stringToSign);
- if (!sig.verify(toByteArray(signature))) {
- throw new SignatureException("Bad signature");
- }
- } else {
- throw new IllegalArgumentException("No integrity key provided");
- }
- }
-
- static byte[] calculateStringToSign(Map itemAttributes,
- Map> attributeFlags, byte[] associatedData)
- throws NoSuchAlgorithmException {
- try {
- ByteArrayOutputStream out = new ByteArrayOutputStream();
- List attrNames = new ArrayList<>(itemAttributes.keySet());
- Collections.sort(attrNames);
- MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
- if (associatedData != null) {
- out.write(sha256.digest(associatedData));
- } else {
- out.write(sha256.digest());
- }
- sha256.reset();
-
- for (String name : attrNames) {
- Set set = attributeFlags.get(name);
- if(set != null && set.contains(EncryptionFlags.SIGN)) {
- AttributeValue tmp = itemAttributes.get(name);
- out.write(sha256.digest(name.getBytes(UTF8)));
- sha256.reset();
- if (set.contains(EncryptionFlags.ENCRYPT)) {
- sha256.update("ENCRYPTED".getBytes(UTF8));
- } else {
- sha256.update("PLAINTEXT".getBytes(UTF8));
- }
- out.write(sha256.digest());
-
- sha256.reset();
-
- sha256.update(AttributeValueMarshaller.marshall(tmp));
- out.write(sha256.digest());
- sha256.reset();
- }
- }
- return out.toByteArray();
- } catch (IOException ex) {
- // Due to the objects in use, an IOException is not possible.
- throw new RuntimeException("Unexpected exception", ex);
- }
- }
-
- /**
- * The itemAttributes have already been encrypted, if necessary, before the
- * signing.
- */
- byte[] calculateSignature(
- Map itemAttributes,
- Map> attributeFlags,
- byte[] associatedData, Key key) throws GeneralSecurityException {
- if (key instanceof DelegatedKey) {
- return calculateSignature(itemAttributes, attributeFlags, associatedData, (DelegatedKey) key);
- } else if (key instanceof SecretKey) {
- return calculateSignature(itemAttributes, attributeFlags, associatedData, (SecretKey) key);
- } else if (key instanceof PrivateKey) {
- return calculateSignature(itemAttributes, attributeFlags, associatedData, (PrivateKey) key);
- } else {
- throw new IllegalArgumentException("No integrity key provided");
- }
- }
-
- byte[] calculateSignature(Map itemAttributes,
- Map> attributeFlags, byte[] associatedData,
- DelegatedKey key) throws GeneralSecurityException {
- byte[] stringToSign = calculateStringToSign(itemAttributes, attributeFlags, associatedData);
- return key.sign(stringToSign, key.getAlgorithm());
- }
-
- byte[] calculateSignature(Map itemAttributes,
- Map> attributeFlags, byte[] associatedData,
- SecretKey key) throws GeneralSecurityException {
- if (key instanceof DelegatedKey) {
- return calculateSignature(itemAttributes, attributeFlags, associatedData, (DelegatedKey)key);
- }
- byte[] stringToSign = calculateStringToSign(itemAttributes, attributeFlags, associatedData);
- Mac hmac = Mac.getInstance(key.getAlgorithm());
- hmac.init(key);
- hmac.update(stringToSign);
- return hmac.doFinal();
- }
-
- byte[] calculateSignature(Map itemAttributes,
- Map> attributeFlags, byte[] associatedData,
- PrivateKey key) throws GeneralSecurityException {
- byte[] stringToSign = calculateStringToSign(itemAttributes, attributeFlags, associatedData);
- Signature sig = Signature.getInstance(signingAlgorithm);
- sig.initSign(key, rnd);
- sig.update(stringToSign);
- return sig.sign();
- }
-
- String getSigningAlgorithm() {
- return signingAlgorithm;
- }
-
- /**
- * Constant-time equality check.
- */
- private boolean safeEquals(ByteBuffer signature, byte[] calculatedSig) {
- try {
- signature.rewind();
- Mac hmac = Mac.getInstance(hmacComparisonKey.getAlgorithm());
- hmac.init(hmacComparisonKey);
- hmac.update(signature);
- byte[] signatureHash = hmac.doFinal();
-
- hmac.reset();
- hmac.update(calculatedSig);
- byte[] calculatedHash = hmac.doFinal();
-
- return MessageDigest.isEqual(signatureHash, calculatedHash);
- } catch (GeneralSecurityException ex) {
- // We've hardcoded these algorithms, so the error should not be possible.
- throw new RuntimeException("Unexpected exception", ex);
- }
- }
-
- private static byte[] toByteArray(ByteBuffer buffer) {
- if (buffer.hasArray()) {
- byte[] result = buffer.array();
- buffer.rewind();
- return result;
- } else {
- byte[] result = new byte[buffer.remaining()];
- buffer.get(result);
- buffer.rewind();
- return result;
- }
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionContext.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionContext.java
deleted file mode 100644
index 4651a8ea..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionContext.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.EncryptionMaterialsProvider;
-
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-
-/**
- * This class serves to provide additional useful data to
- * {@link EncryptionMaterialsProvider}s so they can more intelligently select
- * the proper {@link EncryptionMaterials} or {@link DecryptionMaterials} for
- * use. Any of the methods are permitted to return null.
- *
- * For the simplest cases, all a developer needs to provide in the context are:
- *
- * - TableName
- * - HashKeyName
- * - RangeKeyName (if present)
- *
- *
- * This class is immutable.
- *
- * @author Greg Rubin
- */
-public final class EncryptionContext {
- private final String tableName;
- private final Map attributeValues;
- private final Object developerContext;
- private final String hashKeyName;
- private final String rangeKeyName;
- private final Map materialDescription;
-
- /**
- * Return a new builder that can be used to construct an {@link EncryptionContext}
- * @return A newly initialized {@link EncryptionContext.Builder}.
- */
- public static Builder builder() {
- return new Builder();
- }
-
- private EncryptionContext(Builder builder) {
- tableName = builder.tableName;
- attributeValues = builder.attributeValues;
- developerContext = builder.developerContext;
- hashKeyName = builder.hashKeyName;
- rangeKeyName = builder.rangeKeyName;
- materialDescription = builder.materialDescription;
- }
-
- /**
- * Returns the name of the DynamoDB Table this record is associated with.
- */
- public String getTableName() {
- return tableName;
- }
-
- /**
- * Returns the DynamoDB record about to be encrypted/decrypted.
- */
- public Map getAttributeValues() {
- return attributeValues;
- }
-
- /**
- * This object has no meaning (and will not be set or examined) by any core libraries.
- * It exists to allow custom object mappers and data access layers to pass
- * data to {@link EncryptionMaterialsProvider}s through the {@link DynamoDbEncryptor}.
- */
- public Object getDeveloperContext() {
- return developerContext;
- }
-
- /**
- * Returns the name of the HashKey attribute for the record to be encrypted/decrypted.
- */
- public String getHashKeyName() {
- return hashKeyName;
- }
-
- /**
- * Returns the name of the RangeKey attribute for the record to be encrypted/decrypted.
- */
- public String getRangeKeyName() {
- return rangeKeyName;
- }
-
- public Map getMaterialDescription() {
- return materialDescription;
- }
-
- /**
- * Converts an existing {@link EncryptionContext} into a builder that can be used to mutate and make a new version.
- * @return A new {@link EncryptionContext.Builder} with all the fields filled out to match the current object.
- */
- public Builder toBuilder() {
- return new Builder(this);
- }
-
- /**
- * Builder class for {@link EncryptionContext}.
- * Mutable objects (other than developerContext) will undergo
- * a defensive copy prior to being stored in the builder.
- *
- * This class is not thread-safe.
- */
- public static final class Builder {
- private String tableName = null;
- private Map attributeValues = null;
- private Object developerContext = null;
- private String hashKeyName = null;
- private String rangeKeyName = null;
- private Map materialDescription = null;
-
- private Builder() {
- }
-
- private Builder(EncryptionContext context) {
- tableName = context.getTableName();
- attributeValues = context.getAttributeValues();
- hashKeyName = context.getHashKeyName();
- rangeKeyName = context.getRangeKeyName();
- developerContext = context.getDeveloperContext();
- materialDescription = context.getMaterialDescription();
- }
-
- public EncryptionContext build() {
- return new EncryptionContext(this);
- }
-
- public Builder tableName(String tableName) {
- this.tableName = tableName;
- return this;
- }
-
- public Builder attributeValues(Map attributeValues) {
- this.attributeValues = Collections.unmodifiableMap(new HashMap<>(attributeValues));
- return this;
- }
-
- public Builder developerContext(Object developerContext) {
- this.developerContext = developerContext;
- return this;
- }
-
- public Builder hashKeyName(String hashKeyName) {
- this.hashKeyName = hashKeyName;
- return this;
- }
-
- public Builder rangeKeyName(String rangeKeyName) {
- this.rangeKeyName = rangeKeyName;
- return this;
- }
-
- public Builder materialDescription(Map materialDescription) {
- this.materialDescription = Collections.unmodifiableMap(new HashMap<>(materialDescription));
- return this;
- }
- }
-
- @Override
- public String toString() {
- return "EncryptionContext [tableName=" + tableName + ", attributeValues=" + attributeValues
- + ", developerContext=" + developerContext
- + ", hashKeyName=" + hashKeyName + ", rangeKeyName=" + rangeKeyName
- + ", materialDescription=" + materialDescription + "]";
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionContextOperators.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionContextOperators.java
deleted file mode 100644
index 2c880d39..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionContextOperators.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-import java.util.Map;
-import java.util.function.UnaryOperator;
-
-/**
- * Implementations of common operators for overriding the EncryptionContext
- */
-class EncryptionContextOperators {
-
- // Prevent instantiation
- private EncryptionContextOperators() {
- }
-
- /**
- * An operator for overriding EncryptionContext's table name for a specific DynamoDbEncryptor. If any table names or
- * the encryption context itself is null, then it returns the original EncryptionContext.
- *
- * @param originalTableName the name of the table that should be overridden in the Encryption Context
- * @param newTableName the table name that should be used in the Encryption Context
- * @return A UnaryOperator that produces a new EncryptionContext with the supplied table name
- */
- static UnaryOperator overrideEncryptionContextTableName(
- String originalTableName,
- String newTableName) {
- return encryptionContext -> {
- if (encryptionContext == null
- || encryptionContext.getTableName() == null
- || originalTableName == null
- || newTableName == null) {
- return encryptionContext;
- }
- if (originalTableName.equals(encryptionContext.getTableName())) {
- return encryptionContext.toBuilder().tableName(newTableName).build();
- } else {
- return encryptionContext;
- }
- };
- }
-
- /**
- * An operator for mapping multiple table names in the Encryption Context to a new table name. If the table name for
- * a given EncryptionContext is missing, then it returns the original EncryptionContext. Similarly, it returns the
- * original EncryptionContext if the value it is overridden to is null, or if the original table name is null.
- *
- * @param tableNameOverrideMap a map specifying the names of tables that should be overridden,
- * and the values to which they should be overridden. If the given table name
- * corresponds to null, or isn't in the map, then the table name won't be overridden.
- * @return A UnaryOperator that produces a new EncryptionContext with the supplied table name
- */
- static UnaryOperator overrideEncryptionContextTableNameUsingMap(
- Map tableNameOverrideMap) {
- return encryptionContext -> {
- if (tableNameOverrideMap == null || encryptionContext == null || encryptionContext.getTableName() == null) {
- return encryptionContext;
- }
- String newTableName = tableNameOverrideMap.get(encryptionContext.getTableName());
- if (newTableName != null) {
- return encryptionContext.toBuilder().tableName(newTableName).build();
- } else {
- return encryptionContext;
- }
- };
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionFlags.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionFlags.java
deleted file mode 100644
index ce3031da..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/EncryptionFlags.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-/**
- * @author Greg Rubin
- */
-enum EncryptionFlags {
- ENCRYPT,
- SIGN
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/exceptions/DynamoDbEncryptionException.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/exceptions/DynamoDbEncryptionException.java
deleted file mode 100644
index f245d66e..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/exceptions/DynamoDbEncryptionException.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.exceptions;
-
-/**
- * Generic exception thrown for any problem the DynamoDB encryption client has performing tasks
- */
-public class DynamoDbEncryptionException extends RuntimeException {
- private static final long serialVersionUID = - 7565904179772520868L;
-
- /**
- * Standard constructor
- * @param cause exception cause
- */
- public DynamoDbEncryptionException(Throwable cause) {
- super(cause);
- }
-
- /**
- * Standard constructor
- * @param message exception message
- */
- public DynamoDbEncryptionException(String message) {
- super(message);
- }
-
- /**
- * Standard constructor
- * @param message exception message
- * @param cause exception cause
- */
- public DynamoDbEncryptionException(String message, Throwable cause) {
- super(message, cause);
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/AbstractRawMaterials.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/AbstractRawMaterials.java
deleted file mode 100644
index 5dfbb197..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/AbstractRawMaterials.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials;
-
-import java.security.Key;
-import java.security.KeyPair;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.crypto.SecretKey;
-
-/**
- * @author Greg Rubin
- */
-public abstract class AbstractRawMaterials implements DecryptionMaterials, EncryptionMaterials {
- private Map description;
- private final Key signingKey;
- private final Key verificationKey;
-
- @SuppressWarnings("unchecked")
- protected AbstractRawMaterials(KeyPair signingPair) {
- this(signingPair, Collections.EMPTY_MAP);
- }
-
- protected AbstractRawMaterials(KeyPair signingPair, Map description) {
- this.signingKey = signingPair.getPrivate();
- this.verificationKey = signingPair.getPublic();
- setMaterialDescription(description);
- }
-
- @SuppressWarnings("unchecked")
- protected AbstractRawMaterials(SecretKey macKey) {
- this(macKey, Collections.EMPTY_MAP);
- }
-
- protected AbstractRawMaterials(SecretKey macKey, Map description) {
- this.signingKey = macKey;
- this.verificationKey = macKey;
- this.description = Collections.unmodifiableMap(new HashMap<>(description));
- }
-
- @Override
- public Map getMaterialDescription() {
- return new HashMap<>(description);
- }
-
- public void setMaterialDescription(Map description) {
- this.description = Collections.unmodifiableMap(new HashMap<>(description));
- }
-
- @Override
- public Key getSigningKey() {
- return signingKey;
- }
-
- @Override
- public Key getVerificationKey() {
- return verificationKey;
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/AsymmetricRawMaterials.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/AsymmetricRawMaterials.java
deleted file mode 100644
index 003d0b60..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/AsymmetricRawMaterials.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials;
-
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.util.Collections;
-import java.util.Map;
-
-import javax.crypto.SecretKey;
-
-/**
- * @author Greg Rubin
- */
-public class AsymmetricRawMaterials extends WrappedRawMaterials {
- @SuppressWarnings("unchecked")
- public AsymmetricRawMaterials(KeyPair encryptionKey, KeyPair signingPair)
- throws GeneralSecurityException {
- this(encryptionKey, signingPair, Collections.EMPTY_MAP);
- }
-
- public AsymmetricRawMaterials(KeyPair encryptionKey, KeyPair signingPair, Map description)
- throws GeneralSecurityException {
- super(encryptionKey.getPublic(), encryptionKey.getPrivate(), signingPair, description);
- }
-
- @SuppressWarnings("unchecked")
- public AsymmetricRawMaterials(KeyPair encryptionKey, SecretKey macKey)
- throws GeneralSecurityException {
- this(encryptionKey, macKey, Collections.EMPTY_MAP);
- }
-
- public AsymmetricRawMaterials(KeyPair encryptionKey, SecretKey macKey, Map description)
- throws GeneralSecurityException {
- super(encryptionKey.getPublic(), encryptionKey.getPrivate(), macKey, description);
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/CryptographicMaterials.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/CryptographicMaterials.java
deleted file mode 100644
index 033d331f..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/CryptographicMaterials.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials;
-
-import java.util.Map;
-
-/**
- * @author Greg Rubin
- */
-public interface CryptographicMaterials {
- Map getMaterialDescription();
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/DecryptionMaterials.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/DecryptionMaterials.java
deleted file mode 100644
index 00f8548b..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/DecryptionMaterials.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials;
-
-import java.security.Key;
-
-import javax.crypto.SecretKey;
-
-/**
- * @author Greg Rubin
- */
-public interface DecryptionMaterials extends CryptographicMaterials {
- SecretKey getDecryptionKey();
- Key getVerificationKey();
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/EncryptionMaterials.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/EncryptionMaterials.java
deleted file mode 100644
index ecef9e9f..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/EncryptionMaterials.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials;
-
-import java.security.Key;
-
-import javax.crypto.SecretKey;
-
-/**
- * @author Greg Rubin
- */
-public interface EncryptionMaterials extends CryptographicMaterials {
- SecretKey getEncryptionKey();
- Key getSigningKey();
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/SymmetricRawMaterials.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/SymmetricRawMaterials.java
deleted file mode 100644
index b3daab44..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/SymmetricRawMaterials.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials;
-
-import java.security.KeyPair;
-import java.util.Collections;
-import java.util.Map;
-
-import javax.crypto.SecretKey;
-
-/**
- * @author Greg Rubin
- */
-public class SymmetricRawMaterials extends AbstractRawMaterials {
- private final SecretKey cryptoKey;
-
- @SuppressWarnings("unchecked")
- public SymmetricRawMaterials(SecretKey encryptionKey, KeyPair signingPair) {
- this(encryptionKey, signingPair, Collections.EMPTY_MAP);
- }
-
- public SymmetricRawMaterials(SecretKey encryptionKey, KeyPair signingPair, Map description) {
- super(signingPair, description);
- this.cryptoKey = encryptionKey;
- }
-
- @SuppressWarnings("unchecked")
- public SymmetricRawMaterials(SecretKey encryptionKey, SecretKey macKey) {
- this(encryptionKey, macKey, Collections.EMPTY_MAP);
- }
-
- public SymmetricRawMaterials(SecretKey encryptionKey, SecretKey macKey, Map description) {
- super(macKey, description);
- this.cryptoKey = encryptionKey;
- }
-
- @Override
- public SecretKey getEncryptionKey() {
- return cryptoKey;
- }
-
- @Override
- public SecretKey getDecryptionKey() {
- return cryptoKey;
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/WrappedRawMaterials.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/WrappedRawMaterials.java
deleted file mode 100644
index 2941cf68..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/materials/WrappedRawMaterials.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials;
-
-import java.security.GeneralSecurityException;
-import java.security.InvalidKeyException;
-import java.security.Key;
-import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
-import java.util.Collections;
-import java.util.Map;
-
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.KeyGenerator;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.DelegatedKey;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Base64;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Utils;
-
-/**
- * Represents cryptographic materials used to manage unique record-level keys.
- * This class specifically implements Envelope Encryption where a unique content
- * key is randomly generated each time this class is constructed which is then
- * encrypted with the Wrapping Key and then persisted in the Description. If a
- * wrapped key is present in the Description, then that content key is unwrapped
- * and used to decrypt the actual data in the record.
- *
- * Other possibly implementations might use a Key-Derivation Function to derive
- * a unique key per record.
- *
- * @author Greg Rubin
- */
-
-public class WrappedRawMaterials extends AbstractRawMaterials {
- /**
- * The key-name in the Description which contains the algorithm use to wrap
- * content key. Example values are "AESWrap", or
- * "RSA/ECB/OAEPWithSHA-256AndMGF1Padding".
- */
- public static final String KEY_WRAPPING_ALGORITHM = "amzn-ddb-wrap-alg";
- /**
- * The key-name in the Description which contains the algorithm used by the
- * content key. Example values are "AES", or "Blowfish".
- */
- public static final String CONTENT_KEY_ALGORITHM = "amzn-ddb-env-alg";
- /**
- * The key-name in the Description which which contains the wrapped content
- * key.
- */
- public static final String ENVELOPE_KEY = "amzn-ddb-env-key";
- private static final String DEFAULT_ALGORITHM = "AES/256";
-
- protected final Key wrappingKey;
- protected final Key unwrappingKey;
- private final SecretKey envelopeKey;
-
- public WrappedRawMaterials(Key wrappingKey, Key unwrappingKey, KeyPair signingPair)
- throws GeneralSecurityException {
- this(wrappingKey, unwrappingKey, signingPair, Collections.emptyMap());
- }
-
- public WrappedRawMaterials(Key wrappingKey, Key unwrappingKey, KeyPair signingPair,
- Map description) throws GeneralSecurityException {
- super(signingPair, description);
- this.wrappingKey = wrappingKey;
- this.unwrappingKey = unwrappingKey;
- this.envelopeKey = initEnvelopeKey();
- }
-
- public WrappedRawMaterials(Key wrappingKey, Key unwrappingKey, SecretKey macKey)
- throws GeneralSecurityException {
- this(wrappingKey, unwrappingKey, macKey, Collections.emptyMap());
- }
-
- public WrappedRawMaterials(Key wrappingKey, Key unwrappingKey, SecretKey macKey,
- Map description) throws GeneralSecurityException {
- super(macKey, description);
- this.wrappingKey = wrappingKey;
- this.unwrappingKey = unwrappingKey;
- this.envelopeKey = initEnvelopeKey();
- }
-
- @Override
- public SecretKey getDecryptionKey() {
- return envelopeKey;
- }
-
- @Override
- public SecretKey getEncryptionKey() {
- return envelopeKey;
- }
-
- /**
- * Called by the constructors. If there is already a key associated with
- * this record (usually signified by a value stored in the description in
- * the key {@link #ENVELOPE_KEY}) it extracts it and returns it. Otherwise
- * it generates a new key, stores a wrapped version in the Description, and
- * returns the key to the caller.
- *
- * @return the content key (which is returned by both
- * {@link #getDecryptionKey()} and {@link #getEncryptionKey()}.
- * @throws GeneralSecurityException if there is a problem
- */
- protected SecretKey initEnvelopeKey() throws GeneralSecurityException {
- Map description = getMaterialDescription();
- if (description.containsKey(ENVELOPE_KEY)) {
- if (unwrappingKey == null) {
- throw new IllegalStateException("No private decryption key provided.");
- }
- byte[] encryptedKey = Base64.decode(description.get(ENVELOPE_KEY));
- String wrappingAlgorithm = unwrappingKey.getAlgorithm();
- if (description.containsKey(KEY_WRAPPING_ALGORITHM)) {
- wrappingAlgorithm = description.get(KEY_WRAPPING_ALGORITHM);
- }
- return unwrapKey(description, encryptedKey, wrappingAlgorithm);
- } else {
- SecretKey key = description.containsKey(CONTENT_KEY_ALGORITHM) ?
- generateContentKey(description.get(CONTENT_KEY_ALGORITHM)) :
- generateContentKey(DEFAULT_ALGORITHM);
-
- String wrappingAlg = description.containsKey(KEY_WRAPPING_ALGORITHM) ?
- description.get(KEY_WRAPPING_ALGORITHM) :
- getTransformation(wrappingKey.getAlgorithm());
- byte[] encryptedKey = wrapKey(key, wrappingAlg);
- description.put(ENVELOPE_KEY, Base64.encodeToString(encryptedKey));
- description.put(CONTENT_KEY_ALGORITHM, key.getAlgorithm());
- description.put(KEY_WRAPPING_ALGORITHM, wrappingAlg);
- setMaterialDescription(description);
- return key;
- }
- }
-
- public byte[] wrapKey(SecretKey key, String wrappingAlg) throws NoSuchAlgorithmException, NoSuchPaddingException,
- InvalidKeyException, IllegalBlockSizeException {
- if (wrappingKey instanceof DelegatedKey) {
- return ((DelegatedKey)wrappingKey).wrap(key, null, wrappingAlg);
- } else {
- Cipher cipher = Cipher.getInstance(wrappingAlg);
- cipher.init(Cipher.WRAP_MODE, wrappingKey, Utils.getRng());
- return cipher.wrap(key);
- }
- }
-
- protected SecretKey unwrapKey(Map description, byte[] encryptedKey, String wrappingAlgorithm)
- throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException {
- if (unwrappingKey instanceof DelegatedKey) {
- return (SecretKey)((DelegatedKey)unwrappingKey).unwrap(encryptedKey,
- description.get(CONTENT_KEY_ALGORITHM), Cipher.SECRET_KEY, null, wrappingAlgorithm);
- } else {
- Cipher cipher = Cipher.getInstance(wrappingAlgorithm);
- cipher.init(Cipher.UNWRAP_MODE, unwrappingKey, Utils.getRng());
- return (SecretKey) cipher.unwrap(encryptedKey,
- description.get(CONTENT_KEY_ALGORITHM), Cipher.SECRET_KEY);
- }
- }
-
- protected SecretKey generateContentKey(final String algorithm) throws NoSuchAlgorithmException {
- String[] pieces = algorithm.split("/", 2);
- KeyGenerator kg = KeyGenerator.getInstance(pieces[0]);
- int keyLen = 0;
- if (pieces.length == 2) {
- try {
- keyLen = Integer.parseInt(pieces[1]);
- } catch (NumberFormatException ignored) {
- }
- }
-
- if (keyLen > 0) {
- kg.init(keyLen, Utils.getRng());
- } else {
- kg.init(Utils.getRng());
- }
- return kg.generateKey();
- }
-
- private static String getTransformation(final String algorithm) {
- if (algorithm.equalsIgnoreCase("RSA")) {
- return "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
- } else if (algorithm.equalsIgnoreCase("AES")) {
- return "AESWrap";
- } else {
- return algorithm;
- }
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/AsymmetricStaticProvider.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/AsymmetricStaticProvider.java
deleted file mode 100644
index b49e2b9a..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/AsymmetricStaticProvider.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers;
-
-import java.security.KeyPair;
-import java.util.Collections;
-import java.util.Map;
-
-import javax.crypto.SecretKey;
-
-/**
- * This is a thin wrapper around the {@link WrappedMaterialsProvider}, using
- * the provided encryptionKey for wrapping and unwrapping the
- * record key. Please see that class for detailed documentation.
- *
- * @author Greg Rubin
- */
-public class AsymmetricStaticProvider extends WrappedMaterialsProvider {
- public AsymmetricStaticProvider(KeyPair encryptionKey, KeyPair signingPair) {
- this(encryptionKey, signingPair, Collections.emptyMap());
- }
-
- public AsymmetricStaticProvider(KeyPair encryptionKey, SecretKey macKey) {
- this(encryptionKey, macKey, Collections.emptyMap());
- }
-
- public AsymmetricStaticProvider(KeyPair encryptionKey, KeyPair signingPair, Map description) {
- super(encryptionKey.getPublic(), encryptionKey.getPrivate(), signingPair, description);
- }
-
- public AsymmetricStaticProvider(KeyPair encryptionKey, SecretKey macKey, Map description) {
- super(encryptionKey.getPublic(), encryptionKey.getPrivate(), macKey, description);
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/DirectKmsMaterialsProvider.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/DirectKmsMaterialsProvider.java
deleted file mode 100644
index ab402cbb..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/DirectKmsMaterialsProvider.java
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers;
-
-import static software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.WrappedRawMaterials.CONTENT_KEY_ALGORITHM;
-import static software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.WrappedRawMaterials.ENVELOPE_KEY;
-import static software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.WrappedRawMaterials.KEY_WRAPPING_ALGORITHM;
-
-import java.security.NoSuchAlgorithmException;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.exceptions.DynamoDbEncryptionException;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.SymmetricRawMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.WrappedRawMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Base64;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Hkdf;
-
-import software.amazon.awssdk.core.SdkBytes;
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-import software.amazon.awssdk.services.kms.KmsClient;
-import software.amazon.awssdk.services.kms.model.DecryptRequest;
-import software.amazon.awssdk.services.kms.model.DecryptResponse;
-import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest;
-import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse;
-
-/**
- * Generates a unique data key for each record in DynamoDB and protects that key
- * using {@link KmsClient}. Currently, the HashKey, RangeKey, and TableName will be
- * included in the KMS EncryptionContext for wrapping/unwrapping the key. This
- * means that records cannot be copied/moved between tables without re-encryption.
- *
- * @see KMS Encryption Context
- */
-public class DirectKmsMaterialsProvider implements EncryptionMaterialsProvider {
- private static final String COVERED_ATTR_CTX_KEY = "aws-kms-ec-attr";
- private static final String SIGNING_KEY_ALGORITHM = "amzn-ddb-sig-alg";
- private static final String TABLE_NAME_EC_KEY = "*aws-kms-table*";
-
- private static final String DEFAULT_ENC_ALG = "AES/256";
- private static final String DEFAULT_SIG_ALG = "HmacSHA256/256";
- private static final String KEY_COVERAGE = "*keys*";
- private static final String KDF_ALG = "HmacSHA256";
- private static final String KDF_SIG_INFO = "Signing";
- private static final String KDF_ENC_INFO = "Encryption";
-
- private final KmsClient kms;
- private final String encryptionKeyId;
- private final Map description;
- private final String dataKeyAlg;
- private final int dataKeyLength;
- private final String dataKeyDesc;
- private final String sigKeyAlg;
- private final int sigKeyLength;
- private final String sigKeyDesc;
-
- public DirectKmsMaterialsProvider(KmsClient kms) {
- this(kms, null);
- }
-
- public DirectKmsMaterialsProvider(KmsClient kms, String encryptionKeyId, Map materialDescription) {
- this.kms = kms;
- this.encryptionKeyId = encryptionKeyId;
- this.description = materialDescription != null ?
- Collections.unmodifiableMap(new HashMap<>(materialDescription)) :
- Collections.emptyMap();
-
- dataKeyDesc = description.getOrDefault(WrappedRawMaterials.CONTENT_KEY_ALGORITHM, DEFAULT_ENC_ALG);
-
- String[] parts = dataKeyDesc.split("/", 2);
- this.dataKeyAlg = parts[0];
- this.dataKeyLength = parts.length == 2 ? Integer.parseInt(parts[1]) : 256;
-
- sigKeyDesc = description.getOrDefault(SIGNING_KEY_ALGORITHM, DEFAULT_SIG_ALG);
-
- parts = sigKeyDesc.split("/", 2);
- this.sigKeyAlg = parts[0];
- this.sigKeyLength = parts.length == 2 ? Integer.parseInt(parts[1]) : 256;
- }
-
- public DirectKmsMaterialsProvider(KmsClient kms, String encryptionKeyId) {
- this(kms, encryptionKeyId, Collections.emptyMap());
- }
-
- @Override
- public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
- final Map materialDescription = context.getMaterialDescription();
-
- final Map ec = new HashMap<>();
- final String providedEncAlg = materialDescription.get(CONTENT_KEY_ALGORITHM);
- final String providedSigAlg = materialDescription.get(SIGNING_KEY_ALGORITHM);
-
- ec.put("*" + CONTENT_KEY_ALGORITHM + "*", providedEncAlg);
- ec.put("*" + SIGNING_KEY_ALGORITHM + "*", providedSigAlg);
-
- populateKmsEcFromEc(context, ec);
-
- DecryptRequest.Builder request = DecryptRequest.builder();
- request.ciphertextBlob(SdkBytes.fromByteArray(Base64.decode(materialDescription.get(ENVELOPE_KEY))));
- request.encryptionContext(ec);
- final DecryptResponse decryptResponse = decrypt(request.build(), context);
- validateEncryptionKeyId(decryptResponse.keyId(), context);
-
- final Hkdf kdf;
- try {
- kdf = Hkdf.getInstance(KDF_ALG);
- } catch (NoSuchAlgorithmException e) {
- throw new DynamoDbEncryptionException(e);
- }
- kdf.init(decryptResponse.plaintext().asByteArray());
-
- final String[] encAlgParts = providedEncAlg.split("/", 2);
- int encLength = encAlgParts.length == 2 ? Integer.parseInt(encAlgParts[1]) : 256;
- final String[] sigAlgParts = providedSigAlg.split("/", 2);
- int sigLength = sigAlgParts.length == 2 ? Integer.parseInt(sigAlgParts[1]) : 256;
-
- final SecretKey encryptionKey = new SecretKeySpec(kdf.deriveKey(KDF_ENC_INFO, encLength / 8), encAlgParts[0]);
- final SecretKey macKey = new SecretKeySpec(kdf.deriveKey(KDF_SIG_INFO, sigLength / 8), sigAlgParts[0]);
-
- return new SymmetricRawMaterials(encryptionKey, macKey, materialDescription);
- }
-
- @Override
- public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
- final Map ec = new HashMap<>();
- ec.put("*" + CONTENT_KEY_ALGORITHM + "*", dataKeyDesc);
- ec.put("*" + SIGNING_KEY_ALGORITHM + "*", sigKeyDesc);
- populateKmsEcFromEc(context, ec);
-
- final String keyId = selectEncryptionKeyId(context);
- if (keyId == null || keyId.isEmpty()) {
- throw new DynamoDbEncryptionException("Encryption key id is empty.");
- }
-
- final GenerateDataKeyRequest.Builder req = GenerateDataKeyRequest.builder();
- req.keyId(keyId);
- // NumberOfBytes parameter is used because we're not using this key as an AES-256 key,
- // we're using it as an HKDF-SHA256 key.
- req.numberOfBytes(256 / 8);
- req.encryptionContext(ec);
-
- final GenerateDataKeyResponse dataKeyResult = generateDataKey(req.build(), context);
-
- final Map materialDescription = new HashMap<>(description);
- materialDescription.put(COVERED_ATTR_CTX_KEY, KEY_COVERAGE);
- materialDescription.put(KEY_WRAPPING_ALGORITHM, "kms");
- materialDescription.put(CONTENT_KEY_ALGORITHM, dataKeyDesc);
- materialDescription.put(SIGNING_KEY_ALGORITHM, sigKeyDesc);
- materialDescription.put(ENVELOPE_KEY,
- Base64.encodeToString(dataKeyResult.ciphertextBlob().asByteArray()));
-
- final Hkdf kdf;
- try {
- kdf = Hkdf.getInstance(KDF_ALG);
- } catch (NoSuchAlgorithmException e) {
- throw new DynamoDbEncryptionException(e);
- }
-
- kdf.init(dataKeyResult.plaintext().asByteArray());
-
- final SecretKey encryptionKey = new SecretKeySpec(kdf.deriveKey(KDF_ENC_INFO, dataKeyLength / 8), dataKeyAlg);
- final SecretKey signatureKey = new SecretKeySpec(kdf.deriveKey(KDF_SIG_INFO, sigKeyLength / 8), sigKeyAlg);
- return new SymmetricRawMaterials(encryptionKey, signatureKey, materialDescription);
- }
-
- /**
- * Get encryption key id that is used to create the {@link EncryptionMaterials}.
- *
- * @return encryption key id.
- */
- protected String getEncryptionKeyId() {
- return this.encryptionKeyId;
- }
-
- /**
- * Select encryption key id to be used to generate data key. The default implementation of this method returns
- * {@link DirectKmsMaterialsProvider#encryptionKeyId}.
- *
- * @param context encryption context.
- * @return the encryptionKeyId.
- * @throws DynamoDbEncryptionException when we fails to select a valid encryption key id.
- */
- protected String selectEncryptionKeyId(EncryptionContext context) throws DynamoDbEncryptionException {
- return getEncryptionKeyId();
- }
-
- /**
- * Validate the encryption key id. The default implementation of this method does not validate
- * encryption key id.
- *
- * @param encryptionKeyId encryption key id from {@link DecryptResponse}.
- * @param context encryption context.
- * @throws DynamoDbEncryptionException when encryptionKeyId is invalid.
- */
- protected void validateEncryptionKeyId(String encryptionKeyId, EncryptionContext context)
- throws DynamoDbEncryptionException {
- // No action taken.
- }
-
- /**
- * Decrypts ciphertext. The default implementation calls KMS to decrypt the ciphertext using the parameters
- * provided in the {@link DecryptRequest}. Subclass can override the default implementation to provide
- * additional request parameters using attributes within the {@link EncryptionContext}.
- *
- * @param request request parameters to decrypt the given ciphertext.
- * @param context additional useful data to decrypt the ciphertext.
- * @return the decrypted plaintext for the given ciphertext.
- */
- protected DecryptResponse decrypt(final DecryptRequest request, final EncryptionContext context) {
- return kms.decrypt(request);
- }
-
- /**
- * Returns a data encryption key that you can use in your application to encrypt data locally. The default
- * implementation calls KMS to generate the data key using the parameters provided in the
- * {@link GenerateDataKeyRequest}. Subclass can override the default implementation to provide additional
- * request parameters using attributes within the {@link EncryptionContext}.
- *
- * @param request request parameters to generate the data key.
- * @param context additional useful data to generate the data key.
- * @return the newly generated data key which includes both the plaintext and ciphertext.
- */
- protected GenerateDataKeyResponse generateDataKey(final GenerateDataKeyRequest request,
- final EncryptionContext context) {
- return kms.generateDataKey(request);
- }
-
- /**
- * Extracts relevant information from {@code context} and uses it to populate fields in
- * {@code kmsEc}. Subclass can override the default implementation to provide an alternative
- * encryption context in calls to KMS. Currently, the default implementation includes these fields:
- *
- * - {@code HashKeyName}
- * - {@code HashKeyValue}
- * - {@code RangeKeyName}
- * - {@code RangeKeyValue}
- * - {@link #TABLE_NAME_EC_KEY}
- * - {@code TableName}
- */
- protected void populateKmsEcFromEc(EncryptionContext context, Map kmsEc) {
- final String hashKeyName = context.getHashKeyName();
- if (hashKeyName != null) {
- final AttributeValue hashKey = context.getAttributeValues().get(hashKeyName);
- if (hashKey.n() != null) {
- kmsEc.put(hashKeyName, hashKey.n());
- } else if (hashKey.s() != null) {
- kmsEc.put(hashKeyName, hashKey.s());
- } else if (hashKey.b() != null) {
- kmsEc.put(hashKeyName, Base64.encodeToString(hashKey.b().asByteArray()));
- } else {
- throw new UnsupportedOperationException("DirectKmsMaterialsProvider only supports String, Number, and Binary HashKeys");
- }
- }
- final String rangeKeyName = context.getRangeKeyName();
- if (rangeKeyName != null) {
- final AttributeValue rangeKey = context.getAttributeValues().get(rangeKeyName);
- if (rangeKey.n() != null) {
- kmsEc.put(rangeKeyName, rangeKey.n());
- } else if (rangeKey.s() != null) {
- kmsEc.put(rangeKeyName, rangeKey.s());
- } else if (rangeKey.b() != null) {
- kmsEc.put(rangeKeyName, Base64.encodeToString(rangeKey.b().asByteArray()));
- } else {
- throw new UnsupportedOperationException("DirectKmsMaterialsProvider only supports String, Number, and Binary RangeKeys");
- }
- }
-
- final String tableName = context.getTableName();
- if (tableName != null) {
- kmsEc.put(TABLE_NAME_EC_KEY, tableName);
- }
- }
-
- @Override
- public void refresh() {
- // No action needed
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/EncryptionMaterialsProvider.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/EncryptionMaterialsProvider.java
deleted file mode 100644
index b60fee3e..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/EncryptionMaterialsProvider.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-
-/**
- * Interface for providing encryption materials.
- * Implementations are free to use any strategy for providing encryption
- * materials, such as simply providing static material that doesn't change,
- * or more complicated implementations, such as integrating with existing
- * key management systems.
- *
- * @author Greg Rubin
- */
-public interface EncryptionMaterialsProvider {
-
- /**
- * Retrieves encryption materials matching the specified description from some source.
- *
- * @param context
- * Information to assist in selecting a the proper return value. The implementation
- * is free to determine the minimum necessary for successful processing.
- *
- * @return
- * The encryption materials that match the description, or null if no matching encryption materials found.
- */
- DecryptionMaterials getDecryptionMaterials(EncryptionContext context);
-
- /**
- * Returns EncryptionMaterials which the caller can use for encryption.
- * Each implementation of EncryptionMaterialsProvider can choose its own
- * strategy for loading encryption material. For example, an
- * implementation might load encryption material from an existing key
- * management system, or load new encryption material when keys are
- * rotated.
- *
- * @param context
- * Information to assist in selecting a the proper return value. The implementation
- * is free to determine the minimum necessary for successful processing.
- *
- * @return EncryptionMaterials which the caller can use to encrypt or
- * decrypt data.
- */
- EncryptionMaterials getEncryptionMaterials(EncryptionContext context);
-
- /**
- * Forces this encryption materials provider to refresh its encryption
- * material. For many implementations of encryption materials provider,
- * this may simply be a no-op, such as any encryption materials provider
- * implementation that vends static/non-changing encryption material.
- * For other implementations that vend different encryption material
- * throughout their lifetime, this method should force the encryption
- * materials provider to refresh its encryption material.
- */
- void refresh();
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/KeyStoreMaterialsProvider.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/KeyStoreMaterialsProvider.java
deleted file mode 100644
index 483b81b5..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/KeyStoreMaterialsProvider.java
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers;
-
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.KeyStore;
-import java.security.KeyStore.Entry;
-import java.security.KeyStore.PrivateKeyEntry;
-import java.security.KeyStore.ProtectionParameter;
-import java.security.KeyStore.SecretKeyEntry;
-import java.security.KeyStore.TrustedCertificateEntry;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.UnrecoverableEntryException;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.concurrent.atomic.AtomicReference;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.exceptions.DynamoDbEncryptionException;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.AsymmetricRawMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.SymmetricRawMaterials;
-
-/**
- * @author Greg Rubin
- */
-public class KeyStoreMaterialsProvider implements EncryptionMaterialsProvider {
- private final Map description;
- private final String encryptionAlias;
- private final String signingAlias;
- private final ProtectionParameter encryptionProtection;
- private final ProtectionParameter signingProtection;
- private final KeyStore keyStore;
- private final AtomicReference currMaterials =
- new AtomicReference<>();
-
- public KeyStoreMaterialsProvider(KeyStore keyStore, String encryptionAlias, String signingAlias, Map description)
- throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
- this(keyStore, encryptionAlias, signingAlias, null, null, description);
- }
-
- public KeyStoreMaterialsProvider(KeyStore keyStore, String encryptionAlias, String signingAlias,
- ProtectionParameter encryptionProtection, ProtectionParameter signingProtection,
- Map description)
- throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
- super();
- this.keyStore = keyStore;
- this.encryptionAlias = encryptionAlias;
- this.signingAlias = signingAlias;
- this.encryptionProtection = encryptionProtection;
- this.signingProtection = signingProtection;
- this.description = Collections.unmodifiableMap(new HashMap<>(description));
-
- validateKeys();
- loadKeys();
- }
-
- @Override
- public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
- CurrentMaterials materials = currMaterials.get();
- if (context.getMaterialDescription().entrySet().containsAll(description.entrySet())) {
- if (materials.encryptionEntry instanceof SecretKeyEntry) {
- return materials.symRawMaterials;
- } else {
- try {
- return makeAsymMaterials(materials, context.getMaterialDescription());
- } catch (GeneralSecurityException ex) {
- throw new DynamoDbEncryptionException("Unable to decrypt envelope key", ex);
- }
- }
- } else {
- return null;
- }
- }
-
- @Override
- public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
- CurrentMaterials materials = currMaterials.get();
- if (materials.encryptionEntry instanceof SecretKeyEntry) {
- return materials.symRawMaterials;
- } else {
- try {
- return makeAsymMaterials(materials, description);
- } catch (GeneralSecurityException ex) {
- throw new DynamoDbEncryptionException("Unable to encrypt envelope key", ex);
- }
- }
- }
-
- private AsymmetricRawMaterials makeAsymMaterials(CurrentMaterials materials,
- Map description) throws GeneralSecurityException {
- KeyPair encryptionPair = entry2Pair(materials.encryptionEntry);
- if (materials.signingEntry instanceof SecretKeyEntry) {
- return new AsymmetricRawMaterials(encryptionPair,
- ((SecretKeyEntry) materials.signingEntry).getSecretKey(), description);
- } else {
- return new AsymmetricRawMaterials(encryptionPair, entry2Pair(materials.signingEntry),
- description);
- }
- }
-
- private static KeyPair entry2Pair(Entry entry) {
- PublicKey pub = null;
- PrivateKey priv = null;
-
- if (entry instanceof PrivateKeyEntry) {
- PrivateKeyEntry pk = (PrivateKeyEntry) entry;
- if (pk.getCertificate() != null) {
- pub = pk.getCertificate().getPublicKey();
- }
- priv = pk.getPrivateKey();
- } else if (entry instanceof TrustedCertificateEntry) {
- TrustedCertificateEntry tc = (TrustedCertificateEntry) entry;
- pub = tc.getTrustedCertificate().getPublicKey();
- } else {
- throw new IllegalArgumentException(
- "Only entry types PrivateKeyEntry and TrustedCertificateEntry are supported.");
- }
- return new KeyPair(pub, priv);
- }
-
- /**
- * Reloads the keys from the underlying keystore by calling
- * {@link KeyStore#getEntry(String, ProtectionParameter)} again for each of them.
- */
- @Override
- public void refresh() {
- try {
- loadKeys();
- } catch (GeneralSecurityException ex) {
- throw new DynamoDbEncryptionException("Unable to load keys from keystore", ex);
- }
- }
-
- private void validateKeys() throws KeyStoreException {
- if (!keyStore.containsAlias(encryptionAlias)) {
- throw new IllegalArgumentException("Keystore does not contain alias: "
- + encryptionAlias);
- }
- if (!keyStore.containsAlias(signingAlias)) {
- throw new IllegalArgumentException("Keystore does not contain alias: "
- + signingAlias);
- }
- }
-
- private void loadKeys() throws NoSuchAlgorithmException, UnrecoverableEntryException,
- KeyStoreException {
- Entry encryptionEntry = keyStore.getEntry(encryptionAlias, encryptionProtection);
- Entry signingEntry = keyStore.getEntry(signingAlias, signingProtection);
- CurrentMaterials newMaterials = new CurrentMaterials(encryptionEntry, signingEntry);
- currMaterials.set(newMaterials);
- }
-
- private class CurrentMaterials {
- public final Entry encryptionEntry;
- public final Entry signingEntry;
- public final SymmetricRawMaterials symRawMaterials;
-
- public CurrentMaterials(Entry encryptionEntry, Entry signingEntry) {
- super();
- this.encryptionEntry = encryptionEntry;
- this.signingEntry = signingEntry;
-
- if (encryptionEntry instanceof SecretKeyEntry) {
- if (signingEntry instanceof SecretKeyEntry) {
- this.symRawMaterials = new SymmetricRawMaterials(
- ((SecretKeyEntry) encryptionEntry).getSecretKey(),
- ((SecretKeyEntry) signingEntry).getSecretKey(),
- description);
- } else {
- this.symRawMaterials = new SymmetricRawMaterials(
- ((SecretKeyEntry) encryptionEntry).getSecretKey(),
- entry2Pair(signingEntry),
- description);
- }
- } else {
- this.symRawMaterials = null;
- }
- }
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/MostRecentProvider.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/MostRecentProvider.java
deleted file mode 100644
index f0edc768..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/MostRecentProvider.java
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright 2016-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except
- * in compliance with the License. A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers;
-
-import java.util.concurrent.atomic.AtomicReference;
-import java.util.concurrent.locks.ReentrantLock;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.store.ProviderStore;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.LRUCache;
-
-/**
- * This meta-Provider encrypts data with the most recent version of keying materials from a
- * {@link ProviderStore} and decrypts using whichever version is appropriate. It also caches the
- * results from the {@link ProviderStore} to avoid excessive load on the backing systems. The cache
- * is not currently configurable.
- */
-public class MostRecentProvider implements EncryptionMaterialsProvider {
- private static final long MILLI_TO_NANO = 1000000L;
- private static final long TTL_GRACE_IN_NANO = 500 * MILLI_TO_NANO;
- private final ProviderStore keystore;
- protected final String defaultMaterialName;
- private final long ttlInNanos;
- private final LRUCache cache;
- private final LRUCache currentVersions;
-
- /**
- * Creates a new {@link MostRecentProvider}.
- *
- * @param ttlInMillis
- * The length of time in milliseconds to cache the most recent provider
- */
- public MostRecentProvider(final ProviderStore keystore, final String materialName, final long ttlInMillis) {
- this.keystore = checkNotNull(keystore, "keystore must not be null");
- this.defaultMaterialName = materialName;
- this.ttlInNanos = ttlInMillis * MILLI_TO_NANO;
- this.cache = new LRUCache(1000);
- this.currentVersions = new LRUCache<>(1000);
- }
-
- @Override
- public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
- final String materialName = getMaterialName(context);
- final LockedState ls = getCurrentVersion(materialName);
-
- final State s = ls.getState();
- if (s.provider != null && System.nanoTime() - s.lastUpdated <= ttlInNanos) {
- return s.provider.getEncryptionMaterials(context);
- }
- if (s.provider == null || System.nanoTime() - s.lastUpdated > ttlInNanos + TTL_GRACE_IN_NANO) {
- // Either we don't have a provider at all, or we're more than 500 milliseconds past
- // our update time. Either way, grab the lock and force an update.
- ls.lock();
- } else if (!ls.tryLock()) {
- // If we can't get the lock immediately, just use the current provider
- return s.provider.getEncryptionMaterials(context);
- }
-
- try {
- final long newVersion = keystore.getMaxVersion(materialName);
- final long currentVersion;
- final EncryptionMaterialsProvider currentProvider;
- if (newVersion < 0) {
- // First version of the material, so we want to allow creation
- currentVersion = 0;
- currentProvider = keystore.getOrCreate(materialName, currentVersion);
- cache.add(buildCacheKey(materialName, currentVersion), currentProvider);
- } else if (newVersion != s.currentVersion) {
- // We're retrieving an existing version, so we avoid the creation
- // flow as it is slower
- currentVersion = newVersion;
- currentProvider = keystore.getProvider(materialName, currentVersion);
- cache.add(buildCacheKey(materialName, currentVersion), currentProvider);
- } else {
- // Our version hasn't changed, so we'll just re-use the existing
- // provider to avoid the overhead of retrieving and building a new one
- currentVersion = newVersion;
- currentProvider = s.provider;
- // There is no need to add this to the cache as it's already there
- }
-
- ls.update(currentProvider, currentVersion);
-
- return ls.getState().provider.getEncryptionMaterials(context);
- } finally {
- ls.unlock();
- }
- }
-
- public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
- final String materialName = getMaterialName(context);
- final long version = keystore.getVersionFromMaterialDescription(
- context.getMaterialDescription());
- EncryptionMaterialsProvider provider = cache.get(buildCacheKey(materialName, version));
- if (provider == null) {
- provider = keystore.getProvider(materialName, version);
- cache.add(buildCacheKey(materialName, version), provider);
- }
- return provider.getDecryptionMaterials(context);
- }
-
- /**
- * Completely empties the cache of both the current and old versions.
- */
- @Override
- public void refresh() {
- currentVersions.clear();
- cache.clear();
- }
-
- public String getMaterialName() {
- return defaultMaterialName;
- }
-
- public long getTtlInMills() {
- return ttlInNanos / MILLI_TO_NANO;
- }
-
- /**
- * The current version of the materials being used for encryption. Returns -1 if we do not
- * currently have a current version.
- */
- public long getCurrentVersion() {
- return getCurrentVersion(getMaterialName()).getState().currentVersion;
- }
-
- /**
- * The last time the current version was updated. Returns 0 if we do not currently have a
- * current version.
- */
- public long getLastUpdated() {
- return getCurrentVersion(getMaterialName()).getState().lastUpdated / MILLI_TO_NANO;
- }
-
- protected String getMaterialName(final EncryptionContext context) {
- return defaultMaterialName;
- }
-
- private LockedState getCurrentVersion(final String materialName) {
- final LockedState result = currentVersions.get(materialName);
- if (result == null) {
- currentVersions.add(materialName, new LockedState());
- return currentVersions.get(materialName);
- } else {
- return result;
- }
- }
-
- private static String buildCacheKey(final String materialName, final long version) {
- StringBuilder result = new StringBuilder(materialName);
- result.append('#');
- result.append(version);
- return result.toString();
- }
-
- private static V checkNotNull(final V ref, final String errMsg) {
- if (ref == null) {
- throw new NullPointerException(errMsg);
- } else {
- return ref;
- }
- }
-
- private static class LockedState {
- private final ReentrantLock lock = new ReentrantLock(true);
- private volatile AtomicReference state = new AtomicReference<>(new State());
-
- public State getState() {
- return state.get();
- }
-
- public void unlock() {
- lock.unlock();
- }
-
- public boolean tryLock() {
- return lock.tryLock();
- }
-
- public void lock() {
- lock.lock();
- }
-
- public void update(EncryptionMaterialsProvider provider, long currentVersion) {
- if (!lock.isHeldByCurrentThread()) {
- throw new IllegalStateException("Lock not held by current thread");
- }
- state.set(new State(provider, currentVersion));
- }
- }
-
- private static class State {
- public final EncryptionMaterialsProvider provider;
- public final long currentVersion;
- public final long lastUpdated;
-
- public State() {
- this(null, -1);
- }
-
- public State(EncryptionMaterialsProvider provider, long currentVersion) {
- this.provider = provider;
- this.currentVersion = currentVersion;
- this.lastUpdated = currentVersion == -1 ? 0 : System.nanoTime();
- }
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/SymmetricStaticProvider.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/SymmetricStaticProvider.java
deleted file mode 100644
index 8a63a032..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/SymmetricStaticProvider.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers;
-
-import java.security.KeyPair;
-import java.util.Collections;
-import java.util.Map;
-
-import javax.crypto.SecretKey;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.CryptographicMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.SymmetricRawMaterials;
-
-/**
- * A provider which always returns the same provided symmetric
- * encryption/decryption key and the same signing/verification key(s).
- *
- * @author Greg Rubin
- */
-public class SymmetricStaticProvider implements EncryptionMaterialsProvider {
- private final SymmetricRawMaterials materials;
-
- /**
- * @param encryptionKey
- * the value to be returned by
- * {@link #getEncryptionMaterials(EncryptionContext)} and
- * {@link #getDecryptionMaterials(EncryptionContext)}
- * @param signingPair
- * the keypair used to sign/verify the data stored in Dynamo. If
- * only the public key is provided, then this provider may be
- * used for decryption, but not encryption.
- */
- public SymmetricStaticProvider(SecretKey encryptionKey, KeyPair signingPair) {
- this(encryptionKey, signingPair, Collections.emptyMap());
- }
-
- /**
- * @param encryptionKey
- * the value to be returned by
- * {@link #getEncryptionMaterials(EncryptionContext)} and
- * {@link #getDecryptionMaterials(EncryptionContext)}
- * @param signingPair
- * the keypair used to sign/verify the data stored in Dynamo. If
- * only the public key is provided, then this provider may be
- * used for decryption, but not encryption.
- * @param description
- * the value to be returned by
- * {@link CryptographicMaterials#getMaterialDescription()} for
- * any {@link CryptographicMaterials} returned by this object.
- */
- public SymmetricStaticProvider(SecretKey encryptionKey,
- KeyPair signingPair, Map description) {
- materials = new SymmetricRawMaterials(encryptionKey, signingPair,
- description);
- }
-
- /**
- * @param encryptionKey
- * the value to be returned by
- * {@link #getEncryptionMaterials(EncryptionContext)} and
- * {@link #getDecryptionMaterials(EncryptionContext)}
- * @param macKey
- * the key used to sign/verify the data stored in Dynamo.
- */
- public SymmetricStaticProvider(SecretKey encryptionKey, SecretKey macKey) {
- this(encryptionKey, macKey, Collections.emptyMap());
- }
-
- /**
- * @param encryptionKey
- * the value to be returned by
- * {@link #getEncryptionMaterials(EncryptionContext)} and
- * {@link #getDecryptionMaterials(EncryptionContext)}
- * @param macKey
- * the key used to sign/verify the data stored in Dynamo.
- * @param description
- * the value to be returned by
- * {@link CryptographicMaterials#getMaterialDescription()} for
- * any {@link CryptographicMaterials} returned by this object.
- */
- public SymmetricStaticProvider(SecretKey encryptionKey, SecretKey macKey, Map description) {
- materials = new SymmetricRawMaterials(encryptionKey, macKey, description);
- }
-
- /**
- * Returns the encryptionKey provided to the constructor if and only if
- * materialDescription is a super-set (may be equal) to the
- * description provided to the constructor.
- */
- @Override
- public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
- if (context.getMaterialDescription().entrySet().containsAll(materials.getMaterialDescription().entrySet())) {
- return materials;
- }
- else {
- return null;
- }
- }
-
- /**
- * Returns the encryptionKey provided to the constructor.
- */
- @Override
- public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
- return materials;
- }
-
- /**
- * Does nothing.
- */
- @Override
- public void refresh() {
- // Do Nothing
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/WrappedMaterialsProvider.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/WrappedMaterialsProvider.java
deleted file mode 100644
index 1c92fb3f..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/WrappedMaterialsProvider.java
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers;
-
-import java.security.GeneralSecurityException;
-import java.security.Key;
-import java.security.KeyPair;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.crypto.SecretKey;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.exceptions.DynamoDbEncryptionException;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.CryptographicMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.WrappedRawMaterials;
-
-/**
- * This provider will use create a unique (random) symmetric key upon each call to
- * {@link #getEncryptionMaterials(EncryptionContext)}. Practically, this means each record in DynamoDB will be
- * encrypted under a unique record key. A wrapped/encrypted copy of this record key is stored in the
- * MaterialsDescription field of that record and is unwrapped/decrypted upon reading that record.
- *
- * This is generally a more secure way of encrypting data than with the
- * {@link SymmetricStaticProvider}.
- *
- * @see WrappedRawMaterials
- *
- * @author Greg Rubin
- */
-public class WrappedMaterialsProvider implements EncryptionMaterialsProvider {
- private final Key wrappingKey;
- private final Key unwrappingKey;
- private final KeyPair sigPair;
- private final SecretKey macKey;
- private final Map description;
-
- /**
- * @param wrappingKey
- * The key used to wrap/encrypt the symmetric record key. (May be the same as the
- * unwrappingKey.)
- * @param unwrappingKey
- * The key used to unwrap/decrypt the symmetric record key. (May be the same as the
- * wrappingKey.) If null, then this provider may only be used for
- * decryption, but not encryption.
- * @param signingPair
- * the keypair used to sign/verify the data stored in Dynamo. If only the public key
- * is provided, then this provider may only be used for decryption, but not
- * encryption.
- */
- public WrappedMaterialsProvider(Key wrappingKey, Key unwrappingKey, KeyPair signingPair) {
- this(wrappingKey, unwrappingKey, signingPair, Collections.emptyMap());
- }
-
- /**
- * @param wrappingKey
- * The key used to wrap/encrypt the symmetric record key. (May be the same as the
- * unwrappingKey.)
- * @param unwrappingKey
- * The key used to unwrap/decrypt the symmetric record key. (May be the same as the
- * wrappingKey.) If null, then this provider may only be used for
- * decryption, but not encryption.
- * @param signingPair
- * the keypair used to sign/verify the data stored in Dynamo. If only the public key
- * is provided, then this provider may only be used for decryption, but not
- * encryption.
- * @param description
- * description the value to be returned by
- * {@link CryptographicMaterials#getMaterialDescription()} for any
- * {@link CryptographicMaterials} returned by this object.
- */
- public WrappedMaterialsProvider(Key wrappingKey, Key unwrappingKey, KeyPair signingPair, Map description) {
- this.wrappingKey = wrappingKey;
- this.unwrappingKey = unwrappingKey;
- this.sigPair = signingPair;
- this.macKey = null;
- this.description = Collections.unmodifiableMap(new HashMap<>(description));
- }
-
- /**
- * @param wrappingKey
- * The key used to wrap/encrypt the symmetric record key. (May be the same as the
- * unwrappingKey.)
- * @param unwrappingKey
- * The key used to unwrap/decrypt the symmetric record key. (May be the same as the
- * wrappingKey.) If null, then this provider may only be used for
- * decryption, but not encryption.
- * @param macKey
- * the key used to sign/verify the data stored in Dynamo.
- */
- public WrappedMaterialsProvider(Key wrappingKey, Key unwrappingKey, SecretKey macKey) {
- this(wrappingKey, unwrappingKey, macKey, Collections.emptyMap());
- }
-
- /**
- * @param wrappingKey
- * The key used to wrap/encrypt the symmetric record key. (May be the same as the
- * unwrappingKey.)
- * @param unwrappingKey
- * The key used to unwrap/decrypt the symmetric record key. (May be the same as the
- * wrappingKey.) If null, then this provider may only be used for
- * decryption, but not encryption.
- * @param macKey
- * the key used to sign/verify the data stored in Dynamo.
- * @param description
- * description the value to be returned by
- * {@link CryptographicMaterials#getMaterialDescription()} for any
- * {@link CryptographicMaterials} returned by this object.
- */
- public WrappedMaterialsProvider(Key wrappingKey, Key unwrappingKey, SecretKey macKey, Map description) {
- this.wrappingKey = wrappingKey;
- this.unwrappingKey = unwrappingKey;
- this.sigPair = null;
- this.macKey = macKey;
- this.description = Collections.unmodifiableMap(new HashMap<>(description));
- }
-
- @Override
- public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
- try {
- if (macKey != null) {
- return new WrappedRawMaterials(wrappingKey, unwrappingKey, macKey, context.getMaterialDescription());
- } else {
- return new WrappedRawMaterials(wrappingKey, unwrappingKey, sigPair, context.getMaterialDescription());
- }
- } catch (GeneralSecurityException ex) {
- throw new DynamoDbEncryptionException("Unable to decrypt envelope key", ex);
- }
- }
-
- @Override
- public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
- try {
- if (macKey != null) {
- return new WrappedRawMaterials(wrappingKey, unwrappingKey, macKey, description);
- } else {
- return new WrappedRawMaterials(wrappingKey, unwrappingKey, sigPair, description);
- }
- } catch (GeneralSecurityException ex) {
- throw new DynamoDbEncryptionException("Unable to encrypt envelope key", ex);
- }
- }
-
- @Override
- public void refresh() {
- // Do nothing
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/store/MetaStore.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/store/MetaStore.java
deleted file mode 100644
index 9bc50036..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/store/MetaStore.java
+++ /dev/null
@@ -1,432 +0,0 @@
-/*
- * Copyright 2015-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except
- * in compliance with the License. A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.store;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.function.Function;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import java.util.stream.Collectors;
-
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import software.amazon.awssdk.core.SdkBytes;
-import software.amazon.awssdk.core.exception.SdkClientException;
-import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
-import software.amazon.awssdk.services.dynamodb.model.AttributeDefinition;
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-import software.amazon.awssdk.services.dynamodb.model.ComparisonOperator;
-import software.amazon.awssdk.services.dynamodb.model.Condition;
-import software.amazon.awssdk.services.dynamodb.model.ConditionalCheckFailedException;
-import software.amazon.awssdk.services.dynamodb.model.CreateTableRequest;
-import software.amazon.awssdk.services.dynamodb.model.CreateTableResponse;
-import software.amazon.awssdk.services.dynamodb.model.ExpectedAttributeValue;
-import software.amazon.awssdk.services.dynamodb.model.GetItemRequest;
-import software.amazon.awssdk.services.dynamodb.model.KeySchemaElement;
-import software.amazon.awssdk.services.dynamodb.model.KeyType;
-import software.amazon.awssdk.services.dynamodb.model.ProvisionedThroughput;
-import software.amazon.awssdk.services.dynamodb.model.PutItemRequest;
-import software.amazon.awssdk.services.dynamodb.model.QueryRequest;
-import software.amazon.awssdk.services.dynamodb.model.ScalarAttributeType;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.DynamoDbEncryptionConfiguration;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.EncryptionAction;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.DynamoDbEncryptor;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.EncryptionMaterialsProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.WrappedMaterialsProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Utils;
-
-
-/**
- * Provides a simple collection of EncryptionMaterialProviders backed by an encrypted DynamoDB
- * table. This can be used to build key hierarchies or meta providers.
- *
- * Currently, this only supports AES-256 in AESWrap mode and HmacSHA256 for the providers persisted
- * in the table.
- *
- * @author rubin
- */
-public class MetaStore extends ProviderStore {
- private static final String INTEGRITY_ALGORITHM_FIELD = "intAlg";
- private static final String INTEGRITY_KEY_FIELD = "int";
- private static final String ENCRYPTION_ALGORITHM_FIELD = "encAlg";
- private static final String ENCRYPTION_KEY_FIELD = "enc";
- private static final Pattern COMBINED_PATTERN = Pattern.compile("([^#]+)#(\\d*)");
- private static final String DEFAULT_INTEGRITY = "HmacSHA256";
- private static final String DEFAULT_ENCRYPTION = "AES";
- private static final String MATERIAL_TYPE_VERSION = "t";
- private static final String META_ID = "amzn-ddb-meta-id";
-
- private static final String DEFAULT_HASH_KEY = "N";
- private static final String DEFAULT_RANGE_KEY = "V";
-
- /** Default no-op implementation of {@link ExtraDataSupplier}. */
- private static final EmptyExtraDataSupplier EMPTY_EXTRA_DATA_SUPPLIER
- = new EmptyExtraDataSupplier();
-
- /** DDB fields that must be encrypted. */
- private static final Set ENCRYPTED_FIELDS;
- static {
- final Set tempEncryptedFields = new HashSet<>();
- tempEncryptedFields.add(MATERIAL_TYPE_VERSION);
- tempEncryptedFields.add(ENCRYPTION_KEY_FIELD);
- tempEncryptedFields.add(ENCRYPTION_ALGORITHM_FIELD);
- tempEncryptedFields.add(INTEGRITY_KEY_FIELD);
- tempEncryptedFields.add(INTEGRITY_ALGORITHM_FIELD);
- ENCRYPTED_FIELDS = tempEncryptedFields;
- }
-
- private final Map doesNotExist;
- private final DynamoDbEncryptionConfiguration encryptionConfiguration;
- private final String tableName;
- private final DynamoDbClient ddb;
- private final DynamoDbEncryptor encryptor;
- private final ExtraDataSupplier extraDataSupplier;
-
- /**
- * Provides extra data that should be persisted along with the standard material data.
- */
- public interface ExtraDataSupplier {
-
- /**
- * Gets the extra data attributes for the specified material name.
- *
- * @param materialName material name.
- * @param version version number.
- * @return plain text of the extra data.
- */
- Map getAttributes(final String materialName, final long version);
-
- /**
- * Gets the extra data field names that should be signed only but not encrypted.
- *
- * @return signed only fields.
- */
- Set getSignedOnlyFieldNames();
- }
-
- /**
- * Create a new MetaStore with specified table name.
- *
- * @param ddb Interface for accessing DynamoDB.
- * @param tableName DynamoDB table name for this {@link MetaStore}.
- * @param encryptor used to perform crypto operations on the record attributes.
- */
- public MetaStore(final DynamoDbClient ddb, final String tableName,
- final DynamoDbEncryptor encryptor) {
- this(ddb, tableName, encryptor, EMPTY_EXTRA_DATA_SUPPLIER);
- }
-
- /**
- * Create a new MetaStore with specified table name and extra data supplier.
- *
- * @param ddb Interface for accessing DynamoDB.
- * @param tableName DynamoDB table name for this {@link MetaStore}.
- * @param encryptor used to perform crypto operations on the record attributes
- * @param extraDataSupplier provides extra data that should be stored along with the material.
- */
- public MetaStore(final DynamoDbClient ddb, final String tableName,
- final DynamoDbEncryptor encryptor, final ExtraDataSupplier extraDataSupplier) {
- this.ddb = checkNotNull(ddb, "ddb must not be null");
- this.tableName = checkNotNull(tableName, "tableName must not be null");
- this.encryptor = checkNotNull(encryptor, "encryptor must not be null");
- this.extraDataSupplier = checkNotNull(extraDataSupplier, "extraDataSupplier must not be null");
-
- final Map tmpExpected = new HashMap<>();
- tmpExpected.put(DEFAULT_HASH_KEY, ExpectedAttributeValue.builder().exists(false).build());
- tmpExpected.put(DEFAULT_RANGE_KEY, ExpectedAttributeValue.builder().exists(false).build());
- doesNotExist = Collections.unmodifiableMap(tmpExpected);
-
- this.encryptionConfiguration = DynamoDbEncryptionConfiguration.builder()
- .encryptionContext(EncryptionContext.builder()
- .tableName(this.tableName)
- .hashKeyName(DEFAULT_HASH_KEY)
- .rangeKeyName(DEFAULT_RANGE_KEY)
- .build())
- // All fields default to ENCRYPT_AND_SIGN with 'sign only' fields being explicitly overridden
- .defaultEncryptionAction(EncryptionAction.ENCRYPT_AND_SIGN)
- .addEncryptionActionOverrides(getSignedOnlyFields(extraDataSupplier).stream()
- .collect(Collectors.toMap(Function.identity(),
- ignored -> EncryptionAction.SIGN_ONLY)))
- .build();
- ;
- }
-
- @Override
- public EncryptionMaterialsProvider getProvider(final String materialName, final long version) {
- final Map item = getMaterialItem(materialName, version);
- return decryptProvider(item);
- }
-
- @Override
- public EncryptionMaterialsProvider getOrCreate(final String materialName, final long nextId) {
- final Map plaintext = createMaterialItem(materialName, nextId);
- final Map ciphertext = conditionalPut(getEncryptedText(plaintext));
- return decryptProvider(ciphertext);
- }
-
- @Override
- public long getMaxVersion(final String materialName) {
-
- final List> items =
- ddb.query(
- QueryRequest.builder()
- .tableName(tableName)
- .consistentRead(Boolean.TRUE)
- .keyConditions(
- Collections.singletonMap(
- DEFAULT_HASH_KEY,
- Condition.builder()
- .comparisonOperator(ComparisonOperator.EQ)
- .attributeValueList(AttributeValue.builder().s(materialName).build())
- .build()))
- .limit(1)
- .scanIndexForward(false)
- .attributesToGet(DEFAULT_RANGE_KEY)
- .build())
- .items();
-
- if (items.isEmpty()) {
- return -1L;
- } else {
- return Long.parseLong(items.get(0).get(DEFAULT_RANGE_KEY).n());
- }
- }
-
- @Override
- public long getVersionFromMaterialDescription(final Map description) {
- final Matcher m = COMBINED_PATTERN.matcher(description.get(META_ID));
- if (m.matches()) {
- return Long.parseLong(m.group(2));
- } else {
- throw new IllegalArgumentException("No meta id found");
- }
- }
-
- /**
- * This API retrieves the intermediate keys from the source region and replicates it in the target region.
- *
- * @param materialName material name of the encryption material.
- * @param version version of the encryption material.
- * @param targetMetaStore target MetaStore where the encryption material to be stored.
- */
- public void replicate(final String materialName, final long version, final MetaStore targetMetaStore) {
- try {
- final Map item = getMaterialItem(materialName, version);
-
- final Map plainText = getPlainText(item);
- final Map encryptedText = targetMetaStore.getEncryptedText(plainText);
- final PutItemRequest put = PutItemRequest.builder()
- .tableName(targetMetaStore.tableName)
- .item(encryptedText)
- .expected(doesNotExist)
- .build();
- targetMetaStore.ddb.putItem(put);
- } catch (ConditionalCheckFailedException e) {
- //Item already present.
- }
- }
-
- /**
- * Creates a DynamoDB Table with the correct properties to be used with a ProviderStore.
- *
- * @param ddb interface for accessing DynamoDB
- * @param tableName name of table that stores the meta data of the material.
- * @param provisionedThroughput required provisioned throughput of the this table.
- * @return result of create table request.
- */
- public static CreateTableResponse createTable(final DynamoDbClient ddb, final String tableName,
- final ProvisionedThroughput provisionedThroughput) {
- return ddb.createTable(
- CreateTableRequest.builder()
- .tableName(tableName)
- .attributeDefinitions(Arrays.asList(
- AttributeDefinition.builder()
- .attributeName(DEFAULT_HASH_KEY)
- .attributeType(ScalarAttributeType.S)
- .build(),
- AttributeDefinition.builder()
- .attributeName(DEFAULT_RANGE_KEY)
- .attributeType(ScalarAttributeType.N).build()))
- .keySchema(Arrays.asList(
- KeySchemaElement.builder()
- .attributeName(DEFAULT_HASH_KEY)
- .keyType(KeyType.HASH)
- .build(),
- KeySchemaElement.builder()
- .attributeName(DEFAULT_RANGE_KEY)
- .keyType(KeyType.RANGE)
- .build()))
- .provisionedThroughput(provisionedThroughput).build());
- }
-
- private Map getMaterialItem(final String materialName, final long version) {
- final Map ddbKey = new HashMap<>();
- ddbKey.put(DEFAULT_HASH_KEY, AttributeValue.builder().s(materialName).build());
- ddbKey.put(DEFAULT_RANGE_KEY, AttributeValue.builder().n(Long.toString(version)).build());
- final Map item = ddbGet(ddbKey);
- if (item == null || item.isEmpty()) {
- throw new IndexOutOfBoundsException("No material found: " + materialName + "#" + version);
- }
- return item;
- }
-
-
- /**
- * Empty extra data supplier. This default class is intended to simplify the default
- * implementation of {@link MetaStore}.
- */
- private static class EmptyExtraDataSupplier implements ExtraDataSupplier {
- @Override
- public Map getAttributes(String materialName, long version) {
- return Collections.emptyMap();
- }
-
- @Override
- public Set getSignedOnlyFieldNames() {
- return Collections.emptySet();
- }
- }
-
- /**
- * Get a set of fields that must be signed but not encrypted.
- *
- * @param extraDataSupplier extra data supplier that is used to return sign only field names.
- * @return fields that must be signed.
- */
- private static Set getSignedOnlyFields(final ExtraDataSupplier extraDataSupplier) {
- final Set signedOnlyFields = extraDataSupplier.getSignedOnlyFieldNames();
- for (final String signedOnlyField : signedOnlyFields) {
- if (ENCRYPTED_FIELDS.contains(signedOnlyField)) {
- throw new IllegalArgumentException(signedOnlyField + " must be encrypted");
- }
- }
-
- // fields that should not be encrypted
- final Set doNotEncryptFields = new HashSet<>();
- doNotEncryptFields.add(DEFAULT_HASH_KEY);
- doNotEncryptFields.add(DEFAULT_RANGE_KEY);
- doNotEncryptFields.addAll(signedOnlyFields);
- return Collections.unmodifiableSet(doNotEncryptFields);
- }
-
- private Map conditionalPut(final Map item) {
- try {
- final PutItemRequest put = PutItemRequest.builder().tableName(tableName).item(item)
- .expected(doesNotExist).build();
- ddb.putItem(put);
- return item;
- } catch (final ConditionalCheckFailedException ex) {
- final Map ddbKey = new HashMap<>();
- ddbKey.put(DEFAULT_HASH_KEY, item.get(DEFAULT_HASH_KEY));
- ddbKey.put(DEFAULT_RANGE_KEY, item.get(DEFAULT_RANGE_KEY));
- return ddbGet(ddbKey);
- }
- }
-
- private Map ddbGet(final Map ddbKey) {
- return ddb.getItem(
- GetItemRequest.builder().tableName(tableName).consistentRead(true)
- .key(ddbKey).build()).item();
- }
-
- /**
- * Build an material item for a given material name and version with newly generated
- * encryption and integrity keys.
- *
- * @param materialName material name.
- * @param version version of the material.
- * @return newly generated plaintext material item.
- */
- private Map createMaterialItem(final String materialName, final long version) {
- final SecretKeySpec encryptionKey = new SecretKeySpec(Utils.getRandom(32), DEFAULT_ENCRYPTION);
- final SecretKeySpec integrityKey = new SecretKeySpec(Utils.getRandom(32), DEFAULT_INTEGRITY);
-
- final Map plaintext = new HashMap<>();
- plaintext.put(DEFAULT_HASH_KEY, AttributeValue.builder().s(materialName).build());
- plaintext.put(DEFAULT_RANGE_KEY, AttributeValue.builder().n(Long.toString(version)).build());
- plaintext.put(MATERIAL_TYPE_VERSION, AttributeValue.builder().s("0").build());
- plaintext.put(ENCRYPTION_KEY_FIELD,
- AttributeValue.builder().b(SdkBytes.fromByteArray(encryptionKey.getEncoded())).build());
- plaintext.put(ENCRYPTION_ALGORITHM_FIELD, AttributeValue.builder().s(encryptionKey.getAlgorithm()).build());
- plaintext.put(INTEGRITY_KEY_FIELD,
- AttributeValue.builder().b(SdkBytes.fromByteArray(integrityKey.getEncoded())).build());
- plaintext.put(INTEGRITY_ALGORITHM_FIELD, AttributeValue.builder().s(integrityKey.getAlgorithm()).build());
- plaintext.putAll(extraDataSupplier.getAttributes(materialName, version));
-
- return plaintext;
- }
-
- private EncryptionMaterialsProvider decryptProvider(final Map item) {
- final Map plaintext = getPlainText(item);
-
- final String type = plaintext.get(MATERIAL_TYPE_VERSION).s();
- final SecretKey encryptionKey;
- final SecretKey integrityKey;
- // This switch statement is to make future extensibility easier and more obvious
- switch (type) {
- case "0": // Only currently supported type
- encryptionKey = new SecretKeySpec(plaintext.get(ENCRYPTION_KEY_FIELD).b().asByteArray(),
- plaintext.get(ENCRYPTION_ALGORITHM_FIELD).s());
- integrityKey = new SecretKeySpec(plaintext.get(INTEGRITY_KEY_FIELD).b().asByteArray(), plaintext
- .get(INTEGRITY_ALGORITHM_FIELD).s());
- break;
- default:
- throw new IllegalStateException("Unsupported material type: " + type);
- }
- return new WrappedMaterialsProvider(encryptionKey, encryptionKey, integrityKey,
- buildDescription(plaintext));
- }
-
- /**
- * Decrypts attributes in the ciphertext item using {@link DynamoDbEncryptor}.
- * except the attribute names specified in doNotEncrypt.
- * @param ciphertext the ciphertext to be decrypted.
- * @throws SdkClientException when failed to decrypt material item.
- * @return decrypted item.
- */
- private Map getPlainText(final Map ciphertext) {
- return encryptor.decryptRecord(ciphertext, this.encryptionConfiguration);
- }
-
- /**
- * Encrypts attributes in the plaintext item using {@link DynamoDbEncryptor}.
- * except the attribute names specified in doNotEncrypt.
- *
- * @throws SdkClientException when failed to encrypt material item.
- * @param plaintext plaintext to be encrypted.
- */
- private Map getEncryptedText(Map plaintext) {
- return encryptor.encryptRecord(plaintext, this.encryptionConfiguration);
- }
-
- private Map buildDescription(final Map plaintext) {
- return Collections.singletonMap(META_ID, plaintext.get(DEFAULT_HASH_KEY).s() + "#"
- + plaintext.get(DEFAULT_RANGE_KEY).n());
- }
-
- private static V checkNotNull(final V ref, final String errMsg) {
- if (ref == null) {
- throw new NullPointerException(errMsg);
- } else {
- return ref;
- }
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/store/ProviderStore.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/store/ProviderStore.java
deleted file mode 100644
index a29fe9b3..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/store/ProviderStore.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright 2015-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except
- * in compliance with the License. A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.store;
-
-import java.util.Map;
-
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.EncryptionMaterialsProvider;
-
-/**
- * Provides a standard way to retrieve and optionally create {@link EncryptionMaterialsProvider}s
- * backed by some form of persistent storage.
- *
- * @author rubin
- *
- */
-public abstract class ProviderStore {
-
- /**
- * Returns the most recent provider with the specified name. If there are no providers with this
- * name, it will create one with version 0.
- */
- public EncryptionMaterialsProvider getProvider(final String materialName) {
- final long currVersion = getMaxVersion(materialName);
- if (currVersion >= 0) {
- return getProvider(materialName, currVersion);
- } else {
- return getOrCreate(materialName, 0);
- }
- }
-
- /**
- * Returns the provider with the specified name and version.
- *
- * @throws IndexOutOfBoundsException
- * if {@code version} is not a valid version
- */
- public abstract EncryptionMaterialsProvider getProvider(final String materialName, final long version);
-
- /**
- * Creates a new provider with a version one greater than the current max version. If multiple
- * clients attempt to create a provider with this same version simultaneously, they will
- * properly coordinate and the result will be that a single provider is created and that all
- * ProviderStores return the same one.
- */
- public EncryptionMaterialsProvider newProvider(final String materialName) {
- final long nextId = getMaxVersion(materialName) + 1;
- return getOrCreate(materialName, nextId);
- }
-
- /**
- * Returns the provider with the specified name and version and creates it if it doesn't exist.
- *
- * @throws UnsupportedOperationException
- * if a new provider cannot be created
- */
- public EncryptionMaterialsProvider getOrCreate(final String materialName, final long nextId) {
- try {
- return getProvider(materialName, nextId);
- } catch (final IndexOutOfBoundsException ex) {
- throw new UnsupportedOperationException("This ProviderStore does not support creation.", ex);
- }
- }
-
- /**
- * Returns the maximum version number associated with {@code materialName}. If there are no
- * versions, returns -1.
- */
- public abstract long getMaxVersion(final String materialName);
-
- /**
- * Extracts the material version from {@code description}.
- */
- public abstract long getVersionFromMaterialDescription(final Map description);
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/AttributeValueMarshaller.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/AttributeValueMarshaller.java
deleted file mode 100644
index e9348af0..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/AttributeValueMarshaller.java
+++ /dev/null
@@ -1,331 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.internal;
-
-import java.io.ByteArrayOutputStream;
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
-import java.io.IOException;
-import java.math.BigDecimal;
-import java.nio.ByteBuffer;
-import java.nio.charset.Charset;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
-
-import software.amazon.awssdk.core.BytesWrapper;
-import software.amazon.awssdk.core.SdkBytes;
-import software.amazon.awssdk.core.util.DefaultSdkAutoConstructList;
-import software.amazon.awssdk.core.util.DefaultSdkAutoConstructMap;
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-
-
-/**
- * @author Greg Rubin
- */
-public class AttributeValueMarshaller {
- private static final Charset UTF8 = Charset.forName("UTF-8");
- private static final int TRUE_FLAG = 1;
- private static final int FALSE_FLAG = 0;
-
- private AttributeValueMarshaller() {
- // Prevent instantiation
- }
-
- /**
- * Marshalls the data using a TLV (Tag-Length-Value) encoding. The tag may be 'b', 'n', 's',
- * '?', '\0' to represent a ByteBuffer, Number, String, Boolean, or Null respectively. The tag
- * may also be capitalized (for 'b', 'n', and 's',) to represent an array of that type. If an
- * array is stored, then a four-byte big-endian integer is written representing the number of
- * array elements. If a ByteBuffer is stored, the length of the buffer is stored as a four-byte
- * big-endian integer and the buffer then copied directly. Both Numbers and Strings are treated
- * identically and are stored as UTF8 encoded Unicode, proceeded by the length of the encoded
- * string (in bytes) as a four-byte big-endian integer. Boolean is encoded as a single byte, 0
- * for false and 1 for true (and so has no Length parameter). The
- * Null tag ('\0') takes neither a Length nor a Value parameter.
- *
- * The tags 'L' and 'M' are for the document types List and Map respectively. These are encoded
- * recursively with the Length being the size of the collection. In the case of List, the value
- * is a Length number of marshalled AttributeValues. If the case of Map, the value is a Length
- * number of AttributeValue Pairs where the first must always have a String value.
- *
- * This implementation does not recognize loops. If an AttributeValue contains itself
- * (even indirectly) this code will recurse infinitely.
- *
- * @param attributeValue an AttributeValue instance
- * @return the serialized AttributeValue
- * @see java.io.DataInput
- */
- public static ByteBuffer marshall(final AttributeValue attributeValue) {
- try (ByteArrayOutputStream resultBytes = new ByteArrayOutputStream();
- DataOutputStream out = new DataOutputStream(resultBytes);) {
- marshall(attributeValue, out);
- out.close();
- resultBytes.close();
- return ByteBuffer.wrap(resultBytes.toByteArray());
- } catch (final IOException ex) {
- // Due to the objects in use, an IOException is not possible.
- throw new RuntimeException("Unexpected exception", ex);
- }
- }
-
- private static void marshall(final AttributeValue attributeValue, final DataOutputStream out)
- throws IOException {
-
- if (attributeValue.b() != null) {
- out.writeChar('b');
- writeBytes(attributeValue.b().asByteBuffer(), out);
- } else if (hasAttributeValueSet(attributeValue.bs())) {
- out.writeChar('B');
- writeBytesList(attributeValue.bs().stream()
- .map(BytesWrapper::asByteBuffer).collect(Collectors.toList()), out);
- } else if (attributeValue.n() != null) {
- out.writeChar('n');
- writeString(trimZeros(attributeValue.n()), out);
- } else if (hasAttributeValueSet(attributeValue.ns())) {
- out.writeChar('N');
-
- final List ns = new ArrayList<>(attributeValue.ns().size());
- for (final String n : attributeValue.ns()) {
- ns.add(trimZeros(n));
- }
- writeStringList(ns, out);
- } else if (attributeValue.s() != null) {
- out.writeChar('s');
- writeString(attributeValue.s(), out);
- } else if (hasAttributeValueSet(attributeValue.ss())) {
- out.writeChar('S');
- writeStringList(attributeValue.ss(), out);
- } else if (attributeValue.bool() != null) {
- out.writeChar('?');
- out.writeByte((attributeValue.bool() ? TRUE_FLAG : FALSE_FLAG));
- } else if (Boolean.TRUE.equals(attributeValue.nul())) {
- out.writeChar('\0');
- } else if (hasAttributeValueSet(attributeValue.l())) {
- final List l = attributeValue.l();
- out.writeChar('L');
- out.writeInt(l.size());
- for (final AttributeValue attr : l) {
- if (attr == null) {
- throw new NullPointerException(
- "Encountered null list entry value while marshalling attribute value "
- + attributeValue);
- }
- marshall(attr, out);
- }
- } else if (hasAttributeValueMap(attributeValue.m())) {
- final Map m = attributeValue.m();
- final List mKeys = new ArrayList<>(m.keySet());
- Collections.sort(mKeys);
- out.writeChar('M');
- out.writeInt(m.size());
- for (final String mKey : mKeys) {
- marshall(AttributeValue.builder().s(mKey).build(), out);
-
- final AttributeValue mValue = m.get(mKey);
-
- if (mValue == null) {
- throw new NullPointerException(
- "Encountered null map value for key "
- + mKey
- + " while marshalling attribute value "
- + attributeValue);
- }
- marshall(mValue, out);
- }
- } else {
- throw new IllegalArgumentException("A seemingly empty AttributeValue is indicative of invalid input or potential errors");
- }
- }
-
- /**
- * @see #marshall(AttributeValue)
- */
- public static AttributeValue unmarshall(final ByteBuffer plainText) {
- try (final DataInputStream in = new DataInputStream(
- new ByteBufferInputStream(plainText.asReadOnlyBuffer()))) {
- return unmarshall(in);
- } catch (IOException ex) {
- // Due to the objects in use, an IOException is not possible.
- throw new RuntimeException("Unexpected exception", ex);
- }
- }
-
- private static AttributeValue unmarshall(final DataInputStream in) throws IOException {
- char type = in.readChar();
- AttributeValue.Builder result = AttributeValue.builder();
- switch (type) {
- case '\0':
- result.nul(Boolean.TRUE);
- break;
- case 'b':
- result.b(SdkBytes.fromByteBuffer(readBytes(in)));
- break;
- case 'B':
- result.bs(readBytesList(in).stream().map(SdkBytes::fromByteBuffer).collect(Collectors.toList()));
- break;
- case 'n':
- result.n(readString(in));
- break;
- case 'N':
- result.ns(readStringList(in));
- break;
- case 's':
- result.s(readString(in));
- break;
- case 'S':
- result.ss(readStringList(in));
- break;
- case '?':
- final byte boolValue = in.readByte();
-
- if (boolValue == TRUE_FLAG) {
- result.bool(Boolean.TRUE);
- } else if (boolValue == FALSE_FLAG) {
- result.bool(Boolean.FALSE);
- } else {
- throw new IllegalArgumentException("Improperly formatted data");
- }
- break;
- case 'L':
- final int lCount = in.readInt();
- final List l = new ArrayList<>(lCount);
- for (int lIdx = 0; lIdx < lCount; lIdx++) {
- l.add(unmarshall(in));
- }
- result.l(l);
- break;
- case 'M':
- final int mCount = in.readInt();
- final Map m = new HashMap<>();
- for (int mIdx = 0; mIdx < mCount; mIdx++) {
- final AttributeValue key = unmarshall(in);
- if (key.s() == null) {
- throw new IllegalArgumentException("Improperly formatted data");
- }
- AttributeValue value = unmarshall(in);
- m.put(key.s(), value);
- }
- result.m(m);
- break;
- default:
- throw new IllegalArgumentException("Unsupported data encoding");
- }
-
- return result.build();
- }
-
- private static String trimZeros(final String n) {
- BigDecimal number = new BigDecimal(n);
- if (number.compareTo(BigDecimal.ZERO) == 0) {
- return "0";
- }
- return number.stripTrailingZeros().toPlainString();
- }
-
- private static void writeStringList(List values, final DataOutputStream out) throws IOException {
- final List sorted = new ArrayList<>(values);
- Collections.sort(sorted);
- out.writeInt(sorted.size());
- for (final String v : sorted) {
- writeString(v, out);
- }
- }
-
- private static List readStringList(final DataInputStream in) throws IOException,
- IllegalArgumentException {
- final int nCount = in.readInt();
- List ns = new ArrayList<>(nCount);
- for (int nIdx = 0; nIdx < nCount; nIdx++) {
- ns.add(readString(in));
- }
- return ns;
- }
-
- private static void writeString(String value, final DataOutputStream out) throws IOException {
- final byte[] bytes = value.getBytes(UTF8);
- out.writeInt(bytes.length);
- out.write(bytes);
- }
-
- private static String readString(final DataInputStream in) throws IOException,
- IllegalArgumentException {
- byte[] bytes;
- int length;
- length = in.readInt();
- bytes = new byte[length];
- if(in.read(bytes) != length) {
- throw new IllegalArgumentException("Improperly formatted data");
- }
- return new String(bytes, UTF8);
- }
-
- private static void writeBytesList(List values, final DataOutputStream out) throws IOException {
- final List sorted = new ArrayList<>(values);
- Collections.sort(sorted);
- out.writeInt(sorted.size());
- for (final ByteBuffer v : sorted) {
- writeBytes(v, out);
- }
- }
-
- private static List readBytesList(final DataInputStream in) throws IOException {
- final int bCount = in.readInt();
- List bs = new ArrayList<>(bCount);
- for (int bIdx = 0; bIdx < bCount; bIdx++) {
- bs.add(readBytes(in));
- }
- return bs;
- }
-
- private static void writeBytes(ByteBuffer value, final DataOutputStream out) throws IOException {
- value = value.asReadOnlyBuffer();
- value.rewind();
- out.writeInt(value.remaining());
- while (value.hasRemaining()) {
- out.writeByte(value.get());
- }
- }
-
- private static ByteBuffer readBytes(final DataInputStream in) throws IOException {
- final int length = in.readInt();
- final byte[] buf = new byte[length];
- in.readFully(buf);
- return ByteBuffer.wrap(buf);
- }
-
- /**
- * Determines if the value of a 'set' type AttributeValue (various S types) has been explicitly set or not.
- * @param value the actual value portion of an AttributeValue of the appropriate type
- * @return true if the value of this type field has been explicitly set, false if it has not
- */
- private static boolean hasAttributeValueSet(Collection value) {
- return value != null && value != DefaultSdkAutoConstructList.getInstance();
- }
-
- /**
- * Determines if the value of a 'map' type AttributeValue (M type) has been explicitly set or not.
- * @param value the actual value portion of a AttributeValue of the appropriate type
- * @return true if the value of this type field has been explicitly set, false if it has not
- */
- private static boolean hasAttributeValueMap(Map value) {
- return value != null && value != DefaultSdkAutoConstructMap.getInstance();
- }
-
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Base64.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Base64.java
deleted file mode 100644
index ee94a86a..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Base64.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.internal;
-
-import static java.util.Base64.*;
-
-/**
- * A class for decoding Base64 strings and encoding bytes as Base64 strings.
- */
-public class Base64 {
- private static final Decoder DECODER = getMimeDecoder();
- private static final Encoder ENCODER = getEncoder();
-
- private Base64() { }
-
- /**
- * Encode the bytes as a Base64 string.
- *
- * See the Basic encoder in {@link java.util.Base64}
- */
- public static String encodeToString(byte[] bytes) {
- return ENCODER.encodeToString(bytes);
- }
-
- /**
- * Decode the Base64 string as bytes, ignoring illegal characters.
- *
- * See the Mime Decoder in {@link java.util.Base64}
- */
- public static byte[] decode(String str) {
- if(str == null) {
- return null;
- }
- return DECODER.decode(str);
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/ByteBufferInputStream.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/ByteBufferInputStream.java
deleted file mode 100644
index ff703068..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/ByteBufferInputStream.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.internal;
-
-import java.io.InputStream;
-import java.nio.ByteBuffer;
-
-/**
- * @author Greg Rubin
- */
-public class ByteBufferInputStream extends InputStream {
- private final ByteBuffer buffer;
-
- public ByteBufferInputStream(ByteBuffer buffer) {
- this.buffer = buffer;
- }
-
- @Override
- public int read() {
- if (buffer.hasRemaining()) {
- int tmp = buffer.get();
- if (tmp < 0) {
- tmp += 256;
- }
- return tmp;
- } else {
- return -1;
- }
- }
-
- @Override
- public int read(byte[] b, int off, int len) {
- if (available() < len) {
- len = available();
- }
- buffer.get(b, off, len);
- return len;
- }
-
- @Override
- public int available() {
- return buffer.remaining();
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Hkdf.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Hkdf.java
deleted file mode 100644
index 15422aaa..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Hkdf.java
+++ /dev/null
@@ -1,316 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.internal;
-
-import java.nio.charset.StandardCharsets;
-import java.security.GeneralSecurityException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.Provider;
-import java.util.Arrays;
-
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.ShortBufferException;
-import javax.crypto.spec.SecretKeySpec;
-
-/**
- * HMAC-based Key Derivation Function.
- *
- * @see RFC 5869
- */
-public final class Hkdf {
- private static final byte[] EMPTY_ARRAY = new byte[0];
- private final String algorithm;
- private final Provider provider;
-
- private SecretKey prk = null;
-
- /**
- * Returns an Hkdf object using the specified algorithm.
- *
- * @param algorithm
- * the standard name of the requested MAC algorithm. See the Mac
- * section in the Java Cryptography Architecture Standard Algorithm Name
- * Documentation for information about standard algorithm
- * names.
- * @return the new Hkdf object
- * @throws NoSuchAlgorithmException
- * if no Provider supports a MacSpi implementation for the
- * specified algorithm.
- */
- public static Hkdf getInstance(final String algorithm)
- throws NoSuchAlgorithmException {
- // Constructed specifically to sanity-test arguments.
- Mac mac = Mac.getInstance(algorithm);
- return new Hkdf(algorithm, mac.getProvider());
- }
-
- /**
- * Returns an Hkdf object using the specified algorithm.
- *
- * @param algorithm
- * the standard name of the requested MAC algorithm. See the Mac
- * section in the Java Cryptography Architecture Standard Algorithm Name
- * Documentation for information about standard algorithm
- * names.
- * @param provider
- * the name of the provider
- * @return the new Hkdf object
- * @throws NoSuchAlgorithmException
- * if a MacSpi implementation for the specified algorithm is not
- * available from the specified provider.
- * @throws NoSuchProviderException
- * if the specified provider is not registered in the security
- * provider list.
- */
- public static Hkdf getInstance(final String algorithm, final String provider)
- throws NoSuchAlgorithmException, NoSuchProviderException {
- // Constructed specifically to sanity-test arguments.
- Mac mac = Mac.getInstance(algorithm, provider);
- return new Hkdf(algorithm, mac.getProvider());
- }
-
- /**
- * Returns an Hkdf object using the specified algorithm.
- *
- * @param algorithm
- * the standard name of the requested MAC algorithm. See the Mac
- * section in the Java Cryptography Architecture Standard Algorithm Name
- * Documentation for information about standard algorithm
- * names.
- * @param provider
- * the provider
- * @return the new Hkdf object
- * @throws NoSuchAlgorithmException
- * if a MacSpi implementation for the specified algorithm is not
- * available from the specified provider.
- */
- public static Hkdf getInstance(final String algorithm,
- final Provider provider) throws NoSuchAlgorithmException {
- // Constructed specifically to sanity-test arguments.
- Mac mac = Mac.getInstance(algorithm, provider);
- return new Hkdf(algorithm, mac.getProvider());
- }
-
- /**
- * Initializes this Hkdf with input keying material. A default salt of
- * HashLen zeros will be used (where HashLen is the length of the return
- * value of the supplied algorithm).
- *
- * @param ikm
- * the Input Keying Material
- */
- public void init(final byte[] ikm) {
- init(ikm, null);
- }
-
- /**
- * Initializes this Hkdf with input keying material and a salt. If
- * salt is null or of length 0, then a default salt of
- * HashLen zeros will be used (where HashLen is the length of the return
- * value of the supplied algorithm).
- *
- * @param salt
- * the salt used for key extraction (optional)
- * @param ikm
- * the Input Keying Material
- */
- public void init(final byte[] ikm, final byte[] salt) {
- byte[] realSalt = (salt == null) ? EMPTY_ARRAY : salt.clone();
- byte[] rawKeyMaterial = EMPTY_ARRAY;
- try {
- Mac extractionMac = Mac.getInstance(algorithm, provider);
- if (realSalt.length == 0) {
- realSalt = new byte[extractionMac.getMacLength()];
- Arrays.fill(realSalt, (byte) 0);
- }
- extractionMac.init(new SecretKeySpec(realSalt, algorithm));
- rawKeyMaterial = extractionMac.doFinal(ikm);
- SecretKeySpec key = new SecretKeySpec(rawKeyMaterial, algorithm);
- Arrays.fill(rawKeyMaterial, (byte) 0); // Zeroize temporary array
- unsafeInitWithoutKeyExtraction(key);
- } catch (GeneralSecurityException e) {
- // We've already checked all of the parameters so no exceptions
- // should be possible here.
- throw new RuntimeException("Unexpected exception", e);
- } finally {
- Arrays.fill(rawKeyMaterial, (byte) 0); // Zeroize temporary array
- }
- }
-
- /**
- * Initializes this Hkdf to use the provided key directly for creation of
- * new keys. If rawKey is not securely generated and uniformly
- * distributed over the total key-space, then this will result in an
- * insecure key derivation function (KDF). DO NOT USE THIS UNLESS YOU
- * ARE ABSOLUTELY POSITIVE THIS IS THE CORRECT THING TO DO.
- *
- * @param rawKey
- * the pseudorandom key directly used to derive keys
- * @throws InvalidKeyException
- * if the algorithm for rawKey does not match the
- * algorithm this Hkdf was created with
- */
- public void unsafeInitWithoutKeyExtraction(final SecretKey rawKey)
- throws InvalidKeyException {
- if (!rawKey.getAlgorithm().equals(algorithm)) {
- throw new InvalidKeyException(
- "Algorithm for the provided key must match the algorithm for this Hkdf. Expected " +
- algorithm + " but found " + rawKey.getAlgorithm());
- }
-
- this.prk = rawKey;
- }
-
- private Hkdf(final String algorithm, final Provider provider) {
- if (!algorithm.startsWith("Hmac")) {
- throw new IllegalArgumentException("Invalid algorithm " + algorithm
- + ". Hkdf may only be used with Hmac algorithms.");
- }
- this.algorithm = algorithm;
- this.provider = provider;
- }
-
- /**
- * Returns a pseudorandom key of length bytes.
- *
- * @param info
- * optional context and application specific information (can be
- * a zero-length string). This will be treated as UTF-8.
- * @param length
- * the length of the output key in bytes
- * @return a pseudorandom key of length bytes.
- * @throws IllegalStateException
- * if this object has not been initialized
- */
- public byte[] deriveKey(final String info, final int length) throws IllegalStateException {
- return deriveKey((info != null ? info.getBytes(StandardCharsets.UTF_8) : null), length);
- }
-
- /**
- * Returns a pseudorandom key of length bytes.
- *
- * @param info
- * optional context and application specific information (can be
- * a zero-length array).
- * @param length
- * the length of the output key in bytes
- * @return a pseudorandom key of length bytes.
- * @throws IllegalStateException
- * if this object has not been initialized
- */
- public byte[] deriveKey(final byte[] info, final int length) throws IllegalStateException {
- byte[] result = new byte[length];
- try {
- deriveKey(info, length, result, 0);
- } catch (ShortBufferException ex) {
- // This exception is impossible as we ensure the buffer is long
- // enough
- throw new RuntimeException(ex);
- }
- return result;
- }
-
- /**
- * Derives a pseudorandom key of length bytes and stores the
- * result in output.
- *
- * @param info
- * optional context and application specific information (can be
- * a zero-length array).
- * @param length
- * the length of the output key in bytes
- * @param output
- * the buffer where the pseudorandom key will be stored
- * @param offset
- * the offset in output where the key will be stored
- * @throws ShortBufferException
- * if the given output buffer is too small to hold the result
- * @throws IllegalStateException
- * if this object has not been initialized
- */
- public void deriveKey(final byte[] info, final int length,
- final byte[] output, final int offset) throws ShortBufferException,
- IllegalStateException {
- assertInitialized();
- if (length < 0) {
- throw new IllegalArgumentException("Length must be a non-negative value.");
- }
- if (output.length < offset + length) {
- throw new ShortBufferException();
- }
- Mac mac = createMac();
-
- if (length > 255 * mac.getMacLength()) {
- throw new IllegalArgumentException(
- "Requested keys may not be longer than 255 times the underlying HMAC length.");
- }
-
- byte[] t = EMPTY_ARRAY;
- try {
- int loc = 0;
- byte i = 1;
- while (loc < length) {
- mac.update(t);
- mac.update(info);
- mac.update(i);
- t = mac.doFinal();
-
- for (int x = 0; x < t.length && loc < length; x++, loc++) {
- output[loc] = t[x];
- }
-
- i++;
- }
- } finally {
- Arrays.fill(t, (byte) 0); // Zeroize temporary array
- }
- }
-
- private Mac createMac() {
- try {
- Mac mac = Mac.getInstance(algorithm, provider);
- mac.init(prk);
- return mac;
- } catch (NoSuchAlgorithmException ex) {
- // We've already validated that this algorithm is correct.
- throw new RuntimeException(ex);
- } catch (InvalidKeyException ex) {
- // We've already validated that this key is correct.
- throw new RuntimeException(ex);
- }
- }
-
- /**
- * Throws an IllegalStateException if this object has not been
- * initialized.
- *
- * @throws IllegalStateException
- * if this object has not been initialized
- */
- private void assertInitialized() throws IllegalStateException {
- if (prk == null) {
- throw new IllegalStateException("Hkdf has not been initialized");
- }
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/LRUCache.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/LRUCache.java
deleted file mode 100644
index 22a4d35e..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/LRUCache.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright 2015-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.internal;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import software.amazon.awssdk.annotations.ThreadSafe;
-
-/**
- * A bounded cache that has a LRU eviction policy when the cache is full.
- *
- * @param
- * value type
- */
-@ThreadSafe
-public final class LRUCache {
- /**
- * Used for the internal cache.
- */
- private final Map map;
- /**
- * Listener for cache entry eviction.
- */
- private final RemovalListener listener;
- /**
- * Maximum size of the cache.
- */
- private final int maxSize;
-
- /**
- * @param maxSize
- * the maximum number of entries of the cache
- * @param listener
- * object which is notified immediately prior to the removal of
- * any objects from the cache
- */
- public LRUCache(final int maxSize, final RemovalListener listener) {
- if (maxSize < 1) {
- throw new IllegalArgumentException("maxSize " + maxSize + " must be at least 1");
- }
- this.maxSize = maxSize;
- this.listener = listener;
- map = Collections.synchronizedMap(new LRUHashMap(maxSize, listener));
- }
-
- /**
- * @param maxSize
- * the maximum number of entries of the cache
- */
- public LRUCache(final int maxSize) {
- this(maxSize, null);
- }
-
- /**
- * Adds an entry to the cache, evicting the earliest entry if necessary.
- */
- public T add(final String key, final T value) {
- return map.put(key, value);
- }
-
- /** Returns the value of the given key; or null of no such entry exists. */
- public T get(final String key) {
- return map.get(key);
- }
-
- /**
- * Returns the current size of the cache.
- */
- public int size() {
- return map.size();
- }
-
- /**
- * Returns the maximum size of the cache.
- */
- public int getMaxSize() {
- return maxSize;
- }
-
- public void clear() {
- // The more complicated logic is to ensure that the listener is
- // actually called for all entries.
- if (listener != null) {
- List> removedEntries = new ArrayList>();
- synchronized (map) {
- Iterator> it = map.entrySet().iterator();
- while(it.hasNext()) {
- removedEntries.add(it.next());
- it.remove();
- }
- }
- for (Entry entry : removedEntries) {
- listener.onRemoval(entry);
- }
- } else {
- map.clear();
- }
- }
-
- @Override
- public String toString() {
- return map.toString();
- }
-
- @SuppressWarnings("serial")
- private static class LRUHashMap extends LinkedHashMap {
- private final int maxSize;
- private final RemovalListener listener;
-
- private LRUHashMap(final int maxSize, final RemovalListener listener) {
- super(10, 0.75F, true);
- this.maxSize = maxSize;
- this.listener = listener;
- }
-
- @Override
- protected boolean removeEldestEntry(final Entry eldest) {
- if (size() > maxSize) {
- if (listener != null) {
- listener.onRemoval(eldest);
- }
- return true;
- }
- return false;
- }
- }
-
- public interface RemovalListener {
- void onRemoval(Entry entry);
- }
-}
diff --git a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Utils.java b/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Utils.java
deleted file mode 100644
index 6d092cc0..00000000
--- a/sdk2/src/main/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/internal/Utils.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.internal;
-
-import java.security.SecureRandom;
-
-public class Utils {
- private static final ThreadLocal RND = ThreadLocal.withInitial(() -> {
- final SecureRandom result = new SecureRandom();
- result.nextBoolean(); // Force seeding
- return result;
- });
-
- private Utils() {
- // Prevent instantiation
- }
-
- public static SecureRandom getRng() {
- return RND.get();
- }
-
- public static byte[] getRandom(int len) {
- final byte[] result = new byte[len];
- getRng().nextBytes(result);
- return result;
- }
-}
diff --git a/sdk2/src/test/java/log4j.properties b/sdk2/src/test/java/log4j.properties
deleted file mode 100644
index ad0e4b0a..00000000
--- a/sdk2/src/test/java/log4j.properties
+++ /dev/null
@@ -1,13 +0,0 @@
-log4j.rootLogger=INFO, A1
-log4j.appender.A1=org.apache.log4j.ConsoleAppender
-log4j.appender.A1.layout=org.apache.log4j.PatternLayout
-
-# Print the date in ISO 8601 format
-log4j.appender.A1.layout.ConversionPattern=%d [%t] %-5p %c - %m%n
-
-# Adjust to see more / less logging
-#log4j.logger.httpclient.wire=TRACE
-log4j.logger.com.amazonaws=DEBUG
-
-# HttpClient 4 Wire Logging
-# log4j.logger.org.apache.http.wire=DEBUG
\ No newline at end of file
diff --git a/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedEncryptionTest.java b/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedEncryptionTest.java
deleted file mode 100644
index f11de383..00000000
--- a/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedEncryptionTest.java
+++ /dev/null
@@ -1,263 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-import static java.util.Arrays.asList;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.testng.AssertJUnit.assertEquals;
-import static org.testng.AssertJUnit.assertFalse;
-import static org.testng.AssertJUnit.assertNotNull;
-import static org.testng.AssertJUnit.assertNull;
-import static org.testng.AssertJUnit.assertTrue;
-
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-import javax.crypto.spec.SecretKeySpec;
-
-import org.testng.annotations.BeforeClass;
-import org.testng.annotations.BeforeMethod;
-import org.testng.annotations.Test;
-
-import software.amazon.awssdk.core.SdkBytes;
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.exceptions.DynamoDbEncryptionException;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.EncryptionMaterialsProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.SymmetricStaticProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Utils;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.testing.AttrMatcher;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.testing.EncryptionTestHelper;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.testing.TestDelegatedKey;
-
-public class DelegatedEncryptionTest {
- private static SecretKeySpec rawEncryptionKey;
- private static SecretKeySpec rawMacKey;
- private static DelegatedKey encryptionKey;
- private static DelegatedKey macKey;
-
- private EncryptionMaterialsProvider prov;
- private DynamoDbEncryptor encryptor;
- private Map attribs;
- private EncryptionContext context;
-
- @BeforeClass
- public static void setupClass() {
- rawEncryptionKey = new SecretKeySpec(Utils.getRandom(32), "AES");
- encryptionKey = new TestDelegatedKey(rawEncryptionKey);
-
- rawMacKey = new SecretKeySpec(Utils.getRandom(32), "HmacSHA256");
- macKey = new TestDelegatedKey(rawMacKey);
- }
-
- @BeforeMethod
- public void setUp() {
- prov = new SymmetricStaticProvider(encryptionKey, macKey,
- Collections.emptyMap());
- encryptor = new DynamoDbEncryptor(prov, "encryptor-");
-
- attribs = new HashMap<>();
- attribs.put("intValue", AttributeValue.builder().n("123").build());
- attribs.put("stringValue", AttributeValue.builder().s("Hello world!").build());
- attribs.put("byteArrayValue",
- AttributeValue.builder().b(SdkBytes.fromByteArray(new byte[] {0, 1, 2, 3, 4, 5})).build());
- attribs.put("stringSet", AttributeValue.builder().ss("Goodbye", "Cruel", "World", "?").build());
- attribs.put("intSet", AttributeValue.builder().ns("1", "200", "10", "15", "0").build());
- attribs.put("hashKey", AttributeValue.builder().n("5").build());
- attribs.put("rangeKey", AttributeValue.builder().n("7").build());
- attribs.put("version", AttributeValue.builder().n("0").build());
-
- context = EncryptionContext.builder()
- .tableName("TableName")
- .hashKeyName("hashKey")
- .rangeKeyName("rangeKey")
- .build();
- }
-
- @Test
- public void testSetSignatureFieldName() {
- assertNotNull(encryptor.getSignatureFieldName());
- encryptor.setSignatureFieldName("A different value");
- assertEquals("A different value", encryptor.getSignatureFieldName());
- }
-
- @Test
- public void testSetMaterialDescriptionFieldName() {
- assertNotNull(encryptor.getMaterialDescriptionFieldName());
- encryptor.setMaterialDescriptionFieldName("A different value");
- assertEquals("A different value", encryptor.getMaterialDescriptionFieldName());
- }
-
- @Test
- public void fullEncryption() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes =
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(encryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has been encrypted (we'll assume the others are correct as well)
- assertTrue(encryptedAttributes.containsKey("stringValue"));
- assertNull(encryptedAttributes.get("stringValue").s());
- assertNotNull(encryptedAttributes.get("stringValue").b());
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void fullEncryptionBadSignature() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map modifiedEncryptedAttributes = new HashMap<>(encryptedAttributes);
- modifiedEncryptedAttributes.put("hashKey", AttributeValue.builder().n("666").build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(modifiedEncryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- }
-
- @Test(expectedExceptions = IllegalArgumentException.class)
- public void badVersionNumber() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- byte[] rawArray = encryptedAttributes.get(encryptor.getMaterialDescriptionFieldName()).b().asByteArray();
- assertEquals(0, rawArray[0]); // This will need to be kept in sync with the current version.
- rawArray[0] = 100;
- encryptedAttributes.put(encryptor.getMaterialDescriptionFieldName(),
- AttributeValue.builder().b(SdkBytes.fromByteArray(rawArray)).build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(encryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- }
-
- @Test
- public void signedOnly() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes =
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, encryptedAttributes, context, attribs.keySet());
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has not been encrypted (we'll assume the others are correct as well)
- assertAttrEquals(attribs.get("stringValue"), encryptedAttributes.get("stringValue"));
- }
-
- @Test
- public void signedOnlyNullCryptoKey() {
- prov = new SymmetricStaticProvider(null, macKey, Collections.emptyMap());
- encryptor = new DynamoDbEncryptor(prov, "encryptor-");
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes = EncryptionTestHelper.decryptAllFieldsExcept(encryptor, encryptedAttributes, context, attribs.keySet());
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has not been encrypted (we'll assume the others are correct as well)
- assertAttrEquals(attribs.get("stringValue"), encryptedAttributes.get("stringValue"));
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void signedOnlyBadSignature() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map modifiedEncryptedAttributes = new HashMap<>(encryptedAttributes);
- modifiedEncryptedAttributes.put("hashKey", AttributeValue.builder().n("666").build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, modifiedEncryptedAttributes, context, attribs.keySet());
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void signedOnlyNoSignature() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- encryptedAttributes.remove(encryptor.getSignatureFieldName());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, encryptedAttributes, context, attribs.keySet());
- }
-
- @Test
- public void RsaSignedOnly() throws GeneralSecurityException {
- KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
- rsaGen.initialize(2048, Utils.getRng());
- KeyPair sigPair = rsaGen.generateKeyPair();
- encryptor = new DynamoDbEncryptor(
- new SymmetricStaticProvider(encryptionKey, sigPair, Collections.emptyMap()), "encryptor-");
-
- Map encryptedAttributes = EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes =
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, encryptedAttributes, context, attribs.keySet());
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has not been encrypted (we'll assume the others are correct as well)
- assertAttrEquals(attribs.get("stringValue"), encryptedAttributes.get("stringValue"));
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void RsaSignedOnlyBadSignature() throws GeneralSecurityException {
- KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
- rsaGen.initialize(2048, Utils.getRng());
- KeyPair sigPair = rsaGen.generateKeyPair();
- encryptor = new DynamoDbEncryptor(
- new SymmetricStaticProvider(encryptionKey, sigPair, Collections.emptyMap()), "encryptor-");
-
- Map encryptedAttributes = EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map modifiedEncryptedAttributes = new HashMap<>(encryptedAttributes);
- modifiedEncryptedAttributes.put("hashKey", AttributeValue.builder().n("666").build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, modifiedEncryptedAttributes, context, attribs.keySet());
- }
-
- private void assertAttrEquals(AttributeValue o1, AttributeValue o2) {
- assertEquals(o1.b(), o2.b());
- assertSetsEqual(o1.bs(), o2.bs());
- assertEquals(o1.n(), o2.n());
- assertSetsEqual(o1.ns(), o2.ns());
- assertEquals(o1.s(), o2.s());
- assertSetsEqual(o1.ss(), o2.ss());
- }
-
- private void assertSetsEqual(Collection c1, Collection c2) {
- assertFalse(c1 == null ^ c2 == null);
- if (c1 != null) {
- Set s1 = new HashSet<>(c1);
- Set s2 = new HashSet<>(c2);
- assertEquals(s1, s2);
- }
- }
-
-}
diff --git a/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedEnvelopeEncryptionTest.java b/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedEnvelopeEncryptionTest.java
deleted file mode 100644
index a403db97..00000000
--- a/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DelegatedEnvelopeEncryptionTest.java
+++ /dev/null
@@ -1,265 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-import static java.util.Arrays.asList;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.testng.AssertJUnit.assertEquals;
-import static org.testng.AssertJUnit.assertFalse;
-import static org.testng.AssertJUnit.assertNotNull;
-import static org.testng.AssertJUnit.assertNull;
-import static org.testng.AssertJUnit.assertTrue;
-
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-import javax.crypto.spec.SecretKeySpec;
-
-import org.testng.annotations.BeforeClass;
-import org.testng.annotations.BeforeMethod;
-import org.testng.annotations.Test;
-
-import software.amazon.awssdk.core.SdkBytes;
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.exceptions.DynamoDbEncryptionException;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.EncryptionMaterialsProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.SymmetricStaticProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.WrappedMaterialsProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Utils;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.testing.AttrMatcher;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.testing.EncryptionTestHelper;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.testing.TestDelegatedKey;
-
-public class DelegatedEnvelopeEncryptionTest {
- private static SecretKeySpec rawEncryptionKey;
- private static SecretKeySpec rawMacKey;
- private static DelegatedKey encryptionKey;
- private static DelegatedKey macKey;
-
- private EncryptionMaterialsProvider prov;
- private DynamoDbEncryptor encryptor;
- private Map attribs;
- private EncryptionContext context;
-
- @BeforeClass
- public static void setupClass() {
- rawEncryptionKey = new SecretKeySpec(Utils.getRandom(32), "AES");
- encryptionKey = new TestDelegatedKey(rawEncryptionKey);
-
- rawMacKey = new SecretKeySpec(Utils.getRandom(32), "HmacSHA256");
- macKey = new TestDelegatedKey(rawMacKey);
- }
-
- @BeforeMethod
- public void setUp() {
- prov = new WrappedMaterialsProvider(encryptionKey, encryptionKey, macKey, Collections.emptyMap());
- encryptor = new DynamoDbEncryptor(prov, "encryptor-");
-
- attribs = new HashMap<>();
- attribs.put("intValue", AttributeValue.builder().n("123").build());
- attribs.put("stringValue", AttributeValue.builder().s("Hello world!").build());
- attribs.put("byteArrayValue",
- AttributeValue.builder().b(SdkBytes.fromByteArray(new byte[]{0, 1, 2, 3, 4, 5})).build());
- attribs.put("stringSet",AttributeValue.builder().ss("Goodbye", "Cruel", "World", "?").build());
- attribs.put("intSet", AttributeValue.builder().ns("1", "200", "10", "15", "0").build());
- attribs.put("hashKey", AttributeValue.builder().n("5").build());
- attribs.put("rangeKey", AttributeValue.builder().n("7").build());
- attribs.put("version", AttributeValue.builder().n("0").build());
-
- context = EncryptionContext.builder()
- .tableName("TableName")
- .hashKeyName("hashKey")
- .rangeKeyName("rangeKey")
- .build();
- }
-
- @Test
- public void testSetSignatureFieldName() {
- assertNotNull(encryptor.getSignatureFieldName());
- encryptor.setSignatureFieldName("A different value");
- assertEquals("A different value", encryptor.getSignatureFieldName());
- }
-
- @Test
- public void testSetMaterialDescriptionFieldName() {
- assertNotNull(encryptor.getMaterialDescriptionFieldName());
- encryptor.setMaterialDescriptionFieldName("A different value");
- assertEquals("A different value", encryptor.getMaterialDescriptionFieldName());
- }
-
- @Test
- public void fullEncryption() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes =
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(encryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has been encrypted (we'll assume the others are correct as well)
- assertTrue(encryptedAttributes.containsKey("stringValue"));
- assertNull(encryptedAttributes.get("stringValue").s());
- assertNotNull(encryptedAttributes.get("stringValue").b());
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void fullEncryptionBadSignature() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map modifiedEncryptedAttributes = new HashMap<>(encryptedAttributes);
- modifiedEncryptedAttributes.put("hashKey", AttributeValue.builder().n("666").build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(modifiedEncryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- }
-
- @Test(expectedExceptions = IllegalArgumentException.class)
- public void badVersionNumber() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- byte[] rawArray = encryptedAttributes.get(encryptor.getMaterialDescriptionFieldName()).b().asByteArray();
- assertEquals(0, rawArray[0]); // This will need to be kept in sync with the current version.
- rawArray[0] = 100;
- encryptedAttributes.put(encryptor.getMaterialDescriptionFieldName(),
- AttributeValue.builder().b(SdkBytes.fromByteArray(rawArray)).build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(encryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- }
-
- @Test
- public void signedOnly() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes =
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, encryptedAttributes, context, attribs.keySet());
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has not been encrypted (we'll assume the others are correct as well)
- assertAttrEquals(attribs.get("stringValue"), encryptedAttributes.get("stringValue"));
- }
-
- @Test
- public void signedOnlyNullCryptoKey() {
- prov = new SymmetricStaticProvider(null, macKey, Collections.emptyMap());
- encryptor = new DynamoDbEncryptor(prov, "encryptor-");
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes = EncryptionTestHelper.decryptAllFieldsExcept(encryptor, encryptedAttributes, context, attribs.keySet());
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has not been encrypted (we'll assume the others are correct as well)
- assertAttrEquals(attribs.get("stringValue"), encryptedAttributes.get("stringValue"));
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void signedOnlyBadSignature() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map modifiedEncryptedAttributes = new HashMap<>(encryptedAttributes);
- modifiedEncryptedAttributes.put("hashKey", AttributeValue.builder().n("666").build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, modifiedEncryptedAttributes, context, attribs.keySet());
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void signedOnlyNoSignature() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- encryptedAttributes.remove(encryptor.getSignatureFieldName());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, encryptedAttributes, context, attribs.keySet());
- }
-
- @Test
- public void RsaSignedOnly() throws GeneralSecurityException {
- KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
- rsaGen.initialize(2048, Utils.getRng());
- KeyPair sigPair = rsaGen.generateKeyPair();
- encryptor = new DynamoDbEncryptor(
- new SymmetricStaticProvider(encryptionKey, sigPair,
- Collections.emptyMap()), "encryptor-");
-
- Map encryptedAttributes = EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes =
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, encryptedAttributes, context, attribs.keySet());
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has not been encrypted (we'll assume the others are correct as well)
- assertAttrEquals(attribs.get("stringValue"), encryptedAttributes.get("stringValue"));
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void RsaSignedOnlyBadSignature() throws GeneralSecurityException {
- KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
- rsaGen.initialize(2048, Utils.getRng());
- KeyPair sigPair = rsaGen.generateKeyPair();
- encryptor = new DynamoDbEncryptor(
- new SymmetricStaticProvider(encryptionKey, sigPair,
- Collections.emptyMap()), "encryptor-");
-
- Map encryptedAttributes = EncryptionTestHelper.encryptAllFieldsExcept(encryptor, attribs, context, attribs.keySet());
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map modifiedEncryptedAttributes = new HashMap<>(encryptedAttributes);
- modifiedEncryptedAttributes.put("hashKey", AttributeValue.builder().n("666").build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, modifiedEncryptedAttributes, context, attribs.keySet());
- }
-
- private void assertAttrEquals(AttributeValue o1, AttributeValue o2) {
- assertEquals(o1.b(), o2.b());
- assertSetsEqual(o1.bs(), o2.bs());
- assertEquals(o1.n(), o2.n());
- assertSetsEqual(o1.ns(), o2.ns());
- assertEquals(o1.s(), o2.s());
- assertSetsEqual(o1.ss(), o2.ss());
- }
-
- private void assertSetsEqual(Collection c1, Collection c2) {
- assertFalse(c1 == null ^ c2 == null);
- if (c1 != null) {
- Set s1 = new HashSet<>(c1);
- Set s2 = new HashSet<>(c2);
- assertEquals(s1, s2);
- }
- }
-
-}
diff --git a/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbEncryptorTest.java b/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbEncryptorTest.java
deleted file mode 100644
index 8acbcabc..00000000
--- a/sdk2/src/test/java/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/DynamoDbEncryptorTest.java
+++ /dev/null
@@ -1,624 +0,0 @@
-/*
- * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- *
- * Licensed under the Apache License, Version 2.0 (the "License").
- * You may not use this file except in compliance with the License.
- * A copy of the License is located at
- *
- * http://aws.amazon.com/apache2.0
- *
- * or in the "license" file accompanying this file. This file is distributed
- * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption;
-
-import static java.util.Arrays.asList;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.not;
-import static org.testng.AssertJUnit.assertEquals;
-import static org.testng.AssertJUnit.assertFalse;
-import static org.testng.AssertJUnit.assertNotNull;
-import static org.testng.AssertJUnit.assertNull;
-import static org.testng.AssertJUnit.assertTrue;
-import static software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContextOperators.overrideEncryptionContextTableName;
-
-import java.lang.reflect.Method;
-import java.nio.ByteBuffer;
-import java.security.GeneralSecurityException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.Security;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.atomic.AtomicInteger;
-
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-
-import org.bouncycastle.jce.ECNamedCurveTable;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.jce.spec.ECParameterSpec;
-import org.testng.annotations.BeforeClass;
-import org.testng.annotations.BeforeMethod;
-import org.testng.annotations.Test;
-
-import software.amazon.awssdk.core.SdkBytes;
-import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.DynamoDbEncryptionConfiguration;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.EncryptionAction;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.exceptions.DynamoDbEncryptionException;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.DecryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.materials.EncryptionMaterials;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.EncryptionMaterialsProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.providers.SymmetricStaticProvider;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.internal.Utils;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.testing.AttrMatcher;
-import software.amazon.cryptools.dynamodbencryptionclientsdk2.testing.EncryptionTestHelper;
-
-public class DynamoDbEncryptorTest {
- private static SecretKey encryptionKey;
- private static SecretKey macKey;
-
- private InstrumentedEncryptionMaterialsProvider prov;
- private DynamoDbEncryptor encryptor;
- private Map attribs;
- private EncryptionContext context;
- private static final String OVERRIDDEN_TABLE_NAME = "TheBestTableName";
-
- @BeforeClass
- public static void setUpClass() throws Exception {
- KeyGenerator aesGen = KeyGenerator.getInstance("AES");
- aesGen.init(128, Utils.getRng());
- encryptionKey = aesGen.generateKey();
-
- KeyGenerator macGen = KeyGenerator.getInstance("HmacSHA256");
- macGen.init(256, Utils.getRng());
- macKey = macGen.generateKey();
- }
-
- @BeforeMethod
- public void setUp() {
- prov = new InstrumentedEncryptionMaterialsProvider(
- new SymmetricStaticProvider(encryptionKey, macKey,
- Collections.emptyMap()));
- encryptor = new DynamoDbEncryptor(prov, "encryptor-");
-
- attribs = new HashMap<>();
- attribs.put("intValue", AttributeValue.builder().n("123").build());
- attribs.put("stringValue", AttributeValue.builder().s("Hello world!").build());
- attribs.put("byteArrayValue",
- AttributeValue.builder().b(SdkBytes.fromByteArray(new byte[] {0, 1, 2, 3, 4, 5})).build());
- attribs.put("stringSet", AttributeValue.builder().ss("Goodbye", "Cruel", "World", "?").build());
- attribs.put("intSet", AttributeValue.builder().ns("1", "200", "10", "15", "0").build());
- attribs.put("hashKey", AttributeValue.builder().n("5").build());
- attribs.put("rangeKey", AttributeValue.builder().n("7").build());
- attribs.put("version", AttributeValue.builder().n("0").build());
-
- // New(er) data types
- attribs.put("booleanTrue", AttributeValue.builder().bool(true).build());
- attribs.put("booleanFalse", AttributeValue.builder().bool(false).build());
- attribs.put("nullValue", AttributeValue.builder().nul(true).build());
- Map tmpMap = new HashMap<>(attribs);
- attribs.put("listValue", AttributeValue.builder().l(
- AttributeValue.builder().s("I'm a string").build(),
- AttributeValue.builder().n("42").build(),
- AttributeValue.builder().s("Another string").build(),
- AttributeValue.builder().ns("1", "4", "7").build(),
- AttributeValue.builder().m(tmpMap).build(),
- AttributeValue.builder().l(
- AttributeValue.builder().n("123").build(),
- AttributeValue.builder().ns("1", "200", "10", "15", "0").build(),
- AttributeValue.builder().ss("Goodbye", "Cruel", "World", "!").build()
- ).build()).build());
- tmpMap = new HashMap<>();
- tmpMap.put("another string", AttributeValue.builder().s("All around the cobbler's bench").build());
- tmpMap.put("next line", AttributeValue.builder().ss("the monkey", "chased", "the weasel").build());
- tmpMap.put("more lyrics", AttributeValue.builder().l(
- AttributeValue.builder().s("the monkey").build(),
- AttributeValue.builder().s("thought twas").build(),
- AttributeValue.builder().s("all in fun").build()
- ).build());
- tmpMap.put("weasel", AttributeValue.builder().m(Collections.singletonMap("pop", AttributeValue.builder().bool(true).build())).build());
- attribs.put("song", AttributeValue.builder().m(tmpMap).build());
-
-
- context = EncryptionContext.builder()
- .tableName("TableName")
- .hashKeyName("hashKey")
- .rangeKeyName("rangeKey")
- .build();
- }
-
- @Test
- public void testSetSignatureFieldName() {
- assertNotNull(encryptor.getSignatureFieldName());
- encryptor.setSignatureFieldName("A different value");
- assertEquals("A different value", encryptor.getSignatureFieldName());
- }
-
- @Test
- public void testSetMaterialDescriptionFieldName() {
- assertNotNull(encryptor.getMaterialDescriptionFieldName());
- encryptor.setMaterialDescriptionFieldName("A different value");
- assertEquals("A different value", encryptor.getMaterialDescriptionFieldName());
- }
-
- @Test
- public void fullEncryption() {
- Map encryptedAttributes = EncryptionTestHelper.encryptAllFieldsExcept(encryptor,
- Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
-
- Map decryptedAttributes = EncryptionTestHelper.decryptAllFieldsExcept(encryptor,
- Collections.unmodifiableMap(encryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has been encrypted (we'll assume the others are correct as well)
- assertTrue(encryptedAttributes.containsKey("stringValue"));
- assertNull(encryptedAttributes.get("stringValue").s());
- assertNotNull(encryptedAttributes.get("stringValue").b());
-
- // Make sure we're calling the proper getEncryptionMaterials method
- assertEquals("Wrong getEncryptionMaterials() called",
- 1, prov.getCallCount("getEncryptionMaterials(EncryptionContext context)"));
- }
-
- @Test(expectedExceptions = IllegalArgumentException.class)
- public void encryptWithDefaultEncryptionActionOfNullWithKeyOverridesThrowsIllegalArgumentException() {
- DynamoDbEncryptionConfiguration configuration = DynamoDbEncryptionConfiguration.builder()
- .addEncryptionActionOverride("hashKey", EncryptionAction.SIGN_ONLY)
- .addEncryptionActionOverride("rangeKey", EncryptionAction.SIGN_ONLY)
- .addEncryptionActionOverride("version", EncryptionAction.SIGN_ONLY)
- .encryptionContext(context)
- .build();
-
- encryptor.encryptRecord(Collections.unmodifiableMap(attribs), configuration);
- }
-
- @Test(expectedExceptions = IllegalArgumentException.class)
- public void decryptWithDefaultEncryptionActionOfNullWithKeyOverridesThrowsIllegalArgumentException() {
- DynamoDbEncryptionConfiguration configuration = DynamoDbEncryptionConfiguration.builder()
- .addEncryptionActionOverride("hashKey", EncryptionAction.SIGN_ONLY)
- .addEncryptionActionOverride("rangeKey", EncryptionAction.SIGN_ONLY)
- .addEncryptionActionOverride("version", EncryptionAction.SIGN_ONLY)
- .encryptionContext(context)
- .build();
-
- encryptor.decryptRecord(Collections.unmodifiableMap(attribs), configuration);
- }
-
- @Test
- public void defaultEncryptionActionOfSignAndEncryptWithKeyOverrides() {
- DynamoDbEncryptionConfiguration configuration = DynamoDbEncryptionConfiguration.builder()
- .defaultEncryptionAction(EncryptionAction.ENCRYPT_AND_SIGN)
- .addEncryptionActionOverride("hashKey", EncryptionAction.SIGN_ONLY)
- .addEncryptionActionOverride("rangeKey", EncryptionAction.SIGN_ONLY)
- .addEncryptionActionOverride("version", EncryptionAction.SIGN_ONLY)
- .encryptionContext(context)
- .build();
-
- Map encryptedAttributes =
- encryptor.encryptRecord(Collections.unmodifiableMap(attribs), configuration);
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes =
- encryptor.decryptRecord(Collections.unmodifiableMap(encryptedAttributes), configuration);
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Make sure keys and version are not encrypted
- assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
- assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
- assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-
- // Make sure String has been encrypted (we'll assume the others are correct as well)
- assertTrue(encryptedAttributes.containsKey("stringValue"));
- assertNull(encryptedAttributes.get("stringValue").s());
- assertNotNull(encryptedAttributes.get("stringValue").b());
-
- // Make sure we're calling the proper getEncryptionMaterials method
- assertEquals("Wrong getEncryptionMaterials() called",
- 1, prov.getCallCount("getEncryptionMaterials(EncryptionContext context)"));
- }
-
- @Test
- public void defaultEncryptionActionOfSignOnlyWithNoOverrides() {
- DynamoDbEncryptionConfiguration configuration = DynamoDbEncryptionConfiguration.builder()
- .defaultEncryptionAction(EncryptionAction.SIGN_ONLY)
- .encryptionContext(context)
- .build();
-
- Map encryptedAttributes =
- encryptor.encryptRecord(Collections.unmodifiableMap(attribs), configuration);
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map decryptedAttributes =
- encryptor.decryptRecord(Collections.unmodifiableMap(encryptedAttributes), configuration);
- assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-
- // Verify that nothing actually got encrypted
- Map copyOfEncryptedAttributes = new HashMap<>(encryptedAttributes);
- copyOfEncryptedAttributes.remove(encryptor.getMaterialDescriptionFieldName());
- copyOfEncryptedAttributes.remove(encryptor.getSignatureFieldName());
- assertThat(copyOfEncryptedAttributes, AttrMatcher.match(attribs));
- }
-
- @Test
- public void defaultEncryptionActionOfIgnoreWithNoOverrides() {
- DynamoDbEncryptionConfiguration configuration = DynamoDbEncryptionConfiguration.builder()
- .defaultEncryptionAction(EncryptionAction.DO_NOTHING)
- .encryptionContext(context)
- .build();
-
- Map encryptedAttributes =
- new HashMap<>(encryptor.encryptRecord(Collections.unmodifiableMap(attribs), configuration));
-
- // Verify that nothing actually got encrypted
- Map copyOfEncryptedAttributes = new HashMap<>(encryptedAttributes);
- copyOfEncryptedAttributes.remove(encryptor.getMaterialDescriptionFieldName());
- copyOfEncryptedAttributes.remove(encryptor.getSignatureFieldName());
- assertThat(copyOfEncryptedAttributes, AttrMatcher.match(attribs));
-
- // Now modify one of the attributes and decrypt to prove that it was not signed
- Map copyOfAttributes = new HashMap<>(attribs);
- encryptedAttributes.put("stringValue", AttributeValue.builder().s("Goodbye world!").build());
- copyOfAttributes.put("stringValue", AttributeValue.builder().s("Goodbye world!").build());
- Map decryptedAttributes = encryptor.decryptRecord(encryptedAttributes, configuration);
- assertThat(decryptedAttributes, AttrMatcher.match(copyOfAttributes));
- }
-
- @Test
- public void ensureEncryptedAttributesUnmodified() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- String encryptedString = encryptedAttributes.toString();
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(encryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
-
- assertEquals(encryptedString, encryptedAttributes.toString());
- }
-
- @Test(expectedExceptions = DynamoDbEncryptionException.class)
- public void fullEncryptionBadSignature() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
- Map modifiedEncryptedAttributes = new HashMap<>(encryptedAttributes);
- modifiedEncryptedAttributes.put("hashKey", AttributeValue.builder().n("666").build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(modifiedEncryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- }
-
- @Test(expectedExceptions =IllegalArgumentException.class)
- public void badVersionNumber() {
- Map encryptedAttributes =
- EncryptionTestHelper.encryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(attribs), context, asList("hashKey", "rangeKey", "version"));
- byte[] rawArray = encryptedAttributes.get(encryptor.getMaterialDescriptionFieldName()).b().asByteArray();
- assertEquals(0, rawArray[0]); // This will need to be kept in sync with the current version.
- rawArray[0] = 100;
- encryptedAttributes.put(encryptor.getMaterialDescriptionFieldName(),
- AttributeValue.builder().b(SdkBytes.fromByteArray(rawArray)).build());
- EncryptionTestHelper.decryptAllFieldsExcept(encryptor, Collections.unmodifiableMap(encryptedAttributes), context, asList("hashKey", "rangeKey", "version"));
- }
-
- @Test
- public void signedOnly() {
- Map