Merge head of master into keyring (#169)

* Add a basic example for encrypting and decrypting with a KMS CMK (#136)

* *Issue #, if available:* #108

*Description of changes:*

Add a basic example for encrypting and decrypting with a KMS CMK.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

# Check any applicable:
- [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

* Add test and Maven plugin to include examples directory as test source

* Update docs in prep for 1.6.1 (#133)

* Update docs in prep for 1.6.1
* Actually bump version for release

* Fix for new versions of gpg

* Refactor JceMasterKey to extract logic to be shared by raw keyrings. (#139)

* Refactor JceMasterKey to extract logic to be shared by raw keyrings.

*Issue #, if available:* #102

*Description of changes:*

In anticipation of the RawAesKeyring and RawRsaKeyring needing logic currently embedded in the JceMasterKey, this change extracts that logic into the JceKeyCipher class so it may be shared.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

- [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

* fix: The final frame can not be larger than the Frame Length (#166)

* Add validation to ensure the length of the final frame in the final
frame header does not exceed the frame size specified in the message
header.

* Validate that frame length is positive for framed data

* Reverting removal of variable frame length code

* Reverting removal of variable frame length code

* Fix spacing after if

Co-authored-by: SalusaSecondus <[email protected]>
Co-authored-by: Greg Rubin <[email protected]>

Author: WesleyRosenblum

src/main/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandler.java

@@ -133,6 +133,11 @@ public ProcessingSummary processBytes(final byte[] in, final int off, final int
                 int protectedContentLen = -1;
                 if (currentFrameHeaders_.isFinalFrame()) {
                     protectedContentLen = currentFrameHeaders_.getFrameContentLength();
+
+                    // The final frame should not be able to exceed the frameLength
+                    if (frameSize_ > 0 && protectedContentLen > frameSize_) {
+                        throw new BadCiphertextException("Final frame length exceeds frame length.");
+                    }
                 } else {
                     protectedContentLen = frameSize_;
                 }

src/main/java/com/amazonaws/encryptionsdk/model/CiphertextHeaders.java

@@ -859,4 +859,4 @@ public void setHeaderNonce(final byte[] headerNonce) {
     public void setHeaderTag(final byte[] headerTag) {
         headerTag_ = headerTag.clone();
     }
-}
+}

src/test/java/com/amazonaws/encryptionsdk/internal/FrameDecryptionHandlerTest.java

@@ -15,11 +15,14 @@
 
 import static org.junit.Assert.assertTrue;
 
+import java.nio.ByteBuffer;
 import java.security.SecureRandom;
 
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 
+import com.amazonaws.encryptionsdk.TestUtils;
+import com.amazonaws.encryptionsdk.exception.BadCiphertextException;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -72,4 +75,18 @@ public void decryptMaxContentLength() {
         frameDecryptionHandler_.processBytes(in, 0, in.length, out, 0);
         frameDecryptionHandler_.processBytes(in, 0, Integer.MAX_VALUE, out, 0);
     }
-}
+
+    @Test(expected = BadCiphertextException.class)
+    public void finalFrameLengthTooLarge() {
+
+        final ByteBuffer byteBuffer = ByteBuffer.allocate(25);
+        byteBuffer.put(TestUtils.unsignedBytesToSignedBytes(
+                new int[] {255, 255, 255, 255, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}));
+        byteBuffer.putInt(AwsCrypto.getDefaultFrameSize() + 1);
+
+        final byte[] in = byteBuffer.array();
+        final byte[] out = new byte[in.length];
+
+        frameDecryptionHandler_.processBytes(in, 0, in.length, out, 0);
+    }
+}