
Backwards compatibility issue with alias/name and getMasterkey #50


Closed
michaelajr opened this issue Apr 5, 2018 · 3 comments

Comments

@michaelajr

In 1.3.1 I could get a MasterKeyProvider using aliases and regions. In the code below I have a list of regions (this.regions) where the alias (this.keyId) has been created in each. I create the KmsMasterKeyProvider for each region and return a MultiProvider.

    private MasterKeyProvider<?> masterKeyProvider() {

        AWSCredentialsProvider credentials
                = new DefaultAWSCredentialsProviderChain();

        List<KmsMasterKey> masterKeys
                = new LinkedList<>();

        for (String region : this.regions) {

            KmsMasterKeyProvider provider
                    = new KmsMasterKeyProvider(
                            credentials,
                            Region.getRegion(
                                    Regions.fromName(
                                            region)),
                            new ClientConfiguration(),
                            this.keyId);

            masterKeys.add(
                    provider.getMasterKey(
                            this.keyId));
        }

        return MultipleProviderFactory
                .buildMultiProvider(
                        masterKeys);
    }

I can then use the MultiProvider with AwsCrypto like so...

                CryptoOutputStream<?> encryptingStream
                        = awsCrypto
                                .createEncryptingStream(
                                        masterKeyProvider(),
                                        fileOutputStream);

This no longer works. The getMasterKey method at line 452 of KmsMasterKeyProvider.java now requires an ARN for the keyId.

String regionName = parseRegionfromKeyArn(keyId);

The result is that regionName is null.

Is there another way to do what I'm trying to do? Thanks.


@michaelajr
Author

So creating the full ARN from the alias seems to be the new way of doing this.

    private MasterKeyProvider<?> masterKeyProvider() {

        final AWSCredentialsProvider credentials
                = new DefaultAWSCredentialsProviderChain();

        List<KmsMasterKeyProvider> providers
                = new LinkedList<>();

        for (String region : this.regions) {
            providers.add(
                    KmsMasterKeyProvider
                            .builder()
                            .withCredentials(
                                    credentials)
                            .withKeysForEncryption(
                                    new StringBuilder()
                                            .append("arn:aws:kms:")
                                            .append(region)
                                            .append(":")
                                            .append(this.account)
                                            .append(":")
                                            .append(this.keyId)
                                            .toString())
                            .build());
        }

        return MultipleProviderFactory
                .buildMultiProvider(
                        providers);
    }
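The ARN expansion that the comment above settles on, written out as a stand-alone Java helper. This is an added example, not code from the issue or from aws-encryption-sdk-java; the class name KmsArnHelper, its method names, and the account id and region values are all assumed or constructed. It builds one `arn:aws:kms:<region>:<account>:<keyId>` per region and checks that the region parses back out of each ARN, which is the property the SDK's key lookup now depends on; regionless inputs (a bare key UUID or an `alias/...` name, the two forms named in the commit message below) parse to null.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not part of aws-encryption-sdk-java: expands a regionless
// KMS key identifier into one full ARN per region and verifies each result.
public final class KmsArnHelper {

    // Matches "arn:<partition>:kms:<region>:<account>:<resource>".
    private static final Pattern KMS_ARN =
            Pattern.compile("^arn:([a-z-]+):kms:([a-z0-9-]+):(\\d{12}):(.+)$");

    private KmsArnHelper() { }

    /** True for identifiers that carry no region of their own:
     *  a bare key UUID or an "alias/..." name. */
    public static boolean isRegionless(String keyId) {
        return !keyId.startsWith("arn:");
    }

    /** Returns the region embedded in a KMS ARN, or null for regionless identifiers. */
    public static String parseRegion(String keyId) {
        Matcher m = KMS_ARN.matcher(keyId);
        return m.matches() ? m.group(2) : null;
    }

    /** Builds "arn:aws:kms:<region>:<account>:<keyId>" for every region in the list. */
    public static List<String> expandToArns(String keyId, String account, List<String> regions) {
        if (!account.matches("\\d{12}")) {
            throw new IllegalArgumentException("account must be a 12-digit AWS account id");
        }
        if (!isRegionless(keyId)) {
            // Already an ARN: it names exactly one region, so leave it untouched.
            return List.of(keyId);
        }
        List<String> arns = new ArrayList<>(regions.size());
        for (String region : regions) {
            String arn = "arn:aws:kms:" + region + ":" + account + ":" + keyId;
            // Fail fast if the ARN we built would not round-trip to its region.
            if (!region.equals(parseRegion(arn))) {
                throw new IllegalStateException("built ARN does not parse: " + arn);
            }
            arns.add(arn);
        }
        return arns;
    }

    public static void main(String[] args) {
        // Constructed sample values: the account id and regions are placeholders.
        List<String> regions = List.of("us-east-1", "us-west-2");
        for (String arn : expandToArns("alias/my-app-key", "123456789012", regions)) {
            System.out.println(arn + " -> region " + parseRegion(arn));
        }
        // A bare alias carries no region, so the parse yields null.
        System.out.println("alias/my-app-key -> region " + parseRegion("alias/my-app-key"));
    }
}
```

Each ARN from `expandToArns` is then handed to the builder exactly as the snippet above does. The round-trip check is worth keeping: the same alias name in two regions refers to two different CMKs, and the MultiProvider wraps the data key under every provider it is given, so a region that slips into the list by mistake becomes one more key able to decrypt the output.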

@bdonlan
Contributor

bdonlan commented Apr 5, 2018

This is a regression. Reopening to fix.

@bdonlan bdonlan reopened this Apr 5, 2018
bdonlan pushed a commit to bdonlan/aws-encryption-sdk-java that referenced this issue Apr 5, 2018
The default region was not actually being consulted when presented with a
regionless key ID (such as a bare UUID or an "alias/foo" value). Fixes aws#50.
@bdonlan
Contributor

bdonlan commented Apr 5, 2018

Note that when using the builder it is intentional that you need to specify a default region, but that also is currently broken. When using legacy constructors we intended for behavior to be unchanged.
