/**
 * Generates a fresh one-time content encryption key (CEK) for the content
 * crypto scheme in use.
 *
 * <p>The key-generator algorithm and key length come from
 * {@code contentCryptoScheme}; the generator is initialised with the
 * scheme-level {@link SecureRandom} so that a caller-configured RNG is the one
 * actually used for key material.
 *
 * @return a newly generated symmetric key
 * @throws AmazonClientException if no installed provider supplies the
 *         requested key-generator algorithm (the {@link NoSuchAlgorithmException}
 *         is kept as the cause)
 */
protected final SecretKey generateCEK() {
    final String keyAlgorithm = contentCryptoScheme.getKeyGeneratorAlgorithm();
    try {
        KeyGenerator keyGen = KeyGenerator.getInstance(keyAlgorithm);
        keyGen.init(contentCryptoScheme.getKeyLengthInBits(), cryptoScheme.getSecureRandom());
        return keyGen.generateKey();
    } catch (NoSuchAlgorithmException e) {
        // Surface as the SDK's client-side exception; the original cause is preserved.
        throw new AmazonClientException(
            "Unable to generate envelope symmetric key:" + e.getMessage(), e);
    }
}
/**
 * Creates a crypto module bound to the given S3 client, key-encrypting-key
 * (KEK) materials provider, crypto configuration and crypto scheme.
 *
 * <p>Only {@code s3}, {@code kekMaterialsProvider}, {@code cryptoConfig} and
 * {@code cryptoScheme} are retained by this constructor; {@code credentialsProvider}
 * and {@code clientConfig} are accepted in the signature but not stored here.
 * The content crypto scheme is derived once from {@code cryptoScheme} and cached
 * in {@code contentCryptoScheme}.
 *
 * @param s3                  the underlying S3 transport used for the raw object calls
 * @param credentialsProvider not retained by this constructor
 * @param kekMaterialsProvider source of the KEK materials used to secure each CEK
 * @param clientConfig        not retained by this constructor
 * @param cryptoConfig        client-side encryption configuration
 * @param cryptoScheme        scheme selecting key-wrap, content cipher and RNG
 */
protected S3CryptoModuleBase(
        S3Direct s3,
        AWSCredentialsProvider credentialsProvider,
        EncryptionMaterialsProvider kekMaterialsProvider,
        ClientConfiguration clientConfig,
        CryptoConfiguration cryptoConfig,
        S3CryptoScheme cryptoScheme) {
    this.s3 = s3;
    this.cryptoScheme = cryptoScheme;
    // Cache the content scheme so per-object code does not re-derive it from cryptoScheme.
    this.contentCryptoScheme = cryptoScheme.getContentCryptoScheme();
    this.cryptoConfig = cryptoConfig;
    this.kekMaterialsProvider = kekMaterialsProvider;
}
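/**
 * Envelope-encrypts ("secures") the content encryption key with the
 * key-encrypting key (KEK) taken from the given materials.
 *
 * <p>KEK selection: if the materials carry a key pair, its public key is used
 * (only the private half can later recover the CEK); otherwise the symmetric
 * key is used.
 *
 * <p>Two paths exist:
 * <ol>
 *   <li>If the scheme's {@link S3KeyWrapScheme} names a key-wrap algorithm for
 *       this KEK, the CEK is wrapped in {@link Cipher#WRAP_MODE} and that
 *       algorithm name is recorded in the returned {@link SecuredCEK} so the
 *       decrypting side knows how to unwrap it.</li>
 *   <li>Otherwise the legacy Encryption-Only (EO) path encrypts the raw key
 *       bytes with a cipher looked up by the KEK's bare algorithm name and
 *       records a {@code null} key-wrap algorithm. NOTE(review): a bare name
 *       such as "AES" or "RSA" leaves mode and padding to the provider (the
 *       standard JDK providers resolve these to ECB with a default padding), so
 *       the exact transformation depends on {@code cryptoProvider} or on the
 *       default provider order. This path exists for compatibility with
 *       objects already written in EO mode; new schemes should supply a
 *       key-wrap algorithm.</li>
 * </ol>
 *
 * @param toBeEncrypted  the one-time content encryption key to protect
 * @param materials      KEK materials; a key pair takes precedence over a symmetric key
 * @param cryptoProvider explicit JCE provider, or {@code null} to use the default lookup
 * @return the encrypted CEK bytes plus the key-wrap algorithm used
 *         ({@code null} on the EO path)
 * @throws AmazonClientException if the KEK cannot be used to wrap/encrypt the CEK;
 *         the underlying JCE exception is preserved as the cause
 */
protected final SecuredCEK secureCEK(
        SecretKey toBeEncrypted, EncryptionMaterials materials, Provider cryptoProvider) {
    Key kek;
    if (materials.getKeyPair() != null) {
        // Asymmetric materials: wrap with the public key.
        kek = materials.getKeyPair().getPublic();
    } else {
        // Symmetric materials: wrap with the shared KEK.
        kek = materials.getSymmetricKey();
    }
    S3KeyWrapScheme kwScheme = cryptoScheme.getKeyWrapScheme();
    String keyWrapAlgo = kwScheme.getKeyWrapAlgorithm(kek);
    try {
        if (keyWrapAlgo != null) {
            Cipher cipher = cryptoProvider == null
                ? Cipher.getInstance(keyWrapAlgo)
                : Cipher.getInstance(keyWrapAlgo, cryptoProvider);
            cipher.init(Cipher.WRAP_MODE, kek, cryptoScheme.getSecureRandom());
            return new SecuredCEK(cipher.wrap(toBeEncrypted), keyWrapAlgo);
        }
        // Legacy Encryption-Only (EO) path: raw key bytes, provider-default
        // transformation, and no key-wrap algorithm recorded (null).
        byte[] toBeEncryptedBytes = toBeEncrypted.getEncoded();
        String algo = kek.getAlgorithm();
        Cipher cipher = cryptoProvider == null
            ? Cipher.getInstance(algo) // default JCE provider lookup
            : Cipher.getInstance(algo, cryptoProvider);
        // Pass the scheme-configured SecureRandom here as on the wrap path above, so
        // randomised paddings (e.g. RSA PKCS#1) draw from the configured RNG rather
        // than whatever the cipher picks on its own. Deterministic ciphers ignore it.
        cipher.init(Cipher.ENCRYPT_MODE, kek, cryptoScheme.getSecureRandom());
        return new SecuredCEK(cipher.doFinal(toBeEncryptedBytes), null);
    } catch (Exception e) {
        // Boundary catch: every JCE failure (no such algorithm/padding, invalid key,
        // illegal block size, bad padding) is surfaced uniformly, cause preserved.
        throw new AmazonClientException("Unable to encrypt symmetric key: " + e.getMessage(), e);
    }
}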
/**
 * Builds fresh content-encryption material: a new one-time CEK, a random IV,
 * and the CEK secured with the KEK obtained from {@code kekMaterialProvider}.
 *
 * <p>The CEK is generated first and the IV bytes are drawn afterwards; both
 * come from the scheme's {@link SecureRandom}. The returned material carries
 * an {@link Cipher#ENCRYPT_MODE} cipher for the object content, built with the
 * same {@code provider} used to secure the CEK.
 *
 * @param kekMaterialProvider source of the KEK materials and their description
 * @param provider            JCE provider for key wrapping and the content cipher,
 *                            or {@code null} for the default lookup
 * @return material holding the materials description, the encrypted CEK, the
 *         key-wrap algorithm used ({@code null} on the legacy path) and the
 *         content cipher
 */
protected final ContentCryptoMaterial newContentCryptoMaterial(
        EncryptionMaterialsProvider kekMaterialProvider, Provider provider) {
    // One-time content key for this object.
    SecretKey contentKey = generateCEK();
    // Fresh IV of the length the content scheme requires; never reused with this key.
    byte[] ivBytes = new byte[contentCryptoScheme.getIVLengthInBytes()];
    cryptoScheme.getSecureRandom().nextBytes(ivBytes);
    // Secure the content key under the caller-supplied KEK materials.
    EncryptionMaterials kekMaterials = kekMaterialProvider.getEncryptionMaterials();
    SecuredCEK secured = secureCEK(contentKey, kekMaterials, provider);
    return new ContentCryptoMaterial(
        kekMaterials.getMaterialsDescription(),
        secured.encrypted,
        secured.keyWrapAlgorithm,
        contentCryptoScheme.createCipherLite(contentKey, ivBytes, Cipher.ENCRYPT_MODE, provider));
}