 /**
  * Protects the content-encrypting key (CEK) under a key-encrypting key (KEK) taken from the
  * supplied encryption materials.
  *
  * <p>The KEK is the public key of the materials' key pair when one is present, otherwise the
  * materials' symmetric key. If the configured key wrap scheme names a wrap algorithm for that
  * KEK, the CEK is wrapped with it; otherwise the method falls back to the Encryption Only (EO)
  * path, which encrypts the raw CEK bytes with a cipher named only by the KEK's algorithm.
  *
  * @param toBeEncrypted the CEK to protect
  * @param materials source of the KEK (key pair or symmetric key)
  * @param cryptoProvider JCE provider to request the cipher from, or {@code null} to use the
  *     default provider lookup
  * @return the protected CEK together with the key wrap algorithm used, or with a {@code null}
  *     algorithm when the EO fallback was taken
  * @throws AmazonClientException if any step inside the cipher setup or encryption fails; the
  *     original exception is kept as the cause
  */
 protected final SecuredCEK secureCEK(
     SecretKey toBeEncrypted, EncryptionMaterials materials, Provider cryptoProvider) {
   // Envelope encryption: asymmetric materials win over symmetric ones when both are set.
   // NOTE(review): if the materials carry neither, kek is null here; how
   // getKeyWrapAlgorithm(null) behaves is not visible from this method, and that call sits
   // outside the try block below, so confirm the failure mode callers see.
   final Key kek =
       materials.getKeyPair() != null
           ? materials.getKeyPair().getPublic()
           : materials.getSymmetricKey();
   final String keyWrapAlgo = cryptoScheme.getKeyWrapScheme().getKeyWrapAlgorithm(kek);
   try {
     if (keyWrapAlgo == null) {
       // Encryption Only (EO) fallback. The transformation string is just the KEK's algorithm
       // name, so mode and padding are whatever the selected JCE provider defaults to (for the
       // stock JDK providers that is ECB with PKCS#5 / PKCS#1 v1.5 padding), and no IV or
       // SecureRandom is supplied to init(). The result carries a null wrap algorithm, which is
       // how this path is recorded in the returned SecuredCEK.
       // NOTE(review): the encoded CEK copy below stays on the heap until collected; whether
       // getEncoded() returns a private copy depends on the key implementation, so it is not
       // cleared here.
       final byte[] cekBytes = toBeEncrypted.getEncoded();
       final String kekAlgo = kek.getAlgorithm();
       final Cipher eoCipher =
           cryptoProvider == null
               ? Cipher.getInstance(kekAlgo) // Use default JCE Provider
               : Cipher.getInstance(kekAlgo, cryptoProvider);
       eoCipher.init(Cipher.ENCRYPT_MODE, kek);
       return new SecuredCEK(eoCipher.doFinal(cekBytes), null);
     }

     // Key wrap path: the scheme picked an explicit wrap algorithm for this KEK, and the
     // scheme's SecureRandom is handed to the cipher for any randomness the algorithm needs.
     final Cipher wrapCipher;
     if (cryptoProvider != null) {
       wrapCipher = Cipher.getInstance(keyWrapAlgo, cryptoProvider);
     } else {
       wrapCipher = Cipher.getInstance(keyWrapAlgo);
     }
     wrapCipher.init(Cipher.WRAP_MODE, kek, cryptoScheme.getSecureRandom());
     return new SecuredCEK(wrapCipher.wrap(toBeEncrypted), keyWrapAlgo);
   } catch (Exception e) {
     // Deliberately broad: every checked JCE failure and any runtime error raised above (for
     // example a null KEK reaching the fallback) surfaces as one client exception type.
     throw new AmazonClientException("Unable to encrypt symmetric key: " + e.getMessage(), e);
   }
 }