final class ContentCryptoMaterial
extends java.lang.Object
Modifier and Type | Field and Description |
---|---|
private CipherLite |
cipherLite |
private byte[] |
encryptedCEK |
private java.util.Map<java.lang.String,java.lang.String> |
kekMaterialsDescription |
private java.lang.String |
keyWrappingAlgorithm |
Constructor and Description |
---|
ContentCryptoMaterial(java.util.Map<java.lang.String,java.lang.String> kekMaterialsDescription,
byte[] encryptedCEK,
java.lang.String keyWrappingAlgorithm,
CipherLite cipherLite) |
Modifier and Type | Method and Description |
---|---|
private static javax.crypto.SecretKey |
cek(byte[] cekSecured,
java.lang.String keyWrapAlgo,
EncryptionMaterials materials,
java.security.Provider securityProvider,
ContentCryptoScheme contentCryptoScheme,
AWSKMSClient kms)
Returns the content encrypting key, unwrapped or decrypted.
|
private static javax.crypto.SecretKey |
cekByKMS(byte[] cekSecured,
java.lang.String keyWrapAlgo,
EncryptionMaterials materials,
ContentCryptoScheme contentCryptoScheme,
AWSKMSClient kms)
Decrypts the secured CEK via KMS; involves network calls.
|
private static java.lang.String |
convertStreamToString(java.io.InputStream inputStream)
Converts the contents of an input stream to a String
|
(package private) static ContentCryptoMaterial |
create(javax.crypto.SecretKey cek,
byte[] iv,
EncryptionMaterials kekMaterials,
ContentCryptoScheme contentCryptoScheme,
S3CryptoScheme targetScheme,
java.security.Provider provider,
AWSKMSClient kms,
AmazonWebServiceRequest req)
Returns a new instance of
ContentCryptoMaterial for the
input parameters using the specified content crypto scheme, and the key
wrapping and secure randomness specified by the given s3 crypto
scheme. |
(package private) static ContentCryptoMaterial |
create(javax.crypto.SecretKey cek,
byte[] iv,
EncryptionMaterials kekMaterials,
S3CryptoScheme scheme,
java.security.Provider provider,
AWSKMSClient kms,
AmazonWebServiceRequest req)
Returns a new instance of
ContentCryptoMaterial
for the input parameters using the specified s3 crypto scheme. |
private static ContentCryptoMaterial |
doCreate(javax.crypto.SecretKey cek,
byte[] iv,
EncryptionMaterials kekMaterials,
ContentCryptoScheme contentCryptoScheme,
S3CryptoScheme targetS3CryptoScheme,
java.security.Provider provider,
AWSKMSClient kms,
AmazonWebServiceRequest req)
Returns a new instance of
ContentCryptoMaterial for the
given input parameters by using the specified content crypto scheme, and
S3 crypto scheme. |
(package private) static ContentCryptoMaterial |
fromInstructionFile(java.util.Map<java.lang.String,java.lang.String> instFile,
EncryptionMaterialsAccessor kekMaterialAccessor,
java.security.Provider securityProvider,
boolean keyWrapExpected,
AWSKMSClient kms) |
(package private) static ContentCryptoMaterial |
fromInstructionFile(java.util.Map<java.lang.String,java.lang.String> instFile,
EncryptionMaterialsAccessor kekMaterialAccessor,
java.security.Provider securityProvider,
long[] range,
ExtraMaterialsDescription extra,
boolean keyWrapExpected,
AWSKMSClient kms)
Factory method to return the content crypto material from the S3
instruction file, using the specified key encrypting key material
accessor and an optional security provider.
|
private static ContentCryptoMaterial |
fromInstructionFile0(java.util.Map<java.lang.String,java.lang.String> instFile,
EncryptionMaterialsAccessor kekMaterialAccessor,
java.security.Provider securityProvider,
long[] range,
ExtraMaterialsDescription extra,
boolean keyWrapExpected,
AWSKMSClient kms) |
(package private) static ContentCryptoMaterial |
fromObjectMetadata(ObjectMetadata metadata,
EncryptionMaterialsAccessor kekMaterialAccessor,
java.security.Provider securityProvider,
boolean keyWrapExpected,
AWSKMSClient kms) |
(package private) static ContentCryptoMaterial |
fromObjectMetadata(ObjectMetadata metadata,
EncryptionMaterialsAccessor kekMaterialAccessor,
java.security.Provider securityProvider,
long[] range,
ExtraMaterialsDescription extra,
boolean keyWrapExpected,
AWSKMSClient kms)
Factory method to return the content crypto material from the S3 object
metadata, using the specified key encrypting key material accessor and
an optional security provider.
|
private static ContentCryptoMaterial |
fromObjectMetadata0(ObjectMetadata metadata,
EncryptionMaterialsAccessor kekMaterialAccessor,
java.security.Provider securityProvider,
long[] range,
ExtraMaterialsDescription extra,
boolean keyWrapExpected,
AWSKMSClient kms) |
(package private) CipherLite |
getCipherLite()
Returns the cipher lite used for content encryption/decryption purposes.
|
(package private) ContentCryptoScheme |
getContentCryptoScheme()
Returns the content crypto scheme.
|
(package private) byte[] |
getEncryptedCEK()
Returns an array of bytes representing the encrypted envelope symmetric
key.
|
(package private) java.util.Map<java.lang.String,java.lang.String> |
getKEKMaterialsDescription()
Returns the description of the kek materials that were used to encrypt
the cek.
|
(package private) java.lang.String |
getKeyWrappingAlgorithm()
Returns the key wrapping algorithm, or null if the content key is not
secured via a key wrapping algorithm.
|
private java.lang.String |
kekMaterialDescAsJson()
Returns the key-encrypting-key material description as a non-null json
string.
|
private static java.util.Map<java.lang.String,java.lang.String> |
matdescFromJson(java.lang.String json)
Returns the corresponding kek material description from the given json;
or null if the input is null.
|
(package private) static java.util.Map<java.lang.String,java.lang.String> |
mergeMaterialDescriptions(EncryptionMaterials materials,
AmazonWebServiceRequest req) |
private static KeyWrapException |
newKeyWrapException() |
(package private) static java.lang.String |
parseInstructionFile(S3Object instructionFile)
Parses instruction data retrieved from S3 and returns a JSON string
representing the instruction.
|
(package private) ContentCryptoMaterial |
recreate(EncryptionMaterials newKEK,
EncryptionMaterialsAccessor accessor,
S3CryptoScheme targetScheme,
java.security.Provider p,
AWSKMSClient kms,
AmazonWebServiceRequest req)
Recreates a new content crypto material from the current material given a
new KEK encryption materials.
|
(package private) ContentCryptoMaterial |
recreate(java.util.Map<java.lang.String,java.lang.String> newKEKMatDesc,
EncryptionMaterialsAccessor accessor,
S3CryptoScheme targetScheme,
java.security.Provider p,
AWSKMSClient kms,
AmazonWebServiceRequest req)
Recreates a new content crypto material from the current material given a
new KEK material-descriptions.
|
private static SecuredCEK |
secureCEK(javax.crypto.SecretKey cek,
EncryptionMaterials materials,
S3KeyWrapScheme kwScheme,
java.security.SecureRandom srand,
java.security.Provider p,
AWSKMSClient kms,
AmazonWebServiceRequest req)
Secures the given CEK.
|
private java.lang.String |
toJsonString()
Returns the json string in the latest format.
|
(package private) java.lang.String |
toJsonString(CryptoMode mode)
Returns the json string in the backward-compatible (old) format, so it can
be read by older versions of the AWS SDK.
|
private java.lang.String |
toJsonStringEO() |
private ObjectMetadata |
toObjectMetadata(ObjectMetadata metadata)
Returns the metadata in the latest format.
|
(package private) ObjectMetadata |
toObjectMetadata(ObjectMetadata metadata,
CryptoMode mode)
Returns the given metadata updated with this content crypto material.
|
private ObjectMetadata |
toObjectMetadataEO(ObjectMetadata metadata)
Returns the metadata in the backward-compatible (old) format, so it can be
read by older versions of the AWS SDK.
|
private boolean |
usesKMSKey()
Returns true if KMS is used for the content key protection; false
otherwise.
|
static ContentCryptoMaterial |
wrap(javax.crypto.SecretKey cek,
byte[] iv,
ContentCryptoScheme contentCryptoScheme,
java.security.Provider provider,
SecuredCEK cekSecured)
Returns a new instance of
ContentCryptoMaterial by wrapping
the input parameters, including the already secured CEK. |
private final java.lang.String keyWrappingAlgorithm
private final CipherLite cipherLite
private final java.util.Map<java.lang.String,java.lang.String> kekMaterialsDescription
private final byte[] encryptedCEK
ContentCryptoMaterial(java.util.Map<java.lang.String,java.lang.String> kekMaterialsDescription, byte[] encryptedCEK, java.lang.String keyWrappingAlgorithm, CipherLite cipherLite)
java.lang.String getKeyWrappingAlgorithm()
Note if the returned value is [KMS key-protection mechanism constant — value lost in rendering], it means the key is protected via KMS rather than a direct key-wrapping algorithm.
private boolean usesKMSKey()
ContentCryptoScheme getContentCryptoScheme()
ObjectMetadata toObjectMetadata(ObjectMetadata metadata, CryptoMode mode)
private ObjectMetadata toObjectMetadata(ObjectMetadata metadata)
private ObjectMetadata toObjectMetadataEO(ObjectMetadata metadata)
java.lang.String toJsonString(CryptoMode mode)
private java.lang.String toJsonString()
private java.lang.String toJsonStringEO()
private java.lang.String kekMaterialDescAsJson()
private static java.util.Map<java.lang.String,java.lang.String> matdescFromJson(java.lang.String json)
private static javax.crypto.SecretKey cek(byte[] cekSecured, java.lang.String keyWrapAlgo, EncryptionMaterials materials, java.security.Provider securityProvider, ContentCryptoScheme contentCryptoScheme, AWSKMSClient kms)
cekSecured - the content encrypting key in wrapped or encrypted form; must not be null
keyWrapAlgo - key wrapping algorithm; or null if direct encryption instead of key wrapping is used
materials - the client key encrypting key material for the content encrypting key
securityProvider - security provider or null if the default security provider of the JCE is used
private static javax.crypto.SecretKey cekByKMS(byte[] cekSecured, java.lang.String keyWrapAlgo, EncryptionMaterials materials, ContentCryptoScheme contentCryptoScheme, AWSKMSClient kms)
static ContentCryptoMaterial fromObjectMetadata(ObjectMetadata metadata, EncryptionMaterialsAccessor kekMaterialAccessor, java.security.Provider securityProvider, boolean keyWrapExpected, AWSKMSClient kms)
static ContentCryptoMaterial fromObjectMetadata(ObjectMetadata metadata, EncryptionMaterialsAccessor kekMaterialAccessor, java.security.Provider securityProvider, long[] range, ExtraMaterialsDescription extra, boolean keyWrapExpected, AWSKMSClient kms)
private static ContentCryptoMaterial fromObjectMetadata0(ObjectMetadata metadata, EncryptionMaterialsAccessor kekMaterialAccessor, java.security.Provider securityProvider, long[] range, ExtraMaterialsDescription extra, boolean keyWrapExpected, AWSKMSClient kms)
private static KeyWrapException newKeyWrapException()
static ContentCryptoMaterial fromInstructionFile(java.util.Map<java.lang.String,java.lang.String> instFile, EncryptionMaterialsAccessor kekMaterialAccessor, java.security.Provider securityProvider, boolean keyWrapExpected, AWSKMSClient kms)
static ContentCryptoMaterial fromInstructionFile(java.util.Map<java.lang.String,java.lang.String> instFile, EncryptionMaterialsAccessor kekMaterialAccessor, java.security.Provider securityProvider, long[] range, ExtraMaterialsDescription extra, boolean keyWrapExpected, AWSKMSClient kms)
private static ContentCryptoMaterial fromInstructionFile0(java.util.Map<java.lang.String,java.lang.String> instFile, EncryptionMaterialsAccessor kekMaterialAccessor, java.security.Provider securityProvider, long[] range, ExtraMaterialsDescription extra, boolean keyWrapExpected, AWSKMSClient kms)
static java.lang.String parseInstructionFile(S3Object instructionFile)
private static java.lang.String convertStreamToString(java.io.InputStream inputStream) throws java.io.IOException
java.io.IOException
CipherLite getCipherLite()
java.util.Map<java.lang.String,java.lang.String> getKEKMaterialsDescription()
byte[] getEncryptedCEK()
ContentCryptoMaterial recreate(java.util.Map<java.lang.String,java.lang.String> newKEKMatDesc, EncryptionMaterialsAccessor accessor, S3CryptoScheme targetScheme, java.security.Provider p, AWSKMSClient kms, AmazonWebServiceRequest req)
newKEKMatDesc - material descriptions for the new KEK; never null
accessor - used to retrieve the KEK given the corresponding material description
targetScheme - the target crypto scheme to be used for key wrapping, etc.
p - optional security provider; null means to use the default.
Throws: java.lang.SecurityException - if the old and new material description are the same; or if the old and new KEK are the same
ContentCryptoMaterial recreate(EncryptionMaterials newKEK, EncryptionMaterialsAccessor accessor, S3CryptoScheme targetScheme, java.security.Provider p, AWSKMSClient kms, AmazonWebServiceRequest req)
newKEK - encryption materials for the new KEK; must not be null
accessor - used to retrieve the original KEK given the corresponding material description
targetScheme - the target crypto scheme to use for recreating the content crypto material
p - optional security provider; null means to use the default.
Throws: java.lang.SecurityException - if the old and new material description are the same; or if the old and new KEK are the same
static ContentCryptoMaterial create(javax.crypto.SecretKey cek, byte[] iv, EncryptionMaterials kekMaterials, ContentCryptoScheme contentCryptoScheme, S3CryptoScheme targetScheme, java.security.Provider provider, AWSKMSClient kms, AmazonWebServiceRequest req)
Returns a new instance of ContentCryptoMaterial for the input parameters using the specified content crypto scheme, and the key wrapping and secure randomness specified by the given s3 crypto scheme.
Note network calls are involved if the CEK is to be protected by KMS.
cek - content encrypting key; must not be null.
iv - initialization vector; must not be null.
contentCryptoScheme - content crypto scheme to be used
targetScheme - the target s3 crypto scheme to be used for recreating the content crypto material by providing the key wrapping scheme and mechanism for secure randomness
provider - optional security provider
static ContentCryptoMaterial create(javax.crypto.SecretKey cek, byte[] iv, EncryptionMaterials kekMaterials, S3CryptoScheme scheme, java.security.Provider provider, AWSKMSClient kms, AmazonWebServiceRequest req)
Returns a new instance of ContentCryptoMaterial for the input parameters using the specified s3 crypto scheme.
Note network calls are involved if the CEK is to be protected by KMS.
cek - content encrypting key
iv - initialization vector
kekMaterials - kek encryption material used to secure the CEK; can be KMS enabled.
scheme - s3 crypto scheme to be used for the content crypto material by providing the content crypto scheme, key wrapping scheme and mechanism for secure randomness
provider - optional security provider
kms - reference to the KMS client
req - originating service request
private static ContentCryptoMaterial doCreate(javax.crypto.SecretKey cek, byte[] iv, EncryptionMaterials kekMaterials, ContentCryptoScheme contentCryptoScheme, S3CryptoScheme targetS3CryptoScheme, java.security.Provider provider, AWSKMSClient kms, AmazonWebServiceRequest req)
Returns a new instance of ContentCryptoMaterial for the given input parameters by using the specified content crypto scheme, and S3 crypto scheme.
Note network calls are involved if the CEK is to be protected by KMS.
cek - content encrypting key
iv - initialization vector
kekMaterials - kek encryption material used to secure the CEK; can be KMS enabled.
contentCryptoScheme - content crypto scheme to be used, which can differ from the one of targetS3CryptoScheme
targetS3CryptoScheme - the target s3 crypto scheme to be used for providing the key wrapping scheme and mechanism for secure randomness
provider - security provider
kms - reference to the KMS client
req - the originating AWS service request
public static ContentCryptoMaterial wrap(javax.crypto.SecretKey cek, byte[] iv, ContentCryptoScheme contentCryptoScheme, java.security.Provider provider, SecuredCEK cekSecured)
Returns a new instance of ContentCryptoMaterial by wrapping the input parameters, including the already secured CEK. No network calls are involved.
private static SecuredCEK secureCEK(javax.crypto.SecretKey cek, EncryptionMaterials materials, S3KeyWrapScheme kwScheme, java.security.SecureRandom srand, java.security.Provider p, AWSKMSClient kms, AmazonWebServiceRequest req)
cek - content encrypting key to be secured
materials - used to provide the key-encryption-key (KEK); or if it is KMS-enabled, the customer master key id and material description.
contentCryptoScheme - the content crypto scheme
p - optional security provider; can be null if the default is used.
static java.util.Map<java.lang.String,java.lang.String> mergeMaterialDescriptions(EncryptionMaterials materials, AmazonWebServiceRequest req)