feat: ReEncryptInstructionFile Implementation #470
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
added 21 commits June 17, 2025 15:16
…file implementation
…stom instruction file suffix if specified
…on files with AES + RSA keyrings and both of these tests pass
… third-party client is unable toretrieve the encrypted object in s3 if they do not include the overrideConfiguration with their custom instruction file suffix since it will by default use the original instruction file, not theirs.:
…ion object, not the object itself. Also reworded one of the exception messages to be clearer for when instruction file suffix request is specified for AES keyring (which should not happen)
…MaterialsDescription class
kessplas requested changes Jul 9, 2025
src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java Outdated Show resolved Hide resolved
src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java Outdated Show resolved Hide resolved
src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java Outdated Show resolved Hide resolved
src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java Outdated Show resolved Hide resolved
src/test/java/software/amazon/encryption/s3/S3EncryptionClientReEncryptInstructionFileTest.java Outdated Show resolved Hide resolved
src/test/java/software/amazon/encryption/s3/S3EncryptionClientReEncryptInstructionFileTest.java Outdated Show resolved Hide resolved
src/test/java/software/amazon/encryption/s3/S3EncryptionClientReEncryptInstructionFileTest.java Outdated Show resolved Hide resolved
src/test/java/software/amazon/encryption/s3/S3EncryptionClientReEncryptInstructionFileTest.java Outdated Show resolved Hide resolved
src/test/java/software/amazon/encryption/s3/S3EncryptionClientReEncryptInstructionFileTest.java Outdated Show resolved Hide resolved
added 5 commits July 10, 2025 20:28
added 14 commits July 10, 2025 21:10
…ataKeyMatDescOrContext()
… support both the default and custom instruction file suffixes
… since secureRandom should now be initialized by default. I also removed all the unused imports
…SA keyrings in all of the test cases
….encryptedDataKeyMatDescOrContext()
…r enforceRotation in javadoc
…file suffix + legacy wrapping algorithm upgrades from V1/V2 to V3
…eSuffix to mention that the . prefix is automatically added to the suffix + in reEncryptInstructionFileResponse, the . prefix will be removed from the suffix and return what the user requested the suffix be
kessplas requested changes Jul 11, 2025
| * This example demonstrates generating a custom instruction file to enable access to encrypted object by a third party. | ||
| * This enables secure sharing of encrypted objects without sharing private keys. | ||
| * This example demonstrates re-encrypting the encrypted data key in an instruction file with a new RSA wrapping key. | ||
| * The other cryptographic parameters in the instruction file such as the IV and wrapping algorithm remain unchanged. |
There was a problem hiding this comment.
Suggested change
| * The other cryptographic parameters in the instruction file such as the IV and wrapping algorithm remain unchanged. |
This refers to an implementation detail that customers shouldn't need to worry about. It's a useful comment for internal stuff but not necessary in the examples.
| assertTrue(e.getMessage().contains("Unable to RSA-OAEP-SHA1 unwrap")); | ||
| } | ||
| | ||
| // Create a new client with the rotated AES key |
There was a problem hiding this comment.
Suggested change
| // Create a new client with the rotated AES key | |
| // Create a new client with the rotated RSA key |
| * - Default instruction file suffix required for AES keyrings | ||
| * - Legacy to V3: Can rotate same wrapping key from legacy wrapping algorithms to fully supported wrapping algorithms | ||
| * - Within V3: When rotating the wrapping key, the new keyring must be different from the current keyring | ||
| * - Enforce Rotation: When enabled, ensures old keyring cannot decrypt data encrypted by new keyring |
There was a problem hiding this comment.
Suggested change
| * - Enforce Rotation: When enabled, ensures old keyring cannot decrypt data encrypted by new keyring |
nit: this PR doesn't have Enforce Rotation yet
| */ | ||
| public ReEncryptInstructionFileResponse reEncryptInstructionFile(ReEncryptInstructionFileRequest reEncryptInstructionFileRequest) { | ||
| GetObjectRequest request = GetObjectRequest.builder() | ||
| //GetObjectRequest MUST be kept the same |
There was a problem hiding this comment.
Suggested change
| //GetObjectRequest MUST be kept the same |
these comments aren't terribly helpful, final enforces this
| EncryptedDataKey originalEncryptedDataKeys = contentMetadata.encryptedDataKey(); | ||
| Map<String, String> currentKeyringMaterialsDescription = contentMetadata.encryptedDataKeyContext(); | ||
| byte[] iv = contentMetadata.contentIv(); | ||
| // Algorithm Suite MUST be kept the same |
There was a problem hiding this comment.
ditto, redundant comment (each of these)
| ); | ||
| byte[] plaintextDataKey = decryptedMaterials.plaintextDataKey(); | ||
| | ||
| //Plaintext Data Key MUST be kept the same |
| EncryptionMaterials encryptedMaterials = newKeyring.onEncrypt(encryptionMaterials); | ||
| | ||
| Map<String, String> newMaterialsDescription = encryptedMaterials.materialsDescription().getMaterialsDescription(); | ||
| //New Keyring MUST be kept the same |
added 3 commits July 14, 2025 10:27
…odified test cases to illustrate this
kessplas requested changes Jul 15, 2025
| .key(objectKey) | ||
| .build(), RequestBody.fromString(input)); | ||
| | ||
| // Generate a new RSA key pair for the third party customer |
There was a problem hiding this comment.
this is a bit nitty but I think worth it:
we should create two separate keyrings using the third party's key:
- one with just the public key (used in ReEncrypt) maybe called
sharedKeyring - second with the public+private key (used to show decryption works)
this is more accurate to the workflow
akareddy04 changed the title Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
Implemented the reEncryptInstructionFile feature and I also modified the current API to help support this.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: