feat: Enforce Rotation Functionality for ReEncrypt-feature #474
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
added 30 commits June 17, 2025 15:16
…file implementation
…stom instruction file suffix if specified
…on files with AES + RSA keyrings and both of these tests pass
… third-party client is unable toretrieve the encrypted object in s3 if they do not include the overrideConfiguration with their custom instruction file suffix since it will by default use the original instruction file, not theirs.:
…ion object, not the object itself. Also reworded one of the exception messages to be clearer for when instruction file suffix request is specified for AES keyring (which should not happen)
…MaterialsDescription class
…ataKeyMatDescOrContext()
added 17 commits July 10, 2025 21:13
… support both the default and custom instruction file suffixes
… since secureRandom should now be initialized by default. I also removed all the unused imports
…SA keyrings in all of the test cases
….encryptedDataKeyMatDescOrContext()
…r enforceRotation in javadoc
…file suffix + legacy wrapping algorithm upgrades from V1/V2 to V3
…eSuffix to mention that the . prefix is automatically added to the suffix + in reEncryptInstructionFileResponse, the . prefix will be removed from the suffix and return what the user requested the suffix be
…odified test cases to illustrate this
kessplas requested changes Jul 18, 2025
| DecryptionMaterials decryptedMaterials = this._cryptoMaterialsManager.decryptMaterials( | ||
| DecryptMaterialsRequest.builder() | ||
| .algorithmSuite(newEncryptionMaterials.algorithmSuite()) | ||
| .encryptedDataKeys(Collections.singletonList(newEncryptionMaterials.encryptedDataKeys()).get(0)) |
There was a problem hiding this comment.
Suggested change
| .encryptedDataKeys(Collections.singletonList(newEncryptionMaterials.encryptedDataKeys()).get(0)) | |
| .encryptedDataKeys(newEncryptionMaterials.encryptedDataKeys()) |
| } catch (S3EncryptionClientException e) { | ||
| return; | ||
| } | ||
| throw new S3EncryptionClientException("Key rotation is not enforced! Old keyring is still able to decrypt the newly encrypted data key"); |
There was a problem hiding this comment.
I'd change this a bit. Instead of Key rotation is not enforced! (this kind of implies that enforceRotation is not set), maybe say Re-encryption failed due to enforced rotation! (then the second sentence).
| } | ||
| | ||
| /** | ||
| * Sets whether to enforce rotation for the re-encrypted instruction file. |
There was a problem hiding this comment.
Let's give a bit more info here:
When enabled, the client will attempt to decrypt the re-encrypted instruction file with the old key material and throw an exception when decryption succeeds. This is a stronger level of validation that the wrapping key has been rotated than the standard assertion that the materials descriptions are different.
| ReEncryptInstructionFileResponse response = client.reEncryptInstructionFile(reEncryptInstructionFileRequest); | ||
| assertTrue(response.enforceRotation()); | ||
| } catch (S3EncryptionClientException e) { | ||
| throw new RuntimeException("Enforce rotation should not throw exception"); |
There was a problem hiding this comment.
Suggested change
| throw new RuntimeException("Enforce rotation should not throw exception"); | |
| fail("Enforce rotation should not throw exception"); |
| | ||
| try { | ||
| ReEncryptInstructionFileResponse response = client.reEncryptInstructionFile(reEncryptInstructionFileRequest); | ||
| throw new RuntimeException("Enforce rotation should throw exception"); |
There was a problem hiding this comment.
Suggested change
| throw new RuntimeException("Enforce rotation should throw exception"); | |
| fail("Enforce rotation should throw exception"); |
| ReEncryptInstructionFileResponse response = v3OriginalClient.reEncryptInstructionFile(reEncryptInstructionFileRequest); | ||
| assertTrue(response.enforceRotation()); | ||
| } catch (S3EncryptionClientException e) { | ||
| throw new RuntimeException("Enforce rotation should not throw exception"); |
There was a problem hiding this comment.
Suggested change
| throw new RuntimeException("Enforce rotation should not throw exception"); | |
| fail("Enforce rotation should not throw exception"); |
| | ||
| try { | ||
| ReEncryptInstructionFileResponse response = v3OriginalClient.reEncryptInstructionFile(reEncryptInstructionFileRequest); | ||
| throw new RuntimeException("Enforce rotation should throw exception"); |
There was a problem hiding this comment.
Suggested change
| throw new RuntimeException("Enforce rotation should throw exception"); | |
| fail("Enforce rotation should throw exception"); |
| ReEncryptInstructionFileResponse response = v3OriginalClient.reEncryptInstructionFile(reEncryptInstructionFileRequest); | ||
| assertTrue(response.enforceRotation()); | ||
| } catch (S3EncryptionClientException e) { | ||
| throw new RuntimeException("Enforce rotation should not throw exception"); |
There was a problem hiding this comment.
Suggested change
| throw new RuntimeException("Enforce rotation should not throw exception"); | |
| fail("Enforce rotation should not throw exception"); |
| ReEncryptInstructionFileResponse response = v3OriginalClient.reEncryptInstructionFile(reEncryptInstructionFileRequest); | ||
| assertTrue(response.enforceRotation()); | ||
| } catch (S3EncryptionClientException e) { | ||
| throw new RuntimeException("Enforce rotation should not throw exception"); |
There was a problem hiding this comment.
Suggested change
| throw new RuntimeException("Enforce rotation should not throw exception"); | |
| fail("Enforce rotation should not throw exception"); |
| | ||
| try { | ||
| ReEncryptInstructionFileResponse response = v3OriginalClient.reEncryptInstructionFile(reEncryptInstructionFileRequest); | ||
| throw new RuntimeException("Enforce rotation should throw exception"); |
There was a problem hiding this comment.
Suggested change
| throw new RuntimeException("Enforce rotation should throw exception"); | |
| fail("Enforce rotation should throw exception"); |
added 4 commits July 18, 2025 13:40
…ation only (not for custom instruction file suffix since it does not make sense
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Description of changes:
I implemented the Enforce Rotation check for the ReEncrypt feature and I also wrote some test cases to test this logic.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: