Skip to content

chore: validate against legacy wrapping on client but customer passes keyring with no legacy wrapping #473

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Jul 21, 2025
Merged

chore: validate against legacy wrapping on client but customer passes keyring with no legacy wrapping #473

merged 10 commits into from
Jul 21, 2025

Conversation

akareddy04
Copy link
Contributor

Issue #, if available:

Description of changes:

Added validation for the case where enableLegacyWrappingAlgorithms is set on the client, but customer passes in a keyring to S3EC builder where enableLegacyWrappingAlgorithms is not set on keyring.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

akareddy04 and others added 4 commits May 20, 2025 19:33
@akareddy04
Merge pull request #1 from aws/main
d217f60 
Amazon S3 Encryption Client 3.3.5 Release -- 2025-05-20
Add validation tests to demonstrate that setting enableLegacyWrapping…
aff10d9 
…Algorithms

on the S3 Encryption Client while passing in a keyring that does not have it enabled will fail
added public getter function to retrieve whether enableLegacyWrapping…
c5b8e41 
…Algorithm was enabled or not for keyring. From there, in the S3EncryptionClient Builder, I checked whether enableLegacyWrappingAlgorithm was set, but was not set for the keyring that was passed; if not, an exception is thrown. The test cases I wrote illustrates this
throws runtime exception if build was successful in test cases (shoul…
f7023a4 
…d not be)
@akareddy04 akareddy04 requested a review from a team as a code owner July 15, 2025 17:09
@akareddy04 akareddy04 changed the title Aniravk/validate against legacy wrapping on client but customer passes keyring aniravk/validate against legacy wrapping on client but customer passes keyring Jul 15, 2025
kessplas
kessplas requested changes Jul 15, 2025
View reviewed changes
src/main/java/software/amazon/encryption/s3/materials/S3Keyring.java Outdated
/**
* @return true if legacy wrapping algorithms are enabled, false otherwise
*/
public boolean enableLegacyWrappingAlgorithms() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public boolean enableLegacyWrappingAlgorithms() {
public boolean areLegacyWrappingAlgorithmsEnabled() {

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java Outdated
if (_enableLegacyWrappingAlgorithms && _keyring !=null && _keyring instanceof S3Keyring) {
S3Keyring keyring = (S3Keyring) _keyring;
if (!keyring.enableLegacyWrappingAlgorithms()) {
throw new S3EncryptionClientException("Legacy wrapping algorithms are not enabled for this keyring");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this error message can be much more helpful, maybe something like:

"enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder."

also....
i'm debating if we want to throw an exception here as it would be a breaking change.
it's better to log a warning.
let's do that instead.

src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java Outdated
}

@Test
public void validateAgainstSettingLegacyWrappingOnClientWithKmsKeyringPassedV1toV3() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this test name doesn't make sense

src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java
@@ -976,4 +981,71 @@ public void nullMaterialDescriptionV3() {
v3Client.close();

}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we also add a simple test (for each keyring) that when _enableLegacyWrappingAlgorithms is set on the keyring and the client that there's no error?

also if we're logging instead,
it's a bit harder to test that.
it should be possible though,
we can chat offline

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java Outdated
@@ -1068,6 +1069,12 @@ public S3EncryptionClient build() {
if (!onlyOneNonNull(_cryptoMaterialsManager, _keyring, _aesKey, _rsaKeyPair, _kmsKeyId)) {
throw new S3EncryptionClientException("Exactly one must be set of: crypto materials manager, keyring, AES key, RSA key pair, KMS key id");
}
if (_enableLegacyWrappingAlgorithms && _keyring !=null && _keyring instanceof S3Keyring) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we want to break out the _keyring instanceof S3Keyring check;
if the customer passes a custom keyring (i.e. not an S3Keyring instance),
then setting _enableLegacyWrappingAlgorithms on the client is still useless.
we can't check keyring.enableLegacyWrappingAlgorithms() so we should log in any case.

Anirav Kareddy added 4 commits July 18, 2025 10:22
made changes according to first round of PR
7d8dda5
change in pom.xml
30cc33c
had to remove the ability to test for logged warnings due to vulnerab…
12907a0 
…ilties in the dependency + most of the dependencies latest versions only support java 11 and we are currently only supporting java 8
Remove logback-test.xml configuration file
0eaedf0
@akareddy04 akareddy04 changed the title aniravk/validate against legacy wrapping on client but customer passes keyring chore: validate against legacy wrapping on client but customer passes keyring with no legacy wrapping Jul 21, 2025
@kessplas kessplas merged commit bb898d1 into main Jul 21, 2025
28 of 31 checks passed
@kessplas kessplas deleted the aniravk/validateAgainstLegacyWrappingOnClientButCustomerPassesKeyring branch July 21, 2025 17:26
aws-crypto-tools-ci-bot pushed a commit that referenced this pull request Jul 30, 2025
@semantic-release-bot
Amazon S3 Encryption Client 3.4.0 Release -- 2025-07-30
59027c4 
## [3.4.0](v3.3.5...v3.4.0) (2025-07-30)

### Features

* put object with instruction file configured  ([#466](#466)) ([99077dc](99077dc))
* reEncryptInstructionFile Implementation  ([#475](#475)) ([ff66e72](ff66e72))
* reEncryptInstructionFile Implementation ([#478](#478)) ([f7e6fa5](f7e6fa5))

### Fixes

* Revert "feat: reEncryptInstructionFile Implementation  ([#475](#475))" ([#477](#477)) ([6d45ec5](6d45ec5))

### Maintenance

* guard against properties conflicts ([#479](#479)) ([793c73b](793c73b))
* **pom:** fix scm url ([#469](#469)) ([1bc2ca3](1bc2ca3))
* **release:** Migrate release to Central Portal ([#468](#468)) ([da71231](da71231))
* validate against legacy wrapping on client but customer passes keyring with no legacy wrapping ([#473](#473)) ([bb898d1](bb898d1))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kessplas kessplas kessplas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@akareddy04 @kessplas