Expand Up @@ -3,6 +3,7 @@
package software.amazon.encryption.s3;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.apache.commons.logging.LogFactory;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
Expand Down Expand Up @@ -61,6 +62,7 @@
import software.amazon.encryption.s3.materials.MultipartConfiguration;
import software.amazon.encryption.s3.materials.PartialRsaKeyPair;
import software.amazon.encryption.s3.materials.RsaKeyring;
import software.amazon.encryption.s3.materials.S3Keyring;

import javax.crypto.SecretKey;
import java.io.IOException;
Expand Down Expand Up @@ -1068,6 +1070,12 @@ public S3EncryptionClient build() {
if (!onlyOneNonNull(_cryptoMaterialsManager, _keyring, _aesKey, _rsaKeyPair, _kmsKeyId)) {
throw new S3EncryptionClientException("Exactly one must be set of: crypto materials manager, keyring, AES key, RSA key pair, KMS key id");
}
if (_enableLegacyWrappingAlgorithms && _keyring !=null) {
S3Keyring keyring = (S3Keyring) _keyring;
if (!keyring.areLegacyWrappingAlgorithmsEnabled()) {
LogFactory.getLog(getClass()).warn("enableLegacyWrappingAlgorithms is set on the client, but is not set on the keyring provided. In order to enable legacy wrapping algorithms, set enableLegacyWrappingAlgorithms to true in the keyring's builder.");
}
}

if (_bufferSize >= 0) {
if (_enableDelayedAuthenticationMode) {
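Review bot: The unchecked cast `S3Keyring keyring = (S3Keyring) _keyring;` turns a best-effort configuration warning into a hard ClassCastException at build time for any Keyring implementation that does not extend S3Keyring; guard it instead, e.g. `if (_enableLegacyWrappingAlgorithms && _keyring instanceof S3Keyring && !((S3Keyring) _keyring).areLegacyWrappingAlgorithmsEnabled()) {`. The declared type of `_keyring` is not visible in this hunk, so confirm against the field declaration whether a non-S3Keyring value can actually reach this point. The check only reports the client-enabled/keyring-disabled mismatch; a short comment such as `// Only the client-on/keyring-off mismatch is reported here; the reverse case is not diagnosed` would make that scope explicit for the next maintainer. `LogFactory.getLog(getClass())` also looks up a logger on every build() call, where a `private static final Log` field would be the conventional form. build() begins and ends outside the hunk.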
Expand Up @@ -33,6 +33,11 @@ protected S3Keyring(Builder<?, ?> builder) {
_dataKeyGenerator = builder._dataKeyGenerator;
}

/**
* @return true if legacy wrapping algorithms are enabled, false otherwise
*/
public boolean areLegacyWrappingAlgorithmsEnabled() { return _enableLegacyWrappingAlgorithms;}

/**
* Generates a data key using the provided EncryptionMaterials and the configured DataKeyGenerator.
* <p>
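Review bot: The Javadoc on the new accessor has only an `@return` tag and no summary sentence, and the one-line body is missing a space before its closing brace; write it as `/** Reports whether this keyring was built with legacy wrapping algorithms enabled. */` above `public boolean areLegacyWrappingAlgorithmsEnabled() { return _enableLegacyWrappingAlgorithms; }`, keeping the `@return` line. The enclosing S3Keyring class starts and ends outside the hunk.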
Expand Up @@ -15,15 +15,9 @@
import com.amazonaws.services.s3.model.EncryptedPutObjectRequest;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.GetObjectMetadataRequest;
import com.amazonaws.services.s3.model.InitiateMultipartUploadRequest;
import com.amazonaws.services.s3.model.InitiateMultipartUploadResult;
import com.amazonaws.services.s3.model.KMSEncryptionMaterials;
import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.StorageClass;
import com.amazonaws.services.s3.model.UploadObjectRequest;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import software.amazon.awssdk.core.ResponseBytes;
Expand All @@ -34,25 +28,21 @@
import software.amazon.awssdk.services.s3.model.MetadataDirective;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.encryption.s3.internal.InstructionFileConfig;
import software.amazon.encryption.s3.utils.BoundedInputStream;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ExecutionException;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static software.amazon.encryption.s3.S3EncryptionClient.builder;

import static software.amazon.encryption.s3.S3EncryptionClient.withAdditionalConfiguration;
import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.BUCKET;
import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.KMS_KEY_ID;
Expand Down Expand Up @@ -976,4 +966,5 @@ public void nullMaterialDescriptionV3() {
v3Client.close();

}

can we also add a simple test (for each keyring) that when _enableLegacyWrappingAlgorithms is set on the keyring and the client that there's no error?

also if we're logging instead,
it's a bit harder to test that.
it should be possible though,
we can chat offline

}