Comments (6)
Hi! Thanks for the bug report, you're right and this is something we want to support, although we don't yet have a timeline for closing this gap. We're thinking about doing it by adding a replacement for JceMasterKey and KeyStoreProvider, which will come with support for symmetric master keys. Which keystore implementation are you using with the KeyStoreProvider?
from aws-encryption-sdk-java.
I am currently using "BKS":
KeyStore.getInstance("BKS", "BC");
But I'm open to other options with what JCE/Bouncy Castle support.
My current hack is this (and fails for keys that begin with the same prefix... again, a hack):
USSFNRSPICKEL01:aws-encryption-sdk-java ricks$ git diff
diff --git a/src/main/java/com/amazonaws/encryptionsdk/jce/KeyStoreProvider.java b/src/main/java/com/amazonaws/encryptionsdk/jce/KeyStoreProvider.java
index 1e92cd2..5fd0553 100644
--- a/src/main/java/com/amazonaws/encryptionsdk/jce/KeyStoreProvider.java
+++ b/src/main/java/com/amazonaws/encryptionsdk/jce/KeyStoreProvider.java
@@ -178,6 +178,19 @@ public class KeyStoreProvider extends MasterKeyProvider<JceMasterKey> {
return result;
}
}
+ // ugly hack, try to decrypt with each master key that matches the front...
+ for (final String al : Collections.list(keystore_.aliases()))
+ {
+ if (alias.startsWith(al))
+ {
+ final DataKey<JceMasterKey> result = getMasterKey(al).decryptDataKey(algorithm,
+ Collections.singletonList(edk),
+ encryptionContext);
+ if (result != null) {
+ return result;
+ }
+ }
+ }
}
} catch (final Exception ex) {
exceptions.add(ex);
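Review bot: the prefix loop at `if (alias.startsWith(al))` tries every alias that is a prefix of the provider information, in keystore iteration order, so with aliases such as `key` and `key2` the shorter one may be tried first, and for a trusted-certificate alias `getMasterKey(al).decryptDataKey(...)` is attempted on an entry that cannot unwrap a data key; consider filtering on `keystore_.isKeyEntry(al)`, ordering candidates longest-alias-first, and skipping the alias already tried by the exact-match branch above. Also, because the `catch (final Exception ex)` sits outside the alias loop, the first candidate that throws aborts the remaining candidates for that EDK; catching per candidate would let the loop continue and still record the failure in `exceptions`.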
Easier to read, the full method:
    /**
     * Attempts to decrypts the {@code encryptedDataKeys} by first iterating through all
     * {@code aliasNames} specified in the constructor and then over
     * <em>all other compatible keys</em> in the {@link KeyStore}. This includes
     * {@code TrustedCertificates} as well as standard key entries.
     */
    @Override
    public DataKey<JceMasterKey> decryptDataKey(final CryptoAlgorithm algorithm,
            final Collection<? extends EncryptedDataKey> encryptedDataKeys,
            final Map<String, String> encryptionContext)
            throws UnsupportedProviderException, AwsCryptoException {
        final List<Exception> exceptions = new ArrayList<>();
        for (final EncryptedDataKey edk : encryptedDataKeys) {
            try {
                if (canProvide(edk.getProviderId())) {
                    // Provider information is interpreted as the keystore alias.
                    final String alias = new String(edk.getProviderInformation(), StandardCharsets.UTF_8);
                    if (keystore_.isKeyEntry(alias)) {
                        final DataKey<JceMasterKey> result = getMasterKey(alias).decryptDataKey(algorithm,
                                Collections.singletonList(edk),
                                encryptionContext);
                        if (result != null) {
                            return result;
                        }
                    }
                    // ugly hack, try to decrypt with each master key that matches the front...
                    for (final String al : Collections.list(keystore_.aliases()))
                    {
                        if (alias.startsWith(al))
                        {
                            final DataKey<JceMasterKey> result = getMasterKey(al).decryptDataKey(algorithm,
                                    Collections.singletonList(edk),
                                    encryptionContext);
                            if (result != null) {
                                return result;
                            }
                        }
                    }
                }
            } catch (final Exception ex) {
                exceptions.add(ex);
            }
        }
        throw buildCannotDecryptDksException(exceptions);
    }
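The prefix hack above is ambiguous when one alias is a prefix of another. As an added illustration (not code from the SDK or from the commenter), the hypothetical helper below builds an in-memory PKCS12 keystore with two AES keys whose aliases share a prefix, then lists the candidate aliases for a given provider-information string, restricted to key entries and ordered longest-first, so a caller trying them in turn reaches the most specific match before falling back to the shorter one. The sample aliases and provider-information strings are constructed for the demonstration.

```java
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class AliasCandidates {
    // Hypothetical helper: aliases that the provider info starts with, key entries only,
    // longest alias first so "key2" is tried before "key" for info beginning with "key2".
    static List<String> candidateAliases(KeyStore ks, String providerInfo) throws Exception {
        List<String> out = new ArrayList<>();
        for (String al : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(al)) {
                continue; // trusted-certificate entries cannot unwrap a data key
            }
            if (providerInfo.startsWith(al)) {
                out.add(al);
            }
        }
        out.sort(Comparator.comparingInt(String::length).reversed());
        return out;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, pw); // fresh, empty in-memory keystore
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        // Constructed sample: two symmetric keys whose aliases share a prefix.
        for (String al : new String[] {"key", "key2"}) {
            SecretKey k = kg.generateKey();
            ks.setEntry(al, new KeyStore.SecretKeyEntry(k), new KeyStore.PasswordProtection(pw));
        }
        // Constructed provider-information strings with bytes following the alias.
        System.out.println(candidateAliases(ks, "key2-suffix"));
        System.out.println(candidateAliases(ks, "key-suffix"));
        System.out.println(candidateAliases(ks, "other"));
    }
}
```

Ordering only reduces the ambiguity: if the bytes after the alias "key" happen to begin with "2", both candidates are still returned, so the caller should keep trying the remaining candidates rather than stop at the first one that fails.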
Thanks for the feedback. We’ll look into a way that we can support symmetric master keys in the future.
Is there a plan for fixing this? It's pretty weird that the JCE KeyStoreProvider doesn't work for symmetric keys when it seems it should be a drop-in replacement for the KmsMasterKeyProvider; I'm trying to use it for a local development setup instead of KmsMasterKeyProvider.
Hey bbeck10,
We don't have a specific plan for updating Master Key Providers; instead, we plan to move the Java Encryption SDK to our new and improved way of specifying wrapping keys, Keyrings, which do support symmetric keys.
In the meantime, your best option for local development is likely to do some sort of mocking of KMS.
I'm going to close this out, but feel free to re-open or open another issue if you have any other questions.
Thanks,
Ben