Additional example code for Keyrings

Author: WesleyRosenblum

pom.xml

@@ -80,6 +80,19 @@
             <scope>test</scope>
         </dependency>
 
+        <dependency>
+            <groupId>com.amazonaws</groupId>
+            <artifactId>aws-lambda-java-core</artifactId>
+            <version>1.2.0</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>com.amazonaws</groupId>
+            <artifactId>aws-lambda-java-events</artifactId>
+            <version>2.2.7</version>
+            <scope>test</scope>
+        </dependency>
 
         <dependency>
             <groupId>com.google.code.findbugs</groupId>

src/examples/java/com/amazonaws/crypto/examples/BasicEncryptionExample.java

@@ -85,7 +85,7 @@ static void encryptAndDecrypt(final AwsKmsCmkId keyArn) {
         }
 
         // 7. Also, verify that the encryption context in the result contains the
-        //    encryption context supplied to the encryptData method. Because the
+        //    encryption context supplied to the encrypt method. Because the
         //    SDK can add values to the encryption context, don't require that
         //    the entire context matches.
         if (!encryptionContext.entrySet().stream()

src/examples/java/com/amazonaws/crypto/examples/RawAesKeyringExample.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except
+ * in compliance with the License. A copy of the License is located at
+ *
+ * http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.amazonaws.crypto.examples;
+
+import com.amazonaws.encryptionsdk.AwsCrypto;
+import com.amazonaws.encryptionsdk.AwsCryptoResult;
+import com.amazonaws.encryptionsdk.DecryptRequest;
+import com.amazonaws.encryptionsdk.EncryptRequest;
+import com.amazonaws.encryptionsdk.keyrings.Keyring;
+import com.amazonaws.encryptionsdk.keyrings.StandardKeyrings;
+
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Map;
+
+/**
+ * <p>
+ * Encrypts and then decrypts data using the Raw AES Keyring.
+ */
+public class RawAesKeyringExample {
+
+    private static final byte[] EXAMPLE_DATA = "Hello World".getBytes(StandardCharsets.UTF_8);
+
+    public static void main(final String[] args) {
+        encryptAndDecrypt();
+    }
+
+    static void encryptAndDecrypt() {
+        // 1. Instantiate the SDK
+        final AwsCrypto crypto = new AwsCrypto();
+
+        // 2. Retrieve an encryption key. In this example, we generate a random key.
+        //    In practice, you would get a key from an existing store
+        final SecretKey cryptoKey = retrieveEncryptionKey();
+
+        // 3. Instantiate a Raw AES Keyring with the encryption key
+        final Keyring keyring = StandardKeyrings.rawAes()
+                .keyNamespace("ExampleKeyNamespace")
+                .keyName("ExampleKeyName")
+                .wrappingKey(cryptoKey).build();
+
+        // 4. Create an encryption context
+        //
+        //    Most encrypted data should have an associated encryption context
+        //    to protect integrity. This sample uses placeholder values.
+        //
+        //    For more information see:
+        //    blogs.aws.amazon.com/security/post/Tx2LZ6WBJJANTNW/How-to-Protect-the-Integrity-of-Your-Encrypted-Data-by-Using-AWS-Key-Management
+        final Map<String, String> encryptionContext = Collections.singletonMap("ExampleContextKey", "ExampleContextValue");
+
+        // 5. Encrypt the data with the keyring and encryption context
+        final AwsCryptoResult<byte[]> encryptResult = crypto.encrypt(EncryptRequest.builder()
+                .keyring(keyring)
+                .encryptionContext(encryptionContext)
+                .plaintext(EXAMPLE_DATA).build());
+        final byte[] ciphertext = encryptResult.getResult();
+
+        // 6. Decrypt the data
+        final AwsCryptoResult<byte[]> decryptResult = crypto.decrypt(DecryptRequest.builder()
+                .keyring(keyring)
+                .ciphertext(ciphertext).build());
+
+        // 7. Before verifying the plaintext, verify that the key that was used in the encryption
+        //    operation was the one used during the decryption operation.
+        if (!decryptResult.getKeyringTrace().getEntries().get(0).getKeyName().equals("ExampleKeyName")) {
+            throw new IllegalStateException("Wrong key ID!");
+        }
+
+        // 8. Also, verify that the encryption context in the result contains the
+        // encryption context supplied to the encrypt method. Because the
+        // SDK can add values to the encryption context, don't require that
+        // the entire context matches.
+        if (!encryptionContext.entrySet().stream()
+                .allMatch(e -> e.getValue().equals(decryptResult.getEncryptionContext().get(e.getKey())))) {
+            throw new IllegalStateException("Wrong Encryption Context!");
+        }
+
+        // 9. Verify that the decrypted plaintext matches the original plaintext
+        assert Arrays.equals(decryptResult.getResult(), EXAMPLE_DATA);
+    }
+
+    /**
+     * In practice, this key would be saved in a secure location.
+     * For this demo, we generate a new random key for each operation.
+     */
+    private static SecretKey retrieveEncryptionKey() {
+        SecureRandom rnd = new SecureRandom();
+        byte[] rawKey = new byte[16]; // 128 bits
+        rnd.nextBytes(rawKey);
+        return new SecretKeySpec(rawKey, "AES");
+    }
+}

src/examples/java/com/amazonaws/crypto/examples/RawRsaKeyringDecryptExample.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except
+ * in compliance with the License. A copy of the License is located at
+ *
+ * http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.amazonaws.crypto.examples;
+
+import com.amazonaws.encryptionsdk.AwsCrypto;
+import com.amazonaws.encryptionsdk.AwsCryptoResult;
+import com.amazonaws.encryptionsdk.DecryptRequest;
+import com.amazonaws.encryptionsdk.keyrings.Keyring;
+import com.amazonaws.encryptionsdk.keyrings.StandardKeyrings;
+
+import java.security.KeyPair;
+
+/**
+ * <p>
+ * Decrypts data using the Raw RSA Keyring.
+ */
+public class RawRsaKeyringDecryptExample {
+
+    public static byte[] decrypt(byte[] ciphertext, KeyPair keyPair) {
+        // 1. Instantiate the SDK
+        final AwsCrypto crypto = new AwsCrypto();
+
+        // 2. Instantiate a Raw RSA Keyring with the private key
+        final Keyring keyring = StandardKeyrings.rawRsa()
+                .keyNamespace("ExampleKeyNamespace")
+                .keyName("ExampleKeyName")
+                .wrappingAlgorithm("RSA/ECB/OAEPWithSHA-512AndMGF1Padding")
+                .privateKey(keyPair.getPrivate()).build();
+
+        // 3. Decrypt the ciphertext with the keyring
+        final AwsCryptoResult<byte[]> decryptResult = crypto.decrypt(DecryptRequest.builder()
+                .keyring(keyring)
+                .ciphertext(ciphertext).build());
+
+        // 4. Return the decrypted byte array result
+        return decryptResult.getResult();
+    }
+}

src/examples/java/com/amazonaws/crypto/examples/RawRsaKeyringEncryptExample.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except
+ * in compliance with the License. A copy of the License is located at
+ *
+ * http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.amazonaws.crypto.examples;
+
+import com.amazonaws.encryptionsdk.AwsCrypto;
+import com.amazonaws.encryptionsdk.AwsCryptoResult;
+import com.amazonaws.encryptionsdk.EncryptRequest;
+import com.amazonaws.encryptionsdk.keyrings.Keyring;
+import com.amazonaws.encryptionsdk.keyrings.StandardKeyrings;
+
+import java.nio.charset.StandardCharsets;
+import java.security.PublicKey;
+import java.util.Collections;
+import java.util.Map;
+
+/**
+ * Encrypts data using the Raw RSA Keyring.
+ */
+public class RawRsaKeyringEncryptExample {
+
+    static final byte[] EXAMPLE_DATA = "Hello World".getBytes(StandardCharsets.UTF_8);
+
+    public static byte[] encrypt(PublicKey publicKey) {
+        // 1. Instantiate the SDK
+        final AwsCrypto crypto = new AwsCrypto();
+
+        // 2. Instantiate a Raw RSA Keyring with the public key
+        final Keyring keyring = StandardKeyrings.rawRsa()
+                .keyNamespace("ExampleKeyNamespace")
+                .keyName("ExampleKeyName")
+                .wrappingAlgorithm("RSA/ECB/OAEPWithSHA-512AndMGF1Padding")
+                .publicKey(publicKey).build();
+
+        // 3. Create an encryption context
+        //
+        //    Most encrypted data should have an associated encryption context
+        //    to protect integrity. This sample uses placeholder values.
+        //
+        //    For more information see:
+        //    blogs.aws.amazon.com/security/post/Tx2LZ6WBJJANTNW/How-to-Protect-the-Integrity-of-Your-Encrypted-Data-by-Using-AWS-Key-Management
+        final Map<String, String> encryptionContext = Collections.singletonMap("ExampleContextKey", "ExampleContextValue");
+
+        // 4. Encrypt the data with the keyring and encryption context
+        final AwsCryptoResult<byte[]> encryptResult = crypto.encrypt(EncryptRequest.builder()
+                .keyring(keyring)
+                .encryptionContext(encryptionContext)
+                .plaintext(EXAMPLE_DATA).build());
+
+        // 5. Return the encrypted byte array result
+        return encryptResult.getResult();
+    }
+}

src/examples/java/com/amazonaws/crypto/examples/datakeycaching/LambdaDecryptAndWriteExample.java

@@ -0,0 +1,97 @@
+/*
+ * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except
+ * in compliance with the License. A copy of the License is located at
+ *
+ * http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+
+package com.amazonaws.crypto.examples.datakeycaching;
+
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+import java.util.concurrent.TimeUnit;
+
+import com.amazonaws.encryptionsdk.AwsCrypto;
+import com.amazonaws.encryptionsdk.AwsCryptoResult;
+import com.amazonaws.encryptionsdk.DecryptRequest;
+import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager;
+import com.amazonaws.encryptionsdk.caching.LocalCryptoMaterialsCache;
+import com.amazonaws.encryptionsdk.keyrings.StandardKeyrings;
+import com.amazonaws.encryptionsdk.kms.AwsKmsCmkId;
+import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
+import com.amazonaws.services.dynamodbv2.document.DynamoDB;
+import com.amazonaws.services.dynamodbv2.document.Item;
+import com.amazonaws.services.dynamodbv2.document.Table;
+import com.amazonaws.services.lambda.runtime.Context;
+import com.amazonaws.services.lambda.runtime.RequestHandler;
+import com.amazonaws.services.lambda.runtime.events.KinesisEvent;
+import com.amazonaws.services.lambda.runtime.events.KinesisEvent.KinesisEventRecord;
+import com.amazonaws.util.BinaryUtils;
+
+/**
+ * Decrypts all incoming Kinesis records and writes records to DynamoDB.
+ */
+public class LambdaDecryptAndWriteExample implements RequestHandler<KinesisEvent, Void> {
+    private static final long MAX_ENTRY_AGE_MILLISECONDS = 600000;
+    private static final int MAX_CACHE_ENTRIES = 100;
+    private final CachingCryptoMaterialsManager cachingMaterialsManager_;
+    private final AwsCrypto crypto_;
+    private final Table table_;
+
+    /**
+     * Because the cache is used only for decryption, the code doesn't set
+     * the max bytes or max message security thresholds that are enforced
+     * only on on data keys used for encryption.
+     *
+     * @param cmkArn The AWS KMS customer master key to use for decryption
+     * @param tableName The DynamoDB table name to store decrypted messages in
+     */
+    public LambdaDecryptAndWriteExample(final String cmkArn, final String tableName) {
+        cachingMaterialsManager_ = CachingCryptoMaterialsManager.newBuilder()
+                .withKeyring(StandardKeyrings.awsKms(AwsKmsCmkId.fromString(cmkArn)))
+                .withCache(new LocalCryptoMaterialsCache(MAX_CACHE_ENTRIES))
+                .withMaxAge(MAX_ENTRY_AGE_MILLISECONDS, TimeUnit.MILLISECONDS)
+                .build();
+        crypto_ = new AwsCrypto();
+        table_ = new DynamoDB(AmazonDynamoDBClientBuilder.defaultClient()).getTable(tableName);
+    }
+
+    /**
+     * Decrypts Kinesis events and writes the data to DynamoDB
+     *
+     * @param event The KinesisEvent to decrypt
+     * @param context The lambda context
+     */
+    @Override
+    public Void handleRequest(KinesisEvent event, Context context) {
+        for (KinesisEventRecord record : event.getRecords()) {
+            ByteBuffer ciphertextBuffer = record.getKinesis().getData();
+            byte[] ciphertext = BinaryUtils.copyAllBytesFrom(ciphertextBuffer);
+
+            // Decrypt and unpack record
+            AwsCryptoResult<byte[]> plaintextResult = crypto_.decrypt(
+                    DecryptRequest.builder()
+                            .cryptoMaterialsManager(cachingMaterialsManager_)
+                            .ciphertext(ciphertext).build());
+
+            // Verify the encryption context value
+            String streamArn = record.getEventSourceARN();
+            String streamName = streamArn.substring(streamArn.indexOf("/") + 1);
+            if (!streamName.equals(plaintextResult.getEncryptionContext().get("stream"))) {
+                throw new IllegalStateException("Wrong Encryption Context!");
+            }
+
+            // Write record to DynamoDB
+            String jsonItem = new String(plaintextResult.getResult(), StandardCharsets.UTF_8);
+            table_.putItem(Item.fromJSON(jsonItem));
+        }
+
+        return null;
+    }
+}