public abstract class S3CryptoModuleBase<T extends MultipartUploadCryptoContext> extends S3CryptoModule<T>
Modifier and Type | Field and Description |
---|---|
protected ContentCryptoScheme |
contentCryptoScheme |
protected CryptoConfiguration |
cryptoConfig
A read-only copy of the crypto configuration.
|
protected S3CryptoScheme |
cryptoScheme |
protected static int |
DEFAULT_BUFFER_SIZE |
private static boolean |
IS_MULTI_PART |
protected EncryptionMaterialsProvider |
kekMaterialsProvider |
protected AWSKMSClient |
kms |
protected org.apache.commons.logging.Log |
log |
protected java.util.Map<java.lang.String,T> |
multipartUploadContexts
Map of data about in progress encrypted multipart uploads.
|
protected S3Direct |
s3 |
Modifier | Constructor and Description |
---|---|
protected |
S3CryptoModuleBase(AWSKMSClient kms,
S3Direct s3,
AWSCredentialsProvider credentialsProvider,
EncryptionMaterialsProvider kekMaterialsProvider,
CryptoConfiguration cryptoConfig) |
protected |
S3CryptoModuleBase(S3Direct s3,
AWSCredentialsProvider credentialsProvider,
EncryptionMaterialsProvider kekMaterialsProvider,
CryptoConfiguration cryptoConfig)
For testing purposes only.
|
Modifier and Type | Method and Description |
---|---|
void |
abortMultipartUploadSecurely(AbortMultipartUploadRequest req) |
(package private) <X extends AmazonWebServiceRequest> |
appendUserAgent(X request,
java.lang.String userAgent)
Appends a user agent to the request's USER_AGENT client marker.
|
private ContentCryptoMaterial |
buildContentCryptoMaterial(EncryptionMaterials materials,
java.security.Provider provider,
AmazonWebServiceRequest req) |
private ContentCryptoMaterial |
ccmFromJson(java.lang.String json) |
(package private) abstract CipherLite |
cipherLiteForNextPart(T uploadContext) |
protected abstract long |
ciphertextLength(long plaintextLength)
Returns the length of the ciphertext computed from the length of the
plaintext.
|
CompleteMultipartUploadResult |
completeMultipartUploadSecurely(CompleteMultipartUploadRequest req) |
(package private) abstract long |
computeLastPartSize(UploadPartRequest req) |
private ContentCryptoMaterial |
contentCryptoMaterialOf(S3ObjectWrapper s3w)
Returns the content crypto material of an existing S3 object.
|
CopyPartResult |
copyPartSecurely(CopyPartRequest copyPartRequest) |
protected ContentCryptoMaterial |
createContentCryptoMaterial(AmazonWebServiceRequest req)
Creates and returns a non-null content crypto material for the given
request.
|
(package private) GetObjectRequest |
createInstructionGetRequest(S3ObjectId id)
Creates a get object request for an instruction file using
the default instruction file suffix.
|
(package private) GetObjectRequest |
createInstructionGetRequest(S3ObjectId s3objectId,
java.lang.String instFileSuffix)
Creates and return a get object request for an instruction file.
|
protected PutObjectRequest |
createInstructionPutRequest(java.lang.String bucketName,
java.lang.String key,
ContentCryptoMaterial cekMaterial) |
(package private) S3ObjectWrapper |
fetchInstructionFile(S3ObjectId s3ObjectId,
java.lang.String instFileSuffix)
Retrieves an instruction file from S3; or null if no instruction file is
found.
|
protected javax.crypto.SecretKey |
generateCEK(EncryptionMaterials kekMaterials,
java.security.Provider providerIn) |
(package private) static long[] |
getAdjustedCryptoRange(long[] range) |
private static long |
getCipherBlockLowerBound(long leftmostBytePosition) |
private static long |
getCipherBlockUpperBound(long rightmostBytePosition)
Takes the position of the rightmost desired byte of a user specified
range and returns the position of the end of the following cipher block;
or if the resultant position has a value that
exceeds .
|
S3CryptoScheme |
getS3CryptoScheme() |
InitiateMultipartUploadResult |
initiateMultipartUploadSecurely(InitiateMultipartUploadRequest req) |
private ContentCryptoMaterial |
newContentCryptoMaterial(EncryptionMaterialsProvider kekMaterialProvider,
java.util.Map<java.lang.String,java.lang.String> materialsDescription,
java.security.Provider provider,
AmazonWebServiceRequest req)
Returns the content encryption material generated with the given kek
material, material description and security providers; or null if
the encryption material cannot be found for the specified description.
|
private ContentCryptoMaterial |
newContentCryptoMaterial(EncryptionMaterialsProvider kekMaterialProvider,
java.security.Provider provider,
AmazonWebServiceRequest req)
Returns a non-null content encryption material generated with the given kek
material and security providers.
|
protected CipherLiteInputStream |
newMultipartS3CipherInputStream(UploadPartRequest req,
CipherLite cipherLite) |
private CipherLiteInputStream |
newS3CipherLiteInputStream(AbstractPutObjectRequest req,
ContentCryptoMaterial cekMaterial,
long plaintextLength) |
(package private) abstract T |
newUploadContext(InitiateMultipartUploadRequest req,
ContentCryptoMaterial cekMaterial) |
protected long |
plaintextLength(AbstractPutObjectRequest request,
ObjectMetadata metadata)
Returns the plaintext length from the request and metadata; or -1 if
unknown.
|
PutObjectResult |
putInstructionFileSecurely(PutInstructionFileRequest req) |
void |
putLocalObjectSecurely(UploadObjectRequest reqIn,
java.lang.String uploadId,
java.io.OutputStream os) |
PutObjectResult |
putObjectSecurely(PutObjectRequest req) |
private PutObjectResult |
putObjectUsingInstructionFile(PutObjectRequest putObjectRequest)
Puts an encrypted object into S3, and puts an instruction file into S3.
|
private PutObjectResult |
putObjectUsingMetadata(PutObjectRequest req) |
protected void |
securityCheck(ContentCryptoMaterial cekMaterial,
S3ObjectWrapper retrieved)
Checks if the the crypto scheme used in the given content crypto material
is allowed to be used in this crypto module.
|
protected PutObjectRequest |
updateInstructionPutRequest(PutObjectRequest req,
ContentCryptoMaterial cekMaterial)
Updates put request to store the specified instruction object in S3.
|
protected ObjectMetadata |
updateMetadataWithContentCryptoMaterial(ObjectMetadata metadata,
java.io.File file,
ContentCryptoMaterial instruction) |
(package private) abstract void |
updateUploadContext(T uploadContext,
SdkFilterInputStream is) |
UploadPartResult |
uploadPartSecurely(UploadPartRequest req) |
(package private) abstract <I extends CipherLiteInputStream> |
wrapForMultipart(I is,
long partSize) |
protected <R extends AbstractPutObjectRequest> |
wrapWithCipher(R request,
ContentCryptoMaterial cekMaterial)
Returns the given
PutObjectRequest but has the content as
input stream wrapped with a cipher, and configured with some meta data
and user metadata. |
getObjectSecurely, getObjectSecurely
private static final boolean IS_MULTI_PART
protected static final int DEFAULT_BUFFER_SIZE
protected final EncryptionMaterialsProvider kekMaterialsProvider
protected final org.apache.commons.logging.Log log
protected final S3CryptoScheme cryptoScheme
protected final ContentCryptoScheme contentCryptoScheme
protected final CryptoConfiguration cryptoConfig
protected final java.util.Map<java.lang.String,T extends MultipartUploadCryptoContext> multipartUploadContexts
protected final S3Direct s3
protected final AWSKMSClient kms
protected S3CryptoModuleBase(AWSKMSClient kms, S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig)
cryptoConfig
- a read-only copy of the crypto configuration.protected S3CryptoModuleBase(S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig)
protected abstract long ciphertextLength(long plaintextLength)
plaintextLength
- a non-negative numberpublic PutObjectResult putObjectSecurely(PutObjectRequest req)
putObjectSecurely
in class S3CryptoModule<T extends MultipartUploadCryptoContext>
private PutObjectResult putObjectUsingMetadata(PutObjectRequest req)
private PutObjectResult putObjectUsingInstructionFile(PutObjectRequest putObjectRequest)
putObjectRequest
- The request object containing all the parameters to upload a
new object to Amazon S3.PutObjectResult
object containing the information
returned by Amazon S3 for the new, created object.public final void abortMultipartUploadSecurely(AbortMultipartUploadRequest req)
abortMultipartUploadSecurely
in class S3CryptoModule<T extends MultipartUploadCryptoContext>
public final CopyPartResult copyPartSecurely(CopyPartRequest copyPartRequest)
copyPartSecurely
in class S3CryptoModule<T extends MultipartUploadCryptoContext>
abstract T newUploadContext(InitiateMultipartUploadRequest req, ContentCryptoMaterial cekMaterial)
public InitiateMultipartUploadResult initiateMultipartUploadSecurely(InitiateMultipartUploadRequest req)
initiateMultipartUploadSecurely
in class S3CryptoModule<T extends MultipartUploadCryptoContext>
abstract CipherLite cipherLiteForNextPart(T uploadContext)
abstract long computeLastPartSize(UploadPartRequest req)
abstract <I extends CipherLiteInputStream> SdkFilterInputStream wrapForMultipart(I is, long partSize)
abstract void updateUploadContext(T uploadContext, SdkFilterInputStream is)
public UploadPartResult uploadPartSecurely(UploadPartRequest req)
NOTE: Because the encryption process requires context from previous blocks, parts uploaded with the AmazonS3EncryptionClient (as opposed to the normal AmazonS3Client) must be uploaded serially, and in order. Otherwise, the previous encryption context isn't available to use when encrypting the current part.
uploadPartSecurely
in class S3CryptoModule<T extends MultipartUploadCryptoContext>
protected final CipherLiteInputStream newMultipartS3CipherInputStream(UploadPartRequest req, CipherLite cipherLite)
public CompleteMultipartUploadResult completeMultipartUploadSecurely(CompleteMultipartUploadRequest req)
completeMultipartUploadSecurely
in class S3CryptoModule<T extends MultipartUploadCryptoContext>
protected final ObjectMetadata updateMetadataWithContentCryptoMaterial(ObjectMetadata metadata, java.io.File file, ContentCryptoMaterial instruction)
protected final ContentCryptoMaterial createContentCryptoMaterial(AmazonWebServiceRequest req)
AmazonClientException
- if no encryption material can be found.private ContentCryptoMaterial newContentCryptoMaterial(EncryptionMaterialsProvider kekMaterialProvider, java.util.Map<java.lang.String,java.lang.String> materialsDescription, java.security.Provider provider, AmazonWebServiceRequest req)
private ContentCryptoMaterial newContentCryptoMaterial(EncryptionMaterialsProvider kekMaterialProvider, java.security.Provider provider, AmazonWebServiceRequest req)
AmazonClientException
- if no encryption material can be found from
the given encryption material provider.public final void putLocalObjectSecurely(UploadObjectRequest reqIn, java.lang.String uploadId, java.io.OutputStream os) throws java.io.IOException
putLocalObjectSecurely
in class S3CryptoModule<T extends MultipartUploadCryptoContext>
uploadId
- multipart upload idos
- output stream which will be closed upon method completion.java.io.IOException
private ContentCryptoMaterial buildContentCryptoMaterial(EncryptionMaterials materials, java.security.Provider provider, AmazonWebServiceRequest req)
materials
- a non-null encryption materialprotected final javax.crypto.SecretKey generateCEK(EncryptionMaterials kekMaterials, java.security.Provider providerIn)
kekMaterials
- non-null encryption materialsprotected final <R extends AbstractPutObjectRequest> R wrapWithCipher(R request, ContentCryptoMaterial cekMaterial)
PutObjectRequest
but has the content as
input stream wrapped with a cipher, and configured with some meta data
and user metadata.private CipherLiteInputStream newS3CipherLiteInputStream(AbstractPutObjectRequest req, ContentCryptoMaterial cekMaterial, long plaintextLength)
protected final long plaintextLength(AbstractPutObjectRequest request, ObjectMetadata metadata)
public final S3CryptoScheme getS3CryptoScheme()
protected final PutObjectRequest updateInstructionPutRequest(PutObjectRequest req, ContentCryptoMaterial cekMaterial)
req
- The put-instruction-file request for the instruction file to
be stored in S3.cekMaterial
- The instruction object to be stored in S3.protected final PutObjectRequest createInstructionPutRequest(java.lang.String bucketName, java.lang.String key, ContentCryptoMaterial cekMaterial)
final <X extends AmazonWebServiceRequest> X appendUserAgent(X request, java.lang.String userAgent)
protected void securityCheck(ContentCryptoMaterial cekMaterial, S3ObjectWrapper retrieved)
java.lang.SecurityException
- if the crypto scheme used in the given content crypto
material is not allowed in this crypto module.final S3ObjectWrapper fetchInstructionFile(S3ObjectId s3ObjectId, java.lang.String instFileSuffix)
s3ObjectId
- the S3 object id (not the instruction file id)instFileSuffix
- suffix of the instruction file to be retrieved; or null to use
the default suffix.public final PutObjectResult putInstructionFileSecurely(PutInstructionFileRequest req)
putInstructionFileSecurely
in class S3CryptoModule<T extends MultipartUploadCryptoContext>
EncryptedGetObjectRequest
.private ContentCryptoMaterial contentCryptoMaterialOf(S3ObjectWrapper s3w)
s3w
- an existing S3 object (wrapper)s3objectId
- the object id used to retrieve the existing S3 objectprivate ContentCryptoMaterial ccmFromJson(java.lang.String json)
final GetObjectRequest createInstructionGetRequest(S3ObjectId id)
id
- an S3 object id (not the instruction file id)final GetObjectRequest createInstructionGetRequest(S3ObjectId s3objectId, java.lang.String instFileSuffix)
s3objectId
- an S3 object id (not the instruction file id)instFileSuffix
- suffix of the specific instruction file to be used, or null if
the default instruction file is to be used.static long[] getAdjustedCryptoRange(long[] range)
private static long getCipherBlockLowerBound(long leftmostBytePosition)
private static long getCipherBlockUpperBound(long rightmostBytePosition)