com.google.crypto.tink.integration.awskms.AwsKmsAead.java Source code

Java tutorial

Introduction

Here is the source code for com.google.crypto.tink.integration.awskms.AwsKmsAead.java

Source

// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package com.google.crypto.tink.integration.awskms;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.util.BinaryUtils;
import com.google.crypto.tink.Aead;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;

/**
 * A {@link Aead} that forwards encryption/decryption requests to a key in <a
 * href="https://aws.amazon.com/kms/">AWS KMS</a>.
 *
 * @since 1.0.0
 */
public final class AwsKmsAead implements Aead {

    /** This client knows how to talk to AWS KMS. */
    private final AWSKMS kmsClient;

    // The location of a crypto key in AWS KMS, without the aws-kms:// prefix.
    private final String keyArn;

    public AwsKmsAead(AWSKMS kmsClient, String keyUri) throws GeneralSecurityException {
        this.kmsClient = kmsClient;
        this.keyArn = keyUri;
    }

    @Override
    public byte[] encrypt(final byte[] plaintext, final byte[] associatedData) throws GeneralSecurityException {
        try {
            EncryptRequest req = new EncryptRequest().withKeyId(keyArn).withPlaintext(ByteBuffer.wrap(plaintext));
            if (associatedData != null && associatedData.length != 0) {
                req = req.addEncryptionContextEntry("associatedData", BinaryUtils.toHex(associatedData));
            }
            return kmsClient.encrypt(req).getCiphertextBlob().array();
        } catch (AmazonServiceException e) {
            throw new GeneralSecurityException("encryption failed", e);
        }
    }

    @Override
    public byte[] decrypt(final byte[] ciphertext, final byte[] associatedData) throws GeneralSecurityException {
        try {
            DecryptRequest req = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(ciphertext));
            if (associatedData != null && associatedData.length != 0) {
                req = req.addEncryptionContextEntry("associatedData", BinaryUtils.toHex(associatedData));
            }
            DecryptResult result = kmsClient.decrypt(req);
            if (!result.getKeyId().equals(keyArn)) {
                throw new GeneralSecurityException("decryption failed: wrong key id");
            }
            return result.getPlaintext().array();
        } catch (AmazonServiceException e) {
            throw new GeneralSecurityException("decryption failed", e);
        }
    }
}