Skip to content

ReEncryptInstructionFile Implementation #470

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 41 commits into
base: aniravk/ReEncrypt-feature
Choose a base branch
from
Open

ReEncryptInstructionFile Implementation #470

wants to merge 41 commits into from

Conversation

akareddy04
Copy link
Contributor

Issue #, if available:

Description of changes:
Implemented the reEncryptInstructionFile feature and I also modified the current API to help support this.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

Anirav Kareddy added 21 commits June 17, 2025 15:16
Added ReEncryptInstructionFileRequest class
cc6e593
Added the ReEncryptInstructionFileResponse class
effe9bb
Merge ReEncrypt-feature branch to get latest changes for instruction …
8ac06bb 
…file implementation
changed S3Keyring to RawKeyring and also added getter functions
8b16a23
cleaned up ReEncryptInstructionFileResponse class
f501b43
Rough outline of reEncryptInstructionFile method (default suffix)
d16db4d
added support for custom instruction file suffix in getObject
5a1f292
added optional attribte for custom instruction file suffix in encode …
8fb7167 
…metadata
method overloading for putInstructionFile to be able to handle the cu…
3ffc4b2 
…stom instruction file suffix if specified
wrote 2 comprehensive test cases regarding re-encryption of instructi…
6194b64 
…on files with AES + RSA keyrings and both of these tests pass
appends a period in front of the instruction file suffix
f6e43e5
verified in test case testRsaKeyringReEncryptInstructionFile that the…
5b7b3ae 
… third-party client is unable toretrieve the encrypted object in s3 if they do not include the overrideConfiguration with their custom instruction file suffix since it will by default use the original instruction file, not theirs.:
Added examples of re-encryption of instruction files via RSA + AES ke…
3bbb9fb 
…yrings
added Amazon copyright notice
24b804b
renamed ReEncryptionInstructionFileExample class to ReEncryptInstruct…
4164acf 
…ionFile
Added test cases to test legacy wrapping algorithm upgrades + backwar…
d45c026 
…ds compatability
Added javadoc comments for readability
d4cef6e
added more test cases to ensure build validation
0e2b8ce
added fix to retrieve the actual contents from the materials descript…
e652052 
…ion object, not the object itself. Also reworded one of the exception messages to be clearer for when instruction file suffix request is specified for AES keyring (which should not happen)
small fixes
effb4ec
added one small fix (eliminated space between package and imports in …
2b6dcc8 
…MaterialsDescription class
@akareddy04 akareddy04 requested a review from a team as a code owner July 7, 2025 21:17
@akareddy04 akareddy04 changed the base branch from main to aniravk/ReEncrypt-feature July 7, 2025 21:17
kessplas
kessplas requested changes Jul 9, 2025
View reviewed changes
Anirav Kareddy added 14 commits July 10, 2025 21:10
Changed INSTRUCTION_FILE_SUFFIX to DEFAULT_INSTRUCTION_FILE_SUFFIX
0bbd9e7
refactored the encodeMetadata to be cleaner
3ae2fa4
updated getter for encryptionContext to be contentMetadata.encryptedD…
3696fa9 
…ataKeyMatDescOrContext()
Changed INSTRUCTION_FILE_SUFFIX to DEFAULT_INSTRUCTION_FILE_SUFFIX
4e70b6a
Made sure to modify the javadoc comments to mention that RSA keyrings…
767c58b 
… support both the default and custom instruction file suffixes
Modified the names of all the getter functions to be lowercase
9e8f502
removed setting the secureRandom attribute for the Aes + RSA keyrings…
887ffd0 
… since secureRandom should now be initialized by default. I also removed all the unused imports
removed setting the secureRandom attribute in the builder for AES + R…
b6b59b6 
…SA keyrings in all of the test cases
rennamed getter to match the newly updated one: actualContentMetadata…
8ce42fe 
….encryptedDataKeyMatDescOrContext()
added space between all of the test cases
b4c1d57
cleaned up the reEncryptInstructionFile method + added description fo…
66126e0 
…r enforceRotation in javadoc
cleaned up some of the test-cases (will continue working on this)
cc35216
added more test cases with RSA key rotation with default instruction …
b36455a 
…file suffix + legacy wrapping algorithm upgrades from V1/V2 to V3
Added a note to the javadoc comment for the setter for instructionFil…
7d2e3f0 
…eSuffix to mention that the . prefix is automatically added to the suffix + in reEncryptInstructionFileResponse, the . prefix will be removed from the suffix and return what the user requested the suffix be
kessplas
kessplas requested changes Jul 11, 2025
View reviewed changes
Copy link
Contributor

@kessplas kessplas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some nits about comments.

src/examples/java/software/amazon/encryption/s3/examples/ReEncryptInstructionFileExample.java
* This example demonstrates generating a custom instruction file to enable access to encrypted object by a third party.
* This enables secure sharing of encrypted objects without sharing private keys.
* This example demonstrates re-encrypting the encrypted data key in an instruction file with a new RSA wrapping key.
* The other cryptographic parameters in the instruction file such as the IV and wrapping algorithm remain unchanged.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* The other cryptographic parameters in the instruction file such as the IV and wrapping algorithm remain unchanged.

This refers to an implementation detail that customers shouldn't need to worry about. It's a useful comment for internal stuff but not necessary in the examples.

src/examples/java/software/amazon/encryption/s3/examples/ReEncryptInstructionFileExample.java
assertTrue(e.getMessage().contains("Unable to RSA-OAEP-SHA1 unwrap"));
}

// Create a new client with the rotated AES key
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Create a new client with the rotated AES key
// Create a new client with the rotated RSA key

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
* - Default instruction file suffix required for AES keyrings
* - Legacy to V3: Can rotate same wrapping key from legacy wrapping algorithms to fully supported wrapping algorithms
* - Within V3: When rotating the wrapping key, the new keyring must be different from the current keyring
* - Enforce Rotation: When enabled, ensures old keyring cannot decrypt data encrypted by new keyring
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* - Enforce Rotation: When enabled, ensures old keyring cannot decrypt data encrypted by new keyring

nit: this PR doesn't have Enforce Rotation yet

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
*
* @param reEncryptInstructionFileRequest the request containing bucket, object key, new keyring, and optional instruction file suffix
* @return ReEncryptInstructionFileResponse containing the bucket, object key, and instruction file suffix used
* @throws S3EncryptionClientException if the new keyring has the same materials description as the current one
*/
public ReEncryptInstructionFileResponse reEncryptInstructionFile(ReEncryptInstructionFileRequest reEncryptInstructionFileRequest) {
GetObjectRequest request = GetObjectRequest.builder()
//GetObjectRequest MUST be kept the same
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
//GetObjectRequest MUST be kept the same

these comments aren't terribly helpful, final enforces this

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
EncryptedDataKey originalEncryptedDataKeys = contentMetadata.encryptedDataKey();
Map<String, String> currentKeyringMaterialsDescription = contentMetadata.encryptedDataKeyContext();
byte[] iv = contentMetadata.contentIv();
// Algorithm Suite MUST be kept the same
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto, redundant comment (each of these)

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
.s3Request(request)
.build()
);
byte[] plaintextDataKey = decryptedMaterials.plaintextDataKey();

//Plaintext Data Key MUST be kept the same
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto, redundant comment

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
EncryptionMaterials encryptedMaterials = newKeyring.onEncrypt(encryptionMaterials);

Map<String, String> newMaterialsDescription = encryptedMaterials.materialsDescription().getMaterialsDescription();
//New Keyring MUST be kept the same
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto, redundant comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kessplas kessplas kessplas requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@akareddy04 @kessplas