Class S3CryptoModuleBase<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>

java.lang.Object
com.amazonaws.services.s3.internal.crypto.S3CryptoModule<T>
com.amazonaws.services.s3.internal.crypto.S3CryptoModuleBase<T>
public abstract class S3CryptoModuleBase<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext> extends S3CryptoModule<T>
Common implementation for different S3 cryptographic modules.

  • Field Details

    • DEFAULT_BUFFER_SIZE

      protected static final int DEFAULT_BUFFER_SIZE
      See Also:

    • kekMaterialsProvider

      protected final EncryptionMaterialsProvider kekMaterialsProvider

    • log

      protected final org.apache.commons.logging.Log log

    • cryptoScheme

      protected final com.amazonaws.services.s3.internal.crypto.S3CryptoScheme cryptoScheme

    • contentCryptoScheme

      protected final com.amazonaws.services.s3.internal.crypto.ContentCryptoScheme contentCryptoScheme

    • cryptoConfig

      protected final CryptoConfiguration cryptoConfig
      A read-only copy of the crypto configuration.

    • multipartUploadContexts

      protected final Map<String, T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext> multipartUploadContexts
      Map of data about in progress encrypted multipart uploads.

    • s3

      protected final com.amazonaws.services.s3.internal.S3Direct s3

    • kms

      protected final AWSKMSClient kms

  • Constructor Details

  • Method Details

    • ciphertextLength

      protected abstract long ciphertextLength(long plaintextLength)
      Returns the length of the ciphertext computed from the length of the plaintext.
      Parameters:
      plaintextLength - a non-negative number
      Returns:
      a non-negative number

    • putObjectSecurely

      public PutObjectResult putObjectSecurely(PutObjectRequest req)
      ///////////////////// Common Implementation ////////////////////////
      Specified by:
      putObjectSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
      Returns:
      the result of the putting the S3 object.

    • abortMultipartUploadSecurely

      public final void abortMultipartUploadSecurely(AbortMultipartUploadRequest req)
      Specified by:
      abortMultipartUploadSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>

    • copyPartSecurely

      public final CopyPartResult copyPartSecurely(CopyPartRequest copyPartRequest)
      Specified by:
      copyPartSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>

    • initiateMultipartUploadSecurely

      public InitiateMultipartUploadResult initiateMultipartUploadSecurely(InitiateMultipartUploadRequest req)
      Specified by:
      initiateMultipartUploadSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>

    • uploadPartSecurely

      public UploadPartResult uploadPartSecurely(UploadPartRequest req)

      NOTE: Because the encryption process requires context from previous blocks, parts uploaded with the AmazonS3EncryptionClient (as opposed to the normal AmazonS3Client) must be uploaded serially, and in order. Otherwise, the previous encryption context isn't available to use when encrypting the current part.

      Specified by:
      uploadPartSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>

    • newMultipartS3CipherInputStream

      protected final CipherLiteInputStream newMultipartS3CipherInputStream(UploadPartRequest req, com.amazonaws.services.s3.internal.crypto.CipherLite cipherLite)

    • completeMultipartUploadSecurely

      public CompleteMultipartUploadResult completeMultipartUploadSecurely(CompleteMultipartUploadRequest req)
      Specified by:
      completeMultipartUploadSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>

    • updateMetadataWithContentCryptoMaterial

      protected final ObjectMetadata updateMetadataWithContentCryptoMaterial(ObjectMetadata metadata, File file, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial instruction)

    • createContentCryptoMaterial

      protected final com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial createContentCryptoMaterial(AmazonWebServiceRequest req)
      Creates and returns a non-null content crypto material for the given request.
      Throws:
      AmazonClientException - if no encryption material can be found.

    • putLocalObjectSecurely

      public final void putLocalObjectSecurely(UploadObjectRequest reqIn, String uploadId, OutputStream os) throws IOException
      Specified by:
      putLocalObjectSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
      Parameters:
      uploadId - multipart upload id
      os - output stream which will be closed upon method completion.
      Throws:
      IOException

    • generateCEK

      protected final SecretKey generateCEK(EncryptionMaterials kekMaterials, Provider providerIn)
      Parameters:
      kekMaterials - non-null encryption materials

    • wrapWithCipher

      protected final <R extends AbstractPutObjectRequest> R wrapWithCipher(R request, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)
      Returns the given PutObjectRequest but has the content as input stream wrapped with a cipher, and configured with some meta data and user metadata.

    • plaintextLength

      protected final long plaintextLength(AbstractPutObjectRequest request, ObjectMetadata metadata)
      Returns the plaintext length from the request and metadata; or -1 if unknown.

    • getS3CryptoScheme

      public final com.amazonaws.services.s3.internal.crypto.S3CryptoScheme getS3CryptoScheme()

    • updateInstructionPutRequest

      protected final PutObjectRequest updateInstructionPutRequest(PutObjectRequest req, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)
      Updates put request to store the specified instruction object in S3.
      Parameters:
      req - The put-instruction-file request for the instruction file to be stored in S3.
      cekMaterial - The instruction object to be stored in S3.
      Returns:
      A put request to store the specified instruction object in S3.

    • createInstructionPutRequest

      protected final PutObjectRequest createInstructionPutRequest(String bucketName, String key, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)

    • securityCheck

      protected void securityCheck(com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial, com.amazonaws.services.s3.internal.crypto.S3ObjectWrapper retrieved)
      Checks if the the crypto scheme used in the given content crypto material is allowed to be used in this crypto module. Default is no-op. Subclass may override.
      Throws:
      SecurityException - if the crypto scheme used in the given content crypto material is not allowed in this crypto module.

    • putInstructionFileSecurely

      public final PutObjectResult putInstructionFileSecurely(PutInstructionFileRequest req)
      Specified by:
      putInstructionFileSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
      Returns:
      the result of putting the instruction file in S3; or null if the specified S3 object doesn't exist. The S3 object can be subsequently retrieved using the new instruction file via the usual get operation by specifying a EncryptedGetObjectRequest.