Class S3CryptoModuleBase<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>

- java.lang.Object
  - com.amazonaws.services.s3.internal.crypto.S3CryptoModule<T>
    - com.amazonaws.services.s3.internal.crypto.S3CryptoModuleBase<T>

public abstract class S3CryptoModuleBase<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext> extends S3CryptoModule<T>

Common implementation for different S3 cryptographic modules.
-
Field Summary

Fields (Modifier and Type, Field, Description):
- protected com.amazonaws.services.s3.internal.crypto.ContentCryptoScheme contentCryptoScheme
- protected CryptoConfiguration cryptoConfig
  A read-only copy of the crypto configuration.
- protected com.amazonaws.services.s3.internal.crypto.S3CryptoScheme cryptoScheme
- protected static int DEFAULT_BUFFER_SIZE
- protected EncryptionMaterialsProvider kekMaterialsProvider
- protected AWSKMSClient kms
- protected org.apache.commons.logging.Log log
- protected Map<String,T> multipartUploadContexts
  Map of data about in progress encrypted multipart uploads.
- protected com.amazonaws.services.s3.internal.S3Direct s3
-
Constructor Summary

Constructors (Modifier, Constructor, Description):
- protected S3CryptoModuleBase(AWSKMSClient kms, com.amazonaws.services.s3.internal.S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig)
- protected S3CryptoModuleBase(com.amazonaws.services.s3.internal.S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig)
  For testing purposes only.
-
Method Summary

All Methods / Instance Methods / Abstract Methods / Concrete Methods (Modifier and Type, Method, Description):
- void abortMultipartUploadSecurely(AbortMultipartUploadRequest req)
- protected abstract long ciphertextLength(long plaintextLength)
  Returns the length of the ciphertext computed from the length of the plaintext.
- CompleteMultipartUploadResult completeMultipartUploadSecurely(CompleteMultipartUploadRequest req)
- CopyPartResult copyPartSecurely(CopyPartRequest copyPartRequest)
- protected com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial createContentCryptoMaterial(AmazonWebServiceRequest req)
  Creates and returns a non-null content crypto material for the given request.
- protected PutObjectRequest createInstructionPutRequest(String bucketName, String key, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)
- protected SecretKey generateCEK(EncryptionMaterials kekMaterials, Provider providerIn)
- com.amazonaws.services.s3.internal.crypto.S3CryptoScheme getS3CryptoScheme()
- InitiateMultipartUploadResult initiateMultipartUploadSecurely(InitiateMultipartUploadRequest req)
- protected CipherLiteInputStream newMultipartS3CipherInputStream(UploadPartRequest req, com.amazonaws.services.s3.internal.crypto.CipherLite cipherLite)
- protected long plaintextLength(AbstractPutObjectRequest request, ObjectMetadata metadata)
  Returns the plaintext length from the request and metadata; or -1 if unknown.
- PutObjectResult putInstructionFileSecurely(PutInstructionFileRequest req)
- void putLocalObjectSecurely(UploadObjectRequest reqIn, String uploadId, OutputStream os)
- PutObjectResult putObjectSecurely(PutObjectRequest req)
- protected void securityCheck(com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial, com.amazonaws.services.s3.internal.crypto.S3ObjectWrapper retrieved)
  Checks if the crypto scheme used in the given content crypto material is allowed to be used in this crypto module.
- protected PutObjectRequest updateInstructionPutRequest(PutObjectRequest req, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)
  Updates the put request to store the specified instruction object in S3.
- protected ObjectMetadata updateMetadataWithContentCryptoMaterial(ObjectMetadata metadata, File file, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial instruction)
- UploadPartResult uploadPartSecurely(UploadPartRequest req)
- protected <R extends AbstractPutObjectRequest> R wrapWithCipher(R request, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)
  Returns the given PutObjectRequest, but with its content input stream wrapped with a cipher and configured with some metadata and user metadata.

Methods inherited from class com.amazonaws.services.s3.internal.crypto.S3CryptoModule
getObjectSecurely, getObjectSecurely
-
Field Detail
-
DEFAULT_BUFFER_SIZE
protected static final int DEFAULT_BUFFER_SIZE
- See Also:
- Constant Field Values
-
kekMaterialsProvider
protected final EncryptionMaterialsProvider kekMaterialsProvider
-
log
protected final org.apache.commons.logging.Log log
-
cryptoScheme
protected final com.amazonaws.services.s3.internal.crypto.S3CryptoScheme cryptoScheme
-
contentCryptoScheme
protected final com.amazonaws.services.s3.internal.crypto.ContentCryptoScheme contentCryptoScheme
-
cryptoConfig
protected final CryptoConfiguration cryptoConfig
A read-only copy of the crypto configuration.
-
multipartUploadContexts
protected final Map<String,T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext> multipartUploadContexts
Map of data about in progress encrypted multipart uploads.
-
s3
protected final com.amazonaws.services.s3.internal.S3Direct s3
-
kms
protected final AWSKMSClient kms
-
Constructor Detail
-
S3CryptoModuleBase
protected S3CryptoModuleBase(AWSKMSClient kms, com.amazonaws.services.s3.internal.S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig)
- Parameters: cryptoConfig - a read-only copy of the crypto configuration.
-
S3CryptoModuleBase
protected S3CryptoModuleBase(com.amazonaws.services.s3.internal.S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig)
For testing purposes only.
-
Method Detail
-
ciphertextLength
protected abstract long ciphertextLength(long plaintextLength)
Returns the length of the ciphertext computed from the length of the plaintext.
- Parameters: plaintextLength - a non-negative number
- Returns: a non-negative number
-
putObjectSecurely
public PutObjectResult putObjectSecurely(PutObjectRequest req)
- Specified by: putObjectSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
- Returns: the result of putting the S3 object.
-
abortMultipartUploadSecurely
public final void abortMultipartUploadSecurely(AbortMultipartUploadRequest req)
- Specified by: abortMultipartUploadSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
copyPartSecurely
public final CopyPartResult copyPartSecurely(CopyPartRequest copyPartRequest)
- Specified by: copyPartSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
initiateMultipartUploadSecurely
public InitiateMultipartUploadResult initiateMultipartUploadSecurely(InitiateMultipartUploadRequest req)
- Specified by: initiateMultipartUploadSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
uploadPartSecurely
public UploadPartResult uploadPartSecurely(UploadPartRequest req)
NOTE: Because the encryption process requires context from previous blocks, parts uploaded with the AmazonS3EncryptionClient (as opposed to the normal AmazonS3Client) must be uploaded serially, and in order. Otherwise, the previous encryption context isn't available to use when encrypting the current part.
- Specified by: uploadPartSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
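The serial, in-order part-upload discipline the note above requires, as an added example that is not code from the AWS SDK: it assumes `s3` is a client built with AmazonS3EncryptionClientBuilder, and the bucket, key and part size are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.AbortMultipartUploadRequest;
import com.amazonaws.services.s3.model.CompleteMultipartUploadRequest;
import com.amazonaws.services.s3.model.CompleteMultipartUploadResult;
import com.amazonaws.services.s3.model.InitiateMultipartUploadRequest;
import com.amazonaws.services.s3.model.PartETag;
import com.amazonaws.services.s3.model.UploadPartRequest;

/** Serial, in-order encrypted multipart upload (added example; s3 is assumed to be an encryption client). */
public final class SerialEncryptedMultipartUpload {
    // Every part except the last must be a multiple of the 16-byte cipher block size so the cipher
    // state carried from part N lines up with part N+1; S3 also needs >= 5 MiB per non-final part.
    private static final int PART_SIZE = 5 * 1024 * 1024;   // placeholder size

    public static CompleteMultipartUploadResult upload(AmazonS3 s3, String bucket, String key,
                                                       InputStream plaintext) throws IOException {
        String uploadId = s3.initiateMultipartUpload(new InitiateMultipartUploadRequest(bucket, key)).getUploadId();
        List<PartETag> etags = new ArrayList<>();
        try {
            byte[] cur = new byte[PART_SIZE], next = new byte[PART_SIZE];
            int curLen = readFully(plaintext, cur), partNumber = 1;
            do {
                int nextLen = readFully(plaintext, next);      // look ahead to detect the final part
                UploadPartRequest part = new UploadPartRequest()
                        .withBucketName(bucket).withKey(key).withUploadId(uploadId)
                        .withPartNumber(partNumber++)              // strictly increasing, no gaps
                        .withInputStream(new ByteArrayInputStream(cur, 0, curLen))
                        .withPartSize(curLen)
                        .withLastPart(nextLen == 0);               // the encryption client requires this flag
                etags.add(s3.uploadPart(part).getPartETag());    // synchronous: next part starts only after this one
                byte[] t = cur; cur = next; next = t; curLen = nextLen;
            } while (curLen > 0);
            return s3.completeMultipartUpload(new CompleteMultipartUploadRequest(bucket, key, uploadId, etags));
        } catch (RuntimeException | IOException e) {
            // Abort so S3 drops the parts and the module discards the crypto context held for uploadId.
            s3.abortMultipartUpload(new AbortMultipartUploadRequest(bucket, key, uploadId));
            throw e;
        }
    }

    /** Fills buf as far as the stream allows; returns the byte count, 0 at end of stream. */
    private static int readFully(InputStream in, byte[] buf) throws IOException {
        int total = 0, r;
        while (total < buf.length && (r = in.read(buf, total, buf.length - total)) > 0) total += r;
        return total;
    }
}
```

Running the parts through a thread pool or in any order other than 1, 2, 3, ... breaks the chained cipher context the note describes, so the upload stays single-threaded here by design.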
-
newMultipartS3CipherInputStream
protected final CipherLiteInputStream newMultipartS3CipherInputStream(UploadPartRequest req, com.amazonaws.services.s3.internal.crypto.CipherLite cipherLite)
-
completeMultipartUploadSecurely
public CompleteMultipartUploadResult completeMultipartUploadSecurely(CompleteMultipartUploadRequest req)
- Specified by: completeMultipartUploadSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
updateMetadataWithContentCryptoMaterial
protected final ObjectMetadata updateMetadataWithContentCryptoMaterial(ObjectMetadata metadata, File file, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial instruction)
-
createContentCryptoMaterial
protected final com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial createContentCryptoMaterial(AmazonWebServiceRequest req)
Creates and returns a non-null content crypto material for the given request.
- Throws: AmazonClientException - if no encryption material can be found.
-
putLocalObjectSecurely
public final void putLocalObjectSecurely(UploadObjectRequest reqIn, String uploadId, OutputStream os) throws IOException
- Specified by: putLocalObjectSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
- Parameters:
  uploadId - multipart upload id
  os - output stream which will be closed upon method completion.
- Throws: IOException
-
generateCEK
protected final SecretKey generateCEK(EncryptionMaterials kekMaterials, Provider providerIn)
- Parameters: kekMaterials - non-null encryption materials
-
wrapWithCipher
protected final <R extends AbstractPutObjectRequest> R wrapWithCipher(R request, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)
Returns the given PutObjectRequest, but with its content input stream wrapped with a cipher and configured with some metadata and user metadata.
-
plaintextLength
protected final long plaintextLength(AbstractPutObjectRequest request, ObjectMetadata metadata)
Returns the plaintext length from the request and metadata; or -1 if unknown.
-
getS3CryptoScheme
public final com.amazonaws.services.s3.internal.crypto.S3CryptoScheme getS3CryptoScheme()
-
updateInstructionPutRequest
protected final PutObjectRequest updateInstructionPutRequest(PutObjectRequest req, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)
Updates the put request to store the specified instruction object in S3.
- Parameters:
  req - The put-instruction-file request for the instruction file to be stored in S3.
  cekMaterial - The instruction object to be stored in S3.
- Returns: A put request to store the specified instruction object in S3.
-
createInstructionPutRequest
protected final PutObjectRequest createInstructionPutRequest(String bucketName, String key, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial)
-
securityCheck
protected void securityCheck(com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial, com.amazonaws.services.s3.internal.crypto.S3ObjectWrapper retrieved)
Checks if the crypto scheme used in the given content crypto material is allowed to be used in this crypto module. Default is no-op. Subclasses may override.
- Throws: SecurityException - if the crypto scheme used in the given content crypto material is not allowed in this crypto module.
-
putInstructionFileSecurely
public final PutObjectResult putInstructionFileSecurely(PutInstructionFileRequest req)
- Specified by: putInstructionFileSecurely in class S3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
- Returns: the result of putting the instruction file in S3; or null if the specified S3 object doesn't exist. The S3 object can be subsequently retrieved using the new instruction file via the usual get operation by specifying an EncryptedGetObjectRequest.