Class S3CryptoModuleBase<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
java.lang.Object
com.amazonaws.services.s3.internal.crypto.S3CryptoModule<T>
com.amazonaws.services.s3.internal.crypto.S3CryptoModuleBase<T>
public abstract class S3CryptoModuleBase<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
extends S3CryptoModule<T>
Common implementation for different S3 cryptographic modules.
-
Field Summary
FieldsModifier and TypeFieldDescriptionprotected final com.amazonaws.services.s3.internal.crypto.ContentCryptoScheme
protected final CryptoConfiguration
A read-only copy of the crypto configuration.protected final com.amazonaws.services.s3.internal.crypto.S3CryptoScheme
protected static final int
protected final EncryptionMaterialsProvider
protected final AWSKMSClient
protected final org.apache.commons.logging.Log
Map of data about in progress encrypted multipart uploads.protected final com.amazonaws.services.s3.internal.S3Direct
-
Constructor Summary
ConstructorsModifierConstructorDescriptionprotected
S3CryptoModuleBase
(AWSKMSClient kms, com.amazonaws.services.s3.internal.S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig) protected
S3CryptoModuleBase
(com.amazonaws.services.s3.internal.S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig) For testing purposes only. -
Method Summary
Modifier and TypeMethodDescriptionfinal void
protected abstract long
ciphertextLength
(long plaintextLength) Returns the length of the ciphertext computed from the length of the plaintext.final CopyPartResult
copyPartSecurely
(CopyPartRequest copyPartRequest) protected final com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial
Creates and returns a non-null content crypto material for the given request.protected final PutObjectRequest
createInstructionPutRequest
(String bucketName, String key, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial) protected final SecretKey
generateCEK
(EncryptionMaterials kekMaterials, Provider providerIn) final com.amazonaws.services.s3.internal.crypto.S3CryptoScheme
protected final CipherLiteInputStream
newMultipartS3CipherInputStream
(UploadPartRequest req, com.amazonaws.services.s3.internal.crypto.CipherLite cipherLite) protected final long
plaintextLength
(AbstractPutObjectRequest request, ObjectMetadata metadata) Returns the plaintext length from the request and metadata; or -1 if unknown.final PutObjectResult
final void
putLocalObjectSecurely
(UploadObjectRequest reqIn, String uploadId, OutputStream os) protected void
securityCheck
(com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial, com.amazonaws.services.s3.internal.crypto.S3ObjectWrapper retrieved) Checks if the the crypto scheme used in the given content crypto material is allowed to be used in this crypto module.protected final PutObjectRequest
updateInstructionPutRequest
(PutObjectRequest req, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial) Updates put request to store the specified instruction object in S3.protected final ObjectMetadata
updateMetadataWithContentCryptoMaterial
(ObjectMetadata metadata, File file, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial instruction) protected final <R extends AbstractPutObjectRequest>
RwrapWithCipher
(R request, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial) Returns the givenPutObjectRequest
but has the content as input stream wrapped with a cipher, and configured with some meta data and user metadata.Methods inherited from class com.amazonaws.services.s3.internal.crypto.S3CryptoModule
getObjectSecurely, getObjectSecurely
-
Field Details
-
DEFAULT_BUFFER_SIZE
protected static final int DEFAULT_BUFFER_SIZE- See Also:
-
kekMaterialsProvider
-
log
protected final org.apache.commons.logging.Log log -
cryptoScheme
protected final com.amazonaws.services.s3.internal.crypto.S3CryptoScheme cryptoScheme -
contentCryptoScheme
protected final com.amazonaws.services.s3.internal.crypto.ContentCryptoScheme contentCryptoScheme -
cryptoConfig
A read-only copy of the crypto configuration. -
multipartUploadContexts
protected final Map<String,T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext> multipartUploadContextsMap of data about in progress encrypted multipart uploads. -
s3
protected final com.amazonaws.services.s3.internal.S3Direct s3 -
kms
-
-
Constructor Details
-
S3CryptoModuleBase
protected S3CryptoModuleBase(AWSKMSClient kms, com.amazonaws.services.s3.internal.S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig) - Parameters:
cryptoConfig
- a read-only copy of the crypto configuration.
-
S3CryptoModuleBase
protected S3CryptoModuleBase(com.amazonaws.services.s3.internal.S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig) For testing purposes only.
-
-
Method Details
-
ciphertextLength
protected abstract long ciphertextLength(long plaintextLength) Returns the length of the ciphertext computed from the length of the plaintext.- Parameters:
plaintextLength
- a non-negative number- Returns:
- a non-negative number
-
putObjectSecurely
- Specified by:
putObjectSecurely
in classS3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
- Returns:
- the result of the putting the S3 object.
-
abortMultipartUploadSecurely
- Specified by:
abortMultipartUploadSecurely
in classS3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
copyPartSecurely
- Specified by:
copyPartSecurely
in classS3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
initiateMultipartUploadSecurely
public InitiateMultipartUploadResult initiateMultipartUploadSecurely(InitiateMultipartUploadRequest req) - Specified by:
initiateMultipartUploadSecurely
in classS3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
uploadPartSecurely
NOTE: Because the encryption process requires context from previous blocks, parts uploaded with the AmazonS3EncryptionClient (as opposed to the normal AmazonS3Client) must be uploaded serially, and in order. Otherwise, the previous encryption context isn't available to use when encrypting the current part.
- Specified by:
uploadPartSecurely
in classS3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
newMultipartS3CipherInputStream
protected final CipherLiteInputStream newMultipartS3CipherInputStream(UploadPartRequest req, com.amazonaws.services.s3.internal.crypto.CipherLite cipherLite) -
completeMultipartUploadSecurely
public CompleteMultipartUploadResult completeMultipartUploadSecurely(CompleteMultipartUploadRequest req) - Specified by:
completeMultipartUploadSecurely
in classS3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
-
updateMetadataWithContentCryptoMaterial
protected final ObjectMetadata updateMetadataWithContentCryptoMaterial(ObjectMetadata metadata, File file, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial instruction) -
createContentCryptoMaterial
protected final com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial createContentCryptoMaterial(AmazonWebServiceRequest req) Creates and returns a non-null content crypto material for the given request.- Throws:
AmazonClientException
- if no encryption material can be found.
-
putLocalObjectSecurely
public final void putLocalObjectSecurely(UploadObjectRequest reqIn, String uploadId, OutputStream os) throws IOException - Specified by:
putLocalObjectSecurely
in classS3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
uploadId
- multipart upload idos
- output stream which will be closed upon method completion.- Throws:
IOException
-
generateCEK
- Parameters:
kekMaterials
- non-null encryption materials
-
wrapWithCipher
protected final <R extends AbstractPutObjectRequest> R wrapWithCipher(R request, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial) Returns the givenPutObjectRequest
but has the content as input stream wrapped with a cipher, and configured with some meta data and user metadata. -
plaintextLength
Returns the plaintext length from the request and metadata; or -1 if unknown. -
getS3CryptoScheme
public final com.amazonaws.services.s3.internal.crypto.S3CryptoScheme getS3CryptoScheme() -
updateInstructionPutRequest
protected final PutObjectRequest updateInstructionPutRequest(PutObjectRequest req, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial) Updates put request to store the specified instruction object in S3.- Parameters:
req
- The put-instruction-file request for the instruction file to be stored in S3.cekMaterial
- The instruction object to be stored in S3.- Returns:
- A put request to store the specified instruction object in S3.
-
createInstructionPutRequest
protected final PutObjectRequest createInstructionPutRequest(String bucketName, String key, com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial) -
securityCheck
protected void securityCheck(com.amazonaws.services.s3.internal.crypto.ContentCryptoMaterial cekMaterial, com.amazonaws.services.s3.internal.crypto.S3ObjectWrapper retrieved) Checks if the the crypto scheme used in the given content crypto material is allowed to be used in this crypto module. Default is no-op. Subclass may override.- Throws:
SecurityException
- if the crypto scheme used in the given content crypto material is not allowed in this crypto module.
-
putInstructionFileSecurely
- Specified by:
putInstructionFileSecurely
in classS3CryptoModule<T extends com.amazonaws.services.s3.internal.crypto.MultipartUploadCryptoContext>
- Returns:
- the result of putting the instruction file in S3; or null if the
specified S3 object doesn't exist. The S3 object can be
subsequently retrieved using the new instruction file via the
usual get operation by specifying a
EncryptedGetObjectRequest
.
-