java_src/src/main/java/com/google/crypto/tink/integration/awskms/AwsKmsAead.java - third_party/tink - Git at Google

 // Copyright 2017 Google Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ////////////////////////////////////////////////////////////////////////////////

 package com.google.crypto.tink.integration.awskms;

 import com.amazonaws.AmazonServiceException;
 import com.amazonaws.services.kms.AWSKMS;
 import com.amazonaws.services.kms.model.DecryptRequest;
 import com.amazonaws.services.kms.model.DecryptResult;
 import com.amazonaws.services.kms.model.EncryptRequest;
 import com.amazonaws.util.BinaryUtils;
 import com.google.crypto.tink.Aead;
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;

 /**
  * A {@link Aead} that forwards encryption/decryption requests to a key in <a
  * href="https://aws.amazon.com/kms/">AWS KMS</a>.
  *
  * @since 1.0.0
  */
 public final class AwsKmsAead implements Aead {

   /** This client knows how to talk to AWS KMS. */
   private final AWSKMS kmsClient;

   // The location of a crypto key in AWS KMS, without the aws-kms:// prefix.
   private final String keyArn;

   public AwsKmsAead(AWSKMS kmsClient, String keyUri) throws GeneralSecurityException {
     this.kmsClient = kmsClient;
     this.keyArn = keyUri;
   }

   @Override
   public byte[] encrypt(final byte[] plaintext, final byte[] associatedData)
       throws GeneralSecurityException {
     try {
       EncryptRequest req =
           new EncryptRequest().withKeyId(keyArn).withPlaintext(ByteBuffer.wrap(plaintext));
       if (associatedData != null && associatedData.length != 0) {
         req = req.addEncryptionContextEntry("associatedData", BinaryUtils.toHex(associatedData));
       }
       return kmsClient.encrypt(req).getCiphertextBlob().array();
     } catch (AmazonServiceException e) {
       throw new GeneralSecurityException("encryption failed", e);
     }
   }

   @Override
   public byte[] decrypt(final byte[] ciphertext, final byte[] associatedData)
       throws GeneralSecurityException {
     try {
       DecryptRequest req = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(ciphertext));
       if (associatedData != null && associatedData.length != 0) {
         req = req.addEncryptionContextEntry("associatedData", BinaryUtils.toHex(associatedData));
       }
       DecryptResult result = kmsClient.decrypt(req);
       if (!result.getKeyId().equals(keyArn)) {
         throw new GeneralSecurityException("decryption failed: wrong key id");
       }
       return result.getPlaintext().array();
     } catch (AmazonServiceException e) {
       throw new GeneralSecurityException("decryption failed", e);
     }
   }
 }
	// Copyright 2017 Google Inc.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	////////////////////////////////////////////////////////////////////////////////

	package com.google.crypto.tink.integration.awskms;

	import com.amazonaws.AmazonServiceException;
	import com.amazonaws.services.kms.AWSKMS;
	import com.amazonaws.services.kms.model.DecryptRequest;
	import com.amazonaws.services.kms.model.DecryptResult;
	import com.amazonaws.services.kms.model.EncryptRequest;
	import com.amazonaws.util.BinaryUtils;
	import com.google.crypto.tink.Aead;
	import java.nio.ByteBuffer;
	import java.security.GeneralSecurityException;

	/**
	* A {@link Aead} that forwards encryption/decryption requests to a key in <a
	* href="https://aws.amazon.com/kms/">AWS KMS</a>.
	*
	* @since 1.0.0
	*/
	public final class AwsKmsAead implements Aead {

	/** This client knows how to talk to AWS KMS. */
	private final AWSKMS kmsClient;

	// The location of a crypto key in AWS KMS, without the aws-kms:// prefix.
	private final String keyArn;

	public AwsKmsAead(AWSKMS kmsClient, String keyUri) throws GeneralSecurityException {
	this.kmsClient = kmsClient;
	this.keyArn = keyUri;
	}

	@Override
	public byte[] encrypt(final byte[] plaintext, final byte[] associatedData)
	throws GeneralSecurityException {
	try {
	EncryptRequest req =
	new EncryptRequest().withKeyId(keyArn).withPlaintext(ByteBuffer.wrap(plaintext));
	if (associatedData != null && associatedData.length != 0) {
	req = req.addEncryptionContextEntry("associatedData", BinaryUtils.toHex(associatedData));
	}
	return kmsClient.encrypt(req).getCiphertextBlob().array();
	} catch (AmazonServiceException e) {
	throw new GeneralSecurityException("encryption failed", e);
	}
	}

	@Override
	public byte[] decrypt(final byte[] ciphertext, final byte[] associatedData)
	throws GeneralSecurityException {
	try {
	DecryptRequest req = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(ciphertext));
	if (associatedData != null && associatedData.length != 0) {
	req = req.addEncryptionContextEntry("associatedData", BinaryUtils.toHex(associatedData));
	}
	DecryptResult result = kmsClient.decrypt(req);
	if (!result.getKeyId().equals(keyArn)) {
	throw new GeneralSecurityException("decryption failed: wrong key id");
	}
	return result.getPlaintext().array();
	} catch (AmazonServiceException e) {
	throw new GeneralSecurityException("decryption failed", e);
	}
	}
	}