Package com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials

Class WrappedRawMaterials

java.lang.Object

com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.AbstractRawMaterials

com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.WrappedRawMaterials

All Implemented Interfaces:

CryptographicMaterials, DecryptionMaterials, EncryptionMaterials

Direct Known Subclasses:

AsymmetricRawMaterials

public class WrappedRawMaterials
extends AbstractRawMaterials

Represents cryptographic materials used to manage unique record-level keys. This class specifically implements Envelope Encryption where a unique content key is randomly generated each time this class is constructed which is then encrypted with the Wrapping Key and then persisted in the Description. If a wrapped key is present in the Description, then that content key is unwrapped and used to decrypt the actual data in the record.

Other possibly implementations might use a Key-Derivation Function to derive a unique key per record.

Author:

Greg Rubin

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CONTENT_KEY_ALGORITHM	The key-name in the Description which contains the algorithm used by the content key.
static final String	ENVELOPE_KEY	The key-name in the Description which which contains the wrapped content key.
static final String	KEY_WRAPPING_ALGORITHM	The key-name in the Description which contains the algorithm use to wrap content key.
protected final Key	unwrappingKey
protected final Key	wrappingKey

Constructor Summary

Constructors

Constructor	Description
WrappedRawMaterials(Key wrappingKey, Key unwrappingKey, KeyPair signingPair)
WrappedRawMaterials(Key wrappingKey, Key unwrappingKey, KeyPair signingPair, Map<String,String> description)
WrappedRawMaterials(Key wrappingKey, Key unwrappingKey, SecretKey macKey)
WrappedRawMaterials(Key wrappingKey, Key unwrappingKey, SecretKey macKey, Map<String,String> description)

Method Summary

Modifier and Type	Method	Description
protected SecretKey	generateContentKey(String algorithm)
SecretKey	getDecryptionKey()
SecretKey	getEncryptionKey()
protected SecretKey	initEnvelopeKey()	Called by the constructors.
protected SecretKey	unwrapKey(Map<String,String> description, byte[] encryptedKey, String wrappingAlgorithm)
byte[]	wrapKey(SecretKey key, String wrappingAlg)

Methods inherited from class com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.AbstractRawMaterials

getMaterialDescription, getSigningKey, getVerificationKey, setMaterialDescription

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

KEY_WRAPPING_ALGORITHM

public static final String KEY_WRAPPING_ALGORITHM

The key-name in the Description which contains the algorithm use to wrap content key. Example values are "AESWrap", or "RSA/ECB/OAEPWithSHA-256AndMGF1Padding".

See Also:

• Constant Field Values

CONTENT_KEY_ALGORITHM

public static final String CONTENT_KEY_ALGORITHM

The key-name in the Description which contains the algorithm used by the content key. Example values are "AES", or "Blowfish".

See Also:

• Constant Field Values

ENVELOPE_KEY

public static final String ENVELOPE_KEY

The key-name in the Description which which contains the wrapped content key.

See Also:

• Constant Field Values

wrappingKey

protected final Key wrappingKey

unwrappingKey

protected final Key unwrappingKey

Constructor Details

WrappedRawMaterials

public WrappedRawMaterials(Key wrappingKey,
 Key unwrappingKey,
 KeyPair signingPair)
                    throws GeneralSecurityException

Throws:

GeneralSecurityException

WrappedRawMaterials

public WrappedRawMaterials(Key wrappingKey,
 Key unwrappingKey,
 KeyPair signingPair,
 Map<String,String> description)
                    throws GeneralSecurityException

Throws:

GeneralSecurityException

WrappedRawMaterials

public WrappedRawMaterials(Key wrappingKey,
 Key unwrappingKey,
 SecretKey macKey)
                    throws GeneralSecurityException

Throws:

GeneralSecurityException

WrappedRawMaterials

public WrappedRawMaterials(Key wrappingKey,
 Key unwrappingKey,
 SecretKey macKey,
 Map<String,String> description)
                    throws GeneralSecurityException

Throws:

GeneralSecurityException

Method Details

getDecryptionKey

public SecretKey getDecryptionKey()

getEncryptionKey

public SecretKey getEncryptionKey()

initEnvelopeKey

protected SecretKey initEnvelopeKey()
                             throws GeneralSecurityException

Called by the constructors. If there is already a key associated with this record (usually signified by a value stored in the description in the key ENVELOPE_KEY) it extracts it and returns it. Otherwise it generates a new key, stores a wrapped version in the Description, and returns the key to the caller.

Returns:

the content key (which is returned by both getDecryptionKey() and getEncryptionKey().

Throws:

GeneralSecurityException

wrapKey

public byte[] wrapKey(SecretKey key,
 String wrappingAlg)
               throws NoSuchAlgorithmException,
NoSuchPaddingException,
InvalidKeyException,
IllegalBlockSizeException

Throws:

NoSuchAlgorithmException

NoSuchPaddingException

InvalidKeyException

IllegalBlockSizeException

unwrapKey

protected SecretKey unwrapKey(Map<String,String> description,
 byte[] encryptedKey,
 String wrappingAlgorithm)
                       throws NoSuchAlgorithmException,
NoSuchPaddingException,
InvalidKeyException

Throws:

NoSuchAlgorithmException

NoSuchPaddingException

InvalidKeyException

generateContentKey

protected SecretKey generateContentKey(String algorithm)
                                throws NoSuchAlgorithmException

Throws:

NoSuchAlgorithmException