feat: implement CBC decryption in async getObject (#59)

* feat: implement getObject async

Author: kessplas

src/main/java/software/amazon/encryption/s3/internal/GetEncryptedObjectPipeline.java

@@ -1,7 +1,6 @@
 package software.amazon.encryption.s3.internal;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-
 import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.core.async.AsyncResponseTransformer;
 import software.amazon.awssdk.core.async.SdkPublisher;
@@ -23,6 +22,7 @@
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import java.io.InputStream;
 import java.nio.ByteBuffer;
@@ -64,29 +64,6 @@ public <T> CompletableFuture<T> getObject(GetObjectRequest getObjectRequest, Asy
                 getObjectRequest));
     }
 
-    /**
-     * This helps reduce code duplication between async and default getObject implementations.
-     */
-    private DecryptionMaterials prepareMaterialsFromRequest(final GetObjectRequest getObjectRequest, final GetObjectResponse getObjectResponse,
-                                                            final ContentMetadata contentMetadata) {
-        AlgorithmSuite algorithmSuite = contentMetadata.algorithmSuite();
-        if (!_enableLegacyUnauthenticatedModes && algorithmSuite.isLegacy()) {
-            throw new S3EncryptionClientException("Enable legacy unauthenticated modes to use legacy content decryption: " + algorithmSuite.cipherName());
-        }
-
-        List<EncryptedDataKey> encryptedDataKeys = Collections.singletonList(contentMetadata.encryptedDataKey());
-
-        DecryptMaterialsRequest materialsRequest = DecryptMaterialsRequest.builder()
-                .s3Request(getObjectRequest)
-                .algorithmSuite(algorithmSuite)
-                .encryptedDataKeys(encryptedDataKeys)
-                .encryptionContext(contentMetadata.encryptedDataKeyContext())
-                .ciphertextLength(getObjectResponse.contentLength())
-                .build();
-
-        return _cryptoMaterialsManager.decryptMaterials(materialsRequest);
-    }
-
     public <T> T getObject(GetObjectRequest getObjectRequest,
                            ResponseTransformer<GetObjectResponse, T> responseTransformer) {
         ResponseInputStream<GetObjectResponse> objectStream;
@@ -114,6 +91,29 @@ public <T> T getObject(GetObjectRequest getObjectRequest,
         }
     }
 
+    /**
+     * This helps reduce code duplication between async and default getObject implementations.
+     */
+    private DecryptionMaterials prepareMaterialsFromRequest(final GetObjectRequest getObjectRequest, final GetObjectResponse getObjectResponse,
+                                                            final ContentMetadata contentMetadata) {
+        AlgorithmSuite algorithmSuite = contentMetadata.algorithmSuite();
+        if (!_enableLegacyUnauthenticatedModes && algorithmSuite.isLegacy()) {
+            throw new S3EncryptionClientException("Enable legacy unauthenticated modes to use legacy content decryption: " + algorithmSuite.cipherName());
+        }
+
+        List<EncryptedDataKey> encryptedDataKeys = Collections.singletonList(contentMetadata.encryptedDataKey());
+
+        DecryptMaterialsRequest materialsRequest = DecryptMaterialsRequest.builder()
+                .s3Request(getObjectRequest)
+                .algorithmSuite(algorithmSuite)
+                .encryptedDataKeys(encryptedDataKeys)
+                .encryptionContext(contentMetadata.encryptedDataKeyContext())
+                .ciphertextLength(getObjectResponse.contentLength())
+                .build();
+
+        return _cryptoMaterialsManager.decryptMaterials(materialsRequest);
+    }
+
     private ContentDecryptionStrategy selectContentDecryptionStrategy(final DecryptionMaterials materials) {
         switch (materials.algorithmSuite()) {
             case ALG_AES_256_CBC_IV16_NO_KDF:
@@ -161,6 +161,9 @@ public CompletableFuture<T> prepare() {
         @Override
         public void onResponse(GetObjectResponse response) {
             getObjectResponse = response;
+            if (!_enableLegacyUnauthenticatedModes && getObjectRequest.range() != null) {
+                throw new S3EncryptionClientException("Enable legacy unauthenticated modes to use Ranged Get.");
+            }
             // TODO: Implement instruction file handling - this is a bit less intuitive in async
             contentMetadata = ContentMetadataStrategy.decode(null, getObjectRequest, response);
             materials = prepareMaterialsFromRequest(getObjectRequest, response, contentMetadata);
@@ -180,7 +183,18 @@ public void onStream(SdkPublisher<ByteBuffer> ciphertextPublisher) {
             byte[] iv = contentMetadata.contentNonce();
             try {
                 final Cipher cipher = CryptoFactory.createCipher(algorithmSuite.cipherName(), materials.cryptoProvider());
-                cipher.init(Cipher.DECRYPT_MODE, contentKey, new GCMParameterSpec(tagLength, iv));
+                switch (algorithmSuite) {
+                    case ALG_AES_256_GCM_IV12_TAG16_NO_KDF:
+                        cipher.init(Cipher.DECRYPT_MODE, contentKey, new GCMParameterSpec(tagLength, iv));
+                        break;
+                    case ALG_AES_256_CBC_IV16_NO_KDF:
+                        cipher.init(Cipher.DECRYPT_MODE, contentKey, new IvParameterSpec(iv));
+                        break;
+                    case ALG_AES_256_CTR_IV16_TAG16_NO_KDF:
+                        // TODO: Ranged Get
+                    default:
+                        throw new S3EncryptionClientException("Unknown algorithm: " + algorithmSuite.cipherName());
+                }
 
                 CipherPublisher plaintextPublisher = new CipherPublisher(cipher, ciphertextPublisher, getObjectResponse.contentLength());
                 wrappedAsyncResponseTransformer.onStream(plaintextPublisher);

src/test/java/software/amazon/encryption/s3/S3AsyncEncryptionClientTest.java

@@ -1,7 +1,10 @@
 package software.amazon.encryption.s3;
 
+import com.amazonaws.services.s3.AmazonS3Encryption;
+import com.amazonaws.services.s3.AmazonS3EncryptionClient;
 import com.amazonaws.services.s3.AmazonS3EncryptionClientV2;
 import com.amazonaws.services.s3.AmazonS3EncryptionV2;
+import com.amazonaws.services.s3.model.CryptoConfiguration;
 import com.amazonaws.services.s3.model.CryptoConfigurationV2;
 import com.amazonaws.services.s3.model.CryptoMode;
 import com.amazonaws.services.s3.model.CryptoStorageMode;
@@ -78,6 +81,42 @@ public void putDefaultGetAsync() {
         v3AsyncClient.close();
     }
 
+    @Test
+    public void aesCbcV1toV3Async() {
+        final String objectKey = "aes-cbc-v1-to-v3-async";
+
+        // V1 Client
+        EncryptionMaterialsProvider materialsProvider =
+                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
+        CryptoConfiguration v1CryptoConfig =
+                new CryptoConfiguration();
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+                .withCryptoConfiguration(v1CryptoConfig)
+                .withEncryptionMaterials(materialsProvider)
+                .build();
+
+        final String input = "0bcdefghijklmnopqrst0BCDEFGHIJKLMNOPQRST";
+
+        v1Client.putObject(BUCKET, objectKey, input);
+
+        // V3 Client
+        S3AsyncClient v3Client = S3AsyncEncryptionClient.builder()
+                .aesKey(AES_KEY)
+                .enableLegacyUnauthenticatedModes(true)
+                .build();
+
+        CompletableFuture<ResponseBytes<GetObjectResponse>> futureResponse = v3Client.getObject(builder -> builder
+                .bucket(BUCKET)
+                .key(objectKey), AsyncResponseTransformer.toBytes());
+        ResponseBytes<GetObjectResponse> response = futureResponse.join();
+        String output = response.asUtf8String();
+        assertEquals(input, output);
+
+        // Cleanup
+        deleteObject(BUCKET, objectKey, v3Client);
+        v3Client.close();
+    }
+
     @Test
     public void deleteObjectWithInstructionFileSuccessAsync() {
         final String objectKey = "async-delete-object-with-instruction-file";