Skip malformed arns in OnDecrypt instead of failing

Author: WesleyRosenblum

src/main/java/com/amazonaws/encryptionsdk/keyrings/KmsKeyring.java

@@ -127,16 +127,9 @@ public void onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends En
             return;
         }
 
-        if (!encryptedDataKeys.stream()
-                .filter(edk -> edk.getProviderId().equals(KMS_PROVIDER_ID))
-                .map(edk -> new String(edk.getProviderInformation(), PROVIDER_ENCODING))
-                .allMatch(KmsUtils::isArnWellFormed)) {
-            throw new MalformedArnException("encryptedDataKeys contains a malformed ARN");
-        }
-
         final Set<String> configuredKeyIds = new HashSet<>(keyIds);
 
-        if(generatorKeyId != null) {
+        if (generatorKeyId != null) {
             configuredKeyIds.add(generatorKeyId);
         }
 
@@ -163,6 +156,12 @@ private boolean okToDecrypt(EncryptedDataKey encryptedDataKey, Set<String> confi
             return false;
         }
 
+        // If the key ARN cannot be parsed, skip it
+        if(!isArnWellFormed(new String(encryptedDataKey.getProviderInformation(), PROVIDER_ENCODING)))
+        {
+            return false;
+        }
+
         // If this keyring is a discovery keyring, OnDecrypt MUST attempt to
         // decrypt every encrypted data key in the input encrypted data key list
         if (isDiscovery) {

src/test/java/com/amazonaws/encryptionsdk/keyrings/KmsKeyringTest.java

@@ -104,7 +104,10 @@ void testMalformedArns() {
 
         List<EncryptedDataKey> encryptedDataKeys = new ArrayList<>();
         encryptedDataKeys.add(new KeyBlob(KMS_PROVIDER_ID, "badArn".getBytes(PROVIDER_ENCODING), new byte[]{}));
-        assertThrows(MalformedArnException.class, () -> keyring.onDecrypt(decryptionMaterials, encryptedDataKeys));
+        encryptedDataKeys.add(ENCRYPTED_KEY_1);
+
+        keyring.onDecrypt(decryptionMaterials, encryptedDataKeys);
+        assertEquals(PLAINTEXT_DATA_KEY, decryptionMaterials.getPlaintextDataKey());
 
         // Malformed Arn for a non KMS provider shouldn't fail
         encryptedDataKeys.clear();