Make EncryptionMaterials, DecryptionMaterials and KeyringTrace immutable

Author: WesleyRosenblum

src/main/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManager.java

@@ -137,9 +137,7 @@ private EncryptionMaterials getEncryptionMaterialsForKeyring(EncryptionMaterials
                         .setTrailingSignatureKey(signingKey)
                         .build();
 
-        keyring.onEncrypt(encryptionMaterials);
-
-        return encryptionMaterials;
+        return keyring.onEncrypt(encryptionMaterials);
     }
 
     private DecryptionMaterials getDecryptionMaterialsForKeyring(DecryptionMaterialsRequest request) {
@@ -152,13 +150,13 @@ private DecryptionMaterials getDecryptionMaterialsForKeyring(DecryptionMaterials
                         .setTrailingSignatureKey(verificationKey)
                         .build();
 
-        keyring.onDecrypt(decryptionMaterials, request.getEncryptedDataKeys());
+        final DecryptionMaterials result = keyring.onDecrypt(decryptionMaterials, request.getEncryptedDataKeys());
 
-        if(!decryptionMaterials.hasCleartextDataKey()) {
+        if(!result.hasCleartextDataKey()) {
             throw new CannotUnwrapDataKeyException("Could not decrypt any data keys");
         }
 
-        return decryptionMaterials;
+        return result;
     }
 
     private PrivateKey getSigningKey(CryptoAlgorithm algorithmSuite, Map<String, String> encryptionContext) {

src/main/java/com/amazonaws/encryptionsdk/keyrings/Keyring.java

@@ -27,16 +27,18 @@ public interface Keyring {
     /**
      * Attempt to encrypt either the given data key (if present) or one that may be generated
      *
-     * @param encryptionMaterials Materials needed for encryption that the keyring may modify.
+     * @param encryptionMaterials Materials needed for encryption.
+     * @return Encryption materials with added information provided by this keyring.
      */
-    void onEncrypt(EncryptionMaterials encryptionMaterials);
+    EncryptionMaterials onEncrypt(EncryptionMaterials encryptionMaterials);
 
     /**
      * Attempt to decrypt the encrypted data keys
      *
-     * @param decryptionMaterials Materials needed for decryption that the keyring may modify.
+     * @param decryptionMaterials Materials needed for decryption.
      * @param encryptedDataKeys   List of encrypted data keys.
+     * @return Decryption materials with added information provided by this keyring.
      */
-    void onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends EncryptedDataKey> encryptedDataKeys);
+    DecryptionMaterials onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends EncryptedDataKey> encryptedDataKeys);
 
 }

src/main/java/com/amazonaws/encryptionsdk/keyrings/KeyringTrace.java

@@ -17,35 +17,34 @@
 import org.apache.commons.lang3.builder.ToStringStyle;
 
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
+import java.util.Objects;
+
+import static java.util.Collections.emptyList;
+import static java.util.Collections.unmodifiableList;
 
 /**
  * A keyring trace containing all of the actions that keyrings have taken on a set of encryption materials.
  */
 public class KeyringTrace {
 
-    private final List<KeyringTraceEntry> entries = new ArrayList<>();
+    private final List<KeyringTraceEntry> entries;
+    public static final KeyringTrace EMPTY_TRACE = new KeyringTrace(emptyList());
 
-    /**
-     * Add a new entry to the keyring trace.
-     *
-     * @param keyNamespace The namespace for the key.
-     * @param keyName      The name of the key.
-     * @param flags        A set of one or more KeyringTraceFlag enums
-     *                     indicating what actions were taken by a keyring.
-     */
-    public void add(String keyNamespace, String keyName, KeyringTraceFlag... flags) {
-        add(new KeyringTraceEntry(keyNamespace, keyName, flags));
+    public KeyringTrace(final List<KeyringTraceEntry> entries) {
+        this.entries = unmodifiableList(new ArrayList<>(entries));
     }
 
     /**
-     * Add a new entry to the keyring trace.
+     * Creates a new instance of {@code KeyringTrace} with the provided {@link KeyringTraceEntry}.
      *
-     * @param entry The entry to add.
+     * @param entry The entry to include in the new {@code KeyringTrace}.
+     * @return The new {@code KeyringTrace} instance.
      */
-    public void add(KeyringTraceEntry entry) {
-        entries.add(entry);
+    public KeyringTrace with(KeyringTraceEntry entry) {
+        final List<KeyringTraceEntry> newEntries = new ArrayList<>(entries);
+        newEntries.add(entry);
+        return new KeyringTrace(newEntries);
     }
 
     /**
@@ -56,7 +55,7 @@ public void add(KeyringTraceEntry entry) {
      * @return An unmodifiable list of `KeyringTraceEntry`s
      */
     public List<KeyringTraceEntry> getEntries() {
-        return Collections.unmodifiableList(entries);
+        return entries;
     }
 
     @Override
@@ -65,4 +64,17 @@ public String toString() {
                 .append("entries", entries)
                 .toString();
     }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        KeyringTrace that = (KeyringTrace) o;
+        return Objects.equals(entries, that.entries);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(entries);
+    }
 }

src/main/java/com/amazonaws/encryptionsdk/keyrings/KmsKeyring.java

@@ -70,14 +70,16 @@ class KmsKeyring implements Keyring {
     }
 
     @Override
-    public void onEncrypt(EncryptionMaterials encryptionMaterials) {
+    public EncryptionMaterials onEncrypt(EncryptionMaterials encryptionMaterials) {
         requireNonNull(encryptionMaterials, "encryptionMaterials are required");
 
         // If this keyring is a discovery keyring, OnEncrypt MUST return the input encryption materials unmodified.
         if (isDiscovery) {
-            return;
+            return encryptionMaterials;
         }
 
+        EncryptionMaterials resultMaterials = encryptionMaterials;
+
         // If the input encryption materials do not contain a plaintext data key and this keyring does not
         // have a generator defined, OnEncrypt MUST not modify the encryption materials and MUST fail.
         if (!encryptionMaterials.hasCleartextDataKey() && generatorKeyId == null) {
@@ -89,7 +91,7 @@ public void onEncrypt(EncryptionMaterials encryptionMaterials) {
         // If the input encryption materials do not contain a plaintext data key and a generator is defined onEncrypt
         // MUST attempt to generate a new plaintext data key and encrypt that data key by calling KMS GenerateDataKey.
         if (!encryptionMaterials.hasCleartextDataKey()) {
-            generateDataKey(encryptionMaterials);
+            resultMaterials = generateDataKey(encryptionMaterials);
         } else if (generatorKeyId != null) {
             // If this keyring's generator is defined and was not used to generate a data key, OnEncrypt
             // MUST also attempt to encrypt the plaintext data key using the CMK specified by the generator.
@@ -99,35 +101,38 @@ public void onEncrypt(EncryptionMaterials encryptionMaterials) {
         // Given a plaintext data key in the encryption materials, OnEncrypt MUST attempt
         // to encrypt the plaintext data key using each CMK specified in it's key IDs list.
         for (String keyId : keyIdsToEncrypt) {
-            encryptDataKey(keyId, encryptionMaterials);
+            resultMaterials = encryptDataKey(keyId, resultMaterials);
         }
+
+        return resultMaterials;
     }
 
-    private void generateDataKey(final EncryptionMaterials encryptionMaterials) {
+    private EncryptionMaterials generateDataKey(final EncryptionMaterials encryptionMaterials) {
         final GenerateDataKeyResult result = dataKeyEncryptionDao.generateDataKey(generatorKeyId,
                 encryptionMaterials.getAlgorithm(), encryptionMaterials.getEncryptionContext());
 
-        encryptionMaterials.setCleartextDataKey(result.getPlaintextDataKey(),
-                new KeyringTraceEntry(KMS_PROVIDER_ID, generatorKeyId, KeyringTraceFlag.GENERATED_DATA_KEY));
-        encryptionMaterials.addEncryptedDataKey(new KeyBlob(result.getEncryptedDataKey()),
-                new KeyringTraceEntry(KMS_PROVIDER_ID, generatorKeyId, KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT));
+        return encryptionMaterials
+                .withCleartextDataKey(result.getPlaintextDataKey(),
+                        new KeyringTraceEntry(KMS_PROVIDER_ID, generatorKeyId, KeyringTraceFlag.GENERATED_DATA_KEY))
+                .withEncryptedDataKey(new KeyBlob(result.getEncryptedDataKey()),
+                        new KeyringTraceEntry(KMS_PROVIDER_ID, generatorKeyId, KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT));
     }
 
-    private void encryptDataKey(final String keyId, final EncryptionMaterials encryptionMaterials) {
+    private EncryptionMaterials encryptDataKey(final String keyId, final EncryptionMaterials encryptionMaterials) {
         final EncryptedDataKey encryptedDataKey = dataKeyEncryptionDao.encryptDataKey(keyId,
                 encryptionMaterials.getCleartextDataKey(), encryptionMaterials.getEncryptionContext());
 
-        encryptionMaterials.addEncryptedDataKey(new KeyBlob(encryptedDataKey),
+        return encryptionMaterials.withEncryptedDataKey(new KeyBlob(encryptedDataKey),
                 new KeyringTraceEntry(KMS_PROVIDER_ID, keyId, KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT));
     }
 
     @Override
-    public void onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends EncryptedDataKey> encryptedDataKeys) {
+    public DecryptionMaterials onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends EncryptedDataKey> encryptedDataKeys) {
         requireNonNull(decryptionMaterials, "decryptionMaterials are required");
         requireNonNull(encryptedDataKeys, "encryptedDataKeys are required");
 
         if (decryptionMaterials.hasCleartextDataKey() || encryptedDataKeys.isEmpty()) {
-            return;
+            return decryptionMaterials;
         }
 
         final Set<String> configuredKeyIds = new HashSet<>(keyIds);
@@ -142,15 +147,16 @@ public void onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends En
                     final DecryptDataKeyResult result = dataKeyEncryptionDao.decryptDataKey(encryptedDataKey,
                             decryptionMaterials.getAlgorithm(), decryptionMaterials.getEncryptionContext());
 
-                    decryptionMaterials.setCleartextDataKey(result.getPlaintextDataKey(),
+                    return decryptionMaterials.withCleartextDataKey(result.getPlaintextDataKey(),
                             new KeyringTraceEntry(KMS_PROVIDER_ID, result.getKeyArn(),
                                     KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT));
-                    return;
                 } catch (CannotUnwrapDataKeyException e) {
                     continue;
                 }
             }
         }
+
+        return decryptionMaterials;
     }
 
     private boolean okToDecrypt(EncryptedDataKey encryptedDataKey, Set<String> configuredKeyIds) {

src/main/java/com/amazonaws/encryptionsdk/keyrings/MultiKeyring.java

@@ -45,30 +45,34 @@ class MultiKeyring implements Keyring {
     }
 
     @Override
-    public void onEncrypt(EncryptionMaterials encryptionMaterials) {
+    public EncryptionMaterials onEncrypt(EncryptionMaterials encryptionMaterials) {
         requireNonNull(encryptionMaterials, "encryptionMaterials are required");
 
+        EncryptionMaterials resultMaterials = encryptionMaterials;
+
         if (generatorKeyring != null) {
-            generatorKeyring.onEncrypt(encryptionMaterials);
+            resultMaterials = generatorKeyring.onEncrypt(encryptionMaterials);
         }
 
-        if (!encryptionMaterials.hasCleartextDataKey()) {
+        if (!resultMaterials.hasCleartextDataKey()) {
             throw new AwsCryptoException("Either a generator keyring must be supplied that produces a cleartext " +
                     "data key or a cleartext data key must already be present in the encryption materials.");
         }
 
         for (Keyring keyring : childrenKeyrings) {
-            keyring.onEncrypt(encryptionMaterials);
+            resultMaterials = keyring.onEncrypt(resultMaterials);
         }
+
+        return resultMaterials;
     }
 
     @Override
-    public void onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends EncryptedDataKey> encryptedDataKeys) {
+    public DecryptionMaterials onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends EncryptedDataKey> encryptedDataKeys) {
         requireNonNull(decryptionMaterials, "decryptionMaterials are required");
         requireNonNull(encryptedDataKeys, "encryptedDataKeys are required");
 
         if (decryptionMaterials.hasCleartextDataKey()) {
-            return;
+            return decryptionMaterials;
         }
 
         final List<Keyring> keyringsToDecryptWith = new ArrayList<>();
@@ -83,11 +87,11 @@ public void onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends En
 
         for (Keyring keyring : keyringsToDecryptWith) {
             try {
-                keyring.onDecrypt(decryptionMaterials, encryptedDataKeys);
+                final DecryptionMaterials resultMaterials = keyring.onDecrypt(decryptionMaterials, encryptedDataKeys);
 
-                if (decryptionMaterials.hasCleartextDataKey()) {
+                if (resultMaterials.hasCleartextDataKey()) {
                     // Decryption succeeded, return immediately
-                    return;
+                    return resultMaterials;
                 }
             } catch (Exception e) {
                 exceptions.add(e);
@@ -100,5 +104,7 @@ public void onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends En
             exceptions.forEach(exception::addSuppressed);
             throw exception;
         }
+
+        return decryptionMaterials;
     }
 }

src/main/java/com/amazonaws/encryptionsdk/keyrings/RawKeyring.java

@@ -65,53 +65,54 @@ abstract class RawKeyring implements Keyring {
     abstract boolean validToDecrypt(EncryptedDataKey encryptedDataKey);
 
     @Override
-    public void onEncrypt(EncryptionMaterials encryptionMaterials) {
+    public EncryptionMaterials onEncrypt(EncryptionMaterials encryptionMaterials) {
         requireNonNull(encryptionMaterials, "encryptionMaterials are required");
 
+        EncryptionMaterials resultMaterials = encryptionMaterials;
+
         if (!encryptionMaterials.hasCleartextDataKey()) {
-            generateDataKey(encryptionMaterials);
+            resultMaterials = generateDataKey(encryptionMaterials);
         }
 
         final EncryptedDataKey encryptedDataKey = jceKeyCipher.encryptKey(
-                encryptionMaterials.getCleartextDataKey().getEncoded(),
-                keyName, keyNamespace, encryptionMaterials.getEncryptionContext());
-        encryptionMaterials.addEncryptedDataKey(new KeyBlob(encryptedDataKey),
+                resultMaterials.getCleartextDataKey().getEncoded(),
+                keyName, keyNamespace, resultMaterials.getEncryptionContext());
+        return resultMaterials.withEncryptedDataKey(new KeyBlob(encryptedDataKey),
                 new KeyringTraceEntry(keyNamespace, keyName, encryptTraceFlags()));
     }
 
     @Override
-    public void onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends EncryptedDataKey> encryptedDataKeys) {
+    public DecryptionMaterials onDecrypt(DecryptionMaterials decryptionMaterials, List<? extends EncryptedDataKey> encryptedDataKeys) {
         requireNonNull(decryptionMaterials, "decryptionMaterials are required");
         requireNonNull(encryptedDataKeys, "encryptedDataKeys are required");
 
         if (decryptionMaterials.hasCleartextDataKey() || encryptedDataKeys.isEmpty()) {
-            return;
+            return decryptionMaterials;
         }
 
         for (EncryptedDataKey encryptedDataKey : encryptedDataKeys) {
             if (validToDecrypt(encryptedDataKey)) {
                 try {
                     final byte[] decryptedKey = jceKeyCipher.decryptKey(
                             encryptedDataKey, keyName, decryptionMaterials.getEncryptionContext());
-                    decryptionMaterials.setCleartextDataKey(
+                    return decryptionMaterials.withCleartextDataKey(
                             new SecretKeySpec(decryptedKey, decryptionMaterials.getAlgorithm().getDataKeyAlgo()),
                             new KeyringTraceEntry(keyNamespace, keyName, decryptTraceFlags()));
-                    return;
                 } catch (Exception e) {
                     LOGGER.info("Could not decrypt key due to: " + e.getMessage());
                 }
             }
         }
 
-        LOGGER.warning("Could not decrypt any data keys");
+        return decryptionMaterials;
     }
 
-    private void generateDataKey(EncryptionMaterials encryptionMaterials) {
+    private EncryptionMaterials generateDataKey(EncryptionMaterials encryptionMaterials) {
         final byte[] rawKey = new byte[encryptionMaterials.getAlgorithm().getDataKeyLength()];
         Utils.getSecureRandom().nextBytes(rawKey);
         final SecretKey key = new SecretKeySpec(rawKey, encryptionMaterials.getAlgorithm().getDataKeyAlgo());
 
-        encryptionMaterials.setCleartextDataKey(key, new KeyringTraceEntry(keyNamespace, keyName, GENERATED_DATA_KEY));
+        return encryptionMaterials.withCleartextDataKey(key, new KeyringTraceEntry(keyNamespace, keyName, GENERATED_DATA_KEY));
     }
 
     private KeyringTraceFlag[] encryptTraceFlags() {

src/main/java/com/amazonaws/encryptionsdk/keyrings/StandardKeyrings.java

@@ -66,13 +66,14 @@ public static Keyring rawRsa(String keyNamespace, String keyName, PublicKey publ
      * @param clientSupplier    A function that returns a KMS client that can make GenerateDataKey,
      *                          Encrypt, and Decrypt calls in a particular AWS region.
      * @param grantTokens       A list of string grant tokens to be included in all KMS calls.
-     * @param keyIds            A list of strings identifying KMS CMKs, in ARN, CMK Alias, or ARN Alias format.
-     * @param generator         A string that identifies a KMS CMK responsible for generating a data key,
+     * @param keyIds            A list of strings identifying KMS CMKs used for encrypting and decrypting data keys in
+     *                          ARN, CMK Alias, or ARN Alias format.
+     * @param generatorKeyId    A string that identifies a KMS CMK responsible for generating a data key,
      *                          as well as encrypting and decrypting data keys in ARN, CMK Alias, or ARN Alias format.
      * @return The {@code Keyring}
      */
-    public static Keyring kms(KmsClientSupplier clientSupplier, List<String> grantTokens, List<String> keyIds, String generator) {
-        return new KmsKeyring(DataKeyEncryptionDao.kms(clientSupplier, grantTokens), keyIds, generator);
+    public static Keyring kms(KmsClientSupplier clientSupplier, List<String> grantTokens, List<String> keyIds, String generatorKeyId) {
+        return new KmsKeyring(DataKeyEncryptionDao.kms(clientSupplier, grantTokens), keyIds, generatorKeyId);
     }
 
     /**