Limit ability to create discovery AWS KMS Keyrings to explicit creation

Author: WesleyRosenblum

src/main/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsKeyring.java

@@ -23,6 +23,7 @@
 import com.amazonaws.encryptionsdk.model.DecryptionMaterials;
 import com.amazonaws.encryptionsdk.model.EncryptionMaterials;
 import com.amazonaws.encryptionsdk.model.KeyBlob;
+import org.apache.commons.lang3.Validate;
 
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -47,12 +48,20 @@ class AwsKmsKeyring implements Keyring {
     private final AwsKmsCmkId generatorKeyId;
     private final boolean isDiscovery;
 
-    AwsKmsKeyring(DataKeyEncryptionDao dataKeyEncryptionDao, List<AwsKmsCmkId> keyIds, AwsKmsCmkId generatorKeyId) {
+    AwsKmsKeyring(DataKeyEncryptionDao dataKeyEncryptionDao, List<AwsKmsCmkId> keyIds, AwsKmsCmkId generatorKeyId, boolean isDiscovery) {
         requireNonNull(dataKeyEncryptionDao, "dataKeyEncryptionDao is required");
         this.dataKeyEncryptionDao = dataKeyEncryptionDao;
         this.keyIds = keyIds == null ? emptyList() : unmodifiableList(new ArrayList<>(keyIds));
         this.generatorKeyId = generatorKeyId;
-        this.isDiscovery = this.generatorKeyId == null && this.keyIds.isEmpty();
+        this.isDiscovery = isDiscovery;
+
+        if(isDiscovery) {
+            Validate.isTrue(generatorKeyId == null && this.keyIds.isEmpty(),
+                    "AWS KMS Discovery keyrings cannot specify any key IDs");
+        } else {
+            Validate.isTrue(generatorKeyId != null || !this.keyIds.isEmpty(),
+                    "GeneratorKeyId or KeyIds are required for non-discovery AWS KMS Keyrings.");
+        }
 
         if (this.keyIds.contains(generatorKeyId)) {
             throw new IllegalArgumentException("KeyIds should not contain the generatorKeyId");

src/main/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsKeyringBuilder.java

@@ -24,9 +24,13 @@ public class AwsKmsKeyringBuilder {
     private List<String> grantTokens;
     private List<AwsKmsCmkId> keyIds;
     private AwsKmsCmkId generatorKeyId;
+    private final boolean isDiscovery;
 
-    private AwsKmsKeyringBuilder() {
+    private AwsKmsKeyringBuilder(boolean isDiscovery) {
         // Use AwsKmsKeyringBuilder.standard() or StandardKeyrings.awsKms() to instantiate
+        // or AwsKmsKeyringBuilder.discovery() or StandardKeyrings.awsKmsDiscovery() to instantiate
+        // a discovery keyring builder.
+        this.isDiscovery = isDiscovery;
     }
 
     /**
@@ -35,7 +39,18 @@ private AwsKmsKeyringBuilder() {
      * @return The {@code AwsKmsKeyringBuilder}
      */
     public static AwsKmsKeyringBuilder standard() {
-        return new AwsKmsKeyringBuilder();
+        return new AwsKmsKeyringBuilder(false);
+    }
+
+    /**
+     * Constructs a new instance of {@code AwsKmsKeyringBuilder} that produces an AWS KMS Discovery keyring.
+     * AWS KMS Discovery keyrings do not specify any CMKs to decrypt with, and thus will attempt to decrypt
+     * using any encrypted data key in an encrypted message. AWS KMS Discovery keyrings do not perform encryption.
+     *
+     * @return The {@code AwsKmsKeyringBuilder}
+     */
+    public static AwsKmsKeyringBuilder discovery() {
+        return new AwsKmsKeyringBuilder(true);
     }
 
     /**
@@ -98,6 +113,9 @@ public Keyring build() {
         if(awsKmsClientSupplier == null) {
             awsKmsClientSupplier = AwsKmsClientSupplier.builder().build();
         }
-        return new AwsKmsKeyring(DataKeyEncryptionDao.awsKms(awsKmsClientSupplier, grantTokens), keyIds, generatorKeyId);
+
+        return new AwsKmsKeyring(DataKeyEncryptionDao.awsKms(awsKmsClientSupplier, grantTokens),
+                keyIds, generatorKeyId, isDiscovery);
     }
+
 }

src/main/java/com/amazonaws/encryptionsdk/keyrings/StandardKeyrings.java

@@ -76,25 +76,26 @@ public static AwsKmsKeyringBuilder awsKms() {
     }
 
     /**
-     * Constructs a {@code Keyring} which interacts with AWS Key Management Service (KMS) to attempt to
-     * decrypt all data keys provided to it. AWS KMS Discovery keyrings do not perform encryption.
+     * Returns an {@link AwsKmsKeyringBuilder} for use in constructing an AWS KMS Discovery keyring.
+     * AWS KMS Discovery keyrings do not specify any CMKs to decrypt with, and thus will attempt to decrypt
+     * using any encrypted data key in an encrypted message. AWS KMS Discovery keyrings do not perform encryption.
      * <p></p>
-     * To create an AWS KMS Regional Discovery Keyring, use {@link #awsKms()} and the
+     * To create an AWS KMS Regional Discovery Keyring, construct an {@link AwsKmsClientSupplier} using
      * {@link AwsKmsClientSupplier#builder()} to specify which regions to include/exclude.
      * <p></p>
      * For example, to include only CMKs in the us-east-1 region:
      * <pre>
-     * StandardKeyrings.awsKms()
+     * StandardKeyrings.awsKmsDiscovery()
      *             .awsKmsClientSupplier(
      *                     AwsKmsClientSupplier.builder()
      *                     .allowedRegions(Collections.singleton("us-east-1")).build())
      *             .build();
      * </pre>
      *
-     * @return The {@code Keyring}
+     * @return The {@code AwsKmsKeyringBuilder}
      */
-    public static Keyring awsKmsDiscovery() {
-        return AwsKmsKeyringBuilder.standard().build();
+    public static AwsKmsKeyringBuilder awsKmsDiscovery() {
+        return AwsKmsKeyringBuilder.discovery();
     }
 
     /**

src/test/java/com/amazonaws/encryptionsdk/keyrings/AwsKmsKeyringTest.java

@@ -95,7 +95,7 @@ void setup() {
         List<AwsKmsCmkId> keyIds = new ArrayList<>();
         keyIds.add(AwsKmsCmkId.fromString(KEY_ID_1));
         keyIds.add(AwsKmsCmkId.fromString(KEY_ID_2));
-        keyring = new AwsKmsKeyring(dataKeyEncryptionDao, keyIds, AwsKmsCmkId.fromString(GENERATOR_KEY_ID));
+        keyring = new AwsKmsKeyring(dataKeyEncryptionDao, keyIds, AwsKmsCmkId.fromString(GENERATOR_KEY_ID), false);
     }
 
     @Test
@@ -106,23 +106,44 @@ void testMalformedArns() {
                 .build();
 
         List<EncryptedDataKey> encryptedDataKeys = new ArrayList<>();
-        encryptedDataKeys.add(new KeyBlob(AWS_KMS_PROVIDER_ID, "badArn".getBytes(PROVIDER_ENCODING), new byte[]{}));
+        encryptedDataKeys.add(new KeyBlob(AWS_KMS_PROVIDER_ID, "arn:badArn".getBytes(PROVIDER_ENCODING), new byte[]{}));
         encryptedDataKeys.add(ENCRYPTED_KEY_1);
 
         decryptionMaterials = keyring.onDecrypt(decryptionMaterials, encryptedDataKeys);
         assertEquals(PLAINTEXT_DATA_KEY, decryptionMaterials.getCleartextDataKey());
 
+        decryptionMaterials = DecryptionMaterials.newBuilder()
+                .setAlgorithm(ALGORITHM_SUITE)
+                .setEncryptionContext(ENCRYPTION_CONTEXT)
+                .build();
+
         // Malformed Arn for a non KMS provider shouldn't fail
         encryptedDataKeys.clear();
-        encryptedDataKeys.add(new KeyBlob("OtherProviderId", "badArn".getBytes(PROVIDER_ENCODING), new byte[]{}));
-        keyring.onDecrypt(decryptionMaterials, encryptedDataKeys);
+        encryptedDataKeys.add(new KeyBlob("OtherProviderId", "arn:badArn".getBytes(PROVIDER_ENCODING), new byte[]{}));
+        assertFalse(keyring.onDecrypt(decryptionMaterials, encryptedDataKeys).hasCleartextDataKey());
     }
 
     @Test
     void testGeneratorKeyInKeyIds() {
         assertThrows(IllegalArgumentException.class, () -> new AwsKmsKeyring(dataKeyEncryptionDao,
                 Collections.singletonList(AwsKmsCmkId.fromString(GENERATOR_KEY_ID)),
-                AwsKmsCmkId.fromString(GENERATOR_KEY_ID)));
+                AwsKmsCmkId.fromString(GENERATOR_KEY_ID), false));
+    }
+
+    @Test
+    void testNotDiscoveryNoKeysIds() {
+        assertThrows(IllegalArgumentException.class, () -> new AwsKmsKeyring(dataKeyEncryptionDao,
+                null,null, false));
+    }
+
+    @Test
+    void testDiscoveryWithKeyId() {
+        assertThrows(IllegalArgumentException.class, () -> new AwsKmsKeyring(dataKeyEncryptionDao,
+                null,
+                AwsKmsCmkId.fromString(GENERATOR_KEY_ID), true));
+        assertThrows(IllegalArgumentException.class, () -> new AwsKmsKeyring(dataKeyEncryptionDao,
+                Collections.singletonList(AwsKmsCmkId.fromString(GENERATOR_KEY_ID)),
+                null, true));
     }
 
     @Test
@@ -207,7 +228,7 @@ void testEncryptNullGenerator() {
                 .build();
 
         Keyring keyring = new AwsKmsKeyring(dataKeyEncryptionDao,
-                Collections.singletonList(AwsKmsCmkId.fromString(KEY_ID_1)), null);
+                Collections.singletonList(AwsKmsCmkId.fromString(KEY_ID_1)), null, false);
 
         encryptionMaterials = keyring.onEncrypt(encryptionMaterials);
 
@@ -222,7 +243,7 @@ void testEncryptNullGenerator() {
 
     @Test
     void testDiscoveryEncrypt() {
-        keyring = new AwsKmsKeyring(dataKeyEncryptionDao, null, null);
+        keyring = new AwsKmsKeyring(dataKeyEncryptionDao, null, null, true);
 
         EncryptionMaterials encryptionMaterials = EncryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM_SUITE)
@@ -237,7 +258,7 @@ void testDiscoveryEncrypt() {
     @Test
     void testEncryptNoGeneratorOrCleartextDataKey() {
         keyring = new AwsKmsKeyring(dataKeyEncryptionDao,
-                Collections.singletonList(AwsKmsCmkId.fromString(KEY_ID_1)), null);
+                Collections.singletonList(AwsKmsCmkId.fromString(KEY_ID_1)), null, false);
 
         EncryptionMaterials encryptionMaterials = EncryptionMaterials.newBuilder().setAlgorithm(ALGORITHM_SUITE).build();
         assertThrows(AwsCryptoException.class, () -> keyring.onEncrypt(encryptionMaterials));
@@ -297,7 +318,7 @@ void testDecryptFirstKeyWrongProvider() {
 
     @Test
     void testDiscoveryDecrypt() {
-        keyring = new AwsKmsKeyring(dataKeyEncryptionDao, null, null);
+        keyring = new AwsKmsKeyring(dataKeyEncryptionDao, null, null, true);
 
         DecryptionMaterials decryptionMaterials = DecryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM_SUITE)