AWS SDK v2 support

pom.xml

@@ -38,29 +38,31 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>software.amazon.awssdk</groupId>
+                <artifactId>bom</artifactId>
+                <version>2.17.136</version>
+                <optional>true</optional>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
-        <!-- Support AWS SDK v1 -->
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-java-sdk</artifactId>
-            <version>1.12.131</version>
-            <optional>true</optional>
-        </dependency>
-
-        <!-- Support AWS SDK v2 -->
-        <dependency>
-            <groupId>software.amazon.awssdk</groupId>
-            <artifactId>bom</artifactId>
-            <version>2.17.110</version>
+            <version>1.12.146</version>
             <optional>true</optional>
-            <type>pom</type>
-            <scope>import</scope>
         </dependency>
 
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>kms</artifactId>
-            <version>2.17.109</version>
+            <version>2.17.136</version>
             <optional>true</optional>
         </dependency>
 

src/main/java/com/amazonaws/encryptionsdk/internal/VersionInfo.java

@@ -24,13 +24,29 @@ public class VersionInfo {
    * Loads the version of the library
    */
   public static String loadUserAgent() {
+    return USER_AGENT_PREFIX + versionNumber();
+  }
+
+  /**
+   * This returns the API name compatible with the AWS SDK v2
+   *
+   * @return the name of the library with a tag indicating intended for AWS SDK v2
+   */
+  public static String apiName() {
+    return USER_AGENT_PREFIX.substring(0, USER_AGENT_PREFIX.length() - 1);
+  }
+
+  /*
+   * String representation of the library version e.g. 2.3.3
+   */
+  public static String versionNumber() {
     try {
       final Properties properties = new Properties();
       final ClassLoader loader = VersionInfo.class.getClassLoader();
       properties.load(loader.getResourceAsStream("project.properties"));
-      return USER_AGENT_PREFIX + properties.getProperty("version");
+      return properties.getProperty("version");
     } catch (final IOException ex) {
-      return USER_AGENT_PREFIX + UNKNOWN_VERSION;
+      return UNKNOWN_VERSION;
     }
   }
 }

src/main/java/com/amazonaws/encryptionsdk/kms/AwsKmsMrkAwareMasterKey.java

@@ -90,7 +90,6 @@ private AwsKmsMrkAwareMasterKey(
           "AwsKmsMrkAwareMasterKey must be configured with an AWS KMS client.");
     }
 
-    /* Precondition: A provider is required. */
     if (provider == null) {
       throw new IllegalArgumentException(
           "AwsKmsMrkAwareMasterKey must be configured with a source provider.");
@@ -177,7 +176,6 @@ public DataKey<AwsKmsMrkAwareMasterKey> generateDataKey(
     // # The response's "KeyId"
     // # MUST be valid.
     final String gdkResultKeyId = gdkResult.getKeyId();
-    /* Exceptional Postcondition: Must have an AWS KMS ARN from AWS KMS generateDataKey. */
     if (parseInfoFromKeyArn(gdkResultKeyId) == null) {
       throw new IllegalStateException("Received an empty or invalid keyId from KMS");
     }
@@ -212,7 +210,6 @@ public DataKey<AwsKmsMrkAwareMasterKey> encryptDataKey(
       final Map<String, String> encryptionContext,
       final DataKey<?> dataKey) {
     final SecretKey key = dataKey.getKey();
-    /* Precondition: The key format MUST be RAW. */
     if (!key.getFormat().equals("RAW")) {
       throw new IllegalArgumentException("Only RAW encoded keys are supported");
     }
@@ -237,7 +234,6 @@ public DataKey<AwsKmsMrkAwareMasterKey> encryptDataKey(
       final String encryptResultKeyId = encryptResult.getKeyId();
       // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.11
       // # The AWS KMS Encrypt response MUST contain a valid "KeyId".
-      /* Postcondition: Must have an AWS KMS ARN from AWS KMS encrypt. */
       if (parseInfoFromKeyArn(encryptResultKeyId) == null) {
         throw new IllegalStateException("Received an empty or invalid keyId from KMS");
       }
@@ -326,7 +322,6 @@ public DataKey<AwsKmsMrkAwareMasterKey> decryptDataKey(
         // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
         // # The output MUST be the same as the Master Key Decrypt Data Key
         // # (../master-key-interface.md#decrypt-data-key) interface.
-        /* Exceptional Postcondition: Master key was unable to decrypt. */
         .orElseThrow(() -> buildCannotDecryptDksException(exceptions));
   }
 
@@ -358,7 +353,6 @@ static DataKey<AwsKmsMrkAwareMasterKey> decryptSingleEncryptedDataKey(
                     .withKeyId(awsKmsIdentifier)));
 
     final String decryptResultKeyId = decryptResult.getKeyId();
-    /* Exceptional Postcondition: Must have a CMK ARN from AWS KMS to match. */
     if (decryptResultKeyId == null) {
       throw new IllegalStateException("Received an empty keyId from KMS");
     }

src/main/java/com/amazonaws/encryptionsdk/kms/AwsKmsMrkAwareMasterKeyProvider.java

@@ -284,7 +284,6 @@ static KmsMasterKeyProvider.RegionalClientSupplier clientFactory(
               : AWSKMSClientBuilder.standard();
 
       return region -> {
-        /* Check for early return (Postcondition): If a client already exists, use that. */
         if (clientCache.containsKey(region)) {
           return clientCache.get(region);
         }
@@ -381,10 +380,6 @@ private AwsKmsMrkAwareMasterKeyProvider(
     // # kms-mrk-are-unique.md#Implementation) and the function MUST return
     // # success.
     assertMrksAreUnique(keyIds);
-    /* Precondition: A region is required to contact AWS KMS.
-     * This is an edge case because the default region will be the same as the SDK default,
-     * but it is still possible.
-     */
     if (!isDiscovery
         && defaultRegion == null
         && keyIds.stream()
@@ -447,16 +442,6 @@ static void assertMrksAreUnique(List<String> keyIdentifiers) {
             // # arn.md#identifying-an-aws-kms-multi-region-key) this function MUST
             // # exit successfully.
             //
-            /* Postcondition: Filter out duplicate resources that are not multi-region keys.
-             * I expect only have duplicates of specific multi-region keys.
-             * In JSON something like
-             * {
-             *      "mrk-edb7fe6942894d32ac46dbb1c922d574" : [
-             *          "arn:aws:kms:us-west-2:111122223333:key/mrk-edb7fe6942894d32ac46dbb1c922d574",
-             *          "arn:aws:kms:us-east-2:111122223333:key/mrk-edb7fe6942894d32ac46dbb1c922d574"
-             *      ]
-             *  }
-             */
             .filter(maybeMrk -> isMRK(maybeMrk.getKey()))
             /* Flatten the duplicate identifiers into a single list. */
             .flatMap(mrkEntry -> mrkEntry.getValue().stream())
@@ -481,35 +466,12 @@ static void assertMrksAreUnique(List<String> keyIdentifiers) {
    */
   static String getResourceForResourceTypeKey(String identifier) {
     final AwsKmsCmkArnInfo info = parseInfoFromKeyArn(identifier);
-    /* Check for early return (Postcondition): Non-ARNs may be raw resources.
-     * Raw aliases ('alias/my-key')
-     * or key ids ('mrk-edb7fe6942894d32ac46dbb1c922d574').
-     */
     if (info == null) return identifier;
 
-    /* Check for early return (Postcondition): Return the identifier for non-key resource types.
-     * I only care about duplicate multi-region *keys*.
-     * Any other resource type
-     * should get filtered out.
-     * I return the entire identifier
-     * on the off chance that
-     * a customer has created
-     * an alias with a name `mrk-*`.
-     * This way such an alias
-     * can never accidentally
-     * collided with an existing multi-region key
-     * or a duplicate alias.
-     */
     if (!info.getResourceType().equals("key")) {
       return identifier;
     }
 
-    /* Postcondition: Return the key id.
-     * This will be used
-     * to find different regional replicas of
-     * the same multi-region key
-     * because the key id for replicas is always the same.
-     */
     return info.getResource();
   }
 
@@ -559,10 +521,6 @@ public AwsKmsMrkAwareMasterKey getMasterKey(final String providerId, final Strin
     // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
     // # In discovery mode, the requested
     // # AWS KMS key identifier MUST be a well formed AWS KMS ARN.
-    /* Precondition: Discovery mode requires requestedKeyArn be an ARN.
-     * This function is called on the encrypt path.
-     * It _may_ be the case that a raw key id, for example, was configured.
-     */
     if (isDiscovery_ && requestedKeyArnInfo == null) {
       throw new NoSuchMasterKeyException(
           "Cannot use AWS KMS identifiers " + "when in discovery mode.");