fix: allow CipherSubscriber to determine if the part is last part (#453)

Author: kessplas

pom.xml

@@ -56,7 +56,7 @@
       <dependency>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>bom</artifactId>
-        <version>2.30.38</version>
+        <version>2.31.14</version>
         <optional>true</optional>
         <type>pom</type>
         <scope>import</scope>
@@ -68,21 +68,21 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>s3</artifactId>
-      <version>2.30.38</version>
+      <version>2.31.14</version>
     </dependency>
 
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>kms</artifactId>
-      <version>2.30.38</version>
+      <version>2.31.14</version>
     </dependency>
 
     <!-- Used when enableMultipartPutObject is configured -->
     <dependency>
       <groupId>software.amazon.awssdk.crt</groupId>
       <artifactId>aws-crt</artifactId>
       <optional>true</optional>
-      <version>0.36.3</version>
+      <version>0.37.0</version>
     </dependency>
 
     <dependency>
@@ -163,7 +163,7 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>sts</artifactId>
-      <version>2.30.38</version>
+      <version>2.31.14</version>
       <optional>true</optional>
       <scope>test</scope>
     </dependency>

src/examples/java/software/amazon/encryption/s3/examples/MultipartUploadExample.java

@@ -1,10 +1,6 @@
 package software.amazon.encryption.s3.examples;
 
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static software.amazon.encryption.s3.S3EncryptionClient.withAdditionalConfiguration;
-import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.KMS_KEY_ID;
-import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.appendTestSuffix;
-
+import org.apache.commons.io.IOUtils;
 import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.services.s3.S3Client;
@@ -26,7 +22,10 @@
 import java.util.List;
 import java.util.Map;
 
-import org.apache.commons.io.IOUtils;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static software.amazon.encryption.s3.S3EncryptionClient.withAdditionalConfiguration;
+import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.KMS_KEY_ID;
+import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.appendTestSuffix;
 
 public class MultipartUploadExample {
     public static String BUCKET;

src/main/java/software/amazon/encryption/s3/internal/CipherAsyncRequestBody.java

@@ -20,12 +20,14 @@ public class CipherAsyncRequestBody implements AsyncRequestBody {
     private final Long ciphertextLength;
     private final CryptographicMaterials materials;
     private final byte[] iv;
+    private final boolean isLastPart;
 
     public CipherAsyncRequestBody(final AsyncRequestBody wrappedAsyncRequestBody, final Long ciphertextLength, final CryptographicMaterials materials, final byte[] iv, final boolean isLastPart) {
         this.wrappedAsyncRequestBody = wrappedAsyncRequestBody;
         this.ciphertextLength = ciphertextLength;
         this.materials = materials;
         this.iv = iv;
+        this.isLastPart = isLastPart;
     }
 
     public CipherAsyncRequestBody(final AsyncRequestBody wrappedAsyncRequestBody, final Long ciphertextLength, final CryptographicMaterials materials, final byte[] iv) {
@@ -38,7 +40,7 @@ public CipherAsyncRequestBody(final AsyncRequestBody wrappedAsyncRequestBody, fi
     public void subscribe(Subscriber<? super ByteBuffer> subscriber) {
         wrappedAsyncRequestBody.subscribe(new CipherSubscriber(subscriber,
                 contentLength().orElseThrow(() -> new S3EncryptionClientException("Unbounded streams are currently not supported.")),
-                materials, iv));
+                materials, iv, isLastPart));
     }
 
     @Override

src/main/java/software/amazon/encryption/s3/internal/CipherSubscriber.java

@@ -18,17 +18,13 @@ public class CipherSubscriber implements Subscriber<ByteBuffer> {
     private final Subscriber<? super ByteBuffer> wrappedSubscriber;
     private Cipher cipher;
     private final Long contentLength;
-    private final CryptographicMaterials materials;
-    private byte[] iv;
     private boolean isLastPart;
 
     private byte[] outputBuffer;
 
     CipherSubscriber(Subscriber<? super ByteBuffer> wrappedSubscriber, Long contentLength, CryptographicMaterials materials, byte[] iv, boolean isLastPart) {
         this.wrappedSubscriber = wrappedSubscriber;
         this.contentLength = contentLength;
-        this.materials = materials;
-        this.iv = iv;
         cipher = materials.getCipher(iv);
         this.isLastPart = isLastPart;
     }

src/main/java/software/amazon/encryption/s3/internal/GetEncryptedObjectPipeline.java

@@ -17,12 +17,7 @@
 import software.amazon.encryption.s3.materials.DecryptionMaterials;
 import software.amazon.encryption.s3.materials.EncryptedDataKey;
 
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.GCMParameterSpec;
-import javax.crypto.spec.IvParameterSpec;
 import java.nio.ByteBuffer;
-import java.security.GeneralSecurityException;
 import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
@@ -143,42 +138,23 @@ public void onStream(SdkPublisher<ByteBuffer> ciphertextPublisher) {
             long[] desiredRange = RangedGetUtils.getRange(materials.getContentRange());
             long[] cryptoRange = RangedGetUtils.getCryptoRange(materials.getContentRange());
             AlgorithmSuite algorithmSuite = materials.algorithmSuite();
-            SecretKey contentKey = materials.dataKey();
-            final int tagLength = algorithmSuite.cipherTagLengthBits();
             byte[] iv = contentMetadata.contentIv();
             if (algorithmSuite == AlgorithmSuite.ALG_AES_256_CTR_IV16_TAG16_NO_KDF) {
                 iv = AesCtrUtils.adjustIV(iv, cryptoRange[0]);
             }
-            try {
-                final Cipher cipher = CryptoFactory.createCipher(algorithmSuite.cipherName(), materials.cryptoProvider());
-                switch (algorithmSuite) {
-                    case ALG_AES_256_GCM_IV12_TAG16_NO_KDF:
-                        cipher.init(Cipher.DECRYPT_MODE, contentKey, new GCMParameterSpec(tagLength, iv));
-                        break;
-                    case ALG_AES_256_CTR_IV16_TAG16_NO_KDF:
-                    case ALG_AES_256_CBC_IV16_NO_KDF:
-                        cipher.init(Cipher.DECRYPT_MODE, contentKey, new IvParameterSpec(iv));
-                        break;
-                    default:
-                        throw new S3EncryptionClientException("Unknown algorithm: " + algorithmSuite.cipherName());
-                }
-
-                if (algorithmSuite.equals(AlgorithmSuite.ALG_AES_256_CBC_IV16_NO_KDF)
-                        || algorithmSuite.equals(AlgorithmSuite.ALG_AES_256_CTR_IV16_TAG16_NO_KDF)
-                        || _enableDelayedAuthentication) {
-                    // CBC and GCM with delayed auth enabled use a standard publisher
-                    CipherPublisher plaintextPublisher = new CipherPublisher(ciphertextPublisher,
-                            getObjectResponse.contentLength(), desiredRange, contentMetadata.contentRange(), algorithmSuite.cipherTagLengthBits(), materials, iv);
-                    wrappedAsyncResponseTransformer.onStream(plaintextPublisher);
-                } else {
-                    // Use buffered publisher for GCM when delayed auth is not enabled
-                    BufferedCipherPublisher plaintextPublisher = new BufferedCipherPublisher(ciphertextPublisher,
-                            getObjectResponse.contentLength(), materials, iv, _bufferSize);
-                    wrappedAsyncResponseTransformer.onStream(plaintextPublisher);
-                }
-
-            } catch (GeneralSecurityException e) {
-                throw new S3EncryptionClientException("Unable to " + algorithmSuite.cipherName() + " content decrypt.", e);
+
+            if (algorithmSuite.equals(AlgorithmSuite.ALG_AES_256_CBC_IV16_NO_KDF)
+                    || algorithmSuite.equals(AlgorithmSuite.ALG_AES_256_CTR_IV16_TAG16_NO_KDF)
+                    || _enableDelayedAuthentication) {
+                // CBC and GCM with delayed auth enabled use a standard publisher
+                CipherPublisher plaintextPublisher = new CipherPublisher(ciphertextPublisher,
+                        getObjectResponse.contentLength(), desiredRange, contentMetadata.contentRange(), algorithmSuite.cipherTagLengthBits(), materials, iv);
+                wrappedAsyncResponseTransformer.onStream(plaintextPublisher);
+            } else {
+                // Use buffered publisher for GCM when delayed auth is not enabled
+                BufferedCipherPublisher plaintextPublisher = new BufferedCipherPublisher(ciphertextPublisher,
+                        getObjectResponse.contentLength(), materials, iv, _bufferSize);
+                wrappedAsyncResponseTransformer.onStream(plaintextPublisher);
             }
         }
     }

src/test/java/software/amazon/encryption/s3/examples/AsyncClientExampleTest.java

@@ -3,11 +3,18 @@
 import org.junit.jupiter.api.Test;
 import software.amazon.encryption.s3.utils.S3EncryptionClientTestResources;
 
+import static org.junit.jupiter.api.Assertions.fail;
+
 public class AsyncClientExampleTest {
 
     @Test
     public void testAsyncClientExamples() {
         final String bucket = S3EncryptionClientTestResources.BUCKET;
-        AsyncClientExample.main(new String[]{bucket});
+        try {
+            AsyncClientExample.main(new String[]{bucket});
+        } catch (Throwable exception) {
+            exception.printStackTrace();
+            fail("Async Example Test Failed!!", exception);
+        }
     }
 }

src/test/java/software/amazon/encryption/s3/examples/ClientConfigurationExampleTest.java

@@ -2,9 +2,16 @@
 
 import org.junit.jupiter.api.Test;
 
+import static org.junit.jupiter.api.Assertions.fail;
+
 public class ClientConfigurationExampleTest {
   @Test
   public void testClientConfigurationExamples() {
-      ClientConfigurationExample.main(new String[0]);
+      try {
+          ClientConfigurationExample.main(new String[0]);
+      } catch (Throwable exception) {
+          exception.printStackTrace();
+          fail("Client Configuration Example Test Failed!!", exception);
+      }
   }
 }

src/test/java/software/amazon/encryption/s3/examples/MultipartUploadExampleTest.java

@@ -3,13 +3,18 @@
 import org.junit.jupiter.api.Test;
 import software.amazon.encryption.s3.utils.S3EncryptionClientTestResources;
 
-import java.io.IOException;
+import static org.junit.jupiter.api.Assertions.fail;
 
 public class MultipartUploadExampleTest {
 
     @Test
-    public void testMultipartUploadExamples() throws IOException {
+    public void testMultipartUploadExamples() {
         final String bucket = S3EncryptionClientTestResources.BUCKET;
-        MultipartUploadExample.main(new String[]{bucket});
+        try {
+            MultipartUploadExample.main(new String[]{bucket});
+        } catch (Throwable exception) {
+            exception.printStackTrace();
+            fail("Multipart Example Test Failed!!", exception);
+        }
     }
 }

src/test/java/software/amazon/encryption/s3/examples/PartialKeyPairExampleTest.java

@@ -5,12 +5,18 @@
 import org.junit.jupiter.api.Test;
 import software.amazon.encryption.s3.utils.S3EncryptionClientTestResources;
 
+import static org.junit.jupiter.api.Assertions.fail;
+
 public class PartialKeyPairExampleTest {
 
     @Test
     public void testPartialKeyPairExamples() {
         final String bucket = S3EncryptionClientTestResources.BUCKET;
-
-        PartialKeyPairExample.main(new String[]{bucket});
+        try {
+            PartialKeyPairExample.main(new String[]{bucket});
+        } catch (Throwable exception) {
+            exception.printStackTrace();
+            fail("Partial Key Pair Example Test Failed!!", exception);
+        }
     }
 }

src/test/java/software/amazon/encryption/s3/examples/RangedGetExampleTest.java

@@ -3,11 +3,18 @@
 import org.junit.jupiter.api.Test;
 import software.amazon.encryption.s3.utils.S3EncryptionClientTestResources;
 
+import static org.junit.jupiter.api.Assertions.fail;
+
 public class RangedGetExampleTest {
 
     @Test
     public void testRangedGetExamples() {
         final String bucket = S3EncryptionClientTestResources.BUCKET;
-        RangedGetExample.main(new String[]{bucket});
+        try {
+            RangedGetExample.main(new String[]{bucket});
+        } catch (Throwable exception) {
+            exception.printStackTrace();
+            fail("Ranged Get Test Failed!!", exception);
+        }
     }
 }