@@ -81,17 +81,19 @@ public static void simpleAesKeyringReEncryptInstructionFile(
8181 // Generate the original AES key for initial encryption
8282 SecretKey originalAesKey = generateAesKey ();
8383
84+ // Sample metadata for AES keyring identification and context - not used for encryption/decryption purposes
85+ // Helps distinguish between the old and new AES keyrings during the reEncryptInstructionFile operation
86+ MaterialsDescription originalMaterialsDescription = MaterialsDescription
87+ .builder ()
88+ .put ("version" , "1.0" )
89+ .put ("rotated" , "no" )
90+ .build ();
91+
8492 // Create the original AES keyring with materials description
8593 AesKeyring oldKeyring = AesKeyring
8694 .builder ()
8795 .wrappingKey (originalAesKey )
88- .materialsDescription (
89- MaterialsDescription
90- .builder ()
91- .put ("version" , "1.0" )
92- .put ("rotated" , "no" )
93- .build ()
94- )
96+ .materialsDescription (originalMaterialsDescription )
9597 .build ();
9698
9799 // Create a default S3 client for instruction file operations
@@ -120,17 +122,19 @@ public static void simpleAesKeyringReEncryptInstructionFile(
120122 // Generate a new AES key for re-encryption (rotating wrapping key)
121123 SecretKey newAesKey = generateAesKey ();
122124
125+ // Sample metadata for rotated AES keyring identification and context - not used for encryption/decryption purposes
126+ // Helps distinguish between the old and new AES keyrings during the reEncryptInstructionFile operation
127+ MaterialsDescription newMaterialsDescription = MaterialsDescription
128+ .builder ()
129+ .put ("version" , "2.0" )
130+ .put ("rotated" , "yes" )
131+ .build ();
132+
123133 // Create a new keyring with the new AES key and updated materials description
124134 AesKeyring newKeyring = AesKeyring
125135 .builder ()
126136 .wrappingKey (newAesKey )
127- .materialsDescription (
128- MaterialsDescription
129- .builder ()
130- .put ("version" , "2.0" )
131- .put ("rotated" , "yes" )
132- .build ()
133- )
137+ .materialsDescription (newMaterialsDescription )
134138 .build ();
135139
136140 // Create the re-encryption of instruction file request to re-encrypt the encrypted data key with the new wrapping key
@@ -216,17 +220,19 @@ public static void simpleRsaKeyringReEncryptInstructionFile(
216220 .privateKey (originalPrivateKey )
217221 .build ();
218222
223+ // Sample metadata for RSA keyring identification and context - not used for encryption/decryption purposes
224+ // Helps distinguish between the old and new RSA keyrings during the reEncryptInstructionFile operation
225+ MaterialsDescription originalMaterialsDescription = MaterialsDescription
226+ .builder ()
227+ .put ("version" , "1.0" )
228+ .put ("rotated" , "no" )
229+ .build ();
230+
219231 // Create the original RSA keyring with materials description
220232 RsaKeyring originalKeyring = RsaKeyring
221233 .builder ()
222234 .wrappingKeyPair (originalPartialRsaKeyPair )
223- .materialsDescription (
224- MaterialsDescription
225- .builder ()
226- .put ("version" , "1.0" )
227- .put ("rotated" , "no" )
228- .build ()
229- )
235+ .materialsDescription (originalMaterialsDescription )
230236 .build ();
231237
232238 // Create a default S3 client for instruction file operations
@@ -264,17 +270,19 @@ public static void simpleRsaKeyringReEncryptInstructionFile(
264270 .privateKey (newPrivateKey )
265271 .build ();
266272
273+ // Sample metadata for rotated RSA keyring identification and context - not used for encryption/decryption purposes
274+ // Helps distinguish between the old and new RSA keyrings during the reEncryptInstructionFile operation
275+ MaterialsDescription newMaterialsDescription = MaterialsDescription
276+ .builder ()
277+ .put ("version" , "2.0" )
278+ .put ("rotated" , "yes" )
279+ .build ();
280+
267281 // Create the new RSA keyring with updated materials description
268282 RsaKeyring newKeyring = RsaKeyring
269283 .builder ()
270284 .wrappingKeyPair (newPartialRsaKeyPair )
271- .materialsDescription (
272- MaterialsDescription
273- .builder ()
274- .put ("version" , "2.0" )
275- .put ("rotated" , "yes" )
276- .build ()
277- )
285+ .materialsDescription (newMaterialsDescription )
278286 .build ();
279287
280288 // Create the re-encryption of instruction file request to re-encrypt the encrypted data key with the new wrapping key
@@ -334,7 +342,12 @@ public static void simpleRsaKeyringReEncryptInstructionFile(
334342
335343 /**
336344 * This example demonstrates generating a custom instruction file to enable access to encrypted object by a third party.
337- * This enables secure sharing of encrypted objects without sharing private keys.
345+ * It showcases a scenario where:
346+ * 1. The original client encrypts and uploads an object to S3.
347+ * 2. The original client wants to share this encrypted object with a third party client without sharing their private key.
348+ * 3. A new instruction file is created specifically for the third party client, containing the data key encrypted with the third party's public key.
349+ * 4. The third party client can then access and decrypt the object using their own private key and custom instruction file.
350+ * 5. The original client can still access and decrypt the object using their own private key and instruction file.
338351 *
339352 * @param bucket The name of the Amazon S3 bucket to perform operations on.
340353 * @throws NoSuchAlgorithmException if RSA algorithm is not available
@@ -361,17 +374,19 @@ public static void simpleRsaKeyringReEncryptInstructionFileWithCustomSuffix(
361374 .privateKey (clientPrivateKey )
362375 .build ();
363376
377+ // Sample metadata for client keyring identification and context - not used for encryption/decryption purposes
378+ // Helps distinguish between the client and third party RSA keyrings during the reEncryptInstructionFile operation
379+ MaterialsDescription clientMaterialsDescription = MaterialsDescription
380+ .builder ()
381+ .put ("isOwner" , "yes" )
382+ .put ("access-level" , "admin" )
383+ .build ();
384+
364385 // Create the client's RSA keyring with materials description
365386 RsaKeyring clientKeyring = RsaKeyring
366387 .builder ()
367388 .wrappingKeyPair (clientPartialRsaKeyPair )
368- .materialsDescription (
369- MaterialsDescription
370- .builder ()
371- .put ("isOwner" , "yes" )
372- .put ("access-level" , "admin" )
373- .build ()
374- )
389+ .materialsDescription (clientMaterialsDescription )
375390 .build ();
376391
377392 // Create a default S3 client for instruction file operations
@@ -409,19 +424,21 @@ public static void simpleRsaKeyringReEncryptInstructionFileWithCustomSuffix(
409424 .privateKey (thirdPartyPrivateKey )
410425 .build ();
411426
427+ // Sample metadata for third party keyring identification and context - not used for encryption/decryption purposes
428+ // Helps distinguish between the client and third party RSA keyrings during the reEncryptInstructionFile operation
429+ MaterialsDescription thirdPartyMaterialsDescription = MaterialsDescription
430+ .builder ()
431+ .put ("isOwner" , "no" )
432+ .put ("access-level" , "user" )
433+ .build ();
434+
412435 // Create RSA keyring with third party's public key and updated materials description for re-encryption request
413436 RsaKeyring sharedKeyring = RsaKeyring
414437 .builder ()
415438 .wrappingKeyPair (
416439 PartialRsaKeyPair .builder ().publicKey (thirdPartyPublicKey ).build ()
417440 )
418- .materialsDescription (
419- MaterialsDescription
420- .builder ()
421- .put ("isOwner" , "no" )
422- .put ("access-level" , "user" )
423- .build ()
424- )
441+ .materialsDescription (thirdPartyMaterialsDescription )
425442 .build ();
426443
427444 // Create RSA keyring with third party's public and private keys for decryption purposes with updated materials description
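Review bot: The comment wording added in the first hunk, `// Sample metadata for AES keyring identification and context - not used for encryption/decryption purposes` (and its five repeats in the later hunks), tells readers less than they need about MaterialsDescription: if I recall correctly the client persists it in plaintext as object metadata or in the instruction file and compares the keyring's description with the stored one when the data key is unwrapped, so it is a public value that also gates decryption, not inert context. Suggest replacing the first comment line at each site with `// Sample metadata persisted in plaintext with the object and matched against the keyring at decrypt time; never place secrets here`. Since the identical two-line comment and builder chain now appear six times, a small private helper taking the two key/value strings would keep that explanation in one place. The enclosing example methods start and end outside these hunks.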