本文整理汇总了Java中com.amazonaws.services.kms.AWSKMS类的典型用法代码示例。如果您正苦于以下问题:Java AWSKMS类的具体用法?Java AWSKMS怎么用?Java AWSKMS使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
AWSKMS类属于com.amazonaws.services.kms包,在下文中一共展示了AWSKMS类的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Java代码示例。
示例1: decrypt
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
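/**
 * Decrypts a base64-encoded KMS ciphertext and returns the plaintext as a UTF-8 string.
 *
 * <p>When {@code isJUnitTest()} reports true, the input is returned unchanged and KMS is never
 * called. NOTE(review): with that bypass active the "decrypted" value is whatever was passed in;
 * confirm the test flag cannot be switched on in a deployed environment.
 *
 * <p>A new KMS client is built on every call, using the SDK's default credential resolution.
 *
 * @param str base64-encoded ciphertext blob
 * @param region region whose name selects the KMS endpoint
 * @return the decrypted plaintext decoded as UTF-8, or {@code str} itself under the test bypass
 * @throws UnsupportedEncodingException declared in the signature; nothing in this body throws it
 */
public static String decrypt(String str, Region region) throws UnsupportedEncodingException {
    if (isJUnitTest()) {
        return str;
    }

    AWSKMS kms = AWSKMSClientBuilder.standard().withRegion(region.getName()).build();

    // The KMS ciphertext is base64 encoded and must be decoded before the request is made.
    byte[] cipherBytes = Base64.decode(str);

    DecryptRequest req = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(cipherBytes));
    DecryptResult resp = kms.decrypt(req);

    // Copy exactly the readable bytes instead of calling array(): array() ignores position,
    // limit and arrayOffset, and throws for read-only or direct buffers. The read-only view
    // keeps the position of the buffer held by the result untouched.
    ByteBuffer plaintext = resp.getPlaintext().asReadOnlyBuffer();
    byte[] plainBytes = new byte[plaintext.remaining()];
    plaintext.get(plainBytes);

    return new String(plainBytes, Charset.forName("UTF-8"));
}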
开发者ID:Nextdoor,项目名称:bender,代码行数:26,代码来源:Passwords.java
示例2: cleanUpKMSKeys
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Schedules deletion of KMS keys left behind by integration tests.
 *
 * <p>A key is scheduled only when its alias starts with {@code "alias/" + testResourcePrefix},
 * it is not already pending deletion, and it was created before {@code createdBeforeThreshold}.
 * The alias prefix is the only ownership check: an empty {@code testResourcePrefix} matches
 * every alias in the account and region, so callers must pass a prefix unique to the test run.
 *
 * <p>NOTE(review): aliases are read with a single {@code listAliases()} call; if the service
 * truncates the response, aliases on later pages are not visited - confirm.
 *
 * @param testRegion region to clean
 * @param testResourcePrefix prefix (without {@code alias/}) identifying test-owned aliases
 * @param createdBeforeThreshold only keys created before this instant are scheduled
 * @param awsCredentials credentials used for the KMS client
 */
private static void cleanUpKMSKeys(Regions testRegion, String testResourcePrefix, Date createdBeforeThreshold,
                                   AWSCredentialsProvider awsCredentials) {
    LOG.info("Cleaning KMS...");

    AWSKMS kmsClient = AWSKMSClientBuilder.standard()
            .withCredentials(awsCredentials)
            .withRegion(testRegion)
            .build();

    final String ownedAliasPrefix = "alias/" + testResourcePrefix;

    for (AliasListEntry alias : kmsClient.listAliases().getAliases()) {
        if (!alias.getAliasName().startsWith(ownedAliasPrefix)) {
            continue;
        }

        KeyMetadata keyMetadata = kmsClient
                .describeKey(new DescribeKeyRequest().withKeyId(alias.getTargetKeyId()))
                .getKeyMetadata();

        // Keys already pending deletion are left alone; the age check is only evaluated for the rest.
        boolean alreadyPendingDeletion =
                KMSKeyState.fromString(keyMetadata.getKeyState()) == KMSKeyState.PENDING_DELETION;
        if (alreadyPendingDeletion || !keyMetadata.getCreationDate().before(createdBeforeThreshold)) {
            continue;
        }

        LOG.info("Scheduling KMS key for deletion:" + alias.getAliasName());
        scheduleKeyDeletion(kmsClient, alias);
    }
}
开发者ID:schibsted,项目名称:strongbox,代码行数:26,代码来源:IntegrationTestHelper.java
示例3: LinkGeneratorLambdaHandler
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Wires the handler's collaborators: a KMS-backed encryptor for the JWT key, an S3 page
 * uploader and the intro page template.
 *
 * <p>The KMS and S3 clients are both built with the same credentials provider and region.
 *
 * @param region AWS region for both clients
 * @param jwtEncryptKeyArn ARN of the KMS key handed to {@code KMSEncrypt}
 * @param pageStorageBucket bucket handed to {@code PageUploader}
 * @param authVerifyEndpointURL stored as-is on the handler
 * @param awsCredential credentials provider for both clients
 * @param introPageTemplateName name passed to {@code IntroPageTemplate}
 * @throws IOException declared by the constructor; source not visible in this block
 * @throws TemplateException declared by the constructor; source not visible in this block
 */
LinkGeneratorLambdaHandler(String region, String jwtEncryptKeyArn, String pageStorageBucket, String authVerifyEndpointURL,
                           AWSCredentialsProvider awsCredential, String introPageTemplateName) throws IOException, TemplateException {
    AWSKMS kms = AWSKMSClientBuilder.standard()
            .withCredentials(awsCredential)
            .withRegion(region)
            .build();
    AmazonS3 s3 = AmazonS3ClientBuilder.standard()
            .withCredentials(awsCredential)
            .withRegion(region)
            .build();

    // Plain configuration values.
    this.pageStorageBucket = pageStorageBucket;
    this.authVerifyEndpointURL = authVerifyEndpointURL;

    // Collaborators built on top of the clients.
    kmsEncrypt = new KMSEncrypt(kms, jwtEncryptKeyArn);
    this.pageUploader = new PageUploader(s3, pageStorageBucket);
    this.introPageTemplate = new IntroPageTemplate(introPageTemplateName);
}
开发者ID:julianghionoiu,项目名称:tdl-auth,代码行数:20,代码来源:LinkGeneratorLambdaHandler.java
示例4: setUp
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Prepares the acceptance-test fixture: a mocked Lambda context that logs to stdout, the
 * handler under test, and a KMS encryptor built on a real KMS client.
 *
 * <p>The KMS client authenticates with static credentials taken from the {@code TEST_USER_*}
 * constants. NOTE(review): where those constants get their values is not visible here; confirm
 * they are not long-lived keys committed to the repository.
 */
@Before
public void setUp() throws Exception {
    context = mock(Context.class);
    when(context.getLogger()).thenReturn(System.out::println);

    handler = new AuthLambdaHandler(TEST_AWS_REGION, TEST_JWT_KEY_ARN, TEST_VIDEO_STORAGE_BUCKET,
            TEST_USER_ACCESS_KEY_ID, TEST_USER_SECRET_ACCESS_KEY);

    AWSStaticCredentialsProvider testUserCredentials = new AWSStaticCredentialsProvider(
            new BasicAWSCredentials(TEST_USER_ACCESS_KEY_ID, TEST_USER_SECRET_ACCESS_KEY));
    AWSKMS kms = AWSKMSClientBuilder.standard()
            .withRegion(TEST_AWS_REGION)
            .withCredentials(testUserCredentials)
            .build();

    kmsEncrypt = new KMSEncrypt(kms, TEST_JWT_KEY_ARN);
}
开发者ID:julianghionoiu,项目名称:tdl-auth,代码行数:17,代码来源:AuthLambdaAcceptanceTest.java
示例5: setUp
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Builds mocked DynamoDB and KMS clients for the tests.
 *
 * <p>The KMS mock answers every {@code generateDataKey} and {@code decrypt} request with a
 * canned result whose buffers are themselves mocks, so no real key material is involved.
 */
@Before
public void setUp() {
    dynamoDBClient = Mockito.mock(AmazonDynamoDB.class);

    GenerateDataKeyResult cannedDataKey = new GenerateDataKeyResult()
            .withCiphertextBlob(Mockito.mock(ByteBuffer.class))
            .withPlaintext(Mockito.mock(ByteBuffer.class));

    DecryptResult cannedDecrypt = new DecryptResult()
            .withKeyId("alias/foo")
            .withPlaintext(Mockito.mock(ByteBuffer.class));

    awskmsClient = Mockito.mock(AWSKMS.class);
    Mockito.when(awskmsClient.generateDataKey(Mockito.any(GenerateDataKeyRequest.class)))
            .thenReturn(cannedDataKey);
    Mockito.when(awskmsClient.decrypt(Mockito.any(DecryptRequest.class)))
            .thenReturn(cannedDecrypt);
}
开发者ID:jessecoyle,项目名称:jcredstash,代码行数:17,代码来源:JCredStashTest.java
示例6: clientFactory
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Returns the supplier that maps a region name to a KMS client.
 *
 * <p>An explicitly configured {@code regionalClientSupplier_} wins. Otherwise a supplier is
 * created that builds one client per region on first use and caches it; cached clients stay
 * in the map for as long as the returned supplier is reachable.
 *
 * @return the configured supplier, or a caching supplier derived from the template builder
 */
private RegionalClientSupplier clientFactory() {
    if (regionalClientSupplier_ != null) {
        return regionalClientSupplier_;
    }

    // Clone again; this MKP builder might be reused to build a second MKP with different creds.
    final AWSKMSClientBuilder baseBuilder;
    if (templateBuilder_ == null) {
        baseBuilder = AWSKMSClientBuilder.standard();
    } else {
        baseBuilder = cloneClientBuilder(templateBuilder_);
    }

    final ConcurrentHashMap<String, AWSKMS> clientsByRegion = new ConcurrentHashMap<>();

    // Clone yet again inside the mapping function, because the region field is changed per client.
    return region -> clientsByRegion.computeIfAbsent(
            region,
            missingRegion -> cloneClientBuilder(baseBuilder).withRegion(missingRegion).build());
}
开发者ID:awslabs,项目名称:aws-encryption-sdk-java,代码行数:17,代码来源:KmsMasterKeyProvider.java
示例7: getMasterKey
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Creates a {@link KmsMasterKey} for {@code keyId}, bound to the KMS client of the region
 * parsed from the key id.
 *
 * <p>The regional supplier may return {@code null} for a region; that is reported as an
 * {@code AwsCryptoException} rather than passed on to the key.
 *
 * @param provider provider id, checked with {@code canProvide}
 * @param keyId key identifier; its region is extracted with {@code parseRegionfromKeyArn}
 * @return a master key carrying this provider's grant tokens
 * @throws UnsupportedProviderException if {@code canProvide(provider)} is false
 * @throws NoSuchMasterKeyException declared in the signature; not thrown by the visible code
 */
@Override
public KmsMasterKey getMasterKey(final String provider, final String keyId) throws UnsupportedProviderException,
        NoSuchMasterKeyException {
    if (!canProvide(provider)) {
        throw new UnsupportedProviderException();
    }

    final String keyRegion = parseRegionfromKeyArn(keyId);
    final AWSKMS regionalClient = regionalClientSupplier_.getClient(keyRegion);
    if (regionalClient == null) {
        throw new AwsCryptoException("Can't use keys from region " + keyRegion);
    }

    final KmsMasterKey masterKey = KmsMasterKey.getInstance(regionalClient, keyId, this);
    masterKey.setGrantTokens(grantTokens_);
    return masterKey;
}
开发者ID:awslabs,项目名称:aws-encryption-sdk-java,代码行数:18,代码来源:KmsMasterKeyProvider.java
示例8: build
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
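/**
 * Builds a {@link KeyProvider} from the configured key bytes.
 *
 * <ul>
 *   <li>No key (null or empty): a provider wrapping {@code null}.</li>
 *   <li>Exactly 16 bytes: the bytes are used directly as an AES key, without calling KMS.</li>
 *   <li>Any other length: the bytes are treated as a KMS ciphertext blob and decrypted; the
 *       result must be exactly 16 bytes, otherwise a provider wrapping {@code null} is returned.</li>
 * </ul>
 *
 * <p>Length is the only thing that separates a raw key from a KMS ciphertext here.
 * NOTE(review): both failure paths return {@code KeyProviderImpl(null)}; confirm callers treat
 * that as an error and do not continue without encryption.
 *
 * <p>After a successful decrypt the {@code key} field holds the plaintext key, as before.
 *
 * @return the key provider described above
 */
@Override
public KeyProvider build() {
    if ( null == key || 0 == key.length ) {
        return new KeyProviderImpl(null);
    } else if ( 16 == key.length ) {
        return new KeyProviderImpl(new SecretKeySpec(key, "AES"));
    }
    AWSKMS kms = _amazonWebServiceClients.withEndpoint(
        new AWSKMSClient(
            _credProviderFactory.create(credProvider),
            _clientConfigurations.withProxy(new ClientConfiguration(), proxy)),
        endpoint);
    // Copy exactly the readable bytes instead of calling array(): array() ignores position,
    // limit and arrayOffset (which would distort the 16-byte length check below) and throws
    // for read-only or direct buffers.
    ByteBuffer plaintext = kms.decrypt(new DecryptRequest()
                                       .withCiphertextBlob(ByteBuffer.wrap(key)))
        .getPlaintext().asReadOnlyBuffer();
    byte[] decrypted = new byte[plaintext.remaining()];
    plaintext.get(decrypted);
    key = decrypted;
    if ( 16 != key.length ) {
        // Only the length is logged, never the key bytes.
        LOG.warn("Expected decrypted key to be exactly 16 bytes, got "+key.length+" bytes. Please "+
                 "verify the key was not base64 encoded before encrypting with KMS");
        return new KeyProviderImpl(null);
    }
    return new KeyProviderImpl(new SecretKeySpec(key, "AES"));
}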
开发者ID:Distelli,项目名称:java-persistence,代码行数:23,代码来源:KeyProviderImpl.java
示例9: decryptToken
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
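/**
 * Decodes the Base64-encoded encrypted token, decrypts it with AWS KMS and parses the
 * plaintext JSON into a {@link VaultAuthResponse}.
 *
 * <p>The decrypt request carries only the ciphertext blob; no encryption context is supplied.
 * The plaintext passes through a {@code String} before parsing, so it cannot be wiped from
 * memory afterwards; do not log it.
 *
 * @param kmsClient KMS client
 * @param encryptedToken Token to decode and decrypt
 * @return Decrypted token
 * @throws VaultClientException if {@code encryptedToken} is not valid Base64
 */
protected VaultAuthResponse decryptToken(AWSKMS kmsClient, String encryptedToken) {
    byte[] decodedToken;

    try {
        decodedToken = Base64.decode(encryptedToken);
    } catch (IllegalArgumentException iae) {
        throw new VaultClientException("Encrypted token not Base64 encoded", iae);
    }

    final DecryptRequest request = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(decodedToken));
    final DecryptResult result = kmsClient.decrypt(request);

    // Copy exactly the readable bytes instead of calling array(): array() ignores position,
    // limit and arrayOffset, and throws for read-only or direct buffers. The read-only view
    // keeps the position of the buffer held by the result untouched.
    final ByteBuffer plaintext = result.getPlaintext().asReadOnlyBuffer();
    final byte[] plainBytes = new byte[plaintext.remaining()];
    plaintext.get(plainBytes);

    final String decryptedAuthData = new String(plainBytes, Charset.forName("UTF-8"));

    return gson.fromJson(decryptedAuthData, VaultAuthResponse.class);
}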
开发者ID:Nike-Inc,项目名称:cerberus-java-client,代码行数:25,代码来源:BaseAwsCredentialsProvider.java
示例10: testAwsPrivateKeyStore
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Checks that {@code AwsPrivateKeyStore.getApplicationSecret} returns the plaintext that KMS
 * reports for the object fetched from S3.
 *
 * <p>Both S3 and KMS are mocked: S3 serves the bytes of the expected value, and KMS returns
 * those same bytes as the decrypt result for any request.
 */
@Test
public void testAwsPrivateKeyStore() throws Exception {
    final String bucketName = "my_bucket";
    final String keyName = "my_key";
    final String expected = "my_value";

    // S3 side: the stored object streams the expected value.
    AmazonS3 s3 = Mockito.mock(AmazonS3.class);
    AWSKMS kms = Mockito.mock(AWSKMS.class);
    S3Object storedObject = Mockito.mock(S3Object.class);
    Mockito.when(s3.getObject(bucketName, keyName)).thenReturn(storedObject);
    InputStream objectBytes = new ByteArrayInputStream(expected.getBytes());
    Mockito.when(storedObject.getObjectContent()).thenReturn(new S3ObjectInputStream(objectBytes, null));

    // KMS side: every decrypt call yields the expected value as plaintext.
    ByteBuffer plaintext = ByteBuffer.wrap(expected.getBytes());
    DecryptResult decryptResult = Mockito.mock(DecryptResult.class);
    Mockito.when(kms.decrypt(Mockito.any(DecryptRequest.class))).thenReturn(decryptResult);
    Mockito.when(decryptResult.getPlaintext()).thenReturn(plaintext);

    AwsPrivateKeyStore keyStore = new AwsPrivateKeyStore(s3, kms);
    String actual = keyStore.getApplicationSecret(bucketName, keyName);

    Assert.assertEquals(actual, expected);
}
开发者ID:yahoo,项目名称:athenz,代码行数:26,代码来源:AwsPrivateKeyStoreTest.java
示例11: setUp
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Creates the mocked KMS client, the encryptor under test, and the request/result pairs the
 * tests compare against.
 *
 * <p>The mock answers any encrypt request with {@code CIPHER_TEXT} and any decrypt request
 * with {@code PLAINTEXT}. Byte conversion uses {@code getBytes()} with the platform default
 * charset.
 */
@Before
public void setUp() throws Exception {
    mockKms = mock(AWSKMS.class);
    textEncryptor = new KmsTextEncryptor(mockKms, KMS_KEY_ID);

    // Encrypt direction.
    expectedEncryptRequest = new EncryptRequest()
            .withKeyId(KMS_KEY_ID)
            .withPlaintext(wrap(PLAINTEXT.getBytes()));
    encryptResult = new EncryptResult()
            .withCiphertextBlob(wrap(CIPHER_TEXT.getBytes()));
    when(mockKms.encrypt(any(EncryptRequest.class))).thenReturn(encryptResult);

    // Decrypt direction.
    expectedDecryptRequest = new DecryptRequest()
            .withCiphertextBlob(wrap(CIPHER_TEXT.getBytes()));
    decryptResult = new DecryptResult()
            .withPlaintext(wrap(PLAINTEXT.getBytes()));
    when(mockKms.decrypt(any(DecryptRequest.class))).thenReturn(decryptResult);
}
开发者ID:zalando,项目名称:spring-cloud-config-aws-kms,代码行数:21,代码来源:KmsTextEncryptorTest.java
示例12: DirectKmsMaterialProvider
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Creates a material provider that uses {@code kms} and {@code encryptionKeyId}.
 *
 * <p>The material description is copied into an unmodifiable map (an empty map when
 * {@code null} is passed). The data key and signing key algorithms are read from it, falling
 * back to {@code DEFAULT_ENC_ALG} and {@code DEFAULT_SIG_ALG}. Each descriptor has the form
 * {@code ALGORITHM} or {@code ALGORITHM/LENGTH}; without a length, 256 is used.
 *
 * @param kms KMS client
 * @param encryptionKeyId id of the KMS key
 * @param materialDescription optional description; may be {@code null}
 * @throws NumberFormatException if a descriptor's length part is not an integer
 */
public DirectKmsMaterialProvider(AWSKMS kms, String encryptionKeyId, Map<String, String> materialDescription) {
    this.kms = kms;
    this.encryptionKeyId = encryptionKeyId;

    if (materialDescription == null) {
        this.description = Collections.<String, String> emptyMap();
    } else {
        // Defensive copy, so later changes to the caller's map do not reach this provider.
        this.description = Collections.unmodifiableMap(new HashMap<>(materialDescription));
    }

    if (description.containsKey(WrappedRawMaterials.CONTENT_KEY_ALGORITHM)) {
        dataKeyDesc = description.get(WrappedRawMaterials.CONTENT_KEY_ALGORITHM);
    } else {
        dataKeyDesc = DEFAULT_ENC_ALG;
    }
    final String[] dataKeyParts = dataKeyDesc.split("/", 2);
    this.dataKeyAlg = dataKeyParts[0];
    this.dataKeyLength = dataKeyParts.length == 2 ? Integer.parseInt(dataKeyParts[1]) : 256;

    if (description.containsKey(SIGNING_KEY_ALGORITHM)) {
        sigKeyDesc = description.get(SIGNING_KEY_ALGORITHM);
    } else {
        sigKeyDesc = DEFAULT_SIG_ALG;
    }
    final String[] sigKeyParts = sigKeyDesc.split("/", 2);
    this.sigKeyAlg = sigKeyParts[0];
    this.sigKeyLength = sigKeyParts.length == 2 ? Integer.parseInt(sigKeyParts[1]) : 256;
}
开发者ID:awslabs,项目名称:aws-dynamodb-encryption-java,代码行数:24,代码来源:DirectKmsMaterialProvider.java
示例13: awsKms
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Creates the KMS client {@link Bean}.
 *
 * <p>Tries the SDK default client first. Any {@code SdkClientException} raised while building
 * it, not only a missing region, is logged and answered with {@code planB()}, which per the
 * log message retries with region {@code us-east-1}.
 *
 * @return The KMS client.
 */
@Bean
public AWSKMS awsKms() {
    try {
        return AWSKMSClientBuilder.defaultClient();
    } catch (SdkClientException exception) {
        API_LOG.info("Default KMS client failed to build, trying again with region us-east-1", exception);
        return planB();
    }
}
开发者ID:CMSgov,项目名称:qpp-conversion-tool,代码行数:21,代码来源:KmsConfig.java
示例14: testDefaultClient
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * When the default client builds successfully, {@code awsKms()} returns it and the
 * {@code planB()} fallback is never invoked.
 */
@Test
public void testDefaultClient() {
    mockStatic(AWSKMSClientBuilder.class);
    when(AWSKMSClientBuilder.defaultClient()).thenReturn(Mockito.mock(AWSKMS.class));

    AWSKMS client = underTest.awsKms();

    Assert.assertNotNull(client);
    verify(underTest, times(0)).planB();
}
开发者ID:CMSgov,项目名称:qpp-conversion-tool,代码行数:8,代码来源:KmsConfigTest.java
示例15: KMSManager
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Creates a manager for the KMS key of one secrets group.
 *
 * <p>The alias name is {@code ALIAS_PREFIX} followed by the region-local resource name derived
 * from the group identifier. The credentials provider and client configuration are stored on
 * the manager in addition to the ready-made client.
 *
 * @param client KMS client to use
 * @param awsCredentials credentials provider, stored as-is
 * @param clientConfiguration client configuration, stored as-is
 * @param groupIdentifier secrets group this manager belongs to
 */
public KMSManager(AWSKMS client, AWSCredentialsProvider awsCredentials, ClientConfiguration clientConfiguration, SecretsGroupIdentifier groupIdentifier) {
    this.kms = client;
    this.awsCredentials = awsCredentials;
    this.clientConfiguration = clientConfiguration;
    this.group = groupIdentifier;
    this.aliasKeyName = ALIAS_PREFIX + new RegionLocalResourceName(groupIdentifier).toString();
}
开发者ID:schibsted,项目名称:strongbox,代码行数:10,代码来源:KMSManager.java
示例16: fromCredentials
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Builds a {@link KMSManager} with a KMS client created from the given credentials.
 *
 * <p>The client configuration passes through {@code transformAndVerifyOrThrow} before it is
 * given to the client builder; the manager itself receives the original configuration. The
 * client's region is the region of the group identifier.
 *
 * @param awsCredentials credentials provider for the client
 * @param clientConfiguration configuration to verify and apply
 * @param groupIdentifier secrets group whose region selects the endpoint
 * @return a manager bound to the new client
 */
public static KMSManager fromCredentials(AWSCredentialsProvider awsCredentials,
                                         ClientConfiguration clientConfiguration,
                                         SecretsGroupIdentifier groupIdentifier) {
    AWSKMSClientBuilder builder = AWSKMSClientBuilder.standard().withCredentials(awsCredentials);
    builder = builder.withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration));
    builder = builder.withRegion(groupIdentifier.region.getName());

    AWSKMS kmsClient = builder.build();
    return new KMSManager(kmsClient, awsCredentials, clientConfiguration, groupIdentifier);
}
开发者ID:schibsted,项目名称:strongbox,代码行数:11,代码来源:KMSManager.java
示例17: AmazonS3EncryptionClientParamsWrapper
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Bundles the parameters of an encryption client; every argument is stored as given, with no
 * validation or copying.
 *
 * @param getClientParams general client parameters
 * @param getS3ClientOptions S3 client options
 * @param encryptionMaterials provider of encryption materials
 * @param cryptoConfiguration crypto configuration
 * @param kms KMS client
 */
AmazonS3EncryptionClientParamsWrapper(AwsSyncClientParams getClientParams,
                                      S3ClientOptions getS3ClientOptions,
                                      EncryptionMaterialsProvider encryptionMaterials,
                                      CryptoConfiguration cryptoConfiguration,
                                      AWSKMS kms) {
    // Same order as the parameter list.
    this.getClientParams = getClientParams;
    this.getS3ClientOptions = getS3ClientOptions;
    this.encryptionMaterials = encryptionMaterials;
    this.cryptoConfiguration = cryptoConfiguration;
    this.kms = kms;
}
开发者ID:IBM,项目名称:ibm-cos-sdk-java,代码行数:12,代码来源:AmazonS3EncryptionClientParamsWrapper.java
示例18: cekByKMS
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Decrypts the secured CEK via KMS; involves network calls.
 *
 * <p>The materials description is sent as the KMS encryption context together with the
 * wrapped key. The plaintext bytes are copied out of the result buffer with
 * {@code copyAllBytesFrom} before the key is built. {@code keyWrapAlgo} is not used by this
 * method.
 *
 * @param cekSecured the wrapped CEK
 * @param keyWrapAlgo key wrap algorithm (unused here)
 * @param materials supplies the materials description used as encryption context
 * @param contentCryptoScheme supplies the algorithm name for the resulting key
 * @param kms KMS client used for the decrypt call
 * @return the CEK (in plaintext).
 */
private static SecretKey cekByKMS(byte[] cekSecured, String keyWrapAlgo,
        EncryptionMaterials materials,
        ContentCryptoScheme contentCryptoScheme, AWSKMS kms) {
    final DecryptRequest unwrapRequest = new DecryptRequest()
            .withEncryptionContext(materials.getMaterialsDescription())
            .withCiphertextBlob(ByteBuffer.wrap(cekSecured));

    final DecryptResult unwrapped = kms.decrypt(unwrapRequest);

    final byte[] cekBytes = copyAllBytesFrom(unwrapped.getPlaintext());
    return new SecretKeySpec(cekBytes, contentCryptoScheme.getKeyGeneratorAlgorithm());
}
开发者ID:IBM,项目名称:ibm-cos-sdk-java,代码行数:16,代码来源:ContentCryptoMaterial.java
示例19: fromObjectMetadata
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Convenience overload that delegates to {@code fromObjectMetadata0}, passing {@code null}
 * and {@code NONE} for the two arguments this overload does not expose.
 *
 * @param metadata object metadata to read from
 * @param kekMaterialAccessor accessor for the key-encrypting-key materials
 * @param securityProvider security provider to use
 * @param keyWrapExpected whether key wrapping is expected
 * @param kms KMS client
 * @return a non-null content crypto material.
 */
static ContentCryptoMaterial fromObjectMetadata(
        ObjectMetadata metadata,
        EncryptionMaterialsAccessor kekMaterialAccessor,
        Provider securityProvider,
        boolean keyWrapExpected,
        AWSKMS kms) {
    final ContentCryptoMaterial material = fromObjectMetadata0(
            metadata, kekMaterialAccessor, securityProvider,
            null, NONE, keyWrapExpected, kms);
    return material;
}
开发者ID:IBM,项目名称:ibm-cos-sdk-java,代码行数:13,代码来源:ContentCryptoMaterial.java
示例20: fromInstructionFile
import com.amazonaws.services.kms.AWSKMS; //导入依赖的package包/类
/**
 * Convenience overload that delegates to {@code fromInstructionFile0}, passing {@code null}
 * and {@code NONE} for the two arguments this overload does not expose.
 *
 * @param instFile instruction file contents as key/value pairs
 * @param kekMaterialAccessor accessor for the key-encrypting-key materials
 * @param securityProvider security provider to use
 * @param keyWrapExpected whether key wrapping is expected
 * @param kms KMS client
 * @return a non-null content crypto material.
 */
static ContentCryptoMaterial fromInstructionFile(
        Map<String, String> instFile,
        EncryptionMaterialsAccessor kekMaterialAccessor,
        Provider securityProvider,
        boolean keyWrapExpected,
        AWSKMS kms) {
    final ContentCryptoMaterial material = fromInstructionFile0(
            instFile, kekMaterialAccessor, securityProvider,
            null, NONE, keyWrapExpected, kms);
    return material;
}
开发者ID:IBM,项目名称:ibm-cos-sdk-java,代码行数:13,代码来源:ContentCryptoMaterial.java
注:本文中的com.amazonaws.services.kms.AWSKMS类示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |