From 22f9e9bf7cd51accbf01ca6468cff2cf93afb817 Mon Sep 17 00:00:00 2001 From: Rishav karanjit Date: Wed, 10 Jun 2026 12:27:53 -0700 Subject: [PATCH 01/11] chore: Add test for RSA decryption validation for v1 object This test class verifies the decryption of RSA-encrypted objects using legacy wrapping. It includes setup for encryption and parameterized tests for various runtime and policy combinations. --- .../s3/RsaV1LegacyDecryptTests.java | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java new file mode 100644 index 00000000..52e8370f --- /dev/null +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -0,0 +1,124 @@ +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0 + */ + +package software.amazon.encryption.s3; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static software.amazon.encryption.s3.TestUtils.*; + +import java.nio.charset.StandardCharsets; +import java.nio.ByteBuffer; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.util.List; +import java.util.stream.Stream; + +import com.amazonaws.services.s3.AmazonS3Encryption; +import com.amazonaws.services.s3.AmazonS3EncryptionClient; +import com.amazonaws.services.s3.model.CryptoConfiguration; +import com.amazonaws.services.s3.model.CryptoMode; +import com.amazonaws.services.s3.model.CryptoStorageMode; +import com.amazonaws.services.s3.model.EncryptionMaterials; +import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; +import software.amazon.encryption.s3.client.S3ECTestServerClient; +import software.amazon.encryption.s3.model.CommitmentPolicy; +import software.amazon.encryption.s3.model.CreateClientInput; +import software.amazon.encryption.s3.model.EncryptionAlgorithm; +import software.amazon.encryption.s3.model.GetObjectInput; +import software.amazon.encryption.s3.model.GetObjectOutput; +import software.amazon.encryption.s3.model.KeyMaterial; +import software.amazon.encryption.s3.model.S3ECConfig; + +/** + * Verifies that V1 RSA-encrypted objects can be + * successfully decrypted by all RSA-capable runtimes with legacy wrapping enabled. + * + * Encrypt: Java V1 client (RSA PKCS#1v1.5 wrap + AES-GCM content encryption) + * Decrypt: Each RSA-capable runtime × commitment policy matrix + */ +public class RsaV1LegacyDecryptTests { + + private static KeyPair rsaKeyPair; + private static String v1ObjectKey; + private static final String INPUT = "test-data-for-rsa-v1-legacy-decrypt"; + + @BeforeAll + static void setup() throws Exception { + validateServersRunning(); + + KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); + keyPairGen.initialize(2048); + rsaKeyPair = keyPairGen.generateKeyPair(); + + // Encrypt with Java V1 client: RSA PKCS#1v1.5 key wrap + AES-GCM content + v1ObjectKey = appendTestSuffix("rsa-v1-legacy-decrypt"); + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly) + .withStorageMode(CryptoStorageMode.ObjectMetadata)) + .withEncryptionMaterials(new StaticEncryptionMaterialsProvider( + new EncryptionMaterials(rsaKeyPair))) + .build(); + + v1Client.putObject(BUCKET, v1ObjectKey, INPUT); + } + + static Stream rsaRuntimeAndPolicyMatrix() { + List allConfigs = List.of( + new Object[]{"GCM-forbid-encrypt-allow-decrypt", + CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT, + EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF}, + new Object[]{"KC-GCM-require-encrypt-allow-decrypt", + CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT, + EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY}, + new Object[]{"KC-GCM-require-encrypt-require-decrypt", + CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, + EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY} + ); + + List transitionConfigs = allConfigs.subList(0, 1); + + // For each RSA-capable runtime, pair it with the applicable config set. + // Transition versions only support FORBID_ENCRYPT_ALLOW_DECRYPT (no key commitment), + // so they get a single config. Improved versions get all three policies. + return clientsRawRsaForTest().flatMap(langArg -> { + LanguageServerTarget lang = (LanguageServerTarget) langArg.get()[0]; + var configs = TRANSITION_VERSIONS.contains(lang.getLanguageName()) + ? transitionConfigs : allConfigs; + return configs.stream().map(cfg -> Arguments.of(lang, cfg[0], cfg[1], cfg[2])); + }); + } + + @ParameterizedTest(name = "Encrypt: Java-V1-RSA, Decrypt: {0} / {1}") + @MethodSource("rsaRuntimeAndPolicyMatrix") + void canDecryptV1RsaObjectWithLegacyEnabled(LanguageServerTarget language, String configName, + CommitmentPolicy policy, EncryptionAlgorithm algo) { + S3ECTestServerClient client = testServerClientFor(language); + + KeyMaterial rsaKeyMaterial = KeyMaterial.builder() + .rsaKey(ByteBuffer.wrap(rsaKeyPair.getPrivate().getEncoded())) + .build(); + + String clientId = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(rsaKeyMaterial) + .commitmentPolicy(policy) + .encryptionAlgorithm(algo) + .enableLegacyWrappingAlgorithms(true) + .build()) + .build()).getClientId(); + + GetObjectOutput output = client.getObject(GetObjectInput.builder() + .clientID(clientId) + .bucket(BUCKET) + .key(v1ObjectKey) + .build()); + + assertEquals(INPUT, StandardCharsets.UTF_8.decode(output.getBody()).toString()); + } +} From 95de740ed7fc8ef98f5714b30cfe2556f2b30395 Mon Sep 17 00:00:00 2001 From: Rishav karanjit Date: Wed, 10 Jun 2026 13:25:57 -0700 Subject: [PATCH 02/11] Change crypto mode to AuthenticatedEncryption --- .../software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index 52e8370f..725f9239 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -59,7 +59,7 @@ static void setup() throws Exception { // Encrypt with Java V1 client: RSA PKCS#1v1.5 key wrap + AES-GCM content v1ObjectKey = appendTestSuffix("rsa-v1-legacy-decrypt"); AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly) + .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) .withStorageMode(CryptoStorageMode.ObjectMetadata)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider( new EncryptionMaterials(rsaKeyPair))) From 352606363e23b9dc13930be75453027464717bd5 Mon Sep 17 00:00:00 2001 From: Rishav karanjit Date: Wed, 10 Jun 2026 13:49:59 -0700 Subject: [PATCH 03/11] Change crypto configuration to EncryptionOnly mode --- .../software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index 725f9239..b638fe28 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -59,7 +59,7 @@ static void setup() throws Exception { // Encrypt with Java V1 client: RSA PKCS#1v1.5 key wrap + AES-GCM content v1ObjectKey = appendTestSuffix("rsa-v1-legacy-decrypt"); AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly) .withStorageMode(CryptoStorageMode.ObjectMetadata)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider( new EncryptionMaterials(rsaKeyPair))) @@ -109,6 +109,7 @@ void canDecryptV1RsaObjectWithLegacyEnabled(LanguageServerTarget language, Strin .keyMaterial(rsaKeyMaterial) .commitmentPolicy(policy) .encryptionAlgorithm(algo) + .enableLegacyUnauthenticatedModes(true) .enableLegacyWrappingAlgorithms(true) .build()) .build()).getClientId(); From 665952a83a95f106b24ee25a7c93b426bfbda93f Mon Sep 17 00:00:00 2001 From: Rishav karanjit Date: Wed, 10 Jun 2026 13:53:44 -0700 Subject: [PATCH 04/11] Clean up rsaRuntimeAndPolicyMatrix method Refactor rsaRuntimeAndPolicyMatrix to remove unused configurations. --- .../amazon/encryption/s3/RsaV1LegacyDecryptTests.java | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index b638fe28..3c7c0cdf 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -70,14 +70,11 @@ static void setup() throws Exception { static Stream rsaRuntimeAndPolicyMatrix() { List allConfigs = List.of( - new Object[]{"GCM-forbid-encrypt-allow-decrypt", + new Object[]{"forbid-encrypt-allow-decrypt-policy", CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF}, - new Object[]{"KC-GCM-require-encrypt-allow-decrypt", + new Object[]{"require-encrypt-allow-decrypt-policy", CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT, - EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY}, - new Object[]{"KC-GCM-require-encrypt-require-decrypt", - CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY} ); From 7256ee1601228478bf1009ab500628849b47805d Mon Sep 17 00:00:00 2001 From: Rishav karanjit Date: Thu, 11 Jun 2026 12:24:26 -0700 Subject: [PATCH 05/11] Update RsaV1LegacyDecryptTests.java Co-authored-by: Kess Plasmeier <76071473+kessplas@users.noreply.github.com> --- .../software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index 3c7c0cdf..8133e416 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -39,7 +39,7 @@ * Verifies that V1 RSA-encrypted objects can be * successfully decrypted by all RSA-capable runtimes with legacy wrapping enabled. * - * Encrypt: Java V1 client (RSA PKCS#1v1.5 wrap + AES-GCM content encryption) + * Encrypt: Java V1 client (RSA PKCS#1v1.5 wrap + AES-CBC content encryption) * Decrypt: Each RSA-capable runtime × commitment policy matrix */ public class RsaV1LegacyDecryptTests { From adb2e21e98d53503e15b0f892a3984ff3e2b7c4b Mon Sep 17 00:00:00 2001 From: Rishav karanjit Date: Thu, 11 Jun 2026 12:26:45 -0700 Subject: [PATCH 06/11] Update RsaV1LegacyDecryptTests.java Co-authored-by: Kess Plasmeier <76071473+kessplas@users.noreply.github.com> --- .../software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index 8133e416..3a4d388f 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -56,7 +56,7 @@ static void setup() throws Exception { keyPairGen.initialize(2048); rsaKeyPair = keyPairGen.generateKeyPair(); - // Encrypt with Java V1 client: RSA PKCS#1v1.5 key wrap + AES-GCM content + // Encrypt with Java V1 client: RSA PKCS#1v1.5 key wrap + AES-CBC content v1ObjectKey = appendTestSuffix("rsa-v1-legacy-decrypt"); AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly) From 6e81a83f4f743d5699d577eef2ccaa5e5a461dec Mon Sep 17 00:00:00 2001 From: Rishav karanjit Date: Thu, 11 Jun 2026 12:30:24 -0700 Subject: [PATCH 07/11] Update RsaV1LegacyDecryptTests.java --- .../s3/RsaV1LegacyDecryptTests.java | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index 3a4d388f..b99b3379 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -119,4 +119,33 @@ void canDecryptV1RsaObjectWithLegacyEnabled(LanguageServerTarget language, Strin assertEquals(INPUT, StandardCharsets.UTF_8.decode(output.getBody()).toString()); } + + @ParameterizedTest(name = "Encrypt: Java-V1-RSA, Decrypt: {0} / {1}") + @MethodSource("rsaRuntimeAndPolicyMatrix") + void cannotDecryptV1RsaObjectWithLegacyDisabled(LanguageServerTarget language, String configName, + CommitmentPolicy policy, EncryptionAlgorithm algo) { + S3ECTestServerClient client = testServerClientFor(language); + + KeyMaterial rsaKeyMaterial = KeyMaterial.builder() + .rsaKey(ByteBuffer.wrap(rsaKeyPair.getPrivate().getEncoded())) + .build(); + + String clientId = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(rsaKeyMaterial) + .commitmentPolicy(policy) + .encryptionAlgorithm(algo) + .enableLegacyUnauthenticatedModes(true) + .enableLegacyWrappingAlgorithms(false) + .build()) + .build()).getClientId(); + + assertThrows(Exception.class, () -> + client.getObject(GetObjectInput.builder() + .clientID(clientId) + .bucket(BUCKET) + .key(v1ObjectKey) + .build()) + ); + } } From 8a305626c70259090915b15fc5c291f78a45ce11 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Thu, 11 Jun 2026 12:51:32 -0700 Subject: [PATCH 08/11] m --- .../software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java | 1 + 1 file changed, 1 insertion(+) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index b99b3379..62427928 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -6,6 +6,7 @@ package software.amazon.encryption.s3; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; import static software.amazon.encryption.s3.TestUtils.*; import java.nio.charset.StandardCharsets; From d93c0ac70fa380e991f6d14769e8c0f21a9aba9e Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Thu, 11 Jun 2026 12:55:52 -0700 Subject: [PATCH 09/11] m --- .../amazon/encryption/s3/RsaV1LegacyDecryptTests.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index 62427928..c1329ca1 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -27,6 +27,7 @@ import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.Arguments; import org.junit.jupiter.params.provider.MethodSource; +import software.amazon.encryption.s3.TestUtils.LanguageServerTarget; import software.amazon.encryption.s3.client.S3ECTestServerClient; import software.amazon.encryption.s3.model.CommitmentPolicy; import software.amazon.encryption.s3.model.CreateClientInput; @@ -35,6 +36,7 @@ import software.amazon.encryption.s3.model.GetObjectOutput; import software.amazon.encryption.s3.model.KeyMaterial; import software.amazon.encryption.s3.model.S3ECConfig; +import software.amazon.encryption.s3.model.S3EncryptionClientError; /** * Verifies that V1 RSA-encrypted objects can be @@ -141,7 +143,7 @@ void cannotDecryptV1RsaObjectWithLegacyDisabled(LanguageServerTarget language, S .build()) .build()).getClientId(); - assertThrows(Exception.class, () -> + assertThrows(S3EncryptionClientError.class, () -> client.getObject(GetObjectInput.builder() .clientID(clientId) .bucket(BUCKET) From a5f3327ad44d692f16bdf019c81efc96b1e8029d Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Thu, 11 Jun 2026 13:29:05 -0700 Subject: [PATCH 10/11] m --- .../software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index c1329ca1..b7fa5be4 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -138,7 +138,7 @@ void cannotDecryptV1RsaObjectWithLegacyDisabled(LanguageServerTarget language, S .keyMaterial(rsaKeyMaterial) .commitmentPolicy(policy) .encryptionAlgorithm(algo) - .enableLegacyUnauthenticatedModes(true) + .enableLegacyUnauthenticatedModes(false) .enableLegacyWrappingAlgorithms(false) .build()) .build()).getClientId(); From 2f2d00a81d80be697efda6cdd05bd5230d761f08 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Thu, 11 Jun 2026 13:29:49 -0700 Subject: [PATCH 11/11] m --- .../s3/RsaV1LegacyDecryptTests.java | 29 ------------------- 1 file changed, 29 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java index b7fa5be4..eb8930e7 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RsaV1LegacyDecryptTests.java @@ -122,33 +122,4 @@ void canDecryptV1RsaObjectWithLegacyEnabled(LanguageServerTarget language, Strin assertEquals(INPUT, StandardCharsets.UTF_8.decode(output.getBody()).toString()); } - - @ParameterizedTest(name = "Encrypt: Java-V1-RSA, Decrypt: {0} / {1}") - @MethodSource("rsaRuntimeAndPolicyMatrix") - void cannotDecryptV1RsaObjectWithLegacyDisabled(LanguageServerTarget language, String configName, - CommitmentPolicy policy, EncryptionAlgorithm algo) { - S3ECTestServerClient client = testServerClientFor(language); - - KeyMaterial rsaKeyMaterial = KeyMaterial.builder() - .rsaKey(ByteBuffer.wrap(rsaKeyPair.getPrivate().getEncoded())) - .build(); - - String clientId = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(rsaKeyMaterial) - .commitmentPolicy(policy) - .encryptionAlgorithm(algo) - .enableLegacyUnauthenticatedModes(false) - .enableLegacyWrappingAlgorithms(false) - .build()) - .build()).getClientId(); - - assertThrows(S3EncryptionClientError.class, () -> - client.getObject(GetObjectInput.builder() - .clientID(clientId) - .bucket(BUCKET) - .key(v1ObjectKey) - .build()) - ); - } }