From abb14759d0b9b5f940b2336577ca404b438291d7 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 25 Sep 2025 13:58:46 -0700 Subject: [PATCH 01/37] add v3 metadata work --- test-server/php-v2-server/local-php-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/php-v2-server/local-php-sdk b/test-server/php-v2-server/local-php-sdk index d78bd3b2..b7973fd2 160000 --- a/test-server/php-v2-server/local-php-sdk +++ b/test-server/php-v2-server/local-php-sdk @@ -1 +1 @@ -Subproject commit d78bd3b221890aac679ec3b6cb5abcb01fd42699 +Subproject commit b7973fd259feb7373c888425d0e644dafda5a038 From 65f2bb04297a128828ae0ad0c660e31fb0ed7621 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 25 Sep 2025 14:03:53 -0700 Subject: [PATCH 02/37] use a v3 client --- test-server/php-v3-server/local-php-sdk | 2 +- test-server/php-v3-server/src/index.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index d78bd3b2..0a654d86 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit d78bd3b221890aac679ec3b6cb5abcb01fd42699 +Subproject commit 0a654d867009f5f6e48816c34f9b1f068ac78fdc diff --git a/test-server/php-v3-server/src/index.php b/test-server/php-v3-server/src/index.php index cc5dee29..b20367bb 100644 --- a/test-server/php-v3-server/src/index.php +++ b/test-server/php-v3-server/src/index.php @@ -5,7 +5,7 @@ require_once __DIR__ . '/get_object.php'; require_once __DIR__ . '/put_object.php'; -use Aws\S3\Crypto\S3EncryptionClientV2; +use Aws\S3\Crypto\S3EncryptionClientV3; use Aws\Crypto\KmsMaterialsProviderV2; use Aws\S3\S3Client; use Aws\Kms\KmsClient; @@ -157,7 +157,7 @@ function getCachedClient($clientId) // Recreate the AWS clients from stored configuration $s3Client = new S3Client($config['s3Config']); - $encryptionClient = new S3EncryptionClientV2($s3Client); + $encryptionClient = new S3EncryptionClientV3($s3Client); $kmsClient = new KmsClient($config['kmsConfig']); $materialsProvider = new KmsMaterialsProviderV2($kmsClient, $config['kmsKeyId']); @@ -183,7 +183,7 @@ function createDefaultClientTuple(): array ] ] ]); - $encryptionClient = new S3EncryptionClientV2($s3Client); + $encryptionClient = new S3EncryptionClientV3($s3Client); $kmsClient = new KmsClient([ 'region' => 'us-west-2', From 8c1d2cc1780db40f1a850f6076942356b50a8eeb Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 25 Sep 2025 16:59:47 -0700 Subject: [PATCH 03/37] point to newer v3 --- test-server/php-v3-server/local-php-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index 0a654d86..4cf1388a 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 0a654d867009f5f6e48816c34f9b1f068ac78fdc +Subproject commit 4cf1388a7b183bc053ed89176b92a48d05c43a1d From 144f29569ac67d5881fdb9c80222171587692e4d Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 26 Sep 2025 10:42:38 -0700 Subject: [PATCH 04/37] use v3 kms material provider --- test-server/php-v3-server/local-php-sdk | 2 +- test-server/php-v3-server/src/index.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index 4cf1388a..f4b03ebb 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 4cf1388a7b183bc053ed89176b92a48d05c43a1d +Subproject commit f4b03ebb7271238ff9b8e6f68699c6a9ce5950d3 diff --git a/test-server/php-v3-server/src/index.php b/test-server/php-v3-server/src/index.php index b20367bb..41b9b47c 100644 --- a/test-server/php-v3-server/src/index.php +++ b/test-server/php-v3-server/src/index.php @@ -6,7 +6,7 @@ require_once __DIR__ . '/put_object.php'; use Aws\S3\Crypto\S3EncryptionClientV3; -use Aws\Crypto\KmsMaterialsProviderV2; +use Aws\Crypto\KmsMaterialsProviderV3; use Aws\S3\S3Client; use Aws\Kms\KmsClient; @@ -160,7 +160,7 @@ function getCachedClient($clientId) $encryptionClient = new S3EncryptionClientV3($s3Client); $kmsClient = new KmsClient($config['kmsConfig']); - $materialsProvider = new KmsMaterialsProviderV2($kmsClient, $config['kmsKeyId']); + $materialsProvider = new KmsMaterialsProviderV3($kmsClient, $config['kmsKeyId']); return [ 'encryptionClient' => $encryptionClient, @@ -197,7 +197,7 @@ function createDefaultClientTuple(): array ] ] ]); - $materialsProvider = new KmsMaterialsProviderV2($kmsClient, 'arn:aws:kms:us-west-2:370957321024:alias/S3EC-Test-Server-Github-KMS-Key'); + $materialsProvider = new KmsMaterialsProviderV3($kmsClient, 'arn:aws:kms:us-west-2:370957321024:alias/S3EC-Test-Server-Github-KMS-Key'); return [ 'encryptionClient' => $encryptionClient, From 769748a9bb6fc0a0d502324d6a9a92b05db66b1b Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 26 Sep 2025 11:05:28 -0700 Subject: [PATCH 05/37] ci --- .github/workflows/test.yml | 2 +- test-server/php-v2-server/local-php-sdk | 2 +- test-server/php-v3-server/local-php-sdk | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8c8a9616..80beefc1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -42,7 +42,7 @@ jobs: token: ${{ secrets.PAT_FOR_DOTNET }} repository: aws/private-amazon-s3-encryption-client-dotnet-staging # This is the branch for S3EC .NET V2 - ref: v3sdk-development + ref: v3sdk-development path: test-server/net-v2-v3-server/s3ec-net-v2/ - name: Checkout .NET V3 code diff --git a/test-server/php-v2-server/local-php-sdk b/test-server/php-v2-server/local-php-sdk index b7973fd2..ab8aee74 160000 --- a/test-server/php-v2-server/local-php-sdk +++ b/test-server/php-v2-server/local-php-sdk @@ -1 +1 @@ -Subproject commit b7973fd259feb7373c888425d0e644dafda5a038 +Subproject commit ab8aee74db1141da07c9c979cf313418fddae256 diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index f4b03ebb..bd3f79ce 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit f4b03ebb7271238ff9b8e6f68699c6a9ce5950d3 +Subproject commit bd3f79ce839ea22adcf55919c8fb817df9d76504 From 847ba63279b6ac75f6dfd59a43bb30c52aa16741 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 29 Sep 2025 13:44:46 -0700 Subject: [PATCH 06/37] fix error wrapping --- test-server/php-v2-server/src/get_object.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/php-v2-server/src/get_object.php b/test-server/php-v2-server/src/get_object.php index 61bacb5b..3150ec04 100644 --- a/test-server/php-v2-server/src/get_object.php +++ b/test-server/php-v2-server/src/get_object.php @@ -77,7 +77,7 @@ function handleGetObject($params) ob_end_clean(); } if (strpos($e->getMessage(), "@SecurityProfile=V2") !== false) { - return S3EncryptionClientError($e->getMessage() . " " . "Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"); + return S3EncryptionClientError($e->getMessage()); } else { return GenericServerError("Server argument: " . $e->getMessage(), 500); } From 395c144eee6e17fc4b3fcca49a09cb4025d1eab6 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 29 Sep 2025 13:49:06 -0700 Subject: [PATCH 07/37] add v3 client and have it pass ec tests --- test-server/php-v3-server/src/get_object.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/test-server/php-v3-server/src/get_object.php b/test-server/php-v3-server/src/get_object.php index 59e2192c..17a2ba43 100644 --- a/test-server/php-v3-server/src/get_object.php +++ b/test-server/php-v3-server/src/get_object.php @@ -77,7 +77,10 @@ function handleGetObject($params) ob_end_clean(); } if (strpos($e->getMessage(), "@SecurityProfile=V2") !== false) { - return S3EncryptionClientError($e->getMessage() . " " . "Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"); + return S3EncryptionClientError($e->getMessage()); + } + if (strpos($e->getMessage(), "Provided encryption context does not match information retrieved from S3") !== false) { + return S3EncryptionClientError($e->getMessage()); } else { return GenericServerError("Server argument: " . $e->getMessage(), 500); } From f8cf974986d5197a0d48b12d04017b2ae16cfeac Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 29 Sep 2025 13:49:31 -0700 Subject: [PATCH 08/37] update tests --- .../it/java/software/amazon/encryption/s3/RoundTripTests.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java index e8dc4bae..0f7565fe 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java @@ -411,6 +411,8 @@ public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget la assertTrue(e.getMessage().contains( "The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration security_profile = :v2. Retry with :v2_and_legacy or re-encrypt the object." ), "Actual error:" + e.getMessage()); + } else if (language.getLanguageName().equals(PHP_V2_CURRENT) || language.getLanguageName().equals(PHP_V3)) { + assertTrue(e.getMessage().contains("The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration @SecurityProfile=V2. Retry with V2_AND_LEGACY enabled or reencrypt the object."));; } else { assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms")); } From ebaeafd84562ff56531c5f34bac5ab86c930a322 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Tue, 30 Sep 2025 14:33:49 -0700 Subject: [PATCH 09/37] more --- .../src/it/java/software/amazon/encryption/s3/TestUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index a6af0872..155a3ef5 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -144,7 +144,7 @@ public class TestUtils { servers.put(RUBY_V3, new LanguageServerTarget(RUBY_V3, "8092")); servers.put(PHP_V3, new LanguageServerTarget(PHP_V3, "8093")); // TODO: Create and add transition servers - servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); + // servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); // servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); From 4b0972641a1f4cd6bc427f5fec4d5be712168b71 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Wed, 1 Oct 2025 13:55:58 -0700 Subject: [PATCH 10/37] fixed --- .../src/it/java/software/amazon/encryption/s3/TestUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index 155a3ef5..a6af0872 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -144,7 +144,7 @@ public class TestUtils { servers.put(RUBY_V3, new LanguageServerTarget(RUBY_V3, "8092")); servers.put(PHP_V3, new LanguageServerTarget(PHP_V3, "8093")); // TODO: Create and add transition servers - // servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); + servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); // servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); From f6e6f4ec96be721b05f5d661415bd101ae3fa740 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Tue, 7 Oct 2025 17:25:33 -0700 Subject: [PATCH 11/37] newer sdk --- test-server/php-v3-server/.duvet/config.toml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/test-server/php-v3-server/.duvet/config.toml b/test-server/php-v3-server/.duvet/config.toml index 64b00927..c3ae4317 100644 --- a/test-server/php-v3-server/.duvet/config.toml +++ b/test-server/php-v3-server/.duvet/config.toml @@ -6,6 +6,15 @@ pattern = "local-php-sdk/src/S3/**/*.php" [[source]] pattern = "local-php-sdk/src/Crypto/**/*.php" +[[source]] +pattern = "local-php-sdk/tests/S3/**/*.php" + +[[source]] +pattern = "local-php-sdk/tests/Crypto/**/*.php" + +[[source]] +pattern = "local-php-sdk/compliance_exceptions/*.txt" + # Include required specifications here [[specification]] source = "../specification/s3-encryption/data-format/content-metadata.md" From b538c435665d3a30ccf070e11a03f57d648f0797 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Tue, 28 Oct 2025 17:25:25 -0700 Subject: [PATCH 12/37] update php v3 test server --- test-server/php-v3-server/src/client.php | 2 ++ test-server/php-v3-server/src/get_object.php | 7 +++++-- test-server/php-v3-server/src/put_object.php | 4 +++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/test-server/php-v3-server/src/client.php b/test-server/php-v3-server/src/client.php index 6c40f590..4a430311 100644 --- a/test-server/php-v3-server/src/client.php +++ b/test-server/php-v3-server/src/client.php @@ -19,6 +19,7 @@ function handleCreateClient() $legacyAlgorithms = $configData["enableLegacyWrappingAlgorithms"] ?? false; $clientId = Uuid::uuid4()->toString(); $kmsKeyId = $keyMaterial["kmsKeyId"] ?? null; + $commitmentPolicy = $configData['commitmentPolicy'] ?? "REQUIRE_ENCRYPT_REQUIRE_DECRYPT"; if (empty($configData)) { return GenericServerError("Invalid config in request body", 400); @@ -55,6 +56,7 @@ function handleCreateClient() ], 'kmsKeyId' => $kmsKeyId, 'legacy' => $legacyAlgorithms, + 'commitmentPolicy' => $commitmentPolicy, 'created' => time() ]; diff --git a/test-server/php-v3-server/src/get_object.php b/test-server/php-v3-server/src/get_object.php index 17a2ba43..ae10789e 100644 --- a/test-server/php-v3-server/src/get_object.php +++ b/test-server/php-v3-server/src/get_object.php @@ -34,10 +34,11 @@ function handleGetObject($params) $legacyConfig = $clientConfig["legacy"] ?? false; $legacy = null; if ($legacyConfig === false) { - $legacy = "V2"; + $legacy = "V3"; } else { - $legacy = "V2_AND_LEGACY"; + $legacy = "V3_AND_LEGACY"; } + $commitmentPolicy = $s3ecClientTuple['config']['commitmentPolicy']; try { // Start output buffering before the AWS call to capture any unwanted output @@ -47,6 +48,7 @@ function handleGetObject($params) '@SecurityProfile' => $legacy, '@MaterialsProvider' => $materialProvider, '@KmsEncryptionContext' => $encryptionContext, + '@CommitmentPolicy' => $commitmentPolicy, 'Bucket' => $bucket, 'Key' => $key, ]); @@ -82,6 +84,7 @@ function handleGetObject($params) if (strpos($e->getMessage(), "Provided encryption context does not match information retrieved from S3") !== false) { return S3EncryptionClientError($e->getMessage()); } else { + error_log("This is the error: " . $e->getMessage()); return GenericServerError("Server argument: " . $e->getMessage(), 500); } } diff --git a/test-server/php-v3-server/src/put_object.php b/test-server/php-v3-server/src/put_object.php index 63058f7d..16afa0f6 100644 --- a/test-server/php-v3-server/src/put_object.php +++ b/test-server/php-v3-server/src/put_object.php @@ -28,7 +28,7 @@ function handlePutObject($params) $key = $params['key'] ?? null; if (is_null($bucket) || is_null($key)) { - return GenericServerError("Invalidb bucket or key parameters", 400); + return GenericServerError("Invalid bucket or key parameters", 400); } $s3ec = $s3ecClientTuple["encryptionClient"]; @@ -44,11 +44,13 @@ function handlePutObject($params) } else { $legacy = "V2_AND_LEGACY"; } + $commitmentPolicy = $s3ecClientTuple['config']['commitmentPolicy']; try { $result = $s3ec->putObject([ '@SecurityProfile' => $legacy, '@MaterialsProvider' => $materialProvider, + '@CommitmentPolicy' => $commitmentPolicy, '@KmsEncryptionContext' => $encryptionContext, '@CipherOptions' => $cipherOptions, 'Bucket' => $bucket, From 1fcdd8ae375d624bc4b141f1983787e84eafbb0e Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Wed, 29 Oct 2025 13:04:10 -0700 Subject: [PATCH 13/37] move sdk up --- .../s3/ExhaustiveRoundTripTests1_25.java | 201 +++--- .../amazon/encryption/s3/RoundTripTests.java | 580 +++++++++--------- .../amazon/encryption/s3/TestUtils.java | 6 +- 3 files changed, 394 insertions(+), 393 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java index eb48d6bd..9a7cf2b9 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java @@ -66,105 +66,105 @@ public static void setup() { // Outcome Version Operation Policy Content Encryption // Pass Improved Decrypt ForbidEncryptAllowDecrypt CBC - @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - public void GIVEN_CBCEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( - TestUtils.LanguageServerTarget language - ) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - final String objectKey = "test-key-kms-v1-" + language; - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(TestUtils.KMS_KEY_ARN) - .build(); - - // Create the object using the old client - // V1 Client - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(TestUtils.KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(TestUtils.BUCKET, objectKey, input); - - S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .enableLegacyWrappingAlgorithms(true) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); - - // When: decrypt KC object with a current version client - GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(TestUtils.BUCKET) - .key(objectKey) - .build()); - - // Then: Pass - } - - // Exhaustive test 3 - // Outcome Version Operation Policy Content Encryption - // Pass Improved Decrypt ForbidEncryptAllowDecrypt GCM - - @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1-GCM, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( - TestUtils.LanguageServerTarget language - ) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - final String objectKey = "test-key-kms-v1-gcm-" + language; - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(TestUtils.KMS_KEY_ARN) - .build(); - CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .enableLegacyWrappingAlgorithms(true) - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String s3ECId = output1.getClientId(); - - // Create the object using the old client with GCM encryption - // V1 Client with GCM - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption) // StrictAuthenticatedEncryption uses GCM - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(TestUtils.KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(TestUtils.BUCKET, objectKey, input); - - // When: decrypt GCM object with an improved version client - GetObjectOutput output = client.getObject(GetObjectInput.builder() - .clientID(s3ECId) - .bucket(TestUtils.BUCKET) - .key(objectKey) - .build()); - - // Then: Pass - assertEquals(input, new String(output.getBody().array())); - } +// @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1, Decrypt: {0}") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// public void GIVEN_CBCEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( +// TestUtils.LanguageServerTarget language +// ) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// final String objectKey = "test-key-kms-v1-" + language; +// final String input = "simple-test-input"; +// KeyMaterial kmsKeyArn = KeyMaterial.builder() +// .kmsKeyId(TestUtils.KMS_KEY_ARN) +// .build(); + +// // Create the object using the old client +// // V1 Client +// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + +// CryptoConfiguration v1Config = +// new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) +// .withStorageMode(CryptoStorageMode.ObjectMetadata) +// .withAwsKmsRegion(TestUtils.KMS_REGION); + +// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() +// .withCryptoConfiguration(v1Config) +// .withEncryptionMaterials(materialsProvider) +// .build(); + +// v1Client.putObject(TestUtils.BUCKET, objectKey, input); + +// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); +// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .enableLegacyWrappingAlgorithms(true) +// .build() +// ) +// .build()); +// String decS3ECId = decClientOutput.getClientId(); + +// // When: decrypt KC object with a current version client +// GetObjectOutput output = decClient.getObject(GetObjectInput.builder() +// .clientID(decS3ECId) +// .bucket(TestUtils.BUCKET) +// .key(objectKey) +// .build()); + +// // Then: Pass +// } + +// // Exhaustive test 3 +// // Outcome Version Operation Policy Content Encryption +// // Pass Improved Decrypt ForbidEncryptAllowDecrypt GCM + +// @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1-GCM, Decrypt: {0}") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( +// TestUtils.LanguageServerTarget language +// ) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// final String objectKey = "test-key-kms-v1-gcm-" + language; +// final String input = "simple-test-input"; +// KeyMaterial kmsKeyArn = KeyMaterial.builder() +// .kmsKeyId(TestUtils.KMS_KEY_ARN) +// .build(); +// CreateClientOutput output1 = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .enableLegacyWrappingAlgorithms(true) +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String s3ECId = output1.getClientId(); + +// // Create the object using the old client with GCM encryption +// // V1 Client with GCM +// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + +// CryptoConfiguration v1Config = +// new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption) // StrictAuthenticatedEncryption uses GCM +// .withStorageMode(CryptoStorageMode.ObjectMetadata) +// .withAwsKmsRegion(TestUtils.KMS_REGION); + +// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() +// .withCryptoConfiguration(v1Config) +// .withEncryptionMaterials(materialsProvider) +// .build(); + +// v1Client.putObject(TestUtils.BUCKET, objectKey, input); + +// // When: decrypt GCM object with an improved version client +// GetObjectOutput output = client.getObject(GetObjectInput.builder() +// .clientID(s3ECId) +// .bucket(TestUtils.BUCKET) +// .key(objectKey) +// .build()); + +// // Then: Pass +// assertEquals(input, new String(output.getBody().array())); +// } // Exhaustive test 4 // Outcome Version Operation Policy Content Encryption @@ -173,11 +173,12 @@ public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncrypt @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") @MethodSource("software.amazon.encryption.s3.TestUtils#encryptImprovedDecryptImproved") public void GIVEN_KCGCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( - TestUtils.LanguageServerTarget encLang, TestUtils.LanguageServerTarget decLang + LanguageServerTarget encLang, LanguageServerTarget decLang ) { S3ECTestServerClient encClient = TestUtils.testServerClientFor(encLang); final String objectKey = "encrypt-kc-gcm-decrypt-improved-test-key-" + encLang; + final String objectKey2 = "encrypt-kc-gcm-decrypt-improved-test-key-CPP-V3"; final String input = "simple-test-input"; KeyMaterial kmsKeyArn = KeyMaterial.builder() .kmsKeyId(TestUtils.KMS_KEY_ARN) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java index 0f7565fe..6edcab95 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java @@ -49,129 +49,129 @@ public static void setup() { validateServersRunning(); } - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - public void crossLanguageTestKms(LanguageServerTarget encLang, LanguageServerTarget decLang) { - S3ECTestServerClient encClient = testServerClientFor(encLang); - final String objectKey = appendTestSuffix("cross-lang-test-key-" + encLang); - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig - .builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String encS3ECId = encClientOutput.getClientId(); - encClient.putObject(PutObjectInput.builder() - .clientID(encS3ECId) - .key(objectKey) - .bucket(BUCKET) - .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - .build()); - S3ECTestServerClient decClient = testServerClientFor(decLang); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); - GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(BUCKET) - .key(objectKey) - .build()); - - if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { - fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); - } - } - - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - public void crossLanguageTestKmsWithEncCtx(LanguageServerTarget encLang, LanguageServerTarget decLang) { - if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { - return; - } - S3ECTestServerClient encClient = testServerClientFor(encLang); - final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-" + encLang); - final String input = "simple-test-input"; - final Map encCtx = new HashMap<>(); - encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - final List mdAsList = metadataMapToList(encCtx); - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String encS3ECId = encClientOutput.getClientId(); - - encClient.putObject(PutObjectInput.builder() - .clientID(encS3ECId) - .key(objectKey) - .bucket(BUCKET) - .metadata(mdAsList) - .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - .build()); - S3ECTestServerClient decClient = testServerClientFor(decLang); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); - GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(BUCKET) - .key(objectKey) - .metadata(mdAsList) - .build()); - - if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { - fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); - } - } - - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { - if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { - return; - } - if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { - return; - } - S3ECTestServerClient encClient = testServerClientFor(encLang); - final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-subset-fails" + encLang); - final String input = "simple-test-input"; - final Map encCtx = new HashMap<>(); - encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - final List mdAsList = metadataMapToList(encCtx); - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String encS3ECId = encClientOutput.getClientId(); + // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + // public void crossLanguageTestKms(LanguageServerTarget encLang, LanguageServerTarget decLang) { + // S3ECTestServerClient encClient = testServerClientFor(encLang); + // final String objectKey = appendTestSuffix("cross-lang-test-key-" + encLang); + // final String input = "simple-test-input"; + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig + // .builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String encS3ECId = encClientOutput.getClientId(); + // encClient.putObject(PutObjectInput.builder() + // .clientID(encS3ECId) + // .key(objectKey) + // .bucket(BUCKET) + // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + // .build()); + // S3ECTestServerClient decClient = testServerClientFor(decLang); + // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String decS3ECId = decClientOutput.getClientId(); + // GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + // .clientID(decS3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .build()); + + // if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { + // fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); + // } + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + // public void crossLanguageTestKmsWithEncCtx(LanguageServerTarget encLang, LanguageServerTarget decLang) { + // if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { + // return; + // } + // S3ECTestServerClient encClient = testServerClientFor(encLang); + // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-" + encLang); + // final String input = "simple-test-input"; + // final Map encCtx = new HashMap<>(); + // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + // final List mdAsList = metadataMapToList(encCtx); + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String encS3ECId = encClientOutput.getClientId(); + + // encClient.putObject(PutObjectInput.builder() + // .clientID(encS3ECId) + // .key(objectKey) + // .bucket(BUCKET) + // .metadata(mdAsList) + // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + // .build()); + // S3ECTestServerClient decClient = testServerClientFor(decLang); + // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String decS3ECId = decClientOutput.getClientId(); + // GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + // .clientID(decS3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .metadata(mdAsList) + // .build()); + + // if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { + // fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); + // } + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + // public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { + // if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { + // return; + // } + // if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { + // return; + // } + // S3ECTestServerClient encClient = testServerClientFor(encLang); + // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-subset-fails" + encLang); + // final String input = "simple-test-input"; + // final Map encCtx = new HashMap<>(); + // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + // final List mdAsList = metadataMapToList(encCtx); + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build()) + // .build()); + // String encS3ECId = encClientOutput.getClientId(); encClient.putObject(PutObjectInput.builder() .clientID(encS3ECId) @@ -205,47 +205,47 @@ public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLa } } - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { - if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { - return; - } - S3ECTestServerClient encClient = testServerClientFor(encLang); - final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-incorrect-fails" + encLang); - final String input = "simple-test-input"; - final Map encCtx = new HashMap<>(); - encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - final List mdAsList = metadataMapToList(encCtx); - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String encS3ECId = encClientOutput.getClientId(); - - encClient.putObject(PutObjectInput.builder() - .clientID(encS3ECId) - .key(objectKey) - .bucket(BUCKET) - .metadata(mdAsList) - .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - .build()); - S3ECTestServerClient decClient = testServerClientFor(decLang); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); + // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + // public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { + // if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { + // return; + // } + // S3ECTestServerClient encClient = testServerClientFor(encLang); + // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-incorrect-fails" + encLang); + // final String input = "simple-test-input"; + // final Map encCtx = new HashMap<>(); + // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + // final List mdAsList = metadataMapToList(encCtx); + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String encS3ECId = encClientOutput.getClientId(); + + // encClient.putObject(PutObjectInput.builder() + // .clientID(encS3ECId) + // .key(objectKey) + // .bucket(BUCKET) + // .metadata(mdAsList) + // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + // .build()); + // S3ECTestServerClient decClient = testServerClientFor(decLang); + // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String decS3ECId = decClientOutput.getClientId(); final Map incorrectEncCtx = new HashMap<>(); incorrectEncCtx.put("this-is-wrong-ec-key", "bad-value"); @@ -267,132 +267,132 @@ public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget en } } - @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - public void kmsV1Legacy(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = testServerClientFor(language); - final String objectKey = appendTestSuffix("test-key-kms-v1-" + language); - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .enableLegacyWrappingAlgorithms(true) - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String s3ECId = output1.getClientId(); - - // Create the object using the old client - // V1 Client - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(BUCKET, objectKey, input); - - GetObjectOutput output = client.getObject(GetObjectInput.builder() - .clientID(s3ECId) - .bucket(BUCKET) - .key(objectKey) - .build()); - - assertEquals(input, new String(output.getBody().array())); - } - - @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - public void kmsV1LegacyWithEncCtx(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = testServerClientFor(language); - final String objectKey = appendTestSuffix("test-key-kms-v1-with-enc-ctx-" + language); - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .enableLegacyWrappingAlgorithms(true) - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String s3ECId = output1.getClientId(); - - // Create the object using the old client - // V1 Client - final String ecKey = "user-metadata-key"; - final String ecValue = "user-metadata-value-v1"; - KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ARN); - kmsMaterials.addDescription(ecKey, ecValue); - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(BUCKET, objectKey, input); - - final Map encCtx = new HashMap<>(); - encCtx.put(ecKey, ecValue); - GetObjectOutput output = client.getObject(GetObjectInput.builder() - .clientID(s3ECId) - .bucket(BUCKET) - .key(objectKey) - .metadata(metadataMapToList(encCtx)) - .build()); - - assertEquals(input, new String(output.getBody().array())); - } - - @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = testServerClientFor(language); - final String objectKey = appendTestSuffix("test-key-kms-v1-fails-disabled" + language); - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .enableLegacyWrappingAlgorithms(false) - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String s3ECId = output1.getClientId(); - - // Create the object using the old client - // V1 Client - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(BUCKET, objectKey, input); + // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + // public void kmsV1Legacy(TestUtils.LanguageServerTarget language) { + // S3ECTestServerClient client = testServerClientFor(language); + // final String objectKey = appendTestSuffix("test-key-kms-v1-" + language); + // final String input = "simple-test-input"; + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .enableLegacyWrappingAlgorithms(true) + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build()) + // .build()); + // String s3ECId = output1.getClientId(); + + // // Create the object using the old client + // // V1 Client + // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); + + // CryptoConfiguration v1Config = + // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + // .withStorageMode(CryptoStorageMode.ObjectMetadata) + // .withAwsKmsRegion(KMS_REGION); + + // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + // .withCryptoConfiguration(v1Config) + // .withEncryptionMaterials(materialsProvider) + // .build(); + + // v1Client.putObject(BUCKET, objectKey, input); + + // GetObjectOutput output = client.getObject(GetObjectInput.builder() + // .clientID(s3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .build()); + + // assertEquals(input, new String(output.getBody().array())); + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + // public void kmsV1LegacyWithEncCtx(TestUtils.LanguageServerTarget language) { + // S3ECTestServerClient client = testServerClientFor(language); + // final String objectKey = appendTestSuffix("test-key-kms-v1-with-enc-ctx-" + language); + // final String input = "simple-test-input"; + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .enableLegacyWrappingAlgorithms(true) + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build()) + // .build()); + // String s3ECId = output1.getClientId(); + + // // Create the object using the old client + // // V1 Client + // final String ecKey = "user-metadata-key"; + // final String ecValue = "user-metadata-value-v1"; + // KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ARN); + // kmsMaterials.addDescription(ecKey, ecValue); + // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials); + + // CryptoConfiguration v1Config = + // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + // .withStorageMode(CryptoStorageMode.ObjectMetadata) + // .withAwsKmsRegion(KMS_REGION); + + // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + // .withCryptoConfiguration(v1Config) + // .withEncryptionMaterials(materialsProvider) + // .build(); + + // v1Client.putObject(BUCKET, objectKey, input); + + // final Map encCtx = new HashMap<>(); + // encCtx.put(ecKey, ecValue); + // GetObjectOutput output = client.getObject(GetObjectInput.builder() + // .clientID(s3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .metadata(metadataMapToList(encCtx)) + // .build()); + + // assertEquals(input, new String(output.getBody().array())); + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + // public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget language) { + // S3ECTestServerClient client = testServerClientFor(language); + // final String objectKey = appendTestSuffix("test-key-kms-v1-fails-disabled" + language); + // final String input = "simple-test-input"; + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .enableLegacyWrappingAlgorithms(false) + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build()) + // .build()); + // String s3ECId = output1.getClientId(); + + // // Create the object using the old client + // // V1 Client + // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); + + // CryptoConfiguration v1Config = + // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + // .withStorageMode(CryptoStorageMode.ObjectMetadata) + // .withAwsKmsRegion(KMS_REGION); + + // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + // .withCryptoConfiguration(v1Config) + // .withEncryptionMaterials(materialsProvider) + // .build(); + + // v1Client.putObject(BUCKET, objectKey, input); try { client.getObject(GetObjectInput.builder() diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index a6af0872..7c0a1fa6 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -124,8 +124,8 @@ public class TestUtils { GO_V4, // NET_V3, // CPP_V3, - // PHP_V3, - RUBY_V3 + PHP_V3 + // RUBY_V3 ); private static final Map serverMap; @@ -144,7 +144,7 @@ public class TestUtils { servers.put(RUBY_V3, new LanguageServerTarget(RUBY_V3, "8092")); servers.put(PHP_V3, new LanguageServerTarget(PHP_V3, "8093")); // TODO: Create and add transition servers - servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); + // servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); // servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); From 203aae64d2dba6716833ac83681c38a75a0742ec Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Wed, 29 Oct 2025 16:02:26 -0700 Subject: [PATCH 14/37] v3 php round trips and decrypts other languages --- .../amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java index 9a7cf2b9..470e8937 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java @@ -178,7 +178,7 @@ public void GIVEN_KCGCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncry S3ECTestServerClient encClient = TestUtils.testServerClientFor(encLang); final String objectKey = "encrypt-kc-gcm-decrypt-improved-test-key-" + encLang; - final String objectKey2 = "encrypt-kc-gcm-decrypt-improved-test-key-CPP-V3"; + final String objectKey2 = "encrypt-kc-gcm-decrypt-improved-test-key-Go-V4"; final String input = "simple-test-input"; KeyMaterial kmsKeyArn = KeyMaterial.builder() .kmsKeyId(TestUtils.KMS_KEY_ARN) From 19417edcc483ca8c88cb8c00b0889ea127dc7548 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 30 Oct 2025 10:54:43 -0700 Subject: [PATCH 15/37] fix tests --- .../s3/ExhaustiveRoundTripTests1_25.java | 198 +++--- .../amazon/encryption/s3/RoundTripTests.java | 580 +++++++++--------- 2 files changed, 389 insertions(+), 389 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java index 470e8937..70c597f1 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java @@ -66,105 +66,105 @@ public static void setup() { // Outcome Version Operation Policy Content Encryption // Pass Improved Decrypt ForbidEncryptAllowDecrypt CBC -// @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1, Decrypt: {0}") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// public void GIVEN_CBCEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( -// TestUtils.LanguageServerTarget language -// ) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// final String objectKey = "test-key-kms-v1-" + language; -// final String input = "simple-test-input"; -// KeyMaterial kmsKeyArn = KeyMaterial.builder() -// .kmsKeyId(TestUtils.KMS_KEY_ARN) -// .build(); - -// // Create the object using the old client -// // V1 Client -// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - -// CryptoConfiguration v1Config = -// new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) -// .withStorageMode(CryptoStorageMode.ObjectMetadata) -// .withAwsKmsRegion(TestUtils.KMS_REGION); - -// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() -// .withCryptoConfiguration(v1Config) -// .withEncryptionMaterials(materialsProvider) -// .build(); - -// v1Client.putObject(TestUtils.BUCKET, objectKey, input); - -// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); -// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .enableLegacyWrappingAlgorithms(true) -// .build() -// ) -// .build()); -// String decS3ECId = decClientOutput.getClientId(); - -// // When: decrypt KC object with a current version client -// GetObjectOutput output = decClient.getObject(GetObjectInput.builder() -// .clientID(decS3ECId) -// .bucket(TestUtils.BUCKET) -// .key(objectKey) -// .build()); - -// // Then: Pass -// } - -// // Exhaustive test 3 -// // Outcome Version Operation Policy Content Encryption -// // Pass Improved Decrypt ForbidEncryptAllowDecrypt GCM - -// @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1-GCM, Decrypt: {0}") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( -// TestUtils.LanguageServerTarget language -// ) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// final String objectKey = "test-key-kms-v1-gcm-" + language; -// final String input = "simple-test-input"; -// KeyMaterial kmsKeyArn = KeyMaterial.builder() -// .kmsKeyId(TestUtils.KMS_KEY_ARN) -// .build(); -// CreateClientOutput output1 = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .enableLegacyWrappingAlgorithms(true) -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String s3ECId = output1.getClientId(); - -// // Create the object using the old client with GCM encryption -// // V1 Client with GCM -// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - -// CryptoConfiguration v1Config = -// new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption) // StrictAuthenticatedEncryption uses GCM -// .withStorageMode(CryptoStorageMode.ObjectMetadata) -// .withAwsKmsRegion(TestUtils.KMS_REGION); - -// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() -// .withCryptoConfiguration(v1Config) -// .withEncryptionMaterials(materialsProvider) -// .build(); - -// v1Client.putObject(TestUtils.BUCKET, objectKey, input); - -// // When: decrypt GCM object with an improved version client -// GetObjectOutput output = client.getObject(GetObjectInput.builder() -// .clientID(s3ECId) -// .bucket(TestUtils.BUCKET) -// .key(objectKey) -// .build()); - -// // Then: Pass -// assertEquals(input, new String(output.getBody().array())); -// } + @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + public void GIVEN_CBCEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( + TestUtils.LanguageServerTarget language + ) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + final String objectKey = "test-key-kms-v1-" + language; + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(TestUtils.KMS_KEY_ARN) + .build(); + + // Create the object using the old client + // V1 Client + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(TestUtils.KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(TestUtils.BUCKET, objectKey, input); + + S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .enableLegacyWrappingAlgorithms(true) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); + + // When: decrypt KC object with a current version client + GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(TestUtils.BUCKET) + .key(objectKey) + .build()); + + // Then: Pass + } + + // Exhaustive test 3 + // Outcome Version Operation Policy Content Encryption + // Pass Improved Decrypt ForbidEncryptAllowDecrypt GCM + + @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1-GCM, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( + TestUtils.LanguageServerTarget language + ) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + final String objectKey = "test-key-kms-v1-gcm-" + language; + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(TestUtils.KMS_KEY_ARN) + .build(); + CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .enableLegacyWrappingAlgorithms(true) + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String s3ECId = output1.getClientId(); + + // Create the object using the old client with GCM encryption + // V1 Client with GCM + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption) // StrictAuthenticatedEncryption uses GCM + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(TestUtils.KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(TestUtils.BUCKET, objectKey, input); + + // When: decrypt GCM object with an improved version client + GetObjectOutput output = client.getObject(GetObjectInput.builder() + .clientID(s3ECId) + .bucket(TestUtils.BUCKET) + .key(objectKey) + .build()); + + // Then: Pass + assertEquals(input, new String(output.getBody().array())); + } // Exhaustive test 4 // Outcome Version Operation Policy Content Encryption diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java index 6edcab95..0f7565fe 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java @@ -49,129 +49,129 @@ public static void setup() { validateServersRunning(); } - // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - // public void crossLanguageTestKms(LanguageServerTarget encLang, LanguageServerTarget decLang) { - // S3ECTestServerClient encClient = testServerClientFor(encLang); - // final String objectKey = appendTestSuffix("cross-lang-test-key-" + encLang); - // final String input = "simple-test-input"; - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig - // .builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String encS3ECId = encClientOutput.getClientId(); - // encClient.putObject(PutObjectInput.builder() - // .clientID(encS3ECId) - // .key(objectKey) - // .bucket(BUCKET) - // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - // .build()); - // S3ECTestServerClient decClient = testServerClientFor(decLang); - // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String decS3ECId = decClientOutput.getClientId(); - // GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - // .clientID(decS3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .build()); - - // if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { - // fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); - // } - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - // public void crossLanguageTestKmsWithEncCtx(LanguageServerTarget encLang, LanguageServerTarget decLang) { - // if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { - // return; - // } - // S3ECTestServerClient encClient = testServerClientFor(encLang); - // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-" + encLang); - // final String input = "simple-test-input"; - // final Map encCtx = new HashMap<>(); - // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - // final List mdAsList = metadataMapToList(encCtx); - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String encS3ECId = encClientOutput.getClientId(); - - // encClient.putObject(PutObjectInput.builder() - // .clientID(encS3ECId) - // .key(objectKey) - // .bucket(BUCKET) - // .metadata(mdAsList) - // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - // .build()); - // S3ECTestServerClient decClient = testServerClientFor(decLang); - // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String decS3ECId = decClientOutput.getClientId(); - // GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - // .clientID(decS3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .metadata(mdAsList) - // .build()); - - // if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { - // fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); - // } - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - // public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { - // if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { - // return; - // } - // if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { - // return; - // } - // S3ECTestServerClient encClient = testServerClientFor(encLang); - // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-subset-fails" + encLang); - // final String input = "simple-test-input"; - // final Map encCtx = new HashMap<>(); - // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - // final List mdAsList = metadataMapToList(encCtx); - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build()) - // .build()); - // String encS3ECId = encClientOutput.getClientId(); + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void crossLanguageTestKms(LanguageServerTarget encLang, LanguageServerTarget decLang) { + S3ECTestServerClient encClient = testServerClientFor(encLang); + final String objectKey = appendTestSuffix("cross-lang-test-key-" + encLang); + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig + .builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String encS3ECId = encClientOutput.getClientId(); + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(BUCKET) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); + S3ECTestServerClient decClient = testServerClientFor(decLang); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); + GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(BUCKET) + .key(objectKey) + .build()); + + if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { + fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); + } + } + + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void crossLanguageTestKmsWithEncCtx(LanguageServerTarget encLang, LanguageServerTarget decLang) { + if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { + return; + } + S3ECTestServerClient encClient = testServerClientFor(encLang); + final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-" + encLang); + final String input = "simple-test-input"; + final Map encCtx = new HashMap<>(); + encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + final List mdAsList = metadataMapToList(encCtx); + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String encS3ECId = encClientOutput.getClientId(); + + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(BUCKET) + .metadata(mdAsList) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); + S3ECTestServerClient decClient = testServerClientFor(decLang); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); + GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(BUCKET) + .key(objectKey) + .metadata(mdAsList) + .build()); + + if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { + fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); + } + } + + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { + if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { + return; + } + if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { + return; + } + S3ECTestServerClient encClient = testServerClientFor(encLang); + final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-subset-fails" + encLang); + final String input = "simple-test-input"; + final Map encCtx = new HashMap<>(); + encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + final List mdAsList = metadataMapToList(encCtx); + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String encS3ECId = encClientOutput.getClientId(); encClient.putObject(PutObjectInput.builder() .clientID(encS3ECId) @@ -205,47 +205,47 @@ public static void setup() { } } - // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - // public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { - // if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { - // return; - // } - // S3ECTestServerClient encClient = testServerClientFor(encLang); - // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-incorrect-fails" + encLang); - // final String input = "simple-test-input"; - // final Map encCtx = new HashMap<>(); - // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - // final List mdAsList = metadataMapToList(encCtx); - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String encS3ECId = encClientOutput.getClientId(); - - // encClient.putObject(PutObjectInput.builder() - // .clientID(encS3ECId) - // .key(objectKey) - // .bucket(BUCKET) - // .metadata(mdAsList) - // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - // .build()); - // S3ECTestServerClient decClient = testServerClientFor(decLang); - // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String decS3ECId = decClientOutput.getClientId(); + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { + if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { + return; + } + S3ECTestServerClient encClient = testServerClientFor(encLang); + final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-incorrect-fails" + encLang); + final String input = "simple-test-input"; + final Map encCtx = new HashMap<>(); + encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + final List mdAsList = metadataMapToList(encCtx); + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String encS3ECId = encClientOutput.getClientId(); + + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(BUCKET) + .metadata(mdAsList) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); + S3ECTestServerClient decClient = testServerClientFor(decLang); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); final Map incorrectEncCtx = new HashMap<>(); incorrectEncCtx.put("this-is-wrong-ec-key", "bad-value"); @@ -267,132 +267,132 @@ public static void setup() { } } - // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - // public void kmsV1Legacy(TestUtils.LanguageServerTarget language) { - // S3ECTestServerClient client = testServerClientFor(language); - // final String objectKey = appendTestSuffix("test-key-kms-v1-" + language); - // final String input = "simple-test-input"; - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .enableLegacyWrappingAlgorithms(true) - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build()) - // .build()); - // String s3ECId = output1.getClientId(); - - // // Create the object using the old client - // // V1 Client - // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); - - // CryptoConfiguration v1Config = - // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - // .withStorageMode(CryptoStorageMode.ObjectMetadata) - // .withAwsKmsRegion(KMS_REGION); - - // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - // .withCryptoConfiguration(v1Config) - // .withEncryptionMaterials(materialsProvider) - // .build(); - - // v1Client.putObject(BUCKET, objectKey, input); - - // GetObjectOutput output = client.getObject(GetObjectInput.builder() - // .clientID(s3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .build()); - - // assertEquals(input, new String(output.getBody().array())); - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - // public void kmsV1LegacyWithEncCtx(TestUtils.LanguageServerTarget language) { - // S3ECTestServerClient client = testServerClientFor(language); - // final String objectKey = appendTestSuffix("test-key-kms-v1-with-enc-ctx-" + language); - // final String input = "simple-test-input"; - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .enableLegacyWrappingAlgorithms(true) - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build()) - // .build()); - // String s3ECId = output1.getClientId(); - - // // Create the object using the old client - // // V1 Client - // final String ecKey = "user-metadata-key"; - // final String ecValue = "user-metadata-value-v1"; - // KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ARN); - // kmsMaterials.addDescription(ecKey, ecValue); - // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials); - - // CryptoConfiguration v1Config = - // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - // .withStorageMode(CryptoStorageMode.ObjectMetadata) - // .withAwsKmsRegion(KMS_REGION); - - // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - // .withCryptoConfiguration(v1Config) - // .withEncryptionMaterials(materialsProvider) - // .build(); - - // v1Client.putObject(BUCKET, objectKey, input); - - // final Map encCtx = new HashMap<>(); - // encCtx.put(ecKey, ecValue); - // GetObjectOutput output = client.getObject(GetObjectInput.builder() - // .clientID(s3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .metadata(metadataMapToList(encCtx)) - // .build()); - - // assertEquals(input, new String(output.getBody().array())); - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - // public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget language) { - // S3ECTestServerClient client = testServerClientFor(language); - // final String objectKey = appendTestSuffix("test-key-kms-v1-fails-disabled" + language); - // final String input = "simple-test-input"; - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .enableLegacyWrappingAlgorithms(false) - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build()) - // .build()); - // String s3ECId = output1.getClientId(); - - // // Create the object using the old client - // // V1 Client - // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); - - // CryptoConfiguration v1Config = - // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - // .withStorageMode(CryptoStorageMode.ObjectMetadata) - // .withAwsKmsRegion(KMS_REGION); - - // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - // .withCryptoConfiguration(v1Config) - // .withEncryptionMaterials(materialsProvider) - // .build(); - - // v1Client.putObject(BUCKET, objectKey, input); + @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + public void kmsV1Legacy(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = testServerClientFor(language); + final String objectKey = appendTestSuffix("test-key-kms-v1-" + language); + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .enableLegacyWrappingAlgorithms(true) + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String s3ECId = output1.getClientId(); + + // Create the object using the old client + // V1 Client + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(BUCKET, objectKey, input); + + GetObjectOutput output = client.getObject(GetObjectInput.builder() + .clientID(s3ECId) + .bucket(BUCKET) + .key(objectKey) + .build()); + + assertEquals(input, new String(output.getBody().array())); + } + + @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + public void kmsV1LegacyWithEncCtx(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = testServerClientFor(language); + final String objectKey = appendTestSuffix("test-key-kms-v1-with-enc-ctx-" + language); + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .enableLegacyWrappingAlgorithms(true) + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String s3ECId = output1.getClientId(); + + // Create the object using the old client + // V1 Client + final String ecKey = "user-metadata-key"; + final String ecValue = "user-metadata-value-v1"; + KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ARN); + kmsMaterials.addDescription(ecKey, ecValue); + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(BUCKET, objectKey, input); + + final Map encCtx = new HashMap<>(); + encCtx.put(ecKey, ecValue); + GetObjectOutput output = client.getObject(GetObjectInput.builder() + .clientID(s3ECId) + .bucket(BUCKET) + .key(objectKey) + .metadata(metadataMapToList(encCtx)) + .build()); + + assertEquals(input, new String(output.getBody().array())); + } + + @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = testServerClientFor(language); + final String objectKey = appendTestSuffix("test-key-kms-v1-fails-disabled" + language); + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .enableLegacyWrappingAlgorithms(false) + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String s3ECId = output1.getClientId(); + + // Create the object using the old client + // V1 Client + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(BUCKET, objectKey, input); try { client.getObject(GetObjectInput.builder() From 4352bf078287b337fad5fda4d036b9e57cf90937 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 30 Oct 2025 14:16:52 -0700 Subject: [PATCH 16/37] update --- test-server/php-v3-server/local-php-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index bd3f79ce..6f0c8811 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit bd3f79ce839ea22adcf55919c8fb817df9d76504 +Subproject commit 6f0c8811705ce1d9247a4025cd7a4e2ac41f66a9 From 555972a0db6d30e23c28c327c77b58462f1844a3 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 30 Oct 2025 14:17:27 -0700 Subject: [PATCH 17/37] update test server --- test-server/php-v3-server/src/get_object.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test-server/php-v3-server/src/get_object.php b/test-server/php-v3-server/src/get_object.php index ae10789e..7851170a 100644 --- a/test-server/php-v3-server/src/get_object.php +++ b/test-server/php-v3-server/src/get_object.php @@ -80,8 +80,9 @@ function handleGetObject($params) } if (strpos($e->getMessage(), "@SecurityProfile=V2") !== false) { return S3EncryptionClientError($e->getMessage()); - } - if (strpos($e->getMessage(), "Provided encryption context does not match information retrieved from S3") !== false) { + } elseif (strpos($e->getMessage(), "Provided encryption context does not match information retrieved from S3") !== false) { + return S3EncryptionClientError($e->getMessage()); + } elseif (strpos($e->getMessage(), "Message is encrypted with a non commiting algorithm but commitment policy is set to REQUIRE_ENCRYPT_REQUIRE_DECRYPT. Select a valid commitment policy to decrypt this object.") !== false) { return S3EncryptionClientError($e->getMessage()); } else { error_log("This is the error: " . $e->getMessage()); From 7333028b99c7c377c6fbe7b3789907361f0774b8 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 30 Oct 2025 14:18:49 -0700 Subject: [PATCH 18/37] change to latest sdk updates --- test-server/php-v2-transition-server/local-php-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/php-v2-transition-server/local-php-sdk b/test-server/php-v2-transition-server/local-php-sdk index d78bd3b2..6f0c8811 160000 --- a/test-server/php-v2-transition-server/local-php-sdk +++ b/test-server/php-v2-transition-server/local-php-sdk @@ -1 +1 @@ -Subproject commit d78bd3b221890aac679ec3b6cb5abcb01fd42699 +Subproject commit 6f0c8811705ce1d9247a4025cd7a4e2ac41f66a9 From db22516806cb2743ff3120af965ff99062bd6d8a Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 30 Oct 2025 15:23:45 -0700 Subject: [PATCH 19/37] sdk updates --- test-server/php-v2-transition-server/local-php-sdk | 2 +- test-server/php-v3-server/local-php-sdk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test-server/php-v2-transition-server/local-php-sdk b/test-server/php-v2-transition-server/local-php-sdk index 6f0c8811..27de7d3e 160000 --- a/test-server/php-v2-transition-server/local-php-sdk +++ b/test-server/php-v2-transition-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 6f0c8811705ce1d9247a4025cd7a4e2ac41f66a9 +Subproject commit 27de7d3e3e78a686e01709f679f4092583597510 diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index 6f0c8811..27de7d3e 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 6f0c8811705ce1d9247a4025cd7a4e2ac41f66a9 +Subproject commit 27de7d3e3e78a686e01709f679f4092583597510 From 85d6bb553ac9e8b6f09444b2fbba2a79a150f7a9 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 30 Oct 2025 15:24:43 -0700 Subject: [PATCH 20/37] test server updates --- test-server/php-v2-transition-server/src/client.php | 8 ++++++++ test-server/php-v2-transition-server/src/get_object.php | 3 +++ 2 files changed, 11 insertions(+) diff --git a/test-server/php-v2-transition-server/src/client.php b/test-server/php-v2-transition-server/src/client.php index 44fe1b39..2be65682 100644 --- a/test-server/php-v2-transition-server/src/client.php +++ b/test-server/php-v2-transition-server/src/client.php @@ -19,6 +19,7 @@ function handleCreateClient() $legacyAlgorithms = $configData["enableLegacyWrappingAlgorithms"] ?? false; $clientId = Uuid::uuid4()->toString(); $kmsKeyId = $keyMaterial["kmsKeyId"] ?? null; + $commitmentPolicy = $configData['commitmentPolicy'] ?? "FORBID_ENCRYPT_ALLOW_DECRYPT"; if ($configData == []) { return GenericServerError("Invalid config in request body", 400); @@ -26,6 +27,12 @@ function handleCreateClient() if (($keyMaterial || $kmsKeyId) === null) { return GenericServerError("Invalid keyMaterial in config", 400); } + if ($commitmentPolicy !== "FORBID_ENCRYPT_ALLOW_DECRYPT") { + return GenericServerError( + "Transition server only supports FORBID_ENCRYPT_ALLOW_DECRYPT" + . "commitment policy but received {$commitmentPolicy}" + ); + } // Store client configuration instead of objects (AWS objects can't be serialized) $_SESSION['s3ecCache'][$clientId] = [ @@ -55,6 +62,7 @@ function handleCreateClient() ], 'kmsKeyId' => $kmsKeyId, 'legacy' => $legacyAlgorithms, + 'commitmentPolicy' => $commitmentPolicy, 'created' => time() ]; diff --git a/test-server/php-v2-transition-server/src/get_object.php b/test-server/php-v2-transition-server/src/get_object.php index 41875f54..5800e850 100644 --- a/test-server/php-v2-transition-server/src/get_object.php +++ b/test-server/php-v2-transition-server/src/get_object.php @@ -38,6 +38,7 @@ function handleGetObject($params) } else { $legacy = "V2_AND_LEGACY"; } + $commitmentPolicy = $s3ecClientTuple['config']['commitmentPolicy']; try { // Start output buffering before the AWS call to capture any unwanted output @@ -47,6 +48,7 @@ function handleGetObject($params) '@SecurityProfile' => $legacy, '@MaterialsProvider' => $materialProvider, '@KmsEncryptionContext' => $encryptionContext, + '@CommitmentPolicy' => $commitmentPolicy, 'Bucket' => $bucket, 'Key' => $key, ]); @@ -79,6 +81,7 @@ function handleGetObject($params) if (strpos($e->getMessage(), "@SecurityProfile=V2") !== false) { return S3EncryptionClientError($e->getMessage() . " " . "Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"); } else { + error_log("This is the error: " . $e->getMessage()); return GenericServerError("Server error: " . $e->getMessage(), 500); } } From e1517872c8bf9187ebca5520a8a70c618166f6bc Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 30 Oct 2025 15:25:59 -0700 Subject: [PATCH 21/37] update tests to include php v2-transition and v3 --- .../s3/ExhaustiveRoundTripTests1_25.java | 1 - .../software/amazon/encryption/s3/TestUtils.java | 14 ++++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java index 70c597f1..818ae383 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java @@ -178,7 +178,6 @@ public void GIVEN_KCGCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncry S3ECTestServerClient encClient = TestUtils.testServerClientFor(encLang); final String objectKey = "encrypt-kc-gcm-decrypt-improved-test-key-" + encLang; - final String objectKey2 = "encrypt-kc-gcm-decrypt-improved-test-key-Go-V4"; final String input = "simple-test-input"; KeyMaterial kmsKeyArn = KeyMaterial.builder() .kmsKeyId(TestUtils.KMS_KEY_ARN) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index 7c0a1fa6..3857f5f2 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -113,7 +113,7 @@ public class TestUtils { // GO_V3_TRANSITION, // NET_V2_TRANSITION, CPP_V2_TRANSITION, - // PHP_V2_TRANSITION, + PHP_V2_TRANSITION, RUBY_V2_TRANSITION ); @@ -123,9 +123,9 @@ public class TestUtils { // PYTHON_V3, GO_V4, // NET_V3, - // CPP_V3, - PHP_V3 - // RUBY_V3 + CPP_V3, + PHP_V3, + RUBY_V3 ); private static final Map serverMap; @@ -138,16 +138,17 @@ public class TestUtils { servers.put(NET_V2_CURRENT, new LanguageServerTarget(NET_V2_CURRENT, "8083")); servers.put(NET_V3, new LanguageServerTarget(NET_V3, "8084")); servers.put(CPP_V2_CURRENT, new LanguageServerTarget(CPP_V2_CURRENT, "8085")); + servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); + servers.put(CPP_V3, new LanguageServerTarget(CPP_V3, "8091")); // servers.put(RUBY_V2_CURRENT, new LanguageServerTarget(RUBY_V2_CURRENT, "8086")); servers.put(PHP_V2_CURRENT, new LanguageServerTarget(PHP_V2_CURRENT, "8087")); servers.put(GO_V4, new LanguageServerTarget(GO_V4, "8089")); servers.put(RUBY_V3, new LanguageServerTarget(RUBY_V3, "8092")); servers.put(PHP_V3, new LanguageServerTarget(PHP_V3, "8093")); // TODO: Create and add transition servers - // servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); + servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); // servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); - servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); servers.put(RUBY_V2_TRANSITION, new LanguageServerTarget(RUBY_V2_TRANSITION, "8098")); servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099")); servers.put(JAVA_V4, new LanguageServerTarget(JAVA_V4, "8090")); @@ -508,3 +509,4 @@ public static void Decrypt_fails( assertEquals(successfulDecrypt.size(), 0, "Decryption should have failed:" + String.join(",", successfulDecrypt)); } } + From 70a63d3b9d384180c27768b2d103eeba7e3b7218 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 31 Oct 2025 14:23:15 -0700 Subject: [PATCH 22/37] update sdk --- test-server/php-v2-transition-server/local-php-sdk | 2 +- test-server/php-v3-server/local-php-sdk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test-server/php-v2-transition-server/local-php-sdk b/test-server/php-v2-transition-server/local-php-sdk index 27de7d3e..ba2953f8 160000 --- a/test-server/php-v2-transition-server/local-php-sdk +++ b/test-server/php-v2-transition-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 27de7d3e3e78a686e01709f679f4092583597510 +Subproject commit ba2953f8d3b4161f08c03076135868603fe82c36 diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index 27de7d3e..ba2953f8 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 27de7d3e3e78a686e01709f679f4092583597510 +Subproject commit ba2953f8d3b4161f08c03076135868603fe82c36 From 2885d2e17becf69f10437841715ae6e212608e91 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Sun, 2 Nov 2025 15:02:41 -0800 Subject: [PATCH 23/37] updates --- test-server/php-v2-transition-server/Makefile | 4 ++-- test-server/php-v2-transition-server/local-php-sdk | 2 +- test-server/php-v3-server/.duvet/config.toml | 4 ++++ test-server/php-v3-server/Makefile | 4 ++-- test-server/php-v3-server/local-php-sdk | 2 +- 5 files changed, 10 insertions(+), 6 deletions(-) diff --git a/test-server/php-v2-transition-server/Makefile b/test-server/php-v2-transition-server/Makefile index 536d5cdb..2544679d 100644 --- a/test-server/php-v2-transition-server/Makefile +++ b/test-server/php-v2-transition-server/Makefile @@ -6,13 +6,13 @@ PID_FILE := server.pid PORT := 8099 start-server: - @echo "Starting PHP V2 server..." + @echo "Starting PHP V2 Transition server..." AWS_ACCESS_KEY_ID="$$AWS_ACCESS_KEY_ID" \ AWS_SECRET_ACCESS_KEY="$$AWS_SECRET_ACCESS_KEY" \ AWS_SESSION_TOKEN="$$AWS_SESSION_TOKEN" \ AWS_REGION="us-west-2" \ composer run start & echo $$! > $(PID_FILE) - @echo "PHP V2 server starting..." + @echo "PHP V2 Transition server starting..." stop-server: @if [ -f $(PID_FILE) ]; then \ diff --git a/test-server/php-v2-transition-server/local-php-sdk b/test-server/php-v2-transition-server/local-php-sdk index ba2953f8..8f3ef218 160000 --- a/test-server/php-v2-transition-server/local-php-sdk +++ b/test-server/php-v2-transition-server/local-php-sdk @@ -1 +1 @@ -Subproject commit ba2953f8d3b4161f08c03076135868603fe82c36 +Subproject commit 8f3ef2182f6f69721787a6f65bb8cf6b5dea1598 diff --git a/test-server/php-v3-server/.duvet/config.toml b/test-server/php-v3-server/.duvet/config.toml index c3ae4317..486d1037 100644 --- a/test-server/php-v3-server/.duvet/config.toml +++ b/test-server/php-v3-server/.duvet/config.toml @@ -21,6 +21,10 @@ source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" [[specification]] +source = "../specification/s3-encryption/client.md" +[[specification]] +source = "../specification/s3-encryption/decryption.md" +[[specification]] source = "../specification/s3-encryption/encryption.md" [[specification]] source = "../specification/s3-encryption/key-derivation.md" diff --git a/test-server/php-v3-server/Makefile b/test-server/php-v3-server/Makefile index 7b386f71..0ec40802 100644 --- a/test-server/php-v3-server/Makefile +++ b/test-server/php-v3-server/Makefile @@ -6,13 +6,13 @@ PID_FILE := server.pid PORT := 8093 start-server: - @echo "Starting PHP V2 server..." + @echo "Starting PHP V3 server..." AWS_ACCESS_KEY_ID="$$AWS_ACCESS_KEY_ID" \ AWS_SECRET_ACCESS_KEY="$$AWS_SECRET_ACCESS_KEY" \ AWS_SESSION_TOKEN="$$AWS_SESSION_TOKEN" \ AWS_REGION="us-west-2" \ composer run start & echo $$! > $(PID_FILE) - @echo "PHP V2 server starting..." + @echo "PHP V3 server starting..." stop-server: @if [ -f $(PID_FILE) ]; then \ diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index ba2953f8..8f3ef218 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit ba2953f8d3b4161f08c03076135868603fe82c36 +Subproject commit 8f3ef2182f6f69721787a6f65bb8cf6b5dea1598 From 4afb9bc2b72ca3dabdf612a72f1d929d0f4e30a1 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 3 Nov 2025 15:20:41 -0800 Subject: [PATCH 24/37] duvet progress --- test-server/php-v3-server/.duvet/config.toml | 4 +- .../compliance_exceptions/client.txt | 156 ++++++++++++++++++ .../content-metadata-strategy.txt | 0 .../content-metadata.txt | 0 .../compliance_exceptions/decryption.txt | 0 .../compliance_exceptions/encryption.txt | 0 .../compliance_exceptions/key-commitment.txt | 0 .../compliance_exceptions/key-derivation.txt | 0 test-server/php-v3-server/local-php-sdk | 2 +- 9 files changed, 160 insertions(+), 2 deletions(-) create mode 100644 test-server/php-v3-server/compliance_exceptions/client.txt create mode 100644 test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt create mode 100644 test-server/php-v3-server/compliance_exceptions/content-metadata.txt create mode 100644 test-server/php-v3-server/compliance_exceptions/decryption.txt create mode 100644 test-server/php-v3-server/compliance_exceptions/encryption.txt create mode 100644 test-server/php-v3-server/compliance_exceptions/key-commitment.txt create mode 100644 test-server/php-v3-server/compliance_exceptions/key-derivation.txt diff --git a/test-server/php-v3-server/.duvet/config.toml b/test-server/php-v3-server/.duvet/config.toml index 486d1037..d7627473 100644 --- a/test-server/php-v3-server/.duvet/config.toml +++ b/test-server/php-v3-server/.duvet/config.toml @@ -13,7 +13,7 @@ pattern = "local-php-sdk/tests/S3/**/*.php" pattern = "local-php-sdk/tests/Crypto/**/*.php" [[source]] -pattern = "local-php-sdk/compliance_exceptions/*.txt" +pattern = "compliance_exceptions/*.txt" # Include required specifications here [[specification]] @@ -28,6 +28,8 @@ source = "../specification/s3-encryption/decryption.md" source = "../specification/s3-encryption/encryption.md" [[specification]] source = "../specification/s3-encryption/key-derivation.md" +[[specification]] +source = "../specification/s3-encryption/key-commitment.md" [report.html] enabled = true diff --git a/test-server/php-v3-server/compliance_exceptions/client.txt b/test-server/php-v3-server/compliance_exceptions/client.txt new file mode 100644 index 00000000..ae86e6a9 --- /dev/null +++ b/test-server/php-v3-server/compliance_exceptions/client.txt @@ -0,0 +1,156 @@ +//= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-iv12-tag16-no-kdf +//= type=exception +//# The client MUST NOT provide any AAD when encrypting with ALG_AES_256_GCM_IV12_TAG16_NO_KDF. + +//= ../specification/s3-encryption/client.md#aws-sdk-compatibility +//= type=exception +//# The S3EC SHOULD support invoking operations unrelated to client-side encryption e.g. + +//= ../specification/s3-encryption/client.md#cryptographic-materials +//= type=exception +//# If both a CMM and a Keyring are provided, the S3EC MUST throw an exception. + +//= ../specification/s3-encryption/client.md#cryptographic-materials +//= type=exception +//# When a Keyring is provided, the S3EC MUST create an instance of the DefaultCMM using the provided Keyring. + +//= ../specification/s3-encryption/client.md#enable-legacy-wrapping-algorithms +//= type=exception +//# The option to enable legacy wrapping algorithms MUST be set to false by default. + +//= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes +//= type=exception +//# The S3EC MUST support the option to enable or disable legacy unauthenticated modes (content encryption algorithms). + +//= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes +//= type=exception +//# The option to enable legacy unauthenticated modes MUST be set to false by default. + +//= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes +//= type=exception +//# When enabled, the S3EC MUST be able to decrypt objects encrypted with all content encryption algorithms (both legacy and fully supported). + +//= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes +//= type=exception +//# When disabled, the S3EC MUST NOT decrypt objects encrypted using legacy content encryption algorithms; +//# it MUST throw an exception when attempting to decrypt an object encrypted with a legacy content encryption algorithm. + +//= ../specification/s3-encryption/client.md#enable-delayed-authentication +//= type=exception +//# The S3EC MUST support the option to enable or disable Delayed Authentication mode. + +//= ../specification/s3-encryption/client.md#enable-delayed-authentication +//= type=exception +//# Delayed Authentication mode MUST be set to false by default. + +//= ../specification/s3-encryption/client.md#enable-delayed-authentication +//= type=exception +//# When enabled, the S3EC MAY release plaintext from a stream which has not been authenticated. + +//= ../specification/s3-encryption/client.md#enable-delayed-authentication +//= type=exception +//# When disabled the S3EC MUST NOT release plaintext from a stream which has not been authenticated. + +//= ../specification/s3-encryption/client.md#set-buffer-size +//= type=exception +//# The S3EC SHOULD accept a configurable buffer size which refers to the maximum ciphertext length in bytes to store in memory when Delayed Authentication mode is disabled. + +//= ../specification/s3-encryption/client.md#set-buffer-size +//= type=exception +//# If Delayed Authentication mode is enabled, and the buffer size has been set to a value other than its default, the S3EC MUST throw an exception. + +//= ../specification/s3-encryption/client.md#set-buffer-size +//= type=exception +//# If Delayed Authentication mode is disabled, and no buffer size is provided, the S3EC MUST set the buffer size to a reasonable default. + +//= ../specification/s3-encryption/client.md#cryptographic-materials +//= type=exception +//# The S3EC MAY accept key material directly. + +//= ../specification/s3-encryption/client.md#inherited-sdk-configuration +//= type=exception +//# The S3EC MAY support directly configuring the wrapped SDK clients through its initialization. + +//= ../specification/s3-encryption/client.md#inherited-sdk-configuration +//= type=exception +//# For example, the S3EC MAY accept a credentials provider instance during its initialization. + +//= ../specification/s3-encryption/client.md#inherited-sdk-configuration +//= type=exception +//# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped S3 clients. + +//= ../specification/s3-encryption/client.md#inherited-sdk-configuration +//= type=exception +//# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client. + +//= ../specification/s3-encryption/client.md#randomness +//= type=exception +//# The S3EC MAY accept a source of randomness during client initialization. + +//= ../specification/s3-encryption/client.md#required-api-operations +//= type=exception +//# - DeleteObject MUST be implemented by the S3EC. + +//= ../specification/s3-encryption/client.md#required-api-operations +//= type=exception +//# - DeleteObject MUST delete the given object key. + +//= ../specification/s3-encryption/client.md#required-api-operations +//= type=exception +//# - DeleteObject MUST delete the associated instruction file using the default instruction file suffix. + +//= ../specification/s3-encryption/client.md#required-api-operations +//= type=exception +//# - DeleteObjects MUST be implemented by the S3EC. + +//= ../specification/s3-encryption/client.md#required-api-operations +//= type=exception +//# - DeleteObjects MUST delete each of the given objects. + +//= ../specification/s3-encryption/client.md#required-api-operations +//= type=exception +//# - DeleteObjects MUST delete each of the corresponding instruction files using the default instruction file suffix. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - UploadPart MAY be implemented by the S3EC. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - UploadPart MUST encrypt each part. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - Each part MUST be encrypted in sequence. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - Each part MUST be encrypted using the same cipher instance for each part. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - CompleteMultipartUpload MAY be implemented by the S3EC. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - CompleteMultipartUpload MUST complete the multipart upload. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - AbortMultipartUpload MAY be implemented by the S3EC. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - AbortMultipartUpload MUST abort the multipart upload. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - ReEncryptInstructionFile MAY be implemented by the S3EC. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - ReEncryptInstructionFile MUST decrypt the instruction file's encrypted data key for the given object using the client's CMM. + +//= ../specification/s3-encryption/client.md#optional-api-operations +//= type=exception +//# - ReEncryptInstructionFile MUST re-encrypt the plaintext data key with a provided keyring. diff --git a/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt b/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt new file mode 100644 index 00000000..e69de29b diff --git a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt new file mode 100644 index 00000000..e69de29b diff --git a/test-server/php-v3-server/compliance_exceptions/decryption.txt b/test-server/php-v3-server/compliance_exceptions/decryption.txt new file mode 100644 index 00000000..e69de29b diff --git a/test-server/php-v3-server/compliance_exceptions/encryption.txt b/test-server/php-v3-server/compliance_exceptions/encryption.txt new file mode 100644 index 00000000..e69de29b diff --git a/test-server/php-v3-server/compliance_exceptions/key-commitment.txt b/test-server/php-v3-server/compliance_exceptions/key-commitment.txt new file mode 100644 index 00000000..e69de29b diff --git a/test-server/php-v3-server/compliance_exceptions/key-derivation.txt b/test-server/php-v3-server/compliance_exceptions/key-derivation.txt new file mode 100644 index 00000000..e69de29b diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index 8f3ef218..ce4d276b 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 8f3ef2182f6f69721787a6f65bb8cf6b5dea1598 +Subproject commit ce4d276b18b392004c8b365e918d535ae2467c96 From 471fb70bf66ec96dd2e3d10d2e6cad291893a4d0 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 3 Nov 2025 16:56:25 -0800 Subject: [PATCH 25/37] duvet exceptions --- .../content-metadata.txt | 27 +++++++++++++++++++ test-server/php-v3-server/local-php-sdk | 2 +- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt index e69de29b..b80fadf8 100644 --- a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt +++ b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt @@ -0,0 +1,27 @@ +//= ../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys +//= type=exception +//# - The mapkey "x-amz-key" MUST be present for V1 format objects. + +//= ../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys +//= type=exception +//# - The mapkey "x-amz-m" SHOULD be present for V3 format objects that use Raw Keyring Material Description. + +//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only +//= type=exception +//# This material description string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + +//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only +//= type=exception +//# This encryption context string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + +//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only +//= type=exception +//# - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + +//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only +//= type=exception +//# - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +//= ../specification/s3-encryption/data-format/content-metadata.md#v1-v2-shared +//= type=exception +//# This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index ce4d276b..1092a3d9 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit ce4d276b18b392004c8b365e918d535ae2467c96 +Subproject commit 1092a3d9b2b38c131e63a52d7b7d18fe0b545af0 From a3addb6252f1b7b48dae58d226ed9c64334ecdfd Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Tue, 4 Nov 2025 14:30:07 -0800 Subject: [PATCH 26/37] more updates --- .../compliance_exceptions/content-metadata.txt | 12 ++++++++++++ test-server/php-v3-server/local-php-sdk | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt index b80fadf8..aec5eb1c 100644 --- a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt +++ b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt @@ -25,3 +25,15 @@ //= ../specification/s3-encryption/data-format/content-metadata.md#v1-v2-shared //= type=exception //# This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + +//= ../specification/s3-encryption/data-format/content-metadata.md#determining-s3ec-object-status +//= type=exception +//# - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + +//= ../specification/s3-encryption/data-format/content-metadata.md#determining-s3ec-object-status +//= type=exception +//# If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + +//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only +//= type=exception +//# The Material Description MUST be used for wrapping algorithms `AES/GCM` (`02`) and `RSA-OAEP-SHA1` (`22`). diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index 1092a3d9..95a56946 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 1092a3d9b2b38c131e63a52d7b7d18fe0b545af0 +Subproject commit 95a56946a96072cb3b1d511259f8117b2403301f From f16dd2ac0ce596a26b578356352bce2e9a295b73 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Wed, 5 Nov 2025 16:42:03 -0800 Subject: [PATCH 27/37] updates --- .../content-metadata-strategy.txt | 23 +++++++++++++++++++ .../content-metadata.txt | 4 ++++ test-server/php-v3-server/local-php-sdk | 2 +- 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt b/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt index e69de29b..04731949 100644 --- a/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt +++ b/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt @@ -0,0 +1,23 @@ +//= ../specification/s3-encryption/data-format/metadata-strategy.md#object-metadata +//= type=exception +//# The S3EC SHOULD support decoding the S3 Server's "double encoding". + +//= ../specification/s3-encryption/data-format/metadata-strategy.md#object-metadata +//= type=exception +//# If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + +//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file +//= type=exception +//# The S3EC MAY support re-encryption/key rotation via Instruction Files. + +//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file +//= type=exception +//# The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + +//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file +//= type=exception +//# The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + +//= ../specification/s3-encryption/data-format/metadata-strategy.md#v3-instruction-files +//= type=exception +//# - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. \ No newline at end of file diff --git a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt index aec5eb1c..c5fd4012 100644 --- a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt +++ b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt @@ -37,3 +37,7 @@ //= ../specification/s3-encryption/data-format/content-metadata.md#v3-only //= type=exception //# The Material Description MUST be used for wrapping algorithms `AES/GCM` (`02`) and `RSA-OAEP-SHA1` (`22`). + +//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only +//= type=exception +//# If the mapkey is not present, the default Material Description value MUST be set to an empty map (`{}`). diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index 95a56946..a5fa9e74 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 95a56946a96072cb3b1d511259f8117b2403301f +Subproject commit a5fa9e746bcd9fea5300b5604de25d567f548e81 From 229c8db291d8abcf2a9a2e7f5279465739497241 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 6 Nov 2025 12:40:03 -0800 Subject: [PATCH 28/37] more duvet --- .../compliance_exceptions/client.txt | 4 ---- .../compliance_exceptions/decryption.txt | 19 +++++++++++++++++++ .../compliance_exceptions/encryption.txt | 15 +++++++++++++++ test-server/php-v3-server/local-php-sdk | 2 +- 4 files changed, 35 insertions(+), 5 deletions(-) diff --git a/test-server/php-v3-server/compliance_exceptions/client.txt b/test-server/php-v3-server/compliance_exceptions/client.txt index ae86e6a9..87d2bf56 100644 --- a/test-server/php-v3-server/compliance_exceptions/client.txt +++ b/test-server/php-v3-server/compliance_exceptions/client.txt @@ -1,7 +1,3 @@ -//= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-iv12-tag16-no-kdf -//= type=exception -//# The client MUST NOT provide any AAD when encrypting with ALG_AES_256_GCM_IV12_TAG16_NO_KDF. - //= ../specification/s3-encryption/client.md#aws-sdk-compatibility //= type=exception //# The S3EC SHOULD support invoking operations unrelated to client-side encryption e.g. diff --git a/test-server/php-v3-server/compliance_exceptions/decryption.txt b/test-server/php-v3-server/compliance_exceptions/decryption.txt index e69de29b..dbac1f19 100644 --- a/test-server/php-v3-server/compliance_exceptions/decryption.txt +++ b/test-server/php-v3-server/compliance_exceptions/decryption.txt @@ -0,0 +1,19 @@ +//= ../specification/s3-encryption/decryption.md#ranged-gets +//= type=exception +//# The S3EC MAY support the "range" parameter on GetObject which specifies a subset of bytes to download and decrypt. + +//= ../specification/s3-encryption/decryption.md#ranged-gets +//= type=exception +//# If the S3EC supports Ranged Gets, the S3EC MUST adjust the customer-provided range to include the beginning and end of the cipher blocks for the given range. + +//= ../specification/s3-encryption/decryption.md#ranged-gets +//= type=exception +//# If the object was encrypted with ALG_AES_256_GCM_IV12_TAG16_NO_KDF, then ALG_AES_256_CTR_IV16_TAG16_NO_KDF MUST be used to decrypt the range of the object. + +//= ../specification/s3-encryption/decryption.md#ranged-gets +//= type=exception +//# If the object was encrypted with ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY, then ALG_AES_256_CTR_HKDF_SHA512_COMMIT_KEY MUST be used to decrypt the range of the object. + +//= ../specification/s3-encryption/decryption.md#ranged-gets +//= type=exception +//# If the GetObject response contains a range, but the GetObject request does not contain a range, the S3EC MUST throw an exception. diff --git a/test-server/php-v3-server/compliance_exceptions/encryption.txt b/test-server/php-v3-server/compliance_exceptions/encryption.txt index e69de29b..0c0364cf 100644 --- a/test-server/php-v3-server/compliance_exceptions/encryption.txt +++ b/test-server/php-v3-server/compliance_exceptions/encryption.txt @@ -0,0 +1,15 @@ +//= ../specification/s3-encryption/encryption.md#alg-aes-256-ctr-iv16-tag16-no-kdf +//= type=exception +//# Attempts to encrypt using AES-CTR MUST fail. + +//= ../specification/s3-encryption/encryption.md#alg-aes-256-ctr-hkdf-sha512-commit-key +//= type=exception +//# Attempts to encrypt using key committing AES-CTR MUST fail. + +//= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-iv12-tag16-no-kdf +//= type=exception +//# The client MUST NOT provide any AAD when encrypting with ALG_AES_256_GCM_IV12_TAG16_NO_KDF. + +//= ../specification/s3-encryption/encryption.md#cipher-initialization +//= type=exception +//# The client SHOULD validate that the generated IV or Message ID is not zeros. diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index a5fa9e74..b4ea831d 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit a5fa9e746bcd9fea5300b5604de25d567f548e81 +Subproject commit b4ea831d4ba1580cc064dd57025d901cf270e54b From fe45b59b4e8d31d10445119d103b593ccdd8a48c Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Thu, 6 Nov 2025 13:39:49 -0800 Subject: [PATCH 29/37] last duvet --- .../php-v3-server/compliance_exceptions/key-commitment.txt | 0 .../php-v3-server/compliance_exceptions/key-derivation.txt | 0 test-server/php-v3-server/local-php-sdk | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 test-server/php-v3-server/compliance_exceptions/key-commitment.txt delete mode 100644 test-server/php-v3-server/compliance_exceptions/key-derivation.txt diff --git a/test-server/php-v3-server/compliance_exceptions/key-commitment.txt b/test-server/php-v3-server/compliance_exceptions/key-commitment.txt deleted file mode 100644 index e69de29b..00000000 diff --git a/test-server/php-v3-server/compliance_exceptions/key-derivation.txt b/test-server/php-v3-server/compliance_exceptions/key-derivation.txt deleted file mode 100644 index e69de29b..00000000 diff --git a/test-server/php-v3-server/local-php-sdk b/test-server/php-v3-server/local-php-sdk index b4ea831d..35a52086 160000 --- a/test-server/php-v3-server/local-php-sdk +++ b/test-server/php-v3-server/local-php-sdk @@ -1 +1 @@ -Subproject commit b4ea831d4ba1580cc064dd57025d901cf270e54b +Subproject commit 35a52086c5ccf7f5e62e3c17e210923e129c823b From 39d9c8efb8d4c8dd5527a7dac300b9709efbeed4 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 7 Nov 2025 11:18:10 -0800 Subject: [PATCH 30/37] m --- .../amazon/encryption/s3/CBCDecryptTests.java | 314 ++++----- .../s3/ExhaustiveRoundTripTests1_25.java | 434 ++++++------ .../amazon/encryption/s3/GCMTests.java | 344 +++++----- .../amazon/encryption/s3/KC_GCMTests.java | 406 ++++++------ .../amazon/encryption/s3/RoundTripTests.java | 622 +++++++++--------- .../amazon/encryption/s3/TestUtils.java | 26 +- 6 files changed, 1073 insertions(+), 1073 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/CBCDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/CBCDecryptTests.java index 4de6aef4..cabc1d6d 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/CBCDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/CBCDecryptTests.java @@ -1,182 +1,182 @@ -/* -* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -* SPDX-License-Identifier: Apache-2.0 -*/ +// /* +// * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// * SPDX-License-Identifier: Apache-2.0 +// */ -package software.amazon.encryption.s3; +// package software.amazon.encryption.s3; -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.junit.jupiter.api.Assertions.fail; -import static software.amazon.encryption.s3.TestUtils.*; +// import static org.junit.jupiter.api.Assertions.assertEquals; +// import static org.junit.jupiter.api.Assertions.assertTrue; +// import static org.junit.jupiter.api.Assertions.fail; +// import static software.amazon.encryption.s3.TestUtils.*; -import java.nio.ByteBuffer; -import java.nio.charset.StandardCharsets; -import java.util.Arrays; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.stream.Stream; +// import java.nio.ByteBuffer; +// import java.nio.charset.StandardCharsets; +// import java.util.Arrays; +// import java.util.HashMap; +// import java.util.List; +// import java.util.Map; +// import java.util.stream.Stream; -import com.amazonaws.services.s3.model.KMSEncryptionMaterials; -import org.junit.jupiter.api.BeforeAll; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.Arguments; -import org.junit.jupiter.params.provider.MethodSource; -import org.junit.jupiter.api.Nested; -import software.amazon.encryption.s3.client.S3ECTestServerClient; -import software.amazon.encryption.s3.model.CommitmentPolicy; -import software.amazon.encryption.s3.model.CreateClientInput; -import software.amazon.encryption.s3.model.CreateClientOutput; -import software.amazon.encryption.s3.model.GetObjectInput; -import software.amazon.encryption.s3.model.GetObjectOutput; -import software.amazon.encryption.s3.model.KeyMaterial; -import software.amazon.encryption.s3.model.PutObjectInput; -import software.amazon.encryption.s3.model.S3ECConfig; -import software.amazon.encryption.s3.model.S3EncryptionClientError; -import software.amazon.encryption.s3.model.EncryptionAlgorithm; +// import com.amazonaws.services.s3.model.KMSEncryptionMaterials; +// import org.junit.jupiter.api.BeforeAll; +// import org.junit.jupiter.params.ParameterizedTest; +// import org.junit.jupiter.params.provider.Arguments; +// import org.junit.jupiter.params.provider.MethodSource; +// import org.junit.jupiter.api.Nested; +// import software.amazon.encryption.s3.client.S3ECTestServerClient; +// import software.amazon.encryption.s3.model.CommitmentPolicy; +// import software.amazon.encryption.s3.model.CreateClientInput; +// import software.amazon.encryption.s3.model.CreateClientOutput; +// import software.amazon.encryption.s3.model.GetObjectInput; +// import software.amazon.encryption.s3.model.GetObjectOutput; +// import software.amazon.encryption.s3.model.KeyMaterial; +// import software.amazon.encryption.s3.model.PutObjectInput; +// import software.amazon.encryption.s3.model.S3ECConfig; +// import software.amazon.encryption.s3.model.S3EncryptionClientError; +// import software.amazon.encryption.s3.model.EncryptionAlgorithm; -import com.amazonaws.services.s3.AmazonS3Encryption; -import com.amazonaws.services.s3.AmazonS3EncryptionClient; -import com.amazonaws.services.s3.model.CryptoConfiguration; -import com.amazonaws.services.s3.model.CryptoMode; -import com.amazonaws.services.s3.model.CryptoStorageMode; -import software.amazon.encryption.s3.TestUtils.*; -import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; -import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; +// import com.amazonaws.services.s3.AmazonS3Encryption; +// import com.amazonaws.services.s3.AmazonS3EncryptionClient; +// import com.amazonaws.services.s3.model.CryptoConfiguration; +// import com.amazonaws.services.s3.model.CryptoMode; +// import com.amazonaws.services.s3.model.CryptoStorageMode; +// import software.amazon.encryption.s3.TestUtils.*; +// import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; +// import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; -/** -* Exhaustive tests for S3 Encryption Client round-trip operations. -* These tests cover various combinations of client versions, commitment policies, and encryption modes. -* -* Tests are based on the exhaustive test matrix defined at: -* https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 -* -* These tests deal with decrypting CBC messages -*/ +// /** +// * Exhaustive tests for S3 Encryption Client round-trip operations. +// * These tests cover various combinations of client versions, commitment policies, and encryption modes. +// * +// * Tests are based on the exhaustive test matrix defined at: +// * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +// * +// * These tests deal with decrypting CBC messages +// */ -class CBCDecryptTests { - private static String sharedObjectKey = appendTestSuffix("test-cbc-kms-v1-"); - private static KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(TestUtils.KMS_KEY_ARN) - .build(); +// class CBCDecryptTests { +// private static String sharedObjectKey = appendTestSuffix("test-cbc-kms-v1-"); +// private static KeyMaterial kmsKeyArn = KeyMaterial.builder() +// .kmsKeyId(TestUtils.KMS_KEY_ARN) +// .build(); - @BeforeAll - static void encryptCBCObject() { - // Create the object using the old client - // V1 Client - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); +// @BeforeAll +// static void encryptCBCObject() { +// // Create the object using the old client +// // V1 Client +// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.EncryptionOnly) - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(TestUtils.KMS_REGION); +// CryptoConfiguration v1Config = +// new CryptoConfiguration(CryptoMode.EncryptionOnly) +// .withStorageMode(CryptoStorageMode.ObjectMetadata) +// .withAwsKmsRegion(TestUtils.KMS_REGION); - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); +// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() +// .withCryptoConfiguration(v1Config) +// .withEncryptionMaterials(materialsProvider) +// .build(); - v1Client.putObject(TestUtils.BUCKET, sharedObjectKey, sharedObjectKey); - } +// v1Client.putObject(TestUtils.BUCKET, sharedObjectKey, sharedObjectKey); +// } - @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt CBC") - @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") - void transition_configured_with_the_default_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { +// @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt CBC") +// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") +// void transition_configured_with_the_default_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .enableLegacyUnauthenticatedModes(true) - .enableLegacyWrappingAlgorithms(true) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .enableLegacyUnauthenticatedModes(true) +// .enableLegacyWrappingAlgorithms(true) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Decrypt(client, S3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); - } +// TestUtils.Decrypt(client, S3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); +// } - @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt CBC") - @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") - void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { +// @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt CBC") +// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") +// void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .enableLegacyUnauthenticatedModes(true) - .enableLegacyWrappingAlgorithms(true) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .enableLegacyUnauthenticatedModes(true) +// .enableLegacyWrappingAlgorithms(true) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Decrypt(client, S3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); - } +// TestUtils.Decrypt(client, S3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); +// } - @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt CBC") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .enableLegacyUnauthenticatedModes(true) - .enableLegacyWrappingAlgorithms(true) - .build()) - .build()); - String decS3ECId = decClientOutput.getClientId(); +// @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt CBC") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); +// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .enableLegacyUnauthenticatedModes(true) +// .enableLegacyWrappingAlgorithms(true) +// .build()) +// .build()); +// String decS3ECId = decClientOutput.getClientId(); - TestUtils.Decrypt(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); - } +// TestUtils.Decrypt(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); +// } - @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt CBC") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) - .enableLegacyUnauthenticatedModes(true) - .enableLegacyWrappingAlgorithms(true) - .build()) - .build()); - String decS3ECId = decClientOutput.getClientId(); +// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt CBC") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); +// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) +// .enableLegacyUnauthenticatedModes(true) +// .enableLegacyWrappingAlgorithms(true) +// .build()) +// .build()); +// String decS3ECId = decClientOutput.getClientId(); - TestUtils.Decrypt(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); - } +// TestUtils.Decrypt(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); +// } - @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should fail to decrypt CBC") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_require_encrypt_require_decrypt_should_fail_to_decrypt_cbc(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) - .enableLegacyUnauthenticatedModes(true) - .build()) - .build()); - String decS3ECId = decClientOutput.getClientId(); +// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should fail to decrypt CBC") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_require_encrypt_require_decrypt_should_fail_to_decrypt_cbc(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); +// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) +// .enableLegacyUnauthenticatedModes(true) +// .build()) +// .build()); +// String decS3ECId = decClientOutput.getClientId(); - TestUtils.Decrypt_fails(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); - } +// TestUtils.Decrypt_fails(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); +// } - @ParameterizedTest(name = "{0}: Improved configured with the default should fail to decrypt CBC") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_the_default_should_fail_to_decrypt_cbc(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .build()) - .build()); - String decS3ECId = decClientOutput.getClientId(); +// @ParameterizedTest(name = "{0}: Improved configured with the default should fail to decrypt CBC") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_the_default_should_fail_to_decrypt_cbc(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); +// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .build()) +// .build()); +// String decS3ECId = decClientOutput.getClientId(); - TestUtils.Decrypt_fails(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); - } -} +// TestUtils.Decrypt_fails(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); +// } +// } diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java index 818ae383..f2c08239 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java @@ -1,221 +1,221 @@ -/* - * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0 - */ - -package software.amazon.encryption.s3; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.junit.jupiter.api.Assertions.fail; -import static software.amazon.encryption.s3.TestUtils.*; - -import java.nio.ByteBuffer; -import java.nio.charset.StandardCharsets; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.stream.Stream; - -import com.amazonaws.services.s3.model.KMSEncryptionMaterials; -import org.junit.jupiter.api.BeforeAll; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.Arguments; -import org.junit.jupiter.params.provider.MethodSource; -import software.amazon.encryption.s3.client.S3ECTestServerClient; -import software.amazon.encryption.s3.model.CommitmentPolicy; -import software.amazon.encryption.s3.model.CreateClientInput; -import software.amazon.encryption.s3.model.CreateClientOutput; -import software.amazon.encryption.s3.model.GetObjectInput; -import software.amazon.encryption.s3.model.GetObjectOutput; -import software.amazon.encryption.s3.model.KeyMaterial; -import software.amazon.encryption.s3.model.PutObjectInput; -import software.amazon.encryption.s3.model.S3ECConfig; -import software.amazon.encryption.s3.model.S3EncryptionClientError; - -import com.amazonaws.services.s3.AmazonS3Encryption; -import com.amazonaws.services.s3.AmazonS3EncryptionClient; -import com.amazonaws.services.s3.model.CryptoConfiguration; -import com.amazonaws.services.s3.model.CryptoMode; -import com.amazonaws.services.s3.model.CryptoStorageMode; -import software.amazon.encryption.s3.TestUtils.*; -import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; -import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; - -/** - * Exhaustive tests for S3 Encryption Client round-trip operations. - * These tests cover various combinations of client versions, commitment policies, and encryption modes. - * - * Tests are based on the exhaustive test matrix defined at: - * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 - * - * Tests 1-25 are included in this file. - */ -public class ExhaustiveRoundTripTests1_25 { - - @BeforeAll - public static void setup() { - TestUtils.validateServersRunning(); - } - - // Begin Exhaustive tests defined here: - // https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +// /* +// * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// * SPDX-License-Identifier: Apache-2.0 +// */ + +// package software.amazon.encryption.s3; + +// import static org.junit.jupiter.api.Assertions.assertEquals; +// import static org.junit.jupiter.api.Assertions.assertTrue; +// import static org.junit.jupiter.api.Assertions.fail; +// import static software.amazon.encryption.s3.TestUtils.*; + +// import java.nio.ByteBuffer; +// import java.nio.charset.StandardCharsets; +// import java.util.HashMap; +// import java.util.List; +// import java.util.Map; +// import java.util.stream.Stream; + +// import com.amazonaws.services.s3.model.KMSEncryptionMaterials; +// import org.junit.jupiter.api.BeforeAll; +// import org.junit.jupiter.params.ParameterizedTest; +// import org.junit.jupiter.params.provider.Arguments; +// import org.junit.jupiter.params.provider.MethodSource; +// import software.amazon.encryption.s3.client.S3ECTestServerClient; +// import software.amazon.encryption.s3.model.CommitmentPolicy; +// import software.amazon.encryption.s3.model.CreateClientInput; +// import software.amazon.encryption.s3.model.CreateClientOutput; +// import software.amazon.encryption.s3.model.GetObjectInput; +// import software.amazon.encryption.s3.model.GetObjectOutput; +// import software.amazon.encryption.s3.model.KeyMaterial; +// import software.amazon.encryption.s3.model.PutObjectInput; +// import software.amazon.encryption.s3.model.S3ECConfig; +// import software.amazon.encryption.s3.model.S3EncryptionClientError; + +// import com.amazonaws.services.s3.AmazonS3Encryption; +// import com.amazonaws.services.s3.AmazonS3EncryptionClient; +// import com.amazonaws.services.s3.model.CryptoConfiguration; +// import com.amazonaws.services.s3.model.CryptoMode; +// import com.amazonaws.services.s3.model.CryptoStorageMode; +// import software.amazon.encryption.s3.TestUtils.*; +// import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; +// import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; + +// /** +// * Exhaustive tests for S3 Encryption Client round-trip operations. +// * These tests cover various combinations of client versions, commitment policies, and encryption modes. +// * +// * Tests are based on the exhaustive test matrix defined at: +// * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +// * +// * Tests 1-25 are included in this file. +// */ +// public class ExhaustiveRoundTripTests1_25 { + +// @BeforeAll +// public static void setup() { +// TestUtils.validateServersRunning(); +// } + +// // Begin Exhaustive tests defined here: +// // https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 - // Exhaustive test 2 - // Outcome Version Operation Policy Content Encryption - // Pass Improved Decrypt ForbidEncryptAllowDecrypt CBC - - @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - public void GIVEN_CBCEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( - TestUtils.LanguageServerTarget language - ) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - final String objectKey = "test-key-kms-v1-" + language; - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(TestUtils.KMS_KEY_ARN) - .build(); - - // Create the object using the old client - // V1 Client - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(TestUtils.KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(TestUtils.BUCKET, objectKey, input); - - S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .enableLegacyWrappingAlgorithms(true) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); - - // When: decrypt KC object with a current version client - GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(TestUtils.BUCKET) - .key(objectKey) - .build()); - - // Then: Pass - } - - // Exhaustive test 3 - // Outcome Version Operation Policy Content Encryption - // Pass Improved Decrypt ForbidEncryptAllowDecrypt GCM - - @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1-GCM, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( - TestUtils.LanguageServerTarget language - ) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - final String objectKey = "test-key-kms-v1-gcm-" + language; - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(TestUtils.KMS_KEY_ARN) - .build(); - CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .enableLegacyWrappingAlgorithms(true) - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String s3ECId = output1.getClientId(); - - // Create the object using the old client with GCM encryption - // V1 Client with GCM - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption) // StrictAuthenticatedEncryption uses GCM - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(TestUtils.KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(TestUtils.BUCKET, objectKey, input); - - // When: decrypt GCM object with an improved version client - GetObjectOutput output = client.getObject(GetObjectInput.builder() - .clientID(s3ECId) - .bucket(TestUtils.BUCKET) - .key(objectKey) - .build()); - - // Then: Pass - assertEquals(input, new String(output.getBody().array())); - } - - // Exhaustive test 4 - // Outcome Version Operation Policy Content Encryption - // Pass Improved Decrypt ForbidEncryptAllowDecrypt KC-GCM - - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#encryptImprovedDecryptImproved") - public void GIVEN_KCGCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( - LanguageServerTarget encLang, LanguageServerTarget decLang - ) { - - S3ECTestServerClient encClient = TestUtils.testServerClientFor(encLang); - final String objectKey = "encrypt-kc-gcm-decrypt-improved-test-key-" + encLang; - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(TestUtils.KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) - .build()) - .build()); - String encS3ECId = encClientOutput.getClientId(); +// // Exhaustive test 2 +// // Outcome Version Operation Policy Content Encryption +// // Pass Improved Decrypt ForbidEncryptAllowDecrypt CBC + +// @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1, Decrypt: {0}") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// public void GIVEN_CBCEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( +// TestUtils.LanguageServerTarget language +// ) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// final String objectKey = "test-key-kms-v1-" + language; +// final String input = "simple-test-input"; +// KeyMaterial kmsKeyArn = KeyMaterial.builder() +// .kmsKeyId(TestUtils.KMS_KEY_ARN) +// .build(); + +// // Create the object using the old client +// // V1 Client +// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + +// CryptoConfiguration v1Config = +// new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) +// .withStorageMode(CryptoStorageMode.ObjectMetadata) +// .withAwsKmsRegion(TestUtils.KMS_REGION); + +// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() +// .withCryptoConfiguration(v1Config) +// .withEncryptionMaterials(materialsProvider) +// .build(); + +// v1Client.putObject(TestUtils.BUCKET, objectKey, input); + +// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); +// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .enableLegacyWrappingAlgorithms(true) +// .build() +// ) +// .build()); +// String decS3ECId = decClientOutput.getClientId(); + +// // When: decrypt KC object with a current version client +// GetObjectOutput output = decClient.getObject(GetObjectInput.builder() +// .clientID(decS3ECId) +// .bucket(TestUtils.BUCKET) +// .key(objectKey) +// .build()); + +// // Then: Pass +// } + +// // Exhaustive test 3 +// // Outcome Version Operation Policy Content Encryption +// // Pass Improved Decrypt ForbidEncryptAllowDecrypt GCM + +// @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1-GCM, Decrypt: {0}") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( +// TestUtils.LanguageServerTarget language +// ) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// final String objectKey = "test-key-kms-v1-gcm-" + language; +// final String input = "simple-test-input"; +// KeyMaterial kmsKeyArn = KeyMaterial.builder() +// .kmsKeyId(TestUtils.KMS_KEY_ARN) +// .build(); +// CreateClientOutput output1 = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .enableLegacyWrappingAlgorithms(true) +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String s3ECId = output1.getClientId(); + +// // Create the object using the old client with GCM encryption +// // V1 Client with GCM +// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + +// CryptoConfiguration v1Config = +// new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption) // StrictAuthenticatedEncryption uses GCM +// .withStorageMode(CryptoStorageMode.ObjectMetadata) +// .withAwsKmsRegion(TestUtils.KMS_REGION); + +// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() +// .withCryptoConfiguration(v1Config) +// .withEncryptionMaterials(materialsProvider) +// .build(); + +// v1Client.putObject(TestUtils.BUCKET, objectKey, input); + +// // When: decrypt GCM object with an improved version client +// GetObjectOutput output = client.getObject(GetObjectInput.builder() +// .clientID(s3ECId) +// .bucket(TestUtils.BUCKET) +// .key(objectKey) +// .build()); + +// // Then: Pass +// assertEquals(input, new String(output.getBody().array())); +// } + +// // Exhaustive test 4 +// // Outcome Version Operation Policy Content Encryption +// // Pass Improved Decrypt ForbidEncryptAllowDecrypt KC-GCM + +// @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") +// @MethodSource("software.amazon.encryption.s3.TestUtils#encryptImprovedDecryptImproved") +// public void GIVEN_KCGCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( +// LanguageServerTarget encLang, LanguageServerTarget decLang +// ) { + +// S3ECTestServerClient encClient = TestUtils.testServerClientFor(encLang); +// final String objectKey = "encrypt-kc-gcm-decrypt-improved-test-key-" + encLang; +// final String input = "simple-test-input"; +// KeyMaterial kmsKeyArn = KeyMaterial.builder() +// .kmsKeyId(TestUtils.KMS_KEY_ARN) +// .build(); +// CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) +// .build()) +// .build()); +// String encS3ECId = encClientOutput.getClientId(); - // Given: object encrypted with key commitment - encClient.putObject(PutObjectInput.builder() - .clientID(encS3ECId) - .key(objectKey) - .bucket(TestUtils.BUCKET) - .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - .build()); +// // Given: object encrypted with key commitment +// encClient.putObject(PutObjectInput.builder() +// .clientID(encS3ECId) +// .key(objectKey) +// .bucket(TestUtils.BUCKET) +// .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) +// .build()); - S3ECTestServerClient decClient = TestUtils.testServerClientFor(decLang); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String decS3ECId = decClientOutput.getClientId(); - - // When: decrypt KC-GCM object with an improved version client with ForbidEncryptAllowDecrypt policy - GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(TestUtils.BUCKET) - .key(objectKey) - .build()); - - // Then: Pass - assertEquals(input, StandardCharsets.UTF_8.decode(output.getBody()).toString()); - } - -} +// S3ECTestServerClient decClient = TestUtils.testServerClientFor(decLang); +// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String decS3ECId = decClientOutput.getClientId(); + +// // When: decrypt KC-GCM object with an improved version client with ForbidEncryptAllowDecrypt policy +// GetObjectOutput output = decClient.getObject(GetObjectInput.builder() +// .clientID(decS3ECId) +// .bucket(TestUtils.BUCKET) +// .key(objectKey) +// .build()); + +// // Then: Pass +// assertEquals(input, StandardCharsets.UTF_8.decode(output.getBody()).toString()); +// } + +// } diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/GCMTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/GCMTests.java index deb1571d..a571edfe 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/GCMTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/GCMTests.java @@ -1,201 +1,201 @@ -/* -* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -* SPDX-License-Identifier: Apache-2.0 -*/ +// /* +// * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// * SPDX-License-Identifier: Apache-2.0 +// */ -package software.amazon.encryption.s3; +// package software.amazon.encryption.s3; -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.junit.jupiter.api.Assertions.fail; -import static software.amazon.encryption.s3.TestUtils.*; +// import static org.junit.jupiter.api.Assertions.assertEquals; +// import static org.junit.jupiter.api.Assertions.assertTrue; +// import static org.junit.jupiter.api.Assertions.fail; +// import static software.amazon.encryption.s3.TestUtils.*; -import java.lang.annotation.ElementType; -import java.nio.ByteBuffer; -import java.nio.charset.StandardCharsets; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.stream.Stream; +// import java.lang.annotation.ElementType; +// import java.nio.ByteBuffer; +// import java.nio.charset.StandardCharsets; +// import java.util.ArrayList; +// import java.util.HashMap; +// import java.util.List; +// import java.util.Map; +// import java.util.stream.Stream; -import com.amazonaws.services.s3.model.KMSEncryptionMaterials; -import org.junit.jupiter.api.BeforeAll; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.Arguments; -import org.junit.jupiter.params.provider.MethodSource; -import org.junit.jupiter.api.TestMethodOrder; -import org.junit.jupiter.api.MethodOrderer; -import org.junit.jupiter.api.Order; -import software.amazon.encryption.s3.client.S3ECTestServerClient; -import software.amazon.encryption.s3.model.CommitmentPolicy; -import software.amazon.encryption.s3.model.CreateClientInput; -import software.amazon.encryption.s3.model.CreateClientOutput; -import software.amazon.encryption.s3.model.EncryptionAlgorithm; -import software.amazon.encryption.s3.model.GetObjectInput; -import software.amazon.encryption.s3.model.GetObjectOutput; -import software.amazon.encryption.s3.model.KeyMaterial; -import software.amazon.encryption.s3.model.PutObjectInput; -import software.amazon.encryption.s3.model.S3ECConfig; -import software.amazon.encryption.s3.model.S3EncryptionClientError; +// import com.amazonaws.services.s3.model.KMSEncryptionMaterials; +// import org.junit.jupiter.api.BeforeAll; +// import org.junit.jupiter.params.ParameterizedTest; +// import org.junit.jupiter.params.provider.Arguments; +// import org.junit.jupiter.params.provider.MethodSource; +// import org.junit.jupiter.api.TestMethodOrder; +// import org.junit.jupiter.api.MethodOrderer; +// import org.junit.jupiter.api.Order; +// import software.amazon.encryption.s3.client.S3ECTestServerClient; +// import software.amazon.encryption.s3.model.CommitmentPolicy; +// import software.amazon.encryption.s3.model.CreateClientInput; +// import software.amazon.encryption.s3.model.CreateClientOutput; +// import software.amazon.encryption.s3.model.EncryptionAlgorithm; +// import software.amazon.encryption.s3.model.GetObjectInput; +// import software.amazon.encryption.s3.model.GetObjectOutput; +// import software.amazon.encryption.s3.model.KeyMaterial; +// import software.amazon.encryption.s3.model.PutObjectInput; +// import software.amazon.encryption.s3.model.S3ECConfig; +// import software.amazon.encryption.s3.model.S3EncryptionClientError; -import com.amazonaws.services.s3.AmazonS3Encryption; -import com.amazonaws.services.s3.AmazonS3EncryptionClient; -import com.amazonaws.services.s3.model.CryptoConfiguration; -import com.amazonaws.services.s3.model.CryptoMode; -import com.amazonaws.services.s3.model.CryptoStorageMode; -import software.amazon.encryption.s3.TestUtils.*; -import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; -import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; +// import com.amazonaws.services.s3.AmazonS3Encryption; +// import com.amazonaws.services.s3.AmazonS3EncryptionClient; +// import com.amazonaws.services.s3.model.CryptoConfiguration; +// import com.amazonaws.services.s3.model.CryptoMode; +// import com.amazonaws.services.s3.model.CryptoStorageMode; +// import software.amazon.encryption.s3.TestUtils.*; +// import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; +// import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; -/** -* Exhaustive tests for S3 Encryption Client round-trip operations. -* These tests cover various combinations of client versions, commitment policies, and encryption modes. -* -* Tests are based on the exhaustive test matrix defined at: -* https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 -* -*/ +// /** +// * Exhaustive tests for S3 Encryption Client round-trip operations. +// * These tests cover various combinations of client versions, commitment policies, and encryption modes. +// * +// * Tests are based on the exhaustive test matrix defined at: +// * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +// * +// */ -@TestMethodOrder(MethodOrderer.OrderAnnotation.class) -class GCMTests { - private static String sharedObjectKeyBase = "test-gcm-kms"; - private static KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(TestUtils.KMS_KEY_ARN) - .build(); - private static List crossLanguageObjects = new ArrayList<>(); +// @TestMethodOrder(MethodOrderer.OrderAnnotation.class) +// class GCMTests { +// private static String sharedObjectKeyBase = "test-gcm-kms"; +// private static KeyMaterial kmsKeyArn = KeyMaterial.builder() +// .kmsKeyId(TestUtils.KMS_KEY_ARN) +// .build(); +// private static List crossLanguageObjects = new ArrayList<>(); - @Order(1) - @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should encrypt GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_forbid_encrypt_allow_decrypt_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// @Order(1) +// @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should encrypt GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_forbid_encrypt_allow_decrypt_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); - } +// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); +// } - @Order(2) - @ParameterizedTest(name = "{0}: Transition configured with the default should encrypt GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") - void transition_configured_with_the_default_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// @Order(2) +// @ParameterizedTest(name = "{0}: Transition configured with the default should encrypt GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") +// void transition_configured_with_the_default_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); - } +// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); +// } - @Order(3) - @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should encrypt GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") - void transition_configured_with_forbid_encrypt_allow_decrypt_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// @Order(3) +// @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should encrypt GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") +// void transition_configured_with_forbid_encrypt_allow_decrypt_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); - } +// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); +// } - @Order(10) - @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { +// @Order(10) +// @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); - } +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); +// } - @Order(11) - @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") - void transition_configured_with_the_default_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { +// @Order(11) +// @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") +// void transition_configured_with_the_default_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); - } +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); +// } - @Order(12) - @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") - void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { +// @Order(12) +// @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") +// void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); - } +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); +// } - @Order(13) - @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { +// @Order(13) +// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); - } +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); +// } - @Order(14) - @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should fail to decrypt GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_require_encrypt_require_decrypt_should_fail_to_decrypt_gcm(TestUtils.LanguageServerTarget language) { +// @Order(14) +// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should fail to decrypt GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_require_encrypt_require_decrypt_should_fail_to_decrypt_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); - TestUtils.Decrypt_fails(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); - } +// TestUtils.Decrypt_fails(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); +// } -} +// } diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/KC_GCMTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/KC_GCMTests.java index 9e77e20e..30007d54 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/KC_GCMTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/KC_GCMTests.java @@ -1,218 +1,218 @@ -/* -* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -* SPDX-License-Identifier: Apache-2.0 -*/ +// /* +// * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// * SPDX-License-Identifier: Apache-2.0 +// */ -package software.amazon.encryption.s3; +// package software.amazon.encryption.s3; -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.junit.jupiter.api.Assertions.fail; -import static software.amazon.encryption.s3.TestUtils.*; +// import static org.junit.jupiter.api.Assertions.assertEquals; +// import static org.junit.jupiter.api.Assertions.assertTrue; +// import static org.junit.jupiter.api.Assertions.fail; +// import static software.amazon.encryption.s3.TestUtils.*; -import java.lang.annotation.ElementType; -import java.nio.ByteBuffer; -import java.nio.charset.StandardCharsets; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.stream.Stream; +// import java.lang.annotation.ElementType; +// import java.nio.ByteBuffer; +// import java.nio.charset.StandardCharsets; +// import java.util.ArrayList; +// import java.util.HashMap; +// import java.util.List; +// import java.util.Map; +// import java.util.stream.Stream; -import com.amazonaws.services.s3.model.KMSEncryptionMaterials; -import org.junit.jupiter.api.BeforeAll; -import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.Arguments; -import org.junit.jupiter.params.provider.MethodSource; -import org.junit.jupiter.api.TestMethodOrder; -import org.junit.jupiter.api.MethodOrderer; -import org.junit.jupiter.api.Order; -import software.amazon.encryption.s3.client.S3ECTestServerClient; -import software.amazon.encryption.s3.model.CommitmentPolicy; -import software.amazon.encryption.s3.model.CreateClientInput; -import software.amazon.encryption.s3.model.CreateClientOutput; -import software.amazon.encryption.s3.model.EncryptionAlgorithm; -import software.amazon.encryption.s3.model.GetObjectInput; -import software.amazon.encryption.s3.model.GetObjectOutput; -import software.amazon.encryption.s3.model.KeyMaterial; -import software.amazon.encryption.s3.model.PutObjectInput; -import software.amazon.encryption.s3.model.S3ECConfig; -import software.amazon.encryption.s3.model.S3EncryptionClientError; +// import com.amazonaws.services.s3.model.KMSEncryptionMaterials; +// import org.junit.jupiter.api.BeforeAll; +// import org.junit.jupiter.params.ParameterizedTest; +// import org.junit.jupiter.params.provider.Arguments; +// import org.junit.jupiter.params.provider.MethodSource; +// import org.junit.jupiter.api.TestMethodOrder; +// import org.junit.jupiter.api.MethodOrderer; +// import org.junit.jupiter.api.Order; +// import software.amazon.encryption.s3.client.S3ECTestServerClient; +// import software.amazon.encryption.s3.model.CommitmentPolicy; +// import software.amazon.encryption.s3.model.CreateClientInput; +// import software.amazon.encryption.s3.model.CreateClientOutput; +// import software.amazon.encryption.s3.model.EncryptionAlgorithm; +// import software.amazon.encryption.s3.model.GetObjectInput; +// import software.amazon.encryption.s3.model.GetObjectOutput; +// import software.amazon.encryption.s3.model.KeyMaterial; +// import software.amazon.encryption.s3.model.PutObjectInput; +// import software.amazon.encryption.s3.model.S3ECConfig; +// import software.amazon.encryption.s3.model.S3EncryptionClientError; -import com.amazonaws.services.s3.AmazonS3Encryption; -import com.amazonaws.services.s3.AmazonS3EncryptionClient; -import com.amazonaws.services.s3.model.CryptoConfiguration; -import com.amazonaws.services.s3.model.CryptoMode; -import com.amazonaws.services.s3.model.CryptoStorageMode; -import software.amazon.encryption.s3.TestUtils.*; -import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; -import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; +// import com.amazonaws.services.s3.AmazonS3Encryption; +// import com.amazonaws.services.s3.AmazonS3EncryptionClient; +// import com.amazonaws.services.s3.model.CryptoConfiguration; +// import com.amazonaws.services.s3.model.CryptoMode; +// import com.amazonaws.services.s3.model.CryptoStorageMode; +// import software.amazon.encryption.s3.TestUtils.*; +// import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; +// import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; -/** -* Exhaustive tests for S3 Encryption Client round-trip operations. -* These tests cover various combinations of client versions, commitment policies, and encryption modes. -* -* Tests are based on the exhaustive test matrix defined at: -* https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 -* -*/ +// /** +// * Exhaustive tests for S3 Encryption Client round-trip operations. +// * These tests cover various combinations of client versions, commitment policies, and encryption modes. +// * +// * Tests are based on the exhaustive test matrix defined at: +// * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +// * +// */ -@TestMethodOrder(MethodOrderer.OrderAnnotation.class) -class KC_GCMTests { - private static String sharedObjectKeyBase = "test-kc-gcm-kms"; - private static KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(TestUtils.KMS_KEY_ARN) - .build(); - private static List crossLanguageObjects = new ArrayList<>(); +// @TestMethodOrder(MethodOrderer.OrderAnnotation.class) +// class KC_GCMTests { +// private static String sharedObjectKeyBase = "test-kc-gcm-kms"; +// private static KeyMaterial kmsKeyArn = KeyMaterial.builder() +// .kmsKeyId(TestUtils.KMS_KEY_ARN) +// .build(); +// private static List crossLanguageObjects = new ArrayList<>(); - @Order(1) - @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should encrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_require_encrypt_allow_decrypt_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } +// @Order(1) +// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should encrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_require_encrypt_allow_decrypt_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } - @Order(2) - @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should encrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_require_encrypt_require_decrypt_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } +// @Order(2) +// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should encrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_require_encrypt_require_decrypt_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } - @Order(2) - @ParameterizedTest(name = "{0}: Improved configured with the default should encrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_the_default_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } - - @Order(10) - @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") - void transition_configured_with_the_default_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } +// @Order(2) +// @ParameterizedTest(name = "{0}: Improved configured with the default should encrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_the_default_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// // .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } + +// @Order(10) +// @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") +// void transition_configured_with_the_default_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } - @Order(11) - @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") - void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } +// @Order(11) +// @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") +// void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } - @Order(12) - @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } +// @Order(12) +// @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } - @Order(13) - @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } +// @Order(13) +// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } - @Order(14) - @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should decrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_require_encrypt_require_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } +// @Order(14) +// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should decrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_require_encrypt_require_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } - @Order(15) - @ParameterizedTest(name = "{0}: Improved configured with the default should decrypt KC-GCM") - @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") - void improved_configured_with_the_default_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - - S3ECTestServerClient client = TestUtils.testServerClientFor(language); - CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) - .build()) - .build()); - String S3ECId = clientOutput.getClientId(); - - TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); - } - -} +// @Order(15) +// @ParameterizedTest(name = "{0}: Improved configured with the default should decrypt KC-GCM") +// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") +// void improved_configured_with_the_default_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + +// S3ECTestServerClient client = TestUtils.testServerClientFor(language); +// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() +// .config(S3ECConfig.builder() +// .keyMaterial(kmsKeyArn) +// // .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) +// .build()) +// .build()); +// String S3ECId = clientOutput.getClientId(); + +// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); +// } + +// } diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java index 5d4f7ad9..bedf7c2e 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java @@ -56,316 +56,316 @@ public static void setup() { validateServersRunning(); } - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - public void crossLanguageTestKms(LanguageServerTarget encLang, LanguageServerTarget decLang) { - S3ECTestServerClient encClient = testServerClientFor(encLang); - final String objectKey = appendTestSuffix("cross-lang-test-key-" + encLang); - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig - .builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String encS3ECId = encClientOutput.getClientId(); - encClient.putObject(PutObjectInput.builder() - .clientID(encS3ECId) - .key(objectKey) - .bucket(BUCKET) - .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - .build()); - S3ECTestServerClient decClient = testServerClientFor(decLang); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); - GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(BUCKET) - .key(objectKey) - .build()); - - if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { - fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); - } - } - - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - public void crossLanguageTestKmsWithEncCtx(LanguageServerTarget encLang, LanguageServerTarget decLang) { - if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { - return; - } - S3ECTestServerClient encClient = testServerClientFor(encLang); - final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-" + encLang); - final String input = "simple-test-input"; - final Map encCtx = new HashMap<>(); - encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - final List mdAsList = metadataMapToList(encCtx); - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String encS3ECId = encClientOutput.getClientId(); - - encClient.putObject(PutObjectInput.builder() - .clientID(encS3ECId) - .key(objectKey) - .bucket(BUCKET) - .metadata(mdAsList) - .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - .build()); - S3ECTestServerClient decClient = testServerClientFor(decLang); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); - GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(BUCKET) - .key(objectKey) - .metadata(mdAsList) - .build()); - - if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { - fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); - } - } - - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { - if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { - return; - } - if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { - return; - } - S3ECTestServerClient encClient = testServerClientFor(encLang); - final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-subset-fails" + encLang); - final String input = "simple-test-input"; - final Map encCtx = new HashMap<>(); - encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - final List mdAsList = metadataMapToList(encCtx); - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String encS3ECId = encClientOutput.getClientId(); - - encClient.putObject(PutObjectInput.builder() - .clientID(encS3ECId) - .key(objectKey) - .bucket(BUCKET) - .metadata(mdAsList) - .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - .build()); - S3ECTestServerClient decClient = testServerClientFor(decLang); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); - try { - decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(BUCKET) - .key(objectKey) - .build()); - fail("Expected exception!"); - } catch (S3EncryptionClientError e) { - if (decLang.getLanguageName().equals(RUBY_V3) || decLang.getLanguageName().equals(RUBY_V2_CURRENT) || decLang.getLanguageName().equals(RUBY_V2_TRANSITION)) { - assertTrue(e.getMessage().contains("Value of encryption context from envelope does not match the provided encryption context")); - } else { - assertTrue(e.getMessage().contains("Provided encryption context does not match information retrieved from S3")); - } - } - } - - @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { - if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { - return; - } - S3ECTestServerClient encClient = testServerClientFor(encLang); - final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-incorrect-fails" + encLang); - final String input = "simple-test-input"; - final Map encCtx = new HashMap<>(); - encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - final List mdAsList = metadataMapToList(encCtx); - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String encS3ECId = encClientOutput.getClientId(); - - encClient.putObject(PutObjectInput.builder() - .clientID(encS3ECId) - .key(objectKey) - .bucket(BUCKET) - .metadata(mdAsList) - .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - .build()); - S3ECTestServerClient decClient = testServerClientFor(decLang); - CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build() - ) - .build()); - String decS3ECId = decClientOutput.getClientId(); - - final Map incorrectEncCtx = new HashMap<>(); - incorrectEncCtx.put("this-is-wrong-ec-key", "bad-value"); - var incorrectMdAsList = metadataMapToList(incorrectEncCtx); - try { - decClient.getObject(GetObjectInput.builder() - .clientID(decS3ECId) - .bucket(BUCKET) - .key(objectKey) - .metadata(incorrectMdAsList) - .build()); - fail("Expected exception!"); - } catch (S3EncryptionClientError e) { - if (decLang.getLanguageName().equals(RUBY_V3) || decLang.getLanguageName().equals(RUBY_V2_CURRENT) || decLang.getLanguageName().equals(RUBY_V2_TRANSITION)) { - assertTrue(e.getMessage().contains("Value of encryption context from envelope does not match the provided encryption context")); - } else { - assertTrue(e.getMessage().contains("Provided encryption context does not match information retrieved from S3")); - } - } - } - - @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - public void kmsV1Legacy(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = testServerClientFor(language); - final String objectKey = appendTestSuffix("test-key-kms-v1-" + language); - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .enableLegacyWrappingAlgorithms(true) - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String s3ECId = output1.getClientId(); - - // Create the object using the old client - // V1 Client - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(BUCKET, objectKey, input); - - GetObjectOutput output = client.getObject(GetObjectInput.builder() - .clientID(s3ECId) - .bucket(BUCKET) - .key(objectKey) - .build()); - - assertEquals(input, new String(output.getBody().array())); - } - - @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - public void kmsV1LegacyWithEncCtx(TestUtils.LanguageServerTarget language) { - S3ECTestServerClient client = testServerClientFor(language); - final String objectKey = appendTestSuffix("test-key-kms-v1-with-enc-ctx-" + language); - final String input = "simple-test-input"; - KeyMaterial kmsKeyArn = KeyMaterial.builder() - .kmsKeyId(KMS_KEY_ARN) - .build(); - CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - .config(S3ECConfig.builder() - .enableLegacyWrappingAlgorithms(true) - .keyMaterial(kmsKeyArn) - .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - .build()) - .build()); - String s3ECId = output1.getClientId(); - - // Create the object using the old client - // V1 Client - final String ecKey = "user-metadata-key"; - final String ecValue = "user-metadata-value-v1"; - KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ARN); - kmsMaterials.addDescription(ecKey, ecValue); - EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials); - - CryptoConfiguration v1Config = - new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - .withStorageMode(CryptoStorageMode.ObjectMetadata) - .withAwsKmsRegion(KMS_REGION); - - AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - .withCryptoConfiguration(v1Config) - .withEncryptionMaterials(materialsProvider) - .build(); - - v1Client.putObject(BUCKET, objectKey, input); - - final Map encCtx = new HashMap<>(); - encCtx.put(ecKey, ecValue); - GetObjectOutput output = client.getObject(GetObjectInput.builder() - .clientID(s3ECId) - .bucket(BUCKET) - .key(objectKey) - .metadata(metadataMapToList(encCtx)) - .build()); - - assertEquals(input, new String(output.getBody().array())); - } + // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + // public void crossLanguageTestKms(LanguageServerTarget encLang, LanguageServerTarget decLang) { + // S3ECTestServerClient encClient = testServerClientFor(encLang); + // final String objectKey = appendTestSuffix("cross-lang-test-key-" + encLang); + // final String input = "simple-test-input"; + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig + // .builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String encS3ECId = encClientOutput.getClientId(); + // encClient.putObject(PutObjectInput.builder() + // .clientID(encS3ECId) + // .key(objectKey) + // .bucket(BUCKET) + // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + // .build()); + // S3ECTestServerClient decClient = testServerClientFor(decLang); + // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String decS3ECId = decClientOutput.getClientId(); + // GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + // .clientID(decS3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .build()); + + // if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { + // fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); + // } + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + // public void crossLanguageTestKmsWithEncCtx(LanguageServerTarget encLang, LanguageServerTarget decLang) { + // if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { + // return; + // } + // S3ECTestServerClient encClient = testServerClientFor(encLang); + // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-" + encLang); + // final String input = "simple-test-input"; + // final Map encCtx = new HashMap<>(); + // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + // final List mdAsList = metadataMapToList(encCtx); + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String encS3ECId = encClientOutput.getClientId(); + + // encClient.putObject(PutObjectInput.builder() + // .clientID(encS3ECId) + // .key(objectKey) + // .bucket(BUCKET) + // .metadata(mdAsList) + // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + // .build()); + // S3ECTestServerClient decClient = testServerClientFor(decLang); + // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String decS3ECId = decClientOutput.getClientId(); + // GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + // .clientID(decS3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .metadata(mdAsList) + // .build()); + + // if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { + // fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); + // } + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + // public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { + // if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { + // return; + // } + // if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { + // return; + // } + // S3ECTestServerClient encClient = testServerClientFor(encLang); + // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-subset-fails" + encLang); + // final String input = "simple-test-input"; + // final Map encCtx = new HashMap<>(); + // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + // final List mdAsList = metadataMapToList(encCtx); + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build()) + // .build()); + // String encS3ECId = encClientOutput.getClientId(); + + // encClient.putObject(PutObjectInput.builder() + // .clientID(encS3ECId) + // .key(objectKey) + // .bucket(BUCKET) + // .metadata(mdAsList) + // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + // .build()); + // S3ECTestServerClient decClient = testServerClientFor(decLang); + // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String decS3ECId = decClientOutput.getClientId(); + // try { + // decClient.getObject(GetObjectInput.builder() + // .clientID(decS3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .build()); + // fail("Expected exception!"); + // } catch (S3EncryptionClientError e) { + // if (decLang.getLanguageName().equals(RUBY_V3) || decLang.getLanguageName().equals(RUBY_V2_CURRENT) || decLang.getLanguageName().equals(RUBY_V2_TRANSITION)) { + // assertTrue(e.getMessage().contains("Value of encryption context from envelope does not match the provided encryption context")); + // } else { + // assertTrue(e.getMessage().contains("Provided encryption context does not match information retrieved from S3")); + // } + // } + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + // public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { + // if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { + // return; + // } + // S3ECTestServerClient encClient = testServerClientFor(encLang); + // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-incorrect-fails" + encLang); + // final String input = "simple-test-input"; + // final Map encCtx = new HashMap<>(); + // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + // final List mdAsList = metadataMapToList(encCtx); + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String encS3ECId = encClientOutput.getClientId(); + + // encClient.putObject(PutObjectInput.builder() + // .clientID(encS3ECId) + // .key(objectKey) + // .bucket(BUCKET) + // .metadata(mdAsList) + // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + // .build()); + // S3ECTestServerClient decClient = testServerClientFor(decLang); + // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build() + // ) + // .build()); + // String decS3ECId = decClientOutput.getClientId(); + + // final Map incorrectEncCtx = new HashMap<>(); + // incorrectEncCtx.put("this-is-wrong-ec-key", "bad-value"); + // var incorrectMdAsList = metadataMapToList(incorrectEncCtx); + // try { + // decClient.getObject(GetObjectInput.builder() + // .clientID(decS3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .metadata(incorrectMdAsList) + // .build()); + // fail("Expected exception!"); + // } catch (S3EncryptionClientError e) { + // if (decLang.getLanguageName().equals(RUBY_V3) || decLang.getLanguageName().equals(RUBY_V2_CURRENT) || decLang.getLanguageName().equals(RUBY_V2_TRANSITION)) { + // assertTrue(e.getMessage().contains("Value of encryption context from envelope does not match the provided encryption context")); + // } else { + // assertTrue(e.getMessage().contains("Provided encryption context does not match information retrieved from S3")); + // } + // } + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + // public void kmsV1Legacy(TestUtils.LanguageServerTarget language) { + // S3ECTestServerClient client = testServerClientFor(language); + // final String objectKey = appendTestSuffix("test-key-kms-v1-" + language); + // final String input = "simple-test-input"; + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .enableLegacyWrappingAlgorithms(true) + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build()) + // .build()); + // String s3ECId = output1.getClientId(); + + // // Create the object using the old client + // // V1 Client + // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); + + // CryptoConfiguration v1Config = + // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + // .withStorageMode(CryptoStorageMode.ObjectMetadata) + // .withAwsKmsRegion(KMS_REGION); + + // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + // .withCryptoConfiguration(v1Config) + // .withEncryptionMaterials(materialsProvider) + // .build(); + + // v1Client.putObject(BUCKET, objectKey, input); + + // GetObjectOutput output = client.getObject(GetObjectInput.builder() + // .clientID(s3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .build()); + + // assertEquals(input, new String(output.getBody().array())); + // } + + // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + // public void kmsV1LegacyWithEncCtx(TestUtils.LanguageServerTarget language) { + // S3ECTestServerClient client = testServerClientFor(language); + // final String objectKey = appendTestSuffix("test-key-kms-v1-with-enc-ctx-" + language); + // final String input = "simple-test-input"; + // KeyMaterial kmsKeyArn = KeyMaterial.builder() + // .kmsKeyId(KMS_KEY_ARN) + // .build(); + // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + // .config(S3ECConfig.builder() + // .enableLegacyWrappingAlgorithms(true) + // .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + // .build()) + // .build()); + // String s3ECId = output1.getClientId(); + + // // Create the object using the old client + // // V1 Client + // final String ecKey = "user-metadata-key"; + // final String ecValue = "user-metadata-value-v1"; + // KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ARN); + // kmsMaterials.addDescription(ecKey, ecValue); + // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials); + + // CryptoConfiguration v1Config = + // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + // .withStorageMode(CryptoStorageMode.ObjectMetadata) + // .withAwsKmsRegion(KMS_REGION); + + // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + // .withCryptoConfiguration(v1Config) + // .withEncryptionMaterials(materialsProvider) + // .build(); + + // v1Client.putObject(BUCKET, objectKey, input); + + // final Map encCtx = new HashMap<>(); + // encCtx.put(ecKey, ecValue); + // GetObjectOutput output = client.getObject(GetObjectInput.builder() + // .clientID(s3ECId) + // .bucket(BUCKET) + // .key(objectKey) + // .metadata(metadataMapToList(encCtx)) + // .build()); + + // assertEquals(input, new String(output.getBody().array())); + // } @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") @@ -419,7 +419,7 @@ public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget la "The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration security_profile = :v2. Retry with :v2_and_legacy or re-encrypt the object." ), "Actual error:" + e.getMessage()); } else if (language.getLanguageName().equals(PHP_V2_CURRENT) || language.getLanguageName().equals(PHP_V3)) { - assertTrue(e.getMessage().contains("The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration @SecurityProfile=V2. Retry with V2_AND_LEGACY enabled or reencrypt the object."));; + assertTrue(e.getMessage().contains("The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration @SecurityProfile=V3. Retry with V3_AND_LEGACY enabled or reencrypt the object."));; } else { assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms")); } diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index b1078ed6..aacf79f4 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -148,26 +148,26 @@ public class TestUtils { static { final Map servers = new LinkedHashMap<>(); - servers.put(JAVA_V3_CURRENT, new LanguageServerTarget(JAVA_V3_CURRENT, "8080")); - servers.put(PYTHON_V3, new LanguageServerTarget(PYTHON_V3, "8081")); - servers.put(GO_V3_CURRENT, new LanguageServerTarget(GO_V3_CURRENT, "8082")); - servers.put(NET_V2_CURRENT, new LanguageServerTarget(NET_V2_CURRENT, "8083")); - servers.put(NET_V3, new LanguageServerTarget(NET_V3, "8084")); - servers.put(CPP_V2_CURRENT, new LanguageServerTarget(CPP_V2_CURRENT, "8085")); - servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); - servers.put(CPP_V3, new LanguageServerTarget(CPP_V3, "8091")); + // servers.put(JAVA_V3_CURRENT, new LanguageServerTarget(JAVA_V3_CURRENT, "8080")); + // servers.put(PYTHON_V3, new LanguageServerTarget(PYTHON_V3, "8081")); + // servers.put(GO_V3_CURRENT, new LanguageServerTarget(GO_V3_CURRENT, "8082")); + // servers.put(NET_V2_CURRENT, new LanguageServerTarget(NET_V2_CURRENT, "8083")); + // servers.put(NET_V3, new LanguageServerTarget(NET_V3, "8084")); + // servers.put(CPP_V2_CURRENT, new LanguageServerTarget(CPP_V2_CURRENT, "8085")); + // servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); + // servers.put(CPP_V3, new LanguageServerTarget(CPP_V3, "8091")); // servers.put(RUBY_V2_CURRENT, new LanguageServerTarget(RUBY_V2_CURRENT, "8086")); - servers.put(PHP_V2_CURRENT, new LanguageServerTarget(PHP_V2_CURRENT, "8087")); - servers.put(GO_V4, new LanguageServerTarget(GO_V4, "8089")); + // servers.put(PHP_V2_CURRENT, new LanguageServerTarget(PHP_V2_CURRENT, "8087")); + // servers.put(GO_V4, new LanguageServerTarget(GO_V4, "8089")); // servers.put(RUBY_V3, new LanguageServerTarget(RUBY_V3, "8092")); servers.put(PHP_V3, new LanguageServerTarget(PHP_V3, "8093")); // TODO: Create and add transition servers - servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); + // servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); // servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); // servers.put(RUBY_V2_TRANSITION, new LanguageServerTarget(RUBY_V2_TRANSITION, "8098")); - servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099")); - servers.put(JAVA_V4, new LanguageServerTarget(JAVA_V4, "8090")); + // servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099")); + // servers.put(JAVA_V4, new LanguageServerTarget(JAVA_V4, "8090")); serverMap = filterServers(servers); } From be68da6c6db4cc47ed6d810fe30ac1a03b3e7bac Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Fri, 7 Nov 2025 11:22:08 -0800 Subject: [PATCH 31/37] fix tests --- .../amazon/encryption/s3/CBCDecryptTests.java | 314 ++++----- .../s3/ExhaustiveRoundTripTests1_25.java | 434 ++++++------ .../amazon/encryption/s3/GCMTests.java | 344 +++++----- .../amazon/encryption/s3/KC_GCMTests.java | 406 ++++++------ .../amazon/encryption/s3/RoundTripTests.java | 620 +++++++++--------- .../amazon/encryption/s3/TestUtils.java | 30 +- test-server/php-v3-server/src/get_object.php | 2 +- 7 files changed, 1075 insertions(+), 1075 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/CBCDecryptTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/CBCDecryptTests.java index cabc1d6d..4de6aef4 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/CBCDecryptTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/CBCDecryptTests.java @@ -1,182 +1,182 @@ -// /* -// * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// * SPDX-License-Identifier: Apache-2.0 -// */ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ -// package software.amazon.encryption.s3; +package software.amazon.encryption.s3; -// import static org.junit.jupiter.api.Assertions.assertEquals; -// import static org.junit.jupiter.api.Assertions.assertTrue; -// import static org.junit.jupiter.api.Assertions.fail; -// import static software.amazon.encryption.s3.TestUtils.*; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; +import static software.amazon.encryption.s3.TestUtils.*; -// import java.nio.ByteBuffer; -// import java.nio.charset.StandardCharsets; -// import java.util.Arrays; -// import java.util.HashMap; -// import java.util.List; -// import java.util.Map; -// import java.util.stream.Stream; +import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.stream.Stream; -// import com.amazonaws.services.s3.model.KMSEncryptionMaterials; -// import org.junit.jupiter.api.BeforeAll; -// import org.junit.jupiter.params.ParameterizedTest; -// import org.junit.jupiter.params.provider.Arguments; -// import org.junit.jupiter.params.provider.MethodSource; -// import org.junit.jupiter.api.Nested; -// import software.amazon.encryption.s3.client.S3ECTestServerClient; -// import software.amazon.encryption.s3.model.CommitmentPolicy; -// import software.amazon.encryption.s3.model.CreateClientInput; -// import software.amazon.encryption.s3.model.CreateClientOutput; -// import software.amazon.encryption.s3.model.GetObjectInput; -// import software.amazon.encryption.s3.model.GetObjectOutput; -// import software.amazon.encryption.s3.model.KeyMaterial; -// import software.amazon.encryption.s3.model.PutObjectInput; -// import software.amazon.encryption.s3.model.S3ECConfig; -// import software.amazon.encryption.s3.model.S3EncryptionClientError; -// import software.amazon.encryption.s3.model.EncryptionAlgorithm; +import com.amazonaws.services.s3.model.KMSEncryptionMaterials; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.api.Nested; +import software.amazon.encryption.s3.client.S3ECTestServerClient; +import software.amazon.encryption.s3.model.CommitmentPolicy; +import software.amazon.encryption.s3.model.CreateClientInput; +import software.amazon.encryption.s3.model.CreateClientOutput; +import software.amazon.encryption.s3.model.GetObjectInput; +import software.amazon.encryption.s3.model.GetObjectOutput; +import software.amazon.encryption.s3.model.KeyMaterial; +import software.amazon.encryption.s3.model.PutObjectInput; +import software.amazon.encryption.s3.model.S3ECConfig; +import software.amazon.encryption.s3.model.S3EncryptionClientError; +import software.amazon.encryption.s3.model.EncryptionAlgorithm; -// import com.amazonaws.services.s3.AmazonS3Encryption; -// import com.amazonaws.services.s3.AmazonS3EncryptionClient; -// import com.amazonaws.services.s3.model.CryptoConfiguration; -// import com.amazonaws.services.s3.model.CryptoMode; -// import com.amazonaws.services.s3.model.CryptoStorageMode; -// import software.amazon.encryption.s3.TestUtils.*; -// import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; -// import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; +import com.amazonaws.services.s3.AmazonS3Encryption; +import com.amazonaws.services.s3.AmazonS3EncryptionClient; +import com.amazonaws.services.s3.model.CryptoConfiguration; +import com.amazonaws.services.s3.model.CryptoMode; +import com.amazonaws.services.s3.model.CryptoStorageMode; +import software.amazon.encryption.s3.TestUtils.*; +import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; +import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; -// /** -// * Exhaustive tests for S3 Encryption Client round-trip operations. -// * These tests cover various combinations of client versions, commitment policies, and encryption modes. -// * -// * Tests are based on the exhaustive test matrix defined at: -// * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 -// * -// * These tests deal with decrypting CBC messages -// */ +/** +* Exhaustive tests for S3 Encryption Client round-trip operations. +* These tests cover various combinations of client versions, commitment policies, and encryption modes. +* +* Tests are based on the exhaustive test matrix defined at: +* https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +* +* These tests deal with decrypting CBC messages +*/ -// class CBCDecryptTests { -// private static String sharedObjectKey = appendTestSuffix("test-cbc-kms-v1-"); -// private static KeyMaterial kmsKeyArn = KeyMaterial.builder() -// .kmsKeyId(TestUtils.KMS_KEY_ARN) -// .build(); +class CBCDecryptTests { + private static String sharedObjectKey = appendTestSuffix("test-cbc-kms-v1-"); + private static KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(TestUtils.KMS_KEY_ARN) + .build(); -// @BeforeAll -// static void encryptCBCObject() { -// // Create the object using the old client -// // V1 Client -// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + @BeforeAll + static void encryptCBCObject() { + // Create the object using the old client + // V1 Client + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); -// CryptoConfiguration v1Config = -// new CryptoConfiguration(CryptoMode.EncryptionOnly) -// .withStorageMode(CryptoStorageMode.ObjectMetadata) -// .withAwsKmsRegion(TestUtils.KMS_REGION); + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.EncryptionOnly) + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(TestUtils.KMS_REGION); -// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() -// .withCryptoConfiguration(v1Config) -// .withEncryptionMaterials(materialsProvider) -// .build(); + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); -// v1Client.putObject(TestUtils.BUCKET, sharedObjectKey, sharedObjectKey); -// } + v1Client.putObject(TestUtils.BUCKET, sharedObjectKey, sharedObjectKey); + } -// @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt CBC") -// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") -// void transition_configured_with_the_default_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { + @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt CBC") + @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") + void transition_configured_with_the_default_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .enableLegacyUnauthenticatedModes(true) -// .enableLegacyWrappingAlgorithms(true) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .enableLegacyUnauthenticatedModes(true) + .enableLegacyWrappingAlgorithms(true) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Decrypt(client, S3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); -// } + TestUtils.Decrypt(client, S3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); + } -// @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt CBC") -// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") -// void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { + @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt CBC") + @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") + void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .enableLegacyUnauthenticatedModes(true) -// .enableLegacyWrappingAlgorithms(true) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .enableLegacyUnauthenticatedModes(true) + .enableLegacyWrappingAlgorithms(true) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Decrypt(client, S3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); -// } + TestUtils.Decrypt(client, S3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); + } -// @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt CBC") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); -// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .enableLegacyUnauthenticatedModes(true) -// .enableLegacyWrappingAlgorithms(true) -// .build()) -// .build()); -// String decS3ECId = decClientOutput.getClientId(); + @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt CBC") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .enableLegacyUnauthenticatedModes(true) + .enableLegacyWrappingAlgorithms(true) + .build()) + .build()); + String decS3ECId = decClientOutput.getClientId(); -// TestUtils.Decrypt(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); -// } + TestUtils.Decrypt(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); + } -// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt CBC") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); -// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) -// .enableLegacyUnauthenticatedModes(true) -// .enableLegacyWrappingAlgorithms(true) -// .build()) -// .build()); -// String decS3ECId = decClientOutput.getClientId(); + @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt CBC") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_cbc(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) + .enableLegacyUnauthenticatedModes(true) + .enableLegacyWrappingAlgorithms(true) + .build()) + .build()); + String decS3ECId = decClientOutput.getClientId(); -// TestUtils.Decrypt(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); -// } + TestUtils.Decrypt(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); + } -// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should fail to decrypt CBC") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_require_encrypt_require_decrypt_should_fail_to_decrypt_cbc(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); -// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) -// .enableLegacyUnauthenticatedModes(true) -// .build()) -// .build()); -// String decS3ECId = decClientOutput.getClientId(); + @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should fail to decrypt CBC") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_require_encrypt_require_decrypt_should_fail_to_decrypt_cbc(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) + .enableLegacyUnauthenticatedModes(true) + .build()) + .build()); + String decS3ECId = decClientOutput.getClientId(); -// TestUtils.Decrypt_fails(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); -// } + TestUtils.Decrypt_fails(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); + } -// @ParameterizedTest(name = "{0}: Improved configured with the default should fail to decrypt CBC") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_the_default_should_fail_to_decrypt_cbc(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); -// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .build()) -// .build()); -// String decS3ECId = decClientOutput.getClientId(); + @ParameterizedTest(name = "{0}: Improved configured with the default should fail to decrypt CBC") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_the_default_should_fail_to_decrypt_cbc(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .build()) + .build()); + String decS3ECId = decClientOutput.getClientId(); -// TestUtils.Decrypt_fails(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); -// } -// } + TestUtils.Decrypt_fails(decClient, decS3ECId, Arrays.asList(sharedObjectKey), EncryptionAlgorithm.ALG_AES_256_CBC_IV16_NO_KDF); + } +} diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java index f2c08239..818ae383 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java @@ -1,221 +1,221 @@ -// /* -// * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// * SPDX-License-Identifier: Apache-2.0 -// */ - -// package software.amazon.encryption.s3; - -// import static org.junit.jupiter.api.Assertions.assertEquals; -// import static org.junit.jupiter.api.Assertions.assertTrue; -// import static org.junit.jupiter.api.Assertions.fail; -// import static software.amazon.encryption.s3.TestUtils.*; - -// import java.nio.ByteBuffer; -// import java.nio.charset.StandardCharsets; -// import java.util.HashMap; -// import java.util.List; -// import java.util.Map; -// import java.util.stream.Stream; - -// import com.amazonaws.services.s3.model.KMSEncryptionMaterials; -// import org.junit.jupiter.api.BeforeAll; -// import org.junit.jupiter.params.ParameterizedTest; -// import org.junit.jupiter.params.provider.Arguments; -// import org.junit.jupiter.params.provider.MethodSource; -// import software.amazon.encryption.s3.client.S3ECTestServerClient; -// import software.amazon.encryption.s3.model.CommitmentPolicy; -// import software.amazon.encryption.s3.model.CreateClientInput; -// import software.amazon.encryption.s3.model.CreateClientOutput; -// import software.amazon.encryption.s3.model.GetObjectInput; -// import software.amazon.encryption.s3.model.GetObjectOutput; -// import software.amazon.encryption.s3.model.KeyMaterial; -// import software.amazon.encryption.s3.model.PutObjectInput; -// import software.amazon.encryption.s3.model.S3ECConfig; -// import software.amazon.encryption.s3.model.S3EncryptionClientError; - -// import com.amazonaws.services.s3.AmazonS3Encryption; -// import com.amazonaws.services.s3.AmazonS3EncryptionClient; -// import com.amazonaws.services.s3.model.CryptoConfiguration; -// import com.amazonaws.services.s3.model.CryptoMode; -// import com.amazonaws.services.s3.model.CryptoStorageMode; -// import software.amazon.encryption.s3.TestUtils.*; -// import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; -// import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; - -// /** -// * Exhaustive tests for S3 Encryption Client round-trip operations. -// * These tests cover various combinations of client versions, commitment policies, and encryption modes. -// * -// * Tests are based on the exhaustive test matrix defined at: -// * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 -// * -// * Tests 1-25 are included in this file. -// */ -// public class ExhaustiveRoundTripTests1_25 { - -// @BeforeAll -// public static void setup() { -// TestUtils.validateServersRunning(); -// } - -// // Begin Exhaustive tests defined here: -// // https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +/* + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0 + */ + +package software.amazon.encryption.s3; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; +import static software.amazon.encryption.s3.TestUtils.*; + +import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.stream.Stream; + +import com.amazonaws.services.s3.model.KMSEncryptionMaterials; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; +import software.amazon.encryption.s3.client.S3ECTestServerClient; +import software.amazon.encryption.s3.model.CommitmentPolicy; +import software.amazon.encryption.s3.model.CreateClientInput; +import software.amazon.encryption.s3.model.CreateClientOutput; +import software.amazon.encryption.s3.model.GetObjectInput; +import software.amazon.encryption.s3.model.GetObjectOutput; +import software.amazon.encryption.s3.model.KeyMaterial; +import software.amazon.encryption.s3.model.PutObjectInput; +import software.amazon.encryption.s3.model.S3ECConfig; +import software.amazon.encryption.s3.model.S3EncryptionClientError; + +import com.amazonaws.services.s3.AmazonS3Encryption; +import com.amazonaws.services.s3.AmazonS3EncryptionClient; +import com.amazonaws.services.s3.model.CryptoConfiguration; +import com.amazonaws.services.s3.model.CryptoMode; +import com.amazonaws.services.s3.model.CryptoStorageMode; +import software.amazon.encryption.s3.TestUtils.*; +import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; +import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; + +/** + * Exhaustive tests for S3 Encryption Client round-trip operations. + * These tests cover various combinations of client versions, commitment policies, and encryption modes. + * + * Tests are based on the exhaustive test matrix defined at: + * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 + * + * Tests 1-25 are included in this file. + */ +public class ExhaustiveRoundTripTests1_25 { + + @BeforeAll + public static void setup() { + TestUtils.validateServersRunning(); + } + + // Begin Exhaustive tests defined here: + // https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 -// // Exhaustive test 2 -// // Outcome Version Operation Policy Content Encryption -// // Pass Improved Decrypt ForbidEncryptAllowDecrypt CBC - -// @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1, Decrypt: {0}") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// public void GIVEN_CBCEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( -// TestUtils.LanguageServerTarget language -// ) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// final String objectKey = "test-key-kms-v1-" + language; -// final String input = "simple-test-input"; -// KeyMaterial kmsKeyArn = KeyMaterial.builder() -// .kmsKeyId(TestUtils.KMS_KEY_ARN) -// .build(); - -// // Create the object using the old client -// // V1 Client -// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - -// CryptoConfiguration v1Config = -// new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) -// .withStorageMode(CryptoStorageMode.ObjectMetadata) -// .withAwsKmsRegion(TestUtils.KMS_REGION); - -// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() -// .withCryptoConfiguration(v1Config) -// .withEncryptionMaterials(materialsProvider) -// .build(); - -// v1Client.putObject(TestUtils.BUCKET, objectKey, input); - -// S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); -// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .enableLegacyWrappingAlgorithms(true) -// .build() -// ) -// .build()); -// String decS3ECId = decClientOutput.getClientId(); - -// // When: decrypt KC object with a current version client -// GetObjectOutput output = decClient.getObject(GetObjectInput.builder() -// .clientID(decS3ECId) -// .bucket(TestUtils.BUCKET) -// .key(objectKey) -// .build()); - -// // Then: Pass -// } - -// // Exhaustive test 3 -// // Outcome Version Operation Policy Content Encryption -// // Pass Improved Decrypt ForbidEncryptAllowDecrypt GCM - -// @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1-GCM, Decrypt: {0}") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( -// TestUtils.LanguageServerTarget language -// ) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// final String objectKey = "test-key-kms-v1-gcm-" + language; -// final String input = "simple-test-input"; -// KeyMaterial kmsKeyArn = KeyMaterial.builder() -// .kmsKeyId(TestUtils.KMS_KEY_ARN) -// .build(); -// CreateClientOutput output1 = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .enableLegacyWrappingAlgorithms(true) -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String s3ECId = output1.getClientId(); - -// // Create the object using the old client with GCM encryption -// // V1 Client with GCM -// EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); - -// CryptoConfiguration v1Config = -// new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption) // StrictAuthenticatedEncryption uses GCM -// .withStorageMode(CryptoStorageMode.ObjectMetadata) -// .withAwsKmsRegion(TestUtils.KMS_REGION); - -// AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() -// .withCryptoConfiguration(v1Config) -// .withEncryptionMaterials(materialsProvider) -// .build(); - -// v1Client.putObject(TestUtils.BUCKET, objectKey, input); - -// // When: decrypt GCM object with an improved version client -// GetObjectOutput output = client.getObject(GetObjectInput.builder() -// .clientID(s3ECId) -// .bucket(TestUtils.BUCKET) -// .key(objectKey) -// .build()); - -// // Then: Pass -// assertEquals(input, new String(output.getBody().array())); -// } - -// // Exhaustive test 4 -// // Outcome Version Operation Policy Content Encryption -// // Pass Improved Decrypt ForbidEncryptAllowDecrypt KC-GCM - -// @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") -// @MethodSource("software.amazon.encryption.s3.TestUtils#encryptImprovedDecryptImproved") -// public void GIVEN_KCGCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( -// LanguageServerTarget encLang, LanguageServerTarget decLang -// ) { - -// S3ECTestServerClient encClient = TestUtils.testServerClientFor(encLang); -// final String objectKey = "encrypt-kc-gcm-decrypt-improved-test-key-" + encLang; -// final String input = "simple-test-input"; -// KeyMaterial kmsKeyArn = KeyMaterial.builder() -// .kmsKeyId(TestUtils.KMS_KEY_ARN) -// .build(); -// CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) -// .build()) -// .build()); -// String encS3ECId = encClientOutput.getClientId(); + // Exhaustive test 2 + // Outcome Version Operation Policy Content Encryption + // Pass Improved Decrypt ForbidEncryptAllowDecrypt CBC + + @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + public void GIVEN_CBCEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( + TestUtils.LanguageServerTarget language + ) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + final String objectKey = "test-key-kms-v1-" + language; + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(TestUtils.KMS_KEY_ARN) + .build(); + + // Create the object using the old client + // V1 Client + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(TestUtils.KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(TestUtils.BUCKET, objectKey, input); + + S3ECTestServerClient decClient = TestUtils.testServerClientFor(language); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .enableLegacyWrappingAlgorithms(true) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); + + // When: decrypt KC object with a current version client + GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(TestUtils.BUCKET) + .key(objectKey) + .build()); + + // Then: Pass + } + + // Exhaustive test 3 + // Outcome Version Operation Policy Content Encryption + // Pass Improved Decrypt ForbidEncryptAllowDecrypt GCM + + @ParameterizedTest(name = "{displayName} for Encrypt: Java-V1-GCM, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( + TestUtils.LanguageServerTarget language + ) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + final String objectKey = "test-key-kms-v1-gcm-" + language; + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(TestUtils.KMS_KEY_ARN) + .build(); + CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .enableLegacyWrappingAlgorithms(true) + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String s3ECId = output1.getClientId(); + + // Create the object using the old client with GCM encryption + // V1 Client with GCM + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(TestUtils.KMS_KEY_ARN); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption) // StrictAuthenticatedEncryption uses GCM + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(TestUtils.KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(TestUtils.BUCKET, objectKey, input); + + // When: decrypt GCM object with an improved version client + GetObjectOutput output = client.getObject(GetObjectInput.builder() + .clientID(s3ECId) + .bucket(TestUtils.BUCKET) + .key(objectKey) + .build()); + + // Then: Pass + assertEquals(input, new String(output.getBody().array())); + } + + // Exhaustive test 4 + // Outcome Version Operation Policy Content Encryption + // Pass Improved Decrypt ForbidEncryptAllowDecrypt KC-GCM + + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#encryptImprovedDecryptImproved") + public void GIVEN_KCGCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( + LanguageServerTarget encLang, LanguageServerTarget decLang + ) { + + S3ECTestServerClient encClient = TestUtils.testServerClientFor(encLang); + final String objectKey = "encrypt-kc-gcm-decrypt-improved-test-key-" + encLang; + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(TestUtils.KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) + .build()) + .build()); + String encS3ECId = encClientOutput.getClientId(); -// // Given: object encrypted with key commitment -// encClient.putObject(PutObjectInput.builder() -// .clientID(encS3ECId) -// .key(objectKey) -// .bucket(TestUtils.BUCKET) -// .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) -// .build()); + // Given: object encrypted with key commitment + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(TestUtils.BUCKET) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); -// S3ECTestServerClient decClient = TestUtils.testServerClientFor(decLang); -// CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String decS3ECId = decClientOutput.getClientId(); - -// // When: decrypt KC-GCM object with an improved version client with ForbidEncryptAllowDecrypt policy -// GetObjectOutput output = decClient.getObject(GetObjectInput.builder() -// .clientID(decS3ECId) -// .bucket(TestUtils.BUCKET) -// .key(objectKey) -// .build()); - -// // Then: Pass -// assertEquals(input, StandardCharsets.UTF_8.decode(output.getBody()).toString()); -// } - -// } + S3ECTestServerClient decClient = TestUtils.testServerClientFor(decLang); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String decS3ECId = decClientOutput.getClientId(); + + // When: decrypt KC-GCM object with an improved version client with ForbidEncryptAllowDecrypt policy + GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(TestUtils.BUCKET) + .key(objectKey) + .build()); + + // Then: Pass + assertEquals(input, StandardCharsets.UTF_8.decode(output.getBody()).toString()); + } + +} diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/GCMTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/GCMTests.java index a571edfe..deb1571d 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/GCMTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/GCMTests.java @@ -1,201 +1,201 @@ -// /* -// * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// * SPDX-License-Identifier: Apache-2.0 -// */ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ -// package software.amazon.encryption.s3; +package software.amazon.encryption.s3; -// import static org.junit.jupiter.api.Assertions.assertEquals; -// import static org.junit.jupiter.api.Assertions.assertTrue; -// import static org.junit.jupiter.api.Assertions.fail; -// import static software.amazon.encryption.s3.TestUtils.*; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; +import static software.amazon.encryption.s3.TestUtils.*; -// import java.lang.annotation.ElementType; -// import java.nio.ByteBuffer; -// import java.nio.charset.StandardCharsets; -// import java.util.ArrayList; -// import java.util.HashMap; -// import java.util.List; -// import java.util.Map; -// import java.util.stream.Stream; +import java.lang.annotation.ElementType; +import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.stream.Stream; -// import com.amazonaws.services.s3.model.KMSEncryptionMaterials; -// import org.junit.jupiter.api.BeforeAll; -// import org.junit.jupiter.params.ParameterizedTest; -// import org.junit.jupiter.params.provider.Arguments; -// import org.junit.jupiter.params.provider.MethodSource; -// import org.junit.jupiter.api.TestMethodOrder; -// import org.junit.jupiter.api.MethodOrderer; -// import org.junit.jupiter.api.Order; -// import software.amazon.encryption.s3.client.S3ECTestServerClient; -// import software.amazon.encryption.s3.model.CommitmentPolicy; -// import software.amazon.encryption.s3.model.CreateClientInput; -// import software.amazon.encryption.s3.model.CreateClientOutput; -// import software.amazon.encryption.s3.model.EncryptionAlgorithm; -// import software.amazon.encryption.s3.model.GetObjectInput; -// import software.amazon.encryption.s3.model.GetObjectOutput; -// import software.amazon.encryption.s3.model.KeyMaterial; -// import software.amazon.encryption.s3.model.PutObjectInput; -// import software.amazon.encryption.s3.model.S3ECConfig; -// import software.amazon.encryption.s3.model.S3EncryptionClientError; +import com.amazonaws.services.s3.model.KMSEncryptionMaterials; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.api.TestMethodOrder; +import org.junit.jupiter.api.MethodOrderer; +import org.junit.jupiter.api.Order; +import software.amazon.encryption.s3.client.S3ECTestServerClient; +import software.amazon.encryption.s3.model.CommitmentPolicy; +import software.amazon.encryption.s3.model.CreateClientInput; +import software.amazon.encryption.s3.model.CreateClientOutput; +import software.amazon.encryption.s3.model.EncryptionAlgorithm; +import software.amazon.encryption.s3.model.GetObjectInput; +import software.amazon.encryption.s3.model.GetObjectOutput; +import software.amazon.encryption.s3.model.KeyMaterial; +import software.amazon.encryption.s3.model.PutObjectInput; +import software.amazon.encryption.s3.model.S3ECConfig; +import software.amazon.encryption.s3.model.S3EncryptionClientError; -// import com.amazonaws.services.s3.AmazonS3Encryption; -// import com.amazonaws.services.s3.AmazonS3EncryptionClient; -// import com.amazonaws.services.s3.model.CryptoConfiguration; -// import com.amazonaws.services.s3.model.CryptoMode; -// import com.amazonaws.services.s3.model.CryptoStorageMode; -// import software.amazon.encryption.s3.TestUtils.*; -// import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; -// import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; +import com.amazonaws.services.s3.AmazonS3Encryption; +import com.amazonaws.services.s3.AmazonS3EncryptionClient; +import com.amazonaws.services.s3.model.CryptoConfiguration; +import com.amazonaws.services.s3.model.CryptoMode; +import com.amazonaws.services.s3.model.CryptoStorageMode; +import software.amazon.encryption.s3.TestUtils.*; +import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; +import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; -// /** -// * Exhaustive tests for S3 Encryption Client round-trip operations. -// * These tests cover various combinations of client versions, commitment policies, and encryption modes. -// * -// * Tests are based on the exhaustive test matrix defined at: -// * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 -// * -// */ +/** +* Exhaustive tests for S3 Encryption Client round-trip operations. +* These tests cover various combinations of client versions, commitment policies, and encryption modes. +* +* Tests are based on the exhaustive test matrix defined at: +* https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +* +*/ -// @TestMethodOrder(MethodOrderer.OrderAnnotation.class) -// class GCMTests { -// private static String sharedObjectKeyBase = "test-gcm-kms"; -// private static KeyMaterial kmsKeyArn = KeyMaterial.builder() -// .kmsKeyId(TestUtils.KMS_KEY_ARN) -// .build(); -// private static List crossLanguageObjects = new ArrayList<>(); +@TestMethodOrder(MethodOrderer.OrderAnnotation.class) +class GCMTests { + private static String sharedObjectKeyBase = "test-gcm-kms"; + private static KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(TestUtils.KMS_KEY_ARN) + .build(); + private static List crossLanguageObjects = new ArrayList<>(); -// @Order(1) -// @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should encrypt GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_forbid_encrypt_allow_decrypt_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + @Order(1) + @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should encrypt GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_forbid_encrypt_allow_decrypt_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); -// } + TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + } -// @Order(2) -// @ParameterizedTest(name = "{0}: Transition configured with the default should encrypt GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") -// void transition_configured_with_the_default_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + @Order(2) + @ParameterizedTest(name = "{0}: Transition configured with the default should encrypt GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") + void transition_configured_with_the_default_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); -// } + TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + } -// @Order(3) -// @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should encrypt GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") -// void transition_configured_with_forbid_encrypt_allow_decrypt_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + @Order(3) + @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should encrypt GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") + void transition_configured_with_forbid_encrypt_allow_decrypt_should_encrypt_gcm(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); -// } + TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + } -// @Order(10) -// @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { + @Order(10) + @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); -// } + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + } -// @Order(11) -// @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") -// void transition_configured_with_the_default_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { + @Order(11) + @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") + void transition_configured_with_the_default_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); -// } + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + } -// @Order(12) -// @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") -// void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { + @Order(12) + @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") + void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); -// } + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + } -// @Order(13) -// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { + @Order(13) + @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); -// } + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + } -// @Order(14) -// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should fail to decrypt GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_require_encrypt_require_decrypt_should_fail_to_decrypt_gcm(TestUtils.LanguageServerTarget language) { + @Order(14) + @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should fail to decrypt GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_require_encrypt_require_decrypt_should_fail_to_decrypt_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); -// TestUtils.Decrypt_fails(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); -// } + TestUtils.Decrypt_fails(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF); + } -// } +} diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/KC_GCMTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/KC_GCMTests.java index 30007d54..9e77e20e 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/KC_GCMTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/KC_GCMTests.java @@ -1,218 +1,218 @@ -// /* -// * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -// * SPDX-License-Identifier: Apache-2.0 -// */ +/* +* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +* SPDX-License-Identifier: Apache-2.0 +*/ -// package software.amazon.encryption.s3; +package software.amazon.encryption.s3; -// import static org.junit.jupiter.api.Assertions.assertEquals; -// import static org.junit.jupiter.api.Assertions.assertTrue; -// import static org.junit.jupiter.api.Assertions.fail; -// import static software.amazon.encryption.s3.TestUtils.*; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.fail; +import static software.amazon.encryption.s3.TestUtils.*; -// import java.lang.annotation.ElementType; -// import java.nio.ByteBuffer; -// import java.nio.charset.StandardCharsets; -// import java.util.ArrayList; -// import java.util.HashMap; -// import java.util.List; -// import java.util.Map; -// import java.util.stream.Stream; +import java.lang.annotation.ElementType; +import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.stream.Stream; -// import com.amazonaws.services.s3.model.KMSEncryptionMaterials; -// import org.junit.jupiter.api.BeforeAll; -// import org.junit.jupiter.params.ParameterizedTest; -// import org.junit.jupiter.params.provider.Arguments; -// import org.junit.jupiter.params.provider.MethodSource; -// import org.junit.jupiter.api.TestMethodOrder; -// import org.junit.jupiter.api.MethodOrderer; -// import org.junit.jupiter.api.Order; -// import software.amazon.encryption.s3.client.S3ECTestServerClient; -// import software.amazon.encryption.s3.model.CommitmentPolicy; -// import software.amazon.encryption.s3.model.CreateClientInput; -// import software.amazon.encryption.s3.model.CreateClientOutput; -// import software.amazon.encryption.s3.model.EncryptionAlgorithm; -// import software.amazon.encryption.s3.model.GetObjectInput; -// import software.amazon.encryption.s3.model.GetObjectOutput; -// import software.amazon.encryption.s3.model.KeyMaterial; -// import software.amazon.encryption.s3.model.PutObjectInput; -// import software.amazon.encryption.s3.model.S3ECConfig; -// import software.amazon.encryption.s3.model.S3EncryptionClientError; +import com.amazonaws.services.s3.model.KMSEncryptionMaterials; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; +import org.junit.jupiter.api.TestMethodOrder; +import org.junit.jupiter.api.MethodOrderer; +import org.junit.jupiter.api.Order; +import software.amazon.encryption.s3.client.S3ECTestServerClient; +import software.amazon.encryption.s3.model.CommitmentPolicy; +import software.amazon.encryption.s3.model.CreateClientInput; +import software.amazon.encryption.s3.model.CreateClientOutput; +import software.amazon.encryption.s3.model.EncryptionAlgorithm; +import software.amazon.encryption.s3.model.GetObjectInput; +import software.amazon.encryption.s3.model.GetObjectOutput; +import software.amazon.encryption.s3.model.KeyMaterial; +import software.amazon.encryption.s3.model.PutObjectInput; +import software.amazon.encryption.s3.model.S3ECConfig; +import software.amazon.encryption.s3.model.S3EncryptionClientError; -// import com.amazonaws.services.s3.AmazonS3Encryption; -// import com.amazonaws.services.s3.AmazonS3EncryptionClient; -// import com.amazonaws.services.s3.model.CryptoConfiguration; -// import com.amazonaws.services.s3.model.CryptoMode; -// import com.amazonaws.services.s3.model.CryptoStorageMode; -// import software.amazon.encryption.s3.TestUtils.*; -// import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; -// import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; +import com.amazonaws.services.s3.AmazonS3Encryption; +import com.amazonaws.services.s3.AmazonS3EncryptionClient; +import com.amazonaws.services.s3.model.CryptoConfiguration; +import com.amazonaws.services.s3.model.CryptoMode; +import com.amazonaws.services.s3.model.CryptoStorageMode; +import software.amazon.encryption.s3.TestUtils.*; +import com.amazonaws.services.s3.model.EncryptionMaterialsProvider; +import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider; -// /** -// * Exhaustive tests for S3 Encryption Client round-trip operations. -// * These tests cover various combinations of client versions, commitment policies, and encryption modes. -// * -// * Tests are based on the exhaustive test matrix defined at: -// * https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 -// * -// */ +/** +* Exhaustive tests for S3 Encryption Client round-trip operations. +* These tests cover various combinations of client versions, commitment policies, and encryption modes. +* +* Tests are based on the exhaustive test matrix defined at: +* https://tiny.amazon.com/3xnzwczl/loopcloumicrpeyJ3 +* +*/ -// @TestMethodOrder(MethodOrderer.OrderAnnotation.class) -// class KC_GCMTests { -// private static String sharedObjectKeyBase = "test-kc-gcm-kms"; -// private static KeyMaterial kmsKeyArn = KeyMaterial.builder() -// .kmsKeyId(TestUtils.KMS_KEY_ARN) -// .build(); -// private static List crossLanguageObjects = new ArrayList<>(); +@TestMethodOrder(MethodOrderer.OrderAnnotation.class) +class KC_GCMTests { + private static String sharedObjectKeyBase = "test-kc-gcm-kms"; + private static KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(TestUtils.KMS_KEY_ARN) + .build(); + private static List crossLanguageObjects = new ArrayList<>(); -// @Order(1) -// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should encrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_require_encrypt_allow_decrypt_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } + @Order(1) + @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should encrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_require_encrypt_allow_decrypt_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } -// @Order(2) -// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should encrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_require_encrypt_require_decrypt_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } + @Order(2) + @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should encrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_require_encrypt_require_decrypt_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } -// @Order(2) -// @ParameterizedTest(name = "{0}: Improved configured with the default should encrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_the_default_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// // .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } - -// @Order(10) -// @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") -// void transition_configured_with_the_default_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } + @Order(2) + @ParameterizedTest(name = "{0}: Improved configured with the default should encrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_the_default_should_encrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Encrypt(client, S3ECId, appendTestSuffix(sharedObjectKeyBase + language.getLanguageName()), crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } + + @Order(10) + @ParameterizedTest(name = "{0}: Transition configured with the default should decrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") + void transition_configured_with_the_default_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } -// @Order(11) -// @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") -// void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } + @Order(11) + @ParameterizedTest(name = "{0}: Transition configured with ForbidEncryptAllowDecrypt should decrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#transitionClientsForTest") + void transition_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } -// @Order(12) -// @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } + @Order(12) + @ParameterizedTest(name = "{0}: Improved configured with ForbidEncryptAllowDecrypt should decrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_forbid_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } -// @Order(13) -// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } + @Order(13) + @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptAllowDecrypt should decrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_require_encrypt_allow_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } -// @Order(14) -// @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should decrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_require_encrypt_require_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } + @Order(14) + @ParameterizedTest(name = "{0}: Improved configured with RequireEncryptRequireDecrypt should decrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_require_encrypt_require_decrypt_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } -// @Order(15) -// @ParameterizedTest(name = "{0}: Improved configured with the default should decrypt KC-GCM") -// @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") -// void improved_configured_with_the_default_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { - -// S3ECTestServerClient client = TestUtils.testServerClientFor(language); -// CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() -// .config(S3ECConfig.builder() -// .keyMaterial(kmsKeyArn) -// // .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) -// .build()) -// .build()); -// String S3ECId = clientOutput.getClientId(); - -// TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); -// } - -// } + @Order(15) + @ParameterizedTest(name = "{0}: Improved configured with the default should decrypt KC-GCM") + @MethodSource("software.amazon.encryption.s3.TestUtils#improvedClientsForTest") + void improved_configured_with_the_default_should_decrypt_kc_gcm(TestUtils.LanguageServerTarget language) { + + S3ECTestServerClient client = TestUtils.testServerClientFor(language); + CreateClientOutput clientOutput = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + // .commitmentPolicy(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) + .build()) + .build()); + String S3ECId = clientOutput.getClientId(); + + TestUtils.Decrypt(client, S3ECId, crossLanguageObjects, EncryptionAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY); + } + +} diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java index bedf7c2e..f7c650fe 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java @@ -56,316 +56,316 @@ public static void setup() { validateServersRunning(); } - // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - // public void crossLanguageTestKms(LanguageServerTarget encLang, LanguageServerTarget decLang) { - // S3ECTestServerClient encClient = testServerClientFor(encLang); - // final String objectKey = appendTestSuffix("cross-lang-test-key-" + encLang); - // final String input = "simple-test-input"; - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig - // .builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String encS3ECId = encClientOutput.getClientId(); - // encClient.putObject(PutObjectInput.builder() - // .clientID(encS3ECId) - // .key(objectKey) - // .bucket(BUCKET) - // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - // .build()); - // S3ECTestServerClient decClient = testServerClientFor(decLang); - // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String decS3ECId = decClientOutput.getClientId(); - // GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - // .clientID(decS3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .build()); - - // if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { - // fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); - // } - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - // public void crossLanguageTestKmsWithEncCtx(LanguageServerTarget encLang, LanguageServerTarget decLang) { - // if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { - // return; - // } - // S3ECTestServerClient encClient = testServerClientFor(encLang); - // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-" + encLang); - // final String input = "simple-test-input"; - // final Map encCtx = new HashMap<>(); - // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - // final List mdAsList = metadataMapToList(encCtx); - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String encS3ECId = encClientOutput.getClientId(); - - // encClient.putObject(PutObjectInput.builder() - // .clientID(encS3ECId) - // .key(objectKey) - // .bucket(BUCKET) - // .metadata(mdAsList) - // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - // .build()); - // S3ECTestServerClient decClient = testServerClientFor(decLang); - // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String decS3ECId = decClientOutput.getClientId(); - // GetObjectOutput output = decClient.getObject(GetObjectInput.builder() - // .clientID(decS3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .metadata(mdAsList) - // .build()); - - // if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { - // fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); - // } - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - // public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { - // if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { - // return; - // } - // if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { - // return; - // } - // S3ECTestServerClient encClient = testServerClientFor(encLang); - // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-subset-fails" + encLang); - // final String input = "simple-test-input"; - // final Map encCtx = new HashMap<>(); - // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - // final List mdAsList = metadataMapToList(encCtx); - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build()) - // .build()); - // String encS3ECId = encClientOutput.getClientId(); - - // encClient.putObject(PutObjectInput.builder() - // .clientID(encS3ECId) - // .key(objectKey) - // .bucket(BUCKET) - // .metadata(mdAsList) - // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - // .build()); - // S3ECTestServerClient decClient = testServerClientFor(decLang); - // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String decS3ECId = decClientOutput.getClientId(); - // try { - // decClient.getObject(GetObjectInput.builder() - // .clientID(decS3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .build()); - // fail("Expected exception!"); - // } catch (S3EncryptionClientError e) { - // if (decLang.getLanguageName().equals(RUBY_V3) || decLang.getLanguageName().equals(RUBY_V2_CURRENT) || decLang.getLanguageName().equals(RUBY_V2_TRANSITION)) { - // assertTrue(e.getMessage().contains("Value of encryption context from envelope does not match the provided encryption context")); - // } else { - // assertTrue(e.getMessage().contains("Provided encryption context does not match information retrieved from S3")); - // } - // } - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") - // public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { - // if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { - // return; - // } - // S3ECTestServerClient encClient = testServerClientFor(encLang); - // final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-incorrect-fails" + encLang); - // final String input = "simple-test-input"; - // final Map encCtx = new HashMap<>(); - // encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); - // encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); - // final List mdAsList = metadataMapToList(encCtx); - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String encS3ECId = encClientOutput.getClientId(); - - // encClient.putObject(PutObjectInput.builder() - // .clientID(encS3ECId) - // .key(objectKey) - // .bucket(BUCKET) - // .metadata(mdAsList) - // .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) - // .build()); - // S3ECTestServerClient decClient = testServerClientFor(decLang); - // CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build() - // ) - // .build()); - // String decS3ECId = decClientOutput.getClientId(); - - // final Map incorrectEncCtx = new HashMap<>(); - // incorrectEncCtx.put("this-is-wrong-ec-key", "bad-value"); - // var incorrectMdAsList = metadataMapToList(incorrectEncCtx); - // try { - // decClient.getObject(GetObjectInput.builder() - // .clientID(decS3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .metadata(incorrectMdAsList) - // .build()); - // fail("Expected exception!"); - // } catch (S3EncryptionClientError e) { - // if (decLang.getLanguageName().equals(RUBY_V3) || decLang.getLanguageName().equals(RUBY_V2_CURRENT) || decLang.getLanguageName().equals(RUBY_V2_TRANSITION)) { - // assertTrue(e.getMessage().contains("Value of encryption context from envelope does not match the provided encryption context")); - // } else { - // assertTrue(e.getMessage().contains("Provided encryption context does not match information retrieved from S3")); - // } - // } - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - // public void kmsV1Legacy(TestUtils.LanguageServerTarget language) { - // S3ECTestServerClient client = testServerClientFor(language); - // final String objectKey = appendTestSuffix("test-key-kms-v1-" + language); - // final String input = "simple-test-input"; - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .enableLegacyWrappingAlgorithms(true) - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build()) - // .build()); - // String s3ECId = output1.getClientId(); - - // // Create the object using the old client - // // V1 Client - // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); - - // CryptoConfiguration v1Config = - // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - // .withStorageMode(CryptoStorageMode.ObjectMetadata) - // .withAwsKmsRegion(KMS_REGION); - - // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - // .withCryptoConfiguration(v1Config) - // .withEncryptionMaterials(materialsProvider) - // .build(); - - // v1Client.putObject(BUCKET, objectKey, input); - - // GetObjectOutput output = client.getObject(GetObjectInput.builder() - // .clientID(s3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .build()); - - // assertEquals(input, new String(output.getBody().array())); - // } - - // @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") - // @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") - // public void kmsV1LegacyWithEncCtx(TestUtils.LanguageServerTarget language) { - // S3ECTestServerClient client = testServerClientFor(language); - // final String objectKey = appendTestSuffix("test-key-kms-v1-with-enc-ctx-" + language); - // final String input = "simple-test-input"; - // KeyMaterial kmsKeyArn = KeyMaterial.builder() - // .kmsKeyId(KMS_KEY_ARN) - // .build(); - // CreateClientOutput output1 = client.createClient(CreateClientInput.builder() - // .config(S3ECConfig.builder() - // .enableLegacyWrappingAlgorithms(true) - // .keyMaterial(kmsKeyArn) - // .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - // .build()) - // .build()); - // String s3ECId = output1.getClientId(); - - // // Create the object using the old client - // // V1 Client - // final String ecKey = "user-metadata-key"; - // final String ecValue = "user-metadata-value-v1"; - // KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ARN); - // kmsMaterials.addDescription(ecKey, ecValue); - // EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials); - - // CryptoConfiguration v1Config = - // new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) - // .withStorageMode(CryptoStorageMode.ObjectMetadata) - // .withAwsKmsRegion(KMS_REGION); - - // AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() - // .withCryptoConfiguration(v1Config) - // .withEncryptionMaterials(materialsProvider) - // .build(); - - // v1Client.putObject(BUCKET, objectKey, input); - - // final Map encCtx = new HashMap<>(); - // encCtx.put(ecKey, ecValue); - // GetObjectOutput output = client.getObject(GetObjectInput.builder() - // .clientID(s3ECId) - // .bucket(BUCKET) - // .key(objectKey) - // .metadata(metadataMapToList(encCtx)) - // .build()); - - // assertEquals(input, new String(output.getBody().array())); - // } + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void crossLanguageTestKms(LanguageServerTarget encLang, LanguageServerTarget decLang) { + S3ECTestServerClient encClient = testServerClientFor(encLang); + final String objectKey = appendTestSuffix("cross-lang-test-key-" + encLang); + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig + .builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String encS3ECId = encClientOutput.getClientId(); + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(BUCKET) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); + S3ECTestServerClient decClient = testServerClientFor(decLang); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); + GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(BUCKET) + .key(objectKey) + .build()); + + if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { + fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); + } + } + + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void crossLanguageTestKmsWithEncCtx(LanguageServerTarget encLang, LanguageServerTarget decLang) { + if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { + return; + } + S3ECTestServerClient encClient = testServerClientFor(encLang); + final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-" + encLang); + final String input = "simple-test-input"; + final Map encCtx = new HashMap<>(); + encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + final List mdAsList = metadataMapToList(encCtx); + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String encS3ECId = encClientOutput.getClientId(); + + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(BUCKET) + .metadata(mdAsList) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); + S3ECTestServerClient decClient = testServerClientFor(decLang); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); + GetObjectOutput output = decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(BUCKET) + .key(objectKey) + .metadata(mdAsList) + .build()); + + if (!input.equals(StandardCharsets.UTF_8.decode(output.getBody()).toString())) { + fail(String.format("Encryption in %s failed to decrpyt in %s!", encLang, decLang)); + } + } + + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { + if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { + return; + } + if (ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED.contains(encLang.getLanguageName())) { + return; + } + S3ECTestServerClient encClient = testServerClientFor(encLang); + final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-subset-fails" + encLang); + final String input = "simple-test-input"; + final Map encCtx = new HashMap<>(); + encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + final List mdAsList = metadataMapToList(encCtx); + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String encS3ECId = encClientOutput.getClientId(); + + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(BUCKET) + .metadata(mdAsList) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); + S3ECTestServerClient decClient = testServerClientFor(decLang); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); + try { + decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(BUCKET) + .key(objectKey) + .build()); + fail("Expected exception!"); + } catch (S3EncryptionClientError e) { + if (decLang.getLanguageName().equals(RUBY_V3) || decLang.getLanguageName().equals(RUBY_V2_CURRENT) || decLang.getLanguageName().equals(RUBY_V2_TRANSITION)) { + assertTrue(e.getMessage().contains("Value of encryption context from envelope does not match the provided encryption context")); + } else { + assertTrue(e.getMessage().contains("Provided encryption context does not match information retrieved from S3")); + } + } + } + + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void crossLanguageTestKmsWithIncorrectEncCtxFails(LanguageServerTarget encLang, LanguageServerTarget decLang) { + if (ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED.contains(decLang.getLanguageName())) { + return; + } + S3ECTestServerClient encClient = testServerClientFor(encLang); + final String objectKey = appendTestSuffix("cross-lang-test-key-kms-ec-incorrect-fails" + encLang); + final String input = "simple-test-input"; + final Map encCtx = new HashMap<>(); + encCtx.put("user-defined-enc-ctx-key", "user-defined-enc-ctx-value"); + encCtx.put("user-defined-enc-ctx-key-2", "user-defined-enc-ctx-value-2"); + final List mdAsList = metadataMapToList(encCtx); + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String encS3ECId = encClientOutput.getClientId(); + + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(BUCKET) + .metadata(mdAsList) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); + S3ECTestServerClient decClient = testServerClientFor(decLang); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build() + ) + .build()); + String decS3ECId = decClientOutput.getClientId(); + + final Map incorrectEncCtx = new HashMap<>(); + incorrectEncCtx.put("this-is-wrong-ec-key", "bad-value"); + var incorrectMdAsList = metadataMapToList(incorrectEncCtx); + try { + decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(BUCKET) + .key(objectKey) + .metadata(incorrectMdAsList) + .build()); + fail("Expected exception!"); + } catch (S3EncryptionClientError e) { + if (decLang.getLanguageName().equals(RUBY_V3) || decLang.getLanguageName().equals(RUBY_V2_CURRENT) || decLang.getLanguageName().equals(RUBY_V2_TRANSITION)) { + assertTrue(e.getMessage().contains("Value of encryption context from envelope does not match the provided encryption context")); + } else { + assertTrue(e.getMessage().contains("Provided encryption context does not match information retrieved from S3")); + } + } + } + + @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + public void kmsV1Legacy(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = testServerClientFor(language); + final String objectKey = appendTestSuffix("test-key-kms-v1-" + language); + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .enableLegacyWrappingAlgorithms(true) + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String s3ECId = output1.getClientId(); + + // Create the object using the old client + // V1 Client + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ARN); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(BUCKET, objectKey, input); + + GetObjectOutput output = client.getObject(GetObjectInput.builder() + .clientID(s3ECId) + .bucket(BUCKET) + .key(objectKey) + .build()); + + assertEquals(input, new String(output.getBody().array())); + } + + @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") + @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") + public void kmsV1LegacyWithEncCtx(TestUtils.LanguageServerTarget language) { + S3ECTestServerClient client = testServerClientFor(language); + final String objectKey = appendTestSuffix("test-key-kms-v1-with-enc-ctx-" + language); + final String input = "simple-test-input"; + KeyMaterial kmsKeyArn = KeyMaterial.builder() + .kmsKeyId(KMS_KEY_ARN) + .build(); + CreateClientOutput output1 = client.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .enableLegacyWrappingAlgorithms(true) + .keyMaterial(kmsKeyArn) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + .build()) + .build()); + String s3ECId = output1.getClientId(); + + // Create the object using the old client + // V1 Client + final String ecKey = "user-metadata-key"; + final String ecValue = "user-metadata-value-v1"; + KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(KMS_KEY_ARN); + kmsMaterials.addDescription(ecKey, ecValue); + EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(kmsMaterials); + + CryptoConfiguration v1Config = + new CryptoConfiguration(CryptoMode.AuthenticatedEncryption) + .withStorageMode(CryptoStorageMode.ObjectMetadata) + .withAwsKmsRegion(KMS_REGION); + + AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder() + .withCryptoConfiguration(v1Config) + .withEncryptionMaterials(materialsProvider) + .build(); + + v1Client.putObject(BUCKET, objectKey, input); + + final Map encCtx = new HashMap<>(); + encCtx.put(ecKey, ecValue); + GetObjectOutput output = client.getObject(GetObjectInput.builder() + .clientID(s3ECId) + .bucket(BUCKET) + .key(objectKey) + .metadata(metadataMapToList(encCtx)) + .build()); + + assertEquals(input, new String(output.getBody().array())); + } @ParameterizedTest(name = "{displayName} for Encrypt: Java, Decrypt: {0}") @MethodSource("software.amazon.encryption.s3.TestUtils#clientsForTest") diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index aacf79f4..ca3967e0 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -148,26 +148,26 @@ public class TestUtils { static { final Map servers = new LinkedHashMap<>(); - // servers.put(JAVA_V3_CURRENT, new LanguageServerTarget(JAVA_V3_CURRENT, "8080")); - // servers.put(PYTHON_V3, new LanguageServerTarget(PYTHON_V3, "8081")); - // servers.put(GO_V3_CURRENT, new LanguageServerTarget(GO_V3_CURRENT, "8082")); - // servers.put(NET_V2_CURRENT, new LanguageServerTarget(NET_V2_CURRENT, "8083")); - // servers.put(NET_V3, new LanguageServerTarget(NET_V3, "8084")); - // servers.put(CPP_V2_CURRENT, new LanguageServerTarget(CPP_V2_CURRENT, "8085")); - // servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); - // servers.put(CPP_V3, new LanguageServerTarget(CPP_V3, "8091")); + servers.put(JAVA_V3_CURRENT, new LanguageServerTarget(JAVA_V3_CURRENT, "8080")); + servers.put(PYTHON_V3, new LanguageServerTarget(PYTHON_V3, "8081")); + servers.put(GO_V3_CURRENT, new LanguageServerTarget(GO_V3_CURRENT, "8082")); + servers.put(NET_V2_CURRENT, new LanguageServerTarget(NET_V2_CURRENT, "8083")); + servers.put(NET_V3, new LanguageServerTarget(NET_V3, "8084")); + servers.put(CPP_V2_CURRENT, new LanguageServerTarget(CPP_V2_CURRENT, "8085")); + servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097")); + servers.put(CPP_V3, new LanguageServerTarget(CPP_V3, "8091")); // servers.put(RUBY_V2_CURRENT, new LanguageServerTarget(RUBY_V2_CURRENT, "8086")); - // servers.put(PHP_V2_CURRENT, new LanguageServerTarget(PHP_V2_CURRENT, "8087")); - // servers.put(GO_V4, new LanguageServerTarget(GO_V4, "8089")); + servers.put(PHP_V2_CURRENT, new LanguageServerTarget(PHP_V2_CURRENT, "8087")); + servers.put(GO_V4, new LanguageServerTarget(GO_V4, "8089")); // servers.put(RUBY_V3, new LanguageServerTarget(RUBY_V3, "8092")); servers.put(PHP_V3, new LanguageServerTarget(PHP_V3, "8093")); // TODO: Create and add transition servers - // servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); - // servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); - // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); + servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); + servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); + servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); // servers.put(RUBY_V2_TRANSITION, new LanguageServerTarget(RUBY_V2_TRANSITION, "8098")); - // servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099")); - // servers.put(JAVA_V4, new LanguageServerTarget(JAVA_V4, "8090")); + servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099")); + servers.put(JAVA_V4, new LanguageServerTarget(JAVA_V4, "8090")); serverMap = filterServers(servers); } diff --git a/test-server/php-v3-server/src/get_object.php b/test-server/php-v3-server/src/get_object.php index 7851170a..3de7f779 100644 --- a/test-server/php-v3-server/src/get_object.php +++ b/test-server/php-v3-server/src/get_object.php @@ -78,7 +78,7 @@ function handleGetObject($params) if (ob_get_level()) { ob_end_clean(); } - if (strpos($e->getMessage(), "@SecurityProfile=V2") !== false) { + if (strpos($e->getMessage(), "@SecurityProfile=V3") !== false) { return S3EncryptionClientError($e->getMessage()); } elseif (strpos($e->getMessage(), "Provided encryption context does not match information retrieved from S3") !== false) { return S3EncryptionClientError($e->getMessage()); From 2ac0624c29335b53d30ffee63086eb3f63c8fad5 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 10 Nov 2025 17:07:43 -0800 Subject: [PATCH 32/37] update --- .../java/software/amazon/encryption/s3/TestUtils.java | 11 ++++------- test-server/php-v2-transition-server/local-php-sdk | 2 +- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index c87791e7..b28cea25 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -129,14 +129,12 @@ public class TestUtils { public static final Set TRANSITION_VERSIONS = Set.of( // JAVA_V3_TRANSITION, - // GO_V3_TRANSITION, - // NET_V2_TRANSITION - PHP_V2_TRANSITION, - RUBY_V2_TRANSITION GO_V3_TRANSITION, - // NET_V2_TRANSITION, + NET_V2_TRANSITION, NET_V3_TRANSITION, - CPP_V2_TRANSITION + CPP_V2_TRANSITION, + PHP_V2_TRANSITION, + RUBY_V2_TRANSITION ); public static final Set IMPROVED_VERSIONS = @@ -144,7 +142,6 @@ public class TestUtils { JAVA_V4, // PYTHON_V3, GO_V4, - // NET_V3, CPP_V3, PHP_V3, // NET_V4, diff --git a/test-server/php-v2-transition-server/local-php-sdk b/test-server/php-v2-transition-server/local-php-sdk index 8f3ef218..35a52086 160000 --- a/test-server/php-v2-transition-server/local-php-sdk +++ b/test-server/php-v2-transition-server/local-php-sdk @@ -1 +1 @@ -Subproject commit 8f3ef2182f6f69721787a6f65bb8cf6b5dea1598 +Subproject commit 35a52086c5ccf7f5e62e3c17e210923e129c823b From d913e5e120dd28ded7732a946b6dc7128ee52879 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 10 Nov 2025 17:09:49 -0800 Subject: [PATCH 33/37] m --- .../it/java/software/amazon/encryption/s3/TestUtils.java | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index b28cea25..c9b3afa0 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -129,8 +129,8 @@ public class TestUtils { public static final Set TRANSITION_VERSIONS = Set.of( // JAVA_V3_TRANSITION, - GO_V3_TRANSITION, - NET_V2_TRANSITION, + // GO_V3_TRANSITION, + // NET_V2_TRANSITION, NET_V3_TRANSITION, CPP_V2_TRANSITION, PHP_V2_TRANSITION, @@ -142,9 +142,9 @@ public class TestUtils { JAVA_V4, // PYTHON_V3, GO_V4, + // NET_V4, CPP_V3, PHP_V3, - // NET_V4, RUBY_V3 ); @@ -167,7 +167,7 @@ public class TestUtils { servers.put(PHP_V3, new LanguageServerTarget(PHP_V3, "8093")); // TODO: Create and add transition servers // servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); - servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); + // servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); servers.put(RUBY_V2_TRANSITION, new LanguageServerTarget(RUBY_V2_TRANSITION, "8098")); servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099")); @@ -541,4 +541,3 @@ public static void Decrypt_fails( assertEquals(successfulDecrypt.size(), 0, "Decryption should have failed:" + String.join(",", successfulDecrypt)); } } - From 9935aecdb85a8dba6c108174e1666b9364f975f1 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 10 Nov 2025 17:10:24 -0800 Subject: [PATCH 34/37] m --- .../src/it/java/software/amazon/encryption/s3/TestUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index c9b3afa0..01c07734 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -129,7 +129,7 @@ public class TestUtils { public static final Set TRANSITION_VERSIONS = Set.of( // JAVA_V3_TRANSITION, - // GO_V3_TRANSITION, + GO_V3_TRANSITION, // NET_V2_TRANSITION, NET_V3_TRANSITION, CPP_V2_TRANSITION, From 0e2a3f70ebdd559bd312e554a3b864c31c7061d4 Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 10 Nov 2025 17:12:12 -0800 Subject: [PATCH 35/37] m --- .../amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java | 2 +- .../src/it/java/software/amazon/encryption/s3/TestUtils.java | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java index bdf45bb0..100925a9 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/ExhaustiveRoundTripTests1_25.java @@ -176,7 +176,7 @@ public void GIVEN_GCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncrypt @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") @MethodSource("software.amazon.encryption.s3.TestUtils#encryptImprovedDecryptImproved") public void GIVEN_KCGCMEncryptedData_AND_ImprovedClientDecryptingWithForbidEncryptAllowDecrypt_WHEN_Decrypt_THEN_Pass( - LanguageServerTarget encLang, LanguageServerTarget decLang + TestUtils.LanguageServerTarget encLang, TestUtils.LanguageServerTarget decLang ) { S3ECTestServerClient encClient = TestUtils.testServerClientFor(encLang); diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index 01c07734..2889e531 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -129,7 +129,7 @@ public class TestUtils { public static final Set TRANSITION_VERSIONS = Set.of( // JAVA_V3_TRANSITION, - GO_V3_TRANSITION, + GO_V3_TRANSITION, // NET_V2_TRANSITION, NET_V3_TRANSITION, CPP_V2_TRANSITION, @@ -167,7 +167,7 @@ public class TestUtils { servers.put(PHP_V3, new LanguageServerTarget(PHP_V3, "8093")); // TODO: Create and add transition servers // servers.put(JAVA_V3_TRANSITION, new LanguageServerTarget(JAVA_V3_TRANSITION, "8094")); - // servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); + servers.put(GO_V3_TRANSITION, new LanguageServerTarget(GO_V3_TRANSITION, "8095")); // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096")); servers.put(RUBY_V2_TRANSITION, new LanguageServerTarget(RUBY_V2_TRANSITION, "8098")); servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099")); From 5002c3ce9ee2a5ba0ccededb891ed85d70b72f4a Mon Sep 17 00:00:00 2001 From: Jose Corella Date: Mon, 10 Nov 2025 17:51:50 -0800 Subject: [PATCH 36/37] m --- .../it/java/software/amazon/encryption/s3/RoundTripTests.java | 2 +- test-server/php-v2-server/src/get_object.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java index 6fc70c82..266348b2 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java @@ -429,7 +429,7 @@ public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget la assertTrue(e.getMessage().contains( "The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration security_profile = :v2. Retry with :v2_and_legacy or re-encrypt the object." ), "Actual error:" + e.getMessage()); - } else if (language.getLanguageName().equals(PHP_V2_CURRENT) || language.getLanguageName().equals(PHP_V3)) { + } else if (language.getLanguageName().equals(PHP_V3)) { assertTrue(e.getMessage().contains("The requested object is encrypted with V1 encryption schemas that have been disabled by client configuration @SecurityProfile=V3. Retry with V3_AND_LEGACY enabled or reencrypt the object."));; } else { assertTrue(e.getMessage().contains("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms")); diff --git a/test-server/php-v2-server/src/get_object.php b/test-server/php-v2-server/src/get_object.php index 3150ec04..61bacb5b 100644 --- a/test-server/php-v2-server/src/get_object.php +++ b/test-server/php-v2-server/src/get_object.php @@ -77,7 +77,7 @@ function handleGetObject($params) ob_end_clean(); } if (strpos($e->getMessage(), "@SecurityProfile=V2") !== false) { - return S3EncryptionClientError($e->getMessage()); + return S3EncryptionClientError($e->getMessage() . " " . "Enable legacy wrapping algorithms to use legacy key wrapping algorithm: kms"); } else { return GenericServerError("Server argument: " . $e->getMessage(), 500); } From 22604cd474cefb369742796b66254d84ba88e971 Mon Sep 17 00:00:00 2001 From: Kess Plasmeier <76071473+kessplas@users.noreply.github.com> Date: Tue, 11 Nov 2025 13:43:33 -0800 Subject: [PATCH 37/37] add summaries to exceptions (#82) --- .../compliance_exceptions/client.txt | 18 ++++++++++++++++++ .../content-metadata-strategy.txt | 13 ++++++++++++- .../compliance_exceptions/content-metadata.txt | 7 +++++++ .../compliance_exceptions/decryption.txt | 6 ++++++ .../compliance_exceptions/encryption.txt | 11 +++++++++++ 5 files changed, 54 insertions(+), 1 deletion(-) diff --git a/test-server/php-v3-server/compliance_exceptions/client.txt b/test-server/php-v3-server/compliance_exceptions/client.txt index 87d2bf56..0efb20bd 100644 --- a/test-server/php-v3-server/compliance_exceptions/client.txt +++ b/test-server/php-v3-server/compliance_exceptions/client.txt @@ -1,3 +1,21 @@ +// +// The PHP V3 implementation is missing the following features: +// +// 1. Client Configuration Options: +// - Legacy algorithm support controls (wrapping algorithms, unauthenticated modes) +// - Uses V3/V3_AND_LEGACY instead +// - Delayed authentication mode configuration +// - Buffer size configuration for memory management +// - Raw keyring material (RSA, AES) +// - SDK client configuration inheritance (credentials, KMS client config) +// - Custom randomness source configuration +// +// 2. Api Operations: +// - DeleteObject and DeleteObjects (with instruction file cleanup) +// - Multipart upload operations (UploadPart, CompleteMultipartUpload, AbortMultipartUpload) +// - ReEncryptInstructionFile for key rotation +// - Non-encryption related S3 operations + //= ../specification/s3-encryption/client.md#aws-sdk-compatibility //= type=exception //# The S3EC SHOULD support invoking operations unrelated to client-side encryption e.g. diff --git a/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt b/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt index 04731949..bb86da72 100644 --- a/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt +++ b/test-server/php-v3-server/compliance_exceptions/content-metadata-strategy.txt @@ -1,3 +1,14 @@ +// +// The PHP V3 implementation is missing the following features: +// +// 1. METADATA ENCODING: +// - S3 Server "double encoding" support for proper metadata decoding +// +// 2. INSTRUCTION FILE OPERATIONS: +// - Re-encryption/key rotation via instruction files +// - Custom instruction file suffix support for GetObject requests +// + //= ../specification/s3-encryption/data-format/metadata-strategy.md#object-metadata //= type=exception //# The S3EC SHOULD support decoding the S3 Server's "double encoding". @@ -20,4 +31,4 @@ //= ../specification/s3-encryption/data-format/metadata-strategy.md#v3-instruction-files //= type=exception -//# - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. \ No newline at end of file +//# - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt index c5fd4012..6053a0a6 100644 --- a/test-server/php-v3-server/compliance_exceptions/content-metadata.txt +++ b/test-server/php-v3-server/compliance_exceptions/content-metadata.txt @@ -1,3 +1,10 @@ +// +// The PHP V3 implementation is missing the following features: +// +// - Instruction file fallback when object doesn't match V1/V2/V3 formats +// - S3 Server "double encoding" scheme support +// - Writing raw keyring formats (RSA, AES) + //= ../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys //= type=exception //# - The mapkey "x-amz-key" MUST be present for V1 format objects. diff --git a/test-server/php-v3-server/compliance_exceptions/decryption.txt b/test-server/php-v3-server/compliance_exceptions/decryption.txt index dbac1f19..df86d896 100644 --- a/test-server/php-v3-server/compliance_exceptions/decryption.txt +++ b/test-server/php-v3-server/compliance_exceptions/decryption.txt @@ -1,3 +1,9 @@ +// +// The PHP V3 implementation is missing the following features: +// +// - Support for "range" parameter on GetObject for partial downloads and decryption +// + //= ../specification/s3-encryption/decryption.md#ranged-gets //= type=exception //# The S3EC MAY support the "range" parameter on GetObject which specifies a subset of bytes to download and decrypt. diff --git a/test-server/php-v3-server/compliance_exceptions/encryption.txt b/test-server/php-v3-server/compliance_exceptions/encryption.txt index 0c0364cf..5ae44c91 100644 --- a/test-server/php-v3-server/compliance_exceptions/encryption.txt +++ b/test-server/php-v3-server/compliance_exceptions/encryption.txt @@ -1,3 +1,14 @@ +// +// The PHP V3 implementation is missing the following features: +// +// - Support for "range" parameter on GetObject for partial downloads and decryption +// +// The PHP V3 implementation has an extra "feature". +// NOTE that using this feature will cause the message to be unable to be decrypted by other language implementations. + +// - Support for AAD during content encryption +// + //= ../specification/s3-encryption/encryption.md#alg-aes-256-ctr-iv16-tag16-no-kdf //= type=exception //# Attempts to encrypt using AES-CTR MUST fail.