From 4a2e50b72c38dc7a24ea2402303d5744d20ccf5b Mon Sep 17 00:00:00 2001 From: Kess Plasmeier Date: Thu, 6 Nov 2025 12:51:39 -0800 Subject: [PATCH 1/9] add RSA support to Java and Dotnet test servers and a simple RSA roundtrip test --- .gitignore | 3 ++ .../amazon/encryption/s3/RoundTripTests.java | 47 +++++++++++++++++++ .../amazon/encryption/s3/TestUtils.java | 16 +++++-- .../s3/CreateClientOperationImpl.java | 19 +++++++- .../s3/CreateClientOperationImpl.java | 19 +++++++- .../s3/CreateClientOperationImpl.java | 19 +++++++- .../Controllers/ClientController.cs | 43 ++++++++++++----- .../net-v2-v3-server/Models/ClientRequest.cs | 4 +- 8 files changed, 143 insertions(+), 27 deletions(-) diff --git a/.gitignore b/.gitignore index 9a2c0f8a..5cd8f239 100644 --- a/.gitignore +++ b/.gitignore @@ -52,3 +52,6 @@ gradle-app.setting .DS_Store smithy-java-core/out + +# test server +*.pid diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java index e8dc4bae..52166b2f 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java @@ -12,6 +12,8 @@ import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.KeyPairGenerator; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -22,6 +24,7 @@ import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.Arguments; import org.junit.jupiter.params.provider.MethodSource; +import org.opentest4j.TestAbortedException; import software.amazon.encryption.s3.client.S3ECTestServerClient; import software.amazon.encryption.s3.model.CommitmentPolicy; import software.amazon.encryption.s3.model.CreateClientInput; 
@@ -416,4 +419,48 @@ public void kmsV1LegacyFailsWhenLegacyDisabled(TestUtils.LanguageServerTarget la } } } + + @ParameterizedTest(name = "{displayName} for Encrypt: {0}, Decrypt: {1}") + @MethodSource("software.amazon.encryption.s3.TestUtils#crossLanguageClients") + public void rsaRoundTrip(LanguageServerTarget encLang, LanguageServerTarget decLang) throws Exception { + if (!RAW_SUPPORTED.contains(encLang.getLanguageName())) { + throw new TestAbortedException("not encrypting raw keyrings with: " + encLang.getLanguageName()); + } + if (!RAW_SUPPORTED.contains(decLang.getLanguageName())) { + throw new TestAbortedException("not decrypting raw keyrings with: " + decLang.getLanguageName()); + } + S3ECTestServerClient encClient = testServerClientFor(encLang); + S3ECTestServerClient decClient = testServerClientFor(decLang); + final String objectKey = appendTestSuffix(String.format("rsa-write-%s-read-%s", encLang.getLanguageName(), decLang.getLanguageName())); + final String input = "simple-test-input-rsa"; + KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); + keyPairGen.initialize(2048); + KeyPair RSA_KEY_PAIR_1 = keyPairGen.generateKeyPair(); + + KeyMaterial rsaKeyOne = KeyMaterial.builder() + .rsaKey(ByteBuffer.wrap(RSA_KEY_PAIR_1.getPrivate().getEncoded())) + .build(); + CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(rsaKeyOne).build()) + .build()); + String encS3ECId = encClientOutput.getClientId(); + CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() + .config(S3ECConfig.builder() + .keyMaterial(rsaKeyOne).build()) + .build()); + String decS3ECId = decClientOutput.getClientId(); + encClient.putObject(PutObjectInput.builder() + .clientID(encS3ECId) + .key(objectKey) + .bucket(BUCKET) + .body(ByteBuffer.wrap(input.getBytes(StandardCharsets.UTF_8))) + .build()); + GetObjectOutput output = 
decClient.getObject(GetObjectInput.builder() + .clientID(decS3ECId) + .bucket(BUCKET) + .key(objectKey) + .build()); + assertEquals(input, new String(output.getBody().array())); + } } diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index 4b0c8e74..bf8b544c 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -97,6 +97,12 @@ public class TestUtils { public static final Set ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED = Set.of(NET_V2_CURRENT, NET_V3); + // For now, only .NET and Java have AES and RSA support + public static final Set RAW_SUPPORTED = + Set.of(JAVA_V3_CURRENT, JAVA_V3_TRANSITION, JAVA_V4 + , NET_V2_CURRENT, NET_V3 + ); + public static final Set CURRENT_VERSIONS = Set.of( JAVA_V3_CURRENT, @@ -286,7 +292,7 @@ public static List metadataMapToList(Map md) { public static void validateServersRunning() { for (LanguageServerTarget server : serverMap.values()) { if (!serverListening(server.getServerURI())) { - throw new RuntimeException(String.format("Test Server for %s is not running at endpoint: %s", + throw new RuntimeException(String.format("Test Server for %s is not running at endpoint: %s", server.getLanguageName(), server.getServerURI())); } } @@ -430,7 +436,7 @@ public static EncryptionAlgorithm GetEncryptionAlgorithm(String objectKey) return EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF; } } - + throw new RuntimeException("Need to support instruction files!"); } @@ -456,7 +462,7 @@ public static void Encrypt( crossLanguageObjects.add(objectKey); } - + public static void Decrypt( S3ECTestServerClient client, String S3ECId, List crossLanguageObjects, 
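Review bot: The final assertion in `rsaRoundTrip` decodes the body with `new String(output.getBody().array())`, which uses the platform default charset and reads the whole backing array regardless of the buffer's position and limit, while the input was encoded with `StandardCharsets.UTF_8`. Decoding with `StandardCharsets.UTF_8.decode(output.getBody().duplicate()).toString()` keeps both sides on the same charset and respects the buffer bounds. The local `RSA_KEY_PAIR_1` is named like a constant; `rsaKeyPair` would match the other locals. A short comment stating that the key pair is generated per run and that the PKCS#8 private key is sent to both test servers would make clear that this request shape is for throwaway test keys only.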
@@ -468,7 +474,7 @@ public static void Decrypt( .bucket(TestUtils.BUCKET) .key(objectKey) .build()); - + // Then: Pass assertEquals(objectKey, new String(output.getBody().array())); assertEquals( @@ -478,7 +484,7 @@ public static void Decrypt( ); } } - + public static void Decrypt_fails( S3ECTestServerClient client, String S3ECId, List crossLanguageObjects, diff --git a/test-server/java-v3-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java b/test-server/java-v3-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java index d992c435..c008f375 100644 --- a/test-server/java-v3-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java +++ b/test-server/java-v3-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java @@ -21,8 +21,11 @@ import java.io.StringWriter; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; +import java.security.interfaces.RSAPrivateCrtKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.RSAPublicKeySpec; import java.util.Arrays; import java.util.Map; import java.util.Optional; 
@@ -72,13 +75,25 @@ public CreateClientOutput createClient(CreateClientInput input, RequestContext c key.getRsaKey().get(keyBytes); PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); + RSAPrivateCrtKey privateKey = (RSAPrivateCrtKey) keyFactory.generatePrivate(keySpec); + RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec( + privateKey.getModulus(), + privateKey.getPublicExponent() + ); + + // Generate public key + PublicKey publicKey = keyFactory.generatePublic(publicKeySpec); + keyring = RsaKeyring.builder() .enableLegacyWrappingAlgorithms(input.getConfig().isEnableLegacyWrappingAlgorithms()) .wrappingKeyPair(PartialRsaKeyPair.builder() - .privateKey(keyFactory.generatePrivate(keySpec)).build()) + .publicKey(publicKey) + .privateKey(privateKey).build()) .build(); } catch (NoSuchAlgorithmException | InvalidKeySpecException nse) { - throw new RuntimeException(nse); + throw GenericServerError.builder() + .message(nse.getMessage()) + .build(); } } else if (key.getKmsKeyId() != null) { keyring = KmsKeyring.builder() diff --git a/test-server/java-v3-transition-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java b/test-server/java-v3-transition-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java index d992c435..a45a64ee 100644 --- a/test-server/java-v3-transition-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java +++ b/test-server/java-v3-transition-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java 
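Review bot: The cast `(RSAPrivateCrtKey) keyFactory.generatePrivate(keySpec)` is applied to key bytes taken from the request, and a PKCS#8 RSA key that does not carry CRT parameters may come back as a plain `RSAPrivateKey`, raising a `ClassCastException` that the `catch (NoSuchAlgorithmException | InvalidKeySpecException nse)` below does not cover. Checking the type first keeps malformed key material on the handled error path: `PrivateKey parsed = keyFactory.generatePrivate(keySpec);` then `if (!(parsed instanceof RSAPrivateCrtKey)) throw GenericServerError.builder().message("RSA private key lacks CRT parameters").build();` (this needs an import of `java.security.PrivateKey`). `nse.getMessage()` can be null and drops the cause, so logging the exception before building the error would keep the stack trace available. The same lines appear in the java-v3-transition-server and java-v4-server hunks of this patch. createClient starts and ends outside the hunk.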
@@ -21,7 +21,10 @@ import java.io.StringWriter; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; +import java.security.interfaces.RSAPrivateCrtKey; import java.security.spec.InvalidKeySpecException; +import java.security.spec.RSAPublicKeySpec; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Arrays; import java.util.Map; @@ -72,13 +75,25 @@ public CreateClientOutput createClient(CreateClientInput input, RequestContext c key.getRsaKey().get(keyBytes); PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); + RSAPrivateCrtKey privateKey = (RSAPrivateCrtKey) keyFactory.generatePrivate(keySpec); + RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec( + privateKey.getModulus(), + privateKey.getPublicExponent() + ); + + // Generate public key + PublicKey publicKey = keyFactory.generatePublic(publicKeySpec); + keyring = RsaKeyring.builder() .enableLegacyWrappingAlgorithms(input.getConfig().isEnableLegacyWrappingAlgorithms()) .wrappingKeyPair(PartialRsaKeyPair.builder() - .privateKey(keyFactory.generatePrivate(keySpec)).build()) + .publicKey(publicKey) + .privateKey(privateKey).build()) .build(); } catch (NoSuchAlgorithmException | InvalidKeySpecException nse) { - throw new RuntimeException(nse); + throw GenericServerError.builder() + .message(nse.getMessage()) + .build(); } } else if (key.getKmsKeyId() != null) { keyring = KmsKeyring.builder() diff --git a/test-server/java-v4-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java b/test-server/java-v4-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java index d992c435..a45a64ee 100644 --- a/test-server/java-v4-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java +++ b/test-server/java-v4-server/src/main/java/software/amazon/encryption/s3/CreateClientOperationImpl.java 
@@ -21,7 +21,10 @@ import java.io.StringWriter; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; +import java.security.interfaces.RSAPrivateCrtKey; import java.security.spec.InvalidKeySpecException; +import java.security.spec.RSAPublicKeySpec; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Arrays; import java.util.Map; @@ -72,13 +75,25 @@ public CreateClientOutput createClient(CreateClientInput input, RequestContext c key.getRsaKey().get(keyBytes); PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); + RSAPrivateCrtKey privateKey = (RSAPrivateCrtKey) keyFactory.generatePrivate(keySpec); + RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec( + privateKey.getModulus(), + privateKey.getPublicExponent() + ); + + // Generate public key + PublicKey publicKey = keyFactory.generatePublic(publicKeySpec); + keyring = RsaKeyring.builder() .enableLegacyWrappingAlgorithms(input.getConfig().isEnableLegacyWrappingAlgorithms()) .wrappingKeyPair(PartialRsaKeyPair.builder() - .privateKey(keyFactory.generatePrivate(keySpec)).build()) + .publicKey(publicKey) + .privateKey(privateKey).build()) .build(); } catch (NoSuchAlgorithmException | InvalidKeySpecException nse) { - throw new RuntimeException(nse); + throw GenericServerError.builder() + .message(nse.getMessage()) + .build(); } } else if (key.getKmsKeyId() != null) { keyring = KmsKeyring.builder() diff --git a/test-server/net-v2-v3-server/Controllers/ClientController.cs b/test-server/net-v2-v3-server/Controllers/ClientController.cs index 01bf610c..7e626e56 100644 --- a/test-server/net-v2-v3-server/Controllers/ClientController.cs +++ b/test-server/net-v2-v3-server/Controllers/ClientController.cs @@ -1,3 +1,5 @@ +using System.Net; +using System.Security.Cryptography; using System.Text.Json; using Amazon.Extensions.S3.Encryption; using Amazon.Extensions.S3.Encryption.Primitives; 
@@ -19,25 +21,40 @@ public IActionResult CreateClient([FromBody] ClientRequest request) return StatusCode(501, new GenericServerError { Message = "EnableDelayedAuthenticationMode not supported" }); if (request.Config.SetBufferSize.HasValue) return StatusCode(501, new GenericServerError { Message = "SetBufferSize not supported" }); - if (request.Config.KeyMaterial.RsaKey != null) - return StatusCode(501, new GenericServerError { Message = "RsaKey not supported" }); if (request.Config.KeyMaterial.AesKey != null) return StatusCode(501, new GenericServerError { Message = "AesKey not supported" }); - var kmsKeyId = request.Config.KeyMaterial.KmsKeyId; - var enableLegacyUnauthenticatedModes = request.Config.EnableLegacyUnauthenticatedModes; - var enableLegacyWrappingAlgorithms = request.Config.EnableLegacyWrappingAlgorithms; - try { - // The POST request does not contain encryption context. - // However, encryption context is a required field when using KMS. - // So, we are passing empty dictionary. - var encryptionContext = new Dictionary(); - var encryptionMaterial = new EncryptionMaterialsV2(kmsKeyId, KmsType.KmsContext, encryptionContext); - logger.LogInformation( - "Created EncryptionMaterialsV2: KMS={KmsKeyId}", + EncryptionMaterialsV2 encryptionMaterial; + if (request.Config.KeyMaterial.KmsKeyId != null) + { + // The POST request does not contain encryption context. + // However, encryption context is a required field when using KMS. + // So, we are passing empty dictionary. 
+ var encryptionContext = new Dictionary(); + var kmsKeyId = request.Config.KeyMaterial.KmsKeyId; + encryptionMaterial = new EncryptionMaterialsV2(kmsKeyId, KmsType.KmsContext, encryptionContext); + logger.LogInformation( + "Created EncryptionMaterialsV2: KMS={KmsKeyId}", kmsKeyId); + } + else if (request.Config.KeyMaterial.RsaKey != null) + { + var rsaKeyBytes = request.Config.KeyMaterial.RsaKey; + var rsaKey = RSA.Create(); + rsaKey.ImportPkcs8PrivateKey(new ReadOnlySpan(rsaKeyBytes), out _); + encryptionMaterial = new EncryptionMaterialsV2(rsaKey, AsymmetricAlgorithmType.RsaOaepSha1); + logger.LogInformation( + "Created EncryptionMaterialsV2: RSA"); + } else + { + return StatusCode(501, new GenericServerError { Message = "Unknown or missing key material!" }); + } + + var enableLegacyUnauthenticatedModes = request.Config.EnableLegacyUnauthenticatedModes; + var enableLegacyWrappingAlgorithms = request.Config.EnableLegacyWrappingAlgorithms; + // SecurityProfile V2AndLegacy can decrypt from legacy S3EC but V2 cannot var enableLegacyMode = enableLegacyUnauthenticatedModes || enableLegacyWrappingAlgorithms; var securityProfile = enableLegacyMode ? SecurityProfile.V2AndLegacy : SecurityProfile.V2; diff --git a/test-server/net-v2-v3-server/Models/ClientRequest.cs b/test-server/net-v2-v3-server/Models/ClientRequest.cs index 6882b4f9..95644524 100644 --- a/test-server/net-v2-v3-server/Models/ClientRequest.cs +++ b/test-server/net-v2-v3-server/Models/ClientRequest.cs @@ -22,7 +22,5 @@ public class KeyMaterial { public byte[]? RsaKey { get; set; } public byte[]? AesKey { get; set; } - - [Required] - public string KmsKeyId { get; set; } = string.Empty; + public string? KmsKeyId { get; set; } } \ No newline at end of file From 5e24f3f2c89157c9a7a661d0d7919ef85ee95a2f Mon Sep 17 00:00:00 2001 
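Review bot: The new RSA branch parses request-supplied bytes with `rsaKey.ImportPkcs8PrivateKey(..., out _)` and discards the consumed-byte count, so trailing data after the key structure is accepted silently; `out var bytesRead` followed by `if (bytesRead != rsaKeyBytes.Length)` returning an error would reject it. When both `KmsKeyId` and `RsaKey` are present the KMS branch wins without notice, which can hide a test that meant to exercise RSA; rejecting requests with more than one key type set would make that visible. The final `else` answers missing key material with 501, although a request without key material is malformed and 400 describes it better. The same branch is repeated in the net-v3-transition-server hunk of PATCH 3/9. CreateClient continues outside the hunk.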
From: Kess Plasmeier <76071473+kessplas@users.noreply.github.com> Date: Fri, 7 Nov 2025 15:49:01 -0800 Subject: [PATCH 2/9] Update TestUtils.java --- .../src/it/java/software/amazon/encryption/s3/TestUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index 7a17b00a..76bacf74 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -96,7 +96,7 @@ public class TestUtils { public static final Set ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED = Set.of(NET_V2_CURRENT, NET_V3_CURRENT, NET_V3_TRANSITION); - // For now, only .NET and Java have AES and RSA support + // For now, only .NET and Java have RSA support public static final Set RAW_SUPPORTED = Set.of(JAVA_V3_CURRENT, JAVA_V3_TRANSITION, JAVA_V4 , NET_V2_CURRENT, NET_V3 From fefe5052b61dcfc9f45d13d6f7faa14da8bf2110 Mon Sep 17 00:00:00 2001 From: Kess Plasmeier Date: Mon, 10 Nov 2025 13:13:29 -0800 Subject: [PATCH 3/9] update for net v3 transition --- .../amazon/encryption/s3/TestUtils.java | 2 +- .../Controllers/ClientController.cs | 39 +++++++++++++------ .../Models/ClientRequest.cs | 4 +- 3 files changed, 29 insertions(+), 16 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index 56ebfe2f..6fd179b3 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java 
@@ -99,7 +99,7 @@ public class TestUtils { // For now, only .NET and Java have RSA support public static final Set RAW_SUPPORTED = Set.of(JAVA_V3_CURRENT, JAVA_V3_TRANSITION, JAVA_V4 - , NET_V2_CURRENT, NET_V3 + , NET_V2_CURRENT, NET_V3_CURRENT, NET_V3_TRANSITION ); // .NET only supports decrypting instruction files using AES and RSA. diff --git a/test-server/net-v3-transition-server/Controllers/ClientController.cs b/test-server/net-v3-transition-server/Controllers/ClientController.cs index 16630e9c..1cba1ced 100644 --- a/test-server/net-v3-transition-server/Controllers/ClientController.cs +++ b/test-server/net-v3-transition-server/Controllers/ClientController.cs 
@@ -19,30 +19,45 @@ public IActionResult CreateClient([FromBody] ClientRequest request) return StatusCode(501, new GenericServerError { Message = "EnableDelayedAuthenticationMode not supported" }); if (request.Config.SetBufferSize.HasValue) return StatusCode(501, new GenericServerError { Message = "SetBufferSize not supported" }); - if (request.Config.KeyMaterial.RsaKey != null) - return StatusCode(501, new GenericServerError { Message = "RsaKey not supported" }); if (request.Config.KeyMaterial.AesKey != null) return StatusCode(501, new GenericServerError { Message = "AesKey not supported" }); try { - var kmsKeyId = request.Config.KeyMaterial.KmsKeyId; + EncryptionMaterialsV2 encryptionMaterial; + if (request.Config.KeyMaterial.KmsKeyId != null) + { + // The POST request does not contain encryption context. + // However, encryption context is a required field when using KMS. + // So, we are passing empty dictionary. + var encryptionContext = new Dictionary(); + var kmsKeyId = request.Config.KeyMaterial.KmsKeyId; + encryptionMaterial = new EncryptionMaterialsV2(kmsKeyId, KmsType.KmsContext, encryptionContext); + logger.LogInformation( + "[NET-V3-Transitional] Created EncryptionMaterialsV2: KMS={KmsKeyId}", + kmsKeyId); + kmsKeyId); + } + else if (request.Config.KeyMaterial.RsaKey != null) + { + var rsaKeyBytes = request.Config.KeyMaterial.RsaKey; + var rsaKey = RSA.Create(); + rsaKey.ImportPkcs8PrivateKey(new ReadOnlySpan(rsaKeyBytes), out _); + encryptionMaterial = new EncryptionMaterialsV2(rsaKey, AsymmetricAlgorithmType.RsaOaepSha1); + logger.LogInformation( + "Created EncryptionMaterialsV2: RSA"); + } else + { + return StatusCode(501, new GenericServerError { Message = "Unknown or missing key material!" 
}); + } + var enableLegacyUnauthenticatedModes = request.Config.EnableLegacyUnauthenticatedModes; var enableLegacyWrappingAlgorithms = request.Config.EnableLegacyWrappingAlgorithms; var commitmentPolicy = MapCommitmentPolicy(request.Config.CommitmentPolicy); - // The POST request does not contain encryption context. - // However, encryption context is a required field when using KMS. - // So, we are passing empty dictionary. - var encryptionContext = new Dictionary(); - var encryptionMaterial = new EncryptionMaterialsV2(kmsKeyId, KmsType.KmsContext, encryptionContext); - logger.LogInformation( - "[NET-V3-Transitional] Created EncryptionMaterialsV2: KMS={KmsKeyId}", - kmsKeyId); // SecurityProfile V2AndLegacy can decrypt from legacy S3EC but V2 cannot var enableLegacyMode = enableLegacyUnauthenticatedModes || enableLegacyWrappingAlgorithms; var securityProfile = enableLegacyMode ? SecurityProfile.V2AndLegacy : SecurityProfile.V2; - logger.LogInformation("[NET-V3-Transitional] Created securityProfile= {securityProfile}", securityProfile.ToString()); var encryptionAlgorithm = MapEncryptionAlgorithm(request.Config.EncryptionAlgorithm); diff --git a/test-server/net-v3-transition-server/Models/ClientRequest.cs b/test-server/net-v3-transition-server/Models/ClientRequest.cs index cd5fa406..cd963e53 100644 --- a/test-server/net-v3-transition-server/Models/ClientRequest.cs +++ b/test-server/net-v3-transition-server/Models/ClientRequest.cs @@ -27,9 +27,7 @@ public class KeyMaterial { public byte[]? RsaKey { get; set; } public byte[]? AesKey { get; set; } - - [Required] - public string KmsKeyId { get; set; } = string.Empty; + public string KmsKeyId { get; set; } } [JsonConverter(typeof(JsonStringEnumConverter))] From f859357d3c36cfd1926dea6276891e95cf02854e Mon Sep 17 00:00:00 2001 From: Kess Plasmeier Date: Mon, 10 Nov 2025 13:56:05 -0800 Subject: [PATCH 4/9] fix net --- .../net-v3-transition-server/Controllers/ClientController.cs | 1 - 1 file changed, 1 deletion(-) 
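Review bot: `KmsKeyId` loses `[Required]` in this hunk but remains a non-nullable `string` with no initializer, while the same property in net-v2-v3-server was changed to `string?`. The controller now selects the key type by testing `KmsKeyId != null`, so declaring it `public string? KmsKeyId { get; set; }` states that contract and keeps the two servers' models consistent.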
diff --git a/test-server/net-v3-transition-server/Controllers/ClientController.cs b/test-server/net-v3-transition-server/Controllers/ClientController.cs index 1cba1ced..7ea4e31e 100644 --- a/test-server/net-v3-transition-server/Controllers/ClientController.cs +++ b/test-server/net-v3-transition-server/Controllers/ClientController.cs @@ -36,7 +36,6 @@ public IActionResult CreateClient([FromBody] ClientRequest request) logger.LogInformation( "[NET-V3-Transitional] Created EncryptionMaterialsV2: KMS={KmsKeyId}", kmsKeyId); - kmsKeyId); } else if (request.Config.KeyMaterial.RsaKey != null) { From e61d975c197000ab2a93747b57ff91f9e8ffe6df Mon Sep 17 00:00:00 2001 From: Kess Plasmeier Date: Mon, 10 Nov 2025 16:05:43 -0800 Subject: [PATCH 5/9] disable net v3 transition --- .../src/it/java/software/amazon/encryption/s3/TestUtils.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index 6fd179b3..a2aa8c98 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -99,7 +99,8 @@ public class TestUtils { // For now, only .NET and Java have RSA support public static final Set RAW_SUPPORTED = Set.of(JAVA_V3_CURRENT, JAVA_V3_TRANSITION, JAVA_V4 - , NET_V2_CURRENT, NET_V3_CURRENT, NET_V3_TRANSITION + , NET_V2_CURRENT, NET_V3_CURRENT +// , NET_V3_TRANSITION ); // .NET only supports decrypting instruction files using AES and RSA. From f2e30fa7f6fdff73bea44d18c819f2b05646c637 Mon Sep 17 00:00:00 2001 From: Kess Plasmeier Date: Mon, 10 Nov 2025 18:20:25 -0800 Subject: [PATCH 6/9] fix dotnet --- .../net-v3-transition-server/Controllers/ClientController.cs | 2 ++ 1 file changed, 2 insertions(+) 
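Review bot: The entry `// , NET_V3_TRANSITION` in `RAW_SUPPORTED` is disabled by commenting it out with no reason given, and the comment above the set still says .NET has RSA support without qualification. A why-comment on that line, for example `// NET_V3_TRANSITION disabled: <reason / tracking issue>`, would tell the next reader what has to be fixed before the target is re-enabled. Without it the RSA round trip silently skips that server, which is easy to mistake for coverage.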
diff --git a/test-server/net-v3-transition-server/Controllers/ClientController.cs b/test-server/net-v3-transition-server/Controllers/ClientController.cs
index 7ea4e31e..0746618e 100644
--- a/test-server/net-v3-transition-server/Controllers/ClientController.cs
+++ b/test-server/net-v3-transition-server/Controllers/ClientController.cs
@@ -1,3 +1,5 @@
+using System.Net;
+using System.Security.Cryptography;
 using System.Text.Json;
 using Amazon.Extensions.S3.Encryption;
 using Amazon.Extensions.S3.Encryption.Primitives;
From bbcb0520320c39adf8042511dd75cb4630840d2c Mon Sep 17 00:00:00 2001
From: Kess Plasmeier
Date: Mon, 10 Nov 2025 19:00:36 -0800
Subject: [PATCH 7/9] fix merge error
---
 .../it/java/software/amazon/encryption/s3/RoundTripTests.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
index 4f452a50..94fd31db 100644
--- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
+++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
@@ -182,6 +182,7 @@ public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLa
 .config(S3ECConfig.builder()
 .keyMaterial(kmsKeyArn)
 .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+ .encryptionAlgorithm(EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
 .build())
 .build());
 String encS3ECId = encClientOutput.getClientId();
@@ -198,6 +199,7 @@ public void crossLanguageTestKmsWithSubsetEncCtxFails(LanguageServerTarget encLa
 .config(S3ECConfig.builder()
 .keyMaterial(kmsKeyArn)
 .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+ .encryptionAlgorithm(EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
 .build()
 )
 .build());
From a53d6ef357e4d12688b65faaedc7a532ff631d9c Mon Sep 17 00:00:00 2001
From: Kess Plasmeier
Date: Mon, 10 Nov 2025 19:40:03 -0800
Subject: [PATCH 8/9] specify classic gcm
---
 .../it/java/software/amazon/encryption/s3/RoundTripTests.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
index 94fd31db..20557a93 100644
--- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
+++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
@@ -459,6 +459,8 @@ public void rsaRoundTrip(LanguageServerTarget encLang, LanguageServerTarget decL
 .build();
 CreateClientOutput encClientOutput = encClient.createClient(CreateClientInput.builder()
 .config(S3ECConfig.builder()
+ // TODO: use this for now to satisfy current. think about long term soln for this
+ .encryptionAlgorithm(EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
 .keyMaterial(rsaKeyOne).build())
 .build());
 String encS3ECId = encClientOutput.getClientId();
From 656403d9978a2e157bf7a931ce626794cdacaf2a Mon Sep 17 00:00:00 2001
From: Kess Plasmeier
Date: Mon, 10 Nov 2025 20:21:52 -0800
Subject: [PATCH 9/9] commitpol
---
 .../it/java/software/amazon/encryption/s3/RoundTripTests.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
index 20557a93..91805ab3 100644
--- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
+++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java
@@ -461,6 +461,7 @@ public void rsaRoundTrip(LanguageServerTarget encLang, LanguageServerTarget decL
 .config(S3ECConfig.builder()
 // TODO: use this for now to satisfy current. think about long term soln for this
 .encryptionAlgorithm(EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
+ .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
 .keyMaterial(rsaKeyOne).build())
 .build());
 String encS3ECId = encClientOutput.getClientId();
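Review bot: With `.commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)` added next to `ALG_AES_256_GCM_IV12_TAG16_NO_KDF`, the encrypting client in `rsaRoundTrip` is pinned to what appears to be the non-committing configuration, so the RSA wrapping path is presumably never exercised with the servers' default settings. The TODO above it does not say which server requires this or what would allow removing it; a comment naming the limiting server and a tracking reference, such as `// TODO(<tracking issue>): required until <server> supports key commitment with raw RSA`, would keep the restriction from becoming permanent. The decrypting client's configuration lies outside the hunk, so whether it needs matching settings cannot be checked from here.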