-
Notifications
You must be signed in to change notification settings - Fork 123
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create keyring trace and add to encryption and decryption materials. (#…
…134) * Create keyring trace and add to encryption and decryption materials. *Issue #, if available:* #102 *Description of changes:* Creating a keyring trace and adding to encryption and decryption materials to allow for auditing actions a keyring has taken on encryption materials. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. # Check any applicable: - [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
- Loading branch information
1 parent
3ef8958
commit 9307933
Showing
6 changed files
with
315 additions
and
2 deletions.
There are no files selected for viewing
62 changes: 62 additions & 0 deletions
62
src/main/java/com/amazonaws/encryptionsdk/keyrings/KeyringTrace.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| /* | ||
| * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except | ||
| * in compliance with the License. A copy of the License is located at | ||
| * | ||
| * http://aws.amazon.com/apache2.0 | ||
| * | ||
| * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations under the License. | ||
| */ | ||
|
|
||
| package com.amazonaws.encryptionsdk.keyrings; | ||
|
|
||
| import org.apache.commons.lang3.builder.ToStringBuilder; | ||
| import org.apache.commons.lang3.builder.ToStringStyle; | ||
|
|
||
| import java.util.ArrayList; | ||
| import java.util.Arrays; | ||
| import java.util.Collections; | ||
| import java.util.HashSet; | ||
| import java.util.List; | ||
|
|
||
| /** | ||
| * A keyring trace containing all of the actions that keyrings have taken on a set of encryption materials. | ||
| */ | ||
| public class KeyringTrace { | ||
|
|
||
| private final List<KeyringTraceEntry> entries = new ArrayList<>(); | ||
|
|
||
| /** | ||
| * Add a new entry to the keyring trace. | ||
| * | ||
| * @param keyNamespace The namespace for the key. | ||
| * @param keyName The name of the key. | ||
| * @param flags A set of one or more KeyringTraceFlag enums | ||
| * indicating what actions were taken by a keyring. | ||
| */ | ||
| public void add(String keyNamespace, String keyName, KeyringTraceFlag... flags) { | ||
| entries.add(new KeyringTraceEntry(keyNamespace, keyName, | ||
| new HashSet<>(Arrays.asList(flags)))); | ||
| } | ||
|
|
||
| /** | ||
| * Gets an unmodifiable list of `KeyringTraceEntry`s ordered sequentially | ||
| * according to the order the actions were taken, with the earliest action | ||
| * corresponding to the first `KeyringTraceEntry` in the list. | ||
| * | ||
| * @return An unmodifiable list of `KeyringTraceEntry`s | ||
| */ | ||
| public List<KeyringTraceEntry> getEntries() { | ||
| return Collections.unmodifiableList(entries); | ||
| } | ||
|
|
||
| @Override | ||
| public String toString() { | ||
| return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE) | ||
| .append("entries", entries) | ||
| .toString(); | ||
| } | ||
| } |
104 changes: 104 additions & 0 deletions
104
src/main/java/com/amazonaws/encryptionsdk/keyrings/KeyringTraceEntry.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| /* | ||
| * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except | ||
| * in compliance with the License. A copy of the License is located at | ||
| * | ||
| * http://aws.amazon.com/apache2.0 | ||
| * | ||
| * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations under the License. | ||
| */ | ||
|
|
||
| package com.amazonaws.encryptionsdk.keyrings; | ||
|
|
||
| import org.apache.commons.lang3.builder.ToStringBuilder; | ||
| import org.apache.commons.lang3.builder.ToStringStyle; | ||
|
|
||
| import java.util.Collections; | ||
| import java.util.Objects; | ||
| import java.util.Set; | ||
|
|
||
| import static org.apache.commons.lang3.Validate.notBlank; | ||
| import static org.apache.commons.lang3.Validate.notEmpty; | ||
|
|
||
| /** | ||
| * A representation of an action that a keyring has taken on a data key. | ||
| */ | ||
| public class KeyringTraceEntry { | ||
|
|
||
| private final String keyNamespace; | ||
| private final String keyName; | ||
| private final Set<KeyringTraceFlag> flags; | ||
|
|
||
| /** | ||
| * Constructs a new `KeyringTraceEntry`. | ||
| * | ||
| * @param keyNamespace The namespace for the key. | ||
| * @param keyName The name of the key. | ||
| * @param flags A set of one or more KeyringTraceFlag enums | ||
| * indicating what actions were taken by a keyring. | ||
| */ | ||
| KeyringTraceEntry(final String keyNamespace, final String keyName, final Set<KeyringTraceFlag> flags) { | ||
| notBlank(keyNamespace, "keyNamespace is required"); | ||
| notBlank(keyName, "keyName is required"); | ||
| notEmpty(flags, "At least one flag is required"); | ||
|
|
||
| this.keyNamespace = keyNamespace; | ||
| this.keyName = keyName; | ||
| this.flags = Collections.unmodifiableSet(flags); | ||
| } | ||
|
|
||
| /** | ||
| * Returns the key namespace. | ||
| * | ||
| * @return The key namespace. | ||
| */ | ||
| public String getKeyNamespace() { | ||
| return this.keyNamespace; | ||
| } | ||
|
|
||
| /** | ||
| * Returns the key name. | ||
| * | ||
| * @return The key name. | ||
| */ | ||
| public String getKeyName() { | ||
| return this.keyName; | ||
| } | ||
|
|
||
| /** | ||
| * Returns an unmodifiable set of flags that indicate | ||
| * which actions were taken by a keyring. | ||
| * | ||
| * @return The unmodifiable set of flags. | ||
| */ | ||
| public Set<KeyringTraceFlag> getFlags() { | ||
| return this.flags; | ||
| } | ||
|
|
||
| @Override | ||
| public boolean equals(Object o) { | ||
| if (this == o) return true; | ||
| if (o == null || getClass() != o.getClass()) return false; | ||
| KeyringTraceEntry that = (KeyringTraceEntry) o; | ||
| return Objects.equals(keyNamespace, that.keyNamespace) && | ||
| Objects.equals(keyName, that.keyName) && | ||
| Objects.equals(flags, that.flags); | ||
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Objects.hash(keyNamespace, keyName, flags); | ||
| } | ||
|
|
||
| @Override | ||
| public String toString() { | ||
| return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE) | ||
| .append("keyNamespace", this.keyNamespace) | ||
| .append("keyName", this.keyName) | ||
| .append("flags", this.flags) | ||
| .toString(); | ||
| } | ||
| } |
49 changes: 49 additions & 0 deletions
49
src/main/java/com/amazonaws/encryptionsdk/keyrings/KeyringTraceFlag.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| /* | ||
| * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except | ||
| * in compliance with the License. A copy of the License is located at | ||
| * | ||
| * http://aws.amazon.com/apache2.0 | ||
| * | ||
| * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations under the License. | ||
| */ | ||
|
|
||
| package com.amazonaws.encryptionsdk.keyrings; | ||
|
|
||
| /** | ||
| * Enum representing the possible actions a keyring may take on the | ||
| * different wrapping keys it manages. | ||
| */ | ||
| public enum KeyringTraceFlag { | ||
|
|
||
| /** | ||
| * A flag to represent that a keyring has generated a plaintext data key. | ||
| */ | ||
| GENERATED_DATA_KEY, | ||
|
|
||
| /** | ||
| * A flag to represent that a keyring has created an encrypted data key. | ||
| */ | ||
| ENCRYPTED_DATA_KEY, | ||
|
|
||
| /** | ||
| * A flag to represent that a keyring has obtained the | ||
| * corresponding plaintext data key from an encrypted data key. | ||
| */ | ||
| DECRYPTED_DATA_KEY, | ||
|
|
||
| /** | ||
| * A flag to represent that the keyring has cryptographically | ||
| * bound the encryption context to a newly created encrypted data key. | ||
| */ | ||
| SIGNED_ENCRYPTION_CONTEXT, | ||
|
|
||
| /** | ||
| * A flag to represent that the keyring has verified that an encrypted | ||
| * data key was originally created with a particular encryption context. | ||
| */ | ||
| VERIFIED_ENCRYPTION_CONTEXT | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.