Example usage for com.amazonaws.services.kms AWSKMSClient AWSKMSClient

List of usage examples for com.amazonaws.services.kms AWSKMSClient AWSKMSClient

Introduction

This page collects usage examples for the com.amazonaws.services.kms AWSKMSClient constructor, taken from several open-source projects. Note that every example below builds the client with the deprecated credential- or configuration-based constructors and calls setEndpoint(); current SDK versions recommend AWSKMSClientBuilder with an explicit region and a credentials provider instead.

Prototype

AWSKMSClient(AwsSyncClientParams clientParams) 

Source Link

Document

Constructs a new client to invoke service methods on KMS using the specified parameters. The examples below do not call this overload directly: they use the overloads that take an AWSCredentials or a ClientConfiguration.

Usage

From source file:com.choicemaker.xmlencryption.AwsKmsUtils.java

License:Open Source License

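/**
 * Decrypts a base64-encoded KMS ciphertext blob and returns the recovered plaintext.
 * <p>
 * Only {@code creds}, {@code encValueSecretKey} and {@code endpoint} affect the request:
 * {@code masterKeyId} and {@code algorithm} are validated/defaulted here but never sent,
 * because a KMS decrypt of a symmetric ciphertext identifies the master key from the blob.
 *
 * @param creds             credentials used to sign the KMS call; must not be null
 * @param masterKeyId       master key id; must be non-blank (validated only, not used)
 * @param algorithm         key-spec name; blank falls back to
 *                          {@code DefaultAlgorithms.DEFAULT_AWS_KEY_ENCRYPTION_ALGORITHM} (not used)
 * @param encValueSecretKey base64 text of the ciphertext blob produced by KMS
 * @param endpoint          optional endpoint override; null keeps the SDK default
 * @return the plaintext exactly as returned by KMS; callers should clear it once consumed
 * @throws Base64DecodingException if {@code encValueSecretKey} is not valid base64
 */
public static ByteBuffer computeSecretBytes(AWSCredentials creds, String masterKeyId, String algorithm,
        String encValueSecretKey, String endpoint) throws Base64DecodingException {
    Precondition.assertNonNullArgument("null credentials", creds);
    Precondition.assertNonEmptyString("null or blank master key id", masterKeyId);
    Precondition.assertNonEmptyString("null or blank encrypted value", encValueSecretKey);
    if (!StringUtils.nonEmptyString(algorithm)) {
        algorithm = DefaultAlgorithms.DEFAULT_AWS_KEY_ENCRYPTION_ALGORITHM;
    }

    AWSKMSClient kms = new AWSKMSClient(creds);
    if (endpoint != null) {
        // The override is trusted as-is: whatever answers at this address hands back the
        // plaintext key, so it must be a genuine https KMS endpoint from trusted configuration.
        kms.setEndpoint(endpoint);
    }

    // Base64 text is ASCII, but decode it with an explicit charset so the bytes handed to the
    // decoder never depend on the JVM's platform default (getBytes() with no argument).
    // Fully qualified so this change needs no new import.
    byte[] encBase64 = encValueSecretKey.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] encBytes = Base64.decode(encBase64);
    ByteBuffer encryptedKey = ByteBuffer.wrap(encBytes);

    DecryptRequest request = new DecryptRequest().withCiphertextBlob(encryptedKey);
    DecryptResult result = kms.decrypt(request);
    return result.getPlaintext();
}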

From source file:com.choicemaker.xmlencryption.AwsKmsUtils.java

License:Open Source License

/**
 * Asks KMS to mint a fresh data key under {@code masterKeyId}.
 * <p>
 * The result carries both the plaintext key and the ciphertext blob that wraps it. Callers
 * should persist only the blob and clear the plaintext as soon as it has been used.
 *
 * @param creds       credentials used to sign the request; must not be null
 * @param masterKeyId id of the master key; must be non-blank
 * @param algorithm   KMS key spec (for example {@code AES_256}); blank selects
 *                    {@code DefaultAlgorithms.DEFAULT_AWS_KEY_ENCRYPTION_ALGORITHM}
 * @param endpoint    optional endpoint override; null keeps the SDK default
 * @return the raw KMS result
 */
static GenerateDataKeyResult generateDataKey(AWSCredentials creds, String masterKeyId, String algorithm,
        String endpoint) {
    Precondition.assertNonNullArgument("null credentials", creds);
    Precondition.assertNonEmptyString("null or blank master key id", masterKeyId);

    String keySpec = StringUtils.nonEmptyString(algorithm)
            ? algorithm
            : DefaultAlgorithms.DEFAULT_AWS_KEY_ENCRYPTION_ALGORITHM;

    AWSKMSClient kms = new AWSKMSClient(creds);
    if (endpoint != null) {
        // Must be a trusted https KMS endpoint: the plaintext data key is returned from here.
        kms.setEndpoint(endpoint);
    }

    GenerateDataKeyRequest dataKeyRequest = new GenerateDataKeyRequest()
            .withKeyId(masterKeyId)
            .withKeySpec(keySpec);
    return kms.generateDataKey(dataKeyRequest);
}

From source file:org.apache.coheigea.cxf.kms.asymmetric.KMSPasswordEncryptor.java

License:Apache License

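/**
 * Encrypts a password under the configured KMS master key and returns the ciphertext blob
 * as base64 text. The password is encoded as UTF-8; the matching {@code decrypt} must decode
 * with the same charset for the round trip to be platform-independent.
 * <p>
 * A new client is built per call from the static {@code accessKey}/{@code secretKey} fields
 * and pointed at {@code endpoint}. Holding long-lived static secrets in this object is a
 * known cost of this design; a credential provider (instance profile/role) would avoid it.
 *
 * @param password the plaintext to protect; must not be null
 * @return base64 text of the KMS ciphertext blob
 */
@Override
public String encrypt(String password) {
    final AWSCredentials creds = new BasicAWSCredentials(accessKey, secretKey);

    AWSKMSClient kms = new AWSKMSClient(creds);
    kms.setEndpoint(endpoint);

    // Explicit charset: getBytes() with no argument uses the platform default, so a ciphertext
    // produced on one host could decode to a different string on another.
    // Fully qualified so this change needs no new import.
    byte[] plaintextBytes = password.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    ByteBuffer plaintext = ByteBuffer.wrap(plaintextBytes);

    EncryptRequest req = new EncryptRequest().withPlaintext(plaintext);
    req.setKeyId(masterKeyId);
    ByteBuffer encryptedKey = kms.encrypt(req).getCiphertextBlob();

    // Best-effort scrub of our copy of the plaintext once KMS has it
    // (the String argument itself cannot be cleared).
    java.util.Arrays.fill(plaintextBytes, (byte) 0);

    byte[] key = new byte[encryptedKey.remaining()];
    encryptedKey.get(key);

    return Base64.encode(key);
}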

From source file:org.apache.coheigea.cxf.kms.asymmetric.KMSPasswordEncryptor.java

License:Apache License

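/**
 * Decrypts a base64-encoded KMS ciphertext blob back into the original password, decoding
 * the plaintext as UTF-8 (the charset the matching {@code encrypt} must use).
 * <p>
 * Returns {@code null} when the input is not valid base64; errors from KMS itself
 * (for example {@code AmazonServiceException}) are not caught and propagate to the caller.
 *
 * @param encryptedPassword base64 text of the KMS ciphertext blob
 * @return the recovered password, or {@code null} if the input could not be base64-decoded
 */
@Override
public String decrypt(String encryptedPassword) {

    final AWSCredentials creds = new BasicAWSCredentials(accessKey, secretKey);

    AWSKMSClient kms = new AWSKMSClient(creds);
    kms.setEndpoint(endpoint);

    try {
        byte[] encryptedBytes = Base64.decode(encryptedPassword);
        ByteBuffer encryptedKey = ByteBuffer.wrap(encryptedBytes);

        DecryptRequest req = new DecryptRequest().withCiphertextBlob(encryptedKey);
        ByteBuffer plaintextKey = kms.decrypt(req).getPlaintext();

        byte[] key = new byte[plaintextKey.remaining()];
        plaintextKey.get(key);

        // Explicit charset: new String(byte[]) with no charset uses the platform default,
        // which need not match the charset the password was encrypted with.
        // Fully qualified so this change needs no new import.
        String password = new String(key, java.nio.charset.StandardCharsets.UTF_8);
        // Best-effort scrub of the plaintext copy; the returned String cannot be cleared.
        java.util.Arrays.fill(key, (byte) 0);
        return password;
    } catch (Base64DecodingException ex) {
        // Malformed input is reported as "no password" rather than as an exception.
        return null;
    }
}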

From source file:org.apache.coheigea.cxf.kms.common.CommonCallbackHandler.java

License:Apache License

/**
 * Supplies WSS4J with a symmetric key backed by AWS KMS.
 * <p>
 * For every {@code WSPasswordCallback} whose usage is {@code SECRET_KEY}:
 * <ul>
 * <li>if the callback already carries an encrypted secret, that blob is sent to KMS for
 *     decryption and the plaintext becomes the key;</li>
 * <li>otherwise a new data key is generated under {@code masterKeyId} (AES_128 by default,
 *     AES_256 when the requested algorithm URI contains "aes256"), the plaintext becomes the key,
 *     the wrapping blob is stored back on the callback, and a {@code ds:KeyInfo/ds:KeyName}
 *     element is attached as the key reference.</li>
 * </ul>
 * Callbacks of other types or usages are ignored. A new KMS client is built per matching
 * callback from the static {@code accessKey}/{@code secretKey} fields and {@code endpoint}.
 * NOTE(review): the KeyName text is a fixed literal that is not derived from {@code masterKeyId};
 * confirm with the receiving side that this is the intended identifier.
 *
 * @param callbacks callbacks handed over by WSS4J
 * @throws IOException                  declared by the callback-handler contract; not thrown here
 * @throws UnsupportedCallbackException declared by the callback-handler contract; not thrown here
 */
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback callback : callbacks) {
        if (!(callback instanceof WSPasswordCallback)) {
            continue;
        }
        WSPasswordCallback pc = (WSPasswordCallback) callback;
        if (pc.getUsage() != WSPasswordCallback.SECRET_KEY) {
            continue;
        }

        final AWSCredentials creds = new BasicAWSCredentials(accessKey, secretKey);
        AWSKMSClient kms = new AWSKMSClient(creds);
        // Plaintext keys come back from this address: it must be a trusted https KMS endpoint.
        kms.setEndpoint(endpoint);

        byte[] wrappedKey = pc.getEncryptedSecret();
        if (wrappedKey != null) {
            // Unwrap an existing data key.
            DecryptRequest req = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(wrappedKey));
            pc.setKey(copyRemaining(kms.decrypt(req).getPlaintext()));
            continue;
        }

        // Mint a new data key; the spec follows the algorithm WSS4J asked for.
        String keySpec = "AES_128";
        String requestedAlgorithm = pc.getAlgorithm();
        if (requestedAlgorithm != null && requestedAlgorithm.contains("aes256")) {
            keySpec = "AES_256";
        }
        GenerateDataKeyRequest dataKeyRequest = new GenerateDataKeyRequest();
        dataKeyRequest.setKeyId(masterKeyId);
        dataKeyRequest.setKeySpec(keySpec);

        GenerateDataKeyResult dataKeyResult = kms.generateDataKey(dataKeyRequest);
        pc.setKey(copyRemaining(dataKeyResult.getPlaintext()));
        pc.setEncryptedSecret(copyRemaining(dataKeyResult.getCiphertextBlob()));

        // Build <ds:KeyInfo><ds:KeyName>...</ds:KeyName></ds:KeyInfo> as the key reference.
        Document doc = DOMUtils.newDocument();
        Element keyInfoElement = doc.createElementNS(WSConstants.SIG_NS,
                WSConstants.SIG_PREFIX + ":" + WSConstants.KEYINFO_LN);
        keyInfoElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:" + WSConstants.SIG_PREFIX,
                WSConstants.SIG_NS);
        Element keyNameElement = doc.createElementNS(WSConstants.SIG_NS,
                WSConstants.SIG_PREFIX + ":KeyName");
        keyNameElement.setTextContent("1c84a3f2-51cc-4c66-9045-68f51ef8b1eb");
        keyInfoElement.appendChild(keyNameElement);
        pc.setKeyInfoReference(keyInfoElement);
    }
}

/** Copies the readable window of {@code buffer} into a fresh array, consuming the buffer. */
private static byte[] copyRemaining(ByteBuffer buffer) {
    byte[] out = new byte[buffer.remaining()];
    buffer.get(out);
    return out;
}

From source file:org.finra.dm.dao.impl.KmsDaoImpl.java

License:Apache License

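/**
 * {@inheritDoc}
 * <p>
 * Decrypts a base64-encoded KMS ciphertext blob and returns the plaintext as a UTF-8 string.
 * A client is built per call from the configuration derived from {@code awsParamsDto} and
 * shut down before returning. No explicit credentials are supplied, so the SDK's default
 * provider chain is used (environment variables, Java system properties, instance profile;
 * the exact members and order depend on the SDK version).
 *
 * @param awsParamsDto         parameters used to derive the client configuration
 * @param base64ciphertextBlob base64 text of the ciphertext blob returned by KMS
 * @return the decrypted plaintext decoded as UTF-8
 */
@Override
public String decrypt(AwsParamsDto awsParamsDto, String base64ciphertextBlob) {
    // Construct a new AWS KMS service client using the specified client configuration.
    AWSKMSClient awsKmsClient = new AWSKMSClient(awsHelper.getClientConfiguration(awsParamsDto));
    try {
        // Decode the base64 encoded ciphertext.
        ByteBuffer ciphertextBlob = ByteBuffer.wrap(Base64.decodeBase64(base64ciphertextBlob));

        // Create the decrypt request and call AWS KMS.
        DecryptRequest decryptRequest = new DecryptRequest().withCiphertextBlob(ciphertextBlob);
        DecryptResult decryptResult = kmsOperations.decrypt(awsKmsClient, decryptRequest);

        // Decode only the readable window [position, limit) of the buffer. array() would hand
        // back the whole backing array regardless of position/limit and is unsupported for
        // read-only or direct buffers.
        ByteBuffer plainText = decryptResult.getPlaintext();
        return StandardCharsets.UTF_8.decode(plainText).toString();
    } finally {
        // Release the client's HTTP resources; it is local to this call.
        awsKmsClient.shutdown();
    }
}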

From source file:org.finra.herd.dao.impl.KmsDaoImpl.java

License:Apache License

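/**
 * Decrypts a base64-encoded KMS ciphertext blob and returns the plaintext as a UTF-8 string.
 * <p>
 * A client is built per call from the configuration derived from {@code awsParamsDto} and
 * shut down before returning. No explicit credentials are supplied, so the SDK's default
 * provider chain is used (environment variables, Java system properties, instance profile;
 * the exact members and order depend on the SDK version).
 *
 * @param awsParamsDto         parameters used to derive the client configuration
 * @param base64ciphertextBlob base64 text of the ciphertext blob returned by KMS
 * @return the decrypted plaintext decoded as UTF-8
 */
@Override
public String decrypt(AwsParamsDto awsParamsDto, String base64ciphertextBlob) {
    // Construct a new AWS KMS service client using the specified client configuration.
    AWSKMSClient awsKmsClient = new AWSKMSClient(awsHelper.getClientConfiguration(awsParamsDto));
    try {
        // Decode the base64 encoded ciphertext.
        ByteBuffer ciphertextBlob = ByteBuffer.wrap(Base64.decodeBase64(base64ciphertextBlob));

        // Create the decrypt request and call AWS KMS.
        DecryptRequest decryptRequest = new DecryptRequest().withCiphertextBlob(ciphertextBlob);
        DecryptResult decryptResult = kmsOperations.decrypt(awsKmsClient, decryptRequest);

        // Decode only the readable window [position, limit) of the buffer. array() would hand
        // back the whole backing array regardless of position/limit and is unsupported for
        // read-only or direct buffers.
        ByteBuffer plainText = decryptResult.getPlaintext();
        return StandardCharsets.UTF_8.decode(plainText).toString();
    } finally {
        // Release the client's HTTP resources; it is local to this call.
        awsKmsClient.shutdown();
    }
}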

From source file:org.sfs.encryption.AwsKms.java

License:Apache License

/**
 * Initialises the KMS-backed key store once.
 * <p>
 * On the first call (guarded by the {@code started} flag) the endpoint, key id, access key id
 * and secret key are read from {@code config} or the environment, each is required, and the
 * KMS client is built on the background pool so the event loop is not blocked. Later calls
 * are filtered out and complete without doing anything.
 * <p>
 * The credentials are static and kept in fields for the lifetime of this object; the endpoint
 * must be a trusted https KMS endpoint because plaintext key material is returned from it.
 *
 * @param vertxContext context providing the Vert.x instance and background pool
 * @param config       configuration to read the {@code keystore.aws.kms.*} settings from
 * @return an observable that completes once the client is ready (or immediately if already started)
 * @throws IllegalArgumentException if a required setting is missing (via {@code Preconditions})
 */
public Observable<Void> start(VertxContext<Server> vertxContext, JsonObject config) {
    SfsVertx sfsVertx = vertxContext.vertx();
    Context ctx = sfsVertx.getOrCreateContext();
    return Defer.aVoid()
            .filter(v -> started.compareAndSet(false, true))
            .flatMap(v -> {
                String endpoint = ConfigHelper.getFieldOrEnv(config, "keystore.aws.kms.endpoint");
                Preconditions.checkArgument(endpoint != null, "keystore.aws.kms.endpoint is required");

                keyId = ConfigHelper.getFieldOrEnv(config, "keystore.aws.kms.key_id");
                Preconditions.checkArgument(keyId != null, "keystore.aws.kms.key_id is required");

                accessKeyId = ConfigHelper.getFieldOrEnv(config, "keystore.aws.kms.access_key_id");
                Preconditions.checkArgument(accessKeyId != null, "keystore.aws.kms.access_key_id is required");

                secretKey = ConfigHelper.getFieldOrEnv(config, "keystore.aws.kms.secret_key");
                Preconditions.checkArgument(secretKey != null, "keystore.aws.kms.secret_key is required");

                // Credentials are read from the fields on each access rather than copied here.
                AWSCredentials staticCredentials = new AWSCredentials() {
                    @Override
                    public String getAWSAccessKeyId() {
                        return AwsKms.this.accessKeyId;
                    }

                    @Override
                    public String getAWSSecretKey() {
                        return AwsKms.this.secretKey;
                    }
                };

                return RxHelper.executeBlocking(ctx, sfsVertx.getBackgroundPool(), () -> {
                    kms = new AWSKMSClient(staticCredentials);
                    kms.setEndpoint(endpoint);
                    return (Void) null;
                });
            })
            .singleOrDefault(null);
}