List of usage examples for com.amazonaws.services.s3.model EncryptionMaterials EncryptionMaterials
public EncryptionMaterials(SecretKey symmetricKey)
From source file:S3ClientSideEncryptionWithSymmetricMasterKey.java
License:Apache License
public static void main(String[] args) throws Exception { SecretKey mySymmetricKey = loadSymmetricAESKey(masterKeyDir, "AES"); EncryptionMaterials encryptionMaterials = new EncryptionMaterials(mySymmetricKey); AWSCredentials credentials = new BasicAWSCredentials("Q3AM3UQ867SPQQA43P2F", "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG"); AmazonS3EncryptionClient encryptionClient = new AmazonS3EncryptionClient(credentials, new StaticEncryptionMaterialsProvider(encryptionMaterials)); Region usEast1 = Region.getRegion(Regions.US_EAST_1); encryptionClient.setRegion(usEast1); encryptionClient.setEndpoint("https://play.minio.io:9000"); final S3ClientOptions clientOptions = S3ClientOptions.builder().setPathStyleAccess(true).build(); encryptionClient.setS3ClientOptions(clientOptions); // Create the bucket encryptionClient.createBucket(bucketName); // Upload object using the encryption client. byte[] plaintext = "Hello World, S3 Client-side Encryption Using Asymmetric Master Key!".getBytes(); System.out.println("plaintext's length: " + plaintext.length); encryptionClient.putObject(new PutObjectRequest(bucketName, objectKey, new ByteArrayInputStream(plaintext), new ObjectMetadata())); // Download the object. S3Object downloadedObject = encryptionClient.getObject(bucketName, objectKey); byte[] decrypted = IOUtils.toByteArray(downloadedObject.getObjectContent()); // Verify same data. Assert.assertTrue(Arrays.equals(plaintext, decrypted)); //deleteBucketAndAllContents(encryptionClient); }
From source file:S3ClientSideEncryptionAsymmetricMasterKey.java
License:Apache License
public static void main(String[] args) throws Exception { // 1. Load keys from files byte[] bytes = FileUtils.readFileToByteArray(new File(keyDir + "/private.key")); KeyFactory kf = KeyFactory.getInstance("RSA"); PKCS8EncodedKeySpec ks = new PKCS8EncodedKeySpec(bytes); PrivateKey pk = kf.generatePrivate(ks); bytes = FileUtils.readFileToByteArray(new File(keyDir + "/public.key")); PublicKey publicKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(bytes)); KeyPair loadedKeyPair = new KeyPair(publicKey, pk); // 2. Construct an instance of AmazonS3EncryptionClient. EncryptionMaterials encryptionMaterials = new EncryptionMaterials(loadedKeyPair); AWSCredentials credentials = new BasicAWSCredentials("Q3AM3UQ867SPQQA43P2F", "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG"); AmazonS3EncryptionClient encryptionClient = new AmazonS3EncryptionClient(credentials, new StaticEncryptionMaterialsProvider(encryptionMaterials)); Region usEast1 = Region.getRegion(Regions.US_EAST_1); encryptionClient.setRegion(usEast1); encryptionClient.setEndpoint("https://play.minio.io:9000"); final S3ClientOptions clientOptions = S3ClientOptions.builder().setPathStyleAccess(true).build(); encryptionClient.setS3ClientOptions(clientOptions); // Create the bucket encryptionClient.createBucket(bucketName); // 3. Upload the object. byte[] plaintext = "Hello World, S3 Client-side Encryption Using Asymmetric Master Key!".getBytes(); System.out.println("plaintext's length: " + plaintext.length); encryptionClient.putObject(new PutObjectRequest(bucketName, objectKey, new ByteArrayInputStream(plaintext), new ObjectMetadata())); // 4. Download the object. S3Object downloadedObject = encryptionClient.getObject(bucketName, objectKey); byte[] decrypted = IOUtils.toByteArray(downloadedObject.getObjectContent()); Assert.assertTrue(Arrays.equals(plaintext, decrypted)); System.out.println("decrypted length: " + decrypted.length); //deleteBucketAndAllContents(encryptionClient); }
From source file:com.emc.vipr.services.s3.S3ClientFactory.java
License:Open Source License
/** * Creates an EncryptionClient for testing. Loads the public and private keys from * the properties file (not suitable for production). * * @return/*from w ww. j a va 2 s.c om*/ * @throws IOException */ public static AmazonS3EncryptionClient getEncryptionClient() throws IOException { try { Properties props = ViprConfig.getProperties(); String accessKey = ViprConfig.getPropertyNotEmpty(props, ViprConfig.PROP_S3_ACCESS_KEY_ID); String secretKey = ViprConfig.getPropertyNotEmpty(props, ViprConfig.PROP_S3_SECRET_KEY); String endpoint = ViprConfig.getPropertyNotEmpty(props, ViprConfig.PROP_S3_ENDPOINT); String publicKey = ViprConfig.getPropertyNotEmpty(props, ViprConfig.PROP_PUBLIC_KEY); String privateKey = ViprConfig.getPropertyNotEmpty(props, ViprConfig.PROP_PRIVATE_KEY); byte[] pubKeyBytes = Base64.decodeBase64(publicKey.getBytes("US-ASCII")); byte[] privKeyBytes = Base64.decodeBase64(privateKey.getBytes("US-ASCII")); X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(pubKeyBytes); PKCS8EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(privKeyBytes); PublicKey pubKey; PrivateKey privKey; try { KeyFactory keyFactory = KeyFactory.getInstance("RSA"); pubKey = keyFactory.generatePublic(pubKeySpec); privKey = keyFactory.generatePrivate(privKeySpec); } catch (GeneralSecurityException e) { throw new RuntimeException("Could not load key pair: " + e, e); } EncryptionMaterials keys = new EncryptionMaterials(new KeyPair(pubKey, privKey)); BasicAWSCredentials creds = new BasicAWSCredentials(accessKey, secretKey); AmazonS3EncryptionClient client = new AmazonS3EncryptionClient(creds, keys); client.setEndpoint(endpoint); checkProxyConfig(client, props); return client; } catch (Exception e) { log.info("Could not load configuration: " + e); return null; } }
From source file:com.intuit.s3encrypt.S3Encrypt.java
License:Open Source License
public static void main(String[] args) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException { // create Options object Options options = new Options(); options.addOption(create_bucket);//ww w .j a v a2s .c o m options.addOption(create_key); options.addOption(delete_bucket); options.addOption(get); options.addOption(help); options.addOption(inspect); options.addOption(keyfile); options.addOption(list_buckets); options.addOption(list_objects); options.addOption(put); options.addOption(remove); options.addOption(rotate); options.addOption(rotateall); options.addOption(rotateKey); // CommandLineParser parser = new GnuParser(); // Changed from above GnuParser to below PosixParser because I found code which allows for multiple arguments PosixParser parser = new PosixParser(); CommandLine cmd; try { cmd = parser.parse(options, args); Logger.getRootLogger().setLevel(Level.OFF); if (cmd.hasOption("help")) { HelpFormatter help = new HelpFormatter(); System.out.println(); help.printHelp("S3Encrypt", options); System.out.println(); System.exit(1); } else if (cmd.hasOption("create_key")) { keyname = cmd.getOptionValue("keyfile"); createKeyFile(keyname); key = new File(keyname); } else { if (cmd.hasOption("keyfile")) { keyname = cmd.getOptionValue("keyfile"); } key = new File(keyname); } if (!(key.exists())) { System.out.println("Key does not exist or not provided"); System.exit(1); } // AmazonS3 s3 = new AmazonS3Client(new ClasspathPropertiesFileCredentialsProvider()); ClasspathPropertiesFileCredentialsProvider credentials = new ClasspathPropertiesFileCredentialsProvider( ".s3encrypt"); EncryptionMaterials encryptionMaterials = new EncryptionMaterials(getKeyFile(keyname)); AmazonS3EncryptionClient s3 = new AmazonS3EncryptionClient(credentials.getCredentials(), encryptionMaterials); // Region usWest2 = Region.getRegion(Regions.US_WEST_2); // s3.setRegion(usWest2); if (cmd.hasOption("create_bucket")) { String bucket = cmd.getOptionValue("create_bucket"); System.out.println("Creating bucket " + bucket + "\n"); s3.createBucket(bucket); } else if (cmd.hasOption("delete_bucket")) { String bucket = cmd.getOptionValue("delete_bucket"); System.out.println("Deleting bucket " + bucket + "\n"); s3.deleteBucket(bucket); } else if (cmd.hasOption("get")) { String[] searchArgs = cmd.getOptionValues("get"); String bucket = searchArgs[0]; String filename = searchArgs[1]; getS3Object(cmd, s3, bucket, filename); } else if (cmd.hasOption("inspect")) { String[] searchArgs = cmd.getOptionValues("inspect"); String bucket = searchArgs[0]; String filename = searchArgs[1]; String keyname = "encryption_key"; String metadata = inspectS3Object(cmd, s3, bucket, filename, keyname); System.out.println(metadata); } else if (cmd.hasOption("list_buckets")) { System.out.println("Listing buckets"); for (Bucket bucket : s3.listBuckets()) { System.out.println(bucket.getName()); } System.out.println(); } else if (cmd.hasOption("list_objects")) { String bucket = cmd.getOptionValue("list_objects"); System.out.println("Listing objects"); ObjectListing objectListing = s3.listObjects(new ListObjectsRequest().withBucketName(bucket)); for (S3ObjectSummary objectSummary : objectListing.getObjectSummaries()) { System.out.println(objectSummary.getKey() + " " + "(size = " + objectSummary.getSize() + ")"); } System.out.println(); } else if (cmd.hasOption("put")) { String[] searchArgs = cmd.getOptionValues("put"); String bucket = searchArgs[0]; String filename = searchArgs[1]; String metadataKeyname = "encryption_key"; String key = keyname; putS3Object(cmd, s3, bucket, filename, metadataKeyname, key); } else if (cmd.hasOption("remove")) { String[] searchArgs = cmd.getOptionValues("remove"); String bucket = searchArgs[0]; String filename = searchArgs[1]; System.out.println("Removing object in S3 from BUCKET = " + bucket + " FILENAME = " + filename); s3.deleteObject(new DeleteObjectRequest(bucket, filename)); System.out.println(); } else if (cmd.hasOption("rotate")) { String[] searchArgs = cmd.getOptionValues("rotate"); String bucket = searchArgs[0]; String filename = searchArgs[1]; String key1 = cmd.getOptionValue("keyfile"); String key2 = cmd.getOptionValue("rotateKey"); String metadataKeyname = "encryption_key"; System.out.println("Supposed to get object from here OPTION VALUE = " + bucket + " FILENAME = " + filename + " KEY1 = " + key1 + " KEY2 = " + key2); EncryptionMaterials rotateEncryptionMaterials = new EncryptionMaterials(getKeyFile(key2)); AmazonS3EncryptionClient rotateS3 = new AmazonS3EncryptionClient(credentials.getCredentials(), rotateEncryptionMaterials); getS3Object(cmd, s3, bucket, filename); putS3Object(cmd, rotateS3, bucket, filename, metadataKeyname, key2); } else if (cmd.hasOption("rotateall")) { String[] searchArgs = cmd.getOptionValues("rotateall"); String bucket = searchArgs[0]; String key1 = searchArgs[1]; String key2 = searchArgs[2]; System.out.println("Supposed to rotateall here for BUCKET NAME = " + bucket + " KEY1 = " + key1 + " KEY2 = " + key2); } else { System.out.println("Something went wrong... "); System.exit(1); } } catch (ParseException e) { e.printStackTrace(); } catch (AmazonServiceException ase) { System.out.println("Caught an AmazonServiceException, which " + "means your request made it " + "to Amazon S3, but was rejected with an error response" + " for some reason."); System.out.println("Error Message: " + ase.getMessage()); System.out.println("HTTP Status Code: " + ase.getStatusCode()); System.out.println("AWS Error Code: " + ase.getErrorCode()); System.out.println("Error Type: " + ase.getErrorType()); System.out.println("Request ID: " + ase.getRequestId()); } catch (AmazonClientException ace) { System.out.println("Caught an AmazonClientException, which " + "means the client encountered " + "an internal error while trying to " + "communicate with S3, " + "such as not being able to access the network."); System.out.println("Error Message: " + ace.getMessage()); } }
From source file:com.zotoh.cloudapi.aws.AWSCloud.java
License:Open Source License
private void createAWSClients(Properties ps) { AWSCredentials cc = new BasicAWSCredentials(ps.getProperty(P_ID), ps.getProperty(P_PWD)); AmazonWebServiceClient c;/*from w w w. j av a2 s . c o m*/ _WEB.put("ec2", new AmazonEC2Client(cc)); _WEB.put("s3", new AmazonS3Client(cc)); // SIMPLE-DB c = new AmazonSimpleDBClient(cc); _WEB.put("sdb", c); c.setEndpoint("sdb.amazonaws.com"); // LOAD BALANCER c = new AmazonElasticLoadBalancingClient(cc); _WEB.put("elb", c); c.setEndpoint("elasticloadbalancing.amazonaws.com"); _WEB.put("cloudwatch", new AmazonCloudWatchClient(cc)); _WEB.put("autoscale", new AmazonAutoScalingClient(cc)); // NOTIFICATION c = new AmazonSNSClient(cc); _WEB.put("sns", c); c.setEndpoint("sns.us-east-1.amazonaws.com"); _WEB.put("sqs", new AmazonSQSClient(cc)); _WEB.put("rds", new AmazonRDSClient(cc)); _WEB.put("s3s", new AmazonS3EncryptionClient(cc, new EncryptionMaterials((KeyPair) null))); }
From source file:org.apache.nifi.processors.aws.s3.encryption.ClientSideCMKEncryptionStrategy.java
License:Apache License
/** * Create an encryption client.// w w w . ja v a2s .co m * * @param credentialsProvider AWS credentials provider. * @param clientConfiguration Client configuration * @param region AWS region * @param keyIdOrMaterial client master key, always base64 encoded * @return AWS S3 client */ @Override public AmazonS3Client createEncryptionClient(AWSCredentialsProvider credentialsProvider, ClientConfiguration clientConfiguration, String region, String keyIdOrMaterial) throws SecurityException { if (!validateKey(keyIdOrMaterial).isValid()) { throw new SecurityException("Invalid client key; ensure key material is base64 encoded."); } byte[] keyMaterial = Base64.decodeBase64(keyIdOrMaterial); SecretKeySpec symmetricKey = new SecretKeySpec(keyMaterial, "AES"); StaticEncryptionMaterialsProvider encryptionMaterialsProvider = new StaticEncryptionMaterialsProvider( new EncryptionMaterials(symmetricKey)); boolean haveRegion = StringUtils.isNotBlank(region); CryptoConfiguration cryptoConfig = new CryptoConfiguration(); Region awsRegion = null; if (haveRegion) { awsRegion = Region.getRegion(Regions.fromName(region)); cryptoConfig.setAwsKmsRegion(awsRegion); } AmazonS3EncryptionClient client = new AmazonS3EncryptionClient(credentialsProvider, encryptionMaterialsProvider, cryptoConfig); if (haveRegion && awsRegion != null) { client.setRegion(awsRegion); } return client; }
From source file:org.apache.nifi.processors.aws.s3.encryption.service.StandardS3ClientSideEncryptionService.java
License:Apache License
private EncryptionMaterials encryptionMaterials() { if (!StringUtils.isBlank(kmsCmkId)) { return new KMSEncryptionMaterials(kmsCmkId); }/*from www . j a v a 2 s . co m*/ if (!StringUtils.isBlank(secretKey)) { return new EncryptionMaterials(new SecretKeySpec(secretKey.getBytes(), secretKeyAlgorithm != null ? publicKeyAlgorithm : "RSA")); } if (!StringUtils.isBlank(publicKey) && !StringUtils.isBlank(privateKey)) { try { KeyFactory publicKeyFactory = KeyFactory .getInstance(publicKeyAlgorithm != null ? publicKeyAlgorithm : "RSA"); KeyFactory privateKeyFactory = KeyFactory .getInstance(privateKeyAlgorithm != null ? privateKeyAlgorithm : "RSA"); X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(publicKey.getBytes()); PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(privateKey.getBytes()); KeyPair keyPair = new KeyPair(publicKeyFactory.generatePublic(publicKeySpec), privateKeyFactory.generatePrivate(privateKeySpec)); return new EncryptionMaterials(keyPair); } catch (Exception e) { getLogger().info("Failed to create key pair based encryption materials: reason={}", new Object[] { e.getMessage() }); return null; } } return null; }
From source file:org.nuxeo.ecm.core.storage.sql.S3BinaryManager.java
License:Apache License
@Override protected void setupCloudClient() throws IOException { // Get settings from the configuration bucketName = getProperty(BUCKET_NAME_PROPERTY); bucketNamePrefix = MoreObjects.firstNonNull(getProperty(BUCKET_PREFIX_PROPERTY), StringUtils.EMPTY); String bucketRegion = getProperty(BUCKET_REGION_PROPERTY); if (isBlank(bucketRegion)) { bucketRegion = DEFAULT_BUCKET_REGION; }//from w ww . j a v a2 s . com String awsID = getProperty(AWS_ID_PROPERTY); String awsSecret = getProperty(AWS_SECRET_PROPERTY); String proxyHost = Framework.getProperty(Environment.NUXEO_HTTP_PROXY_HOST); String proxyPort = Framework.getProperty(Environment.NUXEO_HTTP_PROXY_PORT); String proxyLogin = Framework.getProperty(Environment.NUXEO_HTTP_PROXY_LOGIN); String proxyPassword = Framework.getProperty(Environment.NUXEO_HTTP_PROXY_PASSWORD); int maxConnections = getIntProperty(CONNECTION_MAX_PROPERTY); int maxErrorRetry = getIntProperty(CONNECTION_RETRY_PROPERTY); int connectionTimeout = getIntProperty(CONNECTION_TIMEOUT_PROPERTY); int socketTimeout = getIntProperty(SOCKET_TIMEOUT_PROPERTY); String keystoreFile = getProperty(KEYSTORE_FILE_PROPERTY); String keystorePass = getProperty(KEYSTORE_PASS_PROPERTY); String privkeyAlias = getProperty(PRIVKEY_ALIAS_PROPERTY); String privkeyPass = getProperty(PRIVKEY_PASS_PROPERTY); String endpoint = getProperty(ENDPOINT_PROPERTY); String sseprop = getProperty(SERVERSIDE_ENCRYPTION_PROPERTY); if (isNotBlank(sseprop)) { userServerSideEncryption = Boolean.parseBoolean(sseprop); } // Fallback on default env keys for ID and secret if (isBlank(awsID)) { awsID = System.getenv(AWS_ID_ENV); } if (isBlank(awsSecret)) { awsSecret = System.getenv(AWS_SECRET_ENV); } if (isBlank(bucketName)) { throw new RuntimeException("Missing conf: " + BUCKET_NAME_PROPERTY); } if (!isBlank(bucketNamePrefix) && !bucketNamePrefix.endsWith("/")) { log.warn(String.format("%s %s S3 bucket prefix should end by '/' " + ": added automatically.", BUCKET_PREFIX_PROPERTY, bucketNamePrefix)); bucketNamePrefix += "/"; } // set up credentials if (isBlank(awsID) || isBlank(awsSecret)) { awsCredentialsProvider = new InstanceProfileCredentialsProvider(); try { awsCredentialsProvider.getCredentials(); } catch (AmazonClientException e) { throw new RuntimeException("Missing AWS credentials and no instance role found"); } } else { awsCredentialsProvider = new BasicAWSCredentialsProvider(awsID, awsSecret); } // set up client configuration clientConfiguration = new ClientConfiguration(); if (isNotBlank(proxyHost)) { clientConfiguration.setProxyHost(proxyHost); } if (isNotBlank(proxyPort)) { clientConfiguration.setProxyPort(Integer.parseInt(proxyPort)); } if (isNotBlank(proxyLogin)) { clientConfiguration.setProxyUsername(proxyLogin); } if (proxyPassword != null) { // could be blank clientConfiguration.setProxyPassword(proxyPassword); } if (maxConnections > 0) { clientConfiguration.setMaxConnections(maxConnections); } if (maxErrorRetry >= 0) { // 0 is allowed clientConfiguration.setMaxErrorRetry(maxErrorRetry); } if (connectionTimeout >= 0) { // 0 is allowed clientConfiguration.setConnectionTimeout(connectionTimeout); } if (socketTimeout >= 0) { // 0 is allowed clientConfiguration.setSocketTimeout(socketTimeout); } // set up encryption encryptionMaterials = null; if (isNotBlank(keystoreFile)) { boolean confok = true; if (keystorePass == null) { // could be blank log.error("Keystore password missing"); confok = false; } if (isBlank(privkeyAlias)) { log.error("Key alias missing"); confok = false; } if (privkeyPass == null) { // could be blank log.error("Key password missing"); confok = false; } if (!confok) { throw new RuntimeException("S3 Crypto configuration incomplete"); } try { // Open keystore File ksFile = new File(keystoreFile); FileInputStream ksStream = new FileInputStream(ksFile); KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(ksStream, keystorePass.toCharArray()); ksStream.close(); // Get keypair for alias if (!keystore.isKeyEntry(privkeyAlias)) { throw new RuntimeException("Alias " + privkeyAlias + " is missing or not a key alias"); } PrivateKey privKey = (PrivateKey) keystore.getKey(privkeyAlias, privkeyPass.toCharArray()); Certificate cert = keystore.getCertificate(privkeyAlias); PublicKey pubKey = cert.getPublicKey(); KeyPair keypair = new KeyPair(pubKey, privKey); // Get encryptionMaterials from keypair encryptionMaterials = new EncryptionMaterials(keypair); cryptoConfiguration = new CryptoConfiguration(); } catch (IOException | GeneralSecurityException e) { throw new RuntimeException("Could not read keystore: " + keystoreFile + ", alias: " + privkeyAlias, e); } } isEncrypted = encryptionMaterials != null; // Try to create bucket if it doesn't exist if (!isEncrypted) { amazonS3 = new AmazonS3Client(awsCredentialsProvider, clientConfiguration); } else { amazonS3 = new AmazonS3EncryptionClient(awsCredentialsProvider, new StaticEncryptionMaterialsProvider(encryptionMaterials), clientConfiguration, cryptoConfiguration); } if (isNotBlank(endpoint)) { amazonS3.setEndpoint(endpoint); } // Set region explicitely for regions that reguire Version 4 signature ArrayList<String> V4_ONLY_REGIONS = new ArrayList<String>(); V4_ONLY_REGIONS.add("eu-central-1"); V4_ONLY_REGIONS.add("ap-northeast-2"); if (V4_ONLY_REGIONS.contains(bucketRegion)) { amazonS3.setRegion(Region.getRegion(Regions.fromName(bucketRegion))); } try { if (!amazonS3.doesBucketExist(bucketName)) { amazonS3.createBucket(bucketName, bucketRegion); amazonS3.setBucketAcl(bucketName, CannedAccessControlList.Private); } } catch (AmazonClientException e) { throw new IOException(e); } // compat for NXP-17895, using "downloadfroms3", to be removed // these two fields have already been initialized by the base class initialize() // using standard property "directdownload" String dd = getProperty(DIRECTDOWNLOAD_PROPERTY_COMPAT); if (dd != null) { directDownload = Boolean.parseBoolean(dd); } int dde = getIntProperty(DIRECTDOWNLOAD_EXPIRE_PROPERTY_COMPAT); if (dde >= 0) { directDownloadExpire = dde; } transferManager = new TransferManager(amazonS3); abortOldUploads(); }