in src/main/java/software/amazon/encryption/s3/materials/KmsKeyring.java [112:150]
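/**
 * Generates a fresh data key for the given materials by calling AWS KMS
 * {@code GenerateDataKey} against the configured wrapping key.
 * <p>
 * The key is requested with the algorithm suite's key length (128 or 256 bits)
 * and the materials' encryption context is forwarded to KMS unchanged. The
 * KMS-wrapped copy is appended to the materials' list of encrypted data keys
 * and the plaintext copy is set as the plaintext data key. The KMS response is
 * sanity-checked before it is trusted: both blobs must be present and the
 * plaintext must be exactly the requested size, so a malformed or wrong-size
 * key fails here with a clear message instead of surfacing later as an obscure
 * cipher error.
 *
 * @param materials encryption materials whose algorithm suite selects the data
 *                  key algorithm and length, and whose encryption context is
 *                  sent to KMS
 * @return a copy of {@code materials} with the new encrypted data key appended
 *         and the plaintext data key populated; the input object is not mutated
 * @throws S3EncryptionClientException if the suite's data key algorithm is not
 *         AES, if its key length is neither 128 nor 256 bits, or if KMS returns
 *         a plaintext key whose length does not match the requested key length
 * @throws NullPointerException if the KMS response is missing the ciphertext
 *         blob or the plaintext
 */
public EncryptionMaterials generateDataKey(EncryptionMaterials materials) {
    final String dataKeyAlgorithm = materials.algorithmSuite().dataKeyAlgorithm();
    final int dataKeyLengthBits = materials.algorithmSuite().dataKeyLengthBits();

    // KMS GenerateDataKey only produces AES keys; reject any other suite up front.
    if (!"AES".equals(dataKeyAlgorithm)) {
        throw new S3EncryptionClientException(String.format(
                "The data key algorithm %s is not supported by AWS KMS", dataKeyAlgorithm));
    }

    // Map the suite's key length onto the KMS key spec; only 128 and 256 exist.
    final DataKeySpec dataKeySpec;
    switch (dataKeyLengthBits) {
        case 128:
            dataKeySpec = DataKeySpec.AES_128;
            break;
        case 256:
            dataKeySpec = DataKeySpec.AES_256;
            break;
        default:
            throw new S3EncryptionClientException(String.format(
                    "The data key length %d is not supported by AWS KMS", dataKeyLengthBits));
    }

    GenerateDataKeyRequest request = GenerateDataKeyRequest.builder()
            .keyId(_wrappingKeyId)
            .keySpec(dataKeySpec)
            .encryptionContext(materials.encryptionContext())
            .overrideConfiguration(builder -> builder.addApiName(API_NAME))
            .build();
    GenerateDataKeyResponse response = _kmsClient.generateDataKey(request);

    // Defense in depth: validate the response before using it as key material.
    byte[] encryptedDataKeyCiphertext = Objects.requireNonNull(
            response.ciphertextBlob(), "KMS GenerateDataKey response has no ciphertextBlob")
            .asByteArray();
    byte[] plaintextDataKey = Objects.requireNonNull(
            response.plaintext(), "KMS GenerateDataKey response has no plaintext")
            .asByteArray();
    // The spec chosen above fixes the plaintext size (AES_128 -> 16 bytes,
    // AES_256 -> 32 bytes); anything else must not be accepted as a data key.
    if (plaintextDataKey.length * Byte.SIZE != dataKeyLengthBits) {
        throw new S3EncryptionClientException(String.format(
                "AWS KMS returned a %d-byte data key but the algorithm suite requires %d bits",
                plaintextDataKey.length, dataKeyLengthBits));
    }

    // keyProviderInfo() is declared elsewhere in the keyring; presumably it
    // identifies the wrapping key for unwrap-time selection - confirm against
    // the decrypt path.
    EncryptedDataKey encryptedDataKey = EncryptedDataKey.builder()
            .keyProviderId(S3Keyring.KEY_PROVIDER_ID)
            .keyProviderInfo(keyProviderInfo().getBytes(StandardCharsets.UTF_8))
            .encryptedDataKey(encryptedDataKeyCiphertext)
            .build();

    // Copy before appending so the caller's list is never mutated.
    List<EncryptedDataKey> encryptedDataKeys = new ArrayList<>(materials.encryptedDataKeys());
    encryptedDataKeys.add(encryptedDataKey);

    return materials.toBuilder()
            .encryptedDataKeys(encryptedDataKeys)
            .plaintextDataKey(plaintextDataKey)
            .build();
}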