in DynamoDbEncryption/runtimes/java/src/main/sdkv1/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/DirectKmsMaterialProvider.java [120:176]
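/**
 * Recovers the content-encryption key and the signing (MAC) key for a record by asking KMS to
 * decrypt the envelope key carried in the material description.
 *
 * <p>The content-key and signing-key algorithm descriptors from the material description are
 * placed into the KMS encryption context (under their names wrapped in {@code *}). KMS Decrypt
 * only succeeds when the supplied encryption context matches the one used at encryption time, so
 * a descriptor that was altered after encryption makes the KMS call fail instead of silently
 * changing the derived keys.
 *
 * <p>NOTE(review): the material description is presumably read back from the stored item, so it
 * should be treated as untrusted until KMS has accepted it. Confirm against the caller.
 *
 * @param context encryption context whose material description supplies the algorithm
 *     descriptors and the Base64-encoded envelope key
 * @return materials holding the derived encryption key, the derived MAC key and the original
 *     material description
 * @throws DynamoDBMappingException if the material description or one of its required entries is
 *     missing, if a key-length suffix is not a number, or if the KDF algorithm is unavailable
 */
public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
  final Map<String, String> materialDescription =
    context.getMaterialDescription();
  if (materialDescription == null) {
    throw new DynamoDBMappingException(
      "Encryption context has no material description"
    );
  }
  final String providedEncAlg = materialDescription.get(CONTENT_KEY_ALGORITHM);
  final String providedSigAlg = materialDescription.get(SIGNING_KEY_ALGORITHM);
  final String envelopeKey = materialDescription.get(ENVELOPE_KEY);
  // Reject an incomplete description before any KMS call is made. Previously a missing entry
  // surfaced as a NullPointerException, in the algorithm case only after the Decrypt request.
  // The message names the expected entries only; it never includes their values.
  if (providedEncAlg == null || providedSigAlg == null || envelopeKey == null) {
    throw new DynamoDBMappingException(
      "Material description must contain " +
      CONTENT_KEY_ALGORITHM +
      ", " +
      SIGNING_KEY_ALGORITHM +
      " and " +
      ENVELOPE_KEY
    );
  }

  // Bind both algorithm descriptors into the encryption context that KMS checks on Decrypt.
  final Map<String, String> ec = new HashMap<>();
  ec.put("*" + CONTENT_KEY_ALGORITHM + "*", providedEncAlg);
  ec.put("*" + SIGNING_KEY_ALGORITHM + "*", providedSigAlg);
  populateKmsEcFromEc(context, ec);

  DecryptRequest request = appendUserAgent(new DecryptRequest());
  request.setCiphertextBlob(ByteBuffer.wrap(Base64.decode(envelopeKey)));
  request.setEncryptionContext(ec);
  final DecryptResult decryptResult = decrypt(request, context);
  // The key ID reported by KMS is checked before its plaintext is used for key derivation.
  // NOTE(review): what counts as an acceptable key ID is decided in validateEncryptionKeyId.
  validateEncryptionKeyId(decryptResult.getKeyId(), context);

  final Hkdf kdf;
  try {
    kdf = Hkdf.getInstance(KDF_ALG);
  } catch (NoSuchAlgorithmException e) {
    throw new DynamoDBMappingException(e);
  }
  // NOTE(review): the KMS plaintext is key material and nothing in this method clears the
  // intermediate array. Confirm whether toArray copies the buffer.
  kdf.init(toArray(decryptResult.getPlaintext()));

  // Descriptors have the form "ALGORITHM" or "ALGORITHM/LENGTH"; the length defaults to 256.
  final String[] encAlgParts = providedEncAlg.split("/", 2);
  final String[] sigAlgParts = providedSigAlg.split("/", 2);
  final int encLength;
  final int sigLength;
  try {
    encLength = encAlgParts.length == 2 ? Integer.parseInt(encAlgParts[1]) : 256;
    sigLength = sigAlgParts.length == 2 ? Integer.parseInt(sigAlgParts[1]) : 256;
  } catch (NumberFormatException e) {
    throw new DynamoDBMappingException(
      "Key length in " +
      CONTENT_KEY_ALGORITHM +
      " or " +
      SIGNING_KEY_ALGORITHM +
      " is not a number",
      e
    );
  }

  // Lengths are divided by 8 before being passed to deriveKey, so they appear to be bit counts;
  // integer division drops any remainder. Separate info values keep the two derived keys
  // independent of each other.
  final SecretKey encryptionKey = new SecretKeySpec(
    kdf.deriveKey(KDF_ENC_INFO, encLength / 8),
    encAlgParts[0]
  );
  final SecretKey macKey = new SecretKeySpec(
    kdf.deriveKey(KDF_SIG_INFO, sigLength / 8),
    sigAlgParts[0]
  );
  return new SymmetricRawMaterials(encryptionKey, macKey, materialDescription);
}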