in DynamoDbEncryption/runtimes/java/src/main/sdkv1/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.java [474:530]
/**
 * Decrypts, in place, every attribute of {@code itemAttributes} whose configured actions
 * include {@link EncryptionFlags#ENCRYPT}; all other attributes are left untouched.
 *
 * <p>The cipher transformation is the key's algorithm name concatenated with the value stored
 * under {@code symmetricEncryptionModeHeader} in {@code materialDescription}. A
 * {@link DelegatedKey} receives the whole binary value and decrypts it itself. For any other key
 * the leading {@code blockSize} bytes of the value are read as the IV and the remainder is
 * decrypted with a JCE {@link Cipher}.
 *
 * <p>NOTE(review): nothing in this method authenticates the ciphertext or the material
 * description. The SIGN test below only confirms that the attribute is <em>configured</em> to be
 * signed. Confirm that every caller verifies the item signature before invoking this method,
 * because both the transformation string and the ciphertext come from the inputs.
 *
 * <p>NOTE(review): malformed input surfaces as unchecked exceptions rather than
 * {@link GeneralSecurityException}: a value shorter than the IV length makes
 * {@link ByteBuffer#get(byte[])} throw {@code BufferUnderflowException}, and a {@code null}
 * result from {@code getB()} is dereferenced directly.
 *
 * @param itemAttributes attributes of the item; encrypted entries are replaced by their
 *     unmarshalled plaintext value
 * @param attributeActionsOnEncrypt per-attribute flags; an attribute with no entry is skipped
 * @param encryptionKey key used for decryption; when {@code null} no transformation string is
 *     built
 * @param materialDescription supplies the mode/padding suffix of the transformation string; only
 *     read when {@code encryptionKey} is non-null
 * @throws IllegalArgumentException if an attribute is flagged ENCRYPT but not SIGN
 * @throws GeneralSecurityException if the JCE provider or the delegated key rejects the
 *     operation
 */
private void actualDecryption(
    Map<String, AttributeValue> itemAttributes,
    Map<String, Set<EncryptionFlags>> attributeActionsOnEncrypt,
    SecretKey encryptionKey,
    Map<String, String> materialDescription
) throws GeneralSecurityException {
  // Built once, up front. If the header is missing from the description, string concatenation
  // appends the literal text "null" to the algorithm name.
  final String encryptionMode;
  if (encryptionKey == null) {
    encryptionMode = null;
  } else {
    encryptionMode =
        encryptionKey.getAlgorithm() + materialDescription.get(symmetricEncryptionModeHeader);
  }

  // Created lazily on the first attribute that needs the JCE path, then reused for the rest.
  Cipher sharedCipher = null;
  int ivLength = -1;

  for (Map.Entry<String, AttributeValue> attribute : itemAttributes.entrySet()) {
    final Set<EncryptionFlags> actions = attributeActionsOnEncrypt.get(attribute.getKey());
    if (actions == null || !actions.contains(EncryptionFlags.ENCRYPT)) {
      continue;
    }
    if (!actions.contains(EncryptionFlags.SIGN)) {
      throw new IllegalArgumentException(
          "All encrypted fields must be signed. Bad field: " + attribute.getKey()
      );
    }

    // Read-only view, so the caller's buffer position is not disturbed by the reads below.
    final ByteBuffer encrypted = attribute.getValue().getB().asReadOnlyBuffer();
    encrypted.rewind();

    final ByteBuffer decrypted;
    if (encryptionKey instanceof DelegatedKey) {
      final DelegatedKey delegate = (DelegatedKey) encryptionKey;
      final byte[] plainBytes = delegate.decrypt(toByteArray(encrypted), null, encryptionMode);
      decrypted = ByteBuffer.wrap(plainBytes);
    } else {
      // A null key with an ENCRYPT-flagged attribute also lands here, with a null mode.
      if (sharedCipher == null) {
        // getBlockSize is defined elsewhere; presumably the cipher block size in bytes.
        ivLength = getBlockSize(encryptionMode);
        sharedCipher = Cipher.getInstance(encryptionMode);
      }
      // The IV is stored as a prefix of the attribute value; consume it before decrypting.
      final byte[] initVector = new byte[ivLength];
      encrypted.get(initVector);
      sharedCipher.init(
          Cipher.DECRYPT_MODE,
          encryptionKey,
          new IvParameterSpec(initVector),
          Utils.getRng()
      );
      decrypted = ByteBuffer.allocate(sharedCipher.getOutputSize(encrypted.remaining()));
      sharedCipher.doFinal(encrypted, decrypted);
      // doFinal advanced the position; reset it so unmarshalling starts at the first byte.
      decrypted.rewind();
    }

    attribute.setValue(AttributeValueMarshaller.unmarshall(decrypted));
  }
}