private void actualDecryption()

in DynamoDbEncryption/runtimes/java/src/main/sdkv1/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.java [474:530]


  private void actualDecryption(
    Map<String, AttributeValue> itemAttributes,
    Map<String, Set<EncryptionFlags>> attributeActionsOnEncrypt,
    SecretKey encryptionKey,
    Map<String, String> materialDescription
  ) throws GeneralSecurityException {
    final String encryptionMode = encryptionKey != null
      ? encryptionKey.getAlgorithm() +
      materialDescription.get(symmetricEncryptionModeHeader)
      : null;
    Cipher cipher = null;
    int blockSize = -1;

    for (Map.Entry<String, AttributeValue> entry : itemAttributes.entrySet()) {
      Set<EncryptionFlags> flags = attributeActionsOnEncrypt.get(
        entry.getKey()
      );
      if (flags != null && flags.contains(EncryptionFlags.ENCRYPT)) {
        if (!flags.contains(EncryptionFlags.SIGN)) {
          throw new IllegalArgumentException(
            "All encrypted fields must be signed. Bad field: " + entry.getKey()
          );
        }
        ByteBuffer plainText;
        ByteBuffer cipherText = entry.getValue().getB().asReadOnlyBuffer();
        cipherText.rewind();
        if (encryptionKey instanceof DelegatedKey) {
          plainText =
            ByteBuffer.wrap(
              ((DelegatedKey) encryptionKey).decrypt(
                  toByteArray(cipherText),
                  null,
                  encryptionMode
                )
            );
        } else {
          if (cipher == null) {
            blockSize = getBlockSize(encryptionMode);
            cipher = Cipher.getInstance(encryptionMode);
          }
          byte[] iv = new byte[blockSize];
          cipherText.get(iv);
          cipher.init(
            Cipher.DECRYPT_MODE,
            encryptionKey,
            new IvParameterSpec(iv),
            Utils.getRng()
          );
          plainText =
            ByteBuffer.allocate(cipher.getOutputSize(cipherText.remaining()));
          cipher.doFinal(cipherText, plainText);
          plainText.rewind();
        }
        entry.setValue(AttributeValueMarshaller.unmarshall(plainText));
      }
    }
  }