in sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.java [371:414]
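/**
 * Decrypts, in place, every attribute of {@code itemAttributes} whose flags contain {@link
 * EncryptionFlags#ENCRYPT}. Attributes with no flags, or without {@code ENCRYPT}, are left
 * untouched.
 *
 * <p>When {@code encryptionKey} is a {@link DelegatedKey}, the whole stored value is handed to
 * the key's own {@code decrypt} method. Otherwise a JCE {@link Cipher} is used: the
 * transformation string is the key algorithm concatenated with the value of {@code
 * symmetricEncryptionModeHeader} in {@code materialDescription}, and the first {@code blockSize}
 * bytes of each stored value are consumed as that attribute's IV.
 *
 * <p>NOTE(review): this method only checks that an encrypted field is also <em>flagged</em> for
 * signing; it does not verify any signature itself. Presumably the caller verifies the item
 * signature (including the material description that selects the cipher mode here) before
 * calling this method. Confirm against the caller, because everything read below comes from the
 * stored item.
 *
 * @param itemAttributes the item's attributes; encrypted entries are replaced with their
 *     decrypted, unmarshalled values
 * @param attributeFlags per-attribute-name flags deciding which entries are decrypted
 * @param encryptionKey the decryption key; may be {@code null}, in which case the mode string is
 *     {@code null} (NOTE(review): an ENCRYPT-flagged attribute would then reach {@code
 *     getBlockSize(null)}; confirm callers never combine the two)
 * @param materialDescription material description supplying the symmetric mode suffix
 * @throws IllegalArgumentException if an attribute is flagged ENCRYPT but not SIGN, or if an
 *     ENCRYPT-flagged attribute has no binary value
 * @throws GeneralSecurityException if the cipher cannot be created or initialized, if the stored
 *     value is too short to contain an IV, or if decryption fails
 */
private void actualDecryption(
    Map<String, AttributeValue> itemAttributes,
    Map<String, Set<EncryptionFlags>> attributeFlags,
    SecretKey encryptionKey,
    Map<String, String> materialDescription)
    throws GeneralSecurityException {
  final String encryptionMode =
      encryptionKey != null
          ? encryptionKey.getAlgorithm() + materialDescription.get(symmetricEncryptionModeHeader)
          : null;
  // Created lazily on the first non-delegated encrypted attribute, then re-initialized with a
  // fresh IV for each subsequent attribute.
  Cipher cipher = null;
  int blockSize = -1;
  for (Map.Entry<String, AttributeValue> entry : itemAttributes.entrySet()) {
    Set<EncryptionFlags> flags = attributeFlags.get(entry.getKey());
    if (flags != null && flags.contains(EncryptionFlags.ENCRYPT)) {
      // Encrypt-without-sign is rejected outright: ciphertext that is not covered by the
      // signature must never be decrypted.
      if (!flags.contains(EncryptionFlags.SIGN)) {
        throw new IllegalArgumentException(
            "All encrypted fields must be signed. Bad field: " + entry.getKey());
      }
      // An attribute flagged ENCRYPT must be stored as binary. Fail with a clear message
      // instead of a NullPointerException when the stored value has a different type.
      final AttributeValue storedValue = entry.getValue();
      final ByteBuffer storedBinary = storedValue == null ? null : storedValue.getB();
      if (storedBinary == null) {
        throw new IllegalArgumentException(
            "Encrypted fields must be binary. Bad field: " + entry.getKey());
      }
      ByteBuffer plainText;
      // Read-only view so the caller's buffer position and contents are not disturbed.
      ByteBuffer cipherText = storedBinary.asReadOnlyBuffer();
      cipherText.rewind();
      if (encryptionKey instanceof DelegatedKey) {
        plainText =
            ByteBuffer.wrap(
                ((DelegatedKey) encryptionKey)
                    .decrypt(toByteArray(cipherText), null, encryptionMode));
      } else {
        if (cipher == null) {
          blockSize = getBlockSize(encryptionMode);
          cipher = Cipher.getInstance(encryptionMode);
        }
        // The stored value is IV || ciphertext. A truncated value would otherwise surface as an
        // unchecked BufferUnderflowException from the get() below.
        if (cipherText.remaining() < blockSize) {
          throw new GeneralSecurityException(
              "Ciphertext is too short to contain an IV. Bad field: " + entry.getKey());
        }
        byte[] iv = new byte[blockSize];
        cipherText.get(iv);
        cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new IvParameterSpec(iv), Utils.getRng());
        plainText = ByteBuffer.allocate(cipher.getOutputSize(cipherText.remaining()));
        cipher.doFinal(cipherText, plainText);
        // NOTE(review): rewind() resets the position but leaves the limit at capacity, so any
        // slack from getOutputSize() over-estimating stays visible to unmarshall(); confirm the
        // unmarshaller is length-driven and ignores trailing bytes.
        plainText.rewind();
      }
      entry.setValue(AttributeValueMarshaller.unmarshall(plainText));
    }
  }
}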