public Map decryptRecord()

in sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.java [232:292]


  /**
   * Verifies the signature of an item and then decrypts its attributes in a private copy.
   *
   * <p>If {@code itemContainsFieldsToDecryptOrSign} reports nothing to do for the given flags, the
   * caller's map is returned as-is and no signature check is performed on this path. Callers that
   * rely on integrity protection must therefore pass {@code attributeFlags} that actually mark the
   * attributes they expect to be signed.
   *
   * <p>Otherwise the steps run in a fixed order that must not be rearranged: read the material
   * description, obtain decryption materials, verify the signature, and only then decrypt.
   *
   * @param itemAttributes the stored item; never mutated, a copy is made before any change
   * @param attributeFlags per-attribute flags, passed on to signature verification and decryption
   * @param context base encryption context; material description and attribute values are added
   * @return the caller's map unchanged when there is nothing to decrypt or sign, otherwise a new
   *     map with the signature and material-description attributes removed
   * @throws GeneralSecurityException as declared; presumably raised by the materials provider,
   *     signature verification or decryption (confirm against the callees)
   */
  public Map<String, AttributeValue> decryptRecord(
      Map<String, AttributeValue> itemAttributes,
      Map<String, Set<EncryptionFlags>> attributeFlags,
      EncryptionContext context)
      throws GeneralSecurityException {
    final boolean nothingToProcess =
        !itemContainsFieldsToDecryptOrSign(itemAttributes.keySet(), attributeFlags);
    if (nothingToProcess) {
      // No verification happens on this path; the item is handed back untouched.
      return itemAttributes;
    }

    // Work on a private copy so the caller's map is left alone.
    final Map<String, AttributeValue> workingItem = new HashMap<>(itemAttributes);

    // Start with the default signer; it is replaced below if the item names another algorithm.
    DynamoDBSigner signer = DynamoDBSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, Utils.getRng());

    // The description is read from the item before its signature has been checked.
    final Map<String, String> description =
        workingItem.containsKey(materialDescriptionFieldName)
            ? unmarshallDescription(workingItem.get(materialDescriptionFieldName))
            : Collections.<String, String>emptyMap();

    // Extend the supplied context with the material description and attribute values.
    EncryptionContext effectiveContext =
        new EncryptionContext.Builder(context)
            .withMaterialDescription(description)
            .withAttributeValues(workingItem)
            .build();

    final Function<EncryptionContext, EncryptionContext> contextOverride =
        getEncryptionContextOverrideOperator();
    if (contextOverride != null) {
      effectiveContext = contextOverride.apply(effectiveContext);
    }

    final DecryptionMaterials decryptionMaterials =
        encryptionMaterialsProvider.getDecryptionMaterials(effectiveContext);
    final SecretKey itemKey = decryptionMaterials.getDecryptionKey();

    // NOTE(review): the algorithm name is taken from the not-yet-verified material description;
    // confirm DynamoDBSigner.getInstance only accepts the algorithms this deployment expects.
    if (description.containsKey(signingAlgorithmHeader)) {
      signer = DynamoDBSigner.getInstance(description.get(signingAlgorithmHeader), Utils.getRng());
    }

    // A missing or non-binary signature becomes an empty buffer rather than an early exit;
    // presumably verifySignature rejects it -- confirm in DynamoDBSigner.
    final boolean signaturePresent =
        workingItem.containsKey(signatureFieldName)
            && workingItem.get(signatureFieldName).getB() != null;
    final ByteBuffer signature =
        signaturePresent
            ? workingItem.get(signatureFieldName).getB().asReadOnlyBuffer()
            : ByteBuffer.allocate(0);

    // The signature attribute is taken out before verification runs over the remaining item.
    workingItem.remove(signatureFieldName);

    // The table name is passed to the signer as associated data.
    final String associatedData = "TABLE>" + effectiveContext.getTableName() + "<TABLE";
    signer.verifySignature(
        workingItem,
        attributeFlags,
        associatedData.getBytes(UTF8),
        decryptionMaterials.getVerificationKey(),
        signature);

    // The material description stays in the item during verification and is dropped only now.
    workingItem.remove(materialDescriptionFieldName);

    // Decryption happens only after verifySignature has returned without throwing.
    actualDecryption(workingItem, attributeFlags, itemKey, description);
    return workingItem;
  }