src/main/java/com/amazonaws/encryptionsdk/kms/AwsKmsMrkAwareMasterKey.java [379:415]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    return new DataKey<>(
        new SecretKeySpec(rawKey, algorithm.getDataKeyAlgo()),
        edk.getEncryptedDataKey(),
        edk.getProviderInformation(),
        masterKey);
  }

  /**
   * Decides whether this master key should attempt to decrypt the given encrypted data key.
   *
   * <p>This function is refactored out from {@code decryptDataKey} to facilitate testing and
   * ensure correctness. An AWS KMS master key should only attempt to process an encrypted data key
   * if the information in the encrypted data key matches the master key's configuration.
   *
   * <p>The provider info is validated before the provider ID is compared. An encrypted data key
   * whose provider info is not a key ARN therefore raises the exception below even when its
   * provider ID differs from {@code providerId}.
   *
   * <p>The same method appears in {@code com.amazonaws.encryptionsdk.kmssdkv2.AwsKmsMrkAwareMasterKey};
   * a change to the matching rules has to be made in both copies.
   *
   * @param providerId provider ID that the encrypted data key's provider ID is compared with
   * @param awsKmsIdentifier_ configured AWS KMS key identifier, passed to {@code
   *     awsKmsArnMatchForDecrypt} together with the decoded provider info
   * @param edk encrypted data key to examine; its provider ID and provider info are dereferenced
   *     without a null check
   * @return {@code true} only if the provider ID equals {@code providerId} and {@code
   *     awsKmsArnMatchForDecrypt} accepts the configured identifier and the provider info
   * @throws IllegalStateException if the provider info does not parse as an ARN or its resource
   *     type is not {@code "key"}
   */
  static boolean filterEncryptedDataKeys(
      final String providerId, final String awsKmsIdentifier_, final EncryptedDataKey edk) {
    // Provider info is raw bytes. new String(bytes, UTF_8) substitutes U+FFFD for malformed
    // sequences instead of failing, so rejecting bad input is left to the ARN parsing below.
    // NOTE(review): per the exception text below, this value comes from the message being
    // decrypted; treat it as untrusted until the checks in this method have passed.
    final String edkKeyId = new String(edk.getProviderInformation(), StandardCharsets.UTF_8);

    final AwsKmsCmkArnInfo providerArnInfo = parseInfoFromKeyArn(edkKeyId);

    // A null parse result is handled as "not a valid ARN".
    // NOTE(review): this aborts with an unchecked exception instead of returning false, and it
    // runs before the provider ID is looked at. Confirm against the caller that one malformed
    // entry is meant to stop processing rather than be skipped.
    // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
    // # Additionally each provider info MUST be a valid AWS KMS ARN
    // # (aws-kms-key-arn.md#a-valid-aws-kms-arn) with a resource type of
    // # "key".
    if (providerArnInfo == null || !"key".equals(providerArnInfo.getResourceType())) {
      throw new IllegalStateException("Invalid provider info in message.");
    }

    // Both conditions must hold. && short-circuits, so awsKmsArnMatchForDecrypt is called only
    // when the provider ID already matched.
    // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
    // # To match the encrypted data key's
    // # provider ID MUST exactly match the value "aws-kms" and the the
    // # function AWS KMS MRK Match for Decrypt (aws-kms-mrk-match-for-
    // # decrypt.md#implementation) called with the configured AWS KMS key
    // # identifier and the encrypted data key's provider info MUST return
    // # "true".
    return edk.getProviderId().equals(providerId)
        && awsKmsArnMatchForDecrypt(awsKmsIdentifier_, edkKeyId);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/AwsKmsMrkAwareMasterKey.java [392:428]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    return new DataKey<>(
        new SecretKeySpec(rawKey, algorithm.getDataKeyAlgo()),
        edk.getEncryptedDataKey(),
        edk.getProviderInformation(),
        masterKey);
  }

  /**
   * Decides whether this master key should attempt to decrypt the given encrypted data key.
   *
   * <p>This function is refactored out from {@code decryptDataKey} to facilitate testing and
   * ensure correctness. An AWS KMS master key should only attempt to process an encrypted data key
   * if the information in the encrypted data key matches the master key's configuration.
   *
   * <p>The provider info is validated before the provider ID is compared. An encrypted data key
   * whose provider info is not a key ARN therefore raises the exception below even when its
   * provider ID differs from {@code providerId}.
   *
   * <p>The same method appears in {@code com.amazonaws.encryptionsdk.kms.AwsKmsMrkAwareMasterKey};
   * a change to the matching rules has to be made in both copies.
   *
   * @param providerId provider ID that the encrypted data key's provider ID is compared with
   * @param awsKmsIdentifier_ configured AWS KMS key identifier, passed to {@code
   *     awsKmsArnMatchForDecrypt} together with the decoded provider info
   * @param edk encrypted data key to examine; its provider ID and provider info are dereferenced
   *     without a null check
   * @return {@code true} only if the provider ID equals {@code providerId} and {@code
   *     awsKmsArnMatchForDecrypt} accepts the configured identifier and the provider info
   * @throws IllegalStateException if the provider info does not parse as an ARN or its resource
   *     type is not {@code "key"}
   */
  static boolean filterEncryptedDataKeys(
      final String providerId, final String awsKmsIdentifier_, final EncryptedDataKey edk) {
    // Provider info is raw bytes. new String(bytes, UTF_8) substitutes U+FFFD for malformed
    // sequences instead of failing, so rejecting bad input is left to the ARN parsing below.
    // NOTE(review): per the exception text below, this value comes from the message being
    // decrypted; treat it as untrusted until the checks in this method have passed.
    final String edkKeyId = new String(edk.getProviderInformation(), StandardCharsets.UTF_8);

    final AwsKmsCmkArnInfo providerArnInfo = parseInfoFromKeyArn(edkKeyId);

    // A null parse result is handled as "not a valid ARN".
    // NOTE(review): this aborts with an unchecked exception instead of returning false, and it
    // runs before the provider ID is looked at. Confirm against the caller that one malformed
    // entry is meant to stop processing rather than be skipped.
    // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
    // # Additionally each provider info MUST be a valid AWS KMS ARN
    // # (aws-kms-key-arn.md#a-valid-aws-kms-arn) with a resource type of
    // # "key".
    if (providerArnInfo == null || !"key".equals(providerArnInfo.getResourceType())) {
      throw new IllegalStateException("Invalid provider info in message.");
    }

    // Both conditions must hold. && short-circuits, so awsKmsArnMatchForDecrypt is called only
    // when the provider ID already matched.
    // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
    // # To match the encrypted data key's
    // # provider ID MUST exactly match the value "aws-kms" and the the
    // # function AWS KMS MRK Match for Decrypt (aws-kms-mrk-match-for-
    // # decrypt.md#implementation) called with the configured AWS KMS key
    // # identifier and the encrypted data key's provider info MUST return
    // # "true".
    return edk.getProviderId().equals(providerId)
        && awsKmsArnMatchForDecrypt(awsKmsIdentifier_, edkKeyId);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



