in src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/KmsMasterKey.java [168:217]
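/**
 * Attempts to unwrap one of the supplied encrypted data keys (EDKs) with this master key.
 *
 * <p>Only EDKs whose provider information names this key ({@code id_}) are sent to KMS, and the
 * Decrypt request pins {@code keyId} to that same value, so this master key never asks KMS to
 * decrypt under any key other than the one it was configured with. The caller's encryption
 * context and the configured grant tokens are passed through on the request. A successful
 * response is accepted only if its {@code keyId} equals {@code id_} and the plaintext is exactly
 * the data-key length required by {@code algorithm}.
 *
 * <p>Failure handling is deliberately asymmetric. An {@link AwsServiceException} from KMS is
 * collected and the next matching EDK is tried. A malformed success response (no keyId, or an
 * unexpected plaintext length) is treated as fatal and thrown immediately rather than skipped.
 * A response that KMS reports as decrypted under a different key than requested is discarded and
 * recorded in the collected exceptions, so the final "cannot unwrap" exception is not silent
 * about why. Anything that is not an {@code AwsServiceException} (e.g. client-side transport
 * errors) is not caught here and propagates to the caller.
 *
 * @param algorithm the algorithm suite; supplies the required data-key length and key algorithm
 * @param encryptedDataKeys candidate EDKs; those not belonging to this key are ignored
 * @param encryptionContext the encryption context to present to KMS with the decrypt call
 * @return the unwrapped data key together with the EDK it was recovered from
 * @throws AwsCryptoException (built by {@code buildCannotDecryptDksException}) when no EDK could
 *     be unwrapped; the collected per-EDK failures are passed to it
 * @throws IllegalStateException when KMS returns a success response without a keyId or with a
 *     plaintext whose length does not match {@code algorithm}
 */
public DataKey<KmsMasterKey> decryptDataKey(
    final CryptoAlgorithm algorithm,
    final Collection<? extends EncryptedDataKey> encryptedDataKeys,
    final Map<String, String> encryptionContext)
    throws UnsupportedProviderException, AwsCryptoException {
  final List<Exception> exceptions = new ArrayList<>();
  for (final EncryptedDataKey edk : encryptedDataKeys) {
    try {
      final String edkKeyId = new String(edk.getProviderInformation(), StandardCharsets.UTF_8);
      // Strict keying: never attempt an EDK that was wrapped under some other key.
      if (!edkKeyId.equals(id_)) {
        continue;
      }
      final DecryptResponse decryptResponse =
          clientSupplier_
              .get()
              .decrypt(
                  DecryptRequest.builder()
                      .overrideConfiguration(API_NAME_INTERCEPTOR)
                      .ciphertextBlob(SdkBytes.fromByteArray(edk.getEncryptedDataKey()))
                      .encryptionContext(encryptionContext)
                      .grantTokens(grantTokens_)
                      // Pin the key (edkKeyId == id_ here): KMS must use the configured key,
                      // not whatever key the ciphertext blob happens to name.
                      .keyId(edkKeyId)
                      .build());
      final String decryptResponseKeyId = decryptResponse.keyId();
      if (decryptResponseKeyId == null) {
        // A success response with no keyId cannot be verified; fail closed rather than skip.
        throw new IllegalStateException("Received an empty keyId from KMS");
      }
      if (!decryptResponseKeyId.equals(id_)) {
        // KMS reports it decrypted under a key we did not ask for. Discard the plaintext and
        // record the reason so the final exception explains why this EDK was rejected.
        exceptions.add(
            new IllegalStateException(
                "KMS decrypt response keyId "
                    + decryptResponseKeyId
                    + " does not match the configured key id "
                    + id_));
        continue;
      }
      final ByteBuffer plaintextBuffer = decryptResponse.plaintext().asByteBuffer();
      // Accept exactly one data key's worth of bytes; anything else is a malformed response,
      // not a retryable condition, so it is thrown rather than collected.
      if (plaintextBuffer.limit() != algorithm.getDataKeyLength()) {
        throw new IllegalStateException("Received an unexpected number of bytes from KMS");
      }
      final byte[] rawKey = new byte[algorithm.getDataKeyLength()];
      plaintextBuffer.get(rawKey);
      return new DataKey<>(
          new SecretKeySpec(rawKey, algorithm.getDataKeyAlgo()),
          edk.getEncryptedDataKey(),
          edk.getProviderInformation(),
          this);
    } catch (final AwsServiceException awsex) {
      // Service-side failures for this EDK are collected; move on to the next candidate.
      exceptions.add(awsex);
    }
  }
  throw buildCannotDecryptDksException(exceptions);
}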