in src/main/java/com/amazonaws/encryptionsdk/kms/AwsKmsMrkAwareMasterKeyProvider.java [497:578]
/**
 * Resolves the master key for {@code requestedKeyArn} under this provider's mode (strict or
 * discovery) and returns an {@link AwsKmsMrkAwareMasterKey} bound to a regional KMS client.
 *
 * <p>The checks below run in spec order, and that order decides which exception a caller sees:
 * provider id first, then (strict mode) membership in the configured key ids, then (discovery
 * mode) ARN well-formedness and the discovery filter. Only after all of them pass is a client
 * obtained and a key constructed.
 *
 * @param providerId the provider id carried by the encrypted data key; must be one this
 *     provider can provide for (the compliance note below says "aws-kms"), as decided by
 *     {@code canProvide}
 * @param requestedKeyArn the AWS KMS key identifier carried by the encrypted data key
 * @return a master key configured with the resolved key identifier and this provider's grant
 *     tokens
 * @throws UnsupportedProviderException if {@code providerId} is not accepted by {@code canProvide}
 * @throws NoSuchMasterKeyException in strict mode when no configured key id matches the
 *     request; in discovery mode when the identifier does not parse as an ARN or its
 *     partition/account is rejected by the configured discovery filter
 */
public AwsKmsMrkAwareMasterKey getMasterKey(final String providerId, final String requestedKeyArn)
    throws UnsupportedProviderException, NoSuchMasterKeyException {
  // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
  // # The function MUST only provide master keys if the input provider id
  // # equals "aws-kms".
  if (!canProvide(providerId)) {
    throw new UnsupportedProviderException();
  }
  /* There SHOULD only be one match.
   * An unambiguous multi-region key for the family
   * of related multi-region keys is required.
   * See `assertMrksAreUnique`.
   * However, in the case of single region keys or aliases,
   * duplicates _are_ possible.
   */
  // findFirst: when duplicates exist, the earliest configured entry wins.
  Optional<String> matchedArn =
      keyIds_.stream().filter(t -> awsKmsArnMatchForDecrypt(t, requestedKeyArn)).findFirst();
  // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
  // # In strict mode, the requested AWS KMS key ARN MUST
  // # match a member of the configured key ids by using AWS KMS MRK Match
  // # for Decrypt (aws-kms-mrk-match-for-decrypt.md#implementation)
  // # otherwise this function MUST error.
  // Strict mode: an unmatched request is rejected here, before any KMS client is created.
  if (!isDiscovery_ && !matchedArn.isPresent()) {
    throw new NoSuchMasterKeyException("Key must be in supplied list of keyIds.");
  }
  // Null when the identifier is not a well-formed ARN (the discovery check below relies on that).
  final AwsKmsCmkArnInfo requestedKeyArnInfo = parseInfoFromKeyArn(requestedKeyArn);
  // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
  // # In discovery mode, the requested
  // # AWS KMS key identifier MUST be a well formed AWS KMS ARN.
  if (isDiscovery_ && requestedKeyArnInfo == null) {
    throw new NoSuchMasterKeyException(
        "Cannot use AWS KMS identifiers " + "when in discovery mode.");
  }
  // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
  // # In
  // # discovery mode if a discovery filter is configured the requested AWS
  // # KMS key ARN's "partition" MUST match the discovery filter's
  // # "partition" and the AWS KMS key ARN's "account" MUST exist in the
  // # discovery filter's account id set.
  // This is the only check in discovery mode that bounds which partition/accounts a request
  // may name; with no filter configured (discoveryFilter_ == null) any well-formed ARN passes.
  if (isDiscovery_
      && discoveryFilter_ != null
      && !discoveryFilter_.allowsPartitionAndAccount(
          requestedKeyArnInfo.getPartition(), requestedKeyArnInfo.getAccountId())) {
    throw new NoSuchMasterKeyException(
        "Cannot use key in partition "
            + requestedKeyArnInfo.getPartition()
            + " with account id "
            + requestedKeyArnInfo.getAccountId()
            + " with configured discovery filter.");
  }
  // NOTE(review): in strict mode requestedKeyArnInfo is not null-checked above and may be null
  // (e.g. a bare key id that matched by exact string); extractRegion is assumed to tolerate
  // that — confirm against its implementation.
  final String regionName_ =
      extractRegion(
          defaultRegion_, discoveryMrkRegion_, matchedArn, requestedKeyArnInfo, isDiscovery_);
  // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
  // # An AWS KMS client
  // # MUST be obtained by calling the regional client supplier with this
  // # AWS Region.
  AWSKMS kms = regionalClientSupplier_.getClient(regionName_);
  // Discovery mode re-homes the requested ARN to the resolved region; strict mode uses the
  // configured entry that matched (matchedArn is present here because of the strict-mode
  // check above), so the caller's identifier never reaches the key object directly.
  String keyIdentifier =
      isDiscovery_
          // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
          // # In discovery mode a AWS KMS MRK Aware Master Key (aws-kms-mrk-aware-
          // # master-key.md) MUST be returned configured with
          ? requestedKeyArnInfo.toString(regionName_)
          // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
          // # In strict mode a AWS KMS MRK Aware Master Key (aws-kms-mrk-aware-
          // # master-key.md) MUST be returned configured with
          : matchedArn.get();
  final AwsKmsMrkAwareMasterKey result =
      AwsKmsMrkAwareMasterKey.getInstance(kms, keyIdentifier, this);
  // The provider's grant tokens are propagated to every key it hands out.
  result.setGrantTokens(grantTokens_);
  // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
  // # The output MUST be the same as the Master Key Provider Get Master Key
  // # (../master-key-provider-interface.md#get-master-key) interface.
  return result;
}