public DataKey encryptDataKey()

in src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/AwsKmsMrkAwareMasterKey.java [212:265]


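  /**
   * Encrypts the plaintext bytes of {@code dataKey} under this master key's AWS KMS key.
   *
   * <p>Issues one AWS KMS {@code Encrypt} request through the configured client, using the
   * configured key identifier and grant tokens, and returns a new {@link DataKey} that carries the
   * same plaintext key, the ciphertext blob returned by KMS as the encrypted data key, and the key
   * ARN reported by KMS (UTF-8 encoded) as the provider information.
   *
   * @param algorithm the algorithm suite in use; not consulted by this method, the key is
   *     encrypted as-is
   * @param encryptionContext the encryption context forwarded to AWS KMS
   * @param dataKey the data key whose plaintext bytes are to be encrypted; its key must be RAW
   *     encoded and must expose its encoded form
   * @return a data key bound to this master key, holding the KMS ciphertext blob
   * @throws IllegalArgumentException if the key is not in RAW format or has no encoded form
   * @throws IllegalStateException if the KMS response does not carry a parseable key ARN
   * @throws AwsCryptoException if the AWS KMS request fails with a service exception
   */
  public DataKey<AwsKmsMrkAwareMasterKey> encryptDataKey(
      final CryptoAlgorithm algorithm,
      final Map<String, String> encryptionContext,
      final DataKey<?> dataKey) {
    final SecretKey key = dataKey.getKey();
    /* Precondition: The key format MUST be RAW. */
    // Key.getFormat() may legally return null for keys that do not support encoding; comparing
    // against the literal reports that case as the documented IllegalArgumentException rather
    // than a NullPointerException.
    if (!"RAW".equals(key.getFormat())) {
      throw new IllegalArgumentException("Only RAW encoded keys are supported");
    }
    // Key.getEncoded() may also return null; reject that explicitly instead of letting the
    // SdkBytes conversion below fail with an unwrapped NullPointerException.
    final byte[] plaintext = key.getEncoded();
    if (plaintext == null) {
      throw new IllegalArgumentException("Key does not expose its encoded form");
    }

    try {
      // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.11
      // # The master
      // # key MUST use the configured AWS KMS client to make an AWS KMS Encrypt
      // # (https://docs.aws.amazon.com/kms/latest/APIReference/
      // # API_Encrypt.html) request constructed as follows:
      final EncryptRequest request =
          EncryptRequest.builder()
              .overrideConfiguration(API_NAME_INTERCEPTOR)
              .keyId(awsKmsIdentifier_)
              .plaintext(SdkBytes.fromByteArray(plaintext))
              .encryptionContext(encryptionContext)
              .grantTokens(grantTokens_)
              .build();
      final EncryptResponse encryptResponse = kmsClient_.encrypt(request);

      // Copy the ciphertext out of the response buffer so the returned DataKey owns its bytes.
      final ByteBuffer ciphertextBlobBuffer = encryptResponse.ciphertextBlob().asByteBuffer();
      final byte[] edk = new byte[ciphertextBlobBuffer.remaining()];
      ciphertextBlobBuffer.get(edk);

      final String encryptResultKeyId = encryptResponse.keyId();
      // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.11
      // # The AWS KMS Encrypt response MUST contain a valid "KeyId".
      /* Postcondition: Must have an AWS KMS ARN from AWS KMS encrypt. */
      if (parseInfoFromKeyArn(encryptResultKeyId) == null) {
        throw new IllegalStateException("Received an empty or invalid keyId from KMS");
      }

      // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.11
      // # The output MUST be the same as the Master Key Encrypt Data Key
      // # (../master-key-interface.md#encrypt-data-key) interface.
      return new DataKey<>(
          key,
          // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.11
          // # The
          // # response's cipher text blob MUST be used as the "ciphertext" for the
          // # encrypted data key.
          edk,
          encryptResultKeyId.getBytes(StandardCharsets.UTF_8),
          this);
    } catch (final AwsServiceException asex) {
      // Preserve the service exception as the cause so callers can still inspect it.
      throw new AwsCryptoException(asex);
    }
  }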