in src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/AwsKmsMrkAwareMasterKey.java [277:336]
/**
 * Attempts to decrypt one of the supplied encrypted data keys with this master key.
 *
 * <p>The candidates are first narrowed to those matching this master key's provider id and
 * AWS KMS identifier, then tried one at a time in the order the collection yields them. The
 * first successful decryption is returned and no further candidates are attempted. Only
 * {@code AwsServiceException}s raised by a decrypt attempt are collected; any other exception
 * from the attempt propagates immediately.
 *
 * @param algorithm the algorithm suite of the message being decrypted
 * @param encryptedDataKeys candidate encrypted data keys, processed in iteration order
 * @param encryptionContext the encryption context handed to the decrypt attempt
 * @return the first data key that could be decrypted
 * @throws AwsCryptoException when no encrypted data key could be decrypted; the thrown
 *     exception is built from every collected {@code AwsServiceException}
 */
public DataKey<AwsKmsMrkAwareMasterKey> decryptDataKey(
    final CryptoAlgorithm algorithm,
    final Collection<? extends EncryptedDataKey> encryptedDataKeys,
    final Map<String, String> encryptionContext)
    throws AwsCryptoException {
  final List<Exception> collectedFailures = new ArrayList<>();
  final String providerId = this.getProviderId();

  /* Order is important.
   * Process the encrypted data keys in the order they exist in the encrypted message.
   */
  for (final EncryptedDataKey edk : encryptedDataKeys) {
    // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
    // # The set of encrypted data keys MUST first be filtered to match this
    // # master key's configuration.
    if (!filterEncryptedDataKeys(providerId, awsKmsIdentifier_, edk)) {
      continue;
    }

    // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
    // # For each encrypted data key in the filtered set, one at a time, the
    // # master key MUST attempt to decrypt the data key.
    final DataKey<AwsKmsMrkAwareMasterKey> decrypted;
    try {
      decrypted =
          decryptSingleEncryptedDataKey(
              this,
              kmsClient_,
              awsKmsIdentifier_,
              grantTokens_,
              algorithm,
              edk,
              encryptionContext);
    } catch (final AwsServiceException serviceException) {
      // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
      // # If this attempt
      // # results in an error, then these errors MUST be collected.
      collectedFailures.add(serviceException);
      continue;
    }

    // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
    // # If the AWS KMS response satisfies the requirements then it MUST be
    // # use and this function MUST return and not attempt to decrypt any more
    // # encrypted data keys.
    // A null result is treated as "not decrypted" and the next candidate is tried.
    if (decrypted != null) {
      return decrypted;
    }
  }

  // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
  // # If all the input encrypted data keys have been processed then this
  // # function MUST yield an error that includes all the collected errors.
  //
  // = compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
  // # The output MUST be the same as the Master Key Decrypt Data Key
  // # (../master-key-interface.md#decrypt-data-key) interface.
  /* Exceptional Postcondition: Master key was unable to decrypt. */
  throw buildCannotDecryptDksException(collectedFailures);
}