in src/main/java/com/amazonaws/encryptionsdk/internal/AwsKmsCmkArnInfo.java [167:196]
/**
 * Decides whether a configured AWS KMS key identifier matches the key identifier found in an
 * encrypted data key's provider info, for the purpose of decryption.
 *
 * <p>Identical strings always match. Otherwise both identifiers must parse as ARNs, both must be
 * identified as multi-Region keys, and their partition, account id, resource type and resource
 * must be equal. The region is not among the compared parts, so a {@code true} result does not
 * imply that both identifiers name the same region. The caller remains responsible for
 * restricting which identifiers are configured in the first place.
 *
 * <p>The {@code // =} and {@code // #} comment lines quote the referenced specification text and
 * are kept verbatim.
 *
 * @param configuredKeyIdentifier identifier the caller configured; dereferenced directly, so a
 *     {@code null} value throws {@link NullPointerException}
 * @param providerInfoKeyIdentifier identifier read from the provider info; it is only compared
 *     and handed to {@code parseInfoFromKeyArn}
 * @return {@code true} if the two identifiers match under the rules above, {@code false}
 *     otherwise
 */
public static boolean awsKmsArnMatchForDecrypt(
    final String configuredKeyIdentifier, final String providerInfoKeyIdentifier) {
  // = compliance/framework/aws-kms/aws-kms-mrk-match-for-decrypt.txt#2.5
  // # If both identifiers are identical, this function MUST return "true".
  if (configuredKeyIdentifier.equals(providerInfoKeyIdentifier)) {
    return true;
  }

  final AwsKmsCmkArnInfo configured = parseInfoFromKeyArn(configuredKeyIdentifier);
  final AwsKmsCmkArnInfo fromProviderInfo = parseInfoFromKeyArn(providerInfoKeyIdentifier);

  /* Check for early return (Postcondition): the identifiers are not equal and at least one of
   * them produced no ARN info, therefore they can not match. */
  final boolean bothParsed = fromProviderInfo != null && configured != null;
  if (!bothParsed) {
    return false;
  }

  // = compliance/framework/aws-kms/aws-kms-mrk-match-for-decrypt.txt#2.5
  // # Otherwise if either input is not identified as a multi-Region key
  // # (aws-kms-key-arn.md#identifying-an-aws-kms-multi-region-key), then
  // # this function MUST return "false".
  if (!(isMRK(configured) && isMRK(fromProviderInfo))) {
    return false;
  }

  // = compliance/framework/aws-kms/aws-kms-mrk-match-for-decrypt.txt#2.5
  // # Otherwise if both inputs are
  // # identified as a multi-Region keys (aws-kms-key-arn.md#identifying-an-
  // # aws-kms-multi-region-key), this function MUST return the result of
  // # comparing the "partition", "service", "accountId", "resourceType",
  // # and "resource" parts of both ARN inputs.
  // Service is not matched because AwsKmsCmkArnInfo only allows a service of `kms`.
  // The parts are checked in the same order as before: partition, account id, resource type,
  // resource. The first mismatch ends the comparison.
  if (!configured.getPartition().equals(fromProviderInfo.getPartition())) {
    return false;
  }
  if (!configured.getAccountId().equals(fromProviderInfo.getAccountId())) {
    return false;
  }
  if (!configured.getResourceType().equals(fromProviderInfo.getResourceType())) {
    return false;
  }
  return configured.getResource().equals(fromProviderInfo.getResource());
}