feat: reEncryptInstructionFile Implementation #475
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* I created the MaterialsDescription class to help identify AES + RSA keys for reEncryptInstructionFile feature Co-authored-by: Anirav Kareddy <[email protected]>
--------- Co-authored-by: Anirav Kareddy <[email protected]>
Implemented a stronger level of validation for reEncryptInstructionFile where, when enabled, the client will attempt to decrypt the re-encrypted instruction file with the old key material and throw an exception when decryption succeeds. This is a stronger level of validation that the wrapping key has been rotated than the standard assertion that the materials descriptions are different. --------- Co-authored-by: Anirav Kareddy <[email protected]>
kessplas
requested changes
Jul 21, 2025
| if (newKeyring == null) { | ||
| throw new S3EncryptionClientException("New keyring must be provided!"); | ||
| } | ||
| if (newKeyring instanceof AesKeyring) { |
There was a problem hiding this comment.
We should change this to check !(newKeyring instanceof RsaKeyring) and the error message to say "is only applicable for RSA keyring!" so the validation is more robust and fails closed for new raw keyrings.
| } | ||
|
|
||
| //Create or update instruction file with the re-encrypted metadata while preserving IV | ||
| ContentMetadataEncodingStrategy encodeStrategy = new ContentMetadataEncodingStrategy(_instructionFileConfig); |
There was a problem hiding this comment.
We need to validate the instruction file config here to make sure that Inst file is enabled, otherwise the new key will get lost.
First, can you write a test which reproduces this bug?
Then, can you add validation to make sure that isInstructionFilePutEnabled() is true?
added 5 commits
July 21, 2025 15:52
akareddy04
added a commit
that referenced
this pull request
Jul 24, 2025
This reverts commit ff66e72.
akareddy04
added a commit
that referenced
this pull request
Jul 24, 2025
aws-crypto-tools-ci-bot
pushed a commit
that referenced
this pull request
Jul 30, 2025
## [3.4.0](v3.3.5...v3.4.0) (2025-07-30) ### Features * put object with instruction file configured ([#466](#466)) ([99077dc](99077dc)) * reEncryptInstructionFile Implementation ([#475](#475)) ([ff66e72](ff66e72)) * reEncryptInstructionFile Implementation ([#478](#478)) ([f7e6fa5](f7e6fa5)) ### Fixes * Revert "feat: reEncryptInstructionFile Implementation ([#475](#475))" ([#477](#477)) ([6d45ec5](6d45ec5)) ### Maintenance * guard against properties conflicts ([#479](#479)) ([793c73b](793c73b)) * **pom:** fix scm url ([#469](#469)) ([1bc2ca3](1bc2ca3)) * **release:** Migrate release to Central Portal ([#468](#468)) ([da71231](da71231)) * validate against legacy wrapping on client but customer passes keyring with no legacy wrapping ([#473](#473)) ([bb898d1](bb898d1))
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
Implemented the following feature: re-encrypting an instruction file with a new keyring while preserving the original encrypted object in S3. This enables:
1. Key rotation by updating instruction file metadata without re-encrypting object content
2. Sharing encrypted objects with partners by creating new instruction files with a custom suffix using their public keys
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: