Address PR feedback.

* Allow AESKeyring to take a `SecureRandom` parameter.
* Remove 'what' comments from AESKeyring.
* Rename algorithm suite name to match spec.
* Rename decrypt materials function to match spec.

Author: smswz

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java

@@ -41,8 +41,7 @@
 import software.amazon.awssdk.utils.IoUtils;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 import software.amazon.encryption.s3.materials.DecryptionMaterials;
-import software.amazon.encryption.s3.materials.DefaultMaterialsManager;
-import software.amazon.encryption.s3.materials.DecryptionMaterialsRequest;
+import software.amazon.encryption.s3.materials.DecryptMaterialsRequest;
 import software.amazon.encryption.s3.materials.EncryptionMaterialsRequest;
 import software.amazon.encryption.s3.materials.EncryptedDataKey;
 import software.amazon.encryption.s3.materials.EncryptionMaterials;
@@ -170,19 +169,19 @@ public <T> T getObject(GetObjectRequest getObjectRequest, ResponseTransformer<Ge
         final String contentEncryptionAlgorithm = metadata.get("x-amz-cek-alg");
         AlgorithmSuite algorithmSuite = null;
         if (contentEncryptionAlgorithm.equals("AES/GCM/NoPadding")) {
-            algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_NO_KDF;;
+            algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;;
         }
 
         if (algorithmSuite == null) {
             throw new RuntimeException("Unknown content encryption algorithm: " + contentEncryptionAlgorithm);
         }
 
-        DecryptionMaterialsRequest request = DecryptionMaterialsRequest.builder()
+        DecryptMaterialsRequest request = DecryptMaterialsRequest.builder()
                 .algorithmSuite(algorithmSuite)
                 .encryptedDataKeys(encryptedDataKeys)
                 .encryptionContext(encryptionContext)
                 .build();
-        DecryptionMaterials materials = _materialsManager.getDecryptionMaterials(request);
+        DecryptionMaterials materials = _materialsManager.decryptMaterials(request);
 
         // Get content encryption information
         SecretKey contentKey = new SecretKeySpec(materials.plaintextDataKey(), "AES");

src/main/java/software/amazon/encryption/s3/algorithms/AlgorithmSuite.java

@@ -2,7 +2,7 @@
 
 
 public enum AlgorithmSuite {
-    ALG_AES_256_GCM_NO_KDF(0x0078,
+    ALG_AES_256_GCM_IV12_TAG16_NO_KDF(0x0078,
             "AES",
             256,
             "AES/GCM/NoPadding",

src/main/java/software/amazon/encryption/s3/materials/AESKeyring.java

@@ -22,12 +22,14 @@ public class AESKeyring implements Keyring {
     private static final int TAG_LENGTH_BYTES = 16;
     private static final int TAG_LENGTH_BITS = TAG_LENGTH_BYTES * 8;
 
-    private final DataKeyGenerator _dataKeyGenerator;
     private final SecretKey _wrappingKey;
+    private final SecureRandom _secureRandom;
+    private final DataKeyGenerator _dataKeyGenerator;
 
     private AESKeyring(Builder builder) {
-        _dataKeyGenerator = builder._dataKeyGenerator;
         _wrappingKey = builder._wrappingKey;
+        _secureRandom = builder._secureRandom;
+        _dataKeyGenerator = builder._dataKeyGenerator;
     }
 
     public static Builder builder() {
@@ -44,17 +46,14 @@ public EncryptionMaterials onEncrypt(EncryptionMaterials materials) {
         }
 
         try {
-            SecureRandom secureRandom = new SecureRandom();
-
-            AlgorithmSuite algorithmSuite = materials.algorithmSuite();
             byte[] nonce = new byte[NONCE_LENGTH_BYTES];
-            secureRandom.nextBytes(nonce);
+            _secureRandom.nextBytes(nonce);
             GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_BITS, nonce);
 
             final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
-            cipher.init(Cipher.ENCRYPT_MODE, _wrappingKey, gcmParameterSpec, secureRandom);
+            cipher.init(Cipher.ENCRYPT_MODE, _wrappingKey, gcmParameterSpec, _secureRandom);
 
-            // this is the CONTENT encryption, not the wrapping encryption
+            AlgorithmSuite algorithmSuite = materials.algorithmSuite();
             cipher.updateAAD(algorithmSuite.cipherName().getBytes(StandardCharsets.UTF_8));
             byte[] ciphertext = cipher.doFinal(materials.plaintextDataKey());
 
@@ -97,12 +96,11 @@ public DecryptionMaterials onDecrypt(final DecryptionMaterials materials, List<E
             System.arraycopy(encodedBytes, 0, nonce, 0, nonce.length);
             System.arraycopy(encodedBytes, nonce.length, ciphertext, 0, ciphertext.length);
 
-
             GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_BITS, nonce);
             try {
                 final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
                 cipher.init(Cipher.DECRYPT_MODE, _wrappingKey, gcmParameterSpec);
-                // this is the CONTENT encryption, not the wrapping encryption
+
                 AlgorithmSuite algorithmSuite = materials.algorithmSuite();
                 cipher.updateAAD(algorithmSuite.cipherName().getBytes(StandardCharsets.UTF_8));
                 byte[] plaintext = cipher.doFinal(ciphertext);
@@ -117,8 +115,9 @@ public DecryptionMaterials onDecrypt(final DecryptionMaterials materials, List<E
     }
 
     public static class Builder {
-        private DataKeyGenerator _dataKeyGenerator = new DefaultDataKeyGenerator();
         private SecretKey _wrappingKey;
+        private SecureRandom _secureRandom = new SecureRandom();
+        private DataKeyGenerator _dataKeyGenerator = new DefaultDataKeyGenerator();
 
         private Builder() {}
 
@@ -130,6 +129,11 @@ public Builder wrappingKey(SecretKey wrappingKey) {
             return this;
         }
 
+        public Builder secureRandom(SecureRandom secureRandom) {
+            _secureRandom = secureRandom;
+            return this;
+        }
+
         public Builder dataKeyGenerator(DataKeyGenerator dataKeyGenerator) {
             _dataKeyGenerator = dataKeyGenerator;
             return this;

src/main/java/software/amazon/encryption/s3/materials/DataKeyGenerator.java

@@ -3,6 +3,7 @@
 import javax.crypto.SecretKey;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 
+@FunctionalInterface
 public interface DataKeyGenerator {
     SecretKey generateDataKey(AlgorithmSuite algorithmSuite);
 }

src/main/java/software/amazon/encryption/s3/materials/DecryptionMaterialsRequest.java renamed to src/main/java/software/amazon/encryption/s3/materials/DecryptMaterialsRequest.java

@@ -4,15 +4,14 @@
 import java.util.List;
 import java.util.Map;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
-import software.amazon.encryption.s3.materials.EncryptionMaterials.Builder;
 
-public class DecryptionMaterialsRequest {
+public class DecryptMaterialsRequest {
 
     private final AlgorithmSuite _algorithmSuite;
     private final List<EncryptedDataKey> _encryptedDataKeys;
     private final Map<String, String> _encryptionContext;
 
-    private DecryptionMaterialsRequest(Builder builder) {
+    private DecryptMaterialsRequest(Builder builder) {
         this._algorithmSuite = builder._algorithmSuite;
         this._encryptedDataKeys = builder._encryptedDataKeys;
         this._encryptionContext = builder._encryptionContext;
@@ -36,7 +35,7 @@ public Map<String, String> encryptionContext() {
 
     static public class Builder {
 
-        private AlgorithmSuite _algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_NO_KDF;
+        private AlgorithmSuite _algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;
         private Map<String, String> _encryptionContext = Collections.emptyMap();
         private List<EncryptedDataKey> _encryptedDataKeys = Collections.emptyList();
 
@@ -62,8 +61,8 @@ public Builder encryptedDataKeys(List<EncryptedDataKey> encryptedDataKeys) {
             return this;
         }
 
-        public DecryptionMaterialsRequest build() {
-            return new DecryptionMaterialsRequest(this);
+        public DecryptMaterialsRequest build() {
+            return new DecryptMaterialsRequest(this);
         }
     }
 }

src/main/java/software/amazon/encryption/s3/materials/DecryptionMaterials.java

@@ -52,7 +52,7 @@ public Builder toBuilder() {
 
     static public class Builder {
 
-        private AlgorithmSuite _algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_NO_KDF;
+        private AlgorithmSuite _algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;
         private Map<String, String> _encryptionContext = Collections.emptyMap();
         private byte[] _plaintextDataKey = null;
 

src/main/java/software/amazon/encryption/s3/materials/DefaultMaterialsManager.java

@@ -1,9 +1,5 @@
 package software.amazon.encryption.s3.materials;
 
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 
 public class DefaultMaterialsManager implements MaterialsManager {
@@ -16,14 +12,14 @@ public DefaultMaterialsManager(Keyring keyring) {
 
     public EncryptionMaterials getEncryptionMaterials(EncryptionMaterialsRequest request) {
         EncryptionMaterials materials = EncryptionMaterials.builder()
-                .algorithmSuite(AlgorithmSuite.ALG_AES_256_GCM_NO_KDF)
+                .algorithmSuite(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
                 .encryptionContext(request.encryptionContext())
                 .build();
 
         return _keyring.onEncrypt(materials);
     }
 
-    public DecryptionMaterials getDecryptionMaterials(DecryptionMaterialsRequest request) {
+    public DecryptionMaterials decryptMaterials(DecryptMaterialsRequest request) {
         DecryptionMaterials materials = DecryptionMaterials.builder()
                 .algorithmSuite(request.algorithmSuite())
                 .encryptionContext(request.encryptionContext())

src/main/java/software/amazon/encryption/s3/materials/EncryptionMaterials.java

@@ -60,7 +60,7 @@ public Builder toBuilder() {
 
     static public class Builder {
 
-        private AlgorithmSuite _algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_NO_KDF;
+        private AlgorithmSuite _algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;
         private Map<String, String> _encryptionContext = Collections.emptyMap();
         private List<EncryptedDataKey> _encryptedDataKeys = Collections.emptyList();
         private byte[] _plaintextDataKey = null;

src/main/java/software/amazon/encryption/s3/materials/MaterialsManager.java

@@ -2,5 +2,5 @@
 
 public interface MaterialsManager {
     EncryptionMaterials getEncryptionMaterials(EncryptionMaterialsRequest request);
-    DecryptionMaterials getDecryptionMaterials(DecryptionMaterialsRequest request);
+    DecryptionMaterials decryptMaterials(DecryptMaterialsRequest request);
 }