public abstract class S3CryptoModuleBase<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext> extends S3CryptoModule<T>
Modifier and Type | Field and Description |
---|---|
protected ContentCryptoScheme |
contentCryptoScheme |
protected CryptoConfiguration |
cryptoConfig
A read-only copy of the crypto configuration.
|
protected S3CryptoScheme |
cryptoScheme |
protected static int |
DEFAULT_BUFFER_SIZE |
protected EncryptionMaterialsProvider |
kekMaterialsProvider |
protected com.ibm.cloud.objectstorage.services.kms.AWSKMS |
kms |
protected org.apache.commons.logging.Log |
log |
protected Map<String,T> |
multipartUploadContexts
Map of data about in progress encrypted multipart uploads.
|
protected S3Direct |
s3 |
Modifier | Constructor and Description |
---|---|
protected |
S3CryptoModuleBase(com.ibm.cloud.objectstorage.services.kms.AWSKMS kms,
S3Direct s3,
AWSCredentialsProvider credentialsProvider,
EncryptionMaterialsProvider kekMaterialsProvider,
CryptoConfiguration cryptoConfig) |
protected |
S3CryptoModuleBase(S3Direct s3,
AWSCredentialsProvider credentialsProvider,
EncryptionMaterialsProvider kekMaterialsProvider,
CryptoConfiguration cryptoConfig)
For testing purposes only.
|
Modifier and Type | Method and Description |
---|---|
void |
abortMultipartUploadSecurely(AbortMultipartUploadRequest req) |
protected abstract long |
ciphertextLength(long plaintextLength)
Returns the length of the ciphertext computed from the length of the
plaintext.
|
CompleteMultipartUploadResult |
completeMultipartUploadSecurely(CompleteMultipartUploadRequest req) |
CopyPartResult |
copyPartSecurely(CopyPartRequest copyPartRequest) |
protected com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial |
createContentCryptoMaterial(AmazonWebServiceRequest req)
Creates and returns a non-null content crypto material for the given
request.
|
protected PutObjectRequest |
createInstructionPutRequest(String bucketName,
String key,
com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial cekMaterial) |
protected SecretKey |
generateCEK(EncryptionMaterials kekMaterials) |
S3CryptoScheme |
getS3CryptoScheme() |
InitiateMultipartUploadResult |
initiateMultipartUploadSecurely(InitiateMultipartUploadRequest req) |
protected CipherLiteInputStream |
newMultipartS3CipherInputStream(UploadPartRequest req,
CipherLite cipherLite) |
protected long |
plaintextLength(AbstractPutObjectRequest request,
ObjectMetadata metadata)
Returns the plaintext length from the request and metadata; or -1 if
unknown.
|
PutObjectResult |
putInstructionFileSecurely(PutInstructionFileRequest req) |
void |
putLocalObjectSecurely(UploadObjectRequest reqIn,
String uploadId,
OutputStream os) |
PutObjectResult |
putObjectSecurely(PutObjectRequest req) |
protected void |
securityCheck(com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial cekMaterial,
com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.S3ObjectWrapper retrieved)
Checks if the crypto scheme used in the given content crypto material
is allowed to be used in this crypto module.
|
protected PutObjectRequest |
updateInstructionPutRequest(PutObjectRequest req,
com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial cekMaterial)
Updates put request to store the specified instruction object in S3.
|
protected ObjectMetadata |
updateMetadataWithContentCryptoMaterial(ObjectMetadata metadata,
File file,
com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial instruction) |
UploadPartResult |
uploadPartSecurely(UploadPartRequest req) |
protected <R extends AbstractPutObjectRequest> |
wrapWithCipher(R request,
com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial cekMaterial)
Returns the given
PutObjectRequest, with its content as an
input stream wrapped with a cipher, and configured with some metadata
and user metadata. |
getObjectSecurely, getObjectSecurely
protected static final int DEFAULT_BUFFER_SIZE
protected final EncryptionMaterialsProvider kekMaterialsProvider
protected final org.apache.commons.logging.Log log
protected final S3CryptoScheme cryptoScheme
protected final ContentCryptoScheme contentCryptoScheme
protected final CryptoConfiguration cryptoConfig
protected final Map<String,T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext> multipartUploadContexts
protected final S3Direct s3
protected final com.ibm.cloud.objectstorage.services.kms.AWSKMS kms
protected S3CryptoModuleBase(com.ibm.cloud.objectstorage.services.kms.AWSKMS kms, S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig)
cryptoConfig
- a read-only copy of the crypto configuration.
protected S3CryptoModuleBase(S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig)
protected abstract long ciphertextLength(long plaintextLength)
plaintextLength
- a non-negative number
public PutObjectResult putObjectSecurely(PutObjectRequest req)
putObjectSecurely
in class S3CryptoModule<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext>
public final void abortMultipartUploadSecurely(AbortMultipartUploadRequest req)
abortMultipartUploadSecurely
in class S3CryptoModule<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext>
public final CopyPartResult copyPartSecurely(CopyPartRequest copyPartRequest)
copyPartSecurely
in class S3CryptoModule<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext>
public InitiateMultipartUploadResult initiateMultipartUploadSecurely(InitiateMultipartUploadRequest req)
initiateMultipartUploadSecurely
in class S3CryptoModule<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext>
public UploadPartResult uploadPartSecurely(UploadPartRequest req)
NOTE: Because the encryption process requires context from previous blocks, parts uploaded with the AmazonS3EncryptionClient (as opposed to the normal AmazonS3Client) must be uploaded serially, and in order. Otherwise, the previous encryption context isn't available to use when encrypting the current part.
uploadPartSecurely
in class S3CryptoModule<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext>
protected final CipherLiteInputStream newMultipartS3CipherInputStream(UploadPartRequest req, CipherLite cipherLite)
public CompleteMultipartUploadResult completeMultipartUploadSecurely(CompleteMultipartUploadRequest req)
completeMultipartUploadSecurely
in class S3CryptoModule<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext>
protected final ObjectMetadata updateMetadataWithContentCryptoMaterial(ObjectMetadata metadata, File file, com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial instruction)
protected final com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial createContentCryptoMaterial(AmazonWebServiceRequest req)
SdkClientException
- if no encryption material can be found.
public final void putLocalObjectSecurely(UploadObjectRequest reqIn, String uploadId, OutputStream os) throws IOException
putLocalObjectSecurely
in class S3CryptoModule<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext>
uploadId
- multipart upload id
os
- output stream which will be closed upon method completion.
IOException
protected final SecretKey generateCEK(EncryptionMaterials kekMaterials)
kekMaterials
- non-null encryption materials
protected final <R extends AbstractPutObjectRequest> R wrapWithCipher(R request, com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial cekMaterial)
Returns the given PutObjectRequest, with its content as an
input stream wrapped with a cipher, and configured with some metadata
and user metadata.
protected final long plaintextLength(AbstractPutObjectRequest request, ObjectMetadata metadata)
public final S3CryptoScheme getS3CryptoScheme()
protected final PutObjectRequest updateInstructionPutRequest(PutObjectRequest req, com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial cekMaterial)
req
- The put-instruction-file request for the instruction file to
be stored in S3.
cekMaterial
- The instruction object to be stored in S3.
protected final PutObjectRequest createInstructionPutRequest(String bucketName, String key, com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial cekMaterial)
protected void securityCheck(com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.ContentCryptoMaterial cekMaterial, com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.S3ObjectWrapper retrieved)
SecurityException
- if the crypto scheme used in the given content crypto
material is not allowed in this crypto module.
public final PutObjectResult putInstructionFileSecurely(PutInstructionFileRequest req)
putInstructionFileSecurely
in class S3CryptoModule<T extends com.ibm.cloud.objectstorage.services.s3.internal.crypto.v1.MultipartUploadCryptoContext>
EncryptedGetObjectRequest