rubin@: Adding test to detect modification to encrypted attributes

hchar@: remove dependency on commons b64 codec + doc

Author: hansonchar

README.md

@@ -119,7 +119,7 @@ For signing, the user specified signing key can be either symmetric or asymmetri
 
 1. Currently the new data types in [Amazon DynamoDB][ddb] including Map, List, Boolean, and NULL are not yet supported by this library.  In particular, this library would fail fast upon detecting the use of these new data types.  We expect to support the new types soon in future releases.
 
-2. During retrieval of an item, all the attributes of the item that has been involved for encryption or signing must be included for signature verification.  Otherwise, the signature would fail to verify.
+2. During retrieval of an item, all the attributes of the item that have been involved for encryption or signing must also be included for signature verification.  Otherwise, the signature would fail to verify.
 
 [attrencryptor]: src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/AttributeEncryptor.java
 [createtable]: https://github.com/aws/aws-sdk-java/blob/master/src/samples/AmazonDynamoDBDocumentAPI/quick-start/com/amazonaws/services/dynamodbv2/document/quickstart/A_CreateTableTest.java

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.java

@@ -255,7 +255,7 @@ public Map<String, AttributeValue> decryptRecord(
         if (!itemAttributes.containsKey(signatureFieldName) || itemAttributes.get(signatureFieldName).getB() == null) {
             signature = ByteBuffer.allocate(0);
         } else {
-            signature = itemAttributes.get(signatureFieldName).getB();
+            signature = itemAttributes.get(signatureFieldName).getB().asReadOnlyBuffer();
         }
         itemAttributes.remove(signatureFieldName);
 
@@ -344,7 +344,7 @@ private void actualDecryption(Map<String, AttributeValue> itemAttributes,
                     throw new IllegalArgumentException("All encrypted fields must be signed. Bad field: " + entry.getKey());
                 }
                 ByteBuffer plainText;
-                ByteBuffer cipherText = entry.getValue().getB();
+                ByteBuffer cipherText = entry.getValue().getB().asReadOnlyBuffer();
                 cipherText.rewind();
                 if (encryptionKey instanceof DelegatedKey) {
                     plainText = ByteBuffer.wrap(((DelegatedKey)encryptionKey).decrypt(toByteArray(cipherText), null, encryptionMode));

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/materials/WrappedRawMaterials.java

@@ -14,7 +14,6 @@
  */
 package com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials;
 
-import java.nio.charset.Charset;
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.Key;
@@ -30,9 +29,8 @@
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
 
-import org.apache.commons.codec.binary.Base64;
-
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.DelegatedKey;
+import com.amazonaws.util.Base64;
 
 /**
  * Represents cryptographic materials used to manage unique record-level keys.
@@ -64,7 +62,6 @@ public class WrappedRawMaterials extends AbstractRawMaterials {
      * key.
      */
     protected static final String ENVELOPE_KEY = "amzn-ddb-env-key";
-    private static final Charset UTF8 = Charset.forName("utf-8");
     private static final String DEFAULT_ALGORITHM = "AES/256";
     private static final SecureRandom rand = new SecureRandom();
 
@@ -125,7 +122,7 @@ protected SecretKey initEnvelopeKey() throws GeneralSecurityException {
             if (unwrappingKey == null) {
                 throw new IllegalStateException("No private decryption key provided.");
             }
-            byte[] encryptedKey = Base64.decodeBase64(description.get(ENVELOPE_KEY).getBytes(UTF8));
+            byte[] encryptedKey = Base64.decode(description.get(ENVELOPE_KEY));
             String wrappingAlgorithm = unwrappingKey.getAlgorithm();
             if (description.containsKey(KEY_WRAPPING_ALGORITHM)) {
                 wrappingAlgorithm = description.get(KEY_WRAPPING_ALGORITHM);
@@ -140,7 +137,7 @@ protected SecretKey initEnvelopeKey() throws GeneralSecurityException {
                     description.get(KEY_WRAPPING_ALGORITHM) :
                     getTransformation(wrappingKey.getAlgorithm());
             byte[] encryptedKey = wrapKey(key, wrappingAlg);
-            description.put(ENVELOPE_KEY, new String(Base64.encodeBase64(encryptedKey), UTF8));
+            description.put(ENVELOPE_KEY, Base64.encodeAsString(encryptedKey));
             description.put(CONTENT_KEY_ALGORITHM, key.getAlgorithm());
             description.put(KEY_WRAPPING_ALGORITHM, wrappingAlg);
             setMaterialDescription(description);

src/test/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptorTest.java

@@ -122,25 +122,37 @@ public void fullEncryption() throws GeneralSecurityException {
         Map<String, AttributeValue> encryptedAttributes = 
                 encryptor.encryptAllFieldsExcept(Collections.unmodifiableMap(attribs), context, "hashKey", "rangeKey", "version");
         assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
+
         Map<String, AttributeValue> decryptedAttributes =
                 encryptor.decryptAllFieldsExcept(Collections.unmodifiableMap(encryptedAttributes), context, "hashKey", "rangeKey", "version");
         assertThat(decryptedAttributes, AttrMatcher.match(attribs));
-        
+
         // Make sure keys and version are not encrypted
         assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
         assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
         assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
-        
+
         // Make sure String has been encrypted (we'll assume the others are correct as well)
         assertTrue(encryptedAttributes.containsKey("stringValue"));
         assertNull(encryptedAttributes.get("stringValue").getS());
         assertNotNull(encryptedAttributes.get("stringValue").getB());
-        
+
         // Make sure we're calling the proper getEncryptionMaterials method
         assertEquals("Wrong getEncryptionMaterials() called", 
                 1, prov.getCallCount("getEncryptionMaterials(EncryptionContext context)"));
     }
-    
+
+    @Test
+    public void ensureEncryptedAttributesUnmodified() throws GeneralSecurityException {
+        Map<String, AttributeValue> encryptedAttributes =
+                encryptor.encryptAllFieldsExcept(Collections.unmodifiableMap(attribs), context, "hashKey", "rangeKey", "version");
+        String encryptedString = encryptedAttributes.toString();
+        Map<String, AttributeValue> decryptedAttributes =
+                encryptor.decryptAllFieldsExcept(Collections.unmodifiableMap(encryptedAttributes), context, "hashKey", "rangeKey", "version");
+
+        assertEquals(encryptedString, encryptedAttributes.toString());
+    }
+
     @Test(expected=SignatureException.class)
     public void fullEncryptionBadSignature() throws GeneralSecurityException {
         Map<String, AttributeValue> encryptedAttributes =
@@ -305,7 +317,7 @@ private <T> void assertSetsEqual(Collection<T> c1, Collection<T> c2) {
             Assert.assertEquals(s1, s2);
         }
     }
-    
+
     private EncryptionMaterialsProvider getMaterialProviderwithECDSA() 
            throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, NoSuchProviderException {
             Security.addProvider(new BouncyCastleProvider());

src/test/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/KeyStoreMaterialsProviderTest.java

@@ -37,14 +37,14 @@
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 
-import org.apache.commons.codec.binary.Base64;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.DecryptionMaterials;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.EncryptionMaterials;
+import com.amazonaws.util.Base64;
 
 public class KeyStoreMaterialsProviderTest {
     private static final String certPem = 
@@ -124,10 +124,10 @@ public static void setUpBeforeClass() throws Exception {
         keyStore.load(null, password.toCharArray());
 
         KeyFactory kf = KeyFactory.getInstance("RSA");
-        PKCS8EncodedKeySpec rsaSpec = new PKCS8EncodedKeySpec(Base64.decodeBase64(keyPem));
+        PKCS8EncodedKeySpec rsaSpec = new PKCS8EncodedKeySpec(Base64.decode(keyPem));
         privateKey = kf.generatePrivate(rsaSpec);
         CertificateFactory cf = CertificateFactory.getInstance("X509");
-        certificate = cf.generateCertificate(new ByteArrayInputStream(Base64.decodeBase64(certPem)));
+        certificate = cf.generateCertificate(new ByteArrayInputStream(Base64.decode(certPem)));
 
 
         keyStore.setEntry("enc", new SecretKeyEntry(encryptionKey), passwordProtection);