Respect signing algorithm injected through materialDescription by akshays@

Author: hansonchar

pom.xml

@@ -46,6 +46,13 @@
       <version>4.8.1</version>
       <scope>test</scope>
     </dependency>
+
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-ext-jdk15on</artifactId>
+      <version>1.50</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.java

@@ -70,6 +70,8 @@ public class DynamoDBEncryptor {
     private final String symmetricEncryptionModeHeader;
     private final String signingAlgorithmHeader;
 
+    public static final String DEFAULT_SIGNING_ALGORITHM_HEADER = DEFAULT_DESCRIPTION_BASE + "signingAlg";
+    
     protected DynamoDBEncryptor(EncryptionMaterialsProvider provider, String descriptionBase) {
         this.encryptionMaterialsProvider = provider;
         this.descriptionBase = descriptionBase;
@@ -306,8 +308,10 @@ public Map<String, AttributeValue> encryptRecord(
 
         // The description must be stored after encryption because its data
         // is necessary for proper decryption.
-        DynamoDBSigner signer = DynamoDBSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, rnd);
-        if (materials.getSigningKey() instanceof PrivateKey) {
+        final String signingAlgo = materialDescription.get(signingAlgorithmHeader);
+        DynamoDBSigner signer = DynamoDBSigner.getInstance(signingAlgo == null ? DEFAULT_SIGNATURE_ALGORITHM : signingAlgo, rnd);
+        
+        if (materials.getSigningKey() instanceof PrivateKey ) {
             materialDescription.put(signingAlgorithmHeader, signer.getSigningAlgorithm());
         }
         if (!materialDescription.isEmpty()) {
@@ -483,6 +487,9 @@ protected static AttributeValue marshallDescription(Map<String, String> descript
         }
     }
 
+    public String getSigningAlgorithmHeader() {
+        return signingAlgorithmHeader;
+    }
     /**
      * @see #marshallDescription(Map)
      */

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBSigner.java

@@ -54,13 +54,15 @@ class DynamoDBSigner {
     private final SecretKey hmacComparisonKey;
     private final String signingAlgorithm;
 
+    /**
+     * @param signingAlgorithm
+     *            is the algorithm used for asymmetric signing (ex:
+     *            SHA256withRSA). This is ignored for symmetric HMACs as that
+     *            algorithm is fully specified by the key.
+     */
     static DynamoDBSigner getInstance(String signingAlgorithm, SecureRandom rnd) {
         DynamoDBSigner result = cache.get(signingAlgorithm);
         if (result == null) {
-            // TODO: Support more signing algorithms.
-            if (!signingAlgorithm.equals("SHA256withRSA")) {
-                throw new UnsupportedOperationException("Only SHA256withRSA signatures currently supported.");
-            }
             result = new DynamoDBSigner(signingAlgorithm, rnd);
             cache.putIfAbsent(signingAlgorithm, result);
         }

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/KeyStoreMaterialsProvider.java

@@ -14,14 +14,14 @@
  */
 package com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers;
 
+import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.KeyStore.Entry;
 import java.security.KeyStore.PrivateKeyEntry;
 import java.security.KeyStore.ProtectionParameter;
-import java.security.KeyStore.TrustedCertificateEntry;
-import java.security.GeneralSecurityException;
 import java.security.KeyStore.SecretKeyEntry;
+import java.security.KeyStore.TrustedCertificateEntry;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/internal/AttributeValueMarshaller.java

@@ -110,8 +110,16 @@ public static ByteBuffer marshall(AttributeValue attributeValue) {
                     out.writeInt(bytes.length);
                     out.write(bytes);
                 }
+            } else if (attributeValue.getBOOL() != null) {
+                throw new UnsupportedOperationException("BOOL data type has yet to be supported");
+            } else if (attributeValue.getNULL() != null) {
+                throw new UnsupportedOperationException("NULL data type has yet to be supported");
+            } else if (attributeValue.getL() != null) {
+                throw new UnsupportedOperationException("List data type has yet to be supported");
+            } else if (attributeValue.getM() != null) {
+                throw new UnsupportedOperationException("Map data type has yet to be supported");
             } else {
-                out.writeChar('\0');
+                throw new IllegalArgumentException("A seemingly empty AttributeValue is indicative of invalid input or potential errors");
             }
             out.close();
             return ByteBuffer.wrap(resultBytes.toByteArray());

src/test/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptorTest.java

@@ -22,9 +22,13 @@
 
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
+import java.security.Security;
 import java.security.SignatureException;
 import java.util.Collection;
 import java.util.Collections;
@@ -38,6 +42,9 @@
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 
+import org.bouncycastle.jce.ECNamedCurveTable;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jce.spec.ECParameterSpec;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;
@@ -250,6 +257,37 @@ public void RsaSignedOnlyBadSignature() throws GeneralSecurityException {
         encryptor.decryptAllFieldsExcept(encryptedAttributes, context, attribs.keySet().toArray(new String[0]));
     }
 
+    @Test
+    public void EcdsaSignedOnly() throws GeneralSecurityException {
+
+        encryptor = DynamoDBEncryptor.getInstance(getMaterialProviderwithECDSA());
+        
+        Map<String, AttributeValue> encryptedAttributes = encryptor.encryptAllFieldsExcept(attribs, context, attribs.keySet().toArray(new String[0]));
+        assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
+        Map<String, AttributeValue> decryptedAttributes = 
+                encryptor.decryptAllFieldsExcept(encryptedAttributes, context, attribs.keySet().toArray(new String[0]));
+        assertThat(decryptedAttributes, AttrMatcher.match(attribs));
+        
+        // Make sure keys and version are not encrypted
+        assertAttrEquals(attribs.get("hashKey"), encryptedAttributes.get("hashKey"));
+        assertAttrEquals(attribs.get("rangeKey"), encryptedAttributes.get("rangeKey"));
+        assertAttrEquals(attribs.get("version"), encryptedAttributes.get("version"));
+        
+        // Make sure String has not been encrypted (we'll assume the others are correct as well)
+        assertAttrEquals(attribs.get("stringValue"), encryptedAttributes.get("stringValue"));
+    }
+    
+    @Test(expected=SignatureException.class)
+    public void EcdsaSignedOnlyBadSignature() throws GeneralSecurityException {
+
+        encryptor = DynamoDBEncryptor.getInstance(getMaterialProviderwithECDSA());
+
+        Map<String, AttributeValue> encryptedAttributes = encryptor.encryptAllFieldsExcept(attribs, context, attribs.keySet().toArray(new String[0]));
+        assertThat(encryptedAttributes, AttrMatcher.invert(attribs));
+        encryptedAttributes.get("hashKey").setN("666");
+        encryptor.decryptAllFieldsExcept(encryptedAttributes, context, attribs.keySet().toArray(new String[0]));
+    }
+
     private void assertAttrEquals(AttributeValue o1, AttributeValue o2) {
         Assert.assertEquals(o1.getB(), o2.getB());
         assertSetsEqual(o1.getBS(), o2.getBS());
@@ -268,6 +306,18 @@ private <T> void assertSetsEqual(Collection<T> c1, Collection<T> c2) {
         }
     }
 
+    private EncryptionMaterialsProvider getMaterialProviderwithECDSA() 
+           throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, NoSuchProviderException {
+            Security.addProvider(new BouncyCastleProvider());
+            ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("secp384r1");
+            KeyPairGenerator g = KeyPairGenerator.getInstance("ECDSA", "BC");
+            g.initialize(ecSpec, new SecureRandom());
+            KeyPair keypair = g.generateKeyPair();
+            Map<String, String> description = new HashMap<String, String>();
+            description.put(DynamoDBEncryptor.DEFAULT_SIGNING_ALGORITHM_HEADER, "SHA384withECDSA");
+            return new SymmetricStaticProvider(null, keypair, description);
+    }
+
     private static final class InstrumentedEncryptionMaterialsProvider implements EncryptionMaterialsProvider {
         private final EncryptionMaterialsProvider delegate;
         private final ConcurrentHashMap<String, AtomicInteger> calls = new ConcurrentHashMap<>();