From 6144721c555c751a64f9b68dadb43feecd743722 Mon Sep 17 00:00:00 2001
From: Alex Chew
Date: Sat, 11 Jun 2022 07:17:39 -0700
Subject: [PATCH] chore: clarify Key.getAlgorithm usage
---
 .../encryption/materials/WrappedRawMaterials.java | 12 +++++++++++-
 .../providers/WrappedMaterialsProvider.java | 4 ++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/materials/WrappedRawMaterials.java b/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/materials/WrappedRawMaterials.java
index ba0c489a..b5278189 100644
--- a/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/materials/WrappedRawMaterials.java
+++ b/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/materials/WrappedRawMaterials.java
@@ -40,6 +40,10 @@
 *

Other possibly implementations might use a Key-Derivation Function to derive a unique key per * record. * + *

This class is only as strong as the security of the wrapping/unwrapping keys' underlying + * cryptographic algorithm. We recommend using an AES or RSA key, though other algorithms may also + * be used. + * * @author Greg Rubin */ public class WrappedRawMaterials extends AbstractRawMaterials { @@ -117,6 +121,7 @@ protected SecretKey initEnvelopeKey() throws GeneralSecurityException { throw new IllegalStateException("No private decryption key provided."); } byte[] encryptedKey = Base64.decode(description.get(ENVELOPE_KEY)); + // The wrapping/unwrapping keys can be of any algorithm of the user's choice, so no check is needed/possible here. String wrappingAlgorithm = unwrappingKey.getAlgorithm(); if (description.containsKey(KEY_WRAPPING_ALGORITHM)) { wrappingAlgorithm = description.get(KEY_WRAPPING_ALGORITHM); @@ -128,13 +133,16 @@ protected SecretKey initEnvelopeKey() throws GeneralSecurityException { ? generateContentKey(description.get(CONTENT_KEY_ALGORITHM)) : generateContentKey(DEFAULT_ALGORITHM); + // The wrapping/unwrapping keys can be of any algorithm of the user's choice, so no check is needed/possible here. String wrappingAlg = description.containsKey(KEY_WRAPPING_ALGORITHM) ? description.get(KEY_WRAPPING_ALGORITHM) : getTransformation(wrappingKey.getAlgorithm()); + String contentKeyAlg = key.getAlgorithm(); + byte[] encryptedKey = wrapKey(key, wrappingAlg); description.put(ENVELOPE_KEY, Base64.encodeToString(encryptedKey)); - description.put(CONTENT_KEY_ALGORITHM, key.getAlgorithm()); + description.put(CONTENT_KEY_ALGORITHM, contentKeyAlg); description.put(KEY_WRAPPING_ALGORITHM, wrappingAlg); setMaterialDescription(description); return key; 
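Review bot: The added Javadoc paragraph ties the class's strength only to the wrapping key's algorithm, but the code in this file selects a full transformation (`getTransformation(wrappingKey.getAlgorithm())` or the `KEY_WRAPPING_ALGORITHM` description entry), so the key length and the mode/padding of that transformation bound the strength as well. I would widen the sentence to something like `This class is only as strong as the wrapping/unwrapping key, its length, and the key-wrapping transformation used with it.` The same paragraph is added to WrappedMaterialsProvider in the last hunk and would take the same wording.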
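Review bot: The new comment in the first initEnvelopeKey hunk says no check is needed, but on this unwrap path `unwrappingKey.getAlgorithm()` is only a default: the following `if` replaces it with `description.get(KEY_WRAPPING_ALGORITHM)`, a string taken from the material description rather than from the caller's key. Whether the description has been authenticated by this point is not visible in the hunk, so the comment should claim only what it can, e.g. `// unwrappingKey is caller-supplied, so its getAlgorithm() is not validated; KEY_WRAPPING_ALGORITHM from the description overrides it below and is used as given.` The same sentence is added above the `wrappingAlg` ternary in the next hunk and above `Cipher.getInstance(...)` in wrapKey and unwrapKey, where it likewise sits on a line that consumes the transformation string rather than the key. The method body starts and ends outside the hunk.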
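Review bot: In the second initEnvelopeKey hunk the extracted local `contentKeyAlg` is the one `getAlgorithm()` call this commit touches without explaining, and the blank line added after it separates it from the `description.put(CONTENT_KEY_ALGORITHM, contentKeyAlg)` that uses it. A one-line comment such as `// key comes from generateContentKey above, so its algorithm is recorded as-is.` would match the commit's stated purpose. The assignment of `key` begins above the hunk, so that wording should be checked against it.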
@@ -147,6 +155,7 @@ public byte[] wrapKey(SecretKey key, String wrappingAlg) if (wrappingKey instanceof DelegatedKey) { return ((DelegatedKey) wrappingKey).wrap(key, null, wrappingAlg); } else { + // The wrapping key can be of any algorithm of the user's choice, so no check is needed/possible here. Cipher cipher = Cipher.getInstance(wrappingAlg); cipher.init(Cipher.WRAP_MODE, wrappingKey, Utils.getRng()); byte[] encryptedKey = cipher.wrap(key); @@ -167,6 +176,7 @@ protected SecretKey unwrapKey( null, wrappingAlgorithm); } else { + // The unwrapping key can be of any algorithm of the user's choice, so no check is needed/possible here. Cipher cipher = Cipher.getInstance(wrappingAlgorithm); // This can be of the form "AES/256" as well as "AES" e.g., diff --git a/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/WrappedMaterialsProvider.java b/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/WrappedMaterialsProvider.java index 3dab893e..dde84855 100644 --- a/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/WrappedMaterialsProvider.java +++ b/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/WrappedMaterialsProvider.java @@ -38,6 +38,10 @@ *

This is generally a more secure way of encrypting data than with the {@link * SymmetricStaticProvider}. * + *

This class is only as strong as the security of the wrapping/unwrapping keys' underlying + * cryptographic algorithm. We recommend using an AES or RSA key, though other algorithms may also + * be used. + * * @see WrappedRawMaterials * @author Greg Rubin */