From 4bbe029f34ff270d4f2b7d9c3b232d092dd6af4e Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Thu, 31 Oct 2019 17:20:14 -0700 Subject: [PATCH] Defining Keyring interface and implementing RawKeyring. *Issue #, if available:* #102 *Description of changes:* This change defines the Keyring interface and an implementation of a RawKeyring which supports both AES and RSA. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. # Check any applicable: - [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files. --- .../DefaultCryptoMaterialsManager.java | 8 +- .../internal/DecryptionHandler.java | 11 +- .../encryptionsdk/keyrings/Keyring.java | 73 ++++++++++ .../encryptionsdk/keyrings/RawKeyring.java | 134 ++++++++++++++++++ .../model/DecryptionMaterials.java | 93 ++++++++++-- .../model/EncryptionMaterials.java | 16 ++- .../DefaultCryptoMaterialsManagerTest.java | 3 +- .../caching/CacheTestFixtures.java | 9 +- ...alCryptoMaterialsCacheThreadStormTest.java | 12 +- 9 files changed, 321 insertions(+), 38 deletions(-) create mode 100644 src/main/java/com/amazonaws/encryptionsdk/keyrings/Keyring.java create mode 100644 src/main/java/com/amazonaws/encryptionsdk/keyrings/RawKeyring.java diff --git a/src/main/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManager.java b/src/main/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManager.java index d31c615b5..25b4d9c14 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManager.java +++ b/src/main/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManager.java @@ -131,9 +131,11 @@ public DefaultCryptoMaterialsManager(MasterKeyProvider mkp) { } return DecryptionMaterials.newBuilder() - .setDataKey(dataKey) - .setTrailingSignatureKey(pubKey) - .build(); + .setAlgorithm(request.getAlgorithm()) + .setCleartextDataKey(dataKey.getKey()) + .setMasterKey(dataKey.getMasterKey()) + .setTrailingSignatureKey(pubKey) + .build(); } private PublicKey deserializeTrailingKeyFromEc(CryptoAlgorithm algo, String pubKey) { diff --git a/src/main/java/com/amazonaws/encryptionsdk/internal/DecryptionHandler.java b/src/main/java/com/amazonaws/encryptionsdk/internal/DecryptionHandler.java index 386a4d867..5f2729155 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/internal/DecryptionHandler.java +++ b/src/main/java/com/amazonaws/encryptionsdk/internal/DecryptionHandler.java @@ -28,7 +28,6 @@ import com.amazonaws.encryptionsdk.CryptoAlgorithm; import com.amazonaws.encryptionsdk.CryptoMaterialsManager; -import com.amazonaws.encryptionsdk.DataKey; import com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager; import com.amazonaws.encryptionsdk.MasterKey; import com.amazonaws.encryptionsdk.MasterKeyProvider; @@ -61,7 +60,8 @@ public class DecryptionHandler> implements MessageCryptoH private CryptoHandler contentCryptoHandler_; - private DataKey dataKey_; + private SecretKey dataKey_; + private K masterKey_; private SecretKey decryptionKey_; private CryptoAlgorithm cryptoAlgo_; private Signature trailingSig_; @@ -454,12 +454,13 @@ private void readHeaderFields(final CiphertextHeaders ciphertextHeaders) { DecryptionMaterials result = materialsManager_.decryptMaterials(request); + dataKey_ = result.getCleartextDataKey(); //noinspection unchecked - dataKey_ = (DataKey)result.getDataKey(); + masterKey_ = (K)result.getMasterKey(); PublicKey trailingPublicKey = result.getTrailingSignatureKey(); try { - decryptionKey_ = cryptoAlgo_.getEncryptionKeyFromDataKey(dataKey_.getKey(), ciphertextHeaders); + decryptionKey_ = cryptoAlgo_.getEncryptionKeyFromDataKey(dataKey_, ciphertextHeaders); } catch (final InvalidKeyException ex) { throw new AwsCryptoException(ex); } @@ -536,7 +537,7 @@ public CiphertextHeaders getHeaders() { @Override public List getMasterKeys() { - return Collections.singletonList(dataKey_.getMasterKey()); + return Collections.singletonList(masterKey_); } @Override diff --git a/src/main/java/com/amazonaws/encryptionsdk/keyrings/Keyring.java b/src/main/java/com/amazonaws/encryptionsdk/keyrings/Keyring.java new file mode 100644 index 000000000..171d9357e --- /dev/null +++ b/src/main/java/com/amazonaws/encryptionsdk/keyrings/Keyring.java @@ -0,0 +1,73 @@ +/* + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except + * in compliance with the License. A copy of the License is located at + * + * http://aws.amazon.com/apache2.0 + * + * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.amazonaws.encryptionsdk.keyrings; + +import com.amazonaws.encryptionsdk.EncryptedDataKey; +import com.amazonaws.encryptionsdk.model.DecryptionMaterials; +import com.amazonaws.encryptionsdk.model.EncryptionMaterials; + +import javax.crypto.SecretKey; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.util.List; + +/** + * Keyrings are responsible for the generation, encryption, and decryption of data keys. + */ +public interface Keyring { + + /** + * Generate a data key if not present and encrypt it using any available wrapping key + * + * @param encryptionMaterials Materials needed for encryption that the keyring may modify. + */ + void onEncrypt(EncryptionMaterials encryptionMaterials); + + /** + * Attempt to decrypt the encrypted data keys + * + * @param decryptionMaterials Materials needed for decryption that the keyring may modify. + * @param encryptedDataKeys List of encrypted data keys. + */ + void onDecrypt(DecryptionMaterials decryptionMaterials, List encryptedDataKeys); + + /** + * Constructs a {@link Keyring} which does local AES-GCM encryption + * decryption of data keys using the provided wrapping key. + * + * @param keyNamespace A UTF-8 encoded value that, together with the key name, identifies the wrapping key. + * @param keyName A UTF-8 encoded value that, together with the key namespace, identifies the wrapping key. + * @param wrappingKey The AES key input to AES-GCM to encrypt plaintext data keys. + * @return The {@link Keyring} + */ + static Keyring rawAes(String keyNamespace, String keyName, SecretKey wrappingKey) { + return RawKeyring.aes(keyNamespace, keyName, wrappingKey); + } + + /** + * Constructs a {@link Keyring} which does local RSA encryption and decryption of data keys using the + * provided public and private keys. If {@code privateKey} is {@code null} then the returned {@link Keyring} + * can only be used for encryption. + * + * @param keyNamespace A UTF-8 encoded value that, together with the key name, identifies the wrapping key. + * @param keyName A UTF-8 encoded value that, together with the key namespace, identifies the wrapping key. + * @param publicKey The RSA public key used by this keyring to encrypt data keys. + * @param privateKey The RSA private key used by this keyring to decrypt data keys. + * @param wrappingAlgorithm The RSA algorithm to use with this keyring. + * @return The {@link Keyring} + */ + static Keyring rawRsa(String keyNamespace, String keyName, PublicKey publicKey, PrivateKey privateKey, String wrappingAlgorithm) { + return RawKeyring.rsa(keyNamespace, keyName, publicKey, privateKey, wrappingAlgorithm); + } +} diff --git a/src/main/java/com/amazonaws/encryptionsdk/keyrings/RawKeyring.java b/src/main/java/com/amazonaws/encryptionsdk/keyrings/RawKeyring.java new file mode 100644 index 000000000..604046eee --- /dev/null +++ b/src/main/java/com/amazonaws/encryptionsdk/keyrings/RawKeyring.java @@ -0,0 +1,134 @@ +/* + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except + * in compliance with the License. A copy of the License is located at + * + * http://aws.amazon.com/apache2.0 + * + * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ + +package com.amazonaws.encryptionsdk.keyrings; + +import com.amazonaws.encryptionsdk.EncryptedDataKey; +import com.amazonaws.encryptionsdk.internal.JceKeyCipher; +import com.amazonaws.encryptionsdk.internal.Utils; +import com.amazonaws.encryptionsdk.model.DecryptionMaterials; +import com.amazonaws.encryptionsdk.model.EncryptionMaterials; +import com.amazonaws.encryptionsdk.model.KeyBlob; + +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; + +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.util.List; +import java.util.logging.Logger; + +import static org.apache.commons.lang3.Validate.notBlank; +import static org.apache.commons.lang3.Validate.notNull; + +/** + * A keyring supporting local encryption and decryption using either RSA or AES-GCM. + */ +public class RawKeyring implements Keyring { + + private final String keyNamespace; + private final String keyName; + private final JceKeyCipher jceKeyCipher; + private static final Charset KEY_NAME_ENCODING = StandardCharsets.UTF_8; + private static final Logger LOGGER = Logger.getLogger(RawKeyring.class.getName()); + + static Keyring aes(String keyNamespace, String keyName, SecretKey wrappingKey) { + return new RawKeyring(keyNamespace, keyName, JceKeyCipher.aesGcm(wrappingKey)); + } + + static Keyring rsa(String keyNamespace, String keyName, PublicKey publicKey, PrivateKey privateKey, String transformation) { + return new RawKeyring(keyNamespace, keyName, JceKeyCipher.rsa(publicKey, privateKey, transformation)); + } + + private RawKeyring(final String keyNamespace, final String keyName, JceKeyCipher jceKeyCipher) { + notBlank(keyNamespace, "keyNamespace is required"); + notBlank(keyName, "keyName is required"); + notNull(jceKeyCipher, "jceKeyCipher is required"); + + this.keyNamespace = keyNamespace; + this.keyName = keyName; + this.jceKeyCipher = jceKeyCipher; + } + + @Override + public void onEncrypt(EncryptionMaterials encryptionMaterials) { + notNull(encryptionMaterials, "encryptionMaterials are required"); + + if (encryptionMaterials.getCleartextDataKey() == null) { + generateDataKey(encryptionMaterials); + } + + final SecretKey cleartextDataKey = encryptionMaterials.getCleartextDataKey(); + + if (!cleartextDataKey.getAlgorithm().equalsIgnoreCase(encryptionMaterials.getAlgorithm().getDataKeyAlgo())) { + throw new IllegalArgumentException("Incorrect key algorithm. Expected " + cleartextDataKey.getAlgorithm() + + " but got " + encryptionMaterials.getAlgorithm().getDataKeyAlgo()); + } + + final EncryptedDataKey encryptedDataKey = jceKeyCipher.encryptKey( + cleartextDataKey.getEncoded(), keyName, keyNamespace, encryptionMaterials.getEncryptionContext()); + encryptionMaterials.getEncryptedDataKeys().add(new KeyBlob(encryptedDataKey)); + + encryptionMaterials.getKeyringTrace().add(keyNamespace, keyName, KeyringTraceFlag.ENCRYPTED_DATA_KEY); + } + + @Override + public void onDecrypt(DecryptionMaterials decryptionMaterials, List encryptedDataKeys) { + notNull(decryptionMaterials, "decryptionMaterials are required"); + notNull(encryptedDataKeys, "encryptedDataKeys are required"); + + if (decryptionMaterials.getCleartextDataKey() != null) { + return; + } + + final byte[] keyNameBytes = keyName.getBytes(KEY_NAME_ENCODING); + + for (EncryptedDataKey encryptedDataKey : encryptedDataKeys) { + if (!keyNamespace.equals(encryptedDataKey.getProviderId())) { + continue; + } + + if (!Utils.arrayPrefixEquals(encryptedDataKey.getProviderInformation(), keyNameBytes, keyNameBytes.length)) { + continue; + } + + try { + final byte[] decryptedKey = jceKeyCipher.decryptKey( + encryptedDataKey, keyName, decryptionMaterials.getEncryptionContext()); + decryptionMaterials.setCleartextDataKey( + new SecretKeySpec(decryptedKey, decryptionMaterials.getAlgorithm().getDataKeyAlgo())); + decryptionMaterials.getKeyringTrace().add(keyNamespace, keyName, KeyringTraceFlag.DECRYPTED_DATA_KEY); + return; + } catch (Exception e) { + LOGGER.info("Could not decrypt key due to: " + e.getMessage()); + } + } + + LOGGER.warning("Could not decrypt any data keys"); + } + + private void generateDataKey(EncryptionMaterials encryptionMaterials) { + if (encryptionMaterials.getCleartextDataKey() != null) { + throw new IllegalStateException("Plaintext data key already exists"); + } + + final byte[] rawKey = new byte[encryptionMaterials.getAlgorithm().getDataKeyLength()]; + Utils.getSecureRandom().nextBytes(rawKey); + final SecretKey key = new SecretKeySpec(rawKey, encryptionMaterials.getAlgorithm().getDataKeyAlgo()); + + encryptionMaterials.setCleartextDataKey(key); + encryptionMaterials.getKeyringTrace().add(keyNamespace, keyName, KeyringTraceFlag.GENERATED_DATA_KEY); + } +} diff --git a/src/main/java/com/amazonaws/encryptionsdk/model/DecryptionMaterials.java b/src/main/java/com/amazonaws/encryptionsdk/model/DecryptionMaterials.java index 0c0ba52c7..8b9ec3e5a 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/model/DecryptionMaterials.java +++ b/src/main/java/com/amazonaws/encryptionsdk/model/DecryptionMaterials.java @@ -1,29 +1,68 @@ package com.amazonaws.encryptionsdk.model; import java.security.PublicKey; +import java.util.Map; -import com.amazonaws.encryptionsdk.DataKey; +import com.amazonaws.encryptionsdk.CryptoAlgorithm; +import com.amazonaws.encryptionsdk.MasterKey; import com.amazonaws.encryptionsdk.keyrings.KeyringTrace; +import javax.crypto.SecretKey; + public final class DecryptionMaterials { - private final DataKey dataKey; + private final CryptoAlgorithm algorithm; + private SecretKey cleartextDataKey; + private final MasterKey masterKey; private final PublicKey trailingSignatureKey; + private final Map encryptionContext; private final KeyringTrace keyringTrace; private DecryptionMaterials(Builder b) { - dataKey = b.getDataKey(); + algorithm = b.getAlgorithm(); + cleartextDataKey = b.getCleartextDataKey(); + masterKey = b.getMasterKey(); trailingSignatureKey = b.getTrailingSignatureKey(); + encryptionContext = b.getEncryptionContext(); keyringTrace = b.getKeyringTrace(); } - public DataKey getDataKey() { - return dataKey; + /** + * The algorithm to use for this decryption operation. Must match the algorithm in DecryptionMaterialsRequest, if that + * algorithm was non-null. + */ + public CryptoAlgorithm getAlgorithm() { + return algorithm; + } + + public SecretKey getCleartextDataKey() { + return cleartextDataKey; + } + + public void setCleartextDataKey(SecretKey cleartextDataKey) { + if(this.cleartextDataKey != null) { + throw new IllegalStateException("dataKey was already populated"); + } + + this.cleartextDataKey = cleartextDataKey; + } + + /** + * Gets the MasterKey (if any) used for decrypting the data key. Will be null + * if a KeyRing was used instead of a MasterKeyProvider. + * @return The MasterKey + */ + public MasterKey getMasterKey() { + return masterKey; } public PublicKey getTrailingSignatureKey() { return trailingSignatureKey; } + public Map getEncryptionContext() { + return encryptionContext; + } + public KeyringTrace getKeyringTrace() { return keyringTrace; } @@ -37,24 +76,47 @@ public Builder toBuilder() { } public static final class Builder { - private DataKey dataKey; + private CryptoAlgorithm algorithm; + private SecretKey cleartextDataKey; + private MasterKey masterKey; private PublicKey trailingSignatureKey; + private Map encryptionContext; private KeyringTrace keyringTrace; private Builder(DecryptionMaterials result) { - this.dataKey = result.getDataKey(); + this.algorithm = result.getAlgorithm(); + this.cleartextDataKey = result.getCleartextDataKey(); + this.masterKey = result.getMasterKey(); this.trailingSignatureKey = result.getTrailingSignatureKey(); this.keyringTrace = result.getKeyringTrace(); } private Builder() {} - public DataKey getDataKey() { - return dataKey; + public CryptoAlgorithm getAlgorithm() { + return algorithm; + } + + public Builder setAlgorithm(CryptoAlgorithm algorithm) { + this.algorithm = algorithm; + return this; + } + + public SecretKey getCleartextDataKey() { + return cleartextDataKey; } - public Builder setDataKey(DataKey dataKey) { - this.dataKey = dataKey; + public Builder setCleartextDataKey(SecretKey cleartextDataKey) { + this.cleartextDataKey = cleartextDataKey; + return this; + } + + public MasterKey getMasterKey() { + return masterKey; + } + + public Builder setMasterKey(MasterKey masterKey) { + this.masterKey = masterKey; return this; } @@ -67,6 +129,15 @@ public Builder setTrailingSignatureKey(PublicKey trailingSignatureKey) { return this; } + public Map getEncryptionContext() { + return encryptionContext; + } + + public Builder setEncryptionContext(Map encryptionContext) { + this.encryptionContext = encryptionContext; + return this; + } + public KeyringTrace getKeyringTrace() { return keyringTrace; } diff --git a/src/main/java/com/amazonaws/encryptionsdk/model/EncryptionMaterials.java b/src/main/java/com/amazonaws/encryptionsdk/model/EncryptionMaterials.java index f9b05a153..558a7c5ea 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/model/EncryptionMaterials.java +++ b/src/main/java/com/amazonaws/encryptionsdk/model/EncryptionMaterials.java @@ -22,7 +22,7 @@ public final class EncryptionMaterials { private final CryptoAlgorithm algorithm; private final Map encryptionContext; private final List encryptedDataKeys; - private final SecretKey cleartextDataKey; + private SecretKey cleartextDataKey; private final PrivateKey trailingSignatureKey; private final List masterKeys; private final KeyringTrace keyringTrace; @@ -75,6 +75,14 @@ public SecretKey getCleartextDataKey() { return cleartextDataKey; } + public void setCleartextDataKey(SecretKey cleartextDataKey) { + if(this.cleartextDataKey != null) { + throw new IllegalStateException("cleartextDataKey was already populated"); + } + + this.cleartextDataKey = cleartextDataKey; + } + /** * The private key to be used to sign the message trailer. Must be present if any only if required by the * crypto algorithm, and the key type must likewise match the algorithm in use. @@ -87,6 +95,10 @@ public PrivateKey getTrailingSignatureKey() { return trailingSignatureKey; } + public KeyringTrace getKeyringTrace() { + return keyringTrace; + } + /** * Contains a list of all MasterKeys that could decrypt this message. */ @@ -160,7 +172,7 @@ public List getEncryptedDataKeys() { } public Builder setEncryptedDataKeys(List encryptedDataKeys) { - this.encryptedDataKeys = Collections.unmodifiableList(new ArrayList<>(encryptedDataKeys)); + this.encryptedDataKeys = new ArrayList<>(encryptedDataKeys); return this; } diff --git a/src/test/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManagerTest.java b/src/test/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManagerTest.java index 9f693fe28..d831e3c8b 100644 --- a/src/test/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManagerTest.java +++ b/src/test/java/com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManagerTest.java @@ -2,7 +2,6 @@ import static com.amazonaws.encryptionsdk.multi.MultipleProviderFactory.buildMultiProvider; import static java.util.Collections.singletonMap; -import static org.hamcrest.Matchers.hasEntry; import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; @@ -250,7 +249,7 @@ public void decrypt_testSimpleRoundTrip() throws Exception { DecryptionMaterials decryptMaterials = new DefaultCryptoMaterialsManager(mk1).decryptMaterials(decryptReqFromMaterials(encryptMaterials)); - assertArrayEquals(decryptMaterials.getDataKey().getKey().getEncoded(), + assertArrayEquals(decryptMaterials.getCleartextDataKey().getEncoded(), encryptMaterials.getCleartextDataKey().getEncoded()); if (encryptMaterials.getTrailingSignatureKey() == null) { diff --git a/src/test/java/com/amazonaws/encryptionsdk/caching/CacheTestFixtures.java b/src/test/java/com/amazonaws/encryptionsdk/caching/CacheTestFixtures.java index bda4343d3..4d385ca5f 100644 --- a/src/test/java/com/amazonaws/encryptionsdk/caching/CacheTestFixtures.java +++ b/src/test/java/com/amazonaws/encryptionsdk/caching/CacheTestFixtures.java @@ -1,12 +1,9 @@ package com.amazonaws.encryptionsdk.caching; -import static org.mockito.ArgumentMatchers.eq; - import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; import java.util.Collections; -import com.amazonaws.encryptionsdk.DataKey; import com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager; import com.amazonaws.encryptionsdk.MasterKey; import com.amazonaws.encryptionsdk.TestUtils; @@ -56,10 +53,8 @@ public static DecryptionMaterials createDecryptResult(DecryptionMaterialsRequest DecryptionMaterials realResult = new DefaultCryptoMaterialsManager(FIXED_KEY).decryptMaterials(request); return realResult .toBuilder() - .setDataKey(new DataKey(new SentinelKey(), - realResult.getDataKey().getEncryptedDataKey(), - realResult.getDataKey().getProviderInformation(), - realResult.getDataKey().getMasterKey())) + .setCleartextDataKey(realResult.getCleartextDataKey()) + .setMasterKey(realResult.getMasterKey()) .build(); } diff --git a/src/test/java/com/amazonaws/encryptionsdk/caching/LocalCryptoMaterialsCacheThreadStormTest.java b/src/test/java/com/amazonaws/encryptionsdk/caching/LocalCryptoMaterialsCacheThreadStormTest.java index 804b148ac..e2ac53637 100644 --- a/src/test/java/com/amazonaws/encryptionsdk/caching/LocalCryptoMaterialsCacheThreadStormTest.java +++ b/src/test/java/com/amazonaws/encryptionsdk/caching/LocalCryptoMaterialsCacheThreadStormTest.java @@ -1,9 +1,6 @@ package com.amazonaws.encryptionsdk.caching; -import static com.amazonaws.encryptionsdk.caching.CacheTestFixtures.createMaterialsResult; import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotEquals; -import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; import java.lang.reflect.Field; @@ -28,7 +25,6 @@ import org.junit.Test; -import com.amazonaws.encryptionsdk.DataKey; import com.amazonaws.encryptionsdk.caching.CryptoMaterialsCache.UsageStats; import com.amazonaws.encryptionsdk.model.DecryptionMaterials; import com.amazonaws.encryptionsdk.model.EncryptionMaterials; @@ -137,9 +133,9 @@ public void decryptAddThread() { ref[0] = 0; CacheTestFixtures.SentinelKey key = new CacheTestFixtures.SentinelKey(); - DecryptionMaterials result = BASE_DECRYPT.toBuilder().setDataKey( - new DataKey(key, new byte[0], new byte[0], BASE_DECRYPT.getDataKey().getMasterKey()) - ).build(); + DecryptionMaterials result = BASE_DECRYPT.toBuilder() + .setCleartextDataKey(key) + .setMasterKey(BASE_DECRYPT.getMasterKey()).build(); ConcurrentHashMap expectedDecryptMap = possibleDecrypts.computeIfAbsent(ByteBuffer.wrap(ref), @@ -183,7 +179,7 @@ public void decryptCheckThread() { CacheTestFixtures.SentinelKey cachedKey = null; if (result != null) { inc("decrypt: hit"); - cachedKey = (CacheTestFixtures.SentinelKey) result.getResult().getDataKey().getKey(); + cachedKey = (CacheTestFixtures.SentinelKey) result.getResult().getCleartextDataKey(); if (expectedDecryptMap.containsKey(cachedKey)) { inc("decrypt: found key in expected"); } else {