Upgrade AWS Encryption SDK (#98)

* Upgrade AWS dependencies * Update CHANGELOG and README
schibsted · Feb 15, 2023 · e61f7c3 · e61f7c3
1 parent 78d8b34
commit e61f7c3
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,9 @@
 - [CLI in Releases](https://github.com/schibsted/strongbox/releases)
 - [Java SDK in Maven Central](https://search.maven.org/artifact/com.schibsted.security/strongbox-sdk)
 
+## 0.5.0 (2023-2-15) - Security Update
+- Upgrade AWS Encryption SDK dependency due to [GHSA-55xh-53m6-936r](https://github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r)
+
 ## 0.4.0 (2021-5-7) - Bintray Sunset
 - Publish Java SDK to [Maven Central](https://search.maven.org/artifact/com.schibsted.security/strongbox-sdk) instead of [JCenter](https://mvnrepository.com/artifact/com.schibsted.security/strongbox-sdk?repo=jcenter)
 - Stop publishing Archaius and Spring Boot Java libraries

diff --git a/README.md b/README.md
@@ -8,12 +8,10 @@
   <a href="https://snyk.io/test/github/schibsted/strongbox"><img src="https://snyk.io/test/github/schibsted/strongbox/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/github/schibsted/strongbox" style="max-width:100%;"></a>
 </p>
 
-**May 2021: Strongbox should be considered deprecated (it will continue to receive minor updates). We recommended to check out [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) (which was launched after Strongbox was open sourced), as well as [HashiCorp Vault](https://www.vaultproject.io/). Changes related to the [Bintray Sunset](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/) is covered in [#91](https://github.com/schibsted/strongbox/issues/91).**
+**Strongbox is not actively maintained. Alternatives include [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) (which was launched after Strongbox was open sourced).**
 
 Strongbox is a CLI/GUI and SDK to manage, store, and retrieve secrets (access tokens, encryption keys, private certificates, etc). Strongbox is a client-side convenience layer on top of AWS KMS, DynamoDB and IAM. It manages the AWS resources for you and configure them in a secure way.
 
-Strongbox has been used in production since mid-2016 and is now used extensively within Schibsted. 
-
 <p align="center">
   <img src="https://raw.githubusercontent.com/schibsted/strongbox/images/strongbox-building-blocks.png" width="70%">
 </p>

diff --git a/build.gradle b/build.gradle
@@ -48,8 +48,8 @@ allprojects {
         airlineVersion = '0.8'
         apacheCommonsVersion = '1.2'
         archaiusVersion = '0.7.5'
-        awsEncryptionVersion = '0.0.1'
-        awsVersion = '1.11.124'
+        awsEncryptionVersion = '2.4.0'
+        awsVersion = '1.12.395'
         // can't update guava to latest version until airline is fixed, see https://github.com/airlift/airline/pull/53
         guavaVersion = '20.0'
         hamcrestVersion = '1.3'

diff --git a/sdk/src/main/java/com/schibsted/security/strongbox/sdk/internal/encryption/KMSEncryptor.java b/sdk/src/main/java/com/schibsted/security/strongbox/sdk/internal/encryption/KMSEncryptor.java
@@ -6,13 +6,14 @@
 
 import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.encryptionsdk.AwsCrypto;
+import com.amazonaws.encryptionsdk.CommitmentPolicy;
 import com.amazonaws.encryptionsdk.CryptoAlgorithm;
 import com.amazonaws.encryptionsdk.CryptoResult;
 import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
 import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
 import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
-import com.amazonaws.regions.Region;
-import com.amazonaws.regions.RegionUtils;
+import com.amazonaws.services.kms.AWSKMSClient;
+import com.amazonaws.services.kms.AWSKMSClientBuilder;
 import com.schibsted.security.strongbox.sdk.exceptions.UnlimitedEncryptionNotSetException;
 import com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource;
 import com.schibsted.security.strongbox.sdk.types.ClientConfiguration;
@@ -60,7 +61,13 @@ public static KMSEncryptor fromCredentials(AWSCredentialsProvider awsCredentials
                                                SecretsGroupIdentifier groupIdentifier,
                                                EncryptionStrength encryptionStrength) {
         KMSManager manager = KMSManager.fromCredentials(awsCredentials, clientConfiguration, groupIdentifier);
-        return new KMSEncryptor(manager, awsCredentials, clientConfiguration, groupIdentifier, new AwsCrypto(), encryptionStrength);
+
+        AwsCrypto awsCrypto = AwsCrypto.builder()
+                .withCommitmentPolicy(CommitmentPolicy.ForbidEncryptAllowDecrypt)
+                .withMaxEncryptedDataKeys(1)
+                .build();
+
+        return new KMSEncryptor(manager, awsCredentials, clientConfiguration, groupIdentifier, awsCrypto, encryptionStrength);
     }
 
     /**
@@ -174,8 +181,17 @@ public int pendingDeletionWindowInDays() {
 
     protected KmsMasterKeyProvider getProvider() {
         if (!prov.isPresent()) {
-            Region region = RegionUtils.getRegion(groupIdentifier.region.getName());
-            prov = Optional.of(new KmsMasterKeyProvider(awsCredentials, region, transformAndVerifyOrThrow(clientConfiguration), getKeyArn()));
+            AWSKMSClientBuilder kmsClientBuilder = AWSKMSClient.builder()
+                    .withCredentials(awsCredentials)
+                    .withRegion(groupIdentifier.region.getName())
+                    .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration));
+
+            KmsMasterKeyProvider provider = KmsMasterKeyProvider.builder()
+                    .withClientBuilder(kmsClientBuilder)
+                    .withDefaultRegion(groupIdentifier.region.getName())
+                    .buildStrict(getKeyArn());
+
+            prov = Optional.of(provider);
         }
         return prov.get();
     }