
CMS in AWS enclaves

Open stevemit opened this issue 7 months ago • 0 comments

It would be nice to have an enhancement or subclass of BcCMSContentEncryptorBuilder called BcProvidedCMSContentEncryptorBuilder. This class would not generate a fresh content encryption key (CEK) but instead would accept a provided CEK as a byte array in its constructor.

The use case is KMS in AWS Nitro enclaves. There the GenerateDataKey API creates a CEK and its KEK-wrapped ciphertext atomically. There is no separate wrapping API. The ciphertext format is proprietary and undocumented.

In bcpkix 1.81, the classes BcCMSContentEncryptorBuilder and JceCMSContentEncryptorBuilder cannot be effectively subclassed, because their nested classes are private. A workaround is to copy the source of the entire class.

stevemit, Jun 22 '25 10:06
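The request above can be met today without subclassing either builder, by implementing `OutputEncryptor` directly and pairing it with a `KEKRecipientInfoGenerator` that emits the already-wrapped blob. The following is an added example written for this page; it is not code from the issue author or from bc-java, and it goes beyond the issue text in showing both halves (content encryption under a provided CEK, and a recipient whose `encryptedKey` is the opaque KMS ciphertext). Assumptions are marked: the class and method names are invented, the private-arc OID `1.3.6.1.4.1.99999.1.1` is a placeholder because no standard identifier exists for the KMS ciphertext format, the KEK identifier string is a placeholder, and the "wrapped" blob is random bytes standing in for a `GenerateDataKey` `CiphertextBlob` so the program runs without AWS. AES-256-CBC is used because plain `EnvelopedData` (RFC 5652) carries unauthenticated ciphers; an AEAD mode would belong in `AuthEnvelopedData` (RFC 5084) instead.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.cms.KEKIdentifier;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.KEKRecipientInfoGenerator;
import org.bouncycastle.operator.GenericKey;
import org.bouncycastle.operator.OutputEncryptor;

// Added example (not bc-java code): CMS EnvelopedData over a caller-supplied CEK
// plus a recipient that carries an already-wrapped key blob, with no builder subclassing.
public final class ProvidedCekCmsExample {

    /** OutputEncryptor over a caller-supplied 256-bit CEK (AES-256-CBC, see lead-in). */
    static final class ProvidedCekEncryptor implements OutputEncryptor {
        private final byte[] cek;
        private final byte[] iv = new byte[16];
        private final AlgorithmIdentifier algId;

        ProvidedCekEncryptor(byte[] cek) {
            if (cek.length != 32) throw new IllegalArgumentException("expected a 32-byte AES-256 CEK");
            this.cek = cek.clone();
            // Fresh IV per message: a provided CEK may legitimately be reused across messages.
            new SecureRandom().nextBytes(iv);
            this.algId = new AlgorithmIdentifier(NISTObjectIdentifiers.id_aes256_CBC, new DEROctetString(iv));
        }

        @Override public AlgorithmIdentifier getAlgorithmIdentifier() { return algId; }

        @Override public OutputStream getOutputStream(OutputStream encOut) {
            try {
                Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
                c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(cek, "AES"), new IvParameterSpec(iv));
                return new CipherOutputStream(encOut, c);
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }

        /** Handed to each RecipientInfoGenerator; the recipient below uses it only for a consistency check. */
        @Override public GenericKey getKey() { return new GenericKey(algId, cek); }
    }

    /** KEKRecipientInfo whose encryptedKey is the opaque blob KMS already produced.
     *  The OID is a placeholder from a private arc (assumption); receivers must know this convention. */
    static final class KmsWrappedKeyRecipient extends KEKRecipientInfoGenerator {
        static final ASN1ObjectIdentifier KMS_WRAPPED_OID = new ASN1ObjectIdentifier("1.3.6.1.4.1.99999.1.1");
        private final byte[] expectedCek;
        private final byte[] wrappedCek;

        KmsWrappedKeyRecipient(byte[] kekId, byte[] expectedCek, byte[] wrappedCek) {
            super(new KEKIdentifier(kekId, null, null), new AlgorithmIdentifier(KMS_WRAPPED_OID));
            this.expectedCek = expectedCek.clone();
            this.wrappedCek = wrappedCek.clone();
        }

        @Override protected byte[] generateWrappedKey(GenericKey contentEncryptionKey) throws CMSException {
            // Refuse to emit a blob that does not match the CEK actually used for the content;
            // otherwise the recipient receives ciphertext it can never decrypt.
            if (!Arrays.equals((byte[]) contentEncryptionKey.getRepresentation(), expectedCek)) {
                throw new CMSException("content encryption key differs from the key KMS wrapped");
            }
            return wrappedCek;
        }
    }

    /** Envelopes plaintext under the provided CEK; wrappedCek and kekId would come from KMS. */
    static byte[] envelope(byte[] cek, byte[] wrappedCek, byte[] kekId, byte[] plaintext)
            throws CMSException, IOException {
        CMSEnvelopedDataGenerator gen = new CMSEnvelopedDataGenerator();
        gen.addRecipientInfoGenerator(new KmsWrappedKeyRecipient(kekId, cek, wrappedCek));
        CMSEnvelopedData ed = gen.generate(new CMSProcessableByteArray(plaintext), new ProvidedCekEncryptor(cek));
        return ed.getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for a GenerateDataKey response; no KMS call is made.
        SecureRandom rnd = new SecureRandom();
        byte[] cek = new byte[32];
        byte[] fakeCiphertextBlob = new byte[64];
        rnd.nextBytes(cek);
        rnd.nextBytes(fakeCiphertextBlob);
        byte[] kekId = "example-kms-key-id".getBytes(StandardCharsets.UTF_8); // placeholder identifier

        byte[] der = envelope(cek, fakeCiphertextBlob, kekId, "enclave payload".getBytes(StandardCharsets.UTF_8));
        System.out.println("EnvelopedData DER length: " + der.length);
    }
}
```

On the decrypting side, the standard `JceKEKRecipient` would try to AES-unwrap the `encryptedKey` and fail, since the blob is in the proprietary KMS format; the receiver needs its own `Recipient` implementation that hands `encryptedKey` to KMS `Decrypt` (inside the enclave, with attestation) and then decrypts the content with the returned CEK under the `AlgorithmIdentifier` carried in `EncryptedContentInfo`.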