Google/Tink: Use AWS KMS Key encrypt key material but get NullPointerException

Question

When I used follow demo to encrypt key material, I got NullPointerException in AwsKmsClient().getAead() mothod.

String masterKeyUri = "aws-kms://arn:aws:kms:us-east-1:007084425826:key/84a65985-f868-4bfc-83c2-366618acf147";
KeysetHandle keysetHandle = KeysetHandle.read(
        JsonKeysetReader.withFile(new File(keysetFilename)),
        new AwsKmsClient().getAead(masterKeyUri));

I debuged and found AWSKMS client(this.client) in AwsKmsClient is null.

public Aead getAead(String uri) throws GeneralSecurityException {
        if (this.keyUri != null && !this.keyUri.equals(uri)) {
            throw new GeneralSecurityException(String.format("this client is bound to %s, cannot load keys bound to %s", this.keyUri, uri));
        } else {
            return new AwsKmsAead(this.client, Validators.validateKmsKeyUriAndRemovePrefix("aws-kms://", uri));
        }
    }

Do you know how to deal with this problem? or how to use AWS KMS correctly? Thanks in advance.

score 0 · Accepted Answer · answered Jan 17 '19 at 23:15

Sorry for the slow response. It seems that you forgot to add credentials?

Please try this and let me know if it works:

String masterKeyUri = "aws-kms://arn:aws:kms:us-east-1:007084425826:key/84a65985-f868-4bfc-83c2-366618acf147";
KeysetHandle keysetHandle = KeysetHandle.read(
        JsonKeysetReader.withFile(new File(keysetFilename)),
        new AwsKmsClient().withDefaultCredentials().getAead(masterKeyUri))

The API could be improved though. I'll see to it how to do that.

Google/Tink: Use AWS KMS Key encrypt key material but get NullPointerException

1 Answers1