284 lines (164 loc) · 24.6 KB

Changelog

4.0.1 (2026-02-10)

Fixes

set instruction file content length (b76c281)

Maintenance

fix examples & spec path (#493) (a95aa3f)

4.0.0 (2025-12-17)

⚠ BREAKING CHANGES

The S3 Encryption Client now requires key committing algorithm suites by default. See migration guide from 3.x to 4.x: link
builder() method has been removed; use builderV4() instead
builderV4() now defaults to commitmentPolicy (REQUIRE_ENCRYPT_REQUIRE_DECRYPT) and encryptionAlgorithm (ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY)
Updated expectations for custom implementations of the CryptographicMaterialsManager interface.
- Custom implementations of the interface's getEncryptionMaterials method MUST set the AlgorithmSuite field on the returned EncryptionMaterials.
  - The provided DefaultCryptoMaterialsManager's getEncryptionMaterials method sets this field from the AlgorithmSuite provided in the EncryptionMaterialsRequest.
  - If the custom implementation wraps the provided DefaultCryptoMaterialsManager.getEncryptionMaterials method, it's likely that no code updates are required. The provided logic has been updated with this change.
- Custom implementations of the interface's decryptMaterials method MUST set the KeyCommitment field on the returned DecryptionMaterials.
  - The provided DefaultCryptoMaterialsManager's decryptMaterials method sets this field from the KeyCommitment provided in the DecryptMaterialsRequest.
  - If the custom implementation wraps the provided DefaultCryptoMaterialsManager.decryptMaterials method, it's likely that no code updates are required. The provided logic has been updated with this change.
Updated expectations for custom implementations of the Keyring interface.
- Custom implementations of the interface's onDecrypt method MUST preserve the KeyCommitment field on the returned DecryptionMaterials.
  - The provided S3Keyring's onDecrypt method (base class for all keyrings including KmsKeyring) preserves this field through the builder pattern when returning updated materials.
  - If the custom implementation wraps the provided S3Keyring.onDecrypt method or uses the builder pattern to return materials, it's likely that no code updates are required. The provided logic has been updated with this change.

Features

Updates to the S3 Encryption Client (#491) (9d4523e)

Maintenance

update releaserc (#492) (d423d8d)

3.6.0 (2025-12-16)

Features

Updates to the S3 Encryption Client (#489) (2b13cf2)

Maintenance

Add 's3:HeadObject' action to S3 bucket policies (#488) (c24b358)
update releaserc (#490) (51d4635)

3.5.0 (2025-10-27)

Features

allow raw keyrings to decrypt with multiple wrapping keys (#485) (a78cb52)

Maintenance

add client specification and Duvet annotations (#481) (1bd8b7a)
move spec submodule to master, update annotations (#482) (cc9eafc)
release: skip openjdk11 during release validation (#487) (a210653)
spec: add spec and Duvet annotations for KmsKeyring (#483) (ab41a57)

3.4.0 (2025-07-30)

Features

put object with instruction file configured (#466) (99077dc)
reEncryptInstructionFile Implementation (#475) (ff66e72)
reEncryptInstructionFile Implementation (#478) (f7e6fa5)

Fixes

Revert "feat: reEncryptInstructionFile Implementation (#475)" (#477) (6d45ec5)

Maintenance

guard against properties conflicts (#479) (793c73b)
pom: fix scm url (#469) (1bc2ca3)
release: Migrate release to Central Portal (#468) (da71231)
validate against legacy wrapping on client but customer passes keyring with no legacy wrapping (#473) (bb898d1)

3.3.5 (2025-05-21)

Fixes

determine effective contentLength, account for tagLength on decrypt (#463) (969d721)
disable low-level Multipart Upload in Async client (#461) (599f941)
support PutObjectResponse fields (#462) (dec503b)

Maintenance

Revert "Amazon S3 Encryption Client 3.3.5 Release -- 2025-05-20" (#465) (3f9ac8e)
update dependency needed for semantic-release (#464) (0fd3b58)

3.3.4 (2025-05-12)

Fixes

Add details to error message (#459) (0d32b4a), closes #458
Support all PutObjectRequest fields (#458) (99cce95)

3.3.3 (2025-05-05)

Fixes

fix CipherSubscriber to only call onNext once per request (#456) (646b735)

3.3.2 (2025-04-16)

Fixes

add builders to S3EncryptionClientException class (#450) (647c809)
allow CipherSubscriber to determine if the part is last part (#453) (12355a1)

3.3.1 (2025-01-24)

Fixes

KMS Dependency is required (44e9886)
treat null matdesc as empty (#448) (bcd711e)
unbounded streams are not supported (#422) (034bb89)

3.3.0 (2024-10-30)

Features

allow configuration of instruction file client, add new top-level client options, disable wrapped multipart upload (#387) (37e772f)

Maintenance

add ListBucket permission to release role (#391) (fa1e6cc)
deps-dev: bump commons-io:commons-io from 2.11.0 to 2.14.0 (#381) (5e03842)

3.2.3 (2024-10-04)

Fixes

catch CompletionException instead when instruction file is not found (#379) (dd61547)
handle S3 server encoding of non-US-ASCII object metadata (#375) (b907743)
introduce S3-specific client configuration to top-level configuration (#378) (54fa0cb)

Maintenance

fix release cfn and codebuild (#380) (2844498)
fix release javadocs (#373) (8a69959)

3.2.2 (2024-09-18)

Fixes

use the configured async client to get the instruction file (#366) (5249bbf)

Maintenance

update upload_artifacts (#349) (a21cc35)

3.2.1 (2024-08-21)

Maintenance

Update Release to use token (#347) (87819d1)

3.2.0 (2024-08-20)

Features

add KMS Discovery Keyring (#324) (8d3c06a)
allow S3EncryptionClient and S3AsyncEncryption Client to be configured (#328) (11f25f6)

Maintenance

deps-dev: bump org.bouncycastle:bcprov-jdk18on (#260) (cd58967)
deps: bump software.amazon.awssdk.crt:aws-crt (#303) (cfe325e)
update build scripts (#341) (8fa4266)
Update Release CFN (#343) (81606b6), closes #382

3.1.3 (2024-06-18)

Fixes

Ranged gets with RSA keys (#288) (5d7fc31)
set bufferSize to 1 when bufferSize is less than or equal to 0 in BoundedStreamBufferer (#283) (adb6d3b)

Maintenance

add support policy (#236) (264168d)

3.1.2 (2024-03-21)

Fixes

create clients only if necessary (#187) (ea0c0c7)
do not signal onComplete when the incoming buffer length is less than the cipher block (#209) (8b1a686)

Maintenance

fix dependabot.yml (#190) (5ee8b08)
modify range to allow queries specifying only the start index (#184) (765b9c6)
README: detail no unencrypted pass through (#189) (576ea66), closes #186 /github.com/aws/amazon-s3-encryption-client-java/issues/186#issuecomment-1973016669

3.1.1 (2024-01-24)

Fixes

Close threads when calling PutObject (#180) (45b69fb)

Maintenance

allow ToolsDevelopment to Assume CI Role (#179) (a9fdaa3)
fix release script (#177) (60c377b)
update artifact-hunt.yml to pick the version from pom.xml (#176) (9f6b90f)
update node version in version step (#181) (49c2069)

3.1.0 (2023-08-31)

Features

add configuration option to set max buffer size (#166) (ecf6e6c)
multipart & ranged get examples (#168) (203e5dc)
Refactor KmsKeyring to use GenerateDataKey instead of Encrypt (#171) (a1a22a4)

Fixes

Create default wrapped clients only if necessary. (#163) (285eab6)
unwrap completion exception in AbortMultipartUpload and inside multipart putObject (#174) (84baad8)

Maintenance

allow CI to run in forks (#164) (66a5ca4)
deps-dev: bump bcprov-jdk18on from 1.72 to 1.74 (#169) (5502eab)
fix bugs and nit (#175) (926818b)
install dependabot (#172) (1c63fdb)
warn against use of Encryption Context for non-kms keyrings. (#173) (54557a9)

3.0.1 (2023-06-01)

Maintenance

add metadata downgrade tests(#55) (0fed900)
fix some issues with release (#156) (c6b4e64)

Fixes

null check for InputStream in ApiNameVersion (#161) (c23aeb2)
unwrap CompletionException in default client, rethrow as S3Encry… (#162) (1a00d3e)

3.0.0 (2023-04-06)

⚠ BREAKING CHANGES

prod release for S3 EC (#152)

Features

prod release for S3 EC (#152) (d724eab)

Fixes

Revert "Amazon S3 Encryption Client 2.0.1 Release -- $(date +%Y-%m-%d)" (#151) (a62e455), closes #151
remove illegal javadoc syntax (#147) (412a02c)
remove illegal javadoc tags (#148) (d5682b9)

Maintenance

add scm url to pom.xml (#155) (22ac9ad)
add the developer guide to the README (#150) (b41a07b)
point release at correct internal staging domain, fix group id (#149) (f88e89d)