CMS in AWS enclaves · Issue #2115 · bcgit/bc-java · GitHub
CMS in AWS enclaves #2115
@stevemit

Description

It would be nice to have an enhancement or subclass of BcCMSContentEncryptorBuilder called BcProvidedCMSContentEncryptorBuilder. This class would not generate a fresh content encryption key (CEK) but instead would accept a provided CEK as a byte array in its constructor.

The use case is KMS in AWS Nitro enclaves. There the GenerateDataKey API creates a CEK and its KEK-wrapped ciphertext atomically. There is no separate wrapping API. The ciphertext format is proprietary and undocumented.

In bcpkix 1.81, the classes BcCMSContentEncryptorBuilder and JceCMSContentEncryptorBuilder cannot be effectively subclassed, because their nested classes are private. A workaround is to copy the source of the entire class.
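
An alternative to copying the builder source is to implement the public `OutputEncryptor` interface directly and give it the provided CEK. The sketch below is an added example, not code from the issue or from Bouncy Castle; the class name `ProvidedKeyEncryptor` and the choice of AES-256-CBC are assumptions.

```java
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.operator.GenericKey;
import org.bouncycastle.operator.OutputEncryptor;

/** Hypothetical class: encrypts CMS content under a caller-supplied CEK. One instance per message. */
public final class ProvidedKeyEncryptor implements OutputEncryptor {
    private final byte[] cek;
    private final AlgorithmIdentifier algId;
    private final Cipher cipher;

    public ProvidedKeyEncryptor(byte[] providedCek, SecureRandom random)
            throws GeneralSecurityException {
        if (providedCek == null || providedCek.length != 32) {
            throw new IllegalArgumentException("expected a 256-bit CEK");
        }
        this.cek = providedCek.clone();   // defensive copy of the externally generated key
        byte[] iv = new byte[16];
        random.nextBytes(iv);             // the IV is still generated locally, only the key is provided
        // RFC 3565: the AES-CBC algorithm parameters are the IV as an OCTET STRING.
        // Assumption: CBC is used here for brevity; it gives confidentiality only, no integrity.
        this.algId = new AlgorithmIdentifier(
                NISTObjectIdentifiers.id_aes256_CBC, new DEROctetString(iv));
        this.cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        this.cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(cek, "AES"),
                new IvParameterSpec(iv));
    }

    @Override
    public AlgorithmIdentifier getAlgorithmIdentifier() { return algId; }

    @Override
    public OutputStream getOutputStream(OutputStream encOut) {
        return new CipherOutputStream(encOut, cipher);   // closing the stream writes the final block
    }

    @Override
    public GenericKey getKey() { return new GenericKey(algId, cek); }   // handed to recipient info generators
}
```

An instance can be passed to `CMSEnvelopedDataGenerator.generate(CMSTypedData, OutputEncryptor)`. A recipient info generator that carries the KMS-produced ciphertext is still needed and is not shown.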

Labels

enhancement (New feature or request)
