Class: Aws::S3::Encryption::DefaultCipherProvider Private

Inherits:
Object
  • Object
show all
Defined in:
lib/aws-sdk-s3/encryption/default_cipher_provider.rb

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ DefaultCipherProvider

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of DefaultCipherProvider.


11
12
13
# File 'lib/aws-sdk-s3/encryption/default_cipher_provider.rb', line 11

def initialize(options = {})
  @key_provider = options[:key_provider]
end

Instance Method Details

#decryption_cipher(envelope, options = {}) ⇒ Cipher

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Given an encryption envelope, returns a decryption cipher.

Returns:

  • (Cipher)

    Given an encryption envelope, returns a decryption cipher.


29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'lib/aws-sdk-s3/encryption/default_cipher_provider.rb', line 29

def decryption_cipher(envelope, options = {})
  master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
  if envelope.key? 'x-amz-key'
    # Support for decryption of legacy objects
    key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
    iv = decode64(envelope['x-amz-iv'])
    Utils.aes_decryption_cipher(:CBC, key, iv)
  else
    if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
      raise ArgumentError, 'Unsupported cek-alg: ' \
        "#{envelope['x-amz-cek-alg']}"
    end
    key =
      case envelope['x-amz-wrap-alg']
      when 'AES/GCM'
        if master_key.is_a? OpenSSL::PKey::RSA
          raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with an RSA key and the x-amz-wrap-alg is AES/GCM.'
        end
        Utils.decrypt_aes_gcm(master_key,
                              decode64(envelope['x-amz-key-v2']),
                              envelope['x-amz-cek-alg'])
      when 'RSA-OAEP-SHA1'
        unless master_key.is_a? OpenSSL::PKey::RSA
          raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with an AES key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
        end
        key, cek_alg = Utils.decrypt_rsa(master_key, decode64(envelope['x-amz-key-v2']))
        raise Errors::DecryptionError unless cek_alg == envelope['x-amz-cek-alg']
        key
      when 'kms+context'
        raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with a user provided key and the x-amz-wrap-alg is' \
            ' kms+context.  Please configure the client with the' \
            ' required kms_key_id'
      else
        raise ArgumentError, 'Unsupported wrap-alg: ' \
        "#{envelope['x-amz-wrap-alg']}"
      end
    iv = decode64(envelope['x-amz-iv'])
    Utils.aes_decryption_cipher(:GCM, key, iv)
  end
end

#encryption_cipherArray<Hash,Cipher>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Creates an returns a new encryption envelope and encryption cipher.

Returns:

  • (Array<Hash,Cipher>)

    Creates an returns a new encryption envelope and encryption cipher.


17
18
19
20
21
22
23
24
25
# File 'lib/aws-sdk-s3/encryption/default_cipher_provider.rb', line 17

def encryption_cipher
  cipher = Utils.aes_encryption_cipher(:CBC)
  envelope = {
    'x-amz-key' => encode64(encrypt(envelope_key(cipher))),
    'x-amz-iv' => encode64(envelope_iv(cipher)),
    'x-amz-matdesc' => materials_description,
  }
  [envelope, cipher]
end