Class: Aws::S3::EncryptionV2::DefaultCipherProvider Private

Inherits:

Object

Object
Aws::S3::EncryptionV2::DefaultCipherProvider

Defined in:: lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Instance Method Summary collapse

#decryption_cipher(envelope, options = {}) ⇒ Cipher private

Given an encryption envelope, returns a decryption cipher.
#encryption_cipher(options = {}) ⇒ Array<Hash,Cipher> private

Creates an returns a new encryption envelope and encryption cipher.
#initialize(options = {}) ⇒ DefaultCipherProvider constructor private

A new instance of DefaultCipherProvider.

Constructor Details

#initialize(options = {}) ⇒ `DefaultCipherProvider`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of DefaultCipherProvider.

# File 'lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb', line 11

def initialize(options = {})
  @key_provider = options[:key_provider]
  @key_wrap_schema = validate_key_wrap(
    options[:key_wrap_schema],
    @key_provider.encryption_materials.key
  )
  @content_encryption_schema = validate_cek(
    options[:content_encryption_schema]
  )
end

Instance Method Details

#decryption_cipher(envelope, options = {}) ⇒ `Cipher`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Given an encryption envelope, returns a decryption cipher.

Returns:

(Cipher) —

Given an encryption envelope, returns a decryption cipher.

# File 'lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb', line 50

def decryption_cipher(envelope, options = {})
  validate_options(options)
  master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
  if envelope.key? 'x-amz-key'
    unless options[:security_profile] == :v2_and_legacy
      raise Errors::LegacyDecryptionError
    end
    # Support for decryption of legacy objects
    key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
    iv = decode64(envelope['x-amz-iv'])
    Utils.aes_decryption_cipher(:CBC, key, iv)
  else
    if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
      raise ArgumentError, 'Unsupported cek-alg: ' \
        "#{envelope['x-amz-cek-alg']}"
    end
    key =
      case envelope['x-amz-wrap-alg']
      when 'AES/GCM'
        if master_key.is_a? OpenSSL::PKey::RSA
          raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with an RSA key and the x-amz-wrap-alg is AES/GCM.'
        end
        Utils.decrypt_aes_gcm(master_key,
                            decode64(envelope['x-amz-key-v2']),
                            envelope['x-amz-cek-alg'])
      when 'RSA-OAEP-SHA1'
        unless master_key.is_a? OpenSSL::PKey::RSA
          raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with an AES key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
        end
        key, cek_alg = Utils.decrypt_rsa(master_key, decode64(envelope['x-amz-key-v2']))
        raise Errors::CEKAlgMismatchError unless cek_alg == envelope['x-amz-cek-alg']
        key
      when 'kms+context'
        raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with a user provided key and the x-amz-wrap-alg is' \
            ' kms+context.  Please configure the client with the' \
            ' required kms_key_id'
      else
        raise ArgumentError, 'Unsupported wrap-alg: ' \
              "#{envelope['x-amz-wrap-alg']}"
      end
    iv = decode64(envelope['x-amz-iv'])
    Utils.aes_decryption_cipher(:GCM, key, iv)
  end
end

#encryption_cipher(options = {}) ⇒ `Array<Hash,Cipher>`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Creates an returns a new encryption envelope and encryption cipher.

Returns:

(Array<Hash,Cipher>) —

Creates an returns a new encryption envelope and encryption cipher.

# File 'lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb', line 24

def encryption_cipher(options = {})
  validate_options(options)
  cipher = Utils.aes_encryption_cipher(:GCM)
  if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
    enc_key = encode64(
      encrypt_rsa(envelope_key(cipher), @content_encryption_schema)
    )
  else
    enc_key = encode64(
      encrypt_aes_gcm(envelope_key(cipher), @content_encryption_schema)
    )
  end
  envelope = {
    'x-amz-key-v2' => enc_key,
    'x-amz-cek-alg' => @content_encryption_schema,
    'x-amz-tag-len' => (AES_GCM_TAG_LEN_BYTES * 8).to_s,
    'x-amz-wrap-alg' => @key_wrap_schema,
    'x-amz-iv' => encode64(envelope_iv(cipher)),
    'x-amz-matdesc' => materials_description
  }
  cipher.auth_data = '' # auth_data must be set after key and iv
  [envelope, cipher]
end

Class: Aws::S3::EncryptionV2::DefaultCipherProvider Private

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ DefaultCipherProvider

Instance Method Details

#decryption_cipher(envelope, options = {}) ⇒ Cipher

#encryption_cipher(options = {}) ⇒ Array<Hash,Cipher>

#initialize(options = {}) ⇒ `DefaultCipherProvider`

#decryption_cipher(envelope, options = {}) ⇒ `Cipher`

#encryption_cipher(options = {}) ⇒ `Array<Hash,Cipher>`