Class: Aws::S3::EncryptionV2::KmsCipherProvider Private

Inherits:

Object

Object
Aws::S3::EncryptionV2::KmsCipherProvider

Defined in:: lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Instance Method Summary collapse

#decryption_cipher(envelope, options = {}) ⇒ Cipher private

Given an encryption envelope, returns a decryption cipher.
#encryption_cipher(options = {}) ⇒ Array<Hash,Cipher> private

Creates and returns a new encryption envelope and encryption cipher.
#initialize(options = {}) ⇒ KmsCipherProvider constructor private

A new instance of KmsCipherProvider.

Constructor Details

#initialize(options = {}) ⇒ `KmsCipherProvider`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of KmsCipherProvider.

# File 'lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb', line 11

def initialize(options = {})
  @kms_key_id = validate_kms_key(options[:kms_key_id])
  @kms_client = options[:kms_client]
  @key_wrap_schema = validate_key_wrap(
    options[:key_wrap_schema]
  )
  @content_encryption_schema = validate_cek(
    options[:content_encryption_schema]
  )
end

Instance Method Details

#decryption_cipher(envelope, options = {}) ⇒ `Cipher`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Given an encryption envelope, returns a decryption cipher.

Returns:

(Cipher) —

Given an encryption envelope, returns a decryption cipher.

# File 'lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb', line 50

def decryption_cipher(envelope, options = {})
  encryption_context = Json.load(envelope['x-amz-matdesc'])
  cek_alg = envelope['x-amz-cek-alg']

  case envelope['x-amz-wrap-alg']
  when 'kms'
    unless options[:security_profile] == :v2_and_legacy
      raise Errors::LegacyDecryptionError
    end
  when 'kms+context'
    if cek_alg != encryption_context['aws:x-amz-cek-alg']
      raise Errors::CEKAlgMismatchError
    end

    if encryption_context != build_encryption_context(cek_alg, options)
      raise Errors::DecryptionError, 'Value of encryption context from'\
        ' envelope does not match the provided encryption context'
    end
  when 'AES/GCM'
    raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with a KMS key and the x-amz-wrap-alg is AES/GCM.'
  when 'RSA-OAEP-SHA1'
    raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with a KMS key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
  else
    raise ArgumentError, 'Unsupported wrap-alg: ' \
        "#{envelope['x-amz-wrap-alg']}"
  end

  any_cmk_mode = false || options[:kms_allow_decrypt_with_any_cmk]
  decrypt_options = {
    ciphertext_blob: decode64(envelope['x-amz-key-v2']),
    encryption_context: encryption_context
  }
  unless any_cmk_mode
    decrypt_options[:key_id] = @kms_key_id
  end

  key = Aws::Plugins::UserAgent.feature('S3CryptoV2') do
    @kms_client.decrypt(decrypt_options).plaintext
  end
  iv = decode64(envelope['x-amz-iv'])
  block_mode =
    case cek_alg
    when 'AES/CBC/PKCS5Padding'
      :CBC
    when 'AES/CBC/PKCS7Padding'
      :CBC
    when 'AES/GCM/NoPadding'
      :GCM
    else
      type = envelope['x-amz-cek-alg'].inspect
      msg = "unsupported content encrypting key (cek) format: #{type}"
      raise Errors::DecryptionError, msg
    end
  Utils.aes_decryption_cipher(block_mode, key, iv)
end

#encryption_cipher(options = {}) ⇒ `Array<Hash,Cipher>`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Creates and returns a new encryption envelope and encryption cipher.

Returns:

(Array<Hash,Cipher>) —

Creates and returns a new encryption envelope and encryption cipher.

# File 'lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb', line 24

def encryption_cipher(options = {})
  validate_key_for_encryption
  encryption_context = build_encryption_context(@content_encryption_schema, options)
  key_data = Aws::Plugins::UserAgent.feature('S3CryptoV2') do
    @kms_client.generate_data_key(
      key_id: @kms_key_id,
      encryption_context: encryption_context,
      key_spec: 'AES_256'
    )
  end
  cipher = Utils.aes_encryption_cipher(:GCM)
  cipher.key = key_data.plaintext
  envelope = {
    'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
    'x-amz-iv' => encode64(cipher.iv = cipher.random_iv),
    'x-amz-cek-alg' => @content_encryption_schema,
    'x-amz-tag-len' => (AES_GCM_TAG_LEN_BYTES * 8).to_s,
    'x-amz-wrap-alg' => @key_wrap_schema,
    'x-amz-matdesc' => Json.dump(encryption_context)
  }
  cipher.auth_data = '' # auth_data must be set after key and iv
  [envelope, cipher]
end

Class: Aws::S3::EncryptionV2::KmsCipherProvider Private

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ KmsCipherProvider

Instance Method Details

#decryption_cipher(envelope, options = {}) ⇒ Cipher

#encryption_cipher(options = {}) ⇒ Array<Hash,Cipher>

#initialize(options = {}) ⇒ `KmsCipherProvider`

#decryption_cipher(envelope, options = {}) ⇒ `Cipher`

#encryption_cipher(options = {}) ⇒ `Array<Hash,Cipher>`