Module: Aws::S3::EncryptionV2::Utils (Private)

Defined in:
lib/aws-sdk-s3/encryptionV2/utils.rb

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

Class Method Summary

  • .aes_cipher(mode, block_mode, key, iv) ⇒ OpenSSL::Cipher
  • .aes_decryption_cipher(block_mode, key = nil, iv = nil) ⇒ OpenSSL::Cipher
  • .aes_encryption_cipher(block_mode, key = nil, iv = nil) ⇒ OpenSSL::Cipher
  • .cipher_size(key) ⇒ Integer
  • .decrypt(key, data) ⇒ String
  • .decrypt_aes_gcm(key, data, auth_data) ⇒ String
  • .decrypt_rsa(key, enc_data) ⇒ Array<String>
  • .encrypt_aes_gcm(key, data, auth_data) ⇒ String
  • .encrypt_rsa(key, data, auth_data) ⇒ String

Class Method Details

.aes_cipher(mode, block_mode, key, iv) ⇒ OpenSSL::Cipher

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Builds an OpenSSL::Cipher for AES in the requested block mode, with the AES key size taken from the length of key. The callers on this page pass Symbols (:decrypt, :ECB, :GCM); the Strings listed below work as well, since the method only calls downcase on block_mode and send on mode.

Parameters:

  • mode (Symbol, String)

    :encrypt or :decrypt, dispatched with cipher.send(mode)

  • block_mode (Symbol, String)

    "CBC", "ECB" or "GCM" (case-insensitive); decrypt uses :ECB, the *_aes_gcm methods use :GCM

  • key (String, nil)

    Raw AES key bytes; 16, 24 or 32 bytes select AES-128, AES-192 or AES-256. An OpenSSL::PKey::RSA key is not usable here despite the original annotation, because cipher_size calls key.bytesize on it. With nil, a 256-bit cipher is returned with no key installed.

  • iv (String, nil)

    The initialization vector. With nil no IV is installed (ECB takes none, and encrypt_aes_gcm sets one afterwards with random_iv).


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 82

def aes_cipher(mode, block_mode, key, iv)
  # The algorithm name is derived from the key length, e.g. "aes-256-gcm".
  # Without a key a 256-bit cipher is built and the key is left unset.
  cipher = key ?
    OpenSSL::Cipher.new("aes-#{cipher_size(key)}-#{block_mode.downcase}") :
    OpenSSL::Cipher.new("aes-256-#{block_mode.downcase}")
  cipher.send(mode) # :encrypt or :decrypt
  cipher.key = key if key
  cipher.iv = iv if iv # nil for ECB, or when the caller installs a random_iv later
  cipher
end

.aes_decryption_cipher(block_mode, key = nil, iv = nil) ⇒ OpenSSL::Cipher

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Convenience wrapper around aes_cipher with mode fixed to :decrypt.

Parameters:

  • block_mode (Symbol, String)

    "CBC", "ECB" or "GCM" (case-insensitive)

  • key (String, nil) (defaults to: nil)

    Raw AES key bytes; the key length selects the AES key size

  • iv (String, nil) (defaults to: nil)

    The initialization vector


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 74

def aes_decryption_cipher(block_mode, key = nil, iv = nil)
  aes_cipher(:decrypt, block_mode, key, iv)
end

.aes_encryption_cipher(block_mode, key = nil, iv = nil) ⇒ OpenSSL::Cipher

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Convenience wrapper around aes_cipher with mode fixed to :encrypt.

Parameters:

  • block_mode (Symbol, String)

    "CBC", "ECB" or "GCM" (case-insensitive)

  • key (String, nil) (defaults to: nil)

    Raw AES key bytes; the key length selects the AES key size

  • iv (String, nil) (defaults to: nil)

    The initialization vector


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 67

def aes_encryption_cipher(block_mode, key = nil, iv = nil)
  aes_cipher(:encrypt, block_mode, key, iv)
end

.cipher_size(key) ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns the AES key size in bits for a raw key string (bytesize * 8).

Parameters:

  • key (String)

    Raw AES key bytes

Returns:

  • (Integer)

Raises:

  • ArgumentError, per the original annotation. The body listed below performs no validation, so a key whose length is not 16, 24 or 32 bytes does not fail here; it produces an algorithm name such as "aes-160-gcm" that OpenSSL::Cipher.new rejects in aes_cipher.


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 95

def cipher_size(key)
  key.bytesize * 8 # no length check: 16/24/32 bytes give 128/192/256
end

.decrypt(key, data) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Unwraps a data key with the original, unauthenticated wrapping algorithms: RSA with PKCS#1 v1.5 padding (the default of private_decrypt) when key is an OpenSSL::PKey::RSA, AES/ECB when key is a String. Neither mode binds the wrapped key to the content cipher or detects modification of the wrapped bytes; the V2 methods decrypt_aes_gcm and decrypt_rsa carry auth_data for that purpose. Any other key type falls through the case statement and returns nil.


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 27

def decrypt(key, data)
  begin
    case key
    when OpenSSL::PKey::RSA # asymmetric decryption, PKCS#1 v1.5 padding (OpenSSL default)
      key.private_decrypt(data)
    when String # symmetric decryption, AES/ECB with PKCS#7 padding, no IV
      cipher = aes_cipher(:decrypt, :ECB, key, nil)
      cipher.update(data) + cipher.final
    end
  rescue OpenSSL::Cipher::CipherError
    # Only the symmetric branch is translated; an OpenSSL::PKey::RSAError
    # raised by private_decrypt propagates unchanged.
    msg = 'decryption failed, possible incorrect key'
    raise Errors::DecryptionError, msg
  end
end
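The symmetric branch of decrypt, with the aes_cipher / cipher_size dispatch it depends on, as an added example that is not code from aws-sdk-s3: the EcbWrapDemo module, its use of ArgumentError in place of Errors::DecryptionError, and the random keys it generates are this example's own. It shows why an AES/ECB key wrap is a legacy path: the wrapped key is deterministic for a given key and data key, and corrupting one ciphertext block decrypts without any error to a wrong data key while the neighbouring block comes back intact.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not SDK code: re-creates the AES/ECB symmetric branch of
# `decrypt` (and an encrypt counterpart) to show what the wrap does not protect.
module EcbWrapDemo
  BLOCK = 16

  # Same dispatch as aes_cipher: key size from the key length, mode via send.
  def self.ecb(mode, kek)
    OpenSSL::Cipher.new("aes-#{kek.bytesize * 8}-ecb").tap do |c|
      c.send(mode)   # :encrypt or :decrypt
      c.key = kek    # ECB takes no IV; PKCS#7 padding is on by default
    end
  end

  def self.wrap(kek, data_key)
    c = ecb(:encrypt, kek)
    c.update(data_key) + c.final
  end

  # Mirrors `decrypt`: only OpenSSL::Cipher::CipherError is translated.
  def self.unwrap(kek, blob)
    c = ecb(:decrypt, kek)
    c.update(blob) + c.final
  rescue OpenSSL::Cipher::CipherError
    raise ArgumentError, 'decryption failed, possible incorrect key'
  end

  # Constructed tampering: flip the top bit of one byte.
  def self.flip_bit(s, index)
    bytes = s.bytes
    bytes[index] ^= 0x80
    bytes.pack('C*')
  end

  def self.run
    kek      = SecureRandom.random_bytes(32)   # constructed wrapping key
    data_key = SecureRandom.random_bytes(32)   # constructed content key: 2 full blocks
    blob     = wrap(kek, data_key)             # 48 bytes: key + one full padding block

    # Corrupt the first ciphertext block. ECB decrypts blocks independently,
    # the padding block is untouched, so nothing is raised and a wrong key is returned.
    silent = unwrap(kek, flip_bit(blob, 0))

    {
      blob_len:            blob.bytesize,
      roundtrip:           unwrap(kek, blob) == data_key,
      deterministic:       wrap(kek, data_key) == blob,          # same input, same output
      no_error_raised:     silent.bytesize == data_key.bytesize,
      first_block_changed: silent.byteslice(0, BLOCK) != data_key.byteslice(0, BLOCK),
      second_block_intact: silent.byteslice(BLOCK, BLOCK) == data_key.byteslice(BLOCK, BLOCK)
    }
  end
end
```

The last three results are the point: a consumer of this wrap has no way to tell the corrupted key from the genuine one until content decryption produces garbage, which is what the auth tag in the GCM envelope and the OAEP padding check in the RSA envelope exist to prevent.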

.decrypt_aes_gcm(key, data, auth_data) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Unwraps a data key in the layout produced by encrypt_aes_gcm: iv (12 bytes) || ciphertext || tag (16 bytes), with auth_data supplied as GCM additional authenticated data. A mismatch in the tag, the ciphertext, the IV, the key or auth_data raises OpenSSL::Cipher::CipherError from final. The body does not check that data is at least 28 bytes long; a shorter input fails inside the slicing with a NoMethodError rather than a cipher error.


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 42

def decrypt_aes_gcm(key, data, auth_data)
  # data is iv (12B) + key + tag (16B)
  buf = data.unpack('C*')
  iv = buf[0,12].pack('C*') # iv will always be 12 bytes
  tag = buf[-16, 16].pack('C*') # tag is 16 bytes
  enc_key = buf[12, buf.size - (12+16)].pack('C*') # everything between iv and tag
  cipher = aes_cipher(:decrypt, :GCM, key, iv)
  cipher.auth_tag = tag        # must be set before final
  cipher.auth_data = auth_data # AAD: binds the wrapped key to the content cipher
  cipher.update(enc_key) + cipher.final # final raises CipherError if the tag does not verify
end

.decrypt_rsa(key, enc_data) ⇒ Array<String>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns [data, auth_data] recovered from the RSA-OAEP plaintext written by encrypt_rsa: KeyLengthInBytes (1 byte) || DataKey || AuthData. OAEP's padding check rejects a modified ciphertext with OpenSSL::PKey::RSAError, but auth_data is only carried inside the plaintext, so the caller still has to compare the recovered auth_data with the content cipher it expects before using the data key.


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 55

def decrypt_rsa(key, enc_data)
  # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
  buf = key.private_decrypt(enc_data, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING).unpack('C*')
  key_length = buf[0]
  data = buf[1, key_length].pack('C*')
  # The length argument overshoots by one byte; Array#[] clamps it to the end of buf.
  auth_data = buf[key_length+1, buf.length - key_length].pack('C*')
  [data, auth_data]
end

.encrypt_aes_gcm(key, data, auth_data) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Wraps data (a content data key) under key with AES-GCM and returns iv (12 bytes) || ciphertext || tag (16 bytes). auth_data is passed as additional authenticated data, so decrypt_aes_gcm only succeeds when given the same value; the IV is drawn fresh from random_iv for every call.


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 13

def encrypt_aes_gcm(key, data, auth_data)
  cipher = aes_encryption_cipher(:GCM, key)
  # random_iv generates and installs a fresh IV; the assignment only keeps a copy
  cipher.iv = (iv = cipher.random_iv)
  cipher.auth_data = auth_data # AAD, not encrypted, must be repeated on decrypt

  iv + cipher.update(data) + cipher.final + cipher.auth_tag # 12B + len(data) + 16B
end
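The iv || ciphertext || tag envelope of encrypt_aes_gcm and decrypt_aes_gcm, exercised end to end as an added example that is not the SDK's code: the GcmEnvelopeDemo module, its up-front length guard, and the constructed keys and auth_data string are assumptions of this example. It shows that changing the AAD, the ciphertext, the tag or the wrapping key all surface as OpenSSL::Cipher::CipherError at final, and that an envelope too short to hold a key is rejected before any slicing.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not SDK code: same envelope layout as encrypt_aes_gcm /
# decrypt_aes_gcm, plus the checks a consumer of that envelope would want.
module GcmEnvelopeDemo
  IV_LEN  = 12
  TAG_LEN = 16

  # Wrap +data+ under +kek+ (raw AES key bytes), binding +auth_data+ as AAD.
  def self.wrap(kek, data, auth_data)
    cipher = OpenSSL::Cipher.new("aes-#{kek.bytesize * 8}-gcm").encrypt
    cipher.key = kek
    iv = cipher.random_iv          # generates and installs a fresh 12-byte IV
    cipher.auth_data = auth_data
    iv + cipher.update(data) + cipher.final + cipher.auth_tag
  end

  # Inverse of wrap. Raises OpenSSL::Cipher::CipherError when the tag does not
  # verify against key, IV, ciphertext and AAD.
  def self.unwrap(kek, blob, auth_data)
    # Reject envelopes with no room for ciphertext instead of failing in slicing.
    raise ArgumentError, 'envelope too short' if blob.bytesize <= IV_LEN + TAG_LEN
    iv      = blob.byteslice(0, IV_LEN)
    tag     = blob.byteslice(-TAG_LEN, TAG_LEN)
    enc_key = blob.byteslice(IV_LEN, blob.bytesize - IV_LEN - TAG_LEN)
    cipher = OpenSSL::Cipher.new("aes-#{kek.bytesize * 8}-gcm").decrypt
    cipher.key = kek
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = auth_data
    cipher.update(enc_key) + cipher.final
  end

  # :ok when unwrap succeeds, :rejected when GCM authentication fails.
  def self.try_unwrap(kek, blob, auth_data)
    unwrap(kek, blob, auth_data)
    :ok
  rescue OpenSSL::Cipher::CipherError
    :rejected
  end

  # Constructed tampering: flip the low bit of one byte.
  def self.flip_bit(s, index)
    bytes = s.bytes
    bytes[index] ^= 0x01
    bytes.pack('C*')
  end

  def self.run
    kek      = SecureRandom.random_bytes(32)   # constructed wrapping key
    data_key = SecureRandom.random_bytes(32)   # constructed content data key
    aad      = 'AES/GCM/NoPadding'             # content cipher the key is bound to (constructed)
    blob     = wrap(kek, data_key, aad)

    too_short = begin
      unwrap(kek, blob.byteslice(0, IV_LEN + TAG_LEN), aad); :ok
    rescue ArgumentError
      :invalid
    end

    {
      layout_ok:    blob.bytesize == IV_LEN + data_key.bytesize + TAG_LEN,
      roundtrip:    unwrap(kek, blob, aad) == data_key,
      wrong_aad:    try_unwrap(kek, blob, 'AES/CBC/PKCS5Padding'),
      tampered_ct:  try_unwrap(kek, flip_bit(blob, IV_LEN), aad),
      tampered_tag: try_unwrap(kek, flip_bit(blob, blob.bytesize - 1), aad),
      wrong_kek:    try_unwrap(SecureRandom.random_bytes(32), blob, aad),
      too_short:    too_short
    }
  end
end
```

The AAD check is what makes the wrapped key unusable with a different content cipher than the one it was wrapped for; it costs nothing extra on the wire, since AAD is authenticated but not transmitted inside the envelope.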

.encrypt_rsa(key, data, auth_data) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Wraps data (a content data key) with RSA-OAEP under the public key in key. The OAEP plaintext is KeyLengthInBytes (1 byte) || DataKey || AuthData, so data must be at most 255 bytes and the whole plaintext must fit the key's OAEP limit; decrypt_rsa reverses the layout.


# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 21

def encrypt_rsa(key, data, auth_data)
  # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
  # The single length byte caps data at 255 bytes (AES keys are at most 32).
  buf = [data.bytesize] + data.unpack('C*') + auth_data.unpack('C*')
  key.public_encrypt(buf.pack('C*'), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end
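The RSA-OAEP envelope of encrypt_rsa and decrypt_rsa, with the auth_data comparison a consumer has to make, as an added example that is not the SDK's code: the RsaEnvelopeDemo module, its ArgumentError guards, and the generated key pair and constructed data key are this example's own assumptions. It shows the 1-byte length prefix layout round-tripping, a flipped ciphertext bit being rejected by the OAEP padding check, and a recovered auth_data that names a different content cipher being refused before the data key is handed out.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not SDK code: the KeyLengthInBytes || DataKey || AuthData
# plaintext from encrypt_rsa / decrypt_rsa, wrapped with RSA-OAEP.
module RsaEnvelopeDemo
  OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  def self.wrap(pub_key, data_key, auth_data)
    raise ArgumentError, 'data key longer than 255 bytes' if data_key.bytesize > 255
    plaintext = [data_key.bytesize].pack('C') + data_key + auth_data
    pub_key.public_encrypt(plaintext, OAEP)
  end

  # Returns [data_key, auth_data]. A modified ciphertext fails the OAEP check
  # inside private_decrypt with OpenSSL::PKey::RSAError (a PKeyError subclass).
  def self.unwrap(priv_key, blob)
    pt = priv_key.private_decrypt(blob, OAEP)
    key_length = pt.getbyte(0)
    raise ArgumentError, 'length prefix exceeds plaintext' if pt.bytesize < 1 + key_length
    data_key  = pt.byteslice(1, key_length)
    auth_data = pt.byteslice(1 + key_length, pt.bytesize - 1 - key_length)
    [data_key, auth_data]
  end

  # The consumer-side check: auth_data names the content cipher and must equal
  # what the object's metadata claims before the data key is used.
  def self.unwrap_checked(priv_key, blob, expected_auth_data)
    data_key, auth_data = unwrap(priv_key, blob)
    raise ArgumentError, 'auth_data mismatch' unless auth_data == expected_auth_data.b
    data_key
  end

  def self.run
    rsa      = OpenSSL::PKey::RSA.new(2048)          # constructed key pair for the demo
    data_key = SecureRandom.random_bytes(32)         # constructed content data key
    aad      = 'AES/GCM/NoPadding'                   # constructed content cipher name
    blob     = wrap(rsa.public_key, data_key, aad)

    tampered = blob.dup
    tampered.setbyte(0, tampered.getbyte(0) ^ 0x01)  # constructed tampering
    tamper_result = begin
      unwrap(rsa, tampered); :ok
    rescue OpenSSL::PKey::PKeyError
      :rejected
    end

    mismatch = begin
      unwrap_checked(rsa, blob, 'AES/CBC/PKCS5Padding'); :ok
    rescue ArgumentError
      :rejected
    end

    {
      roundtrip:    unwrap(rsa, blob) == [data_key, aad.b],
      checked:      unwrap_checked(rsa, blob, aad) == data_key,
      tampered:     tamper_result,
      aad_mismatch: mismatch
    }
  end
end
```

Unlike the GCM envelope, where auth_data is external AAD, here it travels inside the OAEP plaintext; OAEP's non-malleability protects it in transit, but only the explicit comparison in unwrap_checked turns it into a binding between data key and content cipher.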