Class: Aws::S3::EncryptionV3::DefaultCipherProvider Private
- Inherits: Object
- Defined in: lib/aws-sdk-s3/encryptionV3/default_cipher_provider.rb
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Instance Attribute Summary
- #key_provider ⇒ Object (readonly, private)
Instance Method Summary
- #decryption_cipher(envelope, options = {}) ⇒ Cipher (private)
  Given an encryption envelope, returns a decryption cipher.
- #encryption_cipher(options = {}) ⇒ Array<Hash,Cipher> (private)
  Creates and returns a new encryption envelope and encryption cipher.
- #initialize(options = {}) ⇒ DefaultCipherProvider (constructor, private)
  A new instance of DefaultCipherProvider.
Constructor Details
#initialize(options = {}) ⇒ DefaultCipherProvider
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a new instance of DefaultCipherProvider.
# File 'lib/aws-sdk-s3/encryptionV3/default_cipher_provider.rb', line 10

# NOTE: the page's extraction dropped the local variable name `options` from this
# listing; it is restored here from the signature shown above.
def initialize(options = {})
  @key_provider = options[:key_provider]
  @key_wrap_schema = validate_key_wrap(
    options[:key_wrap_schema],
    @key_provider.encryption_materials.key
  )
  ##= ../specification/s3-encryption/encryption.md#content-encryption
  ##% The S3EC MUST use the encryption algorithm configured during [client](./client.md) initialization.
  @content_encryption_schema = Utils.validate_cek(
    options[:content_encryption_schema]
  )
end
Instance Attribute Details
#key_provider ⇒ Object (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
# File 'lib/aws-sdk-s3/encryptionV3/default_cipher_provider.rb', line 23

def key_provider
  @key_provider
end
Instance Method Details
#decryption_cipher(envelope, options = {}) ⇒ Cipher
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a decryption cipher for the given encryption envelope.
# File 'lib/aws-sdk-s3/encryptionV3/default_cipher_provider.rb', line 59

# NOTE: the page's extraction dropped some local identifiers from this listing.
# `options` is restored from the signature shown above and `iv` from the
# 'x-amz-i' (IV) envelope field; the `validate_options(options)` call name is an
# assumption by analogy with the V2 provider, since only `()` survived.
def decryption_cipher(envelope, options = {})
  validate_options(options)
  wrapping_key = @key_provider.key_for(envelope['x-amz-m'])
  data_key =
    case envelope['x-amz-w']
    when '02'
      ##= ../specification/s3-encryption/data-format/content-metadata.md#v3-only
      ##% - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write.
      if wrapping_key.is_a? OpenSSL::PKey::RSA
        raise ArgumentError, 'Key mismatch - Client is configured' \
                             ' with an RSA key and the x-amz-wrap-alg is AES/GCM.'
      end
      Utils.decrypt_aes_gcm(wrapping_key, decode64(envelope['x-amz-3']), @content_encryption_schema)
    when '22'
      ##= ../specification/s3-encryption/data-format/content-metadata.md#v3-only
      ##% - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write.
      unless wrapping_key.is_a? OpenSSL::PKey::RSA
        raise ArgumentError, 'Key mismatch - Client is configured' \
                             ' with an AES key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
      end
      key, cek_alg = Utils.decrypt_rsa(wrapping_key, decode64(envelope['x-amz-3']))
      raise Errors::CEKAlgMismatchError unless cek_alg == @content_encryption_schema
      key
    when '12'
      raise ArgumentError, 'Key mismatch - Client is configured' \
                           ' with a user provided key and the x-amz-w is' \
                           ' kms+context. Please configure the client with the' \
                           ' required kms_key_id'
    else
      raise ArgumentError, 'Unsupported wrapping algorithm: ' \
                           "#{envelope['x-amz-w']}"
    end
  iv = decode64(envelope['x-amz-i'])
  commitment_key = decode64(envelope['x-amz-d'])
  Utils.derive_alg_aes_256_gcm_hkdf_sha512_commit_key_cipher(data_key, iv, commitment_key)
end
#encryption_cipher(options = {}) ⇒ Array<Hash,Cipher>
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Creates and returns a new encryption envelope and encryption cipher.
# File 'lib/aws-sdk-s3/encryptionV3/default_cipher_provider.rb', line 27

# NOTE: as in the listing above, `options` and `iv` were dropped by the page's
# extraction and are restored here; `validate_options(options)` is an assumed
# reconstruction of the call that survived only as `()`.
def encryption_cipher(options = {})
  validate_options(options)
  data_key = Utils.generate_data_key
  cipher, iv, commitment_key = Utils.generate_alg_aes_256_gcm_hkdf_sha512_commit_key_cipher(data_key)
  enc_key =
    if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
      encode64(
        encrypt_rsa(data_key, @content_encryption_schema)
      )
    else
      encode64(
        encrypt_aes_gcm(data_key, @content_encryption_schema)
      )
    end
  ##= ../specification/s3-encryption/data-format/content-metadata.md#algorithm-suite-and-message-format-version-compatibility
  ##% Objects encrypted with ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY MUST use the V3 message format version only.
  envelope = {
    'x-amz-3' => enc_key,
    'x-amz-c' => @content_encryption_schema,
    'x-amz-w' => @key_wrap_schema,
    ##= ../specification/s3-encryption/data-format/content-metadata.md#v3-only
    ##% The Material Description MUST be used for wrapping algorithms `AES/GCM` (`02`) and `RSA-OAEP-SHA1` (`22`).
    'x-amz-m' => materials_description,
    'x-amz-d' => encode64(commitment_key),
    'x-amz-i' => encode64(iv)
  }
  [envelope, cipher]
end
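The following is an added example, not code from aws-sdk-s3, that stands beside the two listings above. It mirrors the wrapping-algorithm dispatch of decryption_cipher (the '02' / '22' / '12' codes and the key-type mismatch checks) on a constructed V3-style envelope, and shows the AES/GCM key-wrap round trip with the content encryption schema bound as authenticated data, so that an altered 'x-amz-c' value makes the unwrap fail instead of yielding a data key under the wrong algorithm. The wrap blob layout (iv || tag || ciphertext), the EnvelopeExample module and its method names are this example's own assumptions; the SDK's Utils.encrypt_aes_gcm / decrypt_aes_gcm are not shown on this page.

```ruby
require 'openssl'
require 'base64'

# Added example (not the SDK's code). Assumed helper names and wrap layout;
# the 'x-amz-*' keys and wrap codes come from the listings on this page.
module EnvelopeExample
  # 'x-amz-w' codes and the algorithms they are translated to on retrieval.
  WRAP_ALGS = { '02' => 'AES/GCM', '22' => 'RSA-OAEP-SHA1', '12' => 'kms+context' }.freeze
  # Sample content encryption schema value (name taken from the page).
  CEK_ALG = 'ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY'

  # Check the configured wrapping key's type against the envelope's wrap code,
  # as decryption_cipher does before unwrapping; returns the algorithm name.
  def self.select_wrap_alg(envelope, wrapping_key)
    code = envelope['x-amz-w']
    rsa = wrapping_key.is_a?(OpenSSL::PKey::RSA)
    case code
    when '02'
      raise ArgumentError, 'Key mismatch - RSA key configured but x-amz-w is AES/GCM' if rsa
    when '22'
      raise ArgumentError, 'Key mismatch - AES key configured but x-amz-w is RSA-OAEP-SHA1' unless rsa
    when '12'
      raise ArgumentError, 'Key mismatch - kms+context envelope needs a kms_key_id'
    else
      raise ArgumentError, "Unsupported wrapping algorithm: #{code}"
    end
    WRAP_ALGS[code]
  end

  # Wrap a data key with AES-256-GCM. Assumed layout: iv(12) || tag(16) || ct.
  # cek_alg is bound as AAD, so the unwrap only succeeds for the same schema.
  def self.wrap_aes_gcm(wrapping_key, data_key, cek_alg)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = wrapping_key
    iv = cipher.random_iv
    cipher.auth_data = cek_alg
    ct = cipher.update(data_key) + cipher.final
    iv + cipher.auth_tag + ct
  end

  # Inverse of wrap_aes_gcm; raises OpenSSL::Cipher::CipherError on any
  # modification of the blob or of the bound cek_alg.
  def self.unwrap_aes_gcm(wrapping_key, blob, cek_alg)
    iv, tag, ct = blob[0, 12], blob[12, 16], blob[28..]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = wrapping_key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = cek_alg
    cipher.update(ct) + cipher.final
  end

  # Build a constructed envelope for an AES wrapping key (wrap code '02').
  # Only the fields this example needs are filled in.
  def self.build_envelope(wrapping_key, data_key)
    {
      'x-amz-3' => Base64.strict_encode64(wrap_aes_gcm(wrapping_key, data_key, CEK_ALG)),
      'x-amz-c' => CEK_ALG,
      'x-amz-w' => '02',
      'x-amz-m' => '{}'
    }
  end

  # Recover the data key from an envelope, or nil when authentication fails.
  def self.unwrap_envelope(envelope, wrapping_key)
    select_wrap_alg(envelope, wrapping_key)
    unwrap_aes_gcm(wrapping_key,
                   Base64.strict_decode64(envelope['x-amz-3']),
                   envelope['x-amz-c'])
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  wk = OpenSSL::Random.random_bytes(32)   # constructed wrapping key
  dk = OpenSSL::Random.random_bytes(32)   # constructed data key
  env = EnvelopeExample.build_envelope(wk, dk)
  puts "round trip ok: #{EnvelopeExample.unwrap_envelope(env, wk) == dk}"
  tampered = env.merge('x-amz-c' => 'AES/CBC/PKCS5Padding')
  puts "tampered x-amz-c rejected: #{EnvelopeExample.unwrap_envelope(tampered, wk).nil?}"
end
```

The point the tampered case makes is the same one the SDK's CEKAlgMismatchError check makes for the RSA path: the content encryption schema is part of what the key wrap authenticates, so a stored object whose metadata has been edited to name a different algorithm cannot be decrypted under the attacker's choice of scheme.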