Class: Aws::S3::EncryptionV2::KmsCipherProvider Private
- Inherits:
-
Object
- Object
- Aws::S3::EncryptionV2::KmsCipherProvider
- Defined in:
- lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Instance Method Summary collapse
-
#decryption_cipher(envelope, options = {}) ⇒ Cipher
private
Given an encryption envelope, returns a decryption cipher.
-
#encryption_cipher(options = {}) ⇒ Array<Hash,Cipher>
private
Creates and returns a new encryption envelope and encryption cipher.
-
#initialize(options = {}) ⇒ KmsCipherProvider
constructor
private
A new instance of KmsCipherProvider.
Constructor Details
#initialize(options = {}) ⇒ KmsCipherProvider
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a new instance of KmsCipherProvider.
11 12 13 14 15 16 17 18 19 20 |
# File 'lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb', line 11 def initialize( = {}) @kms_key_id = validate_kms_key([:kms_key_id]) @kms_client = [:kms_client] @key_wrap_schema = validate_key_wrap( [:key_wrap_schema] ) @content_encryption_schema = validate_cek( [:content_encryption_schema] ) end |
Instance Method Details
#decryption_cipher(envelope, options = {}) ⇒ Cipher
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns Given an encryption envelope, returns a decryption cipher.
48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# File 'lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb', line 48 def decryption_cipher(envelope, = {}) encryption_context = Json.load(envelope['x-amz-matdesc']) cek_alg = envelope['x-amz-cek-alg'] case envelope['x-amz-wrap-alg'] when 'kms' unless [:security_profile] == :v2_and_legacy raise Errors::LegacyDecryptionError end when 'kms+context' if cek_alg != encryption_context['aws:x-amz-cek-alg'] raise Errors::CEKAlgMismatchError end if encryption_context != build_encryption_context(cek_alg, ) raise Errors::DecryptionError, 'Value of encryption context from'\ ' envelope does not match the provided encryption context' end when 'AES/GCM' raise ArgumentError, 'Key mismatch - Client is configured' \ ' with a KMS key and the x-amz-wrap-alg is AES/GCM.' when 'RSA-OAEP-SHA1' raise ArgumentError, 'Key mismatch - Client is configured' \ ' with a KMS key and the x-amz-wrap-alg is RSA-OAEP-SHA1.' else raise ArgumentError, 'Unsupported wrap-alg: ' \ "#{envelope['x-amz-wrap-alg']}" end any_cmk_mode = false || [:kms_allow_decrypt_with_any_cmk] = { ciphertext_blob: decode64(envelope['x-amz-key-v2']), encryption_context: encryption_context } unless any_cmk_mode [:key_id] = @kms_key_id end key = @kms_client.decrypt().plaintext iv = decode64(envelope['x-amz-iv']) block_mode = case cek_alg when 'AES/CBC/PKCS5Padding' :CBC when 'AES/CBC/PKCS7Padding' :CBC when 'AES/GCM/NoPadding' :GCM else type = envelope['x-amz-cek-alg'].inspect msg = "unsupported content encrypting key (cek) format: #{type}" raise Errors::DecryptionError, msg end Utils.aes_decryption_cipher(block_mode, key, iv) end |
#encryption_cipher(options = {}) ⇒ Array<Hash,Cipher>
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns Creates and returns a new encryption envelope and encryption cipher.
24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
# File 'lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb', line 24 def encryption_cipher( = {}) validate_key_for_encryption encryption_context = build_encryption_context(@content_encryption_schema, ) key_data = @kms_client.generate_data_key( key_id: @kms_key_id, encryption_context: encryption_context, key_spec: 'AES_256' ) cipher = Utils.aes_encryption_cipher(:GCM) cipher.key = key_data.plaintext envelope = { 'x-amz-key-v2' => encode64(key_data.ciphertext_blob), 'x-amz-iv' => encode64(cipher.iv = cipher.random_iv), 'x-amz-cek-alg' => @content_encryption_schema, 'x-amz-tag-len' => (AES_GCM_TAG_LEN_BYTES * 8).to_s, 'x-amz-wrap-alg' => @key_wrap_schema, 'x-amz-matdesc' => Json.dump(encryption_context) } cipher.auth_data = '' # auth_data must be set after key and iv [envelope, cipher] end |