Class: Aws::S3::Encryption::KmsCipherProvider Private

Inherits:
Object
  • Object
show all
Defined in:
lib/aws-sdk-s3/encryption/kms_cipher_provider.rb

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ KmsCipherProvider

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of KmsCipherProvider.



9
10
11
12
# File 'lib/aws-sdk-s3/encryption/kms_cipher_provider.rb', line 9

def initialize(options = {})
  @kms_key_id = options[:kms_key_id]
  @kms_client = options[:kms_client]
end

Instance Method Details

#decryption_cipher(envelope) ⇒ Cipher

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Given an encryption envelope, returns a decryption cipher.

Returns:

  • (Cipher)

    Given an encryption envelope, returns a decryption cipher.



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/aws-sdk-s3/encryption/kms_cipher_provider.rb', line 37

def decryption_cipher(envelope)
  encryption_context = Json.load(envelope['x-amz-matdesc'])
  key = @kms_client.decrypt(
    ciphertext_blob: decode64(envelope['x-amz-key-v2']),
    encryption_context: encryption_context,
  ).plaintext
  iv = decode64(envelope['x-amz-iv'])
  block_mode =
    case envelope['x-amz-cek-alg']
    when 'AES/CBC/PKCS5Padding'
      :CBC
    when 'AES/CBC/PKCS7Padding'
      :CBC
    when 'AES/GCM/NoPadding'
      :GCM
    else
      type = envelope['x-amz-cek-alg'].inspect
      msg = "unsupported content encrypting key (cek) format: #{type}"
      raise Errors::DecryptionError, msg
    end
  Utils.aes_decryption_cipher(block_mode, key, iv)
end

#encryption_cipherArray<Hash,Cipher>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Creates an returns a new encryption envelope and encryption cipher.

Returns:

  • (Array<Hash,Cipher>)

    Creates an returns a new encryption envelope and encryption cipher.



16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# File 'lib/aws-sdk-s3/encryption/kms_cipher_provider.rb', line 16

def encryption_cipher
  encryption_context = { "kms_cmk_id" => @kms_key_id }
  key_data = @kms_client.generate_data_key(
    key_id: @kms_key_id,
    encryption_context: encryption_context,
    key_spec: 'AES_256',
  )
  cipher = Utils.aes_encryption_cipher(:CBC)
  cipher.key = key_data.plaintext
  envelope = {
    'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
    'x-amz-iv' => encode64(cipher.iv = cipher.random_iv),
    'x-amz-cek-alg' => 'AES/CBC/PKCS5Padding',
    'x-amz-wrap-alg' => 'kms',
    'x-amz-matdesc' => Json.dump(encryption_context)
  }
  [envelope, cipher]
end