Module: Aws::S3::Encryption::Utils Private

Defined in:
lib/aws-sdk-s3/encryption/utils.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

API:

  • private

Constant Summary

UNSAFE_MSG = "unsafe encryption, data is longer than key length"

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

API:

  • private

Class Method Summary

Class Method Details

.aes_cipher(mode, block_mode, key, iv) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • mode: “encrypt” or “decrypt”

  • block_mode: “CBC” or “ECB”

  • key

  • iv: The initialization vector

API:

  • private

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 83

def aes_cipher(mode, block_mode, key, iv)
  cipher = key ?
    OpenSSL::Cipher.new("aes-#{cipher_size(key)}-#{block_mode.downcase}") :
    OpenSSL::Cipher.new("aes-256-#{block_mode.downcase}")
  cipher.send(mode) # encrypt or decrypt
  cipher.key = key if key
  cipher.iv = iv if iv
  cipher
end

.aes_decryption_cipher(block_mode, key = nil, iv = nil) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • block_mode: “CBC” or “ECB”

  • key (defaults to: nil)

  • iv (defaults to: nil): The initialization vector

API:

  • private

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 75

def aes_decryption_cipher(block_mode, key = nil, iv = nil)
  aes_cipher(:decrypt, block_mode, key, iv)
end

.aes_encryption_cipher(block_mode, key = nil, iv = nil) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • block_mode: “CBC” or “ECB”

  • key (defaults to: nil)

  • iv (defaults to: nil): The initialization vector

API:

  • private

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 68

def aes_encryption_cipher(block_mode, key = nil, iv = nil)
  aes_cipher(:encrypt, block_mode, key, iv)
end

.cipher_size(key) ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • key

Returns:

  • Integer

Raises:

  • ArgumentError

API:

  • private

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 96

def cipher_size(key)
  key.bytesize * 8
end

.decrypt(key, data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

API:

  • private

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 27

def decrypt(key, data)
  begin
    case key
    when OpenSSL::PKey::RSA # asymmetric decryption
      key.private_decrypt(data)
    when String # symmetric decryption
      cipher = aes_cipher(:decrypt, :ECB, key, nil)
      cipher.update(data) + cipher.final
    end
  rescue OpenSSL::Cipher::CipherError
    msg = 'decryption failed, possible incorrect key'
    raise Errors::DecryptionError, msg
  end
end

.decrypt_aes_gcm(key, data, auth_data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

API:

  • private

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 43

def decrypt_aes_gcm(key, data, auth_data)
  # data is iv (12B) + key + tag (16B)
  buf = data.unpack('C*')
  iv = buf[0,12].pack('C*') # iv will always be 12 bytes
  tag = buf[-16, 16].pack('C*') # tag is 16 bytes
  enc_key = buf[12, buf.size - (12+16)].pack('C*')
  cipher = aes_cipher(:decrypt, :GCM, key, iv)
  cipher.auth_tag = tag
  cipher.auth_data = auth_data
  cipher.update(enc_key) + cipher.final
end
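The encrypt side of the blob that decrypt_aes_gcm expects (the page shows only the decrypt side), as an added example that is not code from the aws-sdk-s3 gem. It packs iv (12 bytes) + ciphertext + tag (16 bytes) with OpenSSL's AES-GCM, parses the blob back the same way the method above does (byteslice in place of unpack/pack), adds a minimum-length guard the original lacks, and shows that a flipped bit anywhere in the blob, or a different auth_data, is rejected by the tag check. All keys, IVs and the auth_data string are constructed sample values; the fixed iv parameter exists only to make the run reproducible.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not code from the aws-sdk-s3 gem): encrypt side of the
# iv(12B) + ciphertext + tag(16B) layout parsed by decrypt_aes_gcm.

GCM_IV_LEN = 12   # decrypt_aes_gcm assumes a 12-byte IV
GCM_TAG_LEN = 16  # and a 16-byte authentication tag

# Encrypts data_key under key with AES-GCM and packs iv + ciphertext + tag.
# Let iv default to fresh random bytes; an IV reused with the same key breaks
# GCM's guarantees.
def encrypt_aes_gcm(key, data_key, auth_data, iv = SecureRandom.random_bytes(GCM_IV_LEN))
  cipher = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-gcm")
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_data = auth_data
  ciphertext = cipher.update(data_key) + cipher.final
  iv.b + ciphertext + cipher.auth_tag(GCM_TAG_LEN)
end

# Unpacks the blob and decrypts it; raises OpenSSL::Cipher::CipherError when
# the tag does not verify (wrong key, modified bytes, or different auth_data).
def decrypt_aes_gcm(key, data, auth_data)
  min = GCM_IV_LEN + GCM_TAG_LEN
  raise ArgumentError, "blob too short: #{data.bytesize} bytes" unless data.bytesize > min
  iv = data.byteslice(0, GCM_IV_LEN)
  tag = data.byteslice(-GCM_TAG_LEN, GCM_TAG_LEN)
  enc_key = data.byteslice(GCM_IV_LEN, data.bytesize - min)
  cipher = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-gcm")
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = auth_data
  cipher.update(enc_key) + cipher.final
end

# true when the blob authenticates under key and auth_data, false otherwise.
def authenticated?(key, data, auth_data)
  decrypt_aes_gcm(key, data, auth_data)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

# Flips one bit at byte offset index (constructed tampering for the demo).
def flip_bit(data, index)
  out = data.dup
  out.setbyte(index, out.getbyte(index) ^ 0x01)
  out
end

if __FILE__ == $PROGRAM_NAME
  kek = SecureRandom.random_bytes(32)       # key-encrypting key (constructed)
  data_key = SecureRandom.random_bytes(32)  # data key to wrap (constructed)
  aad = 'example-encryption-context'        # auth_data (constructed)
  blob = encrypt_aes_gcm(kek, data_key, aad)
  puts "blob bytes: #{blob.bytesize}"
  puts "round trip ok: #{decrypt_aes_gcm(kek, blob, aad) == data_key}"
  puts "tampered ciphertext accepted: #{authenticated?(kek, flip_bit(blob, 20), aad)}"
  puts "tampered tag accepted: #{authenticated?(kek, flip_bit(blob, blob.bytesize - 1), aad)}"
  puts "wrong auth_data accepted: #{authenticated?(kek, blob, 'other-context')}"
end
```

For a 32-byte data key the blob is 60 bytes. The length guard matters because the original parser computes the ciphertext slice from the blob size and would hand a negative or empty length to the cipher on a truncated input instead of failing with a clear error.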

.decrypt_rsa(key, enc_data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns the decrypted data and the auth_data as a two-element array, [data, auth_data].

API:

  • private

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 56

def decrypt_rsa(key, enc_data)
  # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
  buf = key.private_decrypt(enc_data, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING).unpack('C*')
  key_length = buf[0]
  data = buf[1, key_length].pack('C*')
  auth_data = buf[key_length+1, buf.length - key_length].pack('C*')
  [data, auth_data]
end
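The encrypt side of the length-prefixed plaintext that decrypt_rsa parses, as an added example that is not code from the aws-sdk-s3 gem. It packs [key_length (1 byte) | data_key | auth_data], wraps it with RSA-OAEP (the padding the method above passes to private_decrypt), and unwraps it with a parser that mirrors decrypt_rsa but also checks that the length prefix fits inside the decrypted plaintext. The key pair and data key are generated for the example; rsa_oaep_max_bytes is a helper added here, not part of the library.

```ruby
require 'openssl'

# Added example (not code from the aws-sdk-s3 gem): encrypt side of the
# [key_length (1B) | data_key | auth_data] layout parsed by decrypt_rsa.

# Packs the length-prefixed plaintext and encrypts it to the recipient's
# public key with OAEP padding.
def encrypt_rsa(public_key, data_key, auth_data)
  if data_key.bytesize > 255
    raise ArgumentError, 'data key longer than 255 bytes does not fit a 1-byte length prefix'
  end
  plaintext = [data_key.bytesize].pack('C') + data_key.b + auth_data.b
  public_key.public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Decrypts and splits the plaintext back into [data_key, auth_data].
# Raises OpenSSL::PKey::RSAError for a wrong private key (OAEP fails closed)
# and ArgumentError if the length prefix runs past the end of the plaintext,
# a check the original parser does not make.
def decrypt_rsa(private_key, enc_data)
  buf = private_key.private_decrypt(enc_data, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  key_length = buf.getbyte(0)
  if buf.bytesize < key_length + 1
    raise ArgumentError, "length prefix #{key_length} exceeds plaintext size #{buf.bytesize - 1}"
  end
  data = buf.byteslice(1, key_length)
  auth_data = buf.byteslice(key_length + 1, buf.bytesize - key_length - 1)
  [data, auth_data]
end

# Largest payload OAEP with SHA-1 (OpenSSL's default for this padding)
# accepts for an RSA modulus of key_bits: modulus bytes - 2 * hash len - 2.
def rsa_oaep_max_bytes(key_bits)
  key_bits / 8 - 2 * 20 - 2
end

if __FILE__ == $PROGRAM_NAME
  rsa = OpenSSL::PKey::RSA.generate(2048)          # constructed key pair
  data_key = OpenSSL::Random.random_bytes(32)      # constructed data key
  wrapped = encrypt_rsa(rsa.public_key, data_key, 'ctx-value')
  key, aad = decrypt_rsa(rsa, wrapped)
  puts "wrapped bytes: #{wrapped.bytesize}"
  puts "data key restored: #{key == data_key}, auth_data: #{aad}"
  puts "OAEP payload limit for RSA-2048: #{rsa_oaep_max_bytes(2048)} bytes"
end
```

With RSA-2048 the wrapped value is always 256 bytes and the plaintext (prefix, data key and auth_data together) must stay within the OAEP limit, so a long auth_data string fails at encrypt time rather than silently truncating.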

.encrypt(key, data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

API:

  • private

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 15

def encrypt(key, data)
  case key
  when OpenSSL::PKey::RSA # asymmetric encryption
    warn(UNSAFE_MSG) if key.public_key.n.num_bits < cipher_size(data)
    key.public_encrypt(data)
  when String # symmetric encryption
    warn(UNSAFE_MSG) if cipher_size(key) < cipher_size(data)
    cipher = aes_encryption_cipher(:ECB, key)
    cipher.update(data) + cipher.final
  end
end
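The String-key branch of encrypt and decrypt (together with the aes_cipher and cipher_size helpers they rely on) as a wrap/unwrap pair, added here as an example that is not code from the aws-sdk-s3 gem. Instead of printing UNSAFE_MSG it returns the warning so the condition can be checked, maps a padding failure to the same "possible incorrect key" message decrypt raises, and demonstrates why AES-ECB is tolerable here only because the plaintext is a random data key: with no IV, the same input always wraps to the same output, and equal plaintext blocks produce equal ciphertext blocks. The KEK and data key values are constructed.

```ruby
require 'openssl'

# Added example (not code from the aws-sdk-s3 gem): the symmetric (String key)
# branch of encrypt/decrypt, plus the ECB determinism it depends on.

UNSAFE_MSG = 'unsafe encryption, data is longer than key length'

# Key size in bits, as cipher_size does; OpenSSL selects aes-128/192/256 from it.
def cipher_size(key)
  key.bytesize * 8
end

# AES-ECB cipher for the given direction (:encrypt or :decrypt) and KEK.
def ecb_cipher(mode, kek)
  cipher = OpenSSL::Cipher.new("aes-#{cipher_size(kek)}-ecb")
  cipher.send(mode)
  cipher.key = kek
  cipher
end

# Returns [wrapped_key, warning]; warning is UNSAFE_MSG when the data key is
# longer than the KEK (the test encrypt performs before warn), otherwise nil.
def wrap_key(kek, data_key)
  warning = cipher_size(kek) < cipher_size(data_key) ? UNSAFE_MSG : nil
  cipher = ecb_cipher(:encrypt, kek)
  [cipher.update(data_key) + cipher.final, warning]
end

# Reverses wrap_key. A wrong KEK almost always surfaces as a PKCS#7 padding
# failure (CipherError), which decrypt maps to Errors::DecryptionError.
def unwrap_key(kek, wrapped)
  cipher = ecb_cipher(:decrypt, kek)
  cipher.update(wrapped) + cipher.final
rescue OpenSSL::Cipher::CipherError
  raise ArgumentError, 'decryption failed, possible incorrect key'
end

# ECB has no IV: wrapping the same data key twice under one KEK yields
# identical ciphertext. That leaks nothing about a uniformly random data key
# but would reveal repetition in any structured plaintext.
def ecb_is_deterministic?(kek, data_key)
  first, = wrap_key(kek, data_key)
  second, = wrap_key(kek, data_key)
  first == second
end

if __FILE__ == $PROGRAM_NAME
  kek = OpenSSL::Random.random_bytes(32)       # constructed key-encrypting key
  data_key = OpenSSL::Random.random_bytes(32)  # constructed data key
  wrapped, warning = wrap_key(kek, data_key)
  puts "wrapped bytes: #{wrapped.bytesize}, warning: #{warning.inspect}"
  puts "round trip ok: #{unwrap_key(kek, wrapped) == data_key}"
  puts "deterministic: #{ecb_is_deterministic?(kek, data_key)}"
  _, warning = wrap_key(OpenSSL::Random.random_bytes(16), data_key)
  puts "16-byte KEK wrapping a 32-byte key warns: #{warning.inspect}"
end
```

A 32-byte data key wraps to 48 bytes because final appends a full padding block. The test below also uses a data key made of repeated bytes so the two plaintext blocks are equal; the equal ciphertext blocks that result are the ECB property the warning and the GCM/RSA paths exist to avoid for anything that is not a random key.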