Class: Aws::S3::EncryptionV2::Decryption Private
- Inherits:
-
Object
- Object
- Aws::S3::EncryptionV2::Decryption
- Defined in:
- lib/aws-sdk-s3/encryptionV2/decryption.rb
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Constant Summary collapse
- V1_ENVELOPE_KEYS =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
% - The mapkey “x-amz-key” MUST be present for V1 format objects.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
% - The mapkey “x-amz-iv” MUST be present for V1 format objects.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
% - The mapkey “x-amz-matdesc” MUST be present for V1 format objects.
%w[ x-amz-key x-amz-iv x-amz-matdesc ].freeze
- V2_ENVELOPE_KEYS =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
% - The mapkey “x-amz-key-v2” MUST be present for V2 format objects.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
% - The mapkey “x-amz-iv” MUST be present for V2 format objects.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
% - The mapkey “x-amz-cek-alg” MUST be present for V2 format objects.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
% - The mapkey “x-amz-wrap-alg” MUST be present for V2 format objects.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
% - The mapkey “x-amz-matdesc” MUST be present for V2 format objects.
%w[ x-amz-key-v2 x-amz-iv x-amz-cek-alg x-amz-wrap-alg x-amz-matdesc ].freeze
- V2_OPTIONAL_KEYS =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
type=exception
reason=The implementation treats this as optional, but verifies its value.
% - The mapkey “x-amz-tag-len” MUST be present for V2 format objects.
%w[x-amz-tag-len].freeze
- POSSIBLE_ENVELOPE_KEYS =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
(V1_ENVELOPE_KEYS + V2_ENVELOPE_KEYS + V2_OPTIONAL_KEYS).uniq
- POSSIBLE_WRAPPING_FORMATS =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
%w[ AES/GCM kms kms+context RSA-OAEP-SHA1 ].freeze
- POSSIBLE_ENCRYPTION_FORMATS =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
%w[ AES/GCM/NoPadding AES/CBC/PKCS5Padding AES/CBC/PKCS7Padding ].freeze
- AUTH_REQUIRED_CEK_ALGS =
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
%w[AES/GCM/NoPadding].freeze
Class Method Summary collapse
-
.auth_tag_length(envelope) ⇒ Object
private
Determine the auth tag length from the algorithm Validate it against the value provided in the x-amz-tag-len Return the tag length in bytes.
-
.authenticated_decrypter(context, cipher, envelope) ⇒ Object
private
This method fetches the tag from the end of the object by making a GET Object w/range request.
- .body_contains_auth_tag?(envelope) ⇒ Boolean private
- .decryption_cipher(context) ⇒ Object private
- .envelope_from_instr_file(context) ⇒ Object private
- .envelope_from_metadata(context) ⇒ Object private
- .extract_envelope(hash) ⇒ Object private
- .get_decrypter(context, cipher, envelope) ⇒ Object private
- .get_encryption_envelope(context) ⇒ Object private
- .v1_envelope(envelope) ⇒ Object private
- .v2_envelope(envelope) ⇒ Object private
Class Method Details
.auth_tag_length(envelope) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Determine the auth tag length from the algorithm Validate it against the value provided in the x-amz-tag-len Return the tag length in bytes
187 188 189 190 191 192 193 194 195 196 197 198 199 200 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 187 def auth_tag_length(envelope) tag_length = case envelope['x-amz-cek-alg'] when 'AES/GCM/NoPadding' then AES_GCM_TAG_LEN_BYTES else raise ArgumentError, 'Unsupported cek-alg: ' \ "#{envelope['x-amz-cek-alg']}" end if (tag_length * 8) != envelope['x-amz-tag-len'].to_i raise Errors::DecryptionError, 'x-amz-tag-len does not match expected' end tag_length end |
.authenticated_decrypter(context, cipher, envelope) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
This method fetches the tag from the end of the object by making a GET Object w/range request. This auth tag is used to initialize the cipher, and the decrypter truncates the auth tag from the body when writing the final bytes.
160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 160 def authenticated_decrypter(context, cipher, envelope) http_resp = context.http_response content_length = http_resp.headers['content-length'].to_i auth_tag_length = auth_tag_length(envelope) auth_tag = context.client.get_object( bucket: context.params[:bucket], key: context.params[:key], version_id: context.params[:version_id], range: "bytes=-#{auth_tag_length}" ).body.read cipher.auth_tag = auth_tag cipher.auth_data = '' # The encrypted object contains both the cipher text # plus a trailing auth tag. IOAuthDecrypter.new( io: http_resp.body, encrypted_content_length: content_length - auth_tag_length, cipher: cipher ) end |
.body_contains_auth_tag?(envelope) ⇒ Boolean
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
152 153 154 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 152 def body_contains_auth_tag?(envelope) AUTH_REQUIRED_CEK_ALGS.include?(envelope['x-amz-cek-alg']) end |
.decryption_cipher(context) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
64 65 66 67 68 69 70 71 72 73 74 75 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 64 def decryption_cipher(context) if (envelope = get_encryption_envelope(context)) cipher = context[:encryption][:cipher_provider] .decryption_cipher( envelope, context[:encryption] ) [cipher, envelope] else raise Errors::DecryptionError, 'unable to locate encryption envelope' end end |
.envelope_from_instr_file(context) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
103 104 105 106 107 108 109 110 111 112 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 103 def envelope_from_instr_file(context) suffix = context[:encryption][:instruction_file_suffix] possible_envelope = Json.load(context.client.get_object( bucket: context.params[:bucket], key: context.params[:key] + suffix ).body.read) extract_envelope(possible_envelope) rescue S3::Errors::ServiceError, Json::ParseError nil end |
.envelope_from_metadata(context) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
93 94 95 96 97 98 99 100 101 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 93 def (context) possible_envelope = {} POSSIBLE_ENVELOPE_KEYS.each do |suffix| if (value = context.http_response.headers["x-amz-meta-#{suffix}"]) possible_envelope[suffix] = value end end extract_envelope(possible_envelope) end |
.extract_envelope(hash) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 114 def extract_envelope(hash) return nil unless hash ##= ../specification/s3-encryption/data-format/content-metadata.md#determining-s3ec-object-status ##% - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. return v1_envelope(hash) if hash.key?('x-amz-key') ##= ../specification/s3-encryption/data-format/content-metadata.md#determining-s3ec-object-status ##% - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. return v2_envelope(hash) if hash.key?('x-amz-key-v2') return unless hash.keys.any? { |key| key.match(/^x-amz-key-(.+)$/) } msg = "unsupported envelope encryption version #{::Regexp.last_match(1)}" raise Errors::DecryptionError, msg end |
.get_decrypter(context, cipher, envelope) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
77 78 79 80 81 82 83 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 77 def get_decrypter(context, cipher, envelope) if body_contains_auth_tag?(envelope) authenticated_decrypter(context, cipher, envelope) else IODecrypter.new(cipher, context.http_response.body) end end |
.get_encryption_envelope(context) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
85 86 87 88 89 90 91 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 85 def get_encryption_envelope(context) if context[:encryption][:envelope_location] == :metadata (context) || envelope_from_instr_file(context) else envelope_from_instr_file(context) || (context) end end |
.v1_envelope(envelope) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
129 130 131 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 129 def v1_envelope(envelope) envelope end |
.v2_envelope(envelope) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 |
# File 'lib/aws-sdk-s3/encryptionV2/decryption.rb', line 133 def v2_envelope(envelope) unless POSSIBLE_ENCRYPTION_FORMATS.include? envelope['x-amz-cek-alg'] alg = envelope['x-amz-cek-alg'].inspect msg = "unsupported content encrypting key (cek) format: #{alg}" raise Errors::DecryptionError, msg end unless POSSIBLE_WRAPPING_FORMATS.include? envelope['x-amz-wrap-alg'] alg = envelope['x-amz-wrap-alg'].inspect msg = "unsupported key wrapping algorithm: #{alg}" raise Errors::DecryptionError, msg end unless (missing_keys = V2_ENVELOPE_KEYS - envelope.keys).empty? msg = "incomplete v2 encryption envelope:\n" msg += " missing: #{missing_keys.join(',')}\n" raise Errors::DecryptionError, msg end envelope end |