Class: Aws::S3::EncryptionV2::DefaultCipherProvider Private

Inherits:
Object
  • Object
show all
Defined in:
lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ DefaultCipherProvider

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of DefaultCipherProvider.



11
12
13
14
15
16
17
18
19
20
21
22
 
# File 'lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb', line 11

def initialize(options = {})
  @key_provider = options[:key_provider]
  @key_wrap_schema = validate_key_wrap(
    options[:key_wrap_schema],
    @key_provider.encryption_materials.key
  )
  ##= ../specification/s3-encryption/encryption.md#content-encryption
  ##% The S3EC MUST use the encryption algorithm configured during [client](./client.md) initialization.
  @content_encryption_schema = validate_cek(
    options[:content_encryption_schema]
  )
end

Instance Attribute Details

#key_providerObject (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future. 



24
25
26
 
# File 'lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb', line 24

def key_provider
  @key_provider
end

Instance Method Details

#decryption_cipher(envelope, options = {}) ⇒ Cipher

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Given an encryption envelope, returns a decryption cipher.

Returns:

  • (Cipher)

    Given an encryption envelope, returns a decryption cipher.



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
 
# File 'lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb', line 59

def decryption_cipher(envelope, options = {})
  validate_options(options)
  master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
  if envelope.key? 'x-amz-key'
    unless options[:security_profile] == :v2_and_legacy
      ##= ../specification/s3-encryption/decryption.md#legacy-decryption
      ##% If the S3EC is not configured to enable legacy unauthenticated content decryption, the client MUST throw an exception when attempting to decrypt an object encrypted with a legacy unauthenticated algorithm suite.
      ##= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes
      ##% When disabled, the S3EC MUST NOT decrypt objects encrypted using legacy content encryption algorithms; it MUST throw an exception when attempting to decrypt an object encrypted with a legacy content encryption algorithm.
      raise Errors::LegacyDecryptionError
    end
    ##= ../specification/s3-encryption/decryption.md#legacy-decryption
    ##% The S3EC MUST NOT decrypt objects encrypted using legacy unauthenticated algorithm suites unless specifically configured to do so.
    ##= ../specification/s3-encryption/client.md#enable-legacy-unauthenticated-modes
    ##% When enabled, the S3EC MUST be able to decrypt objects encrypted with all content encryption algorithms (both legacy and fully supported).
    # Support for decryption of legacy objects
    key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
    iv = decode64(envelope['x-amz-iv'])
    Utils.aes_decryption_cipher(:CBC, key, iv)
  else
    if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
      raise ArgumentError, 'Unsupported cek-alg: ' \
        "#{envelope['x-amz-cek-alg']}"
    end
    key =
      case envelope['x-amz-wrap-alg']
      when 'AES/GCM'
        if master_key.is_a? OpenSSL::PKey::RSA
          raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with an RSA key and the x-amz-wrap-alg is AES/GCM.'
        end
        Utils.decrypt_aes_gcm(master_key,
                            decode64(envelope['x-amz-key-v2']),
                            envelope['x-amz-cek-alg'])
      when 'RSA-OAEP-SHA1'
        unless master_key.is_a? OpenSSL::PKey::RSA
          raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with an AES key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
        end
        key, cek_alg = Utils.decrypt_rsa(master_key, decode64(envelope['x-amz-key-v2']))
        raise Errors::CEKAlgMismatchError unless cek_alg == envelope['x-amz-cek-alg']
        key
      when 'kms+context'
        raise ArgumentError, 'Key mismatch - Client is configured' \
            ' with a user provided key and the x-amz-wrap-alg is' \
            ' kms+context.  Please configure the client with the' \
            ' required kms_key_id'
      else
        raise ArgumentError, 'Unsupported wrap-alg: ' \
              "#{envelope['x-amz-wrap-alg']}"
      end
    iv = decode64(envelope['x-amz-iv'])
    Utils.aes_decryption_cipher(:GCM, key, iv)
  end
end

#encryption_cipher(options = {}) ⇒ Array<Hash,Cipher>

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns Creates an returns a new encryption envelope and encryption cipher.

Returns:

  • (Array<Hash,Cipher>)

    Creates an returns a new encryption envelope and encryption cipher.



28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
# File 'lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb', line 28

def encryption_cipher(options = {})
  validate_options(options)
  cipher = Utils.aes_encryption_cipher(:GCM)
  if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
    enc_key = encode64(
      encrypt_rsa(envelope_key(cipher), @content_encryption_schema)
    )
  else
    enc_key = encode64(
      ##= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-iv12-tag16-no-kdf
      ##% The client MUST NOT provide any AAD when encrypting with ALG_AES_256_GCM_IV12_TAG16_NO_KDF.
      encrypt_aes_gcm(envelope_key(cipher), @content_encryption_schema)
    )
  end

  ##= ../specification/s3-encryption/data-format/content-metadata.md#algorithm-suite-and-message-format-version-compatibility
  ##% Objects encrypted with ALG_AES_256_GCM_IV12_TAG16_NO_KDF MUST use the V2 message format version only.
  envelope = {
    'x-amz-key-v2' => enc_key,
    'x-amz-cek-alg' => @content_encryption_schema,
    'x-amz-tag-len' => (AES_GCM_TAG_LEN_BYTES * 8).to_s,
    'x-amz-wrap-alg' => @key_wrap_schema,
    'x-amz-iv' => encode64(envelope_iv(cipher)),
    'x-amz-matdesc' => materials_description
  }
  cipher.auth_data = '' # auth_data must be set after key and iv
  [envelope, cipher]
end