Module: Aws::S3::EncryptionV2::Utils Private

Defined in:
lib/aws-sdk-s3/encryptionV2/utils.rb

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

Class Method Summary collapse

Class Method Details

.aes_cipher(mode, block_mode, key, iv) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • mode (String)

    “encrypt” or “decrypt”

  • block_mode (String)

    “CBC” or “ECB”

  • key (OpenSSL::PKey::RSA, String, nil)
  • iv (String, nil)

    The initialization vector



82
83
84
85
86
87
88
89
90
91
92
93
94
95
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 82

def aes_cipher(mode, block_mode, key, iv)
  ##= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-iv12-tag16-no-kdf
  ##% The client MUST initialize the cipher,
  ##% or call an AES-GCM encryption API, with the plaintext data key, the generated IV,
  ##% and the tag length defined in the Algorithm Suite
  ##% when encrypting with ALG_AES_256_GCM_IV12_TAG16_NO_KDF.
  cipher = key ?
    OpenSSL::Cipher.new("aes-#{cipher_size(key)}-#{block_mode.downcase}") :
    OpenSSL::Cipher.new("aes-256-#{block_mode.downcase}")
  cipher.send(mode) # encrypt or decrypt
  cipher.key = key if key
  cipher.iv = iv if iv
  cipher
end

.aes_decryption_cipher(block_mode, key = nil, iv = nil) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • block_mode (String)

    “CBC” or “ECB”

  • key (OpenSSL::PKey::RSA, String, nil) (defaults to: nil)
  • iv (String, nil) (defaults to: nil)

    The initialization vector



74
75
76
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 74

def aes_decryption_cipher(block_mode, key = nil, iv = nil)
  aes_cipher(:decrypt, block_mode, key, iv)
end

.aes_encryption_cipher(block_mode, key = nil, iv = nil) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • block_mode (String)

    “CBC” or “ECB”

  • key (OpenSSL::PKey::RSA, String, nil) (defaults to: nil)
  • iv (String, nil) (defaults to: nil)

    The initialization vector



67
68
69
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 67

def aes_encryption_cipher(block_mode, key = nil, iv = nil)
  aes_cipher(:encrypt, block_mode, key, iv)
end

.cipher_size(key) ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

  • key (String)

Returns:

  • (Integer)

Raises:

  • ArgumentError



100
101
102
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 100

def cipher_size(key)
  key.bytesize * 8
end

.decrypt(key, data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future. 



27
28
29
30
31
32
33
34
35
36
37
38
39
40
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 27

def decrypt(key, data)
  begin
    case key
    when OpenSSL::PKey::RSA # asymmetric decryption
      key.private_decrypt(data)
    when String # symmetric Decryption
      cipher = aes_cipher(:decrypt, :ECB, key, nil)
      cipher.update(data) + cipher.final
    end
  rescue OpenSSL::Cipher::CipherError
    msg = 'decryption failed, possible incorrect key'
    raise Errors::DecryptionError, msg
  end
end

.decrypt_aes_gcm(key, data, auth_data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future. 



42
43
44
45
46
47
48
49
50
51
52
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 42

def decrypt_aes_gcm(key, data, auth_data)
  # data is iv (12B) + key + tag (16B)
  buf = data.unpack('C*')
  iv = buf[0,12].pack('C*') # iv will always be 12 bytes
  tag = buf[-16, 16].pack('C*') # tag is 16 bytes
  enc_key = buf[12, buf.size - (12+16)].pack('C*')
  cipher = aes_cipher(:decrypt, :GCM, key, iv)
  cipher.auth_tag = tag
  cipher.auth_data = auth_data
  cipher.update(enc_key) + cipher.final
end

.decrypt_rsa(key, enc_data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

returns the decrypted data + auth_data



55
56
57
58
59
60
61
62
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 55

def decrypt_rsa(key, enc_data)
  # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
  buf = key.private_decrypt(enc_data, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING).unpack('C*')
  key_length = buf[0]
  data = buf[1, key_length].pack('C*')
  auth_data = buf[key_length+1, buf.length - key_length].pack('C*')
  [data, auth_data]
end

.encrypt_aes_gcm(key, data, auth_data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future. 



13
14
15
16
17
18
19
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 13

def encrypt_aes_gcm(key, data, auth_data)
  cipher = aes_encryption_cipher(:GCM, key)
  cipher.iv = (iv = cipher.random_iv)
  cipher.auth_data = auth_data

  iv + cipher.update(data) + cipher.final + cipher.auth_tag
end

.encrypt_rsa(key, data, auth_data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future. 



21
22
23
24
25
 
# File 'lib/aws-sdk-s3/encryptionV2/utils.rb', line 21

def encrypt_rsa(key, data, auth_data)
  # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
  buf = [data.bytesize] + data.unpack('C*') + auth_data.unpack('C*')
  key.public_encrypt(buf.pack('C*'), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end