aws-sdk-resources 2.3.12 → 2.3.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/aws-sdk-resources/services/s3/encryption.rb +1 -0
- data/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb +48 -4
- data/lib/aws-sdk-resources/services/s3/encryption/io_auth_decrypter.rb +50 -0
- data/lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb +2 -9
- data/lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb +12 -1
- data/lib/aws-sdk-resources/services/s3/encryption/utils.rb +2 -2
- metadata +5 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 11c22ca5443cb742557f0ff0d51e1fef0df79fcf
|
|
4
|
+
data.tar.gz: e4491cd6fc35298e073d7a8b2acc125d51b1f4ff
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 415203dbe9f34837a545a8665a75c2573ff78bdbce65fb04556fed2d8168b9144b7e7d8205334e3aac2cfa3d544d4c29cd5b9a4ef12cc1a10c5621f832cd9817
|
|
7
|
+
data.tar.gz: de05df3ec9627f3f6a53b9e41914921ec0476fd22702bf8a15736c53673ad13fe222c7c7c7b9e456dcf23bd5e2477043707793aaadd0583e3a9990b4cd77d932
|
|
@@ -9,6 +9,7 @@ module Aws
|
|
|
9
9
|
autoload :EncryptHandler, 'aws-sdk-resources/services/s3/encryption/encrypt_handler'
|
|
10
10
|
autoload :Errors, 'aws-sdk-resources/services/s3/encryption/errors'
|
|
11
11
|
autoload :IOEncrypter, 'aws-sdk-resources/services/s3/encryption/io_encrypter'
|
|
12
|
+
autoload :IOAuthDecrypter, 'aws-sdk-resources/services/s3/encryption/io_auth_decrypter'
|
|
12
13
|
autoload :IODecrypter, 'aws-sdk-resources/services/s3/encryption/io_decrypter'
|
|
13
14
|
autoload :KeyProvider, 'aws-sdk-resources/services/s3/encryption/key_provider'
|
|
14
15
|
autoload :KmsCipherProvider, 'aws-sdk-resources/services/s3/encryption/kms_cipher_provider'
|
|
@@ -22,6 +22,11 @@ module Aws
|
|
|
22
22
|
|
|
23
23
|
POSSIBLE_ENVELOPE_KEYS = (V1_ENVELOPE_KEYS + V2_ENVELOPE_KEYS).uniq
|
|
24
24
|
|
|
25
|
+
POSSIBLE_ENCRYPTION_FORMATS = %w(
|
|
26
|
+
AES/GCM/NoPadding
|
|
27
|
+
AES/CBC/PKCS5Padding
|
|
28
|
+
)
|
|
29
|
+
|
|
25
30
|
def call(context)
|
|
26
31
|
attach_http_event_listeners(context)
|
|
27
32
|
@handler.call(context)
|
|
@@ -30,10 +35,13 @@ module Aws
|
|
|
30
35
|
private
|
|
31
36
|
|
|
32
37
|
def attach_http_event_listeners(context)
|
|
38
|
+
|
|
33
39
|
context.http_response.on_headers(200) do
|
|
34
40
|
cipher = decryption_cipher(context)
|
|
35
|
-
|
|
36
|
-
|
|
41
|
+
decrypter = body_contains_auth_tag?(context) ?
|
|
42
|
+
authenticated_decrypter(context, cipher) :
|
|
43
|
+
IODecrypter.new(cipher, context.http_response.body)
|
|
44
|
+
context.http_response.body = decrypter
|
|
37
45
|
end
|
|
38
46
|
|
|
39
47
|
context.http_response.on_success(200) do
|
|
@@ -44,7 +52,7 @@ module Aws
|
|
|
44
52
|
end
|
|
45
53
|
|
|
46
54
|
context.http_response.on_error do
|
|
47
|
-
if context.http_response.body.
|
|
55
|
+
if context.http_response.body.respond_to?(:io)
|
|
48
56
|
context.http_response.body = context.http_response.body.io
|
|
49
57
|
end
|
|
50
58
|
end
|
|
@@ -103,7 +111,7 @@ module Aws
|
|
|
103
111
|
end
|
|
104
112
|
|
|
105
113
|
def v2_envelope(envelope)
|
|
106
|
-
unless envelope['x-amz-cek-alg']
|
|
114
|
+
unless POSSIBLE_ENCRYPTION_FORMATS.include? envelope['x-amz-cek-alg']
|
|
107
115
|
alg = envelope['x-amz-cek-alg'].inspect
|
|
108
116
|
msg = "unsupported content encrypting key (cek) format: #{alg}"
|
|
109
117
|
raise Errors::DecryptionError, msg
|
|
@@ -124,6 +132,42 @@ module Aws
|
|
|
124
132
|
envelope
|
|
125
133
|
end
|
|
126
134
|
|
|
135
|
+
# When the x-amz-meta-x-amz-tag-len header is present, it indicates
|
|
136
|
+
# that the body of this object has a trailing auth tag. The header
|
|
137
|
+
# indicates the length of that tag.
|
|
138
|
+
#
|
|
139
|
+
# This method fetches the tag from the end of the object by
|
|
140
|
+
# making a GET Object w/range request. This auth tag is used
|
|
141
|
+
# to initialize the cipher, and the decrypter truncates the
|
|
142
|
+
# auth tag from the body when writing the final bytes.
|
|
143
|
+
def authenticated_decrypter(context, cipher)
|
|
144
|
+
http_resp = context.http_response
|
|
145
|
+
content_length = http_resp.headers['content-length'].to_i
|
|
146
|
+
auth_tag_length = http_resp.headers['x-amz-meta-x-amz-tag-len']
|
|
147
|
+
auth_tag_length = auth_tag_length.to_i / 8
|
|
148
|
+
|
|
149
|
+
auth_tag = context.client.get_object(
|
|
150
|
+
bucket: context.params[:bucket],
|
|
151
|
+
key: context.params[:key],
|
|
152
|
+
range: "bytes=-#{auth_tag_length}"
|
|
153
|
+
).body.read
|
|
154
|
+
|
|
155
|
+
cipher.auth_tag = auth_tag
|
|
156
|
+
cipher.auth_data = ''
|
|
157
|
+
|
|
158
|
+
# The encrypted object contains both the cipher text
|
|
159
|
+
# plus a trailing auth tag. This decrypter will the body
|
|
160
|
+
# expect for the trailing auth tag.
|
|
161
|
+
decrypter = IOAuthDecrypter.new(
|
|
162
|
+
io: http_resp.body,
|
|
163
|
+
encrypted_content_length: content_length - auth_tag_length,
|
|
164
|
+
cipher: cipher)
|
|
165
|
+
end
|
|
166
|
+
|
|
167
|
+
def body_contains_auth_tag?(context)
|
|
168
|
+
context.http_response.headers['x-amz-meta-x-amz-tag-len']
|
|
169
|
+
end
|
|
170
|
+
|
|
127
171
|
end
|
|
128
172
|
end
|
|
129
173
|
end
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
module Aws
|
|
2
|
+
module S3
|
|
3
|
+
module Encryption
|
|
4
|
+
# @api private
|
|
5
|
+
class IOAuthDecrypter
|
|
6
|
+
|
|
7
|
+
# @option options [required, IO#write] :io
|
|
8
|
+
# An IO-like object that responds to {#write}.
|
|
9
|
+
# @option options [required, Integer] :encrypted_content_length
|
|
10
|
+
# The number of bytes to decrypt from the `:io` object.
|
|
11
|
+
# This should be the total size of `:io` minus the length of
|
|
12
|
+
# the cipher auth tag.
|
|
13
|
+
# @option options [required, OpenSSL::Cipher] :cipher An initialized
|
|
14
|
+
# cipher that can be used to decrypt the bytes as they are
|
|
15
|
+
# written to the `:io` object. The cipher should already have
|
|
16
|
+
# its `#auth_tag` set.
|
|
17
|
+
def initialize(options = {})
|
|
18
|
+
@decrypter = IODecrypter.new(options[:cipher], options[:io])
|
|
19
|
+
@max_bytes = options[:encrypted_content_length]
|
|
20
|
+
@bytes_written = 0
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def write(chunk)
|
|
24
|
+
chunk = truncate_chunk(chunk)
|
|
25
|
+
@bytes_written += chunk.bytesize
|
|
26
|
+
@decrypter.write(chunk)
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def finalize
|
|
30
|
+
@decrypter.finalize
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def io
|
|
34
|
+
@decrypter.io
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
private
|
|
38
|
+
|
|
39
|
+
def truncate_chunk(chunk)
|
|
40
|
+
if chunk.bytesize + @bytes_written <= @max_bytes
|
|
41
|
+
chunk
|
|
42
|
+
else
|
|
43
|
+
chunk[0..(@max_bytes - @bytes_written - 1)]
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
end
|
|
@@ -5,18 +5,17 @@ module Aws
|
|
|
5
5
|
class IODecrypter
|
|
6
6
|
|
|
7
7
|
# @param [OpenSSL::Cipher] cipher
|
|
8
|
-
# @param [#write] io An IO-like object that responds to
|
|
8
|
+
# @param [IO#write] io An IO-like object that responds to `#write`.
|
|
9
9
|
def initialize(cipher, io)
|
|
10
|
-
@orig_cipher = cipher.clone
|
|
11
10
|
@cipher = cipher.clone
|
|
12
11
|
@io = io
|
|
13
|
-
reset_cipher
|
|
14
12
|
end
|
|
15
13
|
|
|
16
14
|
# @return [#write]
|
|
17
15
|
attr_reader :io
|
|
18
16
|
|
|
19
17
|
def write(chunk)
|
|
18
|
+
# decrypt and write
|
|
20
19
|
@io.write(@cipher.update(chunk))
|
|
21
20
|
end
|
|
22
21
|
|
|
@@ -24,12 +23,6 @@ module Aws
|
|
|
24
23
|
@io.write(@cipher.final)
|
|
25
24
|
end
|
|
26
25
|
|
|
27
|
-
private
|
|
28
|
-
|
|
29
|
-
def reset_cipher
|
|
30
|
-
@cipher = @orig_cipher.clone
|
|
31
|
-
end
|
|
32
|
-
|
|
33
26
|
end
|
|
34
27
|
end
|
|
35
28
|
end
|
|
@@ -41,7 +41,18 @@ module Aws
|
|
|
41
41
|
encryption_context: encryption_context,
|
|
42
42
|
).plaintext
|
|
43
43
|
iv = decode64(envelope['x-amz-iv'])
|
|
44
|
-
|
|
44
|
+
block_mode =
|
|
45
|
+
case envelope['x-amz-cek-alg']
|
|
46
|
+
when 'AES/CBC/PKCS5Padding'
|
|
47
|
+
:CBC
|
|
48
|
+
when 'AES/GCM/NoPadding'
|
|
49
|
+
:GCM
|
|
50
|
+
else
|
|
51
|
+
type = envelope['x-amz-cek-alg'].inspect
|
|
52
|
+
msg = "unsupported content encrypting key (cek) format: #{type}"
|
|
53
|
+
raise Errors::DecryptionError, msg
|
|
54
|
+
end
|
|
55
|
+
Utils.aes_decryption_cipher(block_mode, key, iv)
|
|
45
56
|
end
|
|
46
57
|
|
|
47
58
|
private
|
|
@@ -57,8 +57,8 @@ module Aws
|
|
|
57
57
|
# @param [String, nil] iv The initialization vector
|
|
58
58
|
def aes_cipher(mode, block_mode, key, iv)
|
|
59
59
|
cipher = key ?
|
|
60
|
-
OpenSSL::Cipher.new("
|
|
61
|
-
OpenSSL::Cipher.new("
|
|
60
|
+
OpenSSL::Cipher.new("aes-#{cipher_size(key)}-#{block_mode.downcase}") :
|
|
61
|
+
OpenSSL::Cipher.new("aes-256-#{block_mode.downcase}")
|
|
62
62
|
cipher.send(mode) # encrypt or decrypt
|
|
63
63
|
cipher.key = key if key
|
|
64
64
|
cipher.iv = iv if iv
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sdk-resources
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.3.
|
|
4
|
+
version: 2.3.13
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-06-
|
|
11
|
+
date: 2016-06-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-core
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 2.3.
|
|
19
|
+
version: 2.3.13
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 2.3.
|
|
26
|
+
version: 2.3.13
|
|
27
27
|
description: Provides resource oriented interfaces and other higher-level abstractions
|
|
28
28
|
for many AWS services. This gem is part of the official AWS SDK for Ruby.
|
|
29
29
|
email:
|
|
@@ -65,6 +65,7 @@ files:
|
|
|
65
65
|
- lib/aws-sdk-resources/services/s3/encryption/default_key_provider.rb
|
|
66
66
|
- lib/aws-sdk-resources/services/s3/encryption/encrypt_handler.rb
|
|
67
67
|
- lib/aws-sdk-resources/services/s3/encryption/errors.rb
|
|
68
|
+
- lib/aws-sdk-resources/services/s3/encryption/io_auth_decrypter.rb
|
|
68
69
|
- lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb
|
|
69
70
|
- lib/aws-sdk-resources/services/s3/encryption/io_encrypter.rb
|
|
70
71
|
- lib/aws-sdk-resources/services/s3/encryption/key_provider.rb
|