aws-sdk-s3 1.21.0 → 1.117.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (99) hide show
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +930 -0
  3. data/LICENSE.txt +202 -0
  4. data/VERSION +1 -0
  5. data/lib/aws-sdk-s3/bucket.rb +393 -75
  6. data/lib/aws-sdk-s3/bucket_acl.rb +57 -14
  7. data/lib/aws-sdk-s3/bucket_cors.rb +67 -13
  8. data/lib/aws-sdk-s3/bucket_lifecycle.rb +54 -15
  9. data/lib/aws-sdk-s3/bucket_lifecycle_configuration.rb +56 -15
  10. data/lib/aws-sdk-s3/bucket_logging.rb +52 -15
  11. data/lib/aws-sdk-s3/bucket_notification.rb +47 -17
  12. data/lib/aws-sdk-s3/bucket_policy.rb +51 -13
  13. data/lib/aws-sdk-s3/bucket_region_cache.rb +2 -0
  14. data/lib/aws-sdk-s3/bucket_request_payment.rb +51 -12
  15. data/lib/aws-sdk-s3/bucket_tagging.rb +59 -13
  16. data/lib/aws-sdk-s3/bucket_versioning.rb +118 -12
  17. data/lib/aws-sdk-s3/bucket_website.rb +66 -13
  18. data/lib/aws-sdk-s3/client.rb +11422 -2518
  19. data/lib/aws-sdk-s3/client_api.rb +1196 -155
  20. data/lib/aws-sdk-s3/customizations/bucket.rb +53 -36
  21. data/lib/aws-sdk-s3/customizations/multipart_upload.rb +2 -0
  22. data/lib/aws-sdk-s3/customizations/object.rb +200 -62
  23. data/lib/aws-sdk-s3/customizations/object_summary.rb +5 -0
  24. data/lib/aws-sdk-s3/customizations/types/list_object_versions_output.rb +2 -0
  25. data/lib/aws-sdk-s3/customizations.rb +4 -1
  26. data/lib/aws-sdk-s3/encryption/client.rb +23 -6
  27. data/lib/aws-sdk-s3/encryption/decrypt_handler.rb +71 -29
  28. data/lib/aws-sdk-s3/encryption/default_cipher_provider.rb +43 -5
  29. data/lib/aws-sdk-s3/encryption/default_key_provider.rb +2 -0
  30. data/lib/aws-sdk-s3/encryption/encrypt_handler.rb +13 -2
  31. data/lib/aws-sdk-s3/encryption/errors.rb +2 -0
  32. data/lib/aws-sdk-s3/encryption/io_auth_decrypter.rb +11 -3
  33. data/lib/aws-sdk-s3/encryption/io_decrypter.rb +11 -3
  34. data/lib/aws-sdk-s3/encryption/io_encrypter.rb +2 -0
  35. data/lib/aws-sdk-s3/encryption/key_provider.rb +2 -0
  36. data/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb +34 -3
  37. data/lib/aws-sdk-s3/encryption/materials.rb +8 -6
  38. data/lib/aws-sdk-s3/encryption/utils.rb +25 -0
  39. data/lib/aws-sdk-s3/encryption.rb +4 -0
  40. data/lib/aws-sdk-s3/encryptionV2/client.rb +566 -0
  41. data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb +222 -0
  42. data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb +170 -0
  43. data/lib/aws-sdk-s3/encryptionV2/default_key_provider.rb +40 -0
  44. data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb +65 -0
  45. data/lib/aws-sdk-s3/encryptionV2/errors.rb +37 -0
  46. data/lib/aws-sdk-s3/encryptionV2/io_auth_decrypter.rb +58 -0
  47. data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb +37 -0
  48. data/lib/aws-sdk-s3/encryptionV2/io_encrypter.rb +73 -0
  49. data/lib/aws-sdk-s3/encryptionV2/key_provider.rb +31 -0
  50. data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +169 -0
  51. data/lib/aws-sdk-s3/encryptionV2/materials.rb +60 -0
  52. data/lib/aws-sdk-s3/encryptionV2/utils.rb +103 -0
  53. data/lib/aws-sdk-s3/encryption_v2.rb +23 -0
  54. data/lib/aws-sdk-s3/endpoint_parameters.rb +142 -0
  55. data/lib/aws-sdk-s3/endpoint_provider.rb +2020 -0
  56. data/lib/aws-sdk-s3/endpoints.rb +2149 -0
  57. data/lib/aws-sdk-s3/errors.rb +123 -1
  58. data/lib/aws-sdk-s3/event_streams.rb +20 -7
  59. data/lib/aws-sdk-s3/file_downloader.rb +17 -10
  60. data/lib/aws-sdk-s3/file_part.rb +11 -6
  61. data/lib/aws-sdk-s3/file_uploader.rb +33 -14
  62. data/lib/aws-sdk-s3/legacy_signer.rb +17 -25
  63. data/lib/aws-sdk-s3/multipart_file_uploader.rb +78 -19
  64. data/lib/aws-sdk-s3/multipart_stream_uploader.rb +54 -15
  65. data/lib/aws-sdk-s3/multipart_upload.rb +178 -28
  66. data/lib/aws-sdk-s3/multipart_upload_error.rb +2 -0
  67. data/lib/aws-sdk-s3/multipart_upload_part.rb +237 -44
  68. data/lib/aws-sdk-s3/object.rb +897 -154
  69. data/lib/aws-sdk-s3/object_acl.rb +81 -20
  70. data/lib/aws-sdk-s3/object_copier.rb +2 -0
  71. data/lib/aws-sdk-s3/object_multipart_copier.rb +2 -0
  72. data/lib/aws-sdk-s3/object_summary.rb +649 -139
  73. data/lib/aws-sdk-s3/object_version.rb +167 -65
  74. data/lib/aws-sdk-s3/plugins/accelerate.rb +17 -64
  75. data/lib/aws-sdk-s3/plugins/arn.rb +70 -0
  76. data/lib/aws-sdk-s3/plugins/bucket_dns.rb +7 -43
  77. data/lib/aws-sdk-s3/plugins/bucket_name_restrictions.rb +20 -3
  78. data/lib/aws-sdk-s3/plugins/dualstack.rb +7 -50
  79. data/lib/aws-sdk-s3/plugins/endpoints.rb +262 -0
  80. data/lib/aws-sdk-s3/plugins/expect_100_continue.rb +5 -4
  81. data/lib/aws-sdk-s3/plugins/get_bucket_location_fix.rb +3 -1
  82. data/lib/aws-sdk-s3/plugins/http_200_errors.rb +11 -3
  83. data/lib/aws-sdk-s3/plugins/iad_regional_endpoint.rb +44 -0
  84. data/lib/aws-sdk-s3/plugins/location_constraint.rb +2 -0
  85. data/lib/aws-sdk-s3/plugins/md5s.rb +34 -27
  86. data/lib/aws-sdk-s3/plugins/redirects.rb +2 -0
  87. data/lib/aws-sdk-s3/plugins/s3_host_id.rb +2 -0
  88. data/lib/aws-sdk-s3/plugins/s3_signer.rb +55 -92
  89. data/lib/aws-sdk-s3/plugins/skip_whole_multipart_get_checksums.rb +31 -0
  90. data/lib/aws-sdk-s3/plugins/sse_cpk.rb +3 -1
  91. data/lib/aws-sdk-s3/plugins/streaming_retry.rb +139 -0
  92. data/lib/aws-sdk-s3/plugins/url_encoded_keys.rb +2 -0
  93. data/lib/aws-sdk-s3/presigned_post.rb +108 -56
  94. data/lib/aws-sdk-s3/presigner.rb +169 -77
  95. data/lib/aws-sdk-s3/resource.rb +45 -5
  96. data/lib/aws-sdk-s3/types.rb +8564 -3891
  97. data/lib/aws-sdk-s3/waiters.rb +67 -1
  98. data/lib/aws-sdk-s3.rb +16 -6
  99. metadata +37 -13
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'base64'
2
4
 
3
5
  module Aws
@@ -5,6 +7,7 @@ module Aws
5
7
  module Encryption
6
8
  # @api private
7
9
  class DecryptHandler < Seahorse::Client::Handler
10
+ @@warned_response_target_proc = false
8
11
 
9
12
  V1_ENVELOPE_KEYS = %w(
10
13
  x-amz-key
@@ -20,7 +23,17 @@ module Aws
20
23
  x-amz-matdesc
21
24
  )
22
25
 
23
- POSSIBLE_ENVELOPE_KEYS = (V1_ENVELOPE_KEYS + V2_ENVELOPE_KEYS).uniq
26
+ V2_OPTIONAL_KEYS = %w(x-amz-tag-len)
27
+
28
+ POSSIBLE_ENVELOPE_KEYS = (V1_ENVELOPE_KEYS +
29
+ V2_ENVELOPE_KEYS + V2_OPTIONAL_KEYS).uniq
30
+
31
+ POSSIBLE_WRAPPING_FORMATS = %w(
32
+ AES/GCM
33
+ kms
34
+ kms+context
35
+ RSA-OAEP-SHA1
36
+ )
24
37
 
25
38
  POSSIBLE_ENCRYPTION_FORMATS = %w(
26
39
  AES/GCM/NoPadding
@@ -28,8 +41,21 @@ module Aws
28
41
  AES/CBC/PKCS7Padding
29
42
  )
30
43
 
44
+ AUTH_REQUIRED_CEK_ALGS = %w(AES/GCM/NoPadding)
45
+
31
46
  def call(context)
32
47
  attach_http_event_listeners(context)
48
+ apply_cse_user_agent(context)
49
+
50
+ if context[:response_target].is_a?(Proc) && !@@warned_response_target_proc
51
+ @@warned_response_target_proc = true
52
+ warn(':response_target is a Proc, or a block was provided. ' \
53
+ 'Read the entire object to the ' \
54
+ 'end before you start using the decrypted data. This is to ' \
55
+ 'verify that the object has not been modified since it ' \
56
+ 'was encrypted.')
57
+ end
58
+
33
59
  @handler.call(context)
34
60
  end
35
61
 
@@ -38,9 +64,9 @@ module Aws
38
64
  def attach_http_event_listeners(context)
39
65
 
40
66
  context.http_response.on_headers(200) do
41
- cipher = decryption_cipher(context)
42
- decrypter = body_contains_auth_tag?(context) ?
43
- authenticated_decrypter(context, cipher) :
67
+ cipher, envelope = decryption_cipher(context)
68
+ decrypter = body_contains_auth_tag?(envelope) ?
69
+ authenticated_decrypter(context, cipher, envelope) :
44
70
  IODecrypter.new(cipher, context.http_response.body)
45
71
  context.http_response.body = decrypter
46
72
  end
@@ -60,8 +86,13 @@ module Aws
60
86
  end
61
87
 
62
88
  def decryption_cipher(context)
63
- if envelope = get_encryption_envelope(context)
64
- context[:encryption][:cipher_provider].decryption_cipher(envelope)
89
+ if (envelope = get_encryption_envelope(context))
90
+ cipher = context[:encryption][:cipher_provider]
91
+ .decryption_cipher(
92
+ envelope,
93
+ context[:encryption]
94
+ )
95
+ [cipher, envelope]
65
96
  else
66
97
  raise Errors::DecryptionError, "unable to locate encryption envelope"
67
98
  end
@@ -97,13 +128,12 @@ module Aws
97
128
  end
98
129
 
99
130
  def extract_envelope(hash)
131
+ return nil unless hash
100
132
  return v1_envelope(hash) if hash.key?('x-amz-key')
101
133
  return v2_envelope(hash) if hash.key?('x-amz-key-v2')
102
134
  if hash.keys.any? { |key| key.match(/^x-amz-key-(.+)$/) }
103
135
  msg = "unsupported envelope encryption version #{$1}"
104
136
  raise Errors::DecryptionError, msg
105
- else
106
- nil # no envelope found
107
137
  end
108
138
  end
109
139
 
@@ -117,39 +147,27 @@ module Aws
117
147
  msg = "unsupported content encrypting key (cek) format: #{alg}"
118
148
  raise Errors::DecryptionError, msg
119
149
  end
120
- unless envelope['x-amz-wrap-alg'] == 'kms'
121
- # possible to support
122
- # RSA/ECB/OAEPWithSHA-256AndMGF1Padding
150
+ unless POSSIBLE_WRAPPING_FORMATS.include? envelope['x-amz-wrap-alg']
123
151
  alg = envelope['x-amz-wrap-alg'].inspect
124
152
  msg = "unsupported key wrapping algorithm: #{alg}"
125
153
  raise Errors::DecryptionError, msg
126
154
  end
127
- unless V2_ENVELOPE_KEYS.sort == envelope.keys.sort
155
+ unless (missing_keys = V2_ENVELOPE_KEYS - envelope.keys).empty?
128
156
  msg = "incomplete v2 encryption envelope:\n"
129
- msg += " expected: #{V2_ENVELOPE_KEYS.join(',')}\n"
130
- msg += " got: #{envelope_keys.join(', ')}"
157
+ msg += " missing: #{missing_keys.join(',')}\n"
131
158
  raise Errors::DecryptionError, msg
132
159
  end
133
160
  envelope
134
161
  end
135
162
 
136
- # When the x-amz-meta-x-amz-tag-len header is present, it indicates
137
- # that the body of this object has a trailing auth tag. The header
138
- # indicates the length of that tag.
139
- #
140
163
  # This method fetches the tag from the end of the object by
141
164
  # making a GET Object w/range request. This auth tag is used
142
165
  # to initialize the cipher, and the decrypter truncates the
143
166
  # auth tag from the body when writing the final bytes.
144
- def authenticated_decrypter(context, cipher)
145
- if RUBY_VERSION.match(/1.9/)
146
- raise "authenticated decryption not supported by OpeenSSL in Ruby version ~> 1.9"
147
- raise Aws::Errors::NonSupportedRubyVersionError, msg
148
- end
167
+ def authenticated_decrypter(context, cipher, envelope)
149
168
  http_resp = context.http_response
150
169
  content_length = http_resp.headers['content-length'].to_i
151
- auth_tag_length = http_resp.headers['x-amz-meta-x-amz-tag-len']
152
- auth_tag_length = auth_tag_length.to_i / 8
170
+ auth_tag_length = auth_tag_length(envelope)
153
171
 
154
172
  auth_tag = context.client.get_object(
155
173
  bucket: context.params[:bucket],
@@ -161,16 +179,40 @@ module Aws
161
179
  cipher.auth_data = ''
162
180
 
163
181
  # The encrypted object contains both the cipher text
164
- # plus a trailing auth tag. This decrypter will the body
165
- # expect for the trailing auth tag.
182
+ # plus a trailing auth tag.
166
183
  IOAuthDecrypter.new(
167
184
  io: http_resp.body,
168
185
  encrypted_content_length: content_length - auth_tag_length,
169
186
  cipher: cipher)
170
187
  end
171
188
 
172
- def body_contains_auth_tag?(context)
173
- context.http_response.headers['x-amz-meta-x-amz-tag-len']
189
+ def body_contains_auth_tag?(envelope)
190
+ AUTH_REQUIRED_CEK_ALGS.include?(envelope['x-amz-cek-alg'])
191
+ end
192
+
193
+ # Determine the auth tag length from the algorithm
194
+ # Validate it against the value provided in the x-amz-tag-len
195
+ # Return the tag length in bytes
196
+ def auth_tag_length(envelope)
197
+ tag_length =
198
+ case envelope['x-amz-cek-alg']
199
+ when 'AES/GCM/NoPadding' then AES_GCM_TAG_LEN_BYTES
200
+ else
201
+ raise ArgumentError, 'Unsupported cek-alg: ' \
202
+ "#{envelope['x-amz-cek-alg']}"
203
+ end
204
+ if (tag_length * 8) != envelope['x-amz-tag-len'].to_i
205
+ raise Errors::DecryptionError, 'x-amz-tag-len does not match expected'
206
+ end
207
+ tag_length
208
+ end
209
+
210
+ def apply_cse_user_agent(context)
211
+ if context.config.user_agent_suffix.nil?
212
+ context.config.user_agent_suffix = EC_USER_AGENT
213
+ elsif !context.config.user_agent_suffix.include? EC_USER_AGENT
214
+ context.config.user_agent_suffix += " #{EC_USER_AGENT}"
215
+ end
174
216
  end
175
217
 
176
218
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'base64'
2
4
 
3
5
  module Aws
@@ -24,11 +26,48 @@ module Aws
24
26
 
25
27
  # @return [Cipher] Given an encryption envelope, returns a
26
28
  # decryption cipher.
27
- def decryption_cipher(envelope)
29
+ def decryption_cipher(envelope, options = {})
28
30
  master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
29
- key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
30
- iv = decode64(envelope['x-amz-iv'])
31
- Utils.aes_decryption_cipher(:CBC, key, iv)
31
+ if envelope.key? 'x-amz-key'
32
+ # Support for decryption of legacy objects
33
+ key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
34
+ iv = decode64(envelope['x-amz-iv'])
35
+ Utils.aes_decryption_cipher(:CBC, key, iv)
36
+ else
37
+ if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
38
+ raise ArgumentError, 'Unsupported cek-alg: ' \
39
+ "#{envelope['x-amz-cek-alg']}"
40
+ end
41
+ key =
42
+ case envelope['x-amz-wrap-alg']
43
+ when 'AES/GCM'
44
+ if master_key.is_a? OpenSSL::PKey::RSA
45
+ raise ArgumentError, 'Key mismatch - Client is configured' \
46
+ ' with an RSA key and the x-amz-wrap-alg is AES/GCM.'
47
+ end
48
+ Utils.decrypt_aes_gcm(master_key,
49
+ decode64(envelope['x-amz-key-v2']),
50
+ envelope['x-amz-cek-alg'])
51
+ when 'RSA-OAEP-SHA1'
52
+ unless master_key.is_a? OpenSSL::PKey::RSA
53
+ raise ArgumentError, 'Key mismatch - Client is configured' \
54
+ ' with an AES key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
55
+ end
56
+ key, cek_alg = Utils.decrypt_rsa(master_key, decode64(envelope['x-amz-key-v2']))
57
+ raise Errors::DecryptionError unless cek_alg == envelope['x-amz-cek-alg']
58
+ key
59
+ when 'kms+context'
60
+ raise ArgumentError, 'Key mismatch - Client is configured' \
61
+ ' with a user provided key and the x-amz-wrap-alg is' \
62
+ ' kms+context. Please configure the client with the' \
63
+ ' required kms_key_id'
64
+ else
65
+ raise ArgumentError, 'Unsupported wrap-alg: ' \
66
+ "#{envelope['x-amz-wrap-alg']}"
67
+ end
68
+ iv = decode64(envelope['x-amz-iv'])
69
+ Utils.aes_decryption_cipher(:GCM, key, iv)
70
+ end
32
71
  end
33
72
 
34
73
  private
@@ -56,7 +95,6 @@ module Aws
56
95
  def decode64(str)
57
96
  Base64.decode64(str)
58
97
  end
59
-
60
98
  end
61
99
  end
62
100
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  module Aws
2
4
  module S3
3
5
  module Encryption
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'base64'
2
4
 
3
5
  module Aws
@@ -10,6 +12,7 @@ module Aws
10
12
  envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
11
13
  apply_encryption_envelope(context, envelope, cipher)
12
14
  apply_encryption_cipher(context, cipher)
15
+ apply_cse_user_agent(context)
13
16
  @handler.call(context)
14
17
  end
15
18
 
@@ -36,14 +39,22 @@ module Aws
36
39
  context.params[:body] = IOEncrypter.new(cipher, io)
37
40
  context.params[:metadata] ||= {}
38
41
  context.params[:metadata]['x-amz-unencrypted-content-length'] = io.size
39
- if md5 = context.params.delete(:content_md5)
40
- context.params[:metadata]['x-amz-unencrypted-content-md5'] = md5
42
+ if context.params.delete(:content_md5)
43
+ warn('Setting content_md5 on client side encrypted objects is deprecated')
41
44
  end
42
45
  context.http_response.on_headers do
43
46
  context.params[:body].close
44
47
  end
45
48
  end
46
49
 
50
+ def apply_cse_user_agent(context)
51
+ if context.config.user_agent_suffix.nil?
52
+ context.config.user_agent_suffix = EC_USER_AGENT
53
+ elsif !context.config.user_agent_suffix.include? EC_USER_AGENT
54
+ context.config.user_agent_suffix += " #{EC_USER_AGENT}"
55
+ end
56
+ end
57
+
47
58
  end
48
59
  end
49
60
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  module Aws
2
4
  module S3
3
5
  module Encryption
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  module Aws
2
4
  module S3
3
5
  module Encryption
@@ -22,8 +24,10 @@ module Aws
22
24
 
23
25
  def write(chunk)
24
26
  chunk = truncate_chunk(chunk)
25
- @bytes_written += chunk.bytesize
26
- @decrypter.write(chunk)
27
+ if chunk.bytesize > 0
28
+ @bytes_written += chunk.bytesize
29
+ @decrypter.write(chunk)
30
+ end
27
31
  end
28
32
 
29
33
  def finalize
@@ -39,8 +43,12 @@ module Aws
39
43
  def truncate_chunk(chunk)
40
44
  if chunk.bytesize + @bytes_written <= @max_bytes
41
45
  chunk
42
- else
46
+ elsif @bytes_written < @max_bytes
43
47
  chunk[0..(@max_bytes - @bytes_written - 1)]
48
+ else
49
+ # If the tag was sent over after the full body has been read,
50
+ # we don't want to accidentally append it.
51
+ ""
44
52
  end
45
53
  end
46
54
 
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  module Aws
2
4
  module S3
3
5
  module Encryption
@@ -7,8 +9,10 @@ module Aws
7
9
  # @param [OpenSSL::Cipher] cipher
8
10
  # @param [IO#write] io An IO-like object that responds to `#write`.
9
11
  def initialize(cipher, io)
10
- @cipher = cipher.clone
11
- @io = io
12
+ @cipher = cipher
13
+ # Ensure that IO is reset between retries
14
+ @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
15
+ @cipher_buffer = String.new
12
16
  end
13
17
 
14
18
  # @return [#write]
@@ -16,7 +20,11 @@ module Aws
16
20
 
17
21
  def write(chunk)
18
22
  # decrypt and write
19
- @io.write(@cipher.update(chunk))
23
+ if @cipher.method(:update).arity == 1
24
+ @io.write(@cipher.update(chunk))
25
+ else
26
+ @io.write(@cipher.update(chunk, @cipher_buffer))
27
+ end
20
28
  end
21
29
 
22
30
  def finalize
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'stringio'
2
4
  require 'tempfile'
3
5
 
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  module Aws
2
4
  module S3
3
5
  module Encryption
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'base64'
2
4
 
3
5
  module Aws
@@ -34,15 +36,36 @@ module Aws
34
36
 
35
37
  # @return [Cipher] Given an encryption envelope, returns a
36
38
  # decryption cipher.
37
- def decryption_cipher(envelope)
39
+ def decryption_cipher(envelope, options = {})
38
40
  encryption_context = Json.load(envelope['x-amz-matdesc'])
41
+ cek_alg = envelope['x-amz-cek-alg']
42
+
43
+ case envelope['x-amz-wrap-alg']
44
+ when 'kms'; # NO OP
45
+ when 'kms+context'
46
+ if cek_alg != encryption_context['aws:x-amz-cek-alg']
47
+ raise Errors::DecryptionError, 'Value of cek-alg from envelope'\
48
+ ' does not match the value in the encryption context'
49
+ end
50
+ when 'AES/GCM'
51
+ raise ArgumentError, 'Key mismatch - Client is configured' \
52
+ ' with a KMS key and the x-amz-wrap-alg is AES/GCM.'
53
+ when 'RSA-OAEP-SHA1'
54
+ raise ArgumentError, 'Key mismatch - Client is configured' \
55
+ ' with a KMS key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
56
+ else
57
+ raise ArgumentError, 'Unsupported wrap-alg: ' \
58
+ "#{envelope['x-amz-wrap-alg']}"
59
+ end
60
+
39
61
  key = @kms_client.decrypt(
40
62
  ciphertext_blob: decode64(envelope['x-amz-key-v2']),
41
- encryption_context: encryption_context,
63
+ encryption_context: encryption_context
42
64
  ).plaintext
65
+
43
66
  iv = decode64(envelope['x-amz-iv'])
44
67
  block_mode =
45
- case envelope['x-amz-cek-alg']
68
+ case cek_alg
46
69
  when 'AES/CBC/PKCS5Padding'
47
70
  :CBC
48
71
  when 'AES/CBC/PKCS7Padding'
@@ -59,6 +82,14 @@ module Aws
59
82
 
60
83
  private
61
84
 
85
+ def build_encryption_context(cek_alg, options = {})
86
+ kms_context = (options[:kms_encryption_context] || {})
87
+ .each_with_object({}) { |(k, v), h| h[k.to_s] = v }
88
+ {
89
+ 'aws:x-amz-cek-alg' => cek_alg
90
+ }.merge(kms_context)
91
+ end
92
+
62
93
  def encode64(str)
63
94
  Base64.encode64(str).split("\n") * ""
64
95
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'base64'
2
4
 
3
5
  module Aws
@@ -32,14 +34,14 @@ module Aws
32
34
  if [32, 24, 16].include?(key.bytesize)
33
35
  key
34
36
  else
35
- msg = "invalid key, symmetric key required to be 16, 24, or "
36
- msg << "32 bytes in length, saw length " + key.bytesize.to_s
37
+ msg = 'invalid key, symmetric key required to be 16, 24, or '\
38
+ '32 bytes in length, saw length ' + key.bytesize.to_s
37
39
  raise ArgumentError, msg
38
40
  end
39
41
  else
40
- msg = "invalid encryption key, expected an OpenSSL::PKey::RSA key "
41
- msg << "(for asymmetric encryption) or a String (for symmetric "
42
- msg << "encryption)."
42
+ msg = 'invalid encryption key, expected an OpenSSL::PKey::RSA key '\
43
+ '(for asymmetric encryption) or a String (for symmetric '\
44
+ 'encryption).'
43
45
  raise ArgumentError, msg
44
46
  end
45
47
  end
@@ -48,7 +50,7 @@ module Aws
48
50
  Json.load(description)
49
51
  description
50
52
  rescue Json::ParseError, EncodingError
51
- msg = "expected description to be a valid JSON document string"
53
+ msg = 'expected description to be a valid JSON document string'
52
54
  raise ArgumentError, msg
53
55
  end
54
56
 
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'openssl'
2
4
 
3
5
  module Aws
@@ -37,6 +39,29 @@ module Aws
37
39
  end
38
40
  end
39
41
 
42
+
43
+ def decrypt_aes_gcm(key, data, auth_data)
44
+ # data is iv (12B) + key + tag (16B)
45
+ buf = data.unpack('C*')
46
+ iv = buf[0,12].pack('C*') # iv will always be 12 bytes
47
+ tag = buf[-16, 16].pack('C*') # tag is 16 bytes
48
+ enc_key = buf[12, buf.size - (12+16)].pack('C*')
49
+ cipher = aes_cipher(:decrypt, :GCM, key, iv)
50
+ cipher.auth_tag = tag
51
+ cipher.auth_data = auth_data
52
+ cipher.update(enc_key) + cipher.final
53
+ end
54
+
55
+ # returns the decrypted data + auth_data
56
+ def decrypt_rsa(key, enc_data)
57
+ # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
58
+ buf = key.private_decrypt(enc_data, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING).unpack('C*')
59
+ key_length = buf[0]
60
+ data = buf[1, key_length].pack('C*')
61
+ auth_data = buf[key_length+1, buf.length - key_length].pack('C*')
62
+ [data, auth_data]
63
+ end
64
+
40
65
  # @param [String] block_mode "CBC" or "ECB"
41
66
  # @param [OpenSSL::PKey::RSA, String, nil] key
42
67
  # @param [String, nil] iv The initialization vector
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'aws-sdk-s3/encryption/client'
2
4
  require 'aws-sdk-s3/encryption/decrypt_handler'
3
5
  require 'aws-sdk-s3/encryption/default_cipher_provider'
@@ -15,5 +17,7 @@ require 'aws-sdk-s3/encryption/default_key_provider'
15
17
  module Aws
16
18
  module S3
17
19
  module Encryption; end
20
+ AES_GCM_TAG_LEN_BYTES = 16
21
+ EC_USER_AGENT = 'S3CryptoV1n'
18
22
  end
19
23
  end