aws-sdk-s3 1.68.1 → 1.69.0

data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb

@@ -0,0 +1,194 @@
+require 'base64'
+
+module Aws
+  module S3
+    module EncryptionV2
+      # @api private
+      class DecryptHandler < Seahorse::Client::Handler
+
+        V1_ENVELOPE_KEYS = %w(
+          x-amz-key
+          x-amz-iv
+          x-amz-matdesc
+        )
+
+        V2_ENVELOPE_KEYS = %w(
+          x-amz-key-v2
+          x-amz-iv
+          x-amz-cek-alg
+          x-amz-wrap-alg
+          x-amz-matdesc
+        )
+
+        V2_OPTIONAL_KEYS = %w(x-amz-tag-len)
+
+        POSSIBLE_ENVELOPE_KEYS = (V1_ENVELOPE_KEYS +
+          V2_ENVELOPE_KEYS + V2_OPTIONAL_KEYS).uniq
+
+        POSSIBLE_WRAPPING_FORMATS = %w(
+          AES/GCM
+          kms
+          kms+context
+          RSA-OAEP-SHA1
+        )
+
+        POSSIBLE_ENCRYPTION_FORMATS = %w(
+          AES/GCM/NoPadding
+          AES/CBC/PKCS5Padding
+          AES/CBC/PKCS7Padding
+        )
+
+        def call(context)
+          attach_http_event_listeners(context)
+          apply_cse_user_agent(context)
+          @handler.call(context)
+        end
+
+        private
+
+        def attach_http_event_listeners(context)
+
+          context.http_response.on_headers(200) do
+            cipher, envelope = decryption_cipher(context)
+            decrypter = body_contains_auth_tag?(envelope) ?
+              authenticated_decrypter(context, cipher, envelope) :
+              IODecrypter.new(cipher, context.http_response.body)
+            context.http_response.body = decrypter
+          end
+
+          context.http_response.on_success(200) do
+            decrypter = context.http_response.body
+            decrypter.finalize
+            decrypter.io.rewind if decrypter.io.respond_to?(:rewind)
+            context.http_response.body = decrypter.io
+          end
+
+          context.http_response.on_error do
+            if context.http_response.body.respond_to?(:io)
+              context.http_response.body = context.http_response.body.io
+            end
+          end
+        end
+
+        def decryption_cipher(context)
+          if envelope = get_encryption_envelope(context)
+            [context[:encryption][:cipher_provider].decryption_cipher(envelope),
+             envelope]
+          else
+            raise Errors::DecryptionError, "unable to locate encryption envelope"
+          end
+        end
+
+        def get_encryption_envelope(context)
+          if context[:encryption][:envelope_location] == :metadata
+            envelope_from_metadata(context) || envelope_from_instr_file(context)
+          else
+            envelope_from_instr_file(context) || envelope_from_metadata(context)
+          end
+        end
+
+        def envelope_from_metadata(context)
+          possible_envelope = {}
+          POSSIBLE_ENVELOPE_KEYS.each do |suffix|
+            if value = context.http_response.headers["x-amz-meta-#{suffix}"]
+              possible_envelope[suffix] = value
+            end
+          end
+          extract_envelope(possible_envelope)
+        end
+
+        def envelope_from_instr_file(context)
+          suffix = context[:encryption][:instruction_file_suffix]
+          possible_envelope = Json.load(context.client.get_object(
+            bucket: context.params[:bucket],
+            key: context.params[:key] + suffix
+          ).body.read)
+          extract_envelope(possible_envelope)
+        rescue S3::Errors::ServiceError, Json::ParseError
+          nil
+        end
+
+        def extract_envelope(hash)
+          return nil unless hash
+          return v1_envelope(hash) if hash.key?('x-amz-key')
+          return v2_envelope(hash) if hash.key?('x-amz-key-v2')
+          if hash.keys.any? { |key| key.match(/^x-amz-key-(.+)$/) }
+            msg = "unsupported envelope encryption version #{$1}"
+            raise Errors::DecryptionError, msg
+          end
+        end
+
+        def v1_envelope(envelope)
+          envelope
+        end
+
+        def v2_envelope(envelope)
+          unless POSSIBLE_ENCRYPTION_FORMATS.include? envelope['x-amz-cek-alg']
+            alg = envelope['x-amz-cek-alg'].inspect
+            msg = "unsupported content encrypting key (cek) format: #{alg}"
+            raise Errors::DecryptionError, msg
+          end
+          unless POSSIBLE_WRAPPING_FORMATS.include? envelope['x-amz-wrap-alg']
+            alg = envelope['x-amz-wrap-alg'].inspect
+            msg = "unsupported key wrapping algorithm: #{alg}"
+            raise Errors::DecryptionError, msg
+          end
+          unless (missing_keys = V2_ENVELOPE_KEYS - envelope.keys).empty?
+            msg = "incomplete v2 encryption envelope:\n"
+            msg += "  missing: #{missing_keys.join(',')}\n"
+            raise Errors::DecryptionError, msg
+          end
+          envelope
+        end
+
+        # When the x-amz-meta-x-amz-tag-len header is present, it indicates
+        # that the body of this object has a trailing auth tag. The header
+        # indicates the length of that tag.
+        #
+        # This method fetches the tag from the end of the object by
+        # making a GET Object w/range request. This auth tag is used
+        # to initialize the cipher, and the decrypter truncates the
+        # auth tag from the body when writing the final bytes.
+        def authenticated_decrypter(context, cipher, envelope)
+          if RUBY_VERSION.match(/1.9/)
+            raise "authenticated decryption not supported by OpenSSL in Ruby version ~> 1.9"
+            raise Aws::Errors::NonSupportedRubyVersionError, msg
+          end
+          http_resp = context.http_response
+          content_length = http_resp.headers['content-length'].to_i
+          auth_tag_length = envelope['x-amz-tag-len']
+          auth_tag_length = auth_tag_length.to_i / 8
+
+          auth_tag = context.client.get_object(
+            bucket: context.params[:bucket],
+            key: context.params[:key],
+            range: "bytes=-#{auth_tag_length}"
+          ).body.read
+
+          cipher.auth_tag = auth_tag
+          cipher.auth_data = ''
+
+          # The encrypted object contains both the cipher text
+          # plus a trailing auth tag.
+          IOAuthDecrypter.new(
+            io: http_resp.body,
+            encrypted_content_length: content_length - auth_tag_length,
+            cipher: cipher)
+        end
+
+        def body_contains_auth_tag?(envelope)
+          envelope.include? 'x-amz-tag-len'
+        end
+
+        def apply_cse_user_agent(context)
+          if context.config.user_agent_suffix.nil?
+            context.config.user_agent_suffix = 'CSE_V2'
+          elsif !context.config.user_agent_suffix.include? 'CSE_V2'
+            context.config.user_agent_suffix += ' CSE_V2'
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb

@@ -0,0 +1,104 @@
+require 'base64'
+
+module Aws
+  module S3
+    module EncryptionV2
+      # @api private
+      class DefaultCipherProvider
+
+        def initialize(options = {})
+          @key_provider = options[:key_provider]
+        end
+
+        # @return [Array<Hash,Cipher>] Creates an returns a new encryption
+        #   envelope and encryption cipher.
+        def encryption_cipher
+          cipher = Utils.aes_encryption_cipher(:GCM)
+          cek_alg = 'AES/GCM/NoPadding'
+          if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
+            wrap_alg = 'RSA-OAEP-SHA1'
+            enc_key = encode64(encrypt_rsa(envelope_key(cipher), cek_alg))
+          else
+            wrap_alg = 'AES/GCM'
+            enc_key = encode64(encrypt_aes_gcm(envelope_key(cipher), cek_alg))
+          end
+          envelope = {
+            'x-amz-key-v2' => enc_key,
+            'x-amz-cek-alg' => cek_alg,
+            'x-amz-tag-len' => 16 * 8,
+            'x-amz-wrap-alg' => wrap_alg,
+            'x-amz-iv' => encode64(envelope_iv(cipher)),
+            'x-amz-matdesc' => materials_description,
+          }
+          cipher.auth_data = '' # auth_data must be set after key and iv
+          [envelope, cipher]
+        end
+
+        # @return [Cipher] Given an encryption envelope, returns a
+        #   decryption cipher.
+        def decryption_cipher(envelope)
+          if envelope.key? 'x-amz-key'
+            # Support for decryption of legacy objects
+            master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
+            key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
+            iv = decode64(envelope['x-amz-iv'])
+            Utils.aes_decryption_cipher(:CBC, key, iv)
+          else
+            master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
+            if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
+              raise ArgumentError, 'Unsupported cek-alg: ' \
+                "#{envelope['x-amz-cek-alg']}"
+            end
+            key =
+              case envelope['x-amz-wrap-alg']
+              when 'AES/GCM'
+                Utils.decrypt_aes_gcm(master_key,
+                                    decode64(envelope['x-amz-key-v2']),
+                                    envelope['x-amz-cek-alg'])
+              when 'RSA-OAEP-SHA1'
+                key, cek_alg = Utils.decrypt_rsa(master_key, decode64(envelope['x-amz-key-v2']))
+                raise Errors::DecryptionError unless cek_alg == envelope['x-amz-cek-alg']
+                key
+              else
+              raise ArgumentError, 'Unsupported wrap-alg: ' \
+                "#{envelope['x-amz-wrap-alg']}"
+            end
+            iv = decode64(envelope['x-amz-iv'])
+            Utils.aes_decryption_cipher(:GCM, key, iv)
+          end
+        end
+
+        private
+
+        def envelope_key(cipher)
+          cipher.key = cipher.random_key
+        end
+
+        def envelope_iv(cipher)
+          cipher.iv = cipher.random_iv
+        end
+
+        def encrypt_aes_gcm(data, auth_data)
+          Utils.encrypt_aes_gcm(@key_provider.encryption_materials.key, data, auth_data)
+        end
+
+        def encrypt_rsa(data, auth_data)
+          Utils.encrypt_rsa(@key_provider.encryption_materials.key, data, auth_data)
+        end
+
+        def materials_description
+          @key_provider.encryption_materials.description
+        end
+
+        def encode64(str)
+          Base64.encode64(str).split("\n") * ''
+        end
+
+        def decode64(str)
+          Base64.decode64(str)
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/default_key_provider.rb

@@ -0,0 +1,38 @@
+module Aws
+  module S3
+    module EncryptionV2
+
+      # The default key provider is constructed with a single key
+      # that is used for both encryption and decryption, ignoring
+      # the possible per-object envelope encryption materials description.
+      # @api private
+      class DefaultKeyProvider
+
+        include KeyProvider
+
+        # @option options [required, OpenSSL::PKey::RSA, String] :encryption_key
+        #   The master key to use for encrypting objects.
+        # @option options [String<JSON>] :materials_description ('{}')
+        #   A description of the encryption key.
+        def initialize(options = {})
+          @encryption_materials = Materials.new(
+            key: options[:encryption_key],
+            description: options[:materials_description] || '{}'
+          )
+        end
+
+        # @return [Materials]
+        def encryption_materials
+          @encryption_materials
+        end
+
+        # @param [String<JSON>] materials_description
+        # @return Returns the key given in the constructor.
+        def key_for(materials_description)
+          @encryption_materials.key
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb

@@ -0,0 +1,63 @@
+require 'base64'
+
+module Aws
+  module S3
+    module EncryptionV2
+      # @api private
+      class EncryptHandler < Seahorse::Client::Handler
+
+        def call(context)
+          if RUBY_VERSION.match(/1.9/)
+            raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
+            raise Aws::Errors::NonSupportedRubyVersionError, msg
+          end
+          envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
+          context[:encryption][:cipher] = cipher
+          apply_encryption_envelope(context, envelope)
+          apply_encryption_cipher(context, cipher)
+          apply_cse_user_agent(context)
+          @handler.call(context)
+        end
+
+        private
+
+        def apply_encryption_envelope(context, envelope)
+          if context[:encryption][:envelope_location] == :instruction_file
+            suffix = context[:encryption][:instruction_file_suffix]
+            context.client.put_object(
+              bucket: context.params[:bucket],
+              key: context.params[:key] + suffix,
+              body: Json.dump(envelope)
+            )
+          else # :metadata
+            context.params[:metadata] ||= {}
+            context.params[:metadata].update(envelope)
+          end
+        end
+
+        def apply_encryption_cipher(context, cipher)
+          io = context.params[:body] || ''
+          io = StringIO.new(io) if io.is_a? String
+          context.params[:body] = IOEncrypter.new(cipher, io)
+          context.params[:metadata] ||= {}
+          context.params[:metadata]['x-amz-unencrypted-content-length'] = io.size
+          if context.params.delete(:content_md5)
+            raise ArgumentError, 'content_md5 is not supported'
+          end
+          context.http_response.on_headers do
+            context.params[:body].close
+          end
+        end
+
+        def apply_cse_user_agent(context)
+          if context.config.user_agent_suffix.nil?
+            context.config.user_agent_suffix = 'CSE_V2'
+          elsif !context.config.user_agent_suffix.include? 'CSE_V2'
+            context.config.user_agent_suffix += ' CSE_V2'
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/errors.rb

@@ -0,0 +1,13 @@
+module Aws
+  module S3
+    module EncryptionV2
+      module Errors
+
+        class DecryptionError < RuntimeError; end
+
+        class EncryptionError < RuntimeError; end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/io_auth_decrypter.rb

@@ -0,0 +1,56 @@
+module Aws
+  module S3
+    module EncryptionV2
+      # @api private
+      class IOAuthDecrypter
+
+        # @option options [required, IO#write] :io
+        #   An IO-like object that responds to {#write}.
+        # @option options [required, Integer] :encrypted_content_length
+        #   The number of bytes to decrypt from the `:io` object.
+        #   This should be the total size of `:io` minus the length of
+        #   the cipher auth tag.
+        # @option options [required, OpenSSL::Cipher] :cipher An initialized
+        #   cipher that can be used to decrypt the bytes as they are
+        #   written to the `:io` object. The cipher should already have
+        #   its `#auth_tag` set.
+        def initialize(options = {})
+          @decrypter = IODecrypter.new(options[:cipher], options[:io])
+          @max_bytes = options[:encrypted_content_length]
+          @bytes_written = 0
+        end
+
+        def write(chunk)
+          chunk = truncate_chunk(chunk)
+          if chunk.bytesize > 0
+            @bytes_written += chunk.bytesize
+            @decrypter.write(chunk)
+          end
+        end
+
+        def finalize
+          @decrypter.finalize
+        end
+
+        def io
+          @decrypter.io
+        end
+
+        private
+
+        def truncate_chunk(chunk)
+          if chunk.bytesize + @bytes_written <= @max_bytes
+            chunk
+          elsif @bytes_written < @max_bytes
+            chunk[0..(@max_bytes - @bytes_written - 1)]
+          else
+            # If the tag was sent over after the full body has been read,
+            # we don't want to accidentally append it.
+            ""
+          end
+        end
+
+      end
+    end
+  end
+end