aws-sdk-s3 1.69.0 → 1.69.1
- checksums.yaml +4 -4
- data/lib/aws-sdk-s3.rb +1 -1
- data/lib/aws-sdk-s3/client.rb +1 -1
- data/lib/aws-sdk-s3/encryptionV2/client.rb +10 -0
- data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb +6 -2
- data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb +3 -4
- data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb +4 -1
- data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb +1 -1
- data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +25 -10
- metadata +2 -2
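--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 71499a1c36cb061a8fb6b48a61fba9eec3985149a0e3effb810f8bf45e89f8db
+data.tar.gz: 05e2a7de980f2c579b09688d1301326ce8a5df60bb9f3487a0ff21486afb58e6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 522caf62fdf5130b9e8f19da2c06841074ea7da04c15c9e2731992cadc9fcd7372a0705db07902bd672ea48d7b47703876f0f679c402330f13fb33120f6e4478
+data.tar.gz: 977b14327746226f9abb50cc7984f23abfa6526b6a3b10360c5e1827d4b38166c827290ca416e109a58bebf5debecdb4effc7dbc316c22e921a004720cad8e63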
data/lib/aws-sdk-s3.rb
CHANGED
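--- a/data/lib/aws-sdk-s3/client.rb
+++ b/data/lib/aws-sdk-s3/client.rb
@@ -11670,7 +11670,7 @@ module Aws::S3
 params: params,
 config: config)
 context[:gem_name] = 'aws-sdk-s3'
-context[:gem_version] = '1.69.
+context[:gem_version] = '1.69.1'
 Seahorse::Client::Request.new(handlers, context)
 end
 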
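--- a/data/lib/aws-sdk-s3/encryptionV2/client.rb
+++ b/data/lib/aws-sdk-s3/encryptionV2/client.rb
@@ -252,16 +252,22 @@ module Aws
 # Uploads an object to Amazon S3, encrypting data client-side.
 # See {S3::Client#put_object} for documentation on accepted
 # request parameters.
+# @option params [Hash] :kms_encryption_context Additional encryption
+# context to use with KMS. Applies only when KMS is used. In order
+# to decrypt the object you will need to provide the identical
+# :kms_encryption_context to `get_object`.
 # @option (see S3::Client#put_object)
 # @return (see S3::Client#put_object)
 # @see S3::Client#put_object
 def put_object(params = {})
+kms_encryption_context = params.delete(:kms_encryption_context)
 req = @client.build_request(:put_object, params)
 req.handlers.add(EncryptHandler, priority: 95)
 req.context[:encryption] = {
 cipher_provider: @cipher_provider,
 envelope_location: @envelope_location,
 instruction_file_suffix: @instruction_file_suffix,
+kms_encryption_context: kms_encryption_context
 }
 req.send_request
 end
@@ -274,6 +280,8 @@ module Aws
 # envelope. You should not set this option when the envelope
 # is stored in the object metadata. Defaults to
 # {#instruction_file_suffix}.
+# @option params [Hash] :kms_encryption_context Additional encryption
+# context to use with KMS. Applies only when KMS is used.
 # @option params [String] :instruction_file_suffix
 # @option (see S3::Client#get_object)
 # @return (see S3::Client#get_object)
@@ -284,12 +292,14 @@ module Aws
 raise NotImplementedError, '#get_object with :range not supported'
 end
 envelope_location, instruction_file_suffix = envelope_options(params)
+kms_encryption_context = params.delete(:kms_encryption_context)
 req = @client.build_request(:get_object, params)
 req.handlers.add(DecryptHandler)
 req.context[:encryption] = {
 cipher_provider: @cipher_provider,
 envelope_location: envelope_location,
 instruction_file_suffix: instruction_file_suffix,
+kms_encryption_context: kms_encryption_context
 }
 req.send_request(target: block)
 end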
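Review bot: `kms_encryption_context = params.delete(:kms_encryption_context)` (new line 263 in put_object, and again at new line 295 in get_object) mutates the hash the caller passed in, so a caller that reuses one params hash across requests loses the context after the first call and the later ones silently run without it. Copy before deleting, e.g. `params = params.dup` on the line before the delete; if `envelope_options(params)` already mutates params, a single dup at the top of get_object covers both. The value is also forwarded unchecked, and a non-Hash value will presumably only fail later inside the KMS provider, so `raise ArgumentError, ':kms_encryption_context must be a Hash' unless kms_encryption_context.nil? || kms_encryption_context.is_a?(Hash)` would surface the mistake at the call site. The get_object method of the third hunk begins before the hunk.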
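--- a/data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb
+++ b/data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb
@@ -72,8 +72,12 @@ module Aws
 
 def decryption_cipher(context)
 if envelope = get_encryption_envelope(context)
-
-
+cipher = context[:encryption][:cipher_provider]
+.decryption_cipher(
+envelope,
+kms_encryption_context: context[:encryption][:kms_encryption_context]
+)
+[cipher, envelope]
 else
 raise Errors::DecryptionError, "unable to locate encryption envelope"
 end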
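--- a/data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb
+++ b/data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb
@@ -12,7 +12,7 @@ module Aws
 
 # @return [Array<Hash,Cipher>] Creates an returns a new encryption
 # envelope and encryption cipher.
-def encryption_cipher
+def encryption_cipher(options = {})
 cipher = Utils.aes_encryption_cipher(:GCM)
 cek_alg = 'AES/GCM/NoPadding'
 if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
@@ -36,15 +36,14 @@ module Aws
 
 # @return [Cipher] Given an encryption envelope, returns a
 # decryption cipher.
-def decryption_cipher(envelope)
+def decryption_cipher(envelope, options = {})
+master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
 if envelope.key? 'x-amz-key'
 # Support for decryption of legacy objects
-master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
 key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
 iv = decode64(envelope['x-amz-iv'])
 Utils.aes_decryption_cipher(:CBC, key, iv)
 else
-master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
 if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
 raise ArgumentError, 'Unsupported cek-alg: ' \
 "#{envelope['x-amz-cek-alg']}"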
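Review bot: The new `options = {}` parameter on `encryption_cipher` (new line 15) and `decryption_cipher` (new line 39) is never read in this provider, and nothing tells a reader that it exists only so the handlers can call both providers the same way; add `# @param [Hash] options Accepted for interface parity with KmsCipherProvider; :kms_encryption_context is ignored by this provider.` above each signature. Naming it `_options = {}` would also make the intent visible in the signature itself. Hoisting `master_key = @key_provider.key_for(envelope['x-amz-matdesc'])` above the `'x-amz-key'` branch does not change which key is used, but it now runs before the branch check, which only matters if `key_for` has side effects. Both method bodies continue past the hunk.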
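--- a/data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb
+++ b/data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb
@@ -11,7 +11,10 @@ module Aws
 raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
 raise Aws::Errors::NonSupportedRubyVersionError, msg
 end
-envelope, cipher = context[:encryption][:cipher_provider]
+envelope, cipher = context[:encryption][:cipher_provider]
+.encryption_cipher(
+kms_encryption_context: context[:encryption][:kms_encryption_context]
+)
 context[:encryption][:cipher] = cipher
 apply_encryption_envelope(context, envelope)
 apply_encryption_cipher(context, cipher)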
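--- a/data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb
+++ b/data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb
@@ -7,7 +7,7 @@ module Aws
 # @param [OpenSSL::Cipher] cipher
 # @param [IO#write] io An IO-like object that responds to `#write`.
 def initialize(cipher, io)
-@cipher = cipher
+@cipher = cipher
 # Ensure that IO is reset between retries
 @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
 end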
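--- a/data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb
+++ b/data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb
@@ -13,15 +13,13 @@ module Aws
 
 # @return [Array<Hash,Cipher>] Creates and returns a new encryption
 # envelope and encryption cipher.
-def encryption_cipher
+def encryption_cipher(options = {})
 cek_alg = 'AES/GCM/NoPadding'
-encryption_context =
-'aws:x-amz-cek-alg' => cek_alg
-}
+encryption_context = build_encryption_context(cek_alg, options)
 key_data = @kms_client.generate_data_key(
 key_id: @kms_key_id,
 encryption_context: encryption_context,
-key_spec: 'AES_256'
+key_spec: 'AES_256'
 )
 cipher = Utils.aes_encryption_cipher(:GCM)
 cipher.key = key_data.plaintext
@@ -39,18 +37,27 @@ module Aws
 
 # @return [Cipher] Given an encryption envelope, returns a
 # decryption cipher.
-def decryption_cipher(envelope)
+def decryption_cipher(envelope, options={})
 encryption_context = Json.load(envelope['x-amz-matdesc'])
-key = @kms_client.decrypt(
-ciphertext_blob: decode64(envelope['x-amz-key-v2']),
-encryption_context: encryption_context
-).plaintext
 cek_alg = envelope['x-amz-wrap-alg'] == 'kms+context' ?
 encryption_context['aws:x-amz-cek-alg'] : envelope['x-amz-cek-alg']
 if cek_alg != envelope['x-amz-cek-alg']
 raise Errors::DecryptionError, 'Value of cek-alg from envelope'\
 ' does not match the value in the encryption context'
 end
+
+if envelope['x-amz-wrap-alg'] == 'kms+context' &&
+encryption_context != build_encryption_context(cek_alg, options)
+raise Errors::DecryptionError, 'Value of encryption context from'\
+' envelope does not match the provided encryption context'
+end
+
+key = @kms_client.decrypt(
+ciphertext_blob: decode64(envelope['x-amz-key-v2']),
+encryption_context: encryption_context
+).plaintext
+
+
 iv = decode64(envelope['x-amz-iv'])
 block_mode =
 case cek_alg
@@ -70,6 +77,14 @@ module Aws
 
 private
 
+def build_encryption_context(cek_alg, options = {})
+kms_context = (options[:kms_encryption_context] || {})
+.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
+{
+'aws:x-amz-cek-alg' => cek_alg
+}.merge(kms_context)
+end
+
 def encode64(str)
 Base64.encode64(str).split("\n") * ""
 end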
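Review bot: In `build_encryption_context` (new lines 80-86) the caller-supplied context is merged last, so a `kms_encryption_context` that contains the key `'aws:x-amz-cek-alg'` silently overwrites the SDK's own entry; on encryption the envelope's `x-amz-matdesc` then carries the caller's value, and on decryption the cek-alg consistency check at new lines 44-47 raises DecryptionError, leaving the object unreadable by this client. Reject the collision up front, e.g. `raise ArgumentError, 'kms_encryption_context must not use the reserved key aws:x-amz-cek-alg' if kms_context.key?('aws:x-amz-cek-alg')` before the merge (KMS treats the `aws:` prefix as reserved, so rejecting every `aws:`-prefixed key would be defensible). Keys are normalised with `k.to_s` but values are not, so a caller passing non-String values gets a context that never equals the JSON-loaded one from the envelope and the new equality check at new lines 49-53 fails every decrypt of an object that was encrypted with the same options; either normalise `v.to_s` alongside or document that values must be Strings. The pre-decrypt comparison itself is a welcome addition: `x-amz-matdesc` comes from object metadata, and refusing a mismatch before `@kms_client.decrypt` avoids a KMS call under a context the caller never intended. Minor: `def decryption_cipher(envelope, options={})` lacks the spaces around `=` used in `encryption_cipher(options = {})`.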
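--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-s3
 version: !ruby/object:Gem::Version
-version: 1.69.
+version: 1.69.1
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-
+date: 2020-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-kms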