aws-sdk-s3 1.69.0 → 1.69.1

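--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 42108655e1496a1ce6df9db9b19ea1733e1c2d3710b70d8a27bb6c8b562fb307
- data.tar.gz: 2b759d809937dc65075c1e193ce71972de3ce592ac7d6d01d782e1eb401e6b1e
+ metadata.gz: 71499a1c36cb061a8fb6b48a61fba9eec3985149a0e3effb810f8bf45e89f8db
+ data.tar.gz: 05e2a7de980f2c579b09688d1301326ce8a5df60bb9f3487a0ff21486afb58e6
  SHA512:
- metadata.gz: d0342f210f9a406650291b5cc4a27315d39c142d042609362bc16b3ef20eafa2915243a7f72dcd3a84a81bcdc0e1209f76b440cddf3acd88dc62ce66cc6f67fb
- data.tar.gz: e3090d0ea9210596cb6eaa93b95ad43fb8784de81b249ebe8e8db33fb97763e281192f593a0f07bf224fa820ec5d0ea5f225368d9e396982f10a9c3e8a528f91
+ metadata.gz: 522caf62fdf5130b9e8f19da2c06841074ea7da04c15c9e2731992cadc9fcd7372a0705db07902bd672ea48d7b47703876f0f679c402330f13fb33120f6e4478
+ data.tar.gz: 977b14327746226f9abb50cc7984f23abfa6526b6a3b10360c5e1827d4b38166c827290ca416e109a58bebf5debecdb4effc7dbc316c22e921a004720cad8e63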
@@ -68,6 +68,6 @@ require_relative 'aws-sdk-s3/event_streams'
68
68
  # @service
69
69
  module Aws::S3
70
70
 
71
- GEM_VERSION = '1.69.0'
71
+ GEM_VERSION = '1.69.1'
72
72
 
73
73
  end
@@ -11670,7 +11670,7 @@ module Aws::S3
11670
11670
  params: params,
11671
11671
  config: config)
11672
11672
  context[:gem_name] = 'aws-sdk-s3'
11673
- context[:gem_version] = '1.69.0'
11673
+ context[:gem_version] = '1.69.1'
11674
11674
  Seahorse::Client::Request.new(handlers, context)
11675
11675
  end
11676
11676
 
@@ -252,16 +252,22 @@ module Aws
252
252
  # Uploads an object to Amazon S3, encrypting data client-side.
253
253
  # See {S3::Client#put_object} for documentation on accepted
254
254
  # request parameters.
255
+ # @option params [Hash] :kms_encryption_context Additional encryption
256
+ # context to use with KMS. Applies only when KMS is used. In order
257
+ # to decrypt the object you will need to provide the identical
258
+ # :kms_encryption_context to `get_object`.
255
259
  # @option (see S3::Client#put_object)
256
260
  # @return (see S3::Client#put_object)
257
261
  # @see S3::Client#put_object
258
262
  def put_object(params = {})
263
+ kms_encryption_context = params.delete(:kms_encryption_context)
259
264
  req = @client.build_request(:put_object, params)
260
265
  req.handlers.add(EncryptHandler, priority: 95)
261
266
  req.context[:encryption] = {
262
267
  cipher_provider: @cipher_provider,
263
268
  envelope_location: @envelope_location,
264
269
  instruction_file_suffix: @instruction_file_suffix,
270
+ kms_encryption_context: kms_encryption_context
265
271
  }
266
272
  req.send_request
267
273
  end
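Review bot: `params.delete(:kms_encryption_context)` at the top of `put_object` mutates the hash the caller passed in, so a caller who keeps one options Hash and reuses it for a second upload would have that upload encrypted without the extra context and see no error. Taking a copy first leaves the caller's hash intact: `params = params.dup` on the line before the delete. The same delete is added to `get_object` in the later hunk of this file, where a reused hash would then fail the context comparison on the second read. The new `@option` text could also say that a missing or different context on `get_object` raises `Errors::DecryptionError` for `kms+context` envelopes, since that is what the KMS provider hunk in this release implements.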
@@ -274,6 +280,8 @@ module Aws
274
280
  # envelope. You should not set this option when the envelope
275
281
  # is stored in the object metadata. Defaults to
276
282
  # {#instruction_file_suffix}.
283
+ # @option params [Hash] :kms_encryption_context Additional encryption
284
+ # context to use with KMS. Applies only when KMS is used.
277
285
  # @option params [String] :instruction_file_suffix
278
286
  # @option (see S3::Client#get_object)
279
287
  # @return (see S3::Client#get_object)
@@ -284,12 +292,14 @@ module Aws
284
292
  raise NotImplementedError, '#get_object with :range not supported'
285
293
  end
286
294
  envelope_location, instruction_file_suffix = envelope_options(params)
295
+ kms_encryption_context = params.delete(:kms_encryption_context)
287
296
  req = @client.build_request(:get_object, params)
288
297
  req.handlers.add(DecryptHandler)
289
298
  req.context[:encryption] = {
290
299
  cipher_provider: @cipher_provider,
291
300
  envelope_location: envelope_location,
292
301
  instruction_file_suffix: instruction_file_suffix,
302
+ kms_encryption_context: kms_encryption_context
293
303
  }
294
304
  req.send_request(target: block)
295
305
  end
@@ -72,8 +72,12 @@ module Aws
72
72
 
73
73
  def decryption_cipher(context)
74
74
  if envelope = get_encryption_envelope(context)
75
- [context[:encryption][:cipher_provider].decryption_cipher(envelope),
76
- envelope]
75
+ cipher = context[:encryption][:cipher_provider]
76
+ .decryption_cipher(
77
+ envelope,
78
+ kms_encryption_context: context[:encryption][:kms_encryption_context]
79
+ )
80
+ [cipher, envelope]
77
81
  else
78
82
  raise Errors::DecryptionError, "unable to locate encryption envelope"
79
83
  end
@@ -12,7 +12,7 @@ module Aws
12
12
 
13
13
  # @return [Array<Hash,Cipher>] Creates an returns a new encryption
14
14
  # envelope and encryption cipher.
15
- def encryption_cipher
15
+ def encryption_cipher(options = {})
16
16
  cipher = Utils.aes_encryption_cipher(:GCM)
17
17
  cek_alg = 'AES/GCM/NoPadding'
18
18
  if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
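Review bot: The new `options = {}` parameter on `encryption_cipher` is accepted and, in the lines shown, never read, so a `:kms_encryption_context` passed to a client built on this non-KMS provider is dropped without any signal to the caller. The method body continues past the hunk, so this is based only on the visible part; `decryption_cipher(envelope, options = {})` in the next hunk has the same shape. I would document the parameter on both methods, for example `# @param [Hash] options Accepted for interface parity with the KMS provider; ignored here.`, or name it `_options` to mark it as intentionally unused. If silently ignoring a supplied context is not intended, raising `ArgumentError` when `options[:kms_encryption_context]` is set would make the misconfiguration visible.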
@@ -36,15 +36,14 @@ module Aws
36
36
 
37
37
  # @return [Cipher] Given an encryption envelope, returns a
38
38
  # decryption cipher.
39
- def decryption_cipher(envelope)
39
+ def decryption_cipher(envelope, options = {})
40
+ master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
40
41
  if envelope.key? 'x-amz-key'
41
42
  # Support for decryption of legacy objects
42
- master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
43
43
  key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
44
44
  iv = decode64(envelope['x-amz-iv'])
45
45
  Utils.aes_decryption_cipher(:CBC, key, iv)
46
46
  else
47
- master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
48
47
  if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
49
48
  raise ArgumentError, 'Unsupported cek-alg: ' \
50
49
  "#{envelope['x-amz-cek-alg']}"
@@ -11,7 +11,10 @@ module Aws
11
11
  raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
12
12
  raise Aws::Errors::NonSupportedRubyVersionError, msg
13
13
  end
14
- envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
14
+ envelope, cipher = context[:encryption][:cipher_provider]
15
+ .encryption_cipher(
16
+ kms_encryption_context: context[:encryption][:kms_encryption_context]
17
+ )
15
18
  context[:encryption][:cipher] = cipher
16
19
  apply_encryption_envelope(context, envelope)
17
20
  apply_encryption_cipher(context, cipher)
@@ -7,7 +7,7 @@ module Aws
7
7
  # @param [OpenSSL::Cipher] cipher
8
8
  # @param [IO#write] io An IO-like object that responds to `#write`.
9
9
  def initialize(cipher, io)
10
- @cipher = cipher.clone
10
+ @cipher = cipher
11
11
  # Ensure that IO is reset between retries
12
12
  @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
13
13
  end
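Review bot: Dropping `.clone` means the encrypter now drives the caller's cipher object directly, while the comment on the next line says this constructor is expected to run again on retries. If a retry builds a new encrypter from the same cipher after it has already processed data, that cipher's internal state would carry over unless code outside this hunk resets or replaces it; I cannot confirm either way from here. A short comment on the assignment saying why the copy was removed and what guarantees a fresh cipher per attempt would settle it, e.g. `# Not cloned: caller must supply a fresh or reset cipher for each attempt.` if that is the contract.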
@@ -13,15 +13,13 @@ module Aws
13
13
 
14
14
  # @return [Array<Hash,Cipher>] Creates and returns a new encryption
15
15
  # envelope and encryption cipher.
16
- def encryption_cipher
16
+ def encryption_cipher(options = {})
17
17
  cek_alg = 'AES/GCM/NoPadding'
18
- encryption_context = {
19
- 'aws:x-amz-cek-alg' => cek_alg
20
- }
18
+ encryption_context = build_encryption_context(cek_alg, options)
21
19
  key_data = @kms_client.generate_data_key(
22
20
  key_id: @kms_key_id,
23
21
  encryption_context: encryption_context,
24
- key_spec: 'AES_256',
22
+ key_spec: 'AES_256'
25
23
  )
26
24
  cipher = Utils.aes_encryption_cipher(:GCM)
27
25
  cipher.key = key_data.plaintext
@@ -39,18 +37,27 @@ module Aws
39
37
 
40
38
  # @return [Cipher] Given an encryption envelope, returns a
41
39
  # decryption cipher.
42
- def decryption_cipher(envelope)
40
+ def decryption_cipher(envelope, options={})
43
41
  encryption_context = Json.load(envelope['x-amz-matdesc'])
44
- key = @kms_client.decrypt(
45
- ciphertext_blob: decode64(envelope['x-amz-key-v2']),
46
- encryption_context: encryption_context
47
- ).plaintext
48
42
  cek_alg = envelope['x-amz-wrap-alg'] == 'kms+context' ?
49
43
  encryption_context['aws:x-amz-cek-alg'] : envelope['x-amz-cek-alg']
50
44
  if cek_alg != envelope['x-amz-cek-alg']
51
45
  raise Errors::DecryptionError, 'Value of cek-alg from envelope'\
52
46
  ' does not match the value in the encryption context'
53
47
  end
48
+
49
+ if envelope['x-amz-wrap-alg'] == 'kms+context' &&
50
+ encryption_context != build_encryption_context(cek_alg, options)
51
+ raise Errors::DecryptionError, 'Value of encryption context from'\
52
+ ' envelope does not match the provided encryption context'
53
+ end
54
+
55
+ key = @kms_client.decrypt(
56
+ ciphertext_blob: decode64(envelope['x-amz-key-v2']),
57
+ encryption_context: encryption_context
58
+ ).plaintext
59
+
60
+
54
61
  iv = decode64(envelope['x-amz-iv'])
55
62
  block_mode =
56
63
  case cek_alg
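Review bot: The new context comparison runs only when `envelope['x-amz-wrap-alg'] == 'kms+context'`, and that value is read from the object's own envelope, so a caller-supplied `:kms_encryption_context` is never checked for an envelope that reports any other wrap algorithm. When the caller passed a context, an envelope that does not claim `kms+context` should be rejected rather than decrypted, for example `raise Errors::DecryptionError, 'encryption context provided but envelope is not kms+context' if options[:kms_encryption_context] && envelope['x-amz-wrap-alg'] != 'kms+context'`. In the `kms+context` branch the `decrypt` call could also send the locally built hash instead of the one parsed from `x-amz-matdesc`, so the request depends on the caller's expectation rather than on stored metadata. The method body continues past the hunk, and the two consecutive blank `+` lines before `iv = ...` can be reduced to one.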
@@ -70,6 +77,14 @@ module Aws
70
77
 
71
78
  private
72
79
 
80
+ def build_encryption_context(cek_alg, options = {})
81
+ kms_context = (options[:kms_encryption_context] || {})
82
+ .each_with_object({}) { |(k, v), h| h[k.to_s] = v }
83
+ {
84
+ 'aws:x-amz-cek-alg' => cek_alg
85
+ }.merge(kms_context)
86
+ end
87
+
73
88
  def encode64(str)
74
89
  Base64.encode64(str).split("\n") * ""
75
90
  end
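Review bot: In `build_encryption_context` the caller's hash is merged last, so a caller key named `aws:x-amz-cek-alg` replaces the reserved entry. Assuming the envelope stores this context as written, the cek-alg comparison in `decryption_cipher` would then reject the object on read. Rejecting the collision up front is clearer: `raise ArgumentError, 'aws:x-amz-cek-alg is reserved' if kms_context.key?('aws:x-amz-cek-alg')`. Keys are normalised with `to_s` but values are not, so a Symbol value would likely compare unequal to the String parsed back from the envelope on decrypt. Using `h[k.to_s] = v.to_s`, or rejecting non-String values, would avoid that.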
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-s3
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.69.0
4
+ version: 1.69.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-06-18 00:00:00.000000000 Z
11
+ date: 2020-06-22 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-kms