aws-sdk-s3 1.75.0 → 1.76.0

data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 
 module Aws
@@ -5,6 +7,7 @@ module Aws
     module EncryptionV2
       # @api private
       class DecryptHandler < Seahorse::Client::Handler
+        @@warned_response_target_proc = false
 
         V1_ENVELOPE_KEYS = %w(
           x-amz-key
@@ -38,9 +41,22 @@ module Aws
           AES/CBC/PKCS7Padding
         )
 
+        AUTH_REQUIRED_CEK_ALGS = %w(AES/GCM/NoPadding)
+
         def call(context)
           attach_http_event_listeners(context)
           apply_cse_user_agent(context)
+
+          if context[:response_target].is_a?(Proc) && !@@warned_response_target_proc
+            @@warned_response_target_proc = true
+            warn(':response_target is a Proc, or a block was provided. ' \
+              'Read the entire object to the ' \
+              'end before you start using the decrypted data. This is to ' \
+              'verify that the object has not been modified since it ' \
+              'was encrypted.')
+
+          end
+
           @handler.call(context)
         end
 
@@ -71,11 +87,11 @@ module Aws
         end
 
         def decryption_cipher(context)
-          if envelope = get_encryption_envelope(context)
+          if (envelope = get_encryption_envelope(context))
             cipher = context[:encryption][:cipher_provider]
              .decryption_cipher(
                envelope,
-               kms_encryption_context: context[:encryption][:kms_encryption_context]
+               context[:encryption]
              )
             [cipher, envelope]
           else
@@ -145,10 +161,6 @@ module Aws
           envelope
         end
 
-        # When the x-amz-meta-x-amz-tag-len header is present, it indicates
-        # that the body of this object has a trailing auth tag. The header
-        # indicates the length of that tag.
-        #
         # This method fetches the tag from the end of the object by
         # making a GET Object w/range request. This auth tag is used
         # to initialize the cipher, and the decrypter truncates the
@@ -160,8 +172,7 @@ module Aws
           end
           http_resp = context.http_response
           content_length = http_resp.headers['content-length'].to_i
-          auth_tag_length = envelope['x-amz-tag-len']
-          auth_tag_length = auth_tag_length.to_i / 8
+          auth_tag_length = auth_tag_length(envelope)
 
           auth_tag = context.client.get_object(
             bucket: context.params[:bucket],
@@ -181,14 +192,31 @@ module Aws
         end
 
         def body_contains_auth_tag?(envelope)
-          envelope.include? 'x-amz-tag-len'
+          AUTH_REQUIRED_CEK_ALGS.include?(envelope['x-amz-cek-alg'])
+        end
+
+        # Determine the auth tag length from the algorithm
+        # Validate it against the value provided in the x-amz-tag-len
+        # Return the tag length in bytes
+        def auth_tag_length(envelope)
+          tag_length =
+            case envelope['x-amz-cek-alg']
+            when 'AES/GCM/NoPadding' then AES_GCM_TAG_LEN_BYTES
+            else
+              raise ArgumentError, 'Unsupported cek-alg: ' \
+                "#{envelope['x-amz-cek-alg']}"
+            end
+          if (tag_length * 8) != envelope['x-amz-tag-len'].to_i
+            raise Errors::DecryptionError, 'x-amz-tag-len does not match expected'
+          end
+          tag_length
         end
 
         def apply_cse_user_agent(context)
           if context.config.user_agent_suffix.nil?
-            context.config.user_agent_suffix = 'CSE_V2'
-          elsif !context.config.user_agent_suffix.include? 'CSE_V2'
-            context.config.user_agent_suffix += ' CSE_V2'
+            context.config.user_agent_suffix = EC_USER_AGENT
+          elsif !context.config.user_agent_suffix.include? EC_USER_AGENT
+            context.config.user_agent_suffix += " #{EC_USER_AGENT}"
           end
         end
 

data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 
 module Aws
@@ -8,27 +10,36 @@ module Aws
 
         def initialize(options = {})
           @key_provider = options[:key_provider]
+          @key_wrap_schema = validate_key_wrap(
+            options[:key_wrap_schema],
+            @key_provider.encryption_materials.key
+          )
+          @content_encryption_schema = validate_cek(
+            options[:content_encryption_schema]
+          )
         end
 
         # @return [Array<Hash,Cipher>] Creates an returns a new encryption
         #   envelope and encryption cipher.
         def encryption_cipher(options = {})
+          validate_options(options)
           cipher = Utils.aes_encryption_cipher(:GCM)
-          cek_alg = 'AES/GCM/NoPadding'
           if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
-            wrap_alg = 'RSA-OAEP-SHA1'
-            enc_key = encode64(encrypt_rsa(envelope_key(cipher), cek_alg))
+            enc_key = encode64(
+              encrypt_rsa(envelope_key(cipher), @content_encryption_schema)
+            )
           else
-            wrap_alg = 'AES/GCM'
-            enc_key = encode64(encrypt_aes_gcm(envelope_key(cipher), cek_alg))
+            enc_key = encode64(
+              encrypt_aes_gcm(envelope_key(cipher), @content_encryption_schema)
+            )
           end
           envelope = {
             'x-amz-key-v2' => enc_key,
-            'x-amz-cek-alg' => cek_alg,
-            'x-amz-tag-len' => 16 * 8,
-            'x-amz-wrap-alg' => wrap_alg,
+            'x-amz-cek-alg' => @content_encryption_schema,
+            'x-amz-tag-len' => (AES_GCM_TAG_LEN_BYTES * 8).to_s,
+            'x-amz-wrap-alg' => @key_wrap_schema,
             'x-amz-iv' => encode64(envelope_iv(cipher)),
-            'x-amz-matdesc' => materials_description,
+            'x-amz-matdesc' => materials_description
           }
           cipher.auth_data = '' # auth_data must be set after key and iv
           [envelope, cipher]
@@ -37,8 +48,12 @@ module Aws
         # @return [Cipher] Given an encryption envelope, returns a
         #   decryption cipher.
         def decryption_cipher(envelope, options = {})
+          validate_options(options)
           master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
           if envelope.key? 'x-amz-key'
+            unless options[:security_profile] == :v2_and_legacy
+              raise Errors::LegacyDecryptionError
+            end
             # Support for decryption of legacy objects
             key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
             iv = decode64(envelope['x-amz-iv'])
@@ -51,13 +66,26 @@ module Aws
             key =
               case envelope['x-amz-wrap-alg']
               when 'AES/GCM'
+                if master_key.is_a? OpenSSL::PKey::RSA
+                  raise ArgumentError, 'Key mismatch - Client is configured' \
+                    ' with an RSA key and the x-amz-wrap-alg is AES/GCM.'
+                end
                 Utils.decrypt_aes_gcm(master_key,
                                     decode64(envelope['x-amz-key-v2']),
                                     envelope['x-amz-cek-alg'])
               when 'RSA-OAEP-SHA1'
+                unless master_key.is_a? OpenSSL::PKey::RSA
+                  raise ArgumentError, 'Key mismatch - Client is configured' \
+                    ' with an AES key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
+                end
                 key, cek_alg = Utils.decrypt_rsa(master_key, decode64(envelope['x-amz-key-v2']))
-                raise Errors::DecryptionError unless cek_alg == envelope['x-amz-cek-alg']
+                raise Errors::CEKAlgMismatchError unless cek_alg == envelope['x-amz-cek-alg']
                 key
+              when 'kms+context'
+                raise ArgumentError, 'Key mismatch - Client is configured' \
+                    ' with a user provided key and the x-amz-wrap-alg is' \
+                    ' kms+context.  Please configure the client with the' \
+                    ' required kms_key_id'
               else
               raise ArgumentError, 'Unsupported wrap-alg: ' \
                 "#{envelope['x-amz-wrap-alg']}"
@@ -69,6 +97,39 @@ module Aws
 
         private
 
+        # Validate that the key_wrap_schema
+        # is valid, supported and matches the provided key.
+        # Returns the string version for the x-amz-key-wrap-alg
+        def validate_key_wrap(key_wrap_schema, key)
+          if key.is_a? OpenSSL::PKey::RSA
+            unless key_wrap_schema == :rsa_oaep_sha1
+              raise ArgumentError, ':key_wrap_schema must be set to :rsa_oaep_sha1 for RSA keys.'
+            end
+          else
+            unless key_wrap_schema == :aes_gcm
+              raise ArgumentError, ':key_wrap_schema must be set to :aes_gcm for AES keys.'
+            end
+          end
+
+          case key_wrap_schema
+          when :rsa_oaep_sha1 then 'RSA-OAEP-SHA1'
+          when :aes_gcm then 'AES/GCM'
+          when :kms_context
+            raise ArgumentError, 'A kms_key_id is required when using :kms_context.'
+          else
+            raise ArgumentError, "Unsupported key_wrap_schema: #{key_wrap_schema}"
+          end
+        end
+
+        def validate_cek(content_encryption_schema)
+          case content_encryption_schema
+          when :aes_gcm_no_padding
+            "AES/GCM/NoPadding"
+          else
+            raise ArgumentError, "Unsupported content_encryption_schema: #{content_encryption_schema}"
+          end
+        end
+
         def envelope_key(cipher)
           cipher.key = cipher.random_key
         end
@@ -97,6 +158,12 @@ module Aws
           Base64.decode64(str)
         end
 
+        def validate_options(options)
+          if !options[:kms_encryption_context].nil?
+            raise ArgumentError, 'Cannot provide :kms_encryption_context ' \
+            'with non KMS client.'
+          end
+        end
       end
     end
   end

data/lib/aws-sdk-s3/encryptionV2/default_key_provider.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module S3
     module EncryptionV2

data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 
 module Aws
@@ -45,7 +47,8 @@ module Aws
           context.params[:metadata] ||= {}
           context.params[:metadata]['x-amz-unencrypted-content-length'] = io.size
           if context.params.delete(:content_md5)
-            raise ArgumentError, 'content_md5 is not supported'
+            raise ArgumentError, 'Setting content_md5 on client side '\
+              'encrypted objects is deprecated.'
           end
           context.http_response.on_headers do
             context.params[:body].close
@@ -54,9 +57,9 @@ module Aws
 
         def apply_cse_user_agent(context)
           if context.config.user_agent_suffix.nil?
-            context.config.user_agent_suffix = 'CSE_V2'
-          elsif !context.config.user_agent_suffix.include? 'CSE_V2'
-            context.config.user_agent_suffix += ' CSE_V2'
+            context.config.user_agent_suffix = EC_USER_AGENT
+          elsif !context.config.user_agent_suffix.include? EC_USER_AGENT
+            context.config.user_agent_suffix += " #{EC_USER_AGENT}"
           end
         end
 

data/lib/aws-sdk-s3/encryptionV2/errors.rb

@@ -1,12 +1,36 @@
+# frozen_string_literal: true
+
 module Aws
   module S3
     module EncryptionV2
       module Errors
 
+        # Generic DecryptionError
         class DecryptionError < RuntimeError; end
 
         class EncryptionError < RuntimeError; end
 
+        # Raised when attempting to decrypt a legacy (V1) encrypted object
+        # when using a security_profile that does not support it.
+        class LegacyDecryptionError < DecryptionError
+          def initialize(*args)
+            msg = 'The requested object is ' \
+              'encrypted with V1 encryption schemas that have been disabled ' \
+              'by client configuration security_profile = :v2. Retry with ' \
+              ':v2_and_legacy or re-encrypt the object.'
+            super(msg)
+          end
+        end
+
+        class CEKAlgMismatchError < DecryptionError
+          def initialize(*args)
+            msg = 'The content encryption algorithm used at encryption time ' \
+              'does not match the algorithm stored for decryption time. ' \
+              'The object may be altered or corrupted.'
+            super(msg)
+          end
+        end
+
       end
     end
   end

data/lib/aws-sdk-s3/encryptionV2/io_auth_decrypter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module S3
     module EncryptionV2

data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module S3
     module EncryptionV2

data/lib/aws-sdk-s3/encryptionV2/io_encrypter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'stringio'
 require 'tempfile'
 

data/lib/aws-sdk-s3/encryptionV2/key_provider.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module S3
     module EncryptionV2

data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'base64'
 
 module Aws
@@ -7,15 +9,21 @@ module Aws
       class KmsCipherProvider
 
         def initialize(options = {})
-          @kms_key_id = options[:kms_key_id]
+          @kms_key_id = validate_kms_key(options[:kms_key_id])
           @kms_client = options[:kms_client]
+          @key_wrap_schema = validate_key_wrap(
+            options[:key_wrap_schema]
+          )
+          @content_encryption_schema = validate_cek(
+            options[:content_encryption_schema]
+          )
         end
 
         # @return [Array<Hash,Cipher>] Creates and returns a new encryption
         #   envelope and encryption cipher.
         def encryption_cipher(options = {})
-          cek_alg = 'AES/GCM/NoPadding'
-          encryption_context = build_encryption_context(cek_alg, options)
+          validate_key_for_encryption
+          encryption_context = build_encryption_context(@content_encryption_schema, options)
           key_data = @kms_client.generate_data_key(
             key_id: @kms_key_id,
             encryption_context: encryption_context,
@@ -26,9 +34,9 @@ module Aws
           envelope = {
             'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
             'x-amz-iv' => encode64(cipher.iv = cipher.random_iv),
-            'x-amz-cek-alg' => cek_alg,
-            'x-amz-tag-len' => 16 * 8,
-            'x-amz-wrap-alg' => 'kms+context',
+            'x-amz-cek-alg' => @content_encryption_schema,
+            'x-amz-tag-len' => (AES_GCM_TAG_LEN_BYTES * 8).to_s,
+            'x-amz-wrap-alg' => @key_wrap_schema,
             'x-amz-matdesc' => Json.dump(encryption_context)
           }
           cipher.auth_data = '' # auth_data must be set after key and iv
@@ -37,27 +45,45 @@ module Aws
 
         # @return [Cipher] Given an encryption envelope, returns a
         #   decryption cipher.
-        def decryption_cipher(envelope, options={})
+        def decryption_cipher(envelope, options = {})
           encryption_context = Json.load(envelope['x-amz-matdesc'])
-          cek_alg = envelope['x-amz-wrap-alg'] == 'kms+context' ?
-            encryption_context['aws:x-amz-cek-alg'] : envelope['x-amz-cek-alg']
-          if cek_alg != envelope['x-amz-cek-alg']
-            raise Errors::DecryptionError, 'Value of cek-alg from envelope'\
-              ' does not match the value in the encryption context'
-          end
+          cek_alg = envelope['x-amz-cek-alg']
+
+          case envelope['x-amz-wrap-alg']
+          when 'kms'
+            unless options[:security_profile] == :v2_and_legacy
+              raise Errors::LegacyDecryptionError
+            end
+          when 'kms+context'
+            if cek_alg != encryption_context['aws:x-amz-cek-alg']
+              raise Errors::CEKAlgMismatchError
+            end
 
-          if envelope['x-amz-wrap-alg'] == 'kms+context' &&
-            encryption_context != build_encryption_context(cek_alg, options)
-            raise Errors::DecryptionError, 'Value of encryption context from'\
-              ' envelope does not match the provided encryption context'
+            if encryption_context != build_encryption_context(cek_alg, options)
+              raise Errors::DecryptionError, 'Value of encryption context from'\
+                ' envelope does not match the provided encryption context'
+            end
+          when 'AES/GCM'
+            raise ArgumentError, 'Key mismatch - Client is configured' \
+                    ' with a KMS key and the x-amz-wrap-alg is AES/GCM.'
+          when 'RSA-OAEP-SHA1'
+            raise ArgumentError, 'Key mismatch - Client is configured' \
+                    ' with a KMS key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
+          else
+            raise ArgumentError, 'Unsupported wrap-alg: ' \
+                "#{envelope['x-amz-wrap-alg']}"
           end
 
-          key = @kms_client.decrypt(
+          any_cmk_mode = false || options[:kms_allow_decrypt_with_any_cmk]
+          decrypt_options = {
             ciphertext_blob: decode64(envelope['x-amz-key-v2']),
             encryption_context: encryption_context
-          ).plaintext
-
+          }
+          unless any_cmk_mode
+            decrypt_options[:key_id] = @kms_key_id
+          end
 
+          key = @kms_client.decrypt(decrypt_options).plaintext
           iv = decode64(envelope['x-amz-iv'])
           block_mode =
             case cek_alg
@@ -77,9 +103,46 @@ module Aws
 
         private
 
+        def validate_key_wrap(key_wrap_schema)
+          case key_wrap_schema
+          when :kms_context then 'kms+context'
+          else
+            raise ArgumentError, "Unsupported key_wrap_schema: #{key_wrap_schema}"
+          end
+        end
+
+        def validate_cek(content_encryption_schema)
+          case content_encryption_schema
+          when :aes_gcm_no_padding
+            "AES/GCM/NoPadding"
+          else
+            raise ArgumentError, "Unsupported content_encryption_schema: #{content_encryption_schema}"
+          end
+        end
+
+        def validate_kms_key(kms_key_id)
+          if kms_key_id.nil? || kms_key_id.length.zero?
+            raise ArgumentError, 'KMS CMK ID was not specified. ' \
+              'Please specify a CMK ID, ' \
+              'or set kms_key_id: :kms_allow_decrypt_with_any_cmk to use ' \
+              'any valid CMK from the object.'
+          end
+
+          if kms_key_id.is_a?(Symbol) && kms_key_id != :kms_allow_decrypt_with_any_cmk
+            raise ArgumentError, 'kms_key_id must be a valid KMS CMK or be ' \
+              'set to :kms_allow_decrypt_with_any_cmk'
+          end
+          kms_key_id
+        end
+
         def build_encryption_context(cek_alg, options = {})
           kms_context = (options[:kms_encryption_context] || {})
             .each_with_object({}) { |(k, v), h| h[k.to_s] = v }
+          if kms_context.include? 'aws:x-amz-cek-alg'
+            raise ArgumentError, 'Conflict in reserved KMS Encryption Context ' \
+              'key aws:x-amz-cek-alg. This value is reserved for the S3 ' \
+              'Encryption Client and cannot be set by the user.'
+          end
           {
             'aws:x-amz-cek-alg' => cek_alg
           }.merge(kms_context)
@@ -93,6 +156,13 @@ module Aws
           Base64.decode64(str)
         end
 
+        def validate_key_for_encryption
+          if @kms_key_id == :kms_allow_decrypt_with_any_cmk
+            raise ArgumentError, 'Unable to encrypt/write objects with '\
+              'kms_key_id = :kms_allow_decrypt_with_any_cmk.  Provide ' \
+              'a valid kms_key_id on client construction.'
+          end
+        end
       end
     end
   end