aws-sdk-s3 1.69.0 → 1.69.1
- checksums.yaml +4 -4
- data/lib/aws-sdk-s3.rb +1 -1
- data/lib/aws-sdk-s3/client.rb +1 -1
- data/lib/aws-sdk-s3/encryptionV2/client.rb +10 -0
- data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb +6 -2
- data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb +3 -4
- data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb +4 -1
- data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb +1 -1
- data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +25 -10
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 71499a1c36cb061a8fb6b48a61fba9eec3985149a0e3effb810f8bf45e89f8db
|
4
|
+
data.tar.gz: 05e2a7de980f2c579b09688d1301326ce8a5df60bb9f3487a0ff21486afb58e6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 522caf62fdf5130b9e8f19da2c06841074ea7da04c15c9e2731992cadc9fcd7372a0705db07902bd672ea48d7b47703876f0f679c402330f13fb33120f6e4478
|
7
|
+
data.tar.gz: 977b14327746226f9abb50cc7984f23abfa6526b6a3b10360c5e1827d4b38166c827290ca416e109a58bebf5debecdb4effc7dbc316c22e921a004720cad8e63
|
data/lib/aws-sdk-s3.rb
CHANGED
data/lib/aws-sdk-s3/client.rb
CHANGED
@@ -11670,7 +11670,7 @@ module Aws::S3
|
|
11670
11670
|
params: params,
|
11671
11671
|
config: config)
|
11672
11672
|
context[:gem_name] = 'aws-sdk-s3'
|
11673
|
-
context[:gem_version] = '1.69.
|
11673
|
+
context[:gem_version] = '1.69.1'
|
11674
11674
|
Seahorse::Client::Request.new(handlers, context)
|
11675
11675
|
end
|
11676
11676
|
|
@@ -252,16 +252,22 @@ module Aws
|
|
252
252
|
# Uploads an object to Amazon S3, encrypting data client-side.
|
253
253
|
# See {S3::Client#put_object} for documentation on accepted
|
254
254
|
# request parameters.
|
255
|
+
# @option params [Hash] :kms_encryption_context Additional encryption
|
256
|
+
# context to use with KMS. Applies only when KMS is used. In order
|
257
|
+
# to decrypt the object you will need to provide the identical
|
258
|
+
# :kms_encryption_context to `get_object`.
|
255
259
|
# @option (see S3::Client#put_object)
|
256
260
|
# @return (see S3::Client#put_object)
|
257
261
|
# @see S3::Client#put_object
|
258
262
|
def put_object(params = {})
|
263
|
+
kms_encryption_context = params.delete(:kms_encryption_context)
|
259
264
|
req = @client.build_request(:put_object, params)
|
260
265
|
req.handlers.add(EncryptHandler, priority: 95)
|
261
266
|
req.context[:encryption] = {
|
262
267
|
cipher_provider: @cipher_provider,
|
263
268
|
envelope_location: @envelope_location,
|
264
269
|
instruction_file_suffix: @instruction_file_suffix,
|
270
|
+
kms_encryption_context: kms_encryption_context
|
265
271
|
}
|
266
272
|
req.send_request
|
267
273
|
end
|
@@ -274,6 +280,8 @@ module Aws
|
|
274
280
|
# envelope. You should not set this option when the envelope
|
275
281
|
# is stored in the object metadata. Defaults to
|
276
282
|
# {#instruction_file_suffix}.
|
283
|
+
# @option params [Hash] :kms_encryption_context Additional encryption
|
284
|
+
# context to use with KMS. Applies only when KMS is used.
|
277
285
|
# @option params [String] :instruction_file_suffix
|
278
286
|
# @option (see S3::Client#get_object)
|
279
287
|
# @return (see S3::Client#get_object)
|
@@ -284,12 +292,14 @@ module Aws
|
|
284
292
|
raise NotImplementedError, '#get_object with :range not supported'
|
285
293
|
end
|
286
294
|
envelope_location, instruction_file_suffix = envelope_options(params)
|
295
|
+
kms_encryption_context = params.delete(:kms_encryption_context)
|
287
296
|
req = @client.build_request(:get_object, params)
|
288
297
|
req.handlers.add(DecryptHandler)
|
289
298
|
req.context[:encryption] = {
|
290
299
|
cipher_provider: @cipher_provider,
|
291
300
|
envelope_location: envelope_location,
|
292
301
|
instruction_file_suffix: instruction_file_suffix,
|
302
|
+
kms_encryption_context: kms_encryption_context
|
293
303
|
}
|
294
304
|
req.send_request(target: block)
|
295
305
|
end
|
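Review bot: `kms_encryption_context = params.delete(:kms_encryption_context)` at the top of `put_object` (and again in `get_object`) mutates the hash the caller handed in, so a caller that reuses one params hash across calls silently loses the context on the second call, and a frozen hash raises. Copying first, `params = params.dup` on the line before the delete, keeps the SDK convention that request params are not modified. The `:kms_encryption_context` doc added to `get_object` says only that it applies when KMS is used; judging by the KmsCipherProvider change in this release, a value that differs from the one given at put time now raises `Errors::DecryptionError`, which is worth stating there, e.g. `# Must equal the context supplied to put_object; a mismatch raises Errors::DecryptionError.`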
@@ -72,8 +72,12 @@ module Aws
|
|
72
72
|
|
73
73
|
def decryption_cipher(context)
|
74
74
|
if envelope = get_encryption_envelope(context)
|
75
|
-
|
76
|
-
|
75
|
+
cipher = context[:encryption][:cipher_provider]
|
76
|
+
.decryption_cipher(
|
77
|
+
envelope,
|
78
|
+
kms_encryption_context: context[:encryption][:kms_encryption_context]
|
79
|
+
)
|
80
|
+
[cipher, envelope]
|
77
81
|
else
|
78
82
|
raise Errors::DecryptionError, "unable to locate encryption envelope"
|
79
83
|
end
|
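Review bot: The provider is now invoked as `.decryption_cipher(envelope, kms_encryption_context: ...)`; DefaultCipherProvider and KmsCipherProvider are widened to `(envelope, options = {})` in this same release, but any other object installed as `:cipher_provider` that still defines `decryption_cipher(envelope)` will raise ArgumentError on every decrypt, so if custom providers are supported (I cannot tell from this diff) this deserves a changelog line or an arity check. The same applies to the `.encryption_cipher(` call in encrypt_handler.rb. As a matter of style the four-line leading-dot chain reads more plainly as `provider = context[:encryption][:cipher_provider]`, `kms_context = context[:encryption][:kms_encryption_context]`, `cipher = provider.decryption_cipher(envelope, kms_encryption_context: kms_context)`. The enclosing method's closing `end` lies outside this hunk.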
@@ -12,7 +12,7 @@ module Aws
|
|
12
12
|
|
13
13
|
# @return [Array<Hash,Cipher>] Creates an returns a new encryption
|
14
14
|
# envelope and encryption cipher.
|
15
|
-
def encryption_cipher
|
15
|
+
def encryption_cipher(options = {})
|
16
16
|
cipher = Utils.aes_encryption_cipher(:GCM)
|
17
17
|
cek_alg = 'AES/GCM/NoPadding'
|
18
18
|
if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
|
@@ -36,15 +36,14 @@ module Aws
|
|
36
36
|
|
37
37
|
# @return [Cipher] Given an encryption envelope, returns a
|
38
38
|
# decryption cipher.
|
39
|
-
def decryption_cipher(envelope)
|
39
|
+
def decryption_cipher(envelope, options = {})
|
40
|
+
master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
|
40
41
|
if envelope.key? 'x-amz-key'
|
41
42
|
# Support for decryption of legacy objects
|
42
|
-
master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
|
43
43
|
key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
|
44
44
|
iv = decode64(envelope['x-amz-iv'])
|
45
45
|
Utils.aes_decryption_cipher(:CBC, key, iv)
|
46
46
|
else
|
47
|
-
master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
|
48
47
|
if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
|
49
48
|
raise ArgumentError, 'Unsupported cek-alg: ' \
|
50
49
|
"#{envelope['x-amz-cek-alg']}"
|
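Review bot: `options` is accepted by both `encryption_cipher(options = {})` and `decryption_cipher(envelope, options = {})` but never read, so a `:kms_encryption_context` supplied to a client configured with a local RSA or AES master key is silently dropped and the caller may wrongly believe the context is bound to the object. Renaming the parameter to `_options` and documenting it, `# @param [Hash] _options Ignored; :kms_encryption_context is honored only by KmsCipherProvider.`, makes that visible; rejecting a non-empty `:kms_encryption_context` with `ArgumentError` would surface the misconfiguration at put time instead. Hoisting `master_key = @key_provider.key_for(...)` above the branch removes the duplicated lookup and is fine as long as `key_for` has no side effects that differ between the legacy and GCM paths.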
@@ -11,7 +11,10 @@ module Aws
|
|
11
11
|
raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
|
12
12
|
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
13
13
|
end
|
14
|
-
envelope, cipher = context[:encryption][:cipher_provider]
|
14
|
+
envelope, cipher = context[:encryption][:cipher_provider]
|
15
|
+
.encryption_cipher(
|
16
|
+
kms_encryption_context: context[:encryption][:kms_encryption_context]
|
17
|
+
)
|
15
18
|
context[:encryption][:cipher] = cipher
|
16
19
|
apply_encryption_envelope(context, envelope)
|
17
20
|
apply_encryption_cipher(context, cipher)
|
@@ -7,7 +7,7 @@ module Aws
|
|
7
7
|
# @param [OpenSSL::Cipher] cipher
|
8
8
|
# @param [IO#write] io An IO-like object that responds to `#write`.
|
9
9
|
def initialize(cipher, io)
|
10
|
-
@cipher = cipher
|
10
|
+
@cipher = cipher
|
11
11
|
# Ensure that IO is reset between retries
|
12
12
|
@io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
|
13
13
|
end
|
@@ -13,15 +13,13 @@ module Aws
|
|
13
13
|
|
14
14
|
# @return [Array<Hash,Cipher>] Creates and returns a new encryption
|
15
15
|
# envelope and encryption cipher.
|
16
|
-
def encryption_cipher
|
16
|
+
def encryption_cipher(options = {})
|
17
17
|
cek_alg = 'AES/GCM/NoPadding'
|
18
|
-
encryption_context =
|
19
|
-
'aws:x-amz-cek-alg' => cek_alg
|
20
|
-
}
|
18
|
+
encryption_context = build_encryption_context(cek_alg, options)
|
21
19
|
key_data = @kms_client.generate_data_key(
|
22
20
|
key_id: @kms_key_id,
|
23
21
|
encryption_context: encryption_context,
|
24
|
-
key_spec: 'AES_256'
|
22
|
+
key_spec: 'AES_256'
|
25
23
|
)
|
26
24
|
cipher = Utils.aes_encryption_cipher(:GCM)
|
27
25
|
cipher.key = key_data.plaintext
|
@@ -39,18 +37,27 @@ module Aws
|
|
39
37
|
|
40
38
|
# @return [Cipher] Given an encryption envelope, returns a
|
41
39
|
# decryption cipher.
|
42
|
-
def decryption_cipher(envelope)
|
40
|
+
def decryption_cipher(envelope, options={})
|
43
41
|
encryption_context = Json.load(envelope['x-amz-matdesc'])
|
44
|
-
key = @kms_client.decrypt(
|
45
|
-
ciphertext_blob: decode64(envelope['x-amz-key-v2']),
|
46
|
-
encryption_context: encryption_context
|
47
|
-
).plaintext
|
48
42
|
cek_alg = envelope['x-amz-wrap-alg'] == 'kms+context' ?
|
49
43
|
encryption_context['aws:x-amz-cek-alg'] : envelope['x-amz-cek-alg']
|
50
44
|
if cek_alg != envelope['x-amz-cek-alg']
|
51
45
|
raise Errors::DecryptionError, 'Value of cek-alg from envelope'\
|
52
46
|
' does not match the value in the encryption context'
|
53
47
|
end
|
48
|
+
|
49
|
+
if envelope['x-amz-wrap-alg'] == 'kms+context' &&
|
50
|
+
encryption_context != build_encryption_context(cek_alg, options)
|
51
|
+
raise Errors::DecryptionError, 'Value of encryption context from'\
|
52
|
+
' envelope does not match the provided encryption context'
|
53
|
+
end
|
54
|
+
|
55
|
+
key = @kms_client.decrypt(
|
56
|
+
ciphertext_blob: decode64(envelope['x-amz-key-v2']),
|
57
|
+
encryption_context: encryption_context
|
58
|
+
).plaintext
|
59
|
+
|
60
|
+
|
54
61
|
iv = decode64(envelope['x-amz-iv'])
|
55
62
|
block_mode =
|
56
63
|
case cek_alg
|
@@ -70,6 +77,14 @@ module Aws
|
|
70
77
|
|
71
78
|
private
|
72
79
|
|
80
|
+
def build_encryption_context(cek_alg, options = {})
|
81
|
+
kms_context = (options[:kms_encryption_context] || {})
|
82
|
+
.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
|
83
|
+
{
|
84
|
+
'aws:x-amz-cek-alg' => cek_alg
|
85
|
+
}.merge(kms_context)
|
86
|
+
end
|
87
|
+
|
73
88
|
def encode64(str)
|
74
89
|
Base64.encode64(str).split("\n") * ""
|
75
90
|
end
|
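Review bot: `build_encryption_context` merges the caller's `:kms_encryption_context` on top of `'aws:x-amz-cek-alg'`, so a caller that includes that key overrides the SDK-controlled value; the object is then stored with a matdesc whose `aws:x-amz-cek-alg` disagrees with `x-amz-cek-alg`, which the existing check near the top of `decryption_cipher` rejects on every later read. The helper also stringifies only keys (`h[k.to_s] = v`) while `Json.load(envelope['x-amz-matdesc'])` yields string values, so a non-string value supplied at get time never compares equal to the stored context even though it would be the same context KMS sees; stringifying values as well makes the new mismatch check compare like with like. That check only runs for `kms+context` envelopes, so for legacy `kms`-wrapped objects a supplied context is ignored rather than enforced, which the `get_object` docs could say in one line. Minor: `options={}` in the `decryption_cipher` signature lacks the spaces used in `encryption_cipher(options = {})`.
```ruby
def build_encryption_context(cek_alg, options = {})
  kms_context = (options[:kms_encryption_context] || {})
    .each_with_object({}) { |(k, v), h| h[k.to_s] = v.to_s }
  if kms_context.key?('aws:x-amz-cek-alg')
    raise ArgumentError, ':kms_encryption_context may not set the reserved key aws:x-amz-cek-alg'
  end
  { 'aws:x-amz-cek-alg' => cek_alg }.merge(kms_context)
end
```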
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws-sdk-s3
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.69.
|
4
|
+
version: 1.69.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Amazon Web Services
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-06-
|
11
|
+
date: 2020-06-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-kms
|