Sha256: 3e07f380eb8886e77f256b997a4def0ec2bed320adcee1aad84d6b0587cbd89b

Contents?: true

Size: 1.76 KB

Versions: 78

Compression:

Stored size: 1.76 KB

Contents

require 'base64'

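module Aws
  module S3
    module Encryption
      # Builds the AES/CBC ciphers used for S3 client-side encryption when
      # the content encryption key is generated and wrapped by a KMS client.
      #
      # Security notes for maintainers:
      #
      # * The content cipher is AES/CBC/PKCS5Padding. CBC gives
      #   confidentiality only; nothing in this class authenticates the
      #   ciphertext, so tampering is not detected here.
      # * {#decryption_cipher} uses the envelope it is handed as-is. This
      #   class performs no validation of the envelope fields.
      #
      # @api private
      class KmsCipherProvider

        # @param [Hash] options
        # @option options [String] :kms_key_id Key identifier passed to
        #   `generate_data_key` and recorded in the encryption context.
        # @option options [Object] :kms_client Client that must respond to
        #   `generate_data_key` and `decrypt`.
        def initialize(options = {})
          @kms_key_id = options[:kms_key_id]
          @kms_client = options[:kms_client]
        end

        # Creates and returns a new encryption envelope and encryption
        # cipher. A fresh data key is requested from the KMS client and a
        # fresh random IV is generated on every call.
        #
        # @return [Array<Hash,Cipher>] `[envelope, cipher]`
        def encryption_cipher
          # The same context must be presented again on decrypt; it is
          # serialized into the envelope under 'x-amz-matdesc' below.
          encryption_context = { "kms_cmk_id" => @kms_key_id }
          key_data = @kms_client.generate_data_key(
            key_id: @kms_key_id,
            encryption_context: encryption_context,
            key_spec: 'AES_256',
          )
          cipher = Utils.aes_encryption_cipher(:CBC)
          # Plaintext data key: keep it in memory only. Only the wrapped
          # form (ciphertext_blob) is written into the envelope.
          cipher.key = key_data.plaintext
          iv = cipher.random_iv
          cipher.iv = iv
          envelope = {
            'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
            'x-amz-iv' => encode64(iv),
            'x-amz-cek-alg' => 'AES/CBC/PKCS5Padding',
            'x-amz-wrap-alg' => 'kms',
            'x-amz-matdesc' => Json.dump(encryption_context)
          }
          [envelope, cipher]
        end

        # Given an encryption envelope, returns a decryption cipher. The
        # wrapped key in 'x-amz-key-v2' is unwrapped through the KMS client
        # using the encryption context parsed from 'x-amz-matdesc'.
        #
        # NOTE(review): 'x-amz-wrap-alg' and 'x-amz-cek-alg' are not examined
        # here, and the decrypt call is neither restricted to nor compared
        # with @kms_key_id. Confirm the caller validates the envelope, and
        # consider checking the `key_id` of the decrypt response against the
        # configured key so an envelope wrapped under a different key is
        # rejected.
        #
        # @param [Hash] envelope String-keyed envelope as produced by
        #   {#encryption_cipher}.
        # @return [Cipher]
        def decryption_cipher(envelope)
          # Context comes from the envelope, not from local configuration.
          encryption_context = Json.load(envelope['x-amz-matdesc'])
          key = @kms_client.decrypt(
            ciphertext_blob: decode64(envelope['x-amz-key-v2']),
            encryption_context: encryption_context,
          ).plaintext
          iv = decode64(envelope['x-amz-iv'])
          Utils.aes_decryption_cipher(:CBC, key, iv)
        end

        private

        # Base64-encodes +str+ on a single line. `strict_encode64` emits no
        # line feeds, so the value is safe to place in a header-style field
        # without stripping newlines afterwards.
        def encode64(str)
          Base64.strict_encode64(str)
        end

        # Lenient Base64 decode: `Base64.decode64` skips characters outside
        # the alphabet instead of raising, so malformed envelope values are
        # not rejected at this point.
        def decode64(str)
          Base64.decode64(str)
        end

      end
    end
  end
end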

Version data entries

78 entries across 78 versions & 1 rubygems

Version Path
aws-sdk-resources-2.3.12 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.11 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.10 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.9 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.8 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.7 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.6 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.5 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.4 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.3 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.2 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.1 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.3.0 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.2.37 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.2.36 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.2.35 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.2.34 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.2.33 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.2.32 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
aws-sdk-resources-2.2.31 lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb