class Aws::S3::Encryption::DefaultCipherProvider

@api private

Public Class Methods

new(options = {})
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 11
# Stores the key provider that every other method in this class reads.
#
# @param options [Hash]
# @option options [Object] :key_provider the object later asked for
#   `key_for(matdesc)` and `encryption_materials`. It is not validated
#   here; a missing entry leaves @key_provider nil.
def initialize(options = {})
  provider = options[:key_provider]
  @key_provider = provider
end

Public Instance Methods

decryption_cipher(envelope, options = {})

@return [Cipher] Given an encryption envelope, returns a decryption cipher.
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 29
# Builds the cipher used to decrypt an object, driven by its envelope.
#
# The master key is looked up from the envelope's 'x-amz-matdesc' value.
# The envelope then selects one of two paths:
#
# * Legacy: an 'x-amz-key' entry is present. The content key is unwrapped
#   with Utils.decrypt and an AES-CBC cipher is returned. CBC on its own
#   carries no integrity check, so unless integrity is verified somewhere
#   else, altered ciphertext is not rejected on this path.
# * Current: 'x-amz-cek-alg' must be 'AES/GCM/NoPadding'; the content key
#   is unwrapped according to 'x-amz-wrap-alg' and an AES-GCM cipher is
#   returned.
#
# NOTE(review): the path is chosen purely from envelope fields, and
# `options` is never read, so a caller cannot refuse legacy CBC envelopes
# through this method. If the envelope is loaded from stored object
# metadata (not visible here), treat it as untrusted input - confirm
# whether callers restrict legacy envelopes elsewhere.
#
# @param envelope [Hash] envelope fields keyed by 'x-amz-*' names
# @param options [Hash] accepted but not used by this method
# @return [Cipher]
# @raise [ArgumentError] for an unsupported cek-alg or wrap-alg, or when
#   the master key type does not fit the wrap-alg
# @raise [Errors::DecryptionError] when the cek-alg returned by
#   Utils.decrypt_rsa differs from the envelope's 'x-amz-cek-alg'
def decryption_cipher(envelope, options = {})
  master_key = @key_provider.key_for(envelope['x-amz-matdesc'])

  # Legacy envelopes are recognised by the presence of 'x-amz-key'.
  if envelope.key?('x-amz-key')
    legacy_key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
    legacy_iv = decode64(envelope['x-amz-iv'])
    return Utils.aes_decryption_cipher(:CBC, legacy_key, legacy_iv)
  end

  # Only one content-encryption algorithm is accepted on the current path.
  unless envelope['x-amz-cek-alg'] == 'AES/GCM/NoPadding'
    raise ArgumentError, "Unsupported cek-alg: #{envelope['x-amz-cek-alg']}"
  end

  content_key =
    case envelope['x-amz-wrap-alg']
    when 'AES/GCM'
      # An RSA master key cannot unwrap an AES/GCM-wrapped content key.
      if master_key.is_a?(OpenSSL::PKey::RSA)
        raise ArgumentError, 'Key mismatch - Client is configured' \
          ' with an RSA key and the x-amz-wrap-alg is AES/GCM.'
      end
      # The cek-alg is handed to the unwrap call; presumably it is bound
      # to the wrapped key as associated data - confirm in Utils.
      Utils.decrypt_aes_gcm(
        master_key,
        decode64(envelope['x-amz-key-v2']),
        envelope['x-amz-cek-alg']
      )
    when 'RSA-OAEP-SHA1'
      unless master_key.is_a?(OpenSSL::PKey::RSA)
        raise ArgumentError, 'Key mismatch - Client is configured' \
          ' with an AES key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
      end
      wrapped = decode64(envelope['x-amz-key-v2'])
      unwrapped, wrapped_cek_alg = Utils.decrypt_rsa(master_key, wrapped)
      # The algorithm recovered with the key must match the one the
      # envelope advertises; a mismatch is treated as a decryption failure.
      raise Errors::DecryptionError unless wrapped_cek_alg == envelope['x-amz-cek-alg']
      unwrapped
    when 'kms+context'
      # This provider only handles user-supplied keys, never KMS.
      raise ArgumentError, 'Key mismatch - Client is configured' \
          ' with a user provided key and the x-amz-wrap-alg is' \
          ' kms+context.  Please configure the client with the' \
          ' required kms_key_id'
    else
      raise ArgumentError, "Unsupported wrap-alg: #{envelope['x-amz-wrap-alg']}"
    end

  gcm_iv = decode64(envelope['x-amz-iv'])
  Utils.aes_decryption_cipher(:GCM, content_key, gcm_iv)
end
encryption_cipher()

@return [Array<Hash,Cipher>] Creates and returns a new encryption envelope and encryption cipher.
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 17
# Creates a fresh AES-CBC cipher and the envelope describing it.
#
# The envelope carries the Base64 of the wrapped content key
# ('x-amz-key'), the Base64 of the IV ('x-amz-iv') and the materials
# description ('x-amz-matdesc'). The key and IV are generated per call by
# envelope_key and envelope_iv.
#
# NOTE(review): CBC produces no authentication tag, so objects written
# through this method have confidentiality only unless integrity is
# checked elsewhere. decryption_cipher accepts AES/GCM envelopes, but this
# method never emits one - confirm whether that is intended.
#
# @return [Array<Hash,Cipher>] the envelope followed by the cipher
def encryption_cipher
  cipher = Utils.aes_encryption_cipher(:CBC)

  # Same evaluation order as the envelope fields: key first, then IV,
  # then the description.
  wrapped_key = encode64(encrypt(envelope_key(cipher)))
  encoded_iv = encode64(envelope_iv(cipher))
  envelope = {
    'x-amz-key' => wrapped_key,
    'x-amz-iv' => encoded_iv,
    'x-amz-matdesc' => materials_description,
  }

  [envelope, cipher]
end

Private Instance Methods

decode64(str)
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 95
# Decodes a Base64 envelope field into raw bytes.
#
# Base64.decode64 is the lenient decoder: characters outside the Base64
# alphabet are skipped rather than rejected, so a malformed field does not
# fail at this point.
# NOTE(review): Base64.strict_decode64 would reject such input, but it
# also rejects values containing line breaks - confirm how stored
# envelopes are formatted before switching.
#
# @param str [String] Base64 text
# @return [String] the decoded bytes
def decode64(str)
  decoded = Base64.decode64(str)
  decoded
end
encode64(str)
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 91
# Encodes bytes as single-line Base64.
#
# Base64.encode64 inserts line breaks into its output; they are removed
# here so the value can be stored as one envelope field.
#
# @param str [String] raw bytes
# @return [String] Base64 text without newlines
def encode64(str)
  lines = Base64.encode64(str).split("\n")
  lines.join('')
end
encrypt(data)
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 83
# Wraps data with the key provider's current encryption key.
#
# encryption_cipher uses this to wrap the per-object content key before it
# is placed in the envelope. The wrapping scheme itself lives in
# Utils.encrypt and is not visible here.
#
# @param data [String] the bytes to wrap
# @return the result of Utils.encrypt
def encrypt(data)
  master_key = @key_provider.encryption_materials.key
  Utils.encrypt(master_key, data)
end
envelope_iv(cipher)
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 79
# Asks the cipher for a random IV, installs it on the cipher and returns it.
#
# A new IV is requested on every call, so each envelope built by
# encryption_cipher gets its own IV.
#
# @param cipher [Cipher] the cipher to initialise
# @return [String] the IV that was assigned
def envelope_iv(cipher)
  fresh_iv = cipher.random_iv
  cipher.iv = fresh_iv
end
envelope_key(cipher)
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 75
# Asks the cipher for a random key, installs it on the cipher and returns it.
#
# The returned value is the plaintext content key. encryption_cipher
# passes it straight to encrypt for wrapping; it should not be logged or
# stored unwrapped.
#
# @param cipher [Cipher] the cipher to initialise
# @return [String] the key that was assigned
def envelope_key(cipher)
  fresh_key = cipher.random_key
  cipher.key = fresh_key
end
materials_description()
# File lib/aws-sdk-s3/encryption/default_cipher_provider.rb, line 87
# Returns the description attached to the provider's encryption materials.
#
# encryption_cipher stores this value as 'x-amz-matdesc' in the envelope
# without encrypting it, and decryption_cipher passes that field to
# key_for to select the master key. It should therefore identify a key,
# not contain secret material.
#
# @return the description from the key provider's encryption materials
def materials_description
  materials = @key_provider.encryption_materials
  materials.description
end