def search_key_pair(data, response):
    """Serve a lookup of a previously generated data key pair by ``KeyId``.

    Reads ``data["KeyId"]`` and looks it up in the backend's ``key_pairs``.
    When there is no such record the ``response`` is returned untouched;
    otherwise a ``Key`` is rebuilt from the record's ``Policy``, ``KeyUsage``,
    ``KeySpec``, ``Description`` and ``Region``, given the record's ``KeyId``,
    and its ``to_dict()`` form is written into ``response`` with status 200.
    Only those metadata fields are serialized — nothing else stored in the
    record (e.g. private key material) reaches the caller through this path.
    """
    stored = KMSBackend.get().key_pairs.get(data.get("KeyId"))
    if not stored:
        return response

    rebuilt = Key(
        stored["Policy"],
        stored["KeyUsage"],
        stored["KeySpec"],
        stored["Description"],
        stored["Region"],
    )
    rebuilt.id = stored["KeyId"]

    response.status_code = 200
    set_response_content(response, json.dumps(rebuilt.to_dict()))
    return response
def test_decrypt_invalid_ciphertext_format():
    """An empty ciphertext blob must be rejected as malformed, not decrypted."""
    key = Key("nop", "nop", "nop", [], "nop")
    keys_by_id = {key.id: key}

    with assert_raises(InvalidCiphertextException):
        decrypt(master_keys=keys_by_id, ciphertext_blob=b"", encryption_context={})
def test_decrypt_invalid_ciphertext():
    """A blob carrying a known key id but bogus body must still fail to decrypt.

    The key id prefix is valid, so the failure has to come from the remaining
    bytes (presumably IV/tag-sized fillers followed by junk) — i.e. the blob
    must be authenticated, not just routed to the right key.
    """
    key = Key("nop", "nop", "nop", [], "nop")
    keys_by_id = {key.id: key}

    bogus_blob = b"".join(
        [
            key.id.encode("utf-8"),
            b"123456789012",
            b"1234567890123456",
            b"some ciphertext",
        ]
    )

    with assert_raises(InvalidCiphertextException):
        decrypt(
            master_keys=keys_by_id,
            ciphertext_blob=bogus_blob,
            encryption_context={},
        )
def test_encrypt_decrypt_cycle(encryption_context):
    """Round-trip: encrypt under a key, decrypt with the same context, get the
    plaintext and that key's id back; the ciphertext must differ from the
    plaintext. ``encryption_context`` is supplied by the caller/parametrization.
    """
    secret = b"some secret plaintext"
    key = Key("nop", "nop", "nop", [], "nop")
    keys_by_id = {key.id: key}

    blob = encrypt(
        master_keys=keys_by_id,
        key_id=key.id,
        plaintext=secret,
        encryption_context=encryption_context,
    )
    blob.should_not.equal(secret)

    recovered, used_key_id = decrypt(
        master_keys=keys_by_id,
        ciphertext_blob=blob,
        encryption_context=encryption_context,
    )
    recovered.should.equal(secret)
    used_key_id.should.equal(key.id)
def test_decrypt_invalid_encryption_context():
    """Ciphertext bound to an encryption context must not decrypt without it.

    Encrypts with a non-empty context and decrypts with an empty one; the
    mismatch has to surface as ``InvalidCiphertextException`` rather than a
    successful decrypt.
    """
    secret = b"some secret plaintext"
    key = Key("nop", "nop", "nop", [], "nop")
    keys_by_id = {key.id: key}

    bound_context = {"some": "encryption", "context": "here"}
    blob = encrypt(
        master_keys=keys_by_id,
        key_id=key.id,
        plaintext=secret,
        encryption_context=bound_context,
    )

    with assert_raises(InvalidCiphertextException):
        decrypt(
            master_keys=keys_by_id,
            ciphertext_blob=blob,
            encryption_context={},
        )
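def _generate_data_key_pair(data, create_cipher=True, add_to_keys=True):
    """Generate an asymmetric data key pair for the local KMS emulation.

    Args:
        data: request parameters. Reads ``KeyId``; the key spec from
            ``KeyPairSpec``, ``KeySpec`` or ``CustomerMasterKeySpec`` (first
            one present wins); ``Policy`` and ``Description``.
        create_cipher: when true, the DER/PKCS#8 private key is encrypted under
            ``KeyId`` via the (emulated) KMS ``Encrypt`` API and returned as
            ``PrivateKeyCiphertextBlob``; otherwise that field is ``None``.
        add_to_keys: when true, the raw record — including the private key
            object under ``_key_`` and the plaintext private key — is stored in
            the backend's ``key_pairs`` under ``KeyId``.

    Returns:
        dict merging the ``KeyMetadata`` of a ``Key`` built from the spec with
        the generated material. ``PrivateKeyPlaintext`` (DER/PKCS#8, unencrypted)
        and ``PublicKey`` (DER) are always present, regardless of
        ``create_cipher``. ``Region`` is dropped from the returned dict; ``_key_``
        is dropped only when ``add_to_keys`` is true (when false the caller is
        expected to consume the key object itself).

    Raises:
        ValueError: when no key spec is given, or it names an RSA size / ECC
            curve this emulation does not support. (Previously such specs fell
            through to an ``AttributeError``/``TypeError`` from the
            ``cryptography`` calls.)
    """
    region_details = KMSBackend.get()
    kms = aws_stack.connect_to_service("kms")
    key_id = data.get("KeyId")
    key_spec = (
        data.get("KeyPairSpec")
        or data.get("KeySpec")
        or data.get("CustomerMasterKeySpec")
    )

    key, public_format = _new_asymmetric_key(key_spec)

    private_key = key.private_bytes(
        crypto_serialization.Encoding.DER,
        crypto_serialization.PrivateFormat.PKCS8,
        crypto_serialization.NoEncryption(),
    )
    public_key = key.public_key().public_bytes(
        crypto_serialization.Encoding.DER, public_format
    )

    cipher_text = None
    if create_cipher:
        cipher_text = kms.encrypt(KeyId=key_id, Plaintext=private_key)["CiphertextBlob"]

    region = region_details.get_current_request_region()
    result = {
        "PrivateKeyCiphertextBlob": cipher_text,
        "PrivateKeyPlaintext": private_key,
        "PublicKey": public_key,
        "KeyId": key_id,
        "KeyPairSpec": key_spec,
        "KeySpec": key_spec,
        "KeyUsage": "SIGN_VERIFY",
        "Policy": data.get("Policy"),
        "Region": region,
        "Description": data.get("Description"),
        "Arn": key_id and aws_stack.kms_key_arn(key_id),
        "_key_": key,
    }
    if add_to_keys:
        # The stored record keeps the key object and plaintext private key;
        # the merged dict built below is a separate object, so the pops that
        # follow do not affect what was stored.
        region_details.key_pairs[key_id] = result

    key_model = Key("", result["KeyUsage"], key_spec, result["Description"], region)
    key_model.id = key_id
    result = {**key_model.to_dict()["KeyMetadata"], **result}
    result.pop("Region")
    if add_to_keys:
        result.pop("_key_")
    return result


def _new_asymmetric_key(key_spec):
    """Generate a fresh private key for ``key_spec``.

    Returns ``(key, public_format)`` where ``public_format`` is the
    ``cryptography`` public-key serialization format used for that spec.
    Raises ``ValueError`` for ``None``/unknown specs instead of letting an
    unmapped size or curve reach the ``cryptography`` generators.
    """
    rsa_key_sizes = {
        "RSA_2048": 2048,
        "RSA_3072": 3072,
        "RSA_4096": 4096,
    }
    ecc_curves = {
        "ECC_NIST_P256": ec.SECP256R1,
        "ECC_NIST_P384": ec.SECP384R1,
        "ECC_NIST_P521": ec.SECP521R1,
        "ECC_SECG_P256K1": ec.SECP256K1,
    }

    if key_spec in rsa_key_sizes:
        key = rsa.generate_private_key(
            public_exponent=65537, key_size=rsa_key_sizes[key_spec]
        )
        # NOTE(review): RSA public keys are exported as PKCS#1 here while ECC
        # keys use SubjectPublicKeyInfo; real KMS presumably returns SPKI for
        # every spec — confirm before relying on this for parity.
        return key, crypto_serialization.PublicFormat.PKCS1

    if key_spec in ecc_curves:
        key = ec.generate_private_key(ecc_curves[key_spec]())
        return key, crypto_serialization.PublicFormat.SubjectPublicKeyInfo

    raise ValueError("unsupported key spec for data key pair: %r" % (key_spec,))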