def test_raw_master_key_decrypts_what_raw_keyring_encrypts(
encryption_materials_samples):
test_raw_rsa_keyring = RawRSAKeyring.from_pem_encoding(
key_namespace=_PROVIDER_ID,
key_name=_KEY_ID,
wrapping_algorithm=_WRAPPING_ALGORITHM,
private_encoded_key=_PRIVATE_WRAPPING_KEY_PEM,
public_encoded_key=_PUBLIC_WRAPPING_KEY_PEM,
)
# Creating an instance of a raw master key
test_raw_master_key = RawMasterKey(
key_id=_KEY_ID,
provider_id=_PROVIDER_ID,
wrapping_key=WrappingKey(
wrapping_algorithm=_WRAPPING_ALGORITHM,
wrapping_key=_PRIVATE_WRAPPING_KEY_PEM,
wrapping_key_type=EncryptionKeyType.PRIVATE,
),
)
# Call on_encrypt function for the keyring
encryption_materials = test_raw_rsa_keyring.on_encrypt(
encryption_materials=encryption_materials_samples)
# Check if plaintext data key encrypted by raw keyring is decrypted by raw master key
raw_mkp_decrypted_data_key = test_raw_master_key.decrypt_data_key_from_list(
encrypted_data_keys=encryption_materials._encrypted_data_keys,
algorithm=encryption_materials.algorithm,
encryption_context=encryption_materials.encryption_context,
).data_key
assert encryption_materials.data_encryption_key.data_key == raw_mkp_decrypted_data_key
def __init__(self, plain_key):
RawMasterKeyProvider.__init__(self)
self.wrapping_key = WrappingKey(
wrapping_algorithm=WrappingAlgorithm.
AES_256_GCM_IV12_TAG16_NO_PADDING,
wrapping_key=plain_key,
wrapping_key_type=EncryptionKeyType.SYMMETRIC)
def _get_raw_key(self, key_id):
wrapping_key = VALUES['raw'][key_id][self.config.encryption_key_type]
if key_id == b'sym1':
wrapping_key = wrapping_key[:self.config.wrapping_algorithm.
algorithm.data_key_len]
return WrappingKey(wrapping_algorithm=self.config.wrapping_algorithm,
wrapping_key=wrapping_key,
wrapping_key_type=self.config.encryption_key_type)
def test_key_info_prefix_vectors(wrapping_algorithm):
assert (serialize_raw_master_key_prefix(raw_master_key=RawMasterKey(
provider_id=_PROVIDER_ID,
key_id=_KEY_ID,
wrapping_key=WrappingKey(
wrapping_algorithm=wrapping_algorithm,
wrapping_key=_WRAPPING_KEY,
wrapping_key_type=EncryptionKeyType.SYMMETRIC,
),
)) == _KEY_ID + b"\x00\x00\x00\x80\x00\x00\x00\x0c")
def _get_raw_key(self: StaticRandomMasterKeyProvider, key_id: bytes) -> WrappingKey:
try:
static_key = self._static_keys[key_id]
except KeyError:
static_key = hashlib.sha256(key_id).digest()
self._static_keys[key_id] = static_key
return WrappingKey(
wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING,
wrapping_key=static_key,
wrapping_key_type=EncryptionKeyType.SYMMETRIC,
)
def _get_raw_key(self, key_id):
if key_id not in self._static_keys.keys():
static_key = open(self.path_to_pem_file, "rb").read()
print("static_key=%s" % static_key)
self._static_keys[key_id] = static_key
else:
static_key = self._static_keys[key_id]
return WrappingKey(
#RSA_OAEP_SHA1_MGF1
wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA512_MGF1,
wrapping_key=static_key,
wrapping_key_type=EncryptionKeyType.PUBLIC,
)
def _get_raw_key(self, key_id):
""""""
try:
algorithm, key_bits, padding_algorithm, padding_hash = key_id.upper(
).split('.', 3)
key_bits = int(key_bits)
key_type = _KEY_TYPES_MAP[algorithm]
wrapping_algorithm = _WRAPPING_ALGORITHM_MAP[algorithm][key_bits][
padding_algorithm][padding_hash]
static_key = _STATIC_KEYS[algorithm][key_bits]
return WrappingKey(wrapping_algorithm=wrapping_algorithm,
wrapping_key=static_key,
wrapping_key_type=key_type)
except KeyError:
_LOGGER.exception('Unknown Key ID: {}'.format(key_id))
raise InvalidKeyIdError('Unknown Key ID: {}'.format(key_id))
def _get_raw_key(self, key_id):
"""Retrieves a static, randomly generated, symmetric key for the specified key id.
:param str key_id: Key ID
:returns: Wrapping key which contains the specified static key
:rtype: :class:`aws_encryption_sdk.internal.crypto.WrappingKey`
"""
try:
static_key = self._static_keys[key_id]
except KeyError:
static_key = os.urandom(32)
self._static_keys[key_id] = static_key
return WrappingKey(wrapping_algorithm=WrappingAlgorithm.
AES_256_GCM_IV12_TAG16_NO_PADDING,
wrapping_key=static_key,
wrapping_key_type=EncryptionKeyType.SYMMETRIC)
def test_raw_keyring_decrypts_what_raw_master_key_encrypts(
encryption_materials_samples):
# Create instance of raw master key
test_raw_master_key = RawMasterKey(
key_id=_KEY_ID,
provider_id=_PROVIDER_ID,
wrapping_key=WrappingKey(
wrapping_algorithm=_WRAPPING_ALGORITHM,
wrapping_key=_PRIVATE_WRAPPING_KEY_PEM,
wrapping_key_type=EncryptionKeyType.PRIVATE,
),
)
test_raw_rsa_keyring = RawRSAKeyring.from_pem_encoding(
key_namespace=_PROVIDER_ID,
key_name=_KEY_ID,
wrapping_algorithm=_WRAPPING_ALGORITHM,
private_encoded_key=_PRIVATE_WRAPPING_KEY_PEM,
public_encoded_key=_PUBLIC_WRAPPING_KEY_PEM,
)
raw_mkp_generated_data_key = test_raw_master_key.generate_data_key(
algorithm=encryption_materials_samples.algorithm,
encryption_context=encryption_materials_samples.encryption_context,
)
raw_mkp_encrypted_data_key = test_raw_master_key.encrypt_data_key(
data_key=raw_mkp_generated_data_key,
algorithm=encryption_materials_samples.algorithm,
encryption_context=encryption_materials_samples.encryption_context,
)
decryption_materials = test_raw_rsa_keyring.on_decrypt(
decryption_materials=DecryptionMaterials(
algorithm=encryption_materials_samples.algorithm,
encryption_context=encryption_materials_samples.encryption_context,
verification_key=b"ex_verification_key",
),
encrypted_data_keys=[raw_mkp_encrypted_data_key],
)
assert raw_mkp_generated_data_key.data_key == decryption_materials.data_encryption_key.data_key
def _get_raw_key(self, key_id):
"""Retrieves a static, randomly generated, RSA key for the specified key id.
:param str key_id: Key ID
:returns: Wrapping key which contains the specified static key
:rtype: :class:`aws_encryption_sdk.internal.crypto.WrappingKey`
"""
try:
static_key = self._static_keys[key_id]
except KeyError:
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=4096,
backend=default_backend())
static_key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption())
self._static_keys[key_id] = static_key
return WrappingKey(
wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA1_MGF1,
wrapping_key=static_key,
wrapping_key_type=EncryptionKeyType.PRIVATE)
def decrypt(decoded, plaintext):
wrapping_key = WrappingKey(
wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING,
wrapping_key=plaintext,
wrapping_key_type=EncryptionKeyType.SYMMETRIC)
my_key_provider = MyRawMasterKeyProvider(wrapping_key)
my_key_provider.add_master_key("DataKey")
with aws_encryption_sdk.stream(
mode='d',
source=decoded,
materials_manager=DefaultCryptoMaterialsManager(
master_key_provider=my_key_provider)) as decryptor:
entries = []
for chunk in decryptor:
d = zlib.decompressobj(16 + zlib.MAX_WBITS)
decompressed_database_stream = d.decompress(chunk)
record_event = json.loads(
decompressed_database_stream.decode("utf-8"))
for evt in record_event['databaseActivityEventList']:
if evt['type'] != "heartbeat":
entries.append(evt)
if len(entries) > 0:
process_entries(entries)
def _get_raw_key(self, key_id):
return WrappingKey(
wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
wrapping_key=self._key,
wrapping_key_type=EncryptionKeyType.PRIVATE)
def _get_raw_key(self, key_id):
return WrappingKey(
wrapping_algorithm=self.config.wrapping_algorithm,
wrapping_key=self.config.key_bytes,
wrapping_key_type=self.config.encryption_key_type,
)