def serialize_header_auth(algorithm, header, data_encryption_key, signer=None):
"""Creates serialized header authentication data.
:param algorithm: Algorithm to use for encryption
:type algorithm: aws_encryption_sdk.identifiers.Algorithm
:param bytes header: Serialized message header
:param bytes data_encryption_key: Data key with which to encrypt message
:param signer: Cryptographic signer object (optional)
:type signer: aws_encryption_sdk.Signer
:returns: Serialized header authentication data
:rtype: bytes
"""
header_auth = encrypt(
algorithm=algorithm,
key=data_encryption_key,
plaintext=b"",
associated_data=header,
iv=header_auth_iv(algorithm),
)
output = struct.pack(
">{iv_len}s{tag_len}s".format(iv_len=algorithm.iv_len, tag_len=algorithm.tag_len),
header_auth.iv,
header_auth.tag,
)
if signer is not None:
signer.update(output)
return output
def test_encrypt(patch_encryptor):
patch_encryptor.return_value.update.return_value = b"some data-"
patch_encryptor.return_value.finalize.return_value = b"some more data"
patch_encryptor.return_value.iv = b"ex iv"
patch_encryptor.return_value.tag = b"ex tag"
test = encrypt(
algorithm=sentinel.algorithm,
key=sentinel.key,
plaintext=sentinel.plaintext,
associated_data=sentinel.aad,
iv=sentinel.iv,
)
patch_encryptor.assert_called_once_with(sentinel.algorithm, sentinel.key, sentinel.aad, sentinel.iv)
patch_encryptor.return_value.update.assert_called_once_with(sentinel.plaintext)
patch_encryptor.return_value.finalize.assert_called_once_with()
assert test == EncryptedData(iv=b"ex iv", ciphertext=b"some data-some more data", tag=b"ex tag")
def serialize_frame(
algorithm, plaintext, message_id, data_encryption_key, frame_length, sequence_number, is_final_frame, signer=None
):
"""Receives a message plaintext, breaks off a frame, encrypts and serializes
the frame, and returns the encrypted frame and the remaining plaintext.
:param algorithm: Algorithm to use for encryption
:type algorithm: aws_encryption_sdk.identifiers.Algorithm
:param bytes plaintext: Source plaintext to encrypt and serialize
:param bytes message_id: Message ID
:param bytes data_encryption_key: Data key with which to encrypt message
:param int frame_length: Length of the framed data
:param int sequence_number: Sequence number for frame to be generated
:param bool is_final_frame: Boolean stating whether or not this frame is a final frame
:param signer: Cryptographic signer object (optional)
:type signer: aws_encryption_sdk.Signer
:returns: Serialized frame and remaining plaintext
:rtype: tuple of bytes
:raises SerializationError: if number of frames is too large
"""
if sequence_number < 1:
raise SerializationError("Frame sequence number must be greater than 0")
if sequence_number > aws_encryption_sdk.internal.defaults.MAX_FRAME_COUNT:
raise SerializationError("Max frame count exceeded")
if is_final_frame:
content_string = ContentAADString.FINAL_FRAME_STRING_ID
else:
content_string = ContentAADString.FRAME_STRING_ID
frame_plaintext = plaintext[:frame_length]
frame_ciphertext = encrypt(
algorithm=algorithm,
key=data_encryption_key,
plaintext=frame_plaintext,
associated_data=aws_encryption_sdk.internal.formatting.encryption_context.assemble_content_aad(
message_id=message_id,
aad_content_string=content_string,
seq_num=sequence_number,
length=len(frame_plaintext),
),
iv=frame_iv(algorithm, sequence_number),
)
plaintext = plaintext[frame_length:]
if is_final_frame:
_LOGGER.debug("Serializing final frame")
packed_frame = struct.pack(
">II{iv_len}sI{content_len}s{auth_len}s".format(
iv_len=algorithm.iv_len, content_len=len(frame_ciphertext.ciphertext), auth_len=algorithm.auth_len
),
SequenceIdentifier.SEQUENCE_NUMBER_END.value,
sequence_number,
frame_ciphertext.iv,
len(frame_ciphertext.ciphertext),
frame_ciphertext.ciphertext,
frame_ciphertext.tag,
)
else:
_LOGGER.debug("Serializing frame")
packed_frame = struct.pack(
">I{iv_len}s{content_len}s{auth_len}s".format(
iv_len=algorithm.iv_len, content_len=frame_length, auth_len=algorithm.auth_len
),
sequence_number,
frame_ciphertext.iv,
frame_ciphertext.ciphertext,
frame_ciphertext.tag,
)
if signer is not None:
signer.update(packed_frame)
return packed_frame, plaintext