def _prep_message(self):
"""Performs initial message setup.
:raises MasterKeyProviderError: if primary master key is not a member of supplied MasterKeyProvider
:raises MasterKeyProviderError: if no Master Keys are returned from key_provider
"""
validate_commitment_policy_on_encrypt(self.config.commitment_policy,
self.config.algorithm)
try:
plaintext_length = self.stream_length
except NotSupportedError:
plaintext_length = None
encryption_materials_request = EncryptionMaterialsRequest(
algorithm=self.config.algorithm,
encryption_context=self.config.encryption_context.copy(),
frame_length=self.config.frame_length,
plaintext_rostream=aws_encryption_sdk.internal.utils.streams.
ROStream(self.source_stream),
plaintext_length=plaintext_length,
commitment_policy=self.config.commitment_policy,
)
self._encryption_materials = self.config.materials_manager.get_encryption_materials(
request=encryption_materials_request)
if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm:
raise ActionNotAllowedError(
("Cryptographic materials manager provided algorithm suite"
" differs from algorithm suite in request.\n"
"Required: {requested}\n"
"Provided: {provided}").format(
requested=self.config.algorithm,
provided=self._encryption_materials.algorithm))
if self._encryption_materials.signing_key is None:
self.signer = None
else:
self.signer = Signer.from_key_bytes(
algorithm=self._encryption_materials.algorithm,
key_bytes=self._encryption_materials.signing_key)
aws_encryption_sdk.internal.utils.validate_frame_length(
frame_length=self.config.frame_length,
algorithm=self._encryption_materials.algorithm)
message_id = aws_encryption_sdk.internal.utils.message_id(
self._encryption_materials.algorithm.message_id_length())
self._derived_data_key = derive_data_encryption_key(
source_key=self._encryption_materials.data_encryption_key.data_key,
algorithm=self._encryption_materials.algorithm,
message_id=message_id,
)
self._header = self.generate_header(message_id)
self._write_header()
if self.content_type == ContentType.NO_FRAMING:
self._prep_non_framed()
self._message_prepped = True
def validate_signature_policy_on_decrypt(signature_policy, algorithm):
"""Validates that the provided algorithm does not violate the signature policy for a decrypt request."""
if signature_policy == SignaturePolicy.ALLOW_ENCRYPT_FORBID_DECRYPT and algorithm.is_signing(
):
error_message = (
"Configuration conflict. Cannot decrypt signed message in decrypt-unsigned mode. Algorithm ID was {}. "
)
raise ActionNotAllowedError(
error_message.format(algorithm.algorithm_id))
def validate_commitment_policy_on_decrypt(commitment_policy, algorithm):
"""Validates that the provided algorithm does not violate the commitment policy for a decrypt request."""
if commitment_policy == CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT and not algorithm.is_committing(
):
error_message = (
"Configuration conflict. Cannot decrypt due to {} requiring only committed messages. Algorithm ID was {}. "
"See: " + TROUBLESHOOTING_URL)
raise ActionNotAllowedError(
error_message.format(commitment_policy, algorithm.algorithm_id))
def validate_commitment_policy_on_encrypt(commitment_policy, algorithm):
"""Validates that the provided algorithm does not violate the commitment policy for an encrypt request."""
if commitment_policy == CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT and (
algorithm is not None and algorithm.is_committing()):
error_message = (
"Configuration conflict. Cannot encrypt due to {} requiring only non-committed messages. "
"Algorithm ID was {}. See: " + TROUBLESHOOTING_URL)
raise ActionNotAllowedError(
error_message.format(commitment_policy, algorithm.algorithm_id))
if commitment_policy in (
CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT,
CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
):
if algorithm is not None and not algorithm.is_committing():
error_message = (
"Configuration conflict. Cannot encrypt due to {} requiring only committed messages. "
"Algorithm ID was {}. See: " + TROUBLESHOOTING_URL)
raise ActionNotAllowedError(
error_message.format(commitment_policy,
algorithm.algorithm_id))
def frame_iv(algorithm, sequence_number):
"""Builds the deterministic IV for a body frame.
:param algorithm: Algorithm for which to build IV
:type algorithm: aws_encryption_sdk.identifiers.Algorithm
:param int sequence_number: Frame sequence number
:returns: Generated IV
:rtype: bytes
:raises ActionNotAllowedError: if sequence number of out bounds
"""
if sequence_number < 1 or sequence_number > MAX_FRAME_COUNT:
raise ActionNotAllowedError(
'Invalid frame sequence number: {actual}\nMust be between 1 and {max}'
.format(actual=sequence_number, max=MAX_FRAME_COUNT))
prefix_len = algorithm.iv_len - 4
prefix = b'\x00' * prefix_len
return prefix + struct.pack('>I', sequence_number)
def write(self, b): # pylint: disable=unused-argument
"""Blocks calls to write.
:raises ActionNotAllowedError: when called
"""
raise ActionNotAllowedError('Write not allowed on ROStream objects')
def write(self, b):
"""Blocks calls to write.
:raises ActionNotAllowedError: when called
"""
raise ActionNotAllowedError('Write not allowed on ROStream objects')
def _prep_message(self):
"""Performs initial message setup.
:raises MasterKeyProviderError: if primary master key is not a member of supplied MasterKeyProvider
:raises MasterKeyProviderError: if no Master Keys are returned from key_provider
"""
message_id = aws_encryption_sdk.internal.utils.message_id()
try:
plaintext_length = self.stream_length
except NotSupportedError:
plaintext_length = None
encryption_materials_request = EncryptionMaterialsRequest(
algorithm=self.config.algorithm,
encryption_context=self.config.encryption_context.copy(),
frame_length=self.config.frame_length,
plaintext_rostream=aws_encryption_sdk.internal.utils.ROStream(
self.source_stream),
plaintext_length=plaintext_length)
self._encryption_materials = self.config.materials_manager.get_encryption_materials(
request=encryption_materials_request)
if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm:
raise ActionNotAllowedError(
('Cryptographic materials manager provided algorithm suite'
' differs from algorithm suite in request.\n'
'Required: {requested}\n'
'Provided: {provided}').format(
requested=self.config.algorithm,
provided=self._encryption_materials.algorithm))
if self._encryption_materials.signing_key is None:
self.signer = None
else:
self.signer = aws_encryption_sdk.internal.crypto.Signer.from_key_bytes(
algorithm=self._encryption_materials.algorithm,
key_bytes=self._encryption_materials.signing_key)
aws_encryption_sdk.internal.utils.validate_frame_length(
frame_length=self.config.frame_length,
algorithm=self._encryption_materials.algorithm)
self._derived_data_key = aws_encryption_sdk.internal.crypto.derive_data_encryption_key(
source_key=self._encryption_materials.data_encryption_key.data_key,
algorithm=self._encryption_materials.algorithm,
message_id=message_id)
self._header = MessageHeader(
version=VERSION,
type=TYPE,
algorithm=self._encryption_materials.algorithm,
message_id=message_id,
encryption_context=self._encryption_materials.encryption_context,
encrypted_data_keys=self._encryption_materials.encrypted_data_keys,
content_type=self.content_type,
content_aad_length=0,
header_iv_length=self._encryption_materials.algorithm.iv_len,
frame_length=self.config.frame_length)
self._write_header()
if self.content_type == ContentType.NO_FRAMING:
self._prep_non_framed()
self._message_prepped = True
