def _prep_message(self): """Performs initial message setup. :raises MasterKeyProviderError: if primary master key is not a member of supplied MasterKeyProvider :raises MasterKeyProviderError: if no Master Keys are returned from key_provider """ validate_commitment_policy_on_encrypt(self.config.commitment_policy, self.config.algorithm) try: plaintext_length = self.stream_length except NotSupportedError: plaintext_length = None encryption_materials_request = EncryptionMaterialsRequest( algorithm=self.config.algorithm, encryption_context=self.config.encryption_context.copy(), frame_length=self.config.frame_length, plaintext_rostream=aws_encryption_sdk.internal.utils.streams. ROStream(self.source_stream), plaintext_length=plaintext_length, commitment_policy=self.config.commitment_policy, ) self._encryption_materials = self.config.materials_manager.get_encryption_materials( request=encryption_materials_request) if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm: raise ActionNotAllowedError( ("Cryptographic materials manager provided algorithm suite" " differs from algorithm suite in request.\n" "Required: {requested}\n" "Provided: {provided}").format( requested=self.config.algorithm, provided=self._encryption_materials.algorithm)) if self._encryption_materials.signing_key is None: self.signer = None else: self.signer = Signer.from_key_bytes( algorithm=self._encryption_materials.algorithm, key_bytes=self._encryption_materials.signing_key) aws_encryption_sdk.internal.utils.validate_frame_length( frame_length=self.config.frame_length, algorithm=self._encryption_materials.algorithm) message_id = aws_encryption_sdk.internal.utils.message_id( self._encryption_materials.algorithm.message_id_length()) self._derived_data_key = derive_data_encryption_key( source_key=self._encryption_materials.data_encryption_key.data_key, algorithm=self._encryption_materials.algorithm, message_id=message_id, ) self._header = self.generate_header(message_id) self._write_header() if self.content_type == ContentType.NO_FRAMING: self._prep_non_framed() self._message_prepped = True
def validate_signature_policy_on_decrypt(signature_policy, algorithm): """Validates that the provided algorithm does not violate the signature policy for a decrypt request.""" if signature_policy == SignaturePolicy.ALLOW_ENCRYPT_FORBID_DECRYPT and algorithm.is_signing( ): error_message = ( "Configuration conflict. Cannot decrypt signed message in decrypt-unsigned mode. Algorithm ID was {}. " ) raise ActionNotAllowedError( error_message.format(algorithm.algorithm_id))
def validate_commitment_policy_on_decrypt(commitment_policy, algorithm): """Validates that the provided algorithm does not violate the commitment policy for a decrypt request.""" if commitment_policy == CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT and not algorithm.is_committing( ): error_message = ( "Configuration conflict. Cannot decrypt due to {} requiring only committed messages. Algorithm ID was {}. " "See: " + TROUBLESHOOTING_URL) raise ActionNotAllowedError( error_message.format(commitment_policy, algorithm.algorithm_id))
def validate_commitment_policy_on_encrypt(commitment_policy, algorithm): """Validates that the provided algorithm does not violate the commitment policy for an encrypt request.""" if commitment_policy == CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT and ( algorithm is not None and algorithm.is_committing()): error_message = ( "Configuration conflict. Cannot encrypt due to {} requiring only non-committed messages. " "Algorithm ID was {}. See: " + TROUBLESHOOTING_URL) raise ActionNotAllowedError( error_message.format(commitment_policy, algorithm.algorithm_id)) if commitment_policy in ( CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT, CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, ): if algorithm is not None and not algorithm.is_committing(): error_message = ( "Configuration conflict. Cannot encrypt due to {} requiring only committed messages. " "Algorithm ID was {}. See: " + TROUBLESHOOTING_URL) raise ActionNotAllowedError( error_message.format(commitment_policy, algorithm.algorithm_id))
def frame_iv(algorithm, sequence_number): """Builds the deterministic IV for a body frame. :param algorithm: Algorithm for which to build IV :type algorithm: aws_encryption_sdk.identifiers.Algorithm :param int sequence_number: Frame sequence number :returns: Generated IV :rtype: bytes :raises ActionNotAllowedError: if sequence number of out bounds """ if sequence_number < 1 or sequence_number > MAX_FRAME_COUNT: raise ActionNotAllowedError( 'Invalid frame sequence number: {actual}\nMust be between 1 and {max}' .format(actual=sequence_number, max=MAX_FRAME_COUNT)) prefix_len = algorithm.iv_len - 4 prefix = b'\x00' * prefix_len return prefix + struct.pack('>I', sequence_number)
def write(self, b): # pylint: disable=unused-argument """Blocks calls to write. :raises ActionNotAllowedError: when called """ raise ActionNotAllowedError('Write not allowed on ROStream objects')
def write(self, b): """Blocks calls to write. :raises ActionNotAllowedError: when called """ raise ActionNotAllowedError('Write not allowed on ROStream objects')
def _prep_message(self): """Performs initial message setup. :raises MasterKeyProviderError: if primary master key is not a member of supplied MasterKeyProvider :raises MasterKeyProviderError: if no Master Keys are returned from key_provider """ message_id = aws_encryption_sdk.internal.utils.message_id() try: plaintext_length = self.stream_length except NotSupportedError: plaintext_length = None encryption_materials_request = EncryptionMaterialsRequest( algorithm=self.config.algorithm, encryption_context=self.config.encryption_context.copy(), frame_length=self.config.frame_length, plaintext_rostream=aws_encryption_sdk.internal.utils.ROStream( self.source_stream), plaintext_length=plaintext_length) self._encryption_materials = self.config.materials_manager.get_encryption_materials( request=encryption_materials_request) if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm: raise ActionNotAllowedError( ('Cryptographic materials manager provided algorithm suite' ' differs from algorithm suite in request.\n' 'Required: {requested}\n' 'Provided: {provided}').format( requested=self.config.algorithm, provided=self._encryption_materials.algorithm)) if self._encryption_materials.signing_key is None: self.signer = None else: self.signer = aws_encryption_sdk.internal.crypto.Signer.from_key_bytes( algorithm=self._encryption_materials.algorithm, key_bytes=self._encryption_materials.signing_key) aws_encryption_sdk.internal.utils.validate_frame_length( frame_length=self.config.frame_length, algorithm=self._encryption_materials.algorithm) self._derived_data_key = aws_encryption_sdk.internal.crypto.derive_data_encryption_key( source_key=self._encryption_materials.data_encryption_key.data_key, algorithm=self._encryption_materials.algorithm, message_id=message_id) self._header = MessageHeader( version=VERSION, type=TYPE, algorithm=self._encryption_materials.algorithm, message_id=message_id, encryption_context=self._encryption_materials.encryption_context, encrypted_data_keys=self._encryption_materials.encrypted_data_keys, content_type=self.content_type, content_aad_length=0, header_iv_length=self._encryption_materials.algorithm.iv_len, frame_length=self.config.frame_length) self._write_header() if self.content_type == ContentType.NO_FRAMING: self._prep_non_framed() self._message_prepped = True