Esempio n. 1
    def _key_check(self, data_key):
        """Reject a Data Key whose key provider does not belong to this Master Key.

        Ownership is decided entirely by ``self.owns_data_key``; this method only
        turns a negative answer into an exception and returns ``None`` otherwise.

        :param data_key: Data Key to verify
        :type data_key: :class:`aws_encryption_sdk.structures.RawDataKey`,
            :class:`aws_encryption_sdk.structures.DataKey`,
            or :class:`aws_encryption_sdk.structures.EncryptedDataKey`
        :raises IncorrectMasterKeyError: if Data Key's key provider does not match this Master Key
        """
        if self.owns_data_key(data_key):
            return

        # Both provider descriptions are interpolated into the message.
        # NOTE(review): presumably these carry provider metadata only, not key
        # material -- confirm before this error is logged or surfaced.
        mismatch = (
            "Provided data key provider {key} does not match Master Key provider {master}"
        ).format(key=data_key.key_provider, master=self.key_provider)
        raise IncorrectMasterKeyError(mismatch)
Esempio n. 2
    def decrypt(self, encrypted_wrapped_data_key, encryption_context):
        """Unwrap an encrypted data key with this wrapping key.

        The path taken depends on ``self.wrapping_key_type``:

        * ``PUBLIC``: refused outright with :class:`IncorrectMasterKeyError`.
        * ``PRIVATE``: ``self._wrapping_key.decrypt`` is called with the
          ciphertext and the wrapping algorithm's padding.
        * anything else: the module-level ``decrypt`` helper is called with
          ``self._derived_wrapping_key`` and the serialized encryption context
          as associated data.

        NOTE(review): ``encryption_context`` is only passed on as associated data
        on the last path. Nothing in this method checks it on the ``PRIVATE``
        path, so callers that rely on the context being bound to the wrapped key
        should confirm it is verified elsewhere.

        :param encrypted_wrapped_data_key: Encrypted, wrapped, data key
        :type encrypted_wrapped_data_key: aws_encryption_sdk.internal.structures.EncryptedData
        :param dict encryption_context: Encryption context to use in decryption
        :returns: Plaintext of data key
        :rtype: bytes
        :raises IncorrectMasterKeyError: if the wrapping key is a public key
        """
        key_type = self.wrapping_key_type

        # A public key can never unwrap; fail before touching the ciphertext.
        if key_type is EncryptionKeyType.PUBLIC:
            raise IncorrectMasterKeyError('Public key cannot decrypt')

        if key_type is not EncryptionKeyType.PRIVATE:
            # The encryption context is serialized and handed to the helper as
            # associated data.
            context_bytes = serialize_encryption_context(
                encryption_context=encryption_context)
            # The bare name resolves to a module-level ``decrypt``, not this method.
            return decrypt(
                algorithm=self.wrapping_algorithm.algorithm,
                key=self._derived_wrapping_key,
                encrypted_data=encrypted_wrapped_data_key,
                associated_data=context_bytes)

        # Private-key path: only the ciphertext and padding are used here.
        return self._wrapping_key.decrypt(
            ciphertext=encrypted_wrapped_data_key.ciphertext,
            padding=self.wrapping_algorithm.padding)