def test_calculate_commitment_key(patch_default_backend, patch_struct): algorithm = MagicMock() algorithm.kdf_hash_type.return_value = sentinel.kdf_hash_type algorithm.is_committing.return_value = False test = data_keys.calculate_commitment_key( source_key=sentinel.source_key, algorithm=algorithm, message_id=sentinel.message_id ) patch_struct.pack.assert_called_with(">9s", data_keys.COMMIT_LABEL) algorithm.kdf_type.assert_called_with( algorithm=sentinel.kdf_hash_type, length=data_keys.L_C, salt=sentinel.message_id, info=patch_struct.pack.return_value, backend=patch_default_backend.return_value, ) algorithm.kdf_type.return_value.derive.assert_called_with(sentinel.source_key) assert test == algorithm.kdf_type.return_value.derive.return_value
def generate_header(self, message_id): """Generates the header object. :param message_id: The randomly generated id for the message :type message_id: bytes """ version = VERSION if self._encryption_materials.algorithm.message_format_version == 0x02: version = SerializationVersion.V2 kwargs = dict( version=version, algorithm=self._encryption_materials.algorithm, message_id=message_id, encryption_context=self._encryption_materials.encryption_context, encrypted_data_keys=self._encryption_materials.encrypted_data_keys, content_type=self.content_type, frame_length=self.config.frame_length, ) if self._encryption_materials.algorithm.is_committing(): commitment_key = calculate_commitment_key( source_key=self._encryption_materials.data_encryption_key. data_key, algorithm=self._encryption_materials.algorithm, message_id=message_id, ) kwargs["commitment_key"] = commitment_key if version == SerializationVersion.V1: kwargs["type"] = TYPE kwargs["content_aad_length"] = 0 kwargs[ "header_iv_length"] = self._encryption_materials.algorithm.iv_len return MessageHeader(**kwargs)
def _read_header(self): """Reads the message header from the input stream. :returns: tuple containing deserialized header and header_auth objects :rtype: tuple of aws_encryption_sdk.structures.MessageHeader and aws_encryption_sdk.internal.structures.MessageHeaderAuthentication :raises CustomMaximumValueExceeded: if frame length is greater than the custom max value """ header, raw_header = deserialize_header(self.source_stream) self.__unframed_bytes_read += len(raw_header) validate_commitment_policy_on_decrypt(self.config.commitment_policy, header.algorithm) if (self.config.max_body_length is not None and header.content_type == ContentType.FRAMED_DATA and header.frame_length > self.config.max_body_length): raise CustomMaximumValueExceeded( "Frame Size in header found larger than custom value: {found:d} > {custom:d}" .format(found=header.frame_length, custom=self.config.max_body_length)) decrypt_materials_request = DecryptionMaterialsRequest( encrypted_data_keys=header.encrypted_data_keys, algorithm=header.algorithm, encryption_context=header.encryption_context, commitment_policy=self.config.commitment_policy, ) decryption_materials = self.config.materials_manager.decrypt_materials( request=decrypt_materials_request) if decryption_materials.verification_key is None: self.verifier = None else: self.verifier = Verifier.from_key_bytes( algorithm=header.algorithm, key_bytes=decryption_materials.verification_key) if self.verifier is not None: self.verifier.update(raw_header) header_auth = deserialize_header_auth(version=header.version, stream=self.source_stream, algorithm=header.algorithm, verifier=self.verifier) self._derived_data_key = derive_data_encryption_key( source_key=decryption_materials.data_key.data_key, algorithm=header.algorithm, message_id=header.message_id) if header.algorithm.is_committing(): expected_commitment_key = calculate_commitment_key( source_key=decryption_materials.data_key.data_key, algorithm=header.algorithm, message_id=header.message_id, ) if not hmac.compare_digest(expected_commitment_key, header.commitment_key): raise MasterKeyProviderError( "Key commitment validation failed. Key identity does not match the identity asserted in the " "message. Halting processing of this message.") validate_header(header=header, header_auth=header_auth, raw_header=raw_header, data_key=self._derived_data_key) return header, header_auth