def test_encrypt_load_header_v2(): """Test that StreamEncryptor can extract header without reading plaintext.""" # Using a non-signed algorithm to simplify header size calculation algorithm = aws_encryption_sdk.Algorithm.AES_256_GCM_HKDF_SHA512_COMMIT_KEY key_provider = fake_kms_key_provider(algorithm.kdf_input_len) header_length = 1 # version header_length += 2 # algorithm id header_length += 32 # message id header_length += 2 # aad len s = serialize_encryption_context(VALUES["encryption_context"]) header_length += len(s) header_length += 2 # encrypted data key count header_length += 6 + 7 + len(VALUES["arn"]) + len( VALUES["data_keys"][algorithm.kdf_input_len]["encrypted"]) header_length += 1 # content type header_length += 4 # frame length header_length += 32 # algorithm suite data header_length += algorithm.auth_len # authentication tag with aws_encryption_sdk.EncryptionSDKClient().stream( mode="e", source=VALUES["plaintext_128"], key_provider=key_provider, encryption_context=VALUES["encryption_context"], algorithm=algorithm, frame_length=1024, ) as encryptor: encryptor_header = encryptor.header # Ensure that only the header has been written into the output buffer assert len(encryptor.output_buffer) == header_length assert encryptor_header.encryption_context == VALUES["encryption_context"]
def encrypt(self, plaintext_data_key, encryption_context): """Encrypts a data key using a direct wrapping key. :param bytes plaintext_data_key: Data key to encrypt :param dict encryption_context: Encryption context to use in encryption :returns: Deserialized object containing encrypted key :rtype: aws_encryption_sdk.internal.structures.EncryptedData """ if self.wrapping_algorithm.encryption_type is EncryptionType.ASYMMETRIC: if self.wrapping_key_type is EncryptionKeyType.PRIVATE: encrypted_key = self._wrapping_key.public_key().encrypt( plaintext=plaintext_data_key, padding=self.wrapping_algorithm.padding) else: encrypted_key = self._wrapping_key.encrypt( plaintext=plaintext_data_key, padding=self.wrapping_algorithm.padding) return EncryptedData(iv=None, ciphertext=encrypted_key, tag=None) serialized_encryption_context = serialize_encryption_context( encryption_context=encryption_context) iv = os.urandom(self.wrapping_algorithm.algorithm.iv_len) return encrypt(algorithm=self.wrapping_algorithm.algorithm, key=self._derived_wrapping_key, plaintext=plaintext_data_key, associated_data=serialized_encryption_context, iv=iv)
def decrypt(self, encrypted_wrapped_data_key, encryption_context): """Decrypts a wrapped, encrypted, data key. :param encrypted_wrapped_data_key: Encrypted, wrapped, data key :type encrypted_wrapped_data_key: aws_encryption_sdk.internal.structures.EncryptedData :param dict encryption_context: Encryption context to use in decryption :returns: Plaintext of data key :rtype: bytes """ if self.wrapping_key_type is EncryptionKeyType.PUBLIC: raise IncorrectMasterKeyError('Public key cannot decrypt') if self.wrapping_key_type is EncryptionKeyType.PRIVATE: return self._wrapping_key.decrypt( ciphertext=encrypted_wrapped_data_key.ciphertext, padding=self.wrapping_algorithm.padding) serialized_encryption_context = serialize_encryption_context( encryption_context=encryption_context) return decrypt(algorithm=self.wrapping_algorithm.algorithm, key=self._derived_wrapping_key, encrypted_data=encrypted_wrapped_data_key, associated_data=serialized_encryption_context)
def test_encrypt_load_header(): """Test that StreamEncryptor can extract header without reading plaintext.""" # Using a non-signed algorithm to simplify header size calculation algorithm = aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA256 key_provider = fake_kms_key_provider(algorithm.kdf_input_len) header_length = len(serialize_encryption_context(VALUES["encryption_context"])) header_length += 34 header_length += algorithm.iv_len header_length += algorithm.auth_len header_length += 6 + 7 + len(VALUES["arn"]) + len(VALUES["data_keys"][algorithm.kdf_input_len]["encrypted"]) with aws_encryption_sdk.stream( mode="e", source=VALUES["plaintext_128"], key_provider=key_provider, encryption_context=VALUES["encryption_context"], algorithm=algorithm, frame_length=1024, ) as encryptor: encryptor_header = encryptor.header # Ensure that only the header has been written into the output buffer assert len(encryptor.output_buffer) == header_length assert encryptor_header.encryption_context == VALUES["encryption_context"]
def test_encrypt_load_header(self): """Test that StreamEncryptor can extract header without reading plaintext.""" # Using a non-signed algorithm to simplify header size calculation algorithm = aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA256 header_length = len( serialize_encryption_context(VALUES['encryption_context'])) header_length += 34 header_length += algorithm.iv_len header_length += algorithm.auth_len header_length += 6 + 7 + len(VALUES['arn']) + len( VALUES['encrypted_data_key']) with aws_encryption_sdk.stream( mode='e', source=VALUES['plaintext_128'], key_provider=self.mock_kms_key_provider, encryption_context=VALUES['encryption_context'], algorithm=algorithm, frame_length=1024) as encryptor: encryptor_header = encryptor.header # Ensure that only the header has been written into the output buffer assert len(encryptor.output_buffer) == header_length assert encryptor_header.encryption_context == VALUES[ 'encryption_context']