def test_calculate_commitment_key(patch_default_backend, patch_struct):
algorithm = MagicMock()
algorithm.kdf_hash_type.return_value = sentinel.kdf_hash_type
algorithm.is_committing.return_value = False
test = data_keys.calculate_commitment_key(
source_key=sentinel.source_key, algorithm=algorithm, message_id=sentinel.message_id
)
patch_struct.pack.assert_called_with(">9s", data_keys.COMMIT_LABEL)
algorithm.kdf_type.assert_called_with(
algorithm=sentinel.kdf_hash_type,
length=data_keys.L_C,
salt=sentinel.message_id,
info=patch_struct.pack.return_value,
backend=patch_default_backend.return_value,
)
algorithm.kdf_type.return_value.derive.assert_called_with(sentinel.source_key)
assert test == algorithm.kdf_type.return_value.derive.return_value
def generate_header(self, message_id):
"""Generates the header object.
:param message_id: The randomly generated id for the message
:type message_id: bytes
"""
version = VERSION
if self._encryption_materials.algorithm.message_format_version == 0x02:
version = SerializationVersion.V2
kwargs = dict(
version=version,
algorithm=self._encryption_materials.algorithm,
message_id=message_id,
encryption_context=self._encryption_materials.encryption_context,
encrypted_data_keys=self._encryption_materials.encrypted_data_keys,
content_type=self.content_type,
frame_length=self.config.frame_length,
)
if self._encryption_materials.algorithm.is_committing():
commitment_key = calculate_commitment_key(
source_key=self._encryption_materials.data_encryption_key.
data_key,
algorithm=self._encryption_materials.algorithm,
message_id=message_id,
)
kwargs["commitment_key"] = commitment_key
if version == SerializationVersion.V1:
kwargs["type"] = TYPE
kwargs["content_aad_length"] = 0
kwargs[
"header_iv_length"] = self._encryption_materials.algorithm.iv_len
return MessageHeader(**kwargs)
def _read_header(self):
"""Reads the message header from the input stream.
:returns: tuple containing deserialized header and header_auth objects
:rtype: tuple of aws_encryption_sdk.structures.MessageHeader
and aws_encryption_sdk.internal.structures.MessageHeaderAuthentication
:raises CustomMaximumValueExceeded: if frame length is greater than the custom max value
"""
header, raw_header = deserialize_header(self.source_stream)
self.__unframed_bytes_read += len(raw_header)
validate_commitment_policy_on_decrypt(self.config.commitment_policy,
header.algorithm)
if (self.config.max_body_length is not None
and header.content_type == ContentType.FRAMED_DATA
and header.frame_length > self.config.max_body_length):
raise CustomMaximumValueExceeded(
"Frame Size in header found larger than custom value: {found:d} > {custom:d}"
.format(found=header.frame_length,
custom=self.config.max_body_length))
decrypt_materials_request = DecryptionMaterialsRequest(
encrypted_data_keys=header.encrypted_data_keys,
algorithm=header.algorithm,
encryption_context=header.encryption_context,
commitment_policy=self.config.commitment_policy,
)
decryption_materials = self.config.materials_manager.decrypt_materials(
request=decrypt_materials_request)
if decryption_materials.verification_key is None:
self.verifier = None
else:
self.verifier = Verifier.from_key_bytes(
algorithm=header.algorithm,
key_bytes=decryption_materials.verification_key)
if self.verifier is not None:
self.verifier.update(raw_header)
header_auth = deserialize_header_auth(version=header.version,
stream=self.source_stream,
algorithm=header.algorithm,
verifier=self.verifier)
self._derived_data_key = derive_data_encryption_key(
source_key=decryption_materials.data_key.data_key,
algorithm=header.algorithm,
message_id=header.message_id)
if header.algorithm.is_committing():
expected_commitment_key = calculate_commitment_key(
source_key=decryption_materials.data_key.data_key,
algorithm=header.algorithm,
message_id=header.message_id,
)
if not hmac.compare_digest(expected_commitment_key,
header.commitment_key):
raise MasterKeyProviderError(
"Key commitment validation failed. Key identity does not match the identity asserted in the "
"message. Halting processing of this message.")
validate_header(header=header,
header_auth=header_auth,
raw_header=raw_header,
data_key=self._derived_data_key)
return header, header_auth