def validate_header(header, header_auth, stream, header_start, header_end,
data_key):
"""Validates the header using the header authentication data.
:param header: Deserialized header
:type header: aws_encryption_sdk.structures.MessageHeader
:param header_auth: Deserialized header auth
:type header_auth: aws_encryption_sdk.internal.structures.MessageHeaderAuthentication
:param stream: Stream containing serialized message
:type stream: io.BytesIO
:param int header_start: Position in stream of start of serialized header
:param int header_end: Position in stream of end of serialized header
:param bytes data_key: Data key with which to perform validation
:raises SerializationError: if header authorization fails
"""
_LOGGER.debug('Starting header validation')
current_position = stream.tell()
stream.seek(header_start)
try:
decrypt(algorithm=header.algorithm,
key=data_key,
encrypted_data=EncryptedData(header_auth.iv, b'',
header_auth.tag),
associated_data=stream.read(header_end - header_start))
except InvalidTag:
raise SerializationError('Header authorization failed')
stream.seek(current_position)
def test_decrypt(patch_decryptor):
patch_decryptor.return_value.update.return_value = b'some data-'
patch_decryptor.return_value.finalize.return_value = b'some more data'
test = decrypt(
algorithm=sentinel.algorithm,
key=sentinel.key,
encrypted_data=MagicMock(
iv=sentinel.iv,
tag=sentinel.tag,
ciphertext=sentinel.ciphertext
),
associated_data=sentinel.aad
)
patch_decryptor.assert_called_once_with(
sentinel.algorithm,
sentinel.key,
sentinel.aad,
sentinel.iv,
sentinel.tag
)
patch_decryptor.return_value.update.assert_called_once_with(sentinel.ciphertext)
patch_decryptor.return_value.finalize.assert_called_once_with()
assert test == b'some data-some more data'
def validate_header(header, header_auth, raw_header, data_key):
"""Validates the header using the header authentication data.
:param header: Deserialized header
:type header: aws_encryption_sdk.structures.MessageHeader
:param header_auth: Deserialized header auth
:type header_auth: aws_encryption_sdk.internal.structures.MessageHeaderAuthentication
:type stream: io.BytesIO
:param bytes raw_header: Raw header bytes
:param bytes data_key: Data key with which to perform validation
:raises SerializationError: if header authorization fails
"""
_LOGGER.debug('Starting header validation')
try:
decrypt(algorithm=header.algorithm,
key=data_key,
encrypted_data=EncryptedData(header_auth.iv, b'',
header_auth.tag),
associated_data=raw_header)
except InvalidTag:
raise SerializationError('Header authorization failed')
def _read_bytes_from_framed_body(self, b):
"""Reads the requested number of bytes from a streaming framed message body.
:param int b: Number of bytes to read
:returns: Bytes read from source stream and decrypted
:rtype: bytes
"""
plaintext = b''
final_frame = False
_LOGGER.debug('collecting %s bytes', b)
while len(plaintext) < b and not final_frame:
_LOGGER.debug('Reading frame')
frame_data, final_frame = aws_encryption_sdk.internal.formatting.deserialize.deserialize_frame(
stream=self.source_stream,
header=self._header,
verifier=self.verifier
)
_LOGGER.debug('Read complete for frame %s', frame_data.sequence_number)
if frame_data.sequence_number != self.last_sequence_number + 1:
raise SerializationError('Malformed message: frames out of order')
self.last_sequence_number += 1
aad_content_string = aws_encryption_sdk.internal.utils.get_aad_content_string(
content_type=self._header.content_type,
is_final_frame=frame_data.final_frame
)
associated_data = aws_encryption_sdk.internal.formatting.encryption_context.assemble_content_aad(
message_id=self._header.message_id,
aad_content_string=aad_content_string,
seq_num=frame_data.sequence_number,
length=len(frame_data.ciphertext)
)
plaintext += decrypt(
algorithm=self._header.algorithm,
key=self._derived_data_key,
encrypted_data=frame_data,
associated_data=associated_data
)
_LOGGER.debug('bytes collected: %s', len(plaintext))
if final_frame:
_LOGGER.debug('Reading footer')
self.footer = aws_encryption_sdk.internal.formatting.deserialize.deserialize_footer(
stream=self.source_stream,
verifier=self.verifier
)
self.source_stream.close()
return plaintext
