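def generate_data_key(acs_client, key_id):
    """Ask KMS to generate a data key under the master key ``key_id``.

    Args:
        acs_client: Client object exposing ``do_action_with_exception``.
        key_id: Identifier of the customer master key that wraps the data key.

    Returns:
        A ``(plaintext, cipher_text_blob)`` tuple taken from
        ``GenerateDataKeyResponse``. The plaintext half is key material:
        keep it in memory only, and persist just the cipher text blob
        alongside whatever the key encrypts.
        NOTE(review): whether the plaintext is still base64-encoded at this
        point depends on ``GenerateDataKeyResponse`` -- confirm before using
        it as a cipher key.

    Raises:
        Whatever ``do_action_with_exception`` raises on a failed call.
    """
    request = GenerateDataKeyRequest.GenerateDataKeyRequest()
    request.set_accept_format('JSON')
    # The response body carries the plaintext data key, so pin the transport
    # to TLS explicitly instead of relying on the client's default protocol.
    request.set_protocol_type('https')
    request.set_KeyId(key_id)
    response = GenerateDataKeyResponse(
        acs_client.do_action_with_exception(request))
    return response.get_plaintext(), response.get_cipher_text_blob()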
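def envelope_encrypt(cmk_id, plainText):
    """Envelope-encrypt ``plainText`` with a one-off data key issued by KMS.

    A data key is requested from KMS under the master key ``cmk_id``; the
    plaintext copy of that key encrypts the payload locally with AES-CBC and
    only the KMS-wrapped copy is returned to the caller.

    Args:
        cmk_id: Identifier of the customer master key.
        plainText: Payload to encrypt. It is handed straight to ``pad``, so
            it is presumably expected to be ``bytes`` -- encode text first.

    Returns:
        ``[cipherText, encrypted_data_key, context]`` where ``cipherText`` is
        base64 of ``IV || ciphertext``, ``encrypted_data_key`` is the
        ``CiphertextBlob`` from KMS, and ``context`` is the encryption
        context string sent with the request. All three must be stored to
        decrypt later; none of them is secret.

    Raises:
        KeyError: if the KMS reply lacks ``Plaintext`` or ``CiphertextBlob``.
        Whatever ``CLIENT.do_action_with_exception`` raises on a failed call.
    """
    request = GenerateDataKeyRequest.GenerateDataKeyRequest()

    # Master key, 256-bit data key, JSON reply, TLS transport. TLS matters
    # here because the reply contains the plaintext data key.
    request.set_KeyId(cmk_id)
    request.set_KeySpec('AES_256')
    request.set_accept_format('json')
    request.set_protocol_type('https')

    # Encryption context: non-secret key/value data sent to KMS with the
    # request. It is returned to the caller because the same string has to be
    # presented again when the data key is unwrapped.
    # NOTE(review): the context is hard-coded sample data; real callers would
    # derive it from the record being protected.
    context = '{"author":"lewis carrol", "year":"1865", "publisher":"project gutenberg"}'
    request.set_EncryptionContext(context)

    # Parse the reply once and pull both copies of the data key out of it,
    # so a malformed reply fails before any encryption work is done.
    reply = json.loads(CLIENT.do_action_with_exception(request))
    data_key = b64decode(reply['Plaintext'])
    encrypted_data_key = reply['CiphertextBlob']

    # No IV is passed, so the library chooses one; it is prepended to the
    # ciphertext so the decrypting side can recover it.
    # NOTE(review): CBC gives confidentiality only. The output carries no
    # MAC, so tampering is not detected on decrypt, and the encryption
    # context is not bound to the payload itself. Moving to an AEAD mode
    # would change the stored format, so it is flagged here rather than
    # changed.
    cipher = AES.new(data_key, AES.MODE_CBC)
    cipherText = b64encode(cipher.iv + cipher.encrypt(pad(plainText, AES.block_size)))

    # Rebinding a name does not wipe key bytes in Python (the decoded key and
    # the raw reply are immutable objects), so no "zeroing" is attempted.
    # The plaintext key is confined to locals and is never returned or logged;
    # it becomes unreachable when this function returns.
    return [cipherText, encrypted_data_key, context]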
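def kms_generate_data_key(client, key_alias):
    """Request a 32-byte data key from KMS under ``key_alias``.

    Args:
        client: Client object exposing ``do_action_with_exception``.
        key_alias: Value passed to ``set_KeyId`` to select the master key.

    Returns:
        A ``(plaintext, cipher_text)`` tuple holding the ``Plaintext`` and
        ``CiphertextBlob`` fields of the JSON reply, returned as they appear
        in the reply with no base64 decoding done here. Either element is
        ``None`` when the field is absent, so callers must check the
        plaintext before using it as a key.

    Raises:
        Whatever ``do_action_with_exception`` or ``json.loads`` raises.
    """
    request = GenerateDataKeyRequest.GenerateDataKeyRequest()
    request.set_accept_format('JSON')
    # The reply contains the plaintext data key, so require TLS explicitly
    # instead of depending on the client's default protocol.
    request.set_protocol_type('https')
    request.set_KeyId(key_alias)
    request.set_NumberOfBytes(32)  # 32 bytes = 256-bit key
    response = json.loads(client.do_action_with_exception(request))
    plaintext = response.get('Plaintext')
    cipher_text = response.get('CiphertextBlob')
    return plaintext, cipher_text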
    def __generate_data_key(self):
        """Obtain a new AES-256 data key from KMS for this instance.

        The request names ``self.custom_master_key_id`` as the wrapping key,
        carries ``self.context`` as the encryption context and, when
        ``self.sts_token`` is set, attaches it as the STS token.

        Returns:
            ``(plaintext_key, wrapped_key)``: the ``Plaintext`` field passed
            through ``b64decode_from_string`` and the ``CiphertextBlob``
            field as returned. The first element is raw key material and
            should stay in memory only.
        """
        request = GenerateDataKeyRequest.GenerateDataKeyRequest()

        # Wire format and HTTP verb for the call
        request.set_accept_format(format_type.JSON)
        request.set_method(method_type.POST)

        # Which master key wraps the data key, and what kind of key to issue
        request.set_KeyId(self.custom_master_key_id)
        request.set_KeySpec('AES_256')
        request.set_NumberOfBytes(32)
        request.set_EncryptionContext(self.context)

        # Temporary credentials are optional; only attach a token if present
        if self.sts_token:
            request.set_STSToken(self.sts_token)

        reply = self.__do(request)

        plaintext_key = b64decode_from_string(reply['Plaintext'])
        wrapped_key = reply['CiphertextBlob']
        return plaintext_key, wrapped_key
from Crypto import Random
import base64


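def aes256pad(s):
    """Pad ``s`` up to the next multiple of 32 units, PKCS#7-style.

    Between 1 and 32 padding units are appended, each holding the pad length,
    so input that is already aligned still gains a full 32 units of padding.

    Args:
        s: ``str``, ``bytes`` or ``bytearray``. Text is padded with
            ``chr(pad_len)`` characters and binary input with bytes of value
            ``pad_len``.

    Returns:
        ``s`` followed by the padding, of the same kind as the input.

    Notes:
        * The 32 comes from the key size in the name, but AES always works
          on 16-byte blocks. The result is still block-aligned; however, a
          PKCS#7 unpadder set up for 16-byte blocks will not accept pad
          lengths above 16, so the reader has to strip with this same
          32-unit rule.
        * For ``str`` the length is counted in characters. Text containing
          non-ASCII characters should be encoded to bytes *before* padding,
          otherwise the encoded length may not be a multiple of the block
          size.
    """
    pad_len = 32 - len(s) % 32
    if isinstance(s, (bytes, bytearray)):
        # Binary input cannot be concatenated with str padding
        return s + bytes([pad_len]) * pad_len
    return s + chr(pad_len) * pad_len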


if __name__ == '__main__':
    # Script entry point: request a data key from KMS and split the reply
    # into its plaintext and KMS-encrypted copies.

    # Define the AccessKey credentials. These are placeholders; real values
    # should come from the environment or a credential provider rather than
    # being committed in source.
    accesskeyid = "<Your AccessKeyId>"
    accesssecret = "<Your AccessKeySecret>"
    # Initialise the client (region is fixed to ap-northeast-1)
    clt = client.AcsClient(accesskeyid, accesssecret, "ap-northeast-1")
    # Build the request for the KMS OpenAPI GenerateDataKey call
    genrequest = GenerateDataKeyRequest.GenerateDataKeyRequest()
    # keyid is the ID of the CMK created in the KMS console.
    # NOTE(review): the placeholder ends with a trailing space inside the
    # quotes; make sure the real ID is substituted without it.
    keyid = '<Your keyid> '
    genrequest.set_KeyId(keyid)
    genrequest.set_KeySpec("AES_256")
    # Ask for a JSON-formatted response
    genrequest.set_accept_format("json")
    # KMS only supports HTTPS requests
    genrequest.set_protocol_type("https")
    genresp = clt.do_action_with_exception(genrequest)
    # Parse the response into a dict holding both copies of the data key
    datakeydict = json.loads(genresp)
    # Plaintext data key, base64-decoded to raw bytes. This is live key
    # material: keep it in memory only and never log or persist it.
    datakey = base64.b64decode(datakeydict["Plaintext"])
    # KMS-encrypted copy of the data key; this is the copy that is safe to
    # store next to the data it protects.
    cipherdatakey = datakeydict["CiphertextBlob"]