def test_encrypt_load_header_v2():
"""Test that StreamEncryptor can extract header without reading plaintext."""
# Using a non-signed algorithm to simplify header size calculation
algorithm = aws_encryption_sdk.Algorithm.AES_256_GCM_HKDF_SHA512_COMMIT_KEY
key_provider = fake_kms_key_provider(algorithm.kdf_input_len)
header_length = 1 # version
header_length += 2 # algorithm id
header_length += 32 # message id
header_length += 2 # aad len
s = serialize_encryption_context(VALUES["encryption_context"])
header_length += len(s)
header_length += 2 # encrypted data key count
header_length += 6 + 7 + len(VALUES["arn"]) + len(
VALUES["data_keys"][algorithm.kdf_input_len]["encrypted"])
header_length += 1 # content type
header_length += 4 # frame length
header_length += 32 # algorithm suite data
header_length += algorithm.auth_len # authentication tag
with aws_encryption_sdk.EncryptionSDKClient().stream(
mode="e",
source=VALUES["plaintext_128"],
key_provider=key_provider,
encryption_context=VALUES["encryption_context"],
algorithm=algorithm,
frame_length=1024,
) as encryptor:
encryptor_header = encryptor.header
# Ensure that only the header has been written into the output buffer
assert len(encryptor.output_buffer) == header_length
assert encryptor_header.encryption_context == VALUES["encryption_context"]
def encrypt(self, plaintext_data_key, encryption_context):
"""Encrypts a data key using a direct wrapping key.
:param bytes plaintext_data_key: Data key to encrypt
:param dict encryption_context: Encryption context to use in encryption
:returns: Deserialized object containing encrypted key
:rtype: aws_encryption_sdk.internal.structures.EncryptedData
"""
if self.wrapping_algorithm.encryption_type is EncryptionType.ASYMMETRIC:
if self.wrapping_key_type is EncryptionKeyType.PRIVATE:
encrypted_key = self._wrapping_key.public_key().encrypt(
plaintext=plaintext_data_key,
padding=self.wrapping_algorithm.padding)
else:
encrypted_key = self._wrapping_key.encrypt(
plaintext=plaintext_data_key,
padding=self.wrapping_algorithm.padding)
return EncryptedData(iv=None, ciphertext=encrypted_key, tag=None)
serialized_encryption_context = serialize_encryption_context(
encryption_context=encryption_context)
iv = os.urandom(self.wrapping_algorithm.algorithm.iv_len)
return encrypt(algorithm=self.wrapping_algorithm.algorithm,
key=self._derived_wrapping_key,
plaintext=plaintext_data_key,
associated_data=serialized_encryption_context,
iv=iv)
def decrypt(self, encrypted_wrapped_data_key, encryption_context):
"""Decrypts a wrapped, encrypted, data key.
:param encrypted_wrapped_data_key: Encrypted, wrapped, data key
:type encrypted_wrapped_data_key: aws_encryption_sdk.internal.structures.EncryptedData
:param dict encryption_context: Encryption context to use in decryption
:returns: Plaintext of data key
:rtype: bytes
"""
if self.wrapping_key_type is EncryptionKeyType.PUBLIC:
raise IncorrectMasterKeyError('Public key cannot decrypt')
if self.wrapping_key_type is EncryptionKeyType.PRIVATE:
return self._wrapping_key.decrypt(
ciphertext=encrypted_wrapped_data_key.ciphertext,
padding=self.wrapping_algorithm.padding)
serialized_encryption_context = serialize_encryption_context(
encryption_context=encryption_context)
return decrypt(algorithm=self.wrapping_algorithm.algorithm,
key=self._derived_wrapping_key,
encrypted_data=encrypted_wrapped_data_key,
associated_data=serialized_encryption_context)
def test_encrypt_load_header():
"""Test that StreamEncryptor can extract header without reading plaintext."""
# Using a non-signed algorithm to simplify header size calculation
algorithm = aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA256
key_provider = fake_kms_key_provider(algorithm.kdf_input_len)
header_length = len(serialize_encryption_context(VALUES["encryption_context"]))
header_length += 34
header_length += algorithm.iv_len
header_length += algorithm.auth_len
header_length += 6 + 7 + len(VALUES["arn"]) + len(VALUES["data_keys"][algorithm.kdf_input_len]["encrypted"])
with aws_encryption_sdk.stream(
mode="e",
source=VALUES["plaintext_128"],
key_provider=key_provider,
encryption_context=VALUES["encryption_context"],
algorithm=algorithm,
frame_length=1024,
) as encryptor:
encryptor_header = encryptor.header
# Ensure that only the header has been written into the output buffer
assert len(encryptor.output_buffer) == header_length
assert encryptor_header.encryption_context == VALUES["encryption_context"]
def test_encrypt_load_header(self):
"""Test that StreamEncryptor can extract header without reading plaintext."""
# Using a non-signed algorithm to simplify header size calculation
algorithm = aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA256
header_length = len(
serialize_encryption_context(VALUES['encryption_context']))
header_length += 34
header_length += algorithm.iv_len
header_length += algorithm.auth_len
header_length += 6 + 7 + len(VALUES['arn']) + len(
VALUES['encrypted_data_key'])
with aws_encryption_sdk.stream(
mode='e',
source=VALUES['plaintext_128'],
key_provider=self.mock_kms_key_provider,
encryption_context=VALUES['encryption_context'],
algorithm=algorithm,
frame_length=1024) as encryptor:
encryptor_header = encryptor.header
# Ensure that only the header has been written into the output buffer
assert len(encryptor.output_buffer) == header_length
assert encryptor_header.encryption_context == VALUES[
'encryption_context']
