def _key_check(self, data_key):
    """Reject a Data Key whose key provider is not this Master Key's provider.

    This is a guard meant to run before the Master Key operates on a data
    key. It delegates the ownership decision to ``self.owns_data_key`` and
    returns ``None`` when that call reports a match.

    :param data_key: Data Key to verify
    :type data_key: :class:`aws_encryption_sdk.structures.RawDataKey`,
        :class:`aws_encryption_sdk.structures.DataKey`,
        or :class:`aws_encryption_sdk.structures.EncryptedDataKey`
    :raises IncorrectMasterKeyError: if Data Key's key provider does not match this Master Key
    """
    # NOTE(review): owns_data_key is defined outside this block; judging by the
    # error text it compares key provider information rather than key
    # material -- confirm before treating a pass as proof of key authenticity.
    if self.owns_data_key(data_key):
        return

    # Both provider values are embedded in the message so a mismatch can be
    # diagnosed from the exception alone.
    # NOTE(review): confirm key_provider never carries secret material before
    # this exception text is written to logs.
    mismatch_message = (
        "Provided data key provider {key} does not match Master Key provider {master}"
    ).format(key=data_key.key_provider, master=self.key_provider)
    raise IncorrectMasterKeyError(mismatch_message)
def decrypt(self, encrypted_wrapped_data_key, encryption_context):
    """Unwrap an encrypted data key using this wrapping key.

    The path taken depends on ``self.wrapping_key_type``:

    * ``EncryptionKeyType.PUBLIC``: refused, a public key cannot decrypt.
    * ``EncryptionKeyType.PRIVATE``: the ciphertext is decrypted with the
      wrapping key and the wrapping algorithm's padding. The encryption
      context is not an input to this call.
    * any other key type: the encryption context is serialized and passed as
      associated data to the module-level ``decrypt`` helper together with
      the derived wrapping key.

    :param encrypted_wrapped_data_key: Encrypted, wrapped, data key
    :type encrypted_wrapped_data_key: aws_encryption_sdk.internal.structures.EncryptedData
    :param dict encryption_context: Encryption context to use in decryption
    :returns: Plaintext of data key
    :rtype: bytes
    :raises IncorrectMasterKeyError: if the wrapping key is a public key
    """
    key_type = self.wrapping_key_type

    # Fail closed: a public wrapping key holds no private component.
    if key_type is EncryptionKeyType.PUBLIC:
        raise IncorrectMasterKeyError('Public key cannot decrypt')

    if key_type is EncryptionKeyType.PRIVATE:
        # Only the ciphertext field and the padding reach this call, so the
        # unwrap itself does not bind encryption_context to the wrapped key
        # on this path; any context check has to happen elsewhere.
        return self._wrapping_key.decrypt(
            ciphertext=encrypted_wrapped_data_key.ciphertext,
            padding=self.wrapping_algorithm.padding,
        )

    # Remaining key types: the serialized context travels as associated data.
    # NOTE(review): presumably the helper is an authenticated decrypt that
    # fails when the context differs from the one used to wrap -- confirm
    # against the helper's implementation.
    associated_data = serialize_encryption_context(encryption_context=encryption_context)
    return decrypt(
        algorithm=self.wrapping_algorithm.algorithm,
        key=self._derived_wrapping_key,
        encrypted_data=encrypted_wrapped_data_key,
        associated_data=associated_data,
    )