def validate_header(header, header_auth, stream, header_start, header_end, data_key): """Validates the header using the header authentication data. :param header: Deserialized header :type header: aws_encryption_sdk.structures.MessageHeader :param header_auth: Deserialized header auth :type header_auth: aws_encryption_sdk.internal.structures.MessageHeaderAuthentication :param stream: Stream containing serialized message :type stream: io.BytesIO :param int header_start: Position in stream of start of serialized header :param int header_end: Position in stream of end of serialized header :param bytes data_key: Data key with which to perform validation :raises SerializationError: if header authorization fails """ _LOGGER.debug('Starting header validation') current_position = stream.tell() stream.seek(header_start) try: decrypt(algorithm=header.algorithm, key=data_key, encrypted_data=EncryptedData(header_auth.iv, b'', header_auth.tag), associated_data=stream.read(header_end - header_start)) except InvalidTag: raise SerializationError('Header authorization failed') stream.seek(current_position)
def test_decrypt(patch_decryptor): patch_decryptor.return_value.update.return_value = b'some data-' patch_decryptor.return_value.finalize.return_value = b'some more data' test = decrypt( algorithm=sentinel.algorithm, key=sentinel.key, encrypted_data=MagicMock( iv=sentinel.iv, tag=sentinel.tag, ciphertext=sentinel.ciphertext ), associated_data=sentinel.aad ) patch_decryptor.assert_called_once_with( sentinel.algorithm, sentinel.key, sentinel.aad, sentinel.iv, sentinel.tag ) patch_decryptor.return_value.update.assert_called_once_with(sentinel.ciphertext) patch_decryptor.return_value.finalize.assert_called_once_with() assert test == b'some data-some more data'
def validate_header(header, header_auth, raw_header, data_key): """Validates the header using the header authentication data. :param header: Deserialized header :type header: aws_encryption_sdk.structures.MessageHeader :param header_auth: Deserialized header auth :type header_auth: aws_encryption_sdk.internal.structures.MessageHeaderAuthentication :type stream: io.BytesIO :param bytes raw_header: Raw header bytes :param bytes data_key: Data key with which to perform validation :raises SerializationError: if header authorization fails """ _LOGGER.debug('Starting header validation') try: decrypt(algorithm=header.algorithm, key=data_key, encrypted_data=EncryptedData(header_auth.iv, b'', header_auth.tag), associated_data=raw_header) except InvalidTag: raise SerializationError('Header authorization failed')
def _read_bytes_from_framed_body(self, b): """Reads the requested number of bytes from a streaming framed message body. :param int b: Number of bytes to read :returns: Bytes read from source stream and decrypted :rtype: bytes """ plaintext = b'' final_frame = False _LOGGER.debug('collecting %s bytes', b) while len(plaintext) < b and not final_frame: _LOGGER.debug('Reading frame') frame_data, final_frame = aws_encryption_sdk.internal.formatting.deserialize.deserialize_frame( stream=self.source_stream, header=self._header, verifier=self.verifier ) _LOGGER.debug('Read complete for frame %s', frame_data.sequence_number) if frame_data.sequence_number != self.last_sequence_number + 1: raise SerializationError('Malformed message: frames out of order') self.last_sequence_number += 1 aad_content_string = aws_encryption_sdk.internal.utils.get_aad_content_string( content_type=self._header.content_type, is_final_frame=frame_data.final_frame ) associated_data = aws_encryption_sdk.internal.formatting.encryption_context.assemble_content_aad( message_id=self._header.message_id, aad_content_string=aad_content_string, seq_num=frame_data.sequence_number, length=len(frame_data.ciphertext) ) plaintext += decrypt( algorithm=self._header.algorithm, key=self._derived_data_key, encrypted_data=frame_data, associated_data=associated_data ) _LOGGER.debug('bytes collected: %s', len(plaintext)) if final_frame: _LOGGER.debug('Reading footer') self.footer = aws_encryption_sdk.internal.formatting.deserialize.deserialize_footer( stream=self.source_stream, verifier=self.verifier ) self.source_stream.close() return plaintext