Module: Aws::S3::Encryption::Utils Private

Defined in:

lib/aws-sdk-s3/encryption/utils.rb

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

Constant Summary

UNSAFE_MSG =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"unsafe encryption, data is longer than key length"

Class Method Summary

• .aes_cipher(mode, block_mode, key, iv) ⇒ Object private
• .aes_decryption_cipher(block_mode, key = nil, iv = nil) ⇒ Object private
• .aes_encryption_cipher(block_mode, key = nil, iv = nil) ⇒ Object private
• .cipher_size(key) ⇒ Integer private
• .decrypt(key, data) ⇒ Object private
• .decrypt_aes_gcm(key, data, auth_data) ⇒ Object private
• .decrypt_rsa(key, enc_data) ⇒ Object private

  returns the decrypted data + auth_data.

• .encrypt(key, data) ⇒ Object private

Class Method Details

.aes_cipher(mode, block_mode, key, iv) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

• mode (String) —

  “encrypt” or “decrypt”

• block_mode (String) —

  “CBC” or “ECB”

• key (OpenSSL::PKey::RSA, String, nil)
• iv (String, nil) —

  The initialization vector

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 83

def aes_cipher(mode, block_mode, key, iv)
  cipher = key ?
    OpenSSL::Cipher.new("aes-#{cipher_size(key)}-#{block_mode.downcase}") :
    OpenSSL::Cipher.new("aes-256-#{block_mode.downcase}")
  cipher.send(mode) # encrypt or decrypt
  cipher.key = key if key
  cipher.iv = iv if iv
  cipher
end

.aes_decryption_cipher(block_mode, key = nil, iv = nil) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

• block_mode (String) —

  “CBC” or “ECB”

• key (OpenSSL::PKey::RSA, String, nil) (defaults to: nil)
• iv (String, nil) (defaults to: nil) —

  The initialization vector

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 75

def aes_decryption_cipher(block_mode, key = nil, iv = nil)
  aes_cipher(:decrypt, block_mode, key, iv)
end

.aes_encryption_cipher(block_mode, key = nil, iv = nil) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

• block_mode (String) —

  “CBC” or “ECB”

• key (OpenSSL::PKey::RSA, String, nil) (defaults to: nil)
• iv (String, nil) (defaults to: nil) —

  The initialization vector

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 68

def aes_encryption_cipher(block_mode, key = nil, iv = nil)
  aes_cipher(:encrypt, block_mode, key, iv)
end

.cipher_size(key) ⇒ Integer

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

• key (String)

Returns:

• (Integer)

Raises:

• ArgumentError

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 96

def cipher_size(key)
  key.bytesize * 8
end

.decrypt(key, data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 27

def decrypt(key, data)
  begin
    case key
    when OpenSSL::PKey::RSA # asymmetric decryption
      key.private_decrypt(data)
    when String # symmetric Decryption
      cipher = aes_cipher(:decrypt, :ECB, key, nil)
      cipher.update(data) + cipher.final
    end
  rescue OpenSSL::Cipher::CipherError
    msg = 'decryption failed, possible incorrect key'
    raise Errors::DecryptionError, msg
  end
end

.decrypt_aes_gcm(key, data, auth_data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 43

def decrypt_aes_gcm(key, data, auth_data)
  # data is iv (12B) + key + tag (16B)
  buf = data.unpack('C*')
  iv = buf[0,12].pack('C*') # iv will always be 12 bytes
  tag = buf[-16, 16].pack('C*') # tag is 16 bytes
  enc_key = buf[12, buf.size - (12+16)].pack('C*')
  cipher = aes_cipher(:decrypt, :GCM, key, iv)
  cipher.auth_tag = tag
  cipher.auth_data = auth_data
  cipher.update(enc_key) + cipher.final
end

.decrypt_rsa(key, enc_data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

returns the decrypted data + auth_data

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 56

def decrypt_rsa(key, enc_data)
  # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
  buf = key.private_decrypt(enc_data, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING).unpack('C*')
  key_length = buf[0]
  data = buf[1, key_length].pack('C*')
  auth_data = buf[key_length+1, buf.length - key_length].pack('C*')
  [data, auth_data]
end

.encrypt(key, data) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-s3/encryption/utils.rb', line 15

def encrypt(key, data)
  case key
  when OpenSSL::PKey::RSA # asymmetric encryption
    warn(UNSAFE_MSG) if key.public_key.n.num_bits < cipher_size(data)
    key.public_encrypt(data)
  when String # symmetric encryption
    warn(UNSAFE_MSG) if cipher_size(key) < cipher_size(data)
    cipher = aes_encryption_cipher(:ECB, key)
    cipher.update(data) + cipher.final
  end
end