static void TestDecryptedS3(EncryptionMaterials encryptionMaterials)
{
string bucket_Name = null;
AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(encryptionMaterials);
bucket_Name = TdwUtils.rootBucketName + "encrypted-content";
bucket_Name = TdwUtils.CreateBucket(s3Client, bucket_Name);
GetObjectRequest getObjectRequest = new GetObjectRequest
{
BucketName = bucket_Name,
Key = TdwUtils.keyName
};
string data = null;
using (GetObjectResponse getObjectResponse = s3Client.GetObject(getObjectRequest))
{
using (var stream = getObjectResponse.ResponseStream)
using (var reader = new StreamReader(stream))
{
data = reader.ReadToEnd();
}
Console.WriteLine("===============>TestDecryptedS3 START<===============");
Console.WriteLine("Encryption method was:");
Console.WriteLine(getObjectResponse.ServerSideEncryptionMethod);
Console.WriteLine("===============> <===============");
}
Console.WriteLine(data);
Console.WriteLine("===============>TestDecryptedS3 END<===============");
}
//private static AmazonS3EncryptionClient s3EncryptionClientFileMode;
static void Main(string[] args)
{
EncryptionMaterials encryptionMaterials = new EncryptionMaterials(TdwUtils.CreateAsymmetricProvider());
//S3demo testS3 = new S3demo(encryptionMaterials);
CloudFormationDemo cfDemo = new CloudFormationDemo(args);
//KinesisDemo KinesisDemo = new KinesisDemo(args);
}
static void TestEncryptedS3(EncryptionMaterials encryptionMaterials)
{
string bucket_Name = null;
AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(encryptionMaterials);
bucket_Name = TdwUtils.rootBucketName + "encrypted-content";
try
{
AmazonS3Util.DeleteS3BucketWithObjects(s3Client, bucket_Name);
}
catch (Exception ex)
{
ex = null;
}
bucket_Name = TdwUtils.CreateBucket(s3Client, bucket_Name);
string dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPath);
byte[] dataBytes = TdwUtils.FileToArray(dataPath);
PutObjectRequest request = new PutObjectRequest()
{
BucketName = bucket_Name,
Key = TdwUtils.keyName,
InputStream = new MemoryStream(dataBytes)
};
PutObjectResponse response = s3Client.PutObject(request);
Console.WriteLine("===============>TestEncryptedS3 START<===============");
Console.WriteLine("Encryption method was:");
Console.WriteLine(response.ServerSideEncryptionMethod);
Console.WriteLine("===============>TestEncryptedS3 END<===============");
}
protected async Task <string> UploadIkek(string objectKeyName, byte[] ikek)
{
logger.Info($"encrypt I-KEK using {KmsCmkId}");
logger.Info($"upload I-KEK to {objectKeyName}");
using (var algorithm = new KMSAlgorithm(new AmazonKeyManagementServiceClient(AwsRegion), KmsCmkId))
{
var materials = new EncryptionMaterials(algorithm);
using (var s3Client = GetS3EncryptionClient(materials, new AmazonS3CryptoConfiguration {
RegionEndpoint = AwsRegion
}))
{
var putRequest = new PutObjectRequest
{
BucketName = BucketName,
Key = objectKeyName,
InputStream = new MemoryStream(ikek),
ContentType = "application/octet-stream",
ServerSideEncryptionKeyManagementServiceKeyId = KmsCmkId,
ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS
};
var putResult = await s3Client.PutObjectAsync(putRequest);
logger.Info($"uploaded I-KEK to {objectKeyName}");
return(putResult.VersionId);
}
}
}
static async Task <GetObjectResponse> MyPutObjectAsync(EncryptionMaterials materials, string bucketName, string keyName)
{
// CryptoStorageMode.ObjectMetadata is required for KMS EncryptionMaterials
var config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.ObjectMetadata
};
AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(config, materials);
// encrypt and put object
var putRequest = new PutObjectRequest
{
BucketName = bucketName,
Key = keyName,
ContentBody = "object content"
};
await s3Client.PutObjectAsync(putRequest);
// get object and decrypt
var getRequest = new GetObjectRequest
{
BucketName = bucketName,
Key = keyName
};
GetObjectResponse response = await s3Client.GetObjectAsync(getRequest);
return(response);
}
public void Initialize()
{
kmsClient = new AmazonKeyManagementServiceClient(RegionEndpoint.USEast1);
s3Client = new AmazonS3Client(RegionEndpoint.USEast1);
// Create a bucket to store objects related to this test.
bucketName = GetOrCreateBucket(s3Client);
// Create a KMS key, and an S3 object with the KMSKeyID.
kmsKeyID = GetOrCreateKMSKey(s3Client, kmsClient, bucketName);
// Create an S3 object with a symmetric key used for testing.
symmetricAlgorithm = GetOrCreateSymmetricAlgorithm(s3Client, bucketName);
var encryptionMaterials = new EncryptionMaterials(symmetricAlgorithm);
var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
AmazonS3CryptoConfiguration config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.InstructionFile
};
s3EncryptionClientMetadataMode = new AmazonS3EncryptionClient(encryptionMaterials);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataMode);
s3EncryptionClientFileMode = new AmazonS3EncryptionClient(config, encryptionMaterials);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileMode);
s3EncryptionClientMetadataModeKMS = new AmazonS3EncryptionClient(kmsEncryptionMaterials);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataModeKMS);
s3EncryptionClientFileModeKMS = new AmazonS3EncryptionClient(config, kmsEncryptionMaterials);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileModeKMS);
}
protected async Task <byte[]> DownloadIkek(string objectKeyName, string versionId)
{
logger.Info($"download I-KEK from {objectKeyName} versionId={versionId}");
var getObject = new GetObjectRequest {
BucketName = BucketName, Key = objectKeyName
};
if (!string.IsNullOrEmpty(versionId))
{
getObject.VersionId = versionId;
}
using (var algorithm = new KMSAlgorithm(new AmazonKeyManagementServiceClient(AwsRegion), KmsCmkId))
{
var materials = new EncryptionMaterials(algorithm);
using (var s3Client = GetS3EncryptionClient(materials, new AmazonS3CryptoConfiguration {
RegionEndpoint = AwsRegion
}))
{
var s3Object = await s3Client.GetObjectAsync(getObject);
using (var reader = new StreamReader(s3Object.ResponseStream))
{
var fileContents = await reader.ReadToEndAsync();
return(ASCIIEncoding.UTF8.GetBytes(fileContents));
}
}
}
}
public S3Storage()
{
const string filename = "keyxml.pk";
var path = WebServerPathUtils.GetPathTo(Path.Combine("bin", filename));
var f = new FileInfo(path);
if (f.Exists)
{
using (var file = f.OpenRead())
{
var keyString = new StreamReader(file).ReadToEnd();
_algorithm = RSA.Create();
_algorithm.FromXmlString(keyString);
var encryptionMaterials = new EncryptionMaterials(_algorithm);
try
{
_client = new AmazonS3EncryptionClient(encryptionMaterials);
var bucket = new S3DirectoryInfo(_client, PdfDocumentsBucketName);
if (!bucket.Exists)
{
bucket.Create();
}
}
catch (Exception ex)
{
Console.WriteLine("Unable to initialize S3 client\n" + ex);
}
}
}
}
public static void Main(string[] args)
{
if (args.Length < 3)
{
Console.WriteLine("You must supply a Region, bucket name, and item name:");
Console.WriteLine("Usage: KmsS3Encryption REGION BUCKET ITEM");
return;
}
string regionName = args[0];
string bucketName = args[1];
string itemName = args[2];
Task <CreateKeyResponse> response = MyCreateKeyAsync(regionName);
KeyMetadata keyMetadata = response.Result.KeyMetadata;
string kmsKeyId = keyMetadata.KeyId;
// An object that contains information about the CMK created by this operation.
EncryptionMaterials kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyId);
Task <GetObjectResponse> goResponse = MyPutObjectAsync(kmsEncryptionMaterials, bucketName, itemName);
Stream stream = goResponse.Result.ResponseStream;
StreamReader reader = new StreamReader(stream);
Console.WriteLine(reader.ReadToEnd());
Console.WriteLine("Press any key to continue...");
Console.ReadKey();
}
public EncryptionTests()
{
using (var kmsClient = new AmazonKeyManagementServiceClient())
{
var response = CallAsyncTask(
kmsClient.CreateKeyAsync(new CreateKeyRequest
{
Description = "Key for .NET integration tests.",
Origin = OriginType.AWS_KMS,
KeyUsage = KeyUsageType.ENCRYPT_DECRYPT
}));
kmsKeyID = response.KeyMetadata.KeyId;
}
var encryptionMaterials = new EncryptionMaterials(RSA.Create());
var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
AmazonS3CryptoConfiguration config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.InstructionFile
};
s3EncryptionClientMetadataMode = new AmazonS3EncryptionClient(encryptionMaterials);
s3EncryptionClientFileMode = new AmazonS3EncryptionClient(config, encryptionMaterials);
s3EncryptionClientMetadataModeKMS = new AmazonS3EncryptionClient(kmsEncryptionMaterials);
s3EncryptionClientFileModeKMS = new AmazonS3EncryptionClient(config, kmsEncryptionMaterials);
using (StreamWriter writer = File.CreateText(filePath))
{
writer.Write(sampleContent);
}
bucketName = CallAsyncTask(UtilityMethods.CreateBucketAsync(s3EncryptionClientFileMode, GetType().Name));
}
//private static AmazonS3EncryptionClient s3EncryptionClientFileMode;
public CloudFormationDemo(string[] args)
{
EncryptionMaterials encryptionMaterials = new EncryptionMaterials(TdwUtils.CreateAsymmetricProvider());
//CopyTemplatesToS3(encryptionMaterials);
//TestParentChildTemplates();
//TestCfStack(encryptionMaterials);
ApplyCloudFormationChangeSetExample();
}
public EncryptionTestsV1NInteropV2(KmsKeyIdProvider kmsKeyIdProvider) : base(kmsKeyIdProvider)
{
kmsKeyID = _kmsKeyIdProvider.GetKmsIdAsync().GetAwaiter().GetResult();
var rsa = RSA.Create();
var aes = Aes.Create();
var asymmetricEncryptionMaterialsV1N = new EncryptionMaterials(rsa);
var symmetricEncryptionMaterialsV1N = new EncryptionMaterials(aes);
var kmsEncryptionMaterialsV1N = new EncryptionMaterials(kmsKeyID);
var configV1N = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.InstructionFile
};
var asymmetricEncryptionMaterialsV2 = new EncryptionMaterialsV2(rsa, AsymmetricAlgorithmType.RsaOaepSha1);
var symmetricEncryptionMaterialsV2 = new EncryptionMaterialsV2(aes, SymmetricAlgorithmType.AesGcm);
var kmsEncryptionMaterialsV2 = new EncryptionMaterialsV2(kmsKeyID, KmsType.KmsContext, new Dictionary <string, string>());
metadataConfigV2 = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2AndLegacy)
{
StorageMode = CryptoStorageMode.ObjectMetadata,
};
fileConfigV2 = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2AndLegacy)
{
StorageMode = CryptoStorageMode.InstructionFile,
};
#pragma warning disable 0618
s3EncryptionClientMetadataModeAsymmetricWrapV1N = new AmazonS3EncryptionClient(asymmetricEncryptionMaterialsV1N);
s3EncryptionClientFileModeAsymmetricWrapV1N = new AmazonS3EncryptionClient(configV1N, asymmetricEncryptionMaterialsV1N);
s3EncryptionClientMetadataModeSymmetricWrapV1N = new AmazonS3EncryptionClient(symmetricEncryptionMaterialsV1N);
s3EncryptionClientFileModeSymmetricWrapV1N = new AmazonS3EncryptionClient(configV1N, symmetricEncryptionMaterialsV1N);
s3EncryptionClientMetadataModeKMSV1N = new AmazonS3EncryptionClient(kmsEncryptionMaterialsV1N);
s3EncryptionClientFileModeKMSV1N = new AmazonS3EncryptionClient(configV1N, kmsEncryptionMaterialsV1N);
#pragma warning restore 0618
s3EncryptionClientMetadataModeAsymmetricWrapV2 = new AmazonS3EncryptionClientV2(metadataConfigV2, asymmetricEncryptionMaterialsV2);
s3EncryptionClientFileModeAsymmetricWrapV2 = new AmazonS3EncryptionClientV2(fileConfigV2, asymmetricEncryptionMaterialsV2);
s3EncryptionClientMetadataModeSymmetricWrapV2 = new AmazonS3EncryptionClientV2(metadataConfigV2, symmetricEncryptionMaterialsV2);
s3EncryptionClientFileModeSymmetricWrapV2 = new AmazonS3EncryptionClientV2(fileConfigV2, symmetricEncryptionMaterialsV2);
s3EncryptionClientMetadataModeKMSV2 = new AmazonS3EncryptionClientV2(metadataConfigV2, kmsEncryptionMaterialsV2);
s3EncryptionClientFileModeKMSV2 = new AmazonS3EncryptionClientV2(fileConfigV2, kmsEncryptionMaterialsV2);
using (var writer = File.CreateText(filePath))
{
writer.Write(SampleContent);
}
bucketName = EncryptionTestsUtils.CallAsyncTask(UtilityMethods.CreateBucketAsync(s3EncryptionClientFileModeAsymmetricWrapV1N));
}
public static void Main(string[] args)
{
string kmsKeyID = null;
using (var kmsClient = new AmazonKeyManagementServiceClient())
{
var response = kmsClient.CreateKey(new CreateKeyRequest());
kmsKeyID = response.KeyMetadata.KeyId;
var keyMetadata = response.KeyMetadata; // An object that contains information about the CMK created by this operation.
var bucketName = "<s3bucket>";
var objectKey = "key";
var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
// CryptoStorageMode.ObjectMetadata is required for KMS EncryptionMaterials
var config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.ObjectMetadata
};
using (var s3Client = new AmazonS3EncryptionClient(config, kmsEncryptionMaterials))
{
// encrypt and put object
var putRequest = new PutObjectRequest
{
BucketName = bucketName,
Key = objectKey,
ContentBody = "object content"
};
s3Client.PutObject(putRequest);
// get object and decrypt
var getRequest = new GetObjectRequest
{
BucketName = bucketName,
Key = objectKey
};
using (var getResponse = s3Client.GetObject(getRequest))
using (var stream = getResponse.ResponseStream)
using (var reader = new StreamReader(stream))
{
Console.WriteLine(reader.ReadToEnd());
}
}
}
Console.WriteLine("Press any key to continue...");
Console.ReadKey();
}
#pragma warning restore 0618
public EncryptionTestsV1InteropV1N(KmsKeyIdProvider kmsKeyIdProvider) : base(kmsKeyIdProvider)
{
kmsKeyID = _kmsKeyIdProvider.GetKmsIdAsync().GetAwaiter().GetResult();
var rsa = RSA.Create();
var aes = Aes.Create();
var asymmetricEncryptionMaterialsV1 = new Amazon.S3.Encryption.EncryptionMaterials(rsa);
var asymmetricEncryptionMaterialsV1N = new EncryptionMaterials(rsa);
var symmetricEncryptionMaterialsV1 = new Amazon.S3.Encryption.EncryptionMaterials(aes);
var symmetricEncryptionMaterialsV1N = new EncryptionMaterials(aes);
var kmsEncryptionMaterialsV1 = new Amazon.S3.Encryption.EncryptionMaterials(kmsKeyID);
var kmsEncryptionMaterialsV1N = new EncryptionMaterials(kmsKeyID);
var configV1 = new Amazon.S3.Encryption.AmazonS3CryptoConfiguration()
{
StorageMode = Amazon.S3.Encryption.CryptoStorageMode.InstructionFile
};
var configV1N = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.InstructionFile
};
s3EncryptionClientMetadataModeAsymmetricWrapV1 = new Amazon.S3.Encryption.AmazonS3EncryptionClient(asymmetricEncryptionMaterialsV1);
s3EncryptionClientFileModeAsymmetricWrapV1 = new Amazon.S3.Encryption.AmazonS3EncryptionClient(configV1, asymmetricEncryptionMaterialsV1);
s3EncryptionClientMetadataModeSymmetricWrapV1 = new Amazon.S3.Encryption.AmazonS3EncryptionClient(symmetricEncryptionMaterialsV1);
s3EncryptionClientFileModeSymmetricWrapV1 = new Amazon.S3.Encryption.AmazonS3EncryptionClient(configV1, symmetricEncryptionMaterialsV1);
s3EncryptionClientMetadataModeKMSV1 = new Amazon.S3.Encryption.AmazonS3EncryptionClient(kmsEncryptionMaterialsV1);
s3EncryptionClientFileModeKMSV1 = new Amazon.S3.Encryption.AmazonS3EncryptionClient(configV1, kmsEncryptionMaterialsV1);
#pragma warning disable 0618
s3EncryptionClientMetadataModeAsymmetricWrapV1N = new AmazonS3EncryptionClient(asymmetricEncryptionMaterialsV1N);
s3EncryptionClientFileModeAsymmetricWrapV1N = new AmazonS3EncryptionClient(configV1N, asymmetricEncryptionMaterialsV1N);
s3EncryptionClientMetadataModeSymmetricWrapV1N = new AmazonS3EncryptionClient(symmetricEncryptionMaterialsV1N);
s3EncryptionClientFileModeSymmetricWrapV1N = new AmazonS3EncryptionClient(configV1N, symmetricEncryptionMaterialsV1N);
s3EncryptionClientMetadataModeKMSV1N = new AmazonS3EncryptionClient(kmsEncryptionMaterialsV1N);
s3EncryptionClientFileModeKMSV1N = new AmazonS3EncryptionClient(configV1N, kmsEncryptionMaterialsV1N);
#pragma warning restore 0618
using (var writer = File.CreateText(filePath))
{
writer.Write(SampleContent);
}
bucketName = EncryptionTestsUtils.CallAsyncTask(UtilityMethods.CreateBucketAsync(s3EncryptionClientFileModeAsymmetricWrapV1));
}
public static void Initialize(TestContext a)
{
EncryptionMaterials encryptionMaterials = new EncryptionMaterials(generateAsymmetricProvider());
s3EncryptionClientMetadataMode = new AmazonS3EncryptionClient(encryptionMaterials);
AmazonS3CryptoConfiguration config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.InstructionFile
};
s3EncryptionClientFileMode = new AmazonS3EncryptionClient(config, encryptionMaterials);
using (StreamWriter writer = File.CreateText(fileName))
{
writer.Write(sampleContent);
}
bucketName = S3TestUtils.CreateBucket(s3EncryptionClientFileMode);
}
public static void Initialize(TestContext a)
{
using (var kmsClient = new AmazonKeyManagementServiceClient())
{
var response = kmsClient.CreateKey(new CreateKeyRequest
{
Description = "Key for .NET integration tests.",
Origin = OriginType.AWS_KMS,
KeyUsage = KeyUsageType.ENCRYPT_DECRYPT
});
kmsKeyID = response.KeyMetadata.KeyId;
}
var encryptionMaterials = new EncryptionMaterials(RSA.Create());
var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
AmazonS3CryptoConfiguration config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.InstructionFile
};
s3EncryptionClientMetadataMode = new AmazonS3EncryptionClient(encryptionMaterials);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataMode);
s3EncryptionClientFileMode = new AmazonS3EncryptionClient(config, encryptionMaterials);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileMode);
s3EncryptionClientMetadataModeKMS = new AmazonS3EncryptionClient(kmsEncryptionMaterials);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataModeKMS);
s3EncryptionClientFileModeKMS = new AmazonS3EncryptionClient(config, kmsEncryptionMaterials);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileModeKMS);
using (StreamWriter writer = File.CreateText(filePath))
{
writer.Write(sampleContent);
}
bucketName = S3TestUtils.CreateBucket(s3EncryptionClientFileMode);
}
public async Task <string> ReadValue(string key)
{
using (var kmsClient = new AmazonKeyManagementServiceClient())
{
string kmsKeyID = null;
var response = await kmsClient.CreateKeyAsync(new CreateKeyRequest());
kmsKeyID = response.KeyMetadata.KeyId;
var keyMetadata = response.KeyMetadata;
var bucketName = "<your S3 bucket name>";
var objectKey = key;
var kmsEncryptionMaterials = new EncryptionMaterials(key);
var config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.ObjectMetadata
};
using (var s3Client = new AmazonS3EncryptionClient(config, kmsEncryptionMaterials))
{
var getRequest = new GetObjectRequest
{
BucketName = bucketName,
Key = objectKey
};
using (var getResponse = await s3Client.GetObjectAsync(getRequest))
using (var stream = getResponse.ResponseStream)
using (var reader = new StreamReader(stream))
{
return(reader.ReadToEnd());
}
}
}
}
public async Task <bool> WriteValue(string key, string value)
{
using (var kmsClient = new AmazonKeyManagementServiceClient())
{
var response = await kmsClient.CreateKeyAsync(new CreateKeyRequest());
string kmsKeyID = response.KeyMetadata.KeyId;
var keyMetadata = response.KeyMetadata;
var bucketName = "<your S3 bucket name>";
var objectKey = key;
var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
var config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.ObjectMetadata
};
using (var s3Client = new AmazonS3EncryptionClient(config, kmsEncryptionMaterials))
{
var putRequest = new PutObjectRequest
{
BucketName = bucketName,
Key = objectKey,
ContentBody = value
};
var obj = await s3Client.PutObjectAsync(putRequest);
if (obj.HttpStatusCode == HttpStatusCode.OK)
{
return(true);
}
}
}
return(false);
}
public EncryptionTestsV1NInteropV2() : base(KmsKeyIdProvider.Instance)
{
kmsKeyID = _kmsKeyIdProvider.GetKmsId();
var rsa = RSA.Create();
var aes = Aes.Create();
var asymmetricEncryptionMaterialsV1N = new EncryptionMaterials(rsa);
var symmetricEncryptionMaterialsV1N = new EncryptionMaterials(aes);
var kmsEncryptionMaterialsV1N = new EncryptionMaterials(kmsKeyID);
var configV1N = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.InstructionFile
};
var asymmetricEncryptionMaterialsV2 = new EncryptionMaterialsV2(rsa, AsymmetricAlgorithmType.RsaOaepSha1);
var symmetricEncryptionMaterialsV2 = new EncryptionMaterialsV2(aes, SymmetricAlgorithmType.AesGcm);
var kmsEncryptionMaterialsV2 =
new EncryptionMaterialsV2(kmsKeyID, KmsType.KmsContext, new Dictionary <string, string>());
fileConfigV2 = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2AndLegacy)
{
StorageMode = CryptoStorageMode.InstructionFile,
};
metadataConfigV2 = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2AndLegacy)
{
StorageMode = CryptoStorageMode.ObjectMetadata,
};
s3EncryptionClientMetadataModeAsymmetricWrapV1N =
new AmazonS3EncryptionClient(asymmetricEncryptionMaterialsV1N);
s3EncryptionClientFileModeAsymmetricWrapV1N =
new AmazonS3EncryptionClient(configV1N, asymmetricEncryptionMaterialsV1N);
s3EncryptionClientMetadataModeSymmetricWrapV1N =
new AmazonS3EncryptionClient(symmetricEncryptionMaterialsV1N);
s3EncryptionClientFileModeSymmetricWrapV1N =
new AmazonS3EncryptionClient(configV1N, symmetricEncryptionMaterialsV1N);
s3EncryptionClientMetadataModeKMSV1N = new AmazonS3EncryptionClient(kmsEncryptionMaterialsV1N);
s3EncryptionClientFileModeKMSV1N = new AmazonS3EncryptionClient(configV1N, kmsEncryptionMaterialsV1N);
s3EncryptionClientMetadataModeAsymmetricWrapV2 =
new AmazonS3EncryptionClientV2(metadataConfigV2, asymmetricEncryptionMaterialsV2);
s3EncryptionClientFileModeAsymmetricWrapV2 =
new AmazonS3EncryptionClientV2(fileConfigV2, asymmetricEncryptionMaterialsV2);
s3EncryptionClientMetadataModeSymmetricWrapV2 =
new AmazonS3EncryptionClientV2(metadataConfigV2, symmetricEncryptionMaterialsV2);
s3EncryptionClientFileModeSymmetricWrapV2 =
new AmazonS3EncryptionClientV2(fileConfigV2, symmetricEncryptionMaterialsV2);
s3EncryptionClientMetadataModeKMSV2 =
new AmazonS3EncryptionClientV2(metadataConfigV2, kmsEncryptionMaterialsV2);
s3EncryptionClientFileModeKMSV2 = new AmazonS3EncryptionClientV2(fileConfigV2, kmsEncryptionMaterialsV2);
using (var writer = File.CreateText(filePath))
{
writer.Write(SampleContent);
}
bucketName = S3TestUtils.CreateBucketWithWait(s3EncryptionClientFileModeAsymmetricWrapV1N);
}
static void TestCfStack(EncryptionMaterials encryptionMaterials)
{
string bucket_Name = QSS3BucketName;
string templateName = QSS3KeyPrefix + TdwUtils.cfClassPathBastion.Replace("tdw_cf_template\\", "");
string stack_name = templateName.Replace("-", "");
stack_name = stack_name.Replace(".template", "");
//AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(encryptionMaterials);
AmazonS3Client s3Client = new AmazonS3Client();
GetObjectRequest getObjectRequest = new GetObjectRequest
{
BucketName = bucket_Name,
Key = templateName,
};
string data = null;
using (GetObjectResponse getObjectResponse = s3Client.GetObject(getObjectRequest))
{
using (var stream = getObjectResponse.ResponseStream)
using (var reader = new StreamReader(stream))
{
data = reader.ReadToEnd();
}
}
Amazon.CloudFormation.AmazonCloudFormationClient cfClient = new AmazonCloudFormationClient();
ValidateTemplateResponse templateResponse = cfClient.ValidateTemplate(new ValidateTemplateRequest()
{
TemplateBody = data
});
List <string> capabilities = templateResponse.Capabilities;
string capabilitiesReason = templateResponse.CapabilitiesReason;
string description = templateResponse.Description;
List <TemplateParameter> parameters = templateResponse.Parameters;
if (parameters.Any())
{
Console.WriteLine(" Parameters:");
foreach (var p in parameters)
{
Console.WriteLine(" {0} = {1}",
p.ParameterKey, p.Description);
}
}
//try
//{
// DeleteStackRequest deleteRequest = new DeleteStackRequest() { StackName = stack_name };
// cfClient.DeleteStack(deleteRequest);
//}
//catch (Exception ex)
//{
// ex = null;
//}
DescribeStacksResponse testForStackDescResp = new DescribeStacksResponse();
try
{
testForStackDescResp = cfClient.DescribeStacks(new DescribeStacksRequest()
{
StackName = stack_name
});
}
catch (Exception ex)
{
testForStackDescResp = null;
}
if (testForStackDescResp == null)
{
List <string> CfCapabilities = new List <string>();
CfCapabilities.Add("CAPABILITY_IAM");
CreateStackRequest stackRequest = new CreateStackRequest()
{
StackName = stack_name, TemplateBody = data, Capabilities = CfCapabilities
};
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "pDBPassword", ParameterValue = "LiverpoolFC" } );
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "pNotifyEmail", ParameterValue = "*****@*****.**" });
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "pEC2KeyPairBastion", ParameterValue = "BastionSshKvp" });
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "pEC2KeyPair", ParameterValue = "Ec2SshKvp" });
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "pSupportsConfig", ParameterValue = "Yes" });
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "pAvailabilityZoneA", ParameterValue = "eu-west-1a" });
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "pAvailabilityZoneB", ParameterValue = "eu-west-1b" });
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "pVPCTenancy", ParameterValue = "default" });
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "QSS3BucketName", ParameterValue = QSS3BucketName });
//stackRequest.Parameters.Add(new Parameter() { ParameterKey = "QSS3KeyPrefix", ParameterValue = QSS3KeyPrefix });
templateResponse = cfClient.ValidateTemplate(new ValidateTemplateRequest()
{
TemplateBody = data
});
CreateStackResponse stackResponse = cfClient.CreateStack(stackRequest);
}
testForStackDescResp = cfClient.DescribeStacks(new DescribeStacksRequest());
foreach (var stack in testForStackDescResp.Stacks)
{
Console.WriteLine("stack: {0}", stack.StackName);
Console.WriteLine(" status: {0}", stack.StackStatus);
Console.WriteLine(" created: {0}", stack.CreationTime);
var ps = stack.Parameters;
if (ps.Any())
{
Console.WriteLine(" parameters:");
foreach (var p in ps)
{
Console.WriteLine(" {0} = {1}",
p.ParameterKey, p.ParameterValue);
}
}
}
}
private AmazonS3EncryptionClient GetS3EncryptionClient(EncryptionMaterials materials, AmazonS3CryptoConfiguration cryptoConfig)
{
return(new AmazonS3EncryptionClient(GetAwsCredentials(), cryptoConfig, materials));
}
static void CopyTemplatesToS3(EncryptionMaterials encryptionMaterials)
{
string bucket_Name = null;
string dataPath = null;
byte[] dataBytes = null;
PutObjectRequest request = null;
PutObjectResponse response = null;
//AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(encryptionMaterials);
AmazonS3Client s3Client = new AmazonS3Client();
try
{
TdwUtils.TearDownS3BucketByPrefix(s3Client, "tdwcftdev");
AmazonS3Util.DeleteS3BucketWithObjects(s3Client, QSS3BucketName);
}
catch (Exception ex)
{
ex = null;
}
bucket_Name = TdwUtils.CreateBucket(s3Client, QSS3BucketName);
///Cross stack communication, Parent
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathParentSubnet);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathParentSubnet.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///Cross stack communication, first child
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathChildSubnetProducer);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathChildSubnetProducer.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///Cross stack communication, second child
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathChildSubnet);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathChildSubnet.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///Application Template
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathApplication);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathApplication.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
//Config Rules
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathConfigRules);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathConfigRules.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///Iam Template
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathIam);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathIam.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
//Kinesis
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathKinesis);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathKinesis.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///Logging Template
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathLogging);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathLogging.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///Main Bastion Template
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathBastion);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathBastion.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///Management Vpc Template
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathManagementVpc);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathManagementVpc.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///Prod Vpc Template
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathProductionVpc);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathProductionVpc.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
///ChangeSet Template for main bastion
dataPath = TdwUtils.bingPathToAppDir(TdwUtils.cfClassPathBastionChangeSet);
dataBytes = TdwUtils.FileToArray(dataPath);
request = new PutObjectRequest()
{
BucketName = QSS3BucketName,
Key = QSS3KeyPrefix + TdwUtils.cfClassPathBastionChangeSet.Replace("tdw_cf_template\\", ""),
InputStream = new MemoryStream(dataBytes)
};
response = s3Client.PutObject(request);
}
#pragma warning restore 0618
public EncryptionTestsV1InteropV1N() : base(KmsKeyIdProvider.Instance)
{
filePath = Path.Combine(Path.GetTempPath(), $"EncryptionPutObjectFile-{Guid.NewGuid()}.txt");
kmsKeyID = _kmsKeyIdProvider.GetKmsId();
var rsa = RSA.Create();
var aes = Aes.Create();
var asymmetricEncryptionMaterialsV1 = new Amazon.S3.Encryption.EncryptionMaterials(rsa);
var asymmetricEncryptionMaterialsV1N = new EncryptionMaterials(rsa);
var symmetricEncryptionMaterialsV1 = new Amazon.S3.Encryption.EncryptionMaterials(aes);
var symmetricEncryptionMaterialsV1N = new EncryptionMaterials(aes);
var kmsEncryptionMaterialsV1 = new Amazon.S3.Encryption.EncryptionMaterials(kmsKeyID);
var kmsEncryptionMaterialsV1N = new EncryptionMaterials(kmsKeyID);
var configV1 = new Amazon.S3.Encryption.AmazonS3CryptoConfiguration()
{
StorageMode = Amazon.S3.Encryption.CryptoStorageMode.InstructionFile
};
var configV1N = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.InstructionFile
};
s3EncryptionClientMetadataModeAsymmetricWrapV1 =
new Amazon.S3.Encryption.AmazonS3EncryptionClient(asymmetricEncryptionMaterialsV1);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataModeAsymmetricWrapV1);
s3EncryptionClientFileModeAsymmetricWrapV1 =
new Amazon.S3.Encryption.AmazonS3EncryptionClient(configV1, asymmetricEncryptionMaterialsV1);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileModeAsymmetricWrapV1);
s3EncryptionClientMetadataModeSymmetricWrapV1 =
new Amazon.S3.Encryption.AmazonS3EncryptionClient(symmetricEncryptionMaterialsV1);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataModeSymmetricWrapV1);
s3EncryptionClientFileModeSymmetricWrapV1 =
new Amazon.S3.Encryption.AmazonS3EncryptionClient(configV1, symmetricEncryptionMaterialsV1);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileModeSymmetricWrapV1);
s3EncryptionClientMetadataModeKMSV1 =
new Amazon.S3.Encryption.AmazonS3EncryptionClient(kmsEncryptionMaterialsV1);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataModeKMSV1);
s3EncryptionClientFileModeKMSV1 =
new Amazon.S3.Encryption.AmazonS3EncryptionClient(configV1, kmsEncryptionMaterialsV1);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileModeKMSV1);
s3EncryptionClientMetadataModeAsymmetricWrapV1N =
new AmazonS3EncryptionClient(asymmetricEncryptionMaterialsV1N);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataModeAsymmetricWrapV1N);
s3EncryptionClientFileModeAsymmetricWrapV1N =
new AmazonS3EncryptionClient(configV1N, asymmetricEncryptionMaterialsV1N);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileModeAsymmetricWrapV1N);
s3EncryptionClientMetadataModeSymmetricWrapV1N =
new AmazonS3EncryptionClient(symmetricEncryptionMaterialsV1N);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataModeSymmetricWrapV1N);
s3EncryptionClientFileModeSymmetricWrapV1N =
new AmazonS3EncryptionClient(configV1N, symmetricEncryptionMaterialsV1N);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileModeSymmetricWrapV1N);
s3EncryptionClientMetadataModeKMSV1N = new AmazonS3EncryptionClient(kmsEncryptionMaterialsV1N);
RetryUtilities.ForceConfigureClient(s3EncryptionClientMetadataModeKMSV1N);
s3EncryptionClientFileModeKMSV1N = new AmazonS3EncryptionClient(configV1N, kmsEncryptionMaterialsV1N);
RetryUtilities.ForceConfigureClient(s3EncryptionClientFileModeKMSV1N);
using (var writer = File.CreateText(filePath))
{
writer.Write(SampleContent);
}
bucketName = S3TestUtils.CreateBucketWithWait(s3EncryptionClientFileModeAsymmetricWrapV1);
}
public S3demo(EncryptionMaterials encryptionMaterials)
{
TestS3();
TestEncryptedS3(encryptionMaterials);
TestDecryptedS3(encryptionMaterials);
}
static void UploadFileWithClientSideEncryption(string filePath)
{
string kmsKeyID = null;
var objectKey = System.IO.Path.GetFileName(filePath);
using (var kmsClient = new AmazonKeyManagementServiceClient(defaultEndpoint))
{
// var response = kmsClient.CreateKeyAsync(new CreateKeyRequest()).GetAwaiter().GetResult();
kmsKeyID = GetKeyByAlias(keyName, kmsClient);
// var keyMetadata = keyData?.KeyMetadata; // An object that contains information about the CMK created by this operation.
var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
//set encryption context
using (var s3Client = new AmazonS3EncryptionClient(defaultEndpoint, kmsEncryptionMaterials))
{
// encrypt and put object
var putRequest = new PutObjectRequest
{
BucketName = bucketName,
Key = objectKey,
FilePath = filePath
};
putRequest.Metadata.Add("x-amz-meta-moo", "This is a test");
// putRequest.Headers["x-amz-matdesc"] = System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(jsonStringEncryptionContext));
putRequest.Headers["x-amz-server-side-encryption"] = "aws:kms";
putRequest.Headers["x-amz-server-side-encryption-aws-kms-key-id"] = kmsKeyID;
putRequest.Headers["x-amz-server-side-encryption-context"] = System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(jsonStringEncryptionContext));
s3Client.PutObjectAsync(putRequest).GetAwaiter().GetResult();
}
// The KeyID is actually embedded in the metadata of the object and the encryptionclient automatically looks it up so you don't actually have to do that yourself
var kem2 = new EncryptionMaterials("1111111-11111-11111111-11111111");
using (var s3Client2 = new AmazonS3EncryptionClient(defaultEndpoint, kem2))
{
// get object and decrypt
var getRequest = new GetObjectRequest
{
BucketName = bucketName,
Key = objectKey
};
string fPath2 = System.IO.Path.Combine(System.IO.Path.GetDirectoryName(filePath), System.IO.Path.GetFileNameWithoutExtension(filePath) + "_" + new Random().Next(0, 1000).ToString() + System.IO.Path.GetExtension(filePath));
using (var getResponse = s3Client2.GetObjectAsync(getRequest).GetAwaiter().GetResult())
using (var stream = getResponse.ResponseStream)
using (var reader = new StreamReader(stream))
{
using (var fileStream = new FileStream(fPath2, FileMode.Create, FileAccess.Write))
{
stream.CopyTo(fileStream);
fileStream.Flush();
fileStream.Close();
}
}
Console.WriteLine($"Object written to {fPath2}");
}
}
Console.WriteLine("Press any key to continue...");
Console.ReadKey();
}
