/// <summary>
/// Updates object where the object input stream contains the decrypted contents.
/// </summary>
/// <param name="objectResponse">
/// The getObject response whose contents are to be decrypted.
/// </param>
private void DecryptObjectUsingMetadata(GetObjectResponse objectResponse)
{
// Create an instruction object from the object metadata
EncryptionInstructions instructions = EncryptionUtils.BuildInstructionsFromObjectMetadata(objectResponse, this.EncryptionClient.EncryptionMaterials);
// Decrypt the object with the instruction
EncryptionUtils.DecryptObjectUsingInstructions(objectResponse, instructions);
}
/// <summary>
/// Updates object where the object input stream contains the decrypted contents.
/// </summary>
/// <param name="getObjectResponse">The getObject response whose contents are to be decrypted.</param>
/// <param name="decryptedEnvelopeKeyKMS">The decrypted envelope key to be use if KMS key wrapping is being used. Or null if non-KMS key wrapping is being used.</param>
protected void DecryptObjectUsingMetadata(GetObjectResponse getObjectResponse, byte[] decryptedEnvelopeKeyKMS)
{
// Create an instruction object from the object metadata
EncryptionInstructions instructions = EncryptionUtils.BuildInstructionsFromObjectMetadata(getObjectResponse, EncryptionClient.EncryptionMaterials, decryptedEnvelopeKeyKMS);
if (decryptedEnvelopeKeyKMS != null)
{
if (getObjectResponse.Metadata[EncryptionUtils.XAmzCekAlg] != null &&
instructions.MaterialsDescription.ContainsKey(EncryptionUtils.XAmzEncryptionContextCekAlg))
{
if (EncryptionUtils.XAmzAesGcmCekAlgValue.Equals(getObjectResponse.Metadata[EncryptionUtils.XAmzCekAlg]) &&
EncryptionUtils.XAmzAesGcmCekAlgValue.Equals(instructions.MaterialsDescription[EncryptionUtils.XAmzEncryptionContextCekAlg]))
{
// Decrypt the object with V2 instruction
EncryptionUtils.DecryptObjectUsingInstructionsV2(getObjectResponse, instructions);
}
else
{
throw new AmazonCryptoException($"The content encryption algorithm used at encryption time does not match the algorithm stored for decryption time." +
" The object may be altered or corrupted.");
}
}
else if (EncryptionUtils.XAmzAesCbcPaddingCekAlgValue.Equals(instructions.CekAlgorithm))
{
ThrowIfLegacyReadIsDisabled();
// Decrypt the object with V1 instruction
EncryptionUtils.DecryptObjectUsingInstructions(getObjectResponse, instructions);
}
else
{
throw new AmazonCryptoException($"The content encryption algorithm used at encryption time does not match the algorithm stored for decryption time." +
" The object may be altered or corrupted.");
}
}
else if (EncryptionUtils.XAmzAesGcmCekAlgValue.Equals(getObjectResponse.Metadata[EncryptionUtils.XAmzCekAlg]))
{
// Decrypt the object with V2 instruction
EncryptionUtils.DecryptObjectUsingInstructionsV2(getObjectResponse, instructions);
}
// It is safe to assume, this is either non KMS encryption with V1 client or AES CBC
// We don't need to check cek algorithm to be AES CBC, because non KMS encryption with V1 client doesn't set it
else
{
ThrowIfLegacyReadIsDisabled();
EncryptionUtils.DecryptObjectUsingInstructions(getObjectResponse, instructions);
}
}