/// <summary>
/// Builds an instruction object from the object metadata.
/// </summary>
/// <param name="response">
/// A non-null object response that contains encryption information in its metadata.
/// </param>
/// <param name="materials">
/// The non-null encryption materials to be used to encrypt and decrypt Envelope key.
/// </param>
/// <param name="decryptedEnvelopeKeyKMS">
/// The decrypted envelope key to be use if KMS key wrapping is being used. Or null if non-KMS key wrapping is being used.
/// </param>
/// <returns>
/// </returns>
internal static EncryptionInstructions BuildInstructionsFromObjectMetadata(
GetObjectResponse response, EncryptionMaterialsBase materials, byte[] decryptedEnvelopeKeyKMS)
{
MetadataCollection metadata = response.Metadata;
var materialDescription = GetMaterialDescriptionFromMetaData(response.Metadata);
if (metadata[XAmzKeyV2] != null)
{
EnsureSupportedAlgorithms(metadata);
var base64EncodedEncryptedEnvelopeKey = metadata[XAmzKeyV2];
var encryptedEnvelopeKey = Convert.FromBase64String(base64EncodedEncryptedEnvelopeKey);
var base64EncodedIV = metadata[XAmzIV];
var IV = Convert.FromBase64String(base64EncodedIV);
var cekAlgorithm = metadata[XAmzCekAlg];
var wrapAlgorithm = metadata[XAmzWrapAlg];
EncryptionInstructions instructions;
if (decryptedEnvelopeKeyKMS != null)
{
return(new EncryptionInstructions(materialDescription, decryptedEnvelopeKeyKMS, encryptedEnvelopeKey, IV, wrapAlgorithm, cekAlgorithm));
}
else
{
byte[] decryptedEnvelopeKey;
if (XAmzWrapAlgRsaOaepSha1.Equals(wrapAlgorithm) || XAmzWrapAlgAesGcmValue.Equals(wrapAlgorithm))
{
decryptedEnvelopeKey = DecryptNonKmsEnvelopeKeyV2(encryptedEnvelopeKey, materials);
}
else
{
decryptedEnvelopeKey = DecryptNonKMSEnvelopeKey(encryptedEnvelopeKey, materials);
}
return(new EncryptionInstructions(materialDescription, decryptedEnvelopeKey, encryptedEnvelopeKey, IV, wrapAlgorithm, cekAlgorithm));
}
}
else
{
string base64EncodedEncryptedEnvelopeKey = metadata[XAmzKey];
byte[] encryptedEnvelopeKey = Convert.FromBase64String(base64EncodedEncryptedEnvelopeKey);
byte[] decryptedEnvelopeKey = DecryptNonKMSEnvelopeKey(encryptedEnvelopeKey, materials);
string base64EncodedIV = metadata[XAmzIV];
byte[] IV = Convert.FromBase64String(base64EncodedIV);
return(new EncryptionInstructions(materialDescription, decryptedEnvelopeKey, encryptedEnvelopeKey, IV));
}
}
/// <summary>
/// Decrypts an encrypted Envelope key using the provided encryption materials
/// and returns it in raw byte array form.
/// </summary>
/// <param name="encryptedEnvelopeKey">Encrypted envelope key</param>
/// <param name="materials">Encryption materials needed to decrypt the encrypted envelope key</param>
/// <returns></returns>
internal static byte[] DecryptNonKMSEnvelopeKey(byte[] encryptedEnvelopeKey, EncryptionMaterialsBase materials)
{
if (materials.AsymmetricProvider != null)
{
return(DecryptEnvelopeKeyUsingAsymmetricKeyPair(materials.AsymmetricProvider, encryptedEnvelopeKey));
}
if (materials.SymmetricProvider != null)
{
return(DecryptEnvelopeKeyUsingSymmetricKey(materials.SymmetricProvider, encryptedEnvelopeKey));
}
throw new ArgumentException("Error decrypting non-KMS envelope key. " +
"EncryptionMaterials must have the AsymmetricProvider or SymmetricProvider set.");
}
/// <summary>
/// Constructs AmazonS3EncryptionClient with AWS Access Key ID, Secret Key, SessionToken
/// AmazonS3EncryptionClient CryptoConfiguration object and Encryption materials.
/// </summary>
/// <param name="awsAccessKeyId">AWS Access Key ID</param>
/// <param name="awsSecretAccessKey">AWS Secret Access Key</param>
/// <param name="awsSessionToken">AWS Session Token</param>
/// <param name="config">The AmazonS3EncryptionClient CryptoConfiguration Object</param>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt envelope key.
/// </param>
public AmazonS3EncryptionClientBase(string awsAccessKeyId, string awsSecretAccessKey, string awsSessionToken, AmazonS3CryptoConfigurationBase config, EncryptionMaterialsBase materials)
: base(awsAccessKeyId, awsSecretAccessKey, awsSessionToken, config)
{
this.EncryptionMaterials = materials;
S3CryptoConfig = config;
}
/// <summary>
/// Constructs AmazonS3EncryptionClient with AWS Access Key ID, Secret Key,
/// SessionToken, Region and Encryption materials.
/// </summary>
/// <param name="awsAccessKeyId">AWS Access Key ID</param>
/// <param name="awsSecretAccessKey">AWS Secret Access Key</param>
/// <param name="awsSessionToken">AWS Session Token</param>
/// <param name="region">The region to connect.</param>
/// <param name="materials">The encryption materials to be used to encrypt and decrypt envelope key.</param>
public AmazonS3EncryptionClientBase(string awsAccessKeyId, string awsSecretAccessKey, string awsSessionToken, RegionEndpoint region, EncryptionMaterialsBase materials)
: base(awsAccessKeyId, awsSecretAccessKey, awsSessionToken, region)
{
this.EncryptionMaterials = materials;
}
/// <summary>
/// Constructs AmazonS3EncryptionClient with AWS Access Key ID,
/// AWS Secret Key and Encryption materials
/// </summary>
/// <param name="awsAccessKeyId">AWS Access Key ID</param>
/// <param name="awsSecretAccessKey">AWS Secret Access Key</param>
/// <param name="materials">The encryption materials to be used to encrypt and decrypt envelope key.</param>
public AmazonS3EncryptionClientBase(string awsAccessKeyId, string awsSecretAccessKey, EncryptionMaterialsBase materials)
: base(awsAccessKeyId, awsSecretAccessKey)
{
this.EncryptionMaterials = materials;
}
/// <summary>
/// Constructs AmazonS3EncryptionClient with AWS Credentials, AmazonS3CryptoConfigurationBase Configuration object
/// and Encryption materials
/// </summary>
/// <param name="credentials">AWS Credentials</param>
/// <param name="config">The AmazonS3EncryptionClient CryptoConfiguration Object</param>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt envelope key.
/// </param>
public AmazonS3EncryptionClientBase(AWSCredentials credentials, AmazonS3CryptoConfigurationBase config, EncryptionMaterialsBase materials)
: base(credentials, config)
{
this.EncryptionMaterials = materials;
S3CryptoConfig = config;
}
/// <summary>
/// Constructs AmazonS3EncryptionClient with AWS Credentials, Region and Encryption materials
/// </summary>
/// <param name="credentials">AWS Credentials</param>
/// <param name="region">The region to connect.</param>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt envelope key.
/// </param>
public AmazonS3EncryptionClientBase(AWSCredentials credentials, RegionEndpoint region, EncryptionMaterialsBase materials)
: base(credentials, region)
{
this.EncryptionMaterials = materials;
}
/// <summary>
/// Constructs AmazonS3EncryptionClient with AWS Credentials and Encryption materials.
/// </summary>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt envelope key.
/// </param>
/// <param name="credentials">AWS Credentials</param>
public AmazonS3EncryptionClientBase(AWSCredentials credentials, EncryptionMaterialsBase materials)
: base(credentials)
{
this.EncryptionMaterials = materials;
}
/// <summary>
/// Constructs AmazonS3EncryptionClient with the Encryption materials and credentials loaded from the application's
/// default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance.
///
/// Example App.config with credentials set.
/// <code>
/// <?xml version="1.0" encoding="utf-8" ?>
/// <configuration>
/// <appSettings>
/// <add key="AWSProfileName" value="AWS Default"/>
/// </appSettings>
/// </configuration>
/// </code>
///
/// </summary>
/// <param name="region">
/// The region to connect.
/// </param>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt envelope key.
/// </param>
public AmazonS3EncryptionClientBase(RegionEndpoint region, EncryptionMaterialsBase materials)
: base(region)
{
this.EncryptionMaterials = materials;
}
/// <summary>
/// Constructs AmazonS3EncryptionClient with the Encryption materials and credentials loaded from the application's
/// default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance.
///
/// Example App.config with credentials set.
/// <code>
/// <?xml version="1.0" encoding="utf-8" ?>
/// <configuration>
/// <appSettings>
/// <add key="AWSProfileName" value="AWS Default"/>
/// </appSettings>
/// </configuration>
/// </code>
///
/// </summary>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt envelope key.
/// </param>
public AmazonS3EncryptionClientBase(EncryptionMaterialsBase materials)
: base()
{
this.EncryptionMaterials = materials;
}
/// <summary>
/// Builds an instruction object from the instruction file.
/// </summary>
/// <param name="response"> Instruction file GetObject response</param>
/// <param name="materials">
/// The non-null encryption materials to be used to encrypt and decrypt Envelope key.
/// </param>
/// <returns>
/// A non-null instruction object containing encryption information.
/// </returns>
internal static EncryptionInstructions BuildInstructionsUsingInstructionFileV2(GetObjectResponse response, EncryptionMaterialsBase materials)
{
using (TextReader textReader = new StreamReader(response.ResponseStream))
{
var jsonData = JsonMapper.ToObject(textReader);
if (jsonData[XAmzKeyV2] != null)
{
// The envelope contains data in V2 format
var encryptedEnvelopeKey = Base64DecodedDataValue(jsonData, XAmzKeyV2);
var decryptedEnvelopeKey = DecryptNonKmsEnvelopeKeyV2(encryptedEnvelopeKey, materials);
var initializationVector = Base64DecodedDataValue(jsonData, XAmzIV);
var materialDescription = JsonMapper.ToObject <Dictionary <string, string> >((string)jsonData[XAmzMatDesc]);
var cekAlgorithm = StringValue(jsonData, XAmzCekAlg);
var wrapAlgorithm = StringValue(jsonData, XAmzWrapAlg);
var instructions = new EncryptionInstructions(materialDescription, decryptedEnvelopeKey, null,
initializationVector, wrapAlgorithm, cekAlgorithm);
return(instructions);
}
else if (jsonData[XAmzKey] != null)
{
// The envelope contains data in V1 format
var encryptedEnvelopeKey = Base64DecodedDataValue(jsonData, XAmzKey);
var decryptedEnvelopeKey = DecryptNonKMSEnvelopeKey(encryptedEnvelopeKey, materials);
var initializationVector = Base64DecodedDataValue(jsonData, XAmzIV);
var materialDescription = JsonMapper.ToObject <Dictionary <string, string> >((string)jsonData[XAmzMatDesc]);
var instructions = new EncryptionInstructions(materialDescription, decryptedEnvelopeKey, null, initializationVector);
return(instructions);
}
else if (jsonData[EncryptedEnvelopeKey] != null)
{
// The envelope contains data in older format
var encryptedEnvelopeKey = Base64DecodedDataValue(jsonData, EncryptedEnvelopeKey);
var decryptedEnvelopeKey = DecryptNonKMSEnvelopeKey(encryptedEnvelopeKey, materials);
var initializationVector = Base64DecodedDataValue(jsonData, IV);
return(new EncryptionInstructions(materials.MaterialsDescription, decryptedEnvelopeKey, initializationVector));
}
else
{
throw new ArgumentException("Missing parameters required for decryption");
}
}
}
/// <summary>
/// Build encryption instructions for UploadPartEncryptionContext
/// </summary>
/// <param name="context">UploadPartEncryptionContext which contains instructions used for encrypting multipart object</param>
/// <param name="encryptionMaterials">EncryptionMaterials which contains material used for encrypting multipart object</param>
/// <returns></returns>
internal static EncryptionInstructions BuildEncryptionInstructionsForInstructionFileV2(UploadPartEncryptionContext context, EncryptionMaterialsBase encryptionMaterials)
{
var instructions = new EncryptionInstructions(encryptionMaterials.MaterialsDescription, context.EnvelopeKey, context.EncryptedEnvelopeKey, context.FirstIV,
context.WrapAlgorithm, context.CekAlgorithm);
return(instructions);
}
