/// <summary>
/// Updates the request where the input stream contains the encrypted object contents.
/// </summary>
/// <param name="request"></param>
private void GenerateEncryptedUploadPartRequest(UploadPartRequest request)
{
string uploadID = request.UploadId;
UploadPartEncryptionContext contextForEncryption = currentMultiPartUploadKeys[uploadID];
byte[] envelopeKey = contextForEncryption.EnvelopeKey;
byte[] IV = contextForEncryption.NextIV;
EncryptionInstructions instructions = new EncryptionInstructions(EncryptionMaterials.EmptyMaterialsDescription, envelopeKey, IV);
if (request.IsLastPart == false)
{
if (contextForEncryption.IsFinalPart == true)
{
throw new AmazonClientException("Last part has already been processed, cannot upload this as the last part");
}
if (request.PartNumber < contextForEncryption.PartNumber)
{
throw new AmazonClientException("Upload Parts must in correct sequence");
}
request.InputStream = EncryptionUtils.EncryptUploadPartRequestUsingInstructions(request.InputStream, instructions);
contextForEncryption.PartNumber = request.PartNumber;
}
else
{
request.InputStream = EncryptionUtils.EncryptRequestUsingInstruction(request.InputStream, instructions);
contextForEncryption.IsFinalPart = true;
}
request.RequestState.Add(S3CryptoStream, request.InputStream);
}
//wrap encrypted stream into AESDecriptionStream wrapper
internal static Stream DecryptStream(Stream encryptedStream, EncryptionInstructions encryptionInstructions)
{
AESDecryptionStream aesDecryptStream;
aesDecryptStream = new AESDecryptionStream(encryptedStream, encryptionInstructions.EnvelopeKey, encryptionInstructions.InitializationVector);
return(aesDecryptStream);
}
/// <summary>
/// Updates object where the object input stream contains the decrypted contents.
/// </summary>
/// <param name="objectResponse">
/// The getObject response whose contents are to be decrypted.
/// </param>
private void DecryptObjectUsingMetadata(GetObjectResponse objectResponse)
{
// Create an instruction object from the object metadata
EncryptionInstructions instructions = EncryptionUtils.BuildInstructionsFromObjectMetadata(objectResponse, this.encryptionMaterials);
// Decrypt the object with the instruction
EncryptionUtils.DecryptObjectUsingInstructions(objectResponse, instructions);
}
/// <summary>
/// Updates object where the object input stream contains the decrypted contents.
/// </summary>
/// <param name="instructionFileResponse">
/// The getObject response of InstructionFile.
/// </param>
/// <param name="response">
/// The getObject response whose contents are to be decrypted.
/// </param>
private void DecryptObjectUsingInstructionFile(GetObjectResponse response, GetObjectResponse instructionFileResponse)
{
// Create an instruction object from the instruction file response
EncryptionInstructions instructions = EncryptionUtils.BuildInstructionsUsingInstructionFile(instructionFileResponse, this.encryptionMaterials);
// Decrypt the object with the instructions
EncryptionUtils.DecryptObjectUsingInstructions(response, instructions);
}
/// <summary>
/// Returns an updated stream where the stream contains the encrypted object contents.
/// The specified instruction will be used to encrypt data.
/// </summary>
/// <param name="toBeEncrypted">
/// The stream whose contents are to be encrypted.
/// </param>
/// <param name="instructions">
/// The instruction that will be used to encrypt the object data.
/// </param>
/// <returns>
/// Encrypted stream, i.e input stream wrapped into encrypted stream
/// </returns>
internal static Stream EncryptRequestUsingInstruction(Stream toBeEncrypted, EncryptionInstructions instructions)
{
//wrap input stream into AESEncryptionPutObjectStream wrapper
AESEncryptionPutObjectStream aesEStream;
aesEStream = new AESEncryptionPutObjectStream(toBeEncrypted, instructions.EnvelopeKey, instructions.InitializationVector);
return(aesEStream);
}
/// <summary>
/// Updates the request where the metadata contains encryption information
/// and the input stream contains the encrypted object contents.
/// </summary>
/// <param name="putObjectRequest">
/// The request whose contents are to be encrypted.
/// </param>
private void GenerateEncryptedObjectRequestUsingMetadata(PutObjectRequest putObjectRequest)
{
// Create instruction
EncryptionInstructions instructions = EncryptionUtils.GenerateInstructions(this.encryptionMaterials);
EncryptionUtils.AddUnencryptedContentLengthToMetadata(putObjectRequest);
// Encrypt the object data with the instruction
putObjectRequest.InputStream = EncryptionUtils.EncryptRequestUsingInstruction(putObjectRequest.InputStream, instructions);
// Update the metadata
EncryptionUtils.UpdateMetadataWithEncryptionInstructions(putObjectRequest, instructions);
}
/// <summary>
/// Updates the request where the instruction file contains encryption information
/// and the input stream contains the encrypted object contents.
/// </summary>
/// <param name="putObjectRequest"></param>
private void GenerateEncryptedObjectRequestUsingInstructionFile(PutObjectRequest putObjectRequest)
{
// Create instruction
EncryptionInstructions instructions = EncryptionUtils.GenerateInstructions(this.encryptionMaterials);
EncryptionUtils.AddUnencryptedContentLengthToMetadata(putObjectRequest);
// Encrypt the object data with the instruction
putObjectRequest.InputStream = EncryptionUtils.EncryptRequestUsingInstruction(putObjectRequest.InputStream, instructions);
// Create request for uploading instruction file
PutObjectRequest instructionFileRequest = EncryptionUtils.CreateInstructionFileRequest(putObjectRequest, instructions);
S3ClientForInstructionFile.PutObject(instructionFileRequest);
}
/// <summary>
/// Update the request's ObjectMetadata with the necessary information for decrypting the object.
/// </summary>
/// <param name="request">
/// AmazonWebServiceRequest encrypted using the given instruction
/// </param>
/// <param name="instructions">
/// Non-null instruction used to encrypt the data in this AmazonWebServiceRequest .
/// </param>
/// <param name="useV2Metadata">
/// If true use V2 metadata format, otherwise use V1.
/// </param>
internal static void UpdateMetadataWithEncryptionInstructions(
AmazonWebServiceRequest request, EncryptionInstructions instructions,
bool useV2Metadata)
{
byte[] keyBytesToStoreInMetadata = instructions.EncryptedEnvelopeKey;
string base64EncodedEnvelopeKey = Convert.ToBase64String(keyBytesToStoreInMetadata);
byte[] IVToStoreInMetadata = instructions.InitializationVector;
string base64EncodedIV = Convert.ToBase64String(IVToStoreInMetadata);
MetadataCollection metadata = null;
var putObjectRequest = request as PutObjectRequest;
if (putObjectRequest != null)
{
metadata = putObjectRequest.Metadata;
}
var initiateMultipartrequest = request as InitiateMultipartUploadRequest;
if (initiateMultipartrequest != null)
{
metadata = initiateMultipartrequest.Metadata;
}
if (metadata != null)
{
if (useV2Metadata)
{
metadata.Add(XAmzKeyV2, base64EncodedEnvelopeKey);
metadata.Add(XAmzWrapAlg, XAmzWrapAlgValue);
metadata.Add(XAmzCEKAlg, XAmzCEKAlgValue);
}
else
{
metadata.Add(XAmzKey, base64EncodedEnvelopeKey);
}
metadata.Add(XAmzIV, base64EncodedIV);
metadata.Add(XAmzMatDesc, JsonMapper.ToJson(instructions.MaterialsDescription));
}
}
/// <summary>
/// Performs encryption for PutObject and MultiPartUpload,
/// also adding encryption information to object metadata or
/// instruction file
/// </summary>
/// <param name="request">AmazonWebServiceRequest on which encryption is performed </param>
protected override void ProcessPreRequestHandlers(AmazonWebServiceRequest request)
{
base.ProcessPreRequestHandlers(request);
var putObjectRequest = request as PutObjectRequest;
if (putObjectRequest != null)
{
if (this.amazonS3CryptoConfig.StorageMode == CryptoStorageMode.InstructionFile)
{
GenerateEncryptedObjectRequestUsingInstructionFile(putObjectRequest);
}
else
{
GenerateEncryptedObjectRequestUsingMetadata(putObjectRequest);
}
}
var initiateMultiPartRequest = request as InitiateMultipartUploadRequest;
if (initiateMultiPartRequest != null)
{
EncryptionInstructions instructions = EncryptionUtils.GenerateInstructions(this.encryptionMaterials);
if (this.amazonS3CryptoConfig.StorageMode == CryptoStorageMode.ObjectMetadata)
{
EncryptionUtils.UpdateMetadataWithEncryptionInstructions(initiateMultiPartRequest, instructions);
}
initiateMultiPartRequest.EnvelopeKey = instructions.EnvelopeKey;
initiateMultiPartRequest.IV = instructions.InitializationVector;
}
var uploadPartRequest = request as UploadPartRequest;
if (uploadPartRequest != null)
{
GenerateEncryptedUploadPartRequest(uploadPartRequest);
}
}
/// <summary>
/// Returns an updated input stream where the input stream contains the encrypted object contents.
/// The specified instruction will be used to encrypt data.
/// </summary>
/// <param name="toBeEncrypted">
/// The stream whose contents are to be encrypted.
/// </param>
/// <param name="instructions">
/// The instruction that will be used to encrypt the object data.
/// </param>
/// <returns>
/// Encrypted stream, i.e input stream wrapped into encrypted stream
/// </returns>
internal static Stream EncryptUploadPartRequestUsingInstructions(Stream toBeEncrypted, EncryptionInstructions instructions)
{
//wrap input stream into AESEncryptionStreamForUploadPart wrapper
AESEncryptionUploadPartStream aesEStream;
aesEStream = new AESEncryptionUploadPartStream(toBeEncrypted, instructions.EnvelopeKey, instructions.InitializationVector);
return aesEStream;
}
/// <summary>
/// Returns an updated stream where the stream contains the encrypted object contents.
/// The specified instruction will be used to encrypt data.
/// </summary>
/// <param name="toBeEncrypted">
/// The stream whose contents are to be encrypted.
/// </param>
/// <param name="instructions">
/// The instruction that will be used to encrypt the object data.
/// </param>
/// <returns>
/// Encrypted stream, i.e input stream wrapped into encrypted stream
/// </returns>
internal static Stream EncryptRequestUsingInstruction(Stream toBeEncrypted, EncryptionInstructions instructions)
{
//wrap input stream into AESEncryptionPutObjectStream wrapper
AESEncryptionPutObjectStream aesEStream;
aesEStream = new AESEncryptionPutObjectStream(toBeEncrypted, instructions.EnvelopeKey, instructions.InitializationVector);
return aesEStream;
}
/// <summary>
/// Updates object where the object
/// input stream contains the decrypted contents.
/// </summary>
/// <param name="response">
/// The getObject response whose contents are to be decrypted.
/// </param>
/// <param name="instructions">
/// The instruction that will be used to encrypt the object data.
/// </param>
internal static void DecryptObjectUsingInstructions(GetObjectResponse response, EncryptionInstructions instructions)
{
response.ResponseStream = DecryptStream(response.ResponseStream, instructions);
}
/// <summary>
/// Performs decryption of data by getting encryption information
/// from object metadata or instruction file.
/// </summary>
/// <param name="response">AmazonWebServiceResponse on which decryption is performed</param>
/// <param name="request">IRequest</param>
/// <param name="webResponseData">IWebResponseData</param>
protected override void ProcessResponseHandlers(AmazonWebServiceResponse response, IRequest request, IWebResponseData webResponseData)
{
base.ProcessResponseHandlers(response, request, webResponseData);
var initiateMultiPartUploadRequest = request.OriginalRequest as InitiateMultipartUploadRequest;
var initiateMultiPartResponse = response as InitiateMultipartUploadResponse;
if (initiateMultiPartResponse != null)
{
byte[] envelopeKey = initiateMultiPartUploadRequest.EnvelopeKey;
byte[] iv = initiateMultiPartUploadRequest.IV;
UploadPartEncryptionContext contextForEncryption = new UploadPartEncryptionContext();
contextForEncryption.EnvelopeKey = envelopeKey;
contextForEncryption.NextIV = iv;
contextForEncryption.FirstIV = iv;
contextForEncryption.PartNumber = 0;
//Add context for encryption of next part
currentMultiPartUploadKeys.Add(initiateMultiPartResponse.UploadId, contextForEncryption);
}
var uploadPartRequest = request.OriginalRequest as UploadPartRequest;
var uploadPartResponse = response as UploadPartResponse;
if (uploadPartResponse != null)
{
string uploadID = uploadPartRequest.UploadId;
UploadPartEncryptionContext encryptedUploadedContext = null;
if (!currentMultiPartUploadKeys.TryGetValue(uploadID, out encryptedUploadedContext))
throw new AmazonS3Exception("encryption context for multi part upload not found");
if (uploadPartRequest.IsLastPart == false)
{
object stream = null;
if (!uploadPartRequest.RequestState.TryGetValue(S3CryptoStream, out stream))
throw new AmazonS3Exception("cannot retrieve S3 crypto stream from request state, hence cannot get Initialization vector for next uploadPart ");
var encryptionStream = stream as AESEncryptionUploadPartStream;
encryptedUploadedContext.NextIV = encryptionStream.InitializationVector;
}
}
var getObjectResponse = response as GetObjectResponse;
if (getObjectResponse != null)
{
if (EncryptionUtils.IsEncryptionInfoInMetadata(getObjectResponse) == true)
{
DecryptObjectUsingMetadata(getObjectResponse);
}
else
{
GetObjectResponse instructionFileResponse = null;
try
{
GetObjectRequest instructionFileRequest = EncryptionUtils.GetInstructionFileRequest(getObjectResponse);
instructionFileResponse = S3ClientForInstructionFile.GetObject(instructionFileRequest);
}
catch (AmazonServiceException ace)
{
throw new AmazonServiceException(string.Format(CultureInfo.InvariantCulture, "Unable to decrypt data for object {0} in bucket {1}",
getObjectResponse.Key, getObjectResponse.BucketName), ace);
}
if (EncryptionUtils.IsEncryptionInfoInInstructionFile(instructionFileResponse) == true)
{
DecryptObjectUsingInstructionFile(getObjectResponse, instructionFileResponse);
}
}
}
var completeMultiPartUploadRequest = request.OriginalRequest as CompleteMultipartUploadRequest;
var completeMultipartUploadResponse = response as CompleteMultipartUploadResponse;
if (completeMultipartUploadResponse != null)
{
if (amazonS3CryptoConfig.StorageMode == CryptoStorageMode.InstructionFile)
{
UploadPartEncryptionContext context = currentMultiPartUploadKeys[completeMultiPartUploadRequest.UploadId];
byte[] envelopeKey = context.EnvelopeKey;
byte[] iv = context.FirstIV;
byte[] encryptedEnvelopeKey = EncryptionUtils.EncryptEnvelopeKey(envelopeKey, this.encryptionMaterials);
EncryptionInstructions instructions = new EncryptionInstructions(EncryptionMaterials.EmptyMaterialsDescription, envelopeKey, encryptedEnvelopeKey, iv);
PutObjectRequest instructionFileRequest = EncryptionUtils.CreateInstructionFileRequest(completeMultiPartUploadRequest, instructions);
S3ClientForInstructionFile.PutObject(instructionFileRequest);
}
//Clear Context data since encryption is completed
currentMultiPartUploadKeys.Clear();
}
}
/// <summary>
/// Updates the request where the input stream contains the encrypted object contents.
/// </summary>
/// <param name="request"></param>
private void GenerateEncryptedUploadPartRequest(UploadPartRequest request)
{
string uploadID = request.UploadId;
UploadPartEncryptionContext contextForEncryption = currentMultiPartUploadKeys[uploadID];
byte[] envelopeKey = contextForEncryption.EnvelopeKey;
byte[] IV = contextForEncryption.NextIV;
EncryptionInstructions instructions = new EncryptionInstructions(EncryptionMaterials.EmptyMaterialsDescription, envelopeKey, IV);
if (request.IsLastPart == false)
{
if (contextForEncryption.IsFinalPart == true)
throw new AmazonClientException("Last part has already been processed, cannot upload this as the last part");
if (request.PartNumber < contextForEncryption.PartNumber)
throw new AmazonClientException("Upload Parts must in correct sequence");
request.InputStream = EncryptionUtils.EncryptUploadPartRequestUsingInstructions(request.InputStream, instructions);
contextForEncryption.PartNumber = request.PartNumber;
}
else
{
request.InputStream = EncryptionUtils.EncryptRequestUsingInstruction(request.InputStream, instructions);
contextForEncryption.IsFinalPart = true;
}
request.RequestState.Add(S3CryptoStream, request.InputStream);
}
internal static PutObjectRequest CreateInstructionFileRequest(AmazonWebServiceRequest request, EncryptionInstructions instructions)
{
byte[] keyBytesToStoreInInstructionFile = instructions.EncryptedEnvelopeKey;
string base64EncodedEnvelopeKey = Convert.ToBase64String(keyBytesToStoreInInstructionFile);
byte[] IVToStoreInInstructionFile = instructions.InitializationVector;
string base64EncodedIV = Convert.ToBase64String(IVToStoreInInstructionFile);
JsonData jsonData = new JsonData();
jsonData["EncryptedEnvelopeKey"] = base64EncodedEnvelopeKey;
jsonData["IV"] = base64EncodedIV;
string credentials = jsonData.ToJson();
var putObjectRequest = request as PutObjectRequest;
if (putObjectRequest != null)
{
PutObjectRequest requestforInstructionFile = new PutObjectRequest()
{
BucketName = putObjectRequest.BucketName,
Key = putObjectRequest.Key + instructionfileSuffix,
ContentBody = credentials
};
requestforInstructionFile.Metadata.Add(instructionFileInfo, "");
return requestforInstructionFile;
}
var completeMultiPartRequest = request as CompleteMultipartUploadRequest;
if (completeMultiPartRequest != null)
{
PutObjectRequest requestforInstructionFile = new PutObjectRequest()
{
BucketName = completeMultiPartRequest.BucketName,
Key = completeMultiPartRequest.Key + instructionfileSuffix,
ContentBody = credentials
};
requestforInstructionFile.Metadata.Add(instructionFileInfo, "");
return requestforInstructionFile;
}
else
return null;
}
/// <summary>
/// Update the request's ObjectMetadata with the necessary information for decrypting the object.
/// </summary>
/// <param name="request">
/// AmazonWebServiceRequest encrypted using the given instruction
/// </param>
/// <param name="instructions">
/// Non-null instruction used to encrypt the data in this AmazonWebServiceRequest .
/// </param>
internal static void UpdateMetadataWithEncryptionInstructions(AmazonWebServiceRequest request, EncryptionInstructions instructions)
{
byte[] keyBytesToStoreInMetadata = instructions.EncryptedEnvelopeKey;
string base64EncodedEnvelopeKey = Convert.ToBase64String(keyBytesToStoreInMetadata);
byte[] IVToStoreInMetadata = instructions.InitializationVector;
string base64EncodedIV = Convert.ToBase64String(IVToStoreInMetadata);
var putObjectRequest = request as PutObjectRequest;
if (putObjectRequest != null)
{
MetadataCollection metadata = putObjectRequest.Metadata;
metadata.Add(keyInMetadata, base64EncodedEnvelopeKey);
metadata.Add(initVectorInMetadata, base64EncodedIV);
Dictionary<string, string> materialsDescription = instructions.MaterialsDescription;
if (materialsDescription.Count == 0)
metadata.Add(encryptionMaterialsDescription, "{}");
putObjectRequest.Metadata = metadata;
}
var initiateMultipartrequest = request as InitiateMultipartUploadRequest;
if (initiateMultipartrequest != null)
{
MetadataCollection metadata = initiateMultipartrequest.Metadata;
metadata.Add(keyInMetadata, base64EncodedEnvelopeKey);
metadata.Add(initVectorInMetadata, base64EncodedIV);
Dictionary<string, string> materialsDescription = instructions.MaterialsDescription;
if (materialsDescription.Count == 0)
metadata.Add(encryptionMaterialsDescription, "{}");
initiateMultipartrequest.Metadata = metadata;
}
}
//wrap encrypted stream into AESDecriptionStream wrapper
internal static Stream DecryptStream(Stream encryptedStream, EncryptionInstructions encryptionInstructions)
{
AESDecryptionStream aesDecryptStream;
aesDecryptStream = new AESDecryptionStream(encryptedStream, encryptionInstructions.EnvelopeKey, encryptionInstructions.InitializationVector);
return aesDecryptStream;
}
/// <summary>
/// Performs decryption of data by getting encryption information
/// from object metadata or instruction file.
/// </summary>
/// <param name="response">AmazonWebServiceResponse on which decryption is performed</param>
/// <param name="request">IRequest</param>
/// <param name="webResponseData">IWebResponseData</param>
protected override void ProcessResponseHandlers(AmazonWebServiceResponse response, IRequest request, IWebResponseData webResponseData)
{
base.ProcessResponseHandlers(response, request, webResponseData);
var initiateMultiPartUploadRequest = request.OriginalRequest as InitiateMultipartUploadRequest;
var initiateMultiPartResponse = response as InitiateMultipartUploadResponse;
if (initiateMultiPartResponse != null)
{
byte[] envelopeKey = initiateMultiPartUploadRequest.EnvelopeKey;
byte[] iv = initiateMultiPartUploadRequest.IV;
UploadPartEncryptionContext contextForEncryption = new UploadPartEncryptionContext();
contextForEncryption.EnvelopeKey = envelopeKey;
contextForEncryption.NextIV = iv;
contextForEncryption.FirstIV = iv;
contextForEncryption.PartNumber = 0;
//Add context for encryption of next part
currentMultiPartUploadKeys.Add(initiateMultiPartResponse.UploadId, contextForEncryption);
}
var uploadPartRequest = request.OriginalRequest as UploadPartRequest;
var uploadPartResponse = response as UploadPartResponse;
if (uploadPartResponse != null)
{
string uploadID = uploadPartRequest.UploadId;
UploadPartEncryptionContext encryptedUploadedContext = null;
if (!currentMultiPartUploadKeys.TryGetValue(uploadID, out encryptedUploadedContext))
{
throw new AmazonS3Exception("encryption context for multi part upload not found");
}
if (uploadPartRequest.IsLastPart == false)
{
object stream = null;
if (!uploadPartRequest.RequestState.TryGetValue(S3CryptoStream, out stream))
{
throw new AmazonS3Exception("cannot retrieve S3 crypto stream from request state, hence cannot get Initialization vector for next uploadPart ");
}
var encryptionStream = stream as AESEncryptionUploadPartStream;
encryptedUploadedContext.NextIV = encryptionStream.InitializationVector;
}
}
var getObjectResponse = response as GetObjectResponse;
if (getObjectResponse != null)
{
if (EncryptionUtils.IsEncryptionInfoInMetadata(getObjectResponse) == true)
{
DecryptObjectUsingMetadata(getObjectResponse);
}
else
{
GetObjectResponse instructionFileResponse = null;
try
{
GetObjectRequest instructionFileRequest = EncryptionUtils.GetInstructionFileRequest(getObjectResponse);
instructionFileResponse = S3ClientForInstructionFile.GetObject(instructionFileRequest);
}
catch (AmazonServiceException ace)
{
throw new AmazonServiceException(string.Format(CultureInfo.InvariantCulture, "Unable to decrypt data for object {0} in bucket {1}",
getObjectResponse.Key, getObjectResponse.BucketName), ace);
}
if (EncryptionUtils.IsEncryptionInfoInInstructionFile(instructionFileResponse) == true)
{
DecryptObjectUsingInstructionFile(getObjectResponse, instructionFileResponse);
}
}
}
var completeMultiPartUploadRequest = request.OriginalRequest as CompleteMultipartUploadRequest;
var completeMultipartUploadResponse = response as CompleteMultipartUploadResponse;
if (completeMultipartUploadResponse != null)
{
if (amazonS3CryptoConfig.StorageMode == CryptoStorageMode.InstructionFile)
{
UploadPartEncryptionContext context = currentMultiPartUploadKeys[completeMultiPartUploadRequest.UploadId];
byte[] envelopeKey = context.EnvelopeKey;
byte[] iv = context.FirstIV;
byte[] encryptedEnvelopeKey = EncryptionUtils.EncryptEnvelopeKey(envelopeKey, this.encryptionMaterials);
EncryptionInstructions instructions = new EncryptionInstructions(EncryptionMaterials.EmptyMaterialsDescription, envelopeKey, encryptedEnvelopeKey, iv);
PutObjectRequest instructionFileRequest = EncryptionUtils.CreateInstructionFileRequest(completeMultiPartUploadRequest, instructions);
S3ClientForInstructionFile.PutObject(instructionFileRequest);
}
//Clear Context data since encryption is completed
currentMultiPartUploadKeys.Clear();
}
}
/// <summary>
/// Update the request's ObjectMetadata with the necessary information for decrypting the object.
/// </summary>
/// <param name="request">
/// AmazonWebServiceRequest encrypted using the given instruction
/// </param>
/// <param name="instructions">
/// Non-null instruction used to encrypt the data in this AmazonWebServiceRequest .
/// </param>
internal static void UpdateMetadataWithEncryptionInstructions(AmazonWebServiceRequest request, EncryptionInstructions instructions)
{
byte[] keyBytesToStoreInMetadata = instructions.EncryptedEnvelopeKey;
string base64EncodedEnvelopeKey = Convert.ToBase64String(keyBytesToStoreInMetadata);
byte[] IVToStoreInMetadata = instructions.InitializationVector;
string base64EncodedIV = Convert.ToBase64String(IVToStoreInMetadata);
var putObjectRequest = request as PutObjectRequest;
if (putObjectRequest != null)
{
MetadataCollection metadata = putObjectRequest.Metadata;
metadata.Add(keyInMetadata, base64EncodedEnvelopeKey);
metadata.Add(initVectorInMetadata, base64EncodedIV);
Dictionary <string, string> materialsDescription = instructions.MaterialsDescription;
if (materialsDescription.Count == 0)
{
metadata.Add(encryptionMaterialsDescription, "{}");
}
putObjectRequest.Metadata = metadata;
}
var initiateMultipartrequest = request as InitiateMultipartUploadRequest;
if (initiateMultipartrequest != null)
{
MetadataCollection metadata = initiateMultipartrequest.Metadata;
metadata.Add(keyInMetadata, base64EncodedEnvelopeKey);
metadata.Add(initVectorInMetadata, base64EncodedIV);
Dictionary <string, string> materialsDescription = instructions.MaterialsDescription;
if (materialsDescription.Count == 0)
{
metadata.Add(encryptionMaterialsDescription, "{}");
}
initiateMultipartrequest.Metadata = metadata;
}
}
internal static PutObjectRequest CreateInstructionFileRequest(AmazonWebServiceRequest request, EncryptionInstructions instructions)
{
byte[] keyBytesToStoreInInstructionFile = instructions.EncryptedEnvelopeKey;
string base64EncodedEnvelopeKey = Convert.ToBase64String(keyBytesToStoreInInstructionFile);
byte[] IVToStoreInInstructionFile = instructions.InitializationVector;
string base64EncodedIV = Convert.ToBase64String(IVToStoreInInstructionFile);
JsonData jsonData = new JsonData();
jsonData["EncryptedEnvelopeKey"] = base64EncodedEnvelopeKey;
jsonData["IV"] = base64EncodedIV;
string credentials = jsonData.ToJson();
var putObjectRequest = request as PutObjectRequest;
if (putObjectRequest != null)
{
PutObjectRequest requestforInstructionFile = new PutObjectRequest()
{
BucketName = putObjectRequest.BucketName,
Key = putObjectRequest.Key + S3Constants.EncryptionInstructionfileSuffix,
ContentBody = credentials
};
requestforInstructionFile.Metadata.Add(instructionFileInfo, "");
return(requestforInstructionFile);
}
var completeMultiPartRequest = request as CompleteMultipartUploadRequest;
if (completeMultiPartRequest != null)
{
PutObjectRequest requestforInstructionFile = new PutObjectRequest()
{
BucketName = completeMultiPartRequest.BucketName,
Key = completeMultiPartRequest.Key + S3Constants.EncryptionInstructionfileSuffix,
ContentBody = credentials
};
requestforInstructionFile.Metadata.Add(instructionFileInfo, "");
return(requestforInstructionFile);
}
else
{
return(null);
}
}
/// <summary>
/// Updates object where the object
/// input stream contains the decrypted contents.
/// </summary>
/// <param name="response">
/// The getObject response whose contents are to be decrypted.
/// </param>
/// <param name="instructions">
/// The instruction that will be used to encrypt the object data.
/// </param>
internal static void DecryptObjectUsingInstructions(GetObjectResponse response, EncryptionInstructions instructions)
{
response.ResponseStream = DecryptStream(response.ResponseStream, instructions);
}
