internal GenerateDataKeyResponse GenerateDataKey(GenerateDataKeyRequest request) { var marshaller = new GenerateDataKeyRequestMarshaller(); var unmarshaller = GenerateDataKeyResponseUnmarshaller.Instance; return(Invoke <GenerateDataKeyRequest, GenerateDataKeyResponse>(request, marshaller, unmarshaller)); }
/// <summary> /// Generates a data key for the specified master key. This will return both /// the plaintext key that you can use for encryption/decryption and the /// same key as protected by the master key. /// </summary> /// <param name="keyId">The identifier of the key we should use to generate and protect the data key.</param> /// <returns>Result containing the plaintext representation of the generated data key /// which can be used for encryption/decryption, an encrypted version of the /// data key encrypted by the master key and the ID of the key that was used.</returns> /// <exception cref="KeyManagementServiceUnavailableException"></exception> public GenerateDataKeyResult GenerateDataKey(string keyId) { if (_disposed) { throw new ObjectDisposedException("AwsKmsKeyManager"); } ValidateMasterKey(keyId); var res = RetryPolicy.ExecuteAndCapture(() => { var req = new GenerateDataKeyRequest { KeyId = keyId, KeySpec = DataKeySpec.AES_128 }; var t = _client.GenerateDataKeyAsync(req); t.ConfigureAwait(false); return(t.GetAwaiter().GetResult()); }); ValidateResponse(res); var result = (GenerateDataKeyResponse)res.Result; return(new GenerateDataKeyResult { KeyId = keyId, CipherTextKey = result.CiphertextBlob.ToArray(), PlainTextKey = result.Plaintext.ToArray() }); }
public void GenerateKey(int keyBits, out byte[] key, out byte[] encryptedKey, IDictionary <string, string> context) { DataKeySpec keySpec; if (keyBits == 128) { keySpec = DataKeySpec.AES_128; } else if (keyBits == 256) { keySpec = DataKeySpec.AES_256; } else { throw new ArgumentException("only 128 and 256 bit keys are supported", "keyBits"); } var request = new GenerateDataKeyRequest { KeyId = _keyId, KeySpec = keySpec, EncryptionContext = AsDictionary(context) }; GenerateDataKeyResponse response = _client.GenerateDataKey(request); key = response.Plaintext.ToArray(); encryptedKey = response.CiphertextBlob.ToArray(); }
public void GenerateKey_Ok(int bits, string keySpec, bool throws) { var kmsClientMock = new Mock <IAmazonKeyManagementService>(); var provider = new KmsDataKeyProvider(kmsClientMock.Object, "myKey"); GenerateDataKeyRequest requestSent = null; kmsClientMock.Setup(x => x.GenerateDataKey(It.IsAny <GenerateDataKeyRequest>())) .Returns((GenerateDataKeyRequest req) => { requestSent = req; return(new GenerateDataKeyResponse { CiphertextBlob = new MemoryStream(Bytes(1, 2, 3)), Plaintext = new MemoryStream(Bytes(4, 5, 6)), }); }); byte[] key = null, encryptedKey = null; Action invocation = provider.Invoking(p => p.GenerateKey(bits, out key, out encryptedKey)); if (throws) { invocation.ShouldThrow <ArgumentException>(); } else { invocation.ShouldNotThrow(); key.Should().Equal(Bytes(4, 5, 6)); encryptedKey.Should().Equal(Bytes(1, 2, 3)); requestSent.KeyId.Should().Be("myKey"); requestSent.KeySpec.ToString().Should().Be(keySpec); requestSent.EncryptionContext.Should().BeEmpty(); } }
/// <summary> /// Initiates the asynchronous execution of the GenerateDataKey operation. /// </summary> /// /// <param name="request">Container for the necessary parameters to execute the GenerateDataKey operation.</param> /// <param name="cancellationToken"> /// A cancellation token that can be used by other objects or threads to receive notice of cancellation. /// </param> /// <returns>The task object representing the asynchronous operation.</returns> public Task <GenerateDataKeyResponse> GenerateDataKeyAsync(GenerateDataKeyRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken)) { var marshaller = new GenerateDataKeyRequestMarshaller(); var unmarshaller = GenerateDataKeyResponseUnmarshaller.Instance; return(InvokeAsync <GenerateDataKeyRequest, GenerateDataKeyResponse>(request, marshaller, unmarshaller, cancellationToken)); }
static void UploadManualEncrypt(string filePath) { string kmsKeyID = ""; var objectKey = System.IO.Path.GetFileName(filePath); using (var aes = Aes.Create()) using (var kmsClient = new AmazonKeyManagementServiceClient(defaultEndpoint)) { //Get the key from KMS kmsKeyID = GetKeyByAlias(keyName, kmsClient); //Generate a data key for the specific object var dataKeyRequest = new GenerateDataKeyRequest(); dataKeyRequest.KeyId = kmsKeyID; dataKeyRequest.KeySpec = DataKeySpec.AES_256; //Set the encryption context for your AAD dataKeyRequest.EncryptionContext["MyContext"] = myContext; var dataKeyResponse = kmsClient.GenerateDataKeyAsync(dataKeyRequest).GetAwaiter().GetResult(); var fileData = new FileStream(filePath, FileMode.Open, FileAccess.Read); Stream output = new MemoryStream(); //Write the length of the encrypted key first so we can retrieve it later output.WriteByte((byte)dataKeyResponse?.CiphertextBlob?.Length); //Write the encrypted key to next dataKeyResponse.CiphertextBlob.CopyTo(output); aes.Key = dataKeyResponse.Plaintext.ToArray(); //Then write the IV, since IV is fixed length we don't have to worry about storing the IV length output.Write(aes.IV, 0, aes.IV.Length); using (var cs = new CryptoStream(output, aes.CreateEncryptor(), CryptoStreamMode.Write)) { //Now encrypt the file data into the stream fileData.CopyTo(cs); cs.FlushFinalBlock(); using (var s3client = new AmazonS3Client(defaultEndpoint)) { var putRequest = new PutObjectRequest { BucketName = bucketName, Key = objectKey, InputStream = output }; //All of this metadata is optional, you do not have to include any of this //I am just putting it here if you want to store it in the metadata along with the object //The encrypted data key and IV are already stored with the file, you will need a way to look up the context and keyid putRequest.Metadata.Add("x-amz-meta-client-side-encryption-context", myContext); putRequest.Metadata.Add("x-amz-meta-client-side-encryption-aws-kms-key-id", kmsKeyID); putRequest.Metadata.Add("x-amz-meta-cipherblob", Convert.ToBase64String(dataKeyResponse.CiphertextBlob.ToArray())); putRequest.Metadata.Add("x-amz-meta-x-amz-iv", Convert.ToBase64String(aes.IV)); s3client.PutObjectAsync(putRequest).GetAwaiter().GetResult(); } } } }
public void X2() { var request = new GenerateDataKeyRequest { KeyId = "1", KeySpec = KeySpec.AES_128 }; Assert.Equal( @"{ ""KeyId"": ""1"", ""KeySpec"": ""AES_128"" }", JsonObject.FromObject(request).ToString()); }
public void B() { var request = new GenerateDataKeyRequest { KeyId = "1", KeySpec = KeySpec.AES_128 }; Assert.Equal( @"{ ""KeyId"": ""1"", ""KeySpec"": ""AES_128"" }", JsonSerializer.Serialize(request, JSO.Default)); }
/// <summary> /// 本接口生成一个数据密钥,您可以用这个密钥进行本地数据的加密。 /// </summary> /// <param name="req"><see cref="GenerateDataKeyRequest"/></param> /// <returns><see cref="GenerateDataKeyResponse"/></returns> public GenerateDataKeyResponse GenerateDataKeySync(GenerateDataKeyRequest req) { JsonResponseModel <GenerateDataKeyResponse> rsp = null; try { var strResp = this.InternalRequestSync(req, "GenerateDataKey"); rsp = JsonConvert.DeserializeObject <JsonResponseModel <GenerateDataKeyResponse> >(strResp); } catch (JsonSerializationException e) { throw new TencentCloudSDKException(e.Message); } return(rsp.Response); }
public void A() { var request = new GenerateDataKeyRequest { KeyId = "1", KeySpec = KeySpec.AES_128, NumberOfBytes = 128 // 128, 256, 512, and 1024 }; Assert.Equal( @"{ ""KeyId"": ""1"", ""KeySpec"": ""AES_128"", ""NumberOfBytes"": 128 }", JsonSerializer.Serialize(request, JSO.Default).ToString()); }
private SecureString GetDataKeyFromKms(string application, string tenantId, string keyIdentifier) { using (var scope = new ProfileContext($"Generating new crypto key using kms for {application} {tenantId}")) { GenerateDataKeyRequest request = null; GenerateDataKeyResponse response = null; bool isSuccess = false; try { var client = _kmsClientFactory.GetGlobalClient(); request = GetGenerateDataKeyRequest(application, tenantId, keyIdentifier); var waitHandle = new ManualResetEvent(false); Task.Factory.StartNew(async() => { try { response = await client.GenerateDataKeyAsync(request); } catch (Exception ex) { Platform.Common.ExceptionPolicy.HandleException(ex, Constants.LogOnlyPolicy); throw Errors.ServerSide.KMSCommunicationError(); } finally { waitHandle.Set(); } }); waitHandle.WaitOne(); if (response == null || response.HttpStatusCode != HttpStatusCode.OK) { throw Errors.ServerSide.KMSCommunicationError(); } //CiperTextBlob is Base64-encoded binary data _cryptoKeyStore.Add(application, tenantId, keyIdentifier, response.CiphertextBlob.ToArray()); isSuccess = true; //PlaintText is Base64-encoded binary data return(ConvertStreamToSecureString(response.Plaintext)); } finally { LogRQRS(request, SanitizedResponse(response), application, tenantId, "aws_kms_provider", "generate_datakey", isSuccess); } } }
public void X() { // 128, 256, 512, and 1024 var request = new GenerateDataKeyRequest { KeyId = "1", KeySpec = KeySpec.AES_128, NumberOfBytes = 128 }; Assert.Equal( @"{ ""KeyId"": ""1"", ""KeySpec"": ""AES_128"", ""NumberOfBytes"": 128 }", JsonObject.FromObject(request).ToString()); }
public async Task <CryptoData> EncryptWithKey(string data) { var keyReq = new GenerateDataKeyRequest { KeyId = this.keyId, KeySpec = DataKeySpec.AES_256 }; var dataKeyResponse = await client.GenerateDataKeyAsync(keyReq); var key = GetBase64StringFromStream(dataKeyResponse.CiphertextBlob); var plainTextKey = GetBase64StringFromStream(dataKeyResponse.Plaintext); var protector = dataProtectionProvider.CreateProtector(plainTextKey); var result = protector.Protect(data); return(new CryptoData { Encrypted = result, Key = key }); }
public static async Task <byte[]> EncryptData(string toEncrypt, AccountCredentials credentials, string region, CancellationToken token = default) { try { var jsonMemStream = new MemoryStream(System.Text.Encoding.UTF8.GetBytes(toEncrypt ?? "")); var cmk = credentials.cmk; var kmsClient = new AmazonKeyManagementServiceClient(credentials.AWSCredentials, RegionEndpoint.GetBySystemName(region)); kmsClient.ExceptionEvent += KmsClient_ExceptionEvent; var dataKeyRequest = new GenerateDataKeyRequest() { KeyId = cmk, //"alias/console-test1846939174-user1846939660" KeySpec = DataKeySpec.AES_128 }; GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyRequest); var plaintextKey = await StreamToByteArray(dataKeyResponse.Plaintext); var encryptedKey = await StreamToByteArray(dataKeyResponse.CiphertextBlob); var key = encryptedKey; var encryptedResponse = await kmsClient.EncryptAsync(new EncryptRequest() { KeyId = cmk, Plaintext = jsonMemStream, }, token); var dataBytes = await GetByteDataPackage(encryptedResponse, key); //var dataBytes = Encoding.ASCII.GetBytes(dataPack); return(dataBytes); } catch (Exception exc) //took just over 15 seconds { } return(null); }
/// <summary> /// 从KMS中获取一对数据密钥的明文/密文 /// </summary> /// <param name="request">请求参数信息</param> /// <returns>请求结果信息</returns> public async Task <GenerateDataKeyResponse> GenerateDataKey(GenerateDataKeyRequest request) { return(await new GenerateDataKeyExecutor().Client(this).Execute <GenerateDataKeyResponse, GenerateDataKeyResult, GenerateDataKeyRequest>(request).ConfigureAwait(false)); }
/// <summary> /// 从KMS中获取一对数据密钥的明文/密文 /// </summary> /// <param name="request">请求参数信息</param> /// <returns>请求结果信息</returns> public GenerateDataKeyResponse GenerateDataKey(GenerateDataKeyRequest request) { return(new GenerateDataKeyExecutor().Client(this).Execute <GenerateDataKeyResponse, GenerateDataKeyResult, GenerateDataKeyRequest>(request)); }