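/// <summary>
/// Generates an instruction that will be used to encrypt an object
/// using materials with the KMSKeyID set.
/// </summary>
/// <param name="kmsClient">
/// Used to call KMS to generate a data key.
/// </param>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt data.
/// </param>
/// <returns>
/// The instruction that will be used to encrypt an object: the materials description,
/// the plaintext and KMS-encrypted data key, a freshly generated IV, and the KMS wrap /
/// AES-CBC content-encryption algorithm identifiers.
/// </returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="kmsClient"/> or <paramref name="materials"/> is null,
/// or when <paramref name="materials"/> has no KMSKeyID set.
/// </exception>
internal static async System.Threading.Tasks.Task<EncryptionInstructions> GenerateInstructionsForKMSMaterialsAsync(IAmazonKeyManagementService kmsClient, EncryptionMaterials materials)
{
    if (kmsClient == null)
    {
        throw new ArgumentNullException(nameof(kmsClient));
    }
    if (materials == null)
    {
        throw new ArgumentNullException(nameof(materials));
    }
    if (materials.KMSKeyID == null)
    {
        throw new ArgumentNullException(nameof(materials.KMSKeyID), KmsKeyIdNullMessage);
    }

    // The IV must come from a cryptographic RNG; the generator is disposable and is
    // released as soon as the IV has been filled.
    var iv = new byte[IVLength];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(iv);
    }

    // Ask KMS for a data key under the configured CMK. The materials description is passed
    // alongside the key id — presumably as the KMS encryption context that binds the
    // returned ciphertext to this description (confirm against the GenerateDataKeyAsync overload).
    var generateDataKeyResult = await kmsClient.GenerateDataKeyAsync(materials.KMSKeyID, materials.MaterialsDescription, KMSKeySpec).ConfigureAwait(false);

    // KeyPlaintext is the content-encryption key and stays in memory only inside the
    // returned instructions; KeyCiphertext is what gets persisted next to the object.
    return new EncryptionInstructions(
        materials.MaterialsDescription,
        generateDataKeyResult.KeyPlaintext,
        generateDataKeyResult.KeyCiphertext,
        iv,
        XAmzWrapAlgKmsValue,
        XAmzAesCbcPaddingCekAlgValue);
}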
///<inheritdoc/>
public AmazonS3EncryptionClient(string awsAccessKeyId, string awsSecretAccessKey, string awsSessionToken, RegionEndpoint region, EncryptionMaterials materials)
    : base(awsAccessKeyId, awsSecretAccessKey, awsSessionToken, region, materials)
{
    // This overload receives no crypto configuration, so a default one is installed here.
    S3CryptoConfig = new AmazonS3CryptoConfiguration();
}
///<inheritdoc/>
public AmazonS3EncryptionClient(string awsAccessKeyId, string awsSecretAccessKey, AmazonS3CryptoConfiguration config, EncryptionMaterials materials)
    : base(awsAccessKeyId, awsSecretAccessKey, config, materials)
{
    // The caller-supplied configuration is handed to the base constructor; nothing else to set up.
}
///<inheritdoc/>
public AmazonS3EncryptionClient(AWSCredentials credentials, AmazonS3CryptoConfiguration config, EncryptionMaterials materials)
    : base(credentials, config, materials)
{
    // The caller-supplied configuration is handed to the base constructor; nothing else to set up.
}
///<inheritdoc/>
public AmazonS3EncryptionClient(AWSCredentials credentials, RegionEndpoint region, EncryptionMaterials materials)
    : base(credentials, region, materials)
{
    // This overload receives no crypto configuration, so a default one is installed here.
    S3CryptoConfig = new AmazonS3CryptoConfiguration();
}
///<inheritdoc/>
public AmazonS3EncryptionClient(AmazonS3CryptoConfiguration config, EncryptionMaterials materials)
    : base(config, materials)
{
    // The caller-supplied configuration is handed to the base constructor; nothing else to set up.
}
///<inheritdoc/>
public AmazonS3EncryptionClient(RegionEndpoint region, EncryptionMaterials materials)
    : base(region, materials)
{
    // This overload receives no crypto configuration, so a default one is installed here.
    S3CryptoConfig = new AmazonS3CryptoConfiguration();
}
///<inheritdoc/>
public AmazonS3EncryptionClient(EncryptionMaterials materials)
    : base(materials)
{
    // This overload receives no crypto configuration, so a default one is installed here.
    S3CryptoConfig = new AmazonS3CryptoConfiguration();
}
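/// <summary>
/// Build encryption instructions for UploadPartEncryptionContext, i.e. the instructions
/// that describe a multipart upload in an instruction file.
/// </summary>
/// <param name="context">UploadPartEncryptionContext which contains instructions used for encrypting multipart object</param>
/// <param name="encryptionMaterials">EncryptionMaterials which contains material used for encrypting multipart object</param>
/// <returns>
/// Instructions carrying the materials description plus the envelope key, the encrypted
/// envelope key and the first IV taken from <paramref name="context"/>.
/// </returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="context"/> or <paramref name="encryptionMaterials"/> is null.
/// </exception>
internal static EncryptionInstructions BuildEncryptionInstructionsForInstructionFile(UploadPartEncryptionContext context, EncryptionMaterials encryptionMaterials)
{
    // Fail with a named argument instead of a NullReferenceException deep in the constructor call.
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }
    if (encryptionMaterials == null)
    {
        throw new ArgumentNullException(nameof(encryptionMaterials));
    }

    // Only the first part's IV is recorded; presumably later parts chain from it — confirm in the multipart path.
    return new EncryptionInstructions(
        encryptionMaterials.MaterialsDescription,
        context.EnvelopeKey,
        context.EncryptedEnvelopeKey,
        context.FirstIV);
}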
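/// <summary>
/// Builds an instruction object from the instruction file.
/// </summary>
/// <param name="response"> Instruction file GetObject response</param>
/// <param name="materials">
/// The non-null encryption materials to be used to encrypt and decrypt Envelope key.
/// </param>
/// <param name="decryptNonKmsEnvelopeKey">Func to be used to decrypt non KMS envelope key</param>
/// <returns>
/// A non-null instruction object containing encryption information: the materials
/// description, the decrypted envelope key and the IV read from the instruction file.
/// </returns>
/// <exception cref="ArgumentNullException">
/// Thrown when any argument is null.
/// </exception>
/// <exception cref="InvalidDataException">
/// Thrown when the instruction file has a null "EncryptedEnvelopeKey" or "IV" field.
/// </exception>
internal static EncryptionInstructions BuildInstructionsUsingInstructionFile(GetObjectResponse response, EncryptionMaterials materials, Func<byte[], EncryptionMaterials, byte[]> decryptNonKmsEnvelopeKey)
{
    if (response == null)
    {
        throw new ArgumentNullException(nameof(response));
    }
    if (materials == null)
    {
        throw new ArgumentNullException(nameof(materials));
    }
    if (decryptNonKmsEnvelopeKey == null)
    {
        throw new ArgumentNullException(nameof(decryptNonKmsEnvelopeKey));
    }

    // Disposing the reader also disposes the response stream.
    using (TextReader textReader = new StreamReader(response.ResponseStream))
    {
        // The instruction file is an object fetched from S3, so its fields are untrusted
        // input: validate presence here; integrity of the envelope key itself rests on
        // decryptNonKmsEnvelopeKey rejecting tampered ciphertext.
        JsonData jsonData = JsonMapper.ToObject(textReader);

        var base64EncodedEncryptedEnvelopeKey = jsonData["EncryptedEnvelopeKey"];
        if (base64EncodedEncryptedEnvelopeKey == null)
        {
            throw new InvalidDataException("Instruction file does not contain an EncryptedEnvelopeKey value.");
        }
        byte[] encryptedEnvelopeKey = Convert.FromBase64String((string)base64EncodedEncryptedEnvelopeKey);
        byte[] decryptedEnvelopeKey = decryptNonKmsEnvelopeKey(encryptedEnvelopeKey, materials);

        var base64EncodedIV = jsonData["IV"];
        if (base64EncodedIV == null)
        {
            throw new InvalidDataException("Instruction file does not contain an IV value.");
        }
        byte[] iv = Convert.FromBase64String((string)base64EncodedIV);

        return new EncryptionInstructions(materials.MaterialsDescription, decryptedEnvelopeKey, iv);
    }
}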
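/// <summary>
/// Generates an instruction that will be used to encrypt an object
/// using materials with the AsymmetricProvider or SymmetricProvider set.
/// </summary>
/// <param name="materials">
/// The encryption materials to be used to encrypt and decrypt data.
/// </param>
/// <returns>
/// The instruction that will be used to encrypt an object: the materials description, a
/// freshly generated AES key and IV, the key wrapped with the materials' provider, and the
/// AES-CBC content-encryption algorithm identifier.
/// </returns>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="materials"/> is null.
/// </exception>
/// <exception cref="ArgumentException">
/// Thrown when <paramref name="materials"/> has neither an AsymmetricProvider nor a SymmetricProvider.
/// </exception>
internal static EncryptionInstructions GenerateInstructionsForNonKMSMaterials(EncryptionMaterials materials)
{
    if (materials == null)
    {
        throw new ArgumentNullException(nameof(materials));
    }

    byte[] envelopeKey;
    byte[] iv;
    byte[] encryptedEnvelopeKey;

    // Aes.Create() lazily generates a random key and IV on first access. The Key/IV getters
    // hand back copies, so the arrays captured here outlive the algorithm object, which is
    // disposed (clearing its own key material) before the instructions are returned.
    using (Aes aesObject = Aes.Create())
    {
        envelopeKey = aesObject.Key;
        iv = aesObject.IV;

        // Wrap the envelope key locally with whichever provider the materials carry;
        // the asymmetric provider takes precedence when both are set.
        if (materials.AsymmetricProvider != null)
        {
            encryptedEnvelopeKey = EncryptEnvelopeKeyUsingAsymmetricKeyPair(materials.AsymmetricProvider, envelopeKey);
        }
        else if (materials.SymmetricProvider != null)
        {
            encryptedEnvelopeKey = EncryptEnvelopeKeyUsingSymmetricKey(materials.SymmetricProvider, envelopeKey);
        }
        else
        {
            throw new ArgumentException("Error generating encryption instructions. " + "EncryptionMaterials must have the AsymmetricProvider or SymmetricProvider set.");
        }
    }

    return new EncryptionInstructions(
        materials.MaterialsDescription,
        envelopeKey,
        encryptedEnvelopeKey,
        iv,
        XAmzAesCbcPaddingCekAlgValue);
}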