/// <summary> /// Builds an instruction object from the object metadata. /// </summary> /// <param name="response"> /// A non-null object response that contains encryption information in its metadata. /// </param> /// <param name="materials"> /// The non-null encryption materials to be used to encrypt and decrypt Envelope key. /// </param> /// <param name="decryptedEnvelopeKeyKMS"> /// The decrypted envelope key to be use if KMS key wrapping is being used. Or null if non-KMS key wrapping is being used. /// </param> /// <returns> /// </returns> internal static EncryptionInstructions BuildInstructionsFromObjectMetadata( GetObjectResponse response, EncryptionMaterialsBase materials, byte[] decryptedEnvelopeKeyKMS) { MetadataCollection metadata = response.Metadata; var materialDescription = GetMaterialDescriptionFromMetaData(response.Metadata); if (metadata[XAmzKeyV2] != null) { EnsureSupportedAlgorithms(metadata); var base64EncodedEncryptedEnvelopeKey = metadata[XAmzKeyV2]; var encryptedEnvelopeKey = Convert.FromBase64String(base64EncodedEncryptedEnvelopeKey); var base64EncodedIV = metadata[XAmzIV]; var IV = Convert.FromBase64String(base64EncodedIV); var cekAlgorithm = metadata[XAmzCekAlg]; var wrapAlgorithm = metadata[XAmzWrapAlg]; EncryptionInstructions instructions; if (decryptedEnvelopeKeyKMS != null) { return(new EncryptionInstructions(materialDescription, decryptedEnvelopeKeyKMS, encryptedEnvelopeKey, IV, wrapAlgorithm, cekAlgorithm)); } else { byte[] decryptedEnvelopeKey; if (XAmzWrapAlgRsaOaepSha1.Equals(wrapAlgorithm) || XAmzWrapAlgAesGcmValue.Equals(wrapAlgorithm)) { decryptedEnvelopeKey = DecryptNonKmsEnvelopeKeyV2(encryptedEnvelopeKey, materials); } else { decryptedEnvelopeKey = DecryptNonKMSEnvelopeKey(encryptedEnvelopeKey, materials); } return(new EncryptionInstructions(materialDescription, decryptedEnvelopeKey, encryptedEnvelopeKey, IV, wrapAlgorithm, cekAlgorithm)); } } else { string base64EncodedEncryptedEnvelopeKey = metadata[XAmzKey]; byte[] encryptedEnvelopeKey = Convert.FromBase64String(base64EncodedEncryptedEnvelopeKey); byte[] decryptedEnvelopeKey = DecryptNonKMSEnvelopeKey(encryptedEnvelopeKey, materials); string base64EncodedIV = metadata[XAmzIV]; byte[] IV = Convert.FromBase64String(base64EncodedIV); return(new EncryptionInstructions(materialDescription, decryptedEnvelopeKey, encryptedEnvelopeKey, IV)); } }
/// <summary> /// Decrypts an encrypted Envelope key using the provided encryption materials /// and returns it in raw byte array form. /// </summary> /// <param name="encryptedEnvelopeKey">Encrypted envelope key</param> /// <param name="materials">Encryption materials needed to decrypt the encrypted envelope key</param> /// <returns></returns> internal static byte[] DecryptNonKMSEnvelopeKey(byte[] encryptedEnvelopeKey, EncryptionMaterialsBase materials) { if (materials.AsymmetricProvider != null) { return(DecryptEnvelopeKeyUsingAsymmetricKeyPair(materials.AsymmetricProvider, encryptedEnvelopeKey)); } if (materials.SymmetricProvider != null) { return(DecryptEnvelopeKeyUsingSymmetricKey(materials.SymmetricProvider, encryptedEnvelopeKey)); } throw new ArgumentException("Error decrypting non-KMS envelope key. " + "EncryptionMaterials must have the AsymmetricProvider or SymmetricProvider set."); }
/// <summary> /// Constructs AmazonS3EncryptionClient with AWS Access Key ID, Secret Key, SessionToken /// AmazonS3EncryptionClient CryptoConfiguration object and Encryption materials. /// </summary> /// <param name="awsAccessKeyId">AWS Access Key ID</param> /// <param name="awsSecretAccessKey">AWS Secret Access Key</param> /// <param name="awsSessionToken">AWS Session Token</param> /// <param name="config">The AmazonS3EncryptionClient CryptoConfiguration Object</param> /// <param name="materials"> /// The encryption materials to be used to encrypt and decrypt envelope key. /// </param> public AmazonS3EncryptionClientBase(string awsAccessKeyId, string awsSecretAccessKey, string awsSessionToken, AmazonS3CryptoConfigurationBase config, EncryptionMaterialsBase materials) : base(awsAccessKeyId, awsSecretAccessKey, awsSessionToken, config) { this.EncryptionMaterials = materials; S3CryptoConfig = config; }
/// <summary> /// Constructs AmazonS3EncryptionClient with AWS Access Key ID, Secret Key, /// SessionToken, Region and Encryption materials. /// </summary> /// <param name="awsAccessKeyId">AWS Access Key ID</param> /// <param name="awsSecretAccessKey">AWS Secret Access Key</param> /// <param name="awsSessionToken">AWS Session Token</param> /// <param name="region">The region to connect.</param> /// <param name="materials">The encryption materials to be used to encrypt and decrypt envelope key.</param> public AmazonS3EncryptionClientBase(string awsAccessKeyId, string awsSecretAccessKey, string awsSessionToken, RegionEndpoint region, EncryptionMaterialsBase materials) : base(awsAccessKeyId, awsSecretAccessKey, awsSessionToken, region) { this.EncryptionMaterials = materials; }
/// <summary> /// Constructs AmazonS3EncryptionClient with AWS Access Key ID, /// AWS Secret Key and Encryption materials /// </summary> /// <param name="awsAccessKeyId">AWS Access Key ID</param> /// <param name="awsSecretAccessKey">AWS Secret Access Key</param> /// <param name="materials">The encryption materials to be used to encrypt and decrypt envelope key.</param> public AmazonS3EncryptionClientBase(string awsAccessKeyId, string awsSecretAccessKey, EncryptionMaterialsBase materials) : base(awsAccessKeyId, awsSecretAccessKey) { this.EncryptionMaterials = materials; }
/// <summary> /// Constructs AmazonS3EncryptionClient with AWS Credentials, AmazonS3CryptoConfigurationBase Configuration object /// and Encryption materials /// </summary> /// <param name="credentials">AWS Credentials</param> /// <param name="config">The AmazonS3EncryptionClient CryptoConfiguration Object</param> /// <param name="materials"> /// The encryption materials to be used to encrypt and decrypt envelope key. /// </param> public AmazonS3EncryptionClientBase(AWSCredentials credentials, AmazonS3CryptoConfigurationBase config, EncryptionMaterialsBase materials) : base(credentials, config) { this.EncryptionMaterials = materials; S3CryptoConfig = config; }
/// <summary> /// Constructs AmazonS3EncryptionClient with AWS Credentials, Region and Encryption materials /// </summary> /// <param name="credentials">AWS Credentials</param> /// <param name="region">The region to connect.</param> /// <param name="materials"> /// The encryption materials to be used to encrypt and decrypt envelope key. /// </param> public AmazonS3EncryptionClientBase(AWSCredentials credentials, RegionEndpoint region, EncryptionMaterialsBase materials) : base(credentials, region) { this.EncryptionMaterials = materials; }
/// <summary> /// Constructs AmazonS3EncryptionClient with AWS Credentials and Encryption materials. /// </summary> /// <param name="materials"> /// The encryption materials to be used to encrypt and decrypt envelope key. /// </param> /// <param name="credentials">AWS Credentials</param> public AmazonS3EncryptionClientBase(AWSCredentials credentials, EncryptionMaterialsBase materials) : base(credentials) { this.EncryptionMaterials = materials; }
/// <summary> /// Constructs AmazonS3EncryptionClient with the Encryption materials and credentials loaded from the application's /// default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance. /// /// Example App.config with credentials set. /// <code> /// <?xml version="1.0" encoding="utf-8" ?> /// <configuration> /// <appSettings> /// <add key="AWSProfileName" value="AWS Default"/> /// </appSettings> /// </configuration> /// </code> /// /// </summary> /// <param name="region"> /// The region to connect. /// </param> /// <param name="materials"> /// The encryption materials to be used to encrypt and decrypt envelope key. /// </param> public AmazonS3EncryptionClientBase(RegionEndpoint region, EncryptionMaterialsBase materials) : base(region) { this.EncryptionMaterials = materials; }
/// <summary> /// Constructs AmazonS3EncryptionClient with the Encryption materials and credentials loaded from the application's /// default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance. /// /// Example App.config with credentials set. /// <code> /// <?xml version="1.0" encoding="utf-8" ?> /// <configuration> /// <appSettings> /// <add key="AWSProfileName" value="AWS Default"/> /// </appSettings> /// </configuration> /// </code> /// /// </summary> /// <param name="materials"> /// The encryption materials to be used to encrypt and decrypt envelope key. /// </param> public AmazonS3EncryptionClientBase(EncryptionMaterialsBase materials) : base() { this.EncryptionMaterials = materials; }
/// <summary> /// Builds an instruction object from the instruction file. /// </summary> /// <param name="response"> Instruction file GetObject response</param> /// <param name="materials"> /// The non-null encryption materials to be used to encrypt and decrypt Envelope key. /// </param> /// <returns> /// A non-null instruction object containing encryption information. /// </returns> internal static EncryptionInstructions BuildInstructionsUsingInstructionFileV2(GetObjectResponse response, EncryptionMaterialsBase materials) { using (TextReader textReader = new StreamReader(response.ResponseStream)) { var jsonData = JsonMapper.ToObject(textReader); if (jsonData[XAmzKeyV2] != null) { // The envelope contains data in V2 format var encryptedEnvelopeKey = Base64DecodedDataValue(jsonData, XAmzKeyV2); var decryptedEnvelopeKey = DecryptNonKmsEnvelopeKeyV2(encryptedEnvelopeKey, materials); var initializationVector = Base64DecodedDataValue(jsonData, XAmzIV); var materialDescription = JsonMapper.ToObject <Dictionary <string, string> >((string)jsonData[XAmzMatDesc]); var cekAlgorithm = StringValue(jsonData, XAmzCekAlg); var wrapAlgorithm = StringValue(jsonData, XAmzWrapAlg); var instructions = new EncryptionInstructions(materialDescription, decryptedEnvelopeKey, null, initializationVector, wrapAlgorithm, cekAlgorithm); return(instructions); } else if (jsonData[XAmzKey] != null) { // The envelope contains data in V1 format var encryptedEnvelopeKey = Base64DecodedDataValue(jsonData, XAmzKey); var decryptedEnvelopeKey = DecryptNonKMSEnvelopeKey(encryptedEnvelopeKey, materials); var initializationVector = Base64DecodedDataValue(jsonData, XAmzIV); var materialDescription = JsonMapper.ToObject <Dictionary <string, string> >((string)jsonData[XAmzMatDesc]); var instructions = new EncryptionInstructions(materialDescription, decryptedEnvelopeKey, null, initializationVector); return(instructions); } else if (jsonData[EncryptedEnvelopeKey] != null) { // The envelope contains data in older format var encryptedEnvelopeKey = Base64DecodedDataValue(jsonData, EncryptedEnvelopeKey); var decryptedEnvelopeKey = DecryptNonKMSEnvelopeKey(encryptedEnvelopeKey, materials); var initializationVector = Base64DecodedDataValue(jsonData, IV); return(new EncryptionInstructions(materials.MaterialsDescription, decryptedEnvelopeKey, initializationVector)); } else { throw new ArgumentException("Missing parameters required for decryption"); } } }
/// <summary> /// Build encryption instructions for UploadPartEncryptionContext /// </summary> /// <param name="context">UploadPartEncryptionContext which contains instructions used for encrypting multipart object</param> /// <param name="encryptionMaterials">EncryptionMaterials which contains material used for encrypting multipart object</param> /// <returns></returns> internal static EncryptionInstructions BuildEncryptionInstructionsForInstructionFileV2(UploadPartEncryptionContext context, EncryptionMaterialsBase encryptionMaterials) { var instructions = new EncryptionInstructions(encryptionMaterials.MaterialsDescription, context.EnvelopeKey, context.EncryptedEnvelopeKey, context.FirstIV, context.WrapAlgorithm, context.CekAlgorithm); return(instructions); }