public async Task <string> Decrypt(string data)
{
using var stream = GenerateStreamFromBase64String(data);
var req = new DecryptRequest
{
KeyId = this.keyId,
CiphertextBlob = stream
};
var response = await client.DecryptAsync(req);
var result = GetValueFromStream(response.Plaintext);
return(result);
}
/// <summary>
/// Decrypts a provided XML element.
/// </summary>
/// <param name="encryptedElement">Encrypted XML element.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>Decrypted XML element.</returns>
#pragma warning disable S3242 // Not altering Microsoft interface definition
public async Task <XElement> DecryptAsync(XElement encryptedElement, CancellationToken ct)
#pragma warning restore S3242
{
ValidateConfig();
logger?.LogDebug("Decrypting ciphertext DataProtection key using AWS key {0}", Config.KeyId);
using (var memoryStream = new MemoryStream())
{
byte[] protectedKey = Convert.FromBase64String((string)encryptedElement.Element("value"));
await memoryStream.WriteAsync(protectedKey, 0, protectedKey.Length, ct);
var response = await kmsClient.DecryptAsync(new DecryptRequest
{
EncryptionContext = ContextUpdater.GetEncryptionContext(Config, dpOptions.Value),
GrantTokens = Config.GrantTokens,
CiphertextBlob = memoryStream
},
ct)
.ConfigureAwait(false);
// Help indicates that Plaintext might be empty if the key couldn't be retrieved but
// testing shows that you always get an exception thrown first
using (var plaintext = response.Plaintext)
{
// Ignoring all the good reasons mentioned in KmsXmlEncryptor and that the implementation would
// be error-prone, hard to test & review, as well as vary between NET Full & NET Core, it's not
// actually permitted to access the buffer of response.Plaintext because it was populated in
// the SDK from a constructor which disallows any subsequent writing.
//
// Yet more reasons that this needs to be handled at a framework level, providing clear Secure* primitives.
return(XElement.Load(plaintext));
}
}
}
public string Decrypt(EncryptedValue encryptedValue, IIncomingLogicalMessageContext context)
{
if (encryptedValue == null || String.IsNullOrEmpty(encryptedValue.EncryptedBase64Value))
{
return(null);
}
if (!context.Headers.ContainsKey(EncryptionHeaders.RijndaelKeyIdentifier))
{
return(null);
}
var decryptlabel = context.Headers[EncryptionHeaders.RijndaelKeyIdentifier];
var decryptRequest = new DecryptRequest {
KeyId = decryptlabel
};
var value = Convert.FromBase64String(encryptedValue.EncryptedBase64Value);
decryptRequest.CiphertextBlob = new System.IO.MemoryStream(value);
var response = _client.DecryptAsync(decryptRequest).GetAwaiter().GetResult();
if (response != null)
{
return(Encoding.UTF8.GetString(response.Plaintext.ToArray()));
}
return(null);
}
private async Task <byte[]> GetDecryptedDataKey()
{
var request = new DecryptRequest
{
CiphertextBlob = new MemoryStream(Convert.FromBase64String(encryptedDataKey))
};
var response = await kmsService.DecryptAsync(request);
return(response.Plaintext.ToArray());
}
private async Task <IDictionary <string, string> > ReadParametersFromEnvironmentVariables()
{
var parameters = new Dictionary <string, string>(StringComparer.InvariantCultureIgnoreCase);
foreach (DictionaryEntry envVar in Environment.GetEnvironmentVariables())
{
var key = envVar.Key as string;
var value = envVar.Value as string;
if ((key == null) || (value == null))
{
continue;
}
if (key.StartsWith("STR_", StringComparison.Ordinal))
{
// plain string value
parameters.Add(EnvToVarKey(key), value);
}
else if (key.StartsWith("SEC_", StringComparison.Ordinal))
{
// secret with optional encryption context pairs
var parts = value.Split('|');
Dictionary <string, string> encryptionContext = null;
if (parts.Length > 1)
{
encryptionContext = new Dictionary <string, string>();
for (var i = 1; i < parts.Length; ++i)
{
var pair = parts[i].Split('=', 2);
if (pair.Length != 2)
{
continue;
}
encryptionContext.Add(
Uri.UnescapeDataString(pair[0]),
Uri.UnescapeDataString(pair[1])
);
}
}
var plaintextStream = (await _kmsClient.DecryptAsync(new DecryptRequest {
CiphertextBlob = new MemoryStream(Convert.FromBase64String(value)),
EncryptionContext = encryptionContext
})).Plaintext;
parameters.Add(EnvToVarKey(key), Encoding.UTF8.GetString(plaintextStream.ToArray()));
}
}
return(parameters);
// local functions
string EnvToVarKey(string key) => "/" + key.Substring(4).Replace('_', '/');
}
public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
{
var tuple = EnvelopeEncryptionUtils.Unwrap(encryptedData).ValueOrFailure("Invalid encrypted data format");
var(encryptedDataKey, iv, actualEncryptedData) = tuple;
var decryptionResult = await mAmazonKeyManagementService.DecryptAsync(new DecryptRequest
{
CiphertextBlob = new MemoryStream(Convert.FromBase64String(encryptedDataKey)),
});
var decrypted = RijndaelUtils.Decrypt(decryptionResult.Plaintext.ToArray(), iv, actualEncryptedData);
return(Encoding.UTF8.GetString(decrypted));
}
public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
{
var encryptedDataKey = encryptedData.Split('$')[1];
var actualEncryptedData = encryptedData.Split('$')[2];
var decryptionResult = await mAmazonKeyManagementService.DecryptAsync(new DecryptRequest
{
CiphertextBlob = new MemoryStream(Convert.FromBase64String(encryptedDataKey)),
});
var dataKey = ConvertMemoryStreamToBase64String(decryptionResult.Plaintext);
mSymmetricKeyManagement.SetEncryptionKey(dataKey);
return(await mSymmetricKeyManagement.Decrypt(actualEncryptedData, serviceAccountId));
}
public byte[] Decrypt(byte[] keyBytes, Dictionary <string, string> context)
{
var cipherStream = new MemoryStream(keyBytes)
{
Position = 0
};
var request = new DecryptRequest
{
CiphertextBlob = cipherStream,
EncryptionContext = context
};
var response = _kmsClient.DecryptAsync(request).Result;
var result = new byte[response.Plaintext.Length];
response.Plaintext.Read(result, 0, (int)response.Plaintext.Length);
return(result);
}
/// <summary>
/// Decrypts the passed data with a master key. This method will decrypt a
/// payload of up to 6144 bytes returning the resulting clear text
/// </summary>
/// <param name="data">The encrypted data to decrypt.</param>
/// <returns>Resulting clear text.</returns>
/// <exception cref="ArgumentNullException"></exception>
/// <exception cref="ArgumentException">You must provide some data to encrypt</exception>
/// <exception cref="PayloadTooLargeException"></exception>
/// <exception cref="KeyManagementServiceUnavailableException"></exception>
public byte[] DecryptData(byte[] data)
{
if (_disposed)
{
throw new ObjectDisposedException("AwsKmsKeyManager");
}
if (data == null)
{
throw new ArgumentNullException(nameof(data));
}
if (!data.Any())
{
throw new ArgumentException("You must provide some data to encrypt", nameof(data));
}
if (data.Length > MaxDecryptPayloadSize)
{
throw new PayloadTooLargeException(MaxDecryptPayloadSize, data.Length);
}
var res = RetryPolicy.ExecuteAndCapture(() =>
{
using (var msData = new MemoryStream(data))
{
var req = new DecryptRequest
{
CiphertextBlob = msData
};
var t = _client.DecryptAsync(req);
t.ConfigureAwait(false);
return(t.GetAwaiter().GetResult());
}
});
ValidateResponse(res);
return(((DecryptResponse)res.Result).Plaintext.ToArray());
}
public virtual async Task <string> Decrypt(string ciphertext, CancellationToken cancellationToken = default)
{
cancellationToken.ThrowIfCancellationRequested();
using var stream = new MemoryStream();
var byteArray = Convert.FromBase64String(ciphertext);
await stream.WriteAsync(byteArray, cancellationToken);
cancellationToken.ThrowIfCancellationRequested();
var request = new DecryptRequest {
CiphertextBlob = stream
};
var response = await kmsClient.DecryptAsync(request, cancellationToken);
cancellationToken.ThrowIfCancellationRequested();
using var reader = new StreamReader(response.Plaintext);
return(await reader.ReadToEndAsync());
}
public async Task DecryptShouldDecryptTheCiphertext(
[Frozen, Substitute] IAmazonKeyManagementService kmsClient,
[Target] DefaultDecryptionService service
)
{
var value = "ZW5jcnlwdGVkIHZhcmlhYmxlCg==";
var expectedValue = "decrypted variable";
kmsClient
.DecryptAsync(Any <DecryptRequest>())
.Returns(new DecryptResponse
{
Plaintext = await CreateStreamFromString(expectedValue),
});
var cancellationToken = new CancellationToken(false);
var response = await service.Decrypt(value);
response.Should().BeEquivalentTo(expectedValue);
await kmsClient.Received().DecryptAsync(Is <DecryptRequest>(req => req.CiphertextBlob != null), Is(cancellationToken));
}
private Amazon.KeyManagementService.Model.DecryptResponse CallAWSServiceOperation(IAmazonKeyManagementService client, Amazon.KeyManagementService.Model.DecryptRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Key Management Service", "Decrypt");
try
{
#if DESKTOP
return(client.Decrypt(request));
#elif CORECLR
return(client.DecryptAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
public async Task <Optional <string> > GetSecretAsync(string name, string version = null, Dictionary <string, string> encryptionContext = null, bool throwOnInvalidCipherTextException = true)
{
CredstashItem item;
if (version == null)
{
var response = await _amazonDynamoDb.QueryAsync(new QueryRequest()
{
TableName = Options.Table,
Limit = 1,
ScanIndexForward = false,
ConsistentRead = true,
KeyConditions = new Dictionary <string, Condition>()
{
{
"name", new Condition()
{
ComparisonOperator = ComparisonOperator.EQ,
AttributeValueList = new List <AttributeValue>()
{
new AttributeValue(name)
}
}
}
}
}).ConfigureAwait(false);
item = CredstashItem.From(response.Items.FirstOrDefault());
}
else
{
var response = await _amazonDynamoDb.GetItemAsync(new GetItemRequest()
{
TableName = Options.Table,
Key = new Dictionary <string, AttributeValue>()
{
{ "name", new AttributeValue(name) },
{ "version", new AttributeValue(version) },
}
}).ConfigureAwait(false);
item = CredstashItem.From(response.Item);
}
if (item == null)
{
return(null);
}
DecryptResponse decryptResponse;
try
{
decryptResponse = await _amazonKeyManagementService.DecryptAsync(new DecryptRequest()
{
CiphertextBlob = new MemoryStream(Convert.FromBase64String(item.Key)),
EncryptionContext = encryptionContext
}).ConfigureAwait(false);
}
catch (InvalidCiphertextException e)
{
if (throwOnInvalidCipherTextException)
{
throw new CredstashException("Could not decrypt hmac key with KMS. The credential may " +
"require that an encryption context be provided to decrypt " +
"it.", e);
}
return(new Optional <string>());
}
catch (Exception e)
{
throw new CredstashException("Decryption error", e);
}
var bytes = decryptResponse.Plaintext.ToArray();
var key = new byte[32];
var hmacKey = new byte[32];
Buffer.BlockCopy(bytes, 0, key, 0, 32);
Buffer.BlockCopy(bytes, 32, hmacKey, 0, 32);
var contents = Convert.FromBase64String(item.Contents);
var hmac = new HMACSHA256(hmacKey);
var result = hmac.ComputeHash(contents);
if (!result.ToHexString().Equals(item.Hmac))
{
throw new CredstashException($"HMAC Failure for {item.Name} v{item.Version}");
}
IBufferedCipher cipher = CipherUtilities.GetCipher("AES/CTR/NoPadding");
cipher.Init(false, new ParametersWithIV(ParameterUtilities.CreateKeyParameter("AES", key), _initializationVector));
byte[] plaintext = cipher.DoFinal(contents);
return(Encoding.UTF8.GetString(plaintext));
}
protected virtual async Task InitializeAsync(ILambdaConfigSource envSource, ILambdaContext context)
{
// read configuration from environment variables
DeploymentTier = envSource.Read("TIER");
ModuleName = envSource.Read("MODULE");
_deadLetterQueueUrl = envSource.Read("DEADLETTERQUEUE");
_loggingTopicArn = envSource.Read("LOGGINGTOPIC");
var framework = envSource.Read("LAMBDARUNTIME");
LogInfo($"TIER = {DeploymentTier}");
LogInfo($"MODULE = {ModuleName}");
LogInfo($"DEADLETTERQUEUE = {_deadLetterQueueUrl ?? "NONE"}");
LogInfo($"LOGGINGTOPIC = {_loggingTopicArn ?? "NONE"}");
// read optional git-sha file
var gitsha = File.Exists("gitsha.txt") ? File.ReadAllText("gitsha.txt") : null;
LogInfo($"GITSHA = {gitsha ?? "NONE"}");
// read module parameter values from parameters file
var parameters = await ParseParameters("/", File.ReadAllText("parameters.json"));
// create config where environment variables take precedence over those found in the parameter file
_appConfig = new LambdaConfig(new LambdaMultiSource(new[] {
envSource,
new LambdaDictionarySource("", parameters)
}));
// initialize rollbar
var rollbarAccessToken = _appConfig.ReadText("RollbarToken", defaultValue: null);
const string proxy = "";
const string platform = "lambda";
_rollbarClient = RollbarClient.Create(new RollbarConfiguration(
// NOTE (2018-08-06, bjorg): the rollbar access token determines the rollbar project
// the error report is associated with; when rollbar intergration is disabled,
// use the module name instead so the logging recipient can determine the module
// the log entry belongs to.
rollbarAccessToken ?? ModuleName,
proxy,
DeploymentTier,
platform,
framework,
gitsha
));
_rollbarEnabled = (rollbarAccessToken != null);
LogInfo($"ROLLBAR = {(_rollbarEnabled ? "ENABLED" : "DISABLED")}");
// local functions
async Task <Dictionary <string, string> > ParseParameters(string parameterPrefix, string json)
{
var functionParameters = JsonConvert.DeserializeObject <Dictionary <string, LambdaFunctionParameter> >(json);
var flatten = new Dictionary <string, string>();
await Flatten(functionParameters, parameterPrefix, "STACK_", flatten);
return(flatten);
// local functions
async Task Flatten(Dictionary <string, LambdaFunctionParameter> source, string prefix, string envPrefix, Dictionary <string, string> target)
{
foreach (var kv in source)
{
var value = kv.Value.Value;
switch (kv.Value.Type)
{
case LambdaFunctionParameterType.Collection:
await Flatten((Dictionary <string, LambdaFunctionParameter>) value, prefix + kv.Key + "/", envPrefix + kv.Key.ToUpperInvariant() + "_", target);
break;
case LambdaFunctionParameterType.Secret: {
var secret = (string)value;
var plaintextStream = (await _kmsClient.DecryptAsync(new DecryptRequest {
CiphertextBlob = new MemoryStream(Convert.FromBase64String(secret)),
EncryptionContext = kv.Value.EncryptionContext
})).Plaintext;
target.Add(prefix + kv.Key, Encoding.UTF8.GetString(plaintextStream.ToArray()));
break;
}
case LambdaFunctionParameterType.Stack:
target.Add(prefix + kv.Key, envSource.Read(envPrefix + kv.Key.ToUpperInvariant()));
break;
case LambdaFunctionParameterType.Text:
target.Add(prefix + kv.Key, (string)value);
break;
default:
throw new NotSupportedException($"unsupported parameter type: '{kv.Value.Type.ToString()}'");
}
}
}
}
}
