public void GenerateKey(int keyBits, out byte[] key, out byte[] encryptedKey, IDictionary<string, string> context)
{
DataKeySpec keySpec;
if (keyBits == 128)
{
keySpec = DataKeySpec.AES_128;
}
else if (keyBits == 256)
{
keySpec = DataKeySpec.AES_256;
}
else
{
throw new ArgumentException("only 128 and 256 bit keys are supported", "keyBits");
}
var request = new GenerateDataKeyRequest
{
KeyId = _keyId,
KeySpec = keySpec,
EncryptionContext = AsDictionary(context)
};
GenerateDataKeyResponse response = _client.GenerateDataKey(request);
key = response.Plaintext.ToArray();
encryptedKey = response.CiphertextBlob.ToArray();
}
public object Execute(ExecutorContext context)
{
var cmdletContext = context as CmdletContext;
// create request
var request = new Amazon.KeyManagementService.Model.GenerateDataKeyRequest();
if (cmdletContext.EncryptionContext != null)
{
request.EncryptionContext = cmdletContext.EncryptionContext;
}
if (cmdletContext.GrantToken != null)
{
request.GrantTokens = cmdletContext.GrantToken;
}
if (cmdletContext.KeyId != null)
{
request.KeyId = cmdletContext.KeyId;
}
if (cmdletContext.KeySpec != null)
{
request.KeySpec = cmdletContext.KeySpec;
}
if (cmdletContext.NumberOfBytes != null)
{
request.NumberOfBytes = cmdletContext.NumberOfBytes.Value;
}
CmdletOutput output;
// issue call
var client = Client ?? CreateClient(_CurrentCredentials, _RegionEndpoint);
try
{
var response = CallAWSServiceOperation(client, request);
object pipelineOutput = null;
pipelineOutput = cmdletContext.Select(response, this);
output = new CmdletOutput
{
PipelineOutput = pipelineOutput,
ServiceResponse = response
};
}
catch (Exception e)
{
output = new CmdletOutput {
ErrorResponse = e
};
}
return(output);
}
/// <summary>
/// Initiates the asynchronous execution of the GenerateDataKey operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the GenerateDataKey operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public Task<GenerateDataKeyResponse> GenerateDataKeyAsync(GenerateDataKeyRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new GenerateDataKeyRequestMarshaller();
var unmarshaller = GenerateDataKeyResponseUnmarshaller.Instance;
return InvokeAsync<GenerateDataKeyRequest,GenerateDataKeyResponse>(request, marshaller,
unmarshaller, cancellationToken);
}
/// <summary>
/// Generates a data key that you can use in your application to locally encrypt data.
/// This call returns a plaintext version of the key in the <code>Plaintext</code> field
/// of the response object and an encrypted copy of the key in the <code>CiphertextBlob</code>
/// field. The key is encrypted by using the master key specified by the <code>KeyId</code>
/// field. To decrypt the encrypted key, pass it to the <code>Decrypt</code> API.
///
///
/// <para>
/// We recommend that you use the following pattern to locally encrypt data: call the
/// <code>GenerateDataKey</code> API, use the key returned in the <code>Plaintext</code>
/// response field to locally encrypt data, and then erase the plaintext data key from
/// memory. Store the encrypted data key (contained in the <code>CiphertextBlob</code>
/// field) alongside of the locally encrypted data.
/// </para>
/// <note>You should not call the <code>Encrypt</code> function to re-encrypt your data
/// keys within a region. <code>GenerateDataKey</code> always returns the data key encrypted
/// and tied to the customer master key that will be used to decrypt it. There is no need
/// to decrypt it twice. </note>
/// <para>
/// If you decide to use the optional <code>EncryptionContext</code> parameter, you must
/// also store the context in full or at least store enough information along with the
/// encrypted data to be able to reconstruct the context when submitting the ciphertext
/// to the <code>Decrypt</code> API. It is a good practice to choose a context that you
/// can reconstruct on the fly to better secure the ciphertext. For more information about
/// how this parameter is used, see <a href="http://docs.aws.amazon.com/kms/latest/developerguide/encrypt-context.html">Encryption
/// Context</a>.
/// </para>
///
/// <para>
/// To decrypt data, pass the encrypted data key to the <code>Decrypt</code> API. <code>Decrypt</code>
/// uses the associated master key to decrypt the encrypted data key and returns it as
/// plaintext. Use the plaintext data key to locally decrypt your data and then erase
/// the key from memory. You must specify the encryption context, if any, that you specified
/// when you generated the key. The encryption context is logged by CloudTrail, and you
/// can use this log to help track the use of particular data.
/// </para>
/// </summary>
/// <param name="request">Container for the necessary parameters to execute the GenerateDataKey service method.</param>
///
/// <returns>The response from the GenerateDataKey service method, as returned by KeyManagementService.</returns>
/// <exception cref="Amazon.KeyManagementService.Model.DependencyTimeoutException">
/// The system timed out while trying to fulfill the request.
/// </exception>
/// <exception cref="Amazon.KeyManagementService.Model.DisabledException">
/// A request was rejected because the specified key was marked as disabled.
/// </exception>
/// <exception cref="Amazon.KeyManagementService.Model.InvalidGrantTokenException">
/// A grant token provided as part of the request is invalid.
/// </exception>
/// <exception cref="Amazon.KeyManagementService.Model.InvalidKeyUsageException">
/// The request was rejected because the specified KeySpec parameter is not valid. The
/// currently supported value is ENCRYPT/DECRYPT.
/// </exception>
/// <exception cref="Amazon.KeyManagementService.Model.KeyUnavailableException">
/// The request was rejected because the key was disabled, not found, or otherwise not
/// available.
/// </exception>
/// <exception cref="Amazon.KeyManagementService.Model.KMSInternalException">
/// The request was rejected because an internal exception occurred. This error can be
/// retried.
/// </exception>
/// <exception cref="Amazon.KeyManagementService.Model.NotFoundException">
/// The request was rejected because the specified entity or resource could not be found.
/// </exception>
public GenerateDataKeyResponse GenerateDataKey(GenerateDataKeyRequest request)
{
var marshaller = new GenerateDataKeyRequestMarshaller();
var unmarshaller = GenerateDataKeyResponseUnmarshaller.Instance;
return Invoke<GenerateDataKeyRequest,GenerateDataKeyResponse>(request, marshaller, unmarshaller);
}
private Amazon.KeyManagementService.Model.GenerateDataKeyResponse CallAWSServiceOperation(IAmazonKeyManagementService client, Amazon.KeyManagementService.Model.GenerateDataKeyRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Key Management Service", "GenerateDataKey");
try
{
#if DESKTOP
return(client.GenerateDataKey(request));
#elif CORECLR
return(client.GenerateDataKeyAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
/// <summary>
/// Initiates the asynchronous execution of the GenerateDataKey operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the GenerateDataKey operation on AmazonKeyManagementServiceClient.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
///
/// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndGenerateDataKey
/// operation.</returns>
public IAsyncResult BeginGenerateDataKey(GenerateDataKeyRequest request, AsyncCallback callback, object state)
{
var marshaller = new GenerateDataKeyRequestMarshaller();
var unmarshaller = GenerateDataKeyResponseUnmarshaller.Instance;
return BeginInvoke<GenerateDataKeyRequest>(request, marshaller, unmarshaller,
callback, state);
}
