class Aws::S3::Encryption::KmsCipherProvider
def decryption_cipher(envelope, options = {})
- (Cipher) Given an encryption envelope, returns a decryption cipher.
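# Builds the AES cipher that decrypts an object's content, using KMS to
# unwrap the data key carried in the encryption envelope.
#
# Nothing in this method authenticates the envelope before its values are
# used. NOTE(review): the envelope presumably comes from S3 object metadata
# or an instruction file, so treat every field as untrusted; confirm
# against the caller.
#
# @param envelope [Hash] reads 'x-amz-matdesc', 'x-amz-cek-alg',
#   'x-amz-wrap-alg', 'x-amz-key-v2' and 'x-amz-iv'
# @param options [Hash] not read by this method
# @return [Cipher] the result of Utils.aes_decryption_cipher
# @raise [Errors::DecryptionError] when a 'kms+context' envelope's cek-alg
#   differs from the one in its encryption context, or when the cek-alg is
#   not a supported AES/CBC or AES/GCM format
# @raise [ArgumentError] when the wrap-alg is 'AES/GCM', 'RSA-OAEP-SHA1'
#   or any other value than 'kms' / 'kms+context'
# Errors raised by the KMS client are not rescued and propagate.
def decryption_cipher(envelope, options = {})
  encryption_context = Json.load(envelope['x-amz-matdesc'])
  cek_alg = envelope['x-amz-cek-alg']
  wrap_alg = envelope['x-amz-wrap-alg']

  case wrap_alg
  when 'kms'
    # Plain 'kms' envelopes get no cek-alg binding check.
  when 'kms+context'
    # The envelope's cek-alg must agree with the value recorded in the
    # encryption context. The context itself is only trustworthy once the
    # KMS decrypt below has accepted it.
    unless cek_alg == encryption_context['aws:x-amz-cek-alg']
      raise Errors::DecryptionError, 'Value of cek-alg from envelope' \
        ' does not match the value in the encryption context'
    end
  when 'AES/GCM', 'RSA-OAEP-SHA1'
    # The envelope was wrapped with a non-KMS key; this provider cannot
    # unwrap it.
    raise ArgumentError, 'Key mismatch - Client is configured' \
      " with a KMS key and the x-amz-wrap-alg is #{wrap_alg}."
  else
    raise ArgumentError, "Unsupported wrap-alg: #{wrap_alg}"
  end

  # Resolve the block mode before contacting KMS, so an envelope with an
  # unsupported cek-alg is rejected without issuing a Decrypt request or
  # materialising the plaintext data key.
  block_mode =
    case cek_alg
    when 'AES/CBC/PKCS5Padding', 'AES/CBC/PKCS7Padding'
      # CBC carries no authentication tag: the cipher alone will not
      # detect modified ciphertext in this mode.
      :CBC
    when 'AES/GCM/NoPadding'
      :GCM
    else
      raise Errors::DecryptionError,
            "unsupported content encrypting key (cek) format: #{cek_alg.inspect}"
    end

  # Unwrap the data key. The encryption context is sent with the request,
  # so KMS refuses the decrypt if it does not match the context supplied
  # when the key was wrapped.
  key = Aws::Plugins::UserAgent.metric('S3_CRYPTO_V1N') do
    @kms_client.decrypt(
      ciphertext_blob: decode64(envelope['x-amz-key-v2']),
      encryption_context: encryption_context
    ).plaintext
  end

  iv = decode64(envelope['x-amz-iv'])
  Utils.aes_decryption_cipher(block_mode, key, iv)
end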