class Aws::S3::EncryptionV2::KmsCipherProvider
def decryption_cipher(envelope, options = {})
-
(Cipher)- Given an encryption envelope, returns a
def decryption_cipher(envelope, options = {}) encryption_context = Json.load(envelope['x-amz-matdesc']) cek_alg = envelope['x-amz-cek-alg'] case envelope['x-amz-wrap-alg'] when 'kms' unless options[:security_profile] == :v2_and_legacy raise Errors::LegacyDecryptionError end when 'kms+context' if cek_alg != encryption_context['aws:x-amz-cek-alg'] raise Errors::CEKAlgMismatchError end if encryption_context != build_encryption_context(cek_alg, options) raise Errors::DecryptionError, 'Value of encryption context from'\ ' envelope does not match the provided encryption context' end when 'AES/GCM' raise ArgumentError, 'Key mismatch - Client is configured' \ ' with a KMS key and the x-amz-wrap-alg is AES/GCM.' when 'RSA-OAEP-SHA1' raise ArgumentError, 'Key mismatch - Client is configured' \ ' with a KMS key and the x-amz-wrap-alg is RSA-OAEP-SHA1.' else raise ArgumentError, 'Unsupported wrap-alg: ' \ "#{envelope['x-amz-wrap-alg']}" end any_cmk_mode = false || options[:kms_allow_decrypt_with_any_cmk] decrypt_options = { ciphertext_blob: decode64(envelope['x-amz-key-v2']), encryption_context: encryption_context } unless any_cmk_mode decrypt_options[:key_id] = @kms_key_id end key = Aws::Plugins::UserAgent.metric('S3_CRYPTO_V2') do @kms_client.decrypt(decrypt_options).plaintext end iv = decode64(envelope['x-amz-iv']) block_mode = case cek_alg when 'AES/CBC/PKCS5Padding' :CBC when 'AES/CBC/PKCS7Padding' :CBC when 'AES/GCM/NoPadding' :GCM else type = envelope['x-amz-cek-alg'].inspect msg = "unsupported content encrypting key (cek) format: #{type}" raise Errors::DecryptionError, msg end Utils.aes_decryption_cipher(block_mode, key, iv) end