When an encryption context is provided in an encryption request, it is bound to the ciphertext, so the same encryption context is required to decrypt (or decrypt and re-encrypt) the data. If the encryption context provided in the decryption request is not an exact, case-sensitive match, the decryption request fails. Only the order of the encryption context pairs can change.
But in the example code of the Java SDK, no encryption context is specified when decrypting:
crypto.decryptString(prov, ciphertext);
These two statements seem a bit contradictory to me, since I thought the decrypting user has to supply the encryption context themselves. I checked the source code of AwsCrypto.decryptString(final CryptoMaterialsManager provider, final String ciphertext) in the SDK, and it looks like the encryption context is also contained in the ciphertext.
May I know why it is designed this way?
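To make the question's point concrete, here is an added Python model (not the AWS SDK's code, not its real message format, and not part of the original post) of a ciphertext that carries its encryption context in an authenticated header. That is why a decrypt call can take no context while the caller still has to compare the context read from the header against what it expects. The cipher and layout below are a standard-library stand-in, assumed only for illustration.

```python
import hashlib
import hmac
import json
import os

TAG_LEN = 32     # HMAC-SHA256 tag
NONCE_LEN = 12


def canonical_context(ctx: dict) -> bytes:
    # Pairs are sorted, so their order never matters; keys and values keep their case
    return json.dumps(sorted(ctx.items()), separators=(",", ":")).encode()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 (model only, not a production cipher)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes, ctx: dict) -> bytes:
    """Message = [2-byte header length][header = context][nonce][ciphertext][tag]."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    header = canonical_context(ctx)
    body = len(header).to_bytes(2, "big") + header + nonce + ct
    tag = hmac.new(key, body, hashlib.sha256).digest()  # the tag covers the header too
    return body + tag

def decrypt(key: bytes, message: bytes):
    """Authenticate, then return (plaintext, context read from the header)."""
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: header or ciphertext was altered")
    hlen = int.from_bytes(body[:2], "big")
    ctx = dict(json.loads(body[2:2 + hlen]))
    nonce = body[2 + hlen:2 + hlen + NONCE_LEN]
    ct = body[2 + hlen + NONCE_LEN:]
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return pt, ctx

def decrypt_expecting(key: bytes, message: bytes, expected: dict) -> bytes:
    """What the caller must still do: compare the stored context with what it expects."""
    pt, ctx = decrypt(key, message)
    for k, v in expected.items():
        if ctx.get(k) != v:  # exact, case-sensitive comparison
            raise ValueError(f"encryption context mismatch for key {k!r}")
    return pt
```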
Answer 0 (score: 0)
After some research, I found at least two ways to perform encryption and decryption. Just posting them here in case anyone is interested. It is written in Kotlin.
import com.amazonaws.encryptionsdk.AwsCrypto
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider
import com.amazonaws.services.kms.AWSKMSClientBuilder
import com.amazonaws.services.kms.model.DecryptRequest
import com.amazonaws.services.kms.model.EncryptRequest
import java.nio.ByteBuffer
import java.nio.charset.StandardCharsets
import java.util.Base64

// Option 1: AWS Encryption SDK. The encryption context travels in the message header,
// so decryptString() needs no context; the caller verifies it after decryption.
class AwsEncryptionSDKWrapper(private val keyIdArn: String, region: String) {
    private val crypto = AwsCrypto()
    private val prov: KmsMasterKeyProvider = KmsMasterKeyProvider.builder()
        .withDefaultRegion(region)
        .withKeysForEncryption(keyIdArn)
        .build()

    fun encrypt(raw: String, encryptionContext: Map<String, String>): String {
        return crypto.encryptString(prov, raw, encryptionContext).result
    }

    fun decrypt(cipherText: String, encryptionContext: Map<String, String>): String {
        val decryptedResponse = crypto.decryptString(prov, cipherText)
        // Make sure the message was wrapped by the key we expect
        if (decryptedResponse.masterKeyIds[0] != keyIdArn) {
            throw IllegalStateException("Wrong key ID!")
        }
        // Every expected pair must be present, case-sensitively, in the context read from the header
        encryptionContext.entries.forEach { (key, value) ->
            if (value != decryptedResponse.encryptionContext[key]) {
                throw IllegalStateException("Wrong Encryption Context!")
            }
        }
        return decryptedResponse.result
    }
}

// Option 2: raw KMS API. The context is not stored with the ciphertext, so the caller
// must pass the identical context on Decrypt or KMS rejects the request.
class AwsKMSSDKWrapper(region: String) {
    private val client = AWSKMSClientBuilder.standard().withRegion(region).build()

    fun encrypt(keyIdArn: String, raw: String, encryptionContext: Map<String, String>): String {
        val plaintextBytes = raw.toByteArray(StandardCharsets.UTF_8)
        val encReq = EncryptRequest()
            .withKeyId(keyIdArn)
            .withPlaintext(ByteBuffer.wrap(plaintextBytes))
            .withEncryptionContext(encryptionContext)
        val cipherText = client.encrypt(encReq).ciphertextBlob
        return Base64.getEncoder().encodeToString(cipherText.array())
    }

    fun decrypt(base64CipherText: String, encryptionContext: Map<String, String>, keyIdArn: String): String {
        val req = DecryptRequest()
            .withCiphertextBlob(ByteBuffer.wrap(Base64.getDecoder().decode(base64CipherText)))
            .withEncryptionContext(encryptionContext)
        val resp = client.decrypt(req)
        // Reject unless the key that decrypted the blob is the one we expect
        if (resp.keyId == null || resp.keyId != keyIdArn) {
            throw IllegalStateException("keyid not match ! provided $keyIdArn, actual ${resp.keyId}")
        }
        return resp.plaintext.array().toString(StandardCharsets.UTF_8)
    }
}
Special thanks to @kdgregory for pointing out my confusion.