.NET Core - AWS KMS - EncryptionMaterials issue

Time: 2018-08-02 13:06:37

Tags: amazon-web-services amazon-s3 asp.net-core aws-sdk aws-kms

I have been trying to use the KMS manager to encrypt some sensitive information and store it in an S3 bucket. I found many examples of how to do this, the most important being the one in the AWS documentation (https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/kms-keys-s3-encryption.html):

using System;
using System.IO;

using Amazon.S3;
using Amazon.S3.Model;
using Amazon.S3.Encryption;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

namespace S3Sample1
{
    class S3Sample
    {
        public static void Main(string[] args)
        {
            string kmsKeyID = null;
            using (var kmsClient = new AmazonKeyManagementServiceClient())
            {
                // Note: this creates a brand-new customer master key (CMK) on every run.
                // In real code you would reference an existing key ID, ARN or alias instead.
                var response = kmsClient.CreateKey(new CreateKeyRequest());
                kmsKeyID = response.KeyMetadata.KeyId;

                var keyMetadata = response.KeyMetadata; // An object that contains information about the CMK created by this operation.
                var bucketName = "<s3bucket>";
                var objectKey = "key";

                // The string overload selects KMS-managed (envelope) encryption materials.
                var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
                // CryptoStorageMode.ObjectMetadata is required for KMS EncryptionMaterials
                var config = new AmazonS3CryptoConfiguration()
                {
                    StorageMode = CryptoStorageMode.ObjectMetadata
                };

                // AmazonS3EncryptionClient transparently encrypts on PutObject and decrypts on GetObject.
                using (var s3Client = new AmazonS3EncryptionClient(config, kmsEncryptionMaterials))
                {
                    // encrypt and put object
                    var putRequest = new PutObjectRequest
                    {
                        BucketName = bucketName,
                        Key = objectKey,
                        ContentBody = "object content"
                    };
                    s3Client.PutObject(putRequest);

                    // get object and decrypt
                    var getRequest = new GetObjectRequest
                    {
                        BucketName = bucketName,
                        Key = objectKey
                    };

                    using (var getResponse = s3Client.GetObject(getRequest))
                    using (var stream = getResponse.ResponseStream)
                    using (var reader = new StreamReader(stream))
                    {
                        Console.WriteLine(reader.ReadToEnd());
                    }
                }
            }

            Console.WriteLine("Press any key to continue...");
            Console.ReadKey();
        }

    }

}

This code does not work even when I use the full framework version (to use the example above in .NET Core I also had to make all AWS calls async, per their documentation), because

var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);

does not accept a string, but rather an AsymmetricKey or SymmetricKey object. I worked around it with

var kmsEncryptionMaterials = new EncryptionMaterials(RSA.Create())

Obviously that would be a per-session key, so I actually found this post, https://aws.amazon.com/blogs/developer/client-side-data-encryption-with-aws-sdk-for-net-and-amazon-s3/, which basically details how to reuse the key, but it seems really outdated (written in 2013) and I don't think it is reasonable. The original idea was to use KMS as the actual authentication/authorization provider for all boxes in the AWS ecosystem and then access the S3 bucket containing the keys.

Am I missing something? Why does the AWS example contain a string?

I am using the latest packages for the AWS SDK for .NET Core:

  • AWSSDK.Core - v3.3.24.4
  • AWSSDK.KeyManagementService - v3.3.6
  • AWSSDK.S3 - v3.3.20
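
For readers who hit the same wall, the following is an added example, not code from the question, the answer, or the AWS documentation. It is the async form of the AWS sample that the netstandard build of the SDK requires (PutObjectAsync, GetObjectAsync, DescribeKeyAsync instead of the synchronous calls), and it references an existing key through an alias rather than calling CreateKey, which in the original sample creates a new CMK on every run. The alias name "alias/s3-client-side", the bucket "my-encrypted-bucket" and the object key are placeholders; everything else uses only types that exist in the AWSSDK.S3 and AWSSDK.KeyManagementService packages listed above (EncryptionMaterials, AmazonS3CryptoConfiguration, AmazonS3EncryptionClient). The string overload of EncryptionMaterials is the KMS overload: the client asks KMS for a data key per object, encrypts the body locally with it, and stores the KMS-wrapped data key in the object's metadata, so the IAM and key policy on that KMS key decide who can decrypt.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;

using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
using Amazon.S3;
using Amazon.S3.Encryption;
using Amazon.S3.Model;

namespace S3KmsCoreSample
{
    class Program
    {
        // Placeholders (assumptions, not from the original post): an existing KMS key
        // reachable through this alias, and a bucket the caller can write to.
        const string KeyAlias = "alias/s3-client-side";
        const string BucketName = "my-encrypted-bucket";
        const string ObjectKey = "secrets/config.json";

        // Synchronous entry point so the project does not need C# 7.1 (async Main).
        static void Main() => RunAsync().GetAwaiter().GetResult();

        static async Task RunAsync()
        {
            // Resolve the alias to the key ID once. Unlike the AWS sample this never calls
            // CreateKey, so the number of CMKs in the account does not grow with each run.
            string kmsKeyId;
            using (var kms = new AmazonKeyManagementServiceClient())
            {
                var described = await kms.DescribeKeyAsync(
                    new DescribeKeyRequest { KeyId = KeyAlias });
                kmsKeyId = described.KeyMetadata.KeyId;
            }

            // String constructor = KMS-backed envelope encryption. The data key is
            // generated by KMS for each PutObject; only its wrapped form is stored in S3.
            var materials = new EncryptionMaterials(kmsKeyId);
            var config = new AmazonS3CryptoConfiguration
            {
                // KMS materials require the wrapped key to live in the object metadata
                // (x-amz-* headers), not in a separate instruction file.
                StorageMode = CryptoStorageMode.ObjectMetadata
            };

            using (var s3 = new AmazonS3EncryptionClient(config, materials))
            {
                // Encrypt client-side and upload. The plaintext never reaches S3.
                await s3.PutObjectAsync(new PutObjectRequest
                {
                    BucketName = BucketName,
                    Key = ObjectKey,
                    ContentBody = "{\"dbPassword\":\"example-only\"}" // constructed sample payload
                });

                // Download and decrypt; the client calls KMS Decrypt on the wrapped data key,
                // so a principal without kms:Decrypt on the key gets an exception here,
                // even if it has s3:GetObject on the bucket.
                string plaintext = await ReadDecryptedAsync(s3, BucketName, ObjectKey);
                Console.WriteLine(plaintext);
            }
        }

        static async Task<string> ReadDecryptedAsync(IAmazonS3 client, string bucket, string key)
        {
            var request = new GetObjectRequest { BucketName = bucket, Key = key };
            using (var response = await client.GetObjectAsync(request))
            using (var reader = new StreamReader(response.ResponseStream))
            {
                return await reader.ReadToEndAsync();
            }
        }
    }
}
```

Two practical notes. First, if a plain AmazonS3Client (not the encryption client) downloads the same object, it receives the ciphertext plus the metadata headers; that is expected and is what makes this different from S3 server-side encryption. Second, later releases of the AWS SDK for .NET mark AmazonS3EncryptionClient as obsolete in favour of the separate Amazon.Extensions.S3.Encryption package, so new projects should start there; the KMS key-ID constructor pattern is the same.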

1 answer:

Answer 0 (score: 0)

After about a day or so, I realized that this problem was related to the multiple targets of the Amazon.S3.Encryption dll.

I found a GitHub project with an example that works for .NET Core (https://github.com/priyalwalpita/awssdk_dotnetcore), and from it it became quite clear that the problem was with my cached dlls.

I also triple-checked the ItemGroups in the csproj and made sure they were correct:

  <ItemGroup>
    <PackageReference Include="AWSSDK.Core" Version="3.3.24.4" />
    <PackageReference Include="AWSSDK.KeyManagementService" Version="3.3.6" />
    <PackageReference Include="AWSSDK.S3" Version="3.3.20" />
    <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.1.1" />
    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="2.1.1" />
  </ItemGroup>

Hope this helps someone in the future.