Python-解密S3图像文件,使用CSE KMS加密

时间:2019-03-06 17:51:38

标签: python amazon-web-services boto3 aws-kms

是否有一种方法可以在Python中解密jpg或png文件,该文件是使用JAVA-AmazonS3EncryptionClient加密并存储在S3中的CSE KMS?看来boto3和aws加密客户端仅支持密文,而不支持文件。

我尝试了以下代码,但失败了,

<form id="regForm" action="">

<h1>Register:</h1>

<!-- One "tab" for each step in the form: -->
<div class="tab">Name:
  <p><input placeholder="First name..." oninput="this.className = ''"></p>
  <p><input placeholder="Last name..." oninput="this.className = ''"></p>
</div>

<div class="tab">Contact Info:
  <p><input placeholder="E-mail..." oninput="this.className = ''"></p>
  <p><input placeholder="Phone..." oninput="this.className = ''"></p>
</div>

<div class="tab">Birthday:
  <p><input placeholder="dd" oninput="this.className = ''"></p>
  <p><input placeholder="mm" oninput="this.className = ''"></p>
  <p><input placeholder="yyyy" oninput="this.className = ''"></p>
</div>

<div class="tab">Login Info:
  <p><input placeholder="Username..." oninput="this.className = ''"></p>
  <p><input placeholder="Password..." oninput="this.className = ''"></p>
</div>

<div style="overflow:auto;">
  <div style="float:right;">
    <button type="button" id="prevBtn" onclick="nextPrev(-1)">Previous</button>
    <button type="button" id="nextBtn" onclick="nextPrev(1)">Next</button>
  </div>
</div>

<!-- Circles which indicates the steps of the form: -->
<div style="text-align:center;margin-top:40px;">
  <span class="step"></span>
  <span class="step"></span>
  <span class="step"></span>
  <span class="step"></span>
</div>

</form>

错误:

在“ client.decrypt(CiphertextBlob = encryptedImage)”上失败,带有{“ e​​rrorMessage”:“调用Decrypt操作时发生错误(413):HTTP内容长度超过200000字节。”,“ errorType”:“ ClientError “,}

参考文献: https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html https://github.com/aws/aws-encryption-sdk-python/ https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/python-example-code.html https://aws-encryption-sdk-python.readthedocs.io/en/latest/

1 个答案:

答案 0 :(得分:0)

根据您共享的文档,EncryptDecrypt API的有效载荷被限制为最大4k:https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html

使用KMS密钥对文件进行编码时,其基本原理是生成一个对称密钥,用该对称密钥对有效负载进行编码,使用KMS encrypt API对该对称密钥进行编码,并将加密的对称密钥存储在信封中,作为S3上的元数据。

以下是用于S3文件加密的代码示例:

    #
    # Generate a Data Key (encoded with my Master Key in KMS)
    #
    key = kms.generate_data_key(KeyId=MASTER_KEY_ARN,KeySpec='AES_256')
    keyPlain  = key['Plaintext']
    keyCipher = key['CiphertextBlob']

    #
    # Encode a file with the data key
    #
    print ("Initializing encryption engine")
    iv = ''.join(chr(random.randint(0, 0xFF)) for i in range(16))
    chunksize = 64*1024
    encryptor = AES.new(keyPlain, AES.MODE_CBC, iv)

    print ("KMS Plain text key = %s " % base64.b64encode(keyPlain))
    print ("KMS Encrypted key  = %s " % base64.b64encode(keyCipher))

    in_filename = os.path.join(DIRECTORY, FILENAME)
    out_filename = in_filename + '.enc'
    filesize = os.path.getsize(in_filename)

    print ("Encrypting file")
    with open(in_filename, 'rb') as infile:
        with open(out_filename, 'wb') as outfile:
            outfile.write(struct.pack('<Q', filesize))
            outfile.write(iv)

            chunk = infile.read(chunksize)
            while len(chunk) != 0:
                if len(chunk) % 16 != 0:
                    chunk += ' ' * (16 - len(chunk) % 16)
                outfile.write(encryptor.encrypt(chunk))
                chunk = infile.read(chunksize)

    #
    # Store encrypted file on S3
    # Encrypted Key will be stored as meta data
    #
    print ("Storing encrypted file on S3")
    metadata = {
        "key" : base64.b64encode(keyCipher)
    }

    #client = boto3.client('s3', 'us-west-2')
    s3 = session.client('s3')
    transfer = S3Transfer(s3)
    transfer.upload_file(out_filename, S3_BUCKET, out_filename, extra_args={"Metadata" : metadata})
    os.remove(out_filename)

和要解密的示例代码:

    #
    # Download Encrypted File and it's metadata
    #
    print ("Download file and meta data from S3")
    transfer.download_file(S3_BUCKET, out_filename, out_filename)

    #retrieve meta data
    import boto3
    s3 = boto3.resource('s3')
    object = s3.Object(S3_BUCKET, out_filename)
    #print object.metadata

    keyCipher = base64.b64decode(object.metadata['key'])

    #decrypt encrypted key
    print ("Decrypt ciphered key")
    key = kms.decrypt(CiphertextBlob=keyCipher)
    keyPlain = key['Plaintext']
    print ("KMS Plain text key = %s " % base64.b64encode(keyPlain))
    print ("KMS Encrypted key  = %s " % base64.b64encode(keyCipher))

    #
    # Decrypt the file
    #
    print("Decrypt the file")

    in_filename = out_filename
    out_filename = in_filename + '.jpg'
    filesize = os.path.getsize(in_filename)

    with open(in_filename, 'rb') as infile:
        origsize = struct.unpack('<Q', infile.read(struct.calcsize('Q')))[0]
        iv = infile.read(16)
        decryptor = AES.new(keyPlain, AES.MODE_CBC, iv)

        with open(out_filename, 'wb') as outfile:
            chunk = infile.read(chunksize)
            while len(chunk) != 0:
                outfile.write(decryptor.decrypt(chunk))
                chunk = infile.read(chunksize)

            outfile.truncate(origsize)
相关问题
最新问题