在NodeJ中使用AWS KMS解密文本

时间:2019-06-30 20:50:26

标签: node.js encryption ecmascript-6 aws-sdk aws-kms

我正在尝试使用aws-sdk和NodeJs解密使用AWS KMS加密的一些文本。我今天开始与NodeJs一起玩,所以我是它的新手。 我已经用Java解决了这个问题,但我正在尝试将现有的Alexa技能从Java迁移到NodeJ。

要解密的代码是:

function decrypt(buffer) {
    const kms = new aws.KMS({
        accessKeyId: 'accessKeyId',
        secretAccessKey: 'secretAccessKey',
        region: 'eu-west-1'
    });
    return new Promise((resolve, reject) => {
        let params = {
            "CiphertextBlob" : buffer,
        };
        kms.decrypt(params, (err, data) => {
            if (err) {
                reject(err);
            } else {
                resolve(data.Plaintext);
            }
        });
    });
};

当我使用正确的CiphertextBlob运行此代码时,出现此错误:

Promise {
  <rejected> { MissingRequiredParameter: Missing required key 'CiphertextBlob' in params
    at ParamValidator.fail (D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\param_validator.js:50:37)
    at ParamValidator.validateStructure (D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\param_validator.js:61:14)
    at ParamValidator.validateMember (D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\param_validator.js:88:21)
    at ParamValidator.validate (D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\param_validator.js:34:10)
    at Request.VALIDATE_PARAMETERS (D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\event_listeners.js:126:42)
    at Request.callListeners (D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
    at callNextListener (D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\sequential_executor.js:96:12)
    at D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\event_listeners.js:86:9
    at finish (D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\config.js:349:7)
    at D:\Developing\abono-transportes-js\node_modules\aws-sdk\lib\config.js:367:9
  message: 'Missing required key \'CiphertextBlob\' in params',
  code: 'MissingRequiredParameter',
  time: 2019-06-30T20:29:18.890Z } }

我不明白为什么CiphertextBlob在params变量中会收到消息。

有人知道吗? 预先感谢!

编辑01/07

测试编码功能: 第一个功能:

const CheckExpirationDateHandler = {
    canHandle(handlerInput) {
        return handlerInput.requestEnvelope.request.type === 'IntentRequest'
            && handlerInput.requestEnvelope.request.intent.name === 'TtpConsultaIntent';
    },
    handle(handlerInput) {

        var fecha = "";
        var speech = "";

        userData = handlerInput.attributesManager.getSessionAttributes();

        if (Object.keys(userData).length === 0) {
            speech = consts.No_Card_Registered;
        } else {
            console.log("Retrieving expiration date from 3rd API");
            fecha = crtm.expirationDate(cipher.decrypt(userData.code.toString()));
            speech = "Tu abono caducará el " + fecha;
        }

        return handlerInput.responseBuilder
            .speak(speech)
            .shouldEndSession(true)
            .getResponse();

    }
}

解密功能随日志一起提供:

// source is plaintext
async function decrypt(source) {

    console.log("Decrypt func INPUT: " + source)
    const params = {
        CiphertextBlob: Buffer.from(source, 'base64'),
    };
    const { Plaintext } = await kms.decrypt(params).promise();
    return Plaintext.toString();
};

输出:

  

2019-07-01T19:01:12.814Z 38b45272-809d-4c84-b155-928bee61a4f8 INFO从第3个API检索到期日期   2019-07-01T19:01:12.814Z 38b45272-809d-4c84-b155-928bee61a4f8 INFO解密功能输入:   AYADeHK9xoVE19u / 3vBTiug3LuYAewACABVhd3MtY3J5cHRvLXB1YmxpYy1rZXkAREF4UW0rcW5PSElnY1ZnZ2l1bHQ2bzc3ZnFLZWZMM2J6YWJEdnFCNVNGNzEyZGVQZ1dXTDB3RkxsdDJ2dFlRaEY4UT09AA10dHBDYXJkTnVtYmVyAAt0aXRsZU51bWJlcgABAAdhd3Mta21zAEthcm46YXdzOmttczpldS13ZXN0LTE6MjQwMTE3MzU1MTg4OmtleS81YTRkNmFmZS03MzkxLTRkMDQtYmUwYi0zZDJlMWRhZTRkMmIAuAECAQB4sE8Iv75TZ0A9b / ila9Yi / 3vTSja3wM7mN / B0ThqiHZEBxYsoWpX7jCqHMoeoYOkVtAAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDNnGIwghz + b42E07KAIBEIA76sV3Gmp5ib99S9H4MnY0d1l ............   2019-07-01T19:01:12.925Z 38b45272-809d-4c84-b155-928bee61a4f8 INFO错误   处理:handlerInput.responseBuilder.speak(...)。shouldEndSession是   不是功能   2019-07-01T19:01:13.018Z 38b45272-809d-4c84-b155-928bee61a4f8错误未处理的承诺   拒绝{“ errorType”:“ Runtime.UnhandledPromiseRejection”,“ errorMessage”:“ InvalidCiphertextException:   null“,” stack“:[” Runtime.UnhandledPromiseRejection:   InvalidCiphertextException:null“,” ...

3 个答案:

答案 0 :(得分:1)

这意味着您缺少键“ CiphertextBlob”或其值未定义。

请签出您作为buffer传递的值。

作为参考,我还添加了我使用的工作代码示例。

import { KMS } from 'aws-sdk';

import config from '../config';

const kms = new KMS({
  accessKeyId: config.aws.accessKeyId,
  secretAccessKey: config.aws.secretAccessKey,
  region: config.aws.region,
});

// source is plaintext
async function encrypt(source) {
  const params = {
    KeyId: config.aws.kmsKeyId,
    Plaintext: source,
  };
  const { CiphertextBlob } = await kms.encrypt(params).promise();

  // store encrypted data as base64 encoded string
  return CiphertextBlob.toString('base64');
}

// source is plaintext
async function decrypt(source) {
  const params = {
    CiphertextBlob: Buffer.from(source, 'base64'),
  };
  const { Plaintext } = await kms.decrypt(params).promise();
  return Plaintext.toString();
}

export default {
  encrypt,
  decrypt,
};

-----添加-----

我能够重现您的问题。

decrypt("this text is not encrpyted before!");

此代码会引发您遇到的相同错误。

所以我可以得出结论,如果您传递未经加密的纯文本或使用其他密钥加密的纯文本,则会抛出InvalidCiphertextException: null

现在,我给你一个用法示例。

encrypt("hello world!") // this will return base64 encoded string
  .then(decrypt) // this one accepts encrypted string
  .then(decoded => console.log(decoded)); // hello world!

答案 1 :(得分:1)

在尝试使用可接受的解决方案时,我对我使用 AWS <加密的环境变量使用 AWS KMS 不断在我的 AWS lambda 中遇到此错误。 / em>用户界面。

它对我有用,它是根据 AWS官方解决方案(无法找到链接)改编而成的:

decrypt.js

const AWS = require('aws-sdk');
AWS.config.update({ region: 'us-east-1' });

module.exports = async (env) => {
    const functionName = process.env.AWS_LAMBDA_FUNCTION_NAME;
    const encrypted = process.env[env];
    
    if (!process.env[env]) {
        throw Error(`Environment variable ${env} not found`) 
    }
    
    const kms = new AWS.KMS();
    try {
        const data = await kms.decrypt({
            CiphertextBlob: Buffer.from(process.env[env], 'base64'),
            EncryptionContext: { LambdaFunctionName: functionName },
        }).promise();
        console.info(`Environment variable ${env} decrypted`)
        return data.Plaintext.toString('ascii');
    } catch (err) {
        console.log('Decryption error:', err);
        throw err;
    }
}

要像这样使用:

index.js

const decrypt = require("./decrypt.js")

exports.handler = async (event, context, callback) => {
    console.log(await decrypt("MY_CRYPTED_ENVIRONMENT_VARIABLE"))
}

答案 2 :(得分:1)

  1. EncryptionContext 是必须的。
  2. 假设 EnvironmentVariable 的名称是 Secret
  3. 下面的代码读取名为 Secret 的 EnvironmentVariable,并在正文中以纯文本形式返回解密后的机密。
  4. 请看下面贴出的函数代码

'使用严格';

const aws = require('aws-sdk');
var kms = new aws.KMS();

exports.handler = (event, context, callback) => {
    const functionName = process.env.AWS_LAMBDA_FUNCTION_NAME;
    const encryptedSecret = process.env.Secret;

    kms.decrypt({
            CiphertextBlob: new Buffer(encryptedSecret, 'base64'),
            EncryptionContext: {
                LambdaFunctionName: functionName /*Providing the name of the function as the Encryption Context is a must*/
            },
        },
        (err, data) => {

            if (err) {
                /*Handle the error please*/
            }

            var decryptedSecret = data.Plaintext.toString('ascii');

            callback(null, {
                statusCode: 200,
                body: decryptedSecret,
                headers: {
                    'Content-Type': 'application/json',
                },
            });
        });
};