
How to decrypt AWS KMS cipher with AWS Encryption SDK with Java or AWSKmsClient

I want to use AWSKmsClient or the AWS Encryption SDK with Java to decrypt a message I have encrypted using the AWS CLI.

I have created an encrypted message using:

aws kms encrypt --key-id 123421-4032-412c-4321-eds42d1a1b432 --plaintext MyText --output text --query CiphertextBlob

It generates something like this for me:

ADCCAHhJotXoy8910T/Pd8PXVaF/Xkg+9NrF9QTy/XlW7rTtUAH6zACj9MbEY1cS7526GfscAAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZDEEAS4wEQQMGmYHb67SV66h/eE0AgEQgCONMNda4kVsSi9sPAXXts2F0N/mwjSlIB2ngJcAyxymnltrHQ==

I want to pass this to my Scala-Spark code and decrypt it either with AWSKmsClient or with the AWS Encryption SDK for Java.

Based on this link it seems there is some difference between the AWS Encryption SDK and AWS KMS:

The AWS Encryption SDK for Java is not meant to be compatible with the aws kms command line tool. In short, the AWS Encryption SDK leverages KMS to provide more versatile encryption functionality than KMS alone.

I cannot manage to do it with AWSKmsClient either; am I missing something? Is there a better way to achieve this?

The confusion here comes down to the difference between using AWS KMS directly via the AWS SDKs and using the AWS Encryption SDK.

The AWS Encryption SDK uses KMS (or other key providers) as part of an envelope encryption format[1]. Because of this, the snippet you quoted is correct: the output of the AWS Encryption SDK cannot be decrypted by KMS directly, and vice versa.

However, all AWS Encryption SDK implementations are compatible with each other.

If you want to encrypt something from the CLI that you can pass to Java/JVM code for decryption, that is definitely possible with the AWS Encryption SDK CLI and the AWS Encryption SDK for Java.

Source: I wrote the AWS Encryption SDK for Python[2] and CLI[3] and advised on the AWS Encryption SDK for C[4] as well as our documentation[5].


As for why you could not use AWSKmsClient to decrypt the value that you received from using the AWS CLI to call KMS directly, there are a variety of possibilities depending on what error you received.

One possibility is that you might not have Decrypt permissions on the CMK. This should have resulted in a permissions error from KMS.

Another possibility is that you are providing an invalid ciphertext. The AWS CLI automatically base64-encodes the CiphertextBlob binary data that it receives from KMS before returning it, because most shells do not handle binary data well. However, AWSKmsClient will not automatically base64-decode anything before sending it to KMS. You must provide the raw bytes. So, if you are providing the base64-encoded string to AWSKmsClient in the decrypt request, then KMS will throw an error that you provided invalid ciphertext.

[1] https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html

[2] https://aws-encryption-sdk-python.readthedocs.io/en/latest/

[3] https://aws-encryption-sdk-cli.readthedocs.io/en/latest/

[4] https://github.com/awslabs/aws-encryption-sdk-c

[5] https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
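Putting the two routes described in this answer side by side, as an added example that is not part of the original answer or of any AWS library: it decodes the CLI's base64 text back to raw bytes, checks whether those bytes carry an AWS Encryption SDK message header (format version 0x01 followed by type 0x80, or format version 0x02; anything else is treated as a raw KMS CiphertextBlob), and then either calls KMS Decrypt directly or hands the message to the Encryption SDK in strict mode. It assumes the AWS SDK for Java 1.x (the same AWSKMSClientBuilder API used elsewhere on this page) and the AWS Encryption SDK for Java 2.x; the class name, the KEY_ARN placeholder and the helper names are assumptions of this example, and running it requires AWS credentials with kms:Decrypt on that key.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;

import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;

public final class KmsCiphertextDecryptor {

    // Placeholder (assumption of this example): ARN of the CMK the ciphertext was made with.
    static final String KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID";

    /** The AWS CLI prints CiphertextBlob as base64 text; both SDKs want the raw bytes. */
    static byte[] rawCiphertext(String base64FromCli) {
        return Base64.getDecoder().decode(base64FromCli.trim());
    }

    /**
     * True if the bytes start with an AWS Encryption SDK message header:
     * format v1 is version 0x01 followed by type 0x80, format v2 is version 0x02.
     * Anything else is not an Encryption SDK message and must go to KMS Decrypt.
     */
    static boolean looksLikeEncryptionSdkMessage(byte[] ct) {
        if (ct.length < 2) {
            return false;
        }
        return (ct[0] == 0x01 && ct[1] == (byte) 0x80) || ct[0] == 0x02;
    }

    /** Route A: output of `aws kms encrypt`; a direct KMS Decrypt call on the raw bytes. */
    static String decryptWithKms(AWSKMS kms, byte[] ct) {
        DecryptRequest req = new DecryptRequest()
                .withCiphertextBlob(ByteBuffer.wrap(ct))
                // Optional for symmetric CMKs (the blob names its key), but pins the key we expect
                // so a ciphertext wrapped by some other key in the account is rejected.
                .withKeyId(KEY_ARN);
        // If `aws kms encrypt` was given --encryption-context, the same pairs must be supplied
        // here with .withEncryptionContext(...), or KMS reports InvalidCiphertextException.
        DecryptResult res = kms.decrypt(req);
        return StandardCharsets.UTF_8.decode(res.getPlaintext()).toString();
    }

    /** Route B: output of the AWS Encryption SDK CLI; strict-mode provider limited to KEY_ARN. */
    static String decryptWithEncryptionSdk(byte[] ct) {
        // standard() uses the default commitment policy; messages written by a 1.x CLI
        // (format v1, no key commitment) would need a builder with ForbidEncryptAllowDecrypt.
        AwsCrypto crypto = AwsCrypto.standard();
        KmsMasterKeyProvider provider = KmsMasterKeyProvider.builder().buildStrict(KEY_ARN);
        CryptoResult<byte[], KmsMasterKey> res = crypto.decryptData(provider, ct);
        // Belt and braces: the strict provider already refuses other keys, but say so explicitly.
        if (!res.getMasterKeyIds().contains(KEY_ARN)) {
            throw new IllegalStateException("message was not wrapped by the expected CMK");
        }
        return new String(res.getResult(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // args[0] is the CiphertextBlob text exactly as the CLI printed it.
        byte[] ct = rawCiphertext(args[0]);
        String plaintext = looksLikeEncryptionSdkMessage(ct)
                ? decryptWithEncryptionSdk(ct)
                : decryptWithKms(AWSKMSClientBuilder.standard().build(), ct);
        System.out.println(plaintext);
    }
}
```

The header check only tells the two formats apart; it is not authentication. Authenticity comes from KMS (Route A) or from the Encryption SDK's header and body tags (Route B), which is why both routes still fail loudly on tampered input.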

"All language-specific implementations of the AWS Encryption SDK, including the AWS Encryption CLI, are interoperable." Quoted from the AWS docs. So the missing link in your question body must contain false information.

There are basic examples in the documentation. Initializing KmsMasterKeyProvider with your key ID should do it for you.

Why don't you just wrap the encryption part in a Java program which uses the AWS Encryption SDK, so you don't have to worry about 'interoperability'?

I have managed to use AWSKMSClient:

import java.nio.ByteBuffer
import java.nio.charset.StandardCharsets
import java.util.Base64

import com.amazonaws.services.kms.{AWSKMS, AWSKMSClientBuilder}
import com.amazonaws.services.kms.model.DecryptRequest

object KMSUtils {

  // ARN of the CMK the value was encrypted with (fill in the placeholders).
  val keyId = "arn:aws:kms:us-east-1:{Account ID}:key/{KEY ID}"

  // One client per process: it is thread-safe and costly to build on every call.
  private val kmsClient: AWSKMS = AWSKMSClientBuilder.standard().build()

  // `base64EncodedValue` is the CiphertextBlob text printed by `aws kms encrypt`.
  // The CLI base64-encodes the blob, but KMS expects the raw bytes, so decode first
  // (java.util.Base64 does this without a Guava dependency).
  def decrypt(base64EncodedValue: String): String = {
    val ciphertext: ByteBuffer =
      ByteBuffer.wrap(Base64.getDecoder.decode(base64EncodedValue.trim))

    // KeyId is optional for symmetric CMKs (the blob names its key) but pins the key we expect.
    val req: DecryptRequest = new DecryptRequest()
      .withCiphertextBlob(ciphertext)
      .withKeyId(keyId)
    val plainText: ByteBuffer = kmsClient.decrypt(req).getPlaintext

    StandardCharsets.UTF_8.decode(plainText).toString
  }

}
