Getting InvalidCiphertextException with CiphertextBlob as String
I am trying to decrypt a string with AWS KMS, but I am getting an InvalidCiphertextException error (with no further information following the exception name).
I was originally decrypting in a Node.js Lambda, using an environment variable as the source for encryptedString:
var AWS = require('aws-sdk');
var kms = new AWS.KMS();
var params = {
  CiphertextBlob: Buffer.from(encryptedString, 'base64')
};
kms.decrypt(params, function(err, data) {
  if (err) {
    ...
  } else {
    ...
  }
});
I have also tried it with the CiphertextBlob value as a String, ie:
CiphertextBlob: encryptedString
The KMS key used to encrypt the value originally is a symmetric CMK so I believe I shouldn't need to pass in the key ID.
I also tried the same thing via awscli (passing in ciphertext-blob as a string) but got the same error:
aws kms decrypt --ciphertext-blob <encrypted string value> --query Plaintext --output text | base64 --decode
Passing in the key ID had no effect either.
I have used an online tool to validate that the encrypted string is base64. I'm not too clued up on base64 encoding so not sure if that's all it takes to prove the cipher text is valid.
I'm sure I'm failing with something fundamental - either my encrypted string is not base64 or not what decrypt expects, or I am missing some additional decrypt arguments perhaps.
Thanks in advance.
Based on the comments.
The issue is with decrypting an SSM parameter. Thus, an encryption context must be provided during the decryption procedure. From the docs:
Parameter Store includes this encryption context in calls to encrypt and decrypt the MyParameter parameter in an example AWS account and region.
"PARAMETER_ARN":"arn:aws:ssm:<REGION_NAME>:<ACCOUNT_ID>:parameter/<parameter-name>"
Therefore, if you are not using get_parameter with the WithDecryption option set to True, you must provide the above encryption context during the KMS decrypt operation.
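Putting the answer into practice, as an added example that is not part of the original question or answer: a small Node.js helper that builds the decrypt call with the PARAMETER_ARN encryption context and refuses input that is not canonical base64. The region, account id, parameter name and the injected KMS client are assumptions; the lazy require of aws-sdk mirrors the SDK v2 style used in the question.

```javascript
// Added example (not code from the original post): decrypt an SSM SecureString
// value with KMS directly, supplying the encryption context Parameter Store used
// when it encrypted the value. Region, account id and parameter name are caller
// assumptions; the KMS client is injected so a stand-in can exercise the helpers.

// Parameter Store's encryption context is the parameter's ARN. Hierarchical
// names ("/app/db/password") follow "parameter" with a single slash.
function parameterArn(region, accountId, parameterName) {
  const name = parameterName.replace(/^\/+/, '');
  return `arn:aws:ssm:${region}:${accountId}:parameter/${name}`;
}

// Buffer.from(..., 'base64') silently skips bad characters; insist that the
// string round-trips so a non-base64 value fails here rather than at KMS.
function ciphertextFromBase64(encryptedString) {
  const blob = Buffer.from(encryptedString, 'base64');
  if (blob.toString('base64') !== encryptedString) {
    throw new Error('encryptedString is not canonical base64');
  }
  return blob;
}

// Same shape as the params in the question, plus the required EncryptionContext.
function buildDecryptParams(encryptedString, region, accountId, parameterName) {
  return {
    CiphertextBlob: ciphertextFromBase64(encryptedString),
    EncryptionContext: {
      PARAMETER_ARN: parameterArn(region, accountId, parameterName),
    },
  };
}

// Callback-style kms.decrypt (aws-sdk v2, as in the question) wrapped in a
// Promise that resolves to the UTF-8 plaintext.
function decryptParameterValue(kms, encryptedString, region, accountId, parameterName) {
  const params = buildDecryptParams(encryptedString, region, accountId, parameterName);
  return new Promise((resolve, reject) => {
    kms.decrypt(params, (err, data) => {
      if (err) return reject(err);
      resolve(data.Plaintext.toString('utf8'));
    });
  });
}

// Real client for a Lambda; required lazily so the helpers load without the SDK.
function createKmsClient(region) {
  const AWS = require('aws-sdk');
  return new AWS.KMS({ region });
}
```

In a Lambda, decryptParameterValue(createKmsClient(process.env.AWS_REGION), ...) makes the call; calling ssm.getParameter with WithDecryption: true instead avoids having to know the context at all.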