
Decrypting cognito codes with KMS client from aws-sdk-v3

I am following these instructions to implement a custom message sender in Cognito: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html

Everything works well with code similar to this (I use TypeScript on AWS Lambda):

import {buildClient, CommitmentPolicy, KmsKeyringNode} from '@aws-crypto/client-node';
import b64 from 'base64-js';

const {decrypt} = buildClient(CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT);
const keyring = new KmsKeyringNode({keyIds: ["my-key-arn"]});

...
// event.request.code is the base64-encoded ciphertext Cognito passes to the trigger
const {plaintext} = await decrypt(keyring, b64.toByteArray(event.request.code));
console.log(plaintext.toString()); // prints plain text exactly as I need

However, this library, @aws-crypto/client-node, makes my bundle really huge, almost 20MB. Probably because it depends on some older AWS libs...

I used to use modular libraries like @aws-sdk/xxx, which indeed give much smaller bundles.

I have found that for encrypt/decrypt I can use @aws-sdk/client-kms. But it doesn't work!

I am trying the following code:

import {KMSClient, DecryptCommand} from "@aws-sdk/client-kms";
import b64 from 'base64-js';

const client = new KMSClient({});
// same base64 code from the trigger event, sent straight to KMS Decrypt
await client.send(new DecryptCommand({CiphertextBlob: b64.toByteArray(event.request.code), KeyId: 'my-key-arn'}));

Which gives me an error:

InvalidCiphertextException: UnknownError
    at deserializeAws_json1_1InvalidCiphertextExceptionResponse (/projectdir/node_modules/@aws-sdk/client-kms/dist-cjs/protocols/Aws_json1_1.js:3157:23)
    at deserializeAws_json1_1DecryptCommandError (/projectdir/node_modules/@aws-sdk/client-kms/dist-cjs/protocols/Aws_json1_1.js:850:25)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /projectdir/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /projectdir/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:14:20
    at async StandardRetryStrategy.retry (/projectdir/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)
    at async /projectdir/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22
    at async REPL7:1:33 {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 400,
    requestId: '<uuid>',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  __type: 'InvalidCiphertextException'
}

What am I doing wrong? Does this KMSClient support what I need?

I have also tried the AWS CLI aws kms decrypt --ciphertext-blob... command, which gives me exactly the same response. Though if I encrypt and decrypt any random message like "hello world", it works like a charm.

What am I doing wrong, and what is so special about the Cognito code ciphertext that I have to decrypt it some other way?

Short answer: Cognito does not use KMS to encrypt the text, it uses the Encryption SDK. So you cannot use KMS to decrypt Cognito ciphertext.

Longer answer: I spent the past day trying to get a Python email-sender-trigger function working against Cognito using boto3 and the KMS client until I found another post (somewhere?) explaining that Cognito does not encrypt data using KMS, but rather the Encryption SDK. Of course these two encryption mechanisms are not compatible.

For JavaScript and Node.js applications, it looks like you have an alternative to including the entire crypto-client: https://www.npmjs.com/package/@aws-crypto/decrypt-node

If all you are doing is decrypting, the above package will let you decrypt using the Encryption SDK, and it's only 159KB.

I have managed to solve my task. I have realized that it indeed does not simply use KMS to encrypt the text; the encryption/decryption process is much more complicated.

There is a reference page: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html

It describes what the message looks like, with all the headers and body, with IV, AAD, keys, etc... I have written my own script to parse it all and properly decrypt, and it worked. It's probably too long to share... I suggest using the reference instead. Hopefully in the future they will publish a proper modular version of the SDK.

The one from '@aws-crypto' didn't work for me; it probably doesn't support all the protocols properly. This might not be the truth at the moment you are reading it.
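To make concrete what the two answers above describe, here is an added example (not code from the question, the answers, or any AWS library) that parses the header of an AWS Encryption SDK message in format version 1, following the message-format reference linked above. The sample bytes are constructed for illustration; the key ARN in them is a placeholder, not a real key.

```typescript
// Added example: parse an AWS Encryption SDK v1 message header. It shows why the raw
// blob is not KMS ciphertext: KMS only ever encrypted the data key inside the envelope.
interface EncryptedDataKey { providerId: string; providerInfo: string; ciphertext: Uint8Array }
interface EsdkHeader {
  algorithmId: number; messageId: Uint8Array; encryptionContext: Record<string, string>;
  encryptedDataKeys: EncryptedDataKey[]; contentType: number; ivLength: number; frameLength: number;
}

class Reader {
  pos = 0;
  constructor(private buf: Uint8Array) {}
  u8(): number { if (this.pos >= this.buf.length) throw new Error("truncated header"); return this.buf[this.pos++]; }
  u16(): number { return (this.u8() << 8) | this.u8(); }
  u32(): number { return this.u16() * 65536 + this.u16(); }
  bytes(n: number): Uint8Array { const v = this.buf.subarray(this.pos, this.pos + n); this.pos += n; return v; }
  str(n: number): string { const b = this.bytes(n); let s = ""; for (let i = 0; i < b.length; i++) s += String.fromCharCode(b[i]); return s; }
}

export function parseHeaderV1(msg: Uint8Array): EsdkHeader {
  const r = new Reader(msg);
  if (r.u8() !== 0x01) throw new Error("not a version-1 Encryption SDK message");
  if (r.u8() !== 0x80) throw new Error("unexpected message type");
  const algorithmId = r.u16();                    // e.g. 0x0378: AES-256-GCM, HKDF-SHA384, ECDSA P-384
  const messageId = r.bytes(16);
  const encryptionContext: Record<string, string> = {};
  if (r.u16() > 0) {                              // AAD length; the AAD is the encryption context
    const pairs = r.u16();
    for (let i = 0; i < pairs; i++) { const k = r.str(r.u16()); encryptionContext[k] = r.str(r.u16()); }
  }
  const encryptedDataKeys: EncryptedDataKey[] = [];
  const edkCount = r.u16();
  for (let i = 0; i < edkCount; i++) {
    // For the "aws-kms" provider, only this ciphertext field is something KMS Decrypt understands.
    encryptedDataKeys.push({ providerId: r.str(r.u16()), providerInfo: r.str(r.u16()), ciphertext: r.bytes(r.u16()) });
  }
  const contentType = r.u8();                     // 0x01 non-framed, 0x02 framed
  if (r.u32() !== 0) throw new Error("reserved field must be zero");
  const ivLength = r.u8();
  const frameLength = r.u32();
  r.bytes(ivLength + 16);                         // header IV + 16-byte auth tag (not verified here)
  return { algorithmId, messageId, encryptionContext, encryptedDataKeys, contentType, ivLength, frameLength };
}

// Constructed sample: algorithm 0x0378, one EDK from the "aws-kms" provider, framed content, 4096-byte frames.
const be16 = (n: number) => [n >> 8, n & 0xff];
const rep = (n: number, v: number) => { const a: number[] = []; for (let i = 0; i < n; i++) a.push(v); return a; };
const field = (s: string) => { const a = be16(s.length); for (let i = 0; i < s.length; i++) a.push(s.charCodeAt(i)); return a; };
const aad = [...be16(1), ...field("purpose"), ...field("cognito-sms")];
export const SAMPLE_MESSAGE = new Uint8Array([
  0x01, 0x80, 0x03, 0x78, ...rep(16, 0xaa), ...be16(aad.length), ...aad,
  ...be16(1), ...field("aws-kms"), ...field("arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"),
  ...be16(4), 0xde, 0xad, 0xbe, 0xef,
  0x02, 0, 0, 0, 0, 12, 0, 0, 0x10, 0, ...rep(12, 0), ...rep(16, 0),
]);
```

A real Cognito code also carries the encrypted body after this header, so decrypting still requires the Encryption SDK (or the @aws-crypto/decrypt-node package mentioned above); the parser only explains the InvalidCiphertextException from KMS.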
