
Decrypt SES messages from S3 encrypted with KMS, Node



I am not able to decrypt the emails I receive from my S3 bucket. They are encrypted with a KMS key. I am using Node and TypeScript.

I have tried a few things but am not able to make it work. I have been looking at this link: ://docs.aws.amazon/AWSJavaScriptSDK/latest/AWS/SES.html

My code currently looks like this:

import * as AWS from 'aws-sdk';
import * as crypto from 'crypto';

const s3 = new AWS.S3({ apiVersion: '2006-03-01', region: 'eu-west-1' });
const kms = new AWS.KMS({ apiVersion: '2014-11-01', region: 'eu-west-1' });

// LambdaUtils and log are the poster's own project helpers (not shown).
export const handler = LambdaUtils.lambdaHandler('onebox-email-service-SendMailToL4PFunction', async (event) => {
  const record = event.Records[0];

  const request = {
    Bucket: record.s3.bucket.name,
    Key: record.s3.object.key
  };

  const data = await s3.getObject(request).promise();
  const decryptData = await decryptSES(data);

  return decryptData;
});

export const decryptSES = async (objectData) => {
  // Envelope written by the S3 encryption client: KMS-wrapped data key, IV, GCM tag length
  // in bits, content cipher, and the material description used as the KMS encryption context.
  const metadata = objectData.Metadata || {};
  const kmsKeyBase64 = metadata['x-amz-key-v2'];
  const iv = metadata['x-amz-iv'];
  const tagLen = (metadata['x-amz-tag-len'] || 0) / 8;
  let algo = metadata['x-amz-cek-alg'];
  const encryptionContext = JSON.parse(metadata['x-amz-matdesc']);

  switch (algo) {
    case 'AES/GCM/NoPadding':
      algo = 'aes-256-gcm';
      break;
    case 'AES/CBC/PKCS5Padding':
      algo = 'aes-256-cbc';
      break;
    default:
      log.error({Message: 'Unsupported algorithm: ' + algo});
      return;
  }

  if (typeof (kmsKeyBase64) === 'undefined') {
    log.error('Error');
  }

  const kmsKeyBuffer = new Buffer(kmsKeyBase64, 'base64');
  const returnValue = await kms.decrypt({ CiphertextBlob: kmsKeyBuffer, EncryptionContext: encryptionContext }, (err, kmsData) => {
    if (err) {
      log.error({err});
      return null;
    } else {
      const data = objectData.Body.slice(0, -tagLen);
      const decipher = crypto.createDecipheriv( algo, kmsKeys.Plaintext[0], new Buffer(iv, 'base64'));
      if (tagLen !== 0) {
        const tag = objectData.Body.slice(-tagLen);
        decipher.setAuthTag(tag);
      }
      let dec = decipher.update(data, 'binary', 'utf8');
      dec += decipher.final('utf8');
      return dec;
    }
  }).promise();

  return returnValue;
};

The error I get from my Lambda looks like this:

2019-02-05T17:06:19.015Z d9593ef7-635b-47b2-b881-ede2a396f88e Error: Invalid key length
    at new Decipheriv (crypto.js:267:16)
    at Object.createDecipheriv (crypto.js:627:10)
    at Response.l.decrypt (/var/task/email-from-s3.js:592:232696)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:364:18)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)

I can see in my logs that I get the encrypted message from my S3 bucket, but then it cannot be decrypted.

Can anyone help me? I am using Node and TypeScript.

Answer:

I got some help from a colleague and we were able to figure it out. The problem was with

const decipher = crypto.createDecipheriv( algo, kmsKeys.Plaintext[0], new Buffer(iv, 'base64'));

We needed to change kms.Plaintext to kms.Plaintext as Buffer and it started working. I'm posting my whole function here in case anyone needs it later.

import * as AWS from 'aws-sdk';
import * as crypto from 'crypto';

const kms = new AWS.KMS({ apiVersion: '2014-11-01', region: 'eu-west-1' });

// ErrorUtils is the poster's own project helper (not shown).
export const decryptS3Message = async (objectData) => {
  // Envelope written by the S3 encryption client: KMS-wrapped data key, IV, GCM tag length
  // in bits, content cipher, and the material description that KMS expects as encryption context.
  const metadata = objectData.Metadata || {};
  const kmsKeyBase64 = metadata['x-amz-key-v2'];
  const iv = metadata['x-amz-iv'];
  const tagLen = (metadata['x-amz-tag-len'] || 0) / 8;
  let algo = metadata['x-amz-cek-alg'];
  const encryptionContext = JSON.parse(metadata['x-amz-matdesc']);

  switch (algo) {
    case 'AES/GCM/NoPadding':
      algo = `aes-256-gcm`;
      break;
    case 'AES/CBC/PKCS5Padding':
      algo = `aes-256-cbc`;
      break;
    default:
      throw new ErrorUtils.NotFoundError('Unsupported algorithm: ' + algo);
  }

  if (typeof (kmsKeyBase64) === 'undefined') {
    return null;
  }

  const kmsKeyBuffer = Buffer.from(kmsKeyBase64, 'base64');

  // KMS only unwraps the data key under the same encryption context it was wrapped with.
  const returnValue = await kms.decrypt({ CiphertextBlob: kmsKeyBuffer, EncryptionContext: encryptionContext }).promise()
    .then((res) => {
      // Body.slice(0, -0) is empty, so only trim the trailing tag when there is one (GCM).
      const data = tagLen > 0 ? objectData.Body.slice(0, -tagLen) : objectData.Body;
      // Plaintext is typed as a union (Buffer | Uint8Array | Blob | string); narrow it to Buffer.
      const decipher = crypto.createDecipheriv( algo, res.Plaintext as Buffer, Buffer.from(iv, 'base64'));
      if (tagLen !== 0) {
        // The GCM auth tag is appended to the ciphertext; final() throws if it does not verify.
        const tag = objectData.Body.slice(-tagLen);
        decipher.setAuthTag(tag);
      }
      let dec = decipher.update(data, 'binary', 'utf8');
      dec += decipher.final('utf8');
      return dec;
    }).catch((err) => {
      throw new ErrorUtils.InternalServerError('Not able to decrypt message: ', err);
    });

  return returnValue;
};
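The following is an added example, not code from the question or the answer above, that walks the same envelope end to end so it can be run offline. It builds an object laid out the way the S3 encryption client stores SES messages (ciphertext body with the 16-byte GCM tag appended, envelope in the x-amz-* user metadata), parses it back, unwraps the data key and decrypts. KMS is replaced by a local stand-in (an assumption of this example, not the AWS API) that binds the material description as additional authenticated data, which is the property that matters here: an edited x-amz-matdesc no longer unwraps, and a flipped ciphertext byte fails the tag check in final() instead of yielding garbage. It also covers the CBC envelope, where x-amz-tag-len is absent and Body.slice(0, -0) would silently return an empty buffer. The names decryptS3Object, localKms, encryptLikeS3 and demo, the sample email and the key ARN are this example's own.

```typescript
import * as crypto from 'crypto';

// Constructed sample: a minimal raw message of the kind SES's S3 action stores.
export const SAMPLE_EMAIL = 'From: alice@example.com\r\nTo: bob@example.com\r\nSubject: hi\r\n\r\nhello\r\n';

// The S3 fields the decryptor consumes (a subset of S3.GetObjectOutput).
export interface EncryptedObject { Body: Buffer; Metadata: Record<string, string>; }
type Ctx = Record<string, string>;
// Unwraps the KMS-encrypted data key; injected so the example runs offline.
export type UnwrapKey = (wrapped: Buffer, encryptionContext: Ctx) => Promise<Buffer>;
// x-amz-cek-alg values written by the S3 encryption client.
const CEK_ALG: Record<string, 'gcm' | 'cbc'> = { 'AES/GCM/NoPadding': 'gcm', 'AES/CBC/PKCS5Padding': 'cbc' };

export async function decryptS3Object(obj: EncryptedObject, unwrapKey: UnwrapKey): Promise<string> {
  const md = obj.Metadata;
  for (const k of ['x-amz-key-v2', 'x-amz-iv', 'x-amz-cek-alg', 'x-amz-matdesc']) {
    if (md[k] === undefined) throw new Error(`missing metadata ${k}`);
  }
  const mode = CEK_ALG[md['x-amz-cek-alg']];
  if (!mode) throw new Error(`unsupported x-amz-cek-alg ${md['x-amz-cek-alg']}`);
  // x-amz-tag-len is in bits and only present for GCM; Body.slice(0, -0) would empty a CBC body.
  const tagLen = mode === 'gcm' ? Number(md['x-amz-tag-len']) / 8 : 0;
  if (mode === 'gcm' && tagLen !== 16) throw new Error(`unexpected GCM tag length ${tagLen * 8} bits`);
  if (obj.Body.length < tagLen) throw new Error('body shorter than the auth tag');
  // The material description is the KMS encryption context; unwrapping under another one fails.
  const ctx = JSON.parse(md['x-amz-matdesc']) as Ctx;
  const key = await unwrapKey(Buffer.from(md['x-amz-key-v2'], 'base64'), ctx);
  if (key.length !== 32) throw new Error(`expected a 32-byte data key, got ${key.length}`);
  const iv = Buffer.from(md['x-amz-iv'], 'base64');
  const ciphertext = obj.Body.subarray(0, obj.Body.length - tagLen);
  if (mode === 'gcm') {
    const gcm = crypto.createDecipheriv('aes-256-gcm', key, iv);
    gcm.setAuthTag(obj.Body.subarray(obj.Body.length - tagLen)); // the tag trails the ciphertext
    return Buffer.concat([gcm.update(ciphertext), gcm.final()]).toString('utf8'); // final() verifies it
  }
  const cbc = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([cbc.update(ciphertext), cbc.final()]).toString('utf8');
}

// Offline stand-in for KMS (an assumption of this example, not the AWS API): the data key is wrapped
// under a local master key with AES-256-GCM, with the encryption context bound as AAD.
export function localKms(masterKey: Buffer): { wrap: (dataKey: Buffer, ctx: Ctx) => Buffer; unwrap: UnwrapKey } {
  const aad = (ctx: Ctx) => Buffer.from(JSON.stringify(ctx));
  return {
    wrap: (dataKey, ctx) => {
      const iv = crypto.randomBytes(12);
      const c = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
      c.setAAD(aad(ctx));
      return Buffer.concat([iv, c.update(dataKey), c.final(), c.getAuthTag()]);
    },
    unwrap: async (wrapped, ctx) => {
      const d = crypto.createDecipheriv('aes-256-gcm', masterKey, wrapped.subarray(0, 12));
      d.setAAD(aad(ctx));
      d.setAuthTag(wrapped.subarray(wrapped.length - 16));
      return Buffer.concat([d.update(wrapped.subarray(12, wrapped.length - 16)), d.final()]);
    },
  };
}

// Lays an object out the way the S3 encryption client does: envelope in user metadata and, for
// GCM, the 16-byte auth tag appended to the ciphertext body.
export function encryptLikeS3(plaintext: string, kms: ReturnType<typeof localKms>, mode: 'gcm' | 'cbc'): EncryptedObject {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(mode === 'gcm' ? 12 : 16);
  const ctx: Ctx = { kms_cmk_id: 'arn:aws:kms:eu-west-1:111122223333:key/example' }; // constructed
  const parts: Buffer[] = [];
  if (mode === 'gcm') {
    const c = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
    parts.push(c.update(plaintext, 'utf8'), c.final(), c.getAuthTag());
  } else {
    const c = crypto.createCipheriv('aes-256-cbc', dataKey, iv);
    parts.push(c.update(plaintext, 'utf8'), c.final());
  }
  return {
    Body: Buffer.concat(parts),
    Metadata: {
      'x-amz-key-v2': kms.wrap(dataKey, ctx).toString('base64'),
      'x-amz-iv': iv.toString('base64'),
      'x-amz-cek-alg': mode === 'gcm' ? 'AES/GCM/NoPadding' : 'AES/CBC/PKCS5Padding',
      'x-amz-wrap-alg': 'kms',
      'x-amz-matdesc': JSON.stringify(ctx),
      ...(mode === 'gcm' ? { 'x-amz-tag-len': '128' } : {}),
    },
  };
}

export async function demo(): Promise<{ gcm: string; cbc: string; tamperRejected: boolean; wrongContextRejected: boolean }> {
  const kms = localKms(crypto.randomBytes(32));
  const gcmObj = encryptLikeS3(SAMPLE_EMAIL, kms, 'gcm');
  const gcm = await decryptS3Object(gcmObj, kms.unwrap);
  const cbc = await decryptS3Object(encryptLikeS3(SAMPLE_EMAIL, kms, 'cbc'), kms.unwrap);
  // Flip one ciphertext byte: GCM's final() must reject it instead of returning garbage.
  const tampered = { ...gcmObj, Body: Buffer.from(gcmObj.Body) };
  tampered.Body[5] ^= 0x01;
  const tamperRejected = await decryptS3Object(tampered, kms.unwrap).then(() => false, () => true);
  // Edited material description: the key was wrapped under the original context, so unwrap fails.
  const wrongCtx = { ...gcmObj, Metadata: { ...gcmObj.Metadata, 'x-amz-matdesc': JSON.stringify({ kms_cmk_id: 'other' }) } };
  const wrongContextRejected = await decryptS3Object(wrongCtx, kms.unwrap).then(() => false, () => true);
  return { gcm, cbc, tamperRejected, wrongContextRejected };
}
```

In the Lambda, the real KMS call slots in as the unwrapKey argument: `async (blob, ctx) => (await kms.decrypt({ CiphertextBlob: blob, EncryptionContext: ctx }).promise()).Plaintext as Buffer`. The `as Buffer` is the same narrowing the answer needed, because the SDK types `Plaintext` as a union that also admits string and Blob.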

