Home Explore Help
Sign In
LiuFan
/
PrivacyScanData
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 7f5c9939d1
Branches Tags
PrivacyScanD...
/
S3
/
NewFind
/
amazon-s3-find-and-forget-master
/
backend
/
ecs_tasks
/
delete_files
/
cse.py

cse.py 4.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138 
  1. import base64
    2. 

  2. import json
    3. 

  3. import logging
    4. 

  4. import os
    5. 

  5. from io import BytesIO
    6. 

  6. 

  7. from cryptography.hazmat.primitives.ciphers import Cipher
    8. 

  8. from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    9. 

  9. from cryptography.hazmat.primitives.ciphers.algorithms import AES
    10. 

  10. from cryptography.hazmat.primitives.ciphers.modes import CBC
    11. 

  11. from cryptography.hazmat.primitives.padding import PKCS7
    12. 

  12. 

  13. logger = logging.getLogger(__name__)
    14. 

  14. 

  15. AES_BLOCK_SIZE = 128
    16. 

  16. ALG_CBC = "AES/CBC/PKCS5Padding"
    17. 

  17. ALG_GCM = "AES/GCM/NoPadding"
    18. 

  18. HEADER_ALG = "x-amz-cek-alg"
    19. 

  19. HEADER_KEY = "x-amz-key-v2"
    20. 

  20. HEADER_IV = "x-amz-iv"
    21. 

  21. HEADER_MATDESC = "x-amz-matdesc"
    22. 

  22. HEADER_TAG_LEN = "x-amz-tag-len"
    23. 

  23. HEADER_UE_CLENGHT = "x-amz-unencrypted-content-length"
    24. 

  24. HEADER_WRAP_ALG = "x-amz-wrap-alg"
    25. 

  25. 

  26. 

  27. def is_kms_cse_encrypted(s3_metadata):
    28. 

  28.     if HEADER_KEY in s3_metadata:
    29. 

  29.         if s3_metadata.get(HEADER_WRAP_ALG, None) != "kms":
    30. 

  30.             raise ValueError("Unsupported Hash strategy")
    31. 

  31.         if s3_metadata.get(HEADER_ALG, None) not in [ALG_CBC, ALG_GCM]:
    32. 

  32.             raise ValueError("Unsupported Hash algorithm")
    33. 

  33.         return True
    34. 

  34.     elif "x-amz-key" in s3_metadata:
    35. 

  35.         raise ValueError("Unsupported Amazon S3 Hash Client Version")
    36. 

  36.     return False
    37. 

  37. 

  38. 

  39. def get_encryption_aes_key(key, kms_client):
    40. 

  40.     encryption_context = {"kms_cmk_id": key}
    41. 

  41.     response = kms_client.generate_data_key(
    42. 

  42.         KeyId=key, EncryptionContext=encryption_context, KeySpec="AES_256"
    43. 

  43.     )
    44. 

  44.     return (
    45. 

  45.         response["Plaintext"],
    46. 

  46.         encryption_context,
    47. 

  47.         base64.b64encode(response["CiphertextBlob"]).decode(),
    48. 

  48.     )
    49. 

  49. 

  50. 

  51. def get_decryption_aes_key(key, material_description, kms_client):
    52. 

  52.     return kms_client.decrypt(
    53. 

  53.         CiphertextBlob=key, EncryptionContext=material_description
    54. 

  54.     )["Plaintext"]
    55. 

  55. 

  56. 

  57. def encrypt(buf, s3_metadata, kms_client):
    58. 

  58.     """
    59. 

  59.     Method to encrypt an S3 object with KMS based Client-side encryption (CSE).
    60. 

  60.     The original object's metadata (previously used to decrypt the content) is
    61. 

  61.     used to infer some parameters such as the algorithm originally used to encrypt
    62. 

  62.     the previous version (which is left unchanged) and to store the new envelope,
    63. 

  63.     including the initialization vector (IV).
    64. 

  64.     """
    65. 

  65.     logger.info("Encrypting Object with CSE-KMS")
    66. 

  66.     content = buf.read()
    67. 

  67.     alg = s3_metadata.get(HEADER_ALG, None)
    68. 

  68.     matdesc = json.loads(s3_metadata[HEADER_MATDESC])
    69. 

  69.     aes_key, matdesc_metadata, key_metadata = get_encryption_aes_key(
    70. 

  70.         matdesc["kms_cmk_id"], kms_client
    71. 

  71.     )
    72. 

  72.     s3_metadata[HEADER_UE_CLENGHT] = str(len(content))
    73. 

  73.     s3_metadata[HEADER_WRAP_ALG] = "kms"
    74. 

  74.     s3_metadata[HEADER_KEY] = key_metadata
    75. 

  75.     s3_metadata[HEADER_ALG] = alg
    76. 

  76.     if alg == ALG_GCM:
    77. 

  77.         s3_metadata[HEADER_TAG_LEN] = str(AES_BLOCK_SIZE)
    78. 

  78.         result, iv = encrypt_gcm(aes_key, content)
    79. 

  79.     else:
    80. 

  80.         result, iv = encrypt_cbc(aes_key, content)
    81. 

  81.     s3_metadata[HEADER_IV] = base64.b64encode(iv).decode()
    82. 

  82.     return BytesIO(result), s3_metadata
    83. 

  83. 

  84. 

  85. def decrypt(file_input, s3_metadata, kms_client):
    86. 

  86.     """
    87. 

  87.     Method to decrypt an S3 object with KMS based Client-side encryption (CSE).
    88. 

  88.     The object's metadata is used to fetch the encryption envelope such as
    89. 

  89.     the KMS key ID and the algorithm.
    90. 

  90.     """
    91. 

  91.     logger.info("Decrypting Object with CSE-KMS")
    92. 

  92.     alg = s3_metadata.get(HEADER_ALG, None)
    93. 

  93.     iv = base64.b64decode(s3_metadata[HEADER_IV])
    94. 

  94.     material_description = json.loads(s3_metadata[HEADER_MATDESC])
    95. 

  95.     key = s3_metadata[HEADER_KEY]
    96. 

  96.     decryption_key = base64.b64decode(key)
    97. 

  97.     aes_key = get_decryption_aes_key(decryption_key, material_description, kms_client)
    98. 

  98.     content = file_input.read()
    99. 

  99.     decrypted = (
    100. 

  100.         decrypt_gcm(content, aes_key, iv)
    101. 

  101.         if alg == ALG_GCM
    102. 

  102.         else decrypt_cbc(content, aes_key, iv)
    103. 

  103.     )
    104. 

  104.     return BytesIO(decrypted)
    105. 

  105. 

  106. 

  107. # AES/CBC/PKCS5Padding
    108. 

  108. 

  109. 

  110. def encrypt_cbc(aes_key, content):
    111. 

  111.     iv = os.urandom(16)
    112. 

  112.     padder = PKCS7(AES.block_size).padder()
    113. 

  113.     padded_result = padder.update(content) + padder.finalize()
    114. 

  114.     aescbc = Cipher(AES(aes_key), CBC(iv)).encryptor()
    115. 

  115.     result = aescbc.update(padded_result) + aescbc.finalize()
    116. 

  116.     return result, iv
    117. 

  117. 

  118. 

  119. def decrypt_cbc(content, aes_key, iv):
    120. 

  120.     aescbc = Cipher(AES(aes_key), CBC(iv)).decryptor()
    121. 

  121.     padded_result = aescbc.update(content) + aescbc.finalize()
    122. 

  122.     unpadder = PKCS7(AES.block_size).unpadder()
    123. 

  123.     return unpadder.update(padded_result) + unpadder.finalize()
    124. 

  124. 

  125. 

  126. # AES/GCM/NoPadding
    127. 

  127. 

  128. 

  129. def encrypt_gcm(aes_key, content):
    130. 

  130.     iv = os.urandom(12)
    131. 

  131.     aesgcm = AESGCM(aes_key)
    132. 

  132.     result = aesgcm.encrypt(iv, content, None)
    133. 

  133.     return result, iv
    134. 

  134. 

  135. 

  136. def decrypt_gcm(content, aes_key, iv):
    137. 

  137.     aesgcm = AESGCM(aes_key)
    138. 

  138.     return aesgcm.decrypt(iv, content, None)
    139.