Package: s3crypto

import "../ibm-cos-sdk-go/service/s3/s3crypto"

Constants

const DefaultInstructionKeySuffix = readonly

DefaultInstructionKeySuffix is appended to the end of the instruction file key when grabbing or saving to S3

Value:

".instruction"

const AESGCMNoPadding = readonly

AESGCMNoPadding is the constant value that is used to specify the cek algorithm consiting of AES GCM with no padding.

Value:

"AES/GCM/NoPadding"

const AESCBC = readonly

AESCBC is the string constant that signifies the AES CBC algorithm cipher.

Value:

"AES/CBC"

const KMSWrap = readonly

KMSWrap is a constant used during decryption to build a KMS key handler.

Value:

"kms"

const DefaultMinFileSize = readonly

DefaultMinFileSize is used to check whether we want to write to a temp file or store the data in memory.

Value:

1024 * 512 * 5

const KMSContextWrap = readonly

KMSContextWrap is a constant used during decryption to build a kms+context key handler

Value:

"kms+context"

Variables

var NoPadder = writable

NoPadder does not pad anything

Value:

Padder(noPadder{})

var AESCBCPadder = writable

AESCBCPadder is used to pad AES encrypted and decrypted data. Although it uses the pkcs5Padder, it isn't following the RFC for PKCS5. The only reason why it is called pkcs5Padder is due to the Name returning PKCS5Padding.

Value:

Padder(aescbcPadding)

var _ awsFixture = writable

Value:

(*kmsContextKeyHandler)(nil)

Type Summary

• CipherData struct

  CipherData is used for content encryption.

• CryptoReadCloser struct

  CryptoReadCloser handles closing of the body and allowing reads from the decrypted content.

• CryptoRegistry struct

  CryptoRegistry is a collection of registries for configuring a decryption client with different key wrapping algorithms, content encryption algorithms, and padders.

• DecryptionClient struct

  DecryptionClient is an S3 crypto client.

• DecryptionClientOptions struct

  DecryptionClientOptions is the configuration options for DecryptionClientV2.

• DecryptionClientV2 struct

  DecryptionClientV2 is an S3 crypto client.

• EncryptionClient struct

  EncryptionClient is an S3 crypto client.

• EncryptionClientOptions struct

  EncryptionClientOptions is the configuration options for EncryptionClientV2.

• EncryptionClientV2 struct

  EncryptionClientV2 is an S3 crypto client.

• Envelope struct

  Envelope encryption starts off by generating a random symmetric key using AES GCM.

• HeaderV2LoadStrategy struct

  Load from a given object's header.

• HeaderV2SaveStrategy struct

  Save will save the envelope to the request's header.

• MaterialDescription struct

  Clone returns a copy of the MaterialDescription.

• S3LoadStrategy struct

  S3LoadStrategy will load the instruction file from s3.

• S3SaveStrategy struct

  S3SaveStrategy will save the metadata to a separate instruction file in S3.

Interface Summary

• Cipher interface

  Cipher interface allows for either encryption and decryption of an object.

• CipherDataDecrypter interface

  CipherDataDecrypter is a handler to decrypt keys from the envelope.

• CipherDataDecrypterWithContext interface

  CipherDataDecrypterWithContext is a handler to decrypt keys from the envelope with request context.

• CipherDataGenerator interface

  CipherDataGenerator handles generating proper key and IVs of proper size for the content cipher.

• CipherDataGeneratorWithCEKAlg interface

  CipherDataGeneratorWithCEKAlg handles generating proper key and IVs of proper size for the content cipher.

• CipherDataGeneratorWithContext interface

  CipherDataGeneratorWithContext handles generating proper key and IVs of proper size for the content cipher.

• ContentCipher interface

  ContentCipher deals with encrypting and decrypting content.

• ContentCipherBuilder interface

  ContentCipherBuilder is a builder interface that builds ciphers for each request.

• ContentCipherBuilderWithContext interface

  ContentCipherBuilderWithContext is a builder interface that builds ciphers for each request.

• Decrypter interface

  Decrypter interface with only the decrypt method.

• Encrypter interface

  Encrypter interface with only the encrypt method.

• LoadStrategy interface

  LoadStrategy …

• Padder interface

  Padder handles padding of crypto data.

• SaveStrategy interface

  SaveStrategy is how the data's metadata wants to be saved.

Function Summary

• func AESCBCContentCipherBuilder(generator CipherDataGenerator, padder Padder) ContentCipherBuilder

  AESCBCContentCipherBuilder returns a new encryption only AES/CBC mode structure using the provided padder.

• func AESGCMContentCipherBuilder(generator CipherDataGenerator) ContentCipherBuilder

  AESGCMContentCipherBuilder returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.

• func AESGCMContentCipherBuilderV2(generator CipherDataGeneratorWithCEKAlg) ContentCipherBuilder

  AESGCMContentCipherBuilderV2 returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.

• func NewDecryptionClient(prov client.ConfigProvider, options ...func(*DecryptionClient)) *DecryptionClient

  NewDecryptionClient instantiates a new S3 crypto client.

• func NewEncryptionClient(prov client.ConfigProvider, builder ContentCipherBuilder, options ...func(*EncryptionClient)) *EncryptionClient

  NewEncryptionClient instantiates a new S3 crypto client.

• func NewKMSContextKeyGenerator(client kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGeneratorWithCEKAlg

  NewKMSContextKeyGenerator builds a new kms+context key provider using the customer key ID and material description.

• func NewKMSKeyGenerator(kmsClient kmsiface.KMSAPI, cmkID string) CipherDataGenerator

  NewKMSKeyGenerator builds a new KMS key provider using the customer key ID and material description.

• func NewKMSKeyGeneratorWithMatDesc(kmsClient kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGenerator

  NewKMSKeyGeneratorWithMatDesc builds a new KMS key provider using the customer key ID and material description.

• func NewKMSWrapEntry(kmsClient kmsiface.KMSAPI) WrapEntry

  NewKMSWrapEntry builds returns a new KMS key provider and its decrypt handler.

• func NewPKCS7Padder(blockSize int) Padder

  NewPKCS7Padder follows the RFC 2315: www.ietf.org/rfc/rfc2315.txt PKCS7 padding is subject to side-channel attacks and timing attacks.

• func RegisterAESCBCContentCipher(registry *CryptoRegistry, padder Padder) error

  RegisterAESCBCContentCipher registers the AES/CBC cipher and padder with the provided CryptoRegistry.

• func RegisterAESGCMContentCipher(registry *CryptoRegistry) error

  RegisterAESGCMContentCipher registers the AES/GCM content cipher algorithm with the provided CryptoRegistry.

• func RegisterKMSContextWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error

  RegisterKMSContextWrapWithAnyCMK registers the kms+context wrapping algorithm to the given WrapRegistry.

• func RegisterKMSContextWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error

  RegisterKMSContextWrapWithCMK registers the kms+context wrapping algorithm to the given WrapRegistry.

• func RegisterKMSWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error

  RegisterKMSWrapWithAnyCMK registers the kms wrapping algorithm to the given WrapRegistry.

• func RegisterKMSWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error

  RegisterKMSWrapWithCMK registers the kms wrapping algorithm to the given WrapRegistry.

Type Details

DecryptionClientOptions struct

DecryptionClientOptions is the configuration options for DecryptionClientV2.

Structure Fields:

S3Client s3iface.S3API

LoadStrategy LoadStrategy

LoadStrategy is used to load the metadata either from the metadata of the object or from a separate file in s3.

Defaults to our default load strategy.

CryptoRegistry *CryptoRegistry

EncryptionClientOptions struct

EncryptionClientOptions is the configuration options for EncryptionClientV2

Structure Fields:

S3Client s3iface.S3API

ContentCipherBuilder ContentCipherBuilder

SaveStrategy SaveStrategy

SaveStrategy will dictate where the envelope is saved.

Defaults to the object's metadata

TempFolderPath string

TempFolderPath is used to store temp files when calling PutObject. Temporary files are needed to compute the X-Amz-Content-Sha256 header.

MinFileSize int64

MinFileSize is the minimum size for the content to write to a temporary file instead of using memory.

Function Details

func AESCBCContentCipherBuilder(generator CipherDataGenerator, padder Padder) ContentCipherBuilder

AESCBCContentCipherBuilder returns a new encryption only AES/CBC mode structure using the provided padder. The provided cipher data generator will be used to provide keys for content encryption.

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/aes_cbc_content_cipher.go', line 20

func AESCBCContentCipherBuilder(generator CipherDataGenerator, padder Padder) ContentCipherBuilder {
	return cbcContentCipherBuilder{generator: generator, padder: padder}
}

func AESGCMContentCipherBuilder(generator CipherDataGenerator) ContentCipherBuilder

AESGCMContentCipherBuilder returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.

Note: This uses the Go stdlib AEAD implementation for AES/GCM. Due to this objects to be encrypted or decrypted will be fully loaded into memory before encryption or decryption can occur. Caution must be taken to avoid memory allocation failures.

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/aes_gcm_content_cipher.go', line 22

func AESGCMContentCipherBuilder(generator CipherDataGenerator) ContentCipherBuilder {
	return gcmContentCipherBuilder{generator}
}

func AESGCMContentCipherBuilderV2(generator CipherDataGeneratorWithCEKAlg) ContentCipherBuilder

AESGCMContentCipherBuilderV2 returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption. This type is compatible with the V2 encryption client.

Note: This uses the Go stdlib AEAD implementation for AES/GCM. Due to this objects to be encrypted or decrypted will be fully loaded into memory before encryption or decryption can occur. Caution must be taken to avoid memory allocation failures.

// File 'service/s3/s3crypto/aes_gcm_content_cipher.go', line 32

func AESGCMContentCipherBuilderV2(generator CipherDataGeneratorWithCEKAlg) ContentCipherBuilder {
	return gcmContentCipherBuilderV2{generator}
}

func NewDecryptionClient(prov client.ConfigProvider, options ...func(*DecryptionClient)) *DecryptionClient

NewDecryptionClient instantiates a new S3 crypto client

Example:

sess := session.Must(session.NewSession())
svc := s3crypto.NewDecryptionClient(sess, func(svc *s3crypto.DecryptionClient{
	// Custom client options here
}))

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/decryption_client.go', line 51

func NewDecryptionClient(prov client.ConfigProvider, options ...func(*DecryptionClient)) *DecryptionClient {
	s3client := s3.New(prov)

	s3client.Handlers.Build.PushBack(func(r *request.Request) {
		request.AddToUserAgent(r, "S3CryptoV1n")
	})

	kmsClient := kms.New(prov)
	client := &DecryptionClient{
		S3Client: s3client,
		LoadStrategy: defaultV2LoadStrategy{
			client: s3client,
		},
		WrapRegistry: map[string]WrapEntry{
			KMSWrap:        NewKMSWrapEntry(kmsClient),
			KMSContextWrap: newKMSContextWrapEntryWithAnyCMK(kmsClient),
		},
		CEKRegistry: map[string]CEKEntry{
			AESGCMNoPadding:                    newAESGCMContentCipher,
			AESCBC + "/" + AESCBCPadder.Name(): newAESCBCContentCipher,
		},
		PadderRegistry: map[string]Padder{
			AESCBC + "/" + AESCBCPadder.Name(): AESCBCPadder,
			NoPadder.Name():                    NoPadder,
		},
	}
	for _, option := range options {
		option(client)
	}

	return client
}

func NewEncryptionClient(prov client.ConfigProvider, builder ContentCipherBuilder, options ...func(*EncryptionClient)) *EncryptionClient

NewEncryptionClient instantiates a new S3 crypto client

Example:

	cmkID := "arn:aws:kms:region:000000000000:key/00000000-0000-0000-0000-000000000000"
 sess := session.Must(session.NewSession())
	handler := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkID)
	svc := s3crypto.NewEncryptionClient(sess, s3crypto.AESGCMContentCipherBuilder(handler))

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/encryption_client.go', line 59

func NewEncryptionClient(prov client.ConfigProvider, builder ContentCipherBuilder, options ...func(*EncryptionClient)) *EncryptionClient {
	s3client := s3.New(prov)

	s3client.Handlers.Build.PushBack(func(r *request.Request) {
		request.AddToUserAgent(r, "S3CryptoV1n")
	})

	client := &EncryptionClient{
		S3Client:             s3client,
		ContentCipherBuilder: builder,
		SaveStrategy:         HeaderV2SaveStrategy{},
		MinFileSize:          DefaultMinFileSize,
	}

	for _, option := range options {
		option(client)
	}

	return client
}

func NewKMSContextKeyGenerator(client kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGeneratorWithCEKAlg

NewKMSContextKeyGenerator builds a new kms+context key provider using the customer key ID and material description.

Example:

sess := session.Must(session.NewSession())
cmkID := "KMS Key ARN"
var matdesc s3crypto.MaterialDescription
handler := s3crypto.NewKMSContextKeyGenerator(kms.New(sess), cmkID, matdesc)

// File 'service/s3/s3crypto/kms_context_key_handler.go', line 28

func NewKMSContextKeyGenerator(client kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGeneratorWithCEKAlg {
	return newKMSContextKeyHandler(client, cmkID, matdesc)
}

func NewKMSKeyGenerator(kmsClient kmsiface.KMSAPI, cmkID string) CipherDataGenerator

NewKMSKeyGenerator builds a new KMS key provider using the customer key ID and material description.

Example:

sess := session.Must(session.NewSession())
cmkID := "arn to key"
matdesc := s3crypto.MaterialDescription{}
handler := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkID)

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/kms_key_handler.go', line 36

func NewKMSKeyGenerator(kmsClient kmsiface.KMSAPI, cmkID string) CipherDataGenerator {
	return NewKMSKeyGeneratorWithMatDesc(kmsClient, cmkID, MaterialDescription{})
}

func NewKMSKeyGeneratorWithMatDesc(kmsClient kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGenerator

NewKMSKeyGeneratorWithMatDesc builds a new KMS key provider using the customer key ID and material description.

Example:

sess := session.Must(session.NewSession())
cmkID := "arn to key"
matdesc := s3crypto.MaterialDescription{}
handler := s3crypto.NewKMSKeyGeneratorWithMatDesc(kms.New(sess), cmkID, matdesc)

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/kms_key_handler.go', line 70

func NewKMSKeyGeneratorWithMatDesc(kmsClient kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGenerator {
	return newKMSKeyHandler(kmsClient, cmkID, matdesc)
}

func NewKMSWrapEntry(kmsClient kmsiface.KMSAPI) WrapEntry

NewKMSWrapEntry builds returns a new KMS key provider and its decrypt handler.

Example:

sess := session.Must(session.NewSession())
customKMSClient := kms.New(sess)
decryptHandler := s3crypto.NewKMSWrapEntry(customKMSClient)

svc := s3crypto.NewDecryptionClient(sess, func(svc *s3crypto.DecryptionClient) {
	svc.WrapRegistry[s3crypto.KMSWrap] = decryptHandler
}))

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/kms_key_handler.go', line 87

func NewKMSWrapEntry(kmsClient kmsiface.KMSAPI) WrapEntry {
	kp := newKMSWrapEntry(kmsClient)
	return kp.decryptHandler
}

func NewPKCS7Padder(blockSize int) Padder

NewPKCS7Padder follows the RFC 2315: www.ietf.org/rfc/rfc2315.txt PKCS7 padding is subject to side-channel attacks and timing attacks. For the most secure data, use an authenticated crypto algorithm.

// File 'service/s3/s3crypto/pkcs7_padder.go', line 24

func NewPKCS7Padder(blockSize int) Padder {
	return pkcs7Padder{blockSize}
}

func RegisterAESCBCContentCipher(registry *CryptoRegistry, padder Padder) error

RegisterAESCBCContentCipher registers the AES/CBC cipher and padder with the provided CryptoRegistry.

Example:

cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterAESCBCContentCipher(cr, s3crypto.AESCBCPadder); err != nil {
	panic(err) // handle error
}

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/aes_cbc_content_cipher.go', line 34

func RegisterAESCBCContentCipher(registry *CryptoRegistry, padder Padder) error {
	if registry == nil {
		return errNilCryptoRegistry
	}
	name := AESCBC + "/" + padder.Name()
	err := registry.AddCEK(name, newAESCBCContentCipher)
	if err != nil {
		return err
	}
	if err := registry.AddPadder(name, padder); err != nil {
		return err
	}
	return nil
}

func RegisterAESGCMContentCipher(registry *CryptoRegistry) error

RegisterAESGCMContentCipher registers the AES/GCM content cipher algorithm with the provided CryptoRegistry.

Example:

cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterAESGCMContentCipher(cr); err != nil {
	panic(err) // handle error
}

// File 'service/s3/s3crypto/aes_gcm_content_cipher.go', line 44

func RegisterAESGCMContentCipher(registry *CryptoRegistry) error {
	if registry == nil {
		return errNilCryptoRegistry
	}

	err := registry.AddCEK(AESGCMNoPadding, newAESGCMContentCipher)
	if err != nil {
		return err
	}

	// NoPadder is generic but required by this algorithm, so if it is already registered and is the expected implementation
	// don't error.
	padderName := NoPadder.Name()
	if v, ok := registry.GetPadder(padderName); !ok {
		if err := registry.AddPadder(padderName, NoPadder); err != nil {
			return err
		}
	} else if _, ok := v.(noPadder); !ok {
		return fmt.Errorf("%s is already registred but does not match expected type %T", padderName, NoPadder)
	}
	return nil
}

func RegisterKMSContextWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error

RegisterKMSContextWrapWithAnyCMK registers the kms+context wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS decrypt without providing a CMK.

Example:

sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSContextWrapWithAnyCMK(cr, kms.New(sess)); err != nil {
	panic(err) // handle error
}

// File 'service/s3/s3crypto/kms_context_key_handler.go', line 58

func RegisterKMSContextWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error {
	if registry == nil {
		return errNilCryptoRegistry
	}
	return registry.AddWrap(KMSContextWrap, newKMSContextWrapEntryWithAnyCMK(client))
}

func RegisterKMSContextWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error

RegisterKMSContextWrapWithCMK registers the kms+context wrapping algorithm to the given WrapRegistry. The wrapper will be configured to only call KMS Decrypt using the provided CMK.

Example:

cr := s3crypto.NewCryptoRegistry()
if err := RegisterKMSContextWrapWithCMK(); err != nil {
	panic(err) // handle error
}

// File 'service/s3/s3crypto/kms_context_key_handler.go', line 41

func RegisterKMSContextWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error {
	if registry == nil {
		return errNilCryptoRegistry
	}
	return registry.AddWrap(KMSContextWrap, newKMSContextWrapEntryWithCMK(client, cmkID))
}

func RegisterKMSWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error

RegisterKMSWrapWithAnyCMK registers the kms wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS Decrypt without providing a CMK.

Example:

sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSWrapWithAnyCMK(cr, kms.New(sess)); err != nil {
	panic(err) // handle error
}

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/kms_key_handler.go', line 123

func RegisterKMSWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error {
	if registry == nil {
		return errNilCryptoRegistry
	}
	return registry.AddWrap(KMSWrap, NewKMSWrapEntry(client))
}

func RegisterKMSWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error

RegisterKMSWrapWithCMK registers the kms wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS Decrypt with the provided CMK.

Example:

sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSWrapWithCMK(cr, kms.New(sess), "cmkId"); err != nil {
	panic(err) // handle error
}

Deprecated: This feature is in maintenance mode, no new updates will be released. Please see docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.

// File 'service/s3/s3crypto/kms_key_handler.go', line 104

func RegisterKMSWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error {
	if registry == nil {
		return errNilCryptoRegistry
	}
	return registry.AddWrap(KMSWrap, newKMSWrapEntryWithCMK(client, cmkID))
}