o diLY@sddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z m Z mZmZmZddlZddlmZddlmZddlmZddlmZddlmZmZmZdd lmZdd l m!Z!dd l"m#Z#dd l$m%Z%m&Z&dd l'm(Z(e)dZ*dZ+dZ,dZ-Gddde.Z/Gddde0Z1Gddde.Z2Gddde2Z3Gddde2Z4Gddde2Z5Gddde5Z6Gd d!d!e.Z7d"e8d#e9d$e8fd%d&Z:d'e9d(e9d$ee9e9ffd)d*Z;d+e9d$e9fd,d-Zd2e8d3e9d$e8fd4d5Z?dS)6N)BytesIO)DictUnionIOOptionalAnyTuple)AESGCM)default_backend)Cipher)AES)CBCCTRECB)PKCS7) InvalidTag)padding)PrivateKeyTypesPublicKeyTypes) serializationz"bytes=(?P\d+)-(?P\d+)*lc@s@eZdZdZdefddZdddZdd Zd d Zd d Z dS) DummyAIOFilezHSo that response['Body'].read() presents the same way as a normal S3 getdatacCst||_dSN)rfile)selfrrC/home/ubuntu/.local/lib/python3.10/site-packages/aioboto3/s3/cse.py__init__#szDummyAIOFile.__init__c|j|Srrreadrnrrrr#& zDummyAIOFile.readcs |jSrr"rrrrreadany)s zDummyAIOFile.readanycr!rr"r$rrr readexactly,r&zDummyAIOFile.readexactlycs|jdfS)NTr"r'rrr readchunk/szDummyAIOFile.readchunkN)r ) __name__ __module__ __qualname____doc__bytesrr#r(r)r*rrrrr s  rc@s eZdZdS) DecryptErrorN)r+r,r-rrrrr03sr0c@sZeZdZddZddZdedeeefdefdd Z de eeeefeffd d Z d S) CryptoContextcdS)z0 Coroutine to perform any setup Nrr'rrrsetup8szCryptoContext.setupcr2)z3 Coroutine to perform any teardown Nrr'rrrclose>szCryptoContext.closekeymaterial_descriptionreturnct)z Get decryption key for a given S3 object :param key: Base64 decoded version of x-amz-key-v2 :param material_description: JSON decoded x-amz-matdesc :return: Raw AES key bytes NotImplementedErrorrr5r6rrrget_decryption_aes_keyCsz$CryptoContext.get_decryption_aes_keycr8)z Get encryption key to encrypt an S3 object :return: Raw AES key bytes, Stringified JSON x-amz-matdesc, Base64 encoded x-amz-key-v2 r9r'rrrget_encryption_aes_keyMsz$CryptoContext.get_encryption_aes_keyN) r+r,r-r3r4r/rstrrr<rr=rrrrr17s $ r1c@seZdZdZ  ddeedeedeejfddZ de d e e e fd e fd d Zd ee e e e fe ffd dZede d efddZedde dee d efddZdS)AsymmetricCryptoContexta! Crypto context which uses public-private key cryptography. The public and private keys need to be loaded in by ``cryptography.hazmat.primitives.serialization.*`` :param public_key: Public key object :param private_key: Private key object :param loop: Event loop N public_key private_keyloopcCs(||_||_||_|st|_dSdSr)r@rA_loopasyncioget_event_loop)rr@rArBrrrras z AsymmetricCryptoContext.__init__r5r6r7cs6jdur tdjdfddIdH}|S) Get decryption key for a given S3 object :param key: Base64 decoded version of x-amz-key :param material_description: JSON decoded x-amz-matdesc :return: Raw AES key bytes NzQPrivate key not provided during initialisation, cannot decrypt key encrypting keycjtSr)rAdecryptrPKCS1v15rr5rrrvz@AsymmetricCryptoContext.get_decryption_aes_key..)rA ValueErrorrCrun_in_executor)rr5r6 plaintextrrJrr<ks  z.AsymmetricCryptoContext.get_decryption_aes_keycsPjdur tdtdjdfddIdH}it|fS) Get encryption key to encrypt an S3 object :return: Raw AES key bytes, Stringified JSON x-amz-matdesc, Base64 encoded x-amz-key NzPPublic key not provided during initialisation, cannot encrypt key encrypting key crGr)r@encryptrrIr random_bytesrrrrKrLz@AsymmetricCryptoContext.get_encryption_aes_key..) r@rMosurandomrCrNbase64 b64encodedecode)r ciphertextrrSrr=zs   z.AsymmetricCryptoContext.get_encryption_aes_keyrcCst|tS)zr Convert public key in DER encoding to a Public key object :param data: public key bytes )rload_der_public_keyr )rrrrfrom_der_public_keysz+AsymmetricCryptoContext.from_der_public_keypasswordcCst||tS)z Convert private key in DER encoding to a Private key object :param data: private key bytes :param password: password the private key is encrypted with )rload_der_private_keyr )rr]rrrfrom_der_private_keysz,AsymmetricCryptoContext.from_der_private_keyNNNr)r+r,r-r.rrrrDAbstractEventLooprr/rr>rr<rr= staticmethodr\r_rrrrr?Vs     "r?c@sheZdZdZd dedeejfddZdede e e fdefd d Z de ee e e fe ffd d ZdS)SymmetricCryptoContextz Crypto context which uses symmetric cryptography. The key field should be a valid AES key. :param key: Key bytes :param loop: Event loop Nr5rBcCsD||_t|_tt|jt|jd|_||_|s t |_dSdS)Nbackend) r5r _backendr r r_cipherrCrDrE)rr5rBrrrrszSymmetricCryptoContext.__init__r6r7csZ|j|jdfddIdHttj|jdfddIdH}|S)rFNcSrupdatefinalizer)aesecbr5rrrKrLz?SymmetricCryptoContext.get_decryption_aes_key..cSrrir padded_resultunpadderrrrKrL)rg decryptorrCrNrr block_sizerp)rr5r6resultr)rlr5rorprr<s  z-SymmetricCryptoContext.get_decryption_aes_keycsttdttj|jdfddIdH|j |jdfddIdH}it | fS)rPrQNcrhrrir)padderrTrrrKrLz?SymmetricCryptoContext.get_encryption_aes_key..crhrrir)rlrorrrKrL) rUrVrr rrrtrCrNrg encryptorrWrXrY)rencrypted_resultr)rlrortrTrr=s   z-SymmetricCryptoContext.get_encryption_aes_keyr)r+r,r-r.r/rrDrarrr>rr<rr=rrrrrcs   $rcc@seZdZdZ  ddeedeedefddZd d Z d d Z d e de ee fde fddZdee e eefeffddZdS)KMSCryptoContexta Crypto context which uses symmetric cryptography. The key field should be a valid AES key. E.g. if you wanted to set the KMS region, add kms_client_args={'region_name': 'eu-west-1'} :param key: Key bytes :param kms_client_args: Will be expanded when getting a KMS client :param authenticated_encryption: Uses AES-GCM instead of AES-CBC (also allows range gets of files) :param loop: Event loop NTkeyidkms_client_argsauthenticated_encryptioncCs*||_||_d|_|r |ni|_d|_dSr)kms_keyrz _kms_client_kms_client_args_session)rrxryrzrrrrs  zKMSCryptoContext.__init__cs0t|_|jjdi|jIdH|_dS)Nkms)r)aioboto3Sessionr~clientr} __aenter__r|r'rrrr3s $zKMSCryptoContext.setupcs|jIdHdSr)r|r4r'rrrr4szKMSCryptoContext.closer5r6r7cs |jj||dIdH}|dS)N)CiphertextBlobEncryptionContext Plaintext)r|rH)rr5r6kms_datarrrr<s  z'KMSCryptoContext.get_decryption_aes_keycsT|jdur tdd|ji}|jj|j|ddIdH}|d|t|dfS)NzLKMS Key not provided during initalisation, cannot decrypt key encrypting key kms_cmk_idAES_256)KeyIdrKeySpecrr)r{rMr|generate_data_keyrWrXrY)rencryption_contextkms_resprrrr=s   z'KMSCryptoContext.get_encryption_aes_key)NNT)r+r,r-r.rr>dictboolrr3r4r/rrr<rr=rrrrrws   $rwc seZdZ ddedededeffdd Zdd Zd d Zd ede e e fd efddZ d e ee e e fe ffddZZS)MockKMSCryptoContextTaes_keyr6 encrypted_keyrzcs*tt|||_||_||_||_dSr)superrrrr6rrz)rrr6rrz __class__rrr s  zMockKMSCryptoContext.__init__cdSrrr'rrrr3zMockKMSCryptoContext.setupcrrrr'rrrr4rzMockKMSCryptoContext.closer5r7cs|jSr)rr;rrrr<sz+MockKMSCryptoContext.get_decryption_aes_keycs |j|jt|jfSr)rr6copyrWrXrrYr'rrrr=sz+MockKMSCryptoContext.get_encryption_aes_key)T)r+r,r-r/rrrr3r4rr>rr<rr= __classcell__rrrrr s(rc@seZdZdZd"dedeefddZddZd d Z d d Z d dZ de de defddZ d"dedee e fdeedefddZ  d#dedee e fdedeedeedeedefddZd"deeefde de defd d!ZdS)$S3CSEa| S3 Client-side encryption wrapper. To change S3 region add s3_client_args={'region_name': 'eu-west-1'} To use this object, either use it with ``async with S3CSE(...) as s3_cse:`` Or run the setup() and close() coro's respectively :param crypto_context: Takes a cryto context object from above :param s3_client_args: Optional dict of S3 client args Ncrypto_contexts3_client_argscCs8d|_t|_||_d|_d|_|r||_dSi|_dSr)rCr rf_crypto_contextr~ _s3_client_s3_client_args)rrrrrrr/s zS3CSE.__init__cs`tjdkr t|_nt|_t|_|jj di|j  IdH|_ |j IdHdS)N)s3)r)sys version_inforDrErCget_running_looprrr~rrrrrr3r'rrrr38s     z S3CSE.setupcs&|jIdH|jIdHdSr)rr4rr'rrrr4Bsz S3CSE.closecs|IdH|Sr)r3r'rrrrFszS3CSE.__aenter__cs|IdHdSr)r4)rexc_typeexc_valexc_tbrrr __aexit__JszS3CSE.__aexit__BucketKeyr7csV|jdur |IdH|d}d}d}d}|rNt|}|s(td|t|d}|d}|dur;d}nt|}t ||\}} d|| |d<|jj d||d|IdH} | d } t| d d d } d | vrud| vru| Sd | vr| d IdH} | | | |IdH}n| d IdH} | | | | |||IdH}t|| d<| S)z S3 GetObject. Takes same args as Boto3 documentation Decrypts any CSE :param Bucket: S3 Bucket :param Key: S3 Key (filepath) :return: returns same response as a normal S3 get_object NRangez$Dont understand this range value {0}lz bytes={0}-{1})rrMetadataResponseMetadata HTTPHeaderszcontent-length x-amz-key x-amz-key-v2Bodyr)rr3get RANGE_REGEXmatchrMformatintgroup_get_adjusted_crypto_range get_objectr# _decrypt_v1 _decrypt_v2r)rrrkwargs_rangeactual_range_startdesired_range_startdesired_range_end range_matchactual_range_end s3_responsemetadatawhole_file_length file_databodyrrrrNsB      zS3CSE.get_objectrr range_startc s|rtdt|d}t|d}|j||IdH}t|d}tt|t ||j d |j dfddIdHttj|j dfddIdH}|S) Nz/Cant do range get when not using KMS encryptionr x-amz-matdescx-amz-ivrdcrhrriraescbcrrrrKrLz#S3CSE._decrypt_v1..crmrrirrnrrrKrL)r0rW b64decodejsonloadsrr<r r r rfrqrCrNrrrrp) rrrrdecryption_keyr6rivrsr)rrrorprrszS3CSE._decrypt_v1entire_file_length desired_start desired_endc st|d}t|d}|j||IdH} t|d|dddkr|durlt|tt | t |j d |j dfdd IdH} t|d d } || d } || krb| n|}| ||} | St| z|j dfd d IdH} W| Stytdw|rtdtt | t|j d |j dfdd IdHtt j|j dfdd IdH} | S)Nrrr x-amz-cek-algAES/CBC/PKCS5PaddingAES/GCM/NoPaddingrdcrhrrir)aesctrrrrrKrLz#S3CSE._decrypt_v2.. x-amz-tag-lenrcsdSr)rHr)aesgcmrrrrrKzJFailed to decrypt, AEAD tag is incorrect. Possible key or IV are incorrectz&Cannot decrypt AES-CBC file with rangecrhrrirrrrrKrLcrmrrirrnrrrKrL)rWrrrrr<r_adjust_iv_for_ranger r rrfrqrCrNrr rr0r rrrrp) rrrrrrrrr6rrs aead_tag_len max_offsetr)rrrrrrorprrsB    "   zS3CSE._decrypt_v2rrc s|jdur |IdHtdr$tjr IdHnt|jt}|o/|jj }|dur6|ni}|j IdH\}} } |rk|rkd|d<t t |d<t dt||jdfddIdH} n>|rqd |d<t d ttj|jdfd dIdHtt|t|jd |jdfd dIdH} t t|d<t|d<t| |d<|rd|d<| |d<n| |d<|jj d||| |d|IdHdS)z PutObject. Takes same args as Boto3 documentation Encrypts files :param: Body: File data :param Bucket: S3 Bucket :param Key: S3 Key (filepath) Nr#rrr csdSr)rRr)rrrrrrK rz"S3CSE.put_object..rrcrmrrir)rrtrrrKrLrdcrhrrir)rrorrrKrLz x-amz-unencrypted-content-lengthrrrzx-amz-wrap-algrr)rrrrr)!rr3hasattrinspectiscoroutinefunctionr# isinstancerrwrzr=r>AES_BLOCK_SIZErUrVr rCrNrr rrrtr r rfrulenrWrXrYrdumps put_object) rrrrrris_kmsauthenticated_cryptormatdesc_metadata key_metadatarsr)rrrrrortrrsN       "  zS3CSE.put_objectrr`)r+r,r-r.r1rrrr3r4rrr>rr/rrrrrrrrrrrr"s*   (@ (@rr byte_offsetr7cCsFt|dkr tdt}||}|||krtdt|}t||S)Nrz(IV must be 12 bytes long for AES-GCM/CTRzLRange size invalid. Should never hit this as range should be adjusted by now)r RuntimeErrorr _compute_j0_increment_blocks)rrrr block_offsetj0rrrr/s   rstartendcCst|}t|}||fSr)_get_cipher_block_lower_bound_get_cipher_block_upper_bound)rrrrrr<srvaluecCs||tt}t|dS)Nr)rmax)r lower_boundrrrrCs rcCs"t|t}||t}t|tSr)rminJAVA_LONG_MAX_VALUE)roffset upper_boundrrrrHs   rcCs|dtdd}t|dS)N r)AES_BLOCK_SIZE_BYTESr)rrrrrrNs rcounter block_deltacCs|dkr|S|rt|dkrtddgd}d}|dkr-||||d<|d7}|dkstdtdt|d|}|dd|d d}|S) NrrzCounter must be 16 bytes longrrrz>Q)rrMstructpackunpackr/)rr byte_bufferirsrrrrTs  r)@rDrWrrrUrerr iortypingrrrrrrr+cryptography.hazmat.primitives.ciphers.aeadr cryptography.hazmat.backendsr &cryptography.hazmat.primitives.ciphersr 1cryptography.hazmat.primitives.ciphers.algorithmsr ,cryptography.hazmat.primitives.ciphers.modesr rr&cryptography.hazmat.primitives.paddingrcryptography.exceptionsr)cryptography.hazmat.primitives.asymmetricr/cryptography.hazmat.primitives.asymmetric.typesrrcryptography.hazmat.primitivesrcompilerrrrobjectr Exceptionr0r1r?rcrwrrr/rrrrrrrrrrrsR           I94