From a681a4183756913a38ec5609c3f306d0aa1d9bea Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Wed, 1 May 2024 16:51:15 -0700
Subject: [PATCH 1/3] fix: Try all master key providers when decrypting raw RSA data key
---
 src/aws_encryption_sdk/internal/crypto/wrapping_keys.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py b/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
index 91f9fd834..ba6135965 100644
--- a/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
+++ b/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
@@ -98,9 +98,12 @@ def decrypt(self, encrypted_wrapped_data_key, encryption_context):
 if self.wrapping_key_type is EncryptionKeyType.PUBLIC:
 raise IncorrectMasterKeyError("Public key cannot decrypt")
 if self.wrapping_key_type is EncryptionKeyType.PRIVATE:
- return self._wrapping_key.decrypt(
- ciphertext=encrypted_wrapped_data_key.ciphertext, padding=self.wrapping_algorithm.padding
- )
+ try:
+ return self._wrapping_key.decrypt(
+ ciphertext=encrypted_wrapped_data_key.ciphertext, padding=self.wrapping_algorithm.padding
+ )
+ except ValueError as e:
+ raise IncorrectMasterKeyError("_wrapping_key cannot decrypt provided ciphertext")
 serialized_encryption_context = serialize_encryption_context(encryption_context=encryption_context)
 return decrypt(
 algorithm=self.wrapping_algorithm.algorithm,
From d55db0b90dcf6fd6b41dfebb6410c17cdda843e3 Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Wed, 1 May 2024 16:55:47 -0700
Subject: [PATCH 2/3] lint
---
 src/aws_encryption_sdk/internal/crypto/wrapping_keys.py | 2 +-
 .../test/aws-crypto-tools-test-vector-framework | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py b/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
index ba6135965..da9bc9b6b 100644
--- a/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
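Review bot: The `raise IncorrectMasterKeyError(...)` added under `except ValueError` in `decrypt` has no explicit cause, so the library's `ValueError` is carried along as implicit context and appears in any traceback a caller logs. Make the intent explicit with `raise IncorrectMasterKeyError("_wrapping_key cannot decrypt provided ciphertext") from None`, or bind the exception and use `from err` if the detail is wanted. The `lint` patch (2/3) touches the same line and only drops the unused `as e`, so the point applies there too. Collapsing every `ValueError` from the RSA unwrap into one exception type and one message is presumably deliberate and deserves a comment such as `# Uniform failure: lets the next master key provider try and reveals nothing about why unwrapping failed`. The diffstat lists only wrapping_keys.py, so a test that passes a data key wrapped under a different RSA key and asserts `IncorrectMasterKeyError` appears to be missing; the body of `decrypt` starts and ends outside the hunk.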
+++ b/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py
@@ -102,7 +102,7 @@ def decrypt(self, encrypted_wrapped_data_key, encryption_context):
 return self._wrapping_key.decrypt(
 ciphertext=encrypted_wrapped_data_key.ciphertext, padding=self.wrapping_algorithm.padding
 )
- except ValueError as e:
+ except ValueError:
 raise IncorrectMasterKeyError("_wrapping_key cannot decrypt provided ciphertext")
 serialized_encryption_context = serialize_encryption_context(encryption_context=encryption_context)
 return decrypt(
diff --git a/test_vector_handlers/test/aws-crypto-tools-test-vector-framework b/test_vector_handlers/test/aws-crypto-tools-test-vector-framework
index c3d73fae2..9eb2fcbbe 160000
--- a/test_vector_handlers/test/aws-crypto-tools-test-vector-framework
+++ b/test_vector_handlers/test/aws-crypto-tools-test-vector-framework
@@ -1 +1 @@
-Subproject commit c3d73fae260fd9e9cc9e746f09a7ffbab83576e2
+Subproject commit 9eb2fcbbe47ab30c29d6ad9a8125b1064e0db42a
From 4c4b51920ba821d95c0611044e71e0255a3a264a Mon Sep 17 00:00:00 2001
From: Lucas McDonald
Date: Thu, 2 May 2024 09:41:53 -0700
Subject: [PATCH 3/3] revert
---
 .../test/aws-crypto-tools-test-vector-framework | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test_vector_handlers/test/aws-crypto-tools-test-vector-framework b/test_vector_handlers/test/aws-crypto-tools-test-vector-framework
index 9eb2fcbbe..c3d73fae2 160000
--- a/test_vector_handlers/test/aws-crypto-tools-test-vector-framework
+++ b/test_vector_handlers/test/aws-crypto-tools-test-vector-framework
@@ -1 +1 @@
-Subproject commit 9eb2fcbbe47ab30c29d6ad9a8125b1064e0db42a
+Subproject commit c3d73fae260fd9e9cc9e746f09a7ffbab83576e2