I am trying to port the code from the following link to python/boto3: https://github.com/gilt/node-s3-encryption-client/issues/3

However, I am stuck getting the plaintext from KMS with the following code:

import base64
import json

import boto3

s3 = boto3.client('s3')
kms = boto3.client('kms')

# Read the client-side-encryption envelope fields stored as object metadata
metadata = s3.head_object(Bucket='my bucket', Key='myencryptedemail00045')
kmsKeyBase64 = metadata['Metadata']['x-amz-key-v2']   # KMS-wrapped data key, base64
iv = metadata['Metadata']['x-amz-iv']
taglen = int(metadata['Metadata']['x-amz-tag-len']) // 8   # bits -> bytes (integer division on Python 2 and 3)
algo = metadata['Metadata']['x-amz-cek-alg']
encryptionContext = json.loads(metadata['Metadata']['x-amz-matdesc'])   # must match the context used at encryption time
kmsKeyBase = base64.b64decode(kmsKeyBase64)
response = kms.decrypt(CiphertextBlob=kmsKeyBase, EncryptionContext=encryptionContext)
print(response)

The plaintext output from boto3 looks like this:

 {u'Plaintext': '\x13I&\x99\xfd\x07\x12\x13\x08M\xf4\x8f\xc4\xae\xc1\x9c\x16\xc2\x88\xaf\xda\xf7\xcf\xfe\x07\xa1\xb7S\x1d\n%\xd7'

If I use the same input with kms decrypt in the AWS CLI, I get the correct output, as shown below:

aws kms decrypt --ciphertext-blob fileb://<(echo 'AQIDAHh/JCD4iDXb1vJh8MhaLBj6MyPnIB57hOtOlVzmpYZUereim0TFFcTueWN+w0Njd4IhPAAAAfjB8BgkqhkiereungbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMvYra4oU2QfFPI0tdAgEQgDuYGmtfQf/1reukNRiD6oGrv3BJuztdkeVrpPxkGzEY25otr143WKrA0YCEcmILYPfXOn3OJT2CShCH31w==' | base64 -d) --encryption-context '{"aws:ses:source-account": "XXXXXXXX", "aws:ses:message-id": "v235k9p8t2jf45u9dlnh6i45sc163di3a2m3u081", "kms_cmk_id": "arn:aws:kms:us-west-2:XXXXXXXXXXX:alias/rockondel-ses", "aws:ses:rule-name": "encrypt-test"}'

Command-line output:

{
"Plaintext": "E0kmokU0HEhIujfSPxKyUhjnBbCiK/a98/+B6G3Ux0KJdc=", 
"KeyId": "arn:aws:kms:us-west-2:XXXXXXXXXXX:key/XXxxxXX-06ce-49f1-3452-XXxxxXXXXxx"

}

Any idea what I am doing wrong?

1 Answer

I think you'll find that the AWS CLI output is just the plaintext, base64-encoded.

>>> from base64 import b64encode
>>> b64encode(b'\x13I&\x99\xfd\x07\x12\x13\x08M\xf4\x8f\xc4\xae\xc1\x9c\x16\xc2\x88\xaf\xda\xf7\xcf\xfe\x07\xa1\xb7S\x1d\n%\xd7')
b'E0kmmf0HEhMITfSPxK7BnBbCiK/a98/+B6G3Ux0KJdc='
answered 2018-07-15T18:22:38.203
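As an added example (not from the question, the answer, or the node-s3-encryption-client project), the envelope handling from the question and the base64 point from the answer, runnable offline: the S3 metadata and the KMS client are constructed stand-ins (`SAMPLE_METADATA`, `FakeKMS`), and the raw key bytes are the ones the question's boto3 call printed. It also shows why the `x-amz-matdesc` context must be passed to KMS verbatim: a different context is refused.

```python
import base64
import json
# Constructed sample of the x-amz-* envelope metadata S3 returns (placeholder values, no real keys).
SAMPLE_METADATA = {
    "x-amz-key-v2": base64.b64encode(b"placeholder-wrapped-data-key").decode(),
    "x-amz-iv": base64.b64encode(b"\x00" * 12).decode(),
    "x-amz-tag-len": "128",
    "x-amz-cek-alg": "AES/GCM/NoPadding",
    "x-amz-matdesc": json.dumps({"kms_cmk_id": "arn:aws:kms:us-west-2:000000000000:alias/placeholder"}),
}
# The 32 raw bytes the question's boto3 call printed, reused here as the fake KMS's answer.
RAW_DATA_KEY = (b'\x13I&\x99\xfd\x07\x12\x13\x08M\xf4\x8f\xc4\xae\xc1\x9c'
                b'\x16\xc2\x88\xaf\xda\xf7\xcf\xfe\x07\xa1\xb7S\x1d\n%\xd7')

def parse_encryption_metadata(metadata):
    """Decode the envelope fields; x-amz-tag-len is in bits, so use // (not /) to get bytes."""
    return {
        "wrapped_key": base64.b64decode(metadata["x-amz-key-v2"]),
        "iv": base64.b64decode(metadata["x-amz-iv"]),
        "tag_len": int(metadata["x-amz-tag-len"]) // 8,
        "alg": metadata["x-amz-cek-alg"],
        "context": json.loads(metadata["x-amz-matdesc"]),  # passed to KMS verbatim
    }

class FakeKMS:
    """Offline stand-in for boto3's kms client; like the real Decrypt it returns raw bytes."""
    def __init__(self, wrapped_key, context, plaintext):
        self._bound, self._plaintext = (wrapped_key, context), plaintext
    def decrypt(self, CiphertextBlob, EncryptionContext):
        if (CiphertextBlob, EncryptionContext) != self._bound:
            raise PermissionError("InvalidCiphertextException (context mismatch)")
        return {"Plaintext": self._plaintext}

def unwrap_data_key(kms, envelope, context=None):
    """Unwrap the data key under the given context (default: the matdesc) and check its size."""
    ctx = envelope["context"] if context is None else context
    key = kms.decrypt(CiphertextBlob=envelope["wrapped_key"], EncryptionContext=ctx)["Plaintext"]
    if len(key) not in (16, 24, 32):
        raise ValueError("unexpected AES data key length %d" % len(key))
    return key

def as_cli_plaintext(raw_key):
    return base64.b64encode(raw_key).decode()  # the CLI prints Plaintext base64-encoded; boto3 returns raw bytes

def context_is_bound(kms, envelope, wrong_context):
    """True when KMS refuses the wrapped key under a different encryption context."""
    try:
        unwrap_data_key(kms, envelope, wrong_context)
    except PermissionError:
        return True
    return False
```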