Reputation: 1
I am working on a proof of concept.
Created a KMS keyring with a public and private key.
The public key is in Secrets Manager.
The private key is in KMS.
Use the public key to do encryption and use the encrypted text as the test string for decryption.
    final CreateAwsKmsRsaKeyringInput kmsKeyRing = CreateAwsKmsRsaKeyringInput.builder()
            .kmsClient(KmsClient.create())
            .kmsKeyId(rsaKeyArn)
            .publicKey(publicKeyByteBuffer)
            .encryptionAlgorithm(EncryptionAlgorithmSpec.RSAES_OAEP_SHA_256)
            .build();
    logger.log("Create Raw Rsa Keyring Input .........................................................");
    final MaterialProviders matProv = MaterialProviders.builder()
            .MaterialProvidersConfig(MaterialProvidersConfig.builder().build())
            .build();
    logger.log("Material Providers ....................................................................");
    /*
     * IKeyring rawPubRsaKeyring = matProv.CreateRawRsaKeyring(pubKeyringInput);
     * IKeyring awsKmsRsaKeyring = matProv.CreateAwsKmsRsaKeyring(privKeyringInput);
     */
    IKeyring awsKmsRsaKeyring = matProv.CreateAwsKmsRsaKeyring(kmsKeyRing);
    String ciphertext = encryptMessage(plaintext, awsKmsRsaKeyring);
    String decryptedtext = decryptMessage(ciphertext, awsKmsRsaKeyring);
    private ByteBuffer getPublicKeyFromPem(String pem) throws Exception {
        // Strip the PEM armour and whitespace, leaving the Base64 body of the SubjectPublicKeyInfo
        String publicKeyPEM = pem.replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replaceAll("\\s", "");
        byte[] encoded = Base64.getDecoder().decode(publicKeyPEM);
        // byte[] has no readable toString(); log the length instead of the array reference
        logger.log("Encoded publicKeyPEM length ...... " + encoded.length);
        // Re-wrap the DER bytes as a PEM block: the keyring takes the public key as UTF-8 PEM text in a ByteBuffer
        StringWriter publicKeyStringWriter = new StringWriter();
        PemWriter publicKeyPemWriter = new PemWriter(publicKeyStringWriter);
        try {
            publicKeyPemWriter.writeObject(new PemObject("PUBLIC KEY", encoded));
            publicKeyPemWriter.close();
        } catch (Exception e) {
            throw new RuntimeException("Exception while writing public key PEM", e);
        }
        return StandardCharsets.UTF_8.encode(publicKeyStringWriter.toString());
    }
    private String fetchPublicKeyFromSecretsManager(String secretName, LambdaLogger logger, String secretKey) {
        Region region = Region.of("REGION-NAME-REMOVED"); // placeholder: the region name was removed from the post
        logger.log("Secrets Manager Client ......................................................");
        // Create a Secrets Manager client
        SecretsManagerClient client = SecretsManagerClient.builder().region(region).build();
        logger.log("Get Secret Value Request .................................................... ");
        GetSecretValueRequest getSecretValueRequest = GetSecretValueRequest.builder().secretId(secretName).build();
        GetSecretValueResponse getSecretValueResponse;
        try {
            getSecretValueResponse = client.getSecretValue(getSecretValueRequest);
            // Logging the secret string is tolerable here only because it holds a public key
            logger.log("Get Secret Value Response " + getSecretValueResponse.secretString());
        } catch (Exception e) {
            logger.log(e.toString());
            throw e;
        }
        // The secret is a JSON document; pick the field that holds the PEM public key
        JsonObject jsonObject = JsonParser.parseString(getSecretValueResponse.secretString()).getAsJsonObject();
        String publicKeyPem = jsonObject.get(secretKey).getAsString();
        logger.log(publicKeyPem);
        return publicKeyPem;
    }
    private String encryptMessage(String plaintext, IKeyring keyring) {
        // Instantiate the SDK
        final AwsCrypto crypto = AwsCrypto.builder()
                .withCommitmentPolicy(CommitmentPolicy.ForbidEncryptAllowDecrypt)
                .withEncryptionAlgorithm(CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
                .build();
        logger.log("Aws Crypto - Encrypt .................................................................................. ");
        // Create an encryption context
        final Map<String, String> encryptionContext = Collections.singletonMap("ExampleContextKey",
                "ExampleContextValue");
        // Encrypt the data
        final CryptoResult<byte[], ?> encryptResult = crypto.encryptData(keyring,
                plaintext.getBytes(StandardCharsets.UTF_8), encryptionContext);
        logger.log("Crypto Result post encryption..... " + encryptResult.getResult().length + " bytes");
        // The SDK message is binary; Base64-encode it so it can travel as text
        return Base64.getEncoder().encodeToString(encryptResult.getResult());
    }
    private String decryptMessage(String ciphertext, IKeyring keyring) {
        // Instantiate the SDK
        final AwsCrypto crypto = AwsCrypto.builder()
                .withCommitmentPolicy(CommitmentPolicy.ForbidEncryptAllowDecrypt)
                .withEncryptionAlgorithm(CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
                .build();
        logger.log("Aws Crypto - Decrypt ...... " + ciphertext);
        // Create an encryption context
        final Map<String, String> encryptionContext = Collections.singletonMap("ExampleContextKey",
                "ExampleContextValue");
        // Undo the Base64 transport encoding applied in encryptMessage. The original code passed
        // ciphertext.getBytes(StandardCharsets.UTF_8), i.e. the Base64 text itself, so the byte the
        // SDK read as the message-format version was an ASCII character, which is what
        // BadCiphertextException: Invalid version reports
        final byte[] messageBytes = Base64.getDecoder().decode(ciphertext);
        // 5. Decrypt the data
        final CryptoResult<byte[], ?> decryptResult = crypto.decryptData(keyring, messageBytes,
                // Verify that the encryption context in the result contains the
                // encryption context supplied to the encryptData method
                encryptionContext);
        logger.log("Crypto Result post decryption..... " + decryptResult.getResult().length + " bytes");
        // The result is the original UTF-8 plaintext, so return it as a String rather than Base64
        return new String(decryptResult.getResult(), StandardCharsets.UTF_8);
    }
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>bom</artifactId>
            <version>2.26.12</version> <!-- Use the latest version available -->
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
-------------------
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-encryption-sdk-java</artifactId>
    <version>3.0.1</version>
</dependency>
<!-- AWS Encryption SDK (Material Providers) -->
<dependency>
    <groupId>software.amazon.cryptography</groupId>
    <artifactId>aws-cryptographic-material-providers</artifactId>
    <version>1.5.0</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.70</version>
</dependency>
I use the AWS Encryption SDK for Java and use envelope encryption. I get the following error:
com.amazonaws.encryptionsdk.exception.BadCiphertextException: Invalid version
at com.amazonaws.encryptionsdk.model.CiphertextHeaders.deserialize(CiphertextHeaders.java:588)
at com.amazonaws.encryptionsdk.ParsedCiphertext.<init>(ParsedCiphertext.java:42)
at com.amazonaws.encryptionsdk.AwsCrypto.decryptData(AwsCrypto.java:752)
Code is at https://github.com/aws/aws-encryption-sdk-java/issues/2042.
Can anyone please help me in resolving this issue?
Upvotes: 0
Views: 113
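The stack trace points at CiphertextHeaders.deserialize, which reads the first byte of the input as the message-format version. The following is an added example, not the poster's code and not the AWS Encryption SDK's own parser: a minimal Python reader for the fixed prefix of an Encryption SDK message header (version, algorithm suite id, message id), used to show why handing the Base64 transport string to decryptData as UTF-8 bytes produces "Invalid version" while decoding the Base64 first does not. The constants are taken from the Encryption SDK message format specification; the message bytes are constructed filler, not a real ciphertext, and the parser stops after the message id.

```python
import base64
import struct

# Values from the AWS Encryption SDK message format specification.
VERSION_1 = 0x01          # message format v1: version, type, algorithm id, 16-byte message id
VERSION_2 = 0x02          # message format v2: version, algorithm id, 32-byte message id
TYPE_CUSTOMER_AED = 0x80  # the only message type defined for v1
ALG_AES_256_GCM_IV12_TAG16_NO_KDF = 0x0078  # suite selected in the poster's encryptMessage


class BadCiphertext(ValueError):
    """Stands in for com.amazonaws.encryptionsdk.exception.BadCiphertextException."""


def parse_header_prefix(message: bytes) -> dict:
    """Read version, algorithm id and message id from the start of an ESDK message."""
    if len(message) < 4:
        raise BadCiphertext("Ciphertext too short for a header")
    version = message[0]
    if version == VERSION_1:
        if message[1] != TYPE_CUSTOMER_AED:
            raise BadCiphertext("Invalid type: 0x%02x" % message[1])
        (alg_id,) = struct.unpack(">H", message[2:4])
        msg_id_start, msg_id_len = 4, 16
    elif version == VERSION_2:
        (alg_id,) = struct.unpack(">H", message[1:3])
        msg_id_start, msg_id_len = 3, 32
    else:
        # The branch the poster hit: the first character of a Base64 string is an
        # ASCII letter, digit, '+' or '/', never 0x01 or 0x02.
        raise BadCiphertext("Invalid version: 0x%02x" % version)
    message_id = message[msg_id_start:msg_id_start + msg_id_len]
    if len(message_id) != msg_id_len:
        raise BadCiphertext("Truncated message id")
    return {"version": version, "algorithm_id": alg_id, "message_id": message_id}


def build_sample_message() -> bytes:
    """Constructed sample: a v1 header prefix plus filler bytes (not a real ciphertext)."""
    header = bytes([VERSION_1, TYPE_CUSTOMER_AED]) + struct.pack(">H", ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
    message_id = bytes(range(16))              # constructed 16-byte message id
    return header + message_id + b"\x00" * 8   # filler standing in for the rest of the header


def encode_for_transport(message: bytes) -> str:
    """What the poster's encryptMessage does: Base64-encode the SDK message for transport."""
    return base64.b64encode(message).decode("ascii")


def decode_as_posted(ciphertext_b64: str) -> dict:
    """The poster's decryptMessage: ciphertext.getBytes(UTF_8) fed straight to the parser."""
    return parse_header_prefix(ciphertext_b64.encode("utf-8"))


def decode_fixed(ciphertext_b64: str) -> dict:
    """The fix: reverse the Base64 step before handing the bytes to the SDK."""
    return parse_header_prefix(base64.b64decode(ciphertext_b64))


def diagnose(ciphertext_b64: str) -> str:
    """Return the parser's complaint for the as-posted path, or '' if it parses."""
    try:
        decode_as_posted(ciphertext_b64)
    except BadCiphertext as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    b64 = encode_for_transport(build_sample_message())
    print("transport string starts with:", repr(b64[:8]))
    print("as posted ->", diagnose(b64))
    print("fixed     ->", decode_fixed(b64))
```

The sample message starts with 0x01 0x80 0x00 0x78, whose Base64 form begins "AYAA"; read as raw bytes that is version 0x41, which is exactly the path that throws "Invalid version" in the SDK. Decoding the Base64 first restores the 0x01 byte and the header parses.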