我试图将下面链接中的代码复制到python/boto3: https://github.com/gilt/node-s3-encryption-client/issues/3
但是,我坚持从KMS获取纯文本,代码如下:
metadata = s3.head_object(Bucket='my bucket', Key='myencryptedemail00045')
kmsKeyBase64 = metadata['Metadata']['x-amz-key-v2']
iv = metadata['Metadata']['x-amz-iv']
taglen = (int(metadata['Metadata']['x-amz-tag-len']))/8
algo = metadata['Metadata']['x-amz-cek-alg']
encryptionContext = json.loads(metadata['Metadata']['x-amz-matdesc'])
kmsKeyBase = base64.b64decode(kmsKeyBase64)
response = kms.decrypt(CiphertextBlob=kmsKeyBase, EncryptionContext=encryptionContext)
print (response)
用boto3输出的纯文本显示如下:
^{pr2}$如果我在AWS CLI中对kms decrypt使用相同的输入,那么我将得到正确的输出,如下所示:
aws kms decrypt --ciphertext-blob fileb://<(echo 'AQIDAHh/JCD4iDXb1vJh8MhaLBj6MyPnIB57hOtOlVzmpYZUereim0TFFcTueWN+w0Njd4IhPAAAAfjB8BgkqhkiereungbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMvYra4oU2QfFPI0tdAgEQgDuYGmtfQf/1reukNRiD6oGrv3BJuztdkeVrpPxkGzEY25otr143WKrA0YCEcmILYPfXOn3OJT2CShCH31w==' | base64 -d) --encryption-context '{"aws:ses:source-account": "XXXXXXXX", "aws:ses:message-id": "v235k9p8t2jf45u9dlnh6i45sc163di3a2m3u081", "kms_cmk_id": "arn:aws:kms:us-west-2:XXXXXXXXXXX:alias/rockondel-ses", "aws:ses:rule-name": "encrypt-test"}'
CLI输出:
{
"Plaintext": "E0kmokU0HEhIujfSPxKyUhjnBbCiK/a98/+B6G3Ux0KJdc=",
"KeyId": "arn:aws:kms:us-west-2:XXXXXXXXXXX:key/XXxxxXX-06ce-49f1-3452-XXxxxXXXXxx"
}
你知道我做错什么了吗?在
我认为awscli的输出只是对明文进行base64编码。在
相关问题 更多 >
编程相关推荐