是否有一种方法可以在Python中解密JPG或PNG文件,该文件是使用Java加密的CSE KMS -AmazonS3EccryptionClient并存储在S3中?它看起来像boto3和AWS Ecryption客户端仅支持密码文本,而不支持文件。
我尝试了以下代码,但失败了,
def get_decrypted_stream(s3_object):
region_name = 'us-east-1'
encryptedImageBytes = s3_object.get()['Body'].read()
print("Decoded file : {}".format(encryptedImageBytes))
client = boto3.client('kms', region_name=region_name)
response = client.decrypt( CiphertextBlob=encryptedImageBytes)
data = meta[u'Plaintext']
return io.BytesIO(data)
错误:
它在" client.decrypt(ciphertextblob = encryptedImage)"上失败,{" errirormessage":"调用解密操作时发生错误(413):http content Length:http content Lengume超过200000 bytes bytes。",}
参考:https://docs.aws.amazon.com/kms/latest/apieferference/api_decrypt.html https://github.com/aws/aws-aws-eccryption-sdk-python/https://docs.aws.aws.amazon.com/cryption-sdk/latest/developer-guide/python-example-code.html https://aws-encryption-sdk-python.readthedocs.io/en/latest/
根据您共享的文档,Encrypt
和Decrypt
API仅限于4K的有效载荷最大值:https://docs.aws.aws.amazon.com/kms/kms/latest/latest/apireference/api_encrypt。html
使用KMS键编码文件时,理念是生成一个符号密钥,用Symetric键编码有效负载,用KMMS encrypt
API对Symetric密钥进行编码,并将隐脚的Symetric Key存储在信封中,作为元 - ---例如,S3上的数据。
这是用于S3文件加密的代码示例:
#
# Generate a Data Key (encoded with my Master Key in KMS)
#
key = kms.generate_data_key(KeyId=MASTER_KEY_ARN,KeySpec='AES_256')
keyPlain = key['Plaintext']
keyCipher = key['CiphertextBlob']
#
# Encode a file with the data key
#
print ("Initializing encryption engine")
iv = ''.join(chr(random.randint(0, 0xFF)) for i in range(16))
chunksize = 64*1024
encryptor = AES.new(keyPlain, AES.MODE_CBC, iv)
print ("KMS Plain text key = %s " % base64.b64encode(keyPlain))
print ("KMS Encrypted key = %s " % base64.b64encode(keyCipher))
in_filename = os.path.join(DIRECTORY, FILENAME)
out_filename = in_filename + '.enc'
filesize = os.path.getsize(in_filename)
print ("Encrypting file")
with open(in_filename, 'rb') as infile:
with open(out_filename, 'wb') as outfile:
outfile.write(struct.pack('<Q', filesize))
outfile.write(iv)
chunk = infile.read(chunksize)
while len(chunk) != 0:
if len(chunk) % 16 != 0:
chunk += ' ' * (16 - len(chunk) % 16)
outfile.write(encryptor.encrypt(chunk))
chunk = infile.read(chunksize)
#
# Store encrypted file on S3
# Encrypted Key will be stored as meta data
#
print ("Storing encrypted file on S3")
metadata = {
"key" : base64.b64encode(keyCipher)
}
#client = boto3.client('s3', 'us-west-2')
s3 = session.client('s3')
transfer = S3Transfer(s3)
transfer.upload_file(out_filename, S3_BUCKET, out_filename, extra_args={"Metadata" : metadata})
os.remove(out_filename)
和解密的示例代码:
#
# Download Encrypted File and it's metadata
#
print ("Download file and meta data from S3")
transfer.download_file(S3_BUCKET, out_filename, out_filename)
#retrieve meta data
import boto3
s3 = boto3.resource('s3')
object = s3.Object(S3_BUCKET, out_filename)
#print object.metadata
keyCipher = base64.b64decode(object.metadata['key'])
#decrypt encrypted key
print ("Decrypt ciphered key")
key = kms.decrypt(CiphertextBlob=keyCipher)
keyPlain = key['Plaintext']
print ("KMS Plain text key = %s " % base64.b64encode(keyPlain))
print ("KMS Encrypted key = %s " % base64.b64encode(keyCipher))
#
# Decrypt the file
#
print("Decrypt the file")
in_filename = out_filename
out_filename = in_filename + '.jpg'
filesize = os.path.getsize(in_filename)
with open(in_filename, 'rb') as infile:
origsize = struct.unpack('<Q', infile.read(struct.calcsize('Q')))[0]
iv = infile.read(16)
decryptor = AES.new(keyPlain, AES.MODE_CBC, iv)
with open(out_filename, 'wb') as outfile:
chunk = infile.read(chunksize)
while len(chunk) != 0:
outfile.write(decryptor.decrypt(chunk))
chunk = infile.read(chunksize)
outfile.truncate(origsize)