有没有办法在Python中解密jpg或png文件,这是使用JAVA加密的CSE KMS - AmazonS3EncryptionClient并存储在S3中?它看起来像boto3和aws ecryption客户端只支持密文而不是文件。
我尝试下面的代码,但它失败了,
def get_decrypted_stream(s3_object):
region_name = 'us-east-1'
encryptedImageBytes = s3_object.get()['Body'].read()
print("Decoded file : {}".format(encryptedImageBytes))
client = boto3.client('kms', region_name=region_name)
response = client.decrypt( CiphertextBlob=encryptedImageBytes)
data = meta[u'Plaintext']
return io.BytesIO(data)
错误:
它使用{“errorMessage”:“client.decrypt(CiphertextBlob = encryptedImage)”失败:“调用Decrypt操作时发生错误(413):HTTP内容长度超过200000字节。”,“errorType”:“ClientError”,}
参考文献:https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html https://github.com/aws/aws-encryption-sdk-python/ https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/python-example-code.html https://aws-encryption-sdk-python.readthedocs.io/en/latest/
根据您分享的文档,Encrypt
和Decrypt
API限制为最大4k的有效载荷:https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html
使用KMS密钥对文件进行编码时,其理念是生成对称密钥,使用对称密钥对有效负载进行编码,使用KMS encrypt
API对对称密钥进行编码,并将加密的对称密钥存储在信封中,作为S3上的元数据例如。
以下是S3文件加密的代码示例:
#
# Generate a Data Key (encoded with my Master Key in KMS)
#
key = kms.generate_data_key(KeyId=MASTER_KEY_ARN,KeySpec='AES_256')
keyPlain = key['Plaintext']
keyCipher = key['CiphertextBlob']
#
# Encode a file with the data key
#
print ("Initializing encryption engine")
iv = ''.join(chr(random.randint(0, 0xFF)) for i in range(16))
chunksize = 64*1024
encryptor = AES.new(keyPlain, AES.MODE_CBC, iv)
print ("KMS Plain text key = %s " % base64.b64encode(keyPlain))
print ("KMS Encrypted key = %s " % base64.b64encode(keyCipher))
in_filename = os.path.join(DIRECTORY, FILENAME)
out_filename = in_filename + '.enc'
filesize = os.path.getsize(in_filename)
print ("Encrypting file")
with open(in_filename, 'rb') as infile:
with open(out_filename, 'wb') as outfile:
outfile.write(struct.pack('<Q', filesize))
outfile.write(iv)
chunk = infile.read(chunksize)
while len(chunk) != 0:
if len(chunk) % 16 != 0:
chunk += ' ' * (16 - len(chunk) % 16)
outfile.write(encryptor.encrypt(chunk))
chunk = infile.read(chunksize)
#
# Store encrypted file on S3
# Encrypted Key will be stored as meta data
#
print ("Storing encrypted file on S3")
metadata = {
"key" : base64.b64encode(keyCipher)
}
#client = boto3.client('s3', 'us-west-2')
s3 = session.client('s3')
transfer = S3Transfer(s3)
transfer.upload_file(out_filename, S3_BUCKET, out_filename, extra_args={"Metadata" : metadata})
os.remove(out_filename)
以及要解密的示例代码:
#
# Download Encrypted File and it's metadata
#
print ("Download file and meta data from S3")
transfer.download_file(S3_BUCKET, out_filename, out_filename)
#retrieve meta data
import boto3
s3 = boto3.resource('s3')
object = s3.Object(S3_BUCKET, out_filename)
#print object.metadata
keyCipher = base64.b64decode(object.metadata['key'])
#decrypt encrypted key
print ("Decrypt ciphered key")
key = kms.decrypt(CiphertextBlob=keyCipher)
keyPlain = key['Plaintext']
print ("KMS Plain text key = %s " % base64.b64encode(keyPlain))
print ("KMS Encrypted key = %s " % base64.b64encode(keyCipher))
#
# Decrypt the file
#
print("Decrypt the file")
in_filename = out_filename
out_filename = in_filename + '.jpg'
filesize = os.path.getsize(in_filename)
with open(in_filename, 'rb') as infile:
origsize = struct.unpack('<Q', infile.read(struct.calcsize('Q')))[0]
iv = infile.read(16)
decryptor = AES.new(keyPlain, AES.MODE_CBC, iv)
with open(out_filename, 'wb') as outfile:
chunk = infile.read(chunksize)
while len(chunk) != 0:
outfile.write(decryptor.decrypt(chunk))
chunk = infile.read(chunksize)
outfile.truncate(origsize)