Encrypt issues #10

Closed
devblueray opened this issue Sep 25, 2021 · 1 comment

devblueray commented Sep 25, 2021

  • Do not use the issues tracker for help or support (try Elixir Forum, Slack, IRC, etc.)
  • Questions about how to contribute are fine.

Environment

  • Elixir & Erlang versions (elixir --version): 24/1.12.2
  • ExAws version mix deps |grep ex_aws: 2.2.2 (ex_aws_kms version 2.2.0)
  • HTTP client version. IE for hackney do mix deps | grep hackney: 1.17.4

Current behavior

encrypt() doesn't currently work as you'd expect it to. KMS encrypt requires the plaintext value to be base64 encoded. Currently the library doesn't do this so you end up with a bad value.

I have verified that the problem is in the encrypt by using the aws cli to decrypt the ciphertext.

Here's an example.

ExAws.KMS.encrypt("key-id", "foobar") |> ExAws.request

returns the Ciphertext value of "AQICAHhP4M1Q/HWR0J90p6ShL/0jKkUUrexGH4YlNL6o4thjYAG7Gjzq7UMO5L+BemSIJsVFAAAAYjBgBgkqhkiG9w0BBwagUzBRAgEAMEwGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMx+BQnTksyPLvqTxaAgEQgB8IpvmwFBSNa/wYY3lDxpjO1w7HbQ8vLOflmx2EI5d3"

and when you decrypt this using
ExAws.KMS.decrypt("AQICAHhP4M1Q/HWR0J90p6ShL/0jKkUUrexGH4YlNL6o4thjYAG7Gjzq7UMO5L+BemSIJsVFAAAAYjBgBgkqhkiG9w0BBwagUzBRAgEAMEwGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMx+BQnTksyPLvqTxaAgEQgB8IpvmwFBSNa/wYY3lDxpjO1w7HbQ8vLOflmx2EI5d3") |> ExAws.request!

You get back a plaintext value: foobag==

Expected behavior

When you encrypt "foobar", decrypt on the resulting ciphertext should return "foobar".

As I see it, possibly the most idiomatic way may be to switch the parameter order in encrypt to have the ciphertext first, then the key, then opts, so you can use it in a pipe: Base.encode64("value") |> ExAws.KMS.encrypt("key-id", opts) |> ExAws.request!

Of course, you could always do b64_value = Base.encode64("foobar") then ExAws.KMS.encrypt(b64_value, "key-id"), but that's not very idiomatic as it prevents you from piping a base64 value into encrypt.

I will submit a PR for your consideration that reverses the parameter order in encrypt().

Please let me know if I'm way off base with this and what a better way would be? I'm still learning Elixir.

Collaborator

artkay commented Dec 8, 2021

Hey @devblueray, you can pipe it using the Kernel.then/2 function like so:

"value"
|> Base.encode64()
|> then(fn encoded -> ExAws.KMS.encrypt("key_id", encoded) end)

@artkay artkay added the wontfix label Dec 21, 2021
@artkay artkay closed this as completed Dec 21, 2021
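
The round trip reported in this issue can be reproduced offline. The following is an added example, not code from the thread or from ExAws: it models what happens to the Plaintext field when the raw string is sent versus a Base.encode64'd one. The module name KmsWireSketch and its functions are hypothetical, encryption is modeled as identity (no AWS call), and it assumes the service decodes Plaintext as base64 while tolerating missing padding and stray trailing bits.

```elixir
# Added illustration. KmsWireSketch and its function names are hypothetical.
# No AWS call is made: encrypt/decrypt are modeled as identity so that only
# the base64 handling of the Plaintext field is visible.
defmodule KmsWireSketch do
  # Assumption: the service base64-decodes the Plaintext field and accepts
  # input without padding, which is how Base.decode64/2 behaves here.
  def service_sees(plaintext_field) do
    Base.decode64(plaintext_field, padding: false)
  end

  # The decrypt response returns the recovered bytes base64-encoded.
  def decrypt_response(bytes), do: Base.encode64(bytes)

  # Caller passes the raw secret as the Plaintext field (the reported case).
  def roundtrip_raw(secret) do
    case service_sees(secret) do
      {:ok, bytes} -> {:ok, decrypt_response(bytes)}
      # Characters outside the base64 alphabet fail loudly instead.
      :error -> {:error, :not_base64}
    end
  end

  # Caller encodes before encrypt and decodes the decrypt response.
  def roundtrip_encoded(secret) do
    {:ok, bytes} = secret |> Base.encode64() |> service_sees()
    bytes |> decrypt_response() |> Base.decode64!()
  end

  # Client-side check: true only when the value survives the round trip.
  def survives?(secret), do: roundtrip_encoded(secret) == secret
end

# Constructed sample inputs.
IO.inspect(KmsWireSketch.roundtrip_raw("foobar"), label: "raw foobar")
IO.inspect(KmsWireSketch.roundtrip_raw("foo bar!"), label: "raw with space")
IO.inspect(KmsWireSketch.roundtrip_encoded("foobar"), label: "encoded foobar")
IO.inspect(KmsWireSketch.survives?("foobar"), label: "survives?")
```

A secret made up only of base64-alphabet characters is altered silently rather than rejected, so the mismatch shows up only when the decrypted value is compared against the original. Encoding before encrypt and decoding the decrypt response keeps the bytes intact.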