aws / amazon-s3-encryption-client-dotnet

An encryption client that allows you to secure your sensitive data before you send it to Amazon S3.
https://aws.github.io/amazon-s3-encryption-client-dotnet/
Apache License 2.0

Critical: Cannot upload using a public key #14

Closed qidydl closed 3 years ago

qidydl commented 3 years ago

Description

When trying to upload a file (PutObjectAsync) using only a public key, the V2 client attempts to decrypt the response (even though it doesn't contain encrypted file data, it's just the PutObjectResponse) and fails because the public key does not contain private RSA parameters. The V1 client does not have this issue.

Reproduction Steps

Create the EncryptionMaterialsV2 using a certificate/key that only contains public parameters. For example, open an X.509 certificate and pass <cert>.PublicKey.Key as the "algorithm".

Logs

Message: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException : The requested operation is not supported
Stack Trace:
CngKey.Export(CngKeyBlobFormat format)
RSACng.ExportKeyBlob(Boolean includePrivateParameters)
RSACng.ExportParameters(Boolean includePrivateParameters)
RsaUtils.CreateRsaOaepSha1Cipher(Boolean forEncryption, RSA rsa)
EncryptionUtils.DecryptEnvelopeKeyUsingAsymmetricKeyPairV2(AsymmetricAlgorithm asymmetricAlgorithm, Byte[] encryptedEnvelopeKey)
EncryptionUtils.BuildInstructionsFromObjectMetadata(GetObjectResponse response, EncryptionMaterialsBase materials, Byte[] decryptedEnvelopeKeyKMS)
SetupDecryptionHandler.DecryptObjectUsingMetadata(GetObjectResponse getObjectResponse, Byte[] decryptedEnvelopeKeyKMS)
SetupDecryptionHandler.DecryptObjectAsync(Byte[] decryptedEnvelopeKeyKMS, GetObjectResponse getObjectResponse)
SetupDecryptionHandler.PostInvokeAsync(IExecutionContext executionContext)
SetupDecryptionHandler.InvokeAsync[T](IExecutionContext executionContext)
ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
ErrorHandler.InvokeAsync[T](IExecutionContext executionContext) line 107
CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext) line 79
CredentialsRetriever.InvokeAsync[T](IExecutionContext executionContext) line 98
RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
RetryHandler.InvokeAsync[T](IExecutionContext executionContext) line 146
CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
SetupEncryptionHandler.InvokeAsync[T](IExecutionContext executionContext)
CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
AmazonS3ExceptionHandler.InvokeAsync[T](IExecutionContext executionContext)
ErrorCallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
MetricsHandler.InvokeAsync[T](IExecutionContext executionContext)
AwsClientCryptoTests.TestClientSideEncryption() line 73

Environment

Resolution

It looks like there's a processing pipeline inside the AWS SDK clients configured by CustomizeRuntimePipeline. If the encryption and decryption handlers are always present, they could check if they're processing a request or response that actually requires encryption/decryption.

I am not legally able to contribute a fix.


This is a :bug: bug-report

ashishdhingra commented 3 years ago

Hi @qidydl,

Good afternoon.

As per the Readme for Amazon S3 Encryption Client for .NET, the AmazonS3EncryptionClientV2 client automatically encrypts data on the client when uploading to Amazon S3, and automatically decrypts it when data is retrieved. Could you please elaborate on "Create the EncryptionMaterialsV2 using a certificate/key that only contains public parameters"? Also share the sample code and other information in the following format.

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Context

Your Environment

.NET Core Info

Thanks, Ashish

qidydl commented 3 years ago

@ashishdhingra, my apologies, Visual Studio was directing me to the wrong line of code. The issue is something entirely different from what I thought it was.

It looks like the V2 client requires a private key that is plain-text exportable, which was previously not required. This has turned out to be extraordinarily difficult, and may force us to find or implement a replacement for this library.
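The original report and the clarification above describe the same failure mode from two angles: the V2 client's RSA-OAEP-SHA1 cipher (RsaUtils.CreateRsaOaepSha1Cipher in the stack trace) calls RSA.ExportParameters with includePrivateParameters set to true, so a key object that holds only public parameters, or a Windows CNG key whose export policy forbids plain-text export, throws a CryptographicException deep inside the response pipeline. The following is an added example, not code from the issue thread or from the library: a pre-flight check that validates the key material before it is handed to EncryptionMaterialsV2, so a misconfigured key fails at startup with a clear message. The names KeyMaterialCheck, CanExportPrivateParameters and RequireDecryptableKey are this example's own; the V2 client wiring in the trailing comment (EncryptionMaterialsV2, AsymmetricAlgorithmType.RsaOaepSha1, AmazonS3CryptoConfigurationV2, SecurityProfile.V2, AmazonS3EncryptionClientV2) is assumed from the library's README and is not verified here.

```csharp
// Added example (not part of the issue thread or of the library).
// Checks up front whether an RSA key can supply the private parameters the
// V2 client needs, instead of letting ExportParameters(true) fail inside
// the S3 response pipeline.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class KeyMaterialCheck
{
    // True only if the key carries private parameters that can be exported
    // in plain text. A public-only key, or a CNG/CAPI key that is not marked
    // plain-text exportable, either throws or yields empty private fields.
    public static bool CanExportPrivateParameters(RSA rsa)
    {
        try
        {
            RSAParameters p = rsa.ExportParameters(includePrivateParameters: true);
            return p.D != null && p.D.Length > 0;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    // Takes the key from a certificate via GetRSAPrivateKey() rather than
    // cert.PublicKey.Key (which can only ever hold public parameters) and
    // refuses keys the V2 client would not be able to use.
    public static RSA RequireDecryptableKey(X509Certificate2 cert)
    {
        RSA rsa = cert.GetRSAPrivateKey();
        if (rsa == null)
        {
            throw new InvalidOperationException(
                "Certificate has no RSA private key; cert.PublicKey.Key is not sufficient for the V2 client.");
        }
        if (!CanExportPrivateParameters(rsa))
        {
            throw new InvalidOperationException(
                "RSA private key is not plain-text exportable; the V2 client cannot build its RSA-OAEP-SHA1 cipher from it.");
        }
        return rsa;
    }

    public static void Main()
    {
        // Constructed sample input: a fresh key pair and a public-only copy of it.
        using RSA full = RSA.Create(2048);
        using RSA publicOnly = RSA.Create();
        publicOnly.ImportParameters(full.ExportParameters(includePrivateParameters: false));

        Console.WriteLine($"full key pair exportable:   {CanExportPrivateParameters(full)}");
        Console.WriteLine($"public-only key exportable: {CanExportPrivateParameters(publicOnly)}");

        // Assumed V2 client wiring (taken from the library's README, not verified here);
        // the gate above runs before the client is ever constructed:
        // var materials = new EncryptionMaterialsV2(RequireDecryptableKey(cert), AsymmetricAlgorithmType.RsaOaepSha1);
        // var config = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2);
        // var client = new AmazonS3EncryptionClientV2(config, materials);
    }
}
```

Running Main prints true for the full key pair and false for the public-only copy, which is exactly the distinction the V2 client makes when it builds its cipher. The check is deliberately performed once at startup rather than per request: a key that cannot be exported will fail on every GetObject, so there is nothing to gain from discovering it later, and the error message points at the key material rather than at the SDK's pipeline handlers.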

ashishdhingra commented 3 years ago

> @ashishdhingra, my apologies, Visual Studio was directing me to the wrong line of code. The issue is something entirely different from what I thought it was.
>
> It looks like the V2 client requires a private key that is plain-text exportable, which was previously not required. This has turned out to be extraordinarily difficult, and may force us to find or implement a replacement for this library.

@qidydl Thanks for your input. Please confirm if we could close this issue.

ganeshnj commented 3 years ago

@qidydl can you provide sample code that uses V1 client to perform PUT and GET operations?

It seems like you are trying to use the RSA-OAEP-SHA1 asymmetric algorithm; you can check the client instantiation example here.

github-actions[bot] commented 3 years ago

This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.