Closed wnmendonca closed 1 year ago
We are having the same issue, could you give an update please?
I am having the same issue. Any updates on this would be really appreciated!
To anyone else encountering this issue... have you determined a suitable workaround or alternative? Would love to hear how you're handling this. My org has the requirement (not so much an option) that we encrypt the emails SES receives, so decryption is necessary one way or another.
Hi Justin, I stopped using encryption using SES and used only encryption on the S3 bucket. https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html But you can try using another framework like Node.js. https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-client-side-decrypt-item-with-kms-master-key.html
Hi there,
Thank you for creating this issue. Can you post the same code that you wrote which is failing? That way I can make sure that I am addressing the problem you are facing. Also, are you using AmazonS3EncryptionClientV2 or AmazonS3EncryptionClient?
Thank you.
I have submitted a PR for the bug/issue I was experiencing. My issue was exactly as wnmendonca described. When debugging, I found where the cekAlgorithm prop wasn't being populated properly -- it was exposed on instructions.cekAlgorithm and not instructions.MaterialsDescription[EncryptionUtils.XAmzEncryptionContextCekAlg], which was evaluating to null every time and causing the condition to not pass.
Thank you @wnmendonca, and everyone who was involved in this thread. We have finally released a fix for this bug as part of this PR. The fix has also been released in version 2.0.5 of NuGet package Amazon.Extensions.S3.Encryption on 02/13/2023.
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Please note that you should set your AmazonS3EncryptionClient configuration to "SecurityProfile.V2AndLegacy" for it to work.
Description
I am using an SES rule set to save encrypted messages in an S3 bucket. The messages are encrypted using a KMS key. When I try to get these objects using the Amazon S3 Encryption Client for .NET, I get an error: The content encryption algorithm used at encryption time does not match the algorithm stored for decryption time. The object may be altered or corrupted. I noticed that the SDK validates the material description metadata, and this JSON doesn't have the encryption context property (aws:x-amz-cek-alg).
It is not possible to set this property in the request encryption context; I get an error: Conflict in reserved KMS Encryption Context key aws:x-amz-cek-alg. This value is reserved for the S3 Encryption Client and cannot be set by the use
Reproduction Steps
Try to get an encrypted object saved in S3 by an SES rule set.
Logs
Environment
Resolution
This is a :bug: bug-report