aws / aws-encryption-sdk-python

AWS Encryption SDK
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
Apache License 2.0

Encrypt throws incorrect error when a CMK within KMSMasterKeyProvider is disabled #142

Open paavan98pm opened 5 years ago

paavan98pm commented 5 years ago

If a CMK is disabled/deleted within KMSMasterKeyProvider CMKs, the encrypt call throws a couple of errors (below).

botocore.errorfactory.DisabledException: An error occurred (DisabledException) when calling the Encrypt operation: arn:aws:kms:eu-west-2:xxxxxxx

aws_encryption_sdk.exceptions.EncryptKeyError: Master Key arn:aws:kms:eu-west-2

```python
import aws_encryption_sdk

kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
    'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
    'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
])
my_plaintext = b'This is some super secret data!  Yup, sure is!'

my_ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
    source=my_plaintext,
    key_provider=kms_key_provider,
    encryption_context={
        'not really': 'a secret',
        'but adds': 'some authentication'
    }
)

decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt(
    source=my_ciphertext,
    key_provider=kms_key_provider
)

assert my_plaintext == decrypted_plaintext
assert encryptor_header.encryption_context == decryptor_header.encryption_context
```

mattsb42-aws commented 5 years ago

The general pattern here is correct. The behavior of KMSMasterKeyProvider on encrypt is that all master keys must succeed or the entire process will fail.

That said, this should be being swallowed in either a GenerateKeyError or EncryptKeyError to simply say that the master key failed the requested operation.
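Because encrypt fails as a whole when any one master key fails, checking each CMK's state before building the provider turns a mid-encrypt exception into an explicit list of unusable keys. This is an added example, not part of the original issue or the SDK's own code; `region_of`, `unusable_cmks`, `client_for_region` and the `StubKms` stand-in are hypothetical names, and the key states are constructed sample data.

```python
def region_of(key_arn):
    # arn:aws:kms:<region>:<account>:key/<id>  ->  <region>
    parts = key_arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError("not a KMS key ARN: %r" % key_arn)
    return parts[3]


def unusable_cmks(key_arns, client_for_region):
    """Return {arn: reason} for every CMK that is not in the Enabled state.

    client_for_region is an assumed factory returning a KMS client for a
    region; KMS clients are regional, so one client is cached per region.
    """
    clients, problems = {}, {}
    for arn in key_arns:
        region = region_of(arn)
        if region not in clients:
            clients[region] = client_for_region(region)
        try:
            meta = clients[region].describe_key(KeyId=arn)["KeyMetadata"]
        except Exception as exc:  # e.g. key not found or access denied
            problems[arn] = "describe_key failed: " + type(exc).__name__
            continue
        if meta["KeyState"] != "Enabled":  # Disabled, PendingDeletion, ...
            problems[arn] = meta["KeyState"]
    return problems


class StubKms:
    """Constructed stand-in for a KMS client so the example runs offline."""

    def __init__(self, states):
        self._states = states

    def describe_key(self, KeyId):
        if KeyId not in self._states:
            raise KeyError(KeyId)  # stands in for a KMS "not found" error
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": self._states[KeyId]}}


# The two placeholder ARNs from the snippet in the issue.
KEYS = [
    "arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222",
    "arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333",
]

if __name__ == "__main__":
    stub = StubKms({KEYS[0]: "Enabled", KEYS[1]: "Disabled"})  # constructed states
    for arn, reason in unusable_cmks(KEYS, lambda region: stub).items():
        print(arn, "->", reason)
```

With boto3, pass `lambda region: boto3.client("kms", region_name=region)` as `client_for_region`; the caller needs `kms:DescribeKey` on each key.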