"The master key provider SHOULD attempt to decrypt the data key by passing the request to any master keys that it has access to until it has either exhausted available master keys or obtained a plaintext data key."
Surfacing the ValueError as an IncorrectMasterKeyError lets this logic swallow the exception, and try to decrypt other data keys from the encrypted data key list.
This is extremely similar to this previous issue, except with raw RSA keys instead of KMSMasterKeys.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable:
[ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
Issue #, if available:
Description of changes:
Catch a
ValueErrorthrown by cryptography if the master key provider cannot decrypt the EDK, and surface it as aIncorrectMasterKeyError.From MKP Decrypt Data Key spec:
"The master key provider SHOULD attempt to decrypt the data key by passing the request to any master keys that it has access to until it has either exhausted available master keys or obtained a plaintext data key."
Surfacing the
ValueErroras anIncorrectMasterKeyErrorlets this logic swallow the exception, and try to decrypt other data keys from the encrypted data key list.This is extremely similar to this previous issue, except with raw RSA keys instead of KMSMasterKeys.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: