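def _decrypt_data_key(self, encrypted_data_key, algorithm, encryption_context=None):
    """Decrypt an encrypted data key with AWS KMS and return the plaintext data key.

    :param encrypted_data_key: Encrypted data key to decrypt
    :type encrypted_data_key: aws_encryption_sdk.structures.EncryptedDataKey
    :param algorithm: Algorithm suite (not used for KMS)
    :type algorithm: aws_encryption_sdk.identifiers.Algorithm
    :param dict encryption_context: Encryption context to use in decryption
    :returns: Decrypted data key
    :rtype: aws_encryption_sdk.structures.DataKey
    :raises DecryptKeyError: if the KMS call fails, the response is missing the
        expected fields, or KMS reports that the ciphertext was decrypted with a
        key other than this master key's configured key ID
    """
    kms_params = {'CiphertextBlob': encrypted_data_key.encrypted_data_key}
    if encryption_context:
        kms_params['EncryptionContext'] = encryption_context
    if self.config.grant_tokens:
        kms_params['GrantTokens'] = self.config.grant_tokens

    # Normalize boto3 failures (and a response missing KeyId/Plaintext) to
    # DecryptKeyError so callers only have to handle one exception type.
    try:
        response = self.config.client.decrypt(**kms_params)
        returned_key_id = response['KeyId']
        plaintext = response['Plaintext']
    except (ClientError, KeyError):
        error_message = 'Master Key {key_id} unable to decrypt data key'.format(key_id=self._key_id)
        _LOGGER.exception(error_message)
        raise DecryptKeyError(error_message)

    # KMS selects the CMK from the ciphertext blob, not from this master key, so
    # without this check a ciphertext produced under *any* CMK the caller's
    # credentials can decrypt with would be accepted here. Refuse plaintext that
    # did not come from the key this master key is configured for. KMS returns
    # the key ARN in KeyId, so self._key_id is expected to be the key ARN too;
    # a master key configured with an alias or bare key ID will not match.
    if returned_key_id != self._key_id:
        error_message = 'AWS KMS returned unexpected key_id {returned} (expected {key_id})'.format(
            returned=returned_key_id, key_id=self._key_id
        )
        _LOGGER.error(error_message)
        raise DecryptKeyError(error_message)

    return DataKey(
        key_provider=self.key_provider,
        data_key=plaintext,
        encrypted_data_key=encrypted_data_key.encrypted_data_key,
    )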