Comments (2)
I can reproduce the issue with a simple curl:
curl -X POST http://localhost:8080/ -H 'X-Amz-Target:TrentService.Decrypt' -d '{ "CiphertextBlob": "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", "KeyId": "arn:aws:kms:us-west-2:999999999:key/bc436485-5092-42b8-92a3-0aa8b93536c" }' -H 'Content-type: application/json'
{"__type":"InvalidCiphertextException"}
local-kms log: Unable to decode Ciphertext: required version of backing key is invalid
If I follow the httpie example from the readme, only the CiphertextBlob is required in the decrypt request, and:
curl -X POST http://localhost:8080/ -H 'X-Amz-Target:TrentService.Decrypt' -d '{ "CiphertextBlob": "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" }' -H 'Content-type: application/json'
{"Message":"The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.","__type":"AccessDeniedException"}
local-kms log: Key 'arn:aws:kms:us-west-2:999999999:key/x' does not exist
Does that mean the CiphertextBlob is not correct?
from local-kms.
Ok, the issue was in my lambda code.
Just need to follow the code example here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
Working code is:

const b64 = require('base64-js');
const encryptionSdk = require('@aws-crypto/client-node');
const { createTransport } = require('nodemailer');

// Cognito encrypts the code with the AWS Encryption SDK, so it has to be decrypted
// with that SDK and a KMS keyring rather than passed straight to KMS Decrypt.
const { decrypt } = encryptionSdk.buildClient(
  encryptionSdk.CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT
);
const generatorKeyId = process.env.KEY_ALIAS;
const keyIds = [process.env.KEY_ARN];
const keyring = new encryptionSdk.KmsKeyringNode({ generatorKeyId, keyIds });

// emailSender was not included in the original comment; this assumed version
// sends through an SMTP transport configured from the environment.
async function emailSender(from, to, subject, text) {
  const transport = createTransport({
    host: process.env.SMTP_HOST,
    port: Number(process.env.SMTP_PORT || 25),
  });
  return transport.sendMail({ from, to, subject, text });
}

module.exports.handler = async (event) => {
  const from = 'local@local';
  const to = event.request.userAttributes.email;

  // Decrypt the secret code using the Encryption SDK.
  let plainTextCode;
  if (event.request.code) {
    const { plaintext } = await decrypt(keyring, b64.toByteArray(event.request.code));
    plainTextCode = plaintext.toString('utf8'); // decrypt() returns a Buffer
  }
  // plainTextCode now contains the decrypted secret.
  if (event.triggerSource === 'CustomEmailSender_SignUp') {
    // Send an email message to your user via a custom provider.
    // Include the temporary password in the message.
    await emailSender(from, to, 'Code', plainTextCode);
  }
  // The remaining trigger sources are left as no-ops in this example.
  else if (event.triggerSource === 'CustomEmailSender_ResendCode') {
  }
  else if (event.triggerSource === 'CustomEmailSender_ForgotPassword') {
  }
  else if (event.triggerSource === 'CustomEmailSender_UpdateUserAttribute') {
  }
  else if (event.triggerSource === 'CustomEmailSender_VerifyUserAttribute') {
  }
  else if (event.triggerSource === 'CustomEmailSender_AdminCreateUser') {
  }
  else if (event.triggerSource === 'CustomEmailSender_AccountTakeOverNotification') {
  }
  return;
};
Sorry for the disruption! ^^
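Added example, not code from the issue or from the local-kms project: a small Node parser for the AWS Encryption SDK message header, which is the format Cognito's custom email sender uses for event.request.code. Listing the encrypted data keys shows that the blob carries a KMS-wrapped data key referencing a CMK ARN, i.e. it is an Encryption SDK message that must go through a KMS keyring, not a KMS CiphertextBlob, which is why local-kms rejected it in the curl calls above. The sample header is constructed here; the key ARN is the one quoted in the first comment, and the message ID and wrapped key bytes are dummies.

```javascript
// Parse an AWS Encryption SDK message header (format v1 or v2) up to the list of
// encrypted data keys (EDKs). Assumption: `bytes` is a Uint8Array holding the
// base64-decoded event.request.code. Fields after the EDK list are not parsed.
function parseEsdkHeader(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let pos = 0;
  const u8 = () => bytes[pos++];
  const u16 = () => { const v = view.getUint16(pos); pos += 2; return v; };
  const str = (n) => { const s = Buffer.from(bytes.subarray(pos, pos + n)).toString('utf8'); pos += n; return s; };

  const version = u8();
  if (version === 1) {
    if (u8() !== 0x80) throw new Error('unknown v1 message type');
  } else if (version !== 2) {
    throw new Error(`not an Encryption SDK message (first byte 0x${version.toString(16)})`);
  }
  const algorithmId = u16();
  pos += version === 1 ? 16 : 32;               // message ID (16 bytes in v1, 32 in v2)
  const aad = {};                                // encryption context, if any
  if (u16() > 0) {                               // AAD length covers count + pairs
    const pairs = u16();
    for (let i = 0; i < pairs; i++) { const k = str(u16()); aad[k] = str(u16()); }
  }
  const edks = [];
  const edkCount = u16();
  for (let i = 0; i < edkCount; i++) {
    const providerId = str(u16());               // "aws-kms" for the KMS keyring
    const providerInfo = str(u16());             // the CMK ARN the data key is wrapped under
    pos += u16();                                // skip the wrapped data key bytes
    edks.push({ providerId, providerInfo });
  }
  return { version, algorithmId, aad, edks };
}

// Constructed sample (not a real Cognito message): a v2 header with one KMS EDK.
function buildSampleHeader(keyArn) {
  const be16 = (n) => [n >> 8, n & 0xff];
  const field = (s) => { const b = [...Buffer.from(s, 'utf8')]; return [...be16(b.length), ...b]; };
  return Uint8Array.from([
    0x02, 0x05, 0x78,                            // version 2, algorithm suite ID 0x0578
    ...new Array(32).fill(0xaa),                 // dummy message ID
    ...be16(17), ...be16(1), ...field('purpose'), ...field('test'), // AAD: one pair
    ...be16(1),                                  // one encrypted data key
    ...field('aws-kms'), ...field(keyArn), ...be16(8), ...new Array(8).fill(0x00),
  ]);
}

const SAMPLE_KEY_ARN = 'arn:aws:kms:us-west-2:999999999:key/bc436485-5092-42b8-92a3-0aa8b93536c';
```

Feeding a base64-decoded KMS CiphertextBlob to the parser instead throws, because its first byte is not an Encryption SDK version byte.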