Hello ! I try to use local-kms with cognito-local, and I have an iss

I can reproduce the issue with a simple curl: <div class="snippet-clipboard-conten

Unable to decode Ciphertext: required version of backing key is invalid about local-kms HOT 2 CLOSED

beerfranz commented on July 29, 2024

Unable to decode Ciphertext: required version of backing key is invalid

from local-kms.

Comments (2)

beerfranz commented on July 29, 2024

I can reproduce the issue with a simple curl:

curl -X POST http://localhost:8080/ -H 'X-Amz-Target:TrentService.Decrypt' -d '{ "CiphertextBlob": "AgV48tKFNiOC7/dmZoXQiT9U3VLm2x4dALXTRYyc+YRL/cgAXwABABVhd3MtY3J5cHRvLXB1YmxpYy1rZXkAREFpQ2pXcGxWcXIxMmxWcTB2Y0tKWXBBMVBmMGZiR2Y1SEhFUzgwMlo2di9VSGk2NGFnSGQ5dnh1VktmZGN3cXhrZz09AAIAB2F3cy1rbXMAR2Fybjphd3M6a21zOnVzLXdlc3QtMjo5OTk5OTk5OTk6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZjAIhHYXJuOmF3czprbXM6dXMtd2VzdC0yOjk5OTk5OTk5OTprZXkvYmM0MzY0ODUtNTA5Mi00MmI4LTkyYTMtMGFhOGI5MzUzNmMAAAAAVUO1tqKgbLqMBsdHg05VgY8yk2gDJxxKcvbII6unarm4MNHISFjjCpY41K8ClwuTuRn93Z48Id0t+2ZmAAdhd3Mta21zAEdhcm46YXdzOmttczp1cy13ZXN0LTI6OTk5OTk5OTk5OmtleS9iYzQzNjQ4NS01MDkyLTQyYjgtOTJhMy0wYWE4YjkzNTM2YwCIR2Fybjphd3M6a21zOnVzLXdlc3QtMjo5OTk5OTk5OTk6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZjAAAAAOg9H9NuUsisTJYhBqSiDMsqKQA4fZOLr+MJMwapxhkAf/yT+zBxOUoY/SsluCCIptu59T51W+4/N8VRqAIAABAAX1hx7OYRDIFU4NV8Pi4PtrxQS/D7dPdoKpZWEsmCbJDu+vMTC7ZCVpIeSdCNn5kH/////wAAAAEAAAAAAAAAAAAAAAEAAAAGStSchSe9W3+sdXJ9V1CU1quJ86wgSABoMGYCMQD1q2QYTQ7DUzqxJXoNpvl+FYSKy4W5Aw2YANzNy7Lc9ZLfeVMz1Ltv6GCITSVSCiQCMQCUFJK2OXcV1WZfQUq7GB4SGSbt4seIhZlLxacguQkcQ4BcLOM08KAPJZkNZ/tiAy4=", "KeyId": "arn:aws:kms:us-west-2:999999999:key/bc436485-5092-42b8-92a3-0aa8b93536c" }' -H 'Content-type: application/json'

{"__type":"InvalidCiphertextException"}

local-kms log: Unable to decode Ciphertext: required version of backing key is invalid

If I follow the httpie example from the readme, only the CiphertextBlob is required in the decrypt request, and:

curl -X POST http://localhost:8080/ -H 'X-Amz-Target:TrentService.Decrypt' -d '{ "CiphertextBlob": "AgV48tKFNiOC7/dmZoXQiT9U3VLm2x4dALXTRYyc+YRL/cgAXwABABVhd3MtY3J5cHRvLXB1YmxpYy1rZXkAREFpQ2pXcGxWcXIxMmxWcTB2Y0tKWXBBMVBmMGZiR2Y1SEhFUzgwMlo2di9VSGk2NGFnSGQ5dnh1VktmZGN3cXhrZz09AAIAB2F3cy1rbXMAR2Fybjphd3M6a21zOnVzLXdlc3QtMjo5OTk5OTk5OTk6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZjAIhHYXJuOmF3czprbXM6dXMtd2VzdC0yOjk5OTk5OTk5OTprZXkvYmM0MzY0ODUtNTA5Mi00MmI4LTkyYTMtMGFhOGI5MzUzNmMAAAAAVUO1tqKgbLqMBsdHg05VgY8yk2gDJxxKcvbII6unarm4MNHISFjjCpY41K8ClwuTuRn93Z48Id0t+2ZmAAdhd3Mta21zAEdhcm46YXdzOmttczp1cy13ZXN0LTI6OTk5OTk5OTk5OmtleS9iYzQzNjQ4NS01MDkyLTQyYjgtOTJhMy0wYWE4YjkzNTM2YwCIR2Fybjphd3M6a21zOnVzLXdlc3QtMjo5OTk5OTk5OTk6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZjAAAAAOg9H9NuUsisTJYhBqSiDMsqKQA4fZOLr+MJMwapxhkAf/yT+zBxOUoY/SsluCCIptu59T51W+4/N8VRqAIAABAAX1hx7OYRDIFU4NV8Pi4PtrxQS/D7dPdoKpZWEsmCbJDu+vMTC7ZCVpIeSdCNn5kH/////wAAAAEAAAAAAAAAAAAAAAEAAAAGStSchSe9W3+sdXJ9V1CU1quJ86wgSABoMGYCMQD1q2QYTQ7DUzqxJXoNpvl+FYSKy4W5Aw2YANzNy7Lc9ZLfeVMz1Ltv6GCITSVSCiQCMQCUFJK2OXcV1WZfQUq7GB4SGSbt4seIhZlLxacguQkcQ4BcLOM08KAPJZkNZ/tiAy4=" }' -H 'Content-type: application/json'
{"Message":"The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.","__type":"AccessDeniedException"}

local-kms log: Key 'arn:aws:kms:us-west-2:999999999:key/x' does not exist

It means that the CiphertextBlob is not correct ?

from local-kms.

beerfranz commented on July 29, 2024

Ok, the issue was in my lambda code.

Just need to follow the code example here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html

A working code is:

const b64 = require('base64-js');
const encryptionSdk = require('@aws-crypto/client-node');

const { encrypt, decrypt } = encryptionSdk.buildClient(encryptionSdk.CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT);

const generatorKeyId = process.env.KEY_ALIAS;
const keyIds = [ process.env.KEY_ARN ];
const keyring = new encryptionSdk.KmsKeyringNode({ generatorKeyId, keyIds });

const { createTransport } = require('nodemailer');

module.exports.handler = async (event, context, callback) => {

  const from = 'local@local';
  const to = event.request.userAttributes.email;

  //Decrypt the secret code using encryption SDK.
  let plainTextCode;
  if(event.request.code){
    const { plaintext, messageHeader } = await decrypt(keyring, b64.toByteArray(event.request.code));
    plainTextCode = plaintext
  }

  //PlainTextCode now contains the decrypted secret.
  if(event.triggerSource == 'CustomEmailSender_SignUp'){
    //Send an email message to your user via a custom provider.
    //Include the temporary password in the message.
    const email = await emailSender(from, to, 'Code', plainTextCode);
  }
  else if(event.triggerSource == 'CustomEmailSender_ResendCode'){
  }
  else if(event.triggerSource == 'CustomEmailSender_ForgotPassword'){
  }
  else if(event.triggerSource == 'CustomEmailSender_UpdateUserAttribute'){
  }
  else if(event.triggerSource == 'CustomEmailSender_VerifyUserAttribute'){
  }
  else if(event.triggerSource == 'CustomEmailSender_AdminCreateUser'){
  }
  else if(event.triggerSource == 'CustomEmailSender_AccountTakeOverNotification'){
  }
  return;
};

Sorry for the disruption! ^^

from local-kms.

Unable to decode Ciphertext: required version of backing key is invalid about local-kms HOT 2 CLOSED

Comments (2)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent