How to decrypt string from AWS Connect in Python

Question

I'm working on a contact flow in Amazon Connect that encrypts the customer's dialed information, actually I'm not able to decrypt the result string on a Python based Lambda

I already follow some available documentation on the AWS Developer Forum, also tried to change the certificates on my lambda and on Connect

import base64
import boto3
import aws_encryption_sdk
from aws_encryption_sdk.internal.crypto import WrappingKey
from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider
from aws_encryption_sdk.identifiers import WrappingAlgorithm, EncryptionKeyType
import logging

class StaticMasterKeyProvider(RawMasterKeyProvider):
    provider_id = 'AmazonConnect'

    def __init__(self, **kwargs):
        self._static_keys = {}

    def _get_raw_key(self, key_id):
        try:
           static_key = self._static_keys[key_id]
        except KeyError:
            # X.509 private key file
            static_key = open('blog.connect.private.key', 'rb').read()
            self._static_keys[key_id] = static_key
        return WrappingKey(
            wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
            wrapping_key=static_key,
            wrapping_key_type=EncryptionKeyType.PRIVATE
        )

def decrypt_string(encrypted_text):
    encrypted_text = base64.b64decode(encrypted_text)

    # key id specified in amazon connect
    static_key_id = 'KEY Provided By AWS Connect after upload the Public Key'
    static_master_key_provider = StaticMasterKeyProvider()
    static_master_key_provider.add_master_key(static_key_id)

    plaintext, decrypted_header = aws_encryption_sdk.decrypt(
        source=encrypted_text,
        key_provider=static_master_key_provider
    )

log = logging.getLogger('test')
logging.basicConfig(level=logging.DEBUG)
log.setLevel(logging.DEBUG)
log.root.setLevel(logging.DEBUG)
encrypted_text = 'Encrypted Text'
print(decrypt_string(encrypted_text))

When I try to execute this code i get the next error: ValueError: Decryption failed instead the unencrypted value

Could someone help me with this? I Already spend about 5 Hours checking the Python SDK documentation and I'm not able to decrypt the information correctly.

Answer 1

From the github answer AWS team answer the question with the next snippet:

from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider, WrappingKey
from aws_encryption_sdk.identifiers import EncryptionKeyType, WrappingAlgorithm

class AmazonConnectRawMasterKeyProvider(RawMasterKeyProvider):
    provider_id = "AmazonConnect"

    def _get_raw_key(self, key_id):
        # NOTE: key_id will be your contact flow ID
        static_key = load_my_key_from_wherever()
        return WrappingKey(
            wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA512_MGF1,
            wrapping_key=static_key,
            wrapping_key_type=EncryptionKeyType.PRIVATE,
        )

They are using a RSA_OAEP_SHA512_MGF1 as wrapping algorithm, so I need to declare it when returning the raw key (Using a private key).