
Invalid response from AWS KMS GeneratedDataKey: Invalid ciphertext (AWS Database Encryption SDK - DynamoDB)


When using AWS Database Encryption SDK I'm facing the error "Invalid response from AWS KMS GeneratedDataKey: Invalid ciphertext".

By debugging the AWS SDK v2 (Java), I found that the length of the CiphertextBlob returned by AWS API is 140, but AWS's SDK code expects it to be 184.

Below is the snippet of AWS's Java code I mentioned (it seems to be an automatically generated version of this Dafny source):

// All on line 84 of KMSKeystoreOperations_Compile.__default.java

_1185_valueOrError2 = Wrappers_Compile.__default
    .<software.amazon.cryptography.keystore.internaldafny.types.Error>Need(
        software.amazon.cryptography.keystore.internaldafny.types.Error._typeDescriptor(), 
        (
            (
                (   // _1181_generateResponse is software.amazon.cryptography.services.kms.internaldafny.types.GenerateDataKeyWithoutPlaintextResponse
                    (_1181_generateResponse).dtor_CiphertextBlob()
                ).is_Some()
            ) && (
                java.util.Objects.equals(
                    java.math.BigInteger.valueOf(
                        (
                            (
                                (_1181_generateResponse).dtor_CiphertextBlob()
                            ).dtor_value()
                        ).length()  // Result is 140
                    ), Structure_Compile.__default.KMS__GEN__KEY__NO__PLAINTEXT__LENGTH__32()   // Constant value is 184
                )   // Result is FALSE
            )
        ) && (
            software.amazon.cryptography.services.kms.internaldafny.types.__default.IsValid__CiphertextType(
                (
                    (_1181_generateResponse).dtor_CiphertextBlob()
                ).dtor_value()
            )
        ), 
        software.amazon.cryptography.keystore.internaldafny.types.Error.create_KeyStoreException(
            dafny.DafnySequence.asString("Invalid response from AWS KMS GeneratedDataKey: Invalid ciphertext")
        )
    );

The response from the AWS API is HTTP status 200, with no error from their service; it seems the error resides in local code, when comparing the result from the service with the expected key length.

I'm using a HierarchicalKeyring with Localstack (local-kms) as follows:

// Imports assumed from the keystore package of aws-cryptographic-material-providers
import software.amazon.cryptography.keystore.KeyStore;
import software.amazon.cryptography.keystore.model.CreateKeyInput;
import software.amazon.cryptography.keystore.model.CreateKeyStoreInput;
import software.amazon.cryptography.keystore.model.KMSConfiguration;
import software.amazon.cryptography.keystore.model.KeyStoreConfig;

// Keystore backed by the DynamoDB table and the KMS key ARN; both clients point at Localstack
KeyStore globalKeyStore = KeyStore.builder()
        .KeyStoreConfig(
                KeyStoreConfig.builder()
                        .ddbClient(myDdbClient)
                        .ddbTableName("my-table")
                        .logicalKeyStoreName("my-table")
                        .kmsClient(myKmsClient)
                        .kmsConfiguration(
                                KMSConfiguration.builder()
                                        .kmsKeyArn("arn:aws:kms:sa-east-1:000000000000:key/00000000-0000-0000-0000-000000000001")
                                        .build())
                        .build())
        .build();
// Creates the DynamoDB table used by the keystore
globalKeyStore.CreateKeyStore(CreateKeyStoreInput.builder().build());

// CreateKey calls GenerateDataKeyWithoutPlaintext on KMS; this is where the error is raised
String branchKey = globalKeyStore.CreateKey(CreateKeyInput.builder()
        .branchKeyIdentifier()   // branch key identifier argument not shown in the post
        .build()).branchKeyIdentifier();

Libraries are:

implementation platform("software.amazon.awssdk:bom:2.19.1")
implementation "software.amazon.awssdk:dynamodb-enhanced"
implementation "software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:3.0.0"
implementation "software.amazon.cryptography:aws-cryptographic-material-providers:1.0.0"
implementation "software.amazon.awssdk:kms"

Any hints?

Tried debugging the AWS library's code, changing Localstack to use local-kms instead of moto and generating a KeyId by seeding it locally and also generating a new Key by using KmsClient with no success. Same error.
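The length check that fails above is buried in generated Dafny code, so the mismatch only surfaces as a generic "Invalid ciphertext" exception. The following preflight, an added example that is not part of the original post or of the AWS library, calls GenerateDataKeyWithoutPlaintext directly against the configured KMS endpoint and compares the returned blob length with the 184 bytes the keystore expects for a 32-byte key (the constant quoted from the post). It assumes an existing AWS SDK v2 `KmsClient` (the post's `myKmsClient`) and the key ARN from the post; the class and method names are the example's own. Against the Localstack setup described above it would report the 140-versus-184 mismatch with a readable message before the keystore is even constructed.

```java
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DataKeySpec;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextResponse;

// Added example (hypothetical class, not from the post or the AWS library):
// check that the KMS endpoint in use produces ciphertext blobs of the length
// the keystore's length check requires before wiring it into a KeyStore.
public final class KmsCiphertextLengthPreflight {

    // Value of Structure_Compile.KMS__GEN__KEY__NO__PLAINTEXT__LENGTH__32 as quoted in the post
    static final int EXPECTED_CIPHERTEXT_LENGTH_FOR_32_BYTE_KEY = 184;

    private KmsCiphertextLengthPreflight() {}

    /**
     * Asks the endpoint for a wrapped 32-byte data key (the same call CreateKey makes)
     * and returns the length of the CiphertextBlob it sends back, or -1 if the blob is absent.
     */
    public static int observedCiphertextLength(KmsClient kms, String keyArn) {
        GenerateDataKeyWithoutPlaintextRequest request = GenerateDataKeyWithoutPlaintextRequest.builder()
                .keyId(keyArn)
                .keySpec(DataKeySpec.AES_256)   // 32-byte key, the size the keystore constant refers to
                .build();
        GenerateDataKeyWithoutPlaintextResponse response = kms.generateDataKeyWithoutPlaintext(request);
        SdkBytes blob = response.ciphertextBlob();
        return blob == null ? -1 : blob.asByteArray().length;
    }

    /**
     * Fails fast with a message that names the actual and expected lengths, instead of
     * letting the generated keystore code raise "Invalid ciphertext" later.
     */
    public static void assertKeystoreCompatible(KmsClient kms, String keyArn) {
        int observed = observedCiphertextLength(kms, keyArn);
        if (observed != EXPECTED_CIPHERTEXT_LENGTH_FOR_32_BYTE_KEY) {
            throw new IllegalStateException(String.format(
                    "KMS endpoint returned a %d-byte CiphertextBlob for a 32-byte data key, "
                  + "but the keystore expects %d bytes. The endpoint's envelope format does not "
                  + "match what this library version checks for (key: %s).",
                    observed, EXPECTED_CIPHERTEXT_LENGTH_FOR_32_BYTE_KEY, keyArn));
        }
    }

    // Usage with the client and ARN from the post, before building the KeyStore:
    //   KmsCiphertextLengthPreflight.assertKeystoreCompatible(
    //       myKmsClient,
    //       "arn:aws:kms:sa-east-1:000000000000:key/00000000-0000-0000-0000-000000000001");
}
```

Running the preflight once at startup (or in an integration test) turns an opaque failure deep inside the generated `KMSKeystoreOperations_Compile` code into a single line that tells you whether the problem is the endpoint, the key, or the library version.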


Solution

  • It was a bug in AWS's lib, fixed in version software.amazon.cryptography:aws-cryptographic-material-providers:1.0.1.

    See: https://github.com/aws/aws-cryptographic-material-providers-library-java/commit/479faf78a54ab9865a8ec0e056ca8f9bb93a7d77