When using AWS Database Encryption SDK I'm facing the error "Invalid response from AWS KMS GeneratedDataKey: Invalid ciphertext".
By debugging the AWS SDK v2 (Java), I found that the length of the CiphertextBlob returned by AWS API is 140, but AWS's SDK code expects it to be 184.
Below is the snippet of AWS's Java code I mentioned (it seems to be an automatically generated version of this Dafny source):
// All on line 84 of KMSKeystoreOperations_Compile.__default.java
_1185_valueOrError2 = Wrappers_Compile.__default
    .<software.amazon.cryptography.keystore.internaldafny.types.Error>Need(
        software.amazon.cryptography.keystore.internaldafny.types.Error._typeDescriptor(),
        (
            (
                ( // _1181_generateResponse is software.amazon.cryptography.services.kms.internaldafny.types.GenerateDataKeyWithoutPlaintextResponse
                    (_1181_generateResponse).dtor_CiphertextBlob()
                ).is_Some()
            ) && (
                java.util.Objects.equals(
                    java.math.BigInteger.valueOf(
                        (
                            (
                                (_1181_generateResponse).dtor_CiphertextBlob()
                            ).dtor_value()
                        ).length() // Result is 140
                    ), Structure_Compile.__default.KMS__GEN__KEY__NO__PLAINTEXT__LENGTH__32() // Constant value is 184
                ) // Result is FALSE
            )
        ) && (
            software.amazon.cryptography.services.kms.internaldafny.types.__default.IsValid__CiphertextType(
                (
                    (_1181_generateResponse).dtor_CiphertextBlob()
                ).dtor_value()
            )
        ),
        software.amazon.cryptography.keystore.internaldafny.types.Error.create_KeyStoreException(
            dafny.DafnySequence.asString("Invalid response from AWS KMS GeneratedDataKey: Invalid ciphertext")
        )
    );
The response from the AWS API is HTTP status 200, with no error from their service; it seems the error resides in local code, when comparing the result from the service with the expected key length.
I'm using a HierarchicalKeyring with Localstack (local-kms) as follows:
KeyStore globalKeyStore = KeyStore.builder()
    .KeyStoreConfig(
        KeyStoreConfig.builder()
            .ddbClient(myDdbClient)
            .ddbTableName("my-table")
            .logicalKeyStoreName("my-table")
            .kmsClient(myKmsClient)
            .kmsConfiguration(
                KMSConfiguration.builder()
                    .kmsKeyArn("arn:aws:kms:sa-east-1:000000000000:key/00000000-0000-0000-0000-000000000001")
                    .build())
            .build())
    .build();
globalKeyStore.CreateKeyStore(CreateKeyStoreInput.builder().build());
String branchKey = globalKeyStore.CreateKey(CreateKeyInput.builder()
    .branchKeyIdentifier()
    .build()).branchKeyIdentifier();
Libraries are:
implementation platform("software.amazon.awssdk:bom:2.19.1")
implementation "software.amazon.awssdk:dynamodb-enhanced"
implementation "software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:3.0.0"
implementation "software.amazon.cryptography:aws-cryptographic-material-providers:1.0.0"
implementation "software.amazon.awssdk:kms"
Any hints?
Tried debugging the AWS library's code, changing Localstack to use local-kms instead of moto, generating a KeyId by seeding it locally, and also generating a new Key using KmsClient, with no success. Same error.
It was a bug in AWS's lib, fixed in version software.amazon.cryptography:aws-cryptographic-material-providers:1.0.1.
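For readers hitting the same message, the check the question's generated Java performs is a response-integrity validation, not a transport error: the key store only accepts a GenerateDataKeyWithoutPlaintext result whose CiphertextBlob is present, is within the KMS CiphertextType bounds, and is exactly the 184 bytes real KMS returns for a wrapped 32-byte key. The following is an added illustration of that predicate written here in Python (not the library's or AWS's code); the 1..6144 CiphertextType bounds, the helper names and the sample responses are assumptions, and the 140-byte blob is constructed to match what the question reports from LocalStack's local-kms.

```python
from typing import Optional

# Constant taken from the Dafny/Java source quoted in the question: a 32-byte
# (AES-256) data key wrapped by real AWS KMS comes back as a 184-byte CiphertextBlob.
KMS_GEN_KEY_NO_PLAINTEXT_LENGTH_32 = 184
# Assumed KMS CiphertextType length constraint (min 1, max 6144 bytes).
MIN_CIPHERTEXT_LEN, MAX_CIPHERTEXT_LEN = 1, 6144

ERROR_MESSAGE = "Invalid response from AWS KMS GeneratedDataKey: Invalid ciphertext"


class KeyStoreException(Exception):
    """Stand-in for the library's KeyStoreException (assumed name)."""


def is_valid_ciphertext_type(blob: bytes) -> bool:
    return MIN_CIPHERTEXT_LEN <= len(blob) <= MAX_CIPHERTEXT_LEN


def check_generate_response(response: dict) -> bytes:
    """Apply the three predicates the generated Java combines with && and
    return the blob, or raise the same error the question shows."""
    blob: Optional[bytes] = response.get("CiphertextBlob")
    ok = (
        blob is not None                                   # is_Some()
        and len(blob) == KMS_GEN_KEY_NO_PLAINTEXT_LENGTH_32  # length == 184
        and is_valid_ciphertext_type(blob)                 # IsValid_CiphertextType
    )
    if not ok:
        raise KeyStoreException(ERROR_MESSAGE)
    return blob


def explain(response: dict) -> str:
    """Diagnostic helper: say which predicate failed, since the library's single
    message does not distinguish 'missing', 'out of bounds' and 'wrong length'."""
    blob = response.get("CiphertextBlob")
    if blob is None:
        return "missing CiphertextBlob"
    if not is_valid_ciphertext_type(blob):
        return f"length {len(blob)} outside KMS CiphertextType bounds"
    if len(blob) != KMS_GEN_KEY_NO_PLAINTEXT_LENGTH_32:
        return f"length {len(blob)} != expected {KMS_GEN_KEY_NO_PLAINTEXT_LENGTH_32} for a wrapped 32-byte key"
    return "ok"


# Constructed HTTP-200 responses: 184 bytes as real KMS returns, 140 bytes as the
# question's LocalStack local-kms returned. The key ARN is the one from the question.
KEY_ARN = "arn:aws:kms:sa-east-1:000000000000:key/00000000-0000-0000-0000-000000000001"
REAL_KMS_RESPONSE = {"KeyId": KEY_ARN, "CiphertextBlob": b"\x01" * 184}
LOCAL_KMS_RESPONSE = {"KeyId": KEY_ARN, "CiphertextBlob": b"\x01" * 140}
```

Running `explain(LOCAL_KMS_RESPONSE)` pinpoints the length mismatch that the library's generic message hides, which is the first thing to check when a KMS emulator or mock is behind a hierarchical keyring.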