Tags: python, java, amazon-web-services, encryption

Cannot use AWS KMS key with AWS Encryption CLI but works with AWS Encryption SDK for Java


We have implemented encryption/decryption on individual database fields using the AWS Encryption SDK for Java. We use an AWS KMS key for the task and this works as it should.

Now we also need to access the decrypted data from a Python utility script. Using the example code we wrote:

import aws_encryption_sdk
from aws_encryption_sdk import CommitmentPolicy


def decrypt_string(key_arn, ciphertext, botocore_session=None):
    # Set up an encryption client with an explicit commitment policy. If you do not explicitly choose a
    # commitment policy, REQUIRE_ENCRYPT_REQUIRE_DECRYPT is used by default.
    client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT)

    # Create an AWS KMS master key provider restricted to the one key ARN we expect
    kms_kwargs = dict(key_ids=[key_arn])
    if botocore_session is not None:
        kms_kwargs["botocore_session"] = botocore_session
    master_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(**kms_kwargs)

    # Decrypt the ciphertext; the header carries the encryption context and algorithm suite
    plaintext, decrypted_header = client.decrypt(source=ciphertext, key_provider=master_key_provider)

    print(plaintext)
    return plaintext

The commitment policy is the same for the Java and Python implementations. When we invoke the function with the same ARN for the key and the raw cipher text we get the following error:

aws_encryption_sdk.exceptions.NotSupportedError: Unsupported signing algorithm info

Thinking we might have done something wrong we also installed the AWS Encryption CLI and tried to decode the same cipher text:

echo '<base64-encoded cipher text>' | \
aws-encryption-cli \
  --decrypt \
  --decode \
  --wrapping-keys key=<KMS KEY ARN> \
  --commitment-policy require-encrypt-require-decrypt \
  -S \
  --input - \
  --output -

But this resulted in the same error.

Next we just tried to encode some sample text using the AWS Encryption CLI but again we got the same error.

The KMS key is described as:

{
    "KeyMetadata": {
        "AWSAccountId": "<account-id>",
        "KeyId": "<key-id>",
        "Arn": "arn:aws:kms:eu-central-1:<account-id>:key/<key-id>",
        "CreationDate": "2023-06-07T10:35:18.466000+02:00",
        "Enabled": true,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "MultiRegion": false
    }
}

Is the key not created properly or am I missing something else?

Software installed with pip:

  • aws-encryption-sdk: 3.1.1
  • aws-encryption-sdk-cli: 4.1.0
  • boto3: 1.26.148

Software installed for the Java implementation:

  • org.bouncycastle.bcprov-ext-jdk18on: 1.73
  • com.amazonaws.aws-encryption-sdk-java: 2.4.0

Solution

  • I had the same issue. Found a similar ticket on GitHub.
    Info from the ticket helped to recover from the issue: although the requirements file for aws-encryption-sdk 3.1.1 lists cryptography>=2.5.0, it did cause an issue. Upgrading the cryptography package to 41.0.7 has solved the issue for me.
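Since the root cause turned out to be a dependency version rather than the key, a pre-flight check that refuses to touch KMS when the environment is known-bad makes the failure explicit instead of surfacing as "Unsupported signing algorithm info". The following is an added example, not code from the question, the answer or the AWS SDK; the package names and the 3.1.1 / 41.0.7 versions come from this page, and the helper names (parse_version, installed_versions, find_problems, preflight) are my own.

```python
from importlib.metadata import PackageNotFoundError, version
from itertools import takewhile

# Versions the answer reports as working; cryptography was the culprit.
KNOWN_GOOD = {"aws-encryption-sdk": "3.1.1", "cryptography": "41.0.7"}


def parse_version(text):
    """'41.0.7' or '41.0.7.post1' -> (41, 0, 7); stops at the first non-numeric piece."""
    parts = []
    for piece in text.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def installed_versions(names):
    """Read versions from installed package metadata; absent packages map to None."""
    found = {}
    for name in names:
        try:
            found[name] = version(name)
        except PackageNotFoundError:
            found[name] = None
    return found


def find_problems(installed, minimums=KNOWN_GOOD):
    """Compare {package: version-or-None} against the minimums; [] means all good."""
    problems = []
    for name, floor in minimums.items():
        have = installed.get(name)
        if have is None:
            problems.append(f"{name} is not installed")
        elif parse_version(have) < parse_version(floor):
            problems.append(f"{name} {have} is older than {floor}")
    return problems


def preflight(minimums=KNOWN_GOOD):
    """Call before creating the EncryptionSDKClient; raises on a known-bad environment."""
    problems = find_problems(installed_versions(minimums), minimums)
    if problems:
        raise RuntimeError("refusing to decrypt: " + "; ".join(problems))
```

Calling preflight() at the top of the utility script turns the misleading SDK error into a message naming the package that needs upgrading.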