AWS Encryption SDK for C v2.4
Keyrings using local (raw) keys

Enumerations

enum aws_cryptosdk_aes_key_len {
    AWS_CRYPTOSDK_AES128 = 128 / 8,
    AWS_CRYPTOSDK_AES192 = 192 / 8,
    AWS_CRYPTOSDK_AES256 = 256 / 8
}

enum aws_cryptosdk_rsa_padding_mode {
    AWS_CRYPTOSDK_RSA_PKCS1,
    AWS_CRYPTOSDK_RSA_OAEP_SHA1_MGF1,
    AWS_CRYPTOSDK_RSA_OAEP_SHA256_MGF1
}

Functions

struct aws_cryptosdk_keyring * aws_cryptosdk_raw_aes_keyring_new (struct aws_allocator *alloc, const struct aws_string *key_namespace, const struct aws_string *key_name, const uint8_t *key_bytes, enum aws_cryptosdk_aes_key_len key_len)

struct aws_cryptosdk_keyring * aws_cryptosdk_raw_rsa_keyring_new (struct aws_allocator *alloc, const struct aws_string *key_namespace, const struct aws_string *key_name, const char *rsa_private_key_pem, const char *rsa_public_key_pem, enum aws_cryptosdk_rsa_padding_mode rsa_padding_mode)

Detailed Description

Enumeration Type Documentation

◆ aws_cryptosdk_aes_key_len

Enumerator
AWS_CRYPTOSDK_AES128 
AWS_CRYPTOSDK_AES192 
AWS_CRYPTOSDK_AES256 

Definition at line 35 of file cipher.h.

◆ aws_cryptosdk_rsa_padding_mode

Enumerator
AWS_CRYPTOSDK_RSA_PKCS1 
AWS_CRYPTOSDK_RSA_OAEP_SHA1_MGF1 
AWS_CRYPTOSDK_RSA_OAEP_SHA256_MGF1 

Definition at line 42 of file cipher.h.

Function Documentation

◆ aws_cryptosdk_raw_aes_keyring_new()

struct aws_cryptosdk_keyring * aws_cryptosdk_raw_aes_keyring_new (
    struct aws_allocator *alloc,
    const struct aws_string *key_namespace,
    const struct aws_string *key_name,
    const uint8_t *key_bytes,
    enum aws_cryptosdk_aes_key_len key_len)

A keyring which does local AES-GCM encryption and decryption of data keys using the bytes in the array provided as the wrapping key.

Key namespace, name, and raw key bytes provided by the caller are copied into the state of the keyring, so those arrays do not need to be maintained while using the keyring. For maximum security, the caller should zero out the array of raw key bytes after creating this object.

The encryption context which is passed to this KR on encrypt and decrypt calls is used as additional authenticated data (AAD) in the AES-GCM encryption of the data keys. This means that the same encryption context must be present for both encryption and decryption.

Set your own namespace and name for the wrapping key you use, for bookkeeping purposes. A raw AES keyring which attempts to decrypt data previously encrypted by another raw AES keyring must specify the same name and namespace.

Note: when this keyring is used, it generates a trace that includes copies of the namespace and name strings for each call. If you generate either or both of the namespace and name strings using the AWS_STATIC_STRING_FROM_LITERAL macro, all copies of these strings will be optimized out.

On failure returns NULL and sets an internal AWS error code.

◆ aws_cryptosdk_raw_rsa_keyring_new()

struct aws_cryptosdk_keyring * aws_cryptosdk_raw_rsa_keyring_new (
    struct aws_allocator *alloc,
    const struct aws_string *key_namespace,
    const struct aws_string *key_name,
    const char *rsa_private_key_pem,
    const char *rsa_public_key_pem,
    enum aws_cryptosdk_rsa_padding_mode rsa_padding_mode)

A keyring which does local RSA encryption and decryption of data keys using the RSA keys provided as null-terminated C-strings in PEM format.

Here, 'rsa_public_key_pem' is a null-terminated C-string containing the public key in PEM format and 'rsa_private_key_pem' is a null-terminated C-string containing the private key in PEM format. Note that either argument may be set to NULL. Encryption is possible only when a public key is provided, and decryption is possible only when a private key is provided.

Key namespace, name, RSA private key and RSA public key provided by the caller are copied into the state of the keyring, so those arrays do not need to be maintained while using the keyring. For maximum security, the caller should zero out the 'rsa_private_key_pem' buffer after creating this object.

Set your own namespace and name for the wrapping (RSA) key you use, for bookkeeping purposes. A raw RSA keyring which attempts to decrypt data previously encrypted by another raw RSA keyring must specify the same name and namespace.

Note: when this keyring is used, it generates a trace that includes copies of the namespace and name strings for each call. If you generate either or both of the namespace and name strings using the AWS_STATIC_STRING_FROM_LITERAL macro, all copies of these strings will be optimized out.

On failure returns NULL and sets an internal AWS error code.