我可以通过Java SDK添加一个客户端加密文件，也可以获取该文件。我现在正试着用boto3来访问它。（我知道boto3不支持这个，但是s3 wrapper支持。不过，这与boto3有关）。

我正在获取s3元数据，然后调用kms.decrypt，如下所示：

object_info = s3.head_object(Bucket=bucket_name, Key=key_name)
metadata = object_info['Metadata'] # metadata is a dict with lots of x-amz-key, x-amz-iv, etc
ekey = kms.decrypt(CiphertextBlob=metadata,EncryptionContext=metadata)

# fails with:
# ParamValidationError:
# Parameter validation failed: Invalid type for parameter CiphertextBlob, value: .. type: <class 'dict'>, valid types: <class 'bytes'>, <class 'bytearray'>, file-like object`

那么，如果我将密钥作为密文blob传入呢？

# this key looks like 'CiAlgoyM4k...
ekey = kms.decrypt(CiphertextBlob=metadata['x-amz-key-v2'],EncryptionContext=metadata)

# fails with:
# botocore.exceptions.ClientError: An error occurred (InvalidCiphertextException) when calling the Decrypt operation: None

然后我尝试传入一个base64'd密钥：

# this key looks like b'\n %\x82\x8c\x8c\xe2ML...
cblob = base64.b64decode(metadata['x-amz-key-v2'])
ekey = kms.decrypt(CiphertextBlob=cblob,EncryptionContext=metadata)

# (still) fails with:
# botocore.exceptions.ClientError: An error occurred (InvalidCiphertextException) when calling the Decrypt operation: None

然后我尝试将s3内容作为blob传入。

full_object = s3.get_object(Bucket=bucket_name, Key=key_name)
ekey = kms.decrypt(CiphertextBlob=full_object['Body'].read(),EncryptionContext=metadata)

# Still fails with:
# botocore.exceptions.ClientError: An error occurred (InvalidCiphertextException) when calling the Decrypt operation: None

所以，我想我的问题是，什么是来自S3元数据的正确密文blob？因为我把它放在Java SDK的EncryptedPutObjectRequest和AmazonS3EncryptionClient中，后者将它抽象出来，所以我不知道这个blob应该是什么样子。

相关链接

• 堆栈溢出：client-side decryption in ruby; does not use KMS
• boto3 github问题：the start of kms decryption in boto3 for s3; does not work, perhaps because this is a "v2" key?