
KMS GenerateDataKey API fails when using a string containing null byte as the encryption context

Open ttjsu-aws opened this issue 7 years ago • 1 comments

The KMS Client's GenerateDataKey API fails when a string containing a null byte (specifically as the first byte of the string) is used as the encryption context. Below is example code that reproduces this issue:

#include <stdio.h>
#include <aws/core/Aws.h>

#include <aws/core/utils/Array.h>
#include <aws/core/utils/Outcome.h>
#include <aws/core/utils/memory/stl/AWSMap.h>
#include <aws/core/utils/memory/stl/AWSString.h>
#include <aws/core/client/ClientConfiguration.h>
#include <aws/kms/KMSClient.h>
#include <aws/kms/model/GenerateDataKeyRequest.h>
#include <aws/kms/model/GenerateDataKeyResult.h>

using Aws::SDKOptions;

int main()
{
    Aws::SDKOptions options;
    // Logging options must be set before InitAPI for them to take effect.
    options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Info;
    Aws::InitAPI(options);

    struct Aws::Client::ClientConfiguration client_configuration;
    std::shared_ptr<Aws::KMS::KMSClient> kms_client;
    Aws::KMS::Model::GenerateDataKeyRequest request;
    Aws::KMS::Model::GenerateDataKeyOutcome generate_datakey_outcome;
    Aws::Map<Aws::String, Aws::String> enc_context;

    const char *KEY_ARN = "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f";
    client_configuration.region = Aws::Region::US_WEST_2;
    kms_client = Aws::MakeShared<Aws::KMS::KMSClient>("Test KMS client", client_configuration);

    // Case 1: encryption context whose key and value contain no null byte

    Aws::String key1 = "key";
    Aws::String value1 = "val";

    enc_context[key1] = value1;
    request.SetKeyId(KEY_ARN);
    request.SetNumberOfBytes(64);
    request.SetEncryptionContext(enc_context);

    generate_datakey_outcome = kms_client->GenerateDataKey(request);

    if (!generate_datakey_outcome.IsSuccess())
    {
        fprintf(stderr, "KMS Client GenerateDataKey API call failed for non-null-byte encryption context: %s\n",
                generate_datakey_outcome.GetError().GetMessage().c_str());
    }

    // Case 2: same lengths, but the value now starts with a null byte.
    // Aws::String is length-aware, so all three bytes are stored; only a
    // C-string view of the value (c_str()) stops at the null.

    key1[0] = 0x01;
    key1[1] = 0x02;
    key1[2] = 0x03;

    value1[0] = 0x00; // null byte as the first byte of the value
    value1[1] = 0x21;
    value1[2] = 0x22;

    enc_context.clear();
    enc_context[key1] = value1;
    request.SetEncryptionContext(enc_context);
    generate_datakey_outcome = kms_client->GenerateDataKey(request);

    if (!generate_datakey_outcome.IsSuccess())
    {
        fprintf(stderr, "KMS Client GenerateDataKey API call failed for null-byte encryption context: %s\n",
                generate_datakey_outcome.GetError().GetMessage().c_str());
    }

    Aws::ShutdownAPI(options);
    return 0;
}

ttjsu-aws avatar Nov 30 '18 00:11 ttjsu-aws

C-Strings snip the value during JSON serialization.

JsonValue& JsonValue::WithString(const char* key, const Aws::String& value)
{
    if (!m_value)
    {
        m_value = cJSON_CreateObject();
    }

    const auto val = cJSON_CreateString(value.c_str()); // <--- the problem
    AddOrReplace(m_value, key, val);
    return *this;
}

It doesn't look like cJSON (our JSON serializer) supports those kinds of strings. We will have to patch it to fix this.

Would love to have a pull request for this.

marcomagdy avatar Dec 05 '18 18:12 marcomagdy
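The truncation described in the comment above can be reproduced without the SDK. The following is an added example, not code from aws-sdk-cpp or cJSON: `truncate_at_nul` mirrors what a `const char*` API sees when handed `value.c_str()`, `json_quote` is a hypothetical length-aware JSON string encoder that walks all `size()` bytes and escapes the null byte as `\u0000`, and `has_embedded_nul` is a pre-flight check a caller could run on encryption-context entries before sending a request. The sample value is constructed to match `value1` from the issue (NUL, `!`, `"`).

```cpp
// Added example (not code from aws-sdk-cpp or cJSON): shows why passing
// value.c_str() to a NUL-terminated API silently truncates a string with an
// embedded NUL, and what a length-aware JSON encoder produces instead.
#include <cstdio>
#include <cstring>
#include <string>

// Simulates handing a std::string to a C API that only receives const char*:
// std::string(const char*) uses strlen, so everything after the first NUL is
// dropped. This mirrors cJSON_CreateString(value.c_str()) in the issue.
std::string truncate_at_nul(const std::string& value)
{
    return std::string(value.c_str());
}

// Hypothetical length-aware JSON string encoder: iterates over value.size()
// bytes, so an embedded NUL is emitted as "\u0000" rather than ending the value.
std::string json_quote(const std::string& value)
{
    std::string out;
    out.reserve(value.size() + 2);
    out += '"';
    for (unsigned char c : value) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\n': out += "\\n";  break;
        case '\r': out += "\\r";  break;
        case '\t': out += "\\t";  break;
        default:
            if (c < 0x20) {
                // Control characters (including NUL) must be \u-escaped in JSON.
                char buf[8];
                std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                out += buf;
            } else {
                out += static_cast<char>(c);
            }
        }
    }
    out += '"';
    return out;
}

// Caller-side check: flags an encryption-context entry that a NUL-terminated
// serializer would alter, so the mismatch is caught before the request is built.
bool has_embedded_nul(const std::string& value)
{
    return std::memchr(value.data(), '\0', value.size()) != nullptr;
}

int main()
{
    // Constructed sample matching the issue's value1: NUL, '!', '"'.
    std::string value1("\x00\x21\x22", 3);
    std::printf("original length: %zu\n", value1.size());
    std::printf("after c_str() copy: %zu bytes\n", truncate_at_nul(value1).size());
    std::printf("length-aware JSON: %s\n", json_quote(value1).c_str());
    std::printf("contains embedded NUL: %s\n", has_embedded_nul(value1) ? "yes" : "no");
    return 0;
}
```

Because the NUL is the first byte, the C-string copy is empty, which is why the issue's value disappears entirely from the serialized request; a value with the NUL in the middle would instead be silently shortened, which is harder to notice than an outright failure.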

This is an old issue. Are you still having problems when using a null byte?

jmklix avatar Mar 10 '23 17:03 jmklix

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

github-actions[bot] avatar Mar 13 '23 00:03 github-actions[bot]