Documentation
Index
- Constants
- func DefaultEncryptionAlgorithmSuite(options EncryptionClientOptions) *algorithms.AlgorithmSuite
- func ValidateContentEncryptionAlgorithmAgainstCommitmentPolicy(cekAlgSuite *algorithms.AlgorithmSuite, policy commitment.CommitmentPolicy) error
- func ValidateEncryptionAlgorithmSuite(options EncryptionClientOptions) error
- type EncryptionClientOptions
- type GetObjectAPIClient
- type PutObjectAPIClient
- type S3EncryptionClientV3
- func (c *S3EncryptionClientV3) DeleteObject(ctx context.Context, input *s3.DeleteObjectInput, optFns ...func(*s3.Options)) (*s3.DeleteObjectOutput, error)
- func (c *S3EncryptionClientV3) DeleteObjects(ctx context.Context, input *s3.DeleteObjectsInput, optFns ...func(*s3.Options)) (*s3.DeleteObjectsOutput, error)
- func (c *S3EncryptionClientV3) GetObject(ctx context.Context, input *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error)
- func (c *S3EncryptionClientV3) PutObject(ctx context.Context, input *s3.PutObjectInput, optFns ...func(*s3.Options)) (*s3.PutObjectOutput, error)
Constants
const DefaultBufferSize = 1024 * 64 // 64KB default buffer size
DefaultBufferSize is the default buffer size for GetObject operations. The S3EC MUST set the buffer size to a reasonable default for GetObject.
const DefaultMinFileSize = 1024 * 512 * 5
DefaultMinFileSize (2.5 MiB) is the threshold used to decide whether PutObject writes the encrypted content to a temp file or keeps it in memory.
const EncryptionContext = "EncryptionContext"
EncryptionContext is used to extract Encryption Context to use on a per-request basis
Variables
This section is empty.
Functions
func DefaultEncryptionAlgorithmSuite added in v3.2.0
func DefaultEncryptionAlgorithmSuite(options EncryptionClientOptions) *algorithms.AlgorithmSuite
func ValidateContentEncryptionAlgorithmAgainstCommitmentPolicy added in v3.2.0
func ValidateContentEncryptionAlgorithmAgainstCommitmentPolicy(cekAlgSuite *algorithms.AlgorithmSuite, policy commitment.CommitmentPolicy) error
func ValidateEncryptionAlgorithmSuite added in v3.2.0
func ValidateEncryptionAlgorithmSuite(options EncryptionClientOptions) error
Explicit (but verbose) validations of the options against the S3EC specification.
Types
type EncryptionClientOptions
type EncryptionClientOptions struct {
// TempFolderPath is used to store temp files when calling PutObject.
// Temporary files are needed to compute the X-Amz-Content-Sha256 header.
TempFolderPath string
// MinFileSize is the minimum size for the content to write to a
// temporary file instead of using memory
MinFileSize int64
// BufferSize is the buffer size used for GetObject operations
BufferSize int64
// The logger to write logging messages to
Logger *log.Logger
// The CryptographicMaterialsManager to use to manage encryption and decryption materials
CryptographicMaterialsManager materials.CryptographicMaterialsManager
// EnableLegacyUnauthenticatedModes MUST be set to true in order to decrypt objects encrypted
// using legacy (unauthenticated) modes such as AES/CBC. The default is false.
EnableLegacyUnauthenticatedModes bool
// CommitmentPolicy specifies the key commitment policy for this client.
// S3EncryptionClientV3 defaults to commitment.FORBID_ENCRYPT_ALLOW_DECRYPT.
// Objects written by a client configured with this default can be read by any v3 or v4 client
// that is configured with either FORBID_ENCRYPT_ALLOW_DECRYPT or REQUIRE_ENCRYPT_ALLOW_DECRYPT commitment policies.
// A client configured with this default can read objects written by any v3 or v4 client.
// If an EncryptionAlgorithmSuite is also provided,
// the selected CommitmentPolicy must also be compatible with the selected EncryptionAlgorithmSuite; if not, New() will return an error.
CommitmentPolicy commitment.CommitmentPolicy
// EncryptionAlgorithmSuite specifies the algorithm suite to use when encrypting objects.
// S3EncryptionClientV3 defaults to algorithms.AlgAES256GCMIV12Tag16NoKDF.
// Attempts to use a committing algorithm suite with S3EncryptionClientV3 will result in an error;
// to use a committing algorithm suite, upgrade to S3EncryptionClientV4.
// S3EncryptionClientV3 will decrypt objects encrypted with any supported algorithm suite, provided that the
// algorithms suite is compatible with the selected CommitmentPolicy and EnableLegacyUnauthenticatedModes options.
// If a CommitmentPolicy is also provided,
// the selected EncryptionAlgorithmSuite must also be compatible with the selected CommitmentPolicy; if not, New() will return an error.
EncryptionAlgorithmSuite *algorithms.AlgorithmSuite
}
type GetObjectAPIClient
type GetObjectAPIClient interface {
GetObject(context.Context, *s3.GetObjectInput, ...func(*s3.Options)) (*s3.GetObjectOutput, error)
}
GetObjectAPIClient is a client that implements the GetObject operation
type PutObjectAPIClient
type PutObjectAPIClient interface {
PutObject(context.Context, *s3.PutObjectInput, ...func(*s3.Options)) (*s3.PutObjectOutput, error)
}
PutObjectAPIClient is a client that implements the PutObject operation
type S3EncryptionClientV3
type S3EncryptionClientV3 struct {
*s3.Client // promoted anonymous field, it allows this type to call s3 Client methods
Options EncryptionClientOptions // options for encrypt/decrypt
}
S3EncryptionClientV3 provides client-side encryption for S3. The client embeds the underlying s3.Client to support control-plane operations that do not involve encryption.
func New
func New(s3Client *s3.Client, CryptographicMaterialsManager materials.CryptographicMaterialsManager, optFns ...func(options *EncryptionClientOptions)) (*S3EncryptionClientV3, error)
New creates a new S3 Encryption Client v3 with the given CryptographicMaterialsManager.
func (*S3EncryptionClientV3) DeleteObject added in v3.2.0
func (c *S3EncryptionClientV3) DeleteObject(ctx context.Context, input *s3.DeleteObjectInput, optFns ...func(*s3.Options)) (*s3.DeleteObjectOutput, error)
DeleteObject will defer to the underlying S3 client to delete the object, but will execute its own logic to delete the associated instruction file using the default instruction file suffix.
func (*S3EncryptionClientV3) DeleteObjects added in v3.2.0
func (c *S3EncryptionClientV3) DeleteObjects(ctx context.Context, input *s3.DeleteObjectsInput, optFns ...func(*s3.Options)) (*s3.DeleteObjectsOutput, error)
DeleteObjects will delete multiple objects by calling DeleteObject for each object. This ensures that both the objects and their associated instruction files are deleted.
func (*S3EncryptionClientV3) GetObject
func (c *S3EncryptionClientV3) GetObject(ctx context.Context, input *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error)
GetObject will make a request to S3 and retrieve the object, decrypting it in the process. The SDK only supports region reads of KMS and GCM.
func (*S3EncryptionClientV3) PutObject
func (c *S3EncryptionClientV3) PutObject(ctx context.Context, input *s3.PutObjectInput, optFns ...func(*s3.Options)) (*s3.PutObjectOutput, error)
PutObject will encrypt the contents before sending the data to S3. Depending on MinFileSize, a temporary file may be used to buffer the encrypted contents.