File: s3-encryption/data-format/content-metadata.md (6 additions & 7 deletions)
@@ -48,7 +48,7 @@ Metadata containing "x-amz-c" is considered to use the V3 format.
48
48
49
49
### Content Metadata MapKeys
50
50
51
-
Metadata is stored as an US-ASCII preferred string -> an US-ASCII preferred only string map (see [US-ASCII preferred String](#us-ascii-preferred-string) for details).
51
+
Metadata is stored as a US-ASCII preferred string -> a US-ASCII preferred only string map (see [US-ASCII preferred String](#us-ascii-preferred-string) for details).
52
52
Metadata is responsible for storing data which is critical for decryption of the object.
53
53
The mapkeys contained in the metadata depends on the format version used.
54
54
The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code.
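Review bot: the article fix on line 51 ("a US-ASCII") is correct, but the unchanged line 53 in the same hunk still reads "The mapkeys contained in the metadata depends on the format version used." and needs "depend"; fold that into this grammar-only change. The phrase "a US-ASCII preferred string -> a US-ASCII preferred only string map" would also read more clearly as "a map from US-ASCII preferred strings to US-ASCII preferred only strings".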
@@ -60,7 +60,7 @@ When the object is encrypted using the V1 format:
60
60
- The mapkey "x-amz-key" MUST be present for V1 format objects.
61
61
- The mapkey "x-amz-matdesc" MUST be present for V1 format objects.
62
62
- The mapkey "x-amz-iv" MUST be present for V1 format objects.
63
-
-Mapkeys exclusive to other format versions MUST NOT be present.
63
+
-If mapkeys exclusive to other (non-V1) format versions is present,the S3EC SHOULD throw an exception.
64
64
65
65
When the object is encrypted using the V2 format:
66
66
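Review bot: the new V1 sentence on line 63 has a missing space after the comma ("present,the") and a number-agreement error ("mapkeys ... is present"), and it drops the leading "- " that the surrounding V1 requirements on lines 60-62 use, so it falls out of the bullet list. Suggest matching the V2/V3 wording exactly: "- If a mapkey exclusive to other (non-V1) format versions is present, the S3EC SHOULD throw an exception." Separately, deleting "Mapkeys exclusive to other format versions MUST NOT be present." removes the only writer-side prohibition in this block; the replacement only tells a decrypting client what to do when it finds such a key. If encryption is still expected never to emit keys from another format version, that requirement should be stated somewhere, or the commit should say it is intentionally dropped.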
@@ -72,9 +72,8 @@ When the object is encrypted using the V2 format:
72
72
- The mapkey "x-amz-tag-len" MAY be present for V2 format objects.
73
73
- If the object is encrypted using AES-GCM for content encryption, then the the mapkey "x-amz-tag-len" MUST be present.
74
74
- If the object is encrypted using AES-CBC for content encryption, then the the mapkey "x-amz-tag-len" MUST NOT be present.
75
-
- The mapkey "x-amz-unencrypted-content-length" MAY be present for V2 format objects.
76
-
- Mapkeys exclusive to other format versions MUST NOT be present.
77
-
- If a mapkey exclusive to one or more other format versions is present, the S3EC SHOULD throw an exception.
75
+
- The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V2 format objects.
76
+
- If a mapkey exclusive to other (non-V2) format versions is present, the S3EC SHOULD throw an exception.
78
77
79
78
The V3 format introduces the use of compression to reduce the size of S3EC-specific metadata.
80
79
The V3 format uses the following mapkeys:
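Review bot: line 75 changes "x-amz-unencrypted-content-length" from MAY to SHOULD, which is a normative change to what V2 writers are expected to emit rather than the wording cleanup the rest of this commit makes; it deserves a sentence stating when an implementation is permitted to omit it, otherwise readers cannot tell whether its absence is a conformance problem. While touching this block, the unchanged lines 73 and 74 both contain the doubled word "the the mapkey".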
@@ -101,8 +100,7 @@ The V3 format uses the following mapkeys:
101
100
- The mapkey "x-amz-i" MUST be present for V3 format objects.
102
101
- This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code.
103
102
- This mapkey is new for V3 and refers to the Message ID value used by committing algorithm suites.
104
-
- Mapkeys exclusive to other format versions MUST NOT be present.
105
-
- If a mapkey exclusive to one or more other format versions is present, the S3EC SHOULD throw an exception.
103
+
- If a mapkey exclusive to other (non-V3) format versions is present, the S3EC SHOULD throw an exception.
106
104
107
105
In general, the storage medium is independent from the format, with the exception of the V3 format.
108
106
In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata.
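Review bot: line 103 keeps "SHOULD throw an exception" (unchanged from the old line 105) for a V3 object that also carries keys exclusive to V1 or V2. Since "x-amz-i" identifies the Message ID of the committing algorithm suites (line 102) and the hunk header of the first hunk states that metadata containing "x-amz-c" is treated as V3, a mixed key set is a format-integrity failure rather than a recoverable condition; consider MUST here, or state explicitly which implementations may proceed and which format they select when they do. As written, an implementation that ignores the stray V1 "x-amz-key" is conformant but silently decrypts an object whose metadata is inconsistent.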
@@ -275,3 +273,4 @@ then the implementation SHOULD throw an error if non-US-ASCII characters are enc
275
273
the error SHOULD detail that the implementation does not support non-US-ASCII characters but encountered non-US-ASCII characters.
276
274
277
275
[//]: #"See https://taskei.amazon.dev/tasks/P330807252 for details on UTF-8."
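Review bot: the added comment line is meant to be hidden Markdown, but `[//]: #"See ..."` has no whitespace between the `#` destination and the quoted title, so CommonMark does not parse it as a link reference definition and renderers will show it as literal text. Use the conventional form `[//]: # (See https://taskei.amazon.dev/tasks/P330807252 for details on UTF-8.)`. Also, taskei.amazon.dev is an internal tracker that readers of this spec cannot open; summarise the UTF-8 decision inline or link a public issue instead.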
File: s3-encryption/decryption.md (1 addition & 1 deletion)
@@ -47,7 +47,7 @@ If an object is encrypted with ALG_AES_256_CBC_IV16_NO_KDF and [legacy unauthent
47
47
the S3EC MUST throw an error which details that client was not configured to decrypt objects with ALG_AES_256_CBC_IV16_NO_KDF.
48
48
49
49
If an object is encrypted with ALG_AES_256_CBC_IV16_NO_KDF and [legacy unauthenticated algorithm suites](#legacy-decryption) is enabled,
50
-
then the S3EC MUST create a cipher object using the cipher transformation "AES/CBC/PKCS5Padding".
50
+
then the S3EC MUST create a cipher with AES in CBC Mode with PKCS5Padding or PKCS7Padding compatible padding for a 16-byte block cipher (example: for the Java JCE, this is "AES/CBC/PKCS5Padding").
51
51
52
52
If the cipher object cannot be created as described above,
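Review bot: line 50 now reads "PKCS5Padding or PKCS7Padding compatible padding for a 16-byte block cipher", which is hard to parse and slightly misstates the relationship: the scheme is PKCS#7 padding, and "PKCS5Padding" is only the Java JCE name for PKCS#7 applied to AES's 16-byte block. Suggest: "then the S3EC MUST create a cipher using AES in CBC mode with PKCS#7 padding (16-byte blocks; the Java JCE transformation for this is "AES/CBC/PKCS5Padding")." Since line 49 scopes this to the legacy unauthenticated suite, the decryption error handling that follows is also the place to require that a padding failure be reported with the same generic error as any other decryption failure, so the client does not act as a padding oracle.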