
Commit ebfef6d

committed
KMS:Error handling for invalid blob in issue #12530
1 parent 5b0180c commit ebfef6d


4 files changed

+34
-3
lines changed


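--- a/localstack-core/localstack/services/kms/provider.py
+++ b/localstack-core/localstack/services/kms/provider.py
@@ -1043,7 +1043,8 @@ def decrypt(
 account_id, region_name, key_id = self._parse_key_id(key_id, context)
 try:
 ciphertext = deserialize_ciphertext_blob(ciphertext_blob=ciphertext_blob)
-except Exception:
+except Exception as e:
+logging.error("Error deserializing ciphertext blob: %s", e)
 ciphertext = None
 pass
 else:
@@ -1072,6 +1073,9 @@ def decrypt(
 if self._is_rsa_spec(key.crypto_key.key_spec) and not ciphertext:
 plaintext = key.decrypt_rsa(ciphertext_blob)
 else:
+# if symmetric encryption then ciphertext must not be None
+if ciphertext is None:
+raise InvalidCiphertextException()
 plaintext = key.decrypt(ciphertext, encryption_context)
 except InvalidTag:
 raise InvalidCiphertextException()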
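Review bot: The `logging.error(...)` added in the `except` branch will also fire on ordinary RSA decrypts, as far as these hunks show: the second hunk takes the RSA path precisely when `ciphertext` is falsy, i.e. after deserialization has failed, so a well-formed asymmetric request is reported at error level on every call. That noise makes a genuinely malformed blob harder to spot in the logs, and the message interpolates exception text derived from a caller-supplied blob. I would lower it to debug and log through the module's logger rather than the root `logging` functions, e.g. `LOG.debug("Ciphertext blob is not in the symmetric format: %s", e)` (assuming the module defines `LOG`), and drop the now-redundant `pass`. `decrypt` starts and ends outside both hunks, so the `else:` branch that consumes `ciphertext` is not visible here.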

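--- a/tests/aws/services/kms/test_kms.py
+++ b/tests/aws/services/kms/test_kms.py
@@ -14,6 +14,7 @@
 from cryptography.hazmat.primitives.serialization import load_der_public_key
 
 from localstack.services.kms.models import (
+HEADER_LEN,
 IV_LEN,
 ON_DEMAND_ROTATION_LIMIT,
 Ciphertext,
@@ -1819,6 +1820,15 @@ def test_encrypt_decrypt_encryption_context(self, kms_create_key, snapshot, aws_
 )
 snapshot.match("decrypt_response_without_encryption_context", e.value.response)
 
+with pytest.raises(ClientError) as e:
+aws_client.kms.decrypt(
+KeyId=key_id,
+CiphertextBlob=ciphertext[HEADER_LEN:],
+EncryptionAlgorithm=algo,
+EncryptionContext=encryption_context,
+)
+snapshot.match("decrypt_response_with_invalid_ciphertext", e.value.response)
+
 @markers.aws.validated
 def test_get_parameters_for_import(self, kms_create_key, snapshot, aws_client):
 sign_verify_key = kms_create_key(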
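Review bot: The new `decrypt` call at the end of `test_encrypt_decrypt_encryption_context` slices the blob with `HEADER_LEN`, a LocalStack-internal layout constant, without saying why; a one-line comment such as `# drop the leading HEADER_LEN bytes so the blob is no longer a well-formed ciphertext` would make the intent clear. It is not visible from this hunk whether the truncated blob fails at deserialization or only later at tag verification, and both paths end in `InvalidCiphertextException`, so the test may pass without reaching the new `ciphertext is None` branch. A second case with a blob shorter than `HEADER_LEN` would pin that branch more directly. The test function starts outside the hunk.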

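--- a/tests/aws/services/kms/test_kms.snapshot.json
+++ b/tests/aws/services/kms/test_kms.snapshot.json
@@ -1565,7 +1565,7 @@
 }
 },
 "tests/aws/services/kms/test_kms.py::TestKMS::test_encrypt_decrypt_encryption_context": {
-"recorded-date": "11-05-2023, 22:46:49",
+"recorded-date": "08-07-2025, 05:53:27",
 "recorded-content": {
 "encrypt_response": {
 "CiphertextBlob": "ciphertext-blob",
@@ -1579,6 +1579,7 @@
 "decrypt_response_with_encryption_context": {
 "EncryptionAlgorithm": "SYMMETRIC_DEFAULT",
 "KeyId": "<key-id:1>",
+"KeyMaterialId": "e2333676b9bf055cb0caa2bec3957d7f3e60b7545a3706314e397746cd26122e",
 "Plaintext": "plaintext",
 "ResponseMetadata": {
 "HTTPHeaders": {},
@@ -1594,6 +1595,16 @@
 "HTTPHeaders": {},
 "HTTPStatusCode": 400
 }
+},
+"decrypt_response_with_invalid_ciphertext": {
+"Error": {
+"Code": "InvalidCiphertextException",
+"Message": ""
+},
+"ResponseMetadata": {
+"HTTPHeaders": {},
+"HTTPStatusCode": 400
+}
 }
 }
 },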

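--- a/tests/aws/services/kms/test_kms.validation.json
+++ b/tests/aws/services/kms/test_kms.validation.json
@@ -60,7 +60,13 @@
 "last_validated_date": "2024-04-11T15:53:18+00:00"
 },
 "tests/aws/services/kms/test_kms.py::TestKMS::test_encrypt_decrypt_encryption_context": {
-"last_validated_date": "2024-04-11T15:54:22+00:00"
+"last_validated_date": "2025-07-08T05:53:27+00:00",
+"durations_in_seconds": {
+"setup": 0.74,
+"call": 1.08,
+"teardown": 0.15,
+"total": 1.97
+}
 },
 "tests/aws/services/kms/test_kms.py::TestKMS::test_encrypt_validate_plaintext_size_per_key_type[RSA_2048-RSAES_OAEP_SHA_1]": {
 "last_validated_date": "2024-04-11T15:53:20+00:00"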
