By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Cognito Custom Email Sender Code Decryption

0

I am implementing a custom email sending Lambda for Cognito. When attempting to decrypt the "code" I am receiving the "Aws::KMS::Errors::InvalidCiphertextException" exception.

I have a symmetric KMS key assigned to the Lambda via the Cognito User Pool, and can successfully trigger the Lambda. I have attempted to use both "Base64.decode64" and Base64.strict_decode64" before passing the ciphertext to the decode method.

The CloudTrail logs are showing that Cognito is using the KMS GenerateKeyPair method, and providing an encryption context:

{
  "userpool-id": "my-user-pool",
  "aws-crypto-public-key": "AULXovx/...==" 
}

I have therefore attempted to pass this "encryption_context" to the decrypt method, however the "aws-crypto-public-key" is unique to each request. The KMS documentation explains (as best I can understand) that public keys are not applicable for symmetric keys.

Questions:

  • Have I correctly understood the requirements to decode the ciphertext input?
  • If so, how can I retrieve the public-key value for the given ciphertext input?

Language: Ruby SDK Version: 3

1 Answer
0
Accepted Answer

I was using the wrong library to decrypt the ciphertext. Cognito is using the Encryption SDK to encrypt the code, not KMS, therefore it requires the use of the same SDK to decrypt.

Notes:

  • The Encryption SDK, in this circumstance, is using the symmetric KMS key configured on the user pool to perform the encryption.
  • The Encryption SDK is not currently available for Ruby
answered 3 years ago
profile picture
EXPERT
reviewed 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions