AwsEncryptionSdk.Format.Header (AWS Encryption SDK v0.7.0)
Message header serialization and deserialization.
Supports both version 1.0 and 2.0 header formats.
Version 2.0 Format (Committed Suites)
| Field | Size | Notes |
|----------------------|-----------|------------------|
| Version | 1 byte | 0x02 |
| Algorithm Suite ID | 2 bytes | |
| Message ID | 32 bytes | |
| AAD Length | 2 bytes | |
| AAD (enc context) | Variable | |
| EDK Count | 2 bytes | |
| EDKs | Variable | |
| Content Type | 1 byte | |
| Frame Length | 4 bytes | |
| Algorithm Suite Data | 32 bytes | commitment key |
| Auth Tag | 16 bytes | |
Version 1.0 Format (Legacy)
| Field | Size | Notes |
|----------------------|-----------|------------------|
| Version | 1 byte | 0x01 |
| Type | 1 byte | 0x80 |
| Algorithm Suite ID | 2 bytes | |
| Message ID | 16 bytes | |
| AAD Length | 2 bytes | |
| AAD (enc context) | Variable | |
| EDK Count | 2 bytes | |
| EDKs | Variable | |
| Content Type | 1 byte | |
| Reserved | 4 bytes | 0x00000000 |
| IV Length | 1 byte | |
| Frame Length | 4 bytes | |
| IV | Variable | |
| Auth Tag | 16 bytes | |
Types
@type content_type() :: :framed | :non_framed
@type t() :: %AwsEncryptionSdk.Format.Header{
  algorithm_suite: AwsEncryptionSdk.AlgorithmSuite.t(),
  algorithm_suite_data: binary() | nil,
  content_type: content_type(),
  encrypted_data_keys: [AwsEncryptionSdk.Materials.EncryptedDataKey.t()],
  encryption_context: AwsEncryptionSdk.Format.EncryptionContext.t(),
  frame_length: non_neg_integer(),
  header_auth_tag: binary(),
  header_iv: binary() | nil,
  message_id: binary(),
  version: 1 | 2
}
Message header structure
Functions
Deserializes a header from binary data.
Returns {:ok, header, rest} on success.
@spec generate_message_id(1 | 2) :: binary()
Generates a new random message ID for the given version.
- Version 1: 16 random bytes
- Version 2: 32 random bytes
Serializes a complete header including the auth tag.
Serializes the header body (everything except the auth tag).
This is the data that gets authenticated by the header auth tag.
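The two layouts in the format tables, walked with binary pattern matching and returning the same {:ok, header, rest} shape that deserialization is described as returning. This is an added example, not the SDK's own code: the module name HeaderSketch is hypothetical, and the per-EDK layout and content-type byte values are assumptions taken from the AWS Encryption SDK message format rather than from this page.

```elixir
defmodule HeaderSketch do
  # Added illustration, not the SDK's parser. Field order follows the tables above.
  # Assumed from the AWS Encryption SDK message format, not from this page: each EDK
  # is three 2-byte-length-prefixed fields; content type 0x01 = non-framed, 0x02 = framed.

  def parse(<<0x02, suite::16, id::binary-size(32), rest::binary>>),
    do: body(%{version: 2, suite_id: suite, message_id: id}, rest)

  def parse(<<0x01, 0x80, suite::16, id::binary-size(16), rest::binary>>),
    do: body(%{version: 1, suite_id: suite, message_id: id}, rest)

  def parse(_), do: {:error, :bad_version_or_truncated}

  # Length-prefixed fields: a short buffer fails the match, nothing is read past the end.
  defp body(h, <<aad_len::16, aad::binary-size(aad_len), count::16, rest::binary>>) do
    with {:ok, list, rest} <- edks(count, rest, []) do
      tail(Map.merge(h, %{aad: aad, edks: list}), rest)
    end
  end

  defp body(_, _), do: {:error, :truncated}

  defp edks(0, rest, acc), do: {:ok, Enum.reverse(acc), rest}
  defp edks(n, <<pl::16, provider::binary-size(pl), il::16, info::binary-size(il),
                 cl::16, key::binary-size(cl), rest::binary>>, acc),
    do: edks(n - 1, rest, [{provider, info, key} | acc])

  defp edks(_, _, _), do: {:error, :truncated_edk}

  defp tail(%{version: 2} = h, <<ct, frame::32, data::binary-size(32),
                                  tag::binary-size(16), rest::binary>>),
    do: finish(h, ct, %{frame_length: frame, suite_data: data, auth_tag: tag}, rest)

  defp tail(%{version: 1} = h, <<ct, 0::32, iv_len, frame::32, iv::binary-size(iv_len),
                                  tag::binary-size(16), rest::binary>>),
    do: finish(h, ct, %{frame_length: frame, iv: iv, auth_tag: tag}, rest)

  defp tail(_, _), do: {:error, :bad_tail}

  defp finish(h, 1, f, rest), do: {:ok, Map.merge(h, Map.put(f, :content_type, :non_framed)), rest}
  defp finish(h, 2, f, rest), do: {:ok, Map.merge(h, Map.put(f, :content_type, :framed)), rest}
  defp finish(_, _, _, _), do: {:error, :bad_content_type}
end

# Constructed sample: v2 header, empty AAD, one EDK, framed, followed by body bytes.
edk = <<3::16, "raw", 2::16, "k1", 4::16, 1, 2, 3, 4>>
v2 = <<2, 0x0478::16, 0::256, 0::16, 1::16>> <> edk <> <<2, 4096::32, 0::256, 0::128, "frames">>
{:ok, %{content_type: :framed, frame_length: 4096}, "frames"} = HeaderSketch.parse(v2)
{:error, :truncated_edk} = HeaderSketch.parse(binary_part(v2, 0, 45))
```

Every field returned here is unauthenticated input: nothing parsed from the header should drive decisions until the header auth tag has been verified over the header body.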