@spec load_private_key_pem(String.t()) :: {:ok, rsa_private_key()} | {:error, term()}

Loads an RSA private key from PEM-encoded string.

Supports PKCS#8 PrivateKeyInfo and RSAPrivateKey formats.

Examples

iex> pem = "-----BEGIN PRIVATE KEY-----\n..."
iex> {:ok, key} = AwsEncryptionSdk.Keyring.RawRsa.load_private_key_pem(pem)

@spec load_public_key_pem(String.t()) :: {:ok, rsa_public_key()} | {:error, term()}

Loads an RSA public key from PEM-encoded string.

Supports X.509 SubjectPublicKeyInfo and RSAPublicKey formats.

Examples

iex> pem = "-----BEGIN PUBLIC KEY-----\n..."
iex> {:ok, key} = AwsEncryptionSdk.Keyring.RawRsa.load_public_key_pem(pem)

@spec new(String.t(), String.t(), padding_scheme(), keyword()) ::
  {:ok, t()} | {:error, term()}

Creates a new Raw RSA Keyring.

Parameters

• key_namespace - Key provider ID (must not start with "aws-kms")
• key_name - Unique identifier for the key pair
• padding_scheme - One of :pkcs1_v1_5, {:oaep, :sha1}, {:oaep, :sha256}, {:oaep, :sha384}, {:oaep, :sha512}
• opts - Keyword list with :public_key and/or :private_key (at least one required)

Returns

• {:ok, keyring} on success
• {:error, reason} on validation failure

Errors

• {:error, :reserved_provider_id} - key_namespace starts with "aws-kms"
• {:error, :invalid_padding_scheme} - unsupported padding scheme
• {:error, :no_keys_provided} - neither public nor private key provided

Examples

iex> {:ok, pub} = AwsEncryptionSdk.Keyring.RawRsa.load_public_key_pem(pem)
iex> {:ok, keyring} = AwsEncryptionSdk.Keyring.RawRsa.new("ns", "key", {:oaep, :sha256}, public_key: pub)
iex> keyring.padding_scheme
{:oaep, :sha256}

@spec unwrap_key(t(), AwsEncryptionSdk.Materials.DecryptionMaterials.t(), [
  AwsEncryptionSdk.Materials.EncryptedDataKey.t()
]) ::
  {:ok, AwsEncryptionSdk.Materials.DecryptionMaterials.t()} | {:error, term()}

Unwraps a data key using this keyring's private key.

Iterates through EDKs to find one that:

1. Has matching key_provider_id (key_namespace)
2. Has matching key_provider_info (key_name)
3. Successfully decrypts with this keyring's private key

Returns

• {:ok, materials} - Data key successfully unwrapped and set
• {:error, :no_private_key} - No private key configured
• {:error, :plaintext_data_key_already_set} - Materials already have a key
• {:error, :unable_to_decrypt_data_key} - No matching EDK could be decrypted

Examples

iex> {:ok, priv} = RawRsa.load_private_key_pem(pem)
iex> {:ok, keyring} = RawRsa.new("ns", "key", {:oaep, :sha256}, private_key: priv)
iex> dec_materials = DecryptionMaterials.new_for_decrypt(suite, ec)
iex> {:ok, result} = RawRsa.unwrap_key(keyring, dec_materials, edks)
iex> is_binary(result.plaintext_data_key)
true

@spec wrap_key(t(), AwsEncryptionSdk.Materials.EncryptionMaterials.t()) ::
  {:ok, AwsEncryptionSdk.Materials.EncryptionMaterials.t()} | {:error, term()}

Wraps a data key using this keyring's public key.

If materials don't have a plaintext data key, one will be generated. The wrapped key is added to the materials as an EDK.

Examples

iex> {:ok, pub} = RawRsa.load_public_key_pem(pem)
iex> {:ok, keyring} = RawRsa.new("ns", "key", {:oaep, :sha256}, public_key: pub)
iex> suite = AwsEncryptionSdk.AlgorithmSuite.aes_256_gcm_hkdf_sha512_commit_key()
iex> materials = AwsEncryptionSdk.Materials.EncryptionMaterials.new_for_encrypt(suite, %{})
iex> {:ok, result} = RawRsa.wrap_key(keyring, materials)
iex> length(result.encrypted_data_keys) == 1
true