I uploaded a customer managed key into AWS KMS, then I used the KMS generate_data_key function to generate a data key. I tried to decrypt the CiphertextBlob using the following code:
    from Crypto.Cipher import AES

    # 'ciphertext' is the CiphertextBlob returned by generate_data_key
    key = AES.new(open('MyCustomeKey.bin', 'rb').read(), AES.MODE_GCM)
    key.decrypt(ciphertext)
But it doesn't work; the reason is that the CiphertextBlob is 96 bytes for some reason and the Plaintext key is 32 bytes. AWS uses AES-GCM to encrypt, but it looks like there is some padding (GCM doesn't have padding), maybe an IV, but it looks like there is no way to receive this IV.
I generate the plaintext key and private key as follows:
    from botocore.exceptions import ClientError

    def generate_key(kms, key_id, key_spec='AES_256'):
        # kms is a boto3 KMS client; key_id is the CMK id or alias
        try:
            response = kms.generate_data_key(KeyId=key_id, KeySpec=key_spec)
        except ClientError as e:
            return None, None
        # CiphertextBlob: data key wrapped under the CMK; Plaintext: the raw 32-byte key
        return response['CiphertextBlob'], response['Plaintext']