AmazonS3EncryptionClient cannot decrypt 'AES/GCM/NoPadding' SES messages

[mjdaly]

AmazonS3EncryptionClient cannot decrypt SES messages stored in S3.

Expected Behavior

AmazonS3EncryptionClient decrypts encrypted S3 objects created by SES.

Current Behavior

AmazonS3EncryptionClient throws an exception indicating the decryption method is not supported:

'AES/GCM/NoPadding' for metadata key 'x-amz-cek-alg' is invalid. AmazonS3EncryptionClient only supports 'AES/CBC/PKCS5Padding' as the content encryption algorithm. Although this mode is supported by other AWS SDKs, the .NET SDK does not support it at this time.

Context

We want to use SES for receiving emails. Emails should be encrypted at rest.

[vellozzi]

AES/GCM/NoPadding is available in .NET 3.5 and .NET 4.5, but not .NET Core 1.0.
This has been added to our feature request list.
Note that we won't be able to implement it in the .NET Core 1.0 SDK.

I'm closing the issue, but feel free to comment.

[mcblair]

@vellozzi What about the .NET Core 3.0 SDK? Does dotnet/corefx#31389 allow your teams to implement this? Can the community?

@mjdaly have you solved this?