Add initial implementation to support AWS KMS.
parent
b0f768a3fb
commit
c32abb76cd
@ -0,0 +1,237 @@
|
||||
package awskms
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto"
|
||||
"net/url"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/smallstep/certificates/kms/uri"
|
||||
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
"github.com/aws/aws-sdk-go/service/kms"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/kms/apiv1"
|
||||
"github.com/smallstep/cli/crypto/pemutil"
|
||||
)
|
||||
|
||||
// KMS implements a KMS using AWS Key Management Service.
|
||||
type KMS struct {
|
||||
session *session.Session
|
||||
service *kms.KMS
|
||||
}
|
||||
|
||||
// customerMasterKeySpecMapping is a mapping between the step signature algorithm,
|
||||
// and bits for RSA keys, with awskms CustomerMasterKeySpec.
|
||||
var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
|
||||
apiv1.UnspecifiedSignAlgorithm: kms.CustomerMasterKeySpecEccNistP256,
|
||||
apiv1.SHA256WithRSA: map[int]string{
|
||||
0: kms.CustomerMasterKeySpecRsa3072,
|
||||
2048: kms.CustomerMasterKeySpecRsa2048,
|
||||
3072: kms.CustomerMasterKeySpecRsa3072,
|
||||
4096: kms.CustomerMasterKeySpecRsa4096,
|
||||
},
|
||||
apiv1.SHA512WithRSA: map[int]string{
|
||||
0: kms.CustomerMasterKeySpecRsa4096,
|
||||
4096: kms.CustomerMasterKeySpecRsa4096,
|
||||
},
|
||||
apiv1.SHA256WithRSAPSS: map[int]string{
|
||||
0: kms.CustomerMasterKeySpecRsa3072,
|
||||
2048: kms.CustomerMasterKeySpecRsa2048,
|
||||
3072: kms.CustomerMasterKeySpecRsa3072,
|
||||
4096: kms.CustomerMasterKeySpecRsa4096,
|
||||
},
|
||||
apiv1.SHA512WithRSAPSS: map[int]string{
|
||||
0: kms.CustomerMasterKeySpecRsa4096,
|
||||
4096: kms.CustomerMasterKeySpecRsa4096,
|
||||
},
|
||||
apiv1.ECDSAWithSHA256: kms.CustomerMasterKeySpecEccNistP256,
|
||||
apiv1.ECDSAWithSHA384: kms.CustomerMasterKeySpecEccNistP384,
|
||||
apiv1.ECDSAWithSHA512: kms.CustomerMasterKeySpecEccNistP521,
|
||||
}
|
||||
|
||||
// New creates a new AWSKMS. By default, sessions will be created using the
|
||||
// credentials in `~/.aws/credentials`, but this can be overridden using the
|
||||
// CredentialsFile option, the Region and Profile can also be configured as
|
||||
// options.
|
||||
//
|
||||
// AWS sessions can also be configured with environment variables, see docs at
|
||||
// https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for all the options.
|
||||
func New(ctx context.Context, opts apiv1.Options) (*KMS, error) {
|
||||
o := session.Options{}
|
||||
if opts.Region != "" {
|
||||
o.Config.Region = &opts.Region
|
||||
}
|
||||
if opts.Profile != "" {
|
||||
o.Profile = opts.Profile
|
||||
}
|
||||
if opts.CredentialsFile != "" {
|
||||
o.SharedConfigFiles = []string{opts.CredentialsFile}
|
||||
}
|
||||
|
||||
sess, err := session.NewSessionWithOptions(o)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "error creating AWS session")
|
||||
}
|
||||
|
||||
return &KMS{
|
||||
session: sess,
|
||||
service: kms.New(sess),
|
||||
}, nil
|
||||
}
|
||||
|
||||
func init() {
|
||||
apiv1.Register(apiv1.AmazonKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
|
||||
return New(ctx, opts)
|
||||
})
|
||||
}
|
||||
|
||||
// GetPublicKey returns a public key from KMS.
|
||||
func (k *KMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
|
||||
if req.Name == "" {
|
||||
return nil, errors.New("getPublicKey 'name' cannot be empty")
|
||||
}
|
||||
keyID, err := parseKeyID(req.Name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
ctx, cancel := defaultContext()
|
||||
defer cancel()
|
||||
|
||||
resp, err := k.service.GetPublicKeyWithContext(ctx, &kms.GetPublicKeyInput{
|
||||
KeyId: &keyID,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "awskms GetPublicKeyWithContext failed")
|
||||
}
|
||||
|
||||
return pemutil.ParseDER(resp.PublicKey)
|
||||
}
|
||||
|
||||
// CreateKey generates a new key in KMS and returns the public key version
|
||||
// of it.
|
||||
func (k *KMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
|
||||
if req.Name == "" {
|
||||
return nil, errors.New("createKeyRequest 'name' cannot be empty")
|
||||
}
|
||||
|
||||
keySpec, err := getCustomerMasterKeySpecMapping(req.SignatureAlgorithm, req.Bits)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tag := new(kms.Tag)
|
||||
tag.SetTagKey("name")
|
||||
tag.SetTagValue(req.Name)
|
||||
|
||||
input := &kms.CreateKeyInput{
|
||||
Description: &req.Name,
|
||||
CustomerMasterKeySpec: &keySpec,
|
||||
Tags: []*kms.Tag{tag},
|
||||
}
|
||||
input.SetKeyUsage(kms.KeyUsageTypeSignVerify)
|
||||
|
||||
ctx, cancel := defaultContext()
|
||||
defer cancel()
|
||||
|
||||
resp, err := k.service.CreateKeyWithContext(ctx, input)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "awskms CreateKeyWithContext failed")
|
||||
}
|
||||
if err := k.createKeyAlias(*resp.KeyMetadata.KeyId, req.Name); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Create uri for key
|
||||
name := uri.New("awskms", url.Values{
|
||||
"key-id": []string{*resp.KeyMetadata.KeyId},
|
||||
}).String()
|
||||
|
||||
publicKey, err := k.GetPublicKey(&apiv1.GetPublicKeyRequest{
|
||||
Name: name,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Names uses Amazon Resource Name
|
||||
// https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
|
||||
return &apiv1.CreateKeyResponse{
|
||||
Name: name,
|
||||
PublicKey: publicKey,
|
||||
CreateSignerRequest: apiv1.CreateSignerRequest{
|
||||
SigningKey: name,
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (k *KMS) createKeyAlias(keyID, alias string) error {
|
||||
alias = "alias/" + alias + "-" + keyID[:8]
|
||||
|
||||
ctx, cancel := defaultContext()
|
||||
defer cancel()
|
||||
|
||||
_, err := k.service.CreateAliasWithContext(ctx, &kms.CreateAliasInput{
|
||||
AliasName: &alias,
|
||||
TargetKeyId: &keyID,
|
||||
})
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "awskms CreateAliasWithContext failed")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CreateSigner creates a new crypto.Signer with a previously configured key.
|
||||
func (k *KMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error) {
|
||||
if req.SigningKey == "" {
|
||||
return nil, errors.New("createSigner 'signingKey' cannot be empty")
|
||||
}
|
||||
return NewSigner(k.service, req.SigningKey)
|
||||
}
|
||||
|
||||
// Close closes the connection of the KMS client.
|
||||
func (k *KMS) Close() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func defaultContext() (context.Context, context.CancelFunc) {
|
||||
return context.WithTimeout(context.Background(), 15*time.Second)
|
||||
}
|
||||
|
||||
// parseKeyID extracts the key-id from an uri.
|
||||
func parseKeyID(name string) (string, error) {
|
||||
name = strings.ToLower(name)
|
||||
if strings.HasPrefix(name, "awskms:") || strings.HasPrefix(name, "aws:") {
|
||||
u, err := uri.Parse(name)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if k := u.Get("key-id"); k != "" {
|
||||
return k, nil
|
||||
}
|
||||
return "", errors.Errorf("failed to get key-id from %s", name)
|
||||
}
|
||||
return name, nil
|
||||
}
|
||||
|
||||
func getCustomerMasterKeySpecMapping(alg apiv1.SignatureAlgorithm, bits int) (string, error) {
|
||||
v, ok := customerMasterKeySpecMapping[alg]
|
||||
if !ok {
|
||||
return "", errors.Errorf("awskms does not support signature algorithm '%s'", alg)
|
||||
}
|
||||
|
||||
switch v := v.(type) {
|
||||
case string:
|
||||
return v, nil
|
||||
case map[int]string:
|
||||
s, ok := v[bits]
|
||||
if !ok {
|
||||
return "", errors.Errorf("awskms does not support signature algorithm '%s' with '%d' bits", alg, bits)
|
||||
}
|
||||
return s, nil
|
||||
default:
|
||||
return "", errors.Errorf("unexpected error: this should not happen")
|
||||
}
|
||||
}
|
@ -0,0 +1,121 @@
|
||||
package awskms
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/ecdsa"
|
||||
"crypto/rsa"
|
||||
"io"
|
||||
|
||||
"github.com/aws/aws-sdk-go/service/kms"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/cli/crypto/pemutil"
|
||||
)
|
||||
|
||||
type Signer struct {
|
||||
service *kms.KMS
|
||||
keyID string
|
||||
publicKey crypto.PublicKey
|
||||
}
|
||||
|
||||
// NewSigner creates a new signer using a key in the AWS KMS.
|
||||
func NewSigner(svc *kms.KMS, signingKey string) (*Signer, error) {
|
||||
keyID, err := parseKeyID(signingKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Make sure that the key exists.
|
||||
signer := &Signer{
|
||||
service: svc,
|
||||
keyID: keyID,
|
||||
}
|
||||
if err := signer.preloadKey(keyID); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return signer, nil
|
||||
}
|
||||
|
||||
func (s *Signer) preloadKey(keyID string) error {
|
||||
ctx, cancel := defaultContext()
|
||||
defer cancel()
|
||||
|
||||
resp, err := s.service.GetPublicKeyWithContext(ctx, &kms.GetPublicKeyInput{
|
||||
KeyId: &keyID,
|
||||
})
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "awskms GetPublicKeyWithContext failed")
|
||||
}
|
||||
|
||||
s.publicKey, err = pemutil.ParseDER(resp.PublicKey)
|
||||
return err
|
||||
}
|
||||
|
||||
// Public returns the public key of this signer or an error.
|
||||
func (s *Signer) Public() crypto.PublicKey {
|
||||
return s.publicKey
|
||||
}
|
||||
|
||||
// Sign signs digest with the private key stored in the AWS KMS.
|
||||
func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
|
||||
alg, err := getSigningAlgorithm(s.Public(), opts)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
req := &kms.SignInput{
|
||||
KeyId: &s.keyID,
|
||||
SigningAlgorithm: &alg,
|
||||
Message: digest,
|
||||
}
|
||||
req.SetMessageType("DIGEST")
|
||||
|
||||
ctx, cancel := defaultContext()
|
||||
defer cancel()
|
||||
|
||||
resp, err := s.service.SignWithContext(ctx, req)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "awsKMS SignWithContext failed")
|
||||
}
|
||||
|
||||
return resp.Signature, nil
|
||||
}
|
||||
|
||||
func getSigningAlgorithm(key crypto.PublicKey, opts crypto.SignerOpts) (string, error) {
|
||||
switch key.(type) {
|
||||
case *rsa.PublicKey:
|
||||
_, isPSS := opts.(*rsa.PSSOptions)
|
||||
switch h := opts.HashFunc(); h {
|
||||
case crypto.SHA256:
|
||||
if isPSS {
|
||||
return "RSASSA_PSS_SHA_256", nil
|
||||
}
|
||||
return "RSASSA_PKCS1_V1_5_SHA_256", nil
|
||||
case crypto.SHA384:
|
||||
if isPSS {
|
||||
return "RSASSA_PSS_SHA_384", nil
|
||||
}
|
||||
return "RSASSA_PKCS1_V1_5_SHA_384", nil
|
||||
case crypto.SHA512:
|
||||
if isPSS {
|
||||
return "RSASSA_PSS_SHA_512", nil
|
||||
}
|
||||
return "RSASSA_PKCS1_V1_5_SHA_512", nil
|
||||
default:
|
||||
return "", errors.Errorf("unsupported hash function %v", h)
|
||||
}
|
||||
case *ecdsa.PublicKey:
|
||||
switch h := opts.HashFunc(); h {
|
||||
case crypto.SHA256:
|
||||
return "ECDSA_SHA_256", nil
|
||||
case crypto.SHA384:
|
||||
return "ECDSA_SHA_384", nil
|
||||
case crypto.SHA512:
|
||||
return "ECDSA_SHA_512", nil
|
||||
default:
|
||||
return "", errors.Errorf("unsupported hash function %v", h)
|
||||
}
|
||||
default:
|
||||
return "", errors.Errorf("unsupported key type %T", key)
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue