aws / aws-nitro-enclaves-cli

Tooling for Nitro Enclave Management
Apache License 2.0

vssock-proxy fails with Certificate is untrusted (Error encountered in /tmp/crt-builder/s2n-tls/tls/s2n_x509_validator.c:228 when using a vpc endpoint #610

Closed frankwese closed 2 months ago

frankwese commented 2 months ago

My parent host is in an isolated subnet, so I created a VPC endpoint. From the parent host it is working, but when the enclave tries to decrypt using kmstool_enclave_cli decrypt ... it fails with the error message "Certificate is untrusted (Error encountered in /tmp/crt-builder/s2n-tls/tls/s2n_x509_validator.c:228 when using a vpc endpoint"

domeger commented 2 months ago

@frankwese A few things to have you check,

Example: aws ec2 describe-vpc-endpoints --query "VpcEndpoints[?ServiceName=='com.amazonaws.[region].kms']" --output table

Example: aws ec2 describe-vpc-endpoints --vpc-endpoint-ids [endpoint-id]

frankwese commented 2 months ago

Just to clarify: the host instance currently runs in an isolated subnet. After setting up a socat pipe

on the host instance: socat vsock-listen:8000,reuseaddr,fork tcp-connect:kms.eu-central-1.amazonaws.com:443 &

and in the enclave:

echo "127.0.0.1   local.kms.eu-central-1.vpce.amazonaws.com" >> /etc/hosts
socat tcp-listen:1443,reuseaddr,fork vsock-connect:2:8000 &

I am able to do: aws kms decrypt --ciphertext-blob "${encrypted_pwd}" --endpoint-url "https://local.kms.eu-central-1.vpce.amazonaws.com:1443" --query Plaintext --output text | base64 -d

I want to use the kmstool_enclave_cli because it includes the attestation document into the request
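The host-side half of the socat pipe above, written as a minimal vsock-to-TCP relay in Python. This is an added example, not code from the repository or from anyone in this thread; the listen port, region and function names are assumptions. The relay only copies bytes, so the TLS session still terminates inside the enclave and the parent instance never sees KMS plaintext.

```python
import socket
import threading
from typing import Optional, Tuple

# Constructed defaults mirroring the socat command in the thread (assumptions).
VSOCK_LISTEN_PORT = 8000   # vsock port the enclave connects to
KMS_TLS_PORT = 443         # KMS speaks TLS on 443


def kms_endpoint(region: str, vpce_dns: Optional[str] = None) -> Tuple[str, int]:
    """Return the (host, port) the relay forwards to.

    Without a VPC endpoint DNS name this is the public KMS name for the
    region; with one, it is that endpoint name (assumed resolvable in the VPC).
    """
    if not region:
        raise ValueError("region is required")
    host = vpce_dns or f"kms.{region}.amazonaws.com"
    return host, KMS_TLS_PORT


def _pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy bytes one way until EOF. The relay never parses them: they are
    TLS records, so the parent cannot read or alter the KMS exchange."""
    total = 0
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
            total += len(chunk)
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
    return total


def serve(region: str, vsock_port: int = VSOCK_LISTEN_PORT) -> None:
    """Accept enclave connections on the vsock port and relay each to KMS."""
    host, port = kms_endpoint(region)
    listener = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    listener.bind((socket.VMADDR_CID_ANY, vsock_port))
    listener.listen()
    while True:
        enclave_side, _ = listener.accept()
        upstream = socket.create_connection((host, port))
        threading.Thread(target=_pump, args=(enclave_side, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, enclave_side), daemon=True).start()


if __name__ == "__main__":
    serve("eu-central-1")
```

The enclave side is unchanged: it still needs the /etc/hosts entry and a vsock-connect to CID 2 on the same port, and the name it dials must be one the KMS certificate is valid for.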

domeger commented 2 months ago

@frankwese we actually can do this natively with our SDK, so if you're interested in trying our platform with Nitro, it might be your easy button.

https://github.com/anjuna-security/go-nitro-attestation

frankwese commented 2 months ago

Thanks for the link @domeger. Actually it turned out that one has to provide the --region parameter with kmstool.