aws / aws-nitro-enclaves-sdk-c

This repo provides a C API for AWS Nitro Enclaves, including a KMS SDK that integrates it with attestation.
Apache License 2.0

Got Access Denied When Use kmstool_enclave_cli to call decrypt API #93

Closed longzhihun closed 1 year ago

longzhihun commented 1 year ago

The error stack trace:

[INFO] [2022-09-21T08:56:50Z] [00007febc50fe840] [AuthSigning] - (id=0xea1ea0) Signing successfully built canonical request for algorithm SigV4, with contents
POST
/

content-length:6668
content-type:application/x-amz-json-1.1
host:kms.us-east-1.amazonaws.com
x-amz-content-sha256:e0098d8ee155016aa6843037897e2b1ffd5cbe410bef506d05d4cd9eb8995597
x-amz-date:20220921T085650Z
x-amz-security-token:<redacted>
x-amz-target:TrentService.Decrypt

content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-target
e0098d8ee155016aa6843037897e2b1ffd5cbe410bef506d05d4cd9eb8995597

[INFO] [2022-09-21T08:56:50Z] [00007febc50fe840] [AuthSigning] - (id=0xea1ea0) Signing successfully built string-to-sign via algorithm SigV4, with contents
AWS4-HMAC-SHA256
20220921T085650Z
20220921/us-east-1/kms/aws4_request
cba550b0d43eb9d8d7e39dc8048d0ffaaddb6221f9392a6f09137f2780c9506f

[INFO] [2022-09-21T08:56:50Z] [00007febc50fe840] [AuthSigning] - (id=0xea1ea0) Http request successfully built final authorization value via algorithm SigV4, with contents
AWS4-HMAC-SHA256 Credential=ASIA2ND3TZWES3ZWAIMF/20220921/us-east-1/kms/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-target, Signature=f104c19109f0821c51622852e415debb102787446c2eca5db1b52261a89bd911

Got non-200 answer from KMS: 400
Could not decrypt ciphertext
Could not decrypt

the call command:

kmsToolEnvlaveCli,
                    "decrypt",
                    "--region", credential.getRegion(),
                    "--aws-access-key-id", credential.getAccessKeyId(),
                    "--aws-secret-access-key", credential.getSecretAccessKey(),
                    "--aws-session-token", credential.getSessionToken(),
                    "--ciphertext", content

If I remove the PCR condition from the KMS policy, it works fine, but when I add the PCR condition to the KMS policy, I get the error shown above.

BTW: As I understand it, the attestation info is added by kms_enclave_cli by default, am I wrong?

richardfan1126 commented 1 year ago

Are you using debug mode?

Please be reminded that the PCR value is always zeros when using debug mode
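
As an added illustration of this diagnosis (example code, not part of this repository), the check below reads `nitro-cli describe-enclaves` output and a KMS key policy and reports why a Decrypt with a `kms:RecipientAttestation:PCR0` condition would be refused. The `Flags`/`Measurements` field names are assumed to follow nitro-cli's JSON, and the enclave listing, policy ARN and PCR values are constructed samples.

```python
import json

# Constructed sample `nitro-cli describe-enclaves` output for an enclave launched with
# --debug-mode (assumption: field names follow nitro-cli's JSON; values are made up).
# Debug mode reports every PCR as all zeros, which is exactly what KMS then sees.
ZERO_PCR = "0" * 96
DESCRIBE_DEBUG = json.dumps([{
    "EnclaveName": "kmstool", "State": "RUNNING", "Flags": "DEBUG_MODE",
    "Measurements": {"PCR0": ZERO_PCR, "PCR1": ZERO_PCR, "PCR2": ZERO_PCR},
}])

# Constructed KMS key policy with the PCR condition the issue describes. The PCR0
# value and the principal ARN are placeholders, not real measurements or accounts.
EXPECTED_PCR0 = "ab" * 48
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowDecryptFromEnclave", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/EnclaveParentRole"},
    "Action": "kms:Decrypt", "Resource": "*",
    "Condition": {"StringEqualsIgnoreCase": {"kms:RecipientAttestation:PCR0": EXPECTED_PCR0}},
}]})

PREFIX = "kms:RecipientAttestation:"

def required_pcrs(policy_json):
    """Map PCR name -> expected value for every attestation condition in Allow statements."""
    required = {}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for keys in stmt.get("Condition", {}).values():
            for key, value in keys.items():
                if key.startswith(PREFIX):
                    required[key[len(PREFIX):]] = value.lower()
    return required

def explain_denial(describe_json, policy_json):
    """Return reasons a Decrypt from this enclave would fail the policy; [] means it matches."""
    reasons = []
    required = required_pcrs(policy_json)
    for enclave in json.loads(describe_json):
        name = enclave["EnclaveName"]
        if "DEBUG_MODE" in enclave.get("Flags", ""):
            reasons.append(f"{name}: running in debug mode, attestation PCRs are all zeros")
        measured = {k: v.lower() for k, v in enclave.get("Measurements", {}).items()}
        for pcr, wanted in required.items():
            got = measured.get(pcr)
            if got is None:
                reasons.append(f"{name}: policy requires {pcr} but enclave reports none")
            elif set(got) == {"0"}:
                reasons.append(f"{name}: {pcr} is all zeros, cannot satisfy the policy value")
            elif got != wanted:
                reasons.append(f"{name}: {pcr} {got[:8]}... != policy {wanted[:8]}...")
    return reasons
```

Run the same check against an enclave started without `--debug-mode` and with a PCR0 matching the policy, and the reason list is empty.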

longzhihun commented 1 year ago

> Are you using debug mode?
>
> Please be reminded that the PCR value is always zeros when using debug mode

Thanks, you are right, I was just using debug mode, which led to the error, thanks again. BTW, do we have a plan to build the PCR value into the Java SDK? To be honest, it's inconvenient to use the command line to call the KMS API.

alcioa commented 1 year ago

Will close this. @longzhihun please open a new Issue with your requirements so that we can track them easier.