Closed (craigfe closed this issue 7 months ago)
Hi,
Thanks for opening this issue.
Your proposed solution talks about adding certain fields to the service model, and that is owned by the service team, not the SDKs. I see there was an internal ticket created for this by your TAM (ref D54200427).
Will let you know when I hear back from the service team.
Thanks, Ran
Hi @craigfe - thank you for reporting this issue.
I checked in with the service team, but they currently don't have a timeline for it. Since the service team is aware of this now and the SDK doesn't have control over it, please follow up with your TAM or check the changelog for further updates. We'll be closing the issue.
Feel free to reach out again!
This issue is now closed.
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Describe the feature
Several KMS operations support an optional `Recipient` parameter intended for use by applications running in AWS Nitro Enclaves. Iff this flag is passed, a successful response will also contain a `CiphertextForRecipient` field containing an encrypted form of the data that would otherwise have been in the `Plaintext` response field (and the `Plaintext` field is null).

These request/response fields are not yet supported by this SDK, although they are used by the C KMS SDK included in aws-nitro-enclaves-sdk-c. It would be useful to have support for them directly in Go to avoid needing an extra C dependency when running Go binaries inside Nitro enclaves.

Use Case
We have a Go application that runs in a Nitro enclave and needs to be able to present its attestation document to KMS, but cannot depend on an external C library. To support this use-case, we're currently running an internal fork of `aws-sdk-go-v2/service/kms` that adds support for the necessary request & response parameters.

Proposed Solution
The implementation might look like:
- Adding a `Recipient` field to the `DecryptInput`, `GenerateDataKeyInput` and `GenerateRandomInput` structs;
- Adding a `CiphertextForRecipient` field to the `DecryptOutput`, `GenerateDataKeyOutput` and `GenerateRandomOutput` structs.

Other Information
The `CiphertextForRecipient` field isn't an immediate ciphertext blob but is a BER-encoded object with some internal structure. The C SDK provides some extra utilities for parsing this format; it's not clear to me if the Go SDK would want to do the same or leave it up to the user. (Our internal fork does the latter for the moment to keep things simple.)

Acknowledgements

AWS Go SDK V2 Module Versions Used

Go version used
1.18.4
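The issue body above describes `CiphertextForRecipient` as a BER-encoded object with internal structure. The following is an added example, not code from the issue, the reporter's fork or the AWS SDK: a minimal Go walker for BER elements that handles the indefinite-length form and long-form lengths, which is the part a DER-only parser trips over. `SampleBlob` is a constructed toy input, not a real `CiphertextForRecipient`, and the field's actual inner layout is not modelled here.

```go
package main
import "errors"

type Node struct {
	Tag      byte   // raw identifier octet: class in bits 8-7, constructed flag in bit 6, number in bits 5-1
	Value    []byte // contents of a primitive element
	Children []Node // decoded contents of a constructed element
}

// SampleBlob is constructed for this example, not a real CiphertextForRecipient: an indefinite-length SEQUENCE holding INTEGER 1, a constructed [0] wrapping OCTET STRING ff, and OCTET STRING "hi".
var SampleBlob = []byte{0x30, 0x80, 0x02, 0x01, 0x01, 0xA0, 0x80, 0x04, 0x01, 0xFF, 0x00, 0x00, 0x04, 0x02, 'h', 'i', 0x00, 0x00}

// ParseBER decodes the element at data[0] (short, long and indefinite length forms; high-tag-number form is rejected) and returns the bytes consumed, so callers can reject trailing data.
func ParseBER(data []byte) (Node, int, error) {
	if len(data) < 2 || data[0]&0x1f == 0x1f {
		return Node{}, 0, errors.New("truncated element or unsupported tag form")
	}
	n, pos, length := Node{Tag: data[0]}, 2, int(data[1])
	indefinite := length == 0x80 // 0x80 alone is BER's indefinite form, which DER forbids
	if nb := length & 0x7f; indefinite { // contents run until an end-of-contents marker (00 00)
		length = len(data) - pos
	} else if length > 0x80 && (nb > 4 || pos+nb > len(data)) {
		return Node{}, 0, errors.New("bad long-form length")
	} else if length > 0x80 { // long form: the low 7 bits count the big-endian length bytes that follow
		for length = 0; nb > 0; nb-- {
			length, pos = length<<8|int(data[pos]), pos+1
		}
	}
	end := pos + length
	if end < pos || end > len(data) || (indefinite && n.Tag&0x20 == 0) {
		return Node{}, 0, errors.New("length exceeds input or indefinite-length primitive")
	}
	if n.Tag&0x20 == 0 { // bit 6 clear: a primitive element, whose contents are the value itself
		n.Value = data[pos:end]
	}
	for n.Tag&0x20 != 0 && pos < end { // constructed: decode children until the bytes run out or 00 00 appears
		if indefinite && pos+1 < end && data[pos] == 0 && data[pos+1] == 0 {
			return n, pos + 2, nil
		}
		child, used, err := ParseBER(data[pos:end])
		if err != nil {
			return Node{}, 0, err
		}
		n.Children, pos = append(n.Children, child), pos+used
	}
	if indefinite { // the loop ran out of bytes without seeing the end-of-contents marker
		return Node{}, 0, errors.New("missing end-of-contents marker")
	}
	return n, end, nil
}
```

Go's encoding/asn1 is DER-only and returns a StructuralError on an indefinite length, which is why a BER field needs its own walker (or a dedicated library) before any of its inner fields can be inspected.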