in-toto / in-toto-golang

A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.
https://in-toto.io/

Request to support signing using AWS KMS keys #334

Open semmet95 opened 4 weeks ago

semmet95 commented 4 weeks ago

Hi,

I'm currently using in-toto-golang to generate an attested DSSE envelope, signing it with a locally generated key. I'd like to sign the envelope using a key stored in AWS KMS. From what I could figure out, this would probably require using the AWS SDK, the KMS client to be more specific. I'm not completely sure how to add this feature; if someone can guide me I'll be happy to contribute.

If anyone knows a workaround on how I can use KMS keys with in-toto-golang I'd love to know that too.

lukpueh commented 4 weeks ago

FYI: The crypto interface used by the Python in-toto implementation provides an AWSSigner: https://github.com/secure-systems-lab/securesystemslib/blob/main/securesystemslib/signer/_aws_signer.py

Maybe this could be ported to go. Here are some additional infos about the Signer API: https://python-securesystemslib.readthedocs.io/en/latest/signer.html

adityasaky commented 3 weeks ago

I also want to loop in @jkjell here. I think in-toto/witness has support for signing using AWS KMS, and I wonder if using that is an option for you @semmet95? We're working behind the scenes to consolidate in-toto-golang's functionality into witness going forward.

semmet95 commented 3 weeks ago

@lukpueh hmm, so does that mean writing different implementations of signing the payload, and storing a field, signer, in the Envelope struct, and initialising it based on whatever type of signer you want to use?

semmet95 commented 3 weeks ago

@adityasaky yes I was also wondering if witness AWS KMS support would be added to in-toto-golang. One question I have about witness KMS signing is if it would generate the same envelope as in-toto-golang currently does.

lukpueh commented 3 weeks ago

> @lukpueh hmm, so does that mean writing different implementations of signing the payload,

Yes.

> and storing a field, signer, in the Envelope struct, and initialising it based on whatever type of signer you want to use?

No.

I haven't looked at the dsse implementation in in-toto-golang in detail, but the following design worked well for us on the Python side:

IIRC go-securesystemslib has a similar design.
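To make the "pluggable signer, not a field on the envelope" point concrete, here is an added illustration in Go. It is not lukpueh's referenced Python design, nor code from in-toto-golang, go-securesystemslib or witness: the `SignerVerifier` interface, the `Ed25519Signer` local-key implementation, the hex-SHA-256 key ID scheme and the sample payload are all constructed for this example. The envelope code depends only on the interface, so a KMS-backed implementation (one whose `Sign` delegates to the KMS client, not shown) would plug in the same way as the local key. The `PAE` function follows the DSSE pre-authentication encoding, and `VerifyEnvelope` recomputes it from the received payload so a tampered body or an unknown key ID is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
)

// SignerVerifier is the pluggable backend (constructed for this example). Envelope
// code depends only on it, so a local key today and a KMS-backed implementation
// later can be swapped without touching Envelope or the signing routine.
type SignerVerifier interface {
	KeyID() string
	Sign(data []byte) ([]byte, error)
	Verify(data, sig []byte) error
}

// Ed25519Signer is a local-key implementation used for illustration.
type Ed25519Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewEd25519Signer() (*Ed25519Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Ed25519Signer{priv: priv, pub: pub}, nil
}

// KeyID is the hex SHA-256 of the raw public key (a constructed scheme).
func (s *Ed25519Signer) KeyID() string {
	sum := sha256.Sum256(s.pub)
	return fmt.Sprintf("%x", sum[:])
}

func (s *Ed25519Signer) Sign(data []byte) ([]byte, error) { return ed25519.Sign(s.priv, data), nil }

func (s *Ed25519Signer) Verify(data, sig []byte) error {
	if !ed25519.Verify(s.pub, data, sig) {
		return fmt.Errorf("bad signature for key %s", s.KeyID())
	}
	return nil
}

// Signature and Envelope follow the DSSE JSON layout.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// PAE is the DSSE pre-authentication encoding:
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, lengths in decimal ASCII.
func PAE(payloadType string, payload []byte) []byte {
	head := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(head), payload...)
}

// SignEnvelope signs the PAE of the payload with any SignerVerifier and records
// the signer's key ID next to the signature so verifiers can select the right key.
func SignEnvelope(s SignerVerifier, payloadType string, payload []byte) (*Envelope, error) {
	sig, err := s.Sign(PAE(payloadType, payload))
	if err != nil {
		return nil, err
	}
	return &Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: s.KeyID(), Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// VerifyEnvelope recomputes the PAE from the received payload and checks the
// signature whose keyid matches v; no matching keyid is a failure, not a pass.
func VerifyEnvelope(env *Envelope, v SignerVerifier) error {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		if s.KeyID != v.KeyID() {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return err
		}
		return v.Verify(pae, raw)
	}
	return fmt.Errorf("no signature for key %s", v.KeyID())
}
```

Calling `SignEnvelope(signer, "application/vnd.in-toto+json", payload)` with any value that satisfies `SignerVerifier` produces the envelope; the signer is chosen by the caller at that point rather than stored on the struct, which is what keeps the envelope type independent of where the key lives.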

jkjell commented 3 weeks ago

Hey @semmet95! 👋 With respect to your question:

> One question I have about witness KMS signing is if it would generate the same envelope as in-toto-golang currently does.

witness has a link attestor option that can output a standard DSSE. I don't think we've done an exact comparison between the generated attestations of each but, if there are differences, we can probably resolve them pretty quickly in Witness.

semmet95 commented 2 weeks ago

Hi @jkjell I'm concerned about the attestation format because my use case also involves ingesting these envelopes using GUAC. I'll check and get back to you about this.

semmet95 commented 2 weeks ago

Hi @adityasaky I'm wondering if you guys have any timeline regarding consolidating in-toto-golang's functionality into witness 🤔 Also, this means we can completely replace in-toto-golang with witness right?

pxp928 commented 2 weeks ago

> Hi @jkjell I'm concerned about the attestation format because my use case also involves ingesting these envelopes using GUAC. I'll check and get back to you about this.

Hey @semmet95, we can make updates on the GUAC side if things are out of sync (if needed).