Open naftulikay opened 5 years ago
This is all the time I'm willing to invest in this for now. The purpose of this appears to be to allow instances to verify cryptographically that they are indeed in AWS using AWS' public cert, the given document, and the PKCS-7 signature.
1 has dealt with almost every edge-case that I can find, outside of the instance identity stuff, which is largely cryptographic data signing a given document. There are a few keys in /${api_version}/dynamic/instance-identity/*:
- document: a JSON dictionary describing facts about the instance.
- rsa2048: an undocumented item which appears to be an RSA signature of document, which does embed the document data within itself.
- pkcs7: a PKCS#7 signature which embeds document within itself.
- signature: an unknown format of a signature over document without document embedded within it.
The most ideal thing to do would be to generate a valid set of signatures for our emended document such that, provided that clients use our cert, clients could successfully validate our data identically to the way that it normally works on EC2.
Unfortunately, this doesn't seem to be possible so I'm filing my findings here.
Next we will inspect the files and try to understand what's going on therein.
document
The actual document looks like this:
Pretty standard instance metadata, including region, which isn't exposed elsewhere.
rsa2048
I am zero-indexing bytes.
Header
Bytes 0-53 (inclusive) appear to be a binary header of some format.
Python byte encoded:
Hex encoding:
This does not appear to be any ASCII data.
Document
After the header is the document in ASCII, in my case bytes 54 through 531 inclusive.
Footer
After the document, the footer begins at byte 532 and continues to the end of the document at byte 827.
Python byte encoded:
Hex encoding:
Hexedit's attempt to deserialize:
Notable are the strings "Amazon Web Services LLC", "Seattle", "Washington State", etc. This is probably DER encoded data, though I don't know that only a handful of bytes (296 bytes). I assume this is the signature portion with parts of the public key embedded.
pkcs7
Similar to rsa2048 above, this is composed of a header, body, and footer. The header is 54 bytes of binary data, the body is document, and the footer is 296 bytes long and includes some similar certificate-esque metadata.
signature
This file is 128 bytes long and appears to be a constant-size signature with no non-binary data.
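An added example, not part of the original issue: a minimal BER/DER walker that splits a blob into the header, document and footer described above, assuming the blob is PKCS#7 SignedData as the post suspects. The function names, the sample document and the placeholder signer bytes are constructed for illustration.

```python
import json

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
SAMPLE_DOC = json.dumps({"region": "us-east-1", "instanceId": "i-00000000000000000"}).encode()  # constructed

def primitives(buf):
    """Yield (tag, value_offset, value_length) per primitive TLV; single-byte tags only."""
    pos = 0
    while pos + 2 <= len(buf):
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        length = first
        if first > 0x80:                       # long form: next n bytes hold the length
            n = first & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if tag & 0x20 or first == 0x80:        # constructed or indefinite (BER): descend
            continue
        if pos + length > len(buf):
            raise ValueError("element runs past the end of the blob")
        yield tag, pos, length
        pos += length

def split_blob(blob):
    """Return (header, document, footer) around the first OCTET STRING that parses as JSON."""
    for tag, off, length in primitives(blob):
        if tag == 0x04:
            try:
                json.loads(blob[off:off + length])
            except ValueError:
                continue
            return blob[:off], blob[off:off + length], blob[off + length:]
    raise ValueError("no embedded JSON document found")

def tlv(tag, body, indefinite=False):  # sample-building helper
    if indefinite:
        return bytes([tag, 0x80]) + body + b"\x00\x00"
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_sample(doc, indefinite=False):  # constructed blob; signer field is placeholder bytes
    w = lambda tag, body: tlv(tag, body, indefinite)
    content = w(0x30, tlv(0x06, OID_DATA) + w(0xA0, tlv(0x04, doc)))
    signed = w(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + content + tlv(0x31, tlv(0x04, b"\x00" * 128)))
    return w(0x30, tlv(0x06, OID_SIGNED_DATA) + w(0xA0, signed))
```

The header returned here is the nested SEQUENCE, OID and length bytes that wrap the document, and the footer is everything after it, which in a real blob would carry the certificate and signer fields.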