nsmithuk / local-kms

A mock version of AWS' Key Management Service, for local development and testing.
MIT License

Implement asymmetric key seeding for ECC and RSA keys. #26

Closed mjeffrey closed 3 years ago

mjeffrey commented 3 years ago

This is what the seed.yaml looks like:

Keys:
  Symmetric:
    Aes:
      - Metadata:
          KeyId: bc436485-5092-42b8-92a3-0aa8b93536dc
        BackingKeys:
          - 5cdaead27fe7da2de47945d73cd6d79e36494e73802f3cd3869f1d2cb0b5d7a9
  Asymmetric:
    Rsa:
      - Metadata:
          KeyId: ff275b92-0def-4dfc-b0f6-87c96b26c6c7
          KeyUsage: SIGN_VERIFY # or ENCRYPT_DECRYPT
          Description: RSA key with 2048 bits
        PrivateKeyPem: |
          -----BEGIN PRIVATE KEY-----
          MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQD21epc1564DeWZ
          80XYAXTo4tjqJzEQ6VdpkRfKHraJ4WNqS8N5HjfyzmADVOgqqlbm5M+Qq0/ViMd/
          Xqh+OUNhwvEIo6iZuNbWba3/cUV9ZFpmCv9IWvlNojc3zq0C9/fXeSqXwZWut78d
          AuFodRdAnENiHf9aXv4pIyszAxALCSCd/UCYZRw+XUDPG4pSJrwgz2Ohkqr1SnFF
          1aQt6onjt3Rtfn5IUs7BGEXGd6M3HeIlikSLjdoXEuevVaZO0ysiQdiYDYYQ2eFe
          ytXefRuotRqH4dLpL6beUFRbT1MQVtqC2S0K2wWq8T5gTFejxv6E6eVqRC2xu0lj
          TGDxnUC3AgMBAAECggEAU6K73GV69CZRS86wNbaYpGho0z4gU/ick7qD8wphE2r5
          QoUVYK6qimz+/2H/oKVC+M1Cv2Qsks/buP6b3NkOScvB3AmIET4eHV3gfRMmVoxw
          TO8g/KVGn9V9HD29Rao7ohj+I5mGXEMKUIwvUDOMg2nvMwmzAi35tHqkIo7BGtt8
          gBuuHsZj9PM6MYSSZdrHP52T3K15MaHfrLb97UaryyYnhnUmBA12DBE8MseuYA7w
          JwL3os6MwtLxRxgXnBhkk3Ist83nZNiXESXhN3d98NLS8KbX2wcbnd0B+CqRyvnv
          GbE+CfzxPf/zTsexxpS3TlTR80vAYkubmtWIMG128QKBgQD/iQbZx2xhH6VjYWC6
          +kc03povTKTe/MKUySO7poWjJrGbajrkq7RcXdNCglVSXcKY/BvmgsWRqJc+Jh2z
          enFIcGOuO146FEAr3i4hGjtV01/ukgAl6Ko68gdxjyQLqrJ/bg0qQO57KEhRh5Tb
          mR5mIkG2j2Usr4Llc3LGXIH8VQKBgQD3SNaahwum8+8kXaxgmKwfOL64rM5fLQq3
          f0UGzKZkuRSqXJn9EKuE1rNKX4zNUBWJVF+C4bjRGLz1QRS7j2taqU4awLie+5Ak
          M4Ww8lzHd3uKf+ESCd8DU3TzD+dggtuw+OTqVZdJKA5Kfrbg72ZUyzH3p9Oj/zMu
          QWl3d6TU2wKBgQCaMZs6qoWRjcEE2Ou/p+pz0qcDR6JtE+RuV3kCcJdPPbgKae2j
          sqCg49To2zCVBRK5sdc8H0kMfcjVrbZaaNYWugrMRfKz5Shb0DPRsbyAK45FrT/9
          oAmojAdF1PQRPi17i3LSPmApXMNWvxNp91lKk/1HJfwNHNNFlYZ6f7PICQKBgQCq
          q2ryXCJ+p/11a/F8+eJR6ig37YzBw6SR4RUTDEwLWHIa4q6lKsw2crhrrGbRjWRP
          1BvXiVK1fg1sd+6HRQUjHZb6f+jsUVO6qJSs+5ltUdnCTWBZwtZYxVECMQfQZICc
          NCxKT6iKpUq3v50YwiIug8+IzhwUJB5+3kacXcc14QKBgQDpjYvwAPAq1Rru/Ew4
          hzisDSCY5CLE+X/6dvogWhJBmpaZBKDmUGi6AwK9rcwITZmlR/qU+2WqNdhHxa8S
          uSp1A6OmOHQHA3I+J4veI0kPB2Y0Z65CyfCYm9MsNkcyFYx4tRBSOzAdA+xrJCa4
          y5+KYGmXlaoRhFSq1VO8mGoihA==
          -----END PRIVATE KEY-----

    Ecc:
      - Metadata:
          KeyId: 800d5768-3fd7-4edd-a4b8-4c81c3e4c147
          KeyUsage: SIGN_VERIFY
          Description: ECC key with curve secp256r1
        PrivateKeyPem: |
          -----BEGIN EC PRIVATE KEY-----
          MHcCAQEEIMnOrUrXr8rwne7d8f01cfwmpS/w+K7jcyWmmeLDgWKaoAoGCCqGSM49
          AwEHoUQDQgAEYNMBBZ3h1ipuph1iO5k+yLvTs94UN71quXN3f0P/tprs2Fp2FEas
          M7m7XZ2xlDK3wcEAs1QEIoQjjwnhcptQ6A==
          -----END EC PRIVATE KEY-----

Aliases:
  - AliasName: alias/testing
    TargetKeyId: bc436485-5092-42b8-92a3-0aa8b93536dc

Key descriptions

aws kms --endpoint=http://localhost:8080 describe-key --key-id ff275b92-0def-4dfc-b0f6-87c96b26c6c7
{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "ff275b92-0def-4dfc-b0f6-87c96b26c6c7",
        "Arn": "arn:aws:kms:eu-west-2:111122223333:key/ff275b92-0def-4dfc-b0f6-87c96b26c6c7",
        "CreationDate": "2021-01-16T20:35:18+01:00",
        "Enabled": true,
        "Description": "RSA key with 2048 bits",
        "KeyUsage": "SIGN_VERIFY",
        "KeyState": "Enabled",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_2048",
        "SigningAlgorithms": [
            "RSASSA_PSS_SHA_256",
            "RSASSA_PSS_SHA_384",
            "RSASSA_PSS_SHA_512",
            "RSASSA_PKCS1_V1_5_SHA_256",
            "RSASSA_PKCS1_V1_5_SHA_384",
            "RSASSA_PKCS1_V1_5_SHA_512"
        ]
    }
}
aws kms --endpoint=http://localhost:8080 describe-key --key-id 800d5768-3fd7-4edd-a4b8-4c81c3e4c147
{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "800d5768-3fd7-4edd-a4b8-4c81c3e4c147",
        "Arn": "arn:aws:kms:eu-west-2:111122223333:key/800d5768-3fd7-4edd-a4b8-4c81c3e4c147",
        "CreationDate": "2021-01-16T20:35:18+01:00",
        "Enabled": true,
        "Description": "ECC key with curve secp256r1",
        "KeyUsage": "SIGN_VERIFY",
        "KeyState": "Enabled",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "ECC_NIST_P256",
        "SigningAlgorithms": [
            "ECDSA_SHA_256"
        ]
    }
}
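The seed file maps each Asymmetric entry to the CustomerMasterKeySpec and algorithm list that describe-key reports: a 2048-bit PKCS#8 RSA key becomes RSA_2048 with the six RSASSA algorithms, a SEC 1 P-256 key becomes ECC_NIST_P256 with ECDSA_SHA_256. The Go program below is an added example, not code from local-kms or from this pull request: it parses a PrivateKeyPem in either of the two PEM forms used above, applies KMS's rules for which key material and KeyUsage combinations are valid (RSA 2048/3072/4096 only, ECC keys for SIGN_VERIFY only, NIST curves only) and returns what describe-key would show. KeySpecInfo, DescribeSeedKey, SampleRSAPem and SampleECPem are names chosen for this example, and the key material is generated at run time rather than copied from the seed file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// KeySpecInfo holds the describe-key fields derived from a seeded key (an example type, not local-kms's).
type KeySpecInfo struct {
	CustomerMasterKeySpec string
	SigningAlgorithms     []string
	EncryptionAlgorithms  []string
}

var rsaSigning = []string{"RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512",
	"RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512"}

// KMS key spec and ECDSA algorithm for each NIST curve that Go's x509 package parses.
var eccSpecs = map[string][2]string{
	"P-256": {"ECC_NIST_P256", "ECDSA_SHA_256"},
	"P-384": {"ECC_NIST_P384", "ECDSA_SHA_384"},
	"P-521": {"ECC_NIST_P521", "ECDSA_SHA_512"},
}

// DescribeSeedKey parses one Asymmetric entry's PrivateKeyPem, applies KMS's key-spec rules
// and reports what describe-key would show for the entry's KeyUsage.
func DescribeSeedKey(keyUsage, privateKeyPem string) (KeySpecInfo, error) {
	if keyUsage != "SIGN_VERIFY" && keyUsage != "ENCRYPT_DECRYPT" {
		return KeySpecInfo{}, fmt.Errorf("invalid KeyUsage %q", keyUsage)
	}
	block, _ := pem.Decode([]byte(privateKeyPem))
	if block == nil {
		return KeySpecInfo{}, fmt.Errorf("no PEM block in PrivateKeyPem")
	}
	var key interface{}
	var err error
	switch block.Type {
	case "PRIVATE KEY": // PKCS#8, the form of the Rsa entry above (may also wrap an EC key)
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "EC PRIVATE KEY": // SEC 1, the form of the Ecc entry above
		key, err = x509.ParseECPrivateKey(block.Bytes)
	default:
		err = fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	if err != nil {
		return KeySpecInfo{}, err
	}
	switch key := key.(type) {
	case *rsa.PrivateKey:
		bits := key.N.BitLen()
		if bits != 2048 && bits != 3072 && bits != 4096 {
			return KeySpecInfo{}, fmt.Errorf("%d-bit RSA is not a KMS key spec", bits)
		}
		info := KeySpecInfo{CustomerMasterKeySpec: fmt.Sprintf("RSA_%d", bits)}
		if keyUsage == "SIGN_VERIFY" {
			info.SigningAlgorithms = rsaSigning
		} else {
			info.EncryptionAlgorithms = []string{"RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"}
		}
		return info, nil
	case *ecdsa.PrivateKey:
		if keyUsage != "SIGN_VERIFY" { // KMS offers ECC keys for signing only
			return KeySpecInfo{}, fmt.Errorf("ECC keys only support SIGN_VERIFY")
		}
		spec, ok := eccSpecs[key.Curve.Params().Name]
		if !ok {
			return KeySpecInfo{}, fmt.Errorf("curve %s is not a KMS key spec", key.Curve.Params().Name)
		}
		return KeySpecInfo{CustomerMasterKeySpec: spec[0], SigningAlgorithms: []string{spec[1]}}, nil
	}
	return KeySpecInfo{}, fmt.Errorf("unsupported key type %T", key)
}

// SampleRSAPem and SampleECPem generate throwaway (constructed) key material in
// the PEM forms the seed file uses: PKCS#8 for RSA, SEC 1 for EC.
func SampleRSAPem(bits int) string {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a valid *rsa.PrivateKey
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}

func SampleECPem(curve elliptic.Curve) string {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a valid *ecdsa.PrivateKey
	return string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}))
}

func main() {
	// The same two shapes as the seeded keys above: RSA_2048 and ECC_NIST_P256, both SIGN_VERIFY.
	fmt.Println(DescribeSeedKey("SIGN_VERIFY", SampleRSAPem(2048)))
	fmt.Println(DescribeSeedKey("SIGN_VERIFY", SampleECPem(elliptic.P256())))
}
```

Running a check like this over seed.yaml before starting local-kms catches the cases that would otherwise surface only as a confusing describe-key result: an ECC entry marked ENCRYPT_DECRYPT, an RSA key of a size KMS does not offer, or a PEM pasted with the wrong header. The check deliberately reports only what the key material implies; it never prints or logs the private key itself.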
nsmithuk commented 3 years ago

Thanks @mjeffrey. The version with refactored code sounds great, so I'll wait to take a look at that.

If it is merged, do you have an idea when it would be updated in localstack?

As this won't be a backward breaking change, it'll be quite quick. Once merged I'll release a new version, which will start to get picked up by localstack's build process straight away. Beyond that it depends on how you build/acquire localstack.

nsmithuk commented 3 years ago

Closing as I've merged the alternative solution.