nsmithuk / local-kms

A mock version of AWS' Key Management Service, for local development and testing.
MIT License

importing secp256k1 #36

Open InoMurko opened 2 years ago

InoMurko commented 2 years ago

seed.yml

```yaml
Keys:
  Asymmetric:
    Ecc:
      - Metadata:
          KeyId: 73a7f626-67eb-4b4c-aaaf-ac91b6aea43b
          KeyUsage: SIGN_VERIFY
          Description: ECC key with curve secp256k1
        PrivateKeyPem: |
          -----BEGIN EC PRIVATE KEY-----
          MHQCAQEEINMXSNwP0WbqumEgo0m3HPwB66aneeUIxVqj3uvOERU8oAcGBSuBBAAK
          oUQDQgAEt49ajeJo+cBu2nI8Gi2mxm0LRguz/MpvkTKw+YVffDbhkGMDmKpjRoOQ
          W8zBgVIFtF+ty+zoPfPesdhybjYK2A==
          -----END EC PRIVATE KEY-----
```
```
docker-compose up kms
Starting ops_kms_1 ... done
Attaching to ops_kms_1
kms_1                        | 2022/03/30 12:23:09 build started
kms_1                        | Building ....
kms_1                        | go build: -i flag is deprecated
kms_1                        | 2022/03/30 12:23:09 build completed
kms_1                        | Running ...
kms_1                        | INFO[2022-03-30 12:23:09.719] Local KMS Version Unknown (Commit Hash Unknown)
kms_1                        | WARN[2022-03-30 12:23:09.728] Error parsing YAML at path /init/seed.yaml: Error unmarshaling YAML: Unable to decode pem of key 73a7f626-67eb-4b4c-aaaf-ac91b6aea43b, Ensure it is in PKCS8 format with no password: x509: unknown elliptic curve.
kms_1                        | ; attempting to parse legacy format.
kms_1                        | ERRO[2022-03-30 12:23:09.728] Error parsing YAML at path /init/seed.yaml: yaml: unmarshal errors:
kms_1                        |   line 3: cannot unmarshal !!map into []cmk.AesKey; skipping.
kms_1                        | INFO[2022-03-30 12:23:09.728] Data will be stored in /data
kms_1                        | INFO[2022-03-30 12:23:09.728] Local KMS started on 0.0.0.0:8080
```

```yaml
  kms:
    image: local-kms_kms:latest
    volumes:
      - type: bind
        source: ./seed.yaml
        target: /init/seed.yaml
    ports:
      - 8080:8080
```

keys generated with:

```bash
function ecckey(){
  local curve=$1
  if ! [[ "$curve" =~ ^(secp256r1|secp384r1|secp521r1|secp256k1)$ ]]; then
    echo "Curve must be one of: secp256r1 secp384r1 secp521r1 secp256k1" >&2
    return 1
  fi
  local keyId
  keyId=$(uuidgen | tr '[:upper:]' '[:lower:]')

  # openssl ecparam emits a SEC1 "EC PRIVATE KEY" block; indent it to sit under PrivateKeyPem
  echo "
Keys:
  Asymmetric:
    Ecc:
      - Metadata:
          KeyId: ${keyId}
          KeyUsage: SIGN_VERIFY
          Description: ECC key with curve ${curve}
        PrivateKeyPem: |
$(openssl ecparam -name "${curve}" -genkey -noout | sed 's/^/          /')
"
}
```

The claim is that secp256k1 is supported: https://github.com/nsmithuk/local-kms/blob/1cd79814ca22aec2b54eca17968ef1ab039a9e8d/src/x509/README.md
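An added diagnostic for the failure in the log above (example code, not part of local-kms or of this issue): Go's `crypto/x509` only implements the NIST curves, so it answers `x509: unknown elliptic curve` for a secp256k1 key even though the PEM itself is well formed. The program reads the curve OID straight out of the SEC1 `EC PRIVATE KEY` structure that `openssl ecparam -genkey` produces, so a seed file can be screened for curves the stdlib cannot load; it reuses the test key from the seed.yaml above and does not inspect PKCS#8 containers.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// IssuePEM is the secp256k1 key from the seed.yaml posted above (a throwaway test key).
const IssuePEM = `-----BEGIN EC PRIVATE KEY-----
MHQCAQEEINMXSNwP0WbqumEgo0m3HPwB66aneeUIxVqj3uvOERU8oAcGBSuBBAAK
oUQDQgAEt49ajeJo+cBu2nI8Gi2mxm0LRguz/MpvkTKw+YVffDbhkGMDmKpjRoOQ
W8zBgVIFtF+ty+zoPfPesdhybjYK2A==
-----END EC PRIVATE KEY-----`

// sec1Key mirrors the RFC 5915 ECPrivateKey structure carried by "EC PRIVATE KEY" blocks
// (what `openssl ecparam -genkey` in the seed script emits: SEC1, not PKCS#8).
type sec1Key struct {
	Version       int
	PrivateKey    []byte
	NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`
	PublicKey     asn1.BitString        `asn1:"optional,explicit,tag:1"`
}

// curveNames maps the named-curve OIDs of the four curves the seed script accepts.
var curveNames = map[string]string{
	"1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.34": "secp384r1",
	"1.3.132.0.35": "secp521r1", "1.3.132.0.10": "secp256k1",
}

// CurveOfSEC1PEM reads the curve OID out of a SEC1 PEM without needing the curve implemented.
func CurveOfSEC1PEM(pemText string) (string, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "EC PRIVATE KEY" {
		return "", fmt.Errorf("expected an EC PRIVATE KEY PEM block")
	}
	var k sec1Key
	if _, err := asn1.Unmarshal(block.Bytes, &k); err != nil {
		return "", err
	}
	if name, ok := curveNames[k.NamedCurveOID.String()]; ok {
		return name, nil
	}
	return "", fmt.Errorf("unrecognised curve OID %s", k.NamedCurveOID)
}

// StdlibParses reports whether crypto/x509 accepts the key; local-kms's
// "x509: unknown elliptic curve" comes from these same parsers.
func StdlibParses(pemText string) bool {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil { return false }
	if _, err := x509.ParseECPrivateKey(block.Bytes); err == nil { return true }
	_, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	return err == nil
}

func main() {
	curve, err := CurveOfSEC1PEM(IssuePEM)
	fmt.Println("curve:", curve, "err:", err, "stdlib parses:", StdlibParses(IssuePEM)) // secp256k1 <nil> false
}
```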