nsmithuk / local-kms

A mock version of AWS' Key Management Service, for local development and testing.
MIT License

Key Alias+ARN 'Not Found' for Sign #40

Closed gerryfletch closed 2 years ago

gerryfletch commented 2 years ago

Hello,

I'm creating an RSA key pair and associating an alias:

#!/bin/bash
echo "Installing JQ"
apt-get update && apt-get -y install jq

echo "Creating Asymmetric Keys in KMS"
KEY_ID=$(awslocal kms create-key \
  --description "Used to sign and verify JWTs." \
  --key-usage "SIGN_VERIFY" \
  --key-spec "RSA_2048" \
  --origin "AWS_KMS" \
  --tags "TagKey=ServiceName,TagValue=s-auth" \
  --no-multi-region \
  | jq -r '.KeyMetadata.KeyId')

# Create Alias
echo "Creating and Associating Alias 'jwt-sign' to key ${KEY_ID}"
awslocal kms create-alias \
  --alias-name "alias/jwt-sign" \
  --target-key-id $KEY_ID

I'm finding that functions like encrypt and decrypt can successfully use the alias:

awslocal kms encrypt --plaintext=test --key-id=alias/jwt-sign --output json
{
    "CiphertextBlob": "OGRjZGQzMmQtYWQ3Yi00ZjY4LTk4NjUtZTEyNTkxOTFlZThmTvH4FB8gss72/B1fc5iHihqDosir9CyocxwPj7rvCck=",
    "KeyId": "arn:aws:kms:eu-west-1:000000000000:key/8dcdd32d-ad7b-4f68-9865-e1259191ee8f"
}

However, using the alias or arn for the sign operation fails, and only works if I use the Key ID directly:

# failure using alias
awslocal kms sign --key-id=alias/jwt-sign --signing-algorithm=RSASSA_PSS_SHA_256 --message eyJoZWxsbyI6IndvcmxkIn0=

An error occurred (NotFoundException) when calling the Sign operation: Key ID alias/jwt-sign not found for signing

# failure using arn
awslocal kms sign --key-id=arn:aws:kms:eu-west-1:000000000000:key/8dcdd32d-ad7b-4f68-9865-e1259191ee8f --signing-algorithm=RSASSA_PSS_SHA_256 --message eyJoZWxsbyI6IndvcmxkIn0=

An error occurred (NotFoundException) when calling the Sign operation: Key ID arn:aws:kms:eu-west-1:000000000000:key/8dcdd32d-ad7b-4f68-9865-e1259191ee8f not found for signing

# success using key id directly
awslocal kms sign --key-id=8dcdd32d-ad7b-4f68-9865-e1259191ee8f --signing-algorithm=RSASSA_PSS_SHA_256 --message eyJoZWxsbyI6IndvcmxkIn0=
{
    "KeyId": "8dcdd32d-ad7b-4f68-9865-e1259191ee8f",
    "Signature": "cAQRRZ9G1trJHKiT8sTjl9haNlq7SJ8PoA7Fmhp+QuyhASOS4F8eSqVBLNbrRbFqzfj9DN0OLZJlJjL+ufq/QjbKCuAxjbveGdlIbZ8pCAqr5hkPmyafi8oXpQ6FyANC0/CdffRu2YJR08gj8RRv2mv7eTgmjTAC1O6t9b21IIlEazbEiYo7gd+wFLBSkWZ1nT6Iwjk3zuKk22amb2+I5xSef9Q/bMX4iwZhpoUtoLZyeowVqs1EtuvBBq1GApwoOjjBZdjX4WQ8MpHgC+aS+Yznd9Jm1AjqV2oFb2aWfgC6dxWK7udtZ75sVEw0iMWJ58GHihQGh6ST2C7cqKsXwg==",
    "SigningAlgorithm": "RSASSA_PSS_SHA_256"
}

I'm unsure if this is a quirk of aliases in KMS, or a bug in local-kms - any pointers would be greatly appreciated.

gerryfletch commented 2 years ago

I'd also note that the AWS KMS docs specify that you can use the alias or arn: https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#API_Sign_RequestSyntax

Edit: I can also verify the exact commands in the issue description work totally fine against the real AWS KMS.

nsmithuk commented 2 years ago

Hi @gerryfletch.

This does sound like it could be a local-kms bug. I'll take a look at it this coming weekend to see if I can get to the bottom of it.

nsmithuk commented 2 years ago

Hi @gerryfletch

I am struggling to replicate this. I've put the following into a test.sh

echo "Creating Asymmetric Keys in KMS"
KEY_ID=$(awslocal kms create-key \
  --description "Used to sign and verify JWTs." \
  --key-usage "SIGN_VERIFY" \
  --key-spec "RSA_2048" \
  --origin "AWS_KMS" \
  --tags "TagKey=ServiceName,TagValue=s-auth" \
  --no-multi-region \
  | jq -r '.KeyMetadata.KeyId')

echo "Creating and Associating Alias 'jwt-sign' to key ${KEY_ID}"
awslocal kms create-alias \
  --alias-name "alias/jwt-sign" \
  --target-key-id $KEY_ID

echo "Signing the message using the alias"
awslocal kms sign \
  --key-id=alias/jwt-sign \
  --signing-algorithm=RSASSA_PSS_SHA_256 \
  --message eyJoZWxsbyI6IndvcmxkIn0=

Which, when I run it, appears successful; the output being:

bash ./test.sh             
Creating Asymmetric Keys in KMS
Creating and Associating Alias 'jwt-sign' to key 1ce158de-5b0c-46b5-a58c-d5fb6a6624b5
Signing the message using the alias
{
    "KeyId": "arn:aws:kms:eu-west-2:111122223333:key/1ce158de-5b0c-46b5-a58c-d5fb6a6624b5",
    "Signature": "lhNPJZ2fnqz8B2qC5wGxRv0kNYkt9Sil7mKK49SbA4UPVVq65/J5K2Y1nBqn/B8/snYSeHWHBaFIdX6IHZHtcuZWNCKZEfv2NseqvBjJXq1CRy15Vwc3taQqcDJAABWNZqhzdmcgfgT1UKuaSjvgJeZiafoBNiEWLRyExiDaPcBqSaAmsvaf4tb3Y3yyrSMOUx67Ebn0OTtMhDB+BKV2CYQBUprI078hv1CLKvyVKOUBTabOne/ZkUCsg34+zZQ6uCD+jrntSHBEX8ZgEYuw2jncCsGMLwenbaVRuEnx/3kcbZ3gVLNJoncz3JUtvbS88UU6jUEdYezXk2KstZItMg==",
    "SigningAlgorithm": "RSASSA_PSS_SHA_256"
}

This was done with the latest version of Local KMS (3.11.0) and the latest version of the AWS CLI (2.5.6).

The only odd thing I did find is that if the message sent to the Sign endpoint is not valid base64, you get a misleading error about the key not being found, rather than it being an encoding issue.

Are you able to give me any more details?
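The create-key / create-alias / sign flow from this thread, as an added example script that is not code from the local-kms project or from either participant. It adds the two checks worth running before concluding that alias resolution is broken: that the alias resolves to the expected key ID via DescribeKey, and that the Message blob is valid base64, since a badly encoded message comes back as "Key ID ... not found for signing" rather than an encoding error. It assumes a local-kms endpoint at KMS_ENDPOINT (default http://localhost:8080, an assumption), dummy credentials, AWS CLI v2 (blob parameters are base64 on the command line) and GNU base64.

```shell
#!/usr/bin/env bash
# Added example, not code from local-kms or from this issue thread.
# Reproduces create-key -> create-alias -> sign via alias -> verify, with
# pre-checks for the two things that look like a "key not found" failure.
set -eu

# Assumptions: local-kms (or localstack) listens at KMS_ENDPOINT and accepts
# any credentials; the endpoint implements Sign and Verify.
ENDPOINT="${KMS_ENDPOINT:-http://localhost:8080}"
REGION="${AWS_REGION:-eu-west-2}"
export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-test}"
export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-test}"
ALIAS="alias/jwt-sign"
ALG="RSASSA_PSS_SHA_256"

# Thin wrapper so every call goes to the local endpoint.
kms() { aws --endpoint-url "$ENDPOINT" --region "$REGION" kms "$@"; }

# Encode a raw message as the single-line base64 that CLI v2 expects for blobs.
b64_message() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Strict check: non-empty, standard base64 alphabet with correct padding, and
# it actually decodes (GNU base64 -d; macOS may need -D on older versions).
is_base64() {
  [ -n "$1" ] || return 1
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$' || return 1
  printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Resolve an alias or ARN to the bare key ID; DescribeKey accepts all three forms.
resolve_key_id() { kms describe-key --key-id "$1" --query KeyMetadata.KeyId --output text; }

main() {
  key_id=$(kms create-key --key-usage SIGN_VERIFY --key-spec RSA_2048 \
             --description "Used to sign and verify JWTs." \
             --query KeyMetadata.KeyId --output text)
  kms create-alias --alias-name "$ALIAS" --target-key-id "$key_id"

  # Check 1: the alias must resolve to the key we just created.
  resolved=$(resolve_key_id "$ALIAS")
  [ "$resolved" = "$key_id" ] || { echo "alias resolves to $resolved, expected $key_id" >&2; exit 1; }

  # Check 2: the message must be valid base64 before it reaches Sign.
  msg=$(b64_message '{"hello":"world"}')   # same payload as the thread: eyJoZWxsbyI6IndvcmxkIn0=
  is_base64 "$msg" || { echo "message is not valid base64; Sign would report NotFoundException" >&2; exit 1; }

  # Sign via the alias, then verify via the alias; SignatureValid should be True.
  sig=$(kms sign --key-id "$ALIAS" --signing-algorithm "$ALG" --message "$msg" \
          --query Signature --output text)
  valid=$(kms verify --key-id "$ALIAS" --signing-algorithm "$ALG" --message "$msg" \
            --signature "$sig" --query SignatureValid --output text)
  echo "signed via $ALIAS with key $key_id; SignatureValid=$valid"
}

# Only touch the endpoint when explicitly asked, so the helper functions can be
# sourced or tested without a running KMS.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it with `bash sign-via-alias.sh run` against a freshly started local-kms. If `resolve_key_id` fails but the bare key ID works, the alias table is the problem (or an older image is being served, as turned out to be the case here); if `is_base64` rejects your message, the NotFoundException from Sign is the encoding issue described above, not a missing key.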

gerryfletch commented 2 years ago

Thanks @nsmithuk. I was using local-kms via localstack, and despite updating the localstack images, it looks like it isn't using the latest version of your image. Swapping out localstack and running local-kms myself works fine. Apologies for creating the issue and thanks for the speedy response!