
Comments (11)

JackOfMostTrades commented on September 17, 2024

Yea, I thought about providing better support for using pkcs11 uris when I first put this together, but I really just wanted to get an MVP out the door. As opposed to having separate slots I was thinking of just representing the keys as objects in a single slot, so for tools that support a pkcs11 uri you could specify pkcs11:object=f9292d51-8d46-4de9-bd3d-c91f41b78c4d;objecttype=private where f9292d51-8d46-4de9-bd3d-c91f41b78c4d is the KMS key id. You would still need to either list all possible key ids that you would want to use in the config or else the module could fall back to doing a list keys call. That seems ideal since in cases where that's sufficient it would save you from having to make a config file at all.

The only real challenge is that I'd have to do some refactoring to keep track of the getPublicKey calls and do them lazily (since right now it just eagerly fetches it when the session is started, but I wouldn't want to do that for all keys if it supports multiple keys).

from aws-kms-pkcs11.

hongkongkiwi commented on September 17, 2024

Yea, I think doing it via objects also makes sense.

I think forcing to have the keys specified in the config is a good thing. It would mean that an arbitrary key couldn't be looked up unless it was specifically mentioned in the config. (one could argue that you should control this via IAM, but many people use very permissive IAM so an extra check is a good idea).


JackOfMostTrades commented on September 17, 2024

I just pushed a commit to master which should add support for this. I didn't expand the config to allow a region per key, but otherwise it should look the same as above. So you can specify a list of key ids in your config, e.g. "kms_key_ids": ["kms_id_1", "kms_id_2"], and then use the pkcs11 uri to pick the key you want to use, e.g. pkcs11:object=kms_id_1. It seems to work properly for me based on some brief testing.


JackOfMostTrades commented on September 17, 2024

Actually, scratch that. I came around to your original suggestion. Multiple KMS keys are now represented as multiple slots. This makes it a lot easier to select a single KMS key from the list when you do a signing operation without having to do a GetPublicKey call for each one. This will also make it easier to add a certificate to the slot.


hongkongkiwi commented on September 17, 2024

Ah awesome! Great work. I noticed you implemented label as well. I was going to suggest to add that ;) The new slots array is handy because it makes it easy to add additional items later if extra functionality is added.

I'm just testing it now (I generate the JSON dynamically from environment variables for my Docker setup, so I'm just writing that script). Will post back with the results.


hongkongkiwi commented on September 17, 2024

I think there is a bug in the code because the key region and key id are getting mixed up somewhere in the code. You can see my config here:

{
  "slots": [
    {
      "kms_key_id": "xxxxxxxxxx",
      "label": "development",
      "aws_region": "us-west-1"
    }
  ]
}

And see the debug log here:

AWS_KMS_PKCS11_DEBUG=1 openssl
OpenSSL> engine pkcs11 -pre VERBOSE -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
(pkcs11) pkcs11 engine
[Success]: VERBOSE
[Success]: MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
OpenSSL> pkeyutl -engine pkcs11 -sign -inkey 'pkcs11:token=development' -keyform engine -out foo.sig -in foo
engine "pkcs11" set.
PKCS#11: Initializing the engine
AWS_KMS: Debug enabled.
AWS_KMS: Attempting to load config from path: /root/.config/aws-kms-pkcs11/config.json
AWS_KMS: Skipping config because we couldn't open the file.
AWS_KMS: Attempting to load config from path: /etc/aws-kms-pkcs11/config.json
AWS_KMS: Configured slots:
AWS_KMS:   us-west-1
Found 1 slot
Loading private key "pkcs11:token=development"
Looking in slot -1 for key:
[0]                            no pin            (development)
Found slot:
Found token: development
AWS_KMS: Getting public key for key us-west-1
AWS_KMS: Got error from AWS fetching public key for key id us-west-1: Invalid keyId us-west-1
Loading private key "pkcs11:token=development"
Looking in slot -1 for key:
[0]                            no pin            (development)
Found slot:
Found token: development
No private keys found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140124731147584:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
140124731147584:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key
pkeyutl: Error initializing context
error in pkeyutl

Specifically, it shows lines like this. I'll trace the code by eye to see if I can see where it gets mixed up.

AWS_KMS: Getting public key for key us-west-1
AWS_KMS: Got error from AWS fetching public key for key id us-west-1: Invalid keyId us-west-1
AWS_KMS: Configured slots:
AWS_KMS:   us-west-1

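The config above has the right shape, yet the debug log shows the region name ending up as the key id. As an added example (not the aws-kms-pkcs11 project's own code), here is a small Python model of the two pieces the thread discusses: loading a slots config with a sanity check that rejects a region-shaped kms_key_id before any AWS call is made, and resolving a pkcs11: URI (token= for the slot approach, object=/objecttype= for the earlier object-per-key idea) to exactly one slot. The sample config, the key ids in it, and the regular expressions for region names and KMS key identifier forms are assumptions of this example, not values or rules taken from the project.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample config in the slots shape discussed in this thread.
# The key ids are made-up UUID/ARN values, not real KMS keys.
SAMPLE_CONFIG = json.dumps({
    "slots": [
        {"kms_key_id": "1d369ab6-a941-4b21-bd3e-6950f14b3e7f",
         "label": "development", "aws_region": "us-west-1"},
        {"kms_key_id": "arn:aws:kms:us-east-1:123456789012:key/366f107f-887e-4832-b8a9-ba88e76c1a2b",
         "label": "production", "aws_region": "us-east-1"},
    ]
})

# Assumed shapes (not from the project): an AWS region name, and the key
# identifier forms KMS accepts (key id UUID, key/alias ARN, alias name).
AWS_REGION_RE = re.compile(r"^[a-z]{2}(-gov|-iso[a-z]?)?-[a-z]+-\d$")
KMS_KEY_ID_RE = re.compile(
    r"^(?:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"|arn:aws(?:-[a-z]+)*:kms:[a-z0-9-]+:\d{12}:(?:key|alias)/.+"
    r"|alias/.+)$"
)


class ConfigError(ValueError):
    """A slot entry is missing a field or its fields look swapped."""


@dataclass(frozen=True)
class Slot:
    kms_key_id: str
    label: str
    aws_region: str


def load_slots(config_text: str) -> list[Slot]:
    """Parse a slots config and reject entries that would otherwise only fail
    later, at the GetPublicKey call, with an 'Invalid keyId' error from AWS."""
    doc = json.loads(config_text)
    slots: list[Slot] = []
    labels_seen: set[str] = set()
    for i, entry in enumerate(doc.get("slots", [])):
        key_id = entry.get("kms_key_id")
        region = entry.get("aws_region")
        if not key_id or not region:
            raise ConfigError(f"slot {i}: kms_key_id and aws_region are required")
        # The symptom in the debug log was a region name used as the key id;
        # catch that mix-up before any network call is made.
        if AWS_REGION_RE.match(key_id):
            raise ConfigError(f"slot {i}: kms_key_id {key_id!r} looks like a region name")
        if not KMS_KEY_ID_RE.match(key_id):
            raise ConfigError(f"slot {i}: kms_key_id {key_id!r} is not a key id, ARN or alias")
        if not AWS_REGION_RE.match(region):
            raise ConfigError(f"slot {i}: aws_region {region!r} is not a region name")
        label = entry.get("label") or key_id
        if label in labels_seen:
            raise ConfigError(f"slot {i}: duplicate label {label!r}")
        labels_seen.add(label)
        slots.append(Slot(key_id, label, region))
    return slots


def parse_pkcs11_uri(uri: str) -> dict[str, str]:
    """Minimal RFC 7512 parser for the path attributes (token=, object=,
    objecttype=, model=, ...). Percent-encoded values are decoded; the query
    part (pin-value and friends) is ignored."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    path = rest.split("?", 1)[0]
    attrs: dict[str, str] = {}
    for part in path.split(";"):
        if not part:
            continue
        name, _, value = part.partition("=")
        attrs[name] = unquote(value)
    return attrs


def select_slot(slots: list[Slot], uri: str) -> Slot:
    """Pick the one slot a signing operation should use: token= must match a
    configured label, and the match must be unambiguous."""
    attrs = parse_pkcs11_uri(uri)
    token = attrs.get("token")
    matches = [s for s in slots if token is None or s.label == token]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} slots match {uri!r}, need exactly 1")
    return matches[0]


if __name__ == "__main__":
    slots = load_slots(SAMPLE_CONFIG)
    for slot in slots:
        print(f"slot label={slot.label} region={slot.aws_region} key={slot.kms_key_id}")
    print(select_slot(slots, "pkcs11:token=development"))
```

Feeding this loader the config from the comment above with the two values swapped (region in kms_key_id) fails at load time with a clear message instead of surfacing as the "Invalid keyId us-west-1" error only after the engine has already claimed to find the token.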

hongkongkiwi commented on September 17, 2024

Issued a pull request #6


JackOfMostTrades commented on September 17, 2024

D'oh. Thanks for the fix. Dangers of copy/pasting code late at night.


hongkongkiwi commented on September 17, 2024

I just posted some instructions for setting up p11tool, which is a useful debug tool, in #7. I noticed that if no config is set up, this seems to list all available keys in my KMS account, e.g. p11tool --list-tokens. I'm not sure if this is intentional?

Token 0:
	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
	Label: System Trust
	Type: Trust module
	Flags: uPIN uninitialized
	Manufacturer: PKCS#11 Kit
	Model: p11-kit-trust
	Serial: 1
	Module: p11-kit-trust.so
Token 1:
	URL: pkcs11:token=1d369ab6-a941-4b21-bd3e-6950f14b
	Label: 1d369ab6-a941-4b21-bd3e-6950f14b
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Token 2:
	URL: pkcs11:token=366f107f-887e-4832-b8a9-ba88e76c
	Label: 366f107f-887e-4832-b8a9-ba88e76c
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Token 3:
	URL: pkcs11:token=368836f7-e7e7-43cc-aa2a-e575855f
	Label: 368836f7-e7e7-43cc-aa2a-e575855f
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Token 4:
	URL: pkcs11:token=525414eb-f898-4769-ab99-2df70708
	Label: 525414eb-f898-4769-ab99-2df70708
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Token 5:
	URL: pkcs11:token=62f9d456-a336-439a-aa91-71dbc068
	Label: 62f9d456-a336-439a-aa91-71dbc068
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Token 6:
	URL: pkcs11:token=8e6426ad-dbd5-4b86-8446-b8adc503
	Label: 8e6426ad-dbd5-4b86-8446-b8adc503
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Token 7:
	URL: pkcs11:token=ddb28995-58d4-4a28-80b6-567aea09
	Label: ddb28995-58d4-4a28-80b6-567aea09
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so

The neat thing about this tool is you can also list the URIs with p11tool --list-token-urls:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:token=1d369ab6-a941-4b21-bd3e-6950f14b
pkcs11:token=366f107f-887e-4832-b8a9-ba88e76c
pkcs11:token=368836f7-e7e7-43cc-aa2a-e575855f
pkcs11:token=525414eb-f898-4769-ab99-2df70708
pkcs11:token=62f9d456-a336-439a-aa91-71dbc068
pkcs11:token=8e6426ad-dbd5-4b86-8446-b8adc503
pkcs11:token=ddb28995-58d4-4a28-80b6-567aea09

After setting up a config, it appears to show more expected results:

Token 0:
	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
	Label: System Trust
	Type: Trust module
	Flags: uPIN uninitialized
	Manufacturer: PKCS#11 Kit
	Model: p11-kit-trust
	Serial: 1
	Module: p11-kit-trust.so
Token 1:
	URL: pkcs11:token=devkernel
	Label: devkernel
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so
Token 2:
	URL: pkcs11:token=devrauc
	Label: devrauc
	Type: Generic token
	Flags: uPIN uninitialized
	Manufacturer:
	Model:
	Serial:
	Module: /usr/lib/x86_64-linux-gnu/pkcs11/aws_kms_pkcs11.so

With URLs looking normal too:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:token=devkernel
pkcs11:token=devrauc


JackOfMostTrades commented on September 17, 2024

if no config is set up, this seems to list all available keys in my KMS account e.g. p11tool --list-tokens. I'm not sure if this is intentional?

Yea, that's some functionality I added after the update to support multiple slots. The only overhead is a call to the KMS list-keys endpoint, so supporting key use without config seemed easy enough to do. It's using the KMS key id as the label by default, although labels can only be 32 characters and UUIDs are 37, so they're truncated. 🤷

If you do have a configuration there isn't any behavior change (it doesn't do any list-keys call).

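The behaviour described above has two consequences a defender should know about: without a config, every key the credential is allowed to list becomes a selectable token (which is why the earlier comment preferred pinning the key set in the config rather than relying on permissive IAM), and with key ids used as labels, anything past the 32nd character is cut off, so two keys can end up with the same label and pkcs11:token= can no longer pick one of them. As an added example (not the aws-kms-pkcs11 project's own code), this Python model shows both: the config path makes no ListKeys call, the no-config path builds one slot per listed key with a truncated label, and a check reports labels that collide. The ListKeys-style response, the key ids and the config are constructed for the example; FakeKms is a stand-in for the real client, not boto3.

```python
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LABEL_MAX = 32  # CK_TOKEN_INFO.label is a fixed 32-byte field in PKCS#11

# Constructed ListKeys-style response. The ids are made up; the first two
# are deliberately identical in their first 32 characters.
SAMPLE_LIST_KEYS = {
    "Keys": [
        {"KeyId": "1d369ab6-a941-4b21-bd3e-6950f14b1111"},
        {"KeyId": "1d369ab6-a941-4b21-bd3e-6950f14b2222"},
        {"KeyId": "366f107f-887e-4832-b8a9-ba88e76c3333"},
    ]
}

# Constructed config using the two labels seen in the p11tool output above.
SAMPLE_CONFIG = json.dumps({
    "slots": [
        {"kms_key_id": "1d369ab6-a941-4b21-bd3e-6950f14b1111",
         "label": "devkernel", "aws_region": "us-west-1"},
        {"kms_key_id": "366f107f-887e-4832-b8a9-ba88e76c3333",
         "label": "devrauc", "aws_region": "us-west-1"},
    ]
})


@dataclass(frozen=True)
class Slot:
    kms_key_id: str
    label: str


def token_label(key_id: str) -> str:
    """Default label: the key id cut to the 32 bytes a token label can hold."""
    return key_id[:LABEL_MAX]


class FakeKms:
    """Constructed stand-in for the KMS ListKeys call that counts its uses."""

    def __init__(self, response: dict) -> None:
        self.response = response
        self.calls = 0

    def list_keys(self) -> dict:
        self.calls += 1
        return self.response


def resolve_slots(config_text: Optional[str], kms: FakeKms) -> list[Slot]:
    """With a config, expose exactly the configured slots and never list keys.
    Without one, fall back to one slot per key the account lists."""
    if config_text is not None:
        doc = json.loads(config_text)
        return [Slot(e["kms_key_id"], e.get("label") or token_label(e["kms_key_id"]))
                for e in doc["slots"]]
    return [Slot(k["KeyId"], token_label(k["KeyId"])) for k in kms.list_keys()["Keys"]]


def ambiguous_labels(slots: list[Slot]) -> set[str]:
    """Labels shared by more than one slot: pkcs11:token=<label> cannot select
    a single key for these, so a signing request would be ambiguous."""
    counts = Counter(s.label for s in slots)
    return {label for label, n in counts.items() if n > 1}


if __name__ == "__main__":
    kms = FakeKms(SAMPLE_LIST_KEYS)
    listed = resolve_slots(None, kms)
    for s in listed:
        print(f"{s.label:32}  <- {s.kms_key_id}")
    print("ListKeys calls:", kms.calls, " ambiguous labels:", ambiguous_labels(listed))
    configured = resolve_slots(SAMPLE_CONFIG, FakeKms(SAMPLE_LIST_KEYS))
    print("configured:", [s.label for s in configured])
```

Running it with no config prints three slots but only two distinct labels; running it with the config prints the two named slots and a ListKeys call count of zero, which is the "no behavior change" case described above. The practical takeaway is to ship a config with explicit labels on any host where the credential can list more keys than the host should be able to sign with.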

hongkongkiwi commented on September 17, 2024

Thank you, this seems to be working well for me so far.

