Skip to content

Add CreateDecrypter support to AWS KMS #702

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hslatman merged 2 commits into from
Feb 20, 2025
Merged

Add CreateDecrypter support to AWS KMS #702

hslatman merged 2 commits into from
Feb 20, 2025

Conversation

@hslatman
Copy link
Member

@hslatman hslatman commented Feb 13, 2025

No description provided.

sduc
sduc reviewed Feb 17, 2025
View reviewed changes
@hslatman hslatman force-pushed the herman/awskms-decrypter branch from 7ded556 to 7c54eed Compare February 17, 2025 13:11
@hslatman
Copy link
Member Author

hslatman commented Feb 17, 2025
edited
Loading

I've just done a quick encrypt/decrypt test against AWS with a patched step-kms-plugin, and it looks OK 🙂

$ step-kms-plugin encrypt --oaep --in message.txt --no-label --kms 'awskms:' 'awskms:key-id=<key-id>;region=<region>'
// encrypted output in base64 format

$ step-kms-plugin decrypt --oaep --in encrypted.bin --no-label --kms 'awskms:' 'awskms:key-id=<key-id>;region=<region>'
// decrypted output

@sduc
Copy link

sduc commented Feb 17, 2025

I've just done a quick encrypt/decrypt test against AWS with a patched step-kms-plugin, and it looks OK 🙂

$ step-kms-plugin encrypt --oaep --in message.txt --no-label --kms 'awskms:' 'awskms:key-id=<key-id>;region=<region>'
// encrypted output in base64 format

$ step-kms-plugin decrypt --oaep --in encrypted.bin --no-label --kms 'awskms:' 'awskms:key-id=<key-id>;region=<region>'
// decrypted output

Yup I confirm. The only requirement is to have an RSA key configured with Key Usage: Encrypt and decrypt and not Sign and Verify :)

@hslatman
Copy link
Member Author

hslatman commented Feb 17, 2025
edited
Loading

Yup I confirm. The only requirement is to have an RSA key configured with Key Usage: Encrypt and decrypt and not Sign and Verify :)

Indeed. I've seen that before with GCP Cloud KMS, and is considered a good practice. In its current form we generally don't check the key capabilities in the KMS implementations before performing crypto operations. An invalid key will thus result in an error upon trying a decryption, whereas it may be an option to check the capabilities before trying to use the key for a purpose it's not configured for. Maybe we'll add something for that in the future 🙂

For your use case you'll thus need the SCEP decrypter configured in addition to the RSA intermediate for signing. If the rest of your stack allows for it, you could also opt for an ECDSA intermediate signer, and the RSA SCEP decrypter.

@hslatman hslatman force-pushed the herman/awskms-decrypter branch from 7c54eed to afd9451 Compare February 18, 2025 23:09
@hslatman hslatman force-pushed the herman/awskms-decrypter branch from 147982a to 3018ea0 Compare February 19, 2025 00:33
@hslatman hslatman marked this pull request as ready for review February 19, 2025 00:36
@hslatman hslatman enabled auto-merge February 19, 2025 00:36
@hslatman hslatman requested review from a team and maraino February 19, 2025 00:37
@azazeal
Copy link

azazeal commented Feb 19, 2025

Is seems there's a lot of places where a new context pops out instead of being propagated. Is that intentional?

@hslatman
Copy link
Member Author

hslatman commented Feb 19, 2025
edited
Loading

Is seems there's a lot of places where a new context pops out instead of being propagated. Is that intentional?

These are the two I see:

  • There's no DecryptContext(ctx context.Context, ...) in the stdlib, so it has to come from somewhere when calling a function that expects one when it's being called through the crypto.Decrypter interface. Injecting a parent context during instantiation is possible, but wouldn't be a properly propagated context in that case.
  • For preloadKey we maybe can provide an alternative, but I don't consider that part of the scope of this PR. There's an open issue to make initialization of a KMS lazy, and I suspect we may want to touch on context.Context usage there too.

maraino
maraino approved these changes Feb 20, 2025
View reviewed changes
Copy link
Contributor

@maraino maraino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@hslatman hslatman merged commit 26e1ce2 into master Feb 20, 2025
12 checks passed
@hslatman hslatman deleted the herman/awskms-decrypter branch February 20, 2025 18:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maraino maraino maraino approved these changes

+1 more reviewer

@sduc sduc sduc left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

needs triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@hslatman @sduc @azazeal @maraino