Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated to support only ECC_NIST_P256 keyspec for initial release #2973

Merged
merged 1 commit into from
Sep 6, 2024
Merged

Updated to support only ECC_NIST_P256 keyspec for initial release #2973

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 14 additions & 37 deletions internal/cryptosigner/aws/kms.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,50 +52,27 @@ func NewKMS(client *kms.Client, kmsKeyID string) (*KMS, error) {
return nil, fmt.Errorf("invalid key usage. expected SIGN_VERIFY, got %q", keyDesc.KeyUsage)
}

// there should be at least one signing algorithm available, and for sign/verify keys there should only be one.
if len(keyDesc.SigningAlgorithms) != 1 {
return nil, fmt.Errorf("expected one signing algorithm for key %q got %q", kmsKeyID, keyDesc.SigningAlgorithms)
}

alg := keyDesc.SigningAlgorithms[0]

// Using the matching KMS keyset as per the following table, we select the
// appropriate jwa.KeyAlgorithm see https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
// and https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html
//
// | "alg" Param Value | Digital Signature Algorithm | KMS KeySpec |
// | ----------------- | --------------------------- | ----------- |
// | ES256 | ECDSA using P-256 and SHA-256 | ECC_NIST_P256 |
// | ES384 | ECDSA using P-384 and SHA-384 | ECC_NIST_P384 |
// | ES512 | ECDSA using P-521 and SHA-512 | ECC_NIST_P521 |
// | RS256 | RSASSA-PKCS1-v1_5 using SHA-256 | RSASSA_PKCS1_V1_5_SHA_256 |
// | RS384 | RSASSA-PKCS1-v1_5 using SHA-384 | RSASSA_PKCS1_V1_5_SHA_384 |
// | RS512 | RSASSA-PKCS1-v1_5 using SHA-512 | RSASSA_PKCS1_V1_5_SHA_512 |
// | "alg" Param Value | Digital Signature Algorithm | KMS KeySpec |
// | ----------------- | ----------------------------- | ------------- |
// | ES256 | ECDSA using P-256 and SHA-256 | ECC_NIST_P256 |
//
var jwaAlg jwa.KeyAlgorithm
switch alg {
case types.SigningAlgorithmSpecEcdsaSha256:
jwaAlg = jwa.ES256
case types.SigningAlgorithmSpecEcdsaSha384:
jwaAlg = jwa.ES384
case types.SigningAlgorithmSpecEcdsaSha512:
jwaAlg = jwa.ES512
case types.SigningAlgorithmSpecRsassaPkcs1V15Sha256:
jwaAlg = jwa.RS256
case types.SigningAlgorithmSpecRsassaPkcs1V15Sha384:
jwaAlg = jwa.RS384
case types.SigningAlgorithmSpecRsassaPkcs1V15Sha512:
jwaAlg = jwa.RS512
// We only support ECC_NIST_P256 for now.
switch keyDesc.KeySpec {
case types.KeySpecEccNistP256:
return &KMS{
client: client,
kid: kmsKeyID,
jwaAlg: jwa.ES256,
alg: types.SigningAlgorithmSpecEcdsaSha256,
}, nil
default:
return nil, fmt.Errorf("unsupported signing algorithm %q", alg)
return nil, fmt.Errorf("unsupported key spec: %q, supported key specs are %q", keyDesc.KeySpec,
[]types.KeySpec{types.KeySpecEccNistP256})
}

return &KMS{
client: client,
jwaAlg: jwaAlg,
alg: alg,
kid: kmsKeyID,
}, nil
}

// Sign generates a signature from the given digest.
Expand Down