
AWS KMS documentation Unclear #1178

Open
ChevronTango opened this issue May 21, 2023 · 7 comments
Labels
enhancement New feature or request

Comments

@ChevronTango

Description

When trying to use AWS KMS to sign my certs in fulcio using awskms://[endpoint]/[arn] it took me ages to realize that the endpoint was optional, but the trailing / was not. It's not clear from the guidance that the correct prefix when not specifying the endpoint is awskms:///. The documentation does show examples of this, but I spent longer than I care to admit not noticing 3 slashes and assuming it was meant to be just 2.

There's also a lack of guidance around exactly what IAM role permissions you need in order to call AWS KMS from fulcio. I ended up reading through https://github.com/sigstore/sigstore/blob/main/pkg/signature/kms/aws/client.go to find the full list of commands that needed to be called.

The last point that is unclear is exactly how to go about setting up the certificate chain needed by fulcio to validate KMS. I'm using a Private CA to achieve this with some success, but it's taken a very long time to figure out.
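The three-slash point from the description, as an added example that is not code from this thread, from fulcio, or from sigstore's own KMS client: a small Go parser for the awskms://[endpoint]/[key reference] shape. In a generic URI the text between "//" and the next "/" is the authority, so awskms:///<arn> (empty authority) means "no custom endpoint, key reference follows", while awskms://<arn> silently places the first ARN segments into the endpoint position. The ARN, account ID and key ID below are constructed placeholders, and the explicit "arn:" check is this example's own guard, not behaviour documented on the page.

```go
package main

import (
	"fmt"
	"strings"
)

// KMSRef is the result of splitting an awskms:// key reference into its parts.
type KMSRef struct {
	Endpoint string // optional custom KMS endpoint (host[:port]); empty means the default regional endpoint
	KeyRef   string // key ARN, key ID, or alias/<name>
}

// ParseAWSKMSRef splits an awskms://[endpoint]/[key reference] string.
// Everything between "awskms://" and the next '/' is the authority (endpoint);
// an empty authority, i.e. a third slash right after "//", means no endpoint,
// which is why a bare ARN needs the awskms:///<arn> form.
func ParseAWSKMSRef(ref string) (KMSRef, error) {
	const scheme = "awskms://"
	if !strings.HasPrefix(ref, scheme) {
		return KMSRef{}, fmt.Errorf("%q: reference must start with %s", ref, scheme)
	}
	rest := strings.TrimPrefix(ref, scheme)

	slash := strings.IndexByte(rest, '/')
	if slash < 0 {
		return KMSRef{}, fmt.Errorf("%q: missing '/' between endpoint and key reference (use awskms:///<arn> when no endpoint is given)", ref)
	}
	endpoint, keyRef := rest[:slash], rest[slash+1:]

	// Guard (this example's own check): a two-slash reference such as
	// awskms://arn:aws:kms:... would otherwise be accepted with
	// "arn:aws:kms:...:key" treated as a hostname and only the key ID as the key.
	if strings.HasPrefix(endpoint, "arn:") || endpoint == "alias" {
		return KMSRef{}, fmt.Errorf("%q: key reference found in the endpoint position; write awskms:///%s (three slashes) when no endpoint is given", ref, rest)
	}
	if keyRef == "" {
		return KMSRef{}, fmt.Errorf("%q: empty key reference", ref)
	}
	return KMSRef{Endpoint: endpoint, KeyRef: keyRef}, nil
}

func main() {
	// Constructed sample references; account ID and key ID are placeholders.
	for _, ref := range []string{
		"awskms:///arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
		"awskms://localhost:4566/alias/fulcio-signing",
		"awskms://arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
	} {
		r, err := ParseAWSKMSRef(ref)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("endpoint=%q keyRef=%q\n", r.Endpoint, r.KeyRef)
	}
}
```

The first reference parses with an empty endpoint and the full ARN as the key; the second shows the endpoint form with an alias; the third (two slashes) is rejected with a message that names the correct form, which is the kind of error the reporter would have wanted.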

@ChevronTango ChevronTango added the enhancement New feature or request label May 21, 2023
@ianhundere

ianhundere commented Aug 8, 2023

@ChevronTango how are you going about signing the Private CA w/ KMS?

we've tried using the ca and cert created via kms-issuer, but keep getting errors, x509: certificate specifies an incompatible key usage, even though we're following the correct spec via the certificate resource:

@haydentherapper
Contributor

Can you specify your certificate chain?

@ianhundere

Can you specify your certificate chain?

Yes, we've tried using a local key (which was then imported to KMS) to sign a Private CA created via openssl and that worked, but using kms-issuer hasn't seemed to work so far. We've tried including the CA it's created as well as the certificate it creates.

Any other suggestions in regards to creating/signing a Private CA using KMS?

@haydentherapper
Contributor

An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specifies Certificate Sign and CRL Sign only.

@ianhundere

An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specifies Certificate Sign and CRL Sign only.

hmm, i think it's because the CA it creates doesn't have the correct usages selected. don't think this is something you can change using kms-issuer:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
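An added example, not code from this thread or from fulcio/sigstore, reproducing the "certificate specifies an incompatible key usage" failure with Go's crypto/x509 verifier. That error comes from the verifier's extended key usage walk over the whole chain: when an intermediate carries an Extended Key Usage extension listing only TLS Web Server/Client Authentication (as in the kms-issuer output above), a code-signing leaf below it cannot verify for code signing, whereas an intermediate with no EKU extension (Certificate Sign and CRL Sign key usage only) verifies fine. The keys are in-memory ECDSA stand-ins; the "KMS Intermediate" is a software key here, not a KMS-backed one, and names and validity windows are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSOnlyEKU mirrors the extended key usage shown on the kms-issuer CA above.
var TLSOnlyEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

// caTemplate returns a CA template with Certificate Sign and CRL Sign key usage
// and the given extended key usage list (nil omits the EKU extension entirely).
func caTemplate(cn string, serial int64, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           eku,
	}
}

// issue signs tmpl for public key pub with signer's key under parent
// (self-signed when parent is nil) and parses the resulting certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCodeSigningChain builds root -> intermediate -> code-signing leaf, putting
// intermediateEKU on the intermediate, then verifies the leaf for code signing.
// It returns the verification error, or nil when the chain is accepted.
func VerifyCodeSigningChain(intermediateEKU []x509.ExtKeyUsage) error {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	intKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}

	root, err := issue(caTemplate("Root CA", 1, nil), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return err
	}
	// Stand-in for the KMS-backed intermediate (software key in this example).
	inter, err := issue(caTemplate("KMS Intermediate", 2, intermediateEKU), root, &intKey.PublicKey, rootKey)
	if err != nil {
		return err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "code-signing-leaf"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return err
	}

	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// IsIncompatibleUsage reports whether err is the verifier's
// "certificate specifies an incompatible key usage" failure.
func IsIncompatibleUsage(err error) bool {
	var invalid x509.CertificateInvalidError
	return errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage
}

func main() {
	fmt.Println("intermediate with TLS-only EKU:", VerifyCodeSigningChain(TLSOnlyEKU))
	fmt.Println("intermediate with no EKU:      ", VerifyCodeSigningChain(nil))
}
```

The practical check this suggests: run openssl x509 -text on each CA certificate in the bundle handed to fulcio and make sure no intermediate restricts Extended Key Usage to TLS authentication; CA certificates that omit the EKU extension, or that include the usage the leaves need, will chain.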

@ianhundere

ah, i was able to get it working using step-ca. cheers 🍻

@ChevronTango
Author

ChevronTango commented Aug 10, 2023

My approach involved creating a simple CSR (can be anything) and using aws-kms-sign-csr to sign it. I then passed it to my root CA and asked it to sign the CSR using the SubordinateCACertificate_PathLen0_APIPassthrough/V1 template. I gave it an ExtendedKeyUsageType of CODE_SIGNING and filled in all the usual subjects and common names when I passed the CSR through to the CA for signing. I was able to pass this information through using the --api-passthrough option, hence the need for that particular template.

The KMS key in particular was RSA_4096 and I passed it through to Fulcio using awskms:///<kms_arn> along with a certificate bundle containing both the root CA public key and the KMS backed intermediate public key I signed above.

I did all of this in terraform, but was able to achieve a nice reliable and repeatable pattern once I'd figured out all the steps I needed.
