local-kms's Issues

Concurrency issues (resource temporarily unavailable)

Currently it is impossible to use local-kms concurrently from multiple processes, because the underlying goleveldb library assumes the database would be consumed from a single thread only. As a result, the following error occurs when I run multiple nodes accessing local-kms in my test environment:

resource temporarily unavailable
goroutine 56 [running]:
net/http.(*conn).serve.func1(0xc0000b2b40)
	/usr/local/go/src/net/http/server.go:1769 +0x139
panic(0x8d5100, 0xdde600)
	/usr/local/go/src/runtime/panic.go:522 +0x1b5
github.com/nsmithuk/local-kms/src/data.NewDatabase(...)
	/go/src/github.com/nsmithuk/local-kms/src/data/database.go:19
github.com/nsmithuk/local-kms/src.getDatabase(0xc00002c6c0)
	/go/src/github.com/nsmithuk/local-kms/src/init.go:23 +0xb8
github.com/nsmithuk/local-kms/src.handleRequest(0xae6340, 0xc0001b22a0, 0xc000606300)
	/go/src/github.com/nsmithuk/local-kms/src/server.go:31 +0x14b
net/http.HandlerFunc.ServeHTTP(0x95fcc0, 0xae6340, 0xc0001b22a0, 0xc000606300)
	/usr/local/go/src/net/http/server.go:1995 +0x44
net/http.(*ServeMux).ServeHTTP(0xe18640, 0xae6340, 0xc0001b22a0, 0xc000606300)
	/usr/local/go/src/net/http/server.go:2375 +0x1d6
net/http.serverHandler.ServeHTTP(0xc000108000, 0xae6340, 0xc0001b22a0, 0xc000606300)
	/usr/local/go/src/net/http/server.go:2774 +0xa8
net/http.(*conn).serve(0xc0000b2b40, 0xae7580, 0xc0000f6300)
	/usr/local/go/src/net/http/server.go:1878 +0x851
created by net/http.(*Server).Serve
	/usr/local/go/src/net/http/server.go:2884 +0x2f4

Ideally we should either reuse the leveldb reference or open it in read-only mode, which might be tricky though.

Issue with Docker for windows 2.1.0.0

When running the local-kms container in Windows container mode with experimental features turned on (to mix Windows and Linux containers), the container can be started but not stopped or killed anymore once it's running.
Works fine with the previous release 2.0.0.3.

Different types of encrypted files

Hi there, great work on this! I used it in the past days and it is awesome!

During my usage, I noticed that nowadays there is some difference between encrypted files using KMS. I noticed that in some older files, we had the plain-text string identifying the key-id used to encrypt the file, and this information is used by local-kms (and AWS KMS) to identify which key to use if not specifying --key-id.

But recent versions changed that. The information about the key is still there, but it appears to be in a binary format. Here is an example:

# strings sample-old-format.bin 
Karn:aws:kms:us-east-1:1234567890:key/abcdef123-4567-890a-bcde-f1234567890ab
@/jq|

$ strings sample-new-format.bin
(J&@
$

Because of that, I believe the UnpackCiphertextBlob and Decrypt functions don't support this "new format". I don't know binary parsing much, so I could be wrong.

Using the same key material on both ends, I can't use local-kms to decrypt the new format:

$ aws --region us-east-1 --endpoint-url=http://localhost:8080 kms decrypt --ciphertext-blob fileb://sample-new-format.bin --output text --query Plaintext | base64 -d
An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

and from the local-kms logs I can see that it didn't find the key-id:

WARN[2022-11-10 18:55:35.361] Key 'arn:aws:kms:us-east-1:1234567890:key/' does not exist 

If I specify the key-id, it doesn't decrypt it well:

$ aws --region us-east-1 --endpoint-url=http://localhost:8080 kms decrypt --key-id "abcdef123-4567-890a-bcde-f1234567890ab" --ciphertext-blob fileb://sample-new-format.bin --output text --query Plaintext | base64 -d
An error occurred (InvalidCiphertextException) when calling the Decrypt operation: 

and from the local-kms logs:

WARN[2022-11-10 18:56:38.393] Unable to decode Ciphertext: required version of backing key is invalid 

Using the old format works flawlessly.

So the main issue is: are you aware of this "new format", and if so, is there any plans to support it?

Thank you so much.

Unable to decode Ciphertext: required version of backing key is invalid

Hello !

I try to use local-kms with cognito-local, and I have an issue on decryption. cognito-local encrypts a code and sends it to a lambda that decrypts the code to send it by email.

Local-kms logs:

kms-1  | INFO[2024-02-15 15:59:28.661] Data key generated with plaintext: arn:aws:kms:us-west-2:999999999:key/bc436485-5092-42b8-92a3-0aa8b93536c 
kms-1  | INFO[2024-02-15 15:59:28.663] Encryption called: arn:aws:kms:us-west-2:999999999:key/bc436485-5092-42b8-92a3-0aa8b93536c 
kms-1  | WARN[2024-02-15 15:59:28.864] Unable to decode Ciphertext: required version of backing key is invalid

Seed.yaml (same as the README.md):

Keys:
  Symmetric:
    Aes:
      - Metadata:
          KeyId: bc436485-5092-42b8-92a3-0aa8b93536c
        BackingKeys:
          - 5cdaead27fe7da2de47945d73cd6d79e36494e73802f3cd3869f1d2cb0b5d7a9
Aliases:
  - AliasName: alias/testing
    TargetKeyId: bc436485-5092-42b8-92a3-0aa8b93536c

My JS code to ask for decryption:

  const { KMSClient, DecryptCommand } = require("@aws-sdk/client-kms");
  const client = new KMSClient({ endpoint: 'http://kms:8080' });

  const encryptedString = event.request.code;
  const blob = Buffer.from(encryptedString, 'base64');
  const input = {
    CiphertextBlob: blob,
    KeyId: "arn:aws:kms:us-west-2:999999999:key/bc436485-5092-42b8-92a3-0aa8b93536c",
  };

  const command = new DecryptCommand(input);
  const response = await client.send(command);

This is the value of encryptedString:

AgV48tKFNiOC7/dmZoXQiT9U3VLm2x4dALXTRYyc+YRL/cgAXwABABVhd3MtY3J5cHRvLXB1YmxpYy1rZXkAREFpQ2pXcGxWcXIxMmxWcTB2Y0tKWXBBMVBmMGZiR2Y1SEhFUzgwMlo2di9VSGk2NGFnSGQ5dnh1VktmZGN3cXhrZz09AAIAB2F3cy1rbXMAR2Fybjphd3M6a21zOnVzLXdlc3QtMjo5OTk5OTk5OTk6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZjAIhHYXJuOmF3czprbXM6dXMtd2VzdC0yOjk5OTk5OTk5OTprZXkvYmM0MzY0ODUtNTA5Mi00MmI4LTkyYTMtMGFhOGI5MzUzNmMAAAAAVUO1tqKgbLqMBsdHg05VgY8yk2gDJxxKcvbII6unarm4MNHISFjjCpY41K8ClwuTuRn93Z48Id0t+2ZmAAdhd3Mta21zAEdhcm46YXdzOmttczp1cy13ZXN0LTI6OTk5OTk5OTk5OmtleS9iYzQzNjQ4NS01MDkyLTQyYjgtOTJhMy0wYWE4YjkzNTM2YwCIR2Fybjphd3M6a21zOnVzLXdlc3QtMjo5OTk5OTk5OTk6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZjAAAAAOg9H9NuUsisTJYhBqSiDMsqKQA4fZOLr+MJMwapxhkAf/yT+zBxOUoY/SsluCCIptu59T51W+4/N8VRqAIAABAAX1hx7OYRDIFU4NV8Pi4PtrxQS/D7dPdoKpZWEsmCbJDu+vMTC7ZCVpIeSdCNn5kH/////wAAAAEAAAAAAAAAAAAAAAEAAAAGStSchSe9W3+sdXJ9V1CU1quJ86wgSABoMGYCMQD1q2QYTQ7DUzqxJXoNpvl+FYSKy4W5Aw2YANzNy7Lc9ZLfeVMz1Ltv6GCITSVSCiQCMQCUFJK2OXcV1WZfQUq7GB4SGSbt4seIhZlLxacguQkcQ4BcLOM08KAPJZkNZ/tiAy4=

And the blob that is sent to local-kms:

<Buffer 02 05 78 f2 d2 85 36 23 82 ef f7 66 66 85 d0 89 3f 54 dd 52 e6 db 1e 1d 00 b5 d3 45 8c 9c f9 84 4b fd c8 00 5f 00 01 00 15 61 77 73 2d 63 72 79 70 74 ... 729 more bytes>

Lambda logs:

serverless-1  | × InvalidCiphertextException: UnknownError
serverless-1  |       at de_InvalidCiphertextExceptionRes (/usr/src/app/node_modules/@aws-sdk/client-kms/dist-cjs/index.js:2634:21)
serverless-1  |       at de_CommandError (/usr/src/app/node_modules/@aws-sdk/client-kms/dist-cjs/index.js:2417:19)
serverless-1  |       at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
serverless-1  |       at async /usr/src/app/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
serverless-1  |       at async /usr/src/app/node_modules/@smithy/core/dist-cjs/index.js:165:18
serverless-1  |       at async /usr/src/app/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
serverless-1  |       at async /usr/src/app/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:33:22
serverless-1  |       at async module.exports.handler (/usr/src/app/email.js:163:20)
serverless-1  |       at async MessagePort.<anonymous> (file:///usr/local/lib/node_modules/serverless-offline/src/lambda/handler-runner/worker-thread-runner/workerThreadHelper.js:24:14)

I've tried to retry from start with a backingKey generated with openssl rand -hex 32, but I still have this error message.

Can I have some input to help me solve this, please?

can't decrypt the data

I start up local-kms on port 8081 (because localstack is started at port 8080)

localstack/localstack#206 (comment)

Here is my test result: I can encrypt data, but can't decrypt it.

# Create key is fine.
$ curl -X "POST" "http://localhost:8081/"      -H 'X-Amz-Target: TrentService.CreateKey'      -H 'Content-Type: application/json; charset=utf-8'      -d $'{}'
{"KeyMetadata":{"AWSAccountId":"111122223333","Arn":"arn:aws:kms:eu-west-2:111122223333:key/67c4b713-0ab3-4be2-aac0-6cfd2be15125","CreationDate":1571278255,"Description":"","Enabled":true,"KeyId":"67c4b713-0ab3-4be2-aac0-6cfd2be15125","KeyManager":"CUSTOMER","KeyState":"Enabled","KeyUsage":"ENCRYPT_DECRYPT","Origin":"AWS_KMS"}}
 
# encrypt data is fine.
$ curl -X "POST" "http://localhost:8081/"      -H 'X-Amz-Target: TrentService.Encrypt'      -H 'Content-Type: application/json; charset=utf-8'      -d $'{
  "KeyId": "bc436485-5092-42b8-92a3-0aa8b93536dc",
  "Plaintext": "SGVsbG8="
}'
{"KeyId":"arn:aws:kms:eu-west-2:111122223333:key/bc436485-5092-42b8-92a3-0aa8b93536dc","CiphertextBlob":"S2Fybjphd3M6a21zOmV1LXdlc3QtMjoxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZkYwAAAACH7BBmLEn+3YuYzVEnu1ABJSPrqjz8epykbOnSHwS7gA4="}

# But can't decrypt the data
$ curl -X "POST" "http://localhost:8081/"      -H 'X-Amz-Target: TrentService.Decrypt'      -H 'Content-Type: application/json; charset=utf-8'      -d $'{
  "KeyId": "bc436485-5092-42b8-92a3-0aa8b93536dc",
  "CiphertextBlob": "S2Fybjphd3M6a21zOmV1LXdlc3QtMjoxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZkYwAAAAD39qJkWhnxpBI+ZDosHf3vMcphFfUHYGQ9P9JMzGdLLsYHEWRaw80hxArEdRwt3eI1W6sJcSOjOXLyrvw="
}'

{"__type":"InvalidCiphertextException"}
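
In each of the decryption issues above, local-kms expects the key ARN and a backing-key version at the front of the blob and rejects anything else. The following is an added example (my code, not local-kms's): it unpacks that envelope as inferred from the base64 blobs quoted above, and it recognises the `02 05 78` prefix of the cognito-local blob as an AWS Encryption SDK v2 message header, which KMS Decrypt on its own cannot consume. Two assumptions about local-kms are made explicit in the comments: the version field is big-endian, and a version at or beyond the number of seeded BackingKeys is what produces "required version of backing key is invalid".

```python
# Added example (mine, not local-kms's code). Layout of a local-kms
# CiphertextBlob as inferred from the base64 samples quoted in the issues:
#   [1 byte ident length][ident][4 byte backing-key version][nonce+ciphertext]
# Assumptions about local-kms: the version is big-endian, and a version >=
# len(BackingKeys) is what triggers "required version of backing key is
# invalid". The ESDK constants are AWS Encryption SDK message-format values.
import base64
import struct
from dataclasses import dataclass


@dataclass
class LocalKmsBlob:
    key_ident: str      # ARN of the CMK the blob was produced under
    key_version: int    # index into that CMK's BackingKeys list
    payload: bytes      # nonce + AES-GCM ciphertext + tag, left opaque here


class BlobFormatError(ValueError):
    pass


# AWS Encryption SDK message-format v2 header: 0x02, then a 2-byte algorithm
# suite id; 0x0478 / 0x0578 are the key-committing suites (0x0578 also signs).
ESDK_V2_VERSION = 0x02
ESDK_V2_SUITES = {0x0478, 0x0578}


def looks_like_esdk_message(blob: bytes) -> bool:
    """True when the leading bytes match an AWS Encryption SDK v2 header."""
    if len(blob) < 3 or blob[0] != ESDK_V2_VERSION:
        return False
    return struct.unpack(">H", blob[1:3])[0] in ESDK_V2_SUITES


def pack_local_kms_blob(key_ident: str, key_version: int, payload: bytes) -> bytes:
    """Build a blob in the inferred layout (used here to construct samples)."""
    ident = key_ident.encode("ascii")
    if len(ident) > 255:
        raise BlobFormatError("ident longer than one length byte allows")
    return bytes([len(ident)]) + ident + struct.pack(">I", key_version) + payload


def unpack_local_kms_blob(blob: bytes) -> LocalKmsBlob:
    """Split a blob exactly as the inferred layout says, without validating it."""
    if len(blob) < 5:
        raise BlobFormatError("blob shorter than its fixed header")
    ident_len = blob[0]
    if len(blob) < 5 + ident_len:
        raise BlobFormatError("ident length runs past the end of the blob")
    try:
        ident = blob[1:1 + ident_len].decode("ascii")
    except UnicodeDecodeError:
        raise BlobFormatError("ident is not ASCII") from None
    version = struct.unpack(">I", blob[1 + ident_len:5 + ident_len])[0]
    return LocalKmsBlob(ident, version, blob[5 + ident_len:])


def diagnose(blob: bytes, backing_key_count: int) -> str:
    """Classify a blob before handing it to Decrypt. Mirrors the two warnings
    seen above: a bogus ident ("Key ... does not exist") and a version beyond
    the seeded BackingKeys ("required version of backing key is invalid")."""
    if looks_like_esdk_message(blob):
        return "aws-encryption-sdk-message"  # needs the ESDK, not KMS Decrypt alone
    try:
        parsed = unpack_local_kms_blob(blob)
    except BlobFormatError:
        return "malformed"
    if not parsed.key_ident.startswith("arn:aws:kms:"):
        return "ident-is-not-a-key-arn"
    if parsed.key_version >= backing_key_count:
        return "invalid-backing-key-version"
    return "ok"


# CiphertextBlob quoted verbatim from the "can't decrypt the data" issue above
# (an Encrypt of "Hello"), and the first bytes of the Buffer printed in the
# cognito-local issue.
PAGE_BLOB = base64.b64decode(
    "S2Fybjphd3M6a21zOmV1LXdlc3QtMjoxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJi"
    "OC05MmEzLTBhYThiOTM1MzZkYwAAAACH7BBmLEn+3YuYzVEnu1ABJSPrqjz8epykbOnSHwS7gA4="
)
COGNITO_PREFIX = bytes.fromhex(
    "020578f2d285362382eff7666685d0893f54dd52e6db1e1d00b5d3458c9cf9844bfdc8005f"
)
```

Running `unpack_local_kms_blob(COGNITO_PREFIX)` shows what local-kms sees when handed that blob: an ident of two bytes and a version of 0xF2D28536, far beyond any seeded BackingKeys list.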

Update go version

Could you publish a new version of your docker image?
It's currently using 1.17.9, which contains several CVEs. The CVEs would be solved by using 1.17.13.

Proposal: Upgrade to Go Modules

When I run this command locally I get a compile error:

$ go get -u github.com/nsmithuk/local-kms
# github.com/nsmithuk/local-kms/src/handler
../go/src/github.com/nsmithuk/local-kms/src/handler/create_key.go:24:21: multiple-value uuid.NewV4() in single-value context

It looks like this package is using an old package manager and requires use of dep ensure.

Migrating to Go Modules would make it easier to use and develop on this tool using standard Go tools.

If I check out the code and initialize the Go module with the commands below, the code compiles fine:

$ git clone https://github.com/nsmithuk/local-kms
$ cd local-kms
$ go mod init github.com/nsmithuk/local-kms
go: creating new go.mod: module github.com/nsmithuk/local-kms
go: copying requirements from Gopkg.lock
$ go mod tidy
...
$ go run .
INFO[2020-07-10 13:50:00.644] No file found at path /init/seed.yaml; skipping seeding.
INFO[2020-07-10 13:50:00.644] Data will be stored in /tmp/local-kms
INFO[2020-07-10 13:50:00.645] Local KMS started on 0.0.0.0:8080

Proposal: `go fmt` this codebase

I am currently working on implementing some of the missing KMS functionality in this repository (importing key material). I have my local IDE set up to run go fmt on file save, which results in a much larger change set than is strictly needed and slows me down, as I now need to try and selectively pick out my changes from the linting changes made by gofmt when committing. This has left me wondering if you would be open to using gofmt to ensure a consistent coding style on this repo?

For a sample of the changes:

This would resolve spacing issues seen here

local-kms/src/cmk/key.go

Lines 14 to 23 in f1cc916

type CustomerMasterKeySpec string
const (
SpecSymmetricDefault CustomerMasterKeySpec = "SYMMETRIC_DEFAULT"
SpecEccNistP256 CustomerMasterKeySpec = "ECC_NIST_P256"
SpecEccNistP384 CustomerMasterKeySpec = "ECC_NIST_P384"
SpecEccNistP521 CustomerMasterKeySpec = "ECC_NIST_P521"
SpecRsa2048 CustomerMasterKeySpec = "RSA_2048"
SpecRsa3072 CustomerMasterKeySpec = "RSA_3072"
SpecRsa4096 CustomerMasterKeySpec = "RSA_4096"
)

and also adjustments like:

_, ok := err.(base64.CorruptInputError)
if ok {

vs

_, ok := err.(base64.CorruptInputError); if ok {

and a bunch of other smaller differences in style in various places.

ScheduleKeyDeletion returns `DeletionDate` in Standard Form

On successfully calling ScheduleKeyDeletion, the timestamp in the DeletionDate field returned from AWS is encoded in Scientific Notation/Standard Form. Local KMS returns the value as a standard integer.

For example:
AWS returns: 1.5565824E9
Local KMS returns: 1556582400

AWS' SDKs appear to transparently accept either correctly.

There appears to be no easy way to force Go to output the value as a number in scientific notation. The community consensus seems to be that, as the interpreter should read both numbers identically, Go is working as expected.

[Discussion]Is it possible to manage the key store through AWS XKS

Is it possible to manage the key store through AWS XKS proxy instead of a local database or configuration file?

I'm not suggesting replacing the local database, but rather exploring the possibility of supporting multiple modes where users can choose to either store the keys locally or derive them from a remote XKS API.

Scenario

Our customers may have three different deployment modes:

  1. Cloud: directly using AWS KMS + XKS ✅
  2. Offline on-premise deployment: using local-kms ✅
  3. Online on-premise deployment: using local-kms + XKS ❓

I would like to discuss the feasibility of using the third option.

Key Alias+ARN 'Not Found' for Sign

Hello,

I'm creating an RSA key pair and associating an alias:

#!/bin/bash
echo "Installing JQ"
apt-get update && apt-get -y install jq

echo "Creating Asymmetric Keys in KMS"
KEY_ID=$(awslocal kms create-key \
  --description "Used to sign and verify JWTs." \
  --key-usage "SIGN_VERIFY" \
  --key-spec "RSA_2048" \
  --origin "AWS_KMS" \
  --tags "TagKey=ServiceName,TagValue=s-auth" \
  --no-multi-region \
  | jq -r '.KeyMetadata.KeyId')

# Create Alias
echo "Creating and Associating Alias 'jwt-sign' to key ${KEY_ID}"
awslocal kms create-alias \
  --alias-name "alias/jwt-sign" \
  --target-key-id $KEY_ID

I'm finding that functions like encrypt and decrypt can successfully use the alias:

awslocal kms encrypt --plaintext=test --key-id=alias/jwt-sign --output json
{
    "CiphertextBlob": "OGRjZGQzMmQtYWQ3Yi00ZjY4LTk4NjUtZTEyNTkxOTFlZThmTvH4FB8gss72/B1fc5iHihqDosir9CyocxwPj7rvCck=",
    "KeyId": "arn:aws:kms:eu-west-1:000000000000:key/8dcdd32d-ad7b-4f68-9865-e1259191ee8f"
}

However, using the alias or arn for the sign operation fails, and only works if I use the Key ID directly:

# failure using alias
awslocal kms sign --key-id=alias/jwt-sign --signing-algorithm=RSASSA_PSS_SHA_256 --message eyJoZWxsbyI6IndvcmxkIn0=

An error occurred (NotFoundException) when calling the Sign operation: Key ID alias/jwt-sign not found for signing

# failure using arn
awslocal kms sign --key-id=arn:aws:kms:eu-west-1:000000000000:key/8dcdd32d-ad7b-4f68-9865-e1259191ee8f --signing-algorithm=RSASSA_PSS_SHA_256 --message eyJoZWxsbyI6IndvcmxkIn0=

An error occurred (NotFoundException) when calling the Sign operation: Key ID arn:aws:kms:eu-west-1:000000000000:key/8dcdd32d-ad7b-4f68-9865-e1259191ee8f not found for signing

# success using key id directly
awslocal kms sign --key-id=8dcdd32d-ad7b-4f68-9865-e1259191ee8f --signing-algorithm=RSASSA_PSS_SHA_256 --message eyJoZWxsbyI6IndvcmxkIn0=
{
    "KeyId": "8dcdd32d-ad7b-4f68-9865-e1259191ee8f",
    "Signature": "cAQRRZ9G1trJHKiT8sTjl9haNlq7SJ8PoA7Fmhp+QuyhASOS4F8eSqVBLNbrRbFqzfj9DN0OLZJlJjL+ufq/QjbKCuAxjbveGdlIbZ8pCAqr5hkPmyafi8oXpQ6FyANC0/CdffRu2YJR08gj8RRv2mv7eTgmjTAC1O6t9b21IIlEazbEiYo7gd+wFLBSkWZ1nT6Iwjk3zuKk22amb2+I5xSef9Q/bMX4iwZhpoUtoLZyeowVqs1EtuvBBq1GApwoOjjBZdjX4WQ8MpHgC+aS+Yznd9Jm1AjqV2oFb2aWfgC6dxWK7udtZ75sVEw0iMWJ58GHihQGh6ST2C7cqKsXwg==",
    "SigningAlgorithm": "RSASSA_PSS_SHA_256"
}

I'm unsure if this is a quirk of aliases in KMS, or a bug in local-kms - any pointers would be greatly appreciated.

panic: file missing

I've somehow gotten myself into a state where running local-kms with any arguments results in:

❯ local-kms -vvv --help 
INFO[2023-11-30 18:54:38.709] Local KMS Version Unknown (Commit Hash Unknown) 
panic: file missing

goroutine 1 [running]:
github.com/nsmithuk/local-kms/src/data.NewDatabase(...)
        github.com/nsmithuk/local-kms/src/data/database.go:15
github.com/nsmithuk/local-kms/src.Run({0x964759, 0x4}, {0x968bf0, 0xf})
        github.com/nsmithuk/local-kms/src/server.go:19 +0x356
main.main()
        github.com/nsmithuk/local-kms/start.go:111 +0x57d

any ideas?

Implement seeding of Asymmetric Keys

Hi

We have a requirement for stable asymmetric keys for signing. I have created a PR for it.

Pull request

There is a bit of duplication in the code which could be improved by someone with more experience.
I'm pretty new to Go; I only started today and this is my first code 😄.

The existing code was very easy to follow and logically structured which made it really easy.

Notes:
I have only coded this, no tests, no docs. If you think the approach is OK I can do the docs.
There is a bash script for generating some YAML for the seed (I can put this in docs).

p.s. thanks for a great product. It really helps us out in development and testing (we are using local KMS in localstack)

Publish `arm64` docker images

When I run the image published on dockerhub on an M1 Mac, I get the following output:

❯ docker run nsmithuk/local-kms
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
INFO[2022-03-30 14:56:22.026] Local KMS Version Unknown (Commit Hash Unknown)
INFO[2022-03-30 14:56:22.061] No file found at path /init/seed.yaml; skipping seeding.
INFO[2022-03-30 14:56:22.061] Data will be stored in /data
INFO[2022-03-30 14:56:22.061] Local KMS started on 0.0.0.0:8080

and when I build the image locally and run it:

INFO[2022-03-30 14:56:15.329] Local KMS Version Unknown (Commit Hash Unknown)
INFO[2022-03-30 14:56:15.335] No file found at path /init/seed.yaml; skipping seeding.
INFO[2022-03-30 14:56:15.335] Data will be stored in /data
INFO[2022-03-30 14:56:15.335] Local KMS started on 0.0.0.0:8080

I think it's just a matter of configuring the deployment pipeline to build multiple architectures and push them to dockerhub.

importing secp256k1

seed.yml

Keys:
  Asymmetric:
    Ecc:
      - Metadata:
          KeyId: 73a7f626-67eb-4b4c-aaaf-ac91b6aea43b
          KeyUsage: SIGN_VERIFY
          Description: ECC key with curve secp256k1
        PrivateKeyPem: |
          -----BEGIN EC PRIVATE KEY-----
          MHQCAQEEINMXSNwP0WbqumEgo0m3HPwB66aneeUIxVqj3uvOERU8oAcGBSuBBAAK
          oUQDQgAEt49ajeJo+cBu2nI8Gi2mxm0LRguz/MpvkTKw+YVffDbhkGMDmKpjRoOQ
          W8zBgVIFtF+ty+zoPfPesdhybjYK2A==
          -----END EC PRIVATE KEY-----

docker-compose up kms
Starting ops_kms_1 ... done
Attaching to ops_kms_1
kms_1                        | 2022/03/30 12:23:09 build started
kms_1                        | Building ....
kms_1                        | go build: -i flag is deprecated
kms_1                        | 2022/03/30 12:23:09 build completed
kms_1                        | Running ...
kms_1                        | INFO[2022-03-30 12:23:09.719] Local KMS Version Unknown (Commit Hash Unknown) 
kms_1                        | WARN[2022-03-30 12:23:09.728] Error parsing YAML at path /init/seed.yaml: Error unmarshaling YAML: Unable to decode pem of key 73a7f626-67eb-4b4c-aaaf-ac91b6aea43b, Ensure it is in PKCS8 format with no password: x509: unknown elliptic curve.
kms_1                        | ; attempting to parse legacy format. 
kms_1                        | ERRO[2022-03-30 12:23:09.728] Error parsing YAML at path /init/seed.yaml: yaml: unmarshal errors:
kms_1                        |   line 3: cannot unmarshal !!map into []cmk.AesKey; skipping. 
kms_1                        | INFO[2022-03-30 12:23:09.728] Data will be stored in /data                 
kms_1                        | INFO[2022-03-30 12:23:09.728] Local KMS started on 0.0.0.0:8080

  kms:
    image: local-kms_kms:latest
    volumes:
      - type: bind
        source: ./seed.yaml
        target: /init/seed.yaml
    ports:
      - 8080:8080

keys generated with:

function ecckey() {
  local curve=$1
  if ! [[ "$curve" =~ ^(secp256r1|secp384r1|secp521r1|secp256k1)$ ]]; then
    echo "Curve must be one of: secp256r1 secp384r1 secp521r1 secp256k1"
    return 1
  fi
  local keyId
  keyId=$(uuidgen | tr '[:upper:]' '[:lower:]')

  # The heredoc-style body is left unindented because it is emitted as YAML.
  echo "
Keys:
  Asymmetric:
    Ecc:
      - Metadata:
          KeyId: ${keyId}
          KeyUsage: SIGN_VERIFY
          Description: ECC key with curve ${curve}
        PrivateKeyPem: |
$(openssl ecparam -name ${curve} -genkey -noout | sed 's/^/          /')
"
}

The claim is that secp256k1 is supported: https://github.com/nsmithuk/local-kms/blob/1cd79814ca22aec2b54eca17968ef1ab039a9e8d/src/x509/README.md
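
The WARN above asks for PKCS8 and reports an unknown curve, while the key generated by `openssl ecparam -genkey` is in SEC1 "EC PRIVATE KEY" framing. As an added check (my code, not local-kms's), the following reports each Ecc PrivateKeyPem's framing and named curve before the container is started, and whether Go's standard crypto/x509 parser recognises that curve (it does not know secp256k1); the sample keys it builds use a placeholder scalar, not real key material.

```python
# Added example (mine, not local-kms's code): pre-flight check for the Ecc
# PrivateKeyPem entries of a seed.yaml. Reports the PEM framing (SEC1
# "EC PRIVATE KEY" vs PKCS#8 "PRIVATE KEY") and the named curve, plus whether
# Go's crypto/x509 knows that curve. Only the DER structure is walked.
import base64
import re

# curve OID -> (name, recognised by Go crypto/x509's namedCurveFromOID)
CURVES = {
    "1.2.840.10045.3.1.7": ("secp256r1 / P-256", True),
    "1.3.132.0.33": ("secp224r1 / P-224", True),
    "1.3.132.0.34": ("secp384r1 / P-384", True),
    "1.3.132.0.35": ("secp521r1 / P-521", True),
    "1.3.132.0.10": ("secp256k1", False),
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(value: bytes) -> str:
    """Decode DER OID content octets to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_ec_pem(pem: str) -> dict:
    """Return format, curve OID, curve name and Go-x509 acceptance for one PEM."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    _, body, _ = _tlv(der, 0)                    # outer SEQUENCE
    _, _, pos = _tlv(body, 0)                    # version INTEGER
    if label == "EC PRIVATE KEY":                # SEC1 / RFC 5915 ECPrivateKey
        fmt = "sec1"
        _, _, pos = _tlv(body, pos)              # OCTET STRING: private scalar
        tag, params, _ = _tlv(body, pos)         # [0] EXPLICIT ECParameters
        if tag != 0xA0:
            raise ValueError("SEC1 key carries no named-curve parameters")
        _, oid_bytes, _ = _tlv(params, 0)
    elif label == "PRIVATE KEY":                 # PKCS#8 PrivateKeyInfo
        fmt = "pkcs8"
        _, alg, _ = _tlv(body, pos)              # AlgorithmIdentifier SEQUENCE
        _, alg_oid, pos = _tlv(alg, 0)
        if _oid(alg_oid) != ID_EC_PUBLIC_KEY:
            raise ValueError("PKCS#8 key is not an EC key")
        _, oid_bytes, _ = _tlv(alg, pos)         # parameters: named curve OID
    else:
        raise ValueError(f"unexpected PEM label {label!r}")
    oid = _oid(oid_bytes)
    name, ok = CURVES.get(oid, (f"unknown ({oid})", False))
    return {"format": fmt, "curve_oid": oid, "curve": name, "go_x509_ok": ok}


# Constructed samples for exercising the checker: the 32-byte scalar is a
# placeholder, not a real key. Short-form DER lengths suffice at these sizes.
def _der(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value

def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def sample_sec1_pem(curve_oid: bytes) -> str:
    body = _der(0x02, b"\x01") + _der(0x04, b"\x11" * 32) + _der(0xA0, _der(0x06, curve_oid))
    return _pem("EC PRIVATE KEY", _der(0x30, body))

def sample_pkcs8_pem(curve_oid: bytes) -> str:
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201")) + _der(0x06, curve_oid))
    ec_key = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x11" * 32))
    return _pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00") + alg + _der(0x04, ec_key)))
```

The PEM text can be passed exactly as it sits indented under `PrivateKeyPem: |` in the seed file; the whitespace is stripped before decoding.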

[question] HTTPS support

How can I use the server with HTTPS?
(The ClientEncryption of older pymongo versions only works with TLS.)

GLIBC not found

Hi there.

There's an issue with glibc library.

Possible conditions:

  • Localstack version: 2.1.0
  • local-kms version: 3.11.5
  • Host Ubuntu 20.04.

Issue:
local-kms provider fails to start with repeated errors:

[container-267b98d4a74d] 2023-08-07T09:22:43.599  INFO --- [functhread33] l.s.kms.local_kms_server   : /var/lib/localstack/lib/local-kms/latest/local-kms_linux-amd64.bin: /lib/x86_64-linux-gnu/libc.so.6: version 'GLIBC_2.32' not found (required by /var/lib/localstack/lib/local-kms/latest/local-kms_linux-amd64.bin)

[container-267b98d4a74d] 2023-08-07T09:22:43.599  INFO --- [functhread33] l.s.kms.local_kms_server   : /var/lib/localstack/lib/local-kms/latest/local-kms_linux-amd64.bin: /lib/x86_64-linux-gnu/libc.so.6: version 'GLIBC_2.34' not found (required by /var/lib/localstack/lib/local-kms/latest/local-kms_linux-amd64.bin)

[container-267b98d4a74d] 2023-08-07T09:22:43.599  INFO --- [functhread33] localstack.utils.run       : Restarting process (received exit code 1): ['/var/lib/localstack/lib/local-kms/latest/local-kms_linux-amd64.bin']

Possible reason:

Is there anything that can be done about this issue?

Thanks in advance.

Unable to do encrypt/decrypt roundtrip with key aliases

Hi @nsmithuk - thanks for providing this great library. (As you know, we're happily using it in LocalStack.)

Question regarding encrypt/decrypt roundtrip - this might be related to incorrect usage, or potentially may point to an issue in the implementation.

$ key_id=$(awslocal kms create-key | jq -r '.KeyMetadata.KeyId')
$ awslocal kms create-alias --alias-name alias/test --target-key-id $key_id
...
$ encrypted=$(awslocal kms encrypt --plaintext=test --key-id=alias/test --query=CiphertextBlob --output text)

$ # attempting to decrypt, without key-id specified
$ awslocal kms decrypt --output text  --query=CiphertextBlob --ciphertext-blob $encrypted
An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

$ # attempting to decrypt, with key-id specified
$ awslocal kms decrypt --key-id $key_id --output text  --query=CiphertextBlob --ciphertext-blob $encrypted
An error occurred (InvalidCiphertextException) when calling the Decrypt operation: 

If you can point us in the right direction, we can also try to contribute a PR to fix this issue (just wanted to confirm first if there's a workaround for this). Thanks for your help!

Missing TrentService.GetKeyPolicy for Terraform.

Seems this local implementation is missing TrentService.GetKeyPolicy for Terraform. I am able to deploy a kms key locally using this lib, but refreshing the state seems to require another route that isn't implemented. I could take a swing at it, see if I can create it myself.

[Vulnerability] btcsuite/btcd 0.22.0-beta

pkg:golang/github.com/btcsuite/btcd@0.22.0-beta  [Vulnerable]
1 known vulnerabilities affecting installed version

(...) Improper Restriction of Operations within the Bounds of a Memory Buffer
btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other 
Bitcoin-related products, mishandles witness size checking.

You should update the github.com/btcsuite/btcd version to fix the issue

Link: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMBTCSUITEBTCDWIRE-3105848

Push image to AWS ECR

Hi,

I would love to see this docker image in the public AWS registry too.
https://gallery.ecr.aws/

I think the biggest benefit would be not being dependent on the rate limiting, and a lot of users would probably run it in AWS anyway.
