Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement command 'sign-eif' #406

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Conversation

pro-vlad
Copy link
Contributor

Issue #, if available:
#204
Description of changes:

  • Implemented 'sign-eif' which can be used to sign an existing EIF by using a private key or KMS.
  • Add new arguments for 'describe-eif' for extracting certificate information for images signed with KMS.
  • Add new arguments for 'run-enclave' for validating KMS signed images.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Comment on lines 293 to 297
pub private_key: Option<String>,
/// The region in which the KMS key resides.
pub region: Option<String>,
/// The KMS key id.
pub key_id: Option<String>,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should work as an enum as such { LocalKey(Path), KmsKey(KeyArn, Region) }

impl SignArgs {
/// Construct a new `SignArg` instance from the given command-line arguments.
pub fn new_with(args: &ArgMatches) -> NitroCliResult<Self> {
let signing_method = parse_signing_method(args)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This signing_method argument is really not required. It should be indicated by either the presence of key_id or private_key and no need to have a separate argument for it.

.map_err(|err| err.add_subaction("Parse signing method".to_string()))?;
let private_key = parse_private_key(args);
let region = parse_region(args);
let key_id = parse_key_id(args);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

key_id is a bit hard to interpret as "KMS Key ID". Perhaps kms_key_arn make more sense. Also region is not very obvious.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

region should also be optional. kms_client should load it from .aws/config or from AWS_REGION env variable. Perhaps there's some way to check if any of these are set or not.

src/lib.rs Outdated
.takes_value(true)
.help("The KMS key id.")
.required(false)
.conflicts_with("config"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should also conflict with private_key.

src/lib.rs Outdated
.takes_value(true)
.help("The region in which the KMS key resides.")
.required(false)
.conflicts_with("config"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should conflict with private_key.

@gavinuhma
Copy link

@pro-vlad Thanks for this! Are you still planning to get it merged? We're looking for this feature

pro-vlad and others added 11 commits May 12, 2023 12:03
- Adjust existing tests to work with the changes needed for kms-signing
- Add test for signing existing eifs
- use default region from config if region argument was not provided
- change argument conditions and conflicts
- use async calls to init kms key
- print measurements after signing an existing image
@pro-vlad pro-vlad force-pushed the kms-image-signing branch from d7ba5aa to 979e106 Compare August 7, 2023 15:02
.map(|val| val.to_string());

let signing_key = match (kms_key_arn, private_key_path) {
Copy link

@dwmw2 dwmw2 Oct 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This shouldn't just be a key path. It should accept PKCS#11 URIs and conform to http://david.woodhou.se/draft-woodhouse-cert-best-practice.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants