Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Request to support signing using AWS KMS keys #334

Open
semmet95 opened this issue Jun 5, 2024 · 9 comments
Open

Request to support signing using AWS KMS keys #334

semmet95 opened this issue Jun 5, 2024 · 9 comments
Labels
enhancement New feature or request

Comments

@semmet95
Copy link

semmet95 commented Jun 5, 2024

Hi,

I'm currently using in-toto-golang to generate an attested dsse envelope, signing it with a locally generated key. I'd like to sign the envelope using a key stored in AWS KMS.
From what I could figure out this would probably require using aws sdk, kms client to be more specific.
I'm not completely sure on how to add this feature, if someone can guide me I'll be happy to contribute.

If anyone knows a workaround on how I can use KMS keys with in-toto-golang I'd love to know that too.

@semmet95 semmet95 added the enhancement New feature or request label Jun 5, 2024
@lukpueh
Copy link
Member

lukpueh commented Jun 5, 2024

FYI: The crypto interface used by the Python in-toto implementation provides an AWSSigner: https://github.com/secure-systems-lab/securesystemslib/blob/main/securesystemslib/signer/_aws_signer.py

Maybe this could be ported to go. Here are some additional infos about the Signer API: https://python-securesystemslib.readthedocs.io/en/latest/signer.html

@adityasaky
Copy link
Member

I also want to loop in @jkjell here. I think in-toto/witness has support for signing using AWS KMS, and I wonder if using that is an option for you @semmet95? We're working behind the scenes to consolidate in-toto-golang's functionality into witness going forward.

@semmet95
Copy link
Author

semmet95 commented Jun 9, 2024

@lukpueh hmm, so does that mean writing different implementations of signing the payload, and storing a field, signer, in the Envelope struct, and initialising it based whatever type of signer you want to use?

@semmet95
Copy link
Author

semmet95 commented Jun 9, 2024

@adityasaky yes I was also wondering if witness AWS KMS support would be added to in-toto-golang.
One question I have about witness KMS signing is if it would generate the same envelope as in-toto-golang currently does.

@lukpueh
Copy link
Member

lukpueh commented Jun 10, 2024

@lukpueh hmm, so does that mean writing different implementations of signing the payload,

Yes.

and storing a field, signer, in the Envelope struct, and initialising it based whatever type of signer you want to use?

No.

I haven't looked at the dsse implementation in in-toto-golang in detail, but the following design worked well for us on the Python side:

  • A Signer interface defines an abstract sign method, which takes arbitrary bytes and returns a signature.
  • A Signer implementation can use e.g. AWS or a local private key file to do the actual signing.
  • The Envelope sign method takes a Signer and calls its sign method with the payload bytes.

IIRC go-securesystemslib has a similar design.

@jkjell
Copy link
Member

jkjell commented Jun 10, 2024

Hey @semmet95! 👋 With respect to your question:

One question I have about witness KMS signing is if it would generate the same envelope as in-toto-golang currently does.

witness has a link attestor option that can output a standard DSSE. I don't think we've done an exact comparison between the generated attestations of each but, if there are differences, we can probably resolve them pretty quickly in Witness.

@semmet95
Copy link
Author

Hi @jkjell
I'm concerned about the attestation format because my use case also involves ingesting these envelopes using GUAC.
I'll check and get back to you about this.

@semmet95
Copy link
Author

Hi @adityasaky I'm wondering if you guys have any timeline regarding consolidating in-toto-golang's functionality into witness 🤔
Also, this means we can completely replace in-toto-golang with witness right?

@pxp928
Copy link
Member

pxp928 commented Jun 14, 2024

Hi @jkjell I'm concerned about the attestation format because my use case also involves ingesting these envelopes using GUAC. I'll check and get back to you about this.

Hey @semmet95, we can make updates on the GUAC side if things are out of sync (if needed).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

5 participants