
Support KMS parameters used by AWS Nitro Enclaves

Open craigfe opened this issue 3 years ago • 0 comments

Describe the feature

Several KMS operations support an optional Recipient parameter intended for use by applications running in AWS Nitro Enclaves. Iff this flag is passed, a successful response will also contain a CiphertextForRecipient field containing an encrypted form of the data that would otherwise have been in the Plaintext response field (and the Plaintext field is null).

These request/response fields are not yet supported by this SDK, although they are used by the C KMS SDK included in aws-nitro-enclaves-sdk-c. It would be useful to have support for them directly in Go to avoid needing an extra C dependency when running Go binaries inside Nitro enclaves.

Use Case

We have a Go application that runs in a Nitro enclave and needs to be able to present its attestation document to KMS, but cannot depend on an external C library. To support this use-case, we're currently running an internal fork of aws-sdk-go-v2/service/kms that adds support for the necessary request & response parameters.

Proposed Solution

The implementation might look like:

  • add an optional Recipient field to the DecryptInput, GenerateDataKeyInput and GenerateRandomInput structs;
  • add an optional CiphertextForRecipient field to the DecryptOutput, GenerateDataKeyOutput and GenerateRandomOutput structs.

Other Information

Acknowledgements

  • [X] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2/service/[email protected] github.com/aws/[email protected]

Go version used

1.18.4

craigfe, Aug 04 '22 16:08