
Support AWS KMS Key Aliases

Open hongkongkiwi opened this issue 1 year ago • 3 comments

When using AWS keys (with the system properties workaround mentioned in #226), I have found that when passing the key alias it does not support AWS key aliases, it only supports key IDs. Key aliases are a common way to refer to keys.

In AWS KMS you can refer to a key in the following ways:

  • KMS Key Arn: arn:aws:kms:us-west-1:4292584766675:key/d4a23b1f-6c58-48ed-b0f7-aa09f4bb402b
  • KMS Alias Arn: arn:aws:kms:us-west-1:4292584766675:key/alias/mycool-name or arn:aws:kms:us-west-1:4292584766675:key/alias/here/is/a/path
  • KMS Key ID: d4a23b1f-6c58-48ed-b0f7-aa09f4bb402b
  • KMS Key Alias: alias/mycool-name or alias/here/is/a/path

It would be great if all these different methods could be supported in the jsign key alias parameter. In the AWS CLI tools using any of those as a key-id is valid.

I think probably we could simplify it to look for a regex: ^arn:.*:key/([-a-f0-9]+)$ and ^arn:.*:alias/(.*)$ and ^alias/(.*)$ and ^[-a-f0-9]+$

hongkongkiwi, Jun 03 '24 12:06

I'm not sure the AWS REST API accepts the aliases directly. If it doesn't we have to figure out how to convert the alias into a key id.

ebourg, Jun 03 '24 12:06

According to the docs, they should all be accepted when passed as a keyId. Strange though that the alias/name didn't work. I guess I'll have to dig into the code. Perhaps it is my issue ...

hongkongkiwi, Jun 03 '24 12:06

https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-KeyId

KeyId

Identifies an asymmetric KMS key. AWS KMS uses the private key in the asymmetric KMS key to sign the message. The KeyUsage type of the KMS key must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a KMS key in a different AWS account, you must use the key ARN or alias ARN.

It looks like aliases are accepted by the API.

What error did you get with the alias?

ebourg, Jun 03 '24 14:06
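The four KeyId forms listed in the issue, and the rule from the quoted Sign documentation that all of them are accepted directly, as an added example that is not part of the thread or of jsign: it classifies a KeyId string with anchored regexes (tightened from the proposed ones to pin the service to `kms` and the account to 12 digits) and, assuming as the command in the thread suggests that `--keystore` holds the AWS region, checks an ARN's region against it before any request is made. The alias-ARN layout `arn:aws:kms:REGION:ACCOUNT:alias/NAME` is the one AWS documents; all identifiers in the tests are constructed.

```python
import re

# Regular expressions for the four KeyId forms the issue lists. Compared with
# the patterns proposed in the thread, the two ARN forms pin the service to
# "kms" and capture region and account; every pattern is anchored to the whole
# string so a stray prefix or suffix cannot slip through.
_KEY_ARN = re.compile(r"^arn:([a-z-]+):kms:([a-z0-9-]+):(\d{12}):key/([-a-f0-9]+)$")
_ALIAS_ARN = re.compile(r"^arn:([a-z-]+):kms:([a-z0-9-]+):(\d{12}):alias/(\S+)$")
_ALIAS = re.compile(r"^alias/(\S+)$")
_KEY_ID = re.compile(r"^[-a-f0-9]+$")


def classify_key_id(value):
    """Return a dict describing a KMS KeyId string, or raise ValueError.

    'form' is one of key-arn, alias-arn, alias, key-id. 'region' and
    'account' are only present for the ARN forms: the bare forms say nothing
    about where the key lives, which is why the docs require an ARN for a
    key in another account.
    """
    m = _KEY_ARN.match(value)
    if m:
        return {"form": "key-arn", "region": m.group(2), "account": m.group(3), "name": m.group(4)}
    m = _ALIAS_ARN.match(value)
    if m:
        return {"form": "alias-arn", "region": m.group(2), "account": m.group(3), "name": m.group(4)}
    m = _ALIAS.match(value)
    if m:
        return {"form": "alias", "name": m.group(1)}
    if _KEY_ID.match(value):
        return {"form": "key-id", "name": value}
    raise ValueError("unrecognised KMS KeyId: %r" % value)


def check_key_id(value, keystore_region):
    """Validate a --alias value against the --keystore region before signing.

    Per the Sign API reference quoted in the thread, all four forms are
    accepted as KeyId, so the value is returned unchanged rather than
    resolved to a key ID. The one extra check is that an ARN's embedded
    region matches the region the client was pointed at (assumed here to be
    the --keystore value), so a mismatch fails locally with a clear message
    instead of as a remote lookup error.
    """
    info = classify_key_id(value)
    if "region" in info and info["region"] != keystore_region:
        raise ValueError("key is in %s but --keystore is %s" % (info["region"], keystore_region))
    return value
```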

> It looks like aliases are accepted by the API.
>
> What error did you get with the alias?

I just tested this out and can confirm that the alias works in place of the key-id without any changes to this library. Tested with jsign 7.1.

java -jar jsign-7.1.jar \
    --name Foo \
    --url example.com \
    --replace --alg SHA-256 \
    --storetype AWS \
    --keystore us-east-1 \
-   --alias a1b2c3d4-a1b2-a1b2-a1b2-a1b2c3d4e5f6 \
+   --alias my-kms-id \
    --storepass "foo|bar" \
    --tsaurl tsa.example.com \
    --certfile fullchain.pem \
    foo.exe

tresf, Apr 24 '25 17:04

@tresf Thank you for the feedback, I think I can close the issue now.

ebourg, Apr 24 '25 22:04