AWS KMS documentation Unclear

[ChevronTango]

Description

When trying to use AWS KMS to sign my certs in fulcsio using awskms://[endpoint]/[arn] it took me ages to realize that the endpoint was optional, but the trailing / was not. It's not clear from the guidance that the correct prefix when not specifying the endpoint is awskms:///. The documentation does show examples of this, but I spent longer than I care to admit not noticing 3 slashes and assuming it was meant to be just 2.

There's also a lack of guidance around exactly what IAM role permissions you need in order to call AWS KMS from fulcio. I ended up reading through https://github.com/sigstore/sigstore/blob/main/pkg/signature/kms/aws/client.go to find the full list of commands that needed to be called.

The last point that is unclear is exactly how to go about setting up the certificate chain needed by fulcio to validate KMS. I'm using a Private CA to achieve this with some success, but its taken a very long time to figure out.

[ianhundere]

@ChevronTango how are you going about signing the Private CA w/ KMS?

we've tried using the ca and cert created via kms-issuer , but keep getting errors, x509: certificate specifies an incompatible key usage, even tho we're following the correct spec via the certificate resource:

• https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md

[haydentherapper]

Can you specify your certificate chain?

[ianhundere]

Can you specify your certificate chain?

Yes, we've tried using a local key (which was then imported to KMS) to sign a Private CA created via openssl and that worked, but using kms-issuer hasn't seemed to work so far. We've tried including the CA it's created as well as the certificate it creates.

Any other suggestions in regards to creating/signing a Private CA using KMS?

[haydentherapper]

An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specifies Certificate Sign and CRL Sign only.

[ianhundere]

An incompatible key usage means that the x509 library failed to build a valid chain. I would confirm that your root and intermediate specifies Certificate Sign and CRL Sign only.

hmm, i think it's because the CA it creates doesn't have the correct usages select. don't think this is something you can change using kms-issuer:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication

[ianhundere]

ah, i was able to get it working using step-ca. cheers 🍻

[ChevronTango]

My approach involved creating a simple CSR (can be anything) and using aws-kms-sign-csr to sign it. I then passed it to my root CSA and asked it to sign the CSR using the SubordinateCACertificate_PathLen0_APIPassthrough/V1 template. I gave it an ExtendedKeyUsageType of CODE_SIGNING and filled in all the usual subjects and common names when I passed the CSR through to the CA for signing. I was able to pass this information through using the --api-passthrough option, hence the need for that particular template.

The KMS key in particular was RSA_4096 and I passed it through to Fulcio using awskms:///<kms_arn> along with a certificate bundle containing both the root CA public key and the KMS backed intermediate public key I signed above.

I did all of this in terraform, but was able to achieve a nice reliable and repeatable pattern once I'd figured out all the steps I needed.