Implement AWS KMS cryptography (includes #21) #23
Conversation
|
For transparency: I personally only care about #21 and #22, but I decided to write and submit this one as well to ensure myself the API I designed in #21 allowed for implementing KMS. |
|
Also, please do note: because the aws_sdk crates are not yet published to crates.io, this introduces a git dependency. |
puiterwijk
changed the title
|
Unfortunately this feature can't be enabled on crates.io yet, until the AWS SDK is pushed to crates.io, so I'll postpone merging this PR until that happens. |
|
AWS SDK for Rust is now on crates.io, so this can finally be merged: https://crates.io/crates/aws-sdk-kms. |
|
@petreeftime cool. Do you want me to do a rebase again, or is this set to go in? |
|
I wanted to also make the tests run with Github Actions before merging, but I need to create a role and a KMS key in our test account to make it work and didn't quite find time for it. |
|
Fair enough. Just let me know if you need me to do anything else. |
|
Any progress in getting this merged? Thanks! |
|
Any news? We really need this for our deployment. |
|
I've rebased the dev branch I had to the latest commit, but I still need to figure out the testing part for this feature. |
|
I'll do some manual testing as soon as possible, merge and update the crate version to unblock you, and figure out the automated testing afterwards. |
petreeftime
force-pushed
the
crypto-kms
branch
5 times, most recently
from
86ee534
to
e71d8f3
Compare
This implements an abstracted signing crypto module that uses an Amazon Web Services Key Management Service key to sign data. It supports either KMS or local keys for verification. Fixes: awslabs#5 Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This bumps MSRV to 1.58 to allow adding some new dependencies. These dependencies could be kept back to some degree but I am unsure whether this would bring value. At this point, more and more libraries require version 2021, which was introduced with rust 1.56. Signed-off-by: Petre Eftime <epetre@amazon.com>
This fixes the build issues that cropped up from integrating other patches into the repo. Signed-off-by: Petre Eftime <epetre@amazon.com>
Signed-off-by: Petre Eftime <epetre@amazon.com>
This implements an abstracted signing crypto module that uses an Amazon
Web Services Key Management Service key to sign data.
It supports either KMS or local keys for verification.
Fixes: #5
Signed-off-by: Patrick Uiterwijk patrick@puiterwijk.org
This PR is based on top of #21 and #22.
It can be tested by setting the following environment variables:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_DEFAULT_REGIONAWS_KMS_TEST_KEY_ARN- the ARN of the created test keyTEST_KEY_SIG_ALG- a signature algorithm (ES256,ES384orES512) that this key supportsThis test currently does not yet run via GitHub CI, since there's a lack of secrets.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the Apache License Version 2.0, as specified in the LICENSE file of this repository.