Use private-key parameter for KMS keys

atanzu · atanzu · commit b5935a873406 · 2025-01-27T15:12:14.000Z
This commit allows to pass KMS key ARN via the `--private-key`
parameter. The underlying crate `aws-nitro-enclaves-image-format` will
parse the given value and decide if a KMS key or a local key is given.

Parameters `--kms-key-id` and `--kms-key-region` have been
removed.

Signed-off-by: Mark Kirichenko &lt;mkirich@amazon.de&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -20,7 +20,7 @@ page_size = "0.6"
 signal-hook = "0.3"
 ciborium = "0.2"
 driver-bindings = { path = "./driver-bindings" }
-aws-nitro-enclaves-image-format = "0.4"
+aws-nitro-enclaves-image-format = "0.5"
 eif_loader = { path = "./eif_loader" }
 enclave_build = { path = "./enclave_build" }
 openssl = "0.10.66"
diff --git a/eif_loader/Cargo.toml b/eif_loader/Cargo.toml
@@ -8,7 +8,7 @@ rust-version = "1.68"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-aws-nitro-enclaves-image-format = "0.4"
+aws-nitro-enclaves-image-format = "0.5"
 nix = "0.26"
 libc = "0.2"
 vsock = "0.3"
diff --git a/enclave_build/Cargo.toml b/enclave_build/Cargo.toml
@@ -21,6 +21,6 @@ url = "2.4"
 sha2 = "0.9.5"
 futures = "0.3.28"
 
-aws-nitro-enclaves-image-format = "0.4"
+aws-nitro-enclaves-image-format = "0.5"
 tar = "0.4.40"
 flate2 = "1.0.28"
diff --git a/enclave_build/src/lib.rs b/enclave_build/src/lib.rs
@@ -12,9 +12,7 @@ mod yaml_generator;
 
 use aws_nitro_enclaves_image_format::defs::{EifBuildInfo, EifIdentityInfo, EIF_HDR_ARCH_ARM64};
 use aws_nitro_enclaves_image_format::utils::identity::parse_custom_metadata;
-use aws_nitro_enclaves_image_format::utils::{
-    EifBuilder, SignKeyData, SignKeyDataInfo, SignKeyInfo,
-};
+use aws_nitro_enclaves_image_format::utils::{EifBuilder, SignKeyData};
 use docker::DockerUtil;
 use serde_json::json;
 use sha2::Digest;
@@ -71,9 +69,7 @@ impl<'a> Docker2Eif<'a> {
         output: &'a mut File,
         artifacts_prefix: String,
         certificate_path: &Option<String>,
-        key_path: &Option<String>,
-        kms_key_id: &Option<String>,
-        kms_key_region: &Option<String>,
+        private_key: &Option<String>,
         img_name: Option<String>,
         img_version: Option<String>,
         metadata_path: Option<String>,
@@ -102,31 +98,17 @@ impl<'a> Docker2Eif<'a> {
             }
         }
 
-        let sign_key_info = match (kms_key_id, key_path) {
-            (None, None) => None,
-            (Some(kms_id), None) => Some(SignKeyInfo::KmsKeyInfo {
-                id: kms_id.into(),
-                region: kms_key_region.clone(),
-            }),
-            (None, Some(key_path)) => Some(SignKeyInfo::LocalPrivateKeyInfo {
-                path: key_path.into(),
-            }),
-            _ => return Err(Docker2EifError::SignArgsError),
+        let sign_info = match (private_key, certificate_path) {
+            (Some(key), Some(cert)) => SignKeyData::new(key, Path::new(&cert)).map_or_else(
+                |e| {
+                    eprintln!("Could not read signing info: {:?}", e);
+                    None
+                },
+                Some,
+            ),
+            _ => None,
         };
 
-        let sign_info = sign_key_info
-            .map(|key_info| {
-                SignKeyData::new(&SignKeyDataInfo {
-                    cert_path: certificate_path
-                        .as_ref()
-                        .ok_or(Docker2EifError::SignArgsError)?
-                        .into(),
-                    key_info,
-                })
-                .map_err(|_| Docker2EifError::SignArgsError)
-            })
-            .transpose()?;
-
         Ok(Docker2Eif {
             docker_image,
             docker,
diff --git a/enclave_build/src/main.rs b/enclave_build/src/main.rs
@@ -1,7 +1,7 @@
 // Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-use clap::{Arg, ArgAction, ArgGroup, Command};
+use clap::{Arg, ArgAction, Command};
 use std::fs::OpenOptions;
 
 use aws_nitro_enclaves_image_format::generate_build_info;
@@ -68,29 +68,14 @@ fn main() {
         .arg(
             Arg::new("signing-certificate")
                 .long("signing-certificate")
-                .help("Specify the path to the signing certificate"),
+                .help("Specify the path to the signing certificate")
+                .requires("private-key"),
         )
         .arg(
             Arg::new("private-key")
                 .long("private-key")
-                .help("Specify the path to the private-key"),
-        )
-        .arg(
-            Arg::new("kms-key-id")
-                .long("kms-key-id")
-                .help("Specify unique id of the KMS key")
-        )
-        .arg(
-            Arg::new("kms-key-region")
-                .long("kms-key-region")
-                .help("Specify region in which the KMS key resides")
-                .requires("kms-key-id")
-        )
-        .group(
-            ArgGroup::new("signing-key")
-                .args(["kms-key-id", "private-key"])
-                .multiple(false)
-                .requires("signing-certificate")
+                .help("Specify KMS key ARN or the path to the private key file")
+                .requires("signing-certificate"),
         )
         .arg(
             Arg::new("build")
@@ -139,10 +124,6 @@ fn main() {
     let img_name = matches.get_one::<String>("image_name").map(String::from);
     let img_version = matches.get_one::<String>("image_version").map(String::from);
     let metadata = matches.get_one::<String>("metadata").map(String::from);
-    let kms_key_id = matches.get_one::<String>("kms-key-id").map(String::from);
-    let kms_key_region = matches
-        .get_one::<String>("kms-key-region")
-        .map(String::from);
 
     let mut output = OpenOptions::new()
         .read(true)
@@ -163,8 +144,6 @@ fn main() {
         ".".to_string(),
         &signing_certificate,
         &private_key,
-        &kms_key_id,
-        &kms_key_region,
         img_name,
         img_version,
         metadata,
diff --git a/src/common/commands_parser.rs b/src/common/commands_parser.rs
@@ -106,12 +106,8 @@ pub struct BuildEnclavesArgs {
     pub output: String,
     /// The path to the signing certificate for signed enclaves.
     pub signing_certificate: Option<String>,
-    /// The path to the private key for signed enclaves.
+    /// KMS key ARN or path to the private key for signed enclaves.
     pub private_key: Option<String>,
-    /// ID of the KMS key for signed enclaves.
-    pub kms_key_id: Option<String>,
-    /// Region of the KMS key for signed enclaves.
-    pub kms_key_region: Option<String>,
     /// The name of the enclave image.
     pub img_name: Option<String>,
     /// The version of the enclave image.
@@ -141,8 +137,6 @@ impl BuildEnclavesArgs {
             })?,
             signing_certificate: parse_signing_certificate(args),
             private_key: parse_private_key(args),
-            kms_key_id: parse_kms_key_id(args),
-            kms_key_region: parse_kms_key_region(args),
             img_name: parse_image_name(args),
             img_version: parse_image_version(args),
             metadata: parse_metadata(args),
@@ -528,14 +522,6 @@ fn parse_private_key(args: &ArgMatches) -> Option<String> {
     args.get_one::<String>("private-key").map(String::from)
 }
 
-fn parse_kms_key_id(args: &ArgMatches) -> Option<String> {
-    args.get_one::<String>("kms-key-id").map(String::from)
-}
-
-fn parse_kms_key_region(args: &ArgMatches) -> Option<String> {
-    args.get_one::<String>("kms-key-region").map(String::from)
-}
-
 fn parse_image_name(args: &ArgMatches) -> Option<String> {
     args.get_one::<String>("image_name").map(String::from)
 }
@@ -565,7 +551,7 @@ mod tests {
     use crate::common::construct_error_message;
     use crate::create_app;
 
-    use clap::{Arg, ArgGroup, Command};
+    use clap::{Arg, Command};
 
     /// Parse the path of the JSON config file
     fn parse_config_file(args: &ArgMatches) -> NitroCliResult<String> {
diff --git a/src/lib.rs b/src/lib.rs
@@ -58,8 +58,6 @@ pub fn build_enclaves(args: BuildEnclavesArgs) -> NitroCliResult<()> {
         &args.output,
         &args.signing_certificate,
         &args.private_key,
-        &args.kms_key_id,
-        &args.kms_key_region,
         &args.img_name,
         &args.img_version,
         &args.metadata,
@@ -75,8 +73,6 @@ pub fn build_from_docker(
     output_path: &str,
     signing_certificate: &Option<String>,
     private_key: &Option<String>,
-    kms_key_id: &Option<String>,
-    kms_key_region: &Option<String>,
     img_name: &Option<String>,
     img_version: &Option<String>,
     metadata_path: &Option<String>,
@@ -140,8 +136,6 @@ pub fn build_from_docker(
         artifacts_path()?,
         signing_certificate,
         private_key,
-        kms_key_id,
-        kms_key_region,
         img_name.clone(),
         img_version.clone(),
         metadata_path.clone(),
@@ -713,29 +707,14 @@ macro_rules! create_app {
                     .arg(
                         Arg::new("signing-certificate")
                             .long("signing-certificate")
-                            .help("Local path to developer's X509 signing certificate."),
+                            .help("Local path to developer's X509 signing certificate.")
+                            .requires("private-key"),
                     )
                     .arg(
                         Arg::new("private-key")
                             .long("private-key")
-                            .help("Local path to developer's Eliptic Curve private key."),
-                    )
-                    .arg(
-                        Arg::new("kms-key-id")
-                            .long("kms-key-id")
-                            .help("Specify unique id of the KMS key")
-                    )
-                    .arg(
-                        Arg::new("kms-key-region")
-                            .long("kms-key-region")
-                            .help("Specify region in which the KMS key resides")
-                            .requires("kms-key-id")
-                    )
-                    .group(
-                        ArgGroup::new("signing-key")
-                            .args(&["kms-key-id", "private-key"])
-                            .multiple(false)
-                            .requires("signing-certificate")
+                            .help("KMS key ARN or local path to developer's Eliptic Curve private key.")
+                            .requires("signing-certificate"),
                     )
                     .arg(
                         Arg::new("image_name")
diff --git a/src/main.rs b/src/main.rs
@@ -8,7 +8,7 @@
 
 extern crate lazy_static;
 
-use clap::{Arg, ArgGroup, Command};
+use clap::{Arg, Command};
 use log::info;
 use std::os::unix::net::UnixStream;
 
diff --git a/tests/test_nitro_cli_args.rs b/tests/test_nitro_cli_args.rs
diff --git a/tests/tests.rs b/tests/tests.rs
