scripts/sign_encrypt.py: Support signing TAs using AWS KMS
This adds support for signing trusted applications (TAs) using
a customer owned AWS KMS asymmetric key.
When --key is given a valid Amazon Resource Name (ARN) instead of a file
name, the signing operation is delegated to AWS KMS. AWS IAM credentials
are read from environment variables.
Requires boto3 to work correctly.
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Donald Chan <hoiho@amazon.com>
diff --git a/scripts/sign_encrypt.py b/scripts/sign_encrypt.py
index 6075e41..d89833f 100755
--- a/scripts/sign_encrypt.py
+++ b/scripts/sign_encrypt.py
@@ -98,7 +98,9 @@
parser.add_argument('--uuid', required=True,
type=uuid_parse, help='String UUID of the TA')
parser.add_argument('--key', required=True,
- help='Name of signing key file (PEM format)')
+ help='Name of signing key file (PEM format) or an ' +
+ 'Amazon Resource Name (arn:) of an AWS KMS ' +
+ 'asymmetric key')
parser.add_argument('--enc-key', required=False,
help='Encryption key string')
parser.add_argument(
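Review bot: The new help string on the `--key` option does not tell the user where the KMS credentials come from or that the KMS key must be an RSA key, both of which the commit message and the helper name (`_RSAPrivateKeyInKMS`) imply; a user who passes an ARN and gets an access-denied error has nothing in `--help` to point them at the environment. I would extend the help to `'... or an Amazon Resource Name (arn:) of an AWS KMS asymmetric RSA key (AWS credentials are read from the environment)'`. The `get_args` function this option belongs to starts and ends outside the hunk.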
@@ -182,15 +184,22 @@
args = get_args(logger)
- with open(args.key, 'rb') as f:
- data = f.read()
+ if args.key.startswith('arn:'):
+ from sign_helper_kms import _RSAPrivateKeyInKMS
+ key = _RSAPrivateKeyInKMS(args.key)
+ else:
+ with open(args.key, 'rb') as f:
+ data = f.read()
- try:
- key = serialization.load_pem_private_key(data, password=None,
- backend=default_backend())
- except ValueError:
- key = serialization.load_pem_public_key(data,
- backend=default_backend())
+ try:
+ key = serialization.load_pem_private_key(
+ data,
+ password=None,
+ backend=default_backend())
+ except ValueError:
+ key = serialization.load_pem_public_key(
+ data,
+ backend=default_backend())
with open(args.inf, 'rb') as f:
img = f.read()
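Review bot: The dispatch on `args.key.startswith('arn:')` routes any ARN, not just a KMS key or alias ARN, into `_RSAPrivateKeyInKMS`, and a missing boto3 surfaces as a bare ImportError from the deferred import rather than a message naming the requirement the commit description states. Since the ARN is the only thing deciding whether the script goes to the network, I would fail fast on the service segment (the third `:`-separated field is `kms` for both `key/` and `alias/` ARNs) and wrap the import so the error tells the user what to install; `logger` is already in scope here, and the check presumably belongs here rather than in sign_helper_kms, which I cannot see. Note this also means a local key file whose name starts with `arn:` can no longer be opened, which is probably acceptable but worth a comment. The enclosing `main` body continues before and after the hunk.
```python
    if args.key.startswith('arn:'):
        # Only an AWS KMS key/alias ARN makes sense here; reject anything else
        # before we reach the network.  Format: arn:<partition>:kms:<region>:<acct>:<resource>
        parts = args.key.split(':')
        if len(parts) < 6 or parts[2] != 'kms':
            logger.error('--key: not an AWS KMS key ARN: %s', args.key)
            raise SystemExit(1)
        try:
            from sign_helper_kms import _RSAPrivateKeyInKMS
        except ImportError as e:
            logger.error('Signing with AWS KMS requires boto3: %s', e)
            raise SystemExit(1)
        key = _RSAPrivateKeyInKMS(args.key)
    else:
        # … unchanged: PEM private/public key loading …
```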