bug: KMS DeriveSharedSecret should return the raw ECDH secret #12129

Open
@christianholth

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When I try to use derive-shared-secret I do not get the same shared secret as when I derive the secret using openssl.

Using the steps described in the following blog post:
https://aws.amazon.com/blogs/security/announcing-aws-kms-elliptic-curve-diffie-hellman-ecdh-support/

Expected Behavior

When running the "Steps to reproduce", the diff -qs kms.ss openssl.ss command should report that the files are identical.
I think the issue is that the derive-shared-secret function should return the raw ECDH secret, and if a key derivation function is needed it should be performed on the client side.

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

docker run localstack/localstack

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

# 1. Create a P-256 key-agreement key in (Local)KMS and give it an alias
awslocal kms create-key \
    --key-spec ECC_NIST_P256 \
    --key-usage KEY_AGREEMENT \
    --description "Example ECDH key pair"

awslocal kms create-alias \
    --alias-name alias/example-ecdh-key \
    --target-key-id <keyid>

# 2. Export the KMS public key (DER-encoded SubjectPublicKeyInfo)
awslocal kms get-public-key \
    --key-id alias/example-ecdh-key \
    --output text \
    --query PublicKey | base64 --decode > kms_ecdh_public_key.der

# 3. Generate the peer key pair with openssl and convert the KMS key to PEM
openssl ecparam -name P-256 \
    -genkey -out openssl_ecc_private_key.pem

openssl ec -in openssl_ecc_private_key.pem \
    -pubout -outform DER \
    > openssl_ecc_public_key.bin.der

openssl ec -pubin -inform DER -outform PEM \
    -in kms_ecdh_public_key.der \
    -out kms_ecdh_public_key.pem

# 4. Derive the shared secret on both sides and compare the raw bytes
openssl pkeyutl -derive \
    -inkey openssl_ecc_private_key.pem \
    -peerkey kms_ecdh_public_key.pem > openssl.ss

awslocal kms derive-shared-secret \
    --key-id alias/example-ecdh-key \
    --public-key fileb://openssl_ecc_public_key.bin.der \
    --key-agreement-algorithm ECDH \
    --output text --query SharedSecret | base64 --decode > kms.ss

diff -qs kms.ss openssl.ss

Environment

- OS: Ubuntu 22.04.5
- LocalStack:
  LocalStack version: 4.0.4.dev99
  LocalStack Docker image sha: sha256:c8ddf79656370d8270bfbd4907a9231c527dc90bb80389838070d95681120468
  LocalStack build date: 2025-01-10
  LocalStack build git hash: f95f29208

Anything else?

No response
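What "raw ECDH secret" means in practice, as an added example that is not part of the issue report and not LocalStack's or AWS's code: a pure-Python P-256 implementation that produces the value `openssl pkeyutl -derive` writes to `openssl.ss`, namely the 32-byte big-endian x-coordinate of the shared point [d]Q, and then applies HKDF-SHA256 on the client side, which is where the report argues any key derivation belongs. The SubjectPublicKeyInfo helpers mirror the DER files the reproduction steps exchange (`kms_ecdh_public_key.der`, `openssl_ecc_public_key.bin.der`), including the on-curve check a receiver should run on a peer key. The private scalars are generated for the demonstration, the HKDF `info` label is an assumption, and the scalar multiplication is not constant-time, so this is for checking outputs, not for protecting keys.

```python
"""Raw P-256 ECDH (the x-coordinate of [d]Q, as openssl pkeyutl -derive emits it)
plus a client-side HKDF. Pure Python, constants are the NIST P-256 parameters."""
import hashlib
import hmac
import secrets

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# Fixed DER prefix of a P-256 SubjectPublicKeyInfo (openssl -outform DER, KMS
# GetPublicKey); the uncompressed point 04||X||Y follows it.
SPKI_P256_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add; NOT constant-time, illustrative only."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def keygen():
    d = secrets.randbelow(N - 1) + 1  # private scalar in [1, N-1]
    return d, scalar_mult(d, G)


def spki_der(pub):
    x, y = pub
    return SPKI_P256_PREFIX + b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def point_from_spki_der(der):
    n = len(SPKI_P256_PREFIX)
    if not der.startswith(SPKI_P256_PREFIX) or len(der) != n + 65 or der[n] != 4:
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    pt = (int.from_bytes(der[n + 1:n + 33], "big"), int.from_bytes(der[n + 33:], "big"))
    if not on_curve(pt):  # reject invalid-curve points before using them
        raise ValueError("public key is not on P-256")
    return pt


def raw_ecdh_secret(priv, peer_pub):
    """The bytes openssl pkeyutl -derive writes: x([priv]peer_pub), 32 bytes big-endian."""
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not on P-256")
    shared = scalar_mult(priv, peer_pub)
    if shared is None:
        raise ValueError("degenerate shared point")
    return shared[0].to_bytes(32, "big")


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF, the client-side KDF step applied to the raw secret."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


if __name__ == "__main__":
    d_kms, q_kms = keygen()  # stands in for the KMS key pair
    d_ssl, q_ssl = keygen()  # stands in for the openssl key pair
    kms_ss = raw_ecdh_secret(d_kms, point_from_spki_der(spki_der(q_ssl)))
    openssl_ss = raw_ecdh_secret(d_ssl, point_from_spki_der(spki_der(q_kms)))
    print("identical" if kms_ss == openssl_ss else "differ", kms_ss.hex())
    print("derived key:", hkdf_sha256(kms_ss, b"", b"example-ecdh-key").hex())
```

Run as a script it prints "identical" followed by the hex secret both sides computed. An ECDH implementation whose SharedSecret disagrees with this value for the same keys (for example because it hashed or otherwise post-processed the x-coordinate) is not returning the raw ECDH output, which is exactly what the diff in the reproduction steps detects.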

Labels

aws:kms (AWS Key Management Service)
status: backlog (Triaged but not yet being worked on)
type: bug (Bug report)
