/
aws.go
57 lines (48 loc) · 1.38 KB
/
aws.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
package signer
import (
"crypto/ecdsa"
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/kms"
)
type AWSSigner struct {
client *kms.KMS
keyARN string
publicKey ecdsa.PublicKey
}
// NewAWSSigner creates a new AWS signer with the provided signing key
func NewAWSSigner(client *kms.KMS, keyARN string) (*AWSSigner, error) {
// Get public key from KMS
key, err := client.GetPublicKey(&kms.GetPublicKeyInput{KeyId: &keyARN})
if err != nil {
return nil, fmt.Errorf("signer: unable to get public key: %w", err)
}
// Convert to ecdsa.PublicKey
pk, err := pemToPubkey(key.PublicKey)
if err != nil {
return nil, fmt.Errorf("signer: failed to decode public key: %w", err)
}
return &AWSSigner{
client: client,
keyARN: keyARN,
publicKey: *pk,
}, nil
}
// GetPublicKey returns a public key
func (c *AWSSigner) GetPublicKey() ecdsa.PublicKey {
return c.publicKey
}
// Sign the given digest using a KMS key and return ECDSA signature
func (c *AWSSigner) Sign(digest []byte) (SignatureECDSA, error) {
// Call the API
res, err := c.client.Sign(&kms.SignInput{
KeyId: aws.String(c.keyARN),
Message: digest,
MessageType: aws.String(kms.MessageTypeDigest),
SigningAlgorithm: aws.String(kms.SigningAlgorithmSpecEcdsaSha256),
})
if err != nil {
return nil, err
}
return recoverAndVerify(digest, res.Signature, c.publicKey)
}