This is a simple implementation of the XKS API. Not intended for production use (secrets are hardcoded in various places here), but may be useful if you're interested in messing around with XKS.
I used SSH port forwarding to a public EC2 instance so that I could test and debug live requests with a real certificate.
TODO: Add some more documentation on how to use this.
NOTE: The rest of the documentation may be out of date.
Important: This is not meant for production use.
make init
./tests/test.sh
NOTE: the test.sh script tries to find the local IP of your host; if testing isn't working, check that first. You can probably change this to localhost if you are on Linux.
openssl rand 32 | base64
URI: https://<server>[/<path-prefix>]/kms/xks/v1/keys/<key-id>/metadata
URI: https://<server>[/<path-prefix>]/kms/xks/v1/keys/<key-id>/encrypt
URI: https://<server>[/<path-prefix>]/kms/xks/v1/keys/<key-id>/decrypt
URI: https://<server>[/<path-prefix>]/kms/xks/v1/health
HTTP Method: POST URI: https://<server>[/<path-prefix>]/kms/xks/v1/keys/<key-id>/metadata
{
"requestMetadata": {
"awsPrincipalArn": "arn:aws:iam::123456789012:user/Alice",
"kmsOperation": "CreateKey",
"kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae"
}
}
{
"requestMetadata": {
"awsPrincipalArn": "arn:aws:iam::123456789012:user/Alice",
"kmsKeyArn": "arn:aws:kms:us-east-2:123456789012:/key/1234abcd-12ab-34cd-56ef-1234567890ab",
"kmsOperation": "Encrypt",
"kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae",
"kmsViaService": "ebs"
},
"additionalAuthenticatedData": "cHJvamVjdD1uaWxlLGRlcGFydG1lbnQ9bWFya2V0aW5n",
"plaintext": "SGVsbG8gV29ybGQh",
"encryptionAlgorithm": "AES_GCM",
"ciphertextDataIntegrityValueAlgorithm": "SHA_256"
}
HTTP Method: POST URI: https://<server>[/<path-prefix>]/kms/xks/v1/keys/<key-id>/encrypt
{
"requestMetadata": {
"awsPrincipalArn": "arn:aws:iam::123456789012:user/Alice",
"kmsKeyArn": "arn:aws:kms:us-east-2:123456789012:/key/1234abcd-12ab-34cd-56ef-1234567890ab",
"kmsOperation": "Encrypt",
"kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae",
"kmsViaService": "ebs"
},
"additionalAuthenticatedData": "cHJvamVjdD1uaWxlLGRlcGFydG1lbnQ9bWFya2V0aW5n",
"plaintext": "SGVsbG8gV29ybGQh",
"encryptionAlgorithm": "AES_GCM",
"ciphertextDataIntegrityValueAlgorithm": "SHA_256"
}
{
"authenticationTag": "vBxN2ncH1oEkR8WVXpmyYQ==",
"ciphertext": "ghxkK1txeDNn3q8Y",
"ciphertextDataIntegrityValue": "qHA/ImC9h5HsLRXqCyPmWgYx7tzyoTplzILbP0fPXsc=",
"ciphertextMetadata": "a2V5X3ZlcnNpb249MQ==",
"initializationVector": "HMrlRw85cAJUd5Ax"
}
HTTP Method: POST URI: https://<server>[/<path-prefix>]/kms/xks/v1/keys/<key-id>/decrypt
{
"requestMetadata": {
"awsPrincipalArn": "arn:aws:iam::123456789012:user/Alice",
"kmsKeyArn": "arn:aws:kms:us-east-2:123456789012:/key/1234abcd-12ab-34cd-56ef-1234567890ab",
"kmsOperation": "Decrypt",
"kmsRequestId": "5112f4d6-db54-4af4-ae30-c55a22a8dfae",
"kmsViaService": "ebs"
},
"additionalAuthenticatedData": "cHJvamVjdD1uaWxlLGRlcGFydG1lbnQ9bWFya2V0aW5n",
"encryptionAlgorithm": "AES_GCM",
"ciphertext": "ghxkK1txeDNn3q8Y",
"ciphertextMetadata": "a2V5X3ZlcnNpb249MQ==",
"initializationVector": "HMrlRw85cAJUd5Ax",
"authenticationTag": "vBxN2ncH1oEkR8WVXpmyYQ=="
}
{
"plaintext": "SGVsbG8gV29ybGQh"
}
HTTP Method: POST URI: https://<server>[/<path-prefix>]/kms/xks/v1/health
{
"requestMetadata": {
"kmsRequestId": "4112f4d6-db54-4af4-ae30-c55a22a8dfae",
"kmsOperation": "CreateCustomKeyStore"
}
}
{
"xksProxyFleetSize": 2,
"xksProxyVendor": "Acme Corp",
"xksProxyModel": "Acme XKS Proxy 1.0",
"ekmVendor": "Thales Group",
"ekmFleetDetails": [
{
"id": "hsm-id-1",
"model": "Luna 5.0",
"healthStatus": "DEGRADED"
},
{
"id": "hsm-id-2",
"model": "Luna 5.1",
"healthStatus": "ACTIVE"
}
]
}