fbpx

Posted on by admin

Code signing making use of AWS Certificate Manager Personal AWS and CA Crucial Management Services asymmetric keys

In this article, we display you how to mix the asymmetric signing function of the AWS Key Management Service (AWS KMS) and code-signing certificates from the AWS Certificate Manager (ACM)Private Certificate Authority (PCA) program to digitally indication any binary information blob and verify its identification and integrity. AWS KMS makes it simple for you to generate and manage cryptographic keys and manage their use across an array of AWS services sufficient reason for your applications working on AWS. ACM PCA offers you an extremely available personal certificate authority (CA) provider without the upfront expense and ongoing maintenance expenses of operating your personal personal CA. CA administrators may use ACM PCA to produce a full CA hierarchy, including on-line root and subordinate CAs, without the need for external CAs. Making use of ACM PCA, it is possible to provision, rotate, and revoke certificates which are trusted inside your organization.

Traditionally, a person’s signature really helps to validate that an contract was signed by the individual and decided to the terms. Signatures certainly are a big section of our lifestyles, from our driver’s licenses to your home mortgage documents. Whenever a signature will be requested, the individual or entity requesting the signature must verify the validity of the signature and the integrity of the information being signed.

As the web and cryptography analysis evolved, technologists found methods to carry the usefulness of signatures from the analog globe to the digital planet. In the digital entire world, public and private crucial X and cryptography.509 certificates might help with electronic signing, verifying message integrity, and verifying signature authenticity. Basically, an entity—that could be a person, a business, a device, or perhaps a server—can sign a bit of data digitally, and another entity can validate the authenticity of the validate and signature the integrity of the signed data. The info that’s getting signed is actually a document, a program, or any binary data blob.

To learn more regarding AWS KMS asymmetric ACM and keys PCA, see Digital signing with the brand new asymmetric keys feature of AWS KMS and How to host and manage a whole private certificate infrastructure in AWS.

We provide Java program code snippets for every right area of the process in the next steps. In addition, the entire Java program code with the maven build construction file pom.xml are for sale to download out of this GitHub project. The methods below illustrate the various processes which are involved and the associated Java program code snippet. However, you should employ the GitHub project in order to build and run the Java program code successfully.

Let’s have a look at the steps.

1. Create an asymmetric key pair

For digital signing, a code-signing is necessary by you certificate and an asymmetric key pair. In this task, you create an asymmetric key pair using AWS KMS. The below code snippet in the primary method within the file Runner.java can be used to generate the asymmetric key pair within KMS in your AWS account. An asymmetric KMS key with the alias CodeSigningCMK is established.


AsymmetricCMK codeSigningCMK = AsymmetricCMK.builder()
                .withAlias(CMK_ALIAS)
                .getOrCreate();

2. Develop a code-signing certificate

To make a code-signing certificate, you will need a private CA hierarchy, that you create within the ACM PCA service. This runs on the simple CA hierarchy of 1 root CA and something subordinate CA beneath the root as the recommendation is that you shouldn’t utilize the root CA directly for signing code-signing certificates. The certificate authorities are essential to generate the code-signing certificate. The normal name for the main CA certificate is root CA, and the normal name for the subordinate CA certificate is subordinate CA. The next code snippet in the primary method within the file Runner.java can be used to generate the private CA hierarchy.


PrivateCA rootPrivateCA = PrivateCA.builder()
                .withCommonName(ROOT_COMMON_NAME)
                .withType(CertificateAuthorityType.ROOT)
                .getOrCreate();

PrivateCA subordinatePrivateCA = PrivateCA.builder()
        .withIssuer(rootPrivateCA)
        .withCommonName(SUBORDINATE_COMMON_NAME)
        .withType(CertificateAuthorityType.SUBORDINATE)
        .getOrCreate();

3. Develop a certificate signing request

In this task, you develop a certificate signing request (CSR) for the code-signing certificate. The next code snippet in the primary method within the file Runner.java can be used to generate the CSR. The END_ENTITY_COMMON_NAME identifies the normal name parameter of the code signing certificate.


String codeSigningCSR = codeSigningCMK.generateCSR(END_ENTITY_COMMON_NAME);

4. Sign the CSR

In this task, the code-signing CSR is signed by the subordinate CA that has been generated in step two 2 to generate the code-signing certificate.


GetCertificateResult codeSigningCertificate = subordinatePrivateCA.issueCodeSigningCertificate(codeSigningCSR);

Note: The code-signing certificate that’s generated provides the public key of the asymmetric key pair generated in step one 1.

5. Create the custom signed object

The info to be signed is really a simple string: “the info I’d like signed”. Its binary representation is hashed and digitally signed by the asymmetric KMS private key created in step one 1, and a custom signed object which has the signature and the code-signing certificate is established.

The below code snippet in the primary method within the file Runner.java can be used to generate the custom signed object.


CustomCodeSigningObject customCodeSigningObject = CustomCodeSigningObject.builder()
                .withAsymmetricCMK(codeSigningCMK)
                .withDataBlob(TBS_DATA.getBytes(StandardCharsets.UTF_8))
                .withCertificate(codeSigningCertificate.getCertificate())
                .build();

6. Verify the signature

The custom signed object is verified for integrity, and the main CA certificate can be used to verify the chain of trust to verify non-repudiation of the identity that produced the digital signature.

The below code snippet in the primary method within the file Runner.java can be used for signature verification:


String rootCACertificate = rootPrivateCA.getCertificate();
 String customCodeSigningObjectCertificateChain = codeSigningCertificate.getCertificate() + "n" + codeSigningCertificate.getCertificateChain();

 CustomCodeSigningObject.getInstance(customCodeSigningObject.toString())
        .validate(rootCACertificate, customCodeSigningObjectCertificateChain);

In this signature validation process, the validation method shown in the code above retrieves the general public key part of the AWS KMS asymmetric key pair generated in step one 1 from the code-signing certificate. The benefit is had by this technique that credentials to gain access to AWS KMS aren’t needed during signature validation. Any entity which has the main CA certificate loaded in its trust store can verify the signature without needing usage of the AWS KMS verify API.

Note: The implementation outlined in this article can be an example. It doesn’t work with a certificate trust store that’s either section of a browser or section of a file system within the resident operating-system of a device or perhaps a server. The trust store is positioned within an instance of a Java class object for the intended purpose of this post. If you’re planning to utilize this code-signing example in a production system, you must change the implementation to employ a trust store on the host. To take action, it is possible to build and distribute a secure trust store which includes the main CA certificate.

Conclusion

In this article, we showed you what sort of binary data blob could be digitally signed using ACM PCA and AWS KMS and the way the signature could be verified using only the main CA certificate. No secret credentials or information must verify the signature. You can use this technique to create a custom code-signing treatment for address your unique use cases. The Java is supplied by the GitHub repository code and the maven pom.xml which you can use to build and check it out yourself. The README.md file in the GitHub repository shows the instructions to execute the code.

When you have feedback concerning this post, submit comments in the Comments section below. When you have questions concerning this post, take up a new thread on the AWS Certificate Manager forum or contact AWS Support.

Want more AWS Security how-to content, news, and show announcements? Follow us on Twitter.

Writer

Ram Ramani

Ram is really a Security Options Architect at AWS concentrating on data security. Ram works together with customers across various industry verticals to supply them with options that assist with protecting information at relaxation and in transit. In prior functions, Ram constructed ML algorithms for video clip quality optimization and done identity and access administration solutions for financial solutions organizations.

Writer

Kyle Schultheiss

Kyle is really a Senior Software program Engineer on the AWS Cryptography group. He has been focusing on the ACM Personal Certificate Authority support since its inception in 2018. In prior functions, he contributed to additional AWS providers such as for example Amazon Virtual Personal Cloud, Amazon EC2, and Amazon Path 53.