Implemented tough-kms to include AWS KMS as a new keysource

[srgothi92]

Issue #, if available:
N/A

Description of changes:
-tough-kms implements the "KeySource" trait found in tough
-Unit test cases are added for tough-kms utilizing rusoto_mock
-Integration Tests are added in tuftool, to test 3 keysource: tough-kms, tough-ssm, local key.
-To run integration tests use feature flag "integ" while running test

Testing Done:
Ran Unit tests
Ran Integration Tests
Manually created root.json and used kms key for signing.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[zmrow]

Nice work!

I didn't get through tough-kms/tests/all_test.rs, but here's what I have so far.

[srgothi92]

Added comments for Design related questions.

[srgothi92]

I added few other comments in last conversation. But, I could not see them any more. Adding them back.

[webern]

I didn't get all the way through this. It seems like something is wrong with our design if adding a new key source causes a lot of churn in tough. The idea behind the key source trait was to ensure that tough (to the extent possible) doesn't know anything about what's under the hood in a key source.

Leaving the 'heavy lifting' of creating a key outside the realm of tough would be better if it prevents us from adding dependencies to tough.

I know you're working with Zack on this. I'd be happy to join a call to join any discussion. Thanks!

Nice start!

[iliana]

First, run cargo check --all to regenerate the Cargo.lock, and commit that. CI is requiring that your Cargo.lock is accurate and maps to the dependencies you are using across the project.

No Rusoto dependencies should exist in the main tough crate. I moved all of the added structs to tough-kms locally and realized the reason you may have done this: the Sign trait's sign method returns a Result<T, tough::Error> instead of allowing the implementation to return a more generic error. Because we have to implement Sign differently for KMS, this is impossible without adding the code directly to tough.

If you're comfortable with it, modify the Sign::sign trait signature to return a generic error, similar to the methods in KeySource (they return a Result<T, E> where E is Box<dyn std::error::Error + Send + Sync + 'static>>). Alternately, if you like, I can make this change in a separate PR, and you can rebase on top of it and carry on.

[srgothi92]

Response to @iliana comment:
1:
Thanks.

2:
Not just because of Sign trait's sign method returns a Result<T, tough::Error>. In Sign object I would need KmsClient to sign the messages. For LocalKeySource and tough-ssm, sign object has private key available to sign the messages. Which is not the case with Kms. The solution I currently implemented adds rusoto_kms as dependency and makes a call to KMS directly using Kmsclient available with Sign trait. Which definitely is not the right way.
Solution Suggestion 1: I am thinking, if we can expose a module in tough_kms that is used by Sign trait to sign the messages, avoiding direct dependency on KmsClient, not sure if it would result in cyclic dependency. tough_kms provides sign object and sign object needs tough_kms.
Solution Suggestion 2: We can get rid of Sign trait and let KeySource expose sign and tuf_key method. Its upto keySource implementer to cache the private key and use the cached key for multiple sign request.

3:
I can take care of it, if required.

[iliana]

In Sign object I would need KmsClient to sign the messages.

KeySource::as_sign returns a Box<dyn Sign>, and KmsRsaKey (which has your KmsClient) implements Sign. This separation allows you to move KmsRsaKey to tough-kms.

[zmrow]

We just realized that we probably shouldn't create a tokio runtime inside these libraries, so we probably shouldn't ship this until #213 is fixed. :(

[webern]

Nice! As I understand it, because tough-kms needs to implement sign, the sign trait was changed to return a generic error to break dependency cycle. Looks good, looks clean.

[iliana]

Merging this into develop fails to compile — there are two new Sign implementations that need to have their signatures fixed. You'll probably want to rebase and resolve those issues.

I'm fixing that locally and continuing to review.

[srgothi92]

Merging this into develop fails to compile — there are two new Sign implementations that need to have their signatures fixed. You'll probably want to rebase and resolve those issues.

I'm fixing that locally and continuing to review.

Done

[iliana]

A first pass of thoughts.

I'm unable to verify signatures produced by this code. I'm investigating why, because the answer is not obvious to me.

[srgothi92]

Fixed some of the code review comments, with multiple stupid force pushes. you might have to look at two of them to see the complete changes.

[iliana]

ae2f466 fixes the verification issue! The commit message explains, but when we initially discussed how to go about creating the Decoded<RsaPem> I forgot that the byte form of it needs to be an RSAPublicKey document, not a SubjectPublicKeyInfo document. This confusion caused us to double-wrap the public key in the SPKI wrapper, resulting in this extremely confusing situation:

$ jq -r .signed.keys.a6c9b56dd7ce0a87fab1fa1c39d37afefcfb0692c05b2ddaa207919f4d1173d1.keyval.public ~/tmp/root.json \
> | openssl asn1parse
    0:d=0  hl=4 l= 442 cons: SEQUENCE          
    4:d=1  hl=2 l=  13 cons: SEQUENCE          
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL              
   19:d=1  hl=4 l= 423 prim: BIT STRING        
$ jq -r .signed.keys.a6c9b56dd7ce0a87fab1fa1c39d37afefcfb0692c05b2ddaa207919f4d1173d1.keyval.public ~/tmp/root.json \
> | openssl asn1parse -strparse 19
    0:d=0  hl=4 l= 418 cons: SEQUENCE          
    4:d=1  hl=2 l=  13 cons: SEQUENCE          
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL              
   19:d=1  hl=4 l= 399 prim: BIT STRING        

[srgothi92]

PR comments fixes.

[iliana]

We just realized that we probably shouldn't create a tokio runtime inside these libraries, so we probably shouldn't ship this until #213 is fixed. :(

I'd rather merge this first, then do the async party. :)

[iliana]

Final stretch!

[srgothi92]

Fixed PR comments. Check 1st force-pushed for all relevant changes, 2nd was for missed cargo fmt -- --check

[zmrow]

🌃

lgtm