
bug: Import KMS key fails with "Could not deserialize key data" #10909

Open
@akastyka

Description


Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Running import-key-material kms command fails with:
An error occurred (InternalError) when calling the ImportKeyMaterial operation (reached max retries: 2): exception while calling kms.ImportKeyMaterial: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=109052072, lib=13, reason=168, reason_text=wrong tag)>, <OpenSSLError(code=109576458, lib=13, reason=524554, reason_text=nested asn1 error)>])

Despite the error, the key status changes to "Enabled": true

Expected Behavior

kms import-key-material finishes successfully

How are you starting LocalStack?

With a docker run command

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

docker run --rm --name local-kms --publish 4566:4566 -p 4510-4559:4510-4559 -e SERVICES=kms -e START_WEB=1 -d localstack/localstack
  • Create EXTERNAL key
    awslocal kms create-key --key-spec HMAC_512 --key-usage GENERATE_VERIFY_MAC --origin EXTERNAL
  • Get public key and token
    awslocal kms get-parameters-for-import \
        --key-id 58df27f5-66ae-47a9-b6eb-1c61040768f0 \
        --wrapping-algorithm RSAES_OAEP_SHA_256 \
        --wrapping-key-spec RSA_4096
  • Generate key locally
    openssl rand -out HMAC_512_PlaintextKey.bin 64
  • Encrypt key using the public key from the step above
    openssl pkeyutl \
        -encrypt \
        -in HMAC_512_PlaintextKey.bin \
        -out EncryptedKeyMaterial.bin \
        -inkey WrappingPublicKey.bin \
        -keyform DER \
        -pubin \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256
  • Import encrypted key
    awslocal kms import-key-material --key-id 58df27f5-66ae-47a9-b6eb-1c61040768f0 \
        --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
        --import-token fileb://ImportToken.bin \
        --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

Fails with error above

Environment

- OS: Ubuntu 22.04
- OpenSSL: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
- LocalStack:
  LocalStack version: 3.4.1.dev
  LocalStack Docker image sha:
  LocalStack build date: 2024-05-01
  LocalStack build git hash: 0da986511

Anything else?

No response
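Added example, not part of the report above and not LocalStack's own code: a local round-trip check of the RSAES_OAEP_SHA_256 wrapping used in the reproduction steps. It generates a throwaway RSA-4096 key pair to stand in for the KMS wrapping key (the real WrappingPublicKey.bin comes from get-parameters-for-import, so the generated pair is an assumption made for offline use), wraps 64 bytes of HMAC_512 material with the same openssl pkeyutl parameters as the report, unwraps it with the private half, and checks the sizes involved. It also shows that the wrapping public key parses as DER while raw HMAC material is not expected to, which is the shape of the "wrong tag" / "nested asn1 error" text in the report; this demonstrates what the client side produces and does not by itself establish where LocalStack's failure originates. The $WORK directory and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue or LocalStack): local round-trip check of
# the RSAES_OAEP_SHA_256 / RSA_4096 wrapping used in the reproduction steps.
set -eu

# Scratch directory; every path below is constructed for this example.
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the KMS wrapping key pair (assumption: a locally generated
# RSA-4096 key instead of the PublicKey returned by get-parameters-for-import).
make_test_wrapping_key() {
    [ -f "$WORK/wrapping_private.pem" ] || \
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
            -out "$WORK/wrapping_private.pem" 2>/dev/null
    # DER-encoded SubjectPublicKeyInfo, the same encoding the report feeds to
    # pkeyutl via -keyform DER -pubin.
    openssl pkey -in "$WORK/wrapping_private.pem" -pubout -outform DER \
        -out "$WORK/WrappingPublicKey.bin" 2>/dev/null
}

# Same rand + pkeyutl parameters as the issue's reproduction steps.
wrap_key_material() {
    openssl rand -out "$WORK/HMAC_512_PlaintextKey.bin" 64
    openssl pkeyutl -encrypt \
        -in "$WORK/HMAC_512_PlaintextKey.bin" \
        -out "$WORK/EncryptedKeyMaterial.bin" \
        -inkey "$WORK/WrappingPublicKey.bin" -keyform DER -pubin \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256
}

# Unwrap with the private half and compare with the original material.
# OAEP hash and MGF1 hash must match on both sides or decryption fails.
unwrap_key_material() {
    openssl pkeyutl -decrypt \
        -in "$WORK/EncryptedKeyMaterial.bin" \
        -out "$WORK/Recovered.bin" \
        -inkey "$WORK/wrapping_private.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256
    cmp -s "$WORK/HMAC_512_PlaintextKey.bin" "$WORK/Recovered.bin"
}

# Size checks: an RSA-4096 OAEP ciphertext is exactly 512 bytes (the modulus
# size) and HMAC_512 key material is exactly 64 bytes.
wrapped_size()   { wc -c < "$WORK/EncryptedKeyMaterial.bin" | tr -d ' '; }
plaintext_size() { wc -c < "$WORK/HMAC_512_PlaintextKey.bin" | tr -d ' '; }

# Returns 0 if the file parses as DER/ASN.1, non-zero otherwise. Raw HMAC
# bytes are not a DER key structure; handing them to a key parser produces
# the "wrong tag" / "nested asn1 error" wording seen in the report.
is_asn1() {
    openssl asn1parse -inform DER -in "$1" >/dev/null 2>&1
}

# Stand-alone run: build the test pair, wrap, unwrap, and report.
make_test_wrapping_key
wrap_key_material
echo "plaintext bytes: $(plaintext_size), wrapped bytes: $(wrapped_size)"
if unwrap_key_material; then echo "round trip: ok"; else echo "round trip: FAILED"; fi
if is_asn1 "$WORK/WrappingPublicKey.bin"; then echo "WrappingPublicKey.bin: DER parses"; fi
if is_asn1 "$WORK/HMAC_512_PlaintextKey.bin"; then
    echo "HMAC material: parses as ASN.1 (unexpected for raw bytes)"
else
    echo "HMAC material: not ASN.1, as expected for raw HMAC_512 key bytes"
fi
```

If the round trip succeeds and the sizes are 64 and 512, the EncryptedKeyMaterial.bin produced on the client side is well-formed for RSA_4096 with RSAES_OAEP_SHA_256, and the remaining question is how the server treats the raw HMAC bytes after unwrapping them.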
