Allow config.json slot entries without kms_key_id to return only certificate

[hongkongkiwi]

I was wondering if it's possible to add the feature to allow skipping lookup from KMS if I exclude the kms_key_id?

So, I'm hoping to have something like this, that means I can mix a signing key, with root-certs using the same mechanism. e.g. when using rauc:
rauc bundle --keyring='pkcs11:token=dev-root-ca' --intermediate='pkcs11:token=dev-int-ca'--cert='pkcs11:token=dev-leaf' --key='pkcs11:token=dev-leaf' input_dir/ my_bundle.raucb

So the config.json would look like this:

{
  "slots": [
    {
      "label": "dev-root-ca",
      "certificate": "<mycert>"
    },
    {
      "label": "dev-int-ca",
      "certificate": "<mycert>"
    },
    {
      "label": "dev-leaf",
      "kms_key_id": "1234",
      "aws_region": "us-west-1",
      "certificate": "<signing_cert_base64>"
    }
  ]
 }

[JackOfMostTrades]

Hmm, it seems a bit odd to support slots in the provider without any key. That might be something other PKCS11 providers enable, but I think I'd want to check how typical that is. Any reason to do it this way versus just specifying paths to the root/intermediate certs in the rauc bundle command?

[ozbenh]

So this is useful in conjunction with the PR I sent which allows you to specify certificates by ACM PCA ARN in the config file :-)

That way, you can do a setup you never have to copy and maintain certificate files, you can make the CA cert accessible via the token. I want to use this in part because I use the plugin along with p11-kit "proxy" to proxy keys into a container and I don't want to mess around with keeping cert files up to date when keys rotate.

Right now (at least with my branch for which I just sent a PR but I don't think it would fail otherwise), it will somewhat work if you ommit the key ID for a slot. It will try to access it and get errors, but the certificate will be available, at least via p11tool --export ... that said it's somewhat sucky since we don't have an ID

I'm thinking of doing a patch so it, at least, doesn't try to retrieve the key when it's not specified, and uses something else as an ID, maybe just the cert name.

We'll see if I find time. I also want to rework a few more things, hide the KMS client completely inside AwsKmsSlot using longer lived client instances maybe (they should re-obtain credentials automatically), and other niceties, but again ... time :-)

[hongkongkiwi]

Thanks for this, I've been thinking on it and actually I think a rest call might also be a good idea as well, but that code might need to do an extra check to ensure the certificate returned actually matches the private key. But maybe such a check could benefit here as well? incase the wrong ID is entered.

I've actually switched to using ACM PCA. The only downside is the cost (!) so this patch is very useful, thank you.