I am trying to call the Decrypt API of AWS KMS from an enclave.
In the Nitro Enclaves documentation it is stated that, instead of returning the plaintext (decrypted result), KMS responds with "CiphertextForRecipient", which is encrypted with the public key in the attestation document, and that "CiphertextForRecipient" can be decrypted with the private key in the enclave.
Referred from https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html.
In the attestation document, there is a public key (optional) value.
Referred from https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html.
So, my question is, which private key am I going to use to decrypt?
Is it the private key corresponding to the public key that is used to sign the attestation document?
Or the private key corresponding to the public key that is the optional value in the attestation document?
In short: it is the public key which is optionally included in the attestation document.

You should decrypt the `CiphertextForRecipient` using the public key that corresponds to the `public_key` field in the attestation document. So, you will do the following:

1. Generate an RSA key pair and request an attestation document that carries the RSA public key as `public_key`.
2. Send a `kms:Decrypt` request, including the attestation document.
3. Decrypt the `CiphertextForRecipient` using the RSA private key.

The `CiphertextForRecipient` is in RFC 5652 RecipientInfo format. Here is an `openssl` snippet for decrypting it:

Then, the plaintext output will be available as a file at `$PATH_FOR_PLAINTEXT_OUTPUT`.

The snippet above is adapted from the Anjuna documentation. For some reason, the main AWS documentation site is not clear about this, but the related GitHub repos have more info on how AWS KMS interacts with AWS Nitro Enclaves:
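As an added example (not part of the answer above, and not code from Anjuna or AWS), the following POSIX shell script plays both sides of the exchange offline with nothing but the `openssl` CLI: it generates the enclave's RSA key pair and the DER public key that would go into the attestation request, stands in for KMS by wrapping a constructed 32-byte "data key" in CMS EnvelopedData with RSAES-OAEP-SHA-256 key transport (the only `KeyEncryptionAlgorithm` the Decrypt API's `Recipient` parameter accepts), base64-encodes it the way `CiphertextForRecipient` appears in the JSON response, and then runs the same `openssl cms -decrypt` step the answer describes with only the private key. The helper names, the file names under `$WORKDIR`, the self-signed certificate (needed only because `openssl cms -encrypt` takes recipients as certificates) and the choice of AES-256-CBC as content cipher are this simulation's assumptions, not details of what KMS emits; `openssl cms -decrypt` reads the actual algorithm identifiers from the EnvelopedData.

```shell
#!/bin/sh
# Added example: offline simulation of the CiphertextForRecipient round trip.
# Not code from the answer, Anjuna, or AWS; it only uses the openssl CLI.
# Assumptions: helper names, file names under $WORKDIR, and the fact that
# simulate_kms_recipient_encrypt merely stands in for what KMS does server-side.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Enclave side, step 1: generate the RSA key pair inside the enclave. The DER
# SubjectPublicKeyInfo in public_key.der is what you hand to the NSM as the
# public_key of the attestation request; enclave.key never leaves the enclave.
enclave_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/enclave.key" 2>/dev/null
    openssl pkey -in "$WORKDIR/enclave.key" -pubout -outform DER \
        -out "$WORKDIR/public_key.der"
}

# Stand-in for KMS (step 2 happens on the AWS side): wrap the plaintext in CMS
# EnvelopedData whose key-transport step is RSAES-OAEP with SHA-256. The
# self-signed certificate exists only because `openssl cms -encrypt` takes
# recipients as certificates; a real attestation document carries the bare DER
# public key. AES-256-CBC is this simulation's content cipher (assumption).
# Output is one-line base64, as CiphertextForRecipient appears in the JSON.
simulate_kms_recipient_encrypt() {
    openssl req -x509 -new -key "$WORKDIR/enclave.key" \
        -subj "/CN=nitro-enclave-recipient" -days 1 \
        -out "$WORKDIR/recipient.crt" 2>/dev/null
    openssl cms -encrypt -binary -aes256 -in "$1" -outform DER \
        -recip "$WORKDIR/recipient.crt" \
        -keyopt rsa_padding_mode:oaep -keyopt rsa_oaep_md:sha256 \
        | openssl base64 -A
}

# Enclave side, step 3: base64-decode CiphertextForRecipient and decrypt it
# with the private key matching public_key. No -recip certificate is needed:
# openssl tries the key against every RecipientInfo in the structure, and the
# OAEP parameters are read from the KeyTransRecipientInfo itself.
decrypt_ciphertext_for_recipient() {
    printf '%s' "$1" | openssl base64 -d -A \
        > "$WORKDIR/ciphertext_for_recipient.der"
    openssl cms -decrypt -inform DER -in "$WORKDIR/ciphertext_for_recipient.der" \
        -inkey "$WORKDIR/enclave.key" -out "$2"
}

# Full round trip on a constructed 32-byte "data key" standing in for the
# plaintext KMS would otherwise have returned. Prints "ok" on success.
round_trip() {
    enclave_keygen
    openssl rand -out "$WORKDIR/datakey.bin" 32
    ct_b64=$(simulate_kms_recipient_encrypt "$WORKDIR/datakey.bin")
    decrypt_ciphertext_for_recipient "$ct_b64" "$WORKDIR/datakey.out"
    if cmp -s "$WORKDIR/datakey.bin" "$WORKDIR/datakey.out"; then
        echo ok
    else
        echo mismatch
    fi
}

round_trip
```

In the real flow, `simulate_kms_recipient_encrypt` is replaced by the `kms:Decrypt` call made from inside the enclave with the attestation document in the `Recipient` parameter; `$WORKDIR/datakey.out` plays the role of the answer's `$PATH_FOR_PLAINTEXT_OUTPUT`. The security property rests on step 1 happening inside the enclave: `enclave.key` must be generated there and never leave, otherwise the attestation-bound public key proves nothing.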