Importing asymmetric key to AWS KMS

0

After several days of trying to import the key material of a private key, I was able to generate it as stated in the AWS developer guide (https://docs.aws.amazon.com/es_es/kms/latest/developerguide/importing-keys-encrypt-key-material.html) by running the following command:

    openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 | openssl pkcs8 -topk8 -outform der -nocrypt > RSA_2048_PrivateKey.der

But I was assigned a .p12 file from which I obtained the private key, and I got the following information:

    openssl pkcs12 -info -noout -in certificate.p12 -legacy
    MAC: sha1, Iteration 2048

So I proceeded to update it:

    MAC: sha256, Iteration 2048
    PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

But when I try to import it with this key material:

    openssl pkcs12 -in certificate.p12 -nocerts -nodes -out aesPrivateKey.pem
    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in aesPrivateKey.pem -out aes-PrivateKeyder.der
    aws kms --region us-east-2 import-key-material --key-id 123.. --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE   (aes-PrivateKeyder.der)

I get:

    An error occurred (InvalidCiphertextException) when calling the ImportKeyMaterial operation

but it works correctly with RSA_2048_PrivateKey.der. What steps do I need to take to import the key material with certificate.p12? Thanks!

asked 2 months ago, 123 views
2 Answers
1

Just wanted to jump in and share a working solution, after hours of trial and error dealing with InvalidCiphertextException, explicit parameters, and wrapping mismatches.

TL;DR: Yes, you can import an EC private key (e.g., Apple .p8 with ES256) into AWS KMS, as long as:

You convert it to use named curve parameters (not explicit ones!)

You wrap it using RSA_AES_KEY_WRAP_SHA_256 as described in AWS docs

You follow exact format expectations for DER and wrapping

I’ve created a fully working Bash script that:

Converts the Apple .p8 to PKCS#8 DER format with named_curve

Uses AES-256-WRAP-PAD + RSA-OAEP-SHA256 (RSA 4096)

Imports the key material into a KMS key created with KeySpec=ECC_NIST_P256, KeyUsage=SIGN_VERIFY, Origin=EXTERNAL

You can find my solution here:

https://gist.github.com/marcriemer/49109d852f04b92b7ed3cad10cfcc084

It includes size checks, cleanup, and fully automates the wrapping and import process via AWS CLI + OpenSSL.

Hope this helps others avoid the painful debugging loop. Let me know if you have questions or need help adapting it for other curves or formats!

Cheers

answered a month ago
  • In my case, I have an RSA private key (2048 bits) and the AWS KMS Key: ECC_NIST_P256 is 256 bits. What can I do in this case? Thanks for your help!

0

To import the key material from your .p12 file into AWS KMS, you'll need to follow a specific process. Here are the steps you should take:

  1. Extract the private key from the .p12 file: Use the command you've already used: openssl pkcs12 -in certificate.p12 -nocerts -nodes -out privateKey.pem

  2. Convert the private key to PKCS#8 format in DER encoding: openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in privateKey.pem -out privateKey.der

  3. Obtain the public key and import parameters from AWS KMS: aws kms get-parameters-for-import --key-id <your-key-id> --wrapping-algorithm RSAES_OAEP_SHA_1 --wrapping-key-spec RSA_2048

  4. Use the public key from step 3 to encrypt your private key material: openssl pkeyutl -encrypt -in privateKey.der -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1

  5. Import the encrypted key material into AWS KMS: aws kms import-key-material --key-id <your-key-id> --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

The error you're encountering (InvalidCiphertextException) likely occurs because the key material isn't properly encrypted with the public key provided by AWS KMS. Make sure you're using the correct wrapping algorithm and key specification when getting the import parameters and encrypting the key material.

Also, ensure that the KMS key you're trying to import into was created with the origin set to EXTERNAL. You cannot import key material into a key that was not created for this purpose.

If you continue to face issues, double-check that the key in your .p12 file is compatible with the key spec of the KMS key you're trying to import into. The key sizes and types must match.
Sources
Importing key material for AWS KMS keys - AWS Key Management Service
Importing key material - AWS Key Management Service
How to migrate asymmetric keys from CloudHSM to AWS KMS | AWS Security Blog

answered 2 months ago
  • That algorithm, RSAES_OAEP_SHA_1, is for symmetric keys; for asymmetric keys it is --wrapping-algorithm RSA_AES_KEY_WRAP_SHA_256. I have to use this procedure first:

        openssl enc -id-aes256-wrap-pad -K "$(xxd -p < aes-key.bin | tr -d '\n')" -iv A65959A6 -in aes-PrivateKeyder.der -out key-material-wrapped.bin

    and then use:

        cat aes-key-wrapped.bin key-material-wrapped.bin > EncryptedKeyMaterial.bin
