Add initial implementation to support AWS KMS.

2020-05-19 17:35:36 -07:00 · 2020-05-19 17:35:36 -07:00 · c32abb76cd
commit c32abb76cd
parent b0f768a3fb
6 changed files with 384 additions and 6 deletions
--- a/go.mod
+++ b/go.mod
@ -5,13 +5,14 @@ go 1.13
 require (
 	cloud.google.com/go v0.51.0
 	github.com/Masterminds/sprig/v3 v3.0.0
+	github.com/aws/aws-sdk-go v1.30.29
 	github.com/go-chi/chi v4.0.2+incompatible
 	github.com/go-piv/piv-go v1.5.0
 	github.com/googleapis/gax-go/v2 v2.0.5
 	github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a // indirect
 	github.com/lunixbochs/vtclean v1.0.0 // indirect
 	github.com/newrelic/go-agent v2.15.0+incompatible
-	github.com/pkg/errors v0.8.1
+	github.com/pkg/errors v0.9.1
 	github.com/rs/xid v1.2.1
 	github.com/sirupsen/logrus v1.4.2
 	github.com/smallstep/assert v0.0.0-20200103212524-b99dc1097b15
@ -19,7 +20,7 @@ require (
 	github.com/smallstep/nosql v0.3.0
 	github.com/urfave/cli v1.22.2
 	golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59
-	golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553
+	golang.org/x/net v0.0.0-20200202094626-16171245cfb2
 	google.golang.org/api v0.15.0
 	google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb
 	google.golang.org/grpc v1.26.0
--- a/go.sum
+++ b/go.sum
@ -43,7 +43,10 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
 github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/aws/aws-sdk-go v1.19.18 h1:Hb3+b9HCqrOrbAtFstUWg7H5TQ+/EcklJtE8VShVs8o=
 github.com/aws/aws-sdk-go v1.19.18/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.30.29 h1:NXNqBS9hjOCpDL8SyCyl38gZX3LLLunKOJc5E7vJ8P0=
+github.com/aws/aws-sdk-go v1.30.29/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@ -128,6 +131,8 @@ github.com/go-piv/piv-go v1.5.0 h1:UtHPfrJsZKY+Z3UIjmJLh6DY+KtmNOl/9b/zt4N81pM=
 github.com/go-piv/piv-go v1.5.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
 github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
+github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-toolsmith/astcast v1.0.0 h1:JojxlmI6STnFVG9yOImLeGREv8W2ocNUM+iOhR6jE7g=
 github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4=
@ -268,7 +273,10 @@ github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI=
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
+github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@ -386,6 +394,8 @@ github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.0.0/go.mod h1:Zad1CMQfSQZI5KLpahDiSUX4tMMREnXw98IvL1nhgMk=
@ -500,6 +510,8 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/timakin/bodyclose v0.0.0-20190721030226-87058b9bfcec/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
@ -618,6 +630,8 @@ golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
--- a/kms/apiv1/options.go
+++ b/kms/apiv1/options.go
@ -57,7 +57,7 @@ type Options struct {
 	// The type of the KMS to use.
 	Type string `json:"type"`

-	// Path to the credentials file used in CloudKMS.
+	// Path to the credentials file used in CloudKMS and AmazonKMS.
 	CredentialsFile string `json:"credentialsFile"`

 	// Path to the module used with PKCS11 KMS.
@ -65,6 +65,12 @@ type Options struct {

 	// Pin used to access the PKCS11 module.
 	Pin string `json:"pin"`
+
+	// Region to use in AmazonKMS.
+	Region string `json:"region"`
+
+	// Profile to use in AmazonKMS.
+	Profile string `json:"profile"`
 }

 // Validate checks the fields in Options.
@ -74,10 +80,8 @@ func (o *Options) Validate() error {
 	}

 	switch Type(strings.ToLower(o.Type)) {
-	case DefaultKMS, SoftKMS, CloudKMS:
+	case DefaultKMS, SoftKMS, CloudKMS, AmazonKMS:
 	case YubiKey:
-	case AmazonKMS:
-		return ErrNotImplemented{"support for AmazonKMS is not yet implemented"}
 	case PKCS11:
 		return ErrNotImplemented{"support for PKCS11 is not yet implemented"}
 	default:
--- a/kms/awskms/awskms.go
+++ b/kms/awskms/awskms.go
@ -0,0 +1,237 @@
+package awskms
+
+import (
+	"context"
+	"crypto"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/smallstep/certificates/kms/uri"
+
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/kms/apiv1"
+	"github.com/smallstep/cli/crypto/pemutil"
+)
+
+// KMS implements a KMS using AWS Key Management Service.
+type KMS struct {
+	session *session.Session
+	service *kms.KMS
+}
+
+// customerMasterKeySpecMapping is a mapping between the step signature algorithm,
+// and bits for RSA keys, with awskms CustomerMasterKeySpec.
+var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
+	apiv1.UnspecifiedSignAlgorithm: kms.CustomerMasterKeySpecEccNistP256,
+	apiv1.SHA256WithRSA: map[int]string{
+		0:    kms.CustomerMasterKeySpecRsa3072,
+		2048: kms.CustomerMasterKeySpecRsa2048,
+		3072: kms.CustomerMasterKeySpecRsa3072,
+		4096: kms.CustomerMasterKeySpecRsa4096,
+	},
+	apiv1.SHA512WithRSA: map[int]string{
+		0:    kms.CustomerMasterKeySpecRsa4096,
+		4096: kms.CustomerMasterKeySpecRsa4096,
+	},
+	apiv1.SHA256WithRSAPSS: map[int]string{
+		0:    kms.CustomerMasterKeySpecRsa3072,
+		2048: kms.CustomerMasterKeySpecRsa2048,
+		3072: kms.CustomerMasterKeySpecRsa3072,
+		4096: kms.CustomerMasterKeySpecRsa4096,
+	},
+	apiv1.SHA512WithRSAPSS: map[int]string{
+		0:    kms.CustomerMasterKeySpecRsa4096,
+		4096: kms.CustomerMasterKeySpecRsa4096,
+	},
+	apiv1.ECDSAWithSHA256: kms.CustomerMasterKeySpecEccNistP256,
+	apiv1.ECDSAWithSHA384: kms.CustomerMasterKeySpecEccNistP384,
+	apiv1.ECDSAWithSHA512: kms.CustomerMasterKeySpecEccNistP521,
+}
+
+// New creates a new AWSKMS. By default, sessions will be created using the
+// credentials in `~/.aws/credentials`, but this can be overridden using the
+// CredentialsFile option, the Region and Profile can also be configured as
+// options.
+//
+// AWS sessions can also be configured with environment variables, see docs at
+// https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for all the options.
+func New(ctx context.Context, opts apiv1.Options) (*KMS, error) {
+	o := session.Options{}
+	if opts.Region != "" {
+		o.Config.Region = &opts.Region
+	}
+	if opts.Profile != "" {
+		o.Profile = opts.Profile
+	}
+	if opts.CredentialsFile != "" {
+		o.SharedConfigFiles = []string{opts.CredentialsFile}
+	}
+
+	sess, err := session.NewSessionWithOptions(o)
+	if err != nil {
+		return nil, errors.Wrap(err, "error creating AWS session")
+	}
+
+	return &KMS{
+		session: sess,
+		service: kms.New(sess),
+	}, nil
+}
+
+func init() {
+	apiv1.Register(apiv1.AmazonKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
+		return New(ctx, opts)
+	})
+}
+
+// GetPublicKey returns a public key from KMS.
+func (k *KMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
+	if req.Name == "" {
+		return nil, errors.New("getPublicKey 'name' cannot be empty")
+	}
+	keyID, err := parseKeyID(req.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, cancel := defaultContext()
+	defer cancel()
+
+	resp, err := k.service.GetPublicKeyWithContext(ctx, &kms.GetPublicKeyInput{
+		KeyId: &keyID,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "awskms GetPublicKeyWithContext failed")
+	}
+
+	return pemutil.ParseDER(resp.PublicKey)
+}
+
+// CreateKey generates a new key in KMS and returns the public key version
+// of it.
+func (k *KMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
+	if req.Name == "" {
+		return nil, errors.New("createKeyRequest 'name' cannot be empty")
+	}
+
+	keySpec, err := getCustomerMasterKeySpecMapping(req.SignatureAlgorithm, req.Bits)
+	if err != nil {
+		return nil, err
+	}
+
+	tag := new(kms.Tag)
+	tag.SetTagKey("name")
+	tag.SetTagValue(req.Name)
+
+	input := &kms.CreateKeyInput{
+		Description:           &req.Name,
+		CustomerMasterKeySpec: &keySpec,
+		Tags:                  []*kms.Tag{tag},
+	}
+	input.SetKeyUsage(kms.KeyUsageTypeSignVerify)
+
+	ctx, cancel := defaultContext()
+	defer cancel()
+
+	resp, err := k.service.CreateKeyWithContext(ctx, input)
+	if err != nil {
+		return nil, errors.Wrap(err, "awskms CreateKeyWithContext failed")
+	}
+	if err := k.createKeyAlias(*resp.KeyMetadata.KeyId, req.Name); err != nil {
+		return nil, err
+	}
+
+	// Create uri for key
+	name := uri.New("awskms", url.Values{
+		"key-id": []string{*resp.KeyMetadata.KeyId},
+	}).String()
+
+	publicKey, err := k.GetPublicKey(&apiv1.GetPublicKeyRequest{
+		Name: name,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Names uses Amazon Resource Name
+	// https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
+	return &apiv1.CreateKeyResponse{
+		Name:      name,
+		PublicKey: publicKey,
+		CreateSignerRequest: apiv1.CreateSignerRequest{
+			SigningKey: name,
+		},
+	}, nil
+}
+
+func (k *KMS) createKeyAlias(keyID, alias string) error {
+	alias = "alias/" + alias + "-" + keyID[:8]
+
+	ctx, cancel := defaultContext()
+	defer cancel()
+
+	_, err := k.service.CreateAliasWithContext(ctx, &kms.CreateAliasInput{
+		AliasName:   &alias,
+		TargetKeyId: &keyID,
+	})
+	if err != nil {
+		return errors.Wrap(err, "awskms CreateAliasWithContext failed")
+	}
+	return nil
+}
+
+// CreateSigner creates a new crypto.Signer with a previously configured key.
+func (k *KMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error) {
+	if req.SigningKey == "" {
+		return nil, errors.New("createSigner 'signingKey' cannot be empty")
+	}
+	return NewSigner(k.service, req.SigningKey)
+}
+
+// Close closes the connection of the KMS client.
+func (k *KMS) Close() error {
+	return nil
+}
+
+func defaultContext() (context.Context, context.CancelFunc) {
+	return context.WithTimeout(context.Background(), 15*time.Second)
+}
+
+// parseKeyID extracts the key-id from an uri.
+func parseKeyID(name string) (string, error) {
+	name = strings.ToLower(name)
+	if strings.HasPrefix(name, "awskms:") || strings.HasPrefix(name, "aws:") {
+		u, err := uri.Parse(name)
+		if err != nil {
+			return "", err
+		}
+		if k := u.Get("key-id"); k != "" {
+			return k, nil
+		}
+		return "", errors.Errorf("failed to get key-id from %s", name)
+	}
+	return name, nil
+}
+
+func getCustomerMasterKeySpecMapping(alg apiv1.SignatureAlgorithm, bits int) (string, error) {
+	v, ok := customerMasterKeySpecMapping[alg]
+	if !ok {
+		return "", errors.Errorf("awskms does not support signature algorithm '%s'", alg)
+	}
+
+	switch v := v.(type) {
+	case string:
+		return v, nil
+	case map[int]string:
+		s, ok := v[bits]
+		if !ok {
+			return "", errors.Errorf("awskms does not support signature algorithm '%s' with '%d' bits", alg, bits)
+		}
+		return s, nil
+	default:
+		return "", errors.Errorf("unexpected error: this should not happen")
+	}
+}
--- a/kms/awskms/signer.go
+++ b/kms/awskms/signer.go
@ -0,0 +1,121 @@
+package awskms
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"io"
+
+	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/pkg/errors"
+	"github.com/smallstep/cli/crypto/pemutil"
+)
+
+type Signer struct {
+	service   *kms.KMS
+	keyID     string
+	publicKey crypto.PublicKey
+}
+
+// NewSigner creates a new signer using a key in the AWS KMS.
+func NewSigner(svc *kms.KMS, signingKey string) (*Signer, error) {
+	keyID, err := parseKeyID(signingKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Make sure that the key exists.
+	signer := &Signer{
+		service: svc,
+		keyID:   keyID,
+	}
+	if err := signer.preloadKey(keyID); err != nil {
+		return nil, err
+	}
+
+	return signer, nil
+}
+
+func (s *Signer) preloadKey(keyID string) error {
+	ctx, cancel := defaultContext()
+	defer cancel()
+
+	resp, err := s.service.GetPublicKeyWithContext(ctx, &kms.GetPublicKeyInput{
+		KeyId: &keyID,
+	})
+	if err != nil {
+		return errors.Wrap(err, "awskms GetPublicKeyWithContext failed")
+	}
+
+	s.publicKey, err = pemutil.ParseDER(resp.PublicKey)
+	return err
+}
+
+// Public returns the public key of this signer or an error.
+func (s *Signer) Public() crypto.PublicKey {
+	return s.publicKey
+}
+
+// Sign signs digest with the private key stored in the AWS KMS.
+func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	alg, err := getSigningAlgorithm(s.Public(), opts)
+	if err != nil {
+		return nil, err
+	}
+
+	req := &kms.SignInput{
+		KeyId:            &s.keyID,
+		SigningAlgorithm: &alg,
+		Message:          digest,
+	}
+	req.SetMessageType("DIGEST")
+
+	ctx, cancel := defaultContext()
+	defer cancel()
+
+	resp, err := s.service.SignWithContext(ctx, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "awsKMS SignWithContext failed")
+	}
+
+	return resp.Signature, nil
+}
+
+func getSigningAlgorithm(key crypto.PublicKey, opts crypto.SignerOpts) (string, error) {
+	switch key.(type) {
+	case *rsa.PublicKey:
+		_, isPSS := opts.(*rsa.PSSOptions)
+		switch h := opts.HashFunc(); h {
+		case crypto.SHA256:
+			if isPSS {
+				return "RSASSA_PSS_SHA_256", nil
+			}
+			return "RSASSA_PKCS1_V1_5_SHA_256", nil
+		case crypto.SHA384:
+			if isPSS {
+				return "RSASSA_PSS_SHA_384", nil
+			}
+			return "RSASSA_PKCS1_V1_5_SHA_384", nil
+		case crypto.SHA512:
+			if isPSS {
+				return "RSASSA_PSS_SHA_512", nil
+			}
+			return "RSASSA_PKCS1_V1_5_SHA_512", nil
+		default:
+			return "", errors.Errorf("unsupported hash function %v", h)
+		}
+	case *ecdsa.PublicKey:
+		switch h := opts.HashFunc(); h {
+		case crypto.SHA256:
+			return "ECDSA_SHA_256", nil
+		case crypto.SHA384:
+			return "ECDSA_SHA_384", nil
+		case crypto.SHA512:
+			return "ECDSA_SHA_512", nil
+		default:
+			return "", errors.Errorf("unsupported hash function %v", h)
+		}
+	default:
+		return "", errors.Errorf("unsupported key type %T", key)
+	}
+}
--- a/kms/kms.go
+++ b/kms/kms.go
@ -8,6 +8,7 @@ import (
 	"github.com/smallstep/certificates/kms/apiv1"

 	// Enabled kms interfaces.
+	_ "github.com/smallstep/certificates/kms/awskms"
 	_ "github.com/smallstep/certificates/kms/cloudkms"
 	_ "github.com/smallstep/certificates/kms/softkms"