Skip to content

Signing Application with MP4-output running with AWS Lambda, AWS S3 and AWS KMS

License

Notifications You must be signed in to change notification settings

ARD-C2PA-SAMPLES/c2pa_sign_awslambdakms

Repository files navigation

C2PA AWS Lambda sign demo with output MP4-File and AWS KMS

Setup AWS KMS for private key import

  1. convert private key in binary format (.der) openssl pkcs8 -topk8 -inform PEM -outform DER -in es256_private.key -out es256_private.der -nocrypt Now we have private key es256_private.der in DER Binary Format. Important: please ensure, that both public and private key belong together. Here in sample we're using private key from https://github.com/contentauth/c2patool/blob/main/sample/es256_private.key

  2. Create KMS Key with: aws kms create-key --key-spec ECC_NIST_P256 --key-usage SIGN_VERIFY --origin EXTERNAL Check for output, please write down KeyId (needed for next steps)

  3. Navigate to AWS KMS Console and choose appropiate Key with given KeyId (see 3.)

  • Navigate to "Key Material" and choose "Import key material".
  • Choose wrapping key spec RSA_4096 and wrapping algorithm RSAES_OAEP_SHA_256
  • Click on "Download wrapping public key and import token"
  • You will download a ZIP File containg both wrapping public key and import token
  • Get WrappingPublikKey.bin from ZIP and ...
  1. Encrypt private key es256_private.der (see 1.) with Wrappingpublickey (see.3)
openssl pkeyutl \
    -encrypt \
    -in es256_private.der \
    -out EncryptedKeyMaterial.bin \
    -inkey WrappingPublicKey.bin \
    -keyform DER \
    -pubin \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
  1. Now let's import the encrypted Key Material with given KeyID and ImportToken and "valid-to" Timestamp
aws kms import-key-material \
    --key-id <KeyId> \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_EXPIRES \
    --valid-to 2025-09-21T19:00:00Z
  1. Now KMS with Key is ready to use:-)

Pre-requistes

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/prerequisites.html

Deployment of Application via AWS SAM

Check out repository

cd lambda_c2pasign
sam build
sam deploy --guided

Once you define KMS Key ID of used KMS Signer Key, please use KeyId of previously created KMS Key.

Short Introduction in running c2patool with AWS KMS

system schema

  1. There's a trigger configured, that once an Object on S3 Bucket has been created in folder "s3BucketPath" (defined by env-variable, default "data"), a call to Lambda function will be initiated.
  2. Lambda Function will download Object to local Store
  3. Starting Signing with given manifest-definition, To be signed claim-bytes will be sent to AWS KMS - and with stored Config with private Key on AWS KMS
    Have a look using parameter signer-path, ref. https://github.com/contentauth/c2patool?tab=readme-ov-file#signing-claim-bytes-with-your-own-signer
  4. the signed claim bytes will be returned
  5. the signed Object will be transferred back to S3-Bucket in folder "s3BucketPathSigned" (defined by env-variable, default "data_sign")

About

Signing Application with MP4-output running with AWS Lambda, AWS S3 and AWS KMS

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages