ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Support AWS KMS Key Aliases #227

Open hongkongkiwi opened 3 weeks ago

hongkongkiwi commented 3 weeks ago

When using AWS keys (with the system properties workaround mentioned in #226), I have found that when passing the key alias it does not support AWS key aliases; it only supports key IDs. Key aliases are a common way to refer to keys.

In AWS KMS you can refer to a key in the following ways:

It would be great if all these different methods could be supported in the jsign key alias parameter. In the AWS CLI tools using any of those as a key-id is valid.

I think probably we could simplify it to look for a regex: ^arn:.*:key/([-a-f0-9]+)$ and ^arn:.*:alias/(.*)$ and ^alias/(.*)$ and ^[-a-f0-9]+$

ebourg commented 3 weeks ago

I'm not sure the AWS REST API accepts the aliases directly. If it doesn't we have to figure out how to convert the alias into a key id.

hongkongkiwi commented 3 weeks ago

According to the docs, they should all be accepted when passed as a keyId. Strange though that the alias/name didn't work. I guess I'll have to dig into the code. Perhaps it is my issue ...

ebourg commented 3 weeks ago

https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-KeyId

KeyId

Identifies an asymmetric KMS key. AWS KMS uses the private key in the asymmetric KMS key to sign the message. The KeyUsage type of the KMS key must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a KMS key in a different AWS account, you must use the key ARN or alias ARN.

It looks like aliases are accepted by the API.

What error did you get with the alias?
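As an added example (not jsign's own code), a small validator for the four KeyId forms: it tightens the regexes proposed earlier in the thread and applies the cross-account rule from the Sign API documentation quoted above. The class name, the alias character set and the 12-digit account check are my assumptions, not anything jsign defines.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Parsed form of a KMS key reference (hypothetical helper, not part of jsign). */
public final class KmsKeyRef {
    public enum Kind { KEY_ID, KEY_ARN, ALIAS_NAME, ALIAS_ARN }

    // The four forms from the issue, tightened: ARNs must name the "kms" service and
    // carry a 12-digit account id; alias names use the character set assumed to be allowed.
    private static final Pattern KEY_ID    = Pattern.compile("^([-a-f0-9]+)$");
    private static final Pattern ALIAS     = Pattern.compile("^alias/([A-Za-z0-9/_-]+)$");
    private static final Pattern KEY_ARN   = Pattern.compile("^arn:[^:]+:kms:[^:]*:(\\d{12}):key/([-a-f0-9]+)$");
    private static final Pattern ALIAS_ARN = Pattern.compile("^arn:[^:]+:kms:[^:]*:(\\d{12}):alias/([A-Za-z0-9/_-]+)$");

    public final Kind kind;
    public final String name;     // key id or alias name
    public final String account;  // account id taken from an ARN, null otherwise

    private KmsKeyRef(Kind kind, String name, String account) {
        this.kind = kind; this.name = name; this.account = account;
    }

    /** Rejects anything that is not one of the four documented forms, so a malformed
     *  alias parameter fails locally with a clear message instead of reaching KMS. */
    public static KmsKeyRef parse(String value) {
        String v = value == null ? "" : value.trim();
        Matcher m;
        if ((m = KEY_ARN.matcher(v)).matches())   return new KmsKeyRef(Kind.KEY_ARN, m.group(2), m.group(1));
        if ((m = ALIAS_ARN.matcher(v)).matches()) return new KmsKeyRef(Kind.ALIAS_ARN, m.group(2), m.group(1));
        if ((m = ALIAS.matcher(v)).matches())     return new KmsKeyRef(Kind.ALIAS_NAME, m.group(1), null);
        if ((m = KEY_ID.matcher(v)).matches())    return new KmsKeyRef(Kind.KEY_ID, m.group(1), null);
        throw new IllegalArgumentException("Not a KMS key id, key ARN, alias name or alias ARN: " + value);
    }

    /** A bare key id or alias name resolves in the caller's own account; only an ARN
     *  can name a key in another account (per the Sign API KeyId documentation). */
    public boolean isCrossAccount(String callerAccount) {
        return account != null && !account.equals(callerAccount);
    }

    public static void main(String[] args) {
        String[] samples = {  // constructed sample inputs, the last one is deliberately invalid
            "1234abcd-12ab-34cd-56ef-1234567890ab",
            "alias/code-signing",
            "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "arn:aws:kms:us-east-1:444455556666:alias/code-signing",
            "alias/code signing" };
        for (String s : samples) {
            try {
                KmsKeyRef r = parse(s);
                System.out.println(r.kind + " name=" + r.name + " crossAccount=" + r.isCrossAccount("111122223333"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Because an alias is resolved by KMS at request time, a caller that needs an audit trail of which key actually signed should still look up the resolved key id (for example via the DescribeKey operation mentioned in the quoted docs) rather than logging only the alias.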