AWS Model Provider - Encryption Step failure #1432
Comments
|
The issue is not with the AWS KMS libraries but rather the fact that the encrypted blob is copied without first being decrypted. The blob cannot be decrypted after being copied as the KmsStorageClient implementation uses the blob key as the associated data (AD) for the encryption. The solution proposed by @stevenwarejones is to add a flag which specifies a fixed blob key of a single encrypted private signing key used across all workflows. |
|
@SanjayVas - There is an issue encrypting using the KMS that has an unknown root cause. Mario is unable to run the old exchange but once he gets it running, we can hopefully figure out the root cause. The flag I added just allows someone to use a pre-encrypted private key since daily encryptions of the current day's private key aren't working. |
Describe the bug
The AWS MP client is not able to use the KMS certificate on the encrypt/decrypt step. This seems to be an issue with AWS KMS libraries.
@stevenwarejones identified https://github.com/world-federation-of-advertisers/common-jvm/blob/ddedd5aa4362df505aec38f1156639dfb6dab1d4/src/main/kotlin/org/wfanet/measurement/common/crypto/tink/KmsStorageClient.kt#L53 as the root cause of the problem
@stevenwarejones @jonmolle could you add more details the issue description?
Steps to reproduce
Component(s) affected
Model Provider AWS Client
Version
0.4.2
Environment
Origin / Kantr Production
Additional context
Slack discussion: https://cross-mediaworkspace.slack.com/archives/C01LX87C2LB/p1704820453689469
The text was updated successfully, but these errors were encountered: