
Using AWS KMS Customer Master Key (CMK), I'm generating a Data Key Pair without plain text. AWS API reference is here. Boto3 API reference for generate_data_key_pair_without_plaintext is here

I'm using Python 2.7 and my code is here:

```python
import boto3

cmk_key_id = "<cmk-key-id>"  # placeholder: ID or ARN of the CMK

kms = boto3.client('kms')

data_key = kms.generate_data_key_pair_without_plaintext(KeyId=cmk_key_id,
                                                        KeyPairSpec='ECC_NIST_P384')
public_key = data_key['PublicKey']
encr_private_key = data_key['PrivateKeyCiphertextBlob']

# prints garbage because public_key is binary object
print("public key: %s" % public_key)
```

Documentation says public_key is plaintext (and also Base64-encoded binary data object). This is confusing. Please see this

PublicKey

The public key (in plaintext)

Type: Base64-encoded binary data object

I would like to convert the public key into a PEM format. How can I do that?

Bhaskar
  • Where did you get `Type: Base64-encoded binary data object` from? The documentation states only: "PublicKey (bytes) -- The public key (in plaintext)." – Marcin Nov 20 '20 at 04:59
  • @Marcin it is in the first link: "Response Elements" -> "PublicKey". Here is that link [https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html] – Bhaskar Nov 20 '20 at 05:18
  • This is for the HTTP API. You are using boto3, which returns `(bytes) -- The public key (in plaintext)`. It's not base64 encoded. – Marcin Nov 20 '20 at 05:34
  • @Marcin got it, thank you. But any idea why printing public key (above code) is printing garbage? – Bhaskar Nov 20 '20 at 06:14
  • It's a raw binary key in bytes. You can change it to `base64`, if you want, using `base64.b64encode(public_key)` for a more human-friendly printout. – Marcin Nov 20 '20 at 06:19
  • Sorry if these are naive questions. I understand it is raw binary. I could save the key in b64 encoded format. I would like to convert it to PEM format. I have used RSA asymmetric keys in the past (PEM format) and used the private keys to make cURL calls. But these asymmetric keys are ECC based in the above code. If I could convert the public (and private) raw binary to PEM format then I know how to use them in cURL calls. Hence my question, can I convert these raw binary bytes to PEM format? – Bhaskar Nov 20 '20 at 06:27
  • No problem, but I'm not too familiar with PEM format. So can't help with the conversion. – Marcin Nov 20 '20 at 06:41

0 Answers
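An added example (not from the original post or its comments) of the conversion asked about: KMS documents the data key pair's public key as a DER-encoded X.509 SubjectPublicKeyInfo, so PEM is the base64 of those bytes in 64-character lines between BEGIN/END markers. The function names and the sample key (SPKI framing around placeholder bytes, not a real key) are constructed for illustration, and the header check assumes the uncompressed-point encoding; written for Python 3.

```python
import base64

# DER header of an X.509 SubjectPublicKeyInfo for an uncompressed P-384 key:
# SEQUENCE { SEQUENCE { OID id-ecPublicKey, OID secp384r1 }, BIT STRING 00 04 X Y }
P384_SPKI_PREFIX = bytes.fromhex("3076301006072a8648ce3d020106052b8104002203620004")
P384_POINT_LEN = 96  # X || Y, 48 bytes each


def looks_like_p384_spki(der):
    """Structural check only (header and length); the curve point is not validated."""
    return (len(der) == len(P384_SPKI_PREFIX) + P384_POINT_LEN
            and der.startswith(P384_SPKI_PREFIX))


def der_to_pem(der, label):
    """PEM armor per RFC 7468: base64 of the DER in 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n".format(label, body)


def pem_to_der(pem):
    """Inverse of der_to_pem, used here to confirm the round trip."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def kms_public_key_to_pem(public_key):
    """Convert the bytes in data_key['PublicKey'] (KeyPairSpec ECC_NIST_P384) to PEM."""
    if not looks_like_p384_spki(public_key):
        # Catches truncated input or text that was base64-encoded a second time.
        raise ValueError("not a DER SubjectPublicKeyInfo for ECC_NIST_P384")
    return der_to_pem(public_key, "PUBLIC KEY")


# Constructed sample: valid SPKI framing around 96 placeholder bytes (not a real key).
SAMPLE_PUBLIC_KEY = P384_SPKI_PREFIX + bytes(range(96))

if __name__ == "__main__":
    print(kms_public_key_to_pem(SAMPLE_PUBLIC_KEY))
```

The same `der_to_pem` applies to the private key once `PrivateKeyCiphertextBlob` has been decrypted with `kms.decrypt`; that plaintext is PKCS #8 DER and takes the label `PRIVATE KEY`.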