How to use the output from Invoke-KMSSigning? Trying to re-sign a CSR to obtain a codesign certificate from third party.

[amlynnworth]

I am trying to workaround the need for expensive CloudHSM by using a CSR (generated by the free DigiCert Certificate Utility for Windows) that gets re-signed with a key from AWS KMS, which I then want to feed to FastSSL with the hope of being able to use the resulting codesigning certificate on a remote-continuous-integration machine without a usb hardware dongle.

The re-signing of the CSR seems possible with Python and I thought it should also be possible with PowerShell. Python:
https://github.com/g-a-d/aws-kms-sign-csr/blob/master/aws-kms-sign-csr.py

This is my PowerShell code:

$csr = @'
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICvTsnipsnipsnipRMw
-----END NEW CERTIFICATE REQUEST-----
'@

$Env:AWS_ACCESS_KEY_ID="AKIsnip7EXAMPLE"
$Env:AWS_SECRET_ACCESS_KEY="wJalrXsnipPxRfiCYEXAMPLEKEY"

cls
write-output $csr.length   # with a valid CSR string, the length is 1024
$myId = '4esnip'    # AWS SMS KeyID
Invoke-KMSSigning -Message $csr -KeyId $myId -SigningAlgorithm RSASSA_PSS_SHA_256  -region us-west-2 

# Note AWS KMS Cryptographic Configurations says my Key Spec = RSA_4096, Key Usage = Sign and Verify

The output from the PowerShell IDE is

CanRead      : True
CanSeek      : True
CanWrite     : True
Capacity     : 512
Length       : 512
Position     : 0
CanTimeout   : False
ReadTimeout  : 
WriteTimeout : 

These fields seem to be properties of the System.IO.MemoryStream. How do I get my re-signed CSR into a file? I tried Out-File and -Select '*' and ToString(). All I ever get is the datatype of MemoryStream or the above list of properties.

I realize this is a bit of a wild goose chase. Nonetheless, even if this way of codesigning Windows EXEs turns out to be impossible, I would appreciate finding out whether there is a way to use Invoke-KMSSigning to get the result of the signing process.

Here is an example where a file is signed using the 'sign' method of AWS KMS using AWS command line: https://www.youtube.com/watch?v=8VxCDHgJOlU (Digital Signing with AWS KMS by Zeal Vora) and this makes me think I need to pipe the output of the signing process in a way that concatenates it into the original file.

Here is aws cli syntax which generates a signature as shown in the video, using my key-id, same region, same algorithm, same input data:

aws.exe kms sign --key-id "4snip0" --message fileb://D:\temp\01_csr.txt --signing-algorithm RSASSA_PSS_SHA_256 --region us-west-2

Thank you.

[afroz429]

MemoryStream can be converted to a string by using the following code in PowerShell. After you have a string, you can use Out-File to write to file

[Text.Encoding]::UTF8.GetString($memoryStream.ToArray())

[amlynnworth]

Thank you! I did not realize the ToArray() function would bridge from the memory stream to an array of bytes that can be converted further.

For the record, this is the code I have so far:

$base64String = [System.Convert]::ToBase64String( $response.ToArray() )
write-host $base64String
#Set-Content -Path 'C:\MyFolder\base64.txt' -Value $base64String