feat(ebe): use KMS tls cert if mtls mode is enabled

Ticket: WP-4353

Author: pranavjain97

README.md

@@ -59,20 +59,29 @@ Both modes use the same TLS configuration variables:
 
 **Option 1: Certificate Files**
 
-- `TLS_KEY_PATH` - Path to private key file
-- `TLS_CERT_PATH` - Path to certificate file
+- `TLS_KEY_PATH` - Path to private key file (used for both inbound mTLS server and outbound mTLS client to KMS)
+- `TLS_CERT_PATH` - Path to certificate file (used for both inbound mTLS server and outbound mTLS client to KMS)
 
 **Option 2: Environment Variables**
 
-- `TLS_KEY` - Private key content (PEM format)
-- `TLS_CERT` - Certificate content (PEM format)
+- `TLS_KEY` - Private key content (PEM format, used for both inbound and outbound)
+- `TLS_CERT` - Certificate content (PEM format, used for both inbound and outbound)
 
 #### mTLS Settings (when TLS_MODE=mtls)
 
 - `MTLS_REQUEST_CERT` - Request client certificates (default: true)
 - `ALLOW_SELF_SIGNED` - Allow self-signed certificates (default: false)
 - `MTLS_ALLOWED_CLIENT_FINGERPRINTS` - Comma-separated list of allowed client certificate fingerprints (optional)
 
+#### Outbound mTLS to KMS
+
+- When `TLS_MODE=mtls`, outbound mTLS to KMS is enabled by default.
+- The same `TLS_CERT` and `TLS_KEY` are used as the client certificate and key for outbound mTLS requests to KMS.
+- `KMS_TLS_CERT_PATH` - Path to the CA certificate to verify the KMS server (required when outbound mTLS is enabled).
+- If `TLS_MODE=disabled`, outbound mTLS to KMS is also disabled by default.
+
+> **Note:** If you want to use a different client certificate for KMS, you will need to extend the configuration. By default, the same cert/key is used for both inbound and outbound mTLS.
+
 ### Logging and Debug
 
 - `HTTP_LOGFILE` - Path to HTTP request log file (optional, used by Morgan for HTTP access logs)

src/initConfig.ts

@@ -87,12 +87,13 @@ function enclavedEnvConfig(): Partial<EnclavedConfig> {
     port: Number(readEnvVar('ENCLAVED_EXPRESS_PORT')),
     bind: readEnvVar('BIND'),
     ipc: readEnvVar('IPC'),
-    httpLoggerFile: readEnvVar('HTTP_LOGFILE'),
+    httpLoggerFile: readEnvVar('HTTP_LOGFILE') || 'logs/http-access.log',
     timeout: Number(readEnvVar('TIMEOUT')),
     keepAliveTimeout: Number(readEnvVar('KEEP_ALIVE_TIMEOUT')),
     headersTimeout: Number(readEnvVar('HEADERS_TIMEOUT')),
     // KMS settings
     kmsUrl,
+    kmsTlsCertPath: readEnvVar('KMS_TLS_CERT_PATH'),
     // mTLS settings
     keyPath: readEnvVar('TLS_KEY_PATH'),
     crtPath: readEnvVar('TLS_CERT_PATH'),
@@ -123,6 +124,7 @@ function mergeEnclavedConfigs(...configs: Partial<EnclavedConfig>[]): EnclavedCo
     keepAliveTimeout: get('keepAliveTimeout'),
     headersTimeout: get('headersTimeout'),
     kmsUrl: get('kmsUrl'),
+    kmsTlsCertPath: get('kmsTlsCertPath'),
     keyPath: get('keyPath'),
     crtPath: get('crtPath'),
     tlsKey: get('tlsKey'),
@@ -164,6 +166,19 @@ function configureEnclavedMode(): EnclavedConfig {
       logger.info('Using TLS certificate from environment variable');
     }
 
+    if (!config.kmsTlsCertPath) {
+      throw new Error('KMS TLS CERT is required when TLS mode is MTLS');
+    }
+    if (config.kmsTlsCertPath) {
+      try {
+        config.kmsTlsCert = fs.readFileSync(config.kmsTlsCertPath, 'utf-8');
+        logger.info(`Successfully loaded KMS TLS certificate from file: ${config.kmsTlsCertPath}`);
+      } catch (e) {
+        const err = e instanceof Error ? e : new Error(String(e));
+        throw new Error(`Failed to read KMS TLS certificate from kmsTlsCert: ${err.message}`);
+      }
+    }
+
     // Validate that certificates are properly loaded when TLS is enabled
     validateTlsCertificates(config);
   }

src/kms/kmsClient.ts

@@ -1,6 +1,6 @@
 import debug from 'debug';
 import * as superagent from 'superagent';
-import { EnclavedConfig, isMasterExpressConfig } from '../shared/types';
+import { EnclavedConfig, isMasterExpressConfig, TlsMode } from '../shared/types';
 import { PostKeyKmsSchema, PostKeyParams, PostKeyResponse } from './types/postKey';
 import { GetKeyKmsSchema, GetKeyParams, GetKeyResponse } from './types/getKey';
 import {
@@ -25,14 +25,17 @@ export class KmsClient {
     if (isMasterExpressConfig(cfg)) {
       throw new Error('Configuration is not in enclaved express mode');
     }
-
     if (!cfg.kmsUrl) {
       throw new Error('KMS URL not configured. Please set KMS_URL in your environment.');
     }
 
     this.url = cfg.kmsUrl;
-    if (cfg.kmsTlsMode === 'enabled' && cfg.kmsTlsCert) {
-      this.agent = new https.Agent({ ca: cfg.kmsTlsCert });
+    if (cfg.tlsMode === TlsMode.MTLS && cfg.kmsTlsCert) {
+      this.agent = new https.Agent({
+        ca: cfg.kmsTlsCert,
+        cert: cfg.tlsCert,
+        key: cfg.tlsKey,
+      });
     }
     debugLogger('kmsClient initialized with URL: %s', this.url);
   }

src/shared/types/index.ts

@@ -27,9 +27,8 @@ export interface EnclavedConfig extends BaseConfig {
   appMode: AppMode.ENCLAVED;
   // KMS settings
   kmsUrl: string;
-  kmsTlsMode?: 'enabled' | 'disabled';
-  kmsTlsCert?: string;
   kmsTlsCertPath?: string;
+  kmsTlsCert?: string;
   // mTLS settings
   keyPath?: string;
   crtPath?: string;