From 417ccbd54ae7ea35ab1872ee4a0f7b5dddf7abc0 Mon Sep 17 00:00:00 2001
From: Akira Noda <61897166+tsugumi-sys@users.noreply.github.com>
Date: Tue, 29 Aug 2023 03:39:50 +0900
Subject: [PATCH] KMS: Add fail cases for testing verification of RSA Signing algorithms (#6738)
---
 tests/test_kms/test_kms_boto3.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/tests/test_kms/test_kms_boto3.py b/tests/test_kms/test_kms_boto3.py
index 8ec794cbe..b2db4817a 100644
--- a/tests/test_kms/test_kms_boto3.py
+++ b/tests/test_kms/test_kms_boto3.py
@@ -1233,7 +1233,10 @@ def test_fail_verify_digest_message_type_RSA(
 digest = hashes.Hash(hashes.SHA256())
 digest.update(b"this works")
 digest.update(b"as well")
+ falsified_digest = digest.copy()
 message = digest.finalize()
+ falsified_digest.update(b"This sentence has been falsified")
+ falsified_message = falsified_digest.finalize()

 sign_response = client.sign(
 KeyId=key_id,
@@ -1242,6 +1245,16 @@ def test_fail_verify_digest_message_type_RSA(
 MessageType="DIGEST",
 )

+ # Verification fails if a message has been falsified.
+ verify_response = client.verify(
+ KeyId=key_id,
+ Message=falsified_message,
+ Signature=sign_response["Signature"],
+ SigningAlgorithm=signing_algorithm,
+ )
+ assert verify_response["SignatureValid"] is False
+
+ # Verification fails if a different signing algorithm is used than the one used in signature.
 verify_response = client.verify(
 KeyId=key_id,
 Message=message,
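Review bot: In the first hunk, the placement of `falsified_digest = digest.copy()` before `message = digest.finalize()` is load-bearing but carries no comment. A `cryptography` hash context can no longer be copied or updated once `finalize()` has been called, so reordering these lines during a later cleanup would break the test. I would add `# copy() must come before finalize(); a finalized hash context cannot be copied or updated` above the copy. The body of `test_fail_verify_digest_message_type_RSA` starts and ends outside this hunk.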
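Review bot: In the second hunk, the added `client.verify(...)` call for `falsified_message` omits `MessageType="DIGEST"`, although the signature was produced by `client.sign(...)` with `MessageType="DIGEST"`. If verify treats `Message` as raw data when no type is given, `SignatureValid` would presumably be False for the untampered digest as well. In that case `assert verify_response["SignatureValid"] is False` could pass without exercising the tamper check. Adding `MessageType="DIGEST",` to this call would leave the falsified content as the only difference from the signing call. The test function continues past the end of the hunk, so the later verify calls could not be compared.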