KMS: sign/verify should use the original message, not the base64-encoded version (#6795)

moto/kms/models.py

@@ -629,9 +629,8 @@ class KmsBackend(BaseBackend):
     def sign(
         self, key_id: str, message: bytes, signing_algorithm: str
     ) -> Tuple[str, bytes, str]:
-        """Sign message using generated private key.
-
-        - signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
+        """
+        Sign message using generated private key.
 
         - grant_tokens are not implemented
         """
@@ -647,9 +646,8 @@ class KmsBackend(BaseBackend):
     def verify(
         self, key_id: str, message: bytes, signature: bytes, signing_algorithm: str
     ) -> Tuple[str, bool, str]:
-        """Verify message using public key from generated private key.
-
-        - signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
+        """
+        Verify message using public key from generated private key.
 
         - grant_tokens are not implemented
         """

moto/kms/responses.py

@@ -24,7 +24,7 @@ class KmsResponse(BaseResponse):
     def _get_param(self, param_name: str, if_none: Any = None) -> Any:
         params = json.loads(self.body)
 
-        for key in ("Plaintext", "CiphertextBlob"):
+        for key in ("Plaintext", "CiphertextBlob", "Message"):
             if key in params:
                 params[key] = base64.b64decode(params[key].encode("utf-8"))
 
@@ -634,11 +634,6 @@ class KmsResponse(BaseResponse):
                 "The GrantTokens-parameter is not yet implemented for client.sign()"
             )
 
-        if signing_algorithm != "RSASSA_PSS_SHA_256":
-            warnings.warn(
-                "The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.sign()"
-            )
-
         if isinstance(message, str):
             message = message.encode("utf-8")
 
@@ -687,11 +682,6 @@ class KmsResponse(BaseResponse):
                 "The MessageType-parameter DIGEST is not yet implemented for client.verify()"
             )
 
-        if signing_algorithm != "RSASSA_PSS_SHA_256":
-            warnings.warn(
-                "The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.verify()"
-            )
-
         if not message_type:
             message_type = "RAW"
 

tests/test_kms/test_kms_boto3.py

@@ -1,7 +1,7 @@
 import json
 from datetime import datetime
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa, ec
 import itertools
 from unittest import mock
 from dateutil.tz import tzutc
@@ -1598,3 +1598,30 @@ def create_simple_key(client, id_or_arn="KeyId", description=None, policy=None):
         if policy:
             params["Policy"] = policy
         return client.create_key(**params)["KeyMetadata"][id_or_arn]
+
+
+@mock_kms
+def test_ensure_key_can_be_verified_manually():
+    signing_algorithm: str = "ECDSA_SHA_256"
+    kms_client = boto3.client("kms", region_name="us-east-1")
+    response = kms_client.create_key(
+        Description="example",
+        KeyUsage="SIGN_VERIFY",
+        CustomerMasterKeySpec="ECC_NIST_P256",
+    )
+    key_id = response["KeyMetadata"]["KeyId"]
+    public_key_data = kms_client.get_public_key(KeyId=key_id)["PublicKey"]
+
+    message = b"example message"
+    response = kms_client.sign(
+        KeyId=key_id,
+        Message=message,
+        MessageType="RAW",
+        SigningAlgorithm=signing_algorithm,
+    )
+
+    raw_signature = response["Signature"]
+    sign_kwargs = dict(signature_algorithm=ec.ECDSA(hashes.SHA256()))
+
+    public_key = serialization.load_der_public_key(public_key_data)
+    public_key.verify(signature=raw_signature, data=message, **sign_kwargs)