diff --git a/moto/kms/models.py b/moto/kms/models.py
index 34a24ff91..16abc0cf2 100644
--- a/moto/kms/models.py
+++ b/moto/kms/models.py
@@ -629,9 +629,8 @@ class KmsBackend(BaseBackend):
 def sign(
 self, key_id: str, message: bytes, signing_algorithm: str
 ) -> Tuple[str, bytes, str]:
- """Sign message using generated private key.
-
- - signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
+ """
+ Sign message using generated private key.
 - grant_tokens are not implemented
 """
@@ -647,9 +646,8 @@ class KmsBackend(BaseBackend):
 def verify(
 self, key_id: str, message: bytes, signature: bytes, signing_algorithm: str
 ) -> Tuple[str, bool, str]:
- """Verify message using public key from generated private key.
-
- - signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
+ """
+ Verify message using public key from generated private key.
 - grant_tokens are not implemented
 """
diff --git a/moto/kms/responses.py b/moto/kms/responses.py
index a6de11e0f..03e2adf07 100644
--- a/moto/kms/responses.py
+++ b/moto/kms/responses.py
@@ -24,7 +24,7 @@ class KmsResponse(BaseResponse):
 def _get_param(self, param_name: str, if_none: Any = None) -> Any:
 params = json.loads(self.body)
- for key in ("Plaintext", "CiphertextBlob"):
+ for key in ("Plaintext", "CiphertextBlob", "Message"):
 if key in params:
 params[key] = base64.b64decode(params[key].encode("utf-8"))
@@ -634,11 +634,6 @@ class KmsResponse(BaseResponse):
 "The GrantTokens-parameter is not yet implemented for client.sign()"
 )
- if signing_algorithm != "RSASSA_PSS_SHA_256":
- warnings.warn(
- "The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.sign()"
- )
-
 if isinstance(message, str):
 message = message.encode("utf-8")
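Review bot: The docstring of `KmsBackend.sign` (moto/kms/models.py) no longer says anything about `signing_algorithm`, and the same gap is left on `verify` in the next hunk. Dropping the "ignored and hardcoded" bullet is fine if the parameter is now honoured, but a reader cannot tell which algorithms the mock accepts or what it does with a value that does not fit the key spec. I would add one bullet in the existing list style that names the supported algorithms and the behaviour for an unsupported or mismatched one, taken from the implementation. Both method bodies lie outside these hunks, so that behaviour is not visible here.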
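Review bot: The `base64.b64decode(...)` call in `_get_param` (moto/kms/responses.py) runs in its default lenient mode, and with `"Message"` added to the tuple it now also feeds the sign and verify paths. Lenient decoding silently discards characters outside the base64 alphabet, so a caller that sends a badly encoded message gets a signature over different bytes rather than an error, and broken padding surfaces as an unhandled `binascii.Error`. I would decode strictly with `params[key] = base64.b64decode(params[key].encode("utf-8"), validate=True)` and map the decode failure to a client-facing validation error. If the handlers read the message through this helper, it now arrives as bytes, which would make the `if isinstance(message, str):` branch kept as context in the sign hunk unreachable. `_get_param` continues past the end of this hunk.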
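Review bot: With the warning removed, nothing visible in the `sign()` handler here, or in the matching `verify()` hunk that follows, checks `signing_algorithm` before it is passed on. If the backend does not validate it either, a test can request an algorithm that does not fit the key spec (an RSA algorithm on an `ECC_NIST_P256` key, say) and still pass against the mock, whereas AWS KMS rejects such a request. A guard that rejects values not valid for the key's spec, rather than a silent fallback, would keep the mock from hiding that mistake. Both handlers start and end outside their hunks, so a check may already exist elsewhere.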
@@ -687,11 +682,6 @@ class KmsResponse(BaseResponse):
 "The MessageType-parameter DIGEST is not yet implemented for client.verify()"
 )
- if signing_algorithm != "RSASSA_PSS_SHA_256":
- warnings.warn(
- "The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.verify()"
- )
-
 if not message_type:
 message_type = "RAW"
diff --git a/tests/test_kms/test_kms_boto3.py b/tests/test_kms/test_kms_boto3.py
index bd2a9f7f3..3754815e8 100644
--- a/tests/test_kms/test_kms_boto3.py
+++ b/tests/test_kms/test_kms_boto3.py
@@ -1,7 +1,7 @@
 import json
 from datetime import datetime
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa, ec
 import itertools
 from unittest import mock
 from dateutil.tz import tzutc
@@ -1598,3 +1598,30 @@ def create_simple_key(client, id_or_arn="KeyId", description=None, policy=None):
 if policy:
 params["Policy"] = policy
 return client.create_key(**params)["KeyMetadata"][id_or_arn]
+
+
+@mock_kms
+def test_ensure_key_can_be_verified_manually():
+ signing_algorithm: str = "ECDSA_SHA_256"
+ kms_client = boto3.client("kms", region_name="us-east-1")
+ response = kms_client.create_key(
+ Description="example",
+ KeyUsage="SIGN_VERIFY",
+ CustomerMasterKeySpec="ECC_NIST_P256",
+ )
+ key_id = response["KeyMetadata"]["KeyId"]
+ public_key_data = kms_client.get_public_key(KeyId=key_id)["PublicKey"]
+
+ message = b"example message"
+ response = kms_client.sign(
+ KeyId=key_id,
+ Message=message,
+ MessageType="RAW",
+ SigningAlgorithm=signing_algorithm,
+ )
+
+ raw_signature = response["Signature"]
+ sign_kwargs = dict(signature_algorithm=ec.ECDSA(hashes.SHA256()))
+
+ public_key = serialization.load_der_public_key(public_key_data)
+ public_key.verify(signature=raw_signature, data=message, **sign_kwargs)
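Review bot: `test_ensure_key_can_be_verified_manually` (tests/test_kms/test_kms_boto3.py) covers only the happy path for `ECDSA_SHA_256` on an `ECC_NIST_P256` key, and it never passes the signature back through the mock's own verify call. Adding `assert kms_client.verify(KeyId=key_id, Message=message, Signature=raw_signature, SigningAlgorithm=signing_algorithm)["SignatureValid"]` would pin sign and verify to the same bytes, and a second call with a different message would show that a bad signature is not accepted. The RSA algorithms that used to be hardcoded get no external check here, so parametrising the test over key spec and algorithm would cover them as well. As a style point, the `: str` annotation on a local and the `sign_kwargs = dict(...)` indirection add nothing; passing `signature_algorithm=ec.ECDSA(hashes.SHA256())` directly to `public_key.verify` reads more plainly.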