KMS: sign/verify should use the original message, not the base64-encoded version (#6795)
parent
a75e30faae
commit
fa9aa95156
@ -629,9 +629,8 @@ class KmsBackend(BaseBackend):
|
|||||||
def sign(
|
def sign(
|
||||||
self, key_id: str, message: bytes, signing_algorithm: str
|
self, key_id: str, message: bytes, signing_algorithm: str
|
||||||
) -> Tuple[str, bytes, str]:
|
) -> Tuple[str, bytes, str]:
|
||||||
"""Sign message using generated private key.
|
"""
|
||||||
|
Sign message using generated private key.
|
||||||
- signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
|
|
||||||
|
|
||||||
- grant_tokens are not implemented
|
- grant_tokens are not implemented
|
||||||
"""
|
"""
|
||||||
@ -647,9 +646,8 @@ class KmsBackend(BaseBackend):
|
|||||||
def verify(
|
def verify(
|
||||||
self, key_id: str, message: bytes, signature: bytes, signing_algorithm: str
|
self, key_id: str, message: bytes, signature: bytes, signing_algorithm: str
|
||||||
) -> Tuple[str, bool, str]:
|
) -> Tuple[str, bool, str]:
|
||||||
"""Verify message using public key from generated private key.
|
"""
|
||||||
|
Verify message using public key from generated private key.
|
||||||
- signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
|
|
||||||
|
|
||||||
- grant_tokens are not implemented
|
- grant_tokens are not implemented
|
||||||
"""
|
"""
|
||||||
|
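Review bot: The `sign` and `verify` docstrings drop the note about the hard-coded algorithm but never say what `message` now is. Since this commit is about the backend receiving the original bytes rather than the base64 text, state that contract in both docstrings, for example `- message is the raw payload, already base64-decoded by the response layer`. It would also help to document what happens when `signing_algorithm` is not compatible with the key's spec. That behaviour cannot be confirmed from here because both method bodies continue outside the hunks.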
@ -24,7 +24,7 @@ class KmsResponse(BaseResponse):
|
|||||||
def _get_param(self, param_name: str, if_none: Any = None) -> Any:
|
def _get_param(self, param_name: str, if_none: Any = None) -> Any:
|
||||||
params = json.loads(self.body)
|
params = json.loads(self.body)
|
||||||
|
|
||||||
for key in ("Plaintext", "CiphertextBlob"):
|
for key in ("Plaintext", "CiphertextBlob", "Message"):
|
||||||
if key in params:
|
if key in params:
|
||||||
params[key] = base64.b64decode(params[key].encode("utf-8"))
|
params[key] = base64.b64decode(params[key].encode("utf-8"))
|
||||||
|
|
||||||
@ -634,11 +634,6 @@ class KmsResponse(BaseResponse):
|
|||||||
"The GrantTokens-parameter is not yet implemented for client.sign()"
|
"The GrantTokens-parameter is not yet implemented for client.sign()"
|
||||||
)
|
)
|
||||||
|
|
||||||
if signing_algorithm != "RSASSA_PSS_SHA_256":
|
|
||||||
warnings.warn(
|
|
||||||
"The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.sign()"
|
|
||||||
)
|
|
||||||
|
|
||||||
if isinstance(message, str):
|
if isinstance(message, str):
|
||||||
message = message.encode("utf-8")
|
message = message.encode("utf-8")
|
||||||
|
|
||||||
@ -687,11 +682,6 @@ class KmsResponse(BaseResponse):
|
|||||||
"The MessageType-parameter DIGEST is not yet implemented for client.verify()"
|
"The MessageType-parameter DIGEST is not yet implemented for client.verify()"
|
||||||
)
|
)
|
||||||
|
|
||||||
if signing_algorithm != "RSASSA_PSS_SHA_256":
|
|
||||||
warnings.warn(
|
|
||||||
"The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.verify()"
|
|
||||||
)
|
|
||||||
|
|
||||||
if not message_type:
|
if not message_type:
|
||||||
message_type = "RAW"
|
message_type = "RAW"
|
||||||
|
|
||||||
|
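Review bot: `base64.b64decode` in `_get_param` runs in its default lenient mode, so now that `"Message"` is in the decoded keys, a malformed Message has its non-alphabet characters silently discarded, and sign/verify would then operate on bytes the caller never sent. On a signing path it is safer to reject bad input with `params[key] = base64.b64decode(params[key].encode("utf-8"), validate=True)` and map the resulting `binascii.Error` to a validation error. If Message only reaches sign and verify through `_get_param`, the retained `if isinstance(message, str): message = message.encode("utf-8")` branch looks unreachable and could be removed. Those method bodies continue outside the hunks, so confirm that first.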
@ -1,7 +1,7 @@
|
|||||||
import json
|
import json
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
from cryptography.hazmat.primitives import hashes
|
from cryptography.hazmat.primitives import hashes, serialization
|
||||||
from cryptography.hazmat.primitives.asymmetric import rsa
|
from cryptography.hazmat.primitives.asymmetric import rsa, ec
|
||||||
import itertools
|
import itertools
|
||||||
from unittest import mock
|
from unittest import mock
|
||||||
from dateutil.tz import tzutc
|
from dateutil.tz import tzutc
|
||||||
@ -1598,3 +1598,30 @@ def create_simple_key(client, id_or_arn="KeyId", description=None, policy=None):
|
|||||||
if policy:
|
if policy:
|
||||||
params["Policy"] = policy
|
params["Policy"] = policy
|
||||||
return client.create_key(**params)["KeyMetadata"][id_or_arn]
|
return client.create_key(**params)["KeyMetadata"][id_or_arn]
|
||||||
|
|
||||||
|
|
||||||
|
@mock_kms
|
||||||
|
def test_ensure_key_can_be_verified_manually():
|
||||||
|
signing_algorithm: str = "ECDSA_SHA_256"
|
||||||
|
kms_client = boto3.client("kms", region_name="us-east-1")
|
||||||
|
response = kms_client.create_key(
|
||||||
|
Description="example",
|
||||||
|
KeyUsage="SIGN_VERIFY",
|
||||||
|
CustomerMasterKeySpec="ECC_NIST_P256",
|
||||||
|
)
|
||||||
|
key_id = response["KeyMetadata"]["KeyId"]
|
||||||
|
public_key_data = kms_client.get_public_key(KeyId=key_id)["PublicKey"]
|
||||||
|
|
||||||
|
message = b"example message"
|
||||||
|
response = kms_client.sign(
|
||||||
|
KeyId=key_id,
|
||||||
|
Message=message,
|
||||||
|
MessageType="RAW",
|
||||||
|
SigningAlgorithm=signing_algorithm,
|
||||||
|
)
|
||||||
|
|
||||||
|
raw_signature = response["Signature"]
|
||||||
|
sign_kwargs = dict(signature_algorithm=ec.ECDSA(hashes.SHA256()))
|
||||||
|
|
||||||
|
public_key = serialization.load_der_public_key(public_key_data)
|
||||||
|
public_key.verify(signature=raw_signature, data=message, **sign_kwargs)
|
||||||
|
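Review bot: `test_ensure_key_can_be_verified_manually` covers only the accepting path and only `ECDSA_SHA_256`, although the commit changes both `sign` and `verify` and removes the RSA-only warning. Add a round trip through the mock itself, `assert kms_client.verify(KeyId=key_id, Message=message, Signature=raw_signature, SigningAlgorithm=signing_algorithm)["SignatureValid"]`. Also add a case with a modified message that expects rejection; whether the backend raises or returns a false `SignatureValid` is not visible here. Without the negative case, a verify that accepts any input would still pass. Parametrising over an RSA algorithm would cover the other key family that this change opens up.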