KMS: sign/verify should use the original message, not the base64-encoded version (#6795)

Bert Blommers 2023-09-09 09:57:39 +00:00 committed by GitHub
parent a75e30faae
commit fa9aa95156
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 19 deletions


@ -629,9 +629,8 @@ class KmsBackend(BaseBackend):
def sign( def sign(
self, key_id: str, message: bytes, signing_algorithm: str self, key_id: str, message: bytes, signing_algorithm: str
) -> Tuple[str, bytes, str]: ) -> Tuple[str, bytes, str]:
"""Sign message using generated private key. """
Sign message using generated private key.
- signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
- grant_tokens are not implemented - grant_tokens are not implemented
""" """
@ -647,9 +646,8 @@ class KmsBackend(BaseBackend):
def verify( def verify(
self, key_id: str, message: bytes, signature: bytes, signing_algorithm: str self, key_id: str, message: bytes, signature: bytes, signing_algorithm: str
) -> Tuple[str, bool, str]: ) -> Tuple[str, bool, str]:
"""Verify message using public key from generated private key. """
Verify message using public key from generated private key.
- signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
- grant_tokens are not implemented - grant_tokens are not implemented
""" """
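Review bot: With the "ignored and hardcoded to RSASSA_PSS_SHA_256" bullet removed, the docstrings of `sign` and `verify` no longer say anything about how `signing_algorithm` is handled. Both bodies lie outside these hunks, so it cannot be confirmed from here whether an algorithm that does not match the key's spec is rejected or silently accepted. I would add one bullet to each docstring stating which algorithms are honoured and what is raised for an unsupported one. That tells users of the mock whether a passing test implies the same call would be accepted by the real service.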


@ -24,7 +24,7 @@ class KmsResponse(BaseResponse):
def _get_param(self, param_name: str, if_none: Any = None) -> Any: def _get_param(self, param_name: str, if_none: Any = None) -> Any:
params = json.loads(self.body) params = json.loads(self.body)
for key in ("Plaintext", "CiphertextBlob"): for key in ("Plaintext", "CiphertextBlob", "Message"):
if key in params: if key in params:
params[key] = base64.b64decode(params[key].encode("utf-8")) params[key] = base64.b64decode(params[key].encode("utf-8"))
@ -634,11 +634,6 @@ class KmsResponse(BaseResponse):
"The GrantTokens-parameter is not yet implemented for client.sign()" "The GrantTokens-parameter is not yet implemented for client.sign()"
) )
if signing_algorithm != "RSASSA_PSS_SHA_256":
warnings.warn(
"The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.sign()"
)
if isinstance(message, str): if isinstance(message, str):
message = message.encode("utf-8") message = message.encode("utf-8")
@ -687,11 +682,6 @@ class KmsResponse(BaseResponse):
"The MessageType-parameter DIGEST is not yet implemented for client.verify()" "The MessageType-parameter DIGEST is not yet implemented for client.verify()"
) )
if signing_algorithm != "RSASSA_PSS_SHA_256":
warnings.warn(
"The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.verify()"
)
if not message_type: if not message_type:
message_type = "RAW" message_type = "RAW"
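Review bot: In `_get_param`, the newly added "Message" key is decoded with `base64.b64decode` in its default lenient mode, which discards characters outside the base64 alphabet instead of rejecting them. A malformed Message would therefore be signed or verified as whatever bytes remain. Consider `params[key] = base64.b64decode(params[key].encode("utf-8"), validate=True)` and mapping the resulting `binascii.Error` to the service's validation error; note this would also tighten "Plaintext" and "CiphertextBlob", which share the loop. Separately, if the sign handler reads Message through `_get_param` (its body starts outside the hunk, so this is inferred), the value is already bytes and the `if isinstance(message, str):` branch looks unreachable.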


@ -1,7 +1,7 @@
import json import json
from datetime import datetime from datetime import datetime
from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.asymmetric import rsa, ec
import itertools import itertools
from unittest import mock from unittest import mock
from dateutil.tz import tzutc from dateutil.tz import tzutc
@ -1598,3 +1598,30 @@ def create_simple_key(client, id_or_arn="KeyId", description=None, policy=None):
if policy: if policy:
params["Policy"] = policy params["Policy"] = policy
return client.create_key(**params)["KeyMetadata"][id_or_arn] return client.create_key(**params)["KeyMetadata"][id_or_arn]
@mock_kms
def test_ensure_key_can_be_verified_manually():
signing_algorithm: str = "ECDSA_SHA_256"
kms_client = boto3.client("kms", region_name="us-east-1")
response = kms_client.create_key(
Description="example",
KeyUsage="SIGN_VERIFY",
CustomerMasterKeySpec="ECC_NIST_P256",
)
key_id = response["KeyMetadata"]["KeyId"]
public_key_data = kms_client.get_public_key(KeyId=key_id)["PublicKey"]
message = b"example message"
response = kms_client.sign(
KeyId=key_id,
Message=message,
MessageType="RAW",
SigningAlgorithm=signing_algorithm,
)
raw_signature = response["Signature"]
sign_kwargs = dict(signature_algorithm=ec.ECDSA(hashes.SHA256()))
public_key = serialization.load_der_public_key(public_key_data)
public_key.verify(signature=raw_signature, data=message, **sign_kwargs)
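Review bot: `test_ensure_key_can_be_verified_manually` only exercises the success path, so nothing asserts that the base64-encoded form of the message (the behaviour this commit removes) or an altered message is now rejected. A negative case after the final `verify` call would pin the fix: `with pytest.raises(InvalidSignature):` followed by `public_key.verify(signature=raw_signature, data=base64.b64encode(message), **sign_kwargs)`. `InvalidSignature` comes from `cryptography.exceptions`; whether `pytest` and `base64` are already imported in this file is not visible in the hunk. A one-line docstring stating that the test checks a KMS-produced signature against the exported public key using an independent library would also make the intent clear.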