KMS: sign/verify should use the original message, not the base64-encoded version (#6795)

Bert Blommers 2023-09-09 09:57:39 +00:00 committed by GitHub
parent a75e30faae
commit fa9aa95156
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 19 deletions


@ -629,9 +629,8 @@ class KmsBackend(BaseBackend):
def sign(
self, key_id: str, message: bytes, signing_algorithm: str
) -> Tuple[str, bytes, str]:
"""Sign message using generated private key.
- signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
"""
Sign message using generated private key.
- grant_tokens are not implemented
"""
@ -647,9 +646,8 @@ class KmsBackend(BaseBackend):
def verify(
self, key_id: str, message: bytes, signature: bytes, signing_algorithm: str
) -> Tuple[str, bool, str]:
"""Verify message using public key from generated private key.
- signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
"""
Verify message using public key from generated private key.
- grant_tokens are not implemented
"""


@ -24,7 +24,7 @@ class KmsResponse(BaseResponse):
def _get_param(self, param_name: str, if_none: Any = None) -> Any:
params = json.loads(self.body)
for key in ("Plaintext", "CiphertextBlob"):
for key in ("Plaintext", "CiphertextBlob", "Message"):
if key in params:
params[key] = base64.b64decode(params[key].encode("utf-8"))
@ -634,11 +634,6 @@ class KmsResponse(BaseResponse):
"The GrantTokens-parameter is not yet implemented for client.sign()"
)
if signing_algorithm != "RSASSA_PSS_SHA_256":
warnings.warn(
"The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.sign()"
)
if isinstance(message, str):
message = message.encode("utf-8")
@ -687,11 +682,6 @@ class KmsResponse(BaseResponse):
"The MessageType-parameter DIGEST is not yet implemented for client.verify()"
)
if signing_algorithm != "RSASSA_PSS_SHA_256":
warnings.warn(
"The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.verify()"
)
if not message_type:
message_type = "RAW"
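Review bot: In `_get_param`, the `base64.b64decode(params[key].encode("utf-8"))` call that now also covers `Message` runs in its default non-strict mode, which silently drops characters outside the base64 alphabet, so a malformed `Message` is signed or verified as different bytes instead of being rejected. Decoding strictly, `params[key] = base64.b64decode(params[key].encode("utf-8"), validate=True)`, and mapping the resulting `binascii.Error` to a validation error would make the mock fail loudly; note that this also tightens `Plaintext` and `CiphertextBlob`. If the sign handler reads `Message` through this helper, the `if isinstance(message, str): message = message.encode("utf-8")` branch it keeps looks unreachable. That last point is inferred, because both functions continue outside the hunks shown.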


@ -1,7 +1,7 @@
import json
from datetime import datetime
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, ec
import itertools
from unittest import mock
from dateutil.tz import tzutc
@ -1598,3 +1598,30 @@ def create_simple_key(client, id_or_arn="KeyId", description=None, policy=None):
if policy:
params["Policy"] = policy
return client.create_key(**params)["KeyMetadata"][id_or_arn]
@mock_kms
def test_ensure_key_can_be_verified_manually():
signing_algorithm: str = "ECDSA_SHA_256"
kms_client = boto3.client("kms", region_name="us-east-1")
response = kms_client.create_key(
Description="example",
KeyUsage="SIGN_VERIFY",
CustomerMasterKeySpec="ECC_NIST_P256",
)
key_id = response["KeyMetadata"]["KeyId"]
public_key_data = kms_client.get_public_key(KeyId=key_id)["PublicKey"]
message = b"example message"
response = kms_client.sign(
KeyId=key_id,
Message=message,
MessageType="RAW",
SigningAlgorithm=signing_algorithm,
)
raw_signature = response["Signature"]
sign_kwargs = dict(signature_algorithm=ec.ECDSA(hashes.SHA256()))
public_key = serialization.load_der_public_key(public_key_data)
public_key.verify(signature=raw_signature, data=message, **sign_kwargs)
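Review bot: `test_ensure_key_can_be_verified_manually` exercises only the accepting path, so nothing shows that the externally loaded public key rejects the signature for any other input. A negative assertion after the final `verify` call would close that gap: `with pytest.raises(InvalidSignature):` followed by `public_key.verify(signature=raw_signature, data=b"another message", **sign_kwargs)`, with `from cryptography.exceptions import InvalidSignature` added to the imports (whether `pytest` is already imported in this file is not visible here). The test also covers only `ECDSA_SHA_256`; since the commit removes the warnings saying the algorithm was hardcoded to `RSASSA_PSS_SHA_256`, an RSA case checked the same way would be worth adding.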