fix: hash payload before signing/verifying with Aws KMS #12
Conversation
| @@ -110,10 +111,14 @@ actual class AwsKmsCryptoProvider actual constructor( | |||
| ?: throw IllegalArgumentException("Key does not have a signature algorithm set") | |||
| } | |||
|
|
|||
| // Create a digest of the input data | |||
| val hashedInput = MessageDigest.getInstance(algorithm.digestAlgorithm?.name).digest(input) | |||
There was a problem hiding this comment.
Are you sure this is correct? In other words does AWS expect the hashed inputs? Is that a param?
Let's say I am using Scep256r1/ES256 as signature alg, then normally the signing part itself would perform the hashing internally, as Secp256r1/ES256 is EcDSA with SHA256
There was a problem hiding this comment.
It should have been opened as a draft.
As per AWS docs Use the Message parameter to specify the message or message digest to sign. You can submit messages of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash digest in the Message parameter. To indicate whether the message is a full message or a digest, use the MessageType parameter.
I need to test it further before making it a PR. For the last part of the question, I will need to understand better those scenarios and create tests that cover them.
No description provided.