
KMS: fix HMAC key import and add validated tests for HMAC and ECC key specs #12952


Merged
merged 5 commits into from
Aug 7, 2025

Conversation

sannya-singal
Contributor

@sannya-singal sannya-singal commented Aug 5, 2025

Motivation

Fix key import for all HMAC key specs (HMAC_224, HMAC_256, HMAC_384, HMAC_512). Previously, importing EXTERNAL-origin HMAC keys failed with the following error:

An error occurred (InternalError) when calling the ImportKeyMaterial operation (reached max retries: 2): exception while calling kms.ImportKeyMaterial: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=109052072, lib=13, reason=168, reason_text=wrong tag)>, <OpenSSLError(code=109576458, lib=13, reason=524554, reason_text=nested asn1 error)>])

Changes

The key material now gets loaded correctly: raw key material is accepted for all HMAC specs, not just SYMMETRIC_DEFAULT. This PR also adds the AWS-validated test test_import_key_hmac_keys, covering import, MAC generation and verification for all HMAC key specs.

It also adds the test test_import_key_ecc_keys to validate correct import, signing, verification and usage for all ECC key specs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1), as a user reported issues with it in GitHub issue comments and the LocalStack community channel.

Closes #10909
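The failure described above, as an added example that is not LocalStack's code: a stdlib-only model of the import step before and after the fix, followed by the import, MAC generation and verification round trip for all four HMAC specs that the validated test exercises. The key lengths are the sizes implied by the spec names (28, 32, 48 and 64 bytes); `looks_like_der_sequence` is a hypothetical, deliberately minimal stand-in for the OpenSSL DER loader that only checks the outer SEQUENCE tag and length, which is enough to show why raw HMAC bytes produce the "wrong tag" error; the error strings and key material are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not LocalStack's implementation. Spec name -> (hash, key size in bytes).
# Sizes are assumed from the spec names (224/256/384/512 bits).
HMAC_SPECS = {
    "HMAC_224": ("sha224", 28),
    "HMAC_256": ("sha256", 32),
    "HMAC_384": ("sha384", 48),
    "HMAC_512": ("sha512", 64),
}


def looks_like_der_sequence(data: bytes) -> bool:
    """Hypothetical, minimal stand-in for a DER key loader: the first thing such a
    parser expects is a SEQUENCE tag (0x30) followed by a length covering the rest of
    the buffer. Raw HMAC key bytes almost never satisfy this, hence 'wrong tag'."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                     # short-form length
        length, header = first, 2
    else:                                # long-form length: 0x8N + N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return len(data) == header + length


def import_key_material_before_fix(key_spec: str, key_material: bytes) -> dict:
    """Model of the behaviour the PR fixes: only SYMMETRIC_DEFAULT kept raw bytes, so
    HMAC key material was routed through the DER loader and failed to deserialize."""
    if key_spec == "SYMMETRIC_DEFAULT":
        return {"key_spec": key_spec, "key": key_material}
    if not looks_like_der_sequence(key_material):
        raise ValueError("Could not deserialize key data (wrong tag)")  # constructed message
    return {"key_spec": key_spec, "der": key_material}


def import_key_material(key_spec: str, key_material: bytes) -> dict:
    """Model of the fixed behaviour: every HMAC spec accepts raw key material of the
    expected length; only asymmetric specs go through the DER loader."""
    if key_spec in HMAC_SPECS:
        digest, size = HMAC_SPECS[key_spec]
        if len(key_material) != size:
            raise ValueError(f"{key_spec} expects {size} bytes, got {len(key_material)}")
        return {"key_spec": key_spec, "digest": digest, "key": key_material}
    if not looks_like_der_sequence(key_material):
        raise ValueError("Could not deserialize key data (wrong tag)")  # constructed message
    return {"key_spec": key_spec, "der": key_material}


def generate_mac(key: dict, message: bytes) -> bytes:
    """GenerateMac equivalent: HMAC over the message with the spec's digest."""
    return hmac.new(key["key"], message, key["digest"]).digest()


def verify_mac(key: dict, message: bytes, mac: bytes) -> bool:
    """VerifyMac equivalent: constant-time comparison against a freshly computed MAC."""
    return hmac.compare_digest(generate_mac(key, message), mac)


def roundtrip_all_specs(message: bytes = b"constructed message") -> dict:
    """Import, MAC and verify for every HMAC spec, mirroring the steps of the
    validated test; also checks that a tampered message does not verify."""
    results = {}
    for spec, (_, size) in HMAC_SPECS.items():
        key = import_key_material(spec, os.urandom(size))   # constructed key material
        mac = generate_mac(key, message)
        results[spec] = verify_mac(key, message, mac) and not verify_mac(key, message + b"x", mac)
    return results


if __name__ == "__main__":
    for spec, ok in roundtrip_all_specs().items():
        print(f"{spec}: {'ok' if ok else 'FAILED'}")
    try:
        import_key_material_before_fix("HMAC_256", bytes(range(32)))
    except ValueError as exc:
        print(f"before fix: {exc}")
```

The point of the before/after pair is the routing decision, not the parser: key material for a MAC key is an opaque byte string of a fixed length, and the only validation it needs is that length check, whereas asymmetric key material really is a DER structure. A real deployment would delegate the DER branch to `cryptography`'s loaders rather than the sketch above.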

@sannya-singal sannya-singal added this to the 4.8 milestone Aug 5, 2025
@sannya-singal sannya-singal self-assigned this Aug 5, 2025
@sannya-singal sannya-singal added aws:kms AWS Key Management Service semver: patch Non-breaking changes which can be included in patch releases labels Aug 5, 2025

github-actions bot commented Aug 5, 2025

LocalStack Community integration with Pro

2 files ±0 | 2 suites ±0 | 4m 37s ⏱️ −1h 36m 51s
718 tests −3 889 | 710 ✅ −3 467 | 8 💤 −422 | 0 ❌ ±0
720 runs −3 889 | 710 ✅ −3 467 | 10 💤 −422 | 0 ❌ ±0

Results for commit 875f432. ± Comparison against base commit 29690c2.

This pull request removes 3897 and adds 8 tests. Note that renamed tests count towards both.
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_lambda_dynamodb
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_opensearch_crud
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_search_books
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_setup
tests.aws.scenario.kinesis_firehose.test_kinesis_firehose.TestKinesisFirehoseScenario ‑ test_kinesis_firehose_s3
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_destination_sns
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_infra
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_prefill_dynamodb_table
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input0-SUCCEEDED]
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input1-SUCCEEDED]
…
tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_ecc_keys[ECC_NIST_P256]
tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_ecc_keys[ECC_NIST_P384]
tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_ecc_keys[ECC_NIST_P521]
tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_ecc_keys[ECC_SECG_P256K1]
tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_hmac_keys[HMAC_224]
tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_hmac_keys[HMAC_256]
tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_hmac_keys[HMAC_384]
tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_hmac_keys[HMAC_512]

♻️ This comment has been updated with latest results.


github-actions bot commented Aug 5, 2025

Test Results - Preflight, Unit

22 063 tests ±0 | 20 329 ✅ ±0 | 1 734 💤 ±0 | 0 ❌ ±0
1 suites ±0 | 1 files ±0 | 6m 23s ⏱️ +6s

Results for commit 875f432. ± Comparison against base commit 29690c2.

♻️ This comment has been updated with latest results.


github-actions bot commented Aug 5, 2025

Test Results (amd64) - Acceptance

7 tests ±0 | 5 ✅ ±0 | 2 💤 ±0 | 0 ❌ ±0
1 suites ±0 | 1 files ±0 | 3m 5s ⏱️ −14s

Results for commit 875f432. ± Comparison against base commit 29690c2.

♻️ This comment has been updated with latest results.


github-actions bot commented Aug 5, 2025

Test Results (amd64) - Integration, Bootstrap

5 files | 5 suites | 17m 7s ⏱️
742 tests | 734 ✅ | 8 💤 | 0 ❌
748 runs | 734 ✅ | 14 💤 | 0 ❌

Results for commit 875f432.

♻️ This comment has been updated with latest results.

@sannya-singal sannya-singal requested a review from k-a-il August 5, 2025 07:31
@sannya-singal sannya-singal marked this pull request as ready for review August 5, 2025 07:31
Contributor

@k-a-il k-a-il left a comment


nice fix, LGTM 🚀

@k-a-il k-a-il self-requested a review August 6, 2025 16:28
@sannya-singal sannya-singal merged commit 0ec1008 into main Aug 7, 2025
40 checks passed
@sannya-singal sannya-singal deleted the kms-10909 branch August 7, 2025 04:22
Labels
aws:kms AWS Key Management Service semver: patch Non-breaking changes which can be included in patch releases

Successfully merging this pull request may close these issues.

bug: Import KMS key fails with "Could not deserialize key data"
2 participants