bug: KMS provides invalid signature by ignoring MessageType #6815

@dissoupov

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

It seems that the Sign operation ignores MessageType.
As per the AWS documentation, the MessageType can be "DIGEST", which means the digest is already computed and just needs to be signed.
https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html

LocalStack ignores this parameter:

message_type: MessageType = None,

In GoLang the Sign interface takes the digest, not the raw message.
Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts)
Therefore Sign/Verify operations in Go fail when using LocalStack.

Expected Behavior

Use MessageType parameter and do not compute the digest when MessageType==DIGEST

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

Use Sign/Verify in GoLang

Environment

- OS: ubuntu
- LocalStack: latest
- GoLang 1.19

Anything else?

No response
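
Added example, not part of the original report and not LocalStack or AWS code: a local ECDSA stand-in for a Sign backend (the names `kmsSign`, `honorMessageType` and `roundTrip` are hypothetical) showing why re-hashing a DIGEST input breaks Go-side verification. It also checks the signature against SHA-256 of the digest, which is a quick way to confirm this specific failure when debugging.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// kmsSign is a hypothetical local stand-in for a KMS-style Sign backend.
// honorMessageType=false models the reported behaviour: the input is always hashed.
func kmsSign(key *ecdsa.PrivateKey, msg []byte, messageType string, honorMessageType bool) ([]byte, error) {
	toSign := msg
	if !(honorMessageType && messageType == "DIGEST") {
		h := sha256.Sum256(msg) // RAW semantics: the service computes the digest itself
		toSign = h[:]
	}
	return ecdsa.SignASN1(rand.Reader, key, toSign)
}

// roundTrip signs a precomputed digest the way a crypto.Signer-backed client does
// (MessageType=DIGEST), then verifies locally against the digest and against
// SHA-256(digest). The second result exposes a backend that hashed twice.
func roundTrip(honorMessageType bool) (bool, bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256([]byte("constructed sample message"))
	sig, err := kmsSign(key, digest[:], "DIGEST", honorMessageType)
	if err != nil {
		return false, false, err
	}
	rehashed := sha256.Sum256(digest[:])
	okDigest := ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig)
	okRehashed := ecdsa.VerifyASN1(&key.PublicKey, rehashed[:], sig)
	return okDigest, okRehashed, nil
}

func main() {
	for _, honor := range []bool{false, true} {
		okDigest, okRehashed, err := roundTrip(honor)
		fmt.Printf("honorMessageType=%v okDigest=%v okRehashed=%v err=%v\n", honor, okDigest, okRehashed, err)
	}
}
```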

Labels: aws:kms (AWS Key Management Service), status: resolved/fixed (Resolved with a fix or an implementation), type: bug (Bug report)