[KMS]Signing a digest message with ECDSA_SHA_256 #571

chabashilah · 2022-07-05T13:19:43Z

chabashilah
Jul 5, 2022

Hi,

I am trying to test the signing with aws_sdk_kms.
Currently, I am testing a Keccak-256 hashed message. Even if I gave the hashed message to Blob, I got the following message.

Error: Unhandled(Error { code: Some("ValidationException"), message: Some("Digest is invalid length for algorithm ECDSA_SHA_256."), request_id: Some(""), extras: {} })

The source code I am testing is like

    let digest = "5b07e077a81ffc6b47435f65a8727bcc542bc6fc0f25a56210efb1a74b88a5ae";
    let blob = Blob::new(digest.as_bytes());

    let resp = client
        .sign()
        .key_id(key)
        .signing_algorithm(aws_sdk_kms::model::SigningAlgorithmSpec::EcdsaSha256)
        .message_type(aws_sdk_kms::model::MessageType::Digest)
        .message(blob)
        .send()
        .await?;

Could you tell me what the right way to handle a digest message with Blob is?
When I tested the signing with aws cli, I used openssl for creating a digest message. At that time, I needed to specify -binary option.
In the above code case, the digest message is already handled as byte data. Is it not enough?

====

Soon after posting the above question, I realized that the digest message should've handled as at the beginning. I mean, it needs to be converted as binary from hex, not text. Am I right? Sorry, this question could be such a basic question....

Answered by rcoh

Jul 5, 2022

Hello! digest.as_bytes() is giving you the bytes of the ascii string (which are different from the actual bytes)—you'd need to hex-decode the digest to use it. Does that make sense? (eg. https://docs.rs/hex/0.4.3/hex/fn.decode.html)

However, if you're computing the Digest in Rust, you can just pass the Vec<u8> to Blob directly

We ran into a very similar issue during our own development of S3 Flexible Checksums—@Velfi may have a code snippet to direct you to

View full answer

rcoh · 2022-07-05T13:53:21Z

rcoh
Jul 5, 2022
Collaborator

Hello! digest.as_bytes() is giving you the bytes of the ascii string (which are different from the actual bytes)—you'd need to hex-decode the digest to use it. Does that make sense? (eg. https://docs.rs/hex/0.4.3/hex/fn.decode.html)

However, if you're computing the Digest in Rust, you can just pass the Vec<u8> to Blob directly

We ran into a very similar issue during our own development of S3 Flexible Checksums—@Velfi may have a code snippet to direct you to

2 replies

Velfi Jul 5, 2022
Maintainer

The hex crate is indeed a great way to correctly convert the text representation into the &[u8] representation.
The other (quite tedious for SHA256) way is to define the bytes with hex literals:

// let digest = "5b07e077a81ffc6b47435f65a8727bcc542bc6fc0f25a56210efb1a74b88a5ae";
let digest: &[u8] = &[
    0x5b,
    0x07,
    0xe0,
    0x77,
    // and so on...
];

chabashilah Jul 5, 2022
Author

Thank you both! It totally makes sense!

2023-12-02T00:10:14Z

github-actions[bot]
bot Dec 2, 2023

Hello! Reopening this discussion to make it searchable.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[KMS]Signing a digest message with ECDSA_SHA_256 #571

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 2 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

[KMS]Signing a digest message with ECDSA_SHA_256 #571

chabashilah Jul 5, 2022

Replies: 2 comments · 2 replies

rcoh Jul 5, 2022 Collaborator

Velfi Jul 5, 2022 Maintainer

chabashilah Jul 5, 2022 Author

github-actions[bot] bot Dec 2, 2023

chabashilah
Jul 5, 2022

Replies: 2 comments 2 replies

rcoh
Jul 5, 2022
Collaborator

Velfi Jul 5, 2022
Maintainer

chabashilah Jul 5, 2022
Author

github-actions[bot]
bot Dec 2, 2023