@tuananhk13bk tuananhk13bk commented Aug 22, 2025

Example for signing a msg on the backend side:

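```go
import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignWithP256 hashes data with SHA-256 and returns an ASN.1 DER-encoded
// ECDSA signature over the digest.
func SignWithP256(privateKey *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	if privateKey == nil {
		return nil, fmt.Errorf("invalid private key: private key is nil")
	}

	if privateKey.Curve == nil {
		return nil, fmt.Errorf("invalid private key: curve is nil")
	}

	// Sign the SHA-256 digest of the message, not the message itself.
	hash := sha256.Sum256(data)

	signature, err := ecdsa.SignASN1(rand.Reader, privateKey, hash[:])
	if err != nil {
		return nil, fmt.Errorf("failed to sign data: %w", err)
	}

	return signature, nil
}
```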

The best practice to keep in mind here is that it signs the sha256 hash of the message, not the message itself.
Reference link:
https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages

Test with AWS KMS (Localstack)

1. Create a P256 keypair in AWS KMS:

```bash
aws kms create-key \
  --endpoint-url=http://localhost:4566 \
  --description "Test P-256 keypair" \
  --key-usage SIGN_VERIFY \
  --customer-master-key-spec ECC_NIST_P256
```

Expected response:

```json
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "330a9df7-4fd9-4e86-bfc5-f360b4c4be39",
        "Arn": "arn:aws:kms:ap-southeast-1:000000000000:key/330a9df7-4fd9-4e86-bfc5-f360b4c4be39",
        "CreationDate": "2025-08-28T16:42:18.487655+07:00",
        "Enabled": true,
        "Description": "Test P-256 keypair",
        "KeyUsage": "SIGN_VERIFY",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "ECC_NIST_P256",
        "KeySpec": "ECC_NIST_P256",
        "SigningAlgorithms": [
            "ECDSA_SHA_256"
        ],
        "MultiRegion": false
    }
}
```

2. Get the public key:

```bash
aws kms get-public-key \
  --endpoint-url=http://localhost:4566 \
  --key-id 4428f130-0a25-4e78-b563-9e8a9e23110a \
  --query PublicKey \
  --output text | base64 -d | xxd -p -c 256
```

Expected response:

```text
3059301306072a8648ce3d020106082a8648ce3d030107034200042b7539fc51123c3ba53c71e244be71d2d3138cbed4909fa259b924b56c92148cadd410cf98b789269d7f672c3ba978e99fc1f01c87daee97292d3666357738fd
```

3. Sign a message

```bash
aws kms sign \
  --endpoint-url=http://localhost:4566 \
  --key-id 4428f130-0a25-4e78-b563-9e8a9e23110a \
  --message $(echo '{"user":"john.doe","action":"login","timestamp":"2025-08-28T10:30:00Z"}' | base64 -w 0) \
  --message-type RAW \
  --signing-algorithm ECDSA_SHA_256
```

Expected response:

```json
{
    "KeyId": "arn:aws:kms:ap-southeast-1:000000000000:key/4428f130-0a25-4e78-b563-9e8a9e23110a",
    "Signature": "MEUCIC8xSkhWdLfUPfk7nW64+IaMOSacQvS7FiHmFQKpVuo5AiEAtutVr0NNikPyI1KZahN6CpDA+7a9LHd/8F6n3013ENY=",
    "SigningAlgorithm": "ECDSA_SHA_256"
}
```
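
The receiving side of the signing flow above, as an added example (not code from this pull request): it verifies a DER-encoded ECDSA signature, the format `ecdsa.SignASN1` and KMS `ECDSA_SHA_256` both produce, against the DER public key that `aws kms get-public-key` returns after base64 decoding. `VerifyP256` and `demoKeyAndSig` are hypothetical names, and the key and message are generated locally rather than taken from KMS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// VerifyP256 checks an ASN.1 DER ECDSA signature over SHA-256(msg) against a
// DER SubjectPublicKeyInfo key, rejecting any key that is not ECDSA P-256.
func VerifyP256(spkiDER, msg, sigDER []byte) error {
	parsed, err := x509.ParsePKIXPublicKey(spkiDER)
	if err != nil {
		return fmt.Errorf("parse public key: %w", err)
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return fmt.Errorf("public key is not ECDSA P-256")
	}
	digest := sha256.Sum256(msg) // hash exactly the bytes that were signed
	if !ecdsa.VerifyASN1(pub, digest[:], sigDER) {
		return fmt.Errorf("signature verification failed")
	}
	return nil
}

// demoKeyAndSig (hypothetical helper) signs msg with a throwaway P-256 key.
func demoKeyAndSig(msg []byte) (spki, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(msg)
	if sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
		return nil, nil, err
	}
	spki, err = x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return spki, sig, err
}

func main() {
	// Constructed message; `echo` in a shell pipeline appends the trailing "\n".
	msg := []byte(`{"user":"john.doe","action":"login"}` + "\n")
	spki, sig, _ := demoKeyAndSig(msg)
	fmt.Println("exact bytes:", VerifyP256(spki, msg, sig))
	fmt.Println("newline dropped:", VerifyP256(spki, msg[:len(msg)-1], sig))
}
```

The second call fails because the verifier must hash byte-for-byte what the signer hashed, including the newline that `echo` adds.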

@tuananhk13bk tuananhk13bk changed the title Supported p256 for event initiator Supported p256 for event initiator (NOT DONE, just for self-review) Aug 22, 2025
gitguardian bot commented Aug 23, 2025

✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.

@tuananhk13bk
Collaborator Author

Resolves #67

@tuananhk13bk tuananhk13bk changed the title Supported p256 for event initiator (NOT DONE, just for self-review) Supported p256 for event initiator Aug 24, 2025
Fixed linting errors
@socket-security

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | github.com/aws/aws-sdk-go-v2/config@v1.31.4 | 87 | 100 | 100 | 100 | 100 |
| Added | github.com/aws/aws-sdk-go-v2/service/kms@v1.45.0 | 98 | 100 | 100 | 100 | 100 |

anhthii commented Aug 28, 2025

@nann-cheng feel free to review when you have time. We support event initiator signing with p256 curve which is supported by major cloud kms.

anhthii commented Aug 29, 2025

all good @tuananhk13bk ? I think we can merge

@tuananhk13bk
Collaborator Author

> all good @tuananhk13bk ? I think we can merge

Yes looks good to me.

anhthii commented Aug 29, 2025

thanks for contribution.

@anhthii anhthii merged commit f2bdbb0 into master Aug 29, 2025
25 checks passed
@anhthii anhthii deleted the support-p256 branch August 29, 2025 07:15