Fix AWS KMS Signer 4KB Message Size Limit #1026
Conversation
|
Looks good at first glance, thanks. Have you ran this on actual AWS already? (I don't think that's a requirement for merging, just curious as our aws tests only run on localstack) |
jku
left a comment
jku
left a comment
There was a problem hiding this comment.
Nice. I think this makes a lot of sense (would make sense even if AWS did not have the limit).
Looks good to merge to me -- I left one comment but it's a code comment nitpick, feel free to leave it as is if you don't feel like fixing it.
@ianhundere any comments as original author?
|
Thank you for the review. I updates the docstrings. Yes, I tested it with a real AWS KMS key. |
|
Hey @jku, I can't merge this. If you think it's ready, could you please merge it for me? Also, could you let me know when it can be released? |
|
sure, was just leaving some time for @lukpueh or ian to chime in if they wanted to. This seems uncontroversial though so I can merge, let's say, tomorrow. We could do a release for this, it's been a few months since the last one. |
We actually run AWS tests with localstack as part of CI: https://github.com/secure-systems-lab/securesystemslib/actions/runs/17919157997/job/51027942600?pr=1026 So this should be fine. |
|
lgtm 🙌🏼 |
|
Thanks! |
4 participants
Description of the changes being introduced by the pull request:
Problem
AWS KMS Signer fails when signing messages larger than 4KB due to using
MessageType="RAW", which has a hard 4096-byte limit in the AWS KMS Sign API.Changes Made
Modified
AWSSigner.sign()method in_aws_signer.py:hashlib.new(hash_algorithm)MessageTypefrom"RAW"to"DIGEST"Benefits
Fixes #1025