Fix AWS KMS Signer 4KB Message Size Limit #1026
Conversation
Looks good at first glance, thanks. Have you run this on actual AWS already? (I don't think that's a requirement for merging, just curious as our aws tests only run on localstack)
jku left a comment
Nice. I think this makes a lot of sense (would make sense even if AWS did not have the limit).
Looks good to merge to me -- I left one comment but it's a code comment nitpick, feel free to leave it as is if you don't feel like fixing it.
@ianhundere any comments as original author?
Thank you for the review. I updated the docstrings. Yes, I tested it with a real AWS KMS key.
Hey @jku, I can't merge this. If you think it's ready, could you please merge it for me? Also, could you let me know when it can be released?
sure, was just leaving some time for @lukpueh or ian to chime in if they wanted to. This seems uncontroversial though so I can merge, let's say, tomorrow. We could do a release for this, it's been a few months since the last one.
We actually run AWS tests with localstack as part of CI: https://github.com/secure-systems-lab/securesystemslib/actions/runs/17919157997/job/51027942600?pr=1026 So this should be fine.
lgtm 🙌🏼
Thanks!
Description of the changes being introduced by the pull request:
Problem
AWS KMS Signer fails when signing messages larger than 4KB due to using MessageType="RAW", which has a hard 4096-byte limit in the AWS KMS Sign API.
Changes Made
Modified AWSSigner.sign() method in _aws_signer.py:
- hashlib.new(hash_algorithm)
- MessageType from "RAW" to "DIGEST"
Benefits
Fixes #1025
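The flow the PR description summarises, as an added example that is not securesystemslib's own code: the message is hashed locally with hashlib.new(hash_algorithm) and only the digest is sent with MessageType="DIGEST", so the request no longer hits the 4096-byte RAW limit. The FakeKMSClient, its key material, the mapping from a KMS SigningAlgorithm name to a hashlib name, and the HMAC used as a stand-in signature are all constructed for this example and are not the behaviour of boto3 or AWS; the keyword arguments passed to sign() are the ones boto3's kms.sign() accepts.

```python
"""Added example (not securesystemslib's own code): pre-hash a message and
send KMS the digest, avoiding the 4096-byte MessageType="RAW" limit."""
import hashlib
import hmac

# Hard limit of the KMS Sign API for MessageType="RAW" (from the PR text).
KMS_RAW_MESSAGE_LIMIT = 4096


def hash_algorithm_for(signing_algorithm: str) -> str:
    """Map a KMS SigningAlgorithm name such as "ECDSA_SHA_256" or
    "RSASSA_PSS_SHA_384" to the hashlib name of its digest ("sha256", ...).
    Assumption made here: every supported algorithm name ends in "_SHA_<bits>"."""
    prefix, _, bits = signing_algorithm.rpartition("_SHA_")
    if not prefix or bits not in ("256", "384", "512"):
        raise ValueError(f"unsupported signing algorithm: {signing_algorithm}")
    return "sha" + bits


def build_sign_request(key_id: str, message: bytes, signing_algorithm: str) -> dict:
    """Build the keyword arguments for boto3's kms.sign(): the message is hashed
    locally with hashlib.new(hash_algorithm) and sent as MessageType="DIGEST",
    so the request size no longer depends on the message size."""
    digest = hashlib.new(hash_algorithm_for(signing_algorithm), message).digest()
    return {
        "KeyId": key_id,
        "Message": digest,
        "MessageType": "DIGEST",
        "SigningAlgorithm": signing_algorithm,
    }


class FakeKMSClient:
    """Stand-in for boto3's KMS client (constructed for this example) that
    enforces the two input checks relevant here: RAW messages may not exceed
    4096 bytes, and a DIGEST must have the length of the algorithm's hash.
    The "signature" is an HMAC over the digest, so the same message yields the
    same value whether it arrives as RAW or as DIGEST; that is the property
    that lets callers keep verifying against the raw message after the switch."""

    def __init__(self, key_secret: bytes = b"example-key-material"):
        self._secret = key_secret  # placeholder for the key material held inside KMS

    def sign(self, *, KeyId: str, Message: bytes, MessageType: str, SigningAlgorithm: str) -> dict:
        hash_name = hash_algorithm_for(SigningAlgorithm)
        if MessageType == "RAW":
            if len(Message) > KMS_RAW_MESSAGE_LIMIT:
                raise ValueError("ValidationException: RAW message exceeds 4096 bytes")
            digest = hashlib.new(hash_name, Message).digest()
        elif MessageType == "DIGEST":
            if len(Message) != hashlib.new(hash_name).digest_size:
                raise ValueError("ValidationException: digest length does not match algorithm")
            digest = Message
        else:
            raise ValueError(f"unknown MessageType {MessageType}")
        signature = hmac.new(self._secret, digest, hash_name).digest()
        return {"KeyId": KeyId, "Signature": signature, "SigningAlgorithm": SigningAlgorithm}


def sign_message(client, key_id: str, message: bytes, signing_algorithm: str) -> bytes:
    """The fixed flow: hash locally, then ask KMS to sign the digest."""
    return client.sign(**build_sign_request(key_id, message, signing_algorithm))["Signature"]


if __name__ == "__main__":
    client = FakeKMSClient()
    big = b"A" * (KMS_RAW_MESSAGE_LIMIT + 1)  # constructed: one byte over the RAW limit
    try:
        client.sign(KeyId="alias/example", Message=big, MessageType="RAW",
                    SigningAlgorithm="ECDSA_SHA_256")
    except ValueError as err:
        print("RAW:", err)
    print("DIGEST:", sign_message(client, "alias/example", big, "ECDSA_SHA_256").hex())
```

With a real boto3 client the same build_sign_request() output can be passed straight to kms.sign(); the one check worth keeping on the caller side is that the hash used locally matches the SigningAlgorithm, since KMS rejects a digest whose length does not fit the algorithm.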