2回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
Hey, you can try this:
- Ensure you're using the same asymmetric KMS key and signing algorithm for both signing and verifying.
- Verify the message is identical (including encoding) during both operations. If hashed, ensure consistent handling.
- Confirm the IAM and key policies allow the Verify operation.
- Make sure the KMS key is active and not disabled or pending deletion.
- Log key ID, message, and algorithm details to spot any mismatches.
This is the correct verify syntax:
response = client.verify(
KeyId='string',
Message=b'bytes',
MessageType='RAW'|'DIGEST',
Signature=b'bytes',
SigningAlgorithm='RSASSA_PSS_SHA_256'|'RSASSA_PSS_SHA_384'|'RSASSA_PSS_SHA_512'|'RSASSA_PKCS1_V1_5_SHA_256'|'RSASSA_PKCS1_V1_5_SHA_384'|'RSASSA_PKCS1_V1_5_SHA_512'|'ECDSA_SHA_256'|'ECDSA_SHA_384'|'ECDSA_SHA_512'|'SM2DSA',
GrantTokens=[
'string',
]
)
Try to validate if you are passing correctly the parameters to your client.verify()
.
This resources could help you: https://boto3.amazonaws.com/v1/documentation/api/1.26.94/reference/services/kms/client/verify.html
0
Hello,
Maybe you can try making a simple verify call directly from Python using hardcoded values to rule out any issues you face. Also, make sure the header is in the right format, which is what KMS expect.
Thanks
回答済み 3ヶ月前
関連するコンテンツ
- AWS公式更新しました 2年前
Hi, Thanks for your response. I am using it in a similar fashion. I have a turtle integration to retrieve this session( The turtle is using us-west-2 for arn as my host is in us-west-2 but kms is in us-east-1. Hence, I am explicitly passing region as parameter. Also I have added sufficient loggers. //snipping for brevity session = get_boto3_session_from_turtle() logger.log(logging.INFO, f"session:{session}") kms_client = session.client('kms', region_name='us-east-1') logger.log(logging.INFO,f"session for region:{kms_client.meta.region_name}") message_bytes = message.encode('utf-8') logger.log(logging.INFO, f"message_bytes:{message_bytes}") logger.log(logging.INFO, 'CALLING KMS CLIENT')
try: response = kms_client.verify( KeyId = key_id, Message = message_bytes, Signature = signature_bytes, SigningAlgorithm = algorithm, MessageType='RAW' ) #return True if the 'SignatureValid' field is present, default to False otherwise logger.log(logging.INFO, f"response:{response}") return response.get('SignatureValid', False)