How can I verify signatures generated by AWS KMS asymmetric keys?
I want to use AWS Key Management Service (AWS KMS) to sign a file. Then, I want to share the file, its signature, and the public key so that anyone can verify that the signature is valid. I don't want to grant users API access to my AWS KMS key.
The following example uses AWS KMS with an ECC_NIST_P256 (secp256r1) asymmetric key pair. When AWS KMS signs with this key pair, it produces an ECDSA digital signature as specified in NIST FIPS 186-4: the (r, s) values are DER-encoded as defined in ANS X9.62. Because these are open standards, you can verify the signature with OpenSSL and the exported public key, with no call to AWS KMS at verification time.
After creating the AWS KMS key pair in your account, use the AWS CLI to sign a file with it. The Signature field in the AWS KMS API response is Base64-encoded. The following example uses the --query parameter to extract only the Signature value from the response and writes it to the sign.b64 file. Decode that file with base64 before handing it to OpenSSL, which expects the raw DER bytes.
Note: The message parameter accepts at most 4096 bytes. To sign a larger message, compute a hash digest of the message with the hash function of the signing algorithm you chose (for example, SHA-256 for ECDSA_SHA_256), and pass that digest in the message parameter. Use the MessageType parameter (RAW or DIGEST) to tell AWS KMS which one you sent. Record the signing algorithm: verification must use the same hash function, and a verifier that hashes with a different algorithm rejects a valid signature.
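The signing and verification steps above, as an added example that is not part of the AWS article and does not use the AWS CLI. A locally generated P-256 key is a hypothetical stand-in for the KMS key so the script runs offline; the two sign_* functions imitate what `aws kms sign` returns (the Base64 Signature field) for a RAW message and for a DIGEST message, and the real CLI commands they stand in for are shown in comments. The message files are constructed for the demo. The verification function is the part you would ship to users: it needs only the file, the Base64 signature and the PEM public key.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article. A locally generated P-256 key
# (HYPOTHETICAL stand-in for the KMS key) lets the flow run offline. In the
# real flow the sign_* functions are replaced by `aws kms sign`, and the
# public key comes from `aws kms get-public-key`.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the KMS ECC_NIST_P256 key pair (OpenSSL name: prime256v1).
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/kms-stand-in.pem"

# PEM public key, the artifact shared with verifiers. With a real KMS key:
#   aws kms get-public-key --key-id <key-id> --output text --query PublicKey \
#     | openssl base64 -d -A > pubkey.der          # KMS returns DER (SPKI)
#   openssl pkey -pubin -inform DER -in pubkey.der -out pubkey.pem
openssl ec -in "$WORK/kms-stand-in.pem" -pubout -out "$WORK/pubkey.pem" 2>/dev/null

# RAW message (<= 4096 bytes). Equivalent of:
#   aws kms sign --key-id <key-id> --message fileb://msg --message-type RAW \
#     --signing-algorithm ECDSA_SHA_256 --output text --query Signature > sign.b64
# i.e. SHA-256 of the message, ECDSA-signed, DER-encoded (r,s), then Base64.
sign_raw_like_kms() {          # $1 message file, $2 output .b64 file
  openssl dgst -sha256 -sign "$WORK/kms-stand-in.pem" "$1" | openssl base64 -A > "$2"
}

# DIGEST message (> 4096 bytes): the caller hashes with the signing
# algorithm's hash (SHA-256 for ECDSA_SHA_256) and submits the 32-byte digest
# with --message-type DIGEST. pkeyutl signs the supplied bytes as the digest.
sign_digest_like_kms() {       # $1 message file, $2 output .b64 file
  openssl dgst -sha256 -binary "$1" > "$WORK/digest.bin"
  openssl pkeyutl -sign -inkey "$WORK/kms-stand-in.pem" -in "$WORK/digest.bin" \
    | openssl base64 -A > "$2"
}

# Verification needs only the file, the Base64 signature and the PEM public
# key. Exit status 0 = valid, 1 = invalid. RAW and DIGEST signatures verify
# identically because both are ECDSA over SHA-256(message).
verify_with_openssl() {        # $1 message file, $2 .b64 signature, $3 pubkey PEM
  openssl base64 -d -A -in "$2" -out "$WORK/sig.der"     # Base64 -> raw DER
  openssl dgst -sha256 -verify "$3" -signature "$WORK/sig.der" "$1" >/dev/null 2>&1
}

# Demo: a short (RAW) and an 8192-byte (DIGEST, over the 4096 limit)
# constructed message, plus a tampered copy that must fail. Returns 0 only
# if all three checks behave as expected.
demo() {
  printf 'artifact: release.tar.gz\n' > "$WORK/short.txt"
  head -c 8192 /dev/zero | tr '\0' 'A' > "$WORK/long.txt"
  printf 'artifact: release.tar.gs\n' > "$WORK/tampered.txt"   # one byte changed
  sign_raw_like_kms "$WORK/short.txt" "$WORK/short.b64"
  sign_digest_like_kms "$WORK/long.txt" "$WORK/long.b64"

  verify_with_openssl "$WORK/short.txt" "$WORK/short.b64" "$WORK/pubkey.pem" || return 1
  verify_with_openssl "$WORK/long.txt"  "$WORK/long.b64"  "$WORK/pubkey.pem" || return 1
  if verify_with_openssl "$WORK/tampered.txt" "$WORK/short.b64" "$WORK/pubkey.pem"; then
    return 1                  # a tampered message must NOT verify
  fi
  echo "RAW, DIGEST and tamper checks behaved as expected"
}

demo
```

The only KMS-specific detail a verifier has to know is the signing algorithm, because it fixes the hash (`-sha256` here). Everything else is standard: a DER-encoded ECDSA signature and a PEM (or DER) public key, so `openssl dgst -verify` accepts it directly once the Base64 wrapper is stripped.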