AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

KMSInvalidSignatureException: An error occurred (KMSInvalidSignatureException) when calling the Verify operation:

0

I am using AWS KMS in my tool integrated with Turtle. So I am using session from turtle to call the KMS client. The KMS parameters are passed via headers to the backend. These are generated in typescript and then sent via headers to the backend in python. I see that I am getting the values, however when calling the client I see this error :- response = kms_client.verify( ..../lib/python3.8/site-packages/botocore/client.py", line 535, in _api_call return self._make_api_call(operation_name, kwargs) File "..../lib/python3.8/site-packages/botocore/client.py", line 980, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.KMSInvalidSignatureException: An error occurred (KMSInvalidSignatureException) when calling the Verify operation:

주제
보안, 신원 및 규정 준수
태그
AWS 키 관리 서비스
언어
English
rePost-User-9637849
질문됨 3달 전153회 조회
2개 답변
1

Hey, you can try this:

  1. Ensure you're using the same asymmetric KMS key and signing algorithm for both signing and verifying.
  2. Verify the message is identical (including encoding) during both operations. If hashed, ensure consistent handling.
  3. Confirm the IAM and key policies allow the Verify operation.
  4. Make sure the KMS key is active and not disabled or pending deletion.
  5. Log key ID, message, and algorithm details to spot any mismatches.

This is the correct verify syntax:

response = client.verify(
    KeyId='string',
    Message=b'bytes',
    MessageType='RAW'|'DIGEST',
    Signature=b'bytes',
SigningAlgorithm='RSASSA_PSS_SHA_256'|'RSASSA_PSS_SHA_384'|'RSASSA_PSS_SHA_512'|'RSASSA_PKCS1_V1_5_SHA_256'|'RSASSA_PKCS1_V1_5_SHA_384'|'RSASSA_PKCS1_V1_5_SHA_512'|'ECDSA_SHA_256'|'ECDSA_SHA_384'|'ECDSA_SHA_512'|'SM2DSA',
    GrantTokens=[
        'string',
    ]
)

Try to validate if you are passing correctly the parameters to your client.verify().

This resources could help you: https://boto3.amazonaws.com/v1/documentation/api/1.26.94/reference/services/kms/client/verify.html

profile picture
전문가
Osvaldo Marte
답변함 3달 전
  • rePost-User-9637849
    3달 전

    Hi, Thanks for your response. I am using it in a similar fashion. I have a turtle integration to retrieve this session( The turtle is using us-west-2 for arn as my host is in us-west-2 but kms is in us-east-1. Hence, I am explicitly passing region as parameter. Also I have added sufficient loggers. //snipping for brevity session = get_boto3_session_from_turtle() logger.log(logging.INFO, f"session:{session}") kms_client = session.client('kms', region_name='us-east-1') logger.log(logging.INFO,f"session for region:{kms_client.meta.region_name}") message_bytes = message.encode('utf-8') logger.log(logging.INFO, f"message_bytes:{message_bytes}") logger.log(logging.INFO, 'CALLING KMS CLIENT')
    try: response = kms_client.verify( KeyId = key_id, Message = message_bytes, Signature = signature_bytes, SigningAlgorithm = algorithm, MessageType='RAW' ) #return True if the 'SignatureValid' field is present, default to False otherwise logger.log(logging.INFO, f"response:{response}") return response.get('SignatureValid', False)

0

Hello,

Maybe you can try making a simple verify call directly from Python using hardcoded values to rule out any issues you face. Also, make sure the header is in the right format, which is what KMS expect.

Thanks

Abhinav Chauhan
답변함 3달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠