Merge pull request #1026 from ArkadiuszNitkaSWI/fix-aws-signer

Fix AWS KMS Signer 4KB Message Size Limit

Author: jku

.gitignore

@@ -16,5 +16,8 @@ tests/htmlcov/*
 .DS_Store
 .python-version
 
+# PyCharm IDE
+.idea/
+
 # Sphinx documentation
 docs/_build/

securesystemslib/signer/_aws_signer.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import hashlib
 import logging
 from urllib import parse
 
@@ -32,6 +33,8 @@ class AWSSigner(Signer):
     AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. These will
     be recognized by the boto3 SDK, which underlies the aws_kms Python module.
 
+    The signer computes hash digests locally and sends only the digest to AWS KMS.
+
     For more details on AWS authentication, refer to the AWS Command Line
     Interface User Guide:
         https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
@@ -187,8 +190,8 @@ def import_(
     def sign(self, payload: bytes) -> Signature:
         """Sign the payload with the AWS KMS key
 
-        This method sends the payload to AWS KMS, where it is signed using the specified
-        key and algorithm using the raw message type.
+        This method computes the hash of the payload locally and sends only the
+        digest to AWS KMS for signing.
 
         Arguments:
             payload (bytes): The payload to be signed.
@@ -200,10 +203,15 @@ def sign(self, payload: bytes) -> Signature:
             Signature: A signature object containing the key ID and the signature.
         """
         try:
+            hash_algorithm = self.public_key.get_hash_algorithm_name()
+            hasher = hashlib.new(hash_algorithm)
+            hasher.update(payload)
+            digest = hasher.digest()
+
             sign_request = self.client.sign(
                 KeyId=self.aws_key_id,
-                Message=payload,
-                MessageType="RAW",
+                Message=digest,
+                MessageType="DIGEST",
                 SigningAlgorithm=self.aws_algo,
             )