KMS sign: Avoid rehashing the already hashed message#7817
KMS sign: Avoid rehashing the already hashed message#7817paullallier wants to merge 2 commits intolocalstack:masterfrom
Conversation
localstack-bot
left a comment
There was a problem hiding this comment.
Welcome to LocalStack! Thanks for raising your first Pull Request and landing in your contributions. Our team will reach out with any reviews or feedbacks that we have shortly. We recommend joining our Slack Community and share your PR on the #community channel to share your contributions with us. Please make sure you are following our contributing guidelines and our Code of Conduct.
|
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
|
Not sure why the CI tests fail on something that doesn't seem KMS related... But is there a CI configuration error, more generally? As far as I can see it's not run the tests in tests/integration/test_kms.py - or several other files in that folder. Is that intentional? (I was trying to double-check that my changes had been tested by the existing test.) EDIT: I guess the full suite of integration tests didn't run because one of the previous tests failed. |
|
I believe my fix is correct though - I've manually applied the change to the localstack docker container I'm running, restarted python, and my JWTs now verify after being signed by localstack KMS in 'RAW' messageType mode - as they do with AWS. |
|
I can confirm that running your branch locally (using |
|
recheck didn't work, worth a try... |
|
Hmm. That test suite failed again, but on a different test. I guess it's possible that S3 and firehose (which I don't know) both use KMS sign internally for something, and my change has broken it? |
|
The failures don't seem related to your change. Thanks for contributing @paullallier ! |
|
Thanks @viren-nadkarni. What do we need to do, if anything, to get it mergeable? I think there are some actual KMS tests tha would run in the "integration-tests-against-pro / run-integration-tests" step - and I might genuinely have broken those (though failures there might be that the tests aren't testing the right thing). |
|
@paullallier: We need to add some tests. I'm trying to reproduce the issue so that we can compare the behaviour against AWS. Since you mentioned you're not fluent with Python, I'm happy to take this over. |
|
@viren-nadkarni: Sounds good to me. There's some information about it here, which might be useful if you haven't seen it already. #6815 (comment) Since we can't extract the private key from AWS, I was struggling a bit to come up with a way to do a like-for-like test. And I've, personally, only really tested it with EC256 keys so far, since that's what I'm interested in. |
|
Closing in favour of #7878 Thanks again @paullallier for the findings! |
This may be an improvement on issue #6815 - hopefully.
May also relate to issue #7158.