diff --git a/pkg/kms/aws/service.go b/pkg/kms/aws/service.go
index 6e639d11b..4a84ee9db 100644
--- a/pkg/kms/aws/service.go
+++ b/pkg/kms/aws/service.go
@@ -91,6 +91,9 @@ var kmsKeyTypes = map[types.SigningAlgorithmSpec]arieskms.KeyType{
 // nolint: gochecknoglobals
 var keySpecToCurve = map[types.KeySpec]elliptic.Curve{
 types.KeySpecEccSecgP256k1: btcec.S256(),
+ types.KeySpecEccNistP256: elliptic.P256(),
+ types.KeySpecEccNistP384: elliptic.P384(),
+ types.KeySpecEccNistP521: elliptic.P521(),
 }
 
 const (
@@ -251,9 +254,10 @@ func (s *Service) Sign(msg []byte, kh interface{}) ([]byte, error) { //nolint: f
 return nil, err
 }
 
- if describeKey.KeyMetadata.KeySpec == types.KeySpecEccSecgP256k1 {
+ if describeKey.KeyMetadata.KeySpec == types.KeySpecEccSecgP256k1 ||
+ describeKey.KeyMetadata.KeySpec == types.KeySpecEccNistP384 ||
+ describeKey.KeyMetadata.KeySpec == types.KeySpecEccNistP256 {
 signature := ecdsaSignature{}
-
 _, err = asn1.Unmarshal(result.Signature, &signature)
 if err != nil {
 return nil, err
diff --git a/pkg/kms/aws/service_test.go b/pkg/kms/aws/service_test.go
index 4228c6c30..7e64c45c1 100644
--- a/pkg/kms/aws/service_test.go
+++ b/pkg/kms/aws/service_test.go
@@ -63,10 +63,18 @@ func TestSign(t *testing.T) {
 metric.EXPECT().SignCount()
 metric.EXPECT().SignTime(gomock.Any())
 
+ sig := ecdsaSignature{
+ R: big.NewInt(12345),
+ S: big.NewInt(54321),
+ }
+
+ asnSig, err := asn1.Marshal(sig)
+ require.NoError(t, err)
+
 client := NewMockawsClient(gomock.NewController(t))
 client.EXPECT().Sign(gomock.Any(), gomock.Any(), gomock.Any()).
 Return(&kms.SignOutput{
- Signature: []byte("data"),
+ Signature: asnSig,
 }, nil)
 client.EXPECT().DescribeKey(gomock.Any(), gomock.Any(), gomock.Any()).
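Review bot: The new condition in Sign lists secp256k1, P-384 and P-256 but not types.KeySpecEccNistP521, even though the first hunk adds P-521 to keySpecToCurve, so a P-521 key skips the DER-parsing branch and its signature is returned in whatever form the other path yields. Keying the branch off the map removes the duplicated list and keeps the two in step: `if _, ok := keySpecToCurve[describeKey.KeyMetadata.KeySpec]; ok {`. The `_` that discards asn1.Unmarshal's remainder also means any bytes trailing the DER SEQUENCE are silently accepted; capturing `rest` and returning an error when `len(rest) != 0` makes the parse strict. Sign's body continues outside the hunk, so how the branch uses the parsed R and S afterwards is not visible here.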
@@ -85,7 +93,7 @@ func TestSign(t *testing.T) {
 signature, err := suiteSigner.Sign([]byte("msg"), wrapKID(
 "aws-kms://arn:aws:kms:ca-central-1:111122223333:alias/800d5768-3fd7-4edd-a4b8-4c81c3e4c147"))
 require.NoError(t, err)
- require.Contains(t, string(signature), "data")
+ require.Contains(t, string(signature), "\xd41")
 })
 }
 })
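Review bot: The new assertion `require.Contains(t, string(signature), "\xd41")` only checks that the two bytes 0xd4 0x31 (S = 54321) appear somewhere in the output, and they appear in the DER input asnSig as well, so the test passes whether or not Sign converted the signature to raw form. Comparing the whole value pins the conversion; assuming Sign emits fixed-width R||S for the key spec the mocked DescribeKey returns (outside this hunk; 32 bytes per coordinate for P-256/secp256k1) and that `sig` from the earlier hunk is in scope here: `expected := make([]byte, 64)`, `sig.R.FillBytes(expected[:32]); sig.S.FillBytes(expected[32:])`, `require.Equal(t, expected, signature)`. If the literal is kept, `"\xd4\x31"` reads more clearly than `"\xd41"`.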