22
33from __future__ import annotations
44
5+ import hashlib
56import logging
67from urllib import parse
78
@@ -32,6 +33,9 @@ class AWSSigner(Signer):
3233 AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. These will
3334 be recognized by the boto3 SDK, which underlies the aws_kms Python module.
3435
36+ The signer computes hash digests locally and sends only the digest to AWS KMS,
37+ removing the 4KB message size limitation that exists with raw message signing.
38+
3539 For more details on AWS authentication, refer to the AWS Command Line
3640 Interface User Guide:
3741 https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
@@ -187,8 +191,9 @@ def import_(
187191 def sign (self , payload : bytes ) -> Signature :
188192 """Sign the payload with the AWS KMS key
189193
190- This method sends the payload to AWS KMS, where it is signed using the specified
191- key and algorithm using the raw message type.
194+ This method computes the hash of the payload locally and sends only the
195+ digest to AWS KMS for signing, removing the 4KB message size limitation
196+ that exists when using MessageType="RAW".
192197
193198 Arguments:
194199 payload (bytes): The payload to be signed.
@@ -200,10 +205,16 @@ def sign(self, payload: bytes) -> Signature:
200205 Signature: A signature object containing the key ID and the signature.
201206 """
202207 try :
208+ # Compute hash locally to remove 4KB payload size limit
209+ hash_algorithm = self .public_key .get_hash_algorithm_name ()
210+ hasher = hashlib .new (hash_algorithm )
211+ hasher .update (payload )
212+ digest = hasher .digest ()
213+
203214 sign_request = self .client .sign (
204215 KeyId = self .aws_key_id ,
205- Message = payload ,
206- MessageType = "RAW " ,
216+ Message = digest ,
217+ MessageType = "DIGEST " ,
207218 SigningAlgorithm = self .aws_algo ,
208219 )
209220