The current implementation signs the client assertions using the signing_key.private_key
value specified in the configuration.
AWS KMS only allows data to be signed through its Sign API; the private key itself is never exposed.
The key ID, the signing algorithm and the message (or its digest) are the only parameters this API requires.
When used with the ECDSA_SHA_256, ECDSA_SHA_384, or ECDSA_SHA_512 signing algorithms, the signature value is a DER-encoded object as defined by ANS X9.62–2005 and RFC 3279 Section 2.2.3. This is the most commonly used signature format and is appropriate for most uses, but it is not the format a client assertion needs, so we have to perform the following steps to convert the DER-encoded object into a valid signature:
- Retrieve the r and s values from the encoded structure
- Compute the signature size based on the algorithm and the size of the r and s values
- Copy the r and s values into the signature, adding the necessary padding
- Convert the signature bytes to base64 using URL-safe encoding without padding
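The conversion above, written out as an added example (not the project's own code): it parses the DER `SEQUENCE { INTEGER r, INTEGER s }`, strips the sign byte DER adds when the top bit is set, left-pads each value to the fixed size the JWS algorithm dictates (32, 48 or 66 bytes for ES256/ES384/ES512, taken from RFC 7518 rather than from the page), and base64url-encodes the result without padding. The `SAMPLE_DER` value is constructed for illustration and is not a real KMS response.

```python
import base64

# Per-component byte length of the JWS ECDSA signature (RFC 7518 section 3.4):
# R and S are each padded to the size of the curve order.
JWS_COMPONENT_SIZE = {"ES256": 32, "ES384": 48, "ES512": 66}

def _read_der_integer(der: bytes, pos: int):
    """Parse one DER INTEGER at pos; return (bare big-endian magnitude, next pos)."""
    if der[pos] != 0x02:
        raise ValueError("expected DER INTEGER tag")
    length = der[pos + 1]
    if length & 0x80:  # long-form lengths never occur for ECDSA r/s values
        raise ValueError("unsupported long-form INTEGER length")
    start = pos + 2
    value = der[start:start + length]
    if len(value) != length:
        raise ValueError("truncated DER INTEGER")
    # DER prepends 0x00 when the top bit is set so the value stays positive;
    # strip leading zeros to get the bare magnitude before re-padding.
    return value.lstrip(b"\x00"), start + length

def der_to_jws_signature(der: bytes, alg: str) -> str:
    """Convert a DER-encoded ECDSA signature (as KMS returns it) to base64url(R || S)."""
    size = JWS_COMPONENT_SIZE[alg]
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    seq_len, pos = der[1], 2
    if seq_len & 0x80:
        # ES512 signatures exceed 127 bytes, so the SEQUENCE uses a one-byte long form.
        if seq_len != 0x81:
            raise ValueError("unsupported SEQUENCE length encoding")
        seq_len, pos = der[2], 3
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match input")
    r, pos = _read_der_integer(der, pos)
    s, pos = _read_der_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after S")
    if len(r) > size or len(s) > size:
        raise ValueError("integer larger than the curve order size")
    # Left-pad each value to the fixed component size and concatenate.
    raw = r.rjust(size, b"\x00") + s.rjust(size, b"\x00")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

# Constructed ES256 sample (not a real KMS response): r carries the DER 0x00 prefix
# because its top bit is set, and s is only 31 bytes so it needs left-padding.
SAMPLE_DER = (b"\x30\x44" + b"\x02\x21\x00\x80" + b"\x11" * 31
              + b"\x02\x1f" + b"\x22" * 31)
```

Calling `der_to_jws_signature(SAMPLE_DER, "ES256")` yields an 86-character base64url string, which is exactly the encoding of a 64-byte R || S with the two `=` padding characters removed.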