@prasanthu
Created May 3, 2023 07:11
AWS KMS support for OAuth2 Client Credentials JWT authentication

The current implementation signs the client assertions with the private key given as the signing_key.private_key value in the configuration. AWS KMS never exposes the private key; it only lets you sign data through its Sign API, which takes just the key ID, the signing algorithm and the message (or its digest) as parameters.

Generating base64 encoded signature

When used with the ECDSA_SHA_256, ECDSA_SHA_384, or ECDSA_SHA_512 signing algorithms, the signature value returned by KMS is a DER-encoded object as defined by ANS X9.62–2005 and RFC 3279 Section 2.2.3. This is the most commonly used signature format and is appropriate for most uses, but a JWS expects the raw r||s form, so we need to perform the following steps to convert the DER-encoded object into a valid JWT signature:

  1. Retrieve the r and s integer values from the DER-encoded SEQUENCE
  2. Compute the fixed component size from the algorithm (32 bytes for ES256, 48 for ES384, 66 for ES512) and check that r and s fit
  3. Left-pad r and s to that size and concatenate them as r||s
  4. Encode the resulting bytes as base64url without padding
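The four steps above, carried through in Python as an added example (this is not code from the gist and uses no AWS SDK). It assumes the DER blob is the `Signature` field returned by the KMS Sign API for an ECDSA key; because the example runs offline, the input is a constructed DER signature built by the small `rs_to_der` helper rather than a real KMS response. The conversion strictly validates the DER structure and rejects components that do not fit the algorithm's size, so a malformed or mismatched signature fails loudly instead of producing a JWT the token endpoint would reject anyway.

```python
import base64

# Raw (r||s) component size in bytes per JWS algorithm (RFC 7518 section 3.4).
COMPONENT_SIZE = {"ES256": 32, "ES384": 48, "ES512": 66}

# KMS SigningAlgorithm value -> JWS "alg" header value.
KMS_TO_JWS = {
    "ECDSA_SHA_256": "ES256",
    "ECDSA_SHA_384": "ES384",
    "ECDSA_SHA_512": "ES512",
}


def _read_length(buf, pos):
    """Parse a DER length at buf[pos]; returns (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _read_integer(buf, pos):
    """Parse a DER INTEGER at buf[pos]; returns (value, position after it)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    length, pos = _read_length(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated DER INTEGER")
    return int.from_bytes(body, "big", signed=True), pos + length


def der_to_rs(der):
    """Step 1: extract (r, s) from SEQUENCE { INTEGER r, INTEGER s }."""
    if not der or der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("SEQUENCE length does not match data")
    r, pos = _read_integer(der, pos)
    s, pos = _read_integer(der, pos)
    if pos != end:
        raise ValueError("unexpected trailing bytes in SEQUENCE")
    if r <= 0 or s <= 0:
        raise ValueError("r and s must be positive")
    return r, s


def der_to_jws_signature(der, kms_algorithm):
    """Steps 2-4: fixed-size r||s, base64url without padding."""
    size = COMPONENT_SIZE[KMS_TO_JWS[kms_algorithm]]
    r, s = der_to_rs(der)
    try:                                  # to_bytes left-pads, or raises if too large
        raw = r.to_bytes(size, "big") + s.to_bytes(size, "big")
    except OverflowError:
        raise ValueError("r or s does not fit the algorithm's component size") from None
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# --- constructed test input (stands in for the KMS Signature blob) -----------

def _der_len(n):
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])


def _der_int(value):
    # Minimal big-endian encoding with a leading 0x00 when the high bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def rs_to_der(r, s):
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


if __name__ == "__main__":
    # Constructed values; a real r and s come from the curve's scalar field.
    sig = rs_to_der(2**255 + 7, 12345)
    print(der_to_jws_signature(sig, "ECDSA_SHA_256"))
```

With boto3 the DER blob is the `Signature` member of the `kms.sign(...)` response when `SigningAlgorithm` is one of the ECDSA values; feed that blob and the same algorithm name to `der_to_jws_signature` and append the result as the third segment of the client assertion.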